1NTOP(8) System Manager's Manual NTOP(8)
2
6 ntop - display top network users
7
9 ntop [@filename] [-a|--access-log-file <path>] [-b|--disable-decoders]
10 [-c|--sticky-hosts] [-e|--max-table-rows] [-f|--traffic-dump-file
11 file>] [-g|--track-local-hosts] [-h|--help] [-l|--pcap-log <path>]
12 [-m|--local-subnets <addresses>] [-n|--numeric-ip-addresses] [-p|--pro‐
13 tocols <list>] [-q|--create-suspicious-packets] [-r|--refresh-time
14 <number>] [-s|--no-promiscuous] [-t|--trace-level <number>] [-x
15 <max_num_hash_entries>] [-w|--http-server <port>] [-z|--disable-ses‐
16 sions] [-A|--set-admin-password password] [-B|--filter-expression
17 expression] [-C <configmode>] [-D|--domain <name>] [-F|--flow-spec
18 <specs>] [-M|--no-interface-merge] [-N|--wwn-map <path>] [-O|----out‐
19 put-packet-path <path>] [-P|--db-file-path <path>] [-Q|--spool-file-
20 path <path>] [-U|--mapper <URL>] [-V|--version] [-X <max_num_TCP_ses‐
21 sions>] [--disable-instantsessionpurge] [--disable-mutexextrainfo]
22 [--disable-ndpi] [--disable-python] [--instance] [--p3p-cp] [--p3p-uri]
23 [--skip-version-check] [--w3c] [-4|--ipv4] [-6|--ipv6]
24 Unix options:
26 [-d|--daemon] [-i|--interface <name>] [-u|--user <user>] [-K|--enable-
28 debug] [-L] [--pcap_setnonblock] [--use-syslog= <facility>] [--web‐
29 server-queue <number>]
30 Windows option:
32 [-i|--interface <number|name>]
34 OpenSSL options:
36 [-W|--https-server <port>] [--ssl-watchdog]
38
41 ntop shows the current network usage. It displays a list of hosts that
42 are currently using the network and reports information concerning the
43 (IP and non-IP) traffic generated and received by each host. ntop may
44 operate as a front-end collector (sFlow and/or netFlow plugins) or as a
45 stand-alone collector/display program. A web browser is needed to
46 access the information captured by the ntop program.
47 ntop is a hybrid layer 2 / layer 3 network monitor, that is by default
49 it uses the layer 2 Media Access Control (MAC) addresses AND the layer
50 3 tcp/ip addresses. ntop is capable of associating the two, so that ip
51 and non-ip traffic (e.g. arp, rarp) are combined for a complete picture
52 of network activity.
53
56 @filename
57 The text of filename is copied - ignoring line breaks and comment
58 lines (anything following a #) - into the command line. ntop behaves
59 as if all of the text had simply been typed directly on the command
60 line. For example, if the command line is "-t 3 @d -u ntop" and file
61 d contains just the line '-d', then the effective command line is -t 3
62 -d -u ntop. Multiple @s are permitted. Nested @s (an @ inside the
63 file) are not permitted.
64 Remember, most ntop options are "sticky", that is they just set an
66 internal flag. Invoking them multiple times doesn't change ntop's
67 behavior. However, options that set a value, such as --trace-level,
68 will use the LAST value given: --trace-level 2 --trace-level 3 will
69 run as --trace-level 3.
70 Beginning with 3.1, many command-line options may also be set via the
72 web browser interface. These changes take effect on the next run of
73 and on each subsequent run until changed.
74 -a | --access-log-file
78 By default ntop does not maintain a log of HTTP requests to the inter‐
79 nal web server. Use this parameter to request logging and to specify
80 the location of the file where these HTTP requests are logged.
81 Each log entry is in Apache-like style. The only difference between
83 Apache and ntop logs is that an additional column has been added which
84 has the time (in milliseconds) that ntop needed to serve the request.
85 Log entries look like this:
86 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
88 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
89 192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
90 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
91 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
92 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
93 192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
94 This parameter is the complete file name of the access log. In prior
96 releases it was erroneously called --access-log-path.
97 -b | --disable-decoders
100 This parameter disables protocol decoders.
101 Protocol decoders examine and collect information about layer 2 proto‐
103 cols such as NetBIOS or Netware SAP, as well as about specific tcp/ip
104 (layer 3) protocols, such as DNS, http and ftp.
105 This support is specifically coded for each protocol and is different
107 from the capability to count raw information (packets and bytes) by
108 protocol specified by the -p | --protocols parameter, below.
109 Decoding protocols is a significant consumer of resources. If the ntop
111 host is underpowered or monitoring a very busy network, you may wish
112 to disable protocol decoding via this parameter. It may also be
113 appropriate to use this parameter if you believe that ntop has prob‐
114 lems handling some protocols that occur on your network.
115 Even if decoding is disabled, ftp-data traffic is still decoded to
117 look for passive ftp port commands.
118 -c | --sticky-hosts
121 Use this parameter to prevent idle hosts from being purged from mem‐
122 ory.
123 By default idle hosts are periodically purged from memory. An idle
125 host is identified when no packets from or to that host have been mon‐
126 itored for the period of time defined by the value of
127 PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.
128 If you use this option, all hosts - active and idle - are retained in
130 memory for the duration of the ntop run.
131 P2P users, port scans, popular web servers and other activity will
133 cause ntop to record data about a large number of hosts. On an active
134 network, this will consume a significant - and always growing - amount
135 of memory. It is strongly recommended that you use a filtering
136 expression to limit the hosts which are stored if you use --sticky-
137 hosts.
138 The idle purge is a statistical one - a random selection of the eligi‐
140 ble hosts will be purged during each cycle. Thus it is possible on a
141 busy system for an idle host to remain in the ntop tables and appear
142 'active' for some considerable time after it is truly idle.
143 -d | --daemon
146 This parameter causes ntop to become a daemon, i.e. a task which runs
147 in the background without connection to a specific terminal. To use
148 ntop other than as a casual monitoring tool, you probably will want to
149 use this option.
150 WARNING: If you are running as a daemon, the messages from ntop will
152 be 'printed' on to stdout and thus dropped. You probably don't want
153 to do this. So remember to also use the -L or --use-syslog options to
154 save the messages into the system log.
155 -e | --max-table-rows
158 This defines the maximum number of lines that ntop will display on
159 each generated HTML page. If there are more lines to be displayed than
160 this setting permits, only part of the data will be displayed. There
161 will be page forward/back arrows placed at the bottom of the page for
162 navigation between pages.
163 -f | --traffic-dump-file
166 By default, ntop captures traffic from network interface cards (NICs)
167 or from netFlow/sFlow probes. However, ntop can also read data from a
168 file - typically a tcpdump capture or the output from one of the ntop
169 packet capture options.
170 if you specify -f, ntop will not capture any traffic from NICs during
172 or after the file has been read. netFlow/sFlow capture - if enabled -
173 would still be active.
174 This option is mostly used for debug purposes.
176 -g | --track-local-hosts
179 By default, ntop tracks all hosts that it sees from packets captured
180 on the various NICs. Use this parameter to tell ntop to capture data
181 only about local hosts. Local hosts are defined based on the
182 addresses of the NICs and those networks identified as local via the
183 -m | --local-subnets parameter.
184 This parameter is useful on large networks or those that see many
186 hosts, (e.g. a border router or gateway), where information about
187 remote hosts is not desired/required to be tracked.
188 -h | --help
191 Print help information for ntop, including usage and parameters.
192 -i | --interface
195 Specifies the network interface or interfaces to be used by ntop for
196 network monitoring.
197 If multiple interfaces are used (this feature is available only if
199 ntop is compiled with thread support) their names must be separated
200 with a comma. For instance -i "eth0,lo".
201 If not specified, the default is the first Ethernet device, e.g. eth0.
203 The specific device that is 'first' is highly system dependent. Espe‐
204 cially on systems where the device name reflects the driver name
205 instead of the type of interface.
206 By default, traffic information obtained by all the interfaces is
208 merged together as if the traffic was seen by only one interface. Use
209 the -M parameter to keep traffic separate by interface.
210 If you do not want ntop to monitor any interfaces, use -i none.
212 Under Windows, the parameter value is either the number of the inter‐
214 face or its name, e.g. {6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run
215 ntop -h to see a list of interface name-number mappings (at the end of
216 the help information).
217 -l | --pcap-log
220 This parameter causes a dump file to be created of the network traffic
221 captured by ntop in tcpdump (pcap) format. This file is useful for
222 debug, and may be read back into ntop by the -f | --traffic-dump-file
223 parameter. The dump is made after processing any filter expression (
224 never even sees filtered packets).
225 The output file will be named <path>/<log>.<device>.pcap (Windows:
227 <path>/<log>.pcap ), where <path> is defined by the -O | --output-
228 packet-path parameter and <log> is defined by this -l | --pcap-log
229 parameter.
230 -m | --local-subnets
233 ntop determines the ip addresses and netmasks for each active inter‐
234 face. Any traffic on those networks is considered local. This param‐
235 eter allows the user to define additional networks and subnetworks
236 whose traffic is also considered local in ntop reports. All other
237 hosts are considered remote.
238 Commas separate multiple network values. Both netmask and CIDR nota‐
240 tion may be used, even mixed together, for instance
241 "131.114.21.0/24,10.0.0.0/255.0.0.0".
242 The local subnet - as defined by the interface address(es) - is/are
244 always local and do not need to be specified. If you do give the same
245 value as a NIC's local address, a harmless warning message is issued.
246 -n | --numeric-ip-addresses
249 By default, ntop resolves IP addresses using a combination of active
250 (explicit) DNS queries and passive sniffing. Sniffing of DNS
251 responses occurs when ntop receives a network packet containing the
252 response to some other user's DNS query. ntop captures this informa‐
253 tion and enters it into ntop's DNS cache, in expectation of shortly
254 seeing traffic addressed to that host. This way ntop significantly
255 reduces the number of DNS queries it makes.
256 This parameter causes ntop to skip DNS resolution, showing only
258 numeric IP addresses instead of the symbolic names. This option can
259 useful when the DNS is not present or quite slow.
260 -p | --protocols
263 This parameter is used to specify the TCP/UDP protocols that ntop will
264 monitor. The format is <label>=<protocol list> [, <label>=<protocol
265 list>], where label is used to symbolically identify the <protocol
266 list>. The format of <protocol list> is <protocol>[|<protocol>], where
267 <protocol> is either a valid protocol specified inside the /etc/ser‐
268 vices file or a numeric port range (e.g. 80, or 6000-6500).
269 A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-
271 data", which reduces the protocols displayed on the "IP" pages to
272 three:
273 Host Domain Data HTTP FTP Other IP
275 ns2.attbi.com <flag> 954 63.9 % 0 0 954
276 64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0
277 64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0
278 toolbarqueries.google.com <flag> 60 4.0 % 60 0 0
279 If the <protocol list> is very long you may store it in a file (for
281 instance protocol.list). To do so, specify the file name instead of
282 the <protocol list> on the command line. e.g. ntop -p protocol.list
283 If the -p parameter is omitted the following default value is used:
285 FTP=ftp|ftp-data
287 HTTP=http|www|https|3128 3128 is Squid, the HTTP cache
288 DNS=name|domain
289 Telnet=telnet|login
290 NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
291 Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
292 DHCP-BOOTP=67-68
293 SNMP=snmp|snmp-trap
294 NNTP=nntp
295 NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
296 X11=6000-6010
297 SSH=22
298 Peer-to-Peer Protocols
300 ----------------------
301 Gnutella=6346|6347|6348
302 Kazaa=1214
303 WinMX=6699|7730
304 DirectConnect=0 Dummy port as this is a pure P2P protocol
305 eDonkey=4661-4665
306 Instant Messenger
308 -----------------
309 Messenger=1863|5000|5001|5190-5193
310 NOTE: To resolve protocol names to port numbers, they must be speci‐
312 fied in the system file used to list tcp/udp protocols and ports,
313 which is typically /etc/services file. You will have to match the
314 names in that file, exactly. Missing or unspecified (non-standard)
315 ports must be specified by number, such as 3128 in our examples above.
316 If you have a file named /etc/protocols, don't get confused by it, as
318 that's the Ethernet protocol numbers, which are not what you're look‐
319 ing for.
320 -q | --create-suspicious-packets
323 This parameter tells ntop to create a dump file of suspicious packets.
324 There are many, many, things that cause a packet to be labeled as
326 'suspicious', including:
327 Detected ICMP fragment
329 Detected Land Attack against host
330 Detected overlapping/tiny packet fragment
331 Detected traffic on a diagnostic port
332 Host performed ACK/FIN/NULL scan
333 Host rejected TCP session
334 HTTP/FTP/SMTP/SSH detected at wrong port
335 Malformed TCP/UDP/ICMP packet (packet too short)
336 Packet # %u too long
337 Received a ICMP protocol Unreachable from host
338 Sent ICMP Administratively Prohibited packet to host
339 Smurf packet detected for host
340 TCP connection with no data exchanged
341 TCP session reset without completing 3-way handshake
342 Two MAC addresses found for the same IP address
343 UDP data to a closed port
344 Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
345 Unusual ICMP options
346 When this parameter is used, one file is created for each network
348 interface where suspicious packets are found. The file is in tcpdump
349 (pcap) format and is named <path>/ntop-suspicious-pkts.<device>.pcap,
350 where <path> is defined by the -O | --output-packet-path parameter.
351 -r | --refresh-time
354 Specifies the delay (in seconds) between automatic screen updates for
355 those generated HTML pages which support them. This parameter allows
356 you to leave your browser window open and have it always displaying
357 nearly real-time data from ntop.
358 The default is 3 seconds. Please note that if the delay is very short
360 (1 second for instance), ntop might not be able to process all of the
361 network traffic.
362 -s | --no-promiscuous
365 Use this parameter to prevent from setting the interface(s) into pro‐
366 miscuous mode.
367 An interface in promiscuous mode will accept ALL Ethernet frames,
369 regardless of whether they directed (addressed) to the specific net‐
370 work interface (NIC) or not. This is an essential part of enabling
371 ntop to monitor an entire network. (Without promiscuous mode, ntop
372 will only see traffic directed to the specific host it is running on,
373 plus broadcast traffic such as the arp and dhcp protocols.
374 Even if you use this parameter, the interface could well be in promis‐
376 cuous mode if another application enabled it.
377 ntop passes this setting on to libpcap, the packet capture library.
379 On many systems, a non-promiscuous open of the network interface will
380 fail, since the libpcap function on most systems require it to capture
381 raw packets ( ntop captures raw packets so that we may view and ana‐
382 lyze the layer 2 - MAC - information).
383 Thus on most systems, ntop must probably still be started as root, and
385 this option is largely ornamental. If it fails, you will see a
386 ***FATALERROR*** message referring to pcap_open_live() and then an
387 information message, "Sorry, but on this system, even with -s, it
388 appears that ntop must be started as root".
389 -t | --trace-level
392 This parameter specifies the 'information' level of messages that you
393 wish ntop to display (on stdout or to the log). The higher the trace
394 level number the more information that is displayed. The trace level
395 ranges between 0 (no trace) and 5 (full debug tracings).
396 The default trace value is 3.
398 Trace level 0 is not quite zero messages. Fatal errors and certain
400 startup/shutdown messages are always displayed. Trace level 1 is used
401 to display errors only, level 2 for both errors and warnings, and
402 level 3 displays error, warning and informational messages.
403 Trace level 4 is called 'noisy' and it is - generating many messages
405 about the internal functioning of ntop. Trace level 5 and above are
406 'noisy' plus extra logs, i.e. all possible messages, with a file:line
407 tag prepended to every message.
408 -u | --user
411 Specifies the user ntop should run as after it initializes.
412 ntop must normally be started as root so that it has sufficient privi‐
414 leges to open the network interfaces in promiscuous mode and to
415 receive raw frames. See the discussion of -s | --no-promiscuous
416 above, if you wish to try starting ntop as a non-root user.
417 Shortly after starting up, ntop becomes the user you specify here,
419 which normally has substantially reduced privileges, such as no login
420 shell. This is the userid which owns ntop's database and output
421 files.
422 The value specified may be either a username or a numeric user id.
424 The group id used will be the primary group of the user specified.
425 If this parameter is not specified, ntop will try to switch first to
427 'nobody' and then to 'anonymous' before giving up.
428 NOTE: This should not be root unless you really understand the secu‐
430 rity risks. In order to prevent this by accident, the only way to run
431 ntop as root is to explicitly specify -u root. Don't do it.
432 -x
435 -X
437 ntop creates a new hash/list entry for each new host/TCP session seen.
438 In case of DOS (Denial Of Service) an attacker can easily exhaust all
439 the host available memory because ntop is creating entries for dummy
440 hosts. In order to avoid this you can set an upper limit in order to
441 limit the memory ntop can use.
442 -w | --http-server
445 -W | --https-server
447 ntop offers an embedded web server to present the information that has
448 been so painstakingly gathered. An external HTTP server is NOT
449 required NOR supported. The ntop web server is embedded into the
450 application. These parameters specify the port (and optionally the
451 address (i.e. interface)) of the ntop web server.
452 For example, if started with -w 3000 (the default port), the URL to
454 access ntop is http://hostname:3000/. If started with a full specifi‐
455 cation, e.g. -w 192.168.1.1:3000, ntop listens on only that
456 address/port combination.
457 If -w is set to 0 the web server will not listen for http:// connec‐
459 tions.
460 -W operates similarly, but controls the port for the https:// connec‐
462 tions.
463 Some examples:
465 ntop -w 3000 -W 0 (this is the default setting) HTTP requests on port
467 3000 and no HTTPS.
468 ntop -w 80 -W 443 Both HTTP and HTTPS have been enabled on their most
470 common ports.
471 ntop -w 0 -W 443 HTTP disabled, HTTPS enabled on the common port.
473 Certain sensitive, configuration pages of the ntop web server are pro‐
475 tected by a userid/password. By default, these are the user/URL
476 administration, filter, shutdown and reset stats are password pro‐
477 tected
478 and are accessible initially only to user admin with a password set
479 during the first run of ntop.
480 Users can modify/add/delete users/URLs using ntop itself - see the
482 Admin tab.
483 The passwords, userids and URLs to protect with passwords are stored
485 in a database file. Passwords are stored in an encrypted form in the
486 database for further security. Best practices call for securing that
487 database so that only the ntop user can read it.
488 There is a discussion in docs/FAQ about further securing the ntop
490 environment.
491 -z | --disable-sessions
494 This parameter disables TCP session tracking. Use it for better per‐
495 formance or when you don't really need/care to track sessions.
496 -A | --set-admin-password
499 This parameter is used to start ntop , set the admin password and
500 quit. It is quite useful for installers that need to automatically set
501 the password for the admin user.
502 -A and --set-admin-password (without a value) will prompt the user for
504 the password.
505 You may also use this parameter to set a specific value using --set-
507 admin-password=value. The = is REQUIRED and no spaces are permitted!
508 If you attempt to run ntop as a daemon without setting a password, a
510 FATAL ERROR message is generated and ntop stops.
511 -B | --filter-expression
514 Filters allows the user to restrict the traffic seen by ntop on just
515 about any imaginable item.
516 The filter expression is set at run time by this parameter, but it may
518 be changed during the ntop run on the Admin | Change Filter web page.
519 The basic format is -B filter , where the quotes are REQUIRED
521 The syntax of the filter expression uses the same BPF (Berkeley Packet
523 Filter) expressions used by other packages such as tcpdump
524 For instance, suppose you are interested only in the traffic gener‐
526 ated/received by the host jake.unipi.it. ntop can then be started
527 with the following filter:
528 ntop -B src host jake.unipi.it or dst host jake.unipi.it
530 or in shorthand:
532 ntop -B host jake.unipi.it or host jake.unipi.it
534 See the 'expression' section of the tcpdump man page - usually avail‐
536 able at http://www.tcpdump.org/tcpdump_man.html - for further informa‐
537 tion and the best quick guide to BPF filters currently available.
538 WARNING: If you are using complex filter expressions, especially those
540 with =s or meaningful spaces in them, be sure and use the long option
541 format, --filter-expression="xxxx" and not -B "xxxx".
542 -C |
546 This instruments ntop to be used in two configurations: host and net‐
547 work mode. In host mode (default) ntop works as usual: the IP
548 addresses received are those of real hosts. In host mode the IP
549 addresses received are those of the C-class network to which the
550 address belongs. Using ntop in network mode is extremely useful when
551 installed in a traffic exchange (e.g. in the middle of the Internet)
552 whereas the host mode should be used when ntop is installed on the
553 edge of a network (e.g. inside a company). The network mode signifi‐
554 cantly reduces the amount of work ntop has to perform and it has to be
555 used whenever ntop is used to find out how the network traffic flows
556 and not to pin-point specific hosts.
557 -D | --domain
561 This identifies the local domain suffix, e.g. ntop.org. It may be
562 necessary, if ntop is having difficulty determining it from the inter‐
563 face.
564 -F | --flow-spec
567 It is used to specify network flows similar to more powerful applica‐
568 tions such as NeTraMet. A flow is a stream of captured packets that
569 match a specified rule. The format is
570 <flow-label>='<matching expression>'[,<flow-label>='<matching expres‐
572 sion>']
573 , where the label is used to symbolically identify the flow specified
575 by the expression. The expression is a bpf (Berkeley Packet Filter)
576 expression. If an expression is specified, then the information con‐
577 cerning flows can be accessed following the HTML link named 'List Net‐
578 Flows'.
579 For instance define two flows with the following expression Luca‐
581 Hosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedP‐
582 kts='gateway gateway.unipi.it' .
583 All the traffic sent/received by hosts jake.unipi.it or
585 pisanino.unipi.it is collected by ntop and added to the LucaHosts
586 flow, whereas all the packet routed by the gateway gateway.unipi.it
587 are added to the GatewayRoutedPkts flow. If the flows list is very
588 long you may store in a file (for instance flows.list) and specify the
589 file name instead of the actual flows list (in the above example, this
590 would be 'ntop -F flows.list').
591 Note that the double quotations around the entire flow expression are
593 required.
594 -K | --enable-debug
597 Use this parameter to simplify application debug. It does three
598 things: 1. Does not fork() on the "read only" html pages. 2. Displays
599 mutex values on the configuration (info.html) page. 3. (If available
600 - glibc/gcc) Activates an automated backtrace on application errors.
601 -L | --use-syslog=facility
604 Use this parameter to send log messages to the system log instead of
605 stdout.
606 -L and the simple form --use-syslog use the default log facility,
608 defined as LOG_DAEMON in the #define symbol DEFAULT_SYSLOG_FACILITY in
609 globals-defines.h.
610 The complex form, --use-syslog=facility will set the log facility to
612 whatever value (e.g. local3, security) you specify. The = is REQUIRED
613 and no spaces are allowed!
614 This setting applies both to ntop and to any child fork()ed for
616 reporting. If this parameter is not specified, any fork()ed child
617 will use the default value and will log it's messages to the system
618 log (this occurs because the fork()ed child must give up it's access
619 to the parents stdout).
620 Because various systems do not make the permissible names available,
622 we have a table at the end of globals-core.c. Look for myFacility‐
623 Names.
624 -M | --no-interface-merge
627 By default, ntop merges the data collected from all of the interfaces
628 (NICs) it is monitoring into a single set of counters.
629 If you have a simple network, say a small LAN with a connection to the
631 internet, merging data is good as it gives you a better picture of the
632 whole network. For larger, more complex networks, this may not be
633 desirable. You may also have other reasons for wishing to monitor
634 each interface separately, for example DMZ vs. LAN traffic.
635 This option instructs ntop not to merge network interfaces together.
637 This means that ntop will collect statistics for each interface and
638 report them separately.
639 Only ONE interface may be reported on at a time - use the Admin |
641 Switch NIC option on the web server to select which interface to
642 report upon.
643 Note that activating either the netFlow and/or sFlow plugins will
645 force the setting of -M. Once enabled, you cannot go back.
646 -N | --wwn-map
649 This options names the file providing the map of WWN to FCID/VSAN ids.
650 -O | --output-packet-path
653 This parameter defines the base path for the ntop-suspicious-
654 pkts.XXX.pcap and normal packet dump files.
655 If this parameter is not specified, the default value is the config.h
657 parameter CFG_DBFILE_DIR, which is set during ./configure from the
658 --localstatedir= parameter. If --localstatedir is not specified, it
659 defaults to the --prefix value plus /var (e.g. /usr/local/var).
660 Be aware that this may not be what you expect when running ntop as a
662 daemon or Windows service. Setting an explicit and absolute path value
663 is STRONGLY recommended if you use this facility.
664 -P | --db-file-path
667 -Q | --spool-file-path
669 These parameters specify where ntop stores database files.
670 There are two types, 'temporary' - that is ones which need not be
672 retained from ntop run to ntop run, and 'permanent', which must be
673 retained (or recreated).
674 The 'permanent' databases are the preferences, "prefsCache.db" and the
676 password file, "ntop_pw.db". These are stored in the -P | --db-file-
677 path specified location.
678 Certain plugins use the -P | --db-file-path specified location for
680 their database ("LsWatch.db") or (as a default value) for files
681 (.../rrd/...).
682 The 'temporary' databases are the address queue, "addressQueue.db",
684 the cached DNS resolutions, "dnsCache.db" and the MAC prefix (vendor
685 table), "macPrefix.db".
686 If only -P | --db-file-path is specified, it is used for both types of
688 databases.
689 The directories named must allow read/write and file creation by the
691 ntop user. For security, nobody else should have even read access to
692 these files.
693 Note that the default value is the config.h parameter CFG_DBFILE_DIR.
695 This is set during ./configure from the --localstatedir= parameter.
696 If --localstatedir is not specified, it defaults to the --prefix value
697 plus /var (e.g. /usr/local/var).
698 This may not be what you expect when running ntop as a daemon or Win‐
700 dows service.
701 Note that on versions of ntop prior to 2.3, these parameters defaulted
703 to "." (the current working directory, e.g. the value returned by the
704 pwd command) and caused havoc as it was different when ntop was run
705 from the command line, vs. run via cron, vs. run from an initializa‐
706 tion script.
707 Setting an explicit and absolute path value is STRONGLY recommended.
709 -U | --mapper
712 Specifies the URL of the mapper.pl utility.
713 If provided, ntop creates a clickable hyperlink on the 'Info about
715 host xxxxxx' page to this URL by appending ?host=xxxxx. Any type of
716 host lookup could be performed, but this is intended to lookup the
717 geographical location of the host.
718 A cgi-based mapper interface to http://www.multimap.com is part of the
720 ntop distribution [see www/Perl/mapper.pl]).
721 -V | --version
724 Prints ntop version information and then exits.
725 -W | --https-server
728 (See the joint documentation with the -w parameter, above)
729 --disable-instantsessionpurge
732 ntop sets completed sessions as 'timed out' and then purge them almost
733 instantly, which is not the behavior you might expect from the discus‐
734 sions about purge timeouts. This switch makes ntop respect the time‐
735 outs for completed sessions. It is NOT the default because a busy web
736 server may have 100s or 1000s of completed sessions and this would
737 significantly increase the amount of memory ntop uses.
738 --disable-mutexextrainfo
741 ntop stores extra information about the locks and unlocks of the pro‐
742 tective mutexes it uses. Since ntop uses fine-grained locking, this
743 information is updated frequently. On some OSes, the system calls
744 used to collect this informatio (getpid() and gettimeofday()) are
745 expensive. This option disables the extra information. It should
746 have no processing impact on ntop
747 - however should ntop actually deadlock, we would lose the informa‐
748 tion that sometimes tells us why.
749 --disable-ndpi
752 ntop is started without nDPI support thus application protocols are
753 not recognized.
754 --disable-python
757 ntop is started without the Python interpreter. Beware as some ntop
758 reports are based on python, thus disabling it will prevent some
759 reports to work properly.
760 --instance
763 You can run multiple instances of ntop simultaneously by specifying
765 different -P values (typically through separate ntop.conf files). If
766 you set a value for this parameter (available only on the command
767 line), you (1) display the 'instance' name on every web page and (2)
768 alter the log prefix from "NTOP" to your chosen value.
769 If you want to make the tag more obvious, create a .instance class in
771 style.css, e.g.:
772 .instance {
774 color: #666666;
775 font-size: 18pt;
776 }
777 Note (UNIX): To run completely different versions of the ntop binary,
779 you need to compile and install into a different library (using ./con‐
780 figure --prefix) and then specify the LD_LIBRARY_PATH before invoking,
781 e.g.
782 LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop ...args...
784 If present, a file of the form <instance>_ntop_logo.gif will be used
786 instead of the normal ntop_logo.gif. This is tested for ONLY once, at
787 the beginning of the run. The EXACT word(s) of the --instance flag
788 are used, without testing if they make a proper file name. If - for
789 any reason - the file is not found, an informational message is logged
790 and the normal logo file is used. To construct your own logo, make it
791 a 300x40 transparent gif.
792 NOTE: On the web pages, ntop uses the dladdr() function. The original
794 Solaris routine had a bug, replicated in FreeBSD (and possibly other
795 places) where it uses the ARGV[0] value - which might be erroneous -
796 instead of the actual file name. If the 'running from' value looks
797 bogus but the 'libaries in' value looks ok, go with the libarary.
798 --p3p-cp
801 --p3p-uri
803 P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specify‐
805 ing personal information a site collects and what it does with the
806 information. These parameters allow to return P3P information. We do
807 not supply samples.
808 --pcap_setnonblock
811 On some platforms, the ntop web server will hang or appear to hang (it
812 actually just responds incredibly slowly to the first request from a
813 browser session), while the rest of ntop runs just fine. This is known
814 to be an issue under FreeBSD 4.x.
815 This option sets the non-blocking option (assuming it's available in
817 the version of libpcap that is installed).
818 While this works around the problem (by turing an interupt driven
820 process into a poll), it also MAY signifcantly increases the cpu usage
821 of ntop. Although it does not actually interfere with other work,
822 seeing ntop use 80-90% or more of the cpu is not uncommon - don't say
823 we didn't warn you.
824 THIS OPTION IS OFFICIALLY UNSUPPORTED and used at your own risk. Read
826 the docs/FAQ write-up.
827 --skip-version-check
830 By default, ntop accesses a remote file to periodically check if the
831 most current version is running. This option disables that check.
832 Please review the privacy notice at the bottom of this page for more
833 information. By default, the recheck period is slightly more than 15
834 days. This can be adjusted via a constant in globals-defines.h. If
835 the result of the initial check indicates that the ntop version is a
836 'new development' version (that is newer than the latest published
837 development version), the recheck is disabled. This is because which
838 fixes and enhancements were present/absent from the code.
839 NOTE: At present, the recheck does not work under Windows.
841 --ssl-watchdog
844 Enable a watchdog for webserver hangs. These usually happen when con‐
846 necting with older browsers. The user gets nothing back and other
847 users can't connect. Internally, packet processing continues but there
848 is no way to access the data through the web server or shutdown ntop
849 cleanly. With the watchdog, a timeout occurs after 3 seconds, and
850 processing continues with a log message. Unfortunately, the user sees
851 nothing - it just looks like a failed connection. (also available as a
852 ./configure option, --enable-sslwatchdog)
853 --w3c
856 By default, ntop generates displayable but not great html. There are
857 a number of tags we do not generate because they cause problems with
858 older browsers which are still commonly used or are important to look
859 good on real-world browsers. This flag tells ntop to generate 'BET‐
860 TER' (but not perfect) w3c compliant html 4.01 output. This in no way
861 addresses all of the compatibility and markup issues. Over time, we
862 would like to make ntop more compatible, but it will never be 100%.
863 If you find any issues, please report them to ntop-dev.
864 -4 | --ipv4
867 Use IPv4 connections.
868 -6 | --ipv6
871 Use IPv6 connections
872
875 While ntop is running, multiple users can access the traffic informa‐
876 tion using their web browsers. ntop does not generate 'fancy' or 'com‐
877 plex' html, although it does use frames, shallowly nested tables and
878 makes some use of JavaScript and Cascading Style Sheets.
879 Beginning with release 3.1, the menus are cascading dropdowns via
881 JSCookMenu. With release 3.2, this extends to plugins.
882 We do not expect problems with any current web browser, but our ability
884 to test with less common ones is very limited. Testing has included
885 Firefox and Internet Explorer, with very limited testing on other cur‐
886 rent common browsers such as Opera.
887 In documentation and this man page, when we refer to a page such as
889 Admin | Switch NIC, we mean the Broad category "Admin" and the detailed
890 item "Switch NIC" on that Admin menu.
891
894 ntop requires a number of external tools and libraries to operate.
895 Certain other tools are optional, but add to the program's capabili‐
896 ties.
897 --webserver-queue
900 Specifies the maximum number of web server requests for the tcp/ip
901 stack to retain in it's queue awaiting delivery to the ntop web
902 server. Requests in excess of this queue may be dropped (allowing for
903 retransmission) or rejected at the tcp/ip stack level, depending upon
904 the OS. Whatever happens, happens at the OS level, without any infor‐
905 mation being delivered to ntop
906 Required libraries include:
908 libpcap from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3 or
910 newer is strongly recommended.
911 The Windows version makes use of WinPcap (libpcap for Windows) which
913 may be downloaded from http://winpcap.polito.it/install/default.htm.
914 WARNING: The 2.x releases of WinPcap will NOT support SMP machines.
916 gdbm from http://www.gnu.org/software/gdbm/gdbm.html
918 ntop requires a POSIX threads library. As of ntop 3.2, the single-
920 threaded version of ntop is no longer available.
921 The gd 2.x library, for the creation of png files, available at
923 http://www.boutell.com/gd/.
924 The libpng 1.2.x library, for the creation of png files, available at
926 http://www.libpng.org/pub/png/libpng.html.
927 ntop should support both gd 1.X and libpng 1.0.x libraries but this
929 has not been tested. Note that there are incompatibilities if you
930 compile with one version of these libraries and then run with the
931 other. Please read the discussion in docs/FAQ before reporting ANY
932 problems of this nature.
933 (if an https:// server is desired) openSSL from the OpenSSL project
935 available at http://www.openssl.org.
936 The rrdtool library is required by the rrd plugin. rrdtool creates
938 'Round-Robin databases' which are used to store and graph historical
939 data in a format that permits long duration retention without growing
940 larger over time. The rrdtool home page is http://peo‐
941 ple.ee.ethz.ch/~oetiker/webtools/rrdtool/
942 ntop includes a limited version of rrdtool 1.0.49 in the myrrd/ direc‐
944 tory. Users of ntop 3.2 should not need to specifically install rrd‐
945 tool.
946 The sflow Plugin is courtesy of and supported by InMon Corporation,
948 http://www.inmon.com/sflowTools.htm.
949 There are other optional libraries. See the output of ./configure for
951 a fuller listing.
952 Tool locations are current as of August 2005 - please send email to
954 report new locations or dead links.
955
958 top(1), tcpdump(8). pcap(3).
959
962 By default at startup and at periodic intervals, the ntop program will
963 retrieve a file containing current ntop program version information.
964 Retrieving this file allows this ntop instance to confirm that it is
965 running the most current version.
966 The retrieval is done using standard http:// requests, which will cre‐
968 ate log records on the hosting system. These log records do contain
969 information which identifies a specific ntop site. Accordingly, you
970 are being notified that this individually identifiable information is
971 being transmitted and recorded.
972 You may request - via the --skip-version-check run-time option - that
974 this check be eliminated. If you use this option, no individually
975 identifiable information is transmitted or recorded, because the entire
976 retrieval and check is skipped.
977 We ask you to allow this retrieval and check, because it benefits both
979 you and the ntop developers. It benefits you because you will be auto‐
980 matically notified if the ntop program version is obsolete, becomes
981 unsupported or is no longer current. It benefits the developers of
982 ntop because it allows us to determine the number of active ntop
983 instances, and the operating system/versions that users are running
984 ntop under. This allows us to focus development resources on systems
985 like those our users are using ntop on.
986 The individually identifiable information is contained in the web
988 server log records which are automatically created each time the ver‐
989 sion file is retrieved. This is a function of the web server and not
990 of ntop , but we do take advantage of it. The log record shows the IP
991 address of the requestor (the ntop instance) and a User-Agent header
992 field. We place information in the User-Agent header as follows:
993 ntop/<version>
995 host/<name from config.guess>
996 distro/<if one>
997 release/<of the distro, also if one>
998 kernrlse/<kernel version or release>
999 GCC/<version>
1000 config() <condensed parameters from ./configure>
1001 run() <condensed flags - no data - from the execution line>
1002 libpcap/<version>
1003 gdbm/<version>
1004 openssl/<version>
1005 zlib/<version>
1006 access/<http, https, both or none>
1007 interfaces() <given interface names>
1008 For example:
1010 ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat release/9 kern‐
1012 rlse/2.4.20-8smp
1013 GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m; instantses‐
1014 sionpurge;
1015 schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
1016 access/http interfaces(eth0,eth1)
1017 Distro and release information is determined at compile time and con‐
1019 sists of information typically found in the /etc/release (or similar)
1020 file. See the ntop tool linuxrelease for how this is determined.
1021 gcc compiler version (if available) is the internal version #s for the
1023 gcc compiler, e.g. 3.2.3.
1024 kernrlse is the Linux Kernel version or the xBSD 'release' such as
1026 4.9-RELEASE and is determined from the uname data (if it's available).
1027 The ./configure parameters are stripped of directory paths, leading -s,
1029 etc. to create a short form that shows us what ./configure parameters
1030 people are using.
1031 Similarly, the run time parameters are stripped of data and paths, just
1033 showing which flags are being used.
1034 The libpcap, gdbm, openssl and zlib versions come from the strings
1036 returned by the various inquiry functions (if they're availabe).
1037 Here's a sample log record:
1039 67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml
1041 HTTP/1.0"
1042 200 1568 www.burtonstrauss.com "-" "ntop/2.2.98 host/i686-pc-linux-
1043 gnu
1044 distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n)
1045 run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;
1046 usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
1047 access/http
1048 interfaces(eth0,eth1,eth2)" "-"
1049
1052 Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing
1053 list. The ntop <ntop@ntop.org> mailing list is used for discussing ntop
1054 usage issues. In order to post messages on the lists a (free) subscrip‐
1055 tion is required to limit/avoid spam. Please do NOT contact the author
1056 directly unless this is a personal question.
1057 Commercial support is available upon request. Please see the ntop site
1059 for further info.
1060 Please send code patches to <patch@ntop.org>.
1062
1065 ntop's author is Luca Deri (http://luca.ntop.org/) who can be reached
1066 at <deri@ntop.org>.
1067
1070 ntop is distributed under the GNU GPL licence (http://www.gnu.org/).
1071
1074 The author acknowledges the Centro Serra of the University of Pisa,
1075 Italy (http://www-serra.unipi.it/) for hosting the ntop sites (both web
1076 and mailing lists), and Burton Strauss <burton@ntopsupport.com> for his
1077 help and user assistance. Many thanks to Stefano Suin <ste‐
1078 fano@ntop.org> and Rocco Carbone <rocco@ntop.org> for contributing to
1079 the project.
1080 August 2005 (ntop 3.2) NTOP(8)