THINK about it... 00:60:12:12:14:34
is a valid MAC. Is it local or remote? How do you tell? You can't... Is it the MAC of the destination, the source or some intermediate hop? You can't tell unless you know the network topology. IP addresses are self-referential, because you have the netmask to divide into host and network portions, which you then compare to your own interface (or a list of host/mask via -m). With MAC addressing you have non of that. Just 48 bits -----Burton -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Schoplocher Peter (Student at Congleton) Sent: Friday, September 12, 2003 12:49 PM To: '[EMAIL PROTECTED]' Subject: [Ntop] --local-subnets & --no-mac Hello Everybody, short version: is there a way to make ntop trust only IP addresses but display MAC addresses "as if started w/o -o" ? long version: I use ntop to monitor large networks via switches (port mirroring). If I don't use -m, everything "works fine", but as expected most of the traffic is considered remote<->remote. However if I tell ntop what to consider local, it stops picking up all hosts (I am not sure about remote hosts, but it definitely fails to see several local hosts; I monitored the exact same traffic using two different ntop sensors connected to a hub, one with -m and one without). One of the local hosts ntop actually displays, seems to produce much more traffic then it actually does and the number of open ports is not correct either. Naturally, the displayed MAC is in fact the gateway's (and the traffic is probably the total traffic coming through that gateway, so that the open ports mentioned above are probably indeed open, but on several different hosts). If I add -o, everything "works fine" again, ntop (most probably) picks up all hosts and classifies them remote/local according to -m. But it does not only not "trust MAC addresses" [manpage] but also it does not diplay them... Eventually, that is still pretty good. But I don't understand why distinguishing between local and remote traffic inhibits the monitoring of MAC addresses (and IPX). In case this isn't due to my settings or a bug, I would also welcome a way of just displaying the MAC addresses ntop figured out in a separate table row. Thanks in advance! Regards Peter _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
