1. Reply to the list not me personally... 2. Neither: Get your head out of the application layers - packets travel the wire with 32bit ip address numbers and 8 bit port numbers in them (oh, yeah, and 48 bit MAC addresses). Any interpretation of those is part of the application layer.
Want a suggestion? Run tcpdump or ethereal or another packet sniffer for a few minutes and look at what you see. That's what ntop sees... -----Burton -----Original Message----- From: Matthew Boeckman [mailto:[EMAIL PROTECTED]] Sent: Friday, May 17, 2002 10:52 AM To: Burton M. Strauss III Subject: Re: [Ntop] name virtual hosts question ok, and i realise that this would be messy, but could you run multiple instances of ntop, each with a filter expression for the unique named hosts? i.e. ntop dst x.something.com ntop dst y.something.com etc? I'm guessing that that wouldn't work, although I don't know whether it would be because multiple ntops wouldn't play well together (maybe if each had seperate http ports, db's, etc?) or if it wouldn't work because DNS would resolve each of the x. y. to the same IP and ntop would still then report for *all* hosts... I am unfamiliar with sFlow/NetFlow, and will read up a bit more on those to see if that's a path i can follow. > How does Apache handle virtual hosts? It analyzes the flow at the > application level (layer 4) not the wire/packet/protocol (layers 1, 2 and > 3). It does this by re-assembling packets into a layer 4 message (e.g. GET > http://virtual.host.name.com/page.html)... i guess I had thought that since ntop is also doing DNS lookups that it might then be able to break that out... but i see why it cant/doesn't by default. I imagine that that would produce considerable load to have ntop and apache both looking at the headers of every packet... _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
