I have figured out what my problem was and wanted to share with everyone (although some of you may already know).
I am using NTOP on a SPAN port on a Cisco 2950 switch. Ethereal would see the packets but not NTOP. While using the graphic version of Ethereal I noticed all the packets had an 802.1q encapsulation on them. This appears to be the problem. The switches are in a base configuration and not doing any VLAN or trunking. I found that older versions of the 2950 IOS automatically monitored the port with the 802.1q encapsulation. In the latest release the 802.1q encapsulation can be toggled on and off.
The one switch I was capturing data on was a 2924 (older version of the 2950) and it did not have this issue.
For future reference: If I was monitoring a switch using 802.1q encapsulation, are there switches in NTOP that I can set to get this to work? If not, might it be support on future versions?
Thanks for the help,
Tony Everett
-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 05, 2003 3:53 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop with multiple interfaces
The report in info.html/textinfo.html reporting only eth0 is a trival bug
and doesn't affect processing.
I notice you don't have anything set for -m | --local-subnets. With
multiple (unnumbered) interfaces, that's pretty much required.
Otherwise, both sender and destination are treated as remote, and
remote-remote traffic is only shown in the IP Protos | Distribution report.
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Everett,
Anthony (GNPC)
Sent: Wednesday, February 05, 2003 2:10 PM
To: '[EMAIL PROTECTED]'
Cc: Elsaid, Fadi
Subject: RE: [Ntop] Ntop with multiple interfaces
Sorry about that.
Since receiving your email (and looking the mailing list issues) I have
removed the old version and install the latest (2.1.57pre). I also have
attached the text configuration output.
I still have the same problem, that only one interface is capturing IP data.
All NIC cards are the same manufacturer. As I mentioned, if I run Ethereal,
I can capture IP data.
Any help is greatly appreciated.
-Tony
-----Original Message-----
From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]]
Sent: Friday, January 31, 2003 3:39 PM
To: [EMAIL PROTECTED]
Subject: RE: [Ntop] Ntop with multiple interfaces
How about giving some info ... like ntop version, os, etc.?
See "Howto ask for help" in the docs/FAQ and/or at http://snapshot.ntop.org
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Everett,
Anthony (GNPC)
Sent: Friday, January 31, 2003 2:48 PM
To: '[EMAIL PROTECTED]'
Subject: [Ntop] Ntop with multiple interfaces
I have Ntop running with multiple interface (configuration:
/usr/sbin/ntop -d -P /usr/share/ntop/ -u operator -E -n -i
eth0,eth1,eth2,eth3,eth4 -L -c -M -p /usr/share/ntop/protocol.list) and most
interfaces captures little to no data. I use eth5 for management / access
to Ntop. I have tried all interfaces with and with out IP addresses. If I
run a sniffer trace I see plenty of data on all the interfaces. Some
interfaces report data but only layer 2 data.
The only interface the captures IP data is eth3, which is on the same subnet
as my management / access to Ntop interface. I have tried the -j option (I
am spanning or monitoring other ports) with no luck.
Any ideas why Ntop would not report the capture of data on different
interfaces (I have performed the switch interface function from the admin
screen)?
-Tony
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
