Simone,

I found the problem: If you don't use the = sign on the filter parameter line, 
it doesn't see it.

Doesn't work -> --packet-filter "ip and not proto ipv6 and not ether host 
ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host 
192.168.2.227"

Works -> --packet-filter="ip and not proto ipv6 and not ether host 
ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host 
192.168.2.227"

Also, if I have eth0 and tcp://127.0.0.1:5556 as my NIC, it doesn't work. Here is 
the output:

/usr/bin/ntopng /etc/ntopng/ntopng.conf
13/Jan/2017 15:20:15 [Prefs.cpp:715] Localhost HTTP user login disabled
13/Jan/2017 15:20:15 [Ntop.cpp:1121] Setting local networks to 192.168.2.0/24
13/Jan/2017 15:20:15 [Redis.cpp:92] Successfully connected to redis 
127.0.0.1:6379@0
[NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it with new 
value
[NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it with new 
value
13/Jan/2017 15:20:15 [PcapInterface.cpp:85] Reading packets from interface 
eth0...
13/Jan/2017 15:20:15 [PcapInterface.cpp:254] Packet capture filter on eth0 set 
to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net 
(224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.227"
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
[NDPI] addDefaultPort(): found duplicate for port 5061: overwriting it with new 
value
[NDPI] addDefaultPort(): found duplicate for port 3001: overwriting it with new 
value
13/Jan/2017 15:20:15 [CollectorInterface.cpp:226] ERROR: No filter can be set 
on a collector interface. Ignored ip and not proto ipv6 and not ether host 
ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 239.0.0.0/8) and not host 
192.168.2.227
13/Jan/2017 15:20:15 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 
[id: 1]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
13/Jan/2017 15:20:15 [Ntop.cpp:1279] Registered interface view 
tcp://127.0.0.1:5556 [id: 1]
13/Jan/2017 15:20:15 [main.cpp:255] PID stored in file 
/var/run/ntopng/ntopng.pid
13/Jan/2017 15:20:15 [Utils.cpp:341] User changed to ntopng
13/Jan/2017 15:20:15 [HTTPserver.cpp:509] Web server dirs 
[/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
13/Jan/2017 15:20:15 [HTTPserver.cpp:515] HTTPS server listening on port 3001
13/Jan/2017 15:20:15 [main.cpp:295] Working directory: /var/lib/nst/ntopng
13/Jan/2017 15:20:15 [main.cpp:297] Scripts/HTML pages directory: 
/usr/share/ntopng
13/Jan/2017 15:20:15 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019 - (C) 
1998-2016 ntop.org
13/Jan/2017 15:20:15 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
13/Jan/2017 15:20:15 [PeriodicActivities.cpp:53] Started periodic activities 
loop...
13/Jan/2017 15:20:15 [RuntimePrefs.cpp:34] Dumping alerts into syslog
13/Jan/2017 15:20:15 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local network 
for eth0
13/Jan/2017 15:20:15 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as IPv6 
local network for eth0
13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on 
interface eth0 [id: 0]...
13/Jan/2017 15:20:15 [NetworkInterface.cpp:1538] Started packet polling on 
interface tcp://127.0.0.1:5556 [id: 1]...
13/Jan/2017 15:20:15 [CollectorInterface.cpp:104] Collecting flows on 
tcp://127.0.0.1:5556 [ntopng->nprobe]
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1058] Invalid packet received [len: 
2934][MTU: 1518].
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO 
enabled, please disable it
13/Jan/2017 15:20:16 [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K 
eth0 gro off gso off tso off
13/Jan/2017 15:21:05 [main.cpp:37] Shutting down...
13/Jan/2017 15:21:05 [Redis.cpp:60] Redis has disconnected: reconnecting...
Killed

Gerhard,
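
An added example, not part of the original messages and not ntopng code: a startup check that combines the two observations above, flagging a `--packet-filter` line written without `=` and confirming from the log that the filter was actually applied on each registered interface. The function names are hypothetical, the message formats are taken from the logs quoted in this thread, and it assumes one log entry per line (not wrapped as in the mail).

```python
import re

# Message formats below are copied from the ntopng 2.4 startup logs quoted in this thread.
APPLIED = re.compile(r'Packet capture filter on (\S+) set to "([^"]*)"')
REGISTERED = re.compile(r'Registered interface (\S+) \[id: \d+\]')
# Failing form reported in the thread: option name, whitespace, value (no '=').
NO_EQUALS = re.compile(r'^--packet-filter\s+(?![\s=])')
WITH_EQUALS = re.compile(r'^--packet-filter\s*=\s*"?([^"]*)"?\s*$')

def lint_config(conf_text):
    """Return (filter configured with '=', or None; list of warnings)."""
    wanted, warnings = None, []
    for n, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if NO_EQUALS.match(line):
            warnings.append(f"line {n}: --packet-filter without '='")
        m = WITH_EQUALS.match(line)
        if m:
            wanted = m.group(1)
    return wanted, warnings

def audit_startup(conf_text, log_text):
    """List every way the running capture differs from the intended filter."""
    wanted, findings = lint_config(conf_text)
    applied = dict(APPLIED.findall(log_text))
    for iface in REGISTERED.findall(log_text):
        if iface.startswith("tcp://"):
            # The thread's log: "No filter can be set on a collector interface."
            findings.append(f"{iface}: collector interface, filter not applied")
        elif iface not in applied:
            findings.append(f"{iface}: no filter confirmation in log")
        elif wanted is not None and applied[iface] != wanted:
            findings.append(f"{iface}: applied filter differs from config")
    return findings

# Constructed samples (shortened filter, one log entry per line).
BAD_CONF = '--interface tcp://127.0.0.1:5556\n--packet-filter "not host 10.0.0.39"\n'
BAD_LOG = ('09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 [id: 1]\n'
           '09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view tcp://127.0.0.1:5556 [id: 1]\n')
GOOD_CONF = '-i=eth0\n--packet-filter="not host 10.0.0.39"\n'
GOOD_LOG = ('13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on eth0 set to "not host 10.0.0.39"\n'
            '13/Jan/2017 21:00:01 [Ntop.cpp:1267] Registered interface eth0 [id: 0]\n')

if __name__ == "__main__":
    for name, conf, log in (("bad", BAD_CONF, BAD_LOG), ("good", GOOD_CONF, GOOD_LOG)):
        print(name, audit_startup(conf, log) or "filter confirmed on all interfaces")
```

An empty result means every registered interface logged the same filter the configuration asked for; anything else means a host meant to be excluded may still appear in the monitored data.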

On Jan 13, 2017, at 3:00 PM, Simone Mainardi <[email protected]> wrote:

Gerhard, both.

Even if I put the filter in a conf file it works:

deri@centos6 203> cat /tmp/test.conf
-i=eth0
--packet-filter="ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and 
not net (224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"
--community=

deri@centos6 204> sudo /usr/local/bin/ntopng /tmp/test.conf
13/Jan/2017 21:00:00 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
13/Jan/2017 21:00:00 [Redis.cpp:92] Successfully connected to redis 
127.0.0.1:6379@0
13/Jan/2017 21:00:01 [PcapInterface.cpp:85] Reading packets from interface 
eth0...
13/Jan/2017 21:00:01 [PcapInterface.cpp:254] Packet capture filter on eth0 set 
to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net 
(224.0.0.0/8 or 239.0.0.0/8) and not host 192.168.2.109"




On Thu, Jan 12, 2017 at 2:08 PM, Gerhard Mourani <[email protected]> wrote:
Simone,

Did you run ntopng with the filter directly from the command line or via the 
configuration file? I think the problem happens when the filter is in the 
configuration file and you run ntopng to read it in this file.

Gerhard,


On Jan 11, 2017, at 5:13 PM, Simone Mainardi <[email protected]> wrote:

Gerhard,

I've just tried to reproduce on centos6. The filter is working properly. I also 
tried to exclude the ntopng host and it works. So the only additional 
suggestion I have is to try and update ntopng to the latest stable.

Regards

On Tue, Jan 10, 2017 at 10:23 PM, Gerhard Mourani <[email protected]> wrote:
> The point here is that the filter doesn't contain any clause that matches 
> host 10.0.0.39 ...
Because I've changed 10.0.0.39 for 192.168.2.227 for the test.

Here is the one in prod with 10.0.0.39:

[root@ntpprod ~]# /usr/bin/ntopng -i eth3 --packet-filter="ip and not proto 
ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 
239.0.0.0/8) and not host 10.0.0.39"
10/Jan/2017 16:22:02 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
10/Jan/2017 16:22:02 [Redis.cpp:92] Successfully connected to redis 
127.0.0.1:6379@0
10/Jan/2017 16:22:02 [PcapInterface.cpp:85] Reading packets from interface 
eth3...
10/Jan/2017 16:22:02 [PcapInterface.cpp:254] Packet capture filter on eth3 set 
to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net 
(224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
10/Jan/2017 16:22:02 [Ntop.cpp:1267] Registered interface eth3 [id: 2]
10/Jan/2017 16:22:02 [Ntop.cpp:1279] Registered interface view eth3 [id: 2]
10/Jan/2017 16:22:02 [main.cpp:255] PID stored in file /var/run/ntopng.pid
10/Jan/2017 16:22:02 [Utils.cpp:341] User changed to nobody
10/Jan/2017 16:22:02 [HTTPserver.cpp:466] Please read 
https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable 
SSL.
10/Jan/2017 16:22:02 [HTTPserver.cpp:509] Web server dirs 
[/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
10/Jan/2017 16:22:02 [HTTPserver.cpp:512] HTTP server listening on port 3000
10/Jan/2017 16:22:02 [main.cpp:295] Working directory: /var/tmp/ntopng
10/Jan/2017 16:22:02 [main.cpp:297] Scripts/HTML pages directory: 
/usr/share/ntopng
10/Jan/2017 16:22:02 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013 - (C) 
1998-2016 ntop.org
10/Jan/2017 16:22:02 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
10/Jan/2017 16:22:02 [PeriodicActivities.cpp:53] Started periodic activities 
loop...
10/Jan/2017 16:22:02 [RuntimePrefs.cpp:34] Dumping alerts into syslog
10/Jan/2017 16:22:02 [Ntop.cpp:531] Adding 169.254.0.0/16 as IPv4 local network 
for eth3
10/Jan/2017 16:22:02 [Ntop.cpp:561] Adding fe80::250:56ff:fe90:7661/64 as IPv6 
local network for eth3
10/Jan/2017 16:22:02 [NetworkInterface.cpp:1538] Started packet polling on 
interface eth3 [id: 2]...

Gerhard,

On Jan 10, 2017, at 4:17 PM, Simone Mainardi <[email protected]> wrote:

Gerhard,


On Tue, Jan 10, 2017 at 10:13 PM, Gerhard Mourani <[email protected]> wrote:
Simone,

Here it is when launched from the command line:

[root@ntptest plugins]# /usr/bin/ntopng -i eth0 --packet-filter="ip and not 
proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net (224.0.0.0/8 or 
239.0.0.0/8) and not host (192.168.2.227)"

OK, so the filter is properly parsed. I went back through this thread and found 
that you complained that

> "The issue is that even if 10.0.0.39 is filtered to be excluded, it appears 
> in the view of top hosts.,"

The point here is that the filter doesn't contain any clause that matches host 
10.0.0.39 ...

10/Jan/2017 16:10:46 [Ntop.cpp:1121] Setting local networks to 127.0.0.0/8
10/Jan/2017 16:10:46 [Redis.cpp:92] Successfully connected to redis 
127.0.0.1:6379@0
10/Jan/2017 16:10:46 [PcapInterface.cpp:85] Reading packets from interface 
eth0...
10/Jan/2017 16:10:46 [PcapInterface.cpp:254] Packet capture filter on eth0 set 
to "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and not net 
(224.0.0.0/8 or 239.0.0.0/8) and not host (192.168.2.227)"
10/Jan/2017 16:10:46 [Ntop.cpp:1267] Registered interface eth0 [id: 0]
10/Jan/2017 16:10:46 [Ntop.cpp:1279] Registered interface view eth0 [id: 0]
10/Jan/2017 16:10:46 [main.cpp:255] PID stored in file /var/run/ntopng.pid
10/Jan/2017 16:10:46 [Utils.cpp:341] User changed to nobody
10/Jan/2017 16:10:46 [HTTPserver.cpp:466] Please read 
https://github.com/ntop/ntopng/blob/dev/doc/README.SSL if you want to enable 
SSL.
10/Jan/2017 16:10:46 [HTTPserver.cpp:509] Web server dirs 
[/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
10/Jan/2017 16:10:46 [HTTPserver.cpp:512] HTTP server listening on port 3000
10/Jan/2017 16:10:46 [main.cpp:295] Working directory: /var/tmp/ntopng
10/Jan/2017 16:10:46 [main.cpp:297] Scripts/HTML pages directory: 
/usr/share/ntopng
10/Jan/2017 16:10:46 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161019 - (C) 
1998-2016 ntop.org
10/Jan/2017 16:10:46 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
10/Jan/2017 16:10:46 [PeriodicActivities.cpp:53] Started periodic activities 
loop...
10/Jan/2017 16:10:46 [RuntimePrefs.cpp:34] Dumping alerts into syslog
10/Jan/2017 16:10:46 [Ntop.cpp:531] Adding 192.168.2.0/24 as IPv4 local network 
for eth0
10/Jan/2017 16:10:46 [Ntop.cpp:561] Adding fe80::20c:29ff:fe83:c98e/64 as IPv6 
local network for eth0
10/Jan/2017 16:10:46 [NetworkInterface.cpp:1538] Started packet polling on 
interface eth0 [id: 0]...
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1058] Invalid packet received [len: 
1804][MTU: 1518].
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1059] WARNING: If you have TSO/GRO 
enabled, please disable it
10/Jan/2017 16:10:53 [NetworkInterface.cpp:1061] WARNING: Use: sudo ethtool -K 
eth0 gro off gso off tso off

It seems that the filter passed, but I can still see IP 192.168.2.227 on my list!

Gerhard,


On Jan 10, 2017, at 4:04 PM, Simone Mainardi <[email protected]> wrote:

Gerhard,

From the logs I can't see anything that confirms ntopng has read/parsed the bpf 
filter specified. It looks like the filter is ignored. I am not sure those logs 
contain the full output, though.

Can you please run ntopng in foreground and paste the output? Simply call 
/usr/local/bin/ntopng /etc/ntopng/ntopng.conf

Regards,
Simone

On Mon, Jan 9, 2017 at 8:46 PM, Gerhard Mourani <[email protected]> wrote:
Configuration:
--interface tcp://127.0.0.1:5556
--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and 
not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"
--local-networks 10.0.0.0/24,192.168.2.0/24
--daemon
--user ntopng
--pid /var/run/ntopng/ntopng.pid
--http-port 0
--https-port 3001
--data-dir /var/lib/nst/ntopng
--dns-mode 1
--disable-autologout
--disable-login 0
--sticky-hosts none
--http-prefix /ntopng
--ndpi-protocols /etc/ntopng/protos.txt

Log file:
09/Jan/2017 14:43:49 [Ntop.cpp:1121] Setting local networks to 
10.0.0.0/24,192.168.2.0/24
09/Jan/2017 14:43:49 [Redis.cpp:92] Successfully connected to redis 
127.0.0.1:6379@0
09/Jan/2017 14:43:49 [Ntop.cpp:1095] Parent process is exiting (this is normal)
09/Jan/2017 14:43:49 [Ntop.cpp:1267] Registered interface tcp://127.0.0.1:5556 
[id: 1]
09/Jan/2017 14:43:49 [Ntop.cpp:1279] Registered interface view 
tcp://127.0.0.1:5556 [id: 1]
09/Jan/2017 14:43:49 [main.cpp:255] PID stored in file 
/var/run/ntopng/ntopng.pid
09/Jan/2017 14:43:49 [Utils.cpp:341] User changed to ntopng
09/Jan/2017 14:43:49 [HTTPserver.cpp:509] Web server dirs 
[/usr/share/ntopng/httpdocs][/usr/share/ntopng/scripts]
09/Jan/2017 14:43:49 [HTTPserver.cpp:515] HTTPS server listening on port 3001
09/Jan/2017 14:43:49 [main.cpp:295] Working directory: /var/lib/nst/ntopng
09/Jan/2017 14:43:49 [main.cpp:297] Scripts/HTML pages directory: 
/usr/share/ntopng
09/Jan/2017 14:43:49 [Ntop.cpp:271] Welcome to ntopng x86_64 v.2.4.161013 - (C) 
1998-2016 ntop.org
09/Jan/2017 14:43:49 [Ntop.cpp:276] Built on CentOS release 6.8 (Final)
09/Jan/2017 14:43:49 [PeriodicActivities.cpp:53] Started periodic activities 
loop...
09/Jan/2017 14:43:49 [RuntimePrefs.cpp:34] Dumping alerts into syslog
09/Jan/2017 14:43:49 [NetworkInterface.cpp:1538] Started packet polling on 
interface tcp://127.0.0.1:5556 [id: 1]...
09/Jan/2017 14:43:50 [CollectorInterface.cpp:104] Collecting flows on 
tcp://127.0.0.1:5556 [ntopng->nprobe]

Gerhard,

On Jan 9, 2017, at 11:26 AM, Simone Mainardi <[email protected]> wrote:

Gerhard, please attach the configuration used and the full ntopng console 
output (or log file).

On Mon, Jan 9, 2017 at 2:24 PM, Gerhard Mourani <[email protected]> wrote:
Simone,

The issue is that even if 10.0.0.39 is filtered to be excluded, it appears in 
the view of top hosts. Also, the IP 0.0.0.0 appears and I don't have any idea 
about what it is?


On Jan 8, 2017, at 5:36 AM, Simone Mainardi <[email protected]> wrote:

Gerhard,

The filter is correct and properly parsed by ntopng. So what is the issue you 
are experiencing?

Simone

On Thu, Jan 5, 2017 at 7:58 PM, Gerhard Mourani <[email protected]> wrote:
This doesn't work for me, I'm using the following parameters to exclude 
10.0.0.39 which is my ntopng server IP:
--packet-filter "ip and not proto ipv6 and not ether host ff:ff:ff:ff:ff:ff and 
not net (224.0.0.0/8 or 239.0.0.0/8) and not host 10.0.0.39"

Gerhard,

On Jan 5, 2017, at 12:09 PM, [email protected] wrote:

Thank you Simone.

I will try that tomorrow morning.

Much appreciated.



On January 5, 2017 6:40:25 PM GMT+02:00, Simone Mainardi <[email protected]> 
wrote:
Brett, the filter is not complete. If you want to exclude 10.0.50.246
set:

--packet-filter="not host 10.0.50.246"

If you look at the ntopng output you will see if the filter is parsed
correctly.




On Thu, Jan 5, 2017 at 4:05 PM, Brett Stiell (CCIH) <
[email protected]> wrote:

Hi there.



Thanks for getting back to me



This is the contents of my ntopng.start file:-



-G=/var/run/ntopng.pid

--daemon=

--local-networks="10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"

--packet-filter 10.0.50.246

-m "10.0.50.0/25,10.0.50.128/26,10.0.50.193/30"

--track-local-hosts



Regards,



Brett



*From:* Simone Mainardi [mailto:[email protected]]
*Sent:* Thursday, January 05, 2017 3:26 PM
*To:* [email protected]
*Cc:* ntop mailing list
*Subject:* Re: [Ntop] Excluding hosts or a subnet from being
monitored



Hi,



--packet-filter is the proper way to do that. Can you please report the
exact filter you specified? Also check (and paste) ntopng output. ntopng
prints a confirmation message if it has successfully parsed the filter.



Regards

Simone



On Thu, Jan 5, 2017 at 11:14 AM, Brett Stiell (CCIH) <
[email protected]> wrote:

Hi.



Is there any way to exclude a subnet or a range of hosts from being
monitored and appearing on the dashboard etc.



Our servers are in a specific IP range and I am not interested in
receiving their usage data.



I tried -B and --packet-filter and “not” but they don’t seem to work.



Thanks


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop



