You are correct about Layer 2 switching, but your hub may not do what you want. FYI, there's an article in docs/FAQ on just this, but I may steal your picture.

Think about what traffic will be flowing across the hub in B. It's ONLY the traffic to/from the internet; all of the internal traffic is switched and not seen on that link. If that's ALL you want to see, nothing about your network backbone, OK.

But with A, you have the right configuration, but you can't use an ordinary switch port, otherwise the switch will quickly learn that there's 'nobody' there on the ntop port and forward no traffic. You need what is called a span, mirror or monitoring port, where the switch copies all of the traffic down that port for monitoring.

WRT 'dumb hubs', good luck. The last time I actually found a true hub was 7 or 8 years ago, the old Linksys ones. Most 'hubs' are 'switching hubs' and for our purposes are equivalent to a switch.

You will really want to use a passive tap. For 10/100 you can build your own (our FAQ has the pointer to the article on the snort site). Or you can buy a commercial unit (which you will have to do for GigE; that can't be passive). The trick with taps is that they split transmit from receive, and so you need two ntop ports and MUST combine NICs (ntop parameter).

-----Burton

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Houtan Makeki
Sent: Sunday, January 27, 2008 2:31 AM
To: [email protected]
Subject: [Ntop] ntop computer connected to switched network and promiscuous mode!!!

Hi there, ntop newbie here, please help.

I am interested in using ntop as an IP-based traffic monitoring tool. I have been using MRTG for years, and it's great, but now I want IP-based measurements. I have a bunch of servers connected to a managed switch. Also the internet gateway is connected to this switch (no firewalls). I got ntop working on a Linux machine. It is running in promiscuous mode. I can see all traffic to the local server, but nothing gets logged for traffic from the Internet to other servers connected to the switch.

I believe the reason the ntop server can't see the Internet traffic to other servers is that the switch is isolating each port. As far as I understand, the switch remembers the IP to MAC and then MAC to switch port and isolates traffic that way. But I could be totally wrong since my understanding of networking at layer 2 is limited. If I am right, then one solution seems to be to put a hub between the upstream router and the switch and connect the ntop server to that hub, so it can see all the packets that come and go to and from the internet and my network. But before I do this, can anyone tell me if my assumption that the switch is blocking things is correct? And does anyone know if it is possible to program a 3COM managed switch to treat one port like a hub? It is not fun adding a third NIC to this Linux box.
<<image001.gif>>
_______________________________________________ Ntop mailing list [email protected] http://listgateway.unipi.it/mailman/listinfo/ntop
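To make the point in Burton's reply concrete, here is an added example (not code from ntop or from either poster): a toy learning switch in Python. The MAC addresses, port names and frame sequence are constructed. The ntop port never transmits, so after the first flooded frame the switch has learned nothing that lives on it and forwards nothing there, while a mirror (SPAN) port receives a copy of every frame. The same script shows that a hub on the router uplink carries only Internet traffic (the internal srv2->srv1 frame is missing), and why a passive tap's two one-way legs have to be merged before ntop can see both directions of a flow.

```python
"""Added example (not ntop code): a toy learning switch that shows why a
promiscuous NIC on an ordinary switch port sees almost nothing, what a mirror
(SPAN) port delivers instead, what a hub or tap on the router uplink sees, and
why a passive tap's two legs must be merged before analysis."""

from collections import defaultdict

# Constructed MAC addresses for the router and two servers.
ROUTER, SRV1, SRV2 = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"

# Constructed traffic: (seq, src MAC, dst MAC, description).
FRAMES = [
    (1, ROUTER, SRV1, "inet->srv1"),
    (2, SRV1, ROUTER, "srv1->inet"),
    (3, ROUTER, SRV1, "inet->srv1"),
    (4, SRV2, SRV1, "srv2->srv1 (internal only)"),
    (5, ROUTER, SRV2, "inet->srv2"),
    (6, SRV2, ROUTER, "srv2->inet"),
]

# Which host hangs off which switch port; the ntop box never sends anything,
# so the switch never learns a MAC for the "ntop" port.
PORT_OF = {ROUTER: "gw", SRV1: "p1", SRV2: "p2"}
PORTS = ["gw", "p1", "p2", "ntop"]


class LearningSwitch:
    def __init__(self, ports, mirror_port=None):
        self.ports = list(ports)
        self.mirror_port = mirror_port
        self.cam = {}                     # learned MAC -> port
        self.seen = defaultdict(list)     # port -> seq numbers delivered there

    def forward(self, in_port, seq, src, dst):
        self.cam[src] = in_port           # learn where the source lives
        if dst in self.cam:
            outs = {self.cam[dst]}        # known unicast: one port only
        else:
            outs = set(self.ports) - {in_port}   # unknown destination: flood
        if self.mirror_port and self.mirror_port != in_port:
            outs.add(self.mirror_port)    # SPAN/mirror: copy everything here
        for p in outs:
            self.seen[p].append(seq)


def frames_on_ntop_port(mirror):
    """Sequence numbers that reach the ntop box's switch port."""
    sw = LearningSwitch(PORTS, mirror_port="ntop" if mirror else None)
    for seq, src, dst, _ in FRAMES:
        sw.forward(PORT_OF[src], seq, src, dst)
    return sw.seen["ntop"]


def frames_on_uplink():
    """What a hub (or a tap) between the router and the switch carries."""
    return [seq for seq, src, dst, _ in FRAMES if ROUTER in (src, dst)]


def tap_legs():
    """A passive tap splits the uplink into two one-way legs."""
    from_router = [seq for seq, src, _, _ in FRAMES if src == ROUTER]
    to_router = [seq for seq, _, dst, _ in FRAMES if dst == ROUTER]
    return from_router, to_router


def merge_legs(leg_a, leg_b):
    """Interleave both legs by capture order: the 'combine NICs' step."""
    return sorted(leg_a + leg_b)


if __name__ == "__main__":
    print("ordinary port :", frames_on_ntop_port(mirror=False))
    print("mirror port   :", frames_on_ntop_port(mirror=True))
    print("hub on uplink :", frames_on_uplink())
    a, b = tap_legs()
    print("tap legs      :", a, b, "-> merged", merge_legs(a, b))
```

On the plain port the ntop box receives only frame 1, the single flood that happened before the switch learned where srv1 is; everything after that is unicast to learned ports and bypasses it entirely, which is exactly the symptom in the original question. With the port configured as the mirror destination it receives all six frames. The uplink hub sees five, because frame 4 never crosses the router link. Each tap leg on its own holds only one direction of every conversation, so a monitor that reads just one leg sees requests without replies (or vice versa) until the two captures are merged.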
