On Fri, 29 Oct 2004 12:19:46 -0500, Burton wrote in message <[EMAIL PROTECTED]>: > > -----Original Message----- > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf > > Of Arnt Karlsen > > Sent: Friday, October 29, 2004 9:56 AM > > To: [EMAIL PROTECTED] > > Subject: Re: [Ntop] ..ntop-3.0 on a test bridge box, and > > /etc/init.d/ntop onFedora Core 2 > > > > > > On Fri, 29 Oct 2004 13:40:15 +0100, Simon wrote in message > > <[EMAIL PROTECTED]>: > > > > > On Friday 29 Oct 2004 12:23 pm, Arnt Karlsen wrote: > > > > > > > > ..with ntop-3.0 on a test bridge box, can I use the bridge > > > > interfaces (br0, br1, etc) or do I need to use the bridge > > > > "elementary" interfaces (eth1, eth2, eth3, etc) ? > > > > > > I have it here on a bridge, on eth0. > > > > ..br0 according to your "scrub that" msg. ;-) > > > > > I vaguely recall you can use either, but there were issues with > > > how the data is aggregated, so you're probably better of avoiding > > > the bridge interface. Otherwise it is hard to relate it back to > > > where the traffic is from/to, although there could be "deeper > > > magic" in ntop I haven't discovered. > > > > ..in my isp case, I threw out br0 from the start-up command line, > > as br0 only showed the differences between its 2 eth nics. ;-) > > > > > I guess it depends what you are trying to monitor, but for me it > > > is mostly the slow Internet traffic that is of interest, and > > > bucketing this in with the fast ethernet traffic makes no sense. > > > If the traffic goes through it is measured once anyway. > > > > > > > > ..I left RH-7.3-9 for Debian and love it, this is a one-off, a > > > > client's box, and I see "RH setup things" _has_ changed, > > > > so I'm back to newbie status on Red Hat's and Fedora's. ;-) > > > > > > The bridge here is RH9, and yes I prefer Debian as well. > > > > ..I have a bridge at an isp occationally running ntop-2.2 on RH7.3, > > the bridge is ip-less and uses cbq to throttle bandwidth. Here I > > just put the entire start-up command line in the "start)" section of > > /etc/(rc.d/)init.d/ntop, so my client can go "service ntop start" > > etc whenever he feels like ntop'ing. Here, br0 is eth0 + eth1.
..and these /etc(/rc.d)/init.d/ntop start-up hacks are no longer neccessary to start up ntop on a bridge, just put everything in /etc/ntop.conf and fire first the bridge and then ntop. ;-) > Two issues ... > > As Arnt says, the br# interface only shows the packets crossing the > bridge. > > Second is that some old versions of libpcap had issues w/ bridges. > > In an ntop world you usually don't want to see filtered data - you > want to be able to filter it yourself to meet your specific needs and > so one of the underlying interfaces is probably more likely what you > want to monitor. But YMMV... .ntop-3.0 is a nice piece of work, guys. :-) -- ..med vennlig hilsen = with Kind Regards from Arnt... ;-) ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. _______________________________________________ Ntop mailing list [EMAIL PROTECTED] http://listgateway.unipi.it/mailman/listinfo/ntop
