<!-- Creator : groff version 1.19.2 -->
<!-- CreationDate: Sat Jan 9 14:52:42 2010 -->
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta http-equiv="Content-Type" content="text/html; charset=US-ASCII">
<meta name="Content-Style" content="text/css">
<style type="text/css">
p { margin-top: 0; margin-bottom: 0; }
pre { margin-top: 0; margin-bottom: 0; }
table { margin-top: 0; margin-bottom: 0; }
<h1 align=center>NTOP</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#COMMAND−LINE OPTIONS">COMMAND−LINE OPTIONS</a><br>
<a href="#WEB VIEWS">WEB VIEWS</a><br>
<a href="#NOTES">NOTES</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<a href="#PRIVACY NOTICE">PRIVACY NOTICE</a><br>
<a href="#USER SUPPORT">USER SUPPORT</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#LICENCE">LICENCE</a><br>
<a href="#ACKNOWLEDGMENTS">ACKNOWLEDGMENTS</a><br>
<p style="margin-left:11%; margin-top: 1em">ntop −
display top network users</p>
<a name="SYNOPSIS"></a>
<p style="margin-left:11%; margin-top: 1em"><b>ntop</b>
[<b>@filename</b>] [<b>-a</b>|<b>--access-log-file</b>
<i><path></i>] [<b>-b</b>|<b>--disable-decoders</b>]
[<b>-c</b>|<b>--sticky-hosts</b>]
[<b>-e</b>|<b>--max-table-rows</b>]
[<b>-f</b>|<b>--traffic-dump-file</b> <i><file></i>]
[<b>-g</b>|<b>--track-local-hosts</b>]
[<b>-h</b>|<b>--help</b>]
[<b>-j</b>|<b>--create-other-packets</b>]
[<b>-l</b>|<b>--pcap-log</b> <i><path></i>]
[<b>-m</b>|<b>--local-subnets</b> <i><addresses></i>]
[<b>-n</b>|<b>--numeric-ip-addresses</b>]
[<b>-o</b>|<b>--no-mac</b>] [<b>-p</b>|<b>--protocols</b>
[<b>-q</b>|<b>--create-suspicious-packets</b>]
[<b>-r</b>|<b>--refresh-time</b> <i><number></i>]
[<b>-s</b>|<b>--no-promiscuous</b>]
[<b>-t</b>|<b>--trace-level</b> <i><number></i>]
[<b>-x</b> <i><max_num_hash_entries></i>]
[<b>-w</b>|<b>--http-server</b> <i><port></i>]
[<b>-z</b>|<b>--disable-sessions</b>]
[<b>-A</b>|<b>--set-admin-password</b> <i>password</i>]
[<b>-B</b>|<b>--filter-expression</b> <i>expression</i>]
[<b>-C</b> <i><config mode></i>]
[<b>-D</b>|<b>--domain</b> <i><name></i>]
[<b>-F</b>|<b>--flow-spec</b> <i><specs></i>]
[<b>-M</b>|<b>--no-interface-merge</b>]
[<b>-N</b>|<b>--wwn-map</b> <i><path></i>]
[<b>-O</b>|<b>--output-packet-path</b>
<i><path></i>] [<b>-P</b>|<b>--db-file-path</b>
<i><path></i>] [<b>-Q</b>|<b>--spool-file-path</b>
<i><path></i>] [<b>-U</b>|<b>--mapper</b>
<i><URL></i>] [<b>-V</b>|<b>--version</b>] [<b>-X</b>
<i><max_num_TCP_sessions></i>]
[<b>--disable-instantsessionpurge</b>]
[<b>--disable-mutexextrainfo</b>] [<b>--fc-only</b>]
[<b>--instance</b>] [<b>--no-fc</b>]
[<b>--no-invalid-lun</b>] [<b>--p3p-cp</b>]
[<b>--p3p-uri</b>] [<b>--skip-version-check</b>]
[<b>--w3c</b>] [<b>-4</b>|<b>--ipv4</b>]
[<b>-6</b>|<b>--ipv6</b>]</p>
<p style="margin-left:11%; margin-top: 1em">Unix
<p style="margin-left:11%; margin-top: 1em">[<b>-d</b>|<b>--daemon</b>]
[<b>-i</b>|<b>--interface</b> <i><name></i>]
[<b>-u</b>|<b>--user</b> <i><user></i>]
[<b>-K</b>|<b>--enable-debug</b>] [<b>-L</b>]
[<b>--pcap_setnonblock</b>] [<b>--use-syslog=</b>
<i><facility></i>] [<b>--webserver-queue</b>
<i><number></i>]</p>
<p style="margin-left:11%; margin-top: 1em">Windows
<p style="margin-left:11%; margin-top: 1em">[<b>-i</b>|<b>--interface</b>
<i><number|name></i>]</p>
<p style="margin-left:11%; margin-top: 1em">OpenSSL
<p style="margin-left:11%; margin-top: 1em">[<b>-W</b>|<b>--https-server</b>
<i><port></i>] [<b>--ssl-watchdog</b>]</p>
<a name="DESCRIPTION"></a>
<p style="margin-left:11%; margin-top: 1em"><b>ntop</b>
shows the current network usage. It displays a list of hosts
that are currently using the network and reports information
concerning the (IP and non-IP) traffic generated and
received by each host. <b>ntop</b> may operate as a
front-end collector (sFlow and/or netFlow plugins) or as a
stand-alone collector/display program. A web browser is
needed to access the information captured by the <b>ntop</b>
<p style="margin-left:11%; margin-top: 1em"><b>ntop</b> is
a hybrid layer 2 / layer 3 network monitor, that is, by
default it uses the layer 2 Media Access Control (MAC)
addresses AND the layer 3 tcp/ip addresses. <b>ntop</b> is
capable of associating the two, so that ip and non-ip
traffic (e.g. arp, rarp) are combined for a complete picture
of network activity.</p>
<a name="COMMAND−LINE OPTIONS"></a>
<h2>COMMAND−LINE OPTIONS</h2>
<p style="margin-left:11%; margin-top: 1em"><b>@filename</b></p>
<p style="margin-left:12%;">The text of <b>filename</b> is
copied - ignoring line breaks and comment lines (anything
following a #) - into the command line. <b>ntop</b> behaves
as if all of the text had simply been typed directly on the
command line. For example, if the command line is "-t 3
@d -u ntop" and file d contains just the line
’-d’, then the effective command line is -t 3 -d
-u ntop. Multiple @s are permitted. Nested @s (an @ inside
the file) are not permitted.</p>
<p style="margin-left:12%; margin-top: 1em">Remember, most
<b>ntop</b> options are "sticky", that is they
just set an internal flag. Invoking them multiple times
doesn’t change <b>ntop’s</b> behavior. However,
options that set a value, such as --trace-level, will use
the LAST value given: --trace-level 2 --trace-level 3 will
run as --trace-level 3.</p>
<p style="margin-left:12%; margin-top: 1em">Beginning with
3.1, many command-line options may also be set via the web
browser interface. These changes take effect on the next run
of <b>ntop</b> and on each subsequent run until changed.</p>
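<p style="margin-left:12%; margin-top: 1em">To make the @filename and last-value-wins rules concrete, here is an added Python example (not ntop's own code) that expands @file arguments as described above and resolves repeated value-taking options; the file names and contents it reads are constructed, and splitting file text on whitespace is this example's simplification.</p>

```python
"""Model of ntop's @filename command-line expansion (added example).

This is not ntop's own code: it implements the rules the man page states
for @filename (file text copied into the command line, line breaks ignored,
anything after a '#' dropped, several @files allowed, nested @ rejected) and
the "last value wins" rule for options that take a value, e.g. --trace-level.
Tokens are split on whitespace, which is this example's simplification.
"""
from typing import Callable, Dict, List

# Constructed stand-ins for files on disk; the names are hypothetical.
SAMPLE_FILES: Dict[str, str] = {
    "d": "-d\n",
    "opts": (
        "# comment lines are ignored entirely\n"
        "-d   # anything after a '#' is dropped\n"
        "--trace-level 2\n"
        "--trace-level 3\n"
    ),
    "nested": "-d @d\n",
}

# Short/long spellings of the value-taking options used in this example.
VALUE_OPTIONS: Dict[str, str] = {
    "-t": "--trace-level", "--trace-level": "--trace-level",
    "-u": "--user", "--user": "--user",
    "-i": "--interface", "--interface": "--interface",
}


def file_to_args(text: str) -> List[str]:
    """Turn file contents into argv words: strip comments, ignore line breaks."""
    words: List[str] = []
    for line in text.splitlines():
        words.extend(line.split("#", 1)[0].split())
    return words


def expand_at_files(argv: List[str], read_file: Callable[[str], str]) -> List[str]:
    """Replace every @filename argument with the words of that file.

    Multiple @ arguments are fine; an @ word found inside a file is a nested
    @ and is rejected, as the man page says it is not permitted.
    """
    expanded: List[str] = []
    for arg in argv:
        if not (arg.startswith("@") and len(arg) > 1):
            expanded.append(arg)
            continue
        for word in file_to_args(read_file(arg[1:])):
            if word.startswith("@"):
                raise ValueError(f"nested @ not permitted: {word!r} inside {arg}")
            expanded.append(word)
    return expanded


def effective_values(argv: List[str]) -> Dict[str, str]:
    """Resolve value-taking options: the LAST value given wins.

    Accepts both '--opt value' and '--opt=value'; keys are the long names.
    """
    values: Dict[str, str] = {}
    i = 0
    while i < len(argv):
        name, sep, inline_value = argv[i].partition("=")
        if name in VALUE_OPTIONS:
            canonical = VALUE_OPTIONS[name]
            if sep:
                values[canonical] = inline_value
            elif i + 1 < len(argv):
                values[canonical] = argv[i + 1]
                i += 1
        i += 1
    return values


if __name__ == "__main__":
    argv = expand_at_files(["-t", "3", "@d", "-u", "ntop"], SAMPLE_FILES.__getitem__)
    print(" ".join(argv))  # -t 3 -d -u ntop
    print(effective_values(expand_at_files(["@opts"], SAMPLE_FILES.__getitem__)))
```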
<p style="margin-left:11%;"><b>-a |
--access-log-file</b></p>
<p style="margin-left:12%;">By default <b>ntop</b> does not
maintain a log of HTTP requests to the internal web server.
Use this parameter to request logging and to specify the
location of the file where these HTTP requests are
<p style="margin-left:12%; margin-top: 1em">Each log entry
is in Apache-like style. The only difference between Apache
and <b>ntop</b> logs is that an additional column has been
added which has the time (in milliseconds) that <b>ntop</b>
needed to serve the request. Log entries look like this:</p>
<p style="margin-left:12%; margin-top: 1em">192.168.1.1 - -
[04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1"
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET
/index_top.html HTTP/1.1" 200 1854 4 <br>
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET
/index_inner.html HTTP/1.1" 200 1441 7 <br>
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET
/index_left.html HTTP/1.1" 200 1356 4 <br>
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET
/home_.html HTTP/1.1" 200 154/617 9 <br>
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET
/home.html HTTP/1.1" 200 1100/3195 10 <br>
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET
/About.html HTTP/1.1" 200 2010 10</p>
<p style="margin-left:12%; margin-top: 1em">This parameter
is the complete file name of the access log. In prior
releases it was erroneously called --access-log-path.</p>
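<p style="margin-left:12%; margin-top: 1em">As an added example (not part of ntop), the following Python parser reads access-log lines in the format shown above, including the trailing milliseconds column, and answers two questions a defender asks of such a log: which requests were slow to serve, and which hosts repeatedly received 401 responses on protected pages. The log text, the second host and the paths it requests are constructed; the size column sometimes carries two numbers as "a/b", which the man page does not explain, so the parser keeps both rather than guessing.</p>

```python
"""Parser for ntop's Apache-like access log (added example, not ntop's code).

Each line has the Apache common-log fields plus a trailing column with the
milliseconds ntop needed to serve the request. Note the extra "-" after the
timestamp that the man page's sample lines show. The size column sometimes
carries two numbers as "a/b"; the man page does not explain them, so the
parser keeps both instead of guessing. The log text below is constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] - '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<version>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>[\d/]+) (?P<ms>\d+)$'
)


@dataclass
class LogEntry:
    host: str
    user: str
    time: datetime
    method: str
    path: str
    status: int
    sizes: Tuple[int, ...]   # one number, or two when written as "a/b"
    ms: int                  # service time column added by ntop


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        host=m["host"],
        user=m["user"],
        time=datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
        method=m["method"],
        path=m["path"],
        status=int(m["status"]),
        sizes=tuple(int(x) for x in m["size"].split("/")),
        ms=int(m["ms"]),
    )


def parse_log(text: str) -> List[LogEntry]:
    """Parse every line, silently skipping lines that are not log entries."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def slow_requests(entries: List[LogEntry], threshold_ms: int) -> List[LogEntry]:
    """Requests whose service time exceeds the threshold (a capacity signal)."""
    return [e for e in entries if e.ms > threshold_ms]


def status_counts_by_host(entries: List[LogEntry], status: int) -> Dict[str, int]:
    """Per-host count of one status code, e.g. 401s against protected pages."""
    return dict(Counter(e.host for e in entries if e.status == status))


# Constructed sample log: the first lines mirror the man page's format;
# the 192.168.1.7 lines and the /example_* paths are invented here.
SAMPLE_LOG = """\
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
192.168.1.7 - - [04/Sep/2003:20:40:01 -0500] - "GET /example_admin.html HTTP/1.1" 401 0 1
192.168.1.7 - - [04/Sep/2003:20:40:02 -0500] - "GET /example_admin.html HTTP/1.1" 401 0 1
192.168.1.7 - - [04/Sep/2003:20:40:03 -0500] - "GET /example_admin.html HTTP/1.1" 401 0 1
192.168.1.1 - - [04/Sep/2003:20:41:10 -0500] - "GET /example_report.html HTTP/1.1" 200 48000 350
this line is not in access-log format and is skipped
"""

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(entries), "entries")
    print("slow:", [e.path for e in slow_requests(entries, 100)])
    print("401s by host:", status_counts_by_host(entries, 401))
```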
<p style="margin-left:11%;"><b>-b |
--disable-decoders</b></p>
<p style="margin-left:12%;">This parameter disables
protocol decoders.</p>
<p style="margin-left:12%; margin-top: 1em">Protocol
decoders examine and collect information about layer 2
protocols such as NetBIOS or Netware SAP, as well as about
specific tcp/ip (layer 3) protocols, such as DNS, http and
<p style="margin-left:12%; margin-top: 1em">This support is
specifically coded for each protocol and is different from
the capability to count raw information (packets and bytes)
by protocol specified by the -p | --protocols parameter,
<p style="margin-left:12%; margin-top: 1em">Decoding
protocols is a significant consumer of resources. If the
<b>ntop</b> host is underpowered or monitoring a very busy
network, you may wish to disable protocol decoding via this
parameter. It may also be appropriate to use this parameter
if you believe that <b>ntop</b> has problems handling some
protocols that occur on your network.</p>
<p style="margin-left:12%; margin-top: 1em">Even if
decoding is disabled, ftp-data traffic is still decoded to
look for passive ftp port commands.</p>
<p style="margin-left:11%;"><b>-c | --sticky-hosts</b></p>
<p style="margin-left:12%;">Use this parameter to prevent
idle hosts from being purged from memory.</p>
<p style="margin-left:12%; margin-top: 1em">By default idle
hosts are periodically purged from memory. An idle host is
identified when no packets from or to that host have been
monitored for the period of time defined by the value of
PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.</p>
<p style="margin-left:12%; margin-top: 1em">If you use this
option, all hosts - active and idle - are retained in memory
for the duration of the <b>ntop</b> run.</p>
<p style="margin-left:12%; margin-top: 1em">P2P users, port
scans, popular web servers and other activity will cause
<b>ntop</b> to record data about a large number of hosts. On
an active network, this will consume a significant - and
always growing - amount of memory. It is strongly
recommended that you use a filtering expression to limit the
hosts which are stored if you use --sticky-hosts.</p>
<p style="margin-left:12%; margin-top: 1em">The idle purge
is a statistical one - a random selection of the eligible
hosts will be purged during each cycle. Thus it is possible
on a busy system for an idle host to remain in the
<b>ntop</b> tables and appear ’active’ for some
considerable time after it is truly idle.</p>
<p style="margin-left:11%;"><b>-d | --daemon</b></p>
<p style="margin-left:12%;">This parameter causes ntop to
become a daemon, i.e. a task which runs in the background
without connection to a specific terminal. To use
<b>ntop</b> other than as a casual monitoring tool, you
probably will want to use this option.</p>
<p style="margin-left:12%; margin-top: 1em"><b>WARNING:</b>
If you are running as a daemon, the messages from
<b>ntop</b> will be ’printed’ on to stdout and
thus dropped. You probably don’t want to do this. So
remember to also use the -L or --use-syslog options to save
the messages into the system log.</p>
<p style="margin-left:11%;"><b>-e |
--max-table-rows</b></p>
<p style="margin-left:12%;">This defines the maximum number
of lines that <b>ntop</b> will display on each generated
HTML page. If there are more lines to be displayed than this
setting permits, only part of the data will be displayed.
There will be page forward/back arrows placed at the bottom
of the page for navigation between pages.</p>
<p style="margin-left:11%;"><b>-f |
--traffic-dump-file</b></p>
<p style="margin-left:12%;">By default, <b>ntop</b>
captures traffic from network interface cards (NICs) or from
netFlow/sFlow probes. However, <b>ntop</b> can also read
data from a file - typically a tcpdump capture or the output
from one of the <b>ntop</b> packet capture options.</p>
<p style="margin-left:12%; margin-top: 1em">If you specify
-f, <b>ntop</b> will not capture any traffic from NICs
during or after the file has been read. netFlow/sFlow
capture - if enabled - would still be active.</p>
<p style="margin-left:12%; margin-top: 1em">This option is
mostly used for debug purposes.</p>
<p style="margin-left:11%;"><b>-g |
--track-local-hosts</b></p>
<p style="margin-left:12%;">By default, <b>ntop</b> tracks
all hosts that it sees from packets captured on the various
NICs. Use this parameter to tell <b>ntop</b> to capture data
only about local hosts. Local hosts are defined based on the
addresses of the NICs and those networks identified as local
via the -m | --local-subnets parameter.</p>
<p style="margin-left:12%; margin-top: 1em">This parameter
is useful on large networks or those that see many hosts
(e.g. a border router or gateway), where information about
remote hosts is not desired/required to be tracked.</p>
<p style="margin-left:11%;"><b>-h | --help</b></p>
<p style="margin-left:12%;">Print help information for
<b>ntop</b>, including usage and parameters.</p>
<p style="margin-left:11%;"><b>-i | --interface</b></p>
<p style="margin-left:12%;">Specifies the network interface
or interfaces to be used by <b>ntop</b> for network
<p style="margin-left:12%; margin-top: 1em">If multiple
interfaces are used (this feature is available only if ntop
is compiled with thread support) their names must be
separated with a comma. For instance -i
"eth0,lo".</p>
<p style="margin-left:12%; margin-top: 1em">If not
specified, the default is the first Ethernet device, e.g.
eth0. The specific device that is ’first’ is
highly system dependent. Especially on systems where the
device name reflects the driver name instead of the type of
<p style="margin-left:12%; margin-top: 1em">By default,
traffic information obtained by all the interfaces is merged
together as if the traffic was seen by only one interface.
Use the -M parameter to keep traffic separate by
<p style="margin-left:12%; margin-top: 1em">If you do not
want <b>ntop</b> to monitor any interfaces, use -i none.</p>
<p style="margin-left:12%; margin-top: 1em">Under Windows,
the parameter value is either the number of the interface or
its name, e.g. {6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run
<b>ntop</b> -h to see a list of interface name-number
mappings (at the end of the help information).</p>
<p style="margin-left:11%;"><b>-j |
--create-other-packets</b></p>
<p style="margin-left:12%;">This parameter causes
<b>ntop</b> to create a dump file of the ’other’
network traffic captured. One file is created for each
network interface, named
<path>/ntop-other-pkts.<device>.pcap, where
<path> is defined by the -O | --output-packet-path
parameter. This file is useful for understanding these
unclassified packets.</p>
<p style="margin-left:11%;"><b>-l | --pcap-log</b></p>
<p style="margin-left:12%;">This parameter causes a dump
file to be created of the network traffic captured by
<b>ntop</b> in tcpdump (pcap) format. This file is useful
for debug, and may be read back into <b>ntop</b> by the -f |
--traffic-dump-file parameter. The dump is made after
processing any filter expression (<b>ntop</b> never even sees filtered
<p style="margin-left:12%; margin-top: 1em">The output file
<i><path>/<log>.<device>.pcap</i>
(Windows: <i><path>/<log>.pcap</i> ), where
<path> is defined by the -O | --output-packet-path
parameter and <log> is defined by this -l | --pcap-log
<p style="margin-left:11%;"><b>-m | --local-subnets</b></p>
<p style="margin-left:12%;"><b>ntop</b> determines the ip
addresses and netmasks for each active interface. Any
traffic on those networks is considered local. This
parameter allows the user to define additional networks and
subnetworks whose traffic is also considered local in
<b>ntop</b> reports. All other hosts are considered
<p style="margin-left:12%; margin-top: 1em">Commas separate
multiple network values. Both netmask and CIDR notation may
be used, even mixed together, for instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".</p>
<p style="margin-left:12%; margin-top: 1em">The local
subnet(s) - as defined by the interface address(es) - are
always local and do not need to be specified. If you do give
the same value as a NIC’s local address, a harmless
warning message is issued.</p>
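<p style="margin-left:12%; margin-top: 1em">The following added Python example (not ntop's code) shows how a mixed CIDR/netmask -m list combines with the interface subnets, reproduces the harmless duplicate warning, and applies the -g | --track-local-hosts rule of keeping only local hosts; the interface addresses and the list of seen hosts are constructed.</p>

```python
"""Local-subnet handling as described for -m and -g (added example, not
ntop's code). It parses the comma-separated -m value (CIDR and netmask
notation may be mixed), merges it with the networks derived from the
interface addresses, issues the harmless duplicate warning, and classifies
hosts as local or remote; with track_local_only=True only local hosts are
kept, mirroring -g. Interface addresses and host lists are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple


def parse_local_subnets(spec: str) -> list:
    """Parse '131.114.21.0/24,10.0.0.0/255.0.0.0' into network objects.

    ipaddress.ip_network accepts both CIDR and dotted-netmask notation, so a
    mixed list needs no special casing; strict=False tolerates host bits set.
    """
    return [ipaddress.ip_network(item.strip(), strict=False)
            for item in spec.split(",") if item.strip()]


def build_local_networks(interface_addrs: Iterable[str], m_spec: str) -> Tuple[list, List[str]]:
    """Interface subnets are always local; -m adds further networks.

    Giving a subnet that already belongs to an interface is harmless and only
    produces a warning, as the man page says.
    """
    local = [ipaddress.ip_interface(a).network for a in interface_addrs]
    warnings: List[str] = []
    for net in parse_local_subnets(m_spec):
        if net in local:
            warnings.append(f"{net} is already local (interface subnet); ignored")
        else:
            local.append(net)
    return local, warnings


def is_local(addr: str, local_nets: list) -> bool:
    """True when the address falls inside any local network (v4 or v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net for net in local_nets)


def tracked_hosts(seen: Iterable[str], local_nets: list, track_local_only: bool) -> Dict[str, str]:
    """Map each seen host to 'local'/'remote'; with -g semantics drop remote ones."""
    result: Dict[str, str] = {}
    for addr in seen:
        kind = "local" if is_local(addr, local_nets) else "remote"
        if track_local_only and kind == "remote":
            continue
        result[addr] = kind
    return result


if __name__ == "__main__":
    # Constructed interface address and -m value (192.168.1.0/24 repeats the NIC subnet).
    nets, warns = build_local_networks(
        ["192.168.1.5/24"], "192.168.1.0/24,131.114.21.0/24,10.0.0.0/255.0.0.0")
    print([str(n) for n in nets], warns)
    print(tracked_hosts(["131.114.21.9", "10.20.30.40", "8.8.8.8"], nets, True))
```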
<p style="margin-left:11%;"><b>-n |
--numeric-ip-addresses</b></p>
<p style="margin-left:12%;">By default, <b>ntop</b>
resolves IP addresses using a combination of active
(explicit) DNS queries and passive sniffing. Sniffing of DNS
responses occurs when <b>ntop</b> receives a network packet
containing the response to some other user’s DNS
query. <b>ntop</b> captures this information and enters it
into <b>ntop’s</b> DNS cache, in expectation of
shortly seeing traffic addressed to that host. This way
<b>ntop</b> significantly reduces the number of DNS queries
<p style="margin-left:12%; margin-top: 1em">This parameter
causes <b>ntop</b> to skip DNS resolution, showing only
numeric IP addresses instead of the symbolic names. This
option can be useful when the DNS is not present or quite
<p style="margin-left:11%;"><b>-o | --no-mac</b></p>
<p style="margin-left:12%;"><b>ntop</b> is a hybrid layer
2/3 network monitor. That is, it uses both the lower level,
physical device address - the MAC (Media Access Control)
address - and the higher level, logical, tcp/ip address (the
familiar www.ntop.org or 131.114.21.9 address). This allows
<b>ntop</b> to link the logical addresses to a physical
machine with multiple addresses (This occurs with virtual
hosts or additional addresses assigned to the interface,
etc.) to present consolidated reporting.</p>
<p style="margin-left:12%; margin-top: 1em">This parameter
specifies that <b>ntop</b> should not trust the MAC
addresses but just use the IP addresses.</p>
<p style="margin-left:12%; margin-top: 1em">Normally, since
the MAC address must be globally unique, the dual nature of
<b>ntop</b> is a benefit and provides far better information
about the network than is available via a pure layer 2 or
pure layer 3 monitor.</p>
<p style="margin-left:12%; margin-top: 1em">Under certain
circumstances - whenever <b>ntop</b> is started on an
interface where MAC addresses cannot be really trusted - you
may require this option.</p>
<p style="margin-left:12%; margin-top: 1em">Situations
which may require this option include port/VLAN mirror, some
cases with switches and spanning tree protocol, and
(reportedly) some specific models of Ethernet switches which
re-write MAC addresses of the packets they process.
Normally, you discover that this option is necessary when
you observe that hosts seem to change their addresses or
information about different machines gets lumped
<p style="margin-left:12%; margin-top: 1em">Note that with
this option, information which is dependent upon the MAC
addresses (non tcp/ip protocols like IPX) will not be
collected nor displayed.</p>
<p style="margin-left:11%;"><b>-p | --protocols</b></p>
<p style="margin-left:12%;">This parameter is used to
specify the TCP/UDP protocols that <b>ntop</b> will monitor.
The format is <label>=<protocol list> [,
<label>=<protocol list>], where label is used to
symbolically identify the <protocol list>. The format
of <protocol list> is
<protocol>[|<protocol>], where <protocol>
is either a valid protocol specified inside the
/etc/services file or a numeric port range (e.g. 80, or
<p style="margin-left:12%; margin-top: 1em">A simple
--protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data",
which reduces the protocols displayed on the "IP"
<table border=0 cellspacing=0 cellpadding=2 style="margin-left:12%; margin-top: 1em">
<tr><th align=left>Host</th><th align=left>Domain</th><th align=left>Data</th><th align=left>HTTP</th><th align=left>FTP</th><th align=left>Other IP</th></tr>
<tr><td>ns2.attbi.com</td><td>&lt;flag&gt;</td><td>954 (63.9 %)</td><td>0</td><td>0</td><td>954</td></tr>
<tr><td>64.124.83.112.akamai.com</td><td>&lt;flag&gt;</td><td>240 (16.1 %)</td><td>240</td><td>0</td><td>0</td></tr>
<tr><td>64.124.83.99.akamai.com</td><td>&lt;flag&gt;</td><td>240 (16.1 %)</td><td>240</td><td>0</td><td>0</td></tr>
<tr><td>toolbarqueries.google.com</td><td>&lt;flag&gt;</td><td>60 (4.0 %)</td><td>60</td><td>0</td><td>0</td></tr>
</table>
<p style="margin-left:12%; margin-top: 1em">If the
<protocol list> is very long you may store it in a
file (for instance protocol.list). To do so, specify the
file name instead of the <protocol list> on the
command line. e.g. <b>ntop -p protocol.list</b></p>
<p style="margin-left:12%; margin-top: 1em">If the -p
parameter is omitted the following default value is
<p style="margin-left:12%; margin-top: 1em">FTP=ftp|ftp-data <br>
HTTP=http|www|https|3128 (3128 is Squid, the HTTP cache) <br>
Telnet=telnet|login <br>
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn <br>
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2 <br>
DHCP-BOOTP=67-68 <br>
SNMP=snmp|snmp-trap <br>
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status <br>
<p style="margin-left:12%; margin-top: 1em">Peer-to-Peer <br>
---------------------- <br>
Gnutella=6346|6347|6348 <br>
DirectConnect=0 (Dummy port as this is a pure P2P protocol) <br>
eDonkey=4661-4665</p>
<p style="margin-left:12%; margin-top: 1em">Instant Messenger <br>
----------------- <br>
Messenger=1863|5000|5001|5190-5193</p>
<p style="margin-left:12%; margin-top: 1em">NOTE: To
resolve protocol names to port numbers, they must be
specified in the system file used to list tcp/udp protocols
and ports, which is typically the /etc/services file. You will
have to match the names in that file exactly. Missing or
unspecified (non-standard) ports must be specified by
number, such as 3128 in our examples above.</p>
<p style="margin-left:12%; margin-top: 1em">If you have a
file named /etc/protocols, don’t get confused by it,
as that’s the Ethernet protocol numbers, which are not
what you’re looking for.</p>
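<p style="margin-left:12%; margin-top: 1em">As an added example that is not ntop's own code, the Python below parses a -p specification in the format described above, both inline and from a file, resolving names against a constructed /etc/services-style table (an excerpt made up for the example) and numeric ports or ranges, rejects names the table does not contain exactly, and maps a port back to its label or to "Other IP". The read_file callback and the protocol.list contents are assumptions.</p>

```python
"""Parser for the -p | --protocols specification (added example, not ntop's
code). Format: <label>=<protocol list>[,<label>=<protocol list>], each list
being <protocol>[|<protocol>] where a protocol is a name that must match
/etc/services exactly, a numeric port, or a numeric range such as 67-68.
A spec with no '=' is treated as the name of a file holding the spec, as
with 'ntop -p protocol.list'. The services table and file are constructed
here so the example runs offline; read_file is a hypothetical callback.
"""
import re
from typing import Callable, Dict, Optional, Set

# Constructed excerpt in /etc/services layout: name port/proto [aliases] [# comment]
SERVICES_TEXT = """\
# name          port/proto      aliases         # comment
ftp-data        20/tcp
ftp             21/tcp
ssh             22/tcp
telnet          23/tcp
smtp            25/tcp          mail
http            80/tcp          www www-http    # WorldWideWeb HTTP
pop3            110/tcp         pop-3
https           443/tcp
login           513/tcp
"""

RANGE_RE = re.compile(r"^(\d+)-(\d+)$")


def parse_services(text: str) -> Dict[str, int]:
    """Map every service name and alias to its port number."""
    table: Dict[str, int] = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        port = int(fields[1].split("/", 1)[0])
        for name in [fields[0]] + fields[2:]:
            table.setdefault(name, port)
    return table


def protocol_ports(token: str, services: Dict[str, int]) -> Set[int]:
    """Resolve one <protocol> token to a set of ports.

    Unknown names are errors: names must match the services file exactly,
    and non-standard ports have to be given by number.
    """
    token = token.strip()
    if token.isdigit():
        return {int(token)}
    m = RANGE_RE.match(token)
    if m:
        return set(range(int(m.group(1)), int(m.group(2)) + 1))
    if token in services:
        return {services[token]}
    raise ValueError(f"{token!r}: not in services file; give the port number instead")


def parse_protocols(spec: str, services: Dict[str, int],
                    read_file: Optional[Callable[[str], str]] = None) -> Dict[str, Set[int]]:
    """Parse the whole -p value into {label: set of ports}."""
    if "=" not in spec and read_file is not None:
        spec = read_file(spec.strip())          # 'ntop -p protocol.list' form
    labels: Dict[str, Set[int]] = {}
    for entry in spec.replace("\n", ",").split(","):
        entry = entry.strip()
        if not entry:
            continue
        label, sep, plist = entry.partition("=")
        if not sep or not label.strip():
            raise ValueError(f"bad entry {entry!r}: expected <label>=<protocol list>")
        ports = labels.setdefault(label.strip(), set())
        for token in plist.split("|"):
            ports |= protocol_ports(token, services)
    return labels


def port_labels(labels: Dict[str, Set[int]]) -> Dict[int, str]:
    """Invert to {port: label}; this example keeps the first label on overlap."""
    inverted: Dict[int, str] = {}
    for label, ports in labels.items():
        for port in sorted(ports):
            inverted.setdefault(port, label)
    return inverted


def label_for_port(port: int, inverted: Dict[int, str]) -> str:
    """Column a packet on this port lands in; unlisted ports count as 'Other IP'."""
    return inverted.get(port, "Other IP")


if __name__ == "__main__":
    services = parse_services(SERVICES_TEXT)
    labels = parse_protocols("HTTP=http|www|https|3128,FTP=ftp|ftp-data", services)
    print({k: sorted(v) for k, v in labels.items()})  # HTTP: [80, 443, 3128], FTP: [20, 21]
    print(label_for_port(3128, port_labels(labels)), label_for_port(53, port_labels(labels)))
```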
<p style="margin-left:11%;"><b>-q |
--create-suspicious-packets</b></p>
<p style="margin-left:12%;">This parameter tells
<b>ntop</b> to create a dump file of suspicious packets.</p>
<p style="margin-left:12%; margin-top: 1em">There are many,
many, things that cause a packet to be labeled as
’suspicious’, including:</p>
<p style="margin-left:12%; margin-top: 1em">Detected ICMP <br>
Detected Land Attack against host <br>
Detected overlapping/tiny packet fragment <br>
Detected traffic on a diagnostic port <br>
Host performed ACK/FIN/NULL scan <br>
Host rejected TCP session <br>
HTTP/FTP/SMTP/SSH detected at wrong port <br>
Malformed TCP/UDP/ICMP packet (packet too short) <br>
Packet # %u too long <br>
Received a ICMP protocol Unreachable from host <br>
Sent ICMP Administratively Prohibited packet to host <br>
Smurf packet detected for host <br>
TCP connection with no data exchanged <br>
TCP session reset without completing 3-way handshake <br>
Two MAC addresses found for the same IP address <br>
UDP data to a closed port <br>
Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port <br>
Unusual ICMP options</p>
<p style="margin-left:12%; margin-top: 1em">When this
parameter is used, one file is created for each network
interface where suspicious packets are found. The file is in
tcpdump (pcap) format and is named
<path>/ntop-suspicious-pkts.<device>.pcap, where
<path> is defined by the -O | --output-packet-path
<p style="margin-left:11%;"><b>-r | --refresh-time</b></p>
<p style="margin-left:12%;">Specifies the delay (in
seconds) between automatic screen updates for those
generated HTML pages which support them. This parameter
allows you to leave your browser window open and have it
always displaying nearly real-time data from
<p style="margin-left:12%; margin-top: 1em">The default is
3 seconds. Please note that if the delay is very short (1
second for instance), <b>ntop</b> might not be able to
process all of the network traffic.</p>
<p style="margin-left:11%;"><b>-s |
--no-promiscuous</b></p>
<p style="margin-left:12%;">Use this parameter to prevent
<b>ntop</b> from setting the interface(s) into promiscuous mode.</p>
<p style="margin-left:12%; margin-top: 1em">An interface in
promiscuous mode will accept ALL Ethernet frames, regardless
of whether they are directed (addressed) to the specific network
interface (NIC) or not. This is an essential part of
enabling <b>ntop</b> to monitor an entire network. (Without
promiscuous mode, <b>ntop</b> will only see traffic directed
to the specific host it is running on, plus broadcast
traffic such as the arp and dhcp protocols.)</p>
<p style="margin-left:12%; margin-top: 1em">Even if you use
this parameter, the interface could well be in promiscuous
mode if another application enabled it.</p>
<p style="margin-left:12%; margin-top: 1em"><b>ntop</b>
passes this setting on to libpcap, the packet capture
library. On many systems, a non-promiscuous open of the
network interface will fail, since the libpcap function on
most systems requires it to capture raw packets (<b>ntop</b>
captures raw packets so that we may view and analyze the
layer 2 - MAC - information).</p>
<p style="margin-left:12%; margin-top: 1em">Thus on most
systems, <b>ntop</b> must probably still be started as root,
and this option is largely ornamental. If it fails, you will
see a ***FATALERROR*** message referring to pcap_open_live()
and then an information message, "Sorry, but on this
system, even with -s, it appears that ntop must be started
<p style="margin-left:11%;"><b>-t | --trace-level</b></p>
<p style="margin-left:12%;">This parameter specifies the
’information’ level of messages that you wish
<b>ntop</b> to display (on stdout or to the log). The higher
the trace level number the more information that is
displayed. The trace level ranges between 0 (no trace) and 5
(full debug tracings).</p>
<p style="margin-left:12%; margin-top: 1em">The default
trace value is 3.</p>
<p style="margin-left:12%; margin-top: 1em">Trace level 0
is not quite zero messages. Fatal errors and certain
startup/shutdown messages are always displayed. Trace level
1 is used to display errors only, level 2 for both errors
and warnings, and level 3 displays error, warning and
informational messages.</p>
<p style="margin-left:12%; margin-top: 1em">Trace level 4
is called ’noisy’ and it is - generating many
messages about the internal functioning of <b>ntop</b>.
Trace level 5 and above are ’noisy’ plus extra
logs, i.e. all possible messages, with a file:line tag
prepended to every message.</p>
<p style="margin-left:11%;"><b>-u | --user</b></p>
<p style="margin-left:12%;">Specifies the user <b>ntop</b>
should run as after it initializes.</p>
<p style="margin-left:12%; margin-top: 1em"><b>ntop</b>
must normally be started as root so that it has sufficient
privileges to open the network interfaces in promiscuous
mode and to receive raw frames. See the discussion of -s |
--no-promiscuous above, if you wish to try starting
<b>ntop</b> as a non-root user.</p>
<p style="margin-left:12%; margin-top: 1em">Shortly after
starting up, <b>ntop</b> becomes the user you specify here,
which normally has substantially reduced privileges, such as
no login shell. This is the userid which owns
<b>ntop’s</b> database and output files.</p>
<p style="margin-left:12%; margin-top: 1em">The value
specified may be either a username or a numeric user id. The
group id used will be the primary group of the user
<p style="margin-left:12%; margin-top: 1em">If this
parameter is not specified, ntop will try to switch first to
’nobody’ and then to ’anonymous’
before giving up.</p>
<p style="margin-left:12%; margin-top: 1em">NOTE: This
should not be root unless you really understand the security
risks. In order to prevent this by accident, the only way to
run <b>ntop</b> as root is to explicitly specify -u root.
<b>Don’t do it.</b></p>
<p style="margin-left:11%;"><b>-x <br>
-X</b></p>
<p style="margin-left:12%;"><b>ntop</b> creates a new
hash/list entry for each new host/TCP session seen. In case
of DOS (Denial Of Service) an attacker can easily exhaust
all the available host memory because ntop is creating
entries for dummy hosts. In order to avoid this you can set
an upper limit in order to limit the memory ntop can
<p style="margin-left:11%;"><b>-w | --http-server <br>
-W | --https-server</b></p>
<p style="margin-left:12%;"><b>ntop</b> offers an embedded
web server to present the information that has been so
painstakingly gathered. An external HTTP server is NOT
required NOR supported. The <b>ntop</b> web server is
embedded into the application. These parameters specify the
port (and optionally the address (i.e. interface)) of the
<b>ntop</b> web server.</p>
<p style="margin-left:12%; margin-top: 1em">For example, if
started with -w 3000 (the default port), the URL to access
<b>ntop</b> is http://hostname:3000/. If started with a full
specification, e.g. -w 192.168.1.1:3000, <b>ntop</b> listens
on only that address/port combination.</p>
<p style="margin-left:12%; margin-top: 1em">If -w is set to
0 the web server will not listen for http://
<p style="margin-left:12%; margin-top: 1em">-W operates
similarly, but controls the port for the https://
<p style="margin-left:12%; margin-top: 1em">Some
<p style="margin-left:12%; margin-top: 1em"><b>ntop -w 3000
-W 0</b> (this is the default setting) HTTP requests on port
3000 and no HTTPS.</p>
<p style="margin-left:12%; margin-top: 1em"><b>ntop -w 80
-W 443</b> Both HTTP and HTTPS have been enabled on their
most common ports.</p>
<p style="margin-left:12%; margin-top: 1em"><b>ntop -w 0 -W
443</b> HTTP disabled, HTTPS enabled on the common port.</p>
<p style="margin-left:12%; margin-top: 1em">Certain
sensitive configuration pages of the <b>ntop</b> web server
are protected by a userid/password. By default, the
user/URL administration, filter, shutdown and reset-stats
pages are password protected and are accessible initially
only to user <b>admin</b> with a password set during the
first run of <b>ntop</b>.</p>
<p style="margin-left:12%; margin-top: 1em">Users can
modify/add/delete users/URLs using ntop itself - see the
<p style="margin-left:12%; margin-top: 1em">The passwords,
userids and URLs to protect with passwords are stored in a
database file. Passwords are stored in an encrypted form in
the database for further security. Best practices call for
securing that database so that only the <b>ntop</b> user can
<p style="margin-left:12%; margin-top: 1em">There is a
discussion in docs/FAQ about further securing the
<b>ntop</b> environment.</p>
<p style="margin-left:11%;"><b>-z |
--disable-sessions</b></p>
<p style="margin-left:12%;">This parameter disables TCP
session tracking. Use it for better performance or when you
don’t really need/care to track sessions.</p>
<p style="margin-left:11%;"><b>-A |
--set-admin-password</b></p>
<p style="margin-left:12%;">This parameter is used to start
<b>ntop</b>, set the admin password and quit. It is quite
useful for installers that need to automatically set the
password for the admin user.</p>
<p style="margin-left:12%; margin-top: 1em">-A and
--set-admin-password (without a value) will prompt the user
for the password.</p>
<p style="margin-left:12%; margin-top: 1em">You may also
use this parameter to set a specific value using
--set-admin-password=value. <b>The = is REQUIRED and no
spaces are permitted!</b></p>
<p style="margin-left:12%; margin-top: 1em">If you attempt
to run <b>ntop</b> as a daemon without setting a password, a
FATAL ERROR message is generated and <b>ntop</b> stops.</p>
807
<p style="margin-left:11%;"><b>-B |
808
--filter-expression</b></p>
810
<p style="margin-left:12%;">Filters allows the user to
811
restrict the traffic seen by <b>ntop</b> on just about any
814
<p style="margin-left:12%; margin-top: 1em">The filter
815
expression is set at run time by this parameter, but it may
816
be changed during the <b>ntop</b> run on the Admin | Change
819
<p style="margin-left:12%; margin-top: 1em">The basic
820
format is <b>-B filter</b> , where the quotes are
823
<p style="margin-left:12%; margin-top: 1em">The syntax of
824
the filter expression uses the same BPF (Berkeley Packet
825
Filter) expressions used by other packages such as
828
<p style="margin-left:12%; margin-top: 1em">For instance,
829
suppose you are interested only in the traffic
830
generated/received by the host jake.unipi.it. <b>ntop</b>
831
can then be started with the following filter:</p>
833
<p style="margin-left:12%; margin-top: 1em"><b>ntop -B src
834
host jake.unipi.it or dst host jake.unipi.it</b></p>
836
<p style="margin-left:12%; margin-top: 1em">or in
839
<p style="margin-left:12%; margin-top: 1em"><b>ntop -B host
840
jake.unipi.it or host jake.unipi.it</b></p>
842
<p style="margin-left:12%; margin-top: 1em">See the
843
’expression’ section of the <b>tcpdump</b> man
844
page - usually available at
845
http://www.tcpdump.org/tcpdump_man.html - for further
846
information and the best quick guide to BPF filters
847
currently available.</p>
849
<p style="margin-left:12%; margin-top: 1em">WARNING: If you
850
are using complex filter expressions, especially those with
851
=s or meaningful spaces in them, be sure and use the long
852
option format, --filter-expression="xxxx" and not
853
-B "xxxx".</p>
855
<p style="margin-left:11%;"><b>-C |</b></p>
857
<p style="margin-left:12%;">This instruments ntop to be
858
used in two configurations: host and network mode. In host
859
mode (default) ntop works as usual: the IP addresses
860
received are those of real hosts. In host mode the IP
861
addresses received are those of the C-class network to which
862
the address belongs. Using ntop in network mode is extremely
863
useful when installed in a traffic exchange (e.g. in the
864
middle of the Internet) whereas the host mode should be used
865
when ntop is installed on the edge of a network (e.g. inside
866
a company). The network mode significantly reduces the
867
amount of work ntop has to perform and it has to be used
868
whenever ntop is used to find out how the network traffic
869
flows and not to pin-point specific hosts.</p>
871
<p style="margin-left:11%;"><b>-D | --domain</b></p>
873
<p style="margin-left:12%;">This identifies the local
874
domain suffix, e.g. ntop.org. It may be necessary, if
875
<b>ntop</b> is having difficulty determining it from the
878
<p style="margin-left:11%;"><b>-F | --flow-spec</b></p>
880
<p style="margin-left:12%;">It is used to specify network
881
flows similar to more powerful applications such as
882
NeTraMet. A flow is a stream of captured packets that match
883
a specified rule. The format is</p>
886
<p style="margin-left:12%; margin-top: 1em"><b><flow-label>=’<matching
887
expression>’[,<flow-label>=’<matching
888
expression>’]</b></p>
890
<p style="margin-left:12%; margin-top: 1em">, where the
891
label is used to symbolically identify the flow specified by
892
the expression. The expression is a bpf (Berkeley Packet
893
Filter) expression. If an expression is specified, then the
894
information concerning flows can be accessed following the
895
ML link named ’List NetFlows’.</p>
897
<p style="margin-left:12%; margin-top: 1em">For instance
898
define two flows with the following expression
899
<b>LucaHosts=’host jake.unipi.it or host
900
pisanino.unipi.it’,GatewayRoutedPkts=’gateway
901
gateway.unipi.it’ .</b></p>
903
<p style="margin-left:12%; margin-top: 1em">All the traffic
904
sent/received by hosts jake.unipi.it or pisanino.unipi.it is
905
collected by <b>ntop</b> and added to the LucaHosts flow,
906
whereas all the packet routed by the gateway
907
gateway.unipi.it are added to the GatewayRoutedPkts flow. If
908
the flows list is very long you may store in a file (for
909
instance flows.list) and specify the file name instead of
910
the actual flows list (in the above example, this would be
911
’ntop -F flows.list’).</p>
913
<p style="margin-left:12%; margin-top: 1em">Note that the
914
double quotations around the entire flow expression are
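<p style="margin-left:12%; margin-top: 1em">A flow list is
easy to get wrong by hand, because each BPF expression may
itself contain commas, spaces and = signs. The parser below
is an added example (not ntop’s own code) that splits an
-F argument into (label, expression) pairs using the quoting
rule stated above and rejects malformed lists before ntop is
started; it also accepts a file name, as in ’ntop -F
flows.list’. The label alphabet and the rule that an
argument naming an existing file is read as a file are
assumptions made here.</p>

```python
"""Parser for the ntop -F | --flow-spec argument (added example, not ntop code).

Format from the man page:
    <flow-label>='<matching expression>'[,<flow-label>='<matching expression>']
The expression is a BPF filter and may itself contain commas, spaces and '='
signs, so the list cannot simply be split on ','; the single quotes delimit
each expression.  ntop also accepts a file name holding the list; treating
"argument names an existing file" as the trigger for that is an assumption
made here, as is the permitted label character set.
"""
import os
import re
from typing import List, Optional, Tuple

FlowSpec = List[Tuple[str, str]]

_LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+$")   # assumed label alphabet


def parse_flow_spec(text: str) -> FlowSpec:
    """Parse "label='expr',label2='expr2'" into [(label, expr), ...].

    Raises ValueError on malformed input: missing '=', missing or
    unterminated quotes, empty label or expression, duplicate label,
    stray text between entries.
    """
    flows: FlowSpec = []
    seen = set()
    i, n = 0, len(text)
    while i < n:
        eq = text.find("=", i)                      # label ends at '='
        if eq < 0:
            raise ValueError(f"missing '=' after position {i}: {text[i:]!r}")
        label = text[i:eq].strip()
        if not _LABEL_RE.match(label):
            raise ValueError(f"bad flow label {label!r}")
        if label in seen:
            raise ValueError(f"duplicate flow label {label!r}")
        if eq + 1 >= n or text[eq + 1] != "'":     # expression is quoted
            raise ValueError(f"expression for {label!r} must start with '")
        close = text.find("'", eq + 2)
        if close < 0:
            raise ValueError(f"unterminated expression for {label!r}")
        expr = text[eq + 2:close].strip()
        if not expr:
            raise ValueError(f"empty expression for {label!r}")
        flows.append((label, expr))
        seen.add(label)
        i = close + 1                               # just past the closing quote
        if i < n:
            if text[i] != ",":
                raise ValueError(f"expected ',' at position {i}, got {text[i]!r}")
            i += 1
            if i >= n:
                raise ValueError("trailing ',' without a following flow")
    if not flows:
        raise ValueError("empty flow specification")
    return flows


def validate_flow_spec(text: str) -> Optional[str]:
    """Return None if the spec parses, else the error message (pre-flight check)."""
    try:
        parse_flow_spec(text)
    except ValueError as exc:
        return str(exc)
    return None


def load_flow_spec(arg: str) -> FlowSpec:
    """Resolve the -F argument: an inline list or, if it names an existing
    file (assumption, see above), a file holding one or more entries per line."""
    if os.path.isfile(arg):
        with open(arg, encoding="ascii") as fh:
            entries = [ln.strip().rstrip(",") for ln in fh]
        return parse_flow_spec(",".join(e for e in entries if e))
    return parse_flow_spec(arg)


# Constructed sample: the two flows from the man page's own -F example.
SAMPLE_SPEC = ("LucaHosts='host jake.unipi.it or host pisanino.unipi.it',"
               "GatewayRoutedPkts='gateway gateway.unipi.it'")

if __name__ == "__main__":
    for label, expr in load_flow_spec(SAMPLE_SPEC):
        print(f"{label:20s} {expr}")
```

<p style="margin-left:12%; margin-top: 1em">Running the
script prints the two flows from the example above;
validate_flow_spec() is the piece a wrapper or init script
would call to refuse a bad list before launching ntop.</p>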
<p style="margin-left:11%;"><b>-K | --enable-debug</b></p>

<p style="margin-left:12%;">Use this parameter to simplify
application debugging. It does three things: 1. Does not fork()
on the "read only" html pages. 2. Displays mutex
values on the configuration (info.html) page. 3. (If
available - glibc/gcc) Activates an automated backtrace on
application errors.</p>

<p style="margin-left:11%;"><b>-L |
--use-syslog=facility</b></p>

<p style="margin-left:12%;">Use this parameter to send log
messages to the system log instead of stdout.</p>

<p style="margin-left:12%; margin-top: 1em">-L and the
simple form --use-syslog use the default log facility,
defined as LOG_DAEMON in the #define symbol
DEFAULT_SYSLOG_FACILITY in globals-defines.h.</p>

<p style="margin-left:12%; margin-top: 1em">The complex
form, --use-syslog=facility, will set the log facility to
whatever value (e.g. local3, security) you specify. <b>The =
is REQUIRED and no spaces are allowed!</b></p>

<p style="margin-left:12%; margin-top: 1em">This setting
applies both to <b>ntop</b> and to any child fork()ed for
reporting. If this parameter is not specified, any fork()ed
child will use the default value and will log its
messages to the system log (this occurs because the fork()ed
child must give up its access to the parent’s</p>

<p style="margin-left:12%; margin-top: 1em">Because various
systems do not make the permissible names available, we have
a table at the end of globals-core.c. Look for</p>

<p style="margin-left:11%;"><b>-M |
--no-interface-merge</b></p>

<p style="margin-left:12%;">By default, <b>ntop</b> merges
the data collected from all of the interfaces (NICs) it is
monitoring into a single set of counters.</p>

<p style="margin-left:12%; margin-top: 1em">If you have a
simple network, say a small LAN with a connection to the
internet, merging data is good as it gives you a better
picture of the whole network. For larger, more complex
networks, this may not be desirable. You may also have other
reasons for wishing to monitor each interface separately,
for example DMZ vs. LAN traffic.</p>

<p style="margin-left:12%; margin-top: 1em">This option
instructs <b>ntop</b> not to merge network interfaces
together. This means that <b>ntop</b> will collect
statistics for each interface and report them</p>

<p style="margin-left:12%; margin-top: 1em">Only ONE
interface may be reported on at a time - use the <b>Admin |
Switch NIC</b> option on the web server to select which
interface to report upon.</p>

<p style="margin-left:12%; margin-top: 1em">Note that
activating either the netFlow or sFlow plugin will
force the setting of -M. Once enabled, you cannot go</p>

<p style="margin-left:11%;"><b>-N | --wwn-map</b></p>

<p style="margin-left:12%;">This option names the file
providing the map of WWN to FCID/VSAN ids.</p>

<p style="margin-left:11%;"><b>-O |
--output-packet-path</b></p>

<p style="margin-left:12%;">This parameter defines the base
path for the ntop-suspicious-pkts.XXX.pcap and normal packet</p>

<p style="margin-left:12%; margin-top: 1em">If this
parameter is not specified, the default value is the
config.h parameter CFG_DBFILE_DIR, which is set during
./configure from the --localstatedir= parameter. If
--localstatedir is not specified, it defaults to the
--prefix value plus /var (e.g. /usr/local/var).</p>

<p style="margin-left:12%; margin-top: 1em">Be aware that
this may not be what you expect when running <b>ntop</b> as
a daemon or Windows service. Setting an explicit and
absolute path value is <b>STRONGLY</b> recommended if you
use this facility.</p>

<p style="margin-left:11%;"><b>-P | --db-file-path <br>
-Q | --spool-file-path</b></p>

<p style="margin-left:12%;">These parameters specify where
<b>ntop</b> stores database files.</p>

<p style="margin-left:12%; margin-top: 1em">There are two
types, ’temporary’ - that is, ones which need not
be retained from <b>ntop</b> run to <b>ntop</b> run, and
’permanent’, which must be retained (or</p>

<p style="margin-left:12%; margin-top: 1em">The
’permanent’ databases are the preferences,
"prefsCache.db" and the password file,
"ntop_pw.db". These are stored in the -P |
--db-file-path specified location.</p>

<p style="margin-left:12%; margin-top: 1em">Certain plugins
use the -P | --db-file-path specified location for their
database ("LsWatch.db") or (as a default value)
for files (.../rrd/...).</p>

<p style="margin-left:12%; margin-top: 1em">The
’temporary’ databases are the address queue,
"addressQueue.db", the cached DNS resolutions,
"dnsCache.db" and the MAC prefix (vendor table),
"macPrefix.db".</p>

<p style="margin-left:12%; margin-top: 1em">If only -P |
--db-file-path is specified, it is used for both types of</p>

<p style="margin-left:12%; margin-top: 1em">The directories
named must allow read/write and file creation by the
<b>ntop</b> user. For security, nobody else should have even
read access to these files.</p>

<p style="margin-left:12%; margin-top: 1em">Note that the
default value is the config.h parameter CFG_DBFILE_DIR. This
is set during ./configure from the --localstatedir=
parameter. If --localstatedir is not specified, it defaults
to the --prefix value plus /var (e.g. /usr/local/var).</p>

<p style="margin-left:12%; margin-top: 1em">This may not be
what you expect when running <b>ntop</b> as a daemon or
Windows service.</p>

<p style="margin-left:12%; margin-top: 1em">Note that on
versions of <b>ntop</b> prior to 2.3, these parameters
defaulted to "." (the current working directory,
e.g. the value returned by the pwd command) and caused havoc
as it was different when <b>ntop</b> was run from the
command line, vs. run via cron, vs. run from an
initialization script.</p>

<p style="margin-left:12%; margin-top: 1em">Setting an
explicit and absolute path value is <b>STRONGLY</b></p>
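<p style="margin-left:12%; margin-top: 1em">The permission
requirement above (read/write and file creation for the
<b>ntop</b> user, no access at all for anyone else) can be
verified before ntop is started. The script below is an added
example, not part of ntop, that audits a -P or -Q directory
and the files directly inside it for owner, mode bits and
planted symlinks. The account name "ntop" and the
script name audit_ntop_dbdir.py are assumptions.</p>

```python
"""Permission audit for the ntop -P / -Q database directories (added example,
not part of ntop).  The man page requires that the named directories allow
read/write and file creation by the ntop user and that nobody else has even
read access.  This checks a directory and its direct contents for exactly
that: expected owner, no group/other bits, owner able to read/write (and
search, for directories), no setuid/setgid, no symlinks planted inside.
The default account name "ntop" is an assumption; pass -u to change it.
"""
import os
import pwd
import stat
import sys
from typing import List, Optional


def audit_mode_bits(mode: int, is_dir: bool) -> List[str]:
    """Findings for a raw st_mode value; pure function, no I/O."""
    findings: List[str] = []
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        findings.append(f"group/other bits set (mode {perm:04o}), expected none")
    need = stat.S_IRUSR | stat.S_IWUSR | (stat.S_IXUSR if is_dir else 0)
    if perm & need != need:
        findings.append(f"owner lacks read/write access (mode {perm:04o})")
    if perm & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid bit set on a data path")
    return findings


def audit_db_dir(path: str, expected_uid: Optional[int] = None) -> List[str]:
    """Audit one -P/-Q directory and the files directly inside it.

    expected_uid defaults to the current user (run this as the ntop account).
    Returns human-readable findings; an empty list means the directory passed.
    """
    uid = os.getuid() if expected_uid is None else expected_uid
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    findings: List[str] = []
    if st.st_uid != uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {uid}")
    findings += [f"{path}: {f}" for f in audit_mode_bits(st.st_mode, True)]
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        if stat.S_ISLNK(fst.st_mode):
            findings.append(f"{full}: symlink inside the database directory")
            continue
        if fst.st_uid != uid:
            findings.append(f"{full}: owned by uid {fst.st_uid}, expected {uid}")
        findings += [f"{full}: {f}"
                     for f in audit_mode_bits(fst.st_mode, stat.S_ISDIR(fst.st_mode))]
    return findings


def main(argv: List[str]) -> int:
    """usage: audit_ntop_dbdir.py [-u account] DIR [DIR ...]"""
    uid = None
    args = list(argv)
    if len(args) >= 2 and args[0] == "-u":
        uid = pwd.getpwnam(args[1]).pw_uid       # KeyError if the account is missing
        args = args[2:]
    if not args:
        print(main.__doc__, file=sys.stderr)
        return 2
    problems = 0
    for d in args:
        for finding in audit_db_dir(d, uid):
            print(finding)
            problems += 1
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

<p style="margin-left:12%; margin-top: 1em">Run it as, for
example, python audit_ntop_dbdir.py -u ntop /usr/local/var/ntop
(the directory being whatever -P and -Q name on your system).
It exits non-zero whenever a finding is printed, so an init
script can refuse to start ntop until the directory is fixed.</p>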
<p style="margin-left:11%;"><b>-U | --mapper</b></p>

<p style="margin-left:12%;">Specifies the URL of the
mapper.pl utility.</p>

<p style="margin-left:12%; margin-top: 1em">If provided,
<b>ntop</b> creates a clickable hyperlink on the ’Info
about host xxxxxx’ page to this URL by appending
?host=xxxxx. Any type of host lookup could be performed, but
this is intended to look up the geographical location of the</p>

<p style="margin-left:12%; margin-top: 1em">A cgi-based
mapper interface to http://www.multimap.com is part of the
<b>ntop</b> distribution (see www/Perl/mapper.pl).</p>

<p style="margin-left:11%;"><b>-V | --version</b></p>

<p style="margin-left:12%;">Prints <b>ntop</b> version
information and then exits.</p>

<p style="margin-left:11%;"><b>-W | --https-server</b></p>

<p style="margin-left:12%;">(See the joint documentation
with the -w parameter, above)</p>

<p style="margin-left:11%;"><b>--disable-instantsessionpurge</b></p>

<p style="margin-left:12%;"><b>ntop</b> marks completed
sessions as ’timed out’ and then purges them
almost instantly, which is not the behavior you might expect
from the discussions about purge timeouts. This switch makes
ntop respect the timeouts for completed sessions. It is NOT
the default because a busy web server may have 100s or 1000s
of completed sessions and this would significantly increase
the amount of memory <b>ntop</b> uses.</p>

<p style="margin-left:11%;"><b>--disable-mutexextrainfo</b></p>

<p style="margin-left:12%;"><b>ntop</b> stores extra
information about the locks and unlocks of the protective
mutexes it uses. Since <b>ntop</b> uses fine-grained
locking, this information is updated frequently. On some
OSes, the system calls used to collect this information
(getpid() and gettimeofday()) are expensive. This option
disables the extra information. It should have no processing
impact on <b>ntop</b> <br>
- however, should <b>ntop</b> actually deadlock, we would
lose the information that sometimes tells us why.</p>

<p style="margin-left:11%;"><b>--fc-only</b></p>

<p style="margin-left:12%; margin-top: 1em">Display only
Fibre Channel statistics.</p>

<p style="margin-left:11%;"><b>--instance</b></p>

<p style="margin-left:12%; margin-top: 1em">You can run
multiple instances of <b>ntop</b> simultaneously by
specifying different -P values (typically through separate
ntop.conf files). If you set a value for this parameter
(available only on the command line), you (1) display the
’instance’ name on every web page and (2) alter
the log prefix from "NTOP" to your chosen</p>

<p style="margin-left:12%; margin-top: 1em">If you want to
make the tag more obvious, create a .instance class in
style.css, e.g.:</p>

<p style="margin-left:12%; margin-top: 1em">.instance { <br>
color: #666666; <br>
font-size: 18pt; <br>
}</p>

<p style="margin-left:12%; margin-top: 1em">Note (UNIX): To
run completely different versions of the <b>ntop</b> binary,
you need to compile and install into a different library
(using ./configure --prefix) and then specify the
LD_LIBRARY_PATH before invoking, e.g.</p>

<p style="margin-left:12%; margin-top: 1em">LD_LIBRARY_PATH=/devel/lib/ntop/:...
/devel/bin/ntop ...args...</p>

<p style="margin-left:12%; margin-top: 1em">If present, a
file of the form <instance>_ntop_logo.gif will be used
instead of the normal ntop_logo.gif. This is tested for ONLY
once, at the beginning of the run. The EXACT word(s) of the
--instance flag are used, without testing if they make a
proper file name. If - for any reason - the file is not
found, an informational message is logged and the normal
logo file is used. To construct your own logo, make it a
300x40 transparent gif.</p>

<p style="margin-left:12%; margin-top: 1em">NOTE: On the
web pages, <b>ntop</b> uses the dladdr() function. The
original Solaris routine had a bug, replicated in FreeBSD
(and possibly other places) where it uses the ARGV[0] value
- which might be erroneous - instead of the actual file
name. If the ’running from’ value looks bogus
but the ’libraries in’ value looks ok, go with</p>

<p style="margin-left:11%;"><b>--no-fc</b></p>

<p style="margin-left:12%; margin-top: 1em">Disable
processing and display of Fibre Channel.</p>

<p style="margin-left:11%;"><b>--no-invalid-lun</b></p>

<p style="margin-left:12%; margin-top: 1em">Don’t
display Invalid LUN information.</p>

<p style="margin-left:11%;"><b>--p3p-cp</b></p>

<p style="margin-left:12%; margin-top: 1em">P3P is a W3C
recommendation - http://www.w3.org/TR/P3P/ - for specifying
personal information a site collects and what it does with
the information. These parameters allow <b>ntop</b> to return P3P
information. We do not supply samples.</p>

<p style="margin-left:11%;"><b>--pcap_setnonblock</b></p>

<p style="margin-left:12%;">On some platforms, the
<b>ntop</b> web server will hang or appear to hang (it
actually just responds incredibly slowly to the first
request from a browser session), while the rest of
<b>ntop</b> runs just fine. This is known to be an issue
under FreeBSD 4.x.</p>

<p style="margin-left:12%; margin-top: 1em">This option
sets the non-blocking option (assuming it’s available
in the version of libpcap that is installed).</p>

<p style="margin-left:12%; margin-top: 1em">While this
works around the problem (by turning an interrupt-driven
process into a poll), it MAY also significantly increase the
cpu usage of <b>ntop</b>. Although it does not actually
interfere with other work, seeing <b>ntop</b> use 80-90% or
more of the cpu is not uncommon - don’t say we
didn’t warn you.</p>

<p style="margin-left:12%; margin-top: 1em"><b>THIS OPTION
IS OFFICIALLY UNSUPPORTED</b> and used at your own risk.
Read the docs/FAQ write-up.</p>

<p style="margin-left:11%;"><b>--skip-version-check</b></p>

<p style="margin-left:12%;">By default, <b>ntop</b>
accesses a remote file to periodically check if the most
current version is running. This option disables that check.
Please review the privacy notice at the bottom of this page
for more information. By default, the recheck period is
slightly more than 15 days. This can be adjusted via a
constant in globals-defines.h. If the result of the initial
check indicates that the <b>ntop</b> version is a ’new
development’ version (that is, newer than the latest
published development version), the recheck is disabled.
This is because there is no way to know which fixes and
enhancements are present in or absent from such code.</p>

<p style="margin-left:12%; margin-top: 1em">NOTE: At
present, the recheck does not work under Windows.</p>

<p style="margin-left:11%;"><b>--ssl-watchdog</b></p>

<p style="margin-left:12%; margin-top: 1em">Enable a
watchdog for webserver hangs. These usually happen when
connecting with older browsers. The user gets nothing back
and other users can’t connect. Internally, packet
processing continues but there is no way to access the data
through the web server or shut down ntop cleanly. With the
watchdog, a timeout occurs after 3 seconds, and processing
continues with a log message. Unfortunately, the user sees
nothing - it just looks like a failed connection. (Also
available as a ./configure option, --enable-sslwatchdog.)</p>

<p style="margin-left:11%;"><b>--w3c</b></p>

<p style="margin-left:12%;">By default, <b>ntop</b>
generates displayable but not great html. There are a number
of tags we do not generate because they cause problems with
older browsers which are still commonly used or are
important to look good on real-world browsers. This flag
tells <b>ntop</b> to generate ’BETTER’ (but not
perfect) w3c compliant html 4.01 output. This in no way
addresses all of the compatibility and markup issues. Over
time, we would like to make <b>ntop</b> more compatible, but
it will never be 100%. If you find any issues, please report
them to ntop-dev.</p>

<p style="margin-left:11%;"><b>-4 | --ipv4</b></p>

<p style="margin-left:12%;">Use IPv4 connections.</p>

<p style="margin-left:11%;"><b>-6 | --ipv6</b></p>

<p style="margin-left:12%;">Use IPv6 connections.</p>

<a name="WEB VIEWS"></a>
<h2>WEB VIEWS</h2>

<p style="margin-left:11%; margin-top: 1em">While
<b>ntop</b> is running, multiple users can access the
traffic information using their web browsers. <b>ntop</b>
does not generate ’fancy’ or
’complex’ html, although it does use frames,
shallowly nested tables and makes some use of JavaScript and
Cascading Style Sheets.</p>

<p style="margin-left:11%; margin-top: 1em">Beginning with
release 3.1, the menus are cascading dropdowns via
JSCookMenu. With release 3.2, this extends to plugins.</p>

<p style="margin-left:11%; margin-top: 1em">We do not
expect problems with any current web browser, but our
ability to test with less common ones is very limited.
Testing has included Firefox and Internet Explorer, with
very limited testing on other current common browsers such</p>

<p style="margin-left:11%; margin-top: 1em">In
documentation and this man page, when we refer to a page
such as Admin | Switch NIC, we mean the broad category
"Admin" and the detailed item "Switch
NIC" on that Admin menu.</p>

<a name="NOTES"></a>
<h2>NOTES</h2>

<p style="margin-left:11%; margin-top: 1em"><b>ntop</b>
requires a number of external tools and libraries to
operate. Certain other tools are optional, but add to the
program’s capabilities.</p>

<p style="margin-left:11%;"><b>--webserver-queue</b></p>

<p style="margin-left:12%;">Specifies the maximum number of
web server requests for the tcp/ip stack to retain in
its queue awaiting delivery to the <b>ntop</b> web
server. Requests in excess of this queue may be dropped
(allowing for retransmission) or rejected at the tcp/ip
stack level, depending upon the OS. Whatever happens,
happens at the OS level, without any information being
delivered to <b>ntop</b>.</p>

<p style="margin-left:12%; margin-top: 1em">Required
libraries include:</p>

<p style="margin-left:12%; margin-top: 1em"><b>libpcap</b>
from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3
or newer is strongly recommended.</p>

<p style="margin-left:12%; margin-top: 1em">The Windows
version makes use of <b>WinPcap</b> (libpcap for Windows)
which may be downloaded from
http://winpcap.polito.it/install/default.htm.</p>

<p style="margin-left:12%; margin-top: 1em">WARNING: The
2.x releases of <b>WinPcap</b> will NOT support SMP</p>

<p style="margin-left:12%; margin-top: 1em"><b>gdbm</b>
from http://www.gnu.org/software/gdbm/gdbm.html</p>

<p style="margin-left:12%; margin-top: 1em"><b>ntop</b>
requires a POSIX threads library. As of <b>ntop</b> 3.2, the
single-threaded version of <b>ntop</b> is no longer</p>

<p style="margin-left:12%; margin-top: 1em">The <b>gd</b>
2.x library, for the creation of png files, available at
http://www.boutell.com/gd/.</p>

<p style="margin-left:12%; margin-top: 1em">The
<b>libpng</b> 1.2.x library, for the creation of png files,
available at http://www.libpng.org/pub/png/libpng.html.</p>

<p style="margin-left:12%; margin-top: 1em"><b>ntop</b>
should support both gd 1.X and libpng 1.0.x libraries but
this has not been tested. Note that there are
incompatibilities if you compile with one version of these
libraries and then run with the other. Please read the
discussion in docs/FAQ before reporting ANY problems of this</p>

<p style="margin-left:12%; margin-top: 1em">(if an https://
server is desired) <b>openSSL</b> from the OpenSSL project
available at http://www.openssl.org.</p>

<p style="margin-left:12%; margin-top: 1em">The
<b>rrdtool</b> library is required by the rrd plugin.
rrdtool creates ’Round-Robin databases’ which
are used to store and graph historical data in a format that
permits long duration retention without growing larger over
time. The rrdtool home page is
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/</p>

<p style="margin-left:12%; margin-top: 1em"><b>ntop</b>
includes a limited version of rrdtool 1.0.49 in the myrrd/
directory. Users of <b>ntop</b> 3.2 should not need to
specifically install rrdtool.</p>

<p style="margin-left:12%; margin-top: 1em">The
<b>sflow</b> Plugin is courtesy of and supported by InMon
Corporation, http://www.inmon.com/sflowTools.htm.</p>

<p style="margin-left:12%; margin-top: 1em">There are other
optional libraries. See the output of ./configure for a</p>

<p style="margin-left:12%; margin-top: 1em">Tool locations
are current as of August 2005 - please send email to report
new locations or dead links.</p>

<a name="SEE ALSO"></a>
<h2>SEE ALSO</h2>

<p style="margin-left:11%; margin-top: 1em"><b>top</b>(1),
<b>tcpdump</b>(8), <b>pcap</b>(3).</p>

<a name="PRIVACY NOTICE"></a>
<h2>PRIVACY NOTICE</h2>

<p style="margin-left:11%; margin-top: 1em">By default at
startup and at periodic intervals, the <b>ntop</b> program
will retrieve a file containing current ntop program version
information. Retrieving this file allows this <b>ntop</b>
instance to confirm that it is running the most current</p>

<p style="margin-left:11%; margin-top: 1em">The retrieval
is done using standard http:// requests, which will create
log records on the hosting system. These log records do
contain information which identifies a specific <b>ntop</b>
site. Accordingly, you are being notified that this
individually identifiable information is being transmitted</p>

<p style="margin-left:11%; margin-top: 1em">You may request
- via the <b>--skip-version-check</b> run-time option - that
this check be eliminated. If you use this option, no
individually identifiable information is transmitted or
recorded, because the entire retrieval and check is</p>

<p style="margin-left:11%; margin-top: 1em">We ask you to
allow this retrieval and check, because it benefits both you
and the <b>ntop</b> developers. It benefits you because you
will be automatically notified if the <b>ntop</b> program
version is obsolete, becomes unsupported or is no longer
current. It benefits the developers of <b>ntop</b> because
it allows us to determine the number of active <b>ntop</b>
instances, and the operating system/versions that users are
running <b>ntop</b> under. This allows us to focus
development resources on systems like those our users are
using <b>ntop</b> on.</p>

<p style="margin-left:11%; margin-top: 1em">The
individually identifiable information is contained in the
web server log records which are automatically created each
time the version file is retrieved. This is a function of
the web server and not of <b>ntop</b>, but we do take
advantage of it. The log record shows the IP address of the
requestor (the <b>ntop</b> instance) and a User-Agent header
field. We place information in the User-Agent header as</p>

<p style="margin-left:11%; margin-top: 1em">ntop/<version> <br>
host/<name from config.guess> <br>
distro/<if one> <br>
release/<of the distro, also if one> <br>
kernrlse/<kernel version or release> <br>
GCC/<version> <br>
config() <condensed parameters from ./configure> <br>
run() <condensed flags - no data - from the execution <br>
libpcap/<version> <br>
gdbm/<version> <br>
openssl/<version> <br>
zlib/<version> <br>
access/<http, https, both or none> <br>
interfaces() <given interface names></p>

<p style="margin-left:11%; margin-top: 1em">For</p>

<p style="margin-left:11%; margin-top: 1em">ntop/2.2.98
host/i686-pc-linux-gnu distro/redhat release/9
kernrlse/2.4.20-8smp <br>
GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m;
instantsessionpurge; <br>
schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a <br>
access/http interfaces(eth0,eth1)</p>

<p style="margin-left:11%; margin-top: 1em">Distro and
release information is determined at compile time and
consists of information typically found in the /etc/release
(or similar) file. See the <b>ntop</b> tool linuxrelease for
how this is determined.</p>

<p style="margin-left:11%; margin-top: 1em">gcc compiler
version (if available) is the internal version number of the
gcc compiler, e.g. 3.2.3.</p>

<p style="margin-left:11%; margin-top: 1em">kernrlse is the
Linux Kernel version or the xBSD ’release’ such
as 4.9-RELEASE and is determined from the uname data (if
it’s available).</p>

<p style="margin-left:11%; margin-top: 1em">The ./configure
parameters are stripped of directory paths, leading -s, etc.
to create a short form that shows us what ./configure
parameters people are using.</p>

<p style="margin-left:11%; margin-top: 1em">Similarly, the
run time parameters are stripped of data and paths, just
showing which flags are being used.</p>

<p style="margin-left:11%; margin-top: 1em">The libpcap,
gdbm, openssl and zlib versions come from the strings
returned by the various inquiry functions (if they’re</p>

<p style="margin-left:11%; margin-top: 1em">Here’s a
sample log record:</p>

<p style="margin-left:11%; margin-top: 1em">67.xxx.xxx.xxx
- - [28/Dec/2003:12:11:46 -0500] "GET /version.xml <br>
200 1568 www.burtonstrauss.com "-"
"ntop/2.2.98 host/i686-pc-linux-gnu <br>
distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 <br>
run(i; u; P; w; t; logextra; m; instantsessionpurge; <br>
usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 <br>
interfaces(eth0,eth1,eth2)" "-"</p>
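<p style="margin-left:11%; margin-top: 1em">The User-Agent
layout above can be parsed mechanically, which is useful
both for seeing exactly which fields an instance reports
before deciding on --skip-version-check and, on the server
side, for tallying reporting instances. The following is an
added example, not ntop code: it parses the User-Agent into
fields, pulls it out of a combined-format web log line and
counts hits by version and access mode. The User-Agent value
reuses the man page’s sample values; the log lines and
their addresses are constructed.</p>

```python
"""Parser for the User-Agent string ntop sends with its version check (added
example, not part of ntop).  The field layout follows the PRIVACY NOTICE of
the man page; the User-Agent value reuses the man page's sample values, and
the two log lines are constructed here (RFC 5737 addresses, example.org).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Union

# name(items)  -> config(i18n), run(i; u; P ...), interfaces(eth0,eth1)
# key/value    -> ntop/2.2.98, kernrlse/2.4.20-8smp, access/http
_TOKEN_RE = re.compile(r"([A-Za-z]+)\(([^)]*)\)|([A-Za-z]+)/(\S+)")
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

Fields = Dict[str, Union[str, List[str]]]


def parse_ntop_user_agent(ua: str) -> Fields:
    """Split an ntop User-Agent string into a dict.

    Scalar fields (ntop, host, distro, release, kernrlse, GCC, libpcap, gdbm,
    openssl, zlib, access) map to strings; the bracketed groups config(),
    run() and interfaces() map to lists of their items.  Unknown keys are kept
    as-is so a newer layout does not silently lose data.
    """
    if not ua.startswith("ntop/"):
        raise ValueError("not an ntop User-Agent string")
    fields: Fields = {}
    for m in _TOKEN_RE.finditer(ua):
        if m.group(1):                                  # name(items)
            name, body = m.group(1), m.group(2)
            sep = "," if name == "interfaces" else ";"   # page shows ',' only for interfaces
            fields[name] = [it.strip() for it in body.split(sep) if it.strip()]
        else:                                           # key/value
            fields[m.group(3)] = m.group(4)
    return fields


def user_agent_from_log_line(line: str) -> Optional[str]:
    """Return the ntop User-Agent from a combined-format log line, or None."""
    for m in _QUOTED_RE.finditer(line):
        if m.group(1).startswith("ntop/"):
            return m.group(1)
    return None


def summarize(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count version-check hits by ntop version and by web access mode."""
    by_version: Counter = Counter()
    by_access: Counter = Counter()
    for line in lines:
        ua = user_agent_from_log_line(line)
        if ua is None:
            continue
        f = parse_ntop_user_agent(ua)
        by_version[str(f.get("ntop", "?"))] += 1
        by_access[str(f.get("access", "?"))] += 1
    return {"version": by_version, "access": by_access}


# Constructed sample data (field values taken from the man page's own example).
SAMPLE_UA = ("ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat release/9 "
             "kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n) "
             "run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d; "
             "usesyslog=; t) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 "
             "access/http interfaces(eth0,eth1)")
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml HTTP/1.1" '
    '200 1568 www.example.org "-" "' + SAMPLE_UA + '" "-"',
    '192.0.2.11 - - [28/Dec/2003:13:02:09 -0500] "GET /index.html HTTP/1.1" '
    '200 512 www.example.org "-" "Mozilla/5.0 (constructed)" "-"',
]

if __name__ == "__main__":
    for key, value in parse_ntop_user_agent(SAMPLE_UA).items():
        print(f"{key:12s} {value}")
    print(summarize(SAMPLE_LOG))
```

<p style="margin-left:11%; margin-top: 1em">Feeding the
sample through it shows every field the notice lists
(version, build host, distro and kernel release, compiler
and library versions, the configure and run-time flag
names, the web access mode and the interface names), which
is the concrete picture of what leaves the host with each
check.</p>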
<a name="USER SUPPORT"></a>
<h2>USER SUPPORT</h2>

<p style="margin-left:11%; margin-top: 1em">Please send bug
reports to the ntop-dev <ntop-dev@ntop.org> mailing
list. The ntop <ntop@ntop.org> mailing list is used
for discussing ntop usage issues. In order to post messages
on the lists a (free) subscription is required to
limit/avoid spam. Please do NOT contact the author directly
unless this is a personal question.</p>

<p style="margin-left:11%; margin-top: 1em">Commercial
support is available upon request. Please see the ntop site
for further info.</p>

<p style="margin-left:11%; margin-top: 1em">Please send
code patches to <patch@ntop.org>.</p>

<a name="AUTHOR"></a>
<h2>AUTHOR</h2>

<p style="margin-left:11%; margin-top: 1em">ntop’s
author is Luca Deri (http://luca.ntop.org/) who can be
reached at <deri@ntop.org>.</p>

<a name="LICENCE"></a>
<h2>LICENCE</h2>

<p style="margin-left:11%; margin-top: 1em">ntop is
distributed under the GNU GPL licence
(http://www.gnu.org/).</p>

<a name="ACKNOWLEDGMENTS"></a>
<h2>ACKNOWLEDGMENTS</h2>

<p style="margin-left:11%; margin-top: 1em">The author
acknowledges the Centro Serra of the University of Pisa,
Italy (http://www-serra.unipi.it/) for hosting the ntop
sites (both web and mailing lists), and Burton Strauss
<burton@ntopsupport.com> for his help and user
assistance. Many thanks to Stefano Suin
<stefano@ntop.org> and Rocco Carbone
<rocco@ntop.org> for contributing to the project.</p>