Let me see if my experience is at all similar.  I also monitor a network
(large is always relative:) with spans (what cisco calls mirrors).  Now
I set -m but what seems to happen is ntop gets confused as to what is
local or remote since a lot of traffic has the firewall/gateways mac
addr.  So I see hosts show up with huge amounts of traffic when it's
really the gateway's mac not the host but that was just the first host
ntop saw on that mac.  So I have to deduce some of the reports. I think
what we need is the ability to tell ntop a preloaded mac-ip-name table
for gateways.  That way he can still trust macs but just get the right
names for some of them.  He can also preload the routers table so we get
that right.  I suspect that will also fix some of the "multihomed" I get
on non-multihomed machines.  Am I way off base? It could also be
mac-ip/mask-name that way he knows what nets that interface serves (and
considers them local)?
Thanks
-Chris
> 
> THINK about it...
> 
> 00:60:12:12:14:34
> 
> is a valid MAC.  Is it local or remote?  How do you tell?  You can't...
> 
> Is it the MAC of the destination, the source or some intermediate hop?  You
> can't tell unless you know the network topology.
> 
> IP addresses are self-referential, because you have the netmask to divide
> into host and network portions, which you then compare to your own interface
> (or a list of host/mask via -m).
> 
> With MAC addressing you have none of that.  Just 48 bits.
> 
> 
> -----Burton
> 
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> Schoplocher Peter (Student at Congleton)
> Sent: Friday, September 12, 2003 12:49 PM
> To: '[EMAIL PROTECTED]'
> Subject: [Ntop] --local-subnets & --no-mac
> 
> 
> Hello Everybody,
> 
> short version:
> is there a way to make ntop trust only IP addresses but display MAC
> addresses "as if started w/o -o" ?
> 
> long version:
> I use ntop to monitor large networks via switches (port mirroring). If I
> don't use -m, everything "works fine", but as expected most of the traffic
> is considered remote<->remote.
> However if I tell ntop what to consider local, it stops picking up all hosts
> (I am not sure about remote hosts, but it definitely fails to see several
> local hosts; I monitored the exact same traffic using two different ntop
> sensors connected to a hub, one with -m and one without). One of the local
> hosts ntop actually displays, seems to produce much more traffic than it
> actually does and the number of open ports is not correct either. Naturally,
> the displayed MAC is in fact the gateway's (and the traffic is probably the
> total traffic coming through that gateway, so that the open ports mentioned
> above are probably indeed open, but on several different hosts).
> If I add -o, everything "works fine" again, ntop (most probably) picks up
> all hosts and classifies them remote/local according to -m. But it does not
> only not "trust MAC addresses" [manpage] but also it does not display them...
> Eventually, that is still pretty good.
> But I don't understand why distinguishing between local and remote traffic
> inhibits the monitoring of MAC addresses (and IPX). In case this isn't due
> to my settings or a bug, I would also welcome a way of just displaying the
> MAC addresses ntop figured out in a separate table row.
> 
> Thanks in advance!
> Regards
> Peter
> _______________________________________________
> Ntop mailing list
> [EMAIL PROTECTED]
> http://listgateway.unipi.it/mailman/listinfo/ntop
> 


-- 
[EMAIL PROTECTED]           Chris Turbeville                       NTT/VERIO
       Send mail with subject "send PGP Key" for PGP 6.5.2 Public key