Gerhard,

BPF filters are only available for packet interfaces, not for Netflow.

Regards,
Simone
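
The checks discussed in this thread, collected as an added example (not part of the original messages and not ntop code): it reads ntopng startup output to tell, per interface, whether a BPF filter was applied, ignored on a collector interface, or never seen, and lints a configuration for the `--packet-filter` mistakes reported below. The sample log and configuration are constructed from the messages quoted in the thread; the function names, finding codes and the assumption that the collector error precedes that interface's registration line are illustrative.

```python
import re

APPLIED = re.compile(r'Packet capture filter on (\S+) set to "')
IGNORED = re.compile(r"No filter can be set on a collector interface")
REGISTERED = re.compile(r"Registered interface (\S+) \[id: \d+\]")

# Constructed sample, modelled on the ntopng startup lines quoted in the thread.
SAMPLE_LOG = """\
13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface eth0...
13/Jan/2017 15:20:15 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "not host 192.168.2.227"
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] ERROR: No filter can be set on a collector interface. Ignored not host 192.168.2.227
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 [id: 1]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
"""

# Constructed sample configuration: filter given without '=' on a collector interface.
SAMPLE_CONF = """\
--interface tcp://127.0.0.1:5556
--packet-filter "ip and not host 10.0.0.39"
"""


def filter_status(log_text):
    """Map each registered ntopng interface to 'applied', 'ignored' or 'none'."""
    status, ignored_pending = {}, False
    for line in log_text.splitlines():
        m = APPLIED.search(line)
        if m:
            status[m.group(1)] = "applied"
        elif IGNORED.search(line):
            # Assumption: as in the thread's log, this error is printed just
            # before the collector interface it refers to is registered.
            ignored_pending = True
        else:
            m = REGISTERED.search(line)
            if m and ignored_pending:
                status[m.group(1)], ignored_pending = "ignored", False
            elif m:
                # No filter message at all: the option was never seen.
                status.setdefault(m.group(1), "none")
    return status


def lint_conf(conf_text):
    """Return finding codes for the --packet-filter mistakes seen in the thread."""
    findings, interfaces, has_filter = [], [], False
    for line in (raw.strip() for raw in conf_text.splitlines()):
        m = re.match(r"(?:-i|--interface)[=\s]+(\S+)", line)
        if m:
            interfaces.append(m.group(1))
        if line.startswith("--packet-filter"):
            has_filter = True
            rest = line[len("--packet-filter"):]
            if not rest.startswith("="):
                # Reported in the thread as silently not seen (fixed afterwards).
                findings.append("missing-equals")
            value = rest.lstrip("= ").strip('"')
            if re.fullmatch(r"[0-9./]+", value):
                findings.append("bare-address")  # an address alone is not a BPF expression
    if has_filter:
        # BPF is not supported on collector (tcp://) interfaces.
        findings += ["collector-interface" for i in interfaces if i.startswith("tcp://")]
    return findings


if __name__ == "__main__":
    print(filter_status(SAMPLE_LOG))
    print(lint_conf(SAMPLE_CONF))
```

An interface reported as `none` or `ignored` is still being monitored in full, so the host meant to be excluded will keep appearing in the views.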



On Wed, Jan 18, 2017 at 1:59 PM, Gerhard Mourani <gmour...@prival.ca> wrote:

> Hi Simone,
>
> Here is the configuration used:
>
> /usr/local/bin/nprobe -f "not host 192.168.2.227" -i none -n none --zmq
> tcp://*:5556 -b 2 -3 6343 
> --as-list=/usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
> --city-list=/usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat -G
> --pid-file /var/run/nprobe/nprobe.pid
>
> Gerhard,
>
>
> On Jan 18, 2017, at 4:01 AM, Simone Mainardi <maina...@ntop.org> wrote:
>
> Gerhard,
>
> what's the nprobe configuration used?
>
> Simone
>
>
> On Tue, Jan 17, 2017 at 8:08 PM, Gerhard Mourani <gmour...@prival.ca>
> wrote:
>
>> Hi Simone,
>>
>> Seems it doesn't work with my version 7.4.170109 of nprobe!
>>
>> Starting nProbe: 17/Jan/2017 14:05:54 [nprobe.c:3407] Valid nProbe
>> license found
>> 17/Jan/2017 14:05:54 [util.c:434] GeoIP: loaded AS config file
>> /usr/share/ntopng/httpdocs/geoip/GeoIPASNum.dat
>> 17/Jan/2017 14:05:54 [util.c:445] GeoIP: loaded AS IPv6 config file
>> /usr/share/ntopng/httpdocs/geoip/GeoIPASNumv6.dat
>> 17/Jan/2017 14:05:54 [util.c:474] GeoIP: loaded cities config file
>> /usr/share/ntopng/httpdocs/geoip/GeoLiteCity.dat
>> 17/Jan/2017 14:05:54 [util.c:484] GeoIP: loaded IPv6 cities config file
>> /usr/share/ntopng/httpdocs/geoip/GeoLiteCityv6.dat
>> 17/Jan/2017 14:05:54 [nprobe.c:4872] WARNING: The output interfaceId is
>> set to 0: did you forget to use -Q perhaps ?
>> 17/Jan/2017 14:05:54 [nprobe.c:4875] WARNING: The input interfaceId is
>> set to 0: did you forget to use -u perhaps ?
>> 17/Jan/2017 14:05:54 [nprobe.c:4975] Welcome to nProbe v.7.4.170109
>> ($Revision: 5334 $) for x86_64-unknown-linux-gnu with native PF_RING
>> acceleration
>> 17/Jan/2017 14:05:54 [nprobe.c:4985] Running on CentOS release 6.8 (Final)
>> 17/Jan/2017 14:05:54 [nprobe.c:4996] [LICENSE] nProbe SystemId:
>> 3B86CF9076076A80
>> 17/Jan/2017 14:05:54 [nprobe.c:5047] Tracing enabled
>> 17/Jan/2017 14:05:54 [plugin.c:250] 0 plugin(s) loaded [0 delete][0
>> packet].
>> 17/Jan/2017 14:05:54 [nprobe.c:7308] Welcome to nProbe v.7.4.170109 for
>> x86_64-unknown-linux-gnu
>> 17/Jan/2017 14:05:54 [nprobe.c:6350] GEO-533LITE 20170103 Build 1
>> Copyright (c) 2017 MaxMind Inc All Rights Reser
>> 17/Jan/2017 14:05:54 [nprobe.c:6352] GEO-117 20170107 Build 1 Copyright
>> (c) 2017 MaxMind Inc All Rights Reser
>> 17/Jan/2017 14:05:54 [nprobe.c:6378] Compiling flow templates...
>> 17/Jan/2017 14:05:54 [plugin.c:1045] 0 plugin(s) enabled
>> 17/Jan/2017 14:05:54 [nprobe.c:6836] Non IPv4/v6 traffic is discarded
>> according to the template
>> *17/Jan/2017 14:05:54 [nprobe.c:7391] WARNING: You cannot use BPF filters
>> (not) in collector/proxy mode: BPF filter disabled*
>> 17/Jan/2017 14:05:54 [nprobe.c:5495] Using packet capture length 128
>> 17/Jan/2017 14:05:54 [nprobe.c:7484] IPv6 traffic will NOT be
>> exported/accounted by this probe
>> 17/Jan/2017 14:05:54 [nprobe.c:7485] due to configuration options (e.g.
>> use NetFlow v9)
>> 17/Jan/2017 14:05:54 [nprobe.c:7488] The flows hash has 131072 buckets
>> 17/Jan/2017 14:05:54 [nprobe.c:7490] Flows older than 120 seconds will be
>> exported
>> 17/Jan/2017 14:05:54 [nprobe.c:7493] Flows inactive for at least 30
>> seconds will be exported
>> 17/Jan/2017 14:05:54 [nprobe.c:7496] Expired flows will not be queued for
>> more than 30 seconds
>> 17/Jan/2017 14:05:54 [nprobe.c:7503] Exported flows with engineType 0 and
>> engineId 18
>> 17/Jan/2017 14:05:54 [nprobe.c:7525] TCP TOS will be ignored and set to 0.
>> 17/Jan/2017 14:05:54 [nprobe.c:7543] After 1 flow packets are sent, we'll
>> delay at least 1 ms
>> 17/Jan/2017 14:05:54 [nprobe.c:7563] Flows will be emitted in NetFlow 5
>> format
>> 17/Jan/2017 14:05:57 [nprobe.c:7611] Flow input interface index is set to
>> 0
>> 17/Jan/2017 14:05:57 [nprobe.c:7617] Flow output interface index is set
>> to 0
>> 17/Jan/2017 14:05:57 [nprobe.c:7631] Not capturing packet from interface
>> (collector mode)
>> 17/Jan/2017 14:05:57 [util.c:2278] INIT: Parent process is exiting (this
>> is normal)
>> 17/Jan/2017 14:05:57 [util.c:2271] INIT: Bye bye: I'm becoming a daemon...
>> 17/Jan/2017 14:05:57 [util.c:4036] Initializing ZMQ as server
>> 17/Jan/2017 14:05:57 [util.c:4079] Succesfully created ZMQ endpoint
>> tcp://*:5556
>>
>> Gerhard,
>>
>> On Jan 15, 2017, at 11:40 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>
>> Simones-MacBook-Pro:nprobe simone$ ./nprobe -f "not host 10.0.0.1" -i en0
>> -n none --zmq tcp://*:5556 -b 2
>> [...]
>> 15/Jan/2017 17:38:59 [nprobe.c:6031] Packet capture filter set to "not
>> host 10.0.0.1"
>> [...]
>>
>>
>>
>>
>>
>> On Sun, Jan 15, 2017 at 5:07 PM, Gerhard Mourani <gmour...@prival.ca>
>> wrote:
>>
>>> Simone,
>>>
>>>
>>> > BPF is not supported for collector interfaces. If you want to use it
>>> then specify it on the nProbe.
>>>
>>> Can you show me an example, because I'm not able to do it on nprobe with
>>> the -f option.
>>>
>>>
>>> Gerhard Mourani
>>> ------------------------------
>>> *From:* Simone Mainardi <maina...@ntop.org>
>>> *Sent:* January 15, 2017 9:55:58 AM
>>> *To:* Gerhard Mourani
>>> *Cc:* n...@unipi.it
>>> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>>>
>>> Gerhard,
>>>
>>> On Fri, Jan 13, 2017 at 9:25 PM, Gerhard Mourani <gmour...@prival.ca>
>>> wrote:
>>>
>>>> Simone,
>>>>
>>>> I found the problem: If you don't use the = sign on the filter parameter
>>>> line, it doesn't see it.
>>>>
>>>> Doesn't work -> --packet-filter "ip and not proto ipv6 and not ether
>>>> host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8)
>>>> and not host 192.168.2.227"
>>>>
>>>> Works -> --packet-filter="ip and not proto ipv6 and not ether host
>>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not
>>>> host 192.168.2.227"
>>>>
>>>
>>> That is true, I have made a fix.
>>>
>>> The point is that when the filter is not seen, *ntopng doesn't say
>>> anything from the command line*. Nevertheless, in all your emails, you were
>>> sending us logs with ntopng showing "Packet capture filter set on ..." so
>>> it was not possible to figure out the cause of the issue. I don't know
>>> which logs you were sending but for sure they were not consistent with the
>>> claimed behavior. Next time please make sure to post logs that are actually
>>> representative.
>>>
>>>
>>>>
>>>> Also, if I've eth0 and tcp://127.0.0.1:5556 as my NIC,
>>>>
>>>
>>> BPF is not supported for collector interfaces. If you want to use it
>>> then specify it on the nProbe.
>>>
>>>
>>>> it doesn't work, here is the output:
>>>>
>>>> /usr/bin/ntopng /etc/ntopng/ntopng.conf
>>>> 13/Jan/2017 15:20:15 [Prefs.cpp:715] Localhost HTTP user login disabled
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1121] Setting local networks to
>>>> 192.168.2.0/24
>>>> 13/Jan/2017 15:20:15 [Redis.cpp:92] Successfully connected to redis
>>>> 127.0.0.1:6379@0
>>>> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
>>>> with new value
>>>> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
>>>> with new value
>>>> 13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from
>>>> interface eth0...
>>>> 13/Jan/2017 15:20:15 [PcapInterface.cpp:254] *Packet capture filter on
>>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.227"*
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
>>>> [NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it
>>>> with new value
>>>> [NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it
>>>> with new value
>>>> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] *ERROR: No filter
>>>> can be set on a collector interface. Ignored ip and not proto ipv6 and not
>>>> ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and
>>>> not host 192.168.2.227*
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://
>>>> 127.0.0.1:5556 [id: 1]
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0
>>>> [id: 0]
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view tcp://
>>>> 127.0.0.1:5556 [id: 1]
>>>> 13/Jan/2017 15:20:15 [main.cpp:255] PID stored in file
>>>> /var/run/ntopng/ntopng.pid
>>>> 13/Jan/2017 15:20:15 [Utils.cpp:341] User changed to ntopng
>>>> 13/Jan/2017 15:20:15 [HTTPserver.cpp:509] Web server dirs
>>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>>> 13/Jan/2017 15:20:15 [HTTPserver.cpp:515] HTTPS server listening on
>>>> port 3001
>>>> 13/Jan/2017 15:20:15 [main.cpp:295] Working directory:
>>>> /var/lib/nst/ntopng
>>>> 13/Jan/2017 15:20:15 [main.cpp:297] Scripts/HTML pages directory:
>>>> /usr/share/ntopng
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:271] Welcome to ntopng x86_64
>>>> v.2.4.161019 - (C) 1998-2016 ntop.org
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>>> 13/Jan/2017 15:20:15 [PeriodicActivities.cpp:53] Started periodic
>>>> activities loop...
>>>> 13/Jan/2017 15:20:15 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4
>>>> local network for eth0
>>>> 13/Jan/2017 15:20:15 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64
>>>> as IPv6 local network for eth0
>>>> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling
>>>> on interface eth0 [id: 0]...
>>>> 13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling
>>>> on interface tcp://127.0.0.1:5556 [id: 1]...
>>>> 13/Jan/2017 15:20:15 [CollectorInterface.cpp:104] Collecting flows on
>>>> tcp://127.0.0.1:5556 [ntopng->nprobe]
>>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1058] Invalid packet
>>>> received [len: 2934][MTU: 1518].
>>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1059] WARNING: If you have
>>>> TSO/GRO enabled, please disable it
>>>> 13/Jan/2017 15:20:16 [NetworkInterface.cpp:1061] WARNING: Use: sudo
>>>> ethtool -K eth0 gro off gso off tso off
>>>> 13/Jan/2017 15:21:05 [main.cpp:37] Shutting down...
>>>> 13/Jan/2017 15:21:05 [Redis.cpp:60] Redis has disconnected:
>>>> reconnecting...
>>>> Killed
>>>>
>>>> Gerhard,
>>>>
>>>> On Jan 13, 2017, at 3:00 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard,  both.
>>>>
>>>> Even if I put the filter in a conf file it works:
>>>>
>>>> deri@centos6 203> cat /tmp/test.conf
>>>> -i=eth0
>>>> --packet-filter="ip and not proto ipv6 and not ether host
>>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not
>>>> host 192.168.2.109"
>>>> --community=
>>>>
>>>> deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
>>>> 13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to
>>>> 127.0.0.0/8
>>>> 13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis
>>>> 127.0.0.1:6379@0
>>>> 13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from
>>>> interface eth0...
>>>> 13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on
>>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <gmour...@prival.ca> wrote:
>>>> Simone,
>>>>
>>>> Did you run ntopng with the filter directly from the command line or
>>>> via the configuration file? I think the problem happens when the filter is
>>>> in the configuration file and you run ntopng to read it in this file.
>>>>
>>>> Gerhard,
>>>>
>>>>
>>>> On Jan 11, 2017, at 5:13 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>> I've just tried to reproduce on centos6. The filter is working
>>>> properly. I also tried to exclude the ntopng host and it works. So the only
>>>> additional suggestion I have is to try and update ntopng to the latest
>>>> stable.
>>>>
>>>> Regards
>>>>
>>>> On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <gmour...@prival.ca
>>>> > wrote:
>>>> > The point here is that the filter doesn't contain any clause that
>>>> matches host 10.0.0.39 ...
>>>> Because, I've changed 10.0.0.39 for 192.168.2.227 for the test.
>>>>
>>>> Here is the one in prod with 10.0.0.39:
>>>>
>>>> [root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not
>>>> proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (
>>>> 224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to
>>>> 127.0.0.0/8
>>>> 10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis
>>>> 127.0.0.1:6379@0
>>>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from
>>>> interface eth3...
>>>> 10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on
>>>> eth3 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and
>>>> not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3
>>>> [id: 2]
>>>> 10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file
>>>> /var/run/ntopng.pid
>>>> 10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
>>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read
>>>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>>>> enable SSL.
>>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs
>>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>>> 10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port
>>>> 3000
>>>> 10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
>>>> 10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory:
>>>> /usr/share/ntopng
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64
>>>> v.2.4.161013 - (C) 1998-2016 ntop.org
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>>> 10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic
>>>> activities loop...
>>>> 10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16 as IPv4
>>>> local network for eth3
>>>> 10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64
>>>> as IPv6 local network for eth3
>>>> 10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling
>>>> on interface eth3 [id: 2]...
>>>>
>>>> Gerhard,
>>>>
>>>> On Jan 10, 2017, at 4:17 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>>
>>>> On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <gmour...@prival.ca
>>>> > wrote:
>>>> Simone,
>>>>
>>>> Here when launched from command line:
>>>>
>>>> [root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip
>>>> and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (
>>>> 224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>>>
>>>> OK, so the filter is properly parsed. I went back through this thread
>>>> and found that you complained that
>>>>
>>>> > "The issue is that even if 10.0.0.39 is filtered to be excluded, it
>>>> appears in the view of top hosts.,"
>>>>
>>>> The point here is that the filter doesn't contain any clause that
>>>> matches host 10.0.0.39 ...
>>>>
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to
>>>> 127.0.0.0/8
>>>> 10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis
>>>> 127.0.0.1:6379@0
>>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from
>>>> interface eth0...
>>>> 10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on
>>>> eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff
>>>> and not net (224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0
>>>> [id: 0]
>>>> 10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file
>>>> /var/run/ntopng.pid
>>>> 10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
>>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read
>>>> https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to
>>>> enable SSL.
>>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs
>>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>>> 10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port
>>>> 3000
>>>> 10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
>>>> 10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory:
>>>> /usr/share/ntopng
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64
>>>> v.2.4.161019 - (C) 1998-2016 ntop.org
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>>> 10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic
>>>> activities loop...
>>>> 10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4
>>>> local network for eth0
>>>> 10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64
>>>> as IPv6 local network for eth0
>>>> 10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling
>>>> on interface eth0 [id: 0]...
>>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet
>>>> received [len: 1804][MTU: 1518].
>>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have
>>>> TSO/GRO enabled, please disable it
>>>> 10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo
>>>> ethtool -K eth0 gro off gso off tso off
>>>>
>>>> Seems that the filter passed but I can still see IP 192.168.2.227 on my
>>>> list!
>>>>
>>>> Gerhard,
>>>>
>>>>
>>>> On Jan 10, 2017, at 4:04 PM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>> From the logs I can't see anything that confirms ntopng has read/parsed
>>>> the bpf filter specified. It looks like the filter is ignored. I am
>>>> not sure those logs contain the full output, though.
>>>>
>>>> Can you please run ntopng in foreground and paste the output? Simply
>>>> call /usr/local/bin/ntopng /etc/ntopng/ntopng.conf
>>>>
>>>> Regards,
>>>> Simone
>>>>
>>>> On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <gmour...@prival.ca>
>>>> wrote:
>>>> Configuration:
>>>> --interface tcp://127.0.0.1:5556
>>>> --packet-filter "ip and not proto ipv6 and not ether host
>>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not
>>>> host 10.0.0.39"
>>>> --local-networks 10.0.0.0/24,192.168.2.0/24
>>>> --daemon
>>>> --user ntopng
>>>> --pid /var/run/ntopng/ntopng.pid
>>>> --http-port 0
>>>> --https-port 3001
>>>> --data-dir /var/lib/nst/ntopng
>>>> --dns-mode 1
>>>> --disable-autologout
>>>> --disable-login 0
>>>> --sticky-hosts none
>>>> --http-prefix /ntopng
>>>> --ndpi-protocols /etc/ntopng/protos.txt
>>>>
>>>> Log file:
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to
>>>> 10.0.0.0/24,192.168.2.0/24
>>>> 09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis
>>>> 127.0.0.1:6379@0
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is
>>>> normal)
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://
>>>> 127.0.0.1:5556 [id: 1]
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://
>>>> 127.0.0.1:5556 [id: 1]
>>>> 09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file
>>>> /var/run/ntopng/ntopng.pid
>>>> 09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
>>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs
>>>> [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
>>>> 09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on
>>>> port 3001
>>>> 09/Jan/2017 14:43:49 [main.cpp:295] Working directory:
>>>> /var/lib/nst/ntopng
>>>> 09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory:
>>>> /usr/share/ntopng
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64
>>>> v.2.4.161013 - (C) 1998-2016 ntop.org
>>>> 09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
>>>> 09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic
>>>> activities loop...
>>>> 09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
>>>> 09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling
>>>> on interface tcp://127.0.0.1:5556 [id: 1]...
>>>> 09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows on
>>>> tcp://127.0.0.1:5556 [ntopng->nprobe]
>>>>
>>>> Gerhard,
>>>>
>>>> On Jan 9, 2017, at 11:26 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard, please attach the configuration used and the full ntopng
>>>> console output (or log file).
>>>>
>>>> On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <gmour...@prival.ca>
>>>> wrote:
>>>> Simone,
>>>>
>>>> The issue is that even if 10.0.0.39 is filtered to be excluded, it
>>>> appears in the view of top hosts. Also, the IP 0.0.0.0 appears and I
>>>> don't have any idea about what it is?
>>>>
>>>>
>>>>
>>>> GERHARD MOURANI | Spécialiste Telecom – Concepteur Logiciel
>>>> 450 761-9973 p634 | gmour...@prival.ca
>>>> 9935, rue de Châteauneuf, bureau 120, Brossard, Québec, J4Z 3V4
>>>> Québec 418 907-8356  | Ottawa 613 689-1539 | Toronto 416 645-5626
>>>> facebook.com/Prival-230867980323343
>>>> linkedin.com/company/prival
>>>>
>>>>
>>>>
>>>> On Jan 8, 2017, at 5:36 AM, Simone Mainardi <maina...@ntop.org> wrote:
>>>>
>>>> Gerhard,
>>>>
>>>> The filter is correct and properly parsed by ntopng. So what is the
>>>> issue you are experiencing?
>>>>
>>>> Simone
>>>>
>>>> On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <gmour...@prival.ca>
>>>> wrote:
>>>> This doesn't work for me, I'm using the following parameters to exclude
>>>> 10.0.0.39 which is my ntopng server IP:
>>>> --packet-filter "ip and not proto ipv6 and not ether host
>>>> ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not
>>>> host 10.0.0.39"
>>>>
>>>> Gerhard,
>>>>
>>>> On Jan 5, 2017, at 12:09 PM, brett.sti...@cargocarriers.co.zw wrote:
>>>>
>>>> Thank you Simone.
>>>>
>>>> I will try that tomorrow morning.
>>>>
>>>> Much appreciated.
>>>>
>>>>
>>>>
>>>> On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <
>>>> maina...@ntop.org> wrote:
>>>>
>>>> Brett, the filter is not complete. If you want to exclude 10.0.50.246
>>>> set:
>>>>
>>>> --packet-filter="not host 10.0.50.246"
>>>>
>>>> If you look at the ntopng output you will see if the filter is parsed
>>>> correctly.
>>>>
>>>>
>>>>
>>>>
>>>> On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
>>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>>
>>>> Hi there.
>>>>
>>>>
>>>>
>>>> Thanks for getting back to me
>>>>
>>>>
>>>>
>>>> This is the contents of my ntopng.start file:-
>>>>
>>>>
>>>>
>>>> -G=/var/run/ntopng.pid
>>>>
>>>> --daemon=
>>>>
>>>> --local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>>
>>>> --packet-filter 10.0.50.246
>>>>
>>>> -m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"
>>>>
>>>> --track-local-hosts
>>>>
>>>>
>>>>
>>>> Regards,
>>>>
>>>>
>>>>
>>>> Brett
>>>>
>>>>
>>>>
>>>> *From:* Simone Mainardi [mailto:maina...@ntop.org]
>>>> *Sent:* Thursday, January 05, 2017 3:26 PM
>>>> *To:* n...@unipi.it
>>>> *Cc:* ntop mailing list
>>>> *Subject:* Re: [Ntop] Excluding hosts or a subnet from being monitored
>>>>
>>>>
>>>>
>>>>
>>>> Hi,
>>>>
>>>>
>>>>
>>>> --packet-filter is the proper way to do that. Can you please report the
>>>> exact filter you specified? Also check (and paste) ntopng output. ntopng
>>>> prints a confirmation message if it has successfully parsed the filter.
>>>>
>>>>
>>>>
>>>>
>>>> Regards
>>>>
>>>> Simone
>>>>
>>>>
>>>>
>>>> On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
>>>> brett.sti...@cargocarriers.co.zw> wrote:
>>>>
>>>> Hi.
>>>>
>>>>
>>>>
>>>> Is there any way to exclude a subnet or a range of hosts from being
>>>> monitored and appearing on the dashboard etc.
>>>>
>>>>
>>>>
>>>> Our servers are in a specific IP range and I am not interested in
>>>> receiving their usage data.
>>>>
>>>>
>>>>
>>>> I tried -B and --packet-filter and “not” but they don’t seem to work.
>>>>
>>>>
>>>>
>>>> Thanks
>>>>
>>>>
>>>> _______________________________________________
>>>> Ntop mailing list
>>>> Ntop@listgateway.unipi.it
>>>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Sent from my Android device with Email Mail. Please excuse my brevity.