Mailing List Archive

Client/Server hostname/IP Mismatch
Dear all,

I have installed NTopNG 3.8.200120 - Enterprise Edition on Ubuntu 18.04.2 LTS

And it seems there is an error as the flow display information between same machine and seems to invert Client/Server.

[image003.png]

Thx & Rgds,
Christophe.
Re: Client/Server hostname/IP Mismatch
Please,

Explain how to reproduce and how you are delivering traffic to ntopng. It could be that the first SYN packet of the flow hasn't been seen - indeed, I don't see any SYN in the server -> client TCP flags - so ntopng has been tricked into thinking the server (who actually responded with a SYN+ACK) is the client.

This happens because a new flow gets its client and server assigned depending on the first seen packet.

Simone

> On 22 Jan 2020, at 11:11, Christophe Gierski <c.gierski@traxens.com> wrote:
>
> Dear all,
>
> I have installed NTopNG 3.8.200120 - Enterprise Edition on Ubuntu 18.04.2 LTS
>
> And it seems there is an error as the flow display information between same machine and seems to invert Client/Server.
>
> <image003.png>
>
>
>
>
> Thx & Rgds,
> Christophe.
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
Re: Client/Server hostname/IP Mismatch
Dear,

Thanks for the reply.
The traffic is delivered to NtopNg with WAN port mirroring.
But what I do not understand is why, in the NtopNG web interface, in the flow, the link to the server is the real IP address of the client, and the link is the server name!

Is there some debug/trace level that I could activate?

Thanks.
Christophe.



From: ntop-bounces@listgateway.unipi.it <ntop-bounces@listgateway.unipi.it> On behalf of Simone Mainardi
Sent: Thursday, 23 January 2020 15:10
To: ntop@unipi.it
Cc: ntop@listgateway.unipi.it
Subject: Re: [Ntop] Client/Server hostname/IP Mismatch

Please,

Explain how to reproduce and how you are delivering traffic to ntopng. It could be that the first SYN packet of the flow hasn't been seen - indeed, I don't see any SYN in the server -> client TCP flags - so ntopng has been tricked into thinking the server (who actually responded with a SYN+ACK) is the client.

This happens because a new flow gets its client and server assigned depending on the first seen packet.

Simone


On 22 Jan 2020, at 11:11, Christophe Gierski <c.gierski@traxens.com> wrote:

Dear all,

I have installed NTopNG 3.8.200120 - Enterprise Edition on Ubuntu 18.04.2 LTS

And it seems there is an error as the flow display information between same machine and seems to invert Client/Server.

<image003.png>




Thx & Rgds,
Christophe.
Re: Client/Server hostname/IP Mismatch
Thanks for pointing this out,

The highlighted flow is TLS. For TLS flows, to improve the readability of the peers, the server name is set to be the requested certificate Common Name (CN). Indeed, you can check that the CN shown after the "Client Requested:" equals the name chosen for the server.

The point that the name shown in the breakdown is different from the name shown in the Flow Peers is a bug, and I've committed a fix for this. A new build 3.9 is in progress and will be ready in less than one hour.

Regards,

Simone

> On 22 Jan 2020, at 11:11, Christophe Gierski <c.gierski@traxens.com> wrote:
>
> Dear all,
>
> I have installed NTopNG 3.8.200120 - Enterprise Edition on Ubuntu 18.04.2 LTS
>
> And it seems there is an error as the flow display information between same machine and seems to invert Client/Server.
>
> <image003.png>
>
>
>
>
> Thx & Rgds,
> Christophe.
>
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
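
A simplified model of the two behaviours described in this thread (client/server roles taken from the first seen packet, and the TLS server peer labelled with the client-requested name), added here as an example; it is not ntopng's code. The packet tuples, the documentation-range addresses, the name `www.example.org` and the `flag_aware` correction are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

SYN, PSH, ACK = 0x02, 0x08, 0x10
CLIENT, SERVER = ("192.0.2.10", 51514), ("198.51.100.7", 443)  # constructed peers

@dataclass
class Flow:
    client: tuple                        # (ip, port) believed to be the initiator
    server: tuple                        # (ip, port) believed to be the responder
    server_label: Optional[str] = None   # name displayed for the server peer

def sample_capture(include_syn):
    """Constructed packets: (src, dst, tcp_flags, tls_requested_name)."""
    pkts = [(SERVER, CLIENT, SYN | ACK, None),
            (CLIENT, SERVER, ACK, None),
            (CLIENT, SERVER, PSH | ACK, "www.example.org")]  # ClientHello
    if include_syn:
        pkts.insert(0, (CLIENT, SERVER, SYN, None))
    return pkts

def build_flows(packets, flag_aware):
    flows = {}
    for src, dst, flags, name in packets:
        key = frozenset((src, dst))      # one key for both directions
        flow = flows.get(key)
        if flow is None:
            # Rule from the thread: the sender of the first seen packet is the client.
            client, server = src, dst
            # Hypothetical correction: only the accepting side sends SYN+ACK, so if
            # that is the first packet seen, the SYN was missed and roles are swapped.
            if flag_aware and (flags & (SYN | ACK)) == (SYN | ACK):
                client, server = dst, src
            flow = flows[key] = Flow(client, server)
        if name is not None:
            # TLS: the server peer is labelled with the name the client requested.
            flow.server_label = name
    return list(flows.values())

if __name__ == "__main__":
    for include_syn in (True, False):
        for flag_aware in (False, True):
            f = build_flows(sample_capture(include_syn), flag_aware)[0]
            print(f"syn_seen={include_syn} flag_aware={flag_aware}: "
                  f"server={f.server[0]} shown as {f.server_label}")
```

With the SYN missing from the mirror and no flag check, the requested server name ends up attached to the real client's IP address, which is the display described in the original report.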