Ntop monitoring - Hosts visible with no SPAN/mirroring
Posted by Cory J on Server Fault
Published on 2010-03-05T23:51:54Z
Indexed on 2010/03/08 4:38 UTC
I am attempting to use ntop to monitor traffic over a Cisco Catalyst switch. I was assuming that in order to see any of the traffic, I'd have to use monitor, as described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml.
However, before I did anything on the switch, I simply plugged my ntop server in and fired up ntop. To my surprise, I instantly see 3+ pages of hosts, and thousands of packets. How is ntop seeing this?
I have verified that no monitoring exists on the switch (run as en):
cs1.pvdc#show monitor
No SPAN configuration is present in the system.
My ntop server is Ubuntu 8.04, I haven't done ANY configuration, I just installed the ntop package. This is also a fresh Ubuntu install.
Is there anything else on my switch besides "monitor" that might cause my switch to mirror all its traffic like this? I've tried plugging ntop into different ports with the same results.
UPDATE: It appears to be more than just broadcast traffic showing up in ntop; for example, I can see when my IPs have talked to the DNS server or generated HTTP traffic. If my switch is misconfigured, can anyone point me in the right direction towards rectifying this? Not a Cisco expert.