But that's exactly why Luca introduced the -j | --border-sniffer-mode switch. Because ntop uses MAC addresses for many things, when the switch rewrites them on the monitoring port, ntop gets confused.
Quoting from Luca's comment to my change log proposal (because it's the best short version I've seen):

-j is used when you are starting ntop on a mirrored interface where you cannot trust MAC addresses. Note that:
1. -j usually requires you to specify the local network (-m) as a mirrored interface might have a wrong/ip-less/private IP address.
2. -j disables some features as TCP session tracking etc.
In future versions -j will disappear and it will be replaced with more flags for better controlling all these options.

You said, "My assumption was that the "border Sniffer Mode" makes Ntop only use IP addresses for its comparison instead of MAC addresses. This assumption is obviously wrong."

Actually, you are right - that's what it does. It's just that there are LOTS of cases, and ntop - today - doesn't handle them all.

-j is a bit of a hack... the history is that Luca added it right after releasing 2.0 when he found that ntop 2.0 would not correctly monitor the U of Pisa network (which, after all, is the entire reason ntop came into existence). That's why he disappeared from the list in December 2001... (and why I started shooting my mouth off and answering all of the questions).

But for now, -j is a chainsaw, not a scalpel. It was a matter of adding some high-level switches to turn off chunks of code which referenced MAC address, with the plan to go back and make them more surgical. At the time, he needed to get ntop working, rather than carefully analyzing each situation to determine whether it could use IP or needed MAC.

So, basically, what I had you try was to see if undoing the chainsaw thing worked - for you - in your environment. It doesn't, so you're stuck with what the tool does. Not good enough? Dust off those old programming skills and dive in. We'd love the help!
-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eugene Spiker
Sent: Thursday, June 13, 2002 12:45 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Session Information when in border sniffer mode

Burton,

Thanks for the suggestion. I found the area in initialize.c you suggested and tried changing the settings various ways. It didn't help much. The only thing I was able to change was the message on the web display. It used to indicate that the session information was not available due to the configuration flags. It now says there are no active sessions. There are no sessions displayed on the WEB display and there are no TCPsessions written to the mySQL database via the -b flag. (I haven't figured out the new -v option yet. There must be more to it than what is in the man page.)

To give a little more information why I am using this mode: A single Cisco or other brand for that matter does not need "border Sniffer Mode". When the switch is connected to other switches using "trunk" configurations then the "trunk" port MAC address shows up as the MAC address for all the IP addresses coming across from the other switch via the "trunk" port. The reports are therefore very confused, to say the least. My assumption was that the "border Sniffer Mode" makes Ntop only use IP addresses for its comparison instead of MAC addresses. This assumption is obviously wrong.

I am not a C programmer, by any stretch of the imagination. I can make minor changes if it is obvious enough, and I can follow the "make clean" "make" "make install" process, but that is about it.

If you or anyone else has other suggestions, let me know and I will try them out.

Gene

-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 12, 2002 10:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: [Ntop] Session Information when in border sniffer mode

The menus are just html files.
There is a set for regular mode and a j_xxx.html set for border sniffer mode. So the link just hasn't been deleted.

As to whether/why sessions are disabled, suggest you grep in the code - look for myGlobals.borderSnifferMode and follow it into initialize.c where it sets the other flags. You'll have to figure out which is disabling the session reporting, enable that one and then see what you get.

Sorry, but I really don't understand -j...

-----Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Eugene Spiker
Sent: Wednesday, June 12, 2002 7:02 PM
To: [EMAIL PROTECTED]
Subject: [Ntop] Session Information when in border sniffer mode

All,

I am using Ntop to monitor traffic on Cisco switches and need to use border sniffer mode. When border sniffer mode was first introduced the session information was still available and by using the sql-host (-b) configuration I was able to save the sessions into a mySQL database and write reports based on the information.

The session information is important to me in that I use it to identify who is talking to whom on my network. This helped me make recommendations on changing WAN routes and connections and also reposition various servers (mail, file and application) to more central locations. This information along with WAN bandwidth usage reports made a complete picture.

Is there any way to gather the session information using the latest version of Ntop, while using border sniffer mode? The fact that the session information is still a menu selection when in border sniffer mode makes me think there might be a way. I assume if there was not that it would have been removed from the menu along with the other tabs and menu items.

Any suggestions or recommendations would be appreciated.

Thanks,
Eugene (Gene) Spiker

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://lists.ntop.org/mailman/listinfo/ntop
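
An added illustration of the trunk-port effect discussed in this thread; it is not ntop code and not written by any of the posters. It shows a MAC-keyed host table collapsing hosts behind a trunk into one entry, while an IP-keyed table with explicitly configured local networks (standing in for what -m supplies) keeps them apart. The frame records, function names and the `max_ips` threshold are assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: (source MAC, source IP) as seen on a mirror port.
# Every host reached through the trunk arrives with the trunk port's MAC.
FRAMES = [
    ("00:11:22:33:44:01", "10.1.0.10"),   # directly attached host
    ("00:11:22:33:44:02", "10.1.0.11"),   # directly attached host
    ("00:aa:bb:cc:dd:ff", "10.2.0.20"),   # behind the trunk
    ("00:aa:bb:cc:dd:ff", "10.2.0.21"),   # behind the trunk
    ("00:aa:bb:cc:dd:ff", "10.2.0.22"),   # behind the trunk
    ("00:aa:bb:cc:dd:ff", "192.0.2.7"),   # remote host, also via the trunk
    ("00:11:22:33:44:01", "10.1.0.10"),   # repeat traffic from the first host
]


def hosts_by_mac(frames):
    """MAC-keyed host table: one entry per MAC with the IPs seen behind it."""
    table = defaultdict(set)
    for mac, ip in frames:
        table[mac].add(ip)
    return dict(table)


def untrusted_macs(frames, max_ips=1):
    """MACs fronting more than max_ips addresses cannot identify a single host."""
    return {mac for mac, ips in hosts_by_mac(frames).items() if len(ips) > max_ips}


def hosts_by_ip(frames, local_nets):
    """IP-keyed host table. Whether a host is local is decided from the
    configured networks, not from the sniffing interface's own address."""
    nets = [ip_network(n) for n in local_nets]
    table = {}
    for _mac, ip in frames:
        addr = ip_address(ip)
        table[ip] = any(addr in net for net in nets)
    return table


if __name__ == "__main__":
    print("MAC-keyed entries:", len(hosts_by_mac(FRAMES)))
    print("MACs not usable as host identity:", untrusted_macs(FRAMES))
    for ip, local in hosts_by_ip(FRAMES, ["10.1.0.0/16", "10.2.0.0/16"]).items():
        print(ip, "local" if local else "remote")
```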
