#25 Flag to disable sniffing for DNS names to avoid aliases show



Would it be possible to implement this using a runtime control flag on the ntop.exe?

Please add it to the wishlist. Unfortunately I’m not a good enough C programmer to arrange a patch…

Best regards

// Roger


From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Burton Strauss III
Sent: 17 December 2006 17:26
To: ntop@unipi.it
Subject: RE: [Ntop] (no subject)


ntop uses the standard gethostbyname() C library calls, which get translated into the DNS query. Whatever the DNS returns is what we use – first name for the IP. So if six names resolve to the same IP/MAC address, whichever we see first is what we use.

You could try preloading the cache (it’s a gdbm database) with the resolutions you want (or you might use a hosts file), but that may not work: We use sniffing of other people’s DNS queries to reduce the number we actually make (they are async, naturally and so nasty from a real time perspective).

I suppose you could turn off sniffing (and possibly caching), by adding a control flag. That discussion belongs over in ntop-dev. And could be a big performance hit, especially during ntop’s first few minutes (which is when it learns most common names).



From: ntop-bounces@unipi.it [mailto:ntop-bounces@unipi.it] On Behalf Of Lindholm Roger
Sent: Friday, December 15, 2006 3:36 AM
To: ntop@listgateway.unipi.it
Subject: [Ntop] (no subject)


On my network we use DNS CNAME-aliases to access most services. I have problems with Ntop showing traffic as belonging to the aliases instead of the real computer name. Is there any way to force Ntop to always do a DNS reverse lookup and thereby get the real computer name, instead of listening on the conversation for names?

In a typical Windows Active Directory environment DNS is used to translate things like which are the domain controllers for a domain etc. This means that when Ntop listens to these kinds of requests it will cache the domains’ name address instead of the computer name for the IP address captured. So this is an issue even if not using aliases.

I currently run 3.2.6 on Windows 2003.

Best regards

Roger Lindholm
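
The aliasing described in this thread, as an added example that is not from the thread or from ntop's code: it parses one constructed DNS response containing a CNAME and shows that a passive sniffer keyed on the name the client asked for records the alias, while the owner of the A record is the canonical host name. The host names, address and packet are constructed, and how ntop itself chooses the name is an assumption not shown on this page.

```python
import socket, struct

def enc(name):  # encode a name as uncompressed DNS labels
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"

def read_name(msg, off):
    """Decode the name at off, following compression pointers -> (name, next_off)."""
    labels, nxt, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # 2-byte compression pointer
            nxt = off + 2 if nxt is None else nxt
            off = ((n & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                    # refuse pointer loops in hostile packets
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if nxt is None else nxt)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n

def names_for_ips(msg):
    """Map each A-record address to (name the client asked for, A-record owner)."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, asked = 12, None
    for _ in range(qd):
        asked, off = read_name(msg, off)
        off += 4                             # skip QTYPE and QCLASS
    found = {}
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            found[socket.inet_ntoa(msg[off:off + 4])] = (asked, owner)
        off += rdlen
    return found

def rr(owner, rtype, rdata):  # build one resource record, class IN, TTL 300
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed response: intranet.example.test is a CNAME for srv01.example.test.
SAMPLE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
          + enc("intranet.example.test") + struct.pack("!HH", 1, 1)
          + rr(b"\xc0\x0c", 5, enc("srv01.example.test"))   # owner = pointer to question
          + rr(enc("srv01.example.test"), 1, socket.inet_aton("192.0.2.10")))

if __name__ == "__main__":
    for ip, (asked, owner) in names_for_ips(SAMPLE).items():
        print(f"{ip}: asked-for name {asked!r}, A-record owner {owner!r}")
```

The A-record owner comes from forward DNS data, so it can still differ from what a reverse (PTR) lookup of the same address returns.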

