1NTOP(8) System Manager's Manual NTOP(8)
2
6 ntop - display top network users
7
9 ntop [@filename] [-a|--access-log-file <path>] [-b|--disable-decoders]
10 [-c|--sticky-hosts] [-e|--max-table-rows] [-f|--traffic-dump-file
11 file>] [-g|--track-local-hosts] [-h|--help] [-j|--create-other-packets]
12 [-l|--pcap-log <path>] [-m|--local-subnets <addresses>] [-n|--numeric-
13 ip-addresses] [-o|--no-mac] [-p|--protocols <list>] [-q|--create-suspi‐
14 cious-packets] [-r|--refresh-time <number>] [-s|--no-promiscuous]
15 [-t|--trace-level <number>] [-x <max_num_hash_entries>] [-w|--http-
16 server <port>] [-z|--disable-sessions] [-A|--set-admin-password pass‐
17 word] [-B|--filter-expression expression] [-C <configmode>]
18 [-D|--domain <name>] [-F|--flow-spec <specs>] [-M|--no-interface-merge]
19 [-N|--wwn-map <path>] [-O|----output-packet-path <path>] [-P|--db-file-
20 path <path>] [-Q|--spool-file-path <path>] [-U|--mapper <URL>]
21 [-V|--version] [-X <max_num_TCP_sessions>] [--disable-instantsession‐
22 purge] [--disable-mutexextrainfo] [--fc-only] [--instance] [--no-fc]
23 [--no-invalid-lun] [--p3p-cp] [--p3p-uri] [--skip-version-check]
24 [--w3c] [-4|--ipv4] [-6|--ipv6]
25 Unix options:
27 [-d|--daemon] [-i|--interface <name>] [-u|--user <user>] [-K|--enable-
29 debug] [-L] [--pcap_setnonblock] [--use-syslog= <facility>] [--web‐
30 server-queue <number>]
31 Windows option:
33 [-i|--interface <number|name>]
35 OpenSSL options:
37 [-W|--https-server <port>] [--ssl-watchdog]
39
42 ntop shows the current network usage. It displays a list of hosts that
43 are currently using the network and reports information concerning the
44 (IP and non-IP) traffic generated and received by each host. ntop may
45 operate as a front-end collector (sFlow and/or netFlow plugins) or as a
46 stand-alone collector/display program. A web browser is needed to
47 access the information captured by the ntop program.
48 ntop is a hybrid layer 2 / layer 3 network monitor, that is by default
50 it uses the layer 2 Media Access Control (MAC) addresses AND the layer
51 3 tcp/ip addresses. ntop is capable of associating the two, so that ip
52 and non-ip traffic (e.g. arp, rarp) are combined for a complete picture
53 of network activity.
54
57 @filename
58 The text of filename is copied - ignoring line breaks and comment
59 lines (anything following a #) - into the command line. ntop behaves
60 as if all of the text had simply been typed directly on the command
61 line. For example, if the command line is "-t 3 @d -u ntop" and file
62 d contains just the line '-d', then the effective command line is -t 3
63 -d -u ntop. Multiple @s are permitted. Nested @s (an @ inside the
64 file) are not permitted.
65 Remember, most ntop options are "sticky", that is they just set an
67 internal flag. Invoking them multiple times doesn't change ntop's
68 behavior. However, options that set a value, such as --trace-level,
69 will use the LAST value given: --trace-level 2 --trace-level 3 will
70 run as --trace-level 3.
71 Beginning with 3.1, many command-line options may also be set via the
73 web browser interface. These changes take effect on the next run of
74 and on each subsequent run until changed.
75 -a | --access-log-file
79 By default ntop does not maintain a log of HTTP requests to the inter‐
80 nal web server. Use this parameter to request logging and to specify
81 the location of the file where these HTTP requests are logged.
82 Each log entry is in Apache-like style. The only difference between
84 Apache and ntop logs is that an additional column has been added which
85 has the time (in milliseconds) that ntop needed to serve the request.
86 Log entries look like this:
87 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
89 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
90 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
91 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
92 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
93 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
94 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
95 This parameter is the complete file name of the access log. In prior
97 releases it was erroneously called --access-log-path.
98 -b | --disable-decoders
101 This parameter disables protocol decoders.
102 Protocol decoders examine and collect information about layer 2 proto‐
104 cols such as NetBIOS or Netware SAP, as well as about specific tcp/ip
105 (layer 3) protocols, such as DNS, http and ftp.
106 This support is specifically coded for each protocol and is different
108 from the capability to count raw information (packets and bytes) by
109 protocol specified by the -p | --protocols parameter, below.
110 Decoding protocols is a significant consumer of resources. If the ntop
112 host is underpowered or monitoring a very busy network, you may wish
113 to disable protocol decoding via this parameter. It may also be
114 appropriate to use this parameter if you believe that ntop has prob‐
115 lems handling some protocols that occur on your network.
116 Even if decoding is disabled, ftp-data traffic is still decoded to
118 look for passive ftp port commands.
119 -c | --sticky-hosts
122 Use this parameter to prevent idle hosts from being purged from mem‐
123 ory.
124 By default idle hosts are periodically purged from memory. An idle
126 host is identified when no packets from or to that host have been mon‐
127 itored for the period of time defined by the value of
128 PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.
129 If you use this option, all hosts - active and idle - are retained in
131 memory for the duration of the ntop run.
132 P2P users, port scans, popular web servers and other activity will
134 cause ntop to record data about a large number of hosts. On an active
135 network, this will consume a significant - and always growing - amount
136 of memory. It is strongly recommended that you use a filtering
137 expression to limit the hosts which are stored if you use --sticky-
138 hosts.
139 The idle purge is a statistical one - a random selection of the eligi‐
141 ble hosts will be purged during each cycle. Thus it is possible on a
142 busy system for an idle host to remain in the ntop tables and appear
143 'active' for some considerable time after it is truly idle.
144 -d | --daemon
147 This parameter causes ntop to become a daemon, i.e. a task which runs
148 in the background without connection to a specific terminal. To use
149 ntop other than as a casual monitoring tool, you probably will want to
150 use this option.
151 WARNING: If you are running as a daemon, the messages from ntop will
153 be 'printed' on to stdout and thus dropped. You probably don't want
154 to do this. So remember to also use the -L or --use-syslog options to
155 save the messages into the system log.
156 -e | --max-table-rows
159 This defines the maximum number of lines that ntop will display on
160 each generated HTML page. If there are more lines to be displayed than
161 this setting permits, only part of the data will be displayed. There
162 will be page forward/back arrows placed at the bottom of the page for
163 navigation between pages.
164 -f | --traffic-dump-file
167 By default, ntop captures traffic from network interface cards (NICs)
168 or from netFlow/sFlow probes. However, ntop can also read data from a
169 file - typically a tcpdump capture or the output from one of the ntop
170 packet capture options.
171 if you specify -f, ntop will not capture any traffic from NICs during
173 or after the file has been read. netFlow/sFlow capture - if enabled -
174 would still be active.
175 This option is mostly used for debug purposes.
177 -g | --track-local-hosts
180 By default, ntop tracks all hosts that it sees from packets captured
181 on the various NICs. Use this parameter to tell ntop to capture data
182 only about local hosts. Local hosts are defined based on the
183 addresses of the NICs and those networks identified as local via the
184 -m | --local-subnets parameter.
185 This parameter is useful on large networks or those that see many
187 hosts, (e.g. a border router or gateway), where information about
188 remote hosts is not desired/required to be tracked.
189 -h | --help
192 Print help information for ntop, including usage and parameters.
193 -i | --interface
196 Specifies the network interface or interfaces to be used by ntop for
197 network monitoring.
198 If multiple interfaces are used (this feature is available only if
200 ntop is compiled with thread support) their names must be separated
201 with a comma. For instance -i "eth0,lo".
202 If not specified, the default is the first Ethernet device, e.g. eth0.
204 The specific device that is 'first' is highly system dependent. Espe‐
205 cially on systems where the device name reflects the driver name
206 instead of the type of interface.
207 By default, traffic information obtained by all the interfaces is
209 merged together as if the traffic was seen by only one interface. Use
210 the -M parameter to keep traffic separate by interface.
211 If you do not want ntop to monitor any interfaces, use -i none.
213 Under Windows, the parameter value is either the number of the inter‐
215 face or its name, e.g. {6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run
216 ntop -h to see a list of interface name-number mappings (at the end of
217 the help information).
218 -j | --create-other-packets
221 This parameter causes ntop to create a dump file of the 'other' net‐
222 work traffic captured. One file is created for each network interface
223 where <path>/ntop-other-pkts.<device>.pcap, where <path> is defined by
224 the -O | --output-packet-path parameter. This file is useful for
225 understanding these unclassifed packets.
226 -l | --pcap-log
229 This parameter causes a dump file to be created of the network traffic
230 captured by ntop in tcpdump (pcap) format. This file is useful for
231 debug, and may be read back into ntop by the -f | --traffic-dump-file
232 parameter. The dump is made after processing any filter expression (
233 never even sees filtered packets).
234 The output file will be named <path>/<log>.<device>.pcap (Windows:
236 <path>/<log>.pcap ), where <path> is defined by the -O | --output-
237 packet-path parameter and <log> is defined by this -l | --pcap-log
238 parameter.
239 -m | --local-subnets
242 ntop determines the ip addresses and netmasks for each active inter‐
243 face. Any traffic on those networks is considered local. This param‐
244 eter allows the user to define additional networks and subnetworks
245 whose traffic is also considered local in ntop reports. All other
246 hosts are considered remote.
247 Commas separate multiple network values. Both netmask and CIDR nota‐
249 tion may be used, even mixed together, for instance
250 "131.114.21.0/24,10.0.0.0/255.0.0.0".
251 The local subnet - as defined by the interface address(es) - is/are
253 always local and do not need to be specified. If you do give the same
254 value as a NIC's local address, a harmless warning message is issued.
255 -n | --numeric-ip-addresses
258 By default, ntop resolves IP addresses using a combination of active
259 (explicit) DNS queries and passive sniffing. Sniffing of DNS
260 responses occurs when ntop receives a network packet containing the
261 response to some other user's DNS query. ntop captures this informa‐
262 tion and enters it into ntop's DNS cache, in expectation of shortly
263 seeing traffic addressed to that host. This way ntop significantly
264 reduces the number of DNS queries it makes.
265 This parameter causes ntop to skip DNS resolution, showing only
267 numeric IP addresses instead of the symbolic names. This option can
268 useful when the DNS is not present or quite slow.
269 -o | --no-mac
272 ntop is a hybrid layer 2/3 network monitor. That is, it uses both the
273 lower level, physical device address - the MAC (Media Access Control)
274 address - and the higher level, logical, tcp/ip address (the familiar
275 www.ntop.org or 131.114.21.9 address). This allows ntop to link the
276 logical addresses to a physical machine with multiple addresses (This
277 occurs with virtual hosts or additional addresses assigned to the
278 interface, etc.) to present consolidated reporting.
279 This parameter specifies that ntop should not trust the MAC addresses
281 but just use the IP addresses.
282 Normally, since the MAC address must be globally unique, the dual
284 nature of ntop is a benefit and provides far better information about
285 the network than is available via a pure layer 2 or pure layer 3 moni‐
286 tor.
287 Under certain circumstances - whenever ntop is started on an interface
289 where MAC addresses cannot be really trusted - you may require this
290 option.
291 Situations which may require this option include port/VLAN mirror,
293 some cases with switches and spanning tree protocol, and (reportedly)
294 some specific models of Ethernet switches which re-write MAC addresses
295 of the packets they process. Normally, you discover that this option
296 is necessary when you observe that hosts seem to change their
297 addresses or information about different machines get lumped together.
298 Note that with this option, information which is dependent upon the
300 MAC addresses (non tcp/ip protocols like IPX) will not be collected
301 nor displayed.
302 -p | --protocols
305 This parameter is used to specify the TCP/UDP protocols that ntop will
306 monitor. The format is <label>=<protocol list> [, <label>=<protocol
307 list>], where label is used to symbolically identify the <protocol
308 list>. The format of <protocol list> is <protocol>[|<protocol>], where
309 <protocol> is either a valid protocol specified inside the /etc/ser‐
310 vices file or a numeric port range (e.g. 80, or 6000-6500).
311 A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-
313 data", which reduces the protocols displayed on the "IP" pages to
314 three:
315 Host Domain Data HTTP FTP Other IP
317 ns2.attbi.com <flag> 954 63.9 % 0 0 954
318 64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0
319 64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0
320 toolbarqueries.google.com <flag> 60 4.0 % 60 0 0
321 If the <protocol list> is very long you may store it in a file (for
323 instance protocol.list). To do so, specify the file name instead of
324 the <protocol list> on the command line. e.g. ntop -p protocol.list
325 If the -p parameter is omitted the following default value is used:
327 FTP=ftp|ftp-data
329 HTTP=http|www|https|3128 3128 is Squid, the HTTP cache
330 DNS=name|domain
331 Telnet=telnet|login
332 NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
333 Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
334 DHCP-BOOTP=67-68
335 SNMP=snmp|snmp-trap
336 NNTP=nntp
337 NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
338 X11=6000-6010
339 SSH=22
340 Peer-to-Peer Protocols
342 ----------------------
343 Gnutella=6346|6347|6348
344 Kazaa=1214
345 WinMX=6699|7730
346 DirectConnect=0 Dummy port as this is a pure P2P protocol
347 eDonkey=4661-4665
348 Instant Messenger
350 -----------------
351 Messenger=1863|5000|5001|5190-5193
352 NOTE: To resolve protocol names to port numbers, they must be speci‐
354 fied in the system file used to list tcp/udp protocols and ports,
355 which is typically /etc/services file. You will have to match the
356 names in that file, exactly. Missing or unspecified (non-standard)
357 ports must be specified by number, such as 3128 in our examples above.
358 If you have a file named /etc/protocols, don't get confused by it, as
360 that's the Ethernet protocol numbers, which are not what you're look‐
361 ing for.
362 -q | --create-suspicious-packets
365 This parameter tells ntop to create a dump file of suspicious packets.
366 There are many, many, things that cause a packet to be labeled as
368 'suspicious', including:
369 Detected ICMP fragment
371 Detected Land Attack against host
372 Detected overlapping/tiny packet fragment
373 Detected traffic on a diagnostic port
374 Host performed ACK/FIN/NULL scan
375 Host rejected TCP session
376 HTTP/FTP/SMTP/SSH detected at wrong port
377 Malformed TCP/UDP/ICMP packet (packet too short)
378 Packet # %u too long
379 Received a ICMP protocol Unreachable from host
380 Sent ICMP Administratively Prohibited packet to host
381 Smurf packet detected for host
382 TCP connection with no data exchanged
383 TCP session reset without completing 3-way handshake
384 Two MAC addresses found for the same IP address
385 UDP data to a closed port
386 Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
387 Unusual ICMP options
388 When this parameter is used, one file is created for each network
390 interface where suspicious packets are found. The file is in tcpdump
391 (pcap) format and is named <path>/ntop-suspicious-pkts.<device>.pcap,
392 where <path> is defined by the -O | --output-packet-path parameter.
393 -r | --refresh-time
396 Specifies the delay (in seconds) between automatic screen updates for
397 those generated HTML pages which support them. This parameter allows
398 you to leave your browser window open and have it always displaying
399 nearly real-time data from ntop.
400 The default is 3 seconds. Please note that if the delay is very short
402 (1 second for instance), ntop might not be able to process all of the
403 network traffic.
404 -s | --no-promiscuous
407 Use this parameter to prevent from setting the interface(s) into pro‐
408 miscuous mode.
409 An interface in promiscuous mode will accept ALL Ethernet frames,
411 regardless of whether they directed (addressed) to the specific net‐
412 work interface (NIC) or not. This is an essential part of enabling
413 ntop to monitor an entire network. (Without promiscuous mode, ntop
414 will only see traffic directed to the specific host it is running on,
415 plus broadcast traffic such as the arp and dhcp protocols.
416 Even if you use this parameter, the interface could well be in promis‐
418 cuous mode if another application enabled it.
419 ntop passes this setting on to libpcap, the packet capture library.
421 On many systems, a non-promiscuous open of the network interface will
422 fail, since the libpcap function on most systems require it to capture
423 raw packets ( ntop captures raw packets so that we may view and ana‐
424 lyze the layer 2 - MAC - information).
425 Thus on most systems, ntop must probably still be started as root, and
427 this option is largely ornamental. If it fails, you will see a
428 ***FATALERROR*** message referring to pcap_open_live() and then an
429 information message, "Sorry, but on this system, even with -s, it
430 appears that ntop must be started as root".
431 -t | --trace-level
434 This parameter specifies the 'information' level of messages that you
435 wish ntop to display (on stdout or to the log). The higher the trace
436 level number the more information that is displayed. The trace level
437 ranges between 0 (no trace) and 5 (full debug tracings).
438 The default trace value is 3.
440 Trace level 0 is not quite zero messages. Fatal errors and certain
442 startup/shutdown messages are always displayed. Trace level 1 is used
443 to display errors only, level 2 for both errors and warnings, and
444 level 3 displays error, warning and informational messages.
445 Trace level 4 is called 'noisy' and it is - generating many messages
447 about the internal functioning of ntop. Trace level 5 and above are
448 'noisy' plus extra logs, i.e. all possible messages, with a file:line
449 tag prepended to every message.
450 -u | --user
453 Specifies the user ntop should run as after it initializes.
454 ntop must normally be started as root so that it has sufficient privi‐
456 leges to open the network interfaces in promiscuous mode and to
457 receive raw frames. See the discussion of -s | --no-promiscuous
458 above, if you wish to try starting ntop as a non-root user.
459 Shortly after starting up, ntop becomes the user you specify here,
461 which normally has substantially reduced privileges, such as no login
462 shell. This is the userid which owns ntop's database and output
463 files.
464 The value specified may be either a username or a numeric user id.
466 The group id used will be the primary group of the user specified.
467 If this parameter is not specified, ntop will try to switch first to
469 'nobody' and then to 'anonymous' before giving up.
470 NOTE: This should not be root unless you really understand the secu‐
472 rity risks. In order to prevent this by accident, the only way to run
473 ntop as root is to explicitly specify -u root. Don't do it.
474 -x
477 -X
479 ntop creates a new hash/list entry for each new host/TCP session seen.
480 In case of DOS (Denial Of Service) an attacker can easily exhaust all
481 the host available memory because ntop is creating entries for dummy
482 hosts. In order to avoid this you can set an upper limit in order to
483 limit the memory ntop can use.
484 -w | --http-server
487 -W | --https-server
489 ntop offers an embedded web server to present the information that has
490 been so painstakingly gathered. An external HTTP server is NOT
491 required NOR supported. The ntop web server is embedded into the
492 application. These parameters specify the port (and optionally the
493 address (i.e. interface)) of the ntop web server.
494 For example, if started with -w 3000 (the default port), the URL to
496 access ntop is http://hostname:3000/. If started with a full specifi‐
497 cation, e.g. -w 192.168.1.1:3000, ntop listens on only that
498 address/port combination.
499 If -w is set to 0 the web server will not listen for http:// connec‐
501 tions.
502 -W operates similarly, but controls the port for the https:// connec‐
504 tions.
505 Some examples:
507 ntop -w 3000 -W 0 (this is the default setting) HTTP requests on port
509 3000 and no HTTPS.
510 ntop -w 80 -W 443 Both HTTP and HTTPS have been enabled on their most
512 common ports.
513 ntop -w 0 -W 443 HTTP disabled, HTTPS enabled on the common port.
515 Certain sensitive, configuration pages of the ntop web server are pro‐
517 tected by a userid/password. By default, these are the user/URL
518 administration, filter, shutdown and reset stats are password pro‐
519 tected
520 and are accessible initially only to user admin with a password set
521 during the first run of ntop.
522 Users can modify/add/delete users/URLs using ntop itself - see the
524 Admin tab.
525 The passwords, userids and URLs to protect with passwords are stored
527 in a database file. Passwords are stored in an encrypted form in the
528 database for further security. Best practices call for securing that
529 database so that only the ntop user can read it.
530 There is a discussion in docs/FAQ about further securing the ntop
532 environment.
533 -z | --disable-sessions
536 This parameter disables TCP session tracking. Use it for better per‐
537 formance or when you don't really need/care to track sessions.
538 -A | --set-admin-password
541 This parameter is used to start ntop , set the admin password and
542 quit. It is quite useful for installers that need to automatically set
543 the password for the admin user.
544 -A and --set-admin-password (without a value) will prompt the user for
546 the password.
547 You may also use this parameter to set a specific value using --set-
549 admin-password=value. The = is REQUIRED and no spaces are permitted!
550 If you attempt to run ntop as a daemon without setting a password, a
552 FATAL ERROR message is generated and ntop stops.
553 -B | --filter-expression
556 Filters allows the user to restrict the traffic seen by ntop on just
557 about any imaginable item.
558 The filter expression is set at run time by this parameter, but it may
560 be changed during the ntop run on the Admin | Change Filter web page.
561 The basic format is -B filter , where the quotes are REQUIRED
563 The syntax of the filter expression uses the same BPF (Berkeley Packet
565 Filter) expressions used by other packages such as tcpdump
566 For instance, suppose you are interested only in the traffic gener‐
568 ated/received by the host jake.unipi.it. ntop can then be started
569 with the following filter:
570 ntop -B src host jake.unipi.it or dst host jake.unipi.it
572 or in shorthand:
574 ntop -B host jake.unipi.it or host jake.unipi.it
576 See the 'expression' section of the tcpdump man page - usually avail‐
578 able at http://www.tcpdump.org/tcpdump_man.html - for further informa‐
579 tion and the best quick guide to BPF filters currently available.
580 WARNING: If you are using complex filter expressions, especially those
582 with =s or meaningful spaces in them, be sure and use the long option
583 format, --filter-expression="xxxx" and not -B "xxxx".
584 -C |
588 This instruments ntop to be used in two configurations: host and net‐
589 work mode. In host mode (default) ntop works as usual: the IP
590 addresses received are those of real hosts. In host mode the IP
591 addresses received are those of the C-class network to which the
592 address belongs. Using ntop in network mode is extremely useful when
593 installed in a traffic exchange (e.g. in the middle of the Internet)
594 whereas the host mode should be used when ntop is installed on the
595 edge of a network (e.g. inside a company). The network mode signifi‐
596 cantly reduces the amount of work ntop has to perform and it has to be
597 used whenever ntop is used to find out how the network traffic flows
598 and not to pin-point specific hosts.
599 -D | --domain
603 This identifies the local domain suffix, e.g. ntop.org. It may be
604 necessary, if ntop is having difficulty determining it from the inter‐
605 face.
606 -F | --flow-spec
609 It is used to specify network flows similar to more powerful applica‐
610 tions such as NeTraMet. A flow is a stream of captured packets that
611 match a specified rule. The format is
612 <flow-label>='<matching expression>'[,<flow-label>='<matching expres‐
614 sion>']
615 , where the label is used to symbolically identify the flow specified
617 by the expression. The expression is a bpf (Berkeley Packet Filter)
618 expression. If an expression is specified, then the information con‐
619 cerning flows can be accessed following the HTML link named 'List Net‐
620 Flows'.
621 For instance define two flows with the following expression Luca‐
623 Hosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedP‐
624 kts='gateway gateway.unipi.it' .
625 All the traffic sent/received by hosts jake.unipi.it or
627 pisanino.unipi.it is collected by ntop and added to the LucaHosts
628 flow, whereas all the packet routed by the gateway gateway.unipi.it
629 are added to the GatewayRoutedPkts flow. If the flows list is very
630 long you may store in a file (for instance flows.list) and specify the
631 file name instead of the actual flows list (in the above example, this
632 would be 'ntop -F flows.list').
633 Note that the double quotations around the entire flow expression are
635 required.
636 -K | --enable-debug
639 Use this parameter to simplify application debug. It does three
640 things: 1. Does not fork() on the "read only" html pages. 2. Displays
641 mutex values on the configuration (info.html) page. 3. (If available
642 - glibc/gcc) Activates an automated backtrace on application errors.
643 -L | --use-syslog=facility
646 Use this parameter to send log messages to the system log instead of
647 stdout.
648 -L and the simple form --use-syslog use the default log facility,
650 defined as LOG_DAEMON in the #define symbol DEFAULT_SYSLOG_FACILITY in
651 globals-defines.h.
652 The complex form, --use-syslog=facility will set the log facility to
654 whatever value (e.g. local3, security) you specify. The = is REQUIRED
655 and no spaces are allowed!
656 This setting applies both to ntop and to any child fork()ed for
658 reporting. If this parameter is not specified, any fork()ed child
659 will use the default value and will log it's messages to the system
660 log (this occurs because the fork()ed child must give up it's access
661 to the parents stdout).
662 Because various systems do not make the permissible names available,
664 we have a table at the end of globals-core.c. Look for myFacility‐
665 Names.
666 -M | --no-interface-merge
669 By default, ntop merges the data collected from all of the interfaces
670 (NICs) it is monitoring into a single set of counters.
671 If you have a simple network, say a small LAN with a connection to the
673 internet, merging data is good as it gives you a better picture of the
674 whole network. For larger, more complex networks, this may not be
675 desirable. You may also have other reasons for wishing to monitor
676 each interface separately, for example DMZ vs. LAN traffic.
677 This option instructs ntop not to merge network interfaces together.
679 This means that ntop will collect statistics for each interface and
680 report them separately.
681 Only ONE interface may be reported on at a time - use the Admin |
683 Switch NIC option on the web server to select which interface to
684 report upon.
685 Note that activating either the netFlow and/or sFlow plugins will
687 force the setting of -M. Once enabled, you cannot go back.
688 -N | --wwn-map
691 This options names the file providing the map of WWN to FCID/VSAN ids.
692 -O | --output-packet-path
695 This parameter defines the base path for the ntop-suspicious-
696 pkts.XXX.pcap and normal packet dump files.
697 If this parameter is not specified, the default value is the config.h
699 parameter CFG_DBFILE_DIR, which is set during ./configure from the
700 --localstatedir= parameter. If --localstatedir is not specified, it
701 defaults to the --prefix value plus /var (e.g. /usr/local/var).
702 Be aware that this may not be what you expect when running ntop as a
704 daemon or Windows service. Setting an explicit and absolute path value
705 is STRONGLY recommended if you use this facility.
706 -P | --db-file-path
709 -Q | --spool-file-path
711 These parameters specify where ntop stores database files.
712 There are two types, 'temporary' - that is ones which need not be
714 retained from ntop run to ntop run, and 'permanent', which must be
715 retained (or recreated).
716 The 'permanent' databases are the preferences, "prefsCache.db" and the
718 password file, "ntop_pw.db". These are stored in the -P | --db-file-
719 path specified location.
720 Certain plugins use the -P | --db-file-path specified location for
722 their database ("LsWatch.db") or (as a default value) for files
723 (.../rrd/...).
724 The 'temporary' databases are the address queue, "addressQueue.db",
726 the cached DNS resolutions, "dnsCache.db" and the MAC prefix (vendor
727 table), "macPrefix.db".
728 If only -P | --db-file-path is specified, it is used for both types of
730 databases.
731 The directories named must allow read/write and file creation by the
733 ntop user. For security, nobody else should have even read access to
734 these files.
735 Note that the default value is the config.h parameter CFG_DBFILE_DIR.
737 This is set during ./configure from the --localstatedir= parameter.
738 If --localstatedir is not specified, it defaults to the --prefix value
739 plus /var (e.g. /usr/local/var).
740 This may not be what you expect when running ntop as a daemon or Win‐
742 dows service.
743 Note that on versions of ntop prior to 2.3, these parameters defaulted
745 to "." (the current working directory, e.g. the value returned by the
746 pwd command) and caused havoc as it was different when ntop was run
747 from the command line, vs. run via cron, vs. run from an initializa‐
748 tion script.
749 Setting an explicit and absolute path value is STRONGLY recommended.
751 -U | --mapper
754 Specifies the URL of the mapper.pl utility.
755 If provided, ntop creates a clickable hyperlink on the 'Info about
757 host xxxxxx' page to this URL by appending ?host=xxxxx. Any type of
758 host lookup could be performed, but this is intended to lookup the
759 geographical location of the host.
760 A cgi-based mapper interface to http://www.multimap.com is part of the
762 ntop distribution [see www/Perl/mapper.pl]).
763 -V | --version
766 Prints ntop version information and then exits.
767 -W | --https-server
770 (See the joint documentation with the -w parameter, above)
771 --disable-instantsessionpurge
774 ntop sets completed sessions as 'timed out' and then purge them almost
775 instantly, which is not the behavior you might expect from the discus‐
776 sions about purge timeouts. This switch makes ntop respect the time‐
777 outs for completed sessions. It is NOT the default because a busy web
778 server may have 100s or 1000s of completed sessions and this would
779 significantly increase the amount of memory ntop uses.
780 --disable-mutexextrainfo
783 ntop stores extra information about the locks and unlocks of the pro‐
784 tective mutexes it uses. Since ntop uses fine-grained locking, this
785 information is updated frequently. On some OSes, the system calls
786 used to collect this informatio (getpid() and gettimeofday()) are
787 expensive. This option disables the extra information. It should
788 have no processing impact on ntop
789 - however should ntop actually deadlock, we would lose the informa‐
790 tion that sometimes tells us why.
791 --fc-only
794 Display only Fibre Channel statistics.
796 --instance
799 You can run multiple instances of ntop simultaneously by specifying
801 different -P values (typically through separate ntop.conf files). If
802 you set a value for this parameter (available only on the command
803 line), you (1) display the 'instance' name on every web page and (2)
804 alter the log prefix from "NTOP" to your chosen value.
805 If you want to make the tag more obvious, create a .instance class in
807 style.css, e.g.:
808 .instance {
810 color: #666666;
811 font-size: 18pt;
812 }
813 Note (UNIX): To run completely different versions of the ntop binary,
815 you need to compile and install into a different library (using ./con‐
816 figure --prefix) and then specify the LD_LIBRARY_PATH before invoking,
817 e.g.
818 LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop ...args...
820 If present, a file of the form <instance>_ntop_logo.gif will be used
822 instead of the normal ntop_logo.gif. This is tested for ONLY once, at
823 the beginning of the run. The EXACT word(s) of the --instance flag
824 are used, without testing if they make a proper file name. If - for
825 any reason - the file is not found, an informational message is logged
826 and the normal logo file is used. To construct your own logo, make it
827 a 300x40 transparent gif.
828 NOTE: On the web pages, ntop uses the dladdr() function. The original
830 Solaris routine had a bug, replicated in FreeBSD (and possibly other
831 places) where it uses the ARGV[0] value - which might be erroneous -
832 instead of the actual file name. If the 'running from' value looks
833 bogus but the 'libaries in' value looks ok, go with the libarary.
834 --no-fc
837 Disable processing & Display of Fibre Channel
839 --no-invalid-lun
842 Don't display Invalid LUN information.
844 --p3p-cp
847 --p3p-uri
849 P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specify‐
851 ing personal information a site collects and what it does with the
852 information. These parameters allow to return P3P information. We do
853 not supply samples.
854 --pcap_setnonblock
857 On some platforms, the ntop web server will hang or appear to hang (it
858 actually just responds incredibly slowly to the first request from a
859 browser session), while the rest of ntop runs just fine. This is known
860 to be an issue under FreeBSD 4.x.
861 This option sets the non-blocking option (assuming it's available in
863 the version of libpcap that is installed).
864 While this works around the problem (by turing an interupt driven
866 process into a poll), it also MAY signifcantly increases the cpu usage
867 of ntop. Although it does not actually interfere with other work,
868 seeing ntop use 80-90% or more of the cpu is not uncommon - don't say
869 we didn't warn you.
870 THIS OPTION IS OFFICIALLY UNSUPPORTED and used at your own risk. Read
872 the docs/FAQ write-up.
873 --skip-version-check
876 By default, ntop accesses a remote file to periodically check if the
877 most current version is running. This option disables that check.
878 Please review the privacy notice at the bottom of this page for more
879 information. By default, the recheck period is slightly more than 15
880 days. This can be adjusted via a constant in globals-defines.h. If
881 the result of the initial check indicates that the ntop version is a
882 'new development' version (that is newer than the latest published
883 development version), the recheck is disabled. This is because which
884 fixes and enhancements were present/absent from the code.
885 NOTE: At present, the recheck does not work under Windows.
887 --ssl-watchdog
890 Enable a watchdog for webserver hangs. These usually happen when con‐
892 necting with older browsers. The user gets nothing back and other
893 users can't connect. Internally, packet processing continues but there
894 is no way to access the data through the web server or shutdown ntop
895 cleanly. With the watchdog, a timeout occurs after 3 seconds, and
896 processing continues with a log message. Unfortunately, the user sees
897 nothing - it just looks like a failed connection. (also available as a
898 ./configure option, --enable-sslwatchdog)
899 --w3c
902 By default, ntop generates displayable but not great html. There are
903 a number of tags we do not generate because they cause problems with
904 older browsers which are still commonly used or are important to look
905 good on real-world browsers. This flag tells ntop to generate 'BET‐
906 TER' (but not perfect) w3c compliant html 4.01 output. This in no way
907 addresses all of the compatibility and markup issues. Over time, we
908 would like to make ntop more compatible, but it will never be 100%.
909 If you find any issues, please report them to ntop-dev.
910 -4 | --ipv4
913 Use IPv4 connections.
914 -6 | --ipv6
917 Use IPv6 connections
918
921 While ntop is running, multiple users can access the traffic informa‐
922 tion using their web browsers. ntop does not generate 'fancy' or 'com‐
923 plex' html, although it does use frames, shallowly nested tables and
924 makes some use of JavaScript and Cascading Style Sheets.
925 Beginning with release 3.1, the menus are cascading dropdowns via
927 JSCookMenu. With release 3.2, this extends to plugins.
928 We do not expect problems with any current web browser, but our ability
930 to test with less common ones is very limited. Testing has included
931 Firefox and Internet Explorer, with very limited testing on other cur‐
932 rent common browsers such as Opera.
933 In documentation and this man page, when we refer to a page such as
935 Admin | Switch NIC, we mean the Broad category "Admin" and the detailed
936 item "Switch NIC" on that Admin menu.
937
940 ntop requires a number of external tools and libraries to operate.
941 Certain other tools are optional, but add to the program's capabili‐
942 ties.
943 --webserver-queue
946 Specifies the maximum number of web server requests for the tcp/ip
947 stack to retain in it's queue awaiting delivery to the ntop web
948 server. Requests in excess of this queue may be dropped (allowing for
949 retransmission) or rejected at the tcp/ip stack level, depending upon
950 the OS. Whatever happens, happens at the OS level, without any infor‐
951 mation being delivered to ntop
952 Required libraries include:
954 libpcap from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3 or
956 newer is strongly recommended.
957 The Windows version makes use of WinPcap (libpcap for Windows) which
959 may be downloaded from http://winpcap.polito.it/install/default.htm.
960 WARNING: The 2.x releases of WinPcap will NOT support SMP machines.
962 gdbm from http://www.gnu.org/software/gdbm/gdbm.html
964 ntop requires a POSIX threads library. As of ntop 3.2, the single-
966 threaded version of ntop is no longer available.
967 The gd 2.x library, for the creation of png files, available at
969 http://www.boutell.com/gd/.
970 The libpng 1.2.x library, for the creation of png files, available at
972 http://www.libpng.org/pub/png/libpng.html.
973 ntop should support both gd 1.X and libpng 1.0.x libraries but this
975 has not been tested. Note that there are incompatibilities if you
976 compile with one version of these libraries and then run with the
977 other. Please read the discussion in docs/FAQ before reporting ANY
978 problems of this nature.
979 (if an https:// server is desired) openSSL from the OpenSSL project
981 available at http://www.openssl.org.
982 The rrdtool library is required by the rrd plugin. rrdtool creates
984 'Round-Robin databases' which are used to store and graph historical
985 data in a format that permits long duration retention without growing
986 larger over time. The rrdtool home page is http://peo‐
987 ple.ee.ethz.ch/~oetiker/webtools/rrdtool/
988 ntop includes a limited version of rrdtool 1.0.49 in the myrrd/ direc‐
990 tory. Users of ntop 3.2 should not need to specifically install rrd‐
991 tool.
992 The sflow Plugin is courtesy of and supported by InMon Corporation,
994 http://www.inmon.com/sflowTools.htm.
995 There are other optional libraries. See the output of ./configure for
997 a fuller listing.
998 Tool locations are current as of August 2005 - please send email to
1000 report new locations or dead links.
1001
1004 top(1), tcpdump(8). pcap(3).
1005
1008 By default at startup and at periodic intervals, the ntop program will
1009 retrieve a file containing current ntop program version information.
1010 Retrieving this file allows this ntop instance to confirm that it is
1011 running the most current version.
1012 The retrieval is done using standard http:// requests, which will cre‐
1014 ate log records on the hosting system. These log records do contain
1015 information which identifies a specific ntop site. Accordingly, you
1016 are being notified that this individually identifiable information is
1017 being transmitted and recorded.
1018 You may request - via the --skip-version-check run-time option - that
1020 this check be eliminated. If you use this option, no individually
1021 identifiable information is transmitted or recorded, because the entire
1022 retrieval and check is skipped.
1023 We ask you to allow this retrieval and check, because it benefits both
1025 you and the ntop developers. It benefits you because you will be auto‐
1026 matically notified if the ntop program version is obsolete, becomes
1027 unsupported or is no longer current. It benefits the developers of
1028 ntop because it allows us to determine the number of active ntop
1029 instances, and the operating system/versions that users are running
1030 ntop under. This allows us to focus development resources on systems
1031 like those our users are using ntop on.
1032 The individually identifiable information is contained in the web
1034 server log records which are automatically created each time the ver‐
1035 sion file is retrieved. This is a function of the web server and not
1036 of ntop , but we do take advantage of it. The log record shows the IP
1037 address of the requestor (the ntop instance) and a User-Agent header
1038 field. We place information in the User-Agent header as follows:
1039 ntop/<version>
1041 host/<name from config.guess>
1042 distro/<if one>
1043 release/<of the distro, also if one>
1044 kernrlse/<kernel version or release>
1045 GCC/<version>
1046 config() <condensed parameters from ./configure>
1047 run() <condensed flags - no data - from the execution line>
1048 libpcap/<version>
1049 gdbm/<version>
1050 openssl/<version>
1051 zlib/<version>
1052 access/<http, https, both or none>
1053 interfaces() <given interface names>
1054 For example:
1056 ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat release/9 kern‐
1058 rlse/2.4.20-8smp
1059 GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m; instantses‐
1060 sionpurge;
1061 schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
1062 access/http interfaces(eth0,eth1)
1063 Distro and release information is determined at compile time and con‐
1065 sists of information typically found in the /etc/release (or similar)
1066 file. See the ntop tool linuxrelease for how this is determined.
1067 gcc compiler version (if available) is the internal version #s for the
1069 gcc compiler, e.g. 3.2.3.
1070 kernrlse is the Linux Kernel version or the xBSD 'release' such as
1072 4.9-RELEASE and is determined from the uname data (if it's available).
1073 The ./configure parameters are stripped of directory paths, leading -s,
1075 etc. to create a short form that shows us what ./configure parameters
1076 people are using.
1077 Similarly, the run time parameters are stripped of data and paths, just
1079 showing which flags are being used.
1080 The libpcap, gdbm, openssl and zlib versions come from the strings
1082 returned by the various inquiry functions (if they're availabe).
1083 Here's a sample log record:
1085 67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml
1087 HTTP/1.0"
1088 200 1568 www.burtonstrauss.com "-" "ntop/2.2.98 host/i686-pc-linux-
1089 gnu
1090 distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n)
1091 run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;
1092 usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
1093 access/http
1094 interfaces(eth0,eth1,eth2)" "-"
1095
1098 Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing
1099 list. The ntop <ntop@ntop.org> mailing list is used for discussing ntop
1100 usage issues. In order to post messages on the lists a (free) subscrip‐
1101 tion is required to limit/avoid spam. Please do NOT contact the author
1102 directly unless this is a personal question.
1103 Commercial support is available upon request. Please see the ntop site
1105 for further info.
1106 Please send code patches to <patch@ntop.org>.
1108
1111 ntop's author is Luca Deri (http://luca.ntop.org/) who can be reached
1112 at <deri@ntop.org>.
1113
1116 ntop is distributed under the GNU GPL licence (http://www.gnu.org/).
1117
1120 The author acknowledges the Centro Serra of the University of Pisa,
1121 Italy (http://www-serra.unipi.it/) for hosting the ntop sites (both web
1122 and mailing lists), and Burton Strauss <burton@ntopsupport.com> for his
1123 help and user assistance. Many thanks to Stefano Suin <ste‐
1124 fano@ntop.org> and Rocco Carbone <rocco@ntop.org> for contributing to
1125 the project.
1126 August 2005 (ntop 3.2) NTOP(8)