8
ntop - display top network users
10
S�SY�YN�NO�OP�PS�SI�IS�S
11
n�nt�to�op�p [-�-c�c] [-�-E�E] [-�-r�r _�r_�e_�f_�r_�e_�s_�h _�t_�i_�m_�e] [-�-R�R _�f_�i_�l_�t_�e_�r _�r_�u_�l_�e_�s] [-�-f�f
12
_�t_�r_�a_�f_�f_�i_�c _�d_�u_�m_�p _�f_�i_�l_�e] [-�-n�n] [-�-N�N] [-�-M�M] [-�-q�q] [-�-p�p] _�T_�C_�P_�/_�U_�D_�P _�p_�r_�o_�t_�o_��
13
_�c_�o_�l_�s _�t_�o _�m_�o_�n_�i_�t_�o_�r] [-�-i�i _�i_�n_�t_�e_�r_�f_�a_�c_�e] [-�-e�e _�n_�u_�m _�r_�o_�w_�s] [-�-w�w _�H_�T_�T_�P
14
_�I_�P_�:_�p_�o_�r_�t] [-�-W�W _�H_�T_�T_�P_�S _�I_�P_�:_�p_�o_�r_�t] [-�-d�d] [-�-S�Svalue]�] [-�-P�P _�d_�b_�p_�a_�t_�h_�] [-�-m�m
15
_�l_�o_�c_�a_�l _�s_�u_�b_�n_�e_�t] [-�-a�a _�a_�c_�c_�e_�s_�s _�l_�o_�g _�f_�i_�l_�e _�p_�a_�t_�h] [-�-b�b _�c_�l_�i_�e_�n_�t_�:_�p_�o_�r_�t _�D_�B
16
_�c_�l_�i_�e_�n_�t] [-�-g�g _�c_�l_�i_�e_�n_�t_�:_�p_�o_�r_�t _�N_�e_�t_�F_�l_�o_�w _�C_�o_�l_�l_�e_�c_�t_�o_�r] [-�-t�t _�t_�r_�a_�c_�e
17
_�l_�e_�v_�e_�l] [-�-u�u _�u_�s_�e_�r _�n_�a_�m_�e] [-�-l�l _�d_�u_�m_�p _�f_�i_�l_�e _�n_�a_�m_�e] [-�-U�U _�m_�a_�p_�p_�e_�r_�._�p_�l
18
_�U_�R_�L] [-�-F�F _�f_�l_�o_�w _�f_�i_�l_�t_�e_�r _�e_�x_�p_�r_�e_�s_�s_�i_�o_�n] [f�fi�il�lt�te�er�r e�ex�xp�pr�re�es�ss�si�io�on�n]
20
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
21
n�nt�to�op�p shows the current network usage. It displays a list
22
of hosts that are currently using the network and reports
23
information concerning the (IP and non-IP) traffic gener�
24
ated by each host. n�nt�to�op�p can be started either in a termi�
25
nal window (see i�in�nt�to�op�p ) or in web mode. In the latter
26
case, a web browser is needed to use the program.
30
C�CO�OM�MM�MA�AN�ND�D-�-L�LI�IN�NE�E O�OP�PT�TI�IO�ON�NS�S
32
By default idle hosts are periodically purged from mem�
33
ory. Use this flag to prevent idle hosts from being
34
purged from memory. NOTE: if idle hosts are kept in mem�
35
ory you can experience severe memory usage.
39
By default ntop does not take advance of lsof/nmap even
40
if present. Use this flag if you want make ntop aware of
41
such tools (if present).
45
Specifies the filter rules used by ntop for emitting
46
alerts and warnings when the traffic matches the speci�
47
fied rules. Shall you need further details about filter
48
rules, please refer to ntop-rules (8) man page.
52
Specifies the delay (in seconds) between screen updates
53
(the default is 3 seconds). If the -l flag is used, it
54
specifies how often entries are logged in the log file.
55
Please note that if the delay is very short (1 second for
56
instance), ntop might not be able to process all the net�
74
Specifies the file containing tcpdump captured traffic
75
that has to be used by ntop. Note: if you specify -f ntop
76
will not capture any traffic after the file has been
77
read. This option is mostly used for debug purposes.
81
Forces ntop not to use nmap (if it is installed).
85
Forces ntop not to merge network interfaces together.
86
This means that ntop will collect statistics for each
87
interface and will not merge data together.
91
Forces ntop to create a file ntop-suspicious-
92
pkts.XXX.pcap (XXX is the interface name) for each net�
93
work interface where are stored suspicious packets. The
94
file is in pcap format (tcpdump).
98
This causes n�nt�to�op�p to show numeric IP addresses instead of
99
the symbolic names. This option can useful when the DNS
100
is not present or quite slow. You can toggle the address
101
format (numeric vs. symbolic) by pressing the n�n key while
102
n�nt�to�op�p is running.
106
It is used to specify the TCP/UDP protocols that n�nt�to�op�p
107
will monitor. The format is <label>=<protocol list> [,
108
<label>=<protocol list>], where label is used to symboli�
109
cally identify the <protocol list>. The format of <proto�
110
col list> is <protocol>[|<protocol>], where <protocol> is
111
either a valid protocol specified inside the /etc/ser�
112
vices file or a numeric port range (e.g. 80, or
113
6000-6500). If the -p flag is omitted the following
114
default value is used: "FTP=ftp|ftp-
115
data,HTTP=http|www|https,DNS=name|domain,Telnet=tel�
116
net|login,NBios-IP=netbios-ns|netbios-dgm|netbios-
117
ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-
118
trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-sta�
119
tus,X11=6000-6010,SSH=ssh". If the <protocol list> is
120
very long you may store in a file (for instance proto�
121
col.list) the value of the <protocol list> and specify
122
the file name instead of the <protocol list> (in above
123
example you will invoke 'ntop -p protocol.list').
140
Specifies the network interface used by n�nt�to�op�p If multiple
141
interfaces are used (this feature is available only if
142
ntop is compiled with thread support) they have to be
143
separated with a comma. For instance -i "eth0,lo". Traf�
144
fic information obtained by all the interfaces is merged
145
together as if the traffic would have been produced by
146
one interface. Use the -M flag for not merging traffic.
150
Is the maximum number of HTML table rows that n�nt�to�op�p will
155
n�nt�to�op�p sports and embedded web server so that users can
156
attach their web browsers to the specified port and
157
browse traffic information remotely. Supposing to start
158
n�nt�to�op�p at the port 3�30�00�00�0 (default port), the URL to access
159
is http://hostname:3000/. Users and URLs to protect with
160
passwords are stored in a database file. By default
161
user/URL administration are accessible uniquely by the
162
user a�ad�dm�mi�in�n with password a�ad�dm�mi�in�n Passwords are stored in an
163
encrypted form into the database for further security.
164
Please note that an HTTP server is NOT needed but it's
165
embedded into the application. If -w is set to 0 the HTTP
166
port will not be enabled ('-w 0' is accepted only if n�nt�to�op�p
167
has been compiled with HTTPS support and n�nt�to�op�p has not
168
been started with '-W 0' [see below]). You can also use
169
the IP:Port notation to bind ntop to the specified IP-
170
Address, e.g. -�-w�w 1�12�27�7.�.0�0.�.0�0.�.1�1:�:3�30�00�00�0
174
If n�nt�to�op�p has been compiled with HTTPS support (via
175
OpenSSL), this flag can be used to set the HTTPS port
176
(default 3�30�00�01�1 ). If the user specifies '-W 0', HTTPS sup�
177
port is disabled. Some examples: 1. n�nt�to�op�p -�-w�w 8�80�0 -�-W�W 4�44�43�3
178
(both HTTP and HTTPS have been enabled at their default
179
ports) 2. n�nt�to�op�p -�-w�w 0�0 -�-W�W 4�44�43�3 (HTTP disabled, HTTPS enabled
180
at the default port). You can also use the IP:Port nota�
181
tion to bind ntop to the specified IP-Address, e.g. -�-w�w
182
1�12�27�7.�.0�0.�.0�0.�.1�1:�:3�30�00�01�1
187
This flag causes ntop to become a daemon, i.e. it is
188
started in background and detached from the terminal.
192
Use this flag for telling ntop to save information about
205
host traffic on shutdown. Valid values are: 0 = don't
206
store hosts, 1 = store all hosts, 2 = store only local
207
hosts. This flag allows ntop not to loose traffic stats
208
across multiple ntop sessions. Please note that informa�
209
tion about TCP session is (obviously) lost.
213
This allows to specify where db-files are searched or
214
created (default "."). In addition DBPATH/html is added
215
to the searchlist for the WEB-files
219
This flag allows users to specify the subnets whose traf�
220
fic is considered local. The format is <network
221
address>/<# subnet mask bits>[,<network address>/<# sub�
222
net mask bits>]. For instance
223
"131.114.21.0/24,10.0.0.0/255.0.0.0".
227
By default n�nt�to�op�p logs HTTP accesses in the file
228
ntop.access.log in the current directory. Use this flag
229
to specify the path of the file where HTTP accesses will
230
be logged. Each log entry is in Apache-like style. The
231
only difference between Apache and n�nt�to�op�p is that .B ntop
232
added a new column has been added. Such column contains
233
the time (in milliseconds) that ntop needed in order to
238
Exports n�nt�to�op�p traffic information into a SQL database. The
239
flag specifies (in http-like host format) the address
240
(IP:port) of a SQL client. The database/ directory part
241
of ntop contains a few clients. Please use one of those.
245
Exports n�nt�to�op�p traffic information in Cisco NetFlow V5
246
(http://www.cisco.com/warp/pub�
247
lic/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm) format. The
248
flag specifies (in http-like host format) the address
249
(IP:port) of a NetFlow client such as ftp://ftp.net.ohio-
250
state.edu/users/maf/cisco/.
254
Specifies the user n�nt�to�op�p should run as after it initial�
255
izes. The value specified may be either a username or a
256
numeric user id. The group id used will be the primary
257
group of the user specified.
272
Dumps the network traffic captured by ntop in a file in
273
pcap format (useful for debug).
277
It specifies the UTR of the mapper.pl utility (it's part
278
of the ntop distribution [see www/Perl/mapper.pl] for
279
displaying host location.
283
This flag specifies the level of n�nt�to�op�p tracings on stdout.
284
The trace level ranges between 0 (no trace) and 5 (full
285
debug tracings). The default trace value is 3. The higher
286
is the trace level the more information are printed.
287
Trace level 1 is used to print errors only, level 2 for
288
both warnings and errors, and so on.
292
It is used to specify network flows similar to more pow�
293
erful applications such as NeTraMet. A flow is a stream
294
of captured packets that match a specified rule. The for�
295
mat is <flow-label>='<matching expression>'[,<flow-
296
label>='<matching expression>'], where the label is used
297
to symbolically identify the flow specified by the
298
expression. The expression format is specified in the
299
appendix. If an expression is specified, then the infor�
300
mation concerning flows can be accessed following the
301
HTML link named 'List NetFlows'. For instance suppose to
302
define two flows with the following expression "Luca�
303
Hosts='host jake.unipi.it or host
304
pisanino.unipi.it',GatewayRoutedPkts='gateway gate�
305
way.unipi.it'". All the traffic sent/received by hosts
306
jake.unipi.it or pisanino.unipi.it is collected by n�nt�to�op�p
307
and added to the LucaHosts flow, whereas all the packet
308
routed by the gateway gateway.unipi.it are added to the
309
GatewayRoutedPkts flow. If the flows list is very long
310
you may store in a file (for instance flows.list) the
311
list of flows and specify the file name instead of the
312
flows list (in above example you will invoke 'ntop -F
318
f�fi�il�lt�te�er�r e�ex�xp�pr�re�es�ss�si�io�on�n
319
n�nt�to�op�p , similar to what tcpdump does, allows users to
320
specify an expression that restricts the type of traffic
321
handled by n�nt�to�op�p hence to select only the traffic of
322
interest. For instance, suppose to be interested only in
323
the traffic generated/received by the host jake.unipi.it.
324
n�nt�to�op�p can then be started with the following filter: 'ntop
337
src host jake.unipi.it or dst host jake.unipi.it'. See
338
the t�tc�cp�pd�du�um�mp�p man page for further information about this
343
W�WE�EB�B V�VI�IE�EW�WS�S
344
While n�nt�to�op�p is running, multiple users can access the traf�
345
fic information using conventional web browsers. The main
346
HTML page, is divided is two frames. The left frame allows
347
users to select the traffic view that will be displayed in
348
the right frame. Available sections are: sort traffic by
349
data sent, sort traffic by data received, traffic statis�
350
tics, active hosts list, remote to local (i.e. inside the
351
subnet defined for the network board from which the pro�
352
gram is currently sniffing) IP traffic, local to remote IP
353
traffic, local to local IP traffic, list of active TCP
354
sessions, IP protocol distribution statistics, IP protocol
355
usage, IP traffic matrix.
359
n�nt�to�op�p is based on the libpcap library that can be found at
360
http://www.tcpdump.org/. The Win32 version makes use of
361
libpcap for Win32 that can be downloaded from
362
http://www.netgroup.polito.it/WinPcap/install/).
364
S�SE�EE�E A�AL�LS�SO�O
365
i�in�nt�to�op�p(1), n�nt�to�op�p-�-r�ru�ul�le�es�s(8), t�to�op�p(1), n�ng�gr�re�ep�p(8), t�tc�cp�pd�du�um�mp�p(8).
366
n�ne�et�tr�ra�am�me�et�t(http://www.auckland.ac.nz/net/Account�
367
ing/ntm.Release.note.html).
370
Please send bug reports to the ntop mailing list
371
<ntop@ntop.org>. ntop's author is Luca Deri
added
removed
ntop/ntop.txt
