Re: Adding protocols
Francois Mikus <fmikus <at> acktomic.com>
2001-10-03 15:25:11 GMT
Is it correct to say that all protocol identification is done by port
numbers. As such, this means that ntop is basically useless in analyzing
protocol distribution with accurate data rates. Even if as someone on
the list pointed out, that you could add other well known ports. As most
protocols will respond back to the client on a non well known port.
I had initially been very excited by that capability (protocol dist.
with bandwith usage) in doing WAN link analysis with ntop. To verify if
the link would benefit from protocol specific rate limiting (traffic
Right now, for those interested, and I am seeing quite a few requests
going on this list any type of protocol breakdown would have to be done
with a sniffer that can decode and identify the different protocols.
tcpdump comes to mind.
Surprisingly, I have researched this and have only come up with a single
tool (ttt by Kenjiro Cho) that takes tcpdump trace files and generates
protocol bandwith usage breakdowns. I will be trying it out later today,
so if anyone is interested I will share what I find out. Another tool I
haven't tried which may do that is flstats by Greg Minshall.
Correct me if I am wrong, maybe ethereal does this, but I have not read
anywhere that ethereal can export summarized data to something like RRD
for short/mid/long term trending.
Here is my dream tool. A tool that will integrate with tcpdump and then
export the accurate flow data to RRD which can then integrated in data
gathered from cricket/mrtg. For a better visibility of critical links.
Then, one can make an informed decision on implementing traffic shaping,
beefing up the link or beating up users that complain for nothing.
I hope to get your views.
Network Architect - Acktomic Network Architects Inc.
fmikus <at> acktomic.com
<snip, sorry I failed to copy the persons name>
I'm not entirely sure, but as this also relates to what I'm trying to do
with NTOP I'm going to put this on the mailing list in the hope of
some feedback. AFAIK NTOP distinguishes between protocols by using the
number, so if your FTP traffic is not using the standard port numbers
21 if I'm not mistaken) it will not be counted as FTP, but as unknown
Please correct me if I'm wrong :)
What I'm trying to do is add other protocols, which is not difficult if
are at a standard port, but the problem is a lot of protocols used by
example peer-to-peer applications use random port numbers, so you really
need to analyze the packets. I've taken a glance at the source code and
seems almost impossible to do this, or am I wrong? The only easy way I
is by using a plugin, but I don't think a plugin can report back to the
"main" database (which is used for creating the IP stats). If any one
suggestions, please let me know.