Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Fatherhood.Org

 Create an AccountHome | Submit News | Your Account  

Tutorial Menu
Linux Tutorial Home
Table of Contents

· Introduction to Operating Systems
· Linux Basics
· Working with the System
· Shells and Utilities
· Editing Files
· Basic Administration
· The Operating System
· The X Windowing System
· The Computer Itself
· Networking
· System Monitoring
· Solving Problems
· Security
· Installing and Upgrading
· Linux and Windows

Glossary
MoreInfo
Man Pages
Linux Topics
Test Your Knowledge

Site Menu
Site Map
FAQ
Copyright Info
Terms of Use
Privacy Info
Disclaimer
WorkBoard
Thanks
Donations
Advertising
Masthead / Impressum
Your Account

Communication
Feedback
Forums
Private Messages
Surveys

Features
HOWTOs
News Archive
Submit News
Topics
User Articles
Web Links

Google
Google


The Web
linux-tutorial.info

Who's Online
There are currently, 61 guest(s) and 0 member(s) that are online.

You are an Anonymous user. You can register for free by clicking here

  

ntop



SYNOPSIS

       ntop  [@filename] [-a|--access-log-path <path>] [-b|--dis­
       able-decoders] [-c|--sticky-hosts] [-f|--traffic-dump-file
       file>]  [-g|--track-local-hosts] [-h|--help] [-k|--filter-
       expression-in-extra-frame]     [-l|--pcap-log      <path>]
       [-m|--local-subnets     <addresses>]     [-n|--numeric-ip-
       addresses]    [-o|--no-mac]    [-p|--protocols     <list>]
       [-q|--create-suspicious-packets]  [-r|--refresh-time <num­
       ber>]  [-s|--no-promiscuous]  [-t|--trace-level  <number>]
       [-w|--http-server      <port>]     [-z|--disable-sessions]
       [-A|--set-admin-password password] [-B|--filter-expression
       expression]   [-C|--large-network]   [-D|--domain  <name>]
       [-F|--flow-spec     <specs>]     [-M|--no-interface-merge]
       [-O|----output-packet-path]   [-P|--db-file-path   <path>]
       [-R|--filter-rule <file>]  <number>]  [-U|--mapper  <URL>]
       [-V|--version]  [--throughput-bar-chart] [--dynamic-purge-
       limits]  [--reuse-rrd-graphics]   [--p3p-cp]   [--p3p-uri]
       [--disable-stopcap]

       Not available on micro-ntop:

       [-e|--max-table-rows <number>]

       Unix options:

       [-d|--daemon]  [-i|--interface  <name>] [-u|--user <user>]
       [-E|--enable-external-tools]   [-K|--enable-debug]    [-L]
       [-use-syslog <facility>] [--ignore-sigpipe]

       Win32 option:

       [-i|--interface <number>]

       OpenSSL options:

       [-W|--https-server <port>] [--use-sslwatchdog]


DESCRIPTION

       ntop  shows  the current network usage. It displays a list
       of hosts that are currently using the network and  reports
       information  concerning the (IP and non-IP) traffic gener­
       ated by each host.  ntop may operate as a  front-end  col­
       lector  (sFlow and/or netFlow plugins) or as a stand-alone
       collector/display program. A  web  browser  is  needed  to
       access the information captured by the ntop program.

       An older, and unsupported version, intop can be started in
       a terminal window.

        given:  --trace-level  2  --trace-level  3  will  run  as
        --trace-level 3.

       -a | --access-log-path
        By  default  ntop does not maintain an http log. Use this
        flag to specify the path of the file where HTTP  accesses
        will  be  logged. Each log entry is in Apache-like style.
        The only difference between Apache and ntop  is  that  an
        additional  column  has been added which has the time (in
        milliseconds) that ntop needed  in  order  to  serve  the
        request.

       -b | --disable-decoders
        This flag disables protocol decoders (e.g. DNS, NetBIOS).
        Use it for better performance or if  you  feel  ntop  has
        problem handling some protocols.

       -c | --sticky-hosts
        By  default  idle hosts are periodically purged from mem­
        ory.  Use this flag to  prevent  idle  hosts  from  being
        purged from memory.  NOTE: if idle hosts are kept in mem­
        ory you can experience severe memory usage.

       -d | --daemon
        This flag causes ntop to become  a  daemon,  i.e.  it  is
        started  in  background and runs detached from the termi­
        nal.

       -e | --max-table-rows
        Is the maximum number of HTML table rows that  ntop  will
        display.

       -f | --traffic-dump-file
        Specifies  the  file  containing tcpdump captured traffic
        that has to be used by ntop.  NOTE:  if  you  specify  -f
        ntop will not capture any traffic after the file has been
        read.  This option is mostly used for debug purposes.

       -g | --track-local-hosts
        Use this flag to tell ntop that you do  care  only  about
        local hosts (use -m to specify local nets).  This flag is
        useful on large networks or those that  see  many  hosts,
        (e.g.  a  border  router  or gateway), yet only the local
        ones need to be tracked.

        interfaces is merged together as if the traffic were seen
        by  only  one interface.  Use the -M flag to keep traffic
        separate by interface.

        Win32 note: This is the number of the interface, not it's
        name.  Run ntop -h to see a list of interface name-number
        mappings (at the end of the help information).

       -k | --filter-expression-in-extra-frame
        When this flag is used, the current filter expression  is
        printed in an extra frame and thus always visible.

       -l | --pcap-log
        Dumps  the  network traffic captured by ntop in a file in
        pcap format (useful for debug).

       -m | --local-subnets
        This flag allows users to specify the subnets whose traf­
        fic   is   considered  local.   The  format  is  <network
        address>/<# subnet mask bits>[,<network address>/<#  sub­
        net  mask bits>].  Both netmasks and CIDR notation may be
        used, for instance  "131.114.21.0/24,10.0.0.0/255.0.0.0".

       -n | --numeric-ip-addresses
        This  causes ntop to show numeric IP addresses instead of
        the symbolic names. This option can useful when  the  DNS
        is  not present or quite slow.  Under intop, you can tog­
        gle the address format (numeric vs. symbolic) by pressing
        the n key while intop is running.

       -o | --no-mac
        Specifies  the  user  ntop should not trust MAC addresses
        but just IP addresses.  This option  is  useful  whenever
        ntop  is started on an interface where MAC addresses can­
        not be really trusted (e.g. port/VLAN mirror).

        Be aware that information which is dependent upon the MAC
        addresses  (such  as  IPX) will not be collected nor dis­
        played.

       -p | --protocols
        It is used to specify the  TCP/UDP  protocols  that  ntop
        will  monitor.  The  format is <label>=<protocol list> [,
        <label>=<protocol list>], where label is used to symboli­
        cally identify the <protocol list>. The format of <proto­
        col list> is <protocol>[|<protocol>], where <protocol> is
          NNTP=nntp
          NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
          X11=6000-6010
          SSH=22

          Peer-to-Peer Protocols
          ----------------------
          Gnutella=6346|6347|6348
          Kazaa=1214
          WinMX=6699|7730
          DirectConnect=0       Dummy  port as this is a pure P2P
        protocol
          eDonkey=4661-4665

          Instant Messenger
          -----------------
          Messenger=1863|5000|5001|5190-5193

        If the <protocol list> is very long you may store it in a
        file (for instance protocol.list).  To do so, specify the
        file name instead of the <protocol list> on  the  command
        line.   e.g.   ntop  -p  protocol.list instead of ntop -p
        FTP=ftp|ftp-data,HTTP=http|www|https|3128 ...

       -q | --create-suspicious-packets
        Forces   ntop   to   create   a   file   ntop-suspicious-
        pkts.XXX.pcap (XXX is the interface name) file.  One file
        is created for each network  interface  where  suspicious
        packets are found.  The file is in pcap format (tcpdump).

       -r | --refresh-time
        Specifies the delay (in seconds) between  screen  updates
        (the default is 3 seconds).

        Please note that if the delay is very short (1 second for
        instance), ntop might not be able to process all the net­
        work traffic.

       -s | --no-promiscuous
        Use  this  flag  for  preventing  from setting the inter­
        face(s) into promiscuous mode.

        ntop must probably still be started as  root,  since  the
        libpcap  function  on  most systems require it to capture
        raw packets.

        This eliminates the ability of capturing ethernet  frames
        regardless of whether they are directed to the local eth­
        ernet card or to the ethernet broadcast address.
        Trace  level  4  is  called  'noisy'  and it is.  It also
        enables a MSGID-nnnnn tag on every message, which may  be
        useful for log watchers.

       -u | --user
        Specifies  the  user ntop should run as after it initial­
        izes. The value specified may be either a username  or  a
        numeric  user  id.  The group id used will be the primary
        group of the user specified.  If this  parameter  is  not
        specified,  ntop will try to switch first to 'nobody' and
        then to 'anonymous' before giving up.

       -w | --http-server
        ntop offers an embedded web  server  so  that  users  can
        attach their web browsers to the program and browse traf­
        fic information remotely.  This parameter  specifies  the
        port (and optionally the address (i.e. interface)) of the
        ntop web server.  For example, if started  with  -w  3000
        (the   default   port),   the   URL  to  access  ntop  is
        http://hostname:3000/.  If started with a full specifica­
        tion, e.g. -w 192.168.1.1:3000, ntop listens on only that
        address/port combination.

        If -w is set to 0 the HTTP port will not be enabled  ('-w
        0'  is accepted only if ntop has been compiled with HTTPS
        support and  has  not  been  started  with  '-W  0'  [see
        below]).

        Some examples:

        ntop  -w  3000  -W  0  (this is the default setting) HTTP
        requests on port 3000 and no HTTPS.

        ntop -w 80 -W 443 Both HTTP and HTTPS have  been  enabled
        on their most common ports.

        ntop -w 0 -W 443 HTTP disabled, HTTPS enabled on the com­
        mon port.

        An external HTTP server is NOT  required  NOR  supported.
        The ntop web server is embedded into the application.

        By default user/URL administration are password protected
        and are accessible initially only user admin with a pass­
        word set during the first run of ntop

        Users  can modify/add/delete users/URLs using ntop itself
        - see the Admin tab.

        The passwords, userids and URLs to protect with passwords

        -A and --set-admin-password (without a value) will prompt
        the user for the password.

        You  may  set  a  specific  value using --set-admin-pass­
        word=value.  The = is REQUIRED!

       -B | --filter-expression
        ntop , similar to what tcpdump does (and using  the  same
        BPF  -  Berkeley  Packet  Filter syntax), this allows the
        user to specify an expression which restricts the traffic
        seen  by ntop You may use this to select only the traffic
        of interest. For instance,  suppose  you  are  interested
        only  in  the  traffic  generated/received  by  the  host
        jake.unipi.it.  ntop can then be started with the follow­
        ing  filter: 'ntop -B "src host jake.unipi.it or dst host
        jake.unipi.it"'. i

        See the 'expression' section of the tcpdump man page  for
        further information about BPF filters.

       -C | --large-network
        This  flag is a hint for ntop : as the network being ana­
        lyzed will be large, ntop will  build  a  more  efficient
        hash  and  save  memory  by  disabling some features (e.g
        traffic distribution during the day) that take up a large
        amount of memory.

       -D | --domain
        This  identifies  the local domain suffix, e.g. ntop.org.
        It may be necessary, if ntop is having difficulty  deter­
        mining it from the interface.

       -E | --enable-external-tools
        By  default  ntop  does  not take advance of lsof even if
        present. Use this flag if you want make ntop enable  it's
        use of lsof if lsof is present.

       -F | --flow-spec
        It  is used to specify network flows similar to more pow­
        erful applications such as NeTraMet.  A flow is a  stream
        of captured packets that match a specified rule. The for­
        mat is

        <flow-label>='<matching              expression>'[,<flow-
        label>='<matching expression>']

        gateway gateway.unipi.it are added to the GatewayRoutedP­
        kts flow. If the flows list is very long you may store in
        a  file  (for  instance  flows.list) and specify the file
        name instead of the actual flows list (in the above exam­
        ple, this would be 'ntop -F flows.list').

       -K | --enable-debug
        Use  this  flag  to  simplify application debug.  It does
        three things: 1. Does not fork() on the "read only"  html
        pages.   2.  Displays  mutex  values on the configuration
        (info.html) page.  3. (If available  -  glibc/gcc)  Acti­
        vates an automated backtrace on application errors.

       -L | --use-syslog=facility
        Use  this  flag  for  using the syslog instead of stdout.
        Please note that if ntop (ever) forks a child, regardless
        of  this setting, the syslog will be used for this child.
        The (optional) parameter  value  indicates  the  facility
        (e.g.  daemon,  security)  to  be used for logging, using
        --use-syslog=facility.  The = is REQUIRED!

       -M | --no-interface-merge
        Forces ntop not to  merge  network  interfaces  together.
        This  means  that  ntop  will collect statistics for each
        interface and report them separately - see Admin | Switch
        NIC to select which interface to report.

        Note  that  the  netFlow and sFlow plugins will force the
        setting of -M.

       -O | --output-packet-path
        Base path for the ntop-suspicious-pkts.XXX.pcap and  nor­
        mal  packet  log  file  (in tcpdump format).  If the base
        path is a directory you have to append a / to the  string
        for this to work.

       -P | --db-file-path
        This specifies where ntop db files are created.

        Note  that  the  default,  "." may not be what you expect
        when running ntop as a daemon or Win32 service.   Setting
        an explicit value is STRONGLY recommended.

       -U | --mapper
        Specifies the URL of the mapper.pl utility.  ntop creates
        a hyperlink to this URL by appending ?host=xxxxx and cre­
        If  ntop  has  been  compiled  with  HTTPS  support  (via
        OpenSSL), this flag can be used to set the HTTPS port and
        address.   If the user specifies '-W 0', HTTPS support is
        disabled.  This is the default (disabled).

        For more information, see the -w parameter above.

       --throughput-bar-chart
        Format the throughput charts with bars instead of  as  an
        area chart.

       --dynamic-purge-limits
        Enable  a  dynamic adjustment of the idle host purge lim­
        its.  Normally the purge is limited to 1/3  of  the  hash
        size or 512 hosts (whichever is smaller) per cycle.  This
        switch allows ntop to dynamically  adjust  the  limit  so
        that the purge takes between 0.5 and 5.0 seconds (but the
        minimum dynamic limit is 64 per cycle).  These values may
        be adjusted via compile time constants.

       --reuse-rrd-graphics
        Enable  the  reuse of rrd graphics if appropriate (no rrd
        updates in the interim).  By default, with the  flag  not
        set, the graphics are recreated for each request.

       --p3p-cp
        Tells ntop what to return in the p3p header, cp="xxxx".

       --p3p-uri
        Tells  ntop  what  to  return  in  the  p3p header, poli­
        cyref="xxxx".

       --disable-stopcap
        Return ntop to the old (v2.1) behavior on a memory error.
        The  default  of  stopcap enabled makes the web interface
        available albeit with static content until ntop is  shut­
        down.

       --ignore-sigpipe
        Enable a handler for SIGPIPE errors. This usually happens
        only under debug (gdb).  (also available as a ./configure
        option, --enable-ignoresigpipe)

       --use-sslwatchdog
        --enable-sslwatchdog)


WEB VIEWS

       While ntop is running, multiple users can access the traf­
       fic information using conventional web browsers.  The main
       HTML  page is divided is three frames.  The top frame is a
       familiar tabbed navigation bar, containing items  such  as
       'Total',  'Sent'  and  'IP Protos'.  The left frame allows
       users to select the specific traffic view from among those
       for  the tab.  The resulting data will be displayed in the
       right frame.


NOTES

       ntop requires a number of external tools.  Other tools are
       optional, but add to the program's capabilities.

       Required libraries include:

       libpcap from http://www.tcpdump.org/

       The Win32 version makes use of libpcap for Win32 which may
       be          downloaded          from           http://win­
       pcap.polito.it/install/default.htm).    WARNING:  The  2.x
       series of libpcap for Win32 releases will NOT support  SMP
       machines.

       gdbm from http://www.gnu.org/software/gdbm/gdbm.html

       ntop  requires a POSIX threads library. Although a single-
       threaded version of ntop can be built from the  source  if
       requested  during  ./configure,  it is not recommended for
       more than trivial usage.

       intop requires ncrypt and readline.

       Optional libraries include:

       The       gdchart       library,       available        at
       http://www.fred.net/brv/chart/.    Note   that  ntop  dis­
       tributes an enhanced version of gdchart, 0.94c, as part of
       the  ntop  source  tree.   ntop has not be tested with the
       (development/beta) releases of gdchart (the 0.10 and  0.11
       series).

       The  gd  library, for the creation of gif files, available
       at http://www.boutell.com/gd/.  The 1.8.3 version of gd is
       included with gdchart 0.94c in the ntop source tree.  ntop
       has not been tested with any other version.
       rectify the problem or notify the user.  This may not work
       in all cases.  If you have a  problem  with  graphics  not
       being produced, check the ntop log and check the installed
       versions of libpng.

       (if an  https://  server  is  desired)  openSSL  from  the
       OpenSSL project available at http://www.openssl.org.

       The  rrdtool  is required by the rrd plugin.  rrdtool cre­
       ates 'Round-Robin databases' which are used  to  hold  and
       graph   historical   data.    The  rrdtool  home  page  is
       http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

       ntop has been  tested  with  rrdtool  versions  1.0.38  ->
       1.0.41.   ntop has NOT been (successfully) tested with the
       rrdtool development versions, and  there  are  significant
       differences between the two branches.

       Also,  please note that there is a patched version of rrd­
       tool 1.0.41 available in the ntop files  area  of  Source­
       Forge.   This  contains  a  bug fix (which will be part of
       rrdtool 1.0.42 when released).  Without this fix, ntop may
       - rarely - crash during the create/update of an rrd.

       The  sflow  Plugin  is  courtesy of and supported by InMon
       Corporation, http://www.inmon.com/sflowTools.htm.

       There are other optional libraries.   See  the  output  of
       ./configure for a fuller listing.

       An optional tool, which ntop will utilize if available, is
       lsof        available        from        ftp://vic.cc.pur­
       due.edu/pub/tools/unix/lsof/README.

       lsof is used to present a remote view of the open files on
       the ntop host.

       Note that lsof must be configured suid root to enable it's
       use.   The user is cautioned to fully understand the secu­
       rity implications of  this  setting  before  enabling  it.
       ntop will function quite properly without the lsof tool.


SEE ALSO

       intop(1), top(1), tcpdump(8).


AUTHOR

       Please   send   bug  reports  to  the  ntop  mailing  list
       <ntop@ntop.org>.    Please   send    code    patches    to
       <patch@ntop.org>.
  

There are several different ways to navigate the tutorial.


Login
Nickname

Password

Security Code
Security Code
Type Security Code


Don't have an account yet? You can create one. As a registered user you have some advantages like theme manager, comments configuration and post comments with your name.

Help if you can!


Amazon Wish List

Did You Know?
You can choose larger fonts by selecting a different themes.


Friends



Tell a Friend About Us

Bookmark and Share



Web site powered by PHP-Nuke

Is this information useful? At the very least you can help by spreading the word to your favorite newsgroups, mailing lists and forums.
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.
The Linux Knowledge Base and Tutorial may contain links to sites on the Internet, which are owned and operated by third parties. The Linux Tutorial is not responsible for the content of any such third-party site. By viewing/utilizing this web site, you have agreed to our disclaimer, terms of use and privacy policy. Use of automated download software ("harvesters") such as wget, httrack, etc. causes the site to quickly exceed its bandwidth limitation and are therefore expressly prohibited. For more details on this, take a look here

PHP-Nuke Copyright © 2004 by Francisco Burzi. This is free software, and you may redistribute it under the GPL. PHP-Nuke comes with absolutely no warranty, for details, see the license.
Page Generation: 0.09 Seconds