I'm trying to run NTOP on a Linux 2.4 box that is bonding 2 interfaces together. The results I get are incorrect, and ntop starts behaving strangely depending on the options I give it.

For example, when I specify a home-net (which is a must since the bonded interface has no IP and ntop will be unable to determine the local net for itself), ntop only seems to be seeing traffic from specific hosts on my home net, and ignoring others. When I do not specify a home net, it sees more of my local hosts, but has no idea that they are local so the stats aren't as useful.

I have a class C net (we'll use 172.16.2.0/24 as an example), which is split up into several smaller chunks. For example:

    172.16.2.0/29
    172.16.2.64/26
    172.16.2.128/26
    ...etc...

I get different results if I specify my home net as 172.16.2.0/24, or specify each smaller subnet using commas.

I also get different results if I use the -g flag (show only local hosts), which doesn't make sense. For example: without the -g flag, ntop may only show stats for host 172.16.2.15. But when I add the -g flag, .15 disappears, and now it shows stats for .16, but they BOTH are in my specified home-net range!

I even get different results depending on how I notate the netmask! For example, if I use:

    -m 172.16.2.0/24

I might see traffic ONLY from host .17, but if I say:

    -m 172.16.2.0/255.255.255.0

I see NO traffic from .17, but now start seeing traffic from .18! I also get different results if I use quotes or not (-m 172.16.2.0/24 or -m "172.16.2.0/24"). This makes absolutely no sense.

I know there is not a hardware/OS problem, as I am running a Snort/ACID setup on the same box, listening on the same bond0 interface. It sees all traffic fine and behaves normally.

No matter what combination of options I try, I can't seem to get NTOP to see all my hosts that I KNOW are generating lots of traffic on the wire (we are talking very busy web and mail servers here). Is anyone else out there successfully using ntop on a bonded Linux interface or having the same weird problems?
--
Miles Stevenson [EMAIL PROTECTED]
PGP FP: 035F 7D40 44A9 28FA 7453 BDF4 329F 889D 767D 2F63
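A way to rule out the home-net specification itself before looking at the sensor, as an added example that is not part of the original post and not ntop code: it checks that the two mask notations describe the same address set and reports which hosts a subnet list leaves outside the local range. The function names are hypothetical, and the subnet list holds only the three chunks the post names (its list is elided with "...etc..."), so the gaps shown apply to that constructed partial list.

```python
import ipaddress

# Constructed sample input taken from the example ranges in the post.
WHOLE = "172.16.2.0/24"
DOTTED = '"172.16.2.0/255.255.255.0"'
PARTS = "172.16.2.0/29,172.16.2.64/26,172.16.2.128/26"   # partial list only
HOSTS = ["172.16.2.15", "172.16.2.16", "172.16.2.17", "172.16.2.18"]

def parse_local_nets(spec):
    """Parse a comma-separated net/mask list in /24 or /255.255.255.0 form."""
    nets = []
    for entry in spec.split(","):
        entry = entry.strip().strip("\"'")   # tolerate quoted arguments
        if entry:
            # strict=True raises ValueError on host bits set or an invalid mask
            nets.append(ipaddress.IPv4Network(entry, strict=True))
    return nets

def same_coverage(spec_a, spec_b):
    """True when both specifications describe exactly the same addresses."""
    a = set(ipaddress.collapse_addresses(parse_local_nets(spec_a)))
    b = set(ipaddress.collapse_addresses(parse_local_nets(spec_b)))
    return a == b

def uncovered(hosts, spec):
    """Hosts that fall outside every network in the specification."""
    nets = parse_local_nets(spec)
    return [h for h in hosts
            if not any(ipaddress.IPv4Address(h) in n for n in nets)]

def gaps(parent_spec, parts_spec):
    """Ranges inside parent_spec that the networks in parts_spec do not cover."""
    remaining = parse_local_nets(parent_spec)
    for part in parse_local_nets(parts_spec):
        nxt = []
        for net in remaining:
            if part.subnet_of(net):
                nxt.extend(net.address_exclude(part))   # carve the part out
            elif not net.subnet_of(part):
                nxt.append(net)                         # untouched by this part
        remaining = nxt
    return [str(n) for n in ipaddress.collapse_addresses(remaining)]

if __name__ == "__main__":
    print("notations equivalent:", same_coverage(WHOLE, DOTTED))
    print("outside /24:", uncovered(HOSTS, WHOLE))
    print("outside subnet list:", uncovered(HOSTS, PARTS))
    print("gaps in subnet list:", gaps(WHOLE, PARTS))
```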
