ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the (IP and non-IP) traffic generated by each host. ntop may operate as a front-end collector (sFlow and/or netFlow plugins) or as a stand-alone collector/display program. A web browser is used to access the information captured by the ntop program.
ntop is a hybrid layer 2 / layer 3 network monitor, that is by default it uses the layer 2 Media Access Control (MAC) addresses AND the layer 3 tcp/ip addresses. ntop is capable of associating the two, so that ip and non-ip traffic (e.g. arp, rarp) are combined for a complete picture of network activity.
NST is configured with a setup script for running the ntop application. The script: /usr/local/bin/setup_ntop creates a ntop runtime environment along with setting up a file directory structure for the Round Robin Database support tool (RRDtool). The NST alias: lntop can be used to reference the /usr/local/bin/setup_ntop script.
The following listing displays the usage documentation for the /usr/local/bin/setup_ntop script:
[root@probe root]# /usr/local/bin/setup_ntop -h

Usage: setup_ntop [-s] [-i <interface>] [-rd <RAM device>]
                  [-rds <RAM disk size (MB)>] [-rmp <RAM mount point>]
                  [-rdir <runtime directory>] [-no <ntop_options>] [-v] [-h]

This script is used to create a runtime execution environment for
ntop and start the ntop daemon. ntop is a network traffic probe that
shows network usage and protocol statistics. Accessibility to ntop is
via one's Web browser at the default SSL port: 3001.

The default configuration will create a 64MB RAM disk for ntop and
its associated Round Robin Database (rrd) at directory location:
/mnt/ram4/ntop.

The following are 2 examples on how to get access to the ntop Web
interface:

  Example 1: Local Access (IP Address "localhost": 127.0.0.1)
    NST probe running a ntop daemon.
    Interface: "Firefox" browser using X Windows or VNC client, or
               the "elinks" browser using the console or a SSH session.
    URL: http://127.0.0.1:3001

  Example 2: Remote Access (IP Address of NST Probe running ntop: 192.168.3.24)
    Interface: Any Web browser that supports SSL.
    URL: https://192.168.3.24:3001

  -s | --stop
    Use this optional parameter to stop an already running ntop daemon.
    If this option is not used and a ntop daemon is already running,
    this script will terminate normally leaving the existing ntop
    daemon running.

  -i | --interface
    Use this optional parameter to specify the network interface or
    interfaces to be used by ntop for network monitoring. If multiple
    interfaces are used their names must be separated with a comma.
    For instance -i "eth0,lo,eth2".

  -rd <RAM device> | --ram-device <RAM device>
    Use this optional parameter to change the default RAM device that
    will be used for this instance of ntop and rrd data files.
    Available RAM device names on NST: "/dev/ram0 - /dev/ram9".
    A corresponding mount point: "/mnt/ram0 - /mnt/ram9" will be
    automatically selected for the RAM device. One can use the
    following optional parameter: "-rmp <mount point>" to change
    the mount point location for the selected RAM device.
    Default: "/dev/ram4"

  -rds <RAM disk size (MB)> | --ram-disk-size <RAM disk size (MB)>
    Use this optional parameter to change the default RAM disk size
    in MegaBytes (MB) that will be used for ntop and rrd data files.
    Default: "64"
    ** Note: Use a reasonable value and make sure you do not exceed
       your available system RAM. The system memory utility: "free"
       can be used to help make your determination.

  -rmp <mount point> | --ram-mount-point <mount point>
    Use this optional parameter to change the selected RAM device's:
    "-rd <RAM device>" mount point for ntop and rrd data files.
    Default: "/mnt/ram4"

  -rdir <runtime directory> | --runtime-directory <runtime directory>
    One can use this optional parameter to force the setup script to
    use an existing directory on a locally attached disk drive or a
    mounted network file system and bypass the creation of a RAM disk.
    To do this, make sure the directory initially exists prior to
    running this script.
    Example:
      Mount Point: "/dev/hdc1" mounted at: "/probe1" type ext3 (rw)
      Directory: "/probe1/networkdata"
      Use: "-rdir /probe1/networkdata" to create the top level runtime
      directory structure for the ntop and rrd data files.
      Directory Structure:
        ntop => /probe1/networkdata/ntop
        rrd  => /probe1/networkdata/ntop/rrd

  -no <ntop_options> | --ntop-option <ntop_options>
    Use this optional parameter to pass options to ntop in the format
    used by ntop(8). This is useful when specifying options for which
    there is no separate "setup_ntop" command-line flag. For example,
    set sticky hosts and change the default ntop HTTP server port
    to 4600: -no "-c -w 4600".
    ** Note: Double quotes are necessary when spaces exist between
       command-line flags and values.

  -v | --verbose
    This optional switch will enable verbose output. Without this
    switch set, minimal output from the execution of this script
    will be displayed.

  -h | --help
    Displays this help information.
This script will also start up a ntop daemon with user access via an SSL-capable web browser at the default SSL port: 3001. ntop parameters can be set in the /etc/ntop.conf configuration file or passed along to the ntop daemon via the "-no" or "--ntop-option" command-line parameter. The command-line parameters take precedence over any settings in the ntop configuration file: /etc/ntop.conf
The following example will start up an ntop instance monitoring network traffic on a stealth interface: eth1. An 80 MByte RAM disk associated with device: /dev/ram9 will be used for the runtime environment. The ntop parameter: "set sticky hosts" - "-c" will be passed along to the ntop daemon. Verbose output from the execution of the setup_ntop script using the example parameters above is shown in the listing below.
[root@probe root]# /usr/local/bin/setup_ntop -i eth1 -no "-c" -rd /dev/ram9 -rds 80 -v

*** Creating a 80MByte RAM disk at mount point: "/mnt/ram9"...
/root/bin/create_ramdisk -s 80 -d /dev/ram9 -m /mnt/ram9 -v
============================================================
= Creating a 81920KB RAM disk at mount point: /mnt/ram9... =
============================================================
*** Zeroing out RAM device: "/dev/ram9"...
/bin/dd if=/dev/zero of=/dev/ram9 bs=1k count=81920
81920+0 records in
81920+0 records out
*** Creating a 81920KB Linux ext2 file system on RAM device: "/dev/ram9"...
/sbin/mke2fs -vm 0 /dev/ram9 81920
mke2fs 1.32 (09-Nov-2002)
Filesystem label=
OS type: Linux
Block size=1024 (log=0)
Fragment size=1024 (log=0)
20480 inodes, 81920 blocks
0 blocks (0.00%) reserved for the super user
First data block=1
10 block groups
8192 blocks per group, 8192 fragments per group
2048 inodes per group
Superblock backups stored on blocks:
        8193, 24577, 40961, 57345, 73729

Writing inode tables: done
Writing superblocks and filesystem accounting information: done

This filesystem will be automatically checked every 28 mounts or
180 days, whichever comes first.  Use tune2fs -c or -i to override.
*** Mounting RAM disk device: "/dev/ram9" at mount point: "/mnt/ram9"...
/bin/mount -t ext2 /dev/ram9 /mnt/ram9
*** Show all current mounts...
/bin/df -k
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/ram                 63461     32705     30756  52% /
none                    192256         0    192256   0% /dev/shm
/dev/cdrom              494976    494976         0 100% /mnt/cdrom
/dev/ram5                31729     20553     11176  65% /mnt/ram5
/dev/ram9                79327        13     79314   1% /mnt/ram9
*** Successfully created a 81920KB RAM Disk: "/dev/ram9" at mount point: "/mnt/ram9"...
*** Starting up ntop...
/usr/local/bin/ntop @/etc/ntop.conf -d -i "eth1" -c
Processing file /etc/ntop.conf for parameters...
Wed Jul 14 20:01:27 2004  ntop v.3.0 SourceForge RPM MT (SSL)
Wed Jul 14 20:01:27 2004  Configured on Mar 21 2004 18:07:20, built on Mar 21 2004 18:08:27.
Wed Jul 14 20:01:27 2004  Copyright 1998-2004 by Luca Deri <deri@ntop.org>
Wed Jul 14 20:01:27 2004  Get the freshest ntop from http://www.ntop.org/
Wed Jul 14 20:01:27 2004  Initializing ntop
Wed Jul 14 20:01:30 2004  Checking eth1 for additional devices
Wed Jul 14 20:01:30 2004  Resetting traffic statistics for device eth1
Wed Jul 14 20:01:30 2004  DLT: Device 0 [eth1] is 1, mtu 1514, header 14
Wed Jul 14 20:01:30 2004  Initializing gdbm databases
Wed Jul 14 20:01:30 2004  Now running as requested user 'ntop' (100:101)
Wed Jul 14 20:01:30 2004  VENDOR: Loading MAC address table.
Wed Jul 14 20:01:30 2004  VENDOR: Checking for MAC address table file
Wed Jul 14 20:01:30 2004  VENDOR: Loading newer file '/etc/ntop/specialMAC.txt.gz'
Wed Jul 14 20:01:30 2004  VENDOR: ...found 61 lines
Wed Jul 14 20:01:30 2004  VENDOR: ...loaded 59 records
Wed Jul 14 20:01:30 2004  VENDOR: Checking for MAC address table file
Wed Jul 14 20:01:30 2004  VENDOR: Loading newer file '/etc/ntop/oui.txt.gz'
Wed Jul 14 20:01:31 2004  VENDOR: ...found 44580 lines
Wed Jul 14 20:01:31 2004  VENDOR: ...loaded 7231 records
Wed Jul 14 20:01:31 2004  INIT: Bye bye: I'm becoming a daemon...
Wed Jul 14 20:01:31 2004  INIT: Parent process is exiting (this is normal)
ntop successfully started and monitoring interface(s): eth1...
Notes on the listing above:
(1) Create a RAM disk at mount point: /mnt/ram9.
(2) List all mount points on the probe system. Notice the 80 MByte RAM disk created at mount point: /mnt/ram9.
(3) Start up a ntop daemon on interface: eth1 with the "set sticky hosts" - "-c" parameter specified.
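The bookkeeping that the usage text and the verbose listing above describe (size arithmetic for the RAM disk, the "do not exceed available RAM" check, the /dev/ramN to /mnt/ramN pairing, the comma-separated interface list, and the ntop command line with the configuration file read first so that command-line flags take precedence) can be exercised without root access. The following is an added example written for this page; it is not NST's setup_ntop or create_ramdisk script. The ntop path, the "-d" daemon flag and the @/etc/ntop.conf argument are taken from the listing; the 25% headroom rule, the constructed fallback memory value and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of NST's setup_ntop or create_ramdisk scripts.
# Helper functions that reproduce the checks those scripts make before
# touching a RAM device. Nothing here needs root or a real /dev/ramN.

# ramdisk_blocks MB -> number of 1 KB blocks, the count handed to dd and
# mke2fs (80 MB -> 81920, matching the listing above)
ramdisk_blocks() {
    echo $(( $1 * 1024 ))
}

# check_ramdisk_fits MB AVAILABLE_KB -> 0 if the RAM disk leaves at least a
# quarter of available memory for the rest of the system (assumed rule),
# 1 otherwise. AVAILABLE_KB is passed in (normally read from "free -k" or
# /proc/meminfo) so the check can be exercised with constructed values.
check_ramdisk_fits() {
    want_kb=$(ramdisk_blocks "$1")
    limit_kb=$(( $2 * 3 / 4 ))
    [ "$want_kb" -le "$limit_kb" ]
}

# ram_mount_point /dev/ramN -> /mnt/ramN, the pairing setup_ntop uses for -rd
# when no -rmp is given; anything that is not /dev/ram0 - /dev/ram9 is rejected
ram_mount_point() {
    case "$1" in
        /dev/ram[0-9]) echo "/mnt/${1#/dev/}" ;;
        *) return 1 ;;
    esac
}

# valid_iface_list "eth0,lo,eth2" -> 0 if every comma-separated entry looks
# like an interface name, 1 on an empty list, an empty entry or an unexpected
# character (a shell metacharacter in an interface name would otherwise be
# spliced straight into the ntop command line)
valid_iface_list() {
    [ -n "$1" ] || return 1
    saved_ifs=$IFS
    IFS=,
    for name in $1; do
        case "$name" in
            ''|*[!A-Za-z0-9_.:-]*) IFS=$saved_ifs; return 1 ;;
        esac
    done
    IFS=$saved_ifs
    return 0
}

# ntop_cmdline CONF IFACES [EXTRA] -> the ntop invocation as one string.
# The @CONF file is processed first and EXTRA (the text given to setup_ntop's
# -no option) comes after it, which is why command-line flags win.
ntop_cmdline() {
    if [ -n "$3" ]; then
        printf '/usr/local/bin/ntop @%s -d -i "%s" %s\n' "$1" "$2" "$3"
    else
        printf '/usr/local/bin/ntop @%s -d -i "%s"\n' "$1" "$2"
    fi
}

# Stand-alone demonstration using the values from the example run above.
avail_kb=
if [ -r /proc/meminfo ]; then
    avail_kb=$(awk '/^MemAvailable:/ { print $2 }' /proc/meminfo)
fi
# constructed fallback: the 192256 KB /dev/shm size shown in the df listing
[ -n "$avail_kb" ] || avail_kb=192256
if check_ramdisk_fits 80 "$avail_kb"; then
    echo "80 MB RAM disk ($(ramdisk_blocks 80) KB) fits; mount at $(ram_mount_point /dev/ram9)"
else
    echo "80 MB RAM disk would not fit in $avail_kb KB available" >&2
fi
valid_iface_list "eth1" && ntop_cmdline /etc/ntop.conf eth1 -c
```

Run directly, the last line prints the same command that appears in the verbose listing, /usr/local/bin/ntop @/etc/ntop.conf -d -i "eth1" -c, and the interface check rejects lists such as "eth0,,eth2" before anything is started.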
Access to visualize the ntop network traffic analysis is via an SSL-capable web browser. In this case the ntop daemon is running on an NST probe with IP address: 10.222.222.117. The URL for access to this ntop daemon is: http://10.222.222.117:3001. A remote Microsoft Windows XP Professional desktop running Internet Explorer will now be used to show various ntop screen shots for this example.
ntop screen shot showing the network load time series.
ntop screen shot showing all protocol data as a function of detected hosts.
ntop screen shot showing graphs of packet rates (ethernet and broadcast) collected on eth1. These graphs were generated from data stored in the associated rrdtool database.
NST's Web User Interface found in Chapter 2, The Web User Interface (WUI) can also be used to start up ntop. Look under the "Networking/Monitors" section for the "ntop" link.