Right.  And don't forget that netFlow only sends ntop the header information
- source/dest ip and port plus the packet size.  So there's nothing to DO
the deep packet inspection on. 


-----Burton


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary
Gatten
Sent: Wednesday, August 02, 2006 10:58 AM
To: [email protected]
Subject: RE: [Ntop] Question about ports

Not to be nit-picky, but stateful inspection does nothing to identify this
type of traffic.  You need some other sort of deep packet inspection, such
as NBAR that can look above layer 4.

If your router can correctly identify the traffic, you can use policy based
routing and NAT to change all the interesting stuff that uses dynamic ports,
to some fixed port of your choice.  Within NTOP you can then associate that
fixed port with the service.

Make sense?

Gary


>>> [EMAIL PROTECTED] 8/2/2006 10:29 AM >>>
My router does stateful packet inspection to identify Bittorrent and other
P2P traffic. The netflow information I'm sending from this router to NTOP
does not appear to contain this data.

Am I right? Does NTOP figure out itself what these packets are I guess?
Can NTOP be configured to recognize these packets (which may be on any
port), or the netflow configured for that from the router that CAN determine
what is P2P regardless of port?



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Daniel Lunde
Sent: Wednesday, August 02, 2006 9:26 AM
To: [email protected]
Subject: Re: [Ntop] Question about ports

The protocol list is embedded in the ntop code.  The best solution is to
create your own list and start ntop with the -p option. (i.e. ntop -p
/etc/ntop/protocol.list).  I started with ntop's list and added a bunch more
based on the services I run.

To find what ports a particular service runs on, you can check /etc/services,
the services configuration file, or netstat -a to see what ports
are listening.  Sorry, I'm no Windows guy, so Linux is all I can help with.
Google is your best friend otherwise.

Daniel

Here's my list:

HTTP=http|www|https|3128
DNS=name|domain
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
NFS=mount|pcnfs|bwnfs|nfsd|nfs|nfsd-status|7000-7009
AFP=afpovertcp
Windows=netbios-ns|netbios-dgm|netbios-ssn
FTP=ftp|ftp-data
TFTP=69
LDAP=ldap|ldapssl
SSH=ssh
Telnet=telnet|login
iTunes=3689
Radmind=6662
Amanda=10080-10083
Xgrid=4111
Keysvr=19283
Filemkr=5003|50003|50006
FlexLM=7111
ARD=3238
QTSS=554|8000-8001
mDNS=5353
sFlow=6343
DHCP=67-68
RPC=111
SNMP=snmp|snmp-trap
SLP=427
LPR=515|631
NNTP=nntp
VoIP=5060|2000|54045
X11=6000-6010
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=-1
eDonkey=4661-4665
BitTorrent=6881-6999|6969
Messenger=1863|5000|5001|5190-5193


On Aug 2, 2006, at 10:02 AM, Hugo Rebello wrote:

> Guys,
>
> I'd like to know how ntop identifies Kazaa, eDonkey, Messenger and
> other traffic?
> Where can I find the port information about this traffic ?
>
> Thank you.
>
> Cheers,
> Hugo
>
>
>
> _______________________________________________
> Ntop mailing list
> [email protected]
> http://listgateway.unipi.it/mailman/listinfo/ntop
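
An added example, not part of the original thread and not ntop's own code: a small parser for the label=name|port|range list format shown above, applied to header-only flow records to show why P2P traffic on an unlisted port goes unlabelled. The SERVICES table (a stand-in for /etc/services), the flow records, the destination-then-source matching order and the "Other" label are all assumptions made for the illustration.

```python
# Added illustration, not ntop code. SERVICES is a constructed stand-in
# for /etc/services name lookups.
SERVICES = {"http": 80, "www": 80, "https": 443, "ssh": 22, "domain": 53}
PROTOCOL_LIST = """\
HTTP=http|www|https|3128
DNS=name|domain
SSH=ssh
Kazaa=1214
eDonkey=4661-4665
BitTorrent=6881-6999|6969
"""

def parse_protocol_list(text, services=SERVICES):
    """Return ({port: label}, unresolved); the first label to claim a port keeps it."""
    port_map, unresolved = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        label, spec = line.split("=", 1)
        for token in spec.split("|"):
            if token.isdigit():
                ports = [int(token)]
            elif "-" in token and all(p.isdigit() for p in token.split("-", 1)):
                lo, hi = map(int, token.split("-", 1))
                ports = range(lo, hi + 1)
            elif token in services:
                ports = [services[token]]
            else:
                unresolved.append((label, token))  # name missing from services table
                continue
            for port in ports:
                port_map.setdefault(port, label)
    return port_map, unresolved

def classify(flow, port_map):
    """Label a flow from its ports alone, which is all header-only flow data allows."""
    for port in (flow["dport"], flow["sport"]):
        if port in port_map:
            return port_map[port]
    return "Other"

# Constructed flow records: header fields only, no payload to inspect.
FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51000, "dport": 443, "bytes": 4200},
    {"src": "10.0.0.7", "dst": "198.51.100.3", "sport": 6881, "dport": 40211, "bytes": 900000},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "sport": 49152, "dport": 51413, "bytes": 750000},
]
PORT_MAP, UNRESOLVED = parse_protocol_list(PROTOCOL_LIST)
LABELS = [classify(f, PORT_MAP) for f in FLOWS]
```

The third flow has the same host and a similar byte count as the second, but neither port is in the list, so it lands in "Other"; UNRESOLVED reports list entries whose service name could not be looked up.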
