Simone,
> BPF is not supported for collector interfaces. If you want to use it then specify it on the nProbe.
Can you show me an example, because I'm not able to do it on nprobe with the -f option.
Gerhard Mourani
________________________________
From: Simone Mainardi <mainardi@ntop.org>
Sent: January 15, 2017 9:55:58 AM
To: Gerhard Mourani
Cc: ntop@unipi.it
Subject: Re: [Ntop] Excluding hosts or a subnet from being monitored
Gerhard,
On Fri, Jan 13, 2017 at 9:25 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Simone,
I found the problem: If you dont use the = sign on the filter parameter line, it doesn't see it.
Doesn't work -> --packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.227"
Work -> --packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.227"
That is true, I have made a fix.
The point is that when the filter is not seen, *ntopng doesn't say anything from the command line*. Nevertheless, in all your emails, you were sending us logs with ntopng showing "Packet capture filter set on ..." so it was not possible to figure out the cause of the issue. I don't know which logs you were sending but for sure they were not consistent with the claimed behavior. Next time please make sure to post logs that are actually representative.
Also, if I've eth0 and tcp://127.0.0.1:5556 as my NIC,
BPF is not supported for collector interfaces. If you want to use it then specify it on the nProbe.
it doesn't work, here the output:
/usr/bin/ntopng /etc/ntopng/ntopng.conf
13/Jan/2017 15:20:15 [Prefs.cpp:715] Localhost HTTP user login disabled
13/Jan/2017 15:20:15 [Ntop.cpp:1121] Setting local networks to 192.168.2.0/24<
http://192.168.2.0/24>
13/Jan/2017 15:20:15 [Redis.cpp:92] Successfully connected to redis 127.0.0.1:6379@0
[NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it with new value
[NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it with new value
13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface eth0...
13/Jan/2017 15:20:15 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.227"
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
[NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it with new value
[NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it with new value
13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] ERROR: No filter can be set on a collector interface. Ignored ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.227
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]
13/Jan/2017 15:20:15 [main.cpp:255] PID stored in file /var/run/ntopng/ntopng.pid
13/Jan/2017 15:20:15 [Utils.cpp:341] User changed to ntopng
13/Jan/2017 15:20:15 [HTTPserver.cpp:509] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
13/Jan/2017 15:20:15 [HTTPserver.cpp:515] HTTPS server listening on port 3001
13/Jan/2017 15:20:15 [main.cpp:295] Working directory: /var/lib/nst/ntopng
13/Jan/2017 15:20:15 [main.cpp:297] Scripts/HTML pages directory: /usr/share/ntopng
13/Jan/2017 15:20:15 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019 - (C) 1998-2016 ntop.org<
http://ntop.org>
13/Jan/2017 15:20:15 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
13/Jan/2017 15:20:15 [PeriodicActivities.cpp:53] Started periodic activities loop...
13/Jan/2017 15:20:15 [RuntimePrefs.cpp:34] Dumping alerts into syslog
13/Jan/2017 15:20:15 [Ntop.cpp:531] Adding 192.168.2.0/24<
http://192.168.2.0/24> as IPv4 local network for eth0
13/Jan/2017 15:20:15 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as IPv6 local network for eth0
13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on interface eth0 [id: 0]...
13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on interface tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]...
13/Jan/2017 15:20:15 [CollectorInterface.cpp:104] Collecting flows on tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [ntopng->nprobe]
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1058] Invalid packet received [len: 2934][MTU: 1518].
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO enabled, please disable it
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K eth0 gro off gso off tso off
13/Jan/2017 15:21:05 [main.cpp:37] Shutting down...
13/Jan/2017 15:21:05 [Redis.cpp:60] Redis has disconnected: reconnecting...
Killed
Gerhard,
On Jan 13, 2017, at 3:00 PM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard, both.
Even if I put the filter in a conf file it works:
deri@centos6 203> cat /tmp/test.conf
-i=eth0
--packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.109"
--community=
deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8<
http://127.0.0.0/8>
13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis 127.0.0.1:6379@0
13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from interface eth0...
13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 192.168.2.109"
On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Simone,
Did you run ntopng with the filter directly from the command line or via the configuration file? I think the problem happens when the filter is in the configuration file and you run ntopng to read it in this file.
Gerhard,
On Jan 11, 2017, at 5:13 PM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard,
I've just tried to reproduce on centos6. The filter is working properly. I also tried to exclude the ntopng host and it works. So the only additional suggestion I have is to try and update ntopng to the latest stable.
Regards
On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
> The point here is that the filter doesn't contain any clause that matches host 10.0.0.39 ...
Because, I've changed 10.0.0.39 for 192.168.2.227 for the test.
Here the one in prod with 10.0.0.39<
http://10.0.0.39>:
[root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 10.0.0.39"
10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8<
http://127.0.0.0/8>
10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis 127.0.0.1:6379@0
10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from interface eth3...
10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on eth3 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 10.0.0.39"
10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id: 2]
10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file /var/run/ntopng.pid
10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read
https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable SSL.
10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port 3000
10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory: /usr/share/ntopng
10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013 - (C) 1998-2016 ntop.org<
http://ntop.org>
10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic activities loop...
10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16<
http://169.254.0.0/16> as IPv4 local network for eth3
10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64 as IPv6 local network for eth3
10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling on interface eth3 [id: 2]...
Gerhard,
On Jan 10, 2017, at 4:17 PM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerard,
On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Simone,
Here when launched from command line:
[root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host (192.168.2.227)"
OK, so the filter is properly parsed. I went back through this thread and found that you complained that
> "The issue is that even if 10.0.0.39 is filtered to be excluded, it appears in the view of top hosts.,"
The point here is that the filter doesn't contain any clause that matches host 10.0.0.39 ...
10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8<
http://127.0.0.0/8>
10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis 127.0.0.1:6379@0
10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from interface eth0...
10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host (192.168.2.227)"
10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file /var/run/ntopng.pid
10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read
https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable SSL.
10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port 3000
10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory: /usr/share/ntopng
10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019 - (C) 1998-2016 ntop.org<
http://ntop.org>
10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic activities loop...
10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24<
http://192.168.2.0/24> as IPv4 local network for eth0
10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as IPv6 local network for eth0
10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling on interface eth0 [id: 0]...
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet received [len: 1804][MTU: 1518].
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO enabled, please disable it
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K eth0 gro off gso off tso off
Seem that the filter passed but still can see IP 192.168.2.227 on my list!
Gerhard,
On Jan 10, 2017, at 4:04 PM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard,
>From the logs I can't see anything that confirms ntopng has read/parsed the bpf filter specified. It looks like the filter is ignored. I am not sure those logs contain the full output, though.
Can you please run ntopng in foreground and paste the output? Simply call /usr/local/bin/ntopng /etc/ntopng/ntopng.conf
Regards,
Simone
On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Configuration:
--interface tcp://127.0.0.1:5556<
http://127.0.0.1:5556>
--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 10.0.0.39"
--local-networks 10.0.0.0/24,192.168.2.0/24<
http://10.0.0.0/24,192.168.2.0/24>
--daemon
--user ntopng
--pid /var/run/ntopng/ntopng.pid
--http-port 0
--https-port 3001
--data-dir /var/lib/nst/ntopng
--dns-mode 1
--disable-autologout
--disable-login 0
--sticky-hosts none
--http-prefix /ntopng
--ndpi-protocols /etc/ntopng/protos.txt
Log file:
09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to 10.0.0.0/24,192.168.2.0/24<
http://10.0.0.0/24,192.168.2.0/24>
09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis 127.0.0.1:6379@0
09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is normal)
09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]
09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]
09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file /var/run/ntopng/ntopng.pid
09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs [/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on port 3001
09/Jan/2017 14:43:49 [main.cpp:295] Working directory: /var/lib/nst/ntopng
09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory: /usr/share/ntopng
09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013 - (C) 1998-2016 ntop.org<
http://ntop.org>
09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic activities loop...
09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling on interface tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [id: 1]...
09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows on tcp://127.0.0.1:5556<
http://127.0.0.1:5556> [ntopng->nprobe]
Gerhard,
On Jan 9, 2017, at 11:26 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard, please attach the configuration used and the full ntopng console output (or log file).
On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
Simone,
The issue is that even if 10.0.0.39 is filtered to be excluded, it appears in the view of top hosts. Also, the IP 0.0.0.0 appaers and I don't have any idea about what it is?
[X]
GERHARD MOURANI | Sp?cialiste Telecom ? Concepteur Logiciel
450 761-9973 p634 | gmourani@prival.ca<mailto:gmourani@prival.ca>
9935, rue de Ch?teauneuf, bureau 120, Brossard, Qu?bec, J4Z 3V4
Qu?bec 418 907-8356 | Ottawa 613 689-1539 | Toronto 416 645-5626
facebook.com/Prival-230867980323343<
http://facebook.com/Prival-230867980323343>
linkedin.com/company/prival<
http://linkedin.com/company/prival>
[X]
On Jan 8, 2017, at 5:36 AM, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Gerhard,
The filter is correct and properly parsed by ntopng. So what is the issue you are experiencing?
Simone
On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <GMourani@prival.ca<mailto:GMourani@prival.ca>> wrote:
This doesn't work for me, I'm using the following parameters to exclude 10.0.0.39 which is my ntopng server IP:
--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8<
http://224.0.0.0/8> or 239.0.0.0/8<
http://239.0.0.0/8>) and not host 10.0.0.39"
Gerhard,
On Jan 5, 2017, at 12:09 PM, brett.stiell@cargocarriers.co.zw<mailto:brett.stiell@cargocarriers.co.zw> wrote:
Thank you Simone.
I will try that tomorrow morning.
Much appreciated.
On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <mainardi@ntop.org<mailto:mainardi@ntop.org>> wrote:
Brett, the filter is not complete. If you want to exclude 10.0.50.246
set:
--packet-filter="not host 10.0.50.246"
If you look at the ntopng output you will see if the filter is parsed
correctly.
On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
brett.stiell@cargocarriers.co.zw<mailto:brett.stiell@cargocarriers.co.zw>> wrote:
Hi there.
Thanks for getting back to me
This is the contents of my ntopng.start file:-
-G=/var/run/ntopng.pid
--daemon=
--local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30<
http://10.0.50.0/25,10.0.50.128/26,10.0.50.193/30>"
--packet-filter 10.0.50.246
-m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30<
http://10.0.50.0/25,10.0.50.128/26,10.0.50.193/30>"
--track-local-hosts
Regards,
Brett
*From:* Simone Mainardi [mailto:mainardi@ntop.org<mailto:mainardi@ntop.org>]
*Sent:* Thursday, January 05, 2017 3:26 PM
*To:* ntop@unipi.it<mailto:ntop@unipi.it>
*Cc:* ntop mailing list
*Subject:* Re: [Ntop] Excluding hosts or a subnet from being
monitored
Hi,
--packet-filter is the proper way to do that. Can you please report
the
exact filter you specified? Also check (and paste) ntopng output.
ntopng
prints a confirmation message if it has successfully parsed the
filter.
Regards
Simone
On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
brett.stiell@cargocarriers.co.zw<mailto:brett.stiell@cargocarriers.co.zw>> wrote:
Hi.
Is there any way to exclude a subnet or a range of hosts from being
monitored and appearing on the dashboard etc.
Our servers are in a specific IP range and I am not interested in
receiving their usage data.
I tried ?B and ?packet-filter and ?not? but they don?t seem to work.
Thanks
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop --
Sent from my Android device with Email Mail. Please excuse my brevity._______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop