
List:       ntop
Subject:    RE: [Ntop] erroneous service reporting
From:       "Gary Gatten" <Ggatten () waddell ! com>
Date:       2006-05-11 22:52:25
Message-ID: s46379f7.025 () gwia ! waddell ! com

LMAO!

So, fork up some $$$ or go away?  Sounds reasonable to me - I don't
work for free either.

Using NBAR I can classify certain types of traffic (most p2p stuff)
regardless of what port(s) it uses.  I can then manipulate the IP and
TCP headers using Policy Based Routing, NAT, etc.  For instance, I can
make all Gnutella traffic look like it's coming from a specific IP
and/or port number - regardless of what the end user is actually using. 
So, nTop will in theory always know that port ... "n" = Gnutella.  The
only question is whether or not netflow will report the IP and port
numbers before or after all the trickery NBAR and PBR and NAT does... 
I'm not sure about this part....

Maybe someone smarter than me - that WILL work for free - could borrow
some code from somewhere (Snort) and build us a plugin?

Gary


>>> Burton@ntopSupport.com 5/11/2006 4:13 PM >>>
Right church, wrong pew.  It's actually a smidge more complex - we report
traffic based on the lower port # we recognize.

So if we come in in the middle and see 80->32451, we call it HTTP(80) same
as if we saw the initial 32451->80 request.


For me, Plans = Supported Development.  $0 supported development = no
plans.


Remember:

Layer 3 protocols (e.g. http) are handled via the -P protocol list.

Layer 2 protocols are more complex - that takes coding.

Similarly, deep inspection (into the packets of a layer 3 protocol) takes:
   (1) coding
   (2) access to packet contents - NetFlow?  Buzzz but thanks for playing...
   (3) a reality check

(WRT #3 - we don't, for example, want to maintain a site wide connection
tracking table to monitor - say - NAT or P2P sessions)


-----Burton


-----Original Message-----
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Gary Gatten
Sent: Thursday, May 11, 2006 3:06 PM
To: Burton@ntopSupport.com; ntop@unipi.it 
Subject: RE: [Ntop] erroneous service reporting

I guess that's what I was saying.  AFAIK you (nTop) do simple port matching
right?  No deep packet inspection or protocol analysis?  So if Bittorrent (or
anything else) uses 554, it will show up as rtsp.

Are there any plugins or planned support for deeper protocol analysis for
more accurate traffic stats?  I've done some stuff with Cisco NBAR and
policy based routing / NAT so nTop always sees the same port for a specific
application - regardless of what that application tries to use.
But, that only works in certain configs.  Would be nice if nTop could look
deeper to determine what's really using a specific port.  Of course, with
netflow I don't think this would work at all would it?
Since you don't actually get the packets when using netflow, there'd be
nothing for you to analyze.  I THINK netflow "can" report addy/ports post
NAT processes, so my NBAR/ PBR thing may actually work.
Interesting...



>>> Burton@ntopSupport.com 5/11/2006 2:50 PM >>>
Um...

  Real Time Streaming Protocol (RTSP) (RFC 2326 and others I imagine) define
the standard port as 554. Bittorrent defaults to 6881, but that's almost
always changed...

Still, I don't see the collision...

-----Burton



 

-----Original Message-----
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Gary Gatten
Sent: Thursday, May 11, 2006 2:14 PM
To: Burton@ntopSupport.com; ntop@unipi.it 
Subject: RE: [Ntop] erroneous service reporting

I think he means Real Time Streaming Protocol.  I think your explanation
still holds true however.

Gary


>>> Burton@ntopSupport.com 5/11/2006 2:04 PM >>>
RSTP is layer 2 (Rapid Spanning Tree Protocol).  Bittorrent is based on
tcp/ip (protocol 17).  Or do you mean some other RSTP?

If this is all layer 3, then read docs/FAQ - the article on how ntop
classifies traffic.

You may need to remove protocols from the list if they aren't on your
network; there's also an article on that.

-----Burton
 

-----Original Message-----
From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of John Fountain
Sent: Thursday, May 11, 2006 1:14 PM
To: ntop@unipi.it 
Subject: [Ntop] erroneous service reporting

List-

We are having an issue where we believe ntop may be reporting rtsp streaming
traffic as bittorrent. Are there any known issues regarding this situation?

thanks

-john
_______________________________________________
Ntop mailing list
Ntop@unipi.it 
http://listgateway.unipi.it/mailman/listinfo/ntop 
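The "lowest recognized port" rule Burton describes, and the NBAR/PBR port-pinning workaround Gary sketches, as an added Python example (this is not ntop's code; the "LABEL=port|name" protocol-list syntax, the service-name table and the pinned port 9999 are assumptions):

```python
from typing import Dict, Tuple

# Constructed service-name table; a real tool would resolve names via /etc/services.
SERVICES = {"http": 80, "www": 80, "https": 443, "ftp": 21, "rtsp": 554}

def parse_protocol_list(spec: str) -> Dict[int, str]:
    """Parse an assumed 'LABEL=port|name|...,LABEL=...' list into {port: label}."""
    table: Dict[int, str] = {}
    for entry in spec.split(","):
        label, ports = entry.split("=", 1)
        for p in ports.split("|"):
            p = p.strip().lower()
            table[int(p) if p.isdigit() else SERVICES[p]] = label.strip()
    return table

def classify(table: Dict[int, str], sport: int, dport: int) -> str:
    """Label a flow by the lowest recognized port on either side.
    No payload is inspected, so direction and mid-stream pickup do not matter."""
    known = [p for p in (sport, dport) if p in table]
    return table[min(known)] if known else "unknown"

def pbr_rewrite(nbar_label: str, sport: int, dport: int,
                pinned: Dict[str, int]) -> Tuple[int, int]:
    """Mimic the NBAR + PBR/NAT trick: if NBAR tagged the flow with a pinned
    label, force the server-side port to a fixed value so a port-only
    classifier downstream always sees the same number for that application."""
    if nbar_label in pinned:
        return sport, pinned[nbar_label]
    return sport, dport

if __name__ == "__main__":
    table = parse_protocol_list("HTTP=http|www|443,FTP=ftp,RTSP=554,GNUTELLA=9999")
    # Mid-connection 80->32451 is labelled exactly like the initial 32451->80.
    print(classify(table, 32451, 80), classify(table, 80, 32451))   # HTTP HTTP
    # The collision from the thread: a BitTorrent peer listening on 554 shows as RTSP.
    print(classify(table, 41234, 554))                              # RTSP
    # Gary's workaround: NBAR tags the flow, PBR/NAT pins the port, ntop sees GNUTELLA.
    pinned = {"gnutella": 9999}  # 9999 is a constructed placeholder port
    print(classify(table, *pbr_rewrite("gnutella", 51000, 23456, pinned)))  # GNUTELLA
    # If NetFlow exports the pre-rewrite ports instead, the workaround buys nothing.
    print(classify(table, 51000, 23456))                            # unknown
```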
