ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Questions about IP-identified domain names in ntopng #6650

Closed hdsjahuen closed 2 years ago

hdsjahuen commented 2 years ago

Environment:

What happened:

What did you expect to happen?

How did you reproduce it?

Debug Information:

I would like to ask how the mechanism of IP to domain name conversion works. For example, 112.80.40.76, which is our company's public IP, is displayed as a domain name of someone unknown. image1

The other day we also found a problem that is even more excessive: our company's public IP was displayed as a pornographic site. image2

lucaderi commented 2 years ago

ntopng binds the hostname to the IP (via passive sniffing) when somebody connects to a server. In the current ntopng version (so not yours) we check if the request was successful and then we do the binding, whereas in your version we did the binding all the time. So if you have somebody that is probing your server, what you see is normal. Bottom line: please update. If you enable ClickHouse support, you can figure out why this problem happened.
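The binding behaviour described in the comment above, modelled as an added example (this is not ntopng code and not part of the original thread). The flow records, the documentation-range addresses, the "last name seen wins" table, and the reading of "successful" as an HTTP 2xx/3xx status are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class HttpFlow:
    client_ip: str
    server_ip: str
    host_header: str  # name chosen by the client, so it is untrusted input
    status: int       # HTTP status the server answered with

# Constructed sample flows (RFC 5737 addresses, not taken from the issue).
FLOWS = [
    # A normal visitor asking the server for its real site.
    HttpFlow("198.51.100.7", "203.0.113.10", "www.example.com", 200),
    # A prober sending an unrelated name to the same server: rejected.
    HttpFlow("198.51.100.99", "203.0.113.10", "unrelated-site.example", 404),
    # The same prober against a second local server: rejected as well.
    HttpFlow("198.51.100.99", "203.0.113.20", "unrelated-site.example", 400),
]

def bind_names(flows, require_success):
    """Build {server_ip: hostname} from passively observed requests.

    require_success=False models the older behaviour (bind on every request).
    require_success=True models the newer behaviour (bind only when the
    request succeeded; success is assumed here to mean status 2xx/3xx).
    """
    labels = {}
    for flow in flows:
        if require_success and not (200 <= flow.status < 400):
            continue  # failed request: the server never served that name
        labels[flow.server_ip] = flow.host_header  # simplification: last wins
    return labels

def mislabelled_hosts(flows):
    """Servers whose label exists only because failed requests were bound."""
    always = bind_names(flows, require_success=False)
    checked = bind_names(flows, require_success=True)
    return {ip: name for ip, name in always.items() if checked.get(ip) != name}

if __name__ == "__main__":
    print("bind always   :", bind_names(FLOWS, False))
    print("bind on success:", bind_names(FLOWS, True))
    print("mislabelled   :", mislabelled_hosts(FLOWS))
```

With binding on every request, both local servers end up labelled with the name the prober sent; with the success check, the first keeps its real name and the second gets no label at all.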

hdsjahuen commented 2 years ago

image The version of ntopng is shown in the figure

hdsjahuen commented 2 years ago

Hello, I would like to ask if this version I have is the latest one?

lucaderi commented 2 years ago

Download the latest package from https://packages.ntop.org. The version has the date in the format, so it has to be recent (from late May 2022).

hdsjahuen commented 2 years ago

Hi, I don't think it's a software update problem. Because there are multiple public network segments in the company, with different operators and different regions, it is impossible for each segment to be considered a pornographic site. This image shows the domain name and IP in Historical Flows. This IP starting with 103 is our company's, but the domain name shown is the domain name of the porn site. I don't really think the captured packets will contain these domains. image

This one is now Live Flow, which does not show the IP, only the domain name. But note that it is marked with L after it, which is the local IP. So I think ntopng catching the IP is not the problem, but there is a problem with how the bindings are displayed.

hdsjahuen commented 2 years ago

Hello, I want to know how to solve this problem.

hdsjahuen commented 2 years ago

I would like to ask what the problem is with this IP domain name.