Thanks again, Gary.

We use a 3Com managed switch and run OpenBSD as our firewall router. I'm not too familiar with the available options on the switch but I'll keep those things in mind as I look into it. I wonder if setting up OpenBSD/PF with Netflow will provide additional beneficial information? The NTOP/netFlow is still a new discussion for me.

Your previous post was extremely helpful. I think I had a misconception that because ntop was gathering all this data and keeping it in an RRD, I would be able to use it to troubleshoot historical anomalies as well, and I can see because of the problem storing host information that this is difficult and not really feasible. So just understanding that is helpful. Also thanks for your insight into your troubleshooting techniques with NTOP. I'll keep experimenting and see what works best to solve the problem.

James
On 7/30/2009 3:18 PM, Gary Gatten wrote:
PS: Narrowing it to IP is easy if you have Ci$co - probably others -
managed switches / routers; use IP accounting - per IP stats.  If you
have Ci$co you can use NBAR "protocol discovery" and narrow down the
ports as well.  NBAR has a MIB so you could even configure your Cacti to
collect it.

Also, yes, you could run Wireshark or whatever.  Config it to start /
stop capturing at a certain time (or other trigger) and then review the
data when you get in.

G


-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of James Chase
Sent: Thursday, July 30, 2009 1:49 PM
To: [email protected]
Subject: Re: [Ntop] Identifying Inbound Network Traffic

Thanks for your reply. I am looking at the reports within hours of the data spike but am not dumping data to MySQL yet.

I guess what I am looking to do is zoom in on the Mail Protocol graph, for instance, select a time period and see information similar to what is available in Remote -> Local Traffic Report, which has statistics on how much data was sent from particular hosts, or even more useful -- a way to see how much data was sent to which host in particular during the selected time period. I don't see a way to get reports like that and isolate that kind of data from the system even before ntop clears its idle host data.

Should I be thinking about running ntop with the -B dst host mail.hostname.com and xxx.xxx.xxx.xxx and dump it to a pcap logfile to inspect with ntop later? Or am I missing something in the ntop reporting tools?

Thanks again!

On 7/30/2009 12:24 PM, Gary Gatten wrote:
You can if you catch it within 24 hours, or even better if you can catch it real-time.  Once sessions / hosts age out from inactivity the details are hard to get at.  Try to view the nTop reports during the suspect time window.  Else, turn up the logging configs in the rrd plugin (watch your disk space) and / or get the newer(newest) version of nTop that supports mySql and dump everything there.



-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of James Chase
Sent: Thursday, July 30, 2009 11:18 AM
To: [email protected]
Subject: [Ntop] Identifying Inbound Network Traffic

Hi,

I'm seeing an inbound traffic spike at our hosting facility early every morning at roughly the same time through our MRTG and Cacti graphs. We recently installed NTOP to try and pin down the source and destination as well as port/protocol of the traffic, but I haven't been able to do this as effectively as I thought. I know through Cacti which host the traffic is going to, but it has ~10 virtual IPs and due to a limitation of the SNMP protocol I can't limit it to which IP exactly.

But a more general question: is there a good way to get this information with NTOP? Taking a certain time period and identifying the association of a traffic spike; where the data is going to and where it is coming from, and on which port? I really want to drill down during the time period in question but the more detailed stats seem more cumulative.

Should I just be sampling output to a file during the period in question? Are there other useful plugins for this?

Thanks for any help,
James
_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop





"This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system."












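The approach Gary suggests (capture during the suspect window with tcpdump or Wireshark, review afterwards) and the report James wants (bytes sent to which host and port within a chosen time period) can be combined without keeping hosts alive in ntop at all. The script below is an added example written for this thread; it is not code from ntop or from anyone on the list. It assumes the capture is a classic libpcap file on an Ethernet link, such as `tcpdump -w` writes (the same BPF expression James mentions for ntop's -B works as a tcpdump filter), reads it with the Python standard library only, and ranks IP bytes by (destination, destination port) and by source for packets whose timestamp falls in the window. The sample pcap, the addresses and the timestamps are constructed inline so the script runs offline; for a real capture, pass `open("spike.pcap", "rb").read()` and the Unix timestamps of the window.

```python
"""Rank traffic in a time window of a pcap by destination host/port and by source.

Added example for this thread, not code from ntop or from anyone on the list.
Assumes a classic libpcap file (as tcpdump -w or Wireshark writes) on an
Ethernet link.  The sample pcap, hosts and timestamps below are constructed.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def build_frame(src, dst, sport, dport, payload_len, proto=PROTO_TCP):
    """Constructed Ethernet/IPv4/TCP (or UDP) frame, used only as sample input."""
    payload = b"\x00" * payload_len
    if proto == PROTO_TCP:  # 20-byte TCP header: ports, seq, ack, offset, flags, win, csum, urg
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    else:                   # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    total = 20 + len(l4) + payload_len
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0, ip4(src), ip4(dst))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + payload


def build_pcap(records):
    """records: iterable of (unix_ts, frame) -> bytes of a little-endian pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in records:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_packets(data):
    """Yield (ts_sec, frame) from pcap bytes; handles both byte orders."""
    magic = struct.unpack("<I", data[:4])[0]
    end = "<" if magic == 0xA1B2C3D4 else ">"
    if struct.unpack(end + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl


def decode(frame):
    """Return (src, dst, proto, sport, dport, ip_total_len), or None if not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + ihl
    sport = dport = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport, total


def summarize(pcap_bytes, start, end):
    """IP bytes per (dst, dport) and per src for packets with start <= ts < end,
    each ranked by volume.  Counts use the IP total length, so a capture taken
    with a short snaplen still credits whole packets."""
    by_dst, by_src = defaultdict(int), defaultdict(int)
    for ts, frame in iter_packets(pcap_bytes):
        if not start <= ts < end:
            continue
        d = decode(frame)
        if d is None:
            continue
        src, dst, _proto, _sport, dport, total = d
        by_dst[(dst, dport)] += total
        by_src[src] += total
    rank = lambda m: sorted(m.items(), key=lambda kv: (-kv[1], str(kv[0])))
    return rank(by_dst), rank(by_src)


# Constructed sample: a burst of SMTP traffic to 192.0.2.10 between ts 1000 and 1300,
# one HTTP packet, and two packets outside the window that must be ignored.
SAMPLE_PCAP = build_pcap([
    (900,  build_frame("10.0.0.5",     "192.0.2.10", 40000, 25, 1000)),
    (1010, build_frame("198.51.100.7", "192.0.2.10", 50001, 25, 1400)),
    (1020, build_frame("198.51.100.7", "192.0.2.10", 50001, 25, 1400)),
    (1100, build_frame("203.0.113.9",  "192.0.2.11", 50002, 80, 500)),
    (1250, build_frame("198.51.100.7", "192.0.2.10", 50001, 25, 1400)),
    (1300, build_frame("10.0.0.5",     "192.0.2.10", 40000, 25, 1400)),
])

if __name__ == "__main__":
    top_dst, top_src = summarize(SAMPLE_PCAP, 1000, 1300)
    for (dst, port), nbytes in top_dst:
        print(f"to {dst}:{port}\t{nbytes} bytes")
    for src, nbytes in top_src:
        print(f"from {src}\t{nbytes} bytes")
```

Because the ranking is keyed on the destination IP rather than the interface counter, the ~10 virtual IPs that SNMP lumps together are separated automatically, and the time window is applied to packet timestamps, so the capture can run all night and be cut down to the spike afterwards.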