NTop

ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the (IP and non-IP) traffic generated by each host. ntop may operate as a front-end collector (sFlow and/or netFlow plugins) or as a stand-alone collector/display program. A web browser is used to access the information captured by the ntop program.

ntop is a hybrid layer 2 / layer 3 network monitor: by default it uses both the layer 2 Media Access Control (MAC) addresses and the layer 3 TCP/IP addresses. ntop is capable of associating the two, so that IP and non-IP traffic (e.g. ARP, RARP) are combined for a complete picture of network activity.

NST is configured with a setup script for running the ntop application. The script /usr/local/bin/setup_ntop creates an ntop runtime environment and sets up a directory structure for the Round Robin Database tool (RRDtool). The NST alias lntop can be used to reference the /usr/local/bin/setup_ntop script.

The following caption displays the documentation usage for the /usr/local/bin/setup_ntop script:

[root@probe root]# /usr/local/bin/setup_ntop -h

Usage: setup_ntop [-s] [-i <interface>] [-rd <RAM device>]
                  [-rds <RAM disk size (MB)>] [-rmp <RAM mount point>]
                  [-rdir <runtime directory>] [-no <ntop_options>] [-v] [-h]

     This script is used to create a runtime execution environment for ntop and
     start the ntop daemon. ntop is a network traffic probe that shows network
     usage and protocol statistics. Accessibility to ntop is via ones Web browser
     at the default SSL port: 3001. The default configuration will create a 64MB
     RAM disk for ntop and its associated Round Robin Database (rrd) at directory
     location: /mnt/ram4/ntop.

     The following are 2 examples on how to get access to the ntop Web
     interface:

     Example 1: Local Access (IP Address "localhost": 127.0.0.1)
              NST probe running a ntop daemon.
              Interface: "Firefox" browser using X Windows or VNC client, or the "elinks"
                         browser using the console or a SSH session.
                    URL: http://127.0.0.1:3001

     Example 2: Remote Access (IP Address of NST Probe running ntop: 192.168.3.24)
              Interface: Any Web browser that suport SSL.
                    URL: https://192.168.3.24:3001

  -s | --stop
     Use this optional parameter to stop an already running ntop daemon. If this
     option is not used and a ntop daemon is already running, this script will
     terminate normally leaving the existing ntop daemon running.

  -i | --interface
     Use this optional parameter to specify the network interface or interfaces to be used
     by ntop for network monitoring. If multiple interfaces are used their names must be
     separated with a comma. For instance -i "eth0,lo,eth2".

  -rd <RAM device> | --ram-device <RAM device>
     Use this optional parameter to change the default RAM device that will be used for this
     instance of ntop and rrd data files. Available RAM device names on NST:
     "/dev/ram0 - /dev/ram9". A cooresponding mount point: "/mnt/ram0 - /mnt/ram9"
     will be automatically selected for the RAM device. One can use the following optional
     parameter: "-rmp <mount point>" to change mount point location for the selected RAM
     device.
     Default: "/dev/ram4"

  -rds <RAM dsk size (MB)> | --ram-disk-size <RAM disk size (MB)>
     Use this optional parameter to change the default RAM disk size in MegaBytes (MB) that
     will be used for ntop and rrd data files.
     Default: "64"
     ** Note: Use a reasonable value and make sure you to not exceed your available system RAM.
              The system memory utility: "free" can be used to help make your determination.

  -rmp <mount point> | --ram-mount-point <mount point>
     Use this optional parameter to change the selected RAM device's: "-rd <RAM device>"
     mount point for ntop and rrd data files.
     Default: "/mnt/ram4"

  -rdir <runtime directory> | --runtime-directory <runtime directory>
     One can use this optional parameter to force the setup script to use an existing
     directory on a locally attached disk drive or a mounted network file system and
     bypass the creation of a RAM disk. To do this, make sure the directory initially
     exists prior to running this script.
     Example:  Mount Point: "/dev/hdc1" mount at: "/probe1" type ext3 (rw)
                 Directory: "/probe1/networkdata"
                       Use: "-rdir /probe1/networkdata" to create the top level
                            runtime directory structure the ntop and rrd data files.
       Directory Structure: ntop  => /probe1/networkdata/ntop
                             rrd  => /probe1/networkdata/ntop/rrd

  -no <ntop_options> | --ntop-option <ntop_options>
     Use this optional parameter to pass options to ntop in the format used by
     ntop(8). This is useful when specifying options for which there is no separate
     "setup_ntop" command-line flag.  For example, set sticky hosts and change the
     default ntop HTTP server port to 4600: -no "-c -w 4600".
     ** Note: Double quotes are necessary when spaces exist between command-line
         flags and values.

  -v | --verbose
     This optional switch will enable verbose output. Without this switch set, minimal
     output from the execution of this script will be displayed.

  -h | --help
     Displays this help information.

This script will also start up an ntop daemon, with user access via an SSL-capable web browser at the default SSL port: 3001. ntop parameters can be set in the /etc/ntop.conf configuration file or passed along to the ntop daemon via the "-no" or "--ntop-option" command-line parameter.

Note

The command-line parameters take precedence over any settings in the ntop configuration file: /etc/ntop.conf

The following example will start up an ntop instance monitoring network traffic on a stealth interface: eth1. An 80 MByte RAM disk associated with device /dev/ram9 will be used for the runtime environment. The ntop parameter "set sticky hosts" ("-c") will be passed along to the ntop daemon. Verbose output from running the setup_ntop script with these parameters is shown in the depiction below.

[root@probe root]# /usr/local/bin/setup_ntop -i eth1 -no "-c" -rd /dev/ram9 -rds 80 -v

*** Creating a 80MByte RAM disk at mount point: "/mnt/ram9"... 1
/root/bin/create_ramdisk -s 80 -d /dev/ram9 -m /mnt/ram9 -v

============================================================
= Creating a 81920KB RAM disk at mount point: /mnt/ram9... =
============================================================

*** Zeroing out RAM device: "/dev/ram9"...
/bin/dd if=/dev/zero of=/dev/ram9 bs=1k count=81920
81920+0 records in
81920+0 records out

*** Creating a 81920KB Linux ext2 file system on RAM device: "/dev/ram9"...
/sbin/mke2fs -vm 0 /dev/ram9 81920
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
20480 inodes, 81920 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
10 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.

*** Mounting RAM disk device: "/dev/ram9" at mount point: "/mnt/ram9"...
/bin/mount -t ext2 /dev/ram9 /mnt/ram9

*** Show all current mounts... 2
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     32705     30756  52% /
none                    192256         0    192256   0% /dev/shm
/dev/cdrom              494976    494976         0 100% /mnt/cdrom
/dev/ram5                31729     20553     11176  65% /mnt/ram5
/dev/ram9                79327        13     79314   1% /mnt/ram9

*** Successfully created a 81920KB RAM Disk: "/dev/ram9" at mount point: "/mnt/ram9"...


*** Starting up ntop... 3
/usr/local/bin/ntop @/etc/ntop.conf -d -i "eth1" -c

   Processing file /etc/ntop.conf for parameters...
Wed Jul 14 20:01:27 2004  ntop v.3.0 SourceForge RPM MT (SSL)
Wed Jul 14 20:01:27 2004  Configured on Mar 21 2004 18:07:20, built on Mar 21 2004 18:08:27.
Wed Jul 14 20:01:27 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Wed Jul 14 20:01:27 2004  Get the freshest ntop from http://www.ntop.org/
Wed Jul 14 20:01:27 2004  Initializing ntop
Wed Jul 14 20:01:30 2004  Checking eth1 for additional devices
Wed Jul 14 20:01:30 2004  Resetting traffic statistics for device eth1
Wed Jul 14 20:01:30 2004  DLT: Device 0 [eth1] is 1, mtu 1514, header 14
Wed Jul 14 20:01:30 2004  Initializing gdbm databases
Wed Jul 14 20:01:30 2004  Now running as requested user 'ntop' (100:101)
Wed Jul 14 20:01:30 2004  VENDOR: Loading MAC address table.
Wed Jul 14 20:01:30 2004  VENDOR: Checking for MAC address table file
Wed Jul 14 20:01:30 2004  VENDOR: Loading newer file '/etc/ntop/specialMAC.txt.gz'
Wed Jul 14 20:01:30 2004  VENDOR: ...found 61 lines
Wed Jul 14 20:01:30 2004  VENDOR: ...loaded 59 records
Wed Jul 14 20:01:30 2004  VENDOR: Checking for MAC address table file
Wed Jul 14 20:01:30 2004  VENDOR: Loading newer file '/etc/ntop/oui.txt.gz'
Wed Jul 14 20:01:31 2004  VENDOR: ...found 44580 lines
Wed Jul 14 20:01:31 2004  VENDOR: ...loaded 7231 records
Wed Jul 14 20:01:31 2004  INIT: Bye bye: I'm becoming a daemon...
Wed Jul 14 20:01:31 2004  INIT: Parent process is exiting (this is normal)

ntop successfully started and monitoring interface(s): eth1...


1. Create a RAM disk at mount point: /mnt/ram9.

2. List all mount points on the probe system. Notice the 80 MByte RAM disk created at mount point: /mnt/ram9.

3. Start up an ntop daemon on interface: eth1 with the "set sticky hosts" ("-c") parameter specified.
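As an added example (not NST code and not part of the setup_ntop script), the following bash functions perform the pre-flight checks the help text above asks for (RAM device to mount point mapping, RAM disk size checked against "free") and then confirm from the verbose setup_ntop output that ntop switched to the unprivileged ntop user and is monitoring the requested interface. The "free -m" column layout and the sample inputs are assumptions, constructed from the transcript above.

```shell
#!/bin/bash
# Added example, not part of NST or the setup_ntop script: pre-flight checks
# for the RAM disk options and a post-start check on setup_ntop's verbose
# output. The "free -m" column layout and the sample text below are assumed.

# Map an NST RAM device (/dev/ram0 .. /dev/ram9) to the mount point the
# script picks for it (/mnt/ram0 .. /mnt/ram9). Fails for any other device.
ram_mount_point() {
  case "$1" in
    /dev/ram[0-9]) printf '/mnt/%s\n' "${1#/dev/}" ;;
    *) return 1 ;;
  esac
}

# True when a RAM disk of $1 MB uses less than half of the "free" column of
# the Mem: line in $2 (the captured output of "free -m"), so the probe keeps
# headroom. Refuses non-numeric sizes.
ramdisk_fits() {
  local want_mb="$1" free_mb
  case "$want_mb" in ''|*[!0-9]*) return 1 ;; esac
  free_mb=$(printf '%s\n' "$2" | awk '$1 == "Mem:" { print $4; exit }')
  [ -n "$free_mb" ] && [ "$want_mb" -lt $((free_mb / 2)) ]
}

# True when the verbose setup_ntop output in $2 shows that ntop gave up root
# (it switches to the "ntop" user) and reports that it is monitoring $1.
ntop_started_ok() {
  local iface="$1" out="$2"
  printf '%s\n' "$out" | grep -q "Now running as requested user 'ntop'" &&
    printf '%s\n' "$out" | grep -q "successfully started and monitoring interface(s): $iface"
}

# Constructed sample inputs, modelled on the transcript on this page.
SAMPLE_FREE='              total        used        free      shared  buff/cache   available
Mem:            384         120         200           0          64         230
Swap:             0           0           0'
SAMPLE_LOG="Wed Jul 14 20:01:30 2004  Now running as requested user 'ntop' (100:101)
Wed Jul 14 20:01:31 2004  INIT: Parent process is exiting (this is normal)
ntop successfully started and monitoring interface(s): eth1..."

if ram_mount_point /dev/ram9 >/dev/null && ramdisk_fits 80 "$SAMPLE_FREE"; then
  echo "pre-flight ok: setup_ntop -i eth1 -no \"-c\" -rd /dev/ram9 -rds 80 -v"
fi
ntop_started_ok eth1 "$SAMPLE_LOG" && echo "ntop is up, unprivileged, monitoring eth1"
```

On a live probe, replace SAMPLE_FREE with "$(free -m)" and SAMPLE_LOG with the captured output of setup_ntop -v.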

The ntop network traffic analysis is viewed with an SSL-capable web browser. In this case the ntop daemon is running on an NST probe with IP address 10.222.222.117, and the URL for access to this ntop daemon is http://10.222.222.117:3001. A remote Microsoft Windows XP Professional desktop running Internet Explorer will now be used to show various ntop screen shots for this example.

Figure 3.3. NTop Network Load: ntop screen shot showing the network load time series.

Figure 3.4. NTop All Protocol Data: ntop screen shot showing all protocol data as a function of detected hosts.

Figure 3.5. NTop Packet Rate Graphs (RRD): ntop screen shot showing graphs of packet rates (ethernet and broadcast) collected on eth1. These graphs were generated from data stored in the associated rrdtool database.

Note

NST's Web User Interface found in Chapter 2, The Web User Interface (WUI) can also be used to start up ntop. Look under the "Networking/Monitors" section for the "ntop" link.