ntop is seeing the 1st packet with the IP address of the remote site and the
MAC of the firewall - which is after all how it's being injected into the
LAN - and making that association.  Then all other packets with that MAC are
associated with the single IP that ntop 1st saw.  It's probably flagged the
host with the multihomed risk flag, too.

Assuming that the firewall/IPSec combo is rewriting the packets as if they
ORIGINATE on the IPSec gateway, that is with its MAC address, then your
only choice is -o - that's EXACTLY what it's for.  Read the entries in
docs/FAQ on this subject.


-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kurt
> Buff
> Sent: Wednesday, January 21, 2004 9:09 PM
> To: '[EMAIL PROTECTED]'
> Subject: [Ntop] mac address associated with incorrect host
>
>
> All,
>
> Perhaps I'm dim, but I think I'm missing something. I've read the man page
> for ntop, and can't seem to figure this out - I don't think that the -o
> option is correct, but I'm willing to listen to an alternative opinion.
>
> I am very interested in tracking the remote sites' traffic, and the local
> traffic, but I've found that ntop doesn't do well on our network with the
> volume of Internet traffic, so I'm using --track-local-hosts to keep the
> excess traffic from being logged, and using --local-subnet to tell ntop to
> keep track of the foreign offices who are attached to us via our IPSec
> tunnels.
>
> I've got a host at 192.168.61.8 (in AU) that seems to have had attached to
> it the MAC address for our firewall locally (in the US, and the firewall's
> address is 192.168.6.9), and ntop is reporting all traffic against the MAC
> address of the firewall as coming from the remote host. The ntop host is on
> a hub with the firewall, so it's listening to all of the traffic transiting
> the firewall.
>
> Is there any way I can separate out the traffic? Does this require the use
> of the -o option?
>
> ntop.conf, minus the comments, is below my .sig
>
>
> Kurt Buff
> Sr. Network Administrator
> Zetron, Inc.
> 425.820.6363 x463
> [EMAIL PROTECTED]
> PO Box 97004
> Redmond, WA 98073
>
> ----------ntop.conf----------
> --user ntop
> --db-file-path /home/ntop/db/ntop
> --interface xl0
> --use-syslog
> --track-local-hosts
> --http-server 3000
> --local-subnet
> 192.168.0.0/20,192.168.16.0/24,192.168.17.0/24,192.168.24.0/24,192.168.38.0/24,192.168.61.0/24,192.168.111.0/24
> --reuse-rrd-graphics
> --daemon
> ----------ntop.conf----------

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
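A small model of the MAC-keyed host table Burton describes, added here as an illustration (it is not ntop's own code): the same constructed packets are run through a table keyed by source MAC, where the first IP seen with a MAC owns it, and through a table keyed by IP alone, which is the effect of telling ntop to ignore MAC addresses. The IP addresses are the ones from the thread; the MAC values and byte counts are made up.

```python
"""Model of the MAC/IP host-keying behaviour discussed in the thread.

Added illustration, not ntop's implementation.  It shows why every remote
subnet behind the IPSec gateway collapses onto the first remote IP seen when
hosts are keyed on the firewall's MAC, and how keying on IP alone separates
them again.
"""
from collections import Counter

FW_MAC = "00:00:5e:00:53:01"     # constructed MAC of the local firewall
LOCAL_MAC = "00:00:5e:00:53:02"  # constructed MAC of a local workstation

# Constructed sample capture: (src_mac, src_ip, dst_ip, bytes).
# Every packet arriving from a tunnel carries the firewall's MAC.
PACKETS = [
    (FW_MAC, "192.168.61.8", "192.168.6.10", 1500),   # first remote host seen
    (FW_MAC, "192.168.61.20", "192.168.6.10", 800),   # another host in AU
    (FW_MAC, "192.168.111.5", "192.168.6.10", 400),   # different remote office
    (FW_MAC, "192.168.6.9", "192.168.6.10", 60),      # the firewall itself
    (LOCAL_MAC, "192.168.6.10", "192.168.61.8", 200), # local reply traffic
]


def attribute(packets, key_by_mac):
    """Return bytes credited to each source host.

    key_by_mac=True : the first IP seen with a MAC owns that MAC, and every
                      later packet from the same MAC is credited to that IP.
    key_by_mac=False: hosts are keyed on the IP header only.
    """
    mac_owner = {}
    totals = Counter()
    for src_mac, src_ip, _dst_ip, size in packets:
        host = mac_owner.setdefault(src_mac, src_ip) if key_by_mac else src_ip
        totals[host] += size
    return dict(totals)


def collapsed_hosts(packets):
    """IPs that a MAC-keyed table would fold into some other host."""
    mac_owner = {}
    hidden = set()
    for src_mac, src_ip, _dst_ip, _size in packets:
        if mac_owner.setdefault(src_mac, src_ip) != src_ip:
            hidden.add(src_ip)
    return hidden


if __name__ == "__main__":
    print("MAC-keyed:", attribute(PACKETS, key_by_mac=True))
    print("IP-keyed: ", attribute(PACKETS, key_by_mac=False))
    print("hidden:   ", sorted(collapsed_hosts(PACKETS)))
```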
