This repository has been archived by the owner on Jan 30, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathntop.txt
1084 lines (797 loc) · 55.1 KB
/
ntop.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
NTOP(8) NTOP(8)
NNAAMMEE
ntop - display top network users
SSYYNNOOPPSSIISS
nnttoopp [@@ffiilleennaammee] [--aa|----aacccceessss--lloogg--ffiillee _<_p_a_t_h_>] [--bb|----ddiissaabbllee--ddeeccooddeerrss]
[--cc|----ssttiicckkyy--hhoossttss] [--ee|----mmaaxx--ttaabbllee--rroowwss] [--ff|----ttrraaffffiicc--dduummpp--ffiillee
_f_i_l_e_>] [--gg|----ttrraacckk--llooccaall--hhoossttss] [--hh|----hheellpp] [--ll|----ppccaapp--lloogg _<_p_a_t_h_>]
[--mm|----llooccaall--ssuubbnneettss _<_a_d_d_r_e_s_s_e_s_>] [--nn|----nnuummeerriicc--iipp--aaddddrreesssseess] [--pp|----pprroo--
ttooccoollss _<_l_i_s_t_>] [--qq|----ccrreeaattee--ssuussppiicciioouuss--ppaacckkeettss] [--rr|----rreeffrreesshh--ttiimmee
_<_n_u_m_b_e_r_>] [--ss|----nnoo--pprroommiissccuuoouuss] [--tt|----ttrraaccee--lleevveell _<_n_u_m_b_e_r_>] [--xx
_<_m_a_x___n_u_m___h_a_s_h___e_n_t_r_i_e_s_>] [--ww|----hhttttpp--sseerrvveerr _<_p_o_r_t_>] [--zz|----ddiissaabbllee--sseess--
ssiioonnss] [--AA|----sseett--aaddmmiinn--ppaasssswwoorrdd _p_a_s_s_w_o_r_d] [--BB|----ffiilltteerr--eexxpprreessssiioonn
_e_x_p_r_e_s_s_i_o_n] [--CC _<_c_o_n_f_i_gmode>_] [--DD|----ddoommaaiinn _<_n_a_m_e_>] [--FF|----ffllooww--ssppeecc
_<_s_p_e_c_s_>] [--MM|----nnoo--iinntteerrffaaccee--mmeerrggee] [--NN|----wwwwnn--mmaapp _<_p_a_t_h_>] [--OO|--------oouutt--
ppuutt--ppaacckkeett--ppaatthh _<_p_a_t_h_>] [--PP|----ddbb--ffiillee--ppaatthh _<_p_a_t_h_>] [--QQ|----ssppooooll--ffiillee--
ppaatthh _<_p_a_t_h_>] [--UU|----mmaappppeerr _<_U_R_L_>] [--VV|----vveerrssiioonn]] [--XX _<_m_a_x___n_u_m___T_C_P___s_e_s_-
_s_i_o_n_s_>] [----ddiissaabbllee--iinnssttaannttsseessssiioonnppuurrggee] [----ddiissaabbllee--mmuutteexxeexxttrraaiinnffoo]
[----ddiissaabbllee--nnddppii] [----ddiissaabbllee--ppyytthhoonn] [----iinnssttaannccee] [----pp33pp--ccpp] [----pp33pp--uurrii]
[----sskkiipp--vveerrssiioonn--cchheecckk] [----ww33cc] [--44|----iippvv44]] [--66|----iippvv66]]
Unix options:
[--dd|----ddaaeemmoonn] [--ii|----iinntteerrffaaccee _<_n_a_m_e_>] [--uu|----uusseerr _<_u_s_e_r_>] [--KK|----eennaabbllee--
ddeebbuugg] [--LL] [----ppccaapp__sseettnnoonnbblloocckk] [----uussee--ssyysslloogg== _<_f_a_c_i_l_i_t_y_>] [----wweebb--
sseerrvveerr--qquueeuuee _<_n_u_m_b_e_r_>]
Windows option:
[--ii|----iinntteerrffaaccee _<_n_u_m_b_e_r_|_n_a_m_e_>]
OpenSSL options:
[--WW|----hhttttppss--sseerrvveerr _<_p_o_r_t_>] [----ssssll--wwaattcchhddoogg]
DDEESSCCRRIIPPTTIIOONN
nnttoopp shows the current network usage. It displays a list of hosts that
are currently using the network and reports information concerning the
(IP and non-IP) traffic generated and received by each host. nnttoopp may
operate as a front-end collector (sFlow and/or netFlow plugins) or as a
stand-alone collector/display program. A web browser is needed to
access the information captured by the nnttoopp program.
nnttoopp is a hybrid layer 2 / layer 3 network monitor, that is by default
it uses the layer 2 Media Access Control (MAC) addresses AND the layer
3 tcp/ip addresses. nnttoopp is capable of associating the two, so that ip
and non-ip traffic (e.g. arp, rarp) are combined for a complete picture
of network activity.
CCOOMMMMAANNDD--LLIINNEE OOPPTTIIOONNSS
@@ffiilleennaammee
The text of ffiilleennaammee is copied - ignoring line breaks and comment
lines (anything following a #) - into the command line. nnttoopp behaves
as if all of the text had simply been typed directly on the command
line. For example, if the command line is "-t 3 @d -u ntop" and file
d contains just the line '-d', then the effective command line is -t 3
-d -u ntop. Multiple @s are permitted. Nested @s (an @ inside the
file) are not permitted.
Remember, most nnttoopp options are "sticky", that is they just set an
internal flag. Invoking them multiple times doesn't change nnttoopp''ss
behavior. However, options that set a value, such as --trace-level,
will use the LAST value given: --trace-level 2 --trace-level 3 will
run as --trace-level 3.
Beginning with 3.1, many command-line options may also be set via the
web browser interface. These changes take effect on the next run of
and on each subsequent run until changed.
--aa || ----aacccceessss--lloogg--ffiillee
By default nnttoopp does not maintain a log of HTTP requests to the inter-
nal web server. Use this parameter to request logging and to specify
the location of the file where these HTTP requests are logged.
Each log entry is in Apache-like style. The only difference between
Apache and nnttoopp logs is that an additional column has been added which
has the time (in milliseconds) that nnttoopp needed to serve the request.
Log entries look like this:
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
This parameter is the complete file name of the access log. In prior
releases it was erroneously called --access-log-path.
--bb || ----ddiissaabbllee--ddeeccooddeerrss
This parameter disables protocol decoders.
Protocol decoders examine and collect information about layer 2 proto-
cols such as NetBIOS or Netware SAP, as well as about specific tcp/ip
(layer 3) protocols, such as DNS, http and ftp.
This support is specifically coded for each protocol and is different
from the capability to count raw information (packets and bytes) by
protocol specified by the -p | --protocols parameter, below.
Decoding protocols is a significant consumer of resources. If the nnttoopp
host is underpowered or monitoring a very busy network, you may wish
to disable protocol decoding via this parameter. It may also be
appropriate to use this parameter if you believe that nnttoopp has prob-
lems handling some protocols that occur on your network.
Even if decoding is disabled, ftp-data traffic is still decoded to
look for passive ftp port commands.
--cc || ----ssttiicckkyy--hhoossttss
Use this parameter to prevent idle hosts from being purged from mem-
ory.
By default idle hosts are periodically purged from memory. An idle
host is identified when no packets from or to that host have been mon-
itored for the period of time defined by the value of
PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.
If you use this option, all hosts - active and idle - are retained in
memory for the duration of the nnttoopp run.
P2P users, port scans, popular web servers and other activity will
cause nnttoopp to record data about a large number of hosts. On an active
network, this will consume a significant - and always growing - amount
of memory. It is strongly recommended that you use a filtering
expression to limit the hosts which are stored if you use --sticky-
hosts.
The idle purge is a statistical one - a random selection of the eligi-
ble hosts will be purged during each cycle. Thus it is possible on a
busy system for an idle host to remain in the nnttoopp tables and appear
'active' for some considerable time after it is truly idle.
--dd || ----ddaaeemmoonn
This parameter causes ntop to become a daemon, i.e. a task which runs
in the background without connection to a specific terminal. To use
nnttoopp other than as a casual monitoring tool, you probably will want to
use this option.
WWAARRNNIINNGG:: If you are running as a daemon, the messages from nnttoopp will
be 'printed' on to stdout and thus dropped. You probably don't want
to do this. So remember to also use the -L or --use-syslog options to
save the messages into the system log.
--ee || ----mmaaxx--ttaabbllee--rroowwss
This defines the maximum number of lines that nnttoopp will display on
each generated HTML page. If there are more lines to be displayed than
this setting permits, only part of the data will be displayed. There
will be page forward/back arrows placed at the bottom of the page for
navigation between pages.
--ff || ----ttrraaffffiicc--dduummpp--ffiillee
By default, nnttoopp captures traffic from network interface cards (NICs)
or from netFlow/sFlow probes. However, nnttoopp can also read data from a
file - typically a tcpdump capture or the output from one of the nnttoopp
packet capture options.
if you specify -f, nnttoopp will not capture any traffic from NICs during
or after the file has been read. netFlow/sFlow capture - if enabled -
would still be active.
This option is mostly used for debug purposes.
--gg || ----ttrraacckk--llooccaall--hhoossttss
By default, nnttoopp tracks all hosts that it sees from packets captured
on the various NICs. Use this parameter to tell nnttoopp to capture data
only about local hosts. Local hosts are defined based on the
addresses of the NICs and those networks identified as local via the
-m | --local-subnets parameter.
This parameter is useful on large networks or those that see many
hosts, (e.g. a border router or gateway), where information about
remote hosts is not desired/required to be tracked.
--hh || ----hheellpp
Print help information for nnttoopp,, including usage and parameters.
--ii || ----iinntteerrffaaccee
Specifies the network interface or interfaces to be used by nnttoopp for
network monitoring.
If multiple interfaces are used (this feature is available only if
ntop is compiled with thread support) their names must be separated
with a comma. For instance -i "eth0,lo".
If not specified, the default is the first Ethernet device, e.g. eth0.
The specific device that is 'first' is highly system dependent. Espe-
cially on systems where the device name reflects the driver name
instead of the type of interface.
By default, traffic information obtained by all the interfaces is
merged together as if the traffic was seen by only one interface. Use
the -M parameter to keep traffic separate by interface.
If you do not want nnttoopp to monitor any interfaces, use -i none.
Under Windows, the parameter value is either the number of the inter-
face or its name, e.g. {6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run
nnttoopp -h to see a list of interface name-number mappings (at the end of
the help information).
--ll || ----ppccaapp--lloogg
This parameter causes a dump file to be created of the network traffic
captured by nnttoopp in tcpdump (pcap) format. This file is useful for
debug, and may be read back into nnttoopp by the -f | --traffic-dump-file
parameter. The dump is made after processing any filter expression (
never even sees filtered packets).
The output file will be named _<_p_a_t_h_>_/_<_l_o_g_>_._<_d_e_v_i_c_e_>_._p_c_a_p (Windows:
_<_p_a_t_h_>_/_<_l_o_g_>_._p_c_a_p ), where <path> is defined by the -O | --output-
packet-path parameter and <log> is defined by this -l | --pcap-log
parameter.
--mm || ----llooccaall--ssuubbnneettss
nnttoopp determines the ip addresses and netmasks for each active inter-
face. Any traffic on those networks is considered local. This param-
eter allows the user to define additional networks and subnetworks
whose traffic is also considered local in nnttoopp reports. All other
hosts are considered remote.
Commas separate multiple network values. Both netmask and CIDR nota-
tion may be used, even mixed together, for instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".
The local subnet - as defined by the interface address(es) - is/are
always local and do not need to be specified. If you do give the same
value as a NIC's local address, a harmless warning message is issued.
--nn || ----nnuummeerriicc--iipp--aaddddrreesssseess
By default, nnttoopp resolves IP addresses using a combination of active
(explicit) DNS queries and passive sniffing. Sniffing of DNS
responses occurs when nnttoopp receives a network packet containing the
response to some other user's DNS query. nnttoopp captures this informa-
tion and enters it into nnttoopp''ss DNS cache, in expectation of shortly
seeing traffic addressed to that host. This way nnttoopp significantly
reduces the number of DNS queries it makes.
This parameter causes nnttoopp to skip DNS resolution, showing only
numeric IP addresses instead of the symbolic names. This option can
useful when the DNS is not present or quite slow.
--pp || ----pprroottooccoollss
This parameter is used to specify the TCP/UDP protocols that nnttoopp will
monitor. The format is <label>=<protocol list> [, <label>=<protocol
list>], where label is used to symbolically identify the <protocol
list>. The format of <protocol list> is <protocol>[|<protocol>], where
<protocol> is either a valid protocol specified inside the /etc/ser-
vices file or a numeric port range (e.g. 80, or 6000-6500).
A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-
data", which reduces the protocols displayed on the "IP" pages to
three:
Host Domain Data HTTP FTP Other IP
ns2.attbi.com <flag> 954 63.9 % 0 0 954
64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0
64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0
toolbarqueries.google.com <flag> 60 4.0 % 60 0 0
If the <protocol list> is very long you may store it in a file (for
instance protocol.list). To do so, specify the file name instead of
the <protocol list> on the command line. e.g. nnttoopp --pp pprroottooccooll..lliisstt
If the -p parameter is omitted the following default value is used:
FTP=ftp|ftp-data
HTTP=http|www|https|3128 3128 is Squid, the HTTP cache
DNS=name|domain
Telnet=telnet|login
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
X11=6000-6010
SSH=22
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0 Dummy port as this is a pure P2P protocol
eDonkey=4661-4665
Instant Messenger
-----------------
Messenger=1863|5000|5001|5190-5193
NOTE: To resolve protocol names to port numbers, they must be speci-
fied in the system file used to list tcp/udp protocols and ports,
which is typically /etc/services file. You will have to match the
names in that file, exactly. Missing or unspecified (non-standard)
ports must be specified by number, such as 3128 in our examples above.
If you have a file named /etc/protocols, don't get confused by it, as
that's the Ethernet protocol numbers, which are not what you're look-
ing for.
--qq || ----ccrreeaattee--ssuussppiicciioouuss--ppaacckkeettss
This parameter tells nnttoopp to create a dump file of suspicious packets.
There are many, many, things that cause a packet to be labeled as
'suspicious', including:
Detected ICMP fragment
Detected Land Attack against host
Detected overlapping/tiny packet fragment
Detected traffic on a diagnostic port
Host performed ACK/FIN/NULL scan
Host rejected TCP session
HTTP/FTP/SMTP/SSH detected at wrong port
Malformed TCP/UDP/ICMP packet (packet too short)
Packet # %u too long
Received a ICMP protocol Unreachable from host
Sent ICMP Administratively Prohibited packet to host
Smurf packet detected for host
TCP connection with no data exchanged
TCP session reset without completing 3-way handshake
Two MAC addresses found for the same IP address
UDP data to a closed port
Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
Unusual ICMP options
When this parameter is used, one file is created for each network
interface where suspicious packets are found. The file is in tcpdump
(pcap) format and is named <path>/ntop-suspicious-pkts.<device>.pcap,
where <path> is defined by the -O | --output-packet-path parameter.
--rr || ----rreeffrreesshh--ttiimmee
Specifies the delay (in seconds) between automatic screen updates for
those generated HTML pages which support them. This parameter allows
you to leave your browser window open and have it always displaying
nearly real-time data from nnttoopp..
The default is 3 seconds. Please note that if the delay is very short
(1 second for instance), nnttoopp might not be able to process all of the
network traffic.
--ss || ----nnoo--pprroommiissccuuoouuss
Use this parameter to prevent from setting the interface(s) into
promiscuous mode.
An interface in promiscuous mode will accept ALL Ethernet frames,
regardless of whether they directed (addressed) to the specific net-
work interface (NIC) or not. This is an essential part of enabling
nnttoopp to monitor an entire network. (Without promiscuous mode, nnttoopp
will only see traffic directed to the specific host it is running on,
plus broadcast traffic such as the arp and dhcp protocols.
Even if you use this parameter, the interface could well be in promis-
cuous mode if another application enabled it.
nnttoopp passes this setting on to libpcap, the packet capture library.
On many systems, a non-promiscuous open of the network interface will
fail, since the libpcap function on most systems require it to capture
raw packets ( nnttoopp captures raw packets so that we may view and ana-
lyze the layer 2 - MAC - information).
Thus on most systems, nnttoopp must probably still be started as root, and
this option is largely ornamental. If it fails, you will see a
***FATALERROR*** message referring to pcap_open_live() and then an
information message, "Sorry, but on this system, even with -s, it
appears that ntop must be started as root".
--tt || ----ttrraaccee--lleevveell
This parameter specifies the 'information' level of messages that you
wish nnttoopp to display (on stdout or to the log). The higher the trace
level number the more information that is displayed. The trace level
ranges between 0 (no trace) and 5 (full debug tracings).
The default trace value is 3.
Trace level 0 is not quite zero messages. Fatal errors and certain
startup/shutdown messages are always displayed. Trace level 1 is used
to display errors only, level 2 for both errors and warnings, and
level 3 displays error, warning and informational messages.
Trace level 4 is called 'noisy' and it is - generating many messages
about the internal functioning of nnttoopp.. Trace level 5 and above are
'noisy' plus extra logs, i.e. all possible messages, with a file:line
tag prepended to every message.
--uu || ----uusseerr
Specifies the user nnttoopp should run as after it initializes.
nnttoopp must normally be started as root so that it has sufficient privi-
leges to open the network interfaces in promiscuous mode and to
receive raw frames. See the discussion of -s | --no-promiscuous
above, if you wish to try starting nnttoopp as a non-root user.
Shortly after starting up, nnttoopp becomes the user you specify here,
which normally has substantially reduced privileges, such as no login
shell. This is the userid which owns nnttoopp''ss database and output
files.
The value specified may be either a username or a numeric user id.
The group id used will be the primary group of the user specified.
If this parameter is not specified, ntop will try to switch first to
'nobody' and then to 'anonymous' before giving up.
NOTE: This should not be root unless you really understand the secu-
rity risks. In order to prevent this by accident, the only way to run
nnttoopp as root is to explicitly specify -u root. DDoonn''tt ddoo iitt..
--xx
--XX
nnttoopp creates a new hash/list entry for each new host/TCP session seen.
In case of DOS (Denial Of Service) an attacker can easily exhaust all
the host available memory because ntop is creating entries for dummy
hosts. In order to avoid this you can set an upper limit in order to
limit the memory ntop can use.
--ww || ----hhttttpp--sseerrvveerr
--WW || ----hhttttppss--sseerrvveerr
nnttoopp offers an embedded web server to present the information that has
been so painstakingly gathered. An external HTTP server is NOT
required NOR supported. The nnttoopp web server is embedded into the
application. These parameters specify the port (and optionally the
address (i.e. interface)) of the nnttoopp web server.
For example, if started with -w 3000 (the default port), the URL to
access nnttoopp is http://hostname:3000/. If started with a full specifi-
cation, e.g. -w 192.168.1.1:3000, nnttoopp listens on only that
address/port combination.
If -w is set to 0 the web server will not listen for http:// connec-
tions.
-W operates similarly, but controls the port for the https:// connec-
tions.
Some examples:
nnttoopp --ww 33000000 --WW 00 (this is the default setting) HTTP requests on port
3000 and no HTTPS.
nnttoopp --ww 8800 --WW 444433 Both HTTP and HTTPS have been enabled on their most
common ports.
nnttoopp --ww 00 --WW 444433 HTTP disabled, HTTPS enabled on the common port.
Certain sensitive, configuration pages of the nnttoopp web server are pro-
tected by a userid/password. By default, these are the user/URL
administration, filter, shutdown and reset stats are password pro-
tected
and are accessible initially only to user aaddmmiinn with a password set
during the first run of nnttoopp..
Users can modify/add/delete users/URLs using ntop itself - see the
Admin tab.
The passwords, userids and URLs to protect with passwords are stored
in a database file. Passwords are stored in an encrypted form in the
database for further security. Best practices call for securing that
database so that only the nnttoopp user can read it.
There is a discussion in docs/FAQ about further securing the nnttoopp
environment.
--zz || ----ddiissaabbllee--sseessssiioonnss
This parameter disables TCP session tracking. Use it for better per-
formance or when you don't really need/care to track sessions.
--AA || ----sseett--aaddmmiinn--ppaasssswwoorrdd
This parameter is used to start nnttoopp , set the admin password and
quit. It is quite useful for installers that need to automatically set
the password for the admin user.
-A and --set-admin-password (without a value) will prompt the user for
the password.
You may also use this parameter to set a specific value using --set-
admin-password=value. TThhee == iiss RREEQQUUIIRREEDD aanndd nnoo ssppaacceess aarree ppeerrmmiitttteedd!!
If you attempt to run nnttoopp as a daemon without setting a password, a
FATAL ERROR message is generated and nnttoopp stops.
--BB || ----ffiilltteerr--eexxpprreessssiioonn
Filters allows the user to restrict the traffic seen by nnttoopp on just
about any imaginable item.
The filter expression is set at run time by this parameter, but it may
be changed during the nnttoopp run on the Admin | Change Filter web page.
The basic format is --BB ffiilltteerr , where the quotes are RREEQQUUIIRREEDD
The syntax of the filter expression uses the same BPF (Berkeley Packet
Filter) expressions used by other packages such as tcpdump
For instance, suppose you are interested only in the traffic gener-
ated/received by the host jake.unipi.it. nnttoopp can then be started
with the following filter:
nnttoopp --BB ssrrcc hhoosstt jjaakkee..uunniippii..iitt oorr ddsstt hhoosstt jjaakkee..uunniippii..iitt
or in shorthand:
nnttoopp --BB hhoosstt jjaakkee..uunniippii..iitt oorr hhoosstt jjaakkee..uunniippii..iitt
See the 'expression' section of the ttccppdduummpp man page - usually avail-
able at http://www.tcpdump.org/tcpdump_man.html - for further informa-
tion and the best quick guide to BPF filters currently available.
WARNING: If you are using complex filter expressions, especially those
with =s or meaningful spaces in them, be sure and use the long option
format, --filter-expression="xxxx" and not -B "xxxx".
--CC ||
This instruments ntop to be used in two configurations: host and net-
work mode. In host mode (default) ntop works as usual: the IP
addresses received are those of real hosts. In host mode the IP
addresses received are those of the C-class network to which the
address belongs. Using ntop in network mode is extremely useful when
installed in a traffic exchange (e.g. in the middle of the Internet)
whereas the host mode should be used when ntop is installed on the
edge of a network (e.g. inside a company). The network mode signifi-
cantly reduces the amount of work ntop has to perform and it has to be
used whenever ntop is used to find out how the network traffic flows
and not to pin-point specific hosts.
--DD || ----ddoommaaiinn
This identifies the local domain suffix, e.g. ntop.org. It may be
necessary, if nnttoopp is having difficulty determining it from the inter-
face.
--FF || ----ffllooww--ssppeecc
It is used to specify network flows similar to more powerful applica-
tions such as NeTraMet. A flow is a stream of captured packets that
match a specified rule. The format is
<<ffllooww--llaabbeell>>==''<<mmaattcchhiinngg eexxpprreessssiioonn>>''[[,,<<ffllooww--llaabbeell>>==''<<mmaattcchhiinngg eexxpprreess--
ssiioonn>>'']]
, where the label is used to symbolically identify the flow specified
by the expression. The expression is a bpf (Berkeley Packet Filter)
expression. If an expression is specified, then the information con-
cerning flows can be accessed following the HTML link named 'List Net-
Flows'.
For instance define two flows with the following expression LLuuccaa--
HHoossttss==''hhoosstt jjaakkee..uunniippii..iitt oorr hhoosstt ppiissaanniinnoo..uunniippii..iitt'',,GGaatteewwaayyRRoouutteeddPP--
kkttss==''ggaatteewwaayy ggaatteewwaayy..uunniippii..iitt'' ..
All the traffic sent/received by hosts jake.unipi.it or
pisanino.unipi.it is collected by nnttoopp and added to the LucaHosts
flow, whereas all the packet routed by the gateway gateway.unipi.it
are added to the GatewayRoutedPkts flow. If the flows list is very
long you may store in a file (for instance flows.list) and specify the
file name instead of the actual flows list (in the above example, this
would be 'ntop -F flows.list').
Note that the double quotations around the entire flow expression are
required.
--KK || ----eennaabbllee--ddeebbuugg
Use this parameter to simplify application debug. It does three
things: 1. Does not fork() on the "read only" html pages. 2. Displays
mutex values on the configuration (info.html) page. 3. (If available
- glibc/gcc) Activates an automated backtrace on application errors.
--LL || ----uussee--ssyysslloogg==ffaacciilliittyy
Use this parameter to send log messages to the system log instead of
stdout.
-L and the simple form --use-syslog use the default log facility,
defined as LOG_DAEMON in the #define symbol DEFAULT_SYSLOG_FACILITY in
globals-defines.h.
The complex form, --use-syslog=facility will set the log facility to
whatever value (e.g. local3, security) you specify. TThhee == iiss RREEQQUUIIRREEDD
aanndd nnoo ssppaacceess aarree aalllloowweedd!!
This setting applies both to nnttoopp and to any child fork()ed for
reporting. If this parameter is not specified, any fork()ed child
will use the default value and will log it's messages to the system
log (this occurs because the fork()ed child must give up it's access
to the parents stdout).
Because various systems do not make the permissible names available,
we have a table at the end of globals-core.c. Look for myFacility-
Names.
--MM || ----nnoo--iinntteerrffaaccee--mmeerrggee
By default, nnttoopp merges the data collected from all of the interfaces
(NICs) it is monitoring into a single set of counters.
If you have a simple network, say a small LAN with a connection to the
internet, merging data is good as it gives you a better picture of the
whole network. For larger, more complex networks, this may not be
desirable. You may also have other reasons for wishing to monitor
each interface separately, for example DMZ vs. LAN traffic.
This option instructs nnttoopp not to merge network interfaces together.
This means that nnttoopp will collect statistics for each interface and
report them separately.
Only ONE interface may be reported on at a time - use the AAddmmiinn ||
SSwwiittcchh NNIICC option on the web server to select which interface to
report upon.
Note that activating either the netFlow and/or sFlow plugins will
force the setting of -M. Once enabled, you cannot go back.
--NN || ----wwwwnn--mmaapp
This options names the file providing the map of WWN to FCID/VSAN ids.
--OO || ----oouuttppuutt--ppaacckkeett--ppaatthh
This parameter defines the base path for the ntop-suspicious-
pkts.XXX.pcap and normal packet dump files.
If this parameter is not specified, the default value is the config.h
parameter CFG_DBFILE_DIR, which is set during ./configure from the
--localstatedir= parameter. If --localstatedir is not specified, it
defaults to the --prefix value plus /var (e.g. /usr/local/var).
Be aware that this may not be what you expect when running nnttoopp as a
daemon or Windows service. Setting an explicit and absolute path value
is SSTTRROONNGGLLYY recommended if you use this facility.
--PP || ----ddbb--ffiillee--ppaatthh
--QQ || ----ssppooooll--ffiillee--ppaatthh
These parameters specify where nnttoopp stores database files.
There are two types, 'temporary' - that is ones which need not be
retained from nnttoopp run to nnttoopp run, and 'permanent', which must be
retained (or recreated).
The 'permanent' databases are the preferences, "prefsCache.db" and the
password file, "ntop_pw.db". These are stored in the -P | --db-file-
path specified location.
Certain plugins use the -P | --db-file-path specified location for
their database ("LsWatch.db") or (as a default value) for files
(.../rrd/...).
The 'temporary' databases are the address queue, "addressQueue.db",
the cached DNS resolutions, "dnsCache.db" and the MAC prefix (vendor
table), "macPrefix.db".
If only -P | --db-file-path is specified, it is used for both types of
databases.
The directories named must allow read/write and file creation by the
nnttoopp user. For security, nobody else should have even read access to
these files.
Note that the default value is the config.h parameter CFG_DBFILE_DIR.
This is set during ./configure from the --localstatedir= parameter.
If --localstatedir is not specified, it defaults to the --prefix value
plus /var (e.g. /usr/local/var).
This may not be what you expect when running nnttoopp as a daemon or Win-
dows service.
Note that on versions of nnttoopp prior to 2.3, these parameters defaulted
to "." (the current working directory, e.g. the value returned by the
pwd command) and caused havoc as it was different when nnttoopp was run
from the command line, vs. run via cron, vs. run from an initializa-
tion script.
Setting an explicit and absolute path value is SSTTRROONNGGLLYY recommended.
--UU || ----mmaappppeerr
Specifies the URL of the mapper.pl utility.
If provided, nnttoopp creates a clickable hyperlink on the 'Info about
host xxxxxx' page to this URL by appending ?host=xxxxx. Any type of
host lookup could be performed, but this is intended to lookup the
geographical location of the host.
A cgi-based mapper interface to http://www.multimap.com is part of the
nnttoopp distribution [see www/Perl/mapper.pl]).
--VV || ----vveerrssiioonn
Prints nnttoopp version information and then exits.
--WW || ----hhttttppss--sseerrvveerr
(See the joint documentation with the -w parameter, above)
----ddiissaabbllee--iinnssttaannttsseessssiioonnppuurrggee
nnttoopp sets completed sessions as 'timed out' and then purge them almost
instantly, which is not the behavior you might expect from the discus-
sions about purge timeouts. This switch makes ntop respect the time-
outs for completed sessions. It is NOT the default because a busy web
server may have 100s or 1000s of completed sessions and this would
significantly increase the amount of memory nnttoopp uses.
----ddiissaabbllee--mmuutteexxeexxttrraaiinnffoo
nnttoopp stores extra information about the locks and unlocks of the pro-
tective mutexes it uses. Since nnttoopp uses fine-grained locking, this
information is updated frequently. On some OSes, the system calls
used to collect this informatio (getpid() and gettimeofday()) are
expensive. This option disables the extra information. It should
have no processing impact on nnttoopp
- however should nnttoopp actually deadlock, we would lose the informa-
tion that sometimes tells us why.
----ddiissaabbllee--nnddppii
nnttoopp is started without nDPI support thus application protocols are
not recognized.
----ddiissaabbllee--ppyytthhoonn
nnttoopp is started without the Python interpreter. Beware as some ntop
reports are based on python, thus disabling it will prevent some
reports to work properly.
----iinnssttaannccee
You can run multiple instances of nnttoopp simultaneously by specifying
different -P values (typically through separate ntop.conf files). If
you set a value for this parameter (available only on the command
line), you (1) display the 'instance' name on every web page and (2)
alter the log prefix from "NTOP" to your chosen value.
If you want to make the tag more obvious, create a .instance class in
style.css, e.g.:
.instance {
color: #666666;
font-size: 18pt;
}
Note (UNIX): To run completely different versions of the nnttoopp binary,
you need to compile and install into a different library (using ./con-
figure --prefix) and then specify the LD_LIBRARY_PATH before invoking,
e.g.
LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop ...args...
If present, a file of the form <instance>_ntop_logo.gif will be used
instead of the normal ntop_logo.gif. This is tested for ONLY once, at
the beginning of the run. The EXACT word(s) of the --instance flag
are used, without testing if they make a proper file name. If - for
any reason - the file is not found, an informational message is logged
and the normal logo file is used. To construct your own logo, make it
a 300x40 transparent gif.
NOTE: On the web pages, nnttoopp uses the dladdr() function. The original
Solaris routine had a bug, replicated in FreeBSD (and possibly other
places) where it uses the ARGV[0] value - which might be erroneous -
instead of the actual file name. If the 'running from' value looks
bogus but the 'libaries in' value looks ok, go with the libarary.
----pp33pp--ccpp
----pp33pp--uurrii
P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specify-
ing personal information a site collects and what it does with the
information. These parameters allow to return P3P information. We do
not supply samples.
----ppccaapp__sseettnnoonnbblloocckk
On some platforms, the nnttoopp web server will hang or appear to hang (it
actually just responds incredibly slowly to the first request from a
browser session), while the rest of nnttoopp runs just fine. This is known
to be an issue under FreeBSD 4.x.
This option sets the non-blocking option (assuming it's available in
the version of libpcap that is installed).
While this works around the problem (by turing an interupt driven
process into a poll), it also MAY signifcantly increases the cpu usage
of nnttoopp.. Although it does not actually interfere with other work,
seeing nnttoopp use 80-90% or more of the cpu is not uncommon - don't say
we didn't warn you.
TTHHIISS OOPPTTIIOONN IISS OOFFFFIICCIIAALLLLYY UUNNSSUUPPPPOORRTTEEDD and used at your own risk. Read
the docs/FAQ write-up.
----sskkiipp--vveerrssiioonn--cchheecckk
By default, nnttoopp accesses a remote file to periodically check if the
most current version is running. This option disables that check.
Please review the privacy notice at the bottom of this page for more
information. By default, the recheck period is slightly more than 15
days. This can be adjusted via a constant in globals-defines.h. If
the result of the initial check indicates that the nnttoopp version is a
'new development' version (that is newer than the latest published
development version), the recheck is disabled. This is because which
fixes and enhancements were present/absent from the code.
NOTE: At present, the recheck does not work under Windows.
----ssssll--wwaattcchhddoogg
Enable a watchdog for webserver hangs. These usually happen when con-
necting with older browsers. The user gets nothing back and other
users can't connect. Internally, packet processing continues but there
is no way to access the data through the web server or shutdown ntop
cleanly. With the watchdog, a timeout occurs after 3 seconds, and
processing continues with a log message. Unfortunately, the user sees
nothing - it just looks like a failed connection. (also available as a
./configure option, --enable-sslwatchdog)
----ww33cc
By default, nnttoopp generates displayable but not great html. There are
a number of tags we do not generate because they cause problems with
older browsers which are still commonly used or are important to look
good on real-world browsers. This flag tells nnttoopp to generate 'BET-
TER' (but not perfect) w3c compliant html 4.01 output. This in no way
addresses all of the compatibility and markup issues. Over time, we
would like to make nnttoopp more compatible, but it will never be 100%.
If you find any issues, please report them to ntop-dev.
--44 || ----iippvv44
Use IPv4 connections.
--66 || ----iippvv66
Use IPv6 connections
WWEEBB VVIIEEWWSS
While nnttoopp is running, multiple users can access the traffic informa-
tion using their web browsers. nnttoopp does not generate 'fancy' or 'com-
plex' html, although it does use frames, shallowly nested tables and
makes some use of JavaScript and Cascading Style Sheets.
Beginning with release 3.1, the menus are cascading dropdowns via
JSCookMenu. With release 3.2, this extends to plugins.
We do not expect problems with any current web browser, but our ability
to test with less common ones is very limited. Testing has included
Firefox and Internet Explorer, with very limited testing on other cur-
rent common browsers such as Opera.
In documentation and this man page, when we refer to a page such as
Admin | Switch NIC, we mean the Broad category "Admin" and the detailed
item "Switch NIC" on that Admin menu.
NNOOTTEESS
nnttoopp requires a number of external tools and libraries to operate.
Certain other tools are optional, but add to the program's capabili-
ties.
----wweebbsseerrvveerr--qquueeuuee
Specifies the maximum number of web server requests for the tcp/ip
stack to retain in it's queue awaiting delivery to the nnttoopp web
server. Requests in excess of this queue may be dropped (allowing for
retransmission) or rejected at the tcp/ip stack level, depending upon
the OS. Whatever happens, happens at the OS level, without any infor-
mation being delivered to nnttoopp
Required libraries include:
lliibbppccaapp from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3 or
newer is strongly recommended.
The Windows version makes use of WWiinnPPccaapp (libpcap for Windows) which
may be downloaded from http://winpcap.polito.it/install/default.htm.
WARNING: The 2.x releases of WWiinnPPccaapp will NOT support SMP machines.
ggddbbmm from http://www.gnu.org/software/gdbm/gdbm.html
nnttoopp requires a POSIX threads library. As of nnttoopp 3.2, the single-
threaded version of nnttoopp is no longer available.
The ggdd 2.x library, for the creation of png files, available at
http://www.boutell.com/gd/.
The lliibbppnngg 1.2.x library, for the creation of png files, available at
http://www.libpng.org/pub/png/libpng.html.
nnttoopp should support both gd 1.X and libpng 1.0.x libraries but this
has not been tested. Note that there are incompatibilities if you
compile with one version of these libraries and then run with the
other. Please read the discussion in docs/FAQ before reporting ANY
problems of this nature.
(if an https:// server is desired) ooppeennSSSSLL from the OpenSSL project
available at http://www.openssl.org.
The rrrrddttooooll library is required by the rrd plugin. rrdtool creates
'Round-Robin databases' which are used to store and graph historical
data in a format that permits long duration retention without growing
larger over time. The rrdtool home page is http://peo-
ple.ee.ethz.ch/~oetiker/webtools/rrdtool/
nnttoopp includes a limited version of rrdtool 1.0.49 in the myrrd/ direc-
tory. Users of nnttoopp 3.2 should not need to specifically install rrd-
tool.
The ssffllooww Plugin is courtesy of and supported by InMon Corporation,
http://www.inmon.com/sflowTools.htm.
There are other optional libraries. See the output of ./configure for
a fuller listing.
Tool locations are current as of August 2005 - please send email to
report new locations or dead links.
SSEEEE AALLSSOO
ttoopp(1), ttccppdduummpp(8). ppccaapp(3).
PPRRIIVVAACCYY NNOOTTIICCEE
By default at startup and at periodic intervals, the nnttoopp program will
retrieve a file containing current ntop program version information.
Retrieving this file allows this nnttoopp instance to confirm that it is
running the most current version.
The retrieval is done using standard http:// requests, which will cre-
ate log records on the hosting system. These log records do contain
information which identifies a specific nnttoopp site. Accordingly, you
are being notified that this individually identifiable information is
being transmitted and recorded.
You may request - via the ----sskkiipp--vveerrssiioonn--cchheecckk run-time option - that
this check be eliminated. If you use this option, no individually
identifiable information is transmitted or recorded, because the entire
retrieval and check is skipped.
We ask you to allow this retrieval and check, because it benefits both
you and the nnttoopp developers. It benefits you because you will be auto-
matically notified if the nnttoopp program version is obsolete, becomes
unsupported or is no longer current. It benefits the developers of
nnttoopp because it allows us to determine the number of active nnttoopp
instances, and the operating system/versions that users are running
nnttoopp under. This allows us to focus development resources on systems
like those our users are using nnttoopp on.
The individually identifiable information is contained in the web
server log records which are automatically created each time the ver-
sion file is retrieved. This is a function of the web server and not
of nnttoopp , but we do take advantage of it. The log record shows the IP
address of the requestor (the nnttoopp instance) and a User-Agent header
field. We place information in the User-Agent header as follows:
ntop/<version>
host/<name from config.guess>
distro/<if one>
release/<of the distro, also if one>
kernrlse/<kernel version or release>
GCC/<version>