> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Burton M. Strauss III
> Sent: 30 September 2004 17:22
> To: [EMAIL PROTECTED]
> Subject: RE: [Ntop] reading 'suspicious' and 'other' packets
>
> Nothing obvious. I checked the code and the truncation of packets is
> suspended if you have the suspicious dump on. Still it sounds like a
> corrupted buffer. Maybe some more info on the ntop version, how you're
> running it, platform, etc.

ntop version: 3.0.053 MT (SSL)
command: -a /usr/home/ntop/logs/http-log -d -L -i bge0 -O /usr/home/ntop/logs -u ntop -p /usr/home/ntop/protocols.list -w 0 -W 3001 -P /usr/home/ntop
platform: FreeBSD 5.2.1-RELEASE-p9

FWIW I tried this with just the 'Other' packet logging on (i.e. no
logging of 'Suspicious' packets), but no change.

Mat

>
> -----Burton
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday, September 30, 2004 9:58 AM
> > To: [EMAIL PROTECTED]
> > Subject: [Ntop] reading 'suspicious' and 'other' packets
> >
> > Hi Burton,
> >
> > I didn't see your reply to my message until just now when I was
> > browsing the archives - I guess it didn't get distributed to me as my
> > subscription to the list hadn't been processed. Anyway...
> >
> > I tried shutting down ntop using the Admin interface, but tcpdump
> > still reports the same error. Any other ideas?
> >
> > Cheers,
> > Mat
> >
> > ---------------------
> >
> > It could be that the last buffer hasn't been written to disk or isn't
> > initialized to zeros and tcpdump is trying to read that garbage.
> >
> > Causing a graceful shutdown of ntop will close the files. That should
> > work...
> >
> > -----Burton
> >
> > > -----Original Message-----
> > > From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it]On
> > > Behalf Of matthew.ford at bt.com
> > > Sent: Friday, August 27, 2004 5:00 AM
> > > To: ntop at Unipi.IT
> > > Subject: [Ntop] reading 'suspicious' and 'other' packets
> > >
> > > Hi,
> > >
> > > I'm trying to read the ntop-suspicious-pkts.dev[if].pcap and
> > > ntop-other-pkts.[if].pcap files using
> > >
> > > tcpdump -r [filename]
> > >
> > > which is reporting 'tcpdump: pcap_loop: truncated dump file'.
> > >
> > > I've tried opening these files in ethereal as well, and that chokes
> > > with:
> > >
> > > The capture file appears to be damaged or corrupt.
> > > (pcap: File has 203949056-byte packet, bigger than maximum of 65535)
> > >
> > > Anyone got any ideas/seen this before? Do I need to kill ntop before
> > > these files will be readable?
> > >
> > > Mat
> > _______________________________________________
> > Ntop mailing list
> > [EMAIL PROTECTED]
> > http://listgateway.unipi.it/mailman/listinfo/ntop
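
Added example (not part of the thread, and not ntop, tcpdump or Ethereal code): a Python walker over classic pcap record headers that reports how many records parse cleanly and the byte offset of the first header that is truncated or claims a length above 65535, the two symptoms quoted in the thread. The function names and the sample capture are constructed for illustration.

```python
import struct

# Classic (microsecond) pcap magic as it appears on disk: little- and big-endian writers
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_PKT = 65535  # limit quoted in the Ethereal error in the thread

def scan_pcap(data):
    """Walk a pcap savefile held in memory; return (good_records, offset, reason).

    offset is where parsing stopped; reason is None when the file is clean to EOF.
    """
    if len(data) < 24 or data[:4] not in MAGICS:
        return 0, 0, "bad global header"
    endian = MAGICS[data[:4]]
    off, good = 24, 0  # records start after the 24-byte global header
    while off < len(data):
        if len(data) - off < 16:
            return good, off, "truncated record header"
        # Per-record header: ts_sec, ts_usec, incl_len (bytes stored), orig_len
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        if incl_len > MAX_PKT:
            # Garbage or unflushed buffer read as a length field
            return good, off, f"{incl_len}-byte packet exceeds {MAX_PKT}"
        if off + 16 + incl_len > len(data):
            return good, off, "truncated packet data"
        off += 16 + incl_len
        good += 1
    return good, off, None

def constructed_sample():
    # Constructed input: valid header, two 60-byte records, then a corrupt record header
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1096560000, 0, 60, 60) + bytes(60)
    bad = struct.pack("<IIII", 0, 0, 203949056, 203949056)
    return hdr + rec + rec + bad

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    good, off, reason = scan_pcap(data)
    print(f"{good} good records; stopped at byte offset {off}: {reason or 'clean EOF'}")
```

Run against a dump file, the reported offset shows whether the damage sits at the tail of the file (consistent with an unflushed last buffer) or in the middle of it.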
