[Ntop] NTOP and Local vs Remote
Gary Gatten
Ggatten at waddell.com
Mon May 5 21:26:16 CEST 2008
I'm fresh out of ideas then. I have mine (Virtual Address) set to my
"probe" address as indicated, but this address is included in my -m
networks as well. Sorry I couldn't be more help. Hopefully Luca,
Burton, or another guru will be able to resolve this!
G
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Monday, May 05, 2008 2:20 PM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
It's at the default, 192.168.0.0/255.255.0.0. I've tried changing it,
if I remember correctly, to one of my 5 CIDR blocks with no change.
The NetFlow debug switch seems to have no effect at all when I try it.
Jason
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Monday, May 05, 2008 2:09 PM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
On the netflow config page, what address is your "Virtual Network
Interface Network Address" set to?
Also, there is a "debug" switch at the end of this page - maybe it will
spew out something useful?
G
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Monday, May 05, 2008 11:49 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
I switched to v5 for a while, no noticeable differences anywhere.
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Monday, May 05, 2008 11:27 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
I read somewhere the v9 flows are supported, but just converted to v5
flows before processing - so not sure if there's much benefit to using
v9. Can't remember where I read this or if it's changed since then. I
tried v9 flows a couple times and had various issues so went back to v5.
Maybe give that a try?
G
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Monday, May 05, 2008 11:23 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
No, I'm using netflow v9.
Jason
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Monday, May 05, 2008 11:16 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
Is this just with cat 6500's and netflow? I'm using netflow on a 4510
with netflow card with no problems - well, guess I'd better double check
now! Also using netflow from pure routers with no problems.
Jason, I thought you were doing SPAN? Is this case or netflow as well?
Gary
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Monday, May 05, 2008 9:06 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
I'm glad to hear it's not just me. I turned on the ADDRESS_DEBUG for
a while, and it appears that it IS correctly identifying remote vs
pseudolocal. I dug through the code for a while, and everywhere I looked
things looked right... so I must have not looked far enough yet.
Jason
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Michael P. Donnelly
Sent: Monday, May 05, 2008 7:58 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
Same here .. opened a (now dead) thread a few weeks ago..
Local/Remote just doesn't work for me .. gary took a stab
at it at that time ..
-----Original Message-----
From: ntop-bounces at unipi.it on behalf of Yves CLAESSENS
Sent: Mon 5/5/2008 8:19 AM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
I have exactly the same problem. I'm using Netflow from a Catalyst 6500
and I configured Ntop with -m and 2 IP ranges.
Many more addresses appear as Local than intended.
Yves Claessens
-----------------------------
Message: 3
Date: Wed, 30 Apr 2008 16:58:47 -0500
From: "Jason Baugher" <JasonBaugher at adams.net>
Subject: Re: [Ntop] NTOP and Local vs Remote
To: <ntop at unipi.it>
Message-ID:
<44B5220222D118449C905253FE55D32201995606 at atc-mail1.adams.corp>
Content-Type: text/plain; charset="us-ascii"
I've tried some of these now.... I upped the MAX_SUBNET_HOSTS to a very
high number, and turned on the address debugging. It appears to be
correctly classifying each IP as remote or pseudo-local in the
debugging, but later in the web interface it shows them in the wrong
area.
I'll keep working with it tonight, but so far no good.
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Wednesday, April 30, 2008 2:44 PM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
That's really weird - never heard of this before; well except in cases
where the network id's and/or mask bits were wrong. Properly configured
I've never heard of this not working.
Depending on your masks nTop MAY be truncating the network size to
something smaller than your mask is specifying and MAYBE confusing the
local/remote thing. Check out all the options in "globals-defines.h" -
you'll see several entries such as "MAX_SUBNET_HOSTS", "ADDRESS_DEBUG",
"MAX_NUM_NETWORKS". This file has a BUNCH of tweaks in it - but you
have to recompile after changes :-(
Not sure if this will help or not, but don't know what else to do.
G
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Wednesday, April 30, 2008 2:18 PM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
I checked, and it understands my -m and -o correctly. I have 5 CIDR's
listed, in x.x.x.x/bits format, separated by commas, and it appears to
be happy with them.
Remote/local is also confused in other areas, such as All
Protocols->Traffic. If I select Hosts: Remote Only, I see 9 IP's.
Local Only, I see local and many that should be remote.
Jason
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Wednesday, April 30, 2008 1:21 PM
To: ntop at unipi.it
Subject: Re: [Ntop] NTOP and Local vs Remote
-m and -o are required for this and usually work without question.
Check your "About->Show Config" and look at the "Resolved To..." row;
make sure your flags (-m , -o, etc.) are actually being recognized.
Does the remote/local traffic appear to be distinguished correctly on
other views/reports? Or, does it appear broken everywhere?
Gary
________________________________
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Jason Baugher
Sent: Wednesday, April 30, 2008 1:02 PM
To: ntop at unipi.it
Subject: [Ntop] NTOP and Local vs Remote
I'm using NTOP to gather NetFlow's from 2 border routers, Cisco
7206VXR's, with around 50Mbps in/out traffic on each.
I've used the -m flag to specify all my internal IP's (our CIDR blocks),
as I want "Local to Local" to be traffic from one of our customers to
another, whereas "Local to Remote" and "Remote to Local" is traffic
from/to one of our customers from someone out on the Internet.
However, when I go to IP->Traffic Directions->Local to Local, I see
hosts that are definitely supposed to be Remote.
I've seen references in the archives to the -o flag - I've tried that
with no change.
Thanks,
Jason Baugher
jasonbaugher at adams.net
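Added example, not part of the original thread and not ntop's own code: an independent cross-check of the classification the post above expects, useful for confirming which hosts shown under a "Local" view really fall outside the configured network list. The network list, flow tuples, host list and all function names are constructed for illustration; the parser accepts both the x.x.x.x/bits and x.x.x.x/netmask forms that appear in this thread.

```python
import ipaddress
from collections import Counter

# Constructed sample values (documentation address ranges), not from the thread.
SAMPLE_M = "192.0.2.0/24, 198.51.100.0/255.255.255.0"
SAMPLE_FLOWS = [  # (source, destination, bytes)
    ("192.0.2.10", "198.51.100.7", 1200),
    ("192.0.2.10", "203.0.113.5", 800),
    ("203.0.113.5", "198.51.100.7", 400),
    ("203.0.113.5", "203.0.113.99", 50),
]
# Hosts copied by hand from a "Local" view in the web interface (constructed).
SAMPLE_SHOWN_LOCAL = ["192.0.2.10", "203.0.113.5", "198.51.100.7"]


def parse_local_networks(spec):
    """Parse a comma-separated network list; accepts /bits and /netmask."""
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def is_local(addr, nets):
    """True when addr falls inside any of the configured networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def direction(src, dst, nets):
    """Label a flow the way the traffic-direction reports are named."""
    side = lambda a: "Local" if is_local(a, nets) else "Remote"
    return f"{side(src)} to {side(dst)}"


def audit(flows, nets, shown_local):
    """Return (bytes per direction, hosts shown as local that are outside nets)."""
    totals = Counter()
    for src, dst, nbytes in flows:
        totals[direction(src, dst, nets)] += nbytes
    misfiled = sorted(h for h in shown_local if not is_local(h, nets))
    return totals, misfiled


if __name__ == "__main__":
    nets = parse_local_networks(SAMPLE_M)
    totals, misfiled = audit(SAMPLE_FLOWS, nets, SAMPLE_SHOWN_LOCAL)
    for name, nbytes in sorted(totals.items()):
        print(f"{name}: {nbytes} bytes")
    print("shown as Local but outside the list:", misfiled)
```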
"This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential. If
you are not the intended recipient, you are hereby notified that any
review, use, dissemination, disclosure or copying of this email and its
attachments, if any, is strictly prohibited. If you have received this
email in error, please immediately notify the sender by return email and
delete this email from your system."
------------------------------
Message: 4
Date: Thu, 1 May 2008 08:38:57 -0500
From: "Adamiec, Larry" <Ladamiec at kentlaw.edu>
Subject: Re: [Ntop] libcap library
To: <ntop at unipi.it>
Message-ID:
<51B0FD54A7A225489454D4BB1EE49D4E06AD40DD at MAIL3.kentlaw.edu>
Content-Type: text/plain; charset="us-ascii"
OK. I'll try libpcap.
I found the reference to libcap on page 5 of the NTop overview document
on ntop.org.
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Gary Gatten
Sent: Wednesday, April 30, 2008 16:32
To: ntop at unipi.it
Subject: Re: [Ntop] libcap library
Libcap? Maybe a typo - every OSS app I use for packet capture uses
libpcap; ntop, Ethereal, etc, etc.
-----Original Message-----
From: ntop-bounces at unipi.it [mailto:ntop-bounces at unipi.it] On Behalf Of
Adamiec, Larry
Sent: Wednesday, April 30, 2008 4:28 PM
To: ntop at unipi.it
Subject: [Ntop] libcap library
I am trying to install ntop on a Solaris 10 server. The docs say I need
to install libcap first. I have found references to libpcap but not
libcap.
Does anyone know where I can get libcap?
Larry Adamiec
Kent-College of Law
_______________________________________________
Ntop mailing list
Ntop at unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
End of Ntop Digest, Vol 48, Issue 1
***********************************