
#25 Flag to disable sniffing for DNS names to avoid aliases show

open
nobody
None
5
2012-12-07
2007-01-04
Roger Lindholm
No

Hi,

Would it be possible to implement this using a runtime control flag on the ntop.exe?

Please add it to the wishlist. Unfortunately I’m not a good enough C programmer to arrange a patch…

Best regards

// Roger

--------------------------------------------------------------------------------

From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Burton Strauss III
Sent: 17 December 2006 17:26
To: ntop@unipi.it
Subject: RE: [Ntop] (no subject)

Nope.

ntop uses the standard gethostbyname() C library calls, which get translated into the DNS query. Whatever the DNS returns is what we use – first name for the IP. So if six names resolve to the same IP/MAC address, whichever we see first is what we use.

You could try preloading the cache (it’s a gdbm database) with the resolutions you want (or you might use a hosts file), but that may not work: We use sniffing of other people’s DNS queries to reduce the number we actually make (they are async, naturally and so nasty from a real time perspective).

I suppose you could turn off sniffing (and possibly caching), by adding a control flag. That discussion belongs over in ntop-dev. And could be a big performance hit, especially during ntop’s first few minutes (which is when it learns most common names).

-----Burton

--------------------------------------------------------------------------------

From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Lindholm Roger
Sent: Friday, December 15, 2006 3:36 AM
To: ntop@listgateway.unipi.it
Subject: [Ntop] (no subject)

Hi,

On my network we use DNS CNAME-aliases to access most services. I have problems with Ntop showing traffic as belonging to the aliases instead of the real computer name. Is there any way to force Ntop to always do a DNS reverse lookup and thereby get the real computer name, instead of listening on the conversation for names?

In a typical Windows Active Directory environment DNS is used to translate things like which are the domain controllers for a domain etc. This means that when Ntop listens to these kinds of requests it will cache the domain’s name address instead of the computer name for the IP address captured. So this is an issue even if not using aliases.

I currently run 3.2.6 on Windows 2003.

Best regards

Roger Lindholm
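The alias problem described in this thread, as an added example that is not part of the original ticket and is not ntop code: it parses one sniffed DNS response and returns, for each A record, both the name the client asked for (the alias) and the owner name of the A record (the CNAME target). The host names and address are constructed sample values, and how ntop itself picks a name from a sniffed answer is not shown on this page.

```python
import struct

def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2                     # parsing resumes after the first pointer
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                         # a sniffer must not hang on hostile packets
                raise ValueError("pointer loop")
        elif n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def names_for_ip(msg):
    """Return {ip: (queried_name, a_record_owner)} for one sniffed DNS response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(msg, off)
        off += 4                                  # skip QTYPE and QCLASS
    out = {}
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:             # A record
            out[".".join(map(str, msg[off:off + 4]))] = (qname, owner)
        off += rdlen                              # CNAME and other types are skipped
    return out

def build_sample():
    """Constructed response: www.corp.example CNAME srv01.corp.example, A 192.0.2.10."""
    alias, real = encode_name("www.corp.example"), encode_name("srv01.corp.example")
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    q = alias + struct.pack("!HH", 1, 1)
    cname = b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(real)) + real
    a = real + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
    return hdr + q + cname + a
```

A cache keyed on the queried name would label 192.0.2.10 as `www.corp.example`; keying on the A record's owner gives `srv01.corp.example`, which is also what a PTR lookup would normally return when the reverse zone is maintained.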
