IPv6? Hum... wonder if your version of tcpdump knows IPv6? Wonder too if the folks who added v6 support (for which we're quite grateful) tested this combo.
-----Burton

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of
> [EMAIL PROTECTED]
> Sent: Friday, October 15, 2004 5:49 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] reading 'suspicious' and 'other' packets
>
>
> Inline...
>
> On 30 September 2004 17:42, Ford,M,Mat,XGH5 FORDM5 R () wrote:
>
> >> -----Original Message-----
> >> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> >> Behalf Of Burton M. Strauss III
> >> Sent: 30 September 2004 17:22
> >> To: [EMAIL PROTECTED]
> >> Subject: RE: [Ntop] reading 'suspicious' and 'other' packets
> >>
> >> Nothing obvious. I checked the code and the truncation of packets is
> >> suspended if you have the suspicious dump on. Still it sounds like a
> >> corrupted buffer. Maybe some more info on the ntop version, how
> >> you're running it, platform, etc.
> >
> > ntop version: 3.0.053 MT (SSL)
> > command: -a /usr/home/ntop/logs/http-log -d -L -i bge0 -O
> > /usr/home/ntop/logs -u ntop -p /usr/home/ntop/protocols.list
> > -w 0 -W 3001 -P /usr/home/ntop
> > platform: FreeBSD 5.2.1-RELEASE-p9
> >
> > FWIW I tried this with just the 'Other' packet logging on
> > (i.e. no logging of 'Suspicious' packets), but no change.
>
> I could add to this that I am monitoring an IPv6 network - maybe it is a
> problem related to the use of IPv6?
>
> Mat
>
> >
> > Mat
> >
> >>
> >> -----Burton
> >>
> >>> -----Original Message-----
> >>> From: [EMAIL PROTECTED]
> >> [mailto:[EMAIL PROTECTED] Behalf Of
> >>> [EMAIL PROTECTED]
> >>> Sent: Thursday, September 30, 2004 9:58 AM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: [Ntop] reading 'suspicious' and 'other' packets
> >>>
> >>>
> >>> Hi Burton,
> >>>
> >>> I didn't see your reply to my message until just now when I was
> >>> browsing the archives - I guess it didn't get distributed to me as
> >>> my subscription to the list hadn't been processed. Anyway...
> >>>
> >>> I tried shutting down ntop using the Admin interface, but tcpdump
> >>> still reports the same error. Any other ideas?
> >>>
> >>> Cheers,
> >>> Mat
> >>>
> >>> ---------------------
> >>>
> >>> It could be that the last buffer hasn't been written to disk or
> >>> isn't initialized to zeros and tcpdump is trying to read that
> >>> garbage.
> >>>
> >>> Causing a graceful shutdown of ntop will close the files. That
> >>> should work...
> >>>
> >>> -----Burton
> >>>
> >>>
> >>>> -----Original Message-----
> >>>> From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it]On
> >>>> Behalf Of matthew.ford at bt.com Sent: Friday, August 27, 2004
> >>>> 5:00 AM
> >>>> To: ntop at Unipi.IT
> >>>> Subject: [Ntop] reading 'suspicious' and 'other' packets
> >>>>
> >>>>
> >>>> Hi,
> >>>>
> >>>> I'm trying to read the ntop-suspicious-pkts.dev[if].pcap and
> >>>> ntop-other-pkts.[if].pcap files using
> >>>>
> >>>> tcpdump -r [filename]
> >>>>
> >>>> which is reporting 'tcpdump: pcap_loop: truncated dump file'.
> >>>>
> >>>> I've tried opening these files in ethereal as well, and that
> >>>> chokes with:
> >>>>
> >>>> The capture file appears to be damaged or corrupt.
> >>>> (pcap: File has 203949056-byte packet, bigger than maximum of
> >>>> 65535)
> >>>>
> >>>> Anyone got any ideas/seen this before? Do I need to kill ntop
> >>>> before these files will be readable?
> >>>>
> >>>> Mat
> >>> _______________________________________________
> >>> Ntop mailing list
> >>> [EMAIL PROTECTED]
> >>> http://listgateway.unipi.it/mailman/listinfo/ntop
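Added example, not part of the thread and not ntop, tcpdump or ethereal code: a walk over the classic pcap record headers that reports where a capture file first goes bad, covering both errors quoted above (a record length over 65535 and a file that ends mid-record). The function names `check_pcap` and `make_sample` are hypothetical, and the sample file is constructed in the code.

```python
import struct

# Classic pcap magics (microsecond and nanosecond variants) -> struct byte order
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
MAX_CAPLEN = 65535  # ceiling quoted in the ethereal error in the thread


def check_pcap(data):
    """Walk record headers; return (good_records, offset, problem or None)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        return 0, 0, "not a classic pcap file"
    order = MAGICS[data[:4]]
    snaplen = struct.unpack(order + "I", data[16:20])[0]
    limit = min(snaplen, MAX_CAPLEN) if snaplen else MAX_CAPLEN
    off, good = 24, 0  # the global header is 24 bytes
    while off < len(data):
        if len(data) - off < 16:
            return good, off, "truncated record header"
        # Record header: ts_sec, ts_frac, captured length, original length
        _sec, _frac, caplen, _origlen = struct.unpack(order + "4I", data[off:off + 16])
        if caplen > limit:
            # The length field is not plausible, so these 16 bytes are not a real header
            return good, off, "oversized record: %d bytes" % caplen
        if off + 16 + caplen > len(data):
            return good, off, "truncated record body"
        off += 16 + caplen
        good += 1
    return good, off, None


def make_sample():
    """Constructed file: 2 valid 60-byte records, then a garbage record header."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<4I", 1097833740, 0, 60, 60) + b"\x00" * 60
    bad = struct.pack("<4I", 0, 0, 203949056, 203949056)
    return hdr + rec + rec + bad


if __name__ == "__main__":
    print(check_pcap(make_sample()))
```

The returned offset marks the end of the readable part of the file, so the bytes before it form a capture that standard tools can open.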
