Inline...

On 30 September 2004 17:42, Ford,M,Mat,XGH5 FORDM5 R () wrote:
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
>> Behalf Of Burton M. Strauss III
>> Sent: 30 September 2004 17:22
>> To: [EMAIL PROTECTED]
>> Subject: RE: [Ntop] reading 'suspicious' and 'other' packets
>>
>> Nothing obvious. I checked the code and the truncation of packets is
>> suspended if you have the suspicious dump on. Still it sounds like a
>> corrupted buffer. Maybe some more info on the ntop version, how
>> you're running it, platform, etc.
>
> ntop version: 3.0.053 MT (SSL)
> command: -a /usr/home/ntop/logs/http-log -d -L -i bge0 -O
> /usr/home/ntop/logs -u ntop -p /usr/home/ntop/protocols.list
> -w 0 -W 3001 -P /usr/home/ntop
> platform: FreeBSD 5.2.1-RELEASE-p9
>
> FWIW I tried this with just the 'Other' packet logging on
> (i.e. no logging of 'Suspicious' packets), but no change.

I could add to this that I am monitoring an IPv6 network - maybe it is a
problem related to the use of IPv6?

Mat

>
> Mat
>
>>
>> -----Burton
>>
>>> -----Original Message-----
>>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of
>>> [EMAIL PROTECTED]
>>> Sent: Thursday, September 30, 2004 9:58 AM
>>> To: [EMAIL PROTECTED]
>>> Subject: [Ntop] reading 'suspicious' and 'other' packets
>>>
>>>
>>> Hi Burton,
>>>
>>> I didn't see your reply to my message until just now when I was
>>> browsing the archives - I guess it didn't get distributed to me as
>>> my subscription to the list hadn't been processed. Anyway...
>>>
>>> I tried shutting down ntop using the Admin interface, but tcpdump
>>> still reports the same error. Any other ideas?
>>>
>>> Cheers,
>>> Mat
>>>
>>> ---------------------
>>>
>>> It could be that the last buffer hasn't been written to disk or
>>> isn't initialized to zeros and tcpdump is trying to read that
>>> garbage.
>>>
>>> Causing a graceful shutdown of ntop will close the files. That
>>> should work...
>>>
>>> -----Burton
>>>
>>>
>>>> -----Original Message-----
>>>> From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it]On
>>>> Behalf Of matthew.ford at bt.com Sent: Friday, August 27, 2004
>>>> 5:00 AM
>>>> To: ntop at Unipi.IT
>>>> Subject: [Ntop] reading 'suspicious' and 'other' packets
>>>>
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to read the ntop-suspicious-pkts.dev[if].pcap and
>>>> ntop-other-pkts.[if].pcap files using
>>>>
>>>> tcpdump -r [filename]
>>>>
>>>> which is reporting 'tcpdump: pcap_loop: truncated dump file'.
>>>>
>>>> I've tried opening these files in ethereal as well, and that
>>>> chokes with:
>>>>
>>>> The capture file appears to be damaged or corrupt.
>>>> (pcap: File has 203949056-byte packet, bigger than maximum of
>>>> 65535)
>>>>
>>>> Anyone got any ideas/seen this before? Do I need to kill ntop
>>>> before these files will be readable?
>>>>
>>>> Mat
>>> _______________________________________________
>>> Ntop mailing list
>>> [EMAIL PROTECTED]
>>> http://listgateway.unipi.it/mailman/listinfo/ntop
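
One way to find where a dump like the one in this thread goes bad is to walk the pcap record headers directly and report the first one that cannot be valid. This is an added example, not part of the original thread or of ntop's code; `scan_pcap`, `build_sample` and the sample bytes are constructed for illustration, and it assumes the classic pcap file format with microsecond timestamps.

```python
import struct

# Classic pcap magic as it appears on disk -> struct byte-order prefix.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_PKT = 65535  # the ceiling quoted in the ethereal error in the thread

def scan_pcap(data):
    """Walk record headers; return (good_records, byte_offset, problem_or_None)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        return 0, 0, "bad or missing global header"
    end = MAGICS[data[:4]]
    snaplen = struct.unpack(end + "I", data[16:20])[0]
    limit = min(snaplen, MAX_PKT) if snaplen else MAX_PKT
    off, good = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return good, off, "truncated record header"
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        if incl > limit:  # garbage header: length field is not a real packet size
            return good, off, f"record claims {incl} bytes (limit {limit})"
        if off + 16 + incl > len(data):
            return good, off, "truncated packet data"
        off, good = off + 16 + incl, good + 1
    return good, off, None

def build_sample():
    """Constructed input: two valid records followed by a garbage record header."""
    def rec(payload):
        return struct.pack("<IIII", 1096562520, 0, len(payload), len(payload)) + payload
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    garbage = struct.pack("<IIII", 0, 0, 203949056, 203949056)
    return hdr + rec(b"\x00" * 60) + rec(b"\x00" * 74) + garbage + b"\x00" * 32

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    good, off, problem = scan_pcap(data)
    print(f"{good} good records; stopped at byte {off}: {problem or 'clean EOF'}")
```

Pass a capture file path as the first argument to scan a real file. The count of good records and the byte offset show whether the bad header sits at the tail of otherwise valid data or at the very first record.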
