- 10-16-2008 #1 Just Joined!
- Join Date
- Aug 2008
- Location
- Seattle, WA
- Posts
- 46
ntop recording traffic as FTP
So I have some custom stuff running on some custom ports and I've added them to the ntop protocol.list, but when the client is running, all the traffic is getting categorized as FTP traffic. I'm not sure what's going on because netstat shows the traffic as being on the 49xxx ports, external inspection shows the clients are connecting to the 49xxx ports, but ntop still says it's FTP. iptables is even blocking FTP... Anyone have any thoughts?
Additionally, ntop shows lots of NetBIOS and other random traffic (probably from other clients) but I should be dropping all that at the iptables level. I even have a few custom rules to suppress Windows-related broadcast traffic.
Thanks in advance,
-rb
- 10-18-2008 #2 Just Joined!
OK, so I figured out that the client sends on the 49xxx range, but the clients it's connecting to can use any port. At least ntop is smart enough to realize that large amounts of data transfer deserve to be recorded SOMEWHERE and just clumps it into FTP.
I'm still not sure why I'm picking up so much broadcast traffic (NetBIOS needs to be quiet) / other junk, but I've just clumped it all together under a 'Junk' category for now.
My other issue is making ntop records persistent. It loses its data count every time I stop the daemon, which is irritating if I'm trying to track my own monthly usage. Any ideas on that topic?