I think you're off, because of the processing overhead. What you're proposing is to make the --no-mac switch more granular, with a table of untrustworthy MAC addresses. That certainly can be done, but I worry about the overhead of changing 17 simple if tests into database lookups.
-----Burton

---------- Original Message ----------------------------------
From: Chris Turbeville <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Date: Sat, 13 Sep 2003 20:19:50 -0500 (CDT)

>Let me see if my experience is at all similar. I also monitor a network
>(large is always relative:) with spans (what Cisco calls mirrors). Now
>I set -m but what seems to happen is ntop gets confused as to what is
>local or remote since a lot of traffic has the firewall/gateway's MAC
>addr. So I see hosts show up with huge amounts of traffic when it's
>really the gateway's MAC not the host, but that was just the first host
>ntop saw on that MAC. So I have to deduce some of the reports. I think
>what we need is the ability to tell ntop a preloaded mac-ip-name table
>for gateways. That way he can still trust MACs but just get the right
>names for some of them. He can also preload the routers table so we get
>that right. I suspect that will also fix some of the "multihomed" I get
>on non-multihomed machines. Am I way off base? It could also be
>mac-ip/mask-name; that way he knows what nets that interface serves (and
>considers them local)?
>Thanks
>-Chris
>>
>> THINK about it...
>>
>> 00:60:12:12:14:34
>>
>> is a valid MAC. Is it local or remote? How do you tell? You can't...
>>
>> Is it the MAC of the destination, the source or some intermediate hop? You
>> can't tell unless you know the network topology.
>>
>> IP addresses are self-referential, because you have the netmask to divide
>> into host and network portions, which you then compare to your own interface
>> (or a list of host/mask via -m).
>>
>> With MAC addressing you have none of that. Just 48 bits
>>
>>
>> -----Burton
>>
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
>> Schoplocher Peter (Student at Congleton)
>> Sent: Friday, September 12, 2003 12:49 PM
>> To: '[EMAIL PROTECTED]'
>> Subject: [Ntop] --local-subnets & --no-mac
>>
>>
>> Hello Everybody,
>>
>> short version:
>> is there a way to make ntop trust only IP addresses but display MAC
>> addresses "as if started w/o -o"?
>>
>> long version:
>> I use ntop to monitor large networks via switches (port mirroring). If I
>> don't use -m, everything "works fine", but as expected most of the traffic
>> is considered remote<->remote.
>> However if I tell ntop what to consider local, it stops picking up all hosts
>> (I am not sure about remote hosts, but it definitely fails to see several
>> local hosts; I monitored the exact same traffic using two different ntop
>> sensors connected to a hub, one with -m and one without). One of the local
>> hosts ntop actually displays seems to produce much more traffic than it
>> actually does, and the number of open ports is not correct either. Naturally,
>> the displayed MAC is in fact the gateway's (and the traffic is probably the
>> total traffic coming through that gateway, so that the open ports mentioned
>> above are probably indeed open, but on several different hosts).
>> If I add -o, everything "works fine" again, ntop (most probably) picks up
>> all hosts and classifies them remote/local according to -m. But it not only
>> does not "trust MAC addresses" [manpage] but also does not display them...
>> Eventually, that is still pretty good.
>> But I don't understand why distinguishing between local and remote traffic
>> inhibits the monitoring of MAC addresses (and IPX). In case this isn't due
>> to my settings or a bug, I would also welcome a way of just displaying the
>> MAC addresses ntop figured out in a separate table row.
>>
>> Thanks in advance!
>> Regards
>> Peter
>> _______________________________________________
>> Ntop mailing list
>> [EMAIL PROTECTED]
>> http://listgateway.unipi.it/mailman/listinfo/ntop
>>
>
>
>--
>[EMAIL PROTECTED] Chris Turbeville NTT/VERIO
> Send mail with subject "send PGP Key" for PGP 6.5.2 Public key
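The two ideas argued over in this thread, local/remote decided from IP plus netmask (what the -m host/mask list gives ntop) and a preloaded table of gateway MACs that must never be bound to a host, worked through as an added Python example. This is illustration code, not ntop's own; the subnet list, the gateway table layout, the host MACs and the sample frames are constructed for the example (only the gateway MAC is the one quoted in the thread).

```python
"""Added illustration, not ntop code: classify traffic local/remote from IP and
netmask (the way ntop's -m list works), and show why keying hosts on MAC goes
wrong on a SPAN/mirror port, where every routed frame carries the gateway's MAC.
The subnets, gateway table format and sample frames below are constructed."""
import ipaddress

# Local subnets in host/mask form, as one would pass to ntop -m (constructed).
LOCAL_SUBNETS = [ipaddress.ip_network("192.168.10.0/24")]

# Hypothetical preloaded gateway table (the mac-ip-name idea from the thread):
# MAC -> (IP, name).  Keys are kept lowercase; lookups normalise the same way.
GATEWAY_MACS = {"00:60:12:12:14:34": ("192.168.10.1", "gw-fw")}
GW = "00:60:12:12:14:34"

# Constructed frames as seen on a mirrored switch port.  Routed traffic has the
# gateway MAC on one side; the local<->local frame carries both real host MACs.
SAMPLE_FRAMES = [
    {"src_mac": "aa:00:00:00:00:05", "src_ip": "192.168.10.5", "dst_mac": GW, "dst_ip": "8.8.8.8", "len": 1000},
    {"src_mac": "aa:00:00:00:00:06", "src_ip": "192.168.10.6", "dst_mac": GW, "dst_ip": "1.1.1.1", "len": 2000},
    {"src_mac": GW, "src_ip": "8.8.8.8", "dst_mac": "aa:00:00:00:00:05", "dst_ip": "192.168.10.5", "len": 500},
    {"src_mac": GW, "src_ip": "1.1.1.1", "dst_mac": "aa:00:00:00:00:06", "dst_ip": "192.168.10.6", "len": 700},
    {"src_mac": "aa:00:00:00:00:05", "src_ip": "192.168.10.5", "dst_mac": "aa:00:00:00:00:06", "dst_ip": "192.168.10.6", "len": 300},
]


def is_local(ip):
    """An IP is local iff it falls in one of the -m style subnets.  The netmask
    is what makes this decidable; a bare 48-bit MAC offers nothing to compare."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_SUBNETS)


def classify_flow(src_ip, dst_ip):
    s, d = is_local(src_ip), is_local(dst_ip)
    if s and d:
        return "local<->local"
    if s or d:
        return "local<->remote"
    return "remote<->remote"


def aggregate_by_mac(frames):
    """Naive: key hosts on MAC and bind the first IP seen with it.  On a mirror
    port this piles every routed byte onto the gateway MAC, displayed under
    whichever IP happened to appear first behind it (the symptom in the thread)."""
    hosts = {}
    for f in frames:
        for mac, ip in ((f["src_mac"], f["src_ip"]), (f["dst_mac"], f["dst_ip"])):
            h = hosts.setdefault(mac.lower(), {"ip": ip, "bytes": 0})
            h["bytes"] += f["len"]
    return hosts


def aggregate_by_ip(frames):
    """Trust IPs: key hosts on IP, classify with the netmask, and never bind a
    known gateway MAC to a host.  MACs are still recorded for ordinary hosts,
    which is the "trust IP but still display MACs" behaviour asked for."""
    hosts = {}
    totals = {"local<->local": 0, "local<->remote": 0, "remote<->remote": 0}
    for f in frames:
        totals[classify_flow(f["src_ip"], f["dst_ip"])] += f["len"]
        for ip, mac in ((f["src_ip"], f["src_mac"]), (f["dst_ip"], f["dst_mac"])):
            h = hosts.setdefault(ip, {"mac": None, "bytes": 0})
            h["bytes"] += f["len"]
            if h["mac"] is None and mac.lower() not in GATEWAY_MACS:
                h["mac"] = mac.lower()
    return hosts, totals


if __name__ == "__main__":
    print("by MAC:", aggregate_by_mac(SAMPLE_FRAMES))
    hosts, totals = aggregate_by_ip(SAMPLE_FRAMES)
    print("by IP:", hosts)
    print("totals:", totals)
```

Run stand-alone, the by-MAC view shows the gateway MAC carrying 4200 bytes under 8.8.8.8, the first IP seen behind it, while the by-IP view spreads the same bytes over the four real endpoints and leaves the two remote hosts without a bound MAC. On the overhead point raised in the reply: the gateway table here is a dict with a handful of entries, so the per-frame cost is one hash lookup per MAC, not a database query.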
