Actually, you may already be seeing your web traffic - in the "other"
bucket - it's an artifact of how ntop classifies traffic.  Here's the code
(tcp, but udp is similar) from pbuf.c:

        /* choose most likely port for protocol traffic accounting
         * by trying lower number port first. This is based
         * on the assumption that lower port numbers are more likely
         * to be the servers and clients usually dont use ports <1024
         * This is only relevant if both port numbers are used to
         * gather service statistics.
         * e.g. traffic between port 2049 (nfsd) and 113 (nntp) will
         * be counted as nntp traffic in all directions by this heuristic
         * and not as nntp in one direction and nfs in the return direction.
         *
         * Courtesy of Andreas Pfaller <[EMAIL PROTECTED]>
         */
        if(dport < sport) {
          if(handleIP(dport, srcHostIdx, dstHostIdx, length,
                      isPassiveSession, actualDeviceId) == -1)
            handleIP(sport, srcHostIdx, dstHostIdx, length,
                     isPassiveSession, actualDeviceId);
        } else {
          if(handleIP(sport, srcHostIdx, dstHostIdx, length,
                      isPassiveSession, actualDeviceId) == -1)
            handleIP(dport, srcHostIdx, dstHostIdx, length,
                     isPassiveSession, actualDeviceId);
        }

The algorithm isn't perfect - if an http proxy (8080) connection picks 2049
as its "random" destination port, it will be counted as nfs traffic.  But
2050 - not matching anything - will be counted in your http bucket.

Without putting it into the protocol (-p) list, traffic on ports not listed
in the defaults is counted as other.  Remember, ntop simply examines each
packet, and classifies it based on IP & port (src and dst), vs. doing
connection tracking like the Linux OS does.

One thing to check is whether the change to the protocol file really is
working - each part is treated independently and the error checking isn't
all it could be.  Best way is to make the debug line in main.c around 497
"live"...

#ifdef DEBUG
      traceEvent(TRACE_INFO, "          %30s %s", proto, tmpStr);
#endif

(just delete the #ifdef and #endif, leaving the traceEvent() as open code)

-----Burton
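The lower-port-first heuristic described above, as an added stand-alone example (not code from ntop or from this thread): a constructed port table stands in for protocol.list, lookup_port() plays the role of handleIP() returning -1 on an unknown port, and classify_flow() reproduces the 8080/2049 vs. 8080/2050 outcomes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed protocol table standing in for ntop's protocol.list / -p list
 * (assumption: the real table comes from the user's configuration). */
struct proto_entry { unsigned short port; const char *name; };

static const struct proto_entry proto_table[] = {
    {   80, "http"   },
    { 8080, "http"   },  /* proxy ports folded into http, as in the -p line */
    { 8888, "http"   },
    {  443, "https"  },
    { 2049, "nfs"    },
    { 1521, "oracle" },
};

/* Stand-in for handleIP(): name for a listed port, NULL for an unlisted one
 * (where ntop's handleIP() returns -1). */
static const char *lookup_port(unsigned short port)
{
    size_t i;
    for (i = 0; i < sizeof proto_table / sizeof proto_table[0]; i++)
        if (proto_table[i].port == port)
            return proto_table[i].name;
    return NULL;
}

/* The pbuf.c heuristic: try the lower-numbered port first, fall back to the
 * other port, and anything still unmatched lands in the "Other" bucket. */
const char *classify_flow(unsigned short sport, unsigned short dport)
{
    unsigned short first  = (dport < sport) ? dport : sport;
    unsigned short second = (dport < sport) ? sport : dport;
    const char *name = lookup_port(first);
    if (name == NULL)
        name = lookup_port(second);
    return name ? name : "Other";
}

int main(void)
{
    /* Sample flows (constructed) covering the cases discussed in the thread. */
    printf("8080 -> 2049  : %s\n", classify_flow(8080, 2049));   /* nfs */
    printf("8080 -> 2050  : %s\n", classify_flow(8080, 2050));   /* http */
    printf("40000 -> 50000: %s\n", classify_flow(40000, 50000)); /* Other */
    printf("1521 -> 33000 : %s\n", classify_flow(1521, 33000));  /* oracle */
    return 0;
}
```

Per-packet classification like this is direction-agnostic, so a port collision on either side of the conversation moves the whole flow into the wrong bucket, which is the effect described above.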
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Craig
Humphrey
Sent: Monday, April 08, 2002 4:42 PM
To: '[EMAIL PROTECTED]'
Subject: [Ntop] How to get more detail on "Other IP" traffic?


Hi People,

Is there any way in ntop to break up "Other IP" traffic?  I'm seeing
significant amounts and would like to track it down a bit more before I
break out tcpdump or snort...

On a related note: how extensive is the protocol.list file?  I've modified
mine to include Oracle (on its own) and our proxies (under
http=http|https|web|8888|8080), but while I'm now seeing Oracle stats, I
haven't seen the increase in http traffic that I would have expected.

Thoughts people?

Soon'ish
Craig
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listmanager.unipi.it/mailman/listinfo/ntop