~ubuntu-branches/ubuntu/natty/ntop/natty

Viewing changes to ntop.html

Committer: Bazaar Package Importer
Author(s): Ludovico Cavedon, Jordan Metzmeier, Ludovico Cavedon
Date: 2010-12-15 20:06:19 UTC
mfrom: (5.1.5 sid)
Revision ID: james.westby@ubuntu.com-20101215200619-0ojz3iak95ihibun

Tags: 3:4.0.3+dfsg1-1

http://bugs.debian.org/522042

http://bugs.debian.org/595450

[ Jordan Metzmeier ]
* New upstream release (Closes: #522042)
* Move data files to /usr/share/ntop (Closes: #595450).
* Package architecture independent data in a separate ntop-data package.
* Use debhelper 7.
* Update Standards-Version to 3.9.1.
* Depend on python-mako.
* Do not include ntop.txt in binary packages as it is a copy of the man
 page.
* Do not include NEWS, as it is outdated.
* Switch to package source version 3.0 (quilt).
* Add password creation to debconf
* Changed init script to fix localization problems (thanks to Alejandro
 Varas <alej0varas@gmail.com>, LP: #257466)
* Remove manual update-rc.d calls from postrm and postinst. debhelper adds
 this for us.
* Add pre-depends on adduser for postinst script.
* Fix errors in the manpages: fix-manpage-errors.patch.
* Added fixes for matching active interfaces.
* Added a watch file.

[ Ludovico Cavedon ]
* Remove direct changes to upstream tree, and move them into specific patch
 files:
 - fix-manpage-errors.patch: fix typos in ntop.8.
 - dot-path.patch: fix path of /usr/bin/dot executable
* Add patches:
 - reduce-autogen-purged-files.patch: prevent agutogen.sh from reamoving
 too many files during cleanup.
 - Add build-without-ntop-darwin.patch, to fix compilation without
 ntop_darwin.c.
* No longer add faq.html, as it is not distributed in the upstream tarball.
* Use ${source:Version} in control file. Have ntop-data recommend
 ntop.
* Rename dirs to ntop.dirs and keep only empty directories that need
 to be created.
* Remove var/lib from ntop.install file, as it is empty (keeping it in
 ntop.dirs).
* Update po files.
* Breaks and Replaces instead of Conflitcs for ntop-data.
* Use a longer package description.
* Remove useless configure options from debian/rules.
* Move private shared libraries libraries in /usr/lib/ntop.
* Add change-plugin-dir.patch for adjusting plugin directory.
* Remove development files.
* Use system library for MochiKit.js.
* Rewrite DEP5 copyright file.
* Repackage upstream tarball in order to remove non-DFSG-compliant code. Add
 get-orig-source.sh script and get-orig-source target in debian/rules.
* Add explanation to README.Debian why geolocation is no longer working.
* Add avoid-copy-maxmind-db.patch to prevent copying of Geo*.dat
 files.
* Remove old unused patches.

files added:
.pc

.pc/.version

.pc/applied-patches

.pc/avoid-copy-maxmind-db.patch

.pc/avoid-copy-maxmind-db.patch/Makefile.am

.pc/build-without-ntop-darwin.patch

.pc/build-without-ntop-darwin.patch/Makefile.am

.pc/change-plugin-dir.patch

.pc/change-plugin-dir.patch/configure.in

.pc/change-plugin-dir.patch/plugins

.pc/change-plugin-dir.patch/plugins/Makefile.am

.pc/dot-path.patch

.pc/dot-path.patch/report.c

.pc/fix-manpage-errors.patch

.pc/fix-manpage-errors.patch/ntop.8

.pc/fix-wget-during-build.patch

.pc/fix-wget-during-build.patch/Makefile.am

.pc/fix-wget-during-build.patch/autogen.sh

.pc/fix-wget-during-build.patch/configure.in

.pc/reduce-autogen-purged-files.patch

.pc/reduce-autogen-purged-files.patch/autogen.sh

3rd_party

3rd_party/etter.finger.os.gz

3rd_party/oui.txt.gz

3rd_party/specialMAC.txt.gz

LICENSE-OpenSSL.txt

configureextra/python-config

debian/get-orig-source.sh

debian/ntop-data.install

debian/ntop.config

debian/ntop.default

debian/ntop.dirs

debian/ntop.docs

debian/ntop.init

debian/ntop.install

debian/ntop.manpages

debian/ntop.postinst

debian/ntop.templates

debian/patches/avoid-copy-maxmind-db.patch

debian/patches/build-without-ntop-darwin.patch

debian/patches/change-plugin-dir.patch

debian/patches/dot-path.patch

debian/patches/fix-manpage-errors.patch

debian/patches/fix-wget-during-build.patch

debian/patches/reduce-autogen-purged-files.patch

debian/patches/series

debian/preinst

debian/source

debian/source/format

debian/watch

event.c

html/MochiKit/DragAndDrop.js

html/MochiKit/Position.js

html/MochiKit/Selector.js

html/MochiKit/Sortable.js

html/MochiKit/Style.js

html/ajax

html/arrow_down.png

html/arrow_up.png

html/back.png

html/bit_off.png

html/bit_on.png

html/docs

html/docs/python

html/docs/python/api-objects.txt

html/docs/python/crarr.png

html/docs/python/epydoc.css

html/docs/python/epydoc.js

html/docs/python/fastbit-module.html

html/docs/python/frames.html

html/docs/python/help.html

html/docs/python/host-module.html

html/docs/python/identifier-index.html

html/docs/python/index.html

html/docs/python/interface-module.html

html/docs/python/module-tree.html

html/docs/python/ntop-module.html

html/docs/python/redirect.html

html/docs/python/toc-everything.html

html/docs/python/toc-fastbit-module.html

html/docs/python/toc-host-module.html

html/docs/python/toc-interface-module.html

html/docs/python/toc-ntop-module.html

html/docs/python/toc.html

html/fback.png

html/fforward.png

html/forward.png

html/graph_zoomDOWN.gif

html/graph_zoomUP.gif

html/icon_python.png

html/json2.js

html/line-bottom.png

html/multihomed.png

html/ntop_logo.png

html/reflection.js

html/rrdAlarmConfig.js

html/sorterScript.js

html/sorterStyle.css

iwtan

iwtan/Makefile

iwtan/iwtan_analyze.c

iwtan/iwtan_analyze.h

iwtan/iwtan_data.c

iwtan/iwtan_data.h

iwtan/iwtan_example.c

iwtan/iwtan_example.h

iwtan/test_analyze.c

iwtan/test_data_driver.c

map.c

misc

misc/configure.in.lua

misc/configure.in.perl

misc/lua

misc/lua.c

misc/lua/test.lua

misc/perl

misc/perl.c

misc/perl/ntop.i

misc/perl/ntop_perl.h

misc/perl/ntop_wrap.c

misc/perl/report

misc/perl/report.pl

misc/perl/report/basic.xml

misc/perl/test.pl

packages/debian/etc/ld.so.conf.d

packages/debian/etc/ld.so.conf.d/ntop.conf

plugins/cpacketPlugin.c

python

python.c

python/GeoPacketVisualizer.py

python/docs

python/docs/Makefile

python/docs/epydoc.conf

python/docs/src

python/docs/src/fastbit.py

python/docs/src/host.py

python/docs/src/interface.py

python/docs/src/ntop.py

python/fastbit.py

python/hello_world.py

python/ipPortQuery.py

python/json

python/json/info.py

python/json/interfaces.py

python/json/iphone

python/json/iphone/clientcheck.py

python/json/iphone/hostinfo.py

python/json/iphone/ifdata.py

python/json/iphone/iflist.py

python/json/iphone/iftophosts.py

python/json/iphone/instance.py

python/json/iphone/interfaces.py

python/rrdalarm

python/rrdalarm/config.py

python/rrdalarm/crontab.rrdalarm

python/rrdalarm/save.py

python/rrdalarm/scripts

python/rrdalarm/scripts/savelog.py

python/rrdalarm/scripts/sendmail.py

python/rrdalarm/start.py

python/templates

python/templates/GeoPacketVisualizer.tmpl

python/templates/fastbit.tmpl

python/templates/ipPortQuery.tmpl

python/templates/queryResults.tmpl

python/templates/rrdAlarmConfigurator.tmpl

python/templates/rrdAlarmConfiguratorHelp.tmpl

python/templates/rrdAlarmStart.tmpl

subnets.txt

utils/gdbm_rw.c

utils/getopt

utils/getopt/getopt.c

utils/getopt/getopt.h

utils/getopt/getopt1.c

utils/rrd-alarm/doc/rrd.html

files removed:
AS-list.txt.gz

acinclude.m4

aclocal.m4

config.guess

config.h.in

debian/config

debian/dirs

debian/init

debian/patches/ntop-3.2-snmp_plugin_ipv6.diff

debian/patches/ntop-xmldump.diff

debian/patches/ntop.8.v1.diff

debian/patches/ntop.config.diff

debian/patches/ntop.init.d.diff

debian/postinst

debian/templates

docs/database/README.mySQL

etter.finger.os.gz

faq.html

getopt.c

getopt.h

getopt1.c

html/arrow_down.gif

html/arrow_up.gif

html/back.gif

html/faq.html

html/fback.gif

html/fforward.gif

html/forward.gif

html/multihomed.gif

html/ntop_logo.gif

l7-patterns

l7-patterns/100bao.pat

l7-patterns/aim.pat

l7-patterns/aimwebcontent.pat

l7-patterns/applejuice.pat

l7-patterns/ares.pat

l7-patterns/battlefield1942.pat

l7-patterns/battlefield2.pat

l7-patterns/bgp.pat

l7-patterns/biff.pat

l7-patterns/bittorrent.pat

l7-patterns/ciscovpn.pat

l7-patterns/citrix.pat

l7-patterns/counterstrike-source.pat

l7-patterns/cvs.pat

l7-patterns/dayofdefeat-source.pat

l7-patterns/dhcp.pat

l7-patterns/directconnect.pat

l7-patterns/dns.pat

l7-patterns/doom3.pat

l7-patterns/edonkey.pat

l7-patterns/fasttrack.pat

l7-patterns/finger.pat

l7-patterns/freenet.pat

l7-patterns/ftp.pat

l7-patterns/gkrellm.pat

l7-patterns/gnucleuslan.pat

l7-patterns/gnutella.pat

l7-patterns/goboogy.pat

l7-patterns/gopher.pat

l7-patterns/h323.pat

l7-patterns/halflife2-deathmatch.pat

l7-patterns/hddtemp.pat

l7-patterns/hotline.pat

l7-patterns/http.pat

l7-patterns/ident.pat

l7-patterns/imap.pat

l7-patterns/ipp.pat

l7-patterns/irc.pat

l7-patterns/jabber.pat

l7-patterns/kugoo.pat

l7-patterns/live365.pat

l7-patterns/lpd.pat

l7-patterns/msn-filetransfer.pat

l7-patterns/msnmessenger.pat

l7-patterns/mute.pat

l7-patterns/napster.pat

l7-patterns/nbns.pat

l7-patterns/ncp.pat

l7-patterns/netbios.pat

l7-patterns/nntp.pat

l7-patterns/ntp.pat

l7-patterns/openft.pat

l7-patterns/poco.pat

l7-patterns/pop3.pat

l7-patterns/pressplay.pat

l7-patterns/qq.pat

l7-patterns/quake-halflife.pat

l7-patterns/quake1.pat

l7-patterns/rdp.pat

l7-patterns/rlogin.pat

l7-patterns/rtsp.pat

l7-patterns/shoutcast.pat

l7-patterns/sip.pat

l7-patterns/skypeout.pat

l7-patterns/skypetoskype.pat

l7-patterns/smb.pat

l7-patterns/smtp.pat

l7-patterns/snmp.pat

l7-patterns/socks.pat

l7-patterns/soribada.pat

l7-patterns/soulseek.pat

l7-patterns/ssdp.pat

l7-patterns/ssh.pat

l7-patterns/ssl.pat

l7-patterns/subspace.pat

l7-patterns/telnet.pat

l7-patterns/tesla.pat

l7-patterns/tftp.pat

l7-patterns/tls.pat

l7-patterns/tsp.pat

l7-patterns/validcertssl.pat

l7-patterns/vnc.pat

l7-patterns/whois.pat

l7-patterns/x11.pat

l7-patterns/xboxlive.pat

l7-patterns/xunlei.pat

l7-patterns/yahoo.pat

l7-patterns/zmaap.pat

l7.c

libtool.m4.in

ltmain.sh

ntop_darwin.c

ntop_darwin.h

ntop_win32.c

ntop_win32.h

oui.txt.gz

p2c.opt.table.gz

packages/Win32/ntop-VC6-project.zip

packages/debian/usr

plugins/lastSeenPlugin.c

plugins/pdaPlugin.c

plugins/remotePlugin.c

specialMAC.txt.gz

utils/p2c

utils/p2clib.c

utils/p2clib.h

utils/rrd-alarm/doc/rrd.pdf

version.c

files modified:
COPYING

INSTALL

Makefile.am

NetFlow/README

NetFlow/docs/ntop-netflow-cisco.pdf

README

THANKS

address.c

admin.c

autogen.sh

config.sub

configure.in

configureextra/LINUXsuse

dataFormat.c

database.c

debian/README.Debian

debian/changelog

debian/compat

debian/control

debian/copyright

debian/po/POTFILES.in

debian/po/cs.po

debian/po/de.po

debian/po/es.po

debian/po/eu.po

debian/po/fi.po

debian/po/fr.po

debian/po/gl.po

debian/po/it.po

debian/po/ja.po

debian/po/nl.po

debian/po/pt.po

debian/po/pt_BR.po

debian/po/ru.po

debian/po/sv.po

debian/po/templates.pot

debian/postrm

debian/rules

depcomp

docs/BUILD-NTOP.txt

docs/RedHat-rpmbuild-HOWTO.txt

docs/database/README

docs/ntop-autotools.pdf

docs/ntop-autotools.vsd

emitter.c

fcReport.c

fcUtils.c

fcUtils.h

globals-core.c

globals-core.h

globals-defines.h

globals-report.c

globals-report.h

globals-structtypes.h

graph.c

hash.c

html/JSCookMenu.js

html/MochiKit/Async.js

html/MochiKit/Base.js

html/MochiKit/Color.js

html/MochiKit/DOM.js

html/MochiKit/DateTime.js

html/MochiKit/Format.js

html/MochiKit/Iter.js

html/MochiKit/Logging.js

html/MochiKit/LoggingPane.js

html/MochiKit/MochiKit.js

html/MochiKit/MockDOM.js

html/MochiKit/Signal.js

html/MochiKit/Test.js

html/MochiKit/Visual.js

html/MochiKit/__package__.js

html/autosuggest.css

html/autosuggest.js

html/calendar-setup.js

html/calendar.js

html/deleteUser.gif

html/domLib.js

html/domTT.js

html/dump.html

html/edit.gif

html/favicon.ico

html/graph_if.svg

html/help.html

html/jscalendar/calendar-setup.js

html/jscalendar/calendar.js

html/ntop.html

html/style.css

html/theme.js

html/user.gif

html/zoom.js

http.c

iface.c

iface.h

initialize.c

install-sh

installer/MacOSX/ntop.package.pmproj

leaks.c

main.c

missing

ntop.8

ntop.c

ntop.h

ntop.html

ntop.txt

packages/Gentoo/ntop-3.0_pre1.ebuild

packages/Gentoo/ntop-3.0_pre2.ebuild

packages/MacOSX/ltmain.sh

packages/MacOSX/ntop.package.pmsp

packages/Makefile.debian

packages/RedHat/ntop.conf.sample

packages/RedHat/ntop.init

packages/debian/changelog

packages/debian/control

packages/debian/etc/init.d/ntop

packages/debian/files

packages/debian/postinst

packages/debian/postrm

packages/debian/prerm

packages/debian/rules

packages/debian/substvars

pbuf.c

plugin.c

pluginSkeleton.c

plugins/Makefile.am

plugins/icmpPlugin.c

plugins/netflowPlugin.c

plugins/rrdPlugin.c

plugins/rrdPlugin.h

plugins/sflowPlugin.c

prefs.c

protocols.c

report.c

reportUtils.c

scsiUtils.h

sessions.c

ssl.c

term.c

traffic.c

util.c

utildl.c

utils/Juniper/README

utils/Juniper/setFilter.pl

utils/Makefile

utils/inetnum2countryalloc.c

utils/linuxrelease

utils/lookuptest.c

utils/prefixtablegen.c

utils/rrd-alarm/rrd_alarm.c

vendor.c

webInterface.c

www/Perl/mapper.pl

Show diffs side-by-side

added added

removed removed

ntop.html

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"

"http://www.w3.org/TR/html4/loose.dtd">

<html>

<head>

p { margin-top: 0; margin-bottom: 0; }

pre { margin-top: 0; margin-bottom: 0; }

table { margin-top: 0; margin-bottom: 0; }

</style>

</head>

<body>

<a href="#SYNOPSIS">SYNOPSIS</a>

<a href="#DESCRIPTION">DESCRIPTION</a>

<a href="#COMMAND−LINE OPTIONS">COMMAND−LINE OPTIONS</a>

<a href="#WEB VIEWS">WEB VIEWS</a>

<a href="#NOTES">NOTES</a>

<a href="#PRIVACY NOTICE">PRIVACY NOTICE</a>

<a href="#USER SUPPORT">USER SUPPORT</a>

<a href="#AUTHOR">AUTHOR</a>

<a href="#LICENCE">LICENCE</a>

<a href="#ACKNOWLEDGMENTS">ACKNOWLEDGMENTS</a>

<hr>

ntop −

display top network users

<h2>SYNOPSIS</h2>

ntop

[@filename] [-a|--access-log-file

<path>] [-b|--disable-decoders]

[-c|--sticky-hosts]

[-e|--max-table-rows]

[-f|--traffic-dump-file file>]

[-g|--track-local-hosts]

[-h|--help]

[-j|--create-other-packets]

[-l|--pcap-log <path>]

[-m|--local-subnets <addresses>]

[-n|--numeric-ip-addresses]

[-o|--no-mac] [-p|--protocols

<list>]

[-q|--create-suspicious-packets]

[-r|--refresh-time <number>]

[-s|--no-promiscuous]

[-t|--trace-level <number>]

[-x <max_num_hash_entries>]

[-w|--http-server <port>]

[-z|--disable-sessions]

[-A|--set-admin-password password]

[-B|--filter-expression expression]

[-C <configmode>]

[-D|--domain <name>]

[-F|--flow-spec <specs>]

[-M|--no-interface-merge]

[-N|--wwn-map <path>]

[-O|----output-packet-path

<path>] [-P|--db-file-path

<path>] [-Q|--spool-file-path

<path>] [-U|--mapper

<URL>] [-V|--version] [-X

<max_num_TCP_sessions>]

[--disable-instantsessionpurge]

[--disable-mutexextrainfo] [--fc-only]

[--instance] [--no-fc]

[--no-invalid-lun] [--p3p-cp]

[--p3p-uri] [--skip-version-check]

[--w3c] [-4|--ipv4]

[-6|--ipv6]

Unix

options:

[-d|--daemon]

100

[-i|--interface <name>]

101

[-u|--user <user>]

102

[-K|--enable-debug] [-L]

103

[--pcap_setnonblock] [--use-syslog=

104

<facility>] [--webserver-queue

105

<number>]

106

107

Windows

108

option:

109

110

111

[-i|--interface

112

<number|name>]

113

114

OpenSSL

115

options:

116

117

118

[-W|--https-server

119

<port>] [--ssl-watchdog]

120

121

122

<h2>DESCRIPTION</h2>

123

124

125

ntop

126

shows the current network usage. It displays a list of hosts

127

that are currently using the network and reports information

128

concerning the (IP and non-IP) traffic generated and

129

received by each host. ntop may operate as a

130

front-end collector (sFlow and/or netFlow plugins) or as a

131

stand-alone collector/display program. A web browser is

132

needed to access the information captured by the ntop

133

program.

134

135

ntop is

136

a hybrid layer 2 / layer 3 network monitor, that is by

137

default it uses the layer 2 Media Access Control (MAC)

138

addresses AND the layer 3 tcp/ip addresses. ntop is

139

capable of associating the two, so that ip and non-ip

140

traffic (e.g. arp, rarp) are combined for a complete picture

141

of network activity.

142

143

144

<h2>COMMAND−LINE OPTIONS</h2>

145

146

147

148

@filename

149

150

The text of filename is

151

copied - ignoring line breaks and comment lines (anything

152

following a #) - into the command line. ntop behaves

153

as if all of the text had simply been typed directly on the

154

command line. For example, if the command line is "-t 3

155

@d -u ntop" and file d contains just the line

156

’-d’, then the effective command line is -t 3 -d

157

-u ntop. Multiple @s are permitted. Nested @s (an @ inside

158

the file) are not permitted.

159

160

Remember, most

161

ntop options are "sticky", that is they

162

just set an internal flag. Invoking them multiple times

163

doesn’t change ntop’s behavior. However,

164

options that set a value, such as --trace-level, will use

165

the LAST value given: --trace-level 2 --trace-level 3 will

166

run as --trace-level 3.

167

168

Beginning with

169

3.1, many command-line options may also be set via the web

170

browser interface. These changes take effect on the next run

171

of and on each subsequent run until changed.

172

173

-a |

174

--access-log-file

175

176

By default ntop does not

177

maintain a log of HTTP requests to the internal web server.

178

Use this parameter to request logging and to specify the

179

location of the file where these HTTP requests are

180

logged.

181

182

Each log entry

183

is in Apache-like style. The only difference between Apache

184

and ntop logs is that an additional column has been

185

added which has the time (in milliseconds) that ntop

186

needed to serve the request. Log entries look like this:

187

188

192.168.1.1 - -

189

[04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1"

190

200 1489 4

191

192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET

192

/index_top.html HTTP/1.1" 200 1854 4

193

192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET

194

/index_inner.html HTTP/1.1" 200 1441 7

195

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET

196

/index_left.html HTTP/1.1" 200 1356 4

197

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET

198

/home_.html HTTP/1.1" 200 154/617 9

199

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET

200

/home.html HTTP/1.1" 200 1100/3195 10

201

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET

202

/About.html HTTP/1.1" 200 2010 10

203

204

This parameter

205

is the complete file name of the access log. In prior

206

releases it was erroneously called --access-log-path.

207

208

-b |

209

--disable-decoders

210

211

This parameter disables

212

protocol decoders.

213

214

Protocol

215

decoders examine and collect information about layer 2

216

protocols such as NetBIOS or Netware SAP, as well as about

217

specific tcp/ip (layer 3) protocols, such as DNS, http and

218

ftp.

219

220

This support is

221

specifically coded for each protocol and is different from

222

the capability to count raw information (packets and bytes)

223

by protocol specified by the -p | --protocols parameter,

224

below.

225

226

Decoding

227

protocols is a significant consumer of resources. If the

228

ntop host is underpowered or monitoring a very busy

229

network, you may wish to disable protocol decoding via this

230

parameter. It may also be appropriate to use this parameter

231

if you believe that ntop has problems handling some

232

protocols that occur on your network.

233

234

Even if

235

decoding is disabled, ftp-data traffic is still decoded to

236

look for passive ftp port commands.

237

238

-c | --sticky-hosts

239

240

Use this parameter to prevent

241

idle hosts from being purged from memory.

242

243

By default idle

244

hosts are periodically purged from memory. An idle host is

245

identified when no packets from or to that host have been

246

monitored for the period of time defined by the value of

247

PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.

248

249

If you use this

250

option, all hosts - active and idle - are retained in memory

251

for the duration of the ntop run.

252

253

P2P users, port

254

scans, popular web servers and other activity will cause

255

ntop to record data about a large number of hosts. On

256

an active network, this will consume a significant - and

257

always growing - amount of memory. It is strongly

258

recommended that you use a filtering expression to limit the

259

hosts which are stored if you use --sticky-hosts.

260

261

The idle purge

262

is a statistical one - a random selection of the eligible

263

hosts will be purged during each cycle. Thus it is possible

264

on a busy system for an idle host to remain in the

265

ntop tables and appear ’active’ for some

266

considerable time after it is truly idle.

267

268

-d | --daemon

269

270

This parameter causes ntop to

271

become a daemon, i.e. a task which runs in the background

272

without connection to a specific terminal. To use

273

ntop other than as a casual monitoring tool, you

274

probably will want to use this option.

275

276

277

WARNING:

278

If you are running as a daemon, the messages from

279

ntop will be ’printed’ on to stdout and

280

thus dropped. You probably don’t want to do this. So

281

remember to also use the -L or --use-syslog options to save

282

the messages into the system log.

283

284

-e |

285

--max-table-rows

286

287

This defines the maximum number

288

of lines that ntop will display on each generated

289

ML page. If there are more lines to be displayed than this

290

setting permits, only part of the data will be displayed.

291

There will be page forward/back arrows placed at the bottom

292

of the page for navigation between pages.

293

294

-f |

295

--traffic-dump-file

296

297

By default, ntop

298

captures traffic from network interface cards (NICs) or from

299

netFlow/sFlow probes. However, ntop can also read

300

data from a file - typically a tcpdump capture or the output

301

from one of the ntop packet capture options.

302

303

if you specify

304

-f, ntop will not capture any traffic from NICs

305

during or after the file has been read. netFlow/sFlow

306

capture - if enabled - would still be active.

307

308

This option is

309

mostly used for debug purposes.

310

311

-g |

312

--track-local-hosts

313

314

By default, ntop tracks

315

all hosts that it sees from packets captured on the various

316

NICs. Use this parameter to tell ntop to capture data

317

only about local hosts. Local hosts are defined based on the

318

addresses of the NICs and those networks identified as local

319

via the -m | --local-subnets parameter.

320

321

This parameter

322

is useful on large networks or those that see many hosts,

323

(e.g. a border router or gateway), where information about

324

remote hosts is not desired/required to be tracked.

325

326

-h | --help

327

328

Print help information for

329

ntop, including usage and parameters.

330

331

-i | --interface

332

333

Specifies the network interface

334

or interfaces to be used by ntop for network

335

monitoring.

336

337

If multiple

338

interfaces are used (this feature is available only if ntop

339

is compiled with thread support) their names must be

340

separated with a comma. For instance -i

341

"eth0,lo".

342

343

If not

344

specified, the default is the first Ethernet device, e.g.

345

eth0. The specific device that is ’first’ is

346

highly system dependent. Especially on systems where the

347

device name reflects the driver name instead of the type of

348

interface.

349

350

By default,

351

traffic information obtained by all the interfaces is merged

352

together as if the traffic was seen by only one interface.

353

Use the -M parameter to keep traffic separate by

354

interface.

355

356

If you do not

357

want ntop to monitor any interfaces, use -i none.

358

359

Under Windows,

360

the parameter value is either the number of the interface or

361

its name, e.g. {6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run

362

ntop -h to see a list of interface name-number

363

mappings (at the end of the help information).

364

365

-j |

366

--create-other-packets

367

368

This parameter causes

369

ntop to create a dump file of the ’other’

370

network traffic captured. One file is created for each

371

network interface where

372

<path>/ntop-other-pkts.<device>.pcap, where

373

<path> is defined by the -O | --output-packet-path

374

parameter. This file is useful for understanding these

375

unclassifed packets.

376

377

-l | --pcap-log

378

379

This parameter causes a dump

380

file to be created of the network traffic captured by

381

ntop in tcpdump (pcap) format. This file is useful

382

for debug, and may be read back into ntop by the -f |

383

--traffic-dump-file parameter. The dump is made after

384

processing any filter expression ( never even sees filtered

385

packets).

386

387

The output file

388

will be named

389

<path>/<log>.<device>.pcap

390

(Windows: <path>/<log>.pcap ), where

391

<path> is defined by the -O | --output-packet-path

392

parameter and <log> is defined by this -l | --pcap-log

393

parameter.

394

395

-m | --local-subnets

396

397

ntop determines the ip

398

addresses and netmasks for each active interface. Any

399

traffic on those networks is considered local. This

400

parameter allows the user to define additional networks and

401

subnetworks whose traffic is also considered local in

402

ntop reports. All other hosts are considered

403

remote.

404

405

Commas separate

406

multiple network values. Both netmask and CIDR notation may

407

be used, even mixed together, for instance

408

"131.114.21.0/24,10.0.0.0/255.0.0.0".

409

410

The local

411

subnet - as defined by the interface address(es) - is/are

412

always local and do not need to be specified. If you do give

413

the same value as a NIC’s local address, a harmless

414

warning message is issued.

415

416

-n |

417

--numeric-ip-addresses

418

419

By default, ntop

420

resolves IP addresses using a combination of active

421

(explicit) DNS queries and passive sniffing. Sniffing of DNS

422

responses occurs when ntop receives a network packet

423

containing the response to some other user’s DNS

424

query. ntop captures this information and enters it

425

into ntop’s DNS cache, in expectation of

426

shortly seeing traffic addressed to that host. This way

427

ntop significantly reduces the number of DNS queries

428

it makes.

429

430

This parameter

431

causes ntop to skip DNS resolution, showing only

432

numeric IP addresses instead of the symbolic names. This

433

option can useful when the DNS is not present or quite

434

slow.

435

436

-o | --no-mac

437

438

ntop is a hybrid layer

439

2/3 network monitor. That is, it uses both the lower level,

440

physical device address - the MAC (Media Access Control)

441

address - and the higher level, logical, tcp/ip address (the

442

familiar www.ntop.org or 131.114.21.9 address). This allows

443

ntop to link the logical addresses to a physical

444

machine with multiple addresses (This occurs with virtual

445

hosts or additional addresses assigned to the interface,

446

etc.) to present consolidated reporting.

447

448

This parameter

449

specifies that ntop should not trust the MAC

450

addresses but just use the IP addresses.

451

452

Normally, since

453

the MAC address must be globally unique, the dual nature of

454

ntop is a benefit and provides far better information

455

about the network than is available via a pure layer 2 or

456

pure layer 3 monitor.

457

458

Under certain

459

circumstances - whenever ntop is started on an

460

interface where MAC addresses cannot be really trusted - you

461

may require this option.

462

463

Situations

464

which may require this option include port/VLAN mirror, some

465

cases with switches and spanning tree protocol, and

466

(reportedly) some specific models of Ethernet switches which

467

re-write MAC addresses of the packets they process.

468

Normally, you discover that this option is necessary when

469

you observe that hosts seem to change their addresses or

470

information about different machines get lumped

471

together.

472

473

Note that with

474

this option, information which is dependent upon the MAC

475

addresses (non tcp/ip protocols like IPX) will not be

476

collected nor displayed.

477

478

-p | --protocols

479

480

This parameter is used to

481

specify the TCP/UDP protocols that ntop will monitor.

482

The format is <label>=<protocol list> [,

483

<label>=<protocol list>], where label is used to

484

symbolically identify the <protocol list>. The format

485

of <protocol list> is

486

<protocol>[|<protocol>], where <protocol>

487

is either a valid protocol specified inside the

488

/etc/services file or a numeric port range (e.g. 80, or

489

6000-6500).

490

491

A simple

492

example is

493

--protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data",

494

which reduces the protocols displayed on the "IP"

495

pages to three:

496

497

Host Domain

498

Data HTTP FTP Other IP

499

ns2.attbi.com <flag> 954 63.9 % 0 0 954

500

64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0

501

502

64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0

503

toolbarqueries.google.com <flag> 60 4.0 % 60 0 0

504

505

If the

506

<protocol list> is very long you may store it in a

507

file (for instance protocol.list). To do so, specify the

508

file name instead of the <protocol list> on the

509

command line. e.g. ntop -p protocol.list

510

511

If the -p

512

parameter is omitted the following default value is

513

used:

514

515

516

FTP=ftp|ftp-data

517

518

TP=http|www|https|3128 3128 is Squid, the HTTP cache

519

DNS=name|domain

520

Telnet=telnet|login

521

NBios-IP=netbios-ns|netbios-dgm|netbios-ssn

522

523

DHCP-BOOTP=67-68

524

SNMP=snmp|snmp-trap

525

NNTP=nntp

526

NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status

527

X11=6000-6010

528

SSH=22

529

530

Peer-to-Peer

531

Protocols

532

----------------------

533

Gnutella=6346|6347|6348

534

Kazaa=1214

535

WinMX=6699|7730

536

DirectConnect=0 Dummy port as this is a pure P2P protocol

537

538

eDonkey=4661-4665

539

540

Instant

541

Messenger

542

-----------------

543

Messenger=1863|5000|5001|5190-5193

544

545

NOTE: To

546

resolve protocol names to port numbers, they must be

547

specified in the system file used to list tcp/udp protocols

548

and ports, which is typically /etc/services file. You will

549

have to match the names in that file, exactly. Missing or

550

unspecified (non-standard) ports must be specified by

551

number, such as 3128 in our examples above.

552

553

If you have a

554

file named /etc/protocols, don’t get confused by it,

555

as that’s the Ethernet protocol numbers, which are not

556

what you’re looking for.

557

558

-q |

559

--create-suspicious-packets

560

561

This parameter tells

562

ntop to create a dump file of suspicious packets.

563

564

There are many,

565

many, things that cause a packet to be labeled as

566

’suspicious’, including:

567

568

Detected ICMP

569

fragment

570

Detected Land Attack against host

571

Detected overlapping/tiny packet fragment

572

Detected traffic on a diagnostic port

573

Host performed ACK/FIN/NULL scan

574

Host rejected TCP session

575

TP/FTP/SMTP/SSH detected at wrong port

576

Malformed TCP/UDP/ICMP packet (packet too short)

577

Packet # %u too long

578

Received a ICMP protocol Unreachable from host

579

Sent ICMP Administratively Prohibited packet to host

580

Smurf packet detected for host

581

TCP connection with no data exchanged

582

TCP session reset without completing 3-way handshake

583

Two MAC addresses found for the same IP address

584

UDP data to a closed port

585

Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port

586

80/21/25/22)

587

Unusual ICMP options

588

589

When this

590

parameter is used, one file is created for each network

591

interface where suspicious packets are found. The file is in

592

tcpdump (pcap) format and is named

593

<path>/ntop-suspicious-pkts.<device>.pcap, where

594

<path> is defined by the -O | --output-packet-path

595

parameter.

596

597

-r | --refresh-time

598

599

Specifies the delay (in

600

seconds) between automatic screen updates for those

601

generated HTML pages which support them. This parameter

602

allows you to leave your browser window open and have it

603

always displaying nearly real-time data from

604

ntop.

605

606

The default is

607

3 seconds. Please note that if the delay is very short (1

608

second for instance), ntop might not be able to

609

process all of the network traffic.

610

611

-s |

612

--no-promiscuous

613

614

Use this parameter to prevent

615

from setting the interface(s) into promiscuous mode.

616

617

An interface in

618

promiscuous mode will accept ALL Ethernet frames, regardless

619

of whether they directed (addressed) to the specific network

620

interface (NIC) or not. This is an essential part of

621

enabling ntop to monitor an entire network. (Without

622

promiscuous mode, ntop will only see traffic directed

623

to the specific host it is running on, plus broadcast

624

traffic such as the arp and dhcp protocols.

625

626

Even if you use

627

this parameter, the interface could well be in promiscuous

628

mode if another application enabled it.

629

630

ntop

631

passes this setting on to libpcap, the packet capture

632

library. On many systems, a non-promiscuous open of the

633

network interface will fail, since the libpcap function on

634

most systems require it to capture raw packets ( ntop

635

captures raw packets so that we may view and analyze the

636

layer 2 - MAC - information).

637

638

Thus on most

639

systems, ntop must probably still be started as root,

640

and this option is largely ornamental. If it fails, you will

641

see a ***FATALERROR*** message referring to pcap_open_live()

642

and then an information message, "Sorry, but on this

643

system, even with -s, it appears that ntop must be started

644

as root".

645

646

-t | --trace-level

647

648

This parameter specifies the

649

’information’ level of messages that you wish

650

ntop to display (on stdout or to the log). The higher

651

the trace level number the more information that is

652

displayed. The trace level ranges between 0 (no trace) and 5

653

(full debug tracings).

654

655

The default

656

trace value is 3.

657

658

Trace level 0

659

is not quite zero messages. Fatal errors and certain

660

startup/shutdown messages are always displayed. Trace level

661

1 is used to display errors only, level 2 for both errors

662

and warnings, and level 3 displays error, warning and

663

informational messages.

664

665

Trace level 4

666

is called ’noisy’ and it is - generating many

667

messages about the internal functioning of ntop.

668

Trace level 5 and above are ’noisy’ plus extra

669

logs, i.e. all possible messages, with a file:line tag

670

prepended to every message.

671

672

-u | --user

673

674

Specifies the user ntop

675

should run as after it initializes.

676

677

ntop

678

must normally be started as root so that it has sufficient

679

privileges to open the network interfaces in promiscuous

680

mode and to receive raw frames. See the discussion of -s |

681

--no-promiscuous above, if you wish to try starting

682

ntop as a non-root user.

683

684

Shortly after

685

starting up, ntop becomes the user you specify here,

686

which normally has substantially reduced privileges, such as

687

no login shell. This is the userid which owns

688

ntop’s database and output files.

689

690

The value

691

specified may be either a username or a numeric user id. The

692

group id used will be the primary group of the user

693

specified.

694

695

If this

696

parameter is not specified, ntop will try to switch first to

697

’nobody’ and then to ’anonymous’

698

before giving up.

699

700

NOTE: This

701

should not be root unless you really understand the security

702

risks. In order to prevent this by accident, the only way to

703

run ntop as root is to explicitly specify -u root.

704

Don’t do it.

705

706

-x

707

-X

708

709

ntop creates a new

710

hash/list entry for each new host/TCP session seen. In case

711

of DOS (Denial Of Service) an attacker can easily exhaust

712

all the host available memory because ntop is creating

713

entries for dummy hosts. In order to avoid this you can set

714

an upper limit in order to limit the memory ntop can

715

use.

716

717

-w | --http-server

718

-W | --https-server

719

720

ntop offers an embedded

721

web server to present the information that has been so

722

painstakingly gathered. An external HTTP server is NOT

723

required NOR supported. The ntop web server is

724

embedded into the application. These parameters specify the

725

port (and optionally the address (i.e. interface)) of the

726

ntop web server.

727

728

For example, if

729

started with -w 3000 (the default port), the URL to access

730

ntop is http://hostname:3000/. If started with a full

731

specification, e.g. -w 192.168.1.1:3000, ntop listens

732

on only that address/port combination.

733

734

If -w is set to

735

0 the web server will not listen for http://

736

connections.

737

738

-W operates

739

similarly, but controls the port for the https://

740

connections.

741

742

Some

743

examples:

744

745

ntop -w 3000

746

-W 0 (this is the default setting) HTTP requests on port

747

3000 and no HTTPS.

748

749

ntop -w 80

750

-W 443 Both HTTP and HTTPS have been enabled on their

751

most common ports.

752

753

ntop -w 0 -W

754

443 HTTP disabled, HTTPS enabled on the common port.

755

756

Certain

757

sensitive, configuration pages of the ntop web server

758

are protected by a userid/password. By default, these are

759

the user/URL administration, filter, shutdown and reset

760

stats are password protected

761

and are accessible initially only to user admin with

762

a password set during the first run of ntop.

763

764

Users can

765

modify/add/delete users/URLs using ntop itself - see the

766

Admin tab.

767

768

The passwords,

769

userids and URLs to protect with passwords are stored in a

770

database file. Passwords are stored in an encrypted form in

771

the database for further security. Best practices call for

772

securing that database so that only the ntop user can

773

read it.

774

775

There is a

776

discussion in docs/FAQ about further securing the

777

ntop environment.

778

779

-z |

780

--disable-sessions

781

782

This parameter disables TCP

783

session tracking. Use it for better performance or when you

784

don’t really need/care to track sessions.

785

786

-A |

787

--set-admin-password

788

789

This parameter is used to start

790

ntop , set the admin password and quit. It is quite

791

useful for installers that need to automatically set the

792

password for the admin user.

793

794

-A and

795

--set-admin-password (without a value) will prompt the user

796

for the password.

797

798

You may also

799

use this parameter to set a specific value using

800

--set-admin-password=value. The = is REQUIRED and no

801

spaces are permitted!

802

803

If you attempt

804

to run ntop as a daemon without setting a password, a

805

FATAL ERROR message is generated and ntop stops.

806

807

-B |

808

--filter-expression

809

810

Filters allows the user to

811

restrict the traffic seen by ntop on just about any

812

imaginable item.

813

814

The filter

815

expression is set at run time by this parameter, but it may

816

be changed during the ntop run on the Admin | Change

817

Filter web page.

818

819

The basic

820

format is -B filter , where the quotes are

821

REQUIRED

822

823

The syntax of

824

the filter expression uses the same BPF (Berkeley Packet

825

Filter) expressions used by other packages such as

826

tcpdump

827

828

For instance,

829

suppose you are interested only in the traffic

830

generated/received by the host jake.unipi.it. ntop

831

can then be started with the following filter:

832

833

ntop -B src

834

host jake.unipi.it or dst host jake.unipi.it

835

836

or in

837

shorthand:

838

839

ntop -B host

840

jake.unipi.it or host jake.unipi.it

841

842

See the

843

’expression’ section of the tcpdump man

844

page - usually available at

845

http://www.tcpdump.org/tcpdump_man.html - for further

846

information and the best quick guide to BPF filters

847

currently available.

848

849

WARNING: If you

850

are using complex filter expressions, especially those with

851

=s or meaningful spaces in them, be sure and use the long

852

option format, --filter-expression="xxxx" and not

853

-B "xxxx".

854

855

-C |

856

857

This instruments ntop to be

858

used in two configurations: host and network mode. In host

859

mode (default) ntop works as usual: the IP addresses

860

received are those of real hosts. In host mode the IP

861

addresses received are those of the C-class network to which

862

the address belongs. Using ntop in network mode is extremely

863

useful when installed in a traffic exchange (e.g. in the

864

middle of the Internet) whereas the host mode should be used

865

when ntop is installed on the edge of a network (e.g. inside

866

a company). The network mode significantly reduces the

867

amount of work ntop has to perform and it has to be used

868

whenever ntop is used to find out how the network traffic

869

flows and not to pin-point specific hosts.

870

871

-D | --domain

872

873

This identifies the local

874

domain suffix, e.g. ntop.org. It may be necessary, if

875

ntop is having difficulty determining it from the

876

interface.

877

878

-F | --flow-spec

879

880

It is used to specify network

881

flows similar to more powerful applications such as

882

NeTraMet. A flow is a stream of captured packets that match

883

a specified rule. The format is

884

885

886

<flow-label>=’<matching

887

expression>’[,<flow-label>=’<matching

888

expression>’]

889

890

, where the

891

label is used to symbolically identify the flow specified by

892

the expression. The expression is a bpf (Berkeley Packet

893

Filter) expression. If an expression is specified, then the

894

information concerning flows can be accessed following the

895

ML link named ’List NetFlows’.

896

897

For instance

898

define two flows with the following expression

899

LucaHosts=’host jake.unipi.it or host

900

pisanino.unipi.it’,GatewayRoutedPkts=’gateway

901

gateway.unipi.it’ .

902

903

All the traffic

904

sent/received by hosts jake.unipi.it or pisanino.unipi.it is

905

collected by ntop and added to the LucaHosts flow,

906

whereas all the packet routed by the gateway

907

gateway.unipi.it are added to the GatewayRoutedPkts flow. If

908

the flows list is very long you may store in a file (for

909

instance flows.list) and specify the file name instead of

910

the actual flows list (in the above example, this would be

911

’ntop -F flows.list’).

912

913

Note that the

914

double quotations around the entire flow expression are

915

required.

916

917

-K | --enable-debug

918

919

Use this parameter to simplify

920

application debug. It does three things: 1. Does not fork()

921

on the "read only" html pages. 2. Displays mutex

922

values on the configuration (info.html) page. 3. (If

923

available - glibc/gcc) Activates an automated backtrace on

924

application errors.

925

926

-L |

927

--use-syslog=facility

928

929

Use this parameter to send log

930

messages to the system log instead of stdout.

931

932

-L and the

933

simple form --use-syslog use the default log facility,

934

defined as LOG_DAEMON in the #define symbol

935

DEFAULT_SYSLOG_FACILITY in globals-defines.h.

936

937

The complex

938

form, --use-syslog=facility will set the log facility to

939

whatever value (e.g. local3, security) you specify. The =

940

is REQUIRED and no spaces are allowed!

941

942

This setting

943

applies both to ntop and to any child fork()ed for

944

reporting. If this parameter is not specified, any fork()ed

945

child will use the default value and will log it’s

946

messages to the system log (this occurs because the fork()ed

947

child must give up it’s access to the parents

948

stdout).

949

950

Because various

951

systems do not make the permissible names available, we have

952

a table at the end of globals-core.c. Look for

953

myFacilityNames.

954

955

-M |

956

--no-interface-merge

957

958

By default, ntop merges

959

the data collected from all of the interfaces (NICs) it is

960

monitoring into a single set of counters.

961

962

If you have a

963

simple network, say a small LAN with a connection to the

964

internet, merging data is good as it gives you a better

965

picture of the whole network. For larger, more complex

966

networks, this may not be desirable. You may also have other

967

reasons for wishing to monitor each interface separately,

968

for example DMZ vs. LAN traffic.

969

970

This option

971

instructs ntop not to merge network interfaces

972

together. This means that ntop will collect

973

statistics for each interface and report them

974

separately.

975

976

Only ONE

977

interface may be reported on at a time - use the Admin |

978

Switch NIC option on the web server to select which

979

interface to report upon.

980

981

Note that

982

activating either the netFlow and/or sFlow plugins will

983

force the setting of -M. Once enabled, you cannot go

984

back.

985

986

-N | --wwn-map

987

988

This options names the file

989

providing the map of WWN to FCID/VSAN ids.

990

991

-O |

992

--output-packet-path

993

994

This parameter defines the base

995

path for the ntop-suspicious-pkts.XXX.pcap and normal packet

996

dump files.

997

998

If this

999

parameter is not specified, the default value is the

1000

config.h parameter CFG_DBFILE_DIR, which is set during

1001

./configure from the --localstatedir= parameter. If

1002

--localstatedir is not specified, it defaults to the

1003

--prefix value plus /var (e.g. /usr/local/var).

1004

1005

Be aware that

1006

this may not be what you expect when running ntop as

1007

a daemon or Windows service. Setting an explicit and

1008

absolute path value is STRONGLY recommended if you

1009

use this facility.

1010

1011

-P | --db-file-path

1012

-Q | --spool-file-path

1013

1014

These parameters specify where

1015

ntop stores database files.

1016

1017

There are two

1018

types, ’temporary’ - that is ones which need not

1019

be retained from ntop run to ntop run, and

1020

’permanent’, which must be retained (or

1021

recreated).

1022

1023

The

1024

’permanent’ databases are the preferences,

1025

"prefsCache.db" and the password file,

1026

"ntop_pw.db". These are stored in the -P |

1027

--db-file-path specified location.

1028

1029

Certain plugins

1030

use the -P | --db-file-path specified location for their

1031

database ("LsWatch.db") or (as a default value)

1032

for files (.../rrd/...).

1033

1034

The

1035

’temporary’ databases are the address queue,

1036

"addressQueue.db", the cached DNS resolutions,

1037

"dnsCache.db" and the MAC prefix (vendor table),

1038

"macPrefix.db".

1039

1040

If only -P |

1041

--db-file-path is specified, it is used for both types of

1042

databases.

1043

1044

The directories

1045

named must allow read/write and file creation by the

1046

ntop user. For security, nobody else should have even

1047

read access to these files.

1048

1049

Note that the

1050

default value is the config.h parameter CFG_DBFILE_DIR. This

1051

is set during ./configure from the --localstatedir=

1052

parameter. If --localstatedir is not specified, it defaults

1053

to the --prefix value plus /var (e.g. /usr/local/var).

1054

1055

This may not be

1056

what you expect when running ntop as a daemon or

1057

Windows service.

1058

1059

Note that on

1060

versions of ntop prior to 2.3, these parameters

1061

defaulted to "." (the current working directory,

1062

e.g. the value returned by the pwd command) and caused havoc

1063

as it was different when ntop was run from the

1064

command line, vs. run via cron, vs. run from an

1065

initialization script.

1066

1067

Setting an

1068

explicit and absolute path value is STRONGLY

1069

recommended.

1070

1071

-U | --mapper

1072

1073

Specifies the URL of the

1074

mapper.pl utility.

1075

1076

If provided,

1077

ntop creates a clickable hyperlink on the ’Info

1078

about host xxxxxx’ page to this URL by appending

1079

?host=xxxxx. Any type of host lookup could be performed, but

1080

this is intended to lookup the geographical location of the

1081

host.

1082

1083

A cgi-based

1084

mapper interface to http://www.multimap.com is part of the

1085

ntop distribution [see www/Perl/mapper.pl]).

1086

1087

-V | --version

1088

1089

Prints ntop version

1090

information and then exits.

1091

1092

-W | --https-server

1093

1094

(See the joint documentation

1095

with the -w parameter, above)

1096

1097

1098

--disable-instantsessionpurge

1099

1100

ntop sets completed

1101

sessions as ’timed out’ and then purge them

1102

almost instantly, which is not the behavior you might expect

1103

from the discussions about purge timeouts. This switch makes

1104

ntop respect the timeouts for completed sessions. It is NOT

1105

the default because a busy web server may have 100s or 1000s

1106

of completed sessions and this would significantly increase

1107

the amount of memory ntop uses.

1108

1109

1110

--disable-mutexextrainfo

1111

1112

ntop stores extra

1113

information about the locks and unlocks of the protective

1114

mutexes it uses. Since ntop uses fine-grained

1115

locking, this information is updated frequently. On some

1116

OSes, the system calls used to collect this informatio

1117

(getpid() and gettimeofday()) are expensive. This option

1118

disables the extra information. It should have no processing

1119

impact on ntop

1120

- however should ntop actually deadlock, we would

1121

lose the information that sometimes tells us why.

1122

1123

--fc-only

1124

1125

Display only

1126

Fibre Channel statistics.

1127

1128

--instance

1129

1130

You can run

1131

multiple instances of ntop simultaneously by

1132

specifying different -P values (typically through separate

1133

ntop.conf files). If you set a value for this parameter

1134

(available only on the command line), you (1) display the

1135

’instance’ name on every web page and (2) alter

1136

the log prefix from "NTOP" to your chosen

1137

value.

1138

1139

If you want to

1140

make the tag more obvious, create a .instance class in

1141

style.css, e.g.:

1142

1143

.instance {

1144

1145

color: #666666;

1146

font-size: 18pt;

1147

}

1148

1149

Note (UNIX): To

1150

run completely different versions of the ntop binary,

1151

you need to compile and install into a different library

1152

(using ./configure --prefix) and then specify the

1153

LD_LIBRARY_PATH before invoking, e.g.

1154

1155

1156

LD_LIBRARY_PATH=/devel/lib/ntop/:...

1157

/devel/bin/ntop ...args...

1158

1159

If present, a

1160

file of the form <instance>_ntop_logo.gif will be used

1161

instead of the normal ntop_logo.gif. This is tested for ONLY

1162

once, at the beginning of the run. The EXACT word(s) of the

1163

--instance flag are used, without testing if they make a

1164

proper file name. If - for any reason - the file is not

1165

found, an informational message is logged and the normal

1166

logo file is used. To construct your own logo, make it a

1167

300x40 transparent gif.

1168

1169

NOTE: On the

1170

web pages, ntop uses the dladdr() function. The

1171

original Solaris routine had a bug, replicated in FreeBSD

1172

(and possibly other places) where it uses the ARGV[0] value

1173

- which might be erroneous - instead of the actual file

1174

name. If the ’running from’ value looks bogus

1175

but the ’libaries in’ value looks ok, go with

1176

the libarary.

1177

1178

--no-fc

1179

1180

Disable

1181

processing & Display of Fibre Channel

1182

1183

--no-invalid-lun

1184

1185

Don’t

1186

display Invalid LUN information.

1187

1188

--p3p-cp

1189

--p3p-uri

1190

1191

P3P is a W3C

1192

recommendation - http://www.w3.org/TR/P3P/ - for specifying

1193

personal information a site collects and what it does with

1194

the information. These parameters allow to return P3P

1195

information. We do not supply samples.

1196

1197

--pcap_setnonblock

1198

1199

On some platforms, the

1200

ntop web server will hang or appear to hang (it

1201

actually just responds incredibly slowly to the first

1202

request from a browser session), while the rest of

1203

ntop runs just fine. This is known to be an issue

1204

under FreeBSD 4.x.

1205

1206

This option

1207

sets the non-blocking option (assuming it’s available

1208

in the version of libpcap that is installed).

1209

1210

While this

1211

works around the problem (by turing an interupt driven

1212

process into a poll), it also MAY signifcantly increases the

1213

cpu usage of ntop. Although it does not actually

1214

interfere with other work, seeing ntop use 80-90% or

1215

more of the cpu is not uncommon - don’t say we

1216

didn’t warn you.

1217

1218

THIS OPTION

1219

IS OFFICIALLY UNSUPPORTED and used at your own risk.

1220

Read the docs/FAQ write-up.

1221

1222

1223

--skip-version-check

1224

1225

By default, ntop

1226

accesses a remote file to periodically check if the most

1227

current version is running. This option disables that check.

1228

Please review the privacy notice at the bottom of this page

1229

for more information. By default, the recheck period is

1230

slightly more than 15 days. This can be adjusted via a

1231

constant in globals-defines.h. If the result of the initial

1232

check indicates that the ntop version is a ’new

1233

development’ version (that is newer than the latest

1234

published development version), the recheck is disabled.

1235

This is because which fixes and enhancements were

1236

present/absent from the code.

1237

1238

NOTE: At

1239

present, the recheck does not work under Windows.

1240

1241

--ssl-watchdog

1242

1243

Enable a

1244

watchdog for webserver hangs. These usually happen when

1245

connecting with older browsers. The user gets nothing back

1246

and other users can’t connect. Internally, packet

1247

processing continues but there is no way to access the data

1248

through the web server or shutdown ntop cleanly. With the

1249

watchdog, a timeout occurs after 3 seconds, and processing

1250

continues with a log message. Unfortunately, the user sees

1251

nothing - it just looks like a failed connection. (also

1252

available as a ./configure option, --enable-sslwatchdog)

1253

1254

--w3c

1255

1256

By default, ntop

1257

generates displayable but not great html. There are a number

1258

of tags we do not generate because they cause problems with

1259

older browsers which are still commonly used or are

1260

important to look good on real-world browsers. This flag

1261

tells ntop to generate ’BETTER’ (but not

1262

perfect) w3c compliant html 4.01 output. This in no way

1263

addresses all of the compatibility and markup issues. Over

1264

time, we would like to make ntop more compatible, but

1265

it will never be 100%. If you find any issues, please report

1266

them to ntop-dev.

1267

1268

-4 | --ipv4

1269

1270

Use IPv4 connections.

1271

1272

-6 | --ipv6

1273

1274

Use IPv6 connections

1275

1276

1277

<h2>WEB VIEWS</h2>

1278

1279

1280

While

1281

ntop is running, multiple users can access the

1282

traffic information using their web browsers. ntop

1283

does not generate ’fancy’ or

1284

’complex’ html, although it does use frames,

1285

shallowly nested tables and makes some use of JavaScript and

1286

Cascading Style Sheets.

1287

1288

Beginning with

1289

release 3.1, the menus are cascading dropdowns via

1290

JSCookMenu. With release 3.2, this extends to plugins.

1291

1292

We do not

1293

expect problems with any current web browser, but our

1294

ability to test with less common ones is very limited.

1295

Testing has included Firefox and Internet Explorer, with

1296

very limited testing on other current common browsers such

1297

as Opera.

1298

1299

In

1300

documentation and this man page, when we refer to a page

1301

such as Admin | Switch NIC, we mean the Broad category

1302

"Admin" and the detailed item "Switch

1303

NIC" on that Admin menu.

1304

1305

1306

<h2>NOTES</h2>

1307

1308

1309

ntop

1310

requires a number of external tools and libraries to

1311

operate. Certain other tools are optional, but add to the

1312

program’s capabilities.

1313

--webserver-queue

1314

1315

Specifies the maximum number of

1316

web server requests for the tcp/ip stack to retain in

1317

it’s queue awaiting delivery to the ntop web

1318

server. Requests in excess of this queue may be dropped

1319

(allowing for retransmission) or rejected at the tcp/ip

1320

stack level, depending upon the OS. Whatever happens,

1321

happens at the OS level, without any information being

1322

delivered to ntop

1323

1324

Required

1325

libraries include:

1326

1327

libpcap

1328

from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3

1329

or newer is strongly recommended.

1330

1331

The Windows

1332

version makes use of WinPcap (libpcap for Windows)

1333

which may be downloaded from

1334

http://winpcap.polito.it/install/default.htm.

1335

1336

WARNING: The

1337

2.x releases of WinPcap will NOT support SMP

1338

machines.

1339

1340

gdbm

1341

from http://www.gnu.org/software/gdbm/gdbm.html

1342

1343

ntop

1344

requires a POSIX threads library. As of ntop 3.2, the

1345

single-threaded version of ntop is no longer

1346

available.

1347

1348

The gd

1349

2.x library, for the creation of png files, available at

1350

http://www.boutell.com/gd/.

1351

1352

The

1353

libpng 1.2.x library, for the creation of png files,

1354

available at http://www.libpng.org/pub/png/libpng.html.

1355

1356

ntop

1357

should support both gd 1.X and libpng 1.0.x libraries but

1358

this has not been tested. Note that there are

1359

incompatibilities if you compile with one version of these

1360

libraries and then run with the other. Please read the

1361

discussion in docs/FAQ before reporting ANY problems of this

1362

nature.

1363

1364

(if an https://

1365

server is desired) openSSL from the OpenSSL project

1366

available at http://www.openssl.org.

1367

1368

The

1369

rrdtool library is required by the rrd plugin.

1370

rrdtool creates ’Round-Robin databases’ which

1371

are used to store and graph historical data in a format that

1372

permits long duration retention without growing larger over

1373

time. The rrdtool home page is

1374

http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

1375

1376

ntop

1377

includes a limited version of rrdtool 1.0.49 in the myrrd/

1378

directory. Users of ntop 3.2 should not need to

1379

specifically install rrdtool.

1380

1381

The

1382

sflow Plugin is courtesy of and supported by InMon

1383

Corporation, http://www.inmon.com/sflowTools.htm.

1384

1385

There are other

1386

optional libraries. See the output of ./configure for a

1387

fuller listing.

1388

1389

Tool locations

1390

are current as of August 2005 - please send email to report

1391

new locations or dead links.

1392

1393

1394

1395

1396

1397

top(1),

1398

tcpdump(8). pcap(3).

1399

1400

1401

<h2>PRIVACY NOTICE</h2>

1402

1403

1404

By default at

1405

startup and at periodic intervals, the ntop program

1406

will retrieve a file containing current ntop program version

1407

information. Retrieving this file allows this ntop

1408

instance to confirm that it is running the most current

1409

version.

1410

1411

The retrieval

1412

is done using standard http:// requests, which will create

1413

log records on the hosting system. These log records do

1414

contain information which identifies a specific ntop

1415

site. Accordingly, you are being notified that this

1416

individually identifiable information is being transmitted

1417

and recorded.

1418

1419

You may request

1420

- via the --skip-version-check run-time option - that

1421

this check be eliminated. If you use this option, no

1422

individually identifiable information is transmitted or

1423

recorded, because the entire retrieval and check is

1424

skipped.

1425

1426

We ask you to

1427

allow this retrieval and check, because it benefits both you

1428

and the ntop developers. It benefits you because you

1429

will be automatically notified if the ntop program

1430

version is obsolete, becomes unsupported or is no longer

1431

current. It benefits the developers of ntop because

1432

it allows us to determine the number of active ntop

1433

instances, and the operating system/versions that users are

1434

running ntop under. This allows us to focus

1435

development resources on systems like those our users are

1436

using ntop on.

1437

1438

The

1439

individually identifiable information is contained in the

1440

web server log records which are automatically created each

1441

time the version file is retrieved. This is a function of

1442

the web server and not of ntop , but we do take

1443

advantage of it. The log record shows the IP address of the

1444

requestor (the ntop instance) and a User-Agent header

1445

field. We place information in the User-Agent header as

1446

follows:

1447

1448

1449

ntop/<version>

1450

1451

host/<name from config.guess>

1452

distro/<if one>

1453

release/<of the distro, also if one>

1454

kernrlse/<kernel version or release>

1455

GCC/<version>

1456

config() <condensed parameters from ./configure>

1457

run() <condensed flags - no data - from the execution

1458

line>

1459

libpcap/<version>

1460

gdbm/<version>

1461

openssl/<version>

1462

zlib/<version>

1463

access/<http, https, both or none>

1464

interfaces() <given interface names>

1465

1466

For

1467

example:

1468

1469

ntop/2.2.98

1470

host/i686-pc-linux-gnu distro/redhat release/9

1471

kernrlse/2.4.20-8smp

1472

GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m;

1473

instantsessionpurge;

1474

schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a

1475

zlib/1.1.4

1476

access/http interfaces(eth0,eth1)

1477

1478

Distro and

1479

release information is determined at compile time and

1480

consists of information typically found in the /etc/release

1481

(or similar) file. See the ntop tool linuxrelease for

1482

how this is determined.

1483

1484

gcc compiler

1485

version (if available) is the internal version #s for the

1486

gcc compiler, e.g. 3.2.3.

1487

1488

kernrlse is the

1489

Linux Kernel version or the xBSD ’release’ such

1490

as 4.9-RELEASE and is determined from the uname data (if

1491

it’s available).

1492

1493

The ./configure

1494

parameters are stripped of directory paths, leading -s, etc.

1495

to create a short form that shows us what ./configure

1496

parameters people are using.

1497

1498

Similarly, the

1499

run time parameters are stripped of data and paths, just

1500

showing which flags are being used.

1501

1502

The libpcap,

1503

gdbm, openssl and zlib versions come from the strings

1504

returned by the various inquiry functions (if they’re

1505

availabe).

1506

1507

Here’s a

1508

sample log record:

1509

1510

67.xxx.xxx.xxx

1511

- - [28/Dec/2003:12:11:46 -0500] "GET /version.xml

1512

TP/1.0"

1513

200 1568 www.burtonstrauss.com "-"

1514

"ntop/2.2.98 host/i686-pc-linux-gnu

1515

distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2

1516

config(i18n)

1517

run(i; u; P; w; t; logextra; m; instantsessionpurge;

1518

schedyield; d;

1519

usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4

1520

access/http

1521

interfaces(eth0,eth1,eth2)" "-"

1522

1523

1524

<h2>USER SUPPORT</h2>

1525

1526

1527

Please send bug

1528

reports to the ntop-dev <ntop-dev@ntop.org> mailing

1529

list. The ntop <ntop@ntop.org> mailing list is used

1530

for discussing ntop usage issues. In order to post messages

1531

on the lists a (free) subscription is required to

1532

limit/avoid spam. Please do NOT contact the author directly

1533

unless this is a personal question.

1534

1535

Commercial

1536

support is available upon request. Please see the ntop site

1537

for further info.

1538

1539

Please send

1540

code patches to <patch@ntop.org>.

1541

1542

1543

<h2>AUTHOR</h2>

1544

1545

1546

ntop’s

1547

author is Luca Deri (http://luca.ntop.org/) who can be

1548

reached at <deri@ntop.org>.

1549

1550

1551

<h2>LICENCE</h2>

1552

1553

1554

ntop is

1555

distributed under the GNU GPL licence

1556

(http://www.gnu.org/).

1557

1558

1559

<h2>ACKNOWLEDGMENTS</h2>

1560

1561

1562

The author

1563

acknowledges the Centro Serra of the University of Pisa,

1564

Italy (http://www-serra.unipi.it/) for hosting the ntop

1565

sites (both web and mailing lists), and Burton Strauss

1566

<burton@ntopsupport.com> for his help and user

1567

assistance. Many thanks to Stefano Suin

1568

<stefano@ntop.org> and Rocco Carbone

1569

<rocco@ntop.org> for contributing to the project.

1570

<hr>

1571

</body>

1572

</html>

Older »