Two issues ... As Arnt says, the br# interface only shows the packets crossing the bridge.
Second is that some old versions of libpcap had issues w/ bridges. In an ntop world you usually don't want to see filtered data - you want to be able to filter it yourself to meet your specific needs and so one of the underlying interfaces is probably more likely what you want to monitor. But YMMV... -----Burton > -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of > Arnt Karlsen > Sent: Friday, October 29, 2004 9:56 AM > To: [EMAIL PROTECTED] > Subject: Re: [Ntop] ..ntop-3.0 on a test bridge box, and > /etc/init.d/ntop onFedora Core 2 > > > On Fri, 29 Oct 2004 13:40:15 +0100, Simon wrote in message > <[EMAIL PROTECTED]>: > > > On Friday 29 Oct 2004 12:23 pm, Arnt Karlsen wrote: > > > > > > ..with ntop-3.0 on a test bridge box, can I use the bridge > > > interfaces (br0, br1, etc) or do I need to use the bridge > > > "elementary" interfaces (eth1, eth2, eth3, etc) ? > > > > I have it here on a bridge, on eth0. > > ..br0 according to your "scrub that" msg. ;-) > > > I vaguely recall you can use either, but there were issues with how > > the data is aggregated, so you're probably better of avoiding the > > bridge interface. Otherwise it is hard to relate it back to where the > > traffic is from/to, although there could be "deeper magic" in ntop I > > haven't discovered. > > ..in my isp case, I threw out br0 from the start-up command line, > as br0 only showed the differences between its 2 eth nics. ;-) > > > I guess it depends what you are trying to monitor, but for me it is > > mostly the slow Internet traffic that is of interest, and bucketing > > this in with the fast ethernet traffic makes no sense. If the traffic > > goes through it is measured once anyway. > > > > > > ..I left RH-7.3-9 for Debian and love it, this is a one-off, a > > > client's box, and I see "RH setup things" _has_ changed, > > > so I'm back to newbie status on Red Hat's and Fedora's. ;-) > > > > The bridge here is RH9, and yes I prefer Debian as well. > > ..I have a bridge at an isp occationally running ntop-2.2 on RH7.3, > the bridge is ip-less and uses cbq to throttle bandwidth. Here I just > put the entire start-up command line in the "start)" section of > /etc/(rc.d/)init.d/ntop, so my client can go "service ntop start" etc > whenever he feels like ntop'ing. Here, br0 is eth0 + eth1. > > -- > ..med vennlig hilsen = with Kind Regards from Arnt... ;-) > ...with a number of polar bear hunters in his ancestry... > Scenarios always come in sets of three: > best case, worst case, and just in case. > > _______________________________________________ > Ntop mailing list > [EMAIL PROTECTED] > http://listgateway.unipi.it/mailman/listinfo/ntop _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
