December 8th, 2004, 08:21 AM
OS detection in NTop
I've recently put up a linux box running ntop on our college-to-university uplink and had a few questions to ask.
1) How does the OS detection work in Ntop? I've got one remote machine [located on the university network] sending significant amounts of data to various machines on our college network. Ntop shows this machine as running NetBSD, whereas nmap shows it's a Windows box. [nmap is probably right, as the protocol for transferring data is NetBIOS over IP].
2) The college-university uplink is a Gigabit link, but the utilization hardly ever exceeds 8-10MBps. Hence, I connected a machine with a 10/100 NIC to the port mirroring the uplink. The ntop page shows a 3.2% packet loss by libpcap, with 0% packet loss by ntop. I was hoping someone could explain the significance of that.
P.S: The machine sending large amounts of data to various machines on our network --- students copying movies from one place to another... I wonder what the rules are about that at other colleges/universities.
December 8th, 2004, 10:45 PM
Though I haven't used it, I believe that ntop is a passive observer, and only collects information as it passes by on its own. Nmap, however, will actively go out and do queries to find the information, and process how the computer replies. Because of that, Nmap is more reliable. If I'm wrong, Nmap is still generally more reliable, because it's been tested out the wazoo.
Ntop is based off of libpcap... are you running both, and if so, from where in relation to each other?
Most universities, BTW, strictly forbid running any sort of server behind the firewall, including file sharing programs that run only on the school's server, and furthermore specifically rule out the illegal sharing of movies, music, and games. It is rarely enforced, but it's such a big deal these days that a large college or university simply can't afford to not forbid it.
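To illustrate the passive-versus-active distinction discussed in this thread, here is an added example (not code from ntop, p0f or either poster) of how a passive sniffer guesses an OS from a TCP SYN it happens to see: it reads the IP TTL, the don't-fragment bit, the TCP window size and the order of TCP options, rounds the TTL up to a plausible initial value, and compares the tuple against a signature table. Everything below is constructed for the example: the three signatures are hand-made stand-ins, not ntop's real signature file, and the packet builder exists only so the example runs offline. The point it shows is why a passive guess can disagree with nmap: the match is only as good as the signature table, and a host whose SYN happens to match the wrong entry (or none) is mislabelled, with no probe sent to check.

```python
"""Passive OS fingerprinting from a TCP SYN (illustrative, not ntop's own code)."""
import struct

# Constructed signature table: (initial TTL, window, DF set, TCP option order).
# These values are stand-ins for the example, NOT a real fingerprint database.
SIGNATURES = [
    {"name": "Windows 2000/XP", "ttl": 128, "win": 64240, "df": True,
     "opts": ("mss", "nop", "nop", "sackOK")},
    {"name": "Linux 2.4/2.6", "ttl": 64, "win": 5840, "df": True,
     "opts": ("mss", "sackOK", "ts", "nop", "wscale")},
    {"name": "NetBSD", "ttl": 64, "win": 16384, "df": False,
     "opts": ("mss", "nop", "wscale", "nop", "nop", "ts")},
]

OPT_NAMES = {2: "mss", 3: "wscale", 4: "sackOK", 8: "ts"}   # TCP option kinds (RFC 793/1323/2018)


def parse_tcp_options(raw):
    """Return the TCP option kinds in wire order; stops at EOL, rejects truncated options."""
    names, i = [], 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                      # EOL: padding follows
            break
        if kind == 1:                      # NOP has no length byte
            names.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated TCP option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad TCP option length")
        names.append(OPT_NAMES.get(kind, "opt%d" % kind))
        i += length
    return tuple(names)


def parse_ipv4_tcp(pkt):
    """Extract fingerprint fields from a raw IPv4+TCP packet (no link-layer header)."""
    ver_ihl, _tos, _len, _id, flags_frag, ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:]
    _sp, _dp, _seq, _ack, off_flags, win, _tc, _urg = struct.unpack("!HHIIHHHH", tcp[:20])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x1FF
    return {"ttl": ttl, "df": bool(flags_frag & 0x4000), "win": win,
            "syn_only": flags == 0x002, "opts": parse_tcp_options(tcp[20:data_off])}


def initial_ttl(observed):
    """Round an observed TTL up to the nearest common initial value (hops decrement it)."""
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    return 255


def fingerprint(pkt):
    """Return the signature name matching this SYN, or 'unknown' / 'not a SYN'."""
    f = parse_ipv4_tcp(pkt)
    if not f["syn_only"]:                  # only the SYN carries the stack's defaults
        return "not a SYN"
    for sig in SIGNATURES:
        if (sig["ttl"] == initial_ttl(f["ttl"]) and sig["win"] == f["win"]
                and sig["df"] == f["df"] and sig["opts"] == f["opts"]):
            return sig["name"]
    return "unknown"


# Packet builder used only to construct sample input for the example.
OPT_ENCODERS = {"nop": b"\x01", "mss": b"\x02\x04\x05\xb4", "wscale": b"\x03\x03\x00",
                "sackOK": b"\x04\x02", "ts": b"\x08\x0a" + b"\x00" * 8}


def build_syn(ttl, win, df, opts):
    """Build a minimal IPv4/TCP SYN (checksums left zero; fine for parsing)."""
    optbytes = b"".join(OPT_ENCODERS[o] for o in opts)
    optbytes += b"\x00" * (-len(optbytes) % 4)          # pad to a 32-bit boundary
    data_off = 20 + len(optbytes)
    tcp = struct.pack("!HHIIHHHH", 40000, 445, 1, 0,
                      ((data_off // 4) << 12) | 0x002, win, 0, 0) + optbytes
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1,
                     0x4000 if df else 0, ttl, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp


if __name__ == "__main__":
    # A SYN seen 12 hops from a host with initial TTL 128.
    print(fingerprint(build_syn(116, 64240, True, ("mss", "nop", "nop", "sackOK"))))
    # Same stack with a non-default window: the table has no entry, so no guess.
    print(fingerprint(build_syn(116, 65535, True, ("mss", "nop", "nop", "sackOK"))))
```

Two things follow from this for the question in the thread. Only the SYN is fingerprinted; the bulk NetBIOS data segments the poster is seeing carry negotiated window sizes and tell a passive tool nothing, so a mirror port that drops packets (the libpcap loss figure) can easily miss the one SYN that mattered. And a host whose TCP defaults have been tuned, or a signature table that is out of date, yields a wrong label with no way for the sniffer to notice, which is the reliability gap the second reply describes.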