Search Results

Search found 25 results on 1 pages for 'ntop'.

  • Ntop monitoring - Hosts visible with no SPAN/mirroring

    - by Cory J
    I am attempting to use ntop to monitor traffic over a Cisco Catalyst switch. I was assuming that in order to see any of the traffic, I'd have to use monitor, as described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml. However, before I did anything on the switch, I simply plugged my ntop server in and fired up ntop. To my surprise, I instantly see 3+ pages of hosts, and thousands of packets. How is ntop seeing this? I have verified that no monitoring exists on the switch (run as en):
        cs1.pvdc#show monitor
        No SPAN configuration is present in the system.
    My ntop server is Ubuntu 8.04, I haven't done ANY configuration, I just installed the ntop package. This is also a fresh Ubuntu install. Is there anything else on my switch besides "monitor" that might cause my switch to mirror all its traffic like this? I've tried plugging ntop into different ports with the same results. UPDATE: It appears to be more than just broadcast traffic showing up in ntop, for example, I can see when my IPs have talked to the DNS server or generated HTTP traffic. If my switch is misconfigured, can anyone point me in the right direction towards rectifying this? Not a Cisco expert.

  • installing ntop in ubuntu 12.4

    - by George Ninan
    When I try to start the ntop I get the following error - Secure Connection Failed An error occurred during a connection to 192.168.166.229:3000. SSL received a record that exceeded the maximum permissible length. (Error code: ssl_error_rx_record_too_long) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site. Please advise.

  • How to monitor traffic on certain ports with ntop

    - by Claudiu
    How to configure ntop so I can get the amount of upload traffic sent through a certain port? I've added the port in ntop/protocol.list, restarted ntop and after some time I've checked Summary - Traffic - TCP/UDP Traffic Port Distribution: Last Minute View, but data from that table is not too relevant. I think there is much more about this ntop that I don't know (configuration, usage).

  • NTOP gives warnings on startup

    - by FR6
    I just installed ntop 1.4.4 and when I start it, it gives me infinite warnings "packet truncated":
        ...
        RRD_DEBUG: umask 0066
        RRD_DEBUG: DirPerms 0700
        THREADMGMT: RRD: Started thread (t2992630672) for data collection
        THREADMGMT[t2992630672]: RRD: Data collection thread starting [p30923]
        INIT: Created pid file (/var/run/ntop.pid)
        THREADMGMT[t3086329552]: ntop RUNSTATE: INITNONROOT(3)
        Now running as requested user 'nobody' (99:99)
        Note: Reporting device initally set to 0 [eth0] (merged)
        THREADMGMT[t3086329552]: ntop RUNSTATE: RUN(4)
        THREADMGMT[t2982140816]: NPS(1): Started thread for network packet sniffing [eth0]
        THREADMGMT[t2982140816]: NPS(eth0): pcapDispatch thread starting [p30923]
        THREADMGMT[t2982140816]: NPS(eth0): pcapDispatch thread running [p30923]
        THREADMGMT[t3047009168]: SIH: Idle host scan thread running [p30923]
        THREADMGMT[t3057499024]: SFP: Fingerprint scan thread running [p30923]
        **WARNING** packet truncated (8814->8232)
        **WARNING** packet truncated (10274->8232)
        **WARNING** packet truncated (8814->8232)
        **WARNING** packet truncated (8814->8232)
        ...
    Do I need to configure something? I tried to access the web interface (http://localhost:3000) but it does not work. Note: I'm on CentOS. EDIT: Not sure if it helps but here is my "ifconfig":
        eth0 Link encap:Ethernet HWaddr 00:16:76:BC:7E:77
             inet addr:192.168.0.221 Bcast:192.168.0.255 Mask:255.255.255.0
             inet6 addr: fe80::216:76ff:febc:7e77/64 Scope:Link
             UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
             RX packets:15496640 errors:0 dropped:0 overruns:0 frame:0
             TX packets:19256813 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:1000
             RX bytes:836230629 (797.4 MiB) TX bytes:608496148 (580.3 MiB)
             Memory:dffe0000-e0000000

  • ntop to analyse bandwidth usage on multiple ASA 5505

    - by dunxd
    I have set up a netflow server at our data centre, which is connected via VPN to ~40 remote offices using Cisco ASA 5505. The aim is to analyse usage data and find out exactly how the remote connections are being used. I followed through http://techowto.files.wordpress.com/2008/09/ntop-guide.pdf to set up ntop and https://supportforums.cisco.com/docs/DOC-6114 to set up the ASAs. I can see from the Plugin Netflow Statistics page that netflow packets from my ASAs are being received - the counter is increasing. However, I am not seeing any breakdown on the Global Traffic Statistic page after switching to the Netflow interface. I'm just seeing a pie chart showing 100% traffic for eth0. The interfaces and documentation are a little hard to follow so I am not sure I have got things configured correctly. When setting up my NetFlow-device.2 I can specify Virtual NetFlow Interface Network Address - the web UI says "This value is in the form of a network address and mask on the network where the actual NetFlow probe is located." Is this a Network address (e.g. 192.168.0.0/24) or an actual host IP address (192.167.0.1/24)? If that should be a network address, is this the network in which one of my ASAs is or the network in which my ntop server is? If a host IP address, is this the IP address used by eth0 on my ntop server, the IP address of an ASA, or something else? Do I need a separate virtual interface for each ASA I am collecting netflow data from? Any guidance would be greatly welcome.

  • nTop RRD file architecture

    - by Seanny123
    I have a gig of nTop RRD files and I would like to start graphing them with rrdtool (but not with nTop, since I'm hoping to do this with a separate backup of the database as a workaround to the impossibility of limiting the RRD files by size), but I don't know how the files are structured. I've tried reading the RRD documentation from SourceForge and the nTop FAQ, but I'm not finding the information I need. Does anyone know of any documentation I should be looking at or how the files are structured? Here https://dl.dropbox.com/u/669437/file%20structure.png is a screenshot of the file structure. At first I thought it was organized by IP address (so the rrd files for address 1.1.2.3 would be stored in folder 1-1-2-3 or even the reverse order), but that doesn't seem to be the case. It isn't organized by MAC address either, although some hosts are saved that way. Any help would be appreciated.

  • Ubuntu reboot suddenly

    - by Gladiator
    It's the second day I have this issue, and Ubuntu still reboots suddenly. Nothing significant in syslog.
        salim@SalimPC:~$ tail -f /var/log/syslog
        Nov 7 12:34:53 SalimPC dbus[873]: [system] Successfully activated service 'com.ubuntu.SystemService'
        SalimPC dbus[873]: [system] Activating service name='org.freedesktop.PackageKit' (using servicehelper)
        SalimPC AptDaemon: INFO: Initializing daemon
        SalimPC AptDaemon.PackageKit: INFO: Initializing PackageKit compat layer
        SalimPC dbus[873]: [system] Successfully activated service 'org.freedesktop.PackageKit'
        SalimPC AptDaemon.PackageKit: INFO: Initializing PackageKit transaction
        SalimPC AptDaemon.Worker: INFO: Simulating trans:/org/debian/apt/transaction/6933b4b977d944fa8714898c01bfeae4
        SalimPC AptDaemon.Worker: INFO: Processing transaction org/debian/apt/transaction/6933b4b977d944fa8714898c01bfeae4
        SalimPC AptDaemon.PackageKit: INFO: Get updates()
        Nov 7 12:34:58 SalimPC AptDaemon.Worker: INFO: Finished transaction /org/debian/apt/transaction/6933b4b977d944fa8714898c01bfeae4
    ---------------------------------Previous post------------------
    Hi, my Ubuntu has rebooted suddenly (2 times till now in one hour). After login, a crash was indicated in /usr/sbin/ntop. Below are the syslog and a screenshot of the crash.
        salim@SalimPC:~$ tail /var/log/syslog
        Nov 6 18:25:38 SalimPC ntop[1630]: **WARNING** packet truncated (9642->8232)
        Nov 6 18:25:38 SalimPC ntop[1630]: **WARNING** packet truncated (8274->8232)
        Nov 6 18:25:38 SalimPC ntop[1630]: **WARNING** packet truncated (11010->8232)
        Nov 6 18:25:38 SalimPC ntop[1630]: **WARNING** packet truncated (17850->8232)
        Nov 6 18:25:38 SalimPC ntop[1630]: **WARNING** packet truncated (8274->8232)
        Nov 6 18:25:39 ntop[1630]: last message repeated 2 times
        Nov 6 18:25:39 SalimPC ntop[1630]: **WARNING** packet truncated (16482->8232)
        Nov 6 18:25:40 SalimPC ntop[1630]: **WARNING** packet truncated (11010->8232)
        Nov 6 18:25:43 SalimPC ntop[3075]: THREADMGMT[t3063068672]: ntop RUNSTATE: PREINIT(1)
        Nov 6 18:25:43

  • Symlink - Permission Denied

    - by John Smith
    I'm facing an interesting problem with plenty of Permission Denied outputs when using SymLinks
    Linux: Slackware 13.1
    Directory with Symlink:
        root@Tower:/var/lib# ls -lah
        drwxr-xr-x 8 root root 0 2012-12-02 20:09 ./
        drwxr-xr-x 15 root root 0 2012-12-01 21:06 ../
        lrwxrwxrwx 1 ntop ntop 21 2012-12-02 20:09 ntop -> /mnt/user/media/ntop6/
    Symlinked Directory:
        root@Tower:/mnt/user/media# ls -lah
        drwxrwx--- 1 nobody users 1.4K 2012-12-02 19:28 ./
        drwxrwx--- 1 nobody users 128 2012-11-18 16:06 ../
        drwxrwxrwx 1 ntop ntop 320 2012-12-02 20:22 ntop6/
    What I have done: I have used chown -h ntop:ntop on the ntop directory in /var/lib. Just to be sure, I have chmod 777 to both directories.
    Permission denied actions:
        root@Tower:/var/lib# sudo -u ntop mkdir /var/lib/ntop/test
        mkdir: cannot create directory `/var/lib/ntop/test': Permission denied
    Any ideas?

  • Network Sniffing and Hubs

    - by Chris_K
    This will likely seem naive to the experts... but it has been on my mind lately. For years I've been using ntop and a cheap 4 port hub to sniff client networks to determine who's doing what -- and how much. Great way to see what's going on when they call and say "Geeze, the network seems really slow today." No need to bring in a managed switch (or access the existing one) and no need to configure spanning or mirroring. I just drop in the hub inline where I want to measure. Lately I noticed it is just about impossible to buy a real honest-to-goodness hub anymore. While looking for a new one, I had someone tell me that I should be sure to get a full-duplex hub or I'd only be seeing half the traffic when I monitor. Really? I've been using a crusty old Netgear DS104 all this time. No clue if it is half or FD. Have I really been understating my measurements? I'm just not bright enough about the physical layer to really know... Side note: Just ordered a Dualcomm Ethernet Switch TAP as a hub replacement. Seems like a nifty gadget. Any notes or tips about it would be welcome in the comments :-)

  • Looking for a host based network monitor solution

    - by Ole Martin Handeland
    Hi all!
    Problem
    So, my hosting company has a network usage graph for my dedicated server. It seems that one day earlier this month, my network usage suddenly spiked with several hundred megabytes transferred (usually it's in the tens, not hundreds). It was probably me, but I just can't be sure who or what it was.
    Question
    So my question is: does anyone know of any host based solution for monitoring network usage that would tell me the client's IP address and the port/service he/she used?
    What I don't want
    I'm just guessing that someone will suggest I use nagios, munin, zabbix, cacti, mrtg - I've also looked at those, but a graph over network usage will not give me the answers I'm looking for. :-)
    Almost there
    I've already looked at a lot of monitoring solutions, and I've tried ntop (http://www.ntop.org/), darkstat (http://unix4lyfe.org/darkstat/) and others. Darkstat just didn't give me the answers. Although it listed a lot of statistics, and I could list the clients - it doesn't show me the network usage for a particular period. Ntop is by far the best I've seen so far - but I think it mostly shows current network usage, not the historical part. I could run apt-get upgrade and download a whole bunch of software, but not see it in the log afterwards.

  • Monitoring Bandwidth Usage (Per Internal IP) - Cisco ASA 5505

    - by Joseph Sturtevant
    I manage a small network with a Cisco ASA 5505 and a shared DSL connection. I would like to be able to monitor the bandwidth usage of the various users/devices on my network (by IP). Can I do that using the ASA? Has anyone got this working? What is the best way to do this?
    Some Ideas I Have Seen Online:
      - SNMP with a tool like Cacti: Does this give per IP usage with an ASA or just overall usage?
      - Netflow with a tool like ntop: Couldn't get this to work. It seems that the Netflows sent by ASA are not exactly standard. Ntop receives them, but doesn't seem to know what to do with them.

  • Is there a free tool/package that can monitor web traffic and display URLS accessed? [closed]

    - by Anthony
    I couldn't find a similar question but then maybe I am searching for the wrong terms. A few years ago I used a router-like device, I'm pretty sure it was a SonicWall, that did this on a client's site. Basically all traffic would be routed through this device and it allowed the manager/administrator to inspect web usage of the workers, determine how often certain resources were accessed and block them if necessary (much like a content filter). It showed reports based on domain name reached etc. Facebook.com, Bebo.com and so on. It also displayed the usual IP traffic information etc. It was a UTM also. I have tried Endian firewall, with its NTOP install, but I don't think that will show URLs browsed. Maybe I just haven't found it in NTOP yet? I need this to troubleshoot connection and traffic issues at my home, with about twenty devices/users, so I didn't want to buy a dedicated solution and have spare hardware to use a community product.

  • Xorg eating up too much RAM on Ubuntu 9.10 box

    - by Yang
    Xorg is eating up 444MB of 2GB total RAM on my Ubuntu 9.10 x86_64 machine with nvidia drivers installed for the nvidia G86 (GeForce 8300 GS). top shows:
        top - 18:21:41 up 6 days, 2:40, 9 users, load average: 0.46, 1.12, 1.22
        Tasks: 266 total, 3 running, 262 sleeping, 1 stopped, 0 zombie
        Cpu(s): 8.4%us, 2.0%sy, 0.0%ni, 89.1%id, 0.5%wa, 0.0%hi, 0.0%si, 0.0%st
        Mem: 2055736k total, 1965136k used, 90600k free, 3952k buffers
        Swap: 979924k total, 979908k used, 16k free, 102636k cached
          PID USER PR NI  VIRT  RES  SHR S %CPU %MEM    TIME+ COMMAND
         1432 root 20  0 1154m 442m 7492 S    8 22.0 32:56.97 Xorg
        18462 yang 20  0 1001m 219m 8356 S    0 10.9  5:13.25 chrome
        24099 yang 20  0  865m  83m  13m S    0  4.2  0:06.91 chrome
    xrestop shows:
        xrestop - Display: :0.0
        Monitoring 47 clients. XErrors: 0
        Pixmaps: 40430K total, Other: 142K total, All: 40573K total
        res-base Wins GCs Fnts Pxms Misc Pxm mem Other Total PID  Identifier
        1c00000    21  46    1   19  697   9128K   18K 9146K 3169 x-nautilus-desktop
        1000000     4   3    0   17  194   9000K    4K 9004K 3134 gnome-settings-daemon
        1600000    51   2    1   25 1100   7648K   28K 7676K ?    compiz
    For comparison, here's my other Ubuntu box, which also has compiz etc. enabled but with ATI RV370 (Radeon X300SE):
        top - 18:18:18 up 58 days, 4:27, 9 users, load average: 0.00, 0.00, 0.00
        Tasks: 224 total, 1 running, 223 sleeping, 0 stopped, 0 zombie
        Cpu(s): 0.3%us, 0.3%sy, 0.0%ni, 98.8%id, 0.5%wa, 0.0%hi, 0.0%si, 0.0%st
        Mem: 1024964k total, 987124k used, 37840k free, 247012k buffers
        Swap: 2048276k total, 94296k used, 1953980k free, 264744k cached
          PID USER PR NI  VIRT  RES  SHR S %CPU %MEM     TIME+ COMMAND
        24324 yang 20  0 61936  35m 6364 S    0  3.5   4:35.84 nxagent
         1768 ntop 20  0  190m  32m 5388 S    1  3.2 283:36.15 ntop
         1178 root 20  0 60588  29m 1788 S    0  3.0   5:48.89 console-kit-dae
        ...
         1315 root 20  0  343m 4956 4020 S    0  0.5   3:43.87 Xorg
    Any ideas on how to get to the bottom of this? (i.e. not "Log out"/"Reboot") Thanks in advance.

  • class selector refuses after append to body

    - by supersize
    I'm appending loads of divs in a wrapper:
        var cubes = [], allCubes = '',
        for(var i = 0; i < 380; i++) {
            var randomleft = Math.floor(Math.random()*Math.floor(Math.random()*1000)),
                randomtop = Math.floor(Math.random()*Math.floor(Math.random()*1000));
            allCubes += '<div id="cube'+i+'" class="cube" style="position: absolute; border: 2px #000 solid; left: '+randomleft+'px; top: '+randomtop+'px; width: 9px; height: 9px; z-index: -1"></div>';
        }
        $('#wrapper').append(allCubes); // performance
        for(var i = 0; i < 380; i++) {
            cubes.push($('#cube'+i));
        }
    and then I would like to make them all draggable with jQueryUI and log their current position.
        var allc = $('.cube');
        allc.draggable().on('mouseup', function(i) {
            allc.each(function() {
                var nleft = $(this).offset().left;
                var ntop = $(this).offset().top;
                console.log('cubes['+i+'].animate({ left:'+nleft+',top:'+ntop+'})');
            });
        });
    Unfortunately it does not work. They are neither draggable nor does a log come up. Thanks

  • Juniper SSG5 find bandwidth eater

    - by Pol
    Hello forum, I am looking for a way to get the list of the top bandwidth eaters on my Juniper SSG5. On my old OpenBSD box I had a command line version of ntop. It was just perfect. How can I do the same thing with the SSG? Thank you!

  • Network traffic monitoring for unexperienced users

    - by Eduardo Casteluci
    I'm a really unexperienced Ubuntu user and I'm having a hard time monitoring my network traffic. I just need to know what websites each one of the devices connected to my network is accessing. I've tried to use ntop, but I couldn't work around it. Is that possible? I mean, is it possible to know that kind of data only by specifying a local IP address? How can I do that? It's a security issue that I'm facing and I need to work that "easy" monitoring out. Thanks

  • Swap, Swappiness and Standby: swapping starts when waking up

    - by mdo
    I'm running Ubuntu 12.04 on a Lenovo W500 (Core2Duo T9400, 4GB RAM).
    Current kernel: 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux -- but the problem has existed for a couple of months, surviving quite a few software (including kernel) updates.
    I regularly put my machine into suspend-to-ram (S3) and when the machine comes back up Ubuntu starts to swap out processes. I was able to observe that the used swap space starts to grow right after the box returns. See munin graphs below, the gap (obviously) shows the timeframe in STR. Needless to say that the box becomes unusable while swapping, load goes up beyond 10.
    What I've done so far:
      - lowered swappiness from default (60) to 10 (via /etc/sysctl.conf: vm.swappiness=10) -- this has improved the situation much, but sometimes the problem comes back, I have not found a trigger (like memory usage) for this for now
      - lowered swappiness to 5 -- perhaps this has brought an improvement again
    Before going to STR the box ran stable without (swapping) problems for hours. Today when the issue showed up again I used this script (http://stackoverflow.com/questions/479953/how-to-find-out-which-processes-are-swapping-in-linux) to find what processes have the most used swap space. The result after the swap orgy is like that (all PIDs with more than 10M usage):
        Overall swap used: 2121344 kB
        ========================================
        kB      pid     name
        ========================================
        439520  17491   java
        208148  22719   firefox
        136640  4337    /usr/bin/quodli
        120852  5271    chrome
        81832   5264    chrome
        74284   17003   chrome
        65368   16960   chrome
        57088   3675    chrome
        56184   30923   chrome
        54412   11331   chrome
        54264   3878    chrome
        51508   18382   chrome
        50088   3163    zeitgeist-fts
        49772   15543   chrome
        41344   15355   compiz
        35040   1161    mysqld
        32124   18374   chrome
        30940   11339   chrome
        30044   5752    chrome
        28780   4235    plugin-containe
        24576   31246   empathy-chat
        23840   17703   chrome
        22512   3207    ubuntuone-syncd
        21588   1937    ntop
        18336   2021    asterisk
        17200   3915    chrome
        13964   1935    Xorg
        12036   10679   chrome
        11104   30782   empathy
        11056   2889    python
        10932   16565   knotify4
    The java instance at the top is IntelliJ. IntelliJ, Firefox and Chrome also were all used right before the box was put to STR. So my question is: can I somehow prevent these swapouts AND why do they happen? Is it perhaps related to some misidentification of idle processes?
    I'm not looking for resolutions like:
      - turn off swap
      - buy more RAM
    Thanks in advance!

  • Does HyperV allow binding physical NIC on virtual machine with promiscuous mode?

    - by MadBoy
    I have HyperV on Windows 2008 Enterprise R2 installed with some Virtual Server running that I wanted to have ISA or NTOP to monitor traffic. I've added an additional physical NIC to the server and wanted to use this NIC as a traffic monitor (I've enabled port mirroring on the switch). I can see on the physical machine that runs HyperV a lot of traffic coming to the NIC so port mirroring works fine. However, in the virtual machine, even though I've assigned that NIC to only this one and only server, it sees 0 packets. In VMware Workstation it worked without problem and I could see mirrored traffic on the VM. Should this be possible or is HyperV crippled?

  • Python: how to calculate data received and sent between two ipaddresses and ports [closed]

    - by ramdaz
    I guess it's socket programming. But I have never done socket programming except for running the tutorial examples while learning Python. I need some more ideas to implement this. What I specifically need is to run a monitoring program of a server which will poll or listen to traffic being exchanged from different IPs across different popular ports. For example, how do I get data received and sent through port 80 of 192.168.1.10 and 192.168.1.1 (which is the gateway). I checked out a number of ready-made tools like MRTG, Bwmon, Ntop etc. but since we are looking at doing some specific pattern studies, we need to do data capturing within the program. The idea is to monitor some popular ports and do a study of network traffic across some periods and compare them with some other data. We would like to figure out a way to do all this with Python....

  • snort analysis of wireshark capture

    - by Ben Voigt
    I'm trying to identify trouble users on our network. ntop identifies high traffic and high connection users, but malware doesn't always need high bandwidth to really mess things up. So I am trying to do offline analysis with snort (don't want to burden the router with inline analysis of 20 Mbps traffic). Apparently snort provides a -r option for this purpose, but I can't get the analysis to run. The analysis system is gentoo, amd64, in case that makes any difference. I've already used oinkmaster to download the latest IDS signatures. But when I try to run snort, I keep getting the following error:
        % snort -V
           ,,_     -*> Snort! <*-
          o"  )~   Version 2.9.0.3 IPv6 GRE (Build 98) x86_64-linux
           ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
                   Copyright (C) 1998-2010 Sourcefire, Inc., et al.
                   Using libpcap version 1.1.1
                   Using PCRE version: 8.11 2010-12-10
                   Using ZLIB version: 1.2.5
        %> snort -v -r jan21-for-snort.cap -c /etc/snort/snort.conf -l ~/snortlog/
        (snip)
        273 out of 1024 flowbits in use.
        [ Port Based Pattern Matching Memory ]
        +- [ Aho-Corasick Summary ] -------------------------------------
        | Storage Format : Full-Q
        | Finite Automaton : DFA
        | Alphabet Size : 256 Chars
        | Sizeof State : Variable (1,2,4 bytes)
        | Instances : 314
        | 1 byte states : 304
        | 2 byte states : 10
        | 4 byte states : 0
        | Characters : 69371
        | States : 58631
        | Transitions : 3471623
        | State Density : 23.1%
        | Patterns : 3020
        | Match States : 2934
        | Memory (MB) : 29.66
        | Patterns : 0.36
        | Match Lists : 0.77
        | DFA
        | 1 byte states : 1.37
        | 2 byte states : 26.59
        | 4 byte states : 0.00
        +----------------------------------------------------------------
        [ Number of patterns truncated to 20 bytes: 563 ]
        ERROR: Can't find pcap DAQ!
        Fatal Error, Quitting..
    net-libs/daq is installed, but I don't even want to capture traffic, I just want to process the capture file. What configuration options should I be setting/unsetting in order to do offline analysis instead of real-time capture?
