Gerhard,

what's the nprobe configuration used?

Simone


On Tue, Jan 17, 2017 at 8:08 PM, Gerhard Mourani <gmour...@prival.ca> wrote:

> Hi Simone,
>
> Seems it doesn't work with my version 7.4.170109 of nprobe!
>
> Starting nProbe: 17/Jan/2017 14:05:54 [nprobe.c:3407] Valid nProbe license
> found
> 17/Jan/2017 14:05:54 [util.c:434] GeoIP: loaded AS config file
> /usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
> 17/Jan/2017 14:05:54 [util.c:445] GeoIP: loaded AS IPv6 config file
> /usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
> 17/Jan/2017 14:05:54 [util.c:474] GeoIP: loaded cities config file
> /usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat
> 17/Jan/2017 14:05:54 [util.c:484] GeoIP: loaded IPv6 cities config file
> /usr/share/ntopng/httpdocs/geoip/GeoLiteCityv6.dat
> 17/Jan/2017 14:05:54 [nprobe.c:4872] WARNING: The output interfaceId is
> set to 0: did you forget to use -Q perhaps ?
> 17/Jan/2017 14:05:54 [nprobe.c:4875] WARNING: The input interfaceId is set
> to 0: did you forget to use -u perhaps ?
> 17/Jan/2017 14:05:54 [nprobe.c:4975] Welcome to nProbe v.7.4.170109
> ($Revision: 5334 $) for x86_64-unknown-linux-gnu with native PF_RING
> acceleration
> 17/Jan/2017 14:05:54 [nprobe.c:4985] Running on CentOS release 6.8 (Final)
> 17/Jan/2017 14:05:54 [nprobe.c:4996] [LICENSE] nProbe SystemId:
> 3B86CF9076076A80
> 17/Jan/2017 14:05:54 [nprobe.c:5047] Tracing enabled
> 17/Jan/2017 14:05:54 [plugin.c:250] 0 plugin(s) loaded [0 delete][0
> packet].
> 17/Jan/2017 14:05:54 [nprobe.c:7308] Welcome to nProbe v.7.4.170109 for
> x86_64-unknown-linux-gnu
> 17/Jan/2017 14:05:54 [nprobe.c:6350] GEO-533LITE 20170103 Build 1
> Copyright (c) 2017 MaxMind Inc All Rights Reser
> 17/Jan/2017 14:05:54 [nprobe.c:6352] GEO-117 20170107 Build 1 Copyright
> (c) 2017 MaxMind Inc All Rights Reser
> 17/Jan/2017 14:05:54 [nprobe.c:6378] Compiling flow templates...
> 17/Jan/2017 14:05:54 [plugin.c:1045] 0 plugin(s) enabled
> 17/Jan/2017 14:05:54 [nprobe.c:6836] Non IPv4/v6 traffic is discarded
> according to the template
> *17/Jan/2017 14:05:54 [nprobe.c:7391] WARNING: You cannot use BPF filters
> (not) in collector/proxy mode: BPF filter disabled*
> 17/Jan/2017 14:05:54 [nprobe.c:5495] Using packet capture length 128
> 17/Jan/2017 14:05:54 [nprobe.c:7484] IPv6 traffic will NOT be
> exported/accounted by this probe
> 17/Jan/2017 14:05:54 [nprobe.c:7485] due to configuration options (e.g.
> use NetFlow v9)
> 17/Jan/2017 14:05:54 [nprobe.c:7488] The flows hash has 131072 buckets
> 17/Jan/2017 14:05:54 [nprobe.c:7490] Flows older than 120 seconds will be
> exported
> 17/Jan/2017 14:05:54 [nprobe.c:7493] Flows inactive for at least 30
> seconds will be exported
> 17/Jan/2017 14:05:54 [nprobe.c:7496] Expired flows will not be queued for
> more than 30 seconds
> 17/Jan/2017 14:05:54 [nprobe.c:7503] Exported flows with engineType 0 and
> engineId 18
> 17/Jan/2017 14:05:54 [nprobe.c:7525] TCP TOS will be ignored and set to 0.
> 17/Jan/2017 14:05:54 [nprobe.c:7543] After 1 flow packets are sent, we'll
> delay at least 1 ms
> 17/Jan/2017 14:05:54 [nprobe.c:7563] Flows will be emitted in NetFlow 5
> format
> 17/Jan/2017 14:05:57 [nprobe.c:7611] Flow input interface index is set to 0
> 17/Jan/2017 14:05:57 [nprobe.c:7617] Flow output interface index is set to
> 0
> 17/Jan/2017 14:05:57 [nprobe.c:7631] Not capturing packet from interface
> (collector mode)
> 17/Jan/2017 14:05:57 [util.c:2278] INIT: Parent process is exiting (this
> is normal)
> 17/Jan/2017 14:05:57 [util.c:2271] INIT: Bye bye: I'm becoming a daemon...
> 17/Jan/2017 14:05:57 [util.c:4036] Initializing ZMQ as server
> 17/Jan/2017 14:05:57 [util.c:4079] Succesfully created ZMQ endpoint
> tcp://*:5556
>
> Gerhard,
>
> On Jan 15, 2017, at 11:40 AM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Simones-MacBook-Pro:nprobe simone$ ./nprobe -f "not host 10.0.0.1" -i en0
> -n none --zmq tcp://*:5556 -b 2
> [...]
> 15/Jan/2017 17:38:59 [nprobe.c:6031] Packet capture filter set to "not
> host 10.0.0.1"
> [...]
>
>
>
>
>
> On Sun, Jan 15, 2017 at 5:07 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
>
>> Simone,
>>
>>
>> > BPF is not supported for collector interfaces. If you want to use it
>> then specify it on the nProbe.
>>
>> Can you show me an example, because I'm not able to do it on nprobe with
>> the -f option.
>>
>>
>> Gerhard Mourani
>> ------------------------------
>> *From:* Simone Mainardi <maina...@ntop.org>
>> *Sent:* January 15, 2017 9:55:58 AM
>> *To:* Gerhard Mourani
>> *Cc:* n...@unipi.it
>> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>>
>> Gerhard,
>>
>> On Fri, Jan 13, 2017 at 9:25 PM, Gerhard Mourani <gmour...@prival.ca>
>> wrote:
>>
>>> Simone,
>>>
>>> I found the problem: If you don't use the = sign on the filter parameter
>>> line, it doesn't see it.
>>>
>>> Doesn't work -> --packet-filter "ip and not proto ipv6 and not ether
>>> host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not
>>> host 192.168.2.227"
>>>
>>> Works -> --packet-filter="ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 192.168.2.227"
>>>
>>
>> That is true, I have made a fix.
>>
>> The point is that when the filter is not seen, *ntopng doesn't say
>> anything from the command line*. Nevertheless, in all your emails, you were
>> sending us logs with ntopng showing "Packet capture filter set on ..." so
>> it was not possible to figure out the cause of the issue. I don't know
>> which logs you were sending but for sure they were not consistent with the
>> claimed behavior. Next time please make sure to post logs that are actually
>> representative.
>>
>>
>>>
>>> Also, if I have eth0 and tcp://127.0.0.1:5556 as my NIC,
>>>
>>
>> BPF is not supported for collector interfaces. If you want to use it then
>> specify it on the nProbe.
>>
>>
>>> it doesn't work, here is the output:
>>>
>>> /usr/bin/ntopng /etc/ntopng/ntopng.conf
>>> 13/Jan/2017 15:20:15 [Prefs.cpp:715] Localhost HTTP user login disabled
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1121] Setting local networks to
>>> 192.168.2.0/24
>>> 13/Jan/2017 15:20:15 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
>>> with new value
>>> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
>>> with new value
>>> 13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from
>>> interface eth0...
>>> 13/Jan/2017 15:20:15 [PcapInterface.cpp:254] *Packet capture filter on
>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.227"*
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
>>> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
>>> with new value
>>> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
>>> with new value
>>> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] *ERROR: No filter can
>>> be set on a collector interface. Ignored ip and not proto ipv6 and not
>>> ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and
>>> not host 192.168.2.227*
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id:
>>> 0]
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 13/Jan/2017 15:20:15 [main.cpp:255] PID stored in file
>>> /var/run/ntopng/ntopng.pid
>>> 13/Jan/2017 15:20:15 [Utils.cpp:341] User changed to ntopng
>>> 13/Jan/2017 15:20:15 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 13/Jan/2017 15:20:15 [HTTPserver.cpp:515] HTTPS server listening on port
>>> 3001
>>> 13/Jan/2017 15:20:15 [main.cpp:295] Working directory:
>>> /var/lib/nst/ntopng
>>> 13/Jan/2017 15:20:15 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161019 - (C) 1998-2016 ntop.org
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 13/Jan/2017 15:20:15 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 13/Jan/2017 15:20:15 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local
>>> network for eth0
>>> 13/Jan/2017 15:20:15 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64
>>> as IPv6 local network for eth0
>>> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface eth0 [id: 0]...
>>> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface tcp://127.0.0.1:5556 [id: 1]...
>>> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:104] Collecting flows on
>>> tcp://127.0.0.1:5556 [ntopng->nprobe]
>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1058] Invalid packet received
>>> [len: 2934][MTU: 1518].
>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1059] WARNING: If you have
>>> TSO/GRO enabled, please disable it
>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1061] WARNING: Use: sudo
>>> ethtool -K eth0 gro off gso off tso off
>>> 13/Jan/2017 15:21:05 [main.cpp:37] Shutting down...
>>> 13/Jan/2017 15:21:05 [Redis.cpp:60] Redis has disconnected:
>>> reconnecting...
>>> Killed
>>>
>>> Gerhard,
>>>
>>> On Jan 13, 2017, at 3:00 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,  both.
>>>
>>> Even if I put the filter in a conf file it works:
>>>
>>> deri@centos6 203> cat /tmp/test.conf
>>> -i=eth0
>>> --packet-filter="ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 192.168.2.109"
>>> --community=
>>>
>>> deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
>>> 13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to
>>> 127.0.0.0/8
>>> 13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from
>>> interface eth0...
>>> 13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on
>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"
>>>
>>>
>>>
>>>
>>> On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> Simone,
>>>
>>> Did you run ntopng with the filter directly from the command line or via
>>> the configuration file? I think the problem happens when the filter is in
>>> the configuration file and you run ntopng to read it in this file.
>>>
>>> Gerhard,
>>>
>>>
>>> On Jan 11, 2017, at 5:13 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>> I've just tried to reproduce on centos6. The filter is working properly.
>>> I also tried to exclude the ntopng host and it works. So the only
>>> additional suggestion I have is to try and update ntopng to the latest
>>> stable.
>>>
>>> Regards
>>>
>>> On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> > The point here is that the filter doesn't contain any clause that
>>> matches host 10.0.0.39 ...
>>> Because, I've changed 10.0.0.39 for 192.168.2.227 for the test.
>>>
>>> Here is the one in prod with 10.0.0.39:
>>>
>>> [root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not
>>> proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8
>>>  or 239.0.0.0/8) and not host 10.0.0.39"
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to
>>> 127.0.0.0/8
>>> 10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from
>>> interface eth3...
>>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on
>>> eth3 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id:
>>> 2]
>>> 10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file
>>> /var/run/ntopng.pid
>>> 10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read
>>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>>> enable SSL.
>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port
>>> 3000
>>> 10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
>>> 10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161013 - (C) 1998-2016 ntop.org
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16 as IPv4 local
>>> network for eth3
>>> 10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64
>>> as IPv6 local network for eth3
>>> 10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface eth3 [id: 2]...
>>>
>>> Gerhard,
>>>
>>> On Jan 10, 2017, at 4:17 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>>
>>> On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> Simone,
>>>
>>> Here when launched from command line:
>>>
>>> [root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip and
>>> not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (
>>> 224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>>
>>> OK, so the filter is properly parsed. I went back through this thread
>>> and found that you complained that
>>>
>>> > "The issue is that even if 10.0.0.39 is filtered to be excluded, it
>>> appears in the view of top hosts.,"
>>>
>>> The point here is that the filter doesn't contain any clause that
>>> matches host 10.0.0.39 ...
>>>
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to
>>> 127.0.0.0/8
>>> 10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from
>>> interface eth0...
>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on
>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
>>> and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0 [id:
>>> 0]
>>> 10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file
>>> /var/run/ntopng.pid
>>> 10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read
>>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>>> enable SSL.
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port
>>> 3000
>>> 10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
>>> 10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161019 - (C) 1998-2016 ntop.org
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local
>>> network for eth0
>>> 10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64
>>> as IPv6 local network for eth0
>>> 10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface eth0 [id: 0]...
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet received
>>> [len: 1804][MTU: 1518].
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have
>>> TSO/GRO enabled, please disable it
>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo
>>> ethtool -K eth0 gro off gso off tso off
>>>
>>> Seems that the filter passed, but I can still see IP 192.168.2.227 on my
>>> list!
>>>
>>> Gerhard,
>>>
>>>
>>> On Jan 10, 2017, at 4:04 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>> From the logs I can't see anything that confirms ntopng has read/parsed
>>> the bpf filter specified. It looks like the filter is ignored. I am
>>> not sure those logs contain the full output, though.
>>>
>>> Can you please run ntopng in foreground and paste the output? Simply
>>> call /usr/local/bin/ntopng /etc/ntopng/ntopng.conf
>>>
>>> Regards,
>>> Simone
>>>
>>> On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> Configuration:
>>> --interface tcp://127.0.0.1:5556
>>> --packet-filter "ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 10.0.0.39"
>>> --local-networks 10.0.0.0/24,192.168.2.0/24
>>> --daemon
>>> --user ntopng
>>> --pid /var/run/ntopng/ntopng.pid
>>> --http-port 0
>>> --https-port 3001
>>> --data-dir /var/lib/nst/ntopng
>>> --dns-mode 1
>>> --disable-autologout
>>> --disable-login 0
>>> --sticky-hosts none
>>> --http-prefix /ntopng
>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>
>>> Log file:
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to
>>> 10.0.0.0/24,192.168.2.0/24
>>> 09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis
>>> 127.0.0.1:6379@0
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is
>>> normal)
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://
>>> 127.0.0.1:5556 [id: 1]
>>> 09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file
>>> /var/run/ntopng/ntopng.pid
>>> 09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs
>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on port
>>> 3001
>>> 09/Jan/2017 14:43:49 [main.cpp:295] Working directory:
>>> /var/lib/nst/ntopng
>>> 09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory:
>>> /usr/share/ntopng
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64
>>> v.2.4.161013 - (C) 1998-2016 ntop.org
>>> 09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>> 09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic
>>> activities loop...
>>> 09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>> 09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling
>>> on interface tcp://127.0.0.1:5556 [id: 1]...
>>> 09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows on
>>> tcp://127.0.0.1:5556 [ntopng->nprobe]
>>>
>>> Gerhard,
>>>
>>> On Jan 9, 2017, at 11:26 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard, please attach the configuration used and the full ntopng
>>> console output (or log file).
>>>
>>> On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> Simone,
>>>
>>> The issue is that even if 10.0.0.39 is filtered to be excluded, it
>>> appears in the view of top hosts. Also, the IP 0.0.0.0 appears and I
>>> don't have any idea about what it is?
>>>
>>>
>>>
>>> GERHARD MOURANI | Spécialiste Telecom – Concepteur Logiciel
>>> 450 761-9973 p634 | gmour...@prival.ca
>>> 9935, rue de Châteauneuf, bureau 120, Brossard, Québec, J4Z 3V4
>>> Québec 418 907-8356  | Ottawa 613 689-1539 | Toronto 416 645-5626
>>> facebook.com/Prival-230867980323343
>>> linkedin.com/company/prival
>>>
>>>
>>>
>>> On Jan 8, 2017, at 5:36 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>
>>> Gerhard,
>>>
>>> The filter is correct and properly parsed by ntopng. So what is the
>>> issue you are experiencing?
>>>
>>> Simone
>>>
>>> On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>> This doesn't work for me, I'm using the following parameters to exclude
>>> 10.0.0.39 which is my ntopng server IP:
>>> --packet-filter "ip and not proto ipv6 and not ether host
>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host
>>> 10.0.0.39"
>>>
>>> Gerhard,
>>>
>>> On Jan 5, 2017, at 12:09 PM, brett.sti...@cargocarriers.co.zw wrote:
>>>
>>> Thank you Simone.
>>>
>>> I will try that tomorrow morning.
>>>
>>> Much appreciated.
>>>
>>>
>>>
>>> On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <
>>> maina...@ntop.org> wrote:
>>>
>>> Brett, the filter is not complete. If you want to exclude 10.0.50.246
>>> set:
>>>
>>> --packet-filter="not host 10.0.50.246"
>>>
>>> If you look at the ntopng output you will see if the filter is parsed
>>> correctly.
>>>
>>>
>>>
>>>
>>> On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>
>>> Hi there.
>>>
>>>
>>>
>>> Thanks for getting back to me
>>>
>>>
>>>
>>> This is the contents of my ntopng.start file:-
>>>
>>>
>>>
>>> -G=/var/run/ntopng.pid
>>>
>>> --daemon=
>>>
>>> --local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>
>>> --packet-filter 10.0.50.246
>>>
>>> -m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>
>>> --track-local-hosts
>>>
>>>
>>>
>>> Regards,
>>>
>>>
>>>
>>> Brett
>>>
>>>
>>>
>>> *From:* Simone Mainardi [mailto:maina...@ntop.org]
>>> *Sent:* Thursday, January 05, 2017 3:26 PM
>>> *To:* n...@unipi.it
>>> *Cc:* ntop mailing list
>>> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>>>
>>>
>>>
>>>
>>> Hi,
>>>
>>>
>>>
>>> --packet-filter is the proper way to do that. Can you please report the
>>> exact filter you specified? Also check (and paste) ntopng output. ntopng
>>> prints a confirmation message if it has successfully parsed the filter.
>>>
>>>
>>>
>>>
>>> Regards
>>>
>>> Simone
>>>
>>>
>>>
>>> On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>
>>> Hi.
>>>
>>>
>>>
>>> Is there any way to exclude a subnet or a range of hosts from being
>>> monitored and appearing on the dashboard etc.
>>>
>>>
>>>
>>> Our servers are in a specific IP range and I am not interested in
>>> receiving their usage data.
>>>
>>>
>>>
>>> I tried -B and --packet-filter and “not” but they don’t seem to work.
>>>
>>>
>>>
>>> Thanks
>>>
>>>
>>> _______________________________________________
>>> Ntop mailing list
>>> Ntop@listgateway.unipi.it
>>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>>
>>>
>>>
>>>
>>> --
>>> Sent from my Android device with Email Mail. Please excuse my
>>> brevity.
>>
>
>
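
Added example, not part of the thread and not ntop project code: a Python check that reads ntopng console output and reports, per registered interface, whether the BPF filter was confirmed, rejected on a collector interface, or never acknowledged, plus a pre-flight check of the configuration file for the two pitfalls discussed above. The sample log and config are constructed from the line formats quoted in the thread, and the parser assumes the collector error line precedes that interface's "Registered interface" line, as it does in the quoted output.

```python
import re

# Constructed sample: unwrapped console lines in the formats quoted in the thread.
SAMPLE_LOG = """\
13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface eth0...
13/Jan/2017 15:20:15 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "not host 192.168.2.227"
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] ERROR: No filter can be set on a collector interface. Ignored not host 192.168.2.227
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 [id: 1]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
"""

# Constructed config in the one-option-per-line style shown in the thread.
SAMPLE_CONF = """\
--interface tcp://127.0.0.1:5556
--packet-filter "not host 10.0.0.39"
--https-port 3001
"""

APPLIED = re.compile(r'Packet capture filter on (\S+) set to "(.*)"')
IGNORED = re.compile(r"No filter can be set on a collector interface")
REGISTERED = re.compile(r"Registered interface (?!view )(\S+) \[id: \d+\]")


def filter_status(log_text):
    """Map each registered interface to 'applied', 'ignored' or 'unconfirmed'."""
    applied, status, ignored_pending = set(), {}, False
    for line in log_text.splitlines():
        if (m := APPLIED.search(line)):
            applied.add(m.group(1))
        elif IGNORED.search(line):
            # The error line does not name the interface; assume it refers to
            # the next interface registered (ordering seen in the thread).
            ignored_pending = True
        elif (m := REGISTERED.search(line)):
            name = m.group(1)
            if name in applied:
                status[name] = "applied"
            elif ignored_pending:
                status[name] = "ignored"
            else:
                status[name] = "unconfirmed"  # no confirmation line at all
            ignored_pending = False
    return status


def config_warnings(conf_text):
    """Flag the two configuration pitfalls reported in the thread."""
    opts = [line.strip() for line in conf_text.splitlines() if line.strip()]
    warnings = []
    if any(re.match(r"--packet-filter\s", o) for o in opts):
        # Reported for the ntopng 2.4 builds in the thread; a fix was made later.
        warnings.append("--packet-filter given without '=': filter may be silently dropped")
    has_filter = any(re.match(r"--packet-filter\b", o) for o in opts)
    collector = any(re.match(r"(-i|--interface)[=\s]+tcp://", o) for o in opts)
    if has_filter and collector:
        warnings.append("BPF filter set with a collector (tcp://) interface: not supported")
    return warnings


if __name__ == "__main__":
    for iface, state in filter_status(SAMPLE_LOG).items():
        print(f"{iface}: filter {state}")
    for warning in config_warnings(SAMPLE_CONF):
        print("config:", warning)
```

An "unconfirmed" or "ignored" result means traffic from the host that was meant to be excluded is still being accounted on that interface.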