Hi,

> On 21 May 2020, at 14:55, David van Ginneken <[email protected]> wrote:
>
> Hi everyone,
>
> Starting with ntopng, I have a small issue initially setting it up.
>
> I use port mirroring on a switch to replicate all ports to port 5 where a
> dedicated ntopng interface 'listens' (Official package on raspbian 10).
> On that same switch I have my Internet gateway (Unifi USG3P) connected to
> port 1. This same device also acts as a DHCP/DNS server.
>
> When mirroring all ports BUT port 1, I receive alerts about thousands of DNS
> queries not being answered. I did confirm that with a pcap dump.

When you monitor just port 1, apart from the DNS queries unanswered alerts, do you get bi-directional traffic if you look at the flows page? Do you see the @1?

> So I went and started to mirror port 1 along with others, and the missing
> traffic (DNS replies) started to be collected.
> The issue is that with that configuration, all flows are listed twice in
> ntop. Internal hosts are showing normally and with "@1" at the end of the
> hostname.

@1 means VLAN=1, so VLAN-tagged packets are received from the mirror port. VLANs depend on your switch configuration. If you can disregard VLANs you can use option --ignore-vlans

> Is there a way for ntop to discard this duplicated traffic in the accounting
> of ntopng?

I am not sure the traffic is duplicated. It could be that ntopng is keeping the two directions of every flow separated due to the VLAN. Let's continue the investigation depending on your responses.

Simone

> It makes sense to me that it is detected as a host's traffic will be seen
> on its own switch port and then in many cases on port 1.
>
> Many thanks.
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
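The two questions in this thread (are the DNS replies reaching the mirror port at all, and are the "@1" flows really the same packets seen twice or just VLAN-tagged copies of one direction?) can be checked directly on a capture before touching ntopng options. The following is an added example, not code from the thread or from the ntopng project: a small stdlib-only Python frame inspector that decodes Ethernet, 802.1Q, IPv4, UDP and the DNS header, reports frames per VLAN, counts DNS queries that never received a matching answer, and counts frames that appear more than once once the VLAN tag is ignored. The helper names, MAC and IP addresses, and the sample frames are all constructed here to model the two mirroring setups described above (access ports only, and access ports plus port 1); checksums are left at zero and are not validated.

```python
"""Inspect raw Ethernet frames from a mirror port: VLAN tags, DNS query/answer
pairing, and frames seen twice (the 'every flow listed twice' symptom)."""
import struct
from collections import Counter

ETH_8021Q, ETH_IPV4, IPPROTO_UDP, DNS_PORT = 0x8100, 0x0800, 17, 53


def parse_frame(frame):
    """Decode Ethernet / 802.1Q / IPv4 / UDP / DNS headers; returns a dict or None."""
    if len(frame) < 14:
        return None
    etype = struct.unpack("!H", frame[12:14])[0]
    off, vlan = 14, None
    if etype == ETH_8021Q:                      # 802.1Q tag present: TCI then inner EtherType
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if etype != ETH_IPV4 or len(frame) < off + 20:
        return {"vlan": vlan, "ipv4": False}
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    ip_id, proto = struct.unpack("!H", ip[4:6])[0], ip[9]
    src, dst = ip[12:16], ip[16:20]
    rec = {"vlan": vlan, "ipv4": True,
           "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
           "proto": proto, "ip_id": ip_id, "sport": None, "dport": None,
           "dns_txid": None, "dns_response": None,
           # identity of the IP packet only, so a tagged and an untagged copy collide
           "dup_key": (ip_id, proto, bytes(src), bytes(dst), bytes(ip[ihl:]))}
    if proto == IPPROTO_UDP and len(ip) >= ihl + 8:
        rec["sport"], rec["dport"] = struct.unpack("!HH", ip[ihl:ihl + 4])
        if DNS_PORT in (rec["sport"], rec["dport"]) and len(ip) >= ihl + 12:
            txid, flags = struct.unpack("!HH", ip[ihl + 8:ihl + 12])
            rec["dns_txid"], rec["dns_response"] = txid, bool(flags & 0x8000)  # QR bit
    return rec


def summarize(frames):
    """Per-VLAN frame counts, duplicate frames, and DNS queries left unanswered."""
    vlans, dup_keys = Counter(), Counter()
    queries, answered = set(), set()
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            continue
        vlans[rec["vlan"]] += 1
        if not rec["ipv4"]:
            continue
        dup_keys[rec["dup_key"]] += 1
        if rec["dns_response"] is None:
            continue
        if rec["dns_response"]:       # answer travels back to the client's source port
            answered.add((rec["dns_txid"], rec["dst"], rec["dport"]))
        else:
            queries.add((rec["dns_txid"], rec["src"], rec["sport"]))
    return {"frames_per_vlan": dict(vlans),
            "duplicate_frames": sum(n - 1 for n in dup_keys.values() if n > 1),
            "dns_queries": len(queries),
            "dns_unanswered": len(queries - answered)}


def build_dns_frame(src_ip, dst_ip, sport, dport, txid, response, vlan=None, ip_id=1):
    """Constructed Ethernet/IPv4/UDP/DNS frame for testing (checksums left zero)."""
    flags, ancount = (0x8180, 1) if response else (0x0100, 0)
    dns = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ip_id, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split(".")))) + udp
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"   # constructed MACs
    if vlan is None:
        return eth + struct.pack("!H", ETH_IPV4) + ip
    return eth + struct.pack("!HHH", ETH_8021Q, vlan, ETH_IPV4) + ip


CLIENT, RESOLVER = "192.168.1.50", "192.168.1.1"   # constructed addresses


def scenario_without_gateway_port():
    # Only access ports mirrored: queries leave the clients, answers never pass the mirror.
    return [build_dns_frame(CLIENT, RESOLVER, 40000, 53, 0x1234, False, ip_id=10),
            build_dns_frame(CLIENT, RESOLVER, 40001, 53, 0x1235, False, ip_id=11)]


def scenario_with_gateway_port():
    # Access ports plus the gateway port: each packet is mirrored twice, the copy
    # taken from the gateway port carrying a VLAN 1 tag.
    return [build_dns_frame(CLIENT, RESOLVER, 40000, 53, 0x1234, False, ip_id=10),
            build_dns_frame(CLIENT, RESOLVER, 40000, 53, 0x1234, False, ip_id=10, vlan=1),
            build_dns_frame(RESOLVER, CLIENT, 53, 40000, 0x1234, True, ip_id=20, vlan=1),
            build_dns_frame(RESOLVER, CLIENT, 53, 40000, 0x1234, True, ip_id=20)]


if __name__ == "__main__":
    print("access ports only:", summarize(scenario_without_gateway_port()))
    print("with gateway port:", summarize(scenario_with_gateway_port()))
```

On a real capture, feed the raw frames (for example each packet's bytes from a pcap reader) into summarize() instead of the constructed scenarios: a non-zero "duplicate_frames" with a matching count under VLAN 1 points at genuine double mirroring, whereas tagged frames that are not duplicates mean ntopng is simply keeping the tagged direction apart, which is the case the --ignore-vlans option addresses.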
