NAME
       ntop - display top network users

SYNOPSIS
       ntop [-c] [-E] [-r refresh time] [-R filter rules] [-f traffic dump file]
            [-n] [-N] [-M] [-q] [-p TCP/UDP protocols to monitor] [-i interface]
            [-e num rows] [-w HTTP IP:port] [-W HTTPS IP:port] [-d] [-S value]
            [-P dbpath] [-m local subnet] [-a access log file path]
            [-b client:port DB client] [-g client:port NetFlow Collector]
            [-t trace level] [-u user name] [-l dump file name]
            [-U mapper.pl URL] [-F flow filter expression] [filter expression]
DESCRIPTION
       ntop shows the current network usage. It displays a list of hosts that
       are currently using the network and reports information concerning the
       (IP and non-IP) traffic generated by each host. ntop can be started
       either in a terminal window (see intop) or in web mode. In the latter
       case, a web browser is needed to use the program.
COMMAND-LINE OPTIONS
       -c
              By default idle hosts are periodically purged from memory. Use
              this flag to prevent idle hosts from being purged from memory.
              NOTE: if idle hosts are kept in memory you can experience severe
              memory usage.

       -E
              By default ntop does not take advantage of lsof/nmap even if
              present. Use this flag if you want to make ntop aware of such
              tools (if present).

       -R filter rules
              Specifies the filter rules used by ntop for emitting alerts and
              warnings when the traffic matches the specified rules. Should you
              need further details about filter rules, please refer to the
              ntop-rules(8) man page.

       -r refresh time
              Specifies the delay (in seconds) between screen updates (the
              default is 3 seconds). If the -l flag is used, it specifies how
              often entries are logged in the log file. Please note that if the
              delay is very short (1 second for instance), ntop might not be
              able to process all the network
       -f traffic dump file
              Specifies the file containing tcpdump captured traffic that has
              to be used by ntop. Note: if you specify -f ntop will not capture
              any traffic after the file has been read. This option is mostly
              used for debug purposes.

       -N
              Forces ntop not to use nmap (if it is installed).

       -M
              Forces ntop not to merge network interfaces together. This means
              that ntop will collect statistics for each interface and will not
              merge data together.

       -q
              Forces ntop to create a file ntop-suspicious-pkts.XXX.pcap (XXX is
              the interface name) for each network interface, where suspicious
              packets are stored. The file is in pcap format (tcpdump).

       -n
              This causes ntop to show numeric IP addresses instead of the
              symbolic names. This option can be useful when the DNS is not
              present or quite slow. You can toggle the address format (numeric
              vs. symbolic) by pressing the n key while
       -p TCP/UDP protocols to monitor
              It is used to specify the TCP/UDP protocols that ntop will
              monitor. The format is <label>=<protocol list>[,<label>=<protocol
              list>], where label is used to symbolically identify the <protocol
              list>. The format of <protocol list> is <protocol>[|<protocol>],
              where <protocol> is either a valid protocol specified inside the
              /etc/services file or a numeric port range (e.g. 80, or
              6000-6500). If the -p flag is omitted the following default value
              is used:
              "FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh".
              If the <protocol list> is very long you may store the value of the
              <protocol list> in a file (for instance protocol.list) and specify
              the file name instead of the <protocol list> (in the above example
              you will invoke 'ntop -p protocol.list').
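              The following Python script is an added example for this man
              page, not code from ntop itself. It parses a -p value in the
              format described above, expands every label to the ports it
              covers, and additionally reports a port that two different
              labels both claim (a check the man page does not describe, added
              here because such an overlap makes the per-protocol statistics
              ambiguous). The SERVICES table is a small constructed stand-in
              for /etc/services so that the script runs offline.

```python
"""Added example (not ntop code): parse and validate an ntop -p value.

Format: <label>=<protocol list>[,<label>=<protocol list>], where a
<protocol list> is <protocol>[|<protocol>] and each <protocol> is a name from
/etc/services or a numeric port or port range (80, 6000-6500). Every label is
expanded to the set of ports it covers, and a port claimed by two different
labels is reported, since that makes the per-protocol statistics ambiguous.
SERVICES is a constructed stand-in for /etc/services so the code runs offline.
"""
import re

# Constructed subset of /etc/services (name -> port) used by the examples.
SERVICES = {
    "ftp": 21, "ftp-data": 20, "ssh": 22, "telnet": 23, "smtp": 25,
    "name": 42, "domain": 53, "http": 80, "www": 80, "https": 443,
    "pop-3": 110, "imap": 143, "snmp": 161, "snmp-trap": 162,
}

# A single port, or a low-high range, both in base 10.
RANGE_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def expand_protocol(proto, services=SERVICES):
    """Return the set of ports one <protocol> token stands for."""
    m = RANGE_RE.match(proto)
    if m:
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 0 < low <= high <= 65535:
            raise ValueError("bad port range: %r" % proto)
        return set(range(low, high + 1))
    if proto in services:
        return {services[proto]}
    raise ValueError("unknown service name: %r" % proto)


def parse_protocol_spec(spec, services=SERVICES):
    """Parse a full -p value into a dict label -> set of ports.

    Raises ValueError on a malformed entry, an unknown service name, or a
    port that two different labels both claim.
    """
    labels = {}
    owner = {}  # port -> label that already covers it
    for entry in spec.split(","):
        label, sep, plist = entry.partition("=")
        label, plist = label.strip(), plist.strip()
        if not sep or not label or not plist:
            raise ValueError("malformed entry: %r" % entry)
        ports = set()
        for proto in plist.split("|"):
            ports |= expand_protocol(proto.strip(), services)
        for port in sorted(ports):
            if owner.get(port, label) != label:
                raise ValueError("port %d claimed by both %s and %s"
                                 % (port, owner[port], label))
            owner[port] = label
        labels.setdefault(label, set()).update(ports)
    return labels


if __name__ == "__main__":
    # Three entries taken from the man page's default -p value.
    spec = "HTTP=http|www|https,X11=6000-6010,SSH=ssh"
    for name, ports in parse_protocol_spec(spec).items():
        print(name, sorted(ports))
```

              Feeding the script the full default value quoted above requires
              the remaining service names to be present in the services table;
              with the real /etc/services loaded in place of SERVICES the same
              code applies unchanged.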
       -i interface
              Specifies the network interface used by ntop. If multiple
              interfaces are used (this feature is available only if ntop is
              compiled with thread support) they have to be separated with a
              comma, for instance -i "eth0,lo". Traffic information obtained by
              all the interfaces is merged together as if the traffic had been
              produced by one interface. Use the -M flag for not merging
              traffic.

       -e num rows
              Is the maximum number of HTML table rows that ntop will
       -w HTTP IP:port
              ntop sports an embedded web server so that users can attach their
              web browsers to the specified port and browse traffic information
              remotely. Supposing ntop is started at port 3000 (default port),
              the URL to access is http://hostname:3000/. Users and URLs to
              protect with passwords are stored in a database file. By default
              user/URL administration is accessible uniquely by the user admin
              with password admin. Passwords are stored in an encrypted form in
              the database for further security. Please note that an HTTP server
              is NOT needed, as it is embedded into the application. If -w is
              set to 0 the HTTP port will not be enabled ('-w 0' is accepted
              only if ntop has been compiled with HTTPS support and ntop has not
              been started with '-W 0' [see below]). You can also use the
              IP:port notation to bind ntop to the specified IP address, e.g.
              -w 127.0.0.1:3000

       -W HTTPS IP:port
              If ntop has been compiled with HTTPS support (via OpenSSL), this
              flag can be used to set the HTTPS port (default 3001). If the user
              specifies '-W 0', HTTPS support is disabled. Some examples:
              1. ntop -w 80 -W 443 (both HTTP and HTTPS have been enabled at
              their default ports)
              2. ntop -w 0 -W 443 (HTTP disabled, HTTPS enabled at the default
              port).
              You can also use the IP:port notation to bind ntop to the
              specified IP address, e.g. -W 127.0.0.1:3001
       -d
              This flag causes ntop to become a daemon, i.e. it is started in
              background and detached from the terminal.

       -S value
              Use this flag for telling ntop to save information about host
              traffic on shutdown. Valid values are: 0 = don't store hosts, 1 =
              store all hosts, 2 = store only local hosts. This flag allows ntop
              not to lose traffic stats across multiple ntop sessions. Please
              note that information about TCP sessions is (obviously) lost.

       -P dbpath
              This allows to specify where db-files are searched or created
              (default "."). In addition DBPATH/html is added to the search list
              for the WEB-files.

       -m local subnet
              This flag allows users to specify the subnets whose traffic is
              considered local. The format is <network address>/<# subnet mask
              bits>[,<network address>/<# subnet mask bits>]. For instance
              "131.114.21.0/24,10.0.0.0/255.0.0.0".
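              The following Python script is an added example for this man
              page, not code from ntop itself. It parses a -m value into
              networks and classifies constructed sample packets into the
              local/remote direction classes that ntop's web views use. Note
              that the format above is stated as a prefix length, while the
              man page's own example mixes a prefix length (131.114.21.0/24)
              with a dotted netmask (10.0.0.0/255.0.0.0); Python's ipaddress
              module accepts both spellings, so the parser does too. The
              sample flows are constructed for the example.

```python
"""Added example (not ntop code): parse an ntop -m local-subnet list and
classify src/dst pairs as local or remote.

The -m value is a comma-separated list of networks written either as
<network>/<prefix length> or as <network>/<dotted netmask>; both appear in
the man page's own example and ipaddress.ip_network() understands both.
The sample flows are constructed for this example.
"""
import ipaddress


def parse_local_subnets(spec):
    """Return a list of ip_network objects for a -m style value.

    strict=False masks a host address such as 131.114.21.5/24 down to its
    network instead of rejecting it.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_local(addr, nets):
    """True if addr falls inside any configured local network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify_flow(src, dst, nets):
    """Label a src->dst pair as local-to-local, local-to-remote,
    remote-to-local or remote-to-remote. The first three are the IP traffic
    views the man page lists; remote-to-remote is traffic whose neither end
    is in a configured local subnet, which is worth reviewing on its own
    since it means the -m list or the sniffing position does not match the
    segment being observed.
    """
    s = "local" if is_local(src, nets) else "remote"
    d = "local" if is_local(dst, nets) else "remote"
    return "%s-to-%s" % (s, d)


# Constructed sample packets (src, dst) for the example.
SAMPLE_FLOWS = [
    ("131.114.21.10", "131.114.21.20"),   # inside the /24 both ways
    ("131.114.21.10", "193.205.2.1"),     # local host talking out
    ("193.205.2.1", "10.1.2.3"),          # outside host into 10/8
    ("8.8.8.8", "1.1.1.1"),               # neither end is local
]


def summarize(spec, flows=SAMPLE_FLOWS):
    """Count flows per direction class for a given -m specification."""
    nets = parse_local_subnets(spec)
    counts = {}
    for src, dst in flows:
        label = classify_flow(src, dst, nets)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    # The man page's own -m example value.
    print(summarize("131.114.21.0/24,10.0.0.0/255.0.0.0"))
```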
       -a access log file path
              By default ntop logs HTTP accesses in the file ntop.access.log in
              the current directory. Use this flag to specify the path of the
              file where HTTP accesses will be logged. Each log entry is in
              Apache-like style. The only difference between Apache and ntop is
              that ntop adds a new column. Such column contains the time (in
              milliseconds) that ntop needed in order to

       -b client:port DB client
              Exports ntop traffic information into a SQL database. The flag
              specifies (in http-like host format) the address (IP:port) of a
              SQL client. The database/ directory part of ntop contains a few
              clients. Please use one of those.

       -g client:port NetFlow Collector
              Exports ntop traffic information in Cisco NetFlow V5
              (http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm)
              format. The flag specifies (in http-like host format) the address
              (IP:port) of a NetFlow client such as
              ftp://ftp.net.ohio-state.edu/users/maf/cisco/.
       -u user name
              Specifies the user ntop should run as after it initializes. The
              value specified may be either a username or a numeric user id. The
              group id used will be the primary group of the user specified.

       -l dump file name
              Dumps the network traffic captured by ntop in a file in pcap
              format (useful for debug).

       -U mapper.pl URL
              It specifies the URL of the mapper.pl utility (it's part of the
              ntop distribution [see www/Perl/mapper.pl]) for displaying host
              location.

       -t trace level
              This flag specifies the level of ntop tracings on stdout. The
              trace level ranges between 0 (no trace) and 5 (full debug
              tracings). The default trace value is 3. The higher the trace
              level, the more information is printed. Trace level 1 is used to
              print errors only, level 2 for both warnings and errors, and so
              on.
       -F flow filter expression
              It is used to specify network flows similar to more powerful
              applications such as NeTraMet. A flow is a stream of captured
              packets that match a specified rule. The format is
              <flow-label>='<matching expression>'[,<flow-label>='<matching
              expression>'], where the label is used to symbolically identify
              the flow specified by the expression. The expression format is
              specified in the appendix. If an expression is specified, then
              the information concerning flows can be accessed following the
              HTML link named 'List NetFlows'. For instance suppose to define
              two flows with the following expression
              "LucaHosts='host jake.unipi.it or host
              pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'".
              All the traffic sent/received by hosts jake.unipi.it or
              pisanino.unipi.it is collected by ntop and added to the LucaHosts
              flow, whereas all the packets routed by the gateway
              gateway.unipi.it are added to the GatewayRoutedPkts flow. If the
              flows list is very long you may store the list of flows in a file
              (for instance flows.list) and specify the file name instead of the
              flows list (in the above example you will invoke 'ntop -F
       filter expression
              ntop, similar to what tcpdump does, allows users to specify an
              expression that restricts the type of traffic handled by ntop,
              hence to select only the traffic of interest. For instance,
              suppose to be interested only in the traffic generated/received by
              the host jake.unipi.it. ntop can then be started with the
              following filter: 'ntop src host jake.unipi.it or dst host
              jake.unipi.it'. See the tcpdump man page for further information
              about this
       While ntop is running, multiple users can access the traffic information
       using conventional web browsers. The main HTML page is divided in two
       frames. The left frame allows users to select the traffic view that will
       be displayed in the right frame. Available sections are: sort traffic by
       data sent, sort traffic by data received, traffic statistics, active
       hosts list, remote to local (i.e. inside the subnet defined for the
       network board from which the program is currently sniffing) IP traffic,
       local to remote IP traffic, local to local IP traffic, list of active
       TCP sessions, IP protocol distribution statistics, IP protocol usage, IP
       traffic matrix.
       ntop is based on the libpcap library that can be found at
       http://www.tcpdump.org/. The Win32 version makes use of libpcap for
       Win32 that can be downloaded from
       http://www.netgroup.polito.it/WinPcap/install/.

SEE ALSO
       intop(1), ntop-rules(8), top(1), ngrep(8), tcpdump(8).
       netramet (http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html).

       Please send bug reports to the ntop mailing list <ntop@ntop.org>. ntop's
       author is Luca Deri