ntop Usage

ntop usage can potentially take many forms. You can use ntop as either a stand-alone application (via the web interface) or as a traffic measurement server. ntop can export traffic data in several ways: via the embedded SNMP agent, XML, RRD files, and via a PHP/Perl/Python/JSON data export. By means of the rrd-alarm companion application, ntop also allows users to emit alarms based on some traffic conditions.


ntop Usage: Typical Scenarios

To put ntop usage into context, here are some typical scenarios in which you can deploy ntop:

  • Simple host: This is probably the most common scenario: install ntop on your PC that’s part of a LAN you use for your daily tasks. In such a scenario, you will likely only see a portion of the traffic.
  • Border gateway: In this case, you will see only the traffic from and to your LAN. As your ntop will probably need to analyze several packets, you will want to use some of the command-line options (such as -b, -n, and -z) in order to reduce the amount of work needed to analyze all the traffic.
  • Mirror Line: In this case you will see packets that were not supposed to be received by the PC where ntop runs. Because of this, ntop usually cannot trust MAC addresses, only IP addresses. Thus, you’ll probably want to use the -o option.


ntop Usage: Command-Line Options

ntop usage from the command line is fairly simple. ntop has numerous command-line options; here are some of the more common ones:

  • -a or --access-log-file: By default, ntop does not maintain a log of HTTP requests to the internal web server. Use this parameter to request logging and to specify the location of the file where these HTTP requests are logged.
  • -b or --disable-decoders: This parameter disables protocol decoders. Protocol decoders examine and collect information about layer 2 protocols such as NetBIOS or Netware SAP, as well as about specific TCP/IP protocols, such as DNS, HTTP, and FTP. Decoding protocols is a significant consumer of resources. If the ntop host is underpowered or monitoring a very busy network, you may wish to disable protocol decoding via this parameter.
  • -d or --daemon: This parameter causes ntop to become a daemon, a task which runs in the background without connection to a specific terminal. If you want to use ntop on a constant basis, you probably want to use this option.
  • -n or --numeric-ip-addresses: By default, ntop resolves IP addresses using a combination of active (explicit) DNS queries and passive sniffing. Sniffing of DNS responses occurs when ntop receives a network packet containing the response to some other user’s DNS query. ntop captures this information and enters it into its DNS cache, in expectation of shortly seeing traffic addressed to that host. In this way, ntop significantly reduces the number of DNS queries it makes. This parameter skips DNS resolution altogether and shows only numeric IP addresses, making ntop usage more lightweight.
  • -w or --http-server or -W or --https-server: ntop offers an embedded web server to present the information. An external HTTP server is neither required nor supported. These parameters specify the port (and optionally the address) of the ntop web server. For example, if started with -w 3000 (the default port), the URL to access ntop is http://hostname:3000/. If started with a full specification (e.g. -w 192.168.1.1:3000), ntop listens only on that address and port combination.
  • -z or --disable-sessions: This parameter disables TCP session tracking in ntop usage. Use it for better performance or when you don’t need or care to track sessions.
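
The check below is an added example, not code from ntop or from the original article. It audits an ntop argument list for the two web-server points in the list above: whether -w/-W binds to a single address or to every address, and whether -a request logging is enabled. The function names, the sample address and log path, and the treatment of a missing -w as port 3000 on every address are assumptions.

```shell
#!/bin/sh
# Added example, not ntop project code: audit an ntop argument list using the
# -w / -W / -a behaviour described above. Function names are hypothetical.

# "3000" -> listens on every address; "192.168.1.1:3000" -> that address only.
classify_listener() {
    case "$1" in
        *:*) echo "bound" ;;
        *)   echo "all-addresses" ;;
    esac
}

# Prints one finding per line; returns non-zero if any WARN was raised.
audit_ntop_args() {
    http=3000 https="" access_log="" warn=0   # assumption: no -w means default port 3000
    while [ $# -gt 0 ]; do
        case "$1" in
            -w|--http-server)     http="${2:-}";       [ $# -gt 1 ] && shift ;;
            -W|--https-server)    https="${2:-}";      [ $# -gt 1 ] && shift ;;
            -a|--access-log-file) access_log="${2:-}"; [ $# -gt 1 ] && shift ;;
        esac
        shift
    done
    for l in "http=$http" "https=$https"; do
        name=${l%%=*} spec=${l#*=}
        [ -n "$spec" ] || continue
        if [ "$(classify_listener "$spec")" = "bound" ]; then
            echo "OK   $name server bound to $spec"
        else
            echo "WARN $name server on port $spec accepts connections on every address"
            warn=$((warn + 1))
        fi
    done
    if [ -n "$access_log" ]; then
        echo "OK   web requests logged to $access_log"
    else
        echo "WARN no -a/--access-log-file: web requests are not logged"
        warn=$((warn + 1))
    fi
    [ "$warn" -eq 0 ]
}

# Constructed sample invocations (address and log path are illustrative).
audit_ntop_args -d -w 3000 || true
audit_ntop_args -d -n -w 192.168.1.1:3000 -a /var/log/ntop/access.log || true
```

Pass the function the same arguments you give ntop in your init script or service unit; a non-zero return means at least one WARN line was printed.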




When ntop is running, multiple users can access the traffic information using conventional web browsers. The main HTML page is divided into two frames. The left frame allows users to select the traffic view that will be displayed in the right frame. Available sections are: sort traffic by data sent, sort traffic by data received, traffic statistics, active hosts list, remote to local IP traffic, local to local IP traffic, list of active TCP sessions, IP protocol distribution statistics, IP protocol usage and IP traffic matrix.

External links:

ntop man page at www.ntop.org

© 2013 David Zientara. All rights reserved.