Read the docs/FAQ file on this parameter.  What's in there is what's known.

AFAIG, those two plugins are driven via the packet capture and are IP
address based, so they probably work.  But what's known is in docs/FAQ.
Research it and let us know for inclusion.

FWIW, I'm working on a Wiki for this stuff so users can grow the
documentation with less effort.  Let me know if anyone is interested in
being an experimental lab animal...

-----Burton


> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kurt Buff
> Sent: Thursday, January 22, 2004 11:15 AM
> To: '[EMAIL PROTECTED]'
> Subject: RE: [Ntop] mac address associated with incorrect host
>
>
> Thanks for your help.
>
> Will this modification change the behavior of the LastSeen or icmpWatch
> plugins?
>
> |-----Original Message-----
> |From: Burton M. Strauss III [mailto:[EMAIL PROTECTED]
> |Sent: Wednesday, January 21, 2004 20:29
> |To: [EMAIL PROTECTED]
> |Subject: RE: [Ntop] mac address associated with incorrect host
> |
> |
> |ntop is seeing the 1st packet with the IP address of the remote site and the
> |MAC of the firewall - which is after all how it's being injected into the
> |LAN - and making that association.  Then all other packets with that MAC are
> |associated with the single IP that ntop 1st saw.  It's probably flagged the
> |host with the multihomed risk flag, too.
> |
> |Assuming that the firewall/IPSec combo is rewriting the packets as if they
> |ORIGINATE on the IPSec gateway, that is with its MAC address, then your
> |only choice is -o - that's EXACTLY what it's for.  Read the entries in
> |docs/FAQ on this subject.
> |
> |
> |-----Burton
> |
> |> -----Original Message-----
> |> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Kurt Buff
> |> Sent: Wednesday, January 21, 2004 9:09 PM
> |> To: '[EMAIL PROTECTED]'
> |> Subject: [Ntop] mac address associated with incorrect host
> |>
> |>
> |> All,
> |>
> |> Perhaps I'm dim, but I think I'm missing something. I've read the man page
> |> for ntop, and can't seem to figure this out - I don't think that the -o
> |> option is correct, but I'm willing to listen to an alternative opinion.
> |>
> |> I am very interested in tracking the remote sites' traffic, and the local
> |> traffic, but I've found that ntop doesn't do well on our network with the
> |> volume of Internet traffic, so I'm using --track-local-hosts to keep the
> |> excess traffic from being logged, and using --local-subnet to tell ntop to
> |> keep track of the foreign offices who are attached to us via our IPSec
> |> tunnels.
> |>
> |> I've got a host at 192.168.61.8 (in AU) that seems to have had attached to
> |> it the MAC address for our firewall locally (in the US, and the firewall's
> |> address is 192.168.6.9), and ntop is reporting all traffic against the MAC
> |> address of the firewall as coming from the remote host. The ntop host is on
> |> a hub with the firewall, so it's listening to all of the traffic transiting
> |> the firewall.
> |>
> |> Is there any way I can separate out the traffic? Does this require the use
> |> of the -o option?
> |>
> |> ntop.conf, minus the comments, is below my .sig
> |>
> |>
> |> Kurt Buff
> |> Sr. Network Administrator
> |> Zetron, Inc.
> |> 425.820.6363 x463
> |> [EMAIL PROTECTED]
> |> PO Box 97004
> |> Redmond, WA 98073
> |>
> |> ----------ntop.conf----------
> |> --user ntop
> |> --db-file-path /home/ntop/db/ntop
> |> --interface xl0
> |> --use-syslog
> |> --track-local-hosts
> |> --http-server 3000
> |> --local-subnet 192.168.0.0/20,192.168.16.0/24,192.168.17.0/24,192.168.24.0/24,192.168.38.0/24,192.168.61.0/24,192.168.111.0/24
> |> --reuse-rrd-graphics
> |> --daemon
> |> ----------ntop.conf----------
> |>
> |>
> |>
> |>
> |> _______________________________________________
> |> Ntop mailing list
> |> [EMAIL PROTECTED]
> |> http://listgateway.unipi.it/mailman/listinfo/ntop

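A simplified model of the misattribution discussed in this thread, added here as an illustration; it is not ntop's code and is not from either poster. It assumes that default accounting keys each host by MAC and labels it with the first IP seen, that -o switches to keying by IP, and that "multihomed" means one MAC seen with more than one IP; the MACs, the extra hosts and the byte counts are constructed.

```python
from collections import defaultdict

# Constructed sample frames: (source MAC, source IP, bytes).
# 192.168.61.8 and 192.168.6.9 are the addresses named in the thread;
# everything else here is made up for the example.
FW_MAC = "00:00:5e:00:53:01"   # firewall / IPSec gateway (constructed MAC)
PC_MAC = "00:00:5e:00:53:02"   # ordinary local host (constructed MAC)
FRAMES = [
    (FW_MAC, "192.168.61.8", 1500),   # first frame seen with the firewall MAC
    (FW_MAC, "192.168.6.9", 200),     # the firewall's own traffic
    (FW_MAC, "192.168.38.20", 900),   # another remote office behind the tunnel
    (PC_MAC, "192.168.6.50", 400),
    (FW_MAC, "192.168.61.8", 300),
]

def account_by_mac(frames):
    """Assumed default: one host per MAC, labelled with the first IP seen."""
    hosts = {}
    for mac, ip, size in frames:
        host = hosts.setdefault(mac, {"label": ip, "ips": set(), "bytes": 0})
        host["ips"].add(ip)
        host["bytes"] += size
    return hosts

def multihomed(hosts):
    """Labels of hosts whose MAC carried more than one source IP."""
    return sorted(h["label"] for h in hosts.values() if len(h["ips"]) > 1)

def account_by_ip(frames):
    """Assumed -o behaviour: ignore the MAC and key each host by IP."""
    totals = defaultdict(int)
    for _mac, ip, size in frames:
        totals[ip] += size
    return dict(totals)

if __name__ == "__main__":
    by_mac = account_by_mac(FRAMES)
    for mac, host in by_mac.items():
        print(f"MAC-keyed  {host['label']:<15} {mac}  {host['bytes']:>5} bytes")
    print("multihomed:", multihomed(by_mac))
    for ip, total in sorted(account_by_ip(FRAMES).items()):
        print(f"IP-keyed   {ip:<15} {total:>5} bytes")
```

In the MAC-keyed view every byte forwarded by the firewall lands on 192.168.61.8, which matches the symptom reported in the original question; the IP-keyed view splits it back out per source address.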