ntop Usage

ntop usagentop usage potentially can take many forms. You can use ntop as either a stand-alone application (via the web interface) or as a traffic measurement server. ntop can export traffic data in several ways: via the embedded SNMP agent, XML, RRD files, and via a PHP/Perl/Python/JSON data export. By means of the rrd-alarm companion application, ntop also allows users to emit alarms based on some traffic conditions.

ntop Usage: Typical Scenarios

To put ntop usage into context, here are some typical scenarios in which you can deploy ntop:

  • Simple host: This is probably the most common scenario: install ntop on your PC that’s part of a LAN you use for your daily tasks. In such a scenario, you will likely only see a portion of the traffic.
  • Border gateway: In this case, you will see only the traffic from and to your LAN. As your ntop will probably need to analyze several packets, you will want to use some of the command-line options (such as -b, -n, and -z) in order to reduce the amount of work needed to analyze all the traffic.
  • Mirror Line: In this case you will see packets that were not supposed to be received by the PC where ntop runs. Due to this, ntop usually cannot trust MAC addresses but just IPs. Thus, you’ll probably want to use the -o option.

ntop Usage: Command-Line Options

ntop usage from the command-line is fairly simple. ntop has numerous command-line options; here are some of the more common ones:

  • -a or –access-log-file: By default, ntop does not maintain a log of HTTP requests to the internal web server. Use this parameter to request logging and to specify the location of the file where these HTTP request are logged.
  • -b or –disable-decoders: This parameter disables protocol decoders. Protocol decoders examine and collect information about later 2 protocols such as NetBIOS or Netware SAP, as well as about specific TCP/IP, protocols, such as DNS, HTTP, and FTP. Decoding protocols is a significant consumer of resources. If the ntop host is underpowered or monitoring a very busy network, you may wish to disable protocol decoding via this parameter.
  • -d or –daemon: This parameter causes ntop to become a daemon; a task which runs in the background without connection to a specific terminal. If you want to use ntop on a constant basis, you probably want to use this option.
  • -n or –numeric-ip-addresses: By default, ntop resolves IP addresses using a combination of active (explicit) DNS queries and passive sniffing. Sniffing of DNS responses occurs when ntop receives a network packet containing the response to some other user’s DNS query. ntop captures this information and enters it into ntop’s DNS cache, in expectation of shortly seeing traffic addressed to that host. In this way, when ntop significantly reduces the number of DNS queries it makes, making ntop usage more lightweight.
  • -w or –http-server or -W or –https-server: ntop offers an embedded web server to present the information. An external HTTP server is not required nor supported. The ntop web server is embedded into the application. These parameters specify the port (and optionally the address of the ntop web server. For example, if started with -w 3000 (the default port), the URL to access ntop is http://hostname:3000/ If started with a full specification (e.g. -w, ntop listens only on that address and port combination.
  • -z or –disable sessions: This parameter disables TCP session tracking in ntop usage. Use it for better performance or when you don’t need or care to track sessions.

When ntop is running, multiple users can access the traffic information using conventional web browsers. The main HTML page is divided into two frames. The left frame allows users to select the traffic view that will be displayed in the right frame. Available sections are: sort traffic by data sent, sort traffic by data received, traffic statistics, active hosts list, remote to local IP traffic, local to local IP traffic, list of active TCP sessions, IP protocol distribution statistics, IP protocol usage and IP traffic matrix.

External links:

ntop man page at www.ntop.org

ntop: An Introduction

ntopntop is a network probe that shows network usage. It displays a list of hosts that are currently using the network and reports information concerning the IP and non-IP traffic generated by each host. It is a simple, open source (GPL), portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations. In interactive mode, it displays the network status on the user’s terminal; in web mode, it acts as a web server, creating an HTML dump of the network status. ntop was developed by Luca Deri, a research scientist and network manager at the University of Pisa. It started development in 1997, and the first public release was in 1998 (v. 0.4). Version 2.0 was released in 2002 and added support for commercial protocols such as NetFlow v5 and sFlow v2, and version 3.0 was released in 2004 and added RRD support, as well as IPv6 and SCSI/FiberChannel support. Binaries for ntop are currently available for Ubuntu and Red Hat/CentOS.

Advantages of ntop

There are several advantages to using ntop. It is portable and platform neutral; you can deploy it wherever you want with the same look and feel. There are minimal requirements needed to leverage its use. Finally, it is suitable for monitoring both a LAN (by default) and a WAN (if ntop is configured properly).

We can classify the network activity measured by ntop into two categories: traffic measurement and traffic characterization and monitoring. Traffic measurement covers data sent and received, including volume and packets, classified according to network and IP protocol, as well as multicast traffic, TCP session history, bandwidth measurement and analysis, VLAN and AS traffic statistics, and VoIP monitoring. Traffic characterization and monitoring involves observing network flows as well as protocol utilization, ARP and ICMP monitoring, and detection of popular P2P protocols. Monitoring such traffic can be an aid in network optimization and planning which encompasses identification of routers and Internet servers, traffic distribution, service mapping, and mapping network traffic.

In the next article, I will cover integration of ntop into your network.

External Links:

The official ntop site

Open Source Software: Costs and Benefits

Some of those accessing this blog are undoubtedly considering deploying pfSense on their home network, or perhaps in a small office/home office (SOHO) environment. For that reason, I thought it might be useful to devote an article to the costs and benefits of using free and open source software (FOSS) versus commercial software and hardware when deploying a firewall/router.

Open Source Software: Factors to Consider

open source software

The Linksys WRT54G, an example of a consumer grade router.

The most obvious factor to consider is the monetary cost. Initially, this would seem to weigh heavily in favor of pfSense and other free firewall software. For $20 to $50, however, you can purchase a small Linksys, Netgear or Asus router, which uses almost no power and supports port forwarding, performs Network Address Translation (NAT), acts as a Dynamic Host Configuration Protocol (DHCP) server, and provides stateful packet filters. If you use Linux and netfilter, or for that matter m0n0wall or pfsense, even if you have an old PC on which to run the software, it will cost you at least a few dollars a month in electricity. Unless you are familiar with the software you are using, you will find it more difficult to configure than one of the cheap consumer-grade routers, so there is an additional investment of time. If you are setting it up for a small business, it will cost more to pay for the employee’s time to set up a Linux or pfSense firewall than the Linksys would cost to buy. If all you require is a router/firewall than can do port forwarding and DHCP, then there are readily available commercial solutions that are affordable.

If you require additional functionality, however, the situation may change. Commercial VPN solutions can be staggeringly expensive. Yet free solutions such as pfSense and m0n0wall will also work. Even taking into account the fact that the free solutions may not have the same features and capabilities of the commercial version, if you need to implement a virtual private network and there is open source software that meets your requirements, then you can achieve substantial savings.

There are additional factors, some of which are related to cost. For example, support: what does it cost, is it available, and how timely is the support? Moreover, what format does support take: phone, e-mail, online forums, service calls, and so on?

open source software

If installing and configuring netfilter, pfSense or another open source solution doesn’t sound intimidating, an old PC may be suitable.

Time is another factor, and this can cut both for and against open source software. Take the case where a business is considering entering into a partnership with another company. This other company is concerned because the partnership requires sending sensitive data, and the business only has a consumer-grade firewall. The IT department could recommend the purchase of an enterprise-level firewall. This will require contacting vendors, getting quotes, passing a quote on to a manager for approval, and then submitting a purchasing order to the accounting department. Or the IT department can just find an old PC, load Linux and netfilter onto it (or m0n0wall or pfSense or IPCop or any one of a number of open source software solutions), and be done with it, especially if time is of the essence. On the other hand, if your IT department is not familiar with Linux or BSD, deploying an open source solution may actually cost you time, so you would be better off seeking a commercial product.

Another related factor is performance. Speed, efficiency, and reliability are important indices of performance. A fast solution that crashes all the time isn’t very useful. Conversely, a reliable software package that runs slowly may not be the best option.

Usability is another factor, and it relates to cost. If the learning curve is very high, then your training costs will rise. You may want to consider whether a product is customizable if it does not do exactly what you want it to do.

It is often important to consider how well-established the product is. The more well-established the software is, the more likely its creators will be around in the future. A larger and more well-established project will also likely have better community support and reliability. You do not want to invest a lot of time into a product that is likely to go away. In this regard, open source software does well. The netfilter project started in 1998; m0n0wall has been around since 2004, and PF, the packet filtering software on top of which pfSense is built, has been part of OpenBSD since 2001.

Even a security product like a firewall involves security implications, which should be an important factor in your choice. Is the product secure, and will it be handling secure data? You want to consider whether it will be opening any security risks, as well as what type of auditing and logging it can produce.

Finally, you will want to review the license agreement closely. Often the free software is not free if you are a business, or there are special restrictions on the number of installations or other criteria. If your company has a legal department or if you have legal counsel, it might not be a bad idea to have them review the license agreement.


It may just be my bias as the owner of a blog devoted to a particular piece of open source software, but I am inclined to think that in many if not most circumstances, you will find open source software to be the more cost-effective and efficient solution. At one end of the spectrum, commercial consumer-grade routers provide a lot of functionality at a low price. At the other end of the spectrum, enterprise-level firewalls often provide a greater level of management control and logging capabilities, which a mid-sized or large company may require. These capabilities often justify the higher cost. But for those who fall in between these two extremes, often open source software provides the better alternative.

External Links:

The True Cost of Open Source – web site devoted to explaining how you can cut development costs and improve performance with open source software.

Open Source Applications: Benefits and Risks at www.networksolutions.com

10 Reasons Open Source Is Good for Business at www.pcworld.com

Snort Security Optimization

snort securityIn the previous two articles (part one part two), I discussed the installation of snort. In this article, I will mention some ways to improve snort security.

Improving Snort Security

One of the snort security issues is preventing unauthorized access to a privileged account. There are several ways of preventing this. First, when running snort in daemon (-D) mode, the user (-u) and group (-g) switches should be used. This will allow snort to run as a given user and group after it is initialized. Typically, most system administrators prefer to add the snort user and group to their systems, and that the snort user should be unable to login or initiate shell privileges.

Second, the source code for snort/DAQ binaries, logging directories, shared/static libraries, and configuration files should all be owned by the snort user with appropriate permissions. Finally, all binaries which are produced by the compiling and installation process of snort and DAQ should be verified using a hash function and the output stored on removable media. A cron job could be used to run this process on a regular basis with results e-mailed to a system administrator. Another alternative would be the use of a utility called tripwire for auditing installed software on a computer. All of these measures are excellent ways of increasing snort security.

Mirroring or Copying Network Traffic to Snort

In addition, your small office/home office (SOHO) router can be used to mirror or copy network traffic to a snort sensor running on a standalone system or to a virtual machine running in VirtualBox, VMWare, or Xen. This method of improving snort security can be easily done provided you have a router that is running DD-WRT, OpenWRT, or Tomato as the firmware. If you are running Tomato, you may have to add the following to your startup script:

modprobe ipt ROUTE

Users of OpenWRT must use the Tee option for IPtable (provided by module iptables-mod-tee). The module “iptabels-mod-tee” must be loaded before the following command will work:

iptables -t mangle-A PREROUTING -j TEE -gateway x.x.x.x

Where x.x.x.x is an IP address you wish to mirror traffic to (usually a system running snort). It should be noted that in more recent versions of OpenWRT (10.03.1 and never), iptables-mod-tee does not seem to be enabled by default, and using it will require a rebuild/re-enabling of modules for OpenWRT.

Now, using DD-WRT or Tomato’s GUI (or SSHing into the router), issue the following commands:

iptables -A PREROUTING -t mangle -j ROUTE -gw x.x.x.x -tee

iptables -A POSTROUTING -t mangle -j ROUTE -gw x.x.x.x -tee

In each case, x.x.x.x is the address of the machine running snort. To stop mirroring traffic, type

iptables -F -t mangle

If you have snort running in test mode (-T option), try starting snort with /etc/rc.d/snort start (you should get a running message if snort is running properly). If there is a problem, check the output in /var/log/messages. Also, you can check the status of snort by issuing this command:

./snort status

External Links:

How to make some home routers mirror traffic to Snort at www.snort.org




© 2013 David Zientara. All rights reserved. Privacy Policy