jeff on 1 Apr 2009 11:26:15 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[PLUG] ntop cool

Through all the playing around I've done with network monitoring, I 
never tried ntop.  I read an article on it and thought it might be an 
interesting idea.

I got it working but it's of limited use on a switched network.  I hate 
that.  The results were cool enough to want to see them for the whole 
network so I put on my spelunking helmet and navigated the dark caverns 
of switch documentation, in search of how to mirror ports.

A well-meaning coworker said that it would probably just be on the 
switch's http page.  And it was, if I wanted to mirror a port on a 
Netgear switch.  Unfortunately the one I wanted to mirror was on a ....

[insert dramatic music]

CISCO switch.

At this point my helmet with 15 element high intensity LEDs felt 
strangely inadequate.  I began to shake uncontrollably.  My coworkers 
asked about the near silent sobs.

Cisco has a graphical assistant that will help.
Now where is it?

I have no idea.  I have the attention span of a pregnant gnat.

Screw it - off to, where they have it.
And they want you to log in.  Simply spending thousands of dollars on a 
switch is not sufficient: you have to LOG IN too.

What I didn't realize was that I had outsmarted myself by putting the 
client in the CISCO folder of our utilities drive.  Of course I didn't 
realize it- I wasn't smart enough.

The HEAVY CLIENT installed and there I was, looking at it, with no 
apparent selection for what I wanted to do.  I looked up MIRRORING and 
found nothing.  I looked up all sorts of things and found nothing.  I 
finally Google'd it and realized why I couldn't find it: we work in the 
MIS Tower of Babble, wherein no two functions on different brands are 
named the same thing.

If you're using a Netgear switch, you need to MIRROR ports.
If you're using a Cisco switch, you need to SPAN ports.
If you're using a 3com switch, it's just called BARBARA.

Very shortly manufacturers will begin ensuring that NO parts share 
common names.  If you're looking at a port...

on Netgear, it's called a PORT.
on Cisco, it's called an INDIVIDUAL ETHERNET OUTLET.
on 3com, it's called a HERRING.

Going back to the Cisco Heavy Client, I looked up SPANNING, which 
provided damn near sixty percent of the answer.  I understand that after 
this version of help came out it was immediately recalled because Cisco 
thought that providing sixty percent of an answer was giving away the farm.

I can just hear those of you with Cisco certs saying that Cisco merely 
wants to make certain I *really* want to accomplish something.  If I'm 
truly serious, I'll go to the trouble of learning how to do it at the CLI.

Oddly enough, any search result I clicked on provided 100% of the answer 
(so long as the link wasn't to  I even found out that you 
can mirror/span more than one port.  My only problem was whether or not 
my egress needed to be forwarded, encrypted, or put on a VLAN and hung 
out like laundry for everyone to see.  I took a random guess and alerted 
my coworkers to be on the lookout for internet outages (yes, that was 
the port I was mirroring/spanning/barbara).

For some reason I still don't understand, it worked.  The great thing 
about Egress Guessing is that it MUST be the right answer, as there are 
results.  If I saw no ntop activity, I'd know I made the wrong Egress Guess.

It's shooting out results faster than Obama shoots out trillion-dollar 
handout packages.  I'm waiting for the Big Test, which is when people 
start downloading Beyonce videos en-masse.  Or when April Autism kicks 
in and everybody starts streaming the badminton playoff videos.

The most baffling thing is ntop's steadfast refusal to *stop* working 
for no apparent reason.  This always leaves me waiting for the other 
herring to drop.

ThermionicEmissions  -  the blog
Philadelphia Linux Users Group         --
Announcements -
General Discussion  --