Cisco – Ntop monitoring – Hosts visible with no SPAN/mirroring

Tags: bandwidth, cisco, ntop, packet-analyzer, packet-capture

I am attempting to use ntop to monitor traffic over a Cisco Catalyst switch.
I was assuming that in order to see any of the traffic, I'd have to use monitor, as described here: http://www.cisco.com/en/US/products/hw/switches/ps708/products_tech_note09186a008015c612.shtml.

However, before I did anything on the switch, I simply plugged my ntop server in and fired up ntop. To my surprise, I instantly see 3+ pages of hosts, and thousands of packets. How is ntop seeing this?

I have verified that no monitoring exists on the switch (run as en):

cs1.pvdc#show monitor
  No SPAN configuration is present in the system.

My ntop server is Ubuntu 8.04, I haven't done ANY configuration, I just installed the ntop package. This is also a fresh Ubuntu install.

Is there anything else on my switch besides "monitor" that might cause my switch to mirror all its traffic like this? I've tried plugging ntop into different ports with the same results.

UPDATE: It appears to be more than just broadcast traffic showing up in ntop; for example, I can see when my IPs have talked to the DNS server or generated HTTP traffic. If my switch is misconfigured, can anyone point me in the right direction towards rectifying this? Not a Cisco expert.

Best Answer

What kind of packets are you seeing? In general I've found that a good size network will inevitably have a lot of broadcast chatter, things like NetBIOS announcements and ARP requests. What you shouldn't see is any point to point traffic. Look at the source and destination IP/MAC addresses. If you are seeing specific point to point traffic then there is possibly a configuration problem with your switch.

Also, it would be good to turn spanning-tree port-fast on on each of your access ports of the switch, because this will prevent the mac-address table from getting flushed when a port goes up/down, which is usually the cause of switches flooding packets.

EDIT:

You could try changing the MAC address table aging time:
http://www.cisco.com/en/US/docs/ios/12_3/switch/command/reference/swi_m1.html#wp1085773

The command would be:
mac-address-table aging-time seconds

This would change the time an entry stays in the switch's table, allowing it to remember addresses longer and limit unicast flooding.

The other command to use is the one I mentioned above spanning-tree port-fast. You should enable this on each interface that does not connect to another switch. This will have 2 benefits: First, it will speed up the time it takes to plug in a new computer, Second, it will also keep the switch from flushing the MAC table when it thinks there is a topology change (a feature of spanning tree).
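The check the answer describes, looking at destination MAC addresses to separate normal broadcast/multicast chatter from unicast frames the sensor should never have received, as an added example that is not part of the original thread. The sensor MAC and the sample frames are constructed; a real run would feed it frames decoded from a capture on the ntop box.

```python
"""Classify captured Ethernet frames to tell normal broadcast chatter from
unicast flooding (frames addressed to neither this host nor a group address),
the symptom that points at a switch problem rather than ordinary noise."""
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """Group bit: least-significant bit of the first octet is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 1


def classify(frame: dict, our_mac: str) -> str:
    """Return the traffic class of one frame relative to the capturing NIC."""
    dst = frame["dst_mac"].lower()
    if dst == BROADCAST:
        return "broadcast"
    if is_multicast(dst):
        return "multicast"
    if dst == our_mac.lower():
        return "unicast-to-us"
    # Unicast for someone else reached our port: flooded by the switch.
    return "flooded-unicast"


def summarize(frames, our_mac):
    """Count frames per class and collect the flooded conversations seen."""
    counts = Counter()
    flooded = set()
    for f in frames:
        kind = classify(f, our_mac)
        counts[kind] += 1
        if kind == "flooded-unicast":
            flooded.add((f["src_ip"], f["dst_ip"], f["proto"]))
    return counts, sorted(flooded)


OUR_MAC = "00:11:22:33:44:55"  # constructed: the ntop sensor's NIC

# Constructed sample capture: two broadcasts, one multicast, one frame for us,
# and two unicast frames between other hosts (DNS and HTTP) that were flooded.
SAMPLE_FRAMES = [
    {"dst_mac": BROADCAST, "src_mac": "00:aa:00:00:00:01", "src_ip": "10.0.0.11", "dst_ip": "10.0.0.255", "proto": "NBNS"},
    {"dst_mac": BROADCAST, "src_mac": "00:aa:00:00:00:02", "src_ip": "10.0.0.12", "dst_ip": "10.0.0.1", "proto": "ARP"},
    {"dst_mac": "01:00:5e:00:00:fb", "src_mac": "00:aa:00:00:00:02", "src_ip": "10.0.0.12", "dst_ip": "224.0.0.251", "proto": "mDNS"},
    {"dst_mac": OUR_MAC, "src_mac": "00:aa:00:00:00:01", "src_ip": "10.0.0.11", "dst_ip": "10.0.0.50", "proto": "ICMP"},
    {"dst_mac": "00:aa:00:00:00:03", "src_mac": "00:aa:00:00:00:01", "src_ip": "10.0.0.11", "dst_ip": "10.0.0.53", "proto": "DNS"},
    {"dst_mac": "00:aa:00:00:00:04", "src_mac": "00:aa:00:00:00:02", "src_ip": "10.0.0.12", "dst_ip": "203.0.113.10", "proto": "HTTP"},
]

if __name__ == "__main__":
    counts, flooded = summarize(SAMPLE_FRAMES, OUR_MAC)
    print(dict(counts))
    for src, dst, proto in flooded:
        print(f"flooded unicast: {src} -> {dst} ({proto})")
```

A non-zero flooded-unicast count on a port with no SPAN session is the evidence the answer asks for; broadcast and multicast alone are expected on any busy segment.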