Yup, the quotes in the examples are intentionally double quotes and that's
pretty much what the shell (and thus the library routine getopt())
demands...
Q. My filter doesn't work! I'm running ntop like this:
/usr/local/bin/ntop -u nobody -L -d -E -w 3000 \
-m 192.168.10.0/24,xxx.xxx.xxx.xxx/32 \
-M -i eth0,eth1 \
(src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) \
and not dst net 192.168.10.0/24
A. Yup, it doesn't work. Use the -B option and put the filter in quotes:
-B "(src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) and
not dst net 192.168.10.0/24"
ntop used to assume anything it didn't recognize was a filter. But not
since 2.1.3. If you try this now, you should see a log warning that says
maybe you forgot the quotes.
No biggie - those are the easy ?s to answer...
-----Burton
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kurt Buff
Sent: Tuesday, April 25, 2006 4:00 PM
To: [email protected]
Subject: Re: [Ntop] Adding BPF expression to ntop.sh
Did read the FAQ, but completely misinterpreted it. Thought it meant single
quotes, not double quotes.
Silly me, and thanks for the help.
Kurt
On 4/25/06, Burton Strauss <[EMAIL PROTECTED]> wrote:
> Read docs/FAQ - you need "s around the filter expression.
>
> -----Burton
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
> Of Kurt Buff
> Sent: Tuesday, April 25, 2006 2:34 PM
> To: [email protected]
> Subject: [Ntop] Adding BPF expression to ntop.sh
>
> Howdy,
>
> I'm trying to add a filter to exclude the traffic between a firewall
> and its management station, and have the following problem.
>
> ntop.sh with the following line works just fine (without the
> surrounding double quotes):
>
> "additional_args='-U -a -o -P /home/ntop/ntop -m 192.168.8.0/24'"
>
> ntop.sh with the following line (again, without the surrounding double
> quotes) dies - logs below my sig:
>
> "additional_args='-U -a -o -P /home/ntop/ntop -m 192.168.8.0/24 -B not
> ((src host 192.168.8.2 and dst host 192.168.10.88) or (src host
> 192.168.10.88 and dst host 192.168.8.2))'"
>
> If I put more single quotes after -B, it dies an even worse death,
> talking about mismatched parens, and suchlike.
>
> Anyone have a clue for me? I'm running FreeBSD 6.0-RELEASE, ntop 3.2,
> from ports
>
> Kurt
>
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP[t147189248]: ntop caught signal 15
> Apr 25 12:14:41 zntop ntop[51624]: THREADMGMT[t147189248]: ntop RUNSTATE: SHUTDOWN(7)
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP[t147189248] catching thread is unknown
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP: Running threads NPA SFP SIH WEB DNSAR1 NPS1
> Apr 25 12:14:41 zntop ntop[51624]: THREADMGMT[t134613504]: NPA: network packet analyzer (packet processor) thread terminated [p51624]
> Apr 25 12:14:41 zntop ntop[51624]: THREADMGMT[t147185664]: DNSAR(1): Address resolution thread terminated [p51624]
> Apr 25 12:14:41 zntop ntop[51624]: STATS: 892,356 packets received by filter on xl0
> Apr 25 12:14:41 zntop ntop[51624]: STATS: 3,304 packets dropped (according to libpcap)
> Apr 25 12:14:41 zntop ntop[51624]: STATS: 0 packets dropped (by ntop)
> Apr 25 12:14:41 zntop kernel: xl0: promiscuous mode disabled
> Apr 25 12:14:41 zntop ntop[51624]: THREADMGMT[t147187200]: NPS(1,xl0): pcapDispatch thread terminated [p51624]
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP: Locking purge mutex (may block for a little while)
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP: Locked purge mutex, continuing shutdown
> Apr 25 12:14:41 zntop ntop[51624]: CLEANUP: Continues (still running SFP SIH WEB)
> Apr 25 12:14:41 zntop ntop[51624]: FREE_HOST: Start, 2 device(s)
> Apr 25 12:14:41 zntop ntop[51624]: FREE_HOST: End, freed 1228
> Apr 25 12:14:41 zntop ntop[51624]: FREE_HOST: Start, 2 device(s)
> Apr 25 12:14:41 zntop ntop[51624]: FREE_HOST: End, freed 0
> Apr 25 12:14:41 zntop ntop[51624]: PLUGIN_TERM: Unloading plugins (if any)
> Apr 25 12:14:41 zntop ntop[51624]: LASTSEEN: Thanks for using LsWatch
> Apr 25 12:14:42 zntop ntop[51624]: LASTSEEN: Done
> Apr 25 12:14:42 zntop ntop[51624]: ICMP: Thanks for using icmpWatch
> Apr 25 12:14:42 zntop ntop[51624]: ICMP: Done
> Apr 25 12:14:42 zntop ntop[51624]: NETFLOW: Terminating NetFlow
> Apr 25 12:14:42 zntop ntop[51624]: NETFLOW: terminating device NetFlow-device.2
> Apr 25 12:14:42 zntop ntop[51624]: NETFLOW: Thanks for using ntop NetFlow
> Apr 25 12:14:42 zntop ntop[51624]: NETFLOW: Done
> Apr 25 12:14:42 zntop ntop[51624]: RRD: Shutting down, locking mutex (may block for a little while)
> Apr 25 12:14:42 zntop ntop[51624]: RRD: Locked mutex, continuing shutdown
> Apr 25 12:14:42 zntop ntop[51624]: THREADMGMT[t147189248]: RRD: killThread(rrdThread) succeeded
> Apr 25 12:14:42 zntop ntop[51624]: THREADMGMT[t147189248]: RRD: killThread(rrdTrafficThread) succeeded
> Apr 25 12:14:42 zntop ntop[51624]: THREADMGMT[t147189248]: RRD: Waiting 12 seconds for threads to stop
> Apr 25 12:14:48 zntop ntop[51624]: THREADMGMT[t134614528]: SIH: Idle host scan thread terminated [p51624]
> Apr 25 12:14:49 zntop ntop[51624]: THREADMGMT[t134610944]: Main thread shutting down
> Apr 25 12:14:50 zntop ntop[51624]: THREADMGMT[t134614016]: SFP: Fingerprint scan thread terminated [p51624]
> Apr 25 12:14:50 zntop ntop[51624]: THREADMGMT[t147186176]: WEB: Server connection thread terminated [p51624]
> Apr 25 12:14:50 zntop ntop[51624]: THREADMGMT[t147186688]: RRD: Data collection thread stopping [p51624] State>RUN
> Apr 25 12:14:50 zntop ntop[51624]: THREADMGMT[t147186688]: RRD: Data collection thread terminated [p51624]
> Apr 25 12:14:54 zntop ntop[51624]: THREADMGMT[t147189248]: RRD: Plugin shutdown continuing
> Apr 25 12:14:54 zntop ntop[51624]: RRD: Thanks for using the rrdPlugin
> Apr 25 12:14:54 zntop ntop[51624]: RRD: Done
> Apr 25 12:14:55 zntop ntop[51624]: CLEANUP: Freeing device xl0 (idx=0)
> Apr 25 12:14:55 zntop ntop[51624]: CLEANUP: Freeing device NetFlow-device.2 (idx=1)
> Apr 25 12:14:55 zntop ntop[51624]: TERM: Removed pid file (/home/ntop/ntop/ntop.pid)
> Apr 25 12:14:55 zntop ntop[51624]: CLEANUP: Clean up complete
> Apr 25 12:14:55 zntop ntop[51624]: THREADMGMT[t147189248]: ntop RUNSTATE: TERM(8)
> Apr 25 12:14:55 zntop ntop[51624]: ===================================
> Apr 25 12:14:55 zntop ntop[51624]: ntop is shutdown...
> Apr 25 12:14:55 zntop ntop[51624]: ===================================
> Apr 25 12:15:02 zntop ntop[51726]: THREADMGMT[t134610944]: ntop RUNSTATE: PREINIT(1)
> Apr 25 12:15:02 zntop ntop[51726]: THREADMGMT[t134610944]: ntop RUNSTATE: INIT(2)
> Apr 25 12:17:59 zntop ntop[51736]: THREADMGMT[t134610944]: ntop RUNSTATE: PREINIT(1)
> Apr 25 12:17:59 zntop ntop[51736]: THREADMGMT[t134610944]: ntop RUNSTATE: INIT(2)
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
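
Added example, not part of the original thread or of ntop's own scripts: a POSIX shell sketch of why the -B filter has to reach getopt() as a single argv word. The helper names (b_value, split_only, reparse) are hypothetical, the addresses are the ones from the thread, and it is an assumption that the startup script re-parses additional_args through the shell.

```shell
#!/bin/sh
# Filter text from the thread; the two settings strings are constructed here.
FILTER='not ((src host 192.168.8.2 and dst host 192.168.10.88) or (src host 192.168.10.88 and dst host 192.168.8.2))'
UNQUOTED="-m 192.168.8.0/24 -B $FILTER"
QUOTED="-m 192.168.8.0/24 -B \"$FILTER\""

# What getopt() would hand to -B: exactly one argv word, the one after it.
b_value() {
    while [ $# -gt 0 ]; do
        if [ "$1" = "-B" ]; then
            printf '%s' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Case 1: the string is expanded unquoted, so it is only split on whitespace.
# Quote characters stored inside the string stay literal in this case.
split_only() (
    set -f              # no pathname expansion while splitting
    set -- $1
    b_value "$@"
)

# Case 2 (assumed behaviour of the startup script): the string is parsed
# again as shell source, so ( ) are shell syntax and "..." groups words.
reparse() (
    eval "set -- $1" && b_value "$@"
) 2>/dev/null

# Show what -B receives in each case when the file is run directly.
printf 'split only, no quotes  : [%s]\n' "$(split_only "$UNQUOTED")"
printf 'split only, with quotes: [%s]\n' "$(split_only "$QUOTED")"
printf 're-parsed, no quotes   : [%s]\n' \
    "$(reparse "$UNQUOTED" || printf 'rejected by the shell')"
printf 're-parsed, with quotes : [%s]\n' "$(reparse "$QUOTED")"
```

Only the last case delivers the whole BPF expression to -B; in the others ntop would receive a one-word filter plus stray arguments, or the shell would reject the line before ntop starts.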