Hi!

I also have been trying to find a program like yours for some time and I feel lucky that you had written it ;-)

I really like the program, however I'd like to make you a suggestion. Maybe I didn't understand aggregation well, but if I understood it well (and after trying it I think I did)... if you select for example remote port aggregation you ignore the remote port and you add all the connections to the very same machine together, and if you select host you ignore the host but also the port. I think it would be good to have a host aggregate (just host) so that you would ignore the host and take the port into account; that should give you the statistics on how each service is being used.

As I told you, maybe I understood it wrong and this can already be done, but if not, I think you should add host+port aggregation that should be what host aggregation is now and change the host aggregation to just ignore the host.

Sorry if I misunderstood all this, I just wanted to make a suggestion.

Thanks for your program.

Regards!
Santiago Garcia Mantinan <manty@aytolacoruna.es>
Logged In: NO
I noticed the same thing. It is a trivial fix; there is a 'break' statement missing that causes requests for host aggregation not to stop at applying host aggregation, but to continue on to also applying port aggregation. Here is a patch against the 0.9 sources.
----- start of patch ----
*** jnettop-0.9.orig/jnettop.c Wed Jul 30 12:24:24 2003
--- jnettop-0.9/jnettop.c Thu May 20 11:31:09 2004
***************
*** 270,281 ****
--- 270,283 ----
switch (localAggregation) {
case AGG_HOST:
stream->src.s_addr = 0x01000000;
+ break;
case AGG_PORT:
stream->srcport = -1;
}
switch (remoteAggregation) {
case AGG_HOST:
stream->dst.s_addr = 0x01000000;
+ break;
case AGG_PORT:
stream->dstport = -1;
}
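Review bot: the added `+ break;` after `stream->src.s_addr = 0x01000000;` (and its mirror in the remote switch) stops the fall-through into `case AGG_PORT:`, so host aggregation now keeps the port; that is the intended fix, but it is also a user-visible change for anyone who relied on host mode hiding the port as well, so the README's description of host aggregation should be updated in the same change rather than leaving users to discover it. With the fall-through gone, `case AGG_PORT:` is the last label in each switch and needs no break of its own.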
---- end of patch ----
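As an added illustration of the fall-through described in the comment above (example code written here, not jnettop's own code and not either commenter's), a stand-alone C model of the aggregation switch in its original and corrected form, with a bucket count over a constructed set of remote endpoints. The AGG_* values follow jnettop.h; AGG_ADDR, struct endpoint, distinct_buckets and SAMPLE are names assumed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
/* Mode numbering as in jnettop.h; AGG_BOTH is the value the second patch adds. */
enum { AGG_NONE = 0, AGG_PORT = 1, AGG_HOST = 2, AGG_BOTH = 3 };
/* Placeholder address jnettop stores when the host is aggregated away (assumed name). */
#define AGG_ADDR 0x01000000u
struct endpoint { uint32_t addr; int port; };   /* one side of a stream */

/* Original form: no break after AGG_HOST, so host mode also wipes the port. */
static void aggregate_buggy(struct endpoint *e, int mode) {
    switch (mode) {
    case AGG_HOST:
        e->addr = AGG_ADDR;
        /* falls through */
    case AGG_PORT:
        e->port = -1;
    }
}

/* Fixed form: each mode touches only what it names; AGG_BOTH touches both. */
static void aggregate_fixed(struct endpoint *e, int mode) {
    switch (mode) {
    case AGG_HOST: e->addr = AGG_ADDR; break;
    case AGG_PORT: e->port = -1; break;
    case AGG_BOTH: e->addr = AGG_ADDR; e->port = -1; break;
    default: break;
    }
}

/* Number of distinct buckets n endpoints collapse into under a mode (max 16 tracked). */
static int distinct_buckets(const struct endpoint *in, int n, int mode, bool buggy) {
    struct endpoint seen[16];
    int count = 0;
    for (int i = 0; i < n && count < 16; i++) {
        struct endpoint e = in[i];
        if (buggy) aggregate_buggy(&e, mode); else aggregate_fixed(&e, mode);
        bool dup = false;
        for (int j = 0; j < count && !dup; j++)
            dup = seen[j].addr == e.addr && seen[j].port == e.port;
        if (!dup) seen[count++] = e;
    }
    return count;
}

/* Constructed sample: three intranet hosts (10.0.0.1-3), each talking to two services. */
static const struct endpoint SAMPLE[] = {
    {0x0a000001, 80}, {0x0a000001, 443}, {0x0a000002, 80},
    {0x0a000002, 443}, {0x0a000003, 80}, {0x0a000003, 22},
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))
```

With the original switch, host mode collapses all six endpoints into one bucket; with the fix it yields one bucket per service (ports 80, 443, 22), which is the per-service view the first comment asked for.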
Logged In: YES
user_id=41611
Attached is a patch which corrects the original host behavior to just host-only, and adds a new host+port aggregation, so the original behavior is still available.
--start of patch--
--- jnettop-0.9.orig/README
+++ jnettop-0.9/README
@@ -17,10 +17,11 @@
(What is it?)
Aggregation is a way, how to modify packet classicication
rules. There are
-two types of aggregation in jnettop: host and port. If
there is port
-aggregation enabled, it means, that all packets seem to
come(go to) same port
-numbers. If there is host aggregation enabled, it means,
that all packets
-seem to come(go to) same host. Let's have an example:
+two types of aggregation in jnettop: host, port, and
host+port. If there
+is port aggregation enabled, it means, that all packets
seem to come(go
+to) same port numbers. If there is host aggregation
enabled, it means,
+that all packets seem to come(go to) same host. If host+port
+aggregation is enabled, it aggregates both. Let's have an
example:
Suppose we have following configuration:
+--- host0
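Review bot: the rewritten paragraph still describes host aggregation only as "all packets seem to come(go to) same host" and never says that the port is now kept, which is exactly what distinguishes it from the new host+port mode; one added sentence stating that host aggregation keeps the port and port aggregation keeps the host would make the three modes unambiguous for readers of the README.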
@@ -30,14 +31,14 @@
i.e. typical border router with eth0 interface looking into
internet and
eth1 interface looking to intranet. Suppose we're running
jnettop on router
sniffing on interface eth0. To see how many bytes every
host consumes out
-of the internet connection, we enable remote host
aggregation and local port
-aggregation. i.e. All internet will behave as one endpoint
and all programs
-on one host will, too, behave as one endpoint. This way,
every stream we see
-in jnettop will be from one of the hosts in intranet to a
public internet.
-Aggregation is very powerfull laser-knife in network
traffic analysis.
-I understand, that it is not very user friendly
implementation in jnettop and
-I will gratefully welcome every suggestion on how to make
this topic clear and
-more clear-to-use.
+of the internet connection, we enable remote host+port
aggregation and
+local port aggregation. i.e. All internet will behave as
one endpoint
+and all programs on one host will, too, behave as one
endpoint. This
+way, every stream we see in jnettop will be from one of the
hosts in
+intranet to a public internet. Aggregation is very
powerfull laser-knife
+in network traffic analysis. I understand, that it is not
very user
+friendly implementation in jnettop and I will gratefully
welcome every
+suggestion on how to make this topic clear and more
clear-to-use.
-- .jnettop configuration file --
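Review bot: since these `+` lines are being rewritten anyway, the carried-over typo "powerfull" and the "come(go to)" spacing could be corrected in the same change. The example itself is consistent with the new semantics: remote host+port aggregation is now what is needed to make "all internet" behave as one endpoint, because plain host mode keeps the port after this patch.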
@@ -84,14 +85,14 @@
Since version 0.9, jnettop supports following new keywors:
- local_aggregation [none|host|port]
+ local_aggregation [none|host|port|host+port]
this keyword sets startup local aggregation value
ex.
local_aggregation port
- remote_aggregation [none|host|port]
+ remote_aggregation [none|host|port|host+port]
this keyword sets startup remote aggregation value
ex.
--- jnettop-0.9.orig/jnettop.c
+++ jnettop-0.9/jnettop.c
@@ -35,7 +35,7 @@
#endif
gchar *NTOP_PROTOCOLS[] = { "UNK.", "IP", "TCP", "UDP",
"ARP", "ETHER", "SLL", "AGGR." };
-gchar *NTOP_AGGREGATION[] = { "none", "port", "host" };
+gchar *NTOP_AGGREGATION[] = { "none", "port", "host",
"host+port" };
char pcap_errbuf[PCAP_ERRBUF_SIZE];
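Review bot: the new "host+port" entry lands at index 3, matching `#define AGG_BOTH 3` in the jnettop.h hunk, and the existing none/port/host order matches AGG_NONE/AGG_PORT/AGG_HOST, so `NTOP_AGGREGATION[localAggregation]` stays correct; a comment on this array saying it must be kept in the same order as the AGG_* defines would protect that coupling the next time a mode is added.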
@@ -270,14 +270,26 @@
switch (localAggregation) {
case AGG_HOST:
stream->src.s_addr = 0x01000000;
+ break;
case AGG_PORT:
stream->srcport = -1;
+ break;
+ case AGG_BOTH:
+ stream->src.s_addr = 0x01000000;
+ stream->srcport = -1;
+ break;
}
switch (remoteAggregation) {
case AGG_HOST:
stream->dst.s_addr = 0x01000000;
+ break;
case AGG_PORT:
stream->dstport = -1;
+ break;
+ case AGG_BOTH:
+ stream->dst.s_addr = 0x01000000;
+ stream->dstport = -1;
+ break;
}
}
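Review bot: `case AGG_BOTH:` repeats the two assignments from `case AGG_HOST:` and `case AGG_PORT:` in both switches; two independent conditions (`if (localAggregation == AGG_HOST || localAggregation == AGG_BOTH) stream->src.s_addr = 0x01000000;` and the same shape for the port) express the same thing without the duplication. Neither switch has a `default:`, so confirm that the AGG_UNKNOWN value parse_aggregation can return is never stored into localAggregation or remoteAggregation.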
@@ -448,7 +460,7 @@
attrset(A_NORMAL);
mvprintw(0, 0, "run XXX:XX:XX device
XXXXXXXXXX pkt[f]ilter: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX");
- mvprintw(1, 0, "[c]ntfilter: XXX
[b]ps=XXXXXXX [l]ocal aggr.: XXXX [r]emote aggr.: XXXX ");
+ mvprintw(1, 0, "[c]ntfilter: XXX
[b]ps=XXXXXXX [l]ocal aggr.: XXXXXXXXX [r]emote
aggr.:XXXXXXXXX");
#if HAVE_PCAP_FINDALLDEVS
if (devices_count>1) {
mvprintw(2, 10, "[0]-[9] switch
device");
@@ -505,8 +517,8 @@
mvprintw(0, 45, "%-29.29s",
activeBPFFilterName?activeBPFFilterName:"none");
mvprintw(1, 13, "%s", onoffContentFiltering?"on
":"off");
mvprintw(1, 23, "%s", onoffBitValues?"bits/s
":"bytes/s");
- mvprintw(1, 46, "%s",
NTOP_AGGREGATION[localAggregation]);
- mvprintw(1, 67, "%s",
NTOP_AGGREGATION[remoteAggregation]);
+ mvprintw(1, 46, "%-9s",
NTOP_AGGREGATION[localAggregation]);
+ mvprintw(1, 71, "%-9s",
NTOP_AGGREGATION[remoteAggregation]);
attroff(A_BOLD);
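Review bot: the `%-9s` width and the 46/71 columns are tied to the template string in the previous hunk (the widened line is exactly 80 columns, which is why the space after "aggr.:" was dropped there), and 9 is the length of the longest entry, "host+port"; that all lines up, but a shared define for the two column offsets and the field width would stop a future label change from silently misaligning the status line.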
@@ -763,11 +775,11 @@
break;
case 'l':
markAllAsDead();
-
localAggregation = (localAggregation + 1) % 3;
+
localAggregation = (localAggregation + 1) % 4;
break;
case 'r':
markAllAsDead();
-
remoteAggregation = (remoteAggregation + 1) % 3;
+
remoteAggregation = (remoteAggregation + 1) % 4;
break;
case '0':
case '1':
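Review bot: `(localAggregation + 1) % 4` and the matching `% 4` for remote hard-code the number of modes a second time, the first being the length of NTOP_AGGREGATION together with the AGG_* defines; a single `AGG_COUNT` define in jnettop.h, or `sizeof(NTOP_AGGREGATION)/sizeof(NTOP_AGGREGATION[0])`, used in both key handlers would keep the cycle in step with the names array and rule out indexing it out of bounds when the next mode is added.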
@@ -998,15 +1010,16 @@
}
int parse_aggregation(const char *agg) {
- if (strcmp(agg, "none") && strcmp(agg,"host") &&
strcmp(agg,"port")) {
+ if (strcmp(agg, "none") == 0)
+ return AGG_NONE;
+ else if (strcmp(agg,"host") == 0)
+ return AGG_HOST;
+ else if (strcmp(agg,"port") == 0)
+ return AGG_PORT;
+ else if (strcmp(agg,"host+port") == 0)
+ return AGG_BOTH;
+ else
return AGG_UNKNOWN;
- }
- switch (*agg) {
- case 'n': return AGG_NONE;
- case 'h': return AGG_HOST;
- case 'p': return AGG_PORT;
- }
- return AGG_UNKNOWN;
}
int config_parse_aggregation(GScanner *s) {
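Review bot: `parse_aggregation` now matches the literal "host+port", but the value from ~/.jnettop reaches it through config_parse_aggregation's GScanner, and by default GScanner does not treat '+' as an identifier character, so `local_aggregation host+port` may arrive here as the token "host" alone; confirm the scanner's identifier character sets are configured to accept it before relying on the config-file path, or additionally accept a spelling without '+'. The restructured if/else chain is otherwise clearer than the old prefix-letter switch.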
@@ -1212,14 +1225,14 @@
" -d, --debug filename
write debug information into file\n"
" -f, --config-file name
reads configuration from file. defaults to ~/.jnettop\n"
" -i, --interface name
capture packets on specified interface\n"
- " --local-aggr arg
set local aggregation to none/host/port\n"
+ " --local-aggr arg
set local aggregation to none/host/port/host+port\n"
" -p, --promiscuous
enable promisc mode on the devices\n"
- " --remote-aggr arg
set remote aggregation to none/host/port\n"
+ " --remote-aggr arg
set remote aggregation to none/host/port/host+port\n"
" -s, --select-rule rule
selects one of the rules defined in config file\n"
"
by it's name\n"
" -x, --filter rule
allows for specification of custom filtering rule\n"
"
this follows tcpdump(1) syntax. don't forget to\n"
- "
enclose the filter into quotes when running from shell\n"
+ "
enclose the filter in quotes when running from shell\n"
"\n"
"Report bugs to <j@kubs.cz>\n");
exit(0);
--- jnettop-0.9.orig/jnettop.h
+++ jnettop-0.9/jnettop.h
@@ -160,4 +160,5 @@
#define AGG_NONE 0
#define AGG_PORT 1
#define AGG_HOST 2
+#define AGG_BOTH 3
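Review bot: `#define AGG_BOTH 3` is added after AGG_HOST, but AGG_UNKNOWN, which parse_aggregation returns, is defined outside this hunk; confirm its value does not collide with 3 now that 3 is a real mode, and consider adding the count define suggested for the key-handler hunk here next to the mode values.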
--end of patch--