1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
4
<!--meta http-equiv="Content-Type" content="text/html; charset=utf-8" -->
5
<meta http-equiv="Content-Style-Type" content="text/css">
6
<meta http-equiv="Window-target" content="_top">
7
<meta name="description" content="ntop (http://www.ntop.org) FAQ file.">
8
<meta name="author" content="ntop">
9
<meta name="generator" content="ntop 3.0">
10
<link rel="stylesheet" type="text/css" href="style.css">
11
<title>ntop FAQ</title>
13
<body background="white_bg.gif">
15
<p>This is an unsophisticated, automated conversion of the source file, docs/FAQ into html.
16
Please report problems to the ntop-dev mailing list.
17
But remember, it's not about making it look good, it's about making the content available.</p>
23
Where can I find ntop?
27
The official website can be found at http://www.ntop.org/.
32
Where do I get the source?
36
SourceForge -- http://sourceforge.net/projects/ntop/
39
There is also a cvs (current development) maintained at cvs.ntop.org.
40
(instructions are on the download page of www.ntop.org)
44
DO NOT (under ANY circumstances) USE THE SOURCE FILES FROM
45
http://snapshot.ntop.org!!!!! They are broken, incomplete and
46
WILL NOT WORK. (See 'snapshot, cvs and the Wiki' below)
55
ntop is an open source network top - it monitors a network and collects
56
information about the protocols and hosts for display.
61
Um, so it's like mrtg (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/)?
68
Yes in that both are analyzers of network packets.
71
Yes in that both display information about your network.
74
No in that they take very different approaches to collecting information.
77
No in that they display different types of information.
86
mrtg creates a picture of the network centered on the device on the link
87
between devices (and aggregations of devices and links).
90
Tobias (Tobi) Oetiker describe mrtg as:
94
"The Multi Router Traffic Grapher (MRTG) is a tool to monitor
95
the traffic load on network-links. MRTG generates HTML pages
96
containing graphical images which provide a LIVE visual
97
representation of this traffic."
106
mrtg reads the counters maintained by various devices such as routers, using
107
a protocol called 'snmp' (Simple Network Monitoring Protocol). The
108
management information bases (MIBs) read using snmp, contain incredibly
109
detailed information about the packets the device has seen and what it has
116
"MRTG ... uses SNMP to read the traffic counters of your routers and
119
... which logs the traffic data and creates beautiful graphs representing
120
the traffic on the monitored network connection."
123
mrtg is focused on 'layer 2' (the tcp/ip and other low level protocol).
132
ntop doesn't use snmp - it's not a device centric view of the network.
133
Instead ntop actually processes the network packets directly.
138
What's wrong with snmp?
145
snmp is a pull protocol, that is a monitoring tool has to pull the
146
information from the device. snmp has 'traps' that is alert messages which
147
can be sent out, but the MIB data has to be read by the monitoring tool from
151
snmp is an older protocol, from the dawn of the network era and it has some
152
minor issues of security and complexity and verbosity. But it's a critical
153
network protocol, used successfully by 1000s of ISPs to monitor AND CONTROL
157
From our perspective, the problems with snmp are minor -
161
It can use a lot of bandwidth - especially if you're reading from devices
162
on the far side of slow links.
166
Pulling data out of MIBs is a complex process. MIBs can be specified in
167
an RFC, or be unique to a vendor/device.
171
An snmp-based tool either has to restrict itself to the common MIBs,
172
or (most often for vendor tools) it be updated whenever a new device
173
must be supported or a MIB changes.
177
This makes snmp-based tools complex, because data may be unavailable
178
in certain versions of seemingly similar devices, etc. For example,
179
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
180
is a page which links to the specific MIBs supported by various
186
So why hasn't ntop 'won'?
190
mrtg excels at monitoring 100s or 1000s of network devices (routers,
191
switches, etc.) and presenting that information over long periods of time.
194
ntop doesn't do a good job of showing multiple 'networks' - it's really
195
focused on aggregating a picture of a single network. And for drilling down
196
into that picture or presenting it over long periods of time.
199
The processing of packets requires a lot more computer resources than just
200
reading counters from devices. On the plus side, this gives much more
201
detailed information - for example ntop sees the actual web server request
202
instead of just that there was traffic on port 80. On the minus side, it's
203
pretty easy to exceed the processing power of the low end machine typically
204
available for ntop. An ISP using ntop to monitor a couple of T3s needs a
205
FAST computer and A LOT of memory.
208
ntop also requires access to the physical network (either directly via a
209
network card or indirectly via a netFlow/sFlow probe). This limits ntop's
210
(usefullness|ability) to work across sites.
213
Once you learn what they do (mrtg and ntop), you'll probably discover that
219
What's this 'layer' crud?
223
Network layers come from a widely cited but never implemented model, the OSI
224
(Open System Interconnect ) networking model from the ISO (International
225
Standards Organization).
228
Google for it - for example
231
http://www.ussg.iu.edu/usail/network/nfs/network_layers.html
236
So ntop is like netFlow (Cisco), sFlow (RFC 3176, http://www.sflow.org) or
241
Not really, actually those are all protocols for sending and receiving
242
information about the network.
245
ntop has lots in common with the tools that USE those protocols.
248
And there are lots of tools - some proprietary, many open source.
251
The devices/programs that collect the information and send it out in netFlow,
252
sFlow or RMON format are usually called (by me) 'probes'. The devices and/or
253
programs that receive the netFlow, sFlow or RMON formatted information and do
254
things with it are called 'collectors' (if they process it and forward it on)
255
or called 'displays'.
258
In fact, ntop can receive netFlow packets and both send and receive sFlow
259
packets. It can be a 'probe' or a 'display'. (ntop used to be able to send
260
netFlow packets - that was removed 2004-03 by Luca).
265
So ntop is like Nagios or Ipswitch's - WhatsUp Gold?.
269
Nope - those are layer 4 and higher (application) monitoring programs.
278
Enough already - if you search Freshmeat.net,
279
http://freshmeat.net/search/?q=network+monitor§ion=projects
280
you will find (as of 18Aug2003):
284
Topic :: System :: Networking :: Monitoring (654 projects)
287
We'll be here all day. ntop is ntop.
292
Ok, so ntop is a unique TCP/IP analyzer.
299
First off, ntop pretty much doesn't care about the lowest (layer 1 or wire)
300
layer. It leaves dealing with that to a library, libpcap, which hides most
304
ntop is designed as a hybrid packet analyzer, not a pure Ethernet analyzer
305
(layer 2) nor a pure TCP/IP analyzer (layer 3).
308
ntop gets the data at the layer 2 (frame) level, which could be Ethernet
309
or another protocol. Beyond Ethernet, ntop has minimal smarts about FDDI,
310
PPP, RAW and TOKEN-RING frames. That is, at least enough for some basic
311
counts or to extract the (layer 3) TCP/IP data in side.
314
ntop 3.0 adds TWO (three?) HUGE areas of new protocol support.
317
ntop 3.0 supports IPv6, thanks to code contributed by Olivier Festor
318
<Olivier.Festor@loria.fr> and Abdelkader Lahmadi <Abdelkader.Lahmadi@loria.fr>
319
of the MADYNES Research Time (Managing DYnamic NEtworks and Services), see
320
http://madynes.loria.fr/.
323
ntop 3.0 has more than a fair amount of smarts about FibreChannel and SCSI
324
thanks to code contributed by Dinesh G Dutt <ddutt@cisco.com> of Cisco.
327
However, since most of ntop's displayed counts are at the TCP/IP level, it
328
confuses people into thinking ntop is purely a TCP/IP analyzer.
331
ntop is a traffic monitor with it's own network interfaces, which monitors
332
what it sees (or is told about through netFlow or sFlow probes).
341
ntop is known to work under Linux, Mac OS X, FreeBSD, OpenBSD (3.4, nothing
342
earlier) NetBSD (with issues) and Win32.
345
ntop development is done primarily on RedHat Linux and Mac OS.
348
Luca also does a port to Win32 (MS Visual C++) and works in the Sun
352
I (Burton) usually work under RedHat Linux, but have a multi-boot system
353
for testing that runs various Linux distros, FreeBSD (4.9 and 5.2),
354
NetBSD, Solaris 8 i86 and OpenBSD.
357
During the ntop 3.0 development cycle, we did some development and
358
testing on various platforms. Here's data from the version.xml log
359
showing what people were running while testing 2.2.98 and 2.2.99:
364
------- ------- --------------
366
90 Windows WinNT/2K/XP
375
and <5 records for FreeBSD 4.6.2, 4.8, 5.0, 5.2.1; OpenBSD 3.4;
383
Solaris 8 / 9 work, 2.6 and 7 probably would...
384
FreeBSD 4.6.2/4.8/4.9 and 5.1/5.2
388
NetBSD doesn't seem to have been tested.
391
Lots of Different Linuxes... of the ones we recognize:
396
------- --------- --------
402
15 debian (probably 3.0)
414
and < 5 records for arch 0.6; aurora 1.0; aurox 9.2; fedora 0.95;
415
gentoo 1.4.2.9, 1.4.3.10 and 1.4.3.12; immunix 7.0; mandrake 8.1 and 8.2;
416
pld 1.1; redhat 1, 2.1, 6.2, 7.0, 7.1; slackware 7.1.0, 8.1 and 9.0-beta;
417
suse 6.3, 7.0, 8.0 and 8.1; and yellowdog 3.0.
421
Running under pretty much any *nix is at least theoretically possible.
422
But it takes interested party/parties and access to resources - some of the
423
things that ntop does such as libpcap and loading plugins are tied tighter
424
to the OS than you might like.
428
There are sections below about each specific OS.
434
What determines the features of ntop?
438
<laugh>Whatever Luca wants</laugh>
443
Why did you do this "x" instead of feature "y"?
447
Don't know. I could guess...
450
Imagine you are the network manager for a large University network and have
451
to crack down on users who are illegally exchanging copyrighted files or
452
using University resources to run a business without paying for the resources
459
You are a major vendor of infrastructure, whose customers are using networks
460
for new features such as storage area networks and you want to give them
461
the ability to monitor these.
467
You have a really cool technology that you've just donated to the community
468
via an RFC and wish to jump-start adoption of it.
474
You are moving heavily into IPv6 and need to be able to monitor your 'new'
475
network just like you monitored the IPv4 one.
481
You really, really, really hate that ntop generates such lousy html code
482
and you decide to scratch that itch.
485
or (what should happen)
488
A major corporation, with out resources, time, skills and/or inclination
489
to do it themselves sponsors the development of a feature that's critical
496
Then again, it could just be because it's cool...
505
Probably - as long as it doesn't move the tool away from it's purpose and
506
it's strengths, almost anything is possible - especially as a plugin.
515
Maybe - if it's of interest to a developer, or you provide the code such
516
that it can be merged in, or if you're willing to sponsor the development
517
effort (contact us through http://www.ntop.org/consultancy.html).
519
<h2>Documentation</h2>
523
Why isn't there (any)(more)(better) documentation.
527
(A personal peeve from Burton...)
530
I get real tired of people complaining that there isn't any documentation
531
and then being unwilling to contribute even the simplest stuff. I've said
532
I'll edit and assemble whatever people send me... and since I started working
533
with ntop in November 2001, I've received maybe six pages of stuff.
536
I'm trying to get people - who aren't coders - to contribute to ntop the
537
project. The contribution that ANYONE can make is "documentation". A task-
538
specific HOWTO... some sample screen shots... An FAQ entry...
541
I've tried being nice.
543
I've tried shaming people into it.
546
What have I gotten? Zip.
549
Nasty is all that's left... This is your fair warning. If you show up on
550
the ntop mailing lists and complain about documentation, you will get
559
Ok, where can I find what does exist.
563
http://www.ntop.org has pointers and some (dated) documents.
566
The documentation in the docs/ directory, the Documentation files at SourceForge
567
and some at http://www.ntopsupport.com are basically all that there is.
570
Search the ntop mailing lists at gmane, http://search.gmane.org. The lists
571
are called gmane.linux.ntop.general and gmane.linux.ntop.devel.
574
Please contribute to the ntop community by writing things up for inclusion
575
in this FAQ or other documents!
578
You can even do this all by yourself at the ntop Wiki,
579
http://www.burtonstrauss.com/pmwiki/pmwiki.php?pagename=Ntop.HomePage
580
(But note that whether it remains available depends on whether people
586
I can't find a file at SourceForge!
590
You can reach the archives through any SourceForge mirror, e.g.
594
http://telia.dl.sourceforge.net/sourceforge/ntop/
595
^^^^^ change that qualifier to one that's close to you.
598
It has ALL the files unless we explicitly delete them...
608
Make sure it's a supported release!
611
We support only the current versions of ntop. This is either:
615
* the last release, e.g. v3.0.
616
* the current cvs (cvs.ntop.org)
617
* the latest development version posted at SourceForge (if one)
620
If you use a port/package and the latest version available for your
621
OS is some release candidate from a year ago, sorry. Contact the
622
packager and ask them to get current.
625
Luca usually asks people to try the latest cvs (development) version
626
because problems are frequently already fixed in there.
631
I'm running something supported and I've tried the latest & greatest.
632
Still, I have a problem.
636
Read the ntop mailing lists.
639
The ntop mailing lists are at
642
http://listgateway.unipi.it/mailman/listinfo/ntop
644
http://listgateway.unipi.it/mailman/listinfo/ntop-dev
647
If you're having non-user problems OR you are using the cvs, you should be
648
reading and posting ntop-dev (for example, the cvs commit messages are posted
652
You can read the lists through gmane (or other gateways) if you don't
653
want to subscribe, but only subscribers can post.
656
You can download the older messages in large chunks from the mailing list
657
subscription pages. Look for "To see the collection of prior postings to
663
I looked and I didn't find my problem.
667
Join the mailing list(s) and ask for help.
670
Before you post, check the "HowTo Ask for Help" at the end of this FAQ.
673
Please, if at all possible, use the built in PR_ form (the little 'bug' icon
677
Guidelines for asking questions:
681
ONE and only ONE problem / issue / question per message.
685
With a meaningful subject.
689
The goal is that if you're asking a common question, the
690
subject would have allowed you to find it in the back
691
traffic for the mailing list.
695
Post the information about your environment we ask for.
699
We STRONGLY suggest you use the automatically generated "Problem
700
Report" form that since it contains much of the necessary information.
704
Make sure you're in a supported environment (./configure --showoses).
708
If it's an unsupported environment, we're interested in your efforts to
709
make ntop work, but we don't have the time, resources, knowledge and/or
710
interest to do it ourselves.
714
For software 'crashes', please run ntop under the gdb debugger and capture
715
the full failure information.
719
Brief instructions on using gdb are at the end of this file (docs/FAQ).
724
I posted to the list and nobody answered me.
728
ntop is open source, and the lists are a community resource. If nobody
729
answered your question, then nobody knew the answers off-hand and nobody
730
wanted to spend THEIR time solving YOUR problem.
735
Do you offer paid support?
739
Yes - contact us through http://www.ntop.org/consultancy.html
741
<h2>Configuring ntop</h2>
745
What does ./configure do?
749
./configure checks for the tools installed on your system - configuring
750
ntop to compile with the ones you have and skip the ones you don't (or
751
to tell you if you're missing something critical).
756
Why bother - just compile the code.
760
Then you would have to have a machine configured EXACTLY like Luca's.
761
Nothing else would work. Various OSes and Linux distributions package
762
the files in different ways and put them in different places. Plus some
763
packages put files into directories with release information in them, etc.
772
Is how you tell ntop where to find things. A lot of stuff it can figure
773
out on it's own, but if things get put in 'strange' places, ntop's
774
./configure has switches you use to tell where to find things.
783
./configure --help shows the whole list. It's a bit confusing because
784
there are standard options and ntop options mixed in there.
788
So, first let's look at the 'where are things' options. There are two
789
types of files ntop is looking for, '.h' files and libxxxx files.
792
.h files are also called 'includes' and libxxxx files are called libraries
796
.h files are the C source for functions provided by the OS or by libraries.
797
They are typically in a directory named /usr/include, but they can be
801
lib files are compiled libraries of these functions (the .h tells ntop
802
how to call something, the lib file is the actual code). Their names
803
usually begin libxxxx (so the library gd is named libgd).
806
By convention, libraries end in .so or .a. A .so library is a shared
807
library (Windows DLL), where one copy of the library is used by all
808
programs that want it's functions. A .a library is a non-shared or
809
static library, which must be merged (the technical term is linked)
813
ntop uses both - the myrrd library is a static, .a library. When it
814
comes to things like libpcap or libgd, we use shared (.so) libraries.
817
Library files are typically placed in /usr/lib, where the gnu linker
818
(ld), 'knows' automatically how to find them. However, from OS to
819
OS and distribution to distribution, there are many other common places.
820
Some OSes even have a file telling ld all the places to look.
825
So ntop looks for these .h and library thingies in a couple of places.
826
What if it doesn't find them?
830
If a basic ./configure can't find something, you'll have to tell ntop
834
It's complex and OS/distro dependent. For example, if you install libgd
835
from the Sun Freeware site on to a Solaris machine, the files get put
836
into /usr/local/include and /usr/local/lib, which are not on the lists
837
of 'standard' places for Solaris' versions of gcc (the Gnu c compiler)
838
or ld. So to compile ntop, you have to tell gcc to look in these
839
additional locations.
842
The things ntop might be looking for are in this part of the
843
./configure --help output:
847
+-External-source-locations:-------------------------------------------------+
848
--with-pcap-root=DIR LBNL pcap located in DIR
849
--with-pcap-lib=DIR or libpcap located in DIR
850
--with-pcap-include=DIR or pcap.h located in DIR
851
--with-gdbm-root=DIR gdbm located in DIR
852
--with-gdbm-lib=DIR or libgdbm located in DIR
853
--with-gdbm-include=DIR or gdbm.h located in DIR
854
--with-zlib-root=DIR zlib located in DIR
855
--with-zlib-lib=DIR or libz located in DIR
856
--with-zlib-include=DIR or zlib.h located in DIR
857
--with-gd-root=DIR gd located in DIR
858
--with-gd-lib=DIR or libgd located in DIR
859
--with-gd-include=DIR or gd.h located in DIR
860
--with-libpng-root=DIR libpng located in DIR
861
--with-libpng-lib=DIR or libpng located in DIR
862
--with-libpng-include=DIR or png.h located in DIR
863
--with-ossl-root=DIR openSSL located in DIR
864
--with-ossl-lib=DIR or libssl located in DIR
865
--with-ossl-include=DIR or ssl.h located in DIR
866
--with-localedir=DIR LOCALE files located in DIR (i18n)
867
+-----------------------------------------------------------------------+
870
You can see that there is a pattern, pretty much every --with-xxxxx-root
871
has a --with-xxxxx-include and --with-xxxxx-lib option.
874
So, if ntop tells you it can't find something, do this - first look for the
880
/usr/include/pcap/pcap.h
883
(If you don't have locate, this works too:
886
$ find / -type f -name "pcap.h"
890
And then tell ./configure via --with-pcap-include=/usr/include/pcap
893
(Some OSes are smart enough to look in a subdirectory of the standard
894
location, but others aren't).
899
Ok, but why three options?
903
You use either the --with-xxxxx-root option OR either/both of the others
904
at a time. But ntop really only looks at the --with-xxxxx-include and
905
--with-xxxxx-lib options.
908
Internally, --with-xxxxx-root=/a/b/c is translated into
909
--with-xxxxx-lib=/a/b/c/lib and --with-xxxxx-include=/a/b/c/include
910
(that's the usual pattern).
913
Now sometimes libraries are installed logically - if the pcap.h file is in
914
/usr/local/pcap/include, the library (libpcap.so) is probably in
915
/usr/local/pcap/lib. Sometimes they are not logical and you will have
916
to use the split options.
919
The --with-pcap-root=/usr/local/pcap is shorthand for the two options,
920
--with-pcap-include=/usr/local/pcap/include and
921
--with-pcap-lib=/usr/local/pcap/lib.
926
Oh Ghu - aren't there any short cuts.
930
For the first time you try ./configure, there's a script on SourceForge in
931
The user contributed area that will try to build the ./configure line for
937
And the OTHER options?
941
There is a set that tells ntop where to install stuff. For simplicity,
942
the two you might want to change are:
946
--prefix=PREFIX install architecture-independent files in PREFIX
948
--datadir=DIR read-only architecture-independent data
952
--prefix tells ntop where to install the various files. The default value
953
is /usr/local, which is where most non-OS software normal goes.
956
A common choice for libraries (such as pcap) is --prefix=/usr, which puts
957
things like .h files in places easier to automatically find (/usr/include).
958
--prefix=/usr certainly works for ntop. --prefix=/opt is another choice.
961
The 'proper' choice turns on which model of file organization the OS and
962
sysadmin prefer. That's a fight I'm staying out of.
965
--datadir tells ntop where to put its databases and output files. The
966
default is /usr/share/ntop, but that will give some sysadmin's agita.
967
Another popular choice is --datadir=/var, which puts all the files in
968
/var/ntop. That may be attractive especially if you make /var/ntop
969
a separate partition, so the rrd files don't eat all your disk space.
974
What's --enable-iknowbetter Override WILLFAIL
978
There are some error messages where it's possible that thing work (now)
979
that didn't used to, or you're doing development and don't want ntop
980
to stop you from doing something, or there's an error message that you
981
have skipped before without getting bitten.
984
--enable-iknowbetter will print the message but not stop ntop from
985
finishing ./configure.
988
Use it at your own risk.
993
What are the --enable and --disable options?
997
These (and the with/without options) pretty much do what you think - they
998
enable or disable large chunks of ntop functionality:
1002
+--ntop-specific:-------------------------------------------------------+
1003
--disable-mt disable multithread support [default=enabled]
1004
--enable-sslv3 enable ssl v3 support [default=disabled]
1005
--enable-sslwatchdog enable Watchdog for ssl hang-ups
1007
--disable-plugins disable compilation of plugins
1009
--enable-static-plugins Enable static linked plugins sntop,
1011
--enable-ignoresigpipe Ignore SIGPIPE errors [default=do not ignore]
1012
--enable-i18n Enable (limited) internationalization
1014
--enable-showoses display OS Support information.
1015
--disable-ipv6 use IPv6 [default=enabled]
1016
+-----------------------------------------------------------------------+
1020
+--external-packages:---------------------------------------------------+
1021
--without-ssl disable HTPPS support [default=enabled]
1022
--without-zlib disable zlib [default=enabled]
1023
--with-tcpwrap enable use of TCP Wrapper [default=disabled]
1032
There are some so called 'environment variables' you can set that change
1033
things too. The common ones are:
1036
CC C compiler command
1037
CFLAGS C compiler flags
1038
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
1039
nonstandard directory <lib dir>
1040
CPPFLAGS C/C++ preprocessor flags, e.g. -I<include dir> if you have
1041
headers in a nonstandard directory <include dir>
1045
You would use these variables to override the choices made by ./configure
1046
or to help it to find libraries and programs with truly nonstandard
1050
The best place to look for examples of these environment variables are in
1051
the OS/distribution files in the configureextra directory. For example,
1052
(again picking on Solaris), we use LDFLAGS to tell ld to look in some
1053
common Solaris locations for libraries via this:
1057
LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${LDFLAGS}"
1060
What that does is add /usr/local/lib to the locations that ld will check.
1065
./configure dies in some strange horrible way complaining about version
1066
conflicts, lunar phase or whatever.
1070
The process of creating portable cross-platform scripts for building
1071
software is ugly and hard and prone to failure. There are tools
1072
(released by gnu) to help, named automake, autoconf and libtool.
1073
(Collectively the auto* tools).
1076
These tools take basic files and generate more complex files based
1077
on a series of rules, conventions and macros (much of which is poorly
1078
or undocumented). Other processes (e.g. ./configure) take these files
1079
and generate more complex files based on a different series of rules,
1080
conventions and macros. This ultimately produces the 'Makefile', which
1081
a program called make uses - based on (...wait for it...) yet another
1082
series of rules, conventions and macros - to actually compile the ntop
1086
There are interdependencies among the tools, partial support for older
1087
versions in some releases, but not in other releases and many more
1091
Different OSes and different Linux distros ship with wildly different
1092
versions. Some even have scripts that attempt to analyze the file and
1093
pick the correct version (which just means that trying to code a file
1094
with multiple version support confuses the tool).
1097
So if you have a basic, total failure of ./configure, it's usually
1101
ntop used to ship with a manual script that rebuilt the generated files
1102
according to the version(s) of the tools installed on the system you were
1103
using to build ntop. Thus the standard answer was 'run ./autogen.sh -1'.
1106
But, this meant that you had to have these 'developer' tools installed
1107
and caused much problems and gnashing of teeth.
1110
So we spent 100s of hours rebuilding the scripts to be totally independent
1111
of having the tools installed on your system - only to run into problems
1112
because the xyz 1.6.1 tool installed by default on OS A isn't quite
1113
compatible with the 1.6.3 version on OS B.
1116
So we put technology in place to automatically detect tool versions and
1117
rebuild the generated files if necessary. That meant you had to have
1118
these 'developer' tools installed and caused much problems.
1121
So we rebuilt the scripts AGAIN and AGAIN, dropped support for old versions
1122
of the tools and finally reached a point where it works for most reasonably
1123
current platforms. This is a compromise:
1127
Systems that don't have the tools installed usually work.
1128
Systems that have bleeding edge versions of these tools may break.
1129
Systems with very old versions also may break.
1132
The technology to detect versions and rebuild the script files if
1133
appropriate is still in there, but it's disabled from normal use.
1136
If you have the auto* tools installed and have ./configure problems, you
1137
can activate the automatic rebuild feature via:
1141
$ export NTOPAUTOREBUILD=yes
1145
If the rebuild fixes it, that's great. Regardless, please report the
1146
problem to the ntop mailing list. Please don't paraphrase the messages
1147
cut & paste the ACTUAL MESSAGES into your report. Also, please let us
1148
know the version(s) of the tools installed on your system:
1153
$ autoheader --version
1154
$ autoconf --version
1155
$ automake --version
1161
But how does it all hang together?
1165
There's a vsd (Visio)/pdf in the docs directory - ntop-autotools.pdf.
1167
<h2>Compiling ntop</h2>
1171
Which packages/libraries do I need to compile ntop:
1175
Note: In some cases the minimal header files for a tool will be in
1176
one "package" and the execution library in another. ntop needs
1177
both so that the ./configure test finds the tool. It's usually
1178
safest to install both the tool and development packages!
1182
(Some packages will have additional packages as pre-requisites)
1186
gdbm (We have people using 1.7.3, 1.8.0, 1.8.2 and 1.8.3)
1191
We recommend 0.7.2, but ntop works with most 0.6.x versions.
1192
The newest version, 0.8.x works too - there are ntop fixes since
1193
late 2.2.9x releases for this.
1197
STAY AWAY from older versions, especially under Linux.
1201
Note: Building libpcap requires: bison/flex
1205
gd (1.8.x - stay away from 2.x development versions)
1206
http://www.boutell.com/gd/gd.html
1210
libpng (1.2.x - although ntop works with 1.0.x versions, the two libpng
1211
versions are not compatible and will often cause version conflicts
1225
Note: Both gcc 2.95/2.96 and 3.2/3.3 are reported to work. Across a lot
1226
of software, gcc 3.0 had problems - no clue re ntop.
1227
For you folks still running 2.94, I think I fixed all the compile errors,
1228
but upgrade for ghu's sake!
1232
libtool 1.4+ (distribution with 1.4.2)
1233
(there are successes reported with 1.3.4 or 1.3.5 -
1234
use --enable-iknowbetter)
1239
Note: If all you have is nawk, then --enable-showoses will not work.
1240
If all you have is original awk, then ./configure will not work.
1245
Will the "xyz" compiler work instead of gcc?
1249
We explicitly REQUIRE gcc.
1252
We know that under many systems, a compiler called cc is available. On some,
1253
it's a symbolic link to gcc, BUT, when invoked as cc, it often triggers 'old'
1254
behaviors for cc compatibility. On others, cc is a retarded compiler just good
1255
enough for compiling the kernel.
1258
The one exception is Sun's cc, which - since Luca used to do a lot of development
1259
on Solaris - was pretty well supported.
1268
Only if you are going to rebuild the distributed script files:
1272
autoconf 2.5+ (distribution with 2.57)
1273
automake 1.6+ (distribution with 1.6.1)
1282
Lots. The most common is:
1286
openssl (for https:// support)
1287
Note: For security reasons you should only have the most current
1288
Version of openssl installed.
1293
ntop doesn't compile.
1297
Sure, it does - for me :-)
1302
Right smarty-pants...
1306
First, check if you're using a supported OS.
1309
The long and short of it is that ntop works under Linux, Mac OS X and
1313
Luca distributes a Win32 version through http://shop.ntop.org but charges a
1314
convenience fee. Or you can fire up Microsoft's Visual C++ 6.0 and compile
1315
the Win32 version that way. We don't recommend Visual C++ .Net as the
1316
internals of the memory management caused problems.
1319
It works (albeit with severe limitations) on NetBSD.
1322
It works on OpenBSD 3.4 (only).
1325
It used to work under MinGW, but that broke after 2.1.3 and we need somebody
1326
with some technical skills and an interest in MinGW to fix it.
1329
Anything else, you are in untested waters. Some cases we know there are
1330
problems, others we just haven't tested.
1335
But that was as of 18Aug2003?
1339
Yes. For the latest scoop, run ./configure --enable-showoses
1342
ntop will perform the basic ./configure tests (make sure you have a c
1343
compiler that works, etc.) and then output a table.
1346
This is from a pretty complete 3.0 release (at least as far as OS support
1351
ntop OS Support status extract for version 2.2.91
1352
Run Mon Aug 18 10:00:58 CDT 2003
1356
config.guess value compiler OS name Status
1357
------------------ --------- --------- ---------------
1358
mingw32* gcc MINGW UNTESTED
1359
cygwin* * CYGWIN WILLFAIL
1360
linux* *gcc LINUX SUPPORTED
1361
solaris2.9* * SOLARIS UNTESTED
1362
solaris2.8* * SOLARIS SUPPORTED
1363
solaris2.5* * SOLARIS UNTESTED
1364
solaris* * SOLARIS UNTESTED
1365
darwin* * DARWIN SUPPORTED
1366
freebsd[45]* *gcc FREEBSD SUPPORTED
1367
freebsd* * FREEBSD UNTESTED
1368
openbsd* * OPENBSD WILLFAIL
1369
netbsd*1.5* gcc NETBSD
1370
netbsd* * NETBSD UNTESTED
1371
hpux11* gcc HPUX WILLFAIL
1376
Quoting from the ./configure --enable-showoses output:
1380
Status of 'SUPPORTED' means you are:
1384
Building ntop for a supported platform
1385
This means we expect ntop to work without major issues
1389
Status of 'UNTESTED' means you are:
1393
Building ntop for an untested platform
1397
Untested means that:
1401
1. A previous version of this OS is supported.
1402
or 2. This version of this OS was supported by a
1403
previous version of ntop.
1407
./configure applies the same configuration options,
1408
special parameters, etc. as for the prior release.
1412
For OS .0 releases that is probably a bad bet...
1416
It could just be that you are compiling an older version
1417
of ntop on a new OS release - check the http://www.ntop.org
1422
Status of 'WILLFAIL' means you are:
1426
Attempting to build ntop for an unsupported platform
1430
>>> This is unsupported.
1431
>>> It will almost certainly fail
1432
(that is why it is listed as 'unsupported' - doh!)
1436
Status of blank means that the support level depends
1437
upon ntop settings and/or other factors.
1442
Ok, it's a supported release and it still won't compile.
1446
Did you run ./configure? And did it complete successfully?
1449
Usually 'compile' problems for supported platforms are a missing
1450
(critical) library or header file, but the user ignored (didn't see)
1451
the error/warning message and tried running make anyway.
1454
./configure checks a lot of things. When it's looking for
1455
headers and libraries, ntop will report KEY information and PROBLEMS
1456
in large, set-off, lines:
1460
*******************************************************************
1462
* NOTE: Building ntop for a supported platform
1463
* This means we expect ntop to work without major issues
1465
* 'i686-pc-linux-gnu'
1467
* Please keep the ntop-dev mailing list updated with any
1468
* successes you have or problems you encounter...
1470
* Support for this platform was most recently verified for
1472
* RedHat7.2 w/ updates ntop 2.1.51 on 2002-10-21
1473
* Suse i686, 2.4.18-4GB-SMP ntop 2.1.51 on 2002-10-24
1475
*******************************************************************
1478
READ THESE BOXES. Even if you don't read the rest of the output, read
1479
the boxes. ntop can work around a lot of problems (missing libraries)
1480
by disabling features that need them. If, for example, you don't have
1481
zlib, ntop will compile a version that doesn't output compressed html
1482
pages. If you don't read the boxes, you will never know.
1485
READ THE MESSAGE BOXES!
1489
*******************************************************************
1491
* NOTICE: I know you're used to ignoring output from ./configure *
1493
* ntop has a lot of complexity and interdependences. *
1495
* Please, please AT LEAST read the stuff in these *
1498
*>>> The ACTION taken is shown prefixed '>>>' *
1500
* If the ACTION is unacceptable, *
1501
*??? The REMEDIATION plan is shown prefixed with '???' *
1503
*******************************************************************
1506
The box will tell you what's wrong, what ntop did and often how to fix it
1507
if you don't like ntop's fix.
1510
READ THE MESSAGE BOXES!
1513
Hint: It may sometimes be that you're missing the header files (often those
1514
are in a -devel rpm if you're running RedHat)
1517
If you see a message box and don't understand why ("I'm sure that
1518
header file is present"), then look at a file called config.log. Search
1519
for the specific header or library reported in the message box and you will
1520
see the detailed compiler/linker error messages.
1523
For example, ./configure reports:
1527
checking for linux/if_pppox.h... no
1530
The first thing to so is check if it's on your system:
1534
$ locate linux/if_pppox.h
1535
/usr/include/linux/if_pppox.h
1538
(If you don't have locate, this works too:
1541
$ find / -type f -name "ethertype.h"
1545
Open up config.log and look for if_pppox.h:
1549
configure:13086: checking for linux/if_pppox.h
1550
configure:13103: gcc -c -g -O2 -Wshadow -Wpointer-arith
1551
-Wmissing-prototypes -Wmissing-declarations -Wnested-externs -fPIC
1552
-DLINUX conftest.c >&5
1553
configure:13158: parse error before '/' token
1554
In file included from configure:13160:
1555
/usr/include/linux/if_pppox.h:38: `ETH_ALEN' undeclared here (not in a
1557
/usr/include/linux/if_pppox.h:39: `IFNAMSIZ' undeclared here (not in a
1559
/usr/include/linux/if_pppox.h:40: confused by earlier errors, bailing out
1560
configure:13106: $? = 1
1561
configure: failed program was:
1562
| #line 13091 "configure"
1565
| #define PACKAGE_NAME "ntop"
1566
| #define PACKAGE_TARNAME "ntop"
1567
| #define PACKAGE_VERSION "2.2.91"
1568
| #define PACKAGE_STRING "ntop 2.2.91"
1569
| #define PACKAGE_BUGREPORT ""
1570
| #define PACKAGE "ntop"
1571
| #define VERSION "2.2.91"
1572
| #define STDC_HEADERS 1
1574
| #define HAVE_NETINET_UDP_H 1
1575
| /* end confdefs.h. */
1576
| net/if.h netinet/if_ether.h
1578
| #include <linux/if_pppox.h>
1579
configure:13123: result: no
1582
You see the actual test program, the actual compile line and the error
1586
Before reporting it to us, chase down where those missing items are declared:
1590
$ grep -R 'ETH_ALEN' /usr/include/* | grep '#define'
1591
/usr/include/linux/if_ether.h:#define ETH_ALEN 6
1592
/usr/include/net/ethernet.h:#define ETHER_ADDR_LEN ETH_ALEN
1595
And post that information with your error report. The reason is that these
1596
field definitions are often placed in very different places in different
1597
OSes and even in different distributions.
1600
FWIW, if you look in the older configure.in:
1604
AC_CHECK_HEADERS([linux/if_pppox.h], [], [], [net/if.h
1605
netinet/if_ether.h])
1612
AC_CHECK_HEADERS([linux/if_pppox.h], [], [], [#include <net/if.h>
1613
#include <netinet/if_ether.h>])
1616
because the macro doesn't do the #include automatically.
1621
Nope, it's not ./configure...
1625
If it's not the configuration, then it's usually a problem with your specific
1630
- A new release of a supported OS.
1631
- An uncommon option/configuration of a supported OS.
1634
In other words, something is different from what we've seen or expected.
1637
Review the output from make. The error message will usually give you a
1638
Somewhat cryptic description of what's wrong and where. Look for messages
1639
about missing files. Post as much information as you can - do locates for
1640
the missing files, etc. The more you give us the less we will have to ask
1644
Remember, we can't see your box - all that the people on the list see is the
1645
information you give in your message.
1650
Compile dies because it's missing depcomp
1654
automake/autoconf issue. The problem should have been fixed. If not, just
1655
Copy the missing file (or make a symbolic link) into the ntop source
1659
It's in /usr/share/automake on my Linux boxes. Another user reports it is in
1660
/usr/local/share/automake in sun8.
1663
If you have automake installed, this will do it automatically:
1667
$ automake --add-missing --gnu -c
1672
Make fails with a message about being unable to create a .deps file.
1676
Check the permissions on the (hidden) .deps (and .libs) directories - if root
1677
owns them your non-root userid may not be able to create files in there.
1682
Make fails with a message about a missing .deps file
1686
Basically, it's a automake 1.5 bug, related to dependency tracking.
1689
If you don't have automake installed, you shouldn't see this problem.
1692
ntop requires automake 1.6+ - that dependency is EXPLICT in the Makefile.am!
1695
If you do have automake installed, it's possible to hit this problem -
1696
especially if it's one of those Linux distributions that have three versions
1697
of automake installed and a (broken) script that's supposed to figure out
1698
which version to actually run.
1701
Since we distribute ntop with scripts generated from 1.6.3, you would *think*
1702
they should work, regardless of what version of automake is installed.
1705
That's not the case. The problem occurs because automake gets invoked by
1706
./configure to copy the missing gnu files such as depcomp. If you have 1.5
1707
installed, it then remakes the plugins/Makefile as a 1.5 version, which
1711
The problem should be trapped and worked around, however, so report the
1712
problem to the list.
1717
Why is the .deps problem mostly happening under FreeBSD?
1721
Because the FreeBSD ports tree only has 1.5, but that's a FreeBSD ports
1722
problem, not ntop's. If you search the FreeBSD lists on Google, there's lots
1723
of traffic about a 1.6 version for FreeBSD, but it doesn't seem to be in the
1724
tree. What's there is:
1732
-- which does NOT work
1737
So how do I work around the problem?
1741
Install 1.6.3. It's quite easy, does NOT require root. The steps are listed
1742
in the ./configure message, repeated below:
1746
Download automake 1.6.3 from gnu
1747
$ wget http://ftp.gnu.org/gnu/automake/automake-1.6.3.tar.gz
1752
$ tar xfvz automake-1.6.3.tar.gz
1758
$ ./configure --prefix=/home/<whatever>/automake163
1764
Add it to your path (this is bash, but other shells, can do it too)
1768
$ PATH=/home/<whatever>automake163/bin:$PATH
1773
And then untar, ./configure and make ntop.
1778
Make fails with a message like this:
1781
/bin/ld: Warning: size of symbol `pcap_open_dead' changed from 100 to 67
1783
collect2: ld returned 1 exit status
1784
make[2]: *** [libntop.la] Error 1
1785
make[2]: Leaving directory `/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3'
1786
make[1]: *** [all-recursive] Error 1
1787
make[1]: Leaving directory `/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3'
1788
make: *** [all] Error 2
1792
Ah yes, size of symbol...changed. It means you have a conflict between
1793
the version of the shared library (be it libpcap, libgd, whatever) that
1794
was used to compile ntop with the version that was used to link ntop.
1803
If you break down a typical link line:
1807
gcc -shared address.lo ... ntop_darwin.lo
1808
-L/usr/local/include
1810
-L/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3/myrrd
1811
-lpthread -lresolv -lnsl -lz -lc -lssl
1812
-lcrypto -lgd -lpng -lpcap /usr/lib/libgdbm.so
1814
-Wl,-soname -Wl,libntop-2.2.3.so
1815
-o .libs/libntop-2.2.3.so
1818
You see the mix of -L and -l parameters. The -L parameters ADD
1819
additional places to look for the shared libraries, which are in
1820
addition to the 'standard locations' for the system. The -l
1821
parameters tell which libraries to include.
1824
Read the man pages (man ld, man ld.so, etc.)
1827
The 'standard locations' are very system dependent, but usually
1828
include /usr/lib and /lib. PLUS whatever is (under Linux) in the
1829
ld.so.conf file, for example
1833
$ cat /etc/ld.so.conf
1836
/usr/lib/qt-3.0.5/lib
1840
So, on this system, to resolve a library, ld looks in the -L values:
1844
1. /usr/local/include
1846
3. /linuxadmin/ntop/ntop2.2.3/ntop-2.2.3/myrrd
1850
And then the 'standard' places:
1854
4. /usr/kerberos/lib
1856
6. /usr/lib/qt-3.0.5/lib
1862
Similarly, if you break apart the gcc COMPILE line and scrap the dups,
1863
you'll have a different set of places where gcc looks for the .h files.
1864
For those, it's the -I parameters plus whatever is 'standard' on your
1865
system, which is dependent on the specific gcc port:
1868
/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -DLINUX
1871
-I. -I/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3/myrrd
1872
-I/usr/local/include
1873
-g -O2 -fPIC -g -O2 -c
1874
-Wshadow ... -Wnested-externs
1878
Again, read the gcc man page.
1881
A big problem is that - unlike .so files, it's not real clear what
1882
directories ARE searched for .h files, only that there is a set.
1885
With me so far? Go back to the message... what it means is that:
1889
* From one set of locations, at compile time, the size of
1890
the parameter list for pcap_open_dead was 100 bytes.
1891
* From the other set of locations, at link (ld) time, the
1892
library expects the parameter list to be of size 67.
1895
Danger, Will Robinson...
1898
The most likely cause of this problem is when you tell ntop to look at
1899
one location to resolve either the .h or .so and it finds the other,
1900
'automatically' in a 'standard' location, but the two are actually from
1901
incompatible versions.
1904
Say you have libpcap 0.6.2 installed by the os in /usr/lib and
1905
/usr/include, but you also install libpcap 0.7.2 in /usr/local/lib and
1912
/usr/local/include/pcap.h
1920
/usr/lib/libpcap.so.0
1922
/usr/lib/libpcap.so.0.6.2
1923
/usr/lib/libpcap.so.0.6
1924
/usr/local/lib/libpcap.so.0
1925
/usr/local/lib/libpcap.so
1926
/usr/local/lib/libpcap.so.0.7.2
1927
/usr/local/lib/libpcap.so.0.7
1930
If all you give ./configure is --with-pcap-header=/usr/local/lib
1934
* At compile time, it finds the pcap.h in /usr/local/lib (0.7.2)
1935
* At link time, it finds the libpcap.so in the 'default',
1936
/usr/lib/libpcap.so which is actually libpcap.so.0.6.2
1939
ntop did EXACTLY what you told it to do. The fact that it makes no
1940
sense is a problem, so you get the error message.
1945
So the real solution is?
1949
Give ntop pointers to consistent sets of header and library files, and maybe
1950
don't have multiple versions of the same library installed at once.
1955
I'm done compiling and it works/doesn't work, what do I do?
1959
make install (You'll typically need to be root for this to work)
1968
Yes. Run the "census" - this will send us an email telling us what's
1969
working and what's not working. The census sends me the basics - uname
1970
information, autotool versions, version.c. The domain name is blinded,
1971
and the script will show you the file before it's sent (you'll have 10
1972
seconds to press control-c to abort).
1975
If things work ok, then send the census information via
1982
If you have problems, the create the census information via
1989
Edit it to describe the problem and send it to census@ntopsupport.com
1994
I'm seeing a lot of "changing search order for system directory" messages?
1998
It's not a problem, just confusing. This warning, which appears if you
1999
redefine the system include directory, causes lots of confusion. Supposedly,
2000
according to this http://gcc.gnu.org/ml/gcc-bugs/2002-10/msg01080.html,
2001
it wasn't fixed in gcc 3.2.0, but should be fixed in gcc 3.2.1.
2004
According to this: http://gcc.gnu.org/onlinedocs/cpp/Invocation.html,
2005
it's truly harmless on systems which already have /usr/local/include as
2006
a standard system library:
2011
Add the directory dir to the list of directories to be searched for
2012
header files. See Search Path. Directories named by -I are searched
2013
before the standard system include directories. If the directory dir
2014
is a standard system include directory, the option is ignored to ensure
2015
that the default search order for system directories and the special
2016
treatment of system headers are not defeated (see System Headers) .
2018
<h2>Other ./configure features</h2>
2022
How do I update the Vendor Table (MAC address prefixes)?
2026
ntop has (in Makefile), a rule to automatically download the latest vendor
2027
information table from the IEEE, the oui.txt file ntop reads.
2030
If you are seeing unknown MAC address prefixes (the 1st three units), try
2031
the full IEEE table. To rebuild it:
2038
and then copy the new oui.txt over the one installed by ntop originally.
2041
Also note that the table changes over time - there are almost 600
2042
Modifications and/or new assignments between the version shipped with
2043
ntop 2.0 and the version on the IEEE site in February 2002.
2048
How do I update the passive ethernet fingerprint database?
2052
ntop has (in Makefile), a rule to automatically download the latest
2053
ettercap file from SourceForge:
2060
It will also compress the file and tell you how big the old and new files
2066
How do I update the IP to Country Code table?
2070
Again, ntop has (in Makefile), a rule to automatically download the
2071
latest data and build the file.
2078
Note that this is actually a fairly complex script (utils/p2c) and is
2079
dependent upon data posted to supposedly well known locations by the various
2080
internet number authorities (APNIC, RIPE, etc.)
2083
It's a LOT of data to download so don't do this on a site with a slow
2084
link to the internet. Also, read the output carefully and DO NOT apply a
2085
file if there are messages you don't understand.
2090
But the IP -> CC data is wrong.
2094
Yeah. Most people don't care :-(... it's enough to see various pretty
2098
Sadly, the registries often post files with errors in them. Some Tier
2099
1 ISPs post their own data to elaborate on the registry data. Most ISPs
2100
don't post data. Some entries in the files make 'logical' sense, but not
2104
If you find another set of data, let us know - the shell script is pretty
2105
easy to follow to add another data source.
2108
The user who used to care about this (Mr. Anon E. Mouse) used to send me
2109
a file of corrections to apply to the file we posted with ntop.
2112
If such a file exists, it would be posted @ SourceForge in the user
2115
<h2>Running - Startup</h2>
2119
ntop won't start - I get this message:
2122
** FATAL ERROR** ... open of /var/ntop/addressQueue.db failed:
2127
It's either permissions (the ntop -u userid doesn't have read/write access
2128
to that file - common if you're upgrading from 2.2 to 3.0).
2131
The other cause is that there's still an instance of ntop running. Make
2132
sure you shutdown ntop before starting it.
2137
What is the function of the 'ntop' script in the build directory - should I
2138
call it or /usr/local/bin/ntop ?
2142
(from the comments in the script):
2146
# ntop - temporary wrapper script for .libs/ntop
2147
# Generated by ltmain.sh - GNU libtool 1.4 (1.920 2001/04/24 23:26:18)
2149
# The ntop program cannot be directly executed until all the libtool
2150
# libraries that it depends on are installed.
2152
# This wrapper script should never be moved out of the build directory.
2153
# If it is, it will not operate correctly.
2156
It allows you to run ntop out of the build directory before doing a "make
2157
install" by doing all the necessary linkage magic - such as forcing a relink
2158
if it didn't succeed originally - to the files in .libs.
2161
Think of it as simulating make install, but not moving stuff to /usr/local
2165
Don't use it - it just causes problems...
2170
Which libraries do I need?
2174
To run ntop: glibc, gdbm, libpcap
2177
For https://, add openssl.
2178
For other tools and compile options, add the appropriate libraries.
2183
ntop seems to run, but the web server isn't up.
2187
Set the password - see docs/1STRUN.TXT
2192
How do you reset Admin password if we lost it?
2196
Delete ntop_pw.db and follow the procedure in docs/1STRUN.txt
2201
I'm being prompted to set a password, what do I enter.
2205
Anything you want, of 5 or more characters. If ntop can't find the value
2206
in it's database, it will prompt you to set on. If this happens every
2207
time you start ntop, check the permissions on the ntop_pw.db file.
2212
How does the @filename option work e.g. /usr/bin/ntop ... @filename ...
2216
The text of 'filename', is copied - ignoring line breaks and
2217
comments (anything following a #) - into the command line.
2220
ntop behaves as if all of the text had simply been typed directly
2221
on the command line. Multiple @s are permitted in the command
2222
line, nesting is not. @s in the file will cause an error.
2225
Both are displayed on the info.html report, the "Started as"
2226
shows the actual command line ntop was given and the
2227
"Resolved to" shows what ntop processed.
2230
Started as /usr/bin/ntop -i eth0,eth1 @/root/ntop_parms -d -L
2233
with /root/ntop_parms containing:
2237
-p /usr/share/ntop/protocol.list
2239
-w 192.168.42.38:3000
2240
# -W 192.168.42.38:3001
2243
-m 12.239.0.0/16,10.113.0.0/16
2251
Resolved to /usr/bin/ntop -i eth0,eth1 -p /usr/share/ntop/protocol.list
2254
-P /usr/share/ntop -w 192.168.42.38 -u ntop --trace-level 3
2255
-m 12.239.0.0/16,10.113.0.0/16 -E -K -d -L
2258
Remember, most ntop options are "sticky", that is they just set an
2259
internal flag. Invoking them multiple times doesn't change ntop's
2260
behavior. However, options that set a value, such as --trace-level,
2261
will use the LAST value given: --trace-level 2 --trace-level 3 will
2262
run as --trace-level 3.
2265
It is recommended that you use FULL pathnames for @filename, since
2266
ntop may have different effective directories when run in different
2267
ways. However, you may wish to use relative pathnames to take
2268
advantage of the different effective directories (say cron vs.
2269
command line). Just know where you're starting.
2274
ntop seems to run but I don't see any traffic.
2278
Make sure you aren't running against the loopback (127.0.0.1) interface.
2279
lo shouldn't see much traffic, only that originating on the host destined
2280
for it (e.g. ping 127.0.0.1).
2285
ntop is unable to open its database file. Specifically:
2286
I have following messages while running ntop
2290
wait please: ntop is coming up...
2291
24/Jul/2003 15:15:23 Initializing IP services...
2293
24/Jul/2003 15:15:23 Initializing GDBM...
2294
24/Jul/2003 15:15:23 Database '/var/ntop/addressCache.db' open failed: File
2296
24/Jul/2003 15:15:23 Possible solution: please use '-P <directory>'
2300
Multiple possible choices...
2303
1. The directory /var/ntop doesn't exist. Create it or, as the message
2304
says, use the -P parameter to point ntop at another directory.
2305
2. You many not have read/write rights in /var/ntop - if you're running in
2306
non-promiscuous mode from a user other than root.
2307
3. Another instance of ntop may already be running, so it has the file open
2313
What's inside the .db files and what's their format?
2317
The files are stored in GDBM format. You can dump their content using tools like
2318
this: http://tboudet.free.fr/dumpgdbm/. In principle you should not be
2319
interested in the file content as they are temporary caches and contain the
2320
configuration as well as the MD5 hash of the web passwords.
2323
I posted a trivial dumpgdbm.c to gmane - search for it.
2328
ntop starts up with this:
2329
WARNING: Discarded network 172.20.0.0/16: this is the local network.
2333
No worries. The message means exactly what it says - it's a warning that
2334
you gave the local network as one of the parameter(s) to -m. Since the
2335
local networks are always local, ntop doesn't need to make them pseudo-local.
2340
What are ntop's options?
2344
There are a couple of options that appear only if they're not compiled in,
2345
and a few that depend on various external libraries, e.g. openSSL.
2348
The best way to see what is actually available is to run ntop with the -h or
2349
--help options and see. Also read man ntop.
2352
Here is the FULL set of real, working options as of February 2004
2357
Use IPv4 connections (for the ntop web server)
2359
Use IPv6 connections (for the ntop web server)
2363
-a <file> | --access-log-file <file>
2364
File for ntop web server access log
2368
-b | --disable-decoders
2369
Disable protocol decoders
2374
Idle hosts are not purged from memory
2379
Run ntop in daemon mode
2383
-e <number> | --max-table-rows <number>
2384
Maximum number of table rows to report
2388
-f <file> | --traffic-dump-file <file>
2389
Traffic dump file (see tcpdump)
2393
-g | --track-local-hosts
2394
Track only local hosts
2399
Display help and exit
2403
-i <name> | --interface <name>
2404
Interface name or names to monitor
2408
-j | --create-other-packets
2409
Create file ntop-other-pkts.XXX.pcap file
2414
ntop will trust just IP addresses (no MACs)
2418
-k | --filter-expression-in-extra-frame
2419
Show kernel filter expression in extra frame
2423
-l <path> | --pcap-log <path>
2424
Dump packets captured to a file (debug only!)
2428
-m <addresses> | --local-subnets <addresses>
2429
Local subnetwork(s) (see man page)
2433
-n | --numeric-ip-addresses
2434
Numeric IP addresses - no DNS resolution
2438
-p <list> | --protocols <list>
2439
List of IP protocols to monitor (see man page)
2443
-q | --create-suspicious-packets
2444
Create file ntop-suspicious-pkts.XXX.pcap file
2448
-r <number> | --refresh-time <number>
2449
Refresh time in seconds, default is 120
2453
-s | --no-promiscuous
2454
Disable promiscuous mode
2458
-t <number> | --trace-level <number>
2463
-u <user> | --user <user>
2464
Userid/name to run ntop under (see man page)
2468
-x <max num hash entries>
2469
Max num. hash entries ntop can handle (default 4294967295)
2473
-w <port> | --http-server <port>
2474
Web server (http:) port (or address:port) to listen on
2478
-z | --disable-sessions
2479
Disable TCP session tracking
2484
Ask admin user password and exit
2488
--set-admin-password=<pass>
2489
Set password for the admin user to <pass>
2494
Add extra headers to make better html
2498
-B <filter> | --filter-expression
2499
Packet filter expression, like tcpdump
2503
-D <name> | --domain <name>
2504
Internet domain name
2508
-F <spec> | --flow-spec <specs>
2509
Flow specs (see man page)
2519
Do logging via syslog
2523
--use-syslog=<facility>
2524
Do logging via syslog, facility ('=' is REQUIRED)
2528
-M | --no-interface-merge
2529
Don't merge network interfaces (see man page)
2534
Map file providing map of WWN to FCID/VSAN
2538
-O <path> | --pcap-file-path <path>
2539
Path for log files in pcap format
2543
-P <path> | --db-file-path <path>
2544
Path for ntop internal database files
2548
-U <URL> | --mapper <URL>
2549
URL (mapper.pl) for displaying host location
2554
Output version information and exit
2558
-X <max num TCP sessions>
2559
Max num. TCP sessions ntop can handle (default 4294967295)
2563
-W <port> | --https-server <port>
2564
Web server (https:) port (or address:port) to listen on
2568
--disable-instantsessionpurge
2569
Disable instant FIN session purge
2573
--disable-mutexextrainfo
2574
Disable extra mutex info
2578
--disable-schedyield
2579
Turn off sched_yield() calls, if ntop is deadlocking on them
2584
Capture packets even if there's no memory left
2589
Display only Fibre Channel statistics
2594
Disable processing & Display of Fibre Channel
2599
Don't display Invalid LUN information
2604
Set return value for p3p compact policy, header
2609
Set return value for p3p policyref header
2613
--set-pcap-nonblocking
2614
Call pcap_setnonblock
2618
--skip-version-check
2619
Skip ntop version check
2624
Use ssl watchdog (NS6 problem)
2633
The default for the ntop web server is to connect to any address and any family
2634
of addresses, so if the NIC has both IPv4 and IPv6 addresses it should respond
2635
to both. Use these to restrict the web server.
2644
The settings 0..4 control the amount of information logged or displayed.
2645
5 adds a [MSGIDnnnn] field and 6 adds the file:line where the message originated.
2646
-t 5 can be useful with a log watch type package, -t 6 is mostly for debugging.
2652
[MSGID8757584] OSFP: scanFingerprintLoop() checked 1, resolved 1
2658
[MSGID8757584] [ntop:698] OSFP: scanFingerprintLoop() checked 1, resolved 1
2663
ntop starts up find and then seems to die.
2667
Are the ntop threads still there? Use ps to check, for example:
2668
# ps -C ntop -m -o "uid,pid,ppid,stat,time,command"
2672
UID PID PPID STAT TIME COMMAND
2673
501 18327 1 S 00:00:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2674
501 18330 18327 S 00:00:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2675
501 18331 18330 S 00:00:05 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2676
501 18332 18330 S 00:00:45 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2677
501 18333 18330 S 00:00:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2678
501 18334 18330 S 00:00:06 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2679
501 18335 18330 S 00:00:00 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2680
501 18336 18330 R 00:00:32 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2681
501 18337 18330 S 00:00:41 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...
2684
The 'PID' numbers match the THREADMGMT: numbers in the log:
2688
ntop[18326]: INIT: Parent process is exiting (this is normal)
2689
^^^^^ is the thread that issued the message
2693
ntop[18327]: INIT: Bye bye: I'm becoming a daemon...
2694
(18327 is the 'master' thread created as ntop becomes a daemon)
2698
ntop[18327]: THREADMGMT: Started thread (16386) for network packet analyser
2699
A message is issued for each thread started.
2700
^^^^^ is the 'internal' thread #.
2702
ntop[18331]: THREADMGMT: Packet processor thread running...
2703
^^^^^ is the child thread. Each one issues a message as it starts up
2707
ntop[18327]: THREADMGMT: Started thread (32771) for idle hosts detection
2708
ntop[18332]: THREADMGMT: Idle host scan thread running...
2709
ntop[18327]: THREADMGMT: Started thread (49156) for DNS address resolution
2710
ntop[18333]: THREADMGMT: Address resolution thread running...
2711
ntop[18334]: THREADMGMT: rrd thread (65541) started
2712
ntop[18327]: THREADMGMT: Started thread (81926) for web server
2713
ntop[18335]: THREADMGMT: web connections thread (18335) started...
2714
ntop[18327]: THREADMGMT: Started thread (98311) for network packet sniffing on eth1
2715
ntop[18336]: THREADMGMT: pcap dispatch thread running...
2716
ntop[18327]: THREADMGMT: Started thread (114696) for network packet sniffing on eth2
2717
ntop[18337]: THREADMGMT: pcap dispatch thread running...
2724
UID PID PPID STAT TIME is
2725
501 18327 1 S 00:00:00 Master
2726
501 18330 18327 S 00:00:00 (internal used by POSIX)
2727
501 18331 18330 S 00:00:05 Packet processor
2728
501 18332 18330 S 00:00:45 Idle Host Scan
2729
501 18333 18330 S 00:00:00 Address Resolution
2730
501 18334 18330 S 00:00:06 rrd
2731
501 18335 18330 S 00:00:00 Web Server
2732
501 18336 18330 R 00:00:32 eth1
2733
501 18337 18330 S 00:00:41 eth2
2735
If you connect to the running ntop via gdb, you can see this:
2738
$ gdb /usr/bin/ntop 18327
2742
^^^^^^^^^^^^ Shows all the threads and their current state
2746
9 Thread 114696 (LWP 18337) 0x40255c68 in recvfrom () from
2747
/lib/i686/libpthread.so.0
2748
8 Thread 98311 (LWP 18336) 0x40255c68 in recvfrom () from
2749
/lib/i686/libpthread.so.0
2750
7 Thread 81926 (LWP 18335) 0x420dcc31 in select () from
2752
6 Thread 65541 (LWP 18334) 0x420b0226 in nanosleep () from
2754
5 Thread 49156 (LWP 18333) 0x40252a35 in __pthread_sigsuspend ()
2755
from /lib/i686/libpthread.so.0
2756
4 Thread 32771 (LWP 18332) 0x420b0226 in nanosleep () from
2758
3 Thread 16386 (LWP 18331) 0x40252a35 in __pthread_sigsuspend ()
2759
from /lib/i686/libpthread.so.0
2760
2 Thread 32769 (LWP 18330) 0x420db1a7 in poll () from
2762
1 Thread 16384 (LWP 18327) 0x420b0226 in nanosleep () from
2769
^^^^^^^^ switch to thread 2 and see it's state
2772
[Switching to thread 2 (Thread 32769 (LWP 18330))]#0 0x420db1a7 in
2775
poll () from /lib/i686/libc.so.6
2781
^^^^^^^^^^ check the call stack
2784
#0 0x420db1a7 in poll () from /lib/i686/libc.so.6
2785
#1 0x4024f9de in __pthread_manager () from /lib/i686/libpthread.so.0
2788
^^^^^^^^^^^^^^^^^ running __pthread_manager
2793
All the threads seem to be running ok.
2797
Check if there's one that looks like this:
2801
4 Thread 32771 (LWP 27295) 0x420cd207 in sched_yield () from
2805
Let ntop run a few more seconds (cont command), then check again.
2808
If it's frozen in the sched_yield, you're probably tripping a deadlock
2809
situation that we've seen but don't understand - There's a lot of
2810
stuff on the 'net, including what seems to be the same problem with
2811
other resource intensive tools but no clear answers.
2814
This happens most often on RedHat Linux 8.0 (9 uses a different
2815
threading library and the issue hasn't been reported there).
2818
Regardless, if you see the deadlock or just have a hung ntop, there is a
2819
run time option to try: --disable-schedyield. This option disables the
2820
calls at a slight penalty to ntop's interactivness. If you're experiencing
2821
the deadlocks, try it.
2824
And, especially if you're running something other than RedHat 8, please
2825
let the ntop-dev list know about it.
2830
But what about SQL and mySQL
2834
Removed in 2.1.50+ versions - use rrd
2839
But I really, really, need the data in an sql database.
2843
If you are only interested in saving your netflow data in MySQL, use the
2844
script ntop/NetFlow/netFlowClient.pl (netflow v5). With few additional lines
2845
you could save your data in flat files, forward the netflow data or whatever.
2848
What this script does it set itself up as a netflow collector and sql
2849
inserter. The main loop just accepts a netflow packet and inserts the flow(s)
2853
To use this with a single instance of ntop, just set ntop up as a netflow
2854
sender, directed at the script (e.g. 127.0.0.1 on any port you like).
2855
Configure the script with the port # and run it.
2858
The same idea would work with sFlow, you would just have to change the packet
2859
decoding part of the script.
2863
Q: How does ntop use lsof? nmap?
2867
ntop no longer uses these external tools.
2870
OS fingerprinting was replaced by ettercap.
2873
If you need lsof data, you should ssh to the host and run it locally (this
2874
allows the sysadmin to put appropriate security on lsof).
2879
Can I set the admin password from a script?
2883
Yes, you can call ntop with the option:
2886
ntop --set-admin-password=password
2891
What's this warning about ownership?
2895
The first time you run make install and ntop creates a new
2896
directory for ntop's files, there's a problem. So you'll
2897
see this warning box:
2901
************************************************************
2902
************************************************************
2906
WARNING: This install created a directory for the ntop
2907
files and databases:
2915
This directory MUST be owned by the user
2916
which you are going to use to run ntop.
2920
The command you must issue is something like:
2924
chown -R ntop.ntop <directory>
2925
or chown -R ntop:users <directory>
2929
man chown to check the syntax for YOUR system
2933
************************************************************
2934
************************************************************
2937
Since root created the directory, root is the owner. And since we don't
2938
know - yet - what user ntop is going to be run as, we can't issue the
2939
chown (CHange OWNership) command for you.
2944
And if I don't do this?
2948
ntop won't run. Typically you get a message about a bad -P file or
2949
endless prompts for the admin password.
2954
I can't merge interfaces (-M option)?
2958
Check your plugins and see if either netFlow or sFlow is active.
2959
Regardless of whether you're using them, if they're active, they
2960
(silently) force the -M switch on.
2969
-u root means that you are running ntop as root. It means you don't drop
2970
root's superuser privledges, so pretty much you can read/write any file.
2971
It's not a good idea. While we're not aware of any security problems with
2972
ntop, programs that run as root are targets.
2975
-u ntop (or -u whatever) means you run as a normal user and can be assigned
2976
only the privledges necessary to run ntop. It also means you can only read/
2977
write files as ntop. So less is exposed.
2980
For even better security, the -u userid should not have a valid shell, so
2981
people can't use it to login.
2986
What are the options that reduce ntop's workload?
2990
These options turn off certain processing (and thus limit ntop's
2991
functionality), and may be appropriate for high volume installations.
2994
-b | --disable-decoders
2998
This flag disables protocol decoders. Use it for better performance
2999
or if you feel ntop has problems handling these protocols in your
3004
This switch disables code in a number of places throughout ntop, code
3005
which analyzes specific protocols, but can place additional load on the
3006
host. This switch could be used to run ntop on low-end CPUs or where
3007
ntop is acting as a collector (netFlow or sFlow) and the GUI is not
3012
Disabled is the analysis of:
3016
DNS Sniffing - where ntop captures DNS information from other hosts'
3017
requests to reduce the # of DNS requests ntop must -
3024
AppleTalk -- resource intensive protocol analysis of less
3025
bootp/dhcp / common protocols.
3030
http (80) - Request success/failure counting on port 80 and other
3031
analysis, including "Virtual Host".
3035
ftp passive session tracking.
3039
"Wrong Port" monitoring for: http, ftp and smtp (used with the
3040
-q | --create-suspicious-packets option to dump "suspicious"
3041
packets to an analysis file) With this option, ntop checks
3042
the payload for each new connection, looking for text usually
3043
present in http, ftp or smtp requests. If these are not on the
3044
"normal" ports (http's 80, ntop's 3000 or squid's 3128, ftp's
3045
21 or smtp's 25) (or there is a non-ftp or smtp request on the
3046
standard ports), the packet is logged.
3049
-g | --track-local-hosts
3053
Use this flag to tell ntop that you care only about local hosts (use
3054
-m | -- local-subnets to specify local nets). This flag is useful when
3055
ntop sees many hosts (e.g. border gateway) but only the local ones need
3060
This switch disables code in a number of places throughout ntop, code
3061
which allows ntop to track "foreign" hosts (that is ones not local
3062
according to the IP address(es) of ntop's interfaces or set pseudo-local
3063
by -m | -- local-subnets).
3067
Basically, ntop doesn't bother to do DNS resolution on these addresses
3068
and, for purposes of various counts, uses the "other" bucket instead of
3069
creating a unique hash table bucket for the specific host.
3073
This switch could be used to run ntop on low-end CPUs or where ntop is
3074
acting as a collector (netFlow or sFlow) and the GUI is not required.
3081
Specifies that ntop should not trust MAC addresses but just IP addresses.
3082
This option is useful whenever ntop is started on an interface where MAC
3083
(Media Access Controller - the low-level Ethernet address) addresses can
3084
not really be trusted (e.g. port/VLAN mirror in Switched Ethernet
3089
Certain processing is performed differently:
3093
Hash search is via IP not MAC
3097
Certain capabilities are disabled:
3101
Analysis of bootp/dhcp requests
3102
localRoutersList.html report
3103
Wrong net mask log message and flag
3104
Analysis of non-tcp/udp protocols like NetWare and Spanning Tree
3105
Router listing on Host Detailed report.
3106
Traffic Matrix report
3110
(Note that this list is subject to change as we learn more about protocols
3111
that do/do not depend on the MAC address)
3115
See also -z | --disable-sessions
3118
-z | --disable-sessions
3122
This flag disables tcp session tracking. Use it for better performance or
3123
when you don't really need the tracking of sessions.
3127
Also, in situations where the MAC addresses cannot be trusted, ntop may
3128
- or may not - be able to accurately track tcp sessions. There is no easy
3129
way to tell, so this switch puts control back into the users' hands.
3133
In versions after 2.0 up to & including 2.1.2, the -j |
3134
--border-sniffer-mode flag (predecessor of -o | --no-mac) always turned
3135
this off. Many users wanted to try turning session tracking back on, and
3136
did via code patches with mixed results.
3140
Suggested usage: If you enable -o | --no-mac, try running ntop with
3141
sessions enabled. If the data looks reasonable, congratulations - your
3142
network allows session tracking. If the data does not look reasonable,
3143
then you will also need to disable session tracking with this switch.
3148
-s | --no-promiscuous doesn't work
3152
It should work - it's passed to pcap_open_live. Understand that it does mean
3153
ntop sees a lot less comprehensive view of the traffic. You won't see
3154
anything different unless you do an ifconfig on the interface. Note that
3155
while the parameter specifies if the interface is to be put into promiscuous
3156
mode, even if this parameter is false, the interface could well be in
3157
promiscuous mode for some other reason.
3160
If it fails, you'll see a message and ntop will refuse to startup
3165
How does -m | --local-subnets work?
3169
This flag allows users to specify the subnets whose traffic is considered
3170
local (called "pseudoLocal" internally).
3176
<network address>/<# subnet mask bits>[,<network address>/<# subnet
3180
For instance "131.114.21.0/24,10.0.0.0/255.0.0.0".
3185
(followup) but what does it MEAN?
3189
Surprisingly, it means EXACTLY what it says. Treat traffic on the listed
3193
-m relates to the traffic you see on the wire at the TCP/IP level.
3194
-m tells ntop something it can't determine by itself. And that is to
3195
treat a range of addresses EXACTLY like it was local.
3198
For example, on my Cable Modem, I see broadcasts for a number of subnets
3199
that AT&T (now Comcast) has assigned to this area (I don't see the
3200
traffic just the broadcasts).
3203
If you have VLANs or simply network overlays (two or more networks on the
3204
same wire, but with separate address spaces). etc.
3207
Those are the cases where you use -m. To tell ntop to treat that traffic
3216
A ntop differentiates between local traffic and remote traffic. There are
3217
actually four classes (although only three are routinely reported) L->L L->R
3218
R->L and R->R. Some additional processing is done and some additional
3219
reporting is available for L traffic.
3224
I'm confused. Explain, please!
3228
Suppose your IP is 1.2.3.4 with a 255.255.255.0 netmask (a/k/a 1.2.3.4/24)
3231
Under the TCP/IP protocol, traffic with any address 1.2.3.1 -> 1.2.3.254 does
3232
not get routed. It's "local".
3235
Your buddy is at 1.2.3.9 and the router is 1.2.3.1, so your network looks
3240
world-----+ Router +--1.2.3.1--------------------------------------
3241
+dog +--------+ | 1.2.3.4 | 1.2.3.9
3244
+--------+ +--------+
3246
+--------+ +--------+
3249
Say you send a packet to your buddy at 1.2.3.9. You build a packet with
3250
SRC=1.2.3.4 DST=1.2.3.9 and your data and cast it out the wire. (For
3251
purposes of this illustration, ignore the fact the your TCP stack would
3252
recognize the "local" nature of the packet and actually use another, lower
3253
level protocol, called Ethernet to deliver it.)
3256
The router (1.2.3.1) looks at it, does the math and ignores it - it's local
3257
Your buddy (1.2.3.9) looks at it, says - gee, that's me and reads it
3260
This is L->L traffic.
3263
Now you send a packet to ntop.org at 131.114.21.9. Again, SRC=1.2.3.4 and
3264
Now DST=131.114.21.9.
3267
The router (1.2.3.1) looks at it, does the math and says - oops, I have to
3268
send it out to the world. Your buddy (1.2.3.9) looks at it, says - gee that's
3269
NOT me and ignores it
3272
This is L->R traffic.
3275
Now it's perfectly possible to have multiple (physical) networks on the same
3276
physical wire. Say that your ISP chooses to put 1.2.4.1-1.2.4.254
3277
(1.2.4.0/24) on the same wire. (Why would they do this? - maybe it's a big
3278
pipe and only a few users or whatever).
3281
A packet from 1.2.4.4 -> 1.2.4.9 is seen by
3284
The router - no, that too is local, ignore it
3285
You (1.2.3.4): (1.2.4.9) - not me - ignore it
3286
Buddy (1.2.3.9) - um... 1.2.4.9 - not me - ignore it
3289
And that's perfectly legal.
3292
But what if you are the ISP and you want ntop to see ALL the traffic on that
3293
wire? ntop will figure out from it's own IP address that the 1.2.3.0/24
3294
traffic is local, but it will classify the 1.2.4.0/24 as REMOTE.
3297
And that is what the --local-subnets switch does. It tells ntop to treat
3298
that 1.2.4.0/24 traffic as local.
3301
If there isn't any other traffic on the wire, then telling ntop to treat it
3302
as local won't change a thing.
3305
You can always use a packet sniffer, such as tcpdump to scan the traffic on
3306
the wire and see what's really there...
3315
ntop is designed as a hybrid packet analyzer, not a pure Ethernet analyzer
3316
(layer 2) nor a pure TCP/IP analyzer (layer 3). Most of ntop's displayed
3317
counts are at the TCP/IP level, and that's what confuses people. Internally,
3318
ntop works both at the level of the Ethernet frame and the TCP/IP packet.
3321
A single MAC address can be associated with multiple TCP/IP addresses. The
3322
MAC address -- unless something is horribly wrong on the network or with the
3323
hardware or somebody is deliberately spoofing it -- is guaranteed to be
3324
unique and refers to a physical host or network interface. For many reports,
3325
ntop displays the information using the MAC address to separate physical
3326
devices. Other data is accumulated and displayed at the TCP/IP (level 3)
3330
-m relates to the traffic you see on the wire at the TCP/IP level.
3331
-m tells ntop something it can't determine by itself. And that is to treat
3332
that range of addresses EXACTLY like it was local.
3335
For example, on my Cable Modem, I see broadcasts for a number of subnets
3336
that AT&T has assigned to this area (I don't see the traffic, but you get
3337
the picture) in an overlay structure (two or more networks on the
3338
same wire, but with separate address spaces).
3343
What about multicast traffic?
3347
Multicast traffic uses the 224.0.0.0/4 address range (that is all addresses
3348
between 224.0.0.0 and 239.255.255.255 - see RFC 1112). By default then,
3349
all multicast traffic is treated as 'Remote' by ntop.
3352
Your actual network topology may be such that multicast traffic could
3353
all be local, all be remote or a mixture. You can use the -m |
3354
--local-subnets parameter to force some (or all) multicast groups
3355
to be counted as 'Local' traffic.
3364
VLAN traffic is also a special case. ntop treats all traffic within your
3365
machine's netmask definition as 'Local'. For instance, you may have a /16
3366
network (netmask of 255.255.0.0), and you are using VLANs to distribute
3367
the traffic. In this case ntop will see the a.b.c.d/16 address and classify
3368
all traffic within this /16 network as 'Local'.
3371
Don't design your network that way.
3383
Use an un-numbered interface, so that ntop doesn't assign any implicit
3384
'Local' addresses. Then use the -m | --local-subnets parameter to
3385
define what is truly 'Local'. As long as there aren't too many
3386
'Local' networks, this should work. I run something sort of like this
3387
(but using /24s not subdividing a /16) for my development network.
3392
What are the default protocols ntop monitors?
3396
(These are the ones ntop monitors if the user does not supply a -p parameter)
3397
Check addDefaultProtocols() in ntop.c around line 520.
3398
The current list (August 2003) is
3408
HTTP http www https 3128 /* 3128 is HTTP cache */
3411
NBios-IP netbios-ns netbios-dgm netbios-ssn
3412
Mail pop-2 pop-3 pop3 kpop smtp imap imap2
3416
NFS mount pcnfs bwnfs nfsd nfsd-status
3419
Gnutella 6346 6347 6348
3423
Messenger 1863 5000 5001 5190-5193
3426
Note that the names come from /etc/services (or your system's equivalent).
3427
If you add protocols to /etc/services, you can refer to them by name on the
3431
The list changes over time as P2P protocols appear and disappear. Check the
3432
cvs and diff ntop.c (around line 550 in void addDefaultProtocols() if you
3438
What about protocol XYZZY?
3442
The analysis of protocols is very limited and unsophisticated. But,
3443
theoretically, if it's there in plain text, we could report on it.
3444
The more work you can do up front in identifying the protocol (e.g. port #s,
3445
header structure, etc.), the easier it would be to add.
3450
How can I run ntop without being root?
3454
A very simple way of doing this is:
3462
This makes ntop read-only for everyone and sets the setuid and setguid bits.
3465
Do not forget to use the -u flag so that ntop changes user as soon as it
3469
Understand that setting the Setuid and Setguid bits allows ANY user to run
3470
ntop and it will run with ROOT privileges. This is very powerful, and often
3471
a source of security exposure - many system hardening scripts and
3472
recommendations tell you to look for and remove the setuid and setguid bits.
3475
DO NOT suid UNLESS YOU UNDERSTAND THE RISKS!
3478
REPEAT: DO NOT DO THIS, IT IS A BAD IDEA!
3481
Also, there are unconfirmed reports of this method problems, causing a
3484
"socket: operation not permitted"
3485
message. Probably related to something in the OS checking for real root
3486
not suid to open the interface in promiscuous mode.
3491
I am using a /16 (/25 or whatever) mask and I get this message:
3494
Truncated network size to 1024 hosts (real netmask 255.255.255.0)
3498
Yes. ntop limits each network to 1024 hosts (a /24). If you need more, alter
3499
the #define for MAX_SUBNET_HOSTS in globals-defines.h and recompile. Space
3500
has to be reserved for this many hosts for each network, so the limit exists
3501
to keep memory usage from growing to absurd levels on people with "class A"
3502
(/8) interfaces (e.g. 10. or Cable Modems, etc.).
3504
<h2>Running - On-going</h2>
3508
Explain L and R - why doesn't ntop double count?
3512
Classification is all based on what ntop SEES in the packets. ntop sees
3513
packets and ONLY packets. Packets have a FROM and a TO address. Which
3514
packets ntop sees is determined by the interfaces it is monitoring.
3517
Traffic (packets) is classified based on the joint classification of the
3518
FROM address (L or R) and the TO address (L or R).
3521
Only in L->L traffic will ntop see sent=rcvd and 'double count'.
3525
Host: 192.168.1.x www.yahoo.com
3528
192.168.1.x>www.yahoo.com
3529
HTTP GET ... 30 . . . . . . 30
3533
www.yahoo.com>192.168.1.x
3534
HTTP 200 . . . 8 8 . . .
3538
www.yahoo.com>192.168.1.x . . .200 200 . . .
3548
Why does ntop use so much memory ?
3552
ntop holds a lot of information about each host it has seen in an in-memory
3553
table. Periodically, it looks at all the entries in the table and flushes any
3554
which have been idle for a period of time.
3557
You can change the sizing of the table and the flushing interval via #define
3558
statements in globals-defines.h.
3561
But realistically, ntop needs enough memory to hold information about what's
3562
active on YOUR network.
3565
To reduce memory, monitor fewer protocols or use the filter (-B "bpf filter")
3566
option to monitor only parts of the network.
3569
There have been a couple of discussions on the ntop mailing list about ntop's
3570
memory usage - you might read them (search on gmane).
3575
So ntop's memory usage is dependent upon?
3579
ntop's memory usage for host tables depends on the # of hosts it sees in
3580
packet traffic. This is NOT, repeat NOT controllable by ntop in ANY way.
3581
If a user kicks off a port scan, 100s of hosts appear. If somebody does a
3582
DOS attack against you, 1000s of hosts 'appear'. If a user searches Kazza
3583
for an obscure song, it can probe 4K hosts. etc.
3586
Lots of those hosts appear, have a few bytes of traffic and then disappear.
3587
Each host has a variable amount of memory - there's a base structure, some
3588
optional counter structures and a large # of pointer fields, which may or
3589
may not be valued for any given host. It depends on the # of active
3590
sessions and a lot of other things, but 8-20K is a good guess - I usually
3591
use 12K as an guestimating size. Similarly, sessions may appear and
3592
disappear (http: opens a lot, does a small retrieval and closes them), ssh
3593
may last for days. etc. Memory is consumed tracking them too.
3598
So what does the purge do?
3602
ntop purges idle hosts. Period.
3605
Idle being defined as having not had packet traffic for a #define able
3606
period, 5 minutes by default.
3609
Because of the amount of linked data, these purges take time (lots of
3610
free() calls on all those char* values), so we don't purge in 'real time'.
3611
First we build a list of idle hosts, then we purge from that list.
3612
Any idle host is eligible for purge (unless you tell ntop not to purge idle
3613
hosts, which is usable only on small networks).
3616
Over time, all idle hosts are purged. Only to be perturbed by the
3617
next burst of activity - say a port scan or everybody logging in back
3618
in after lunch. Eventually, there's some form of steady state, but it's
3619
HIGHLY dependent upon network activity. Which, remember, is external to
3620
ntop and can't be predicted.
3629
Think about the overhead of sorting this huge structure by 'last packet
3630
seen time'. 1GB of ram is something like 80K+ hosts and takes a long
3631
time to sort (let alone free). During which time, on that busy network,
3632
a couple of dozen packets are processed... Meaning maybe your list of idle
3638
So how about a hard memory limit?
3642
There's no way to make a hard limit without purging ACTIVE hosts (or
3643
non-IDLE given ntop's definition of idle).
3646
Think about it ... you're at that 1GB limit and you find a new host.
3647
Do you kick off an interim purge (with it's huge overhead?) And wait
3648
2 or 3 s for an available slot?? While 1000s of other packets appear??
3657
It might, might, be possible as a soft limit - but it's got a lot of
3661
First off, tracking memory usage of the hosts tables is itself a huge
3662
job. There are multiple places were stuff is purged, added to the
3663
structures as pointers, etc. and there's a queue of purged entries
3664
for reuse to cut down on the malloc() calls.
3667
Secondly, the purge is resource intensive, and has been the cause of
3668
deadlocks before - you don't dare lock the structures for too long -
3669
packets keep arriving, and FAST on the busy network that has the memory
3670
issues in the first place. Since you can't lock for long, you can only
3671
purge a small # of entries.
3676
Why does ntop drop packets?
3680
Short Answer: You need a faster processor. Maybe.
3684
Long Answer: There are four places packets drop "in" ntop. One in
3685
the NIC, one in the OS kernel, one in the libpcap library and one
3689
First off, this is largely NOT controlled by ntop. It's inside the network
3690
card, the network card driver and libpcap. All ntop does is use the stats
3691
provided by libpcap, pcap_stats:
3695
"int pcap_stats() returns 0 and fills in a pcap_stat struct. The
3696
values represent packet statistics from the start of the run to
3697
the time of the call. If there is an error or the under lying
3698
packet capture doesn't support packet statistics, -1 is returned
3699
and the error text can be obtained with pcap_perror() or
3703
to get the value and reports it in report.con the Stats | Traffic
3704
page, some in the configuration report (info.html) and also on
3705
the problem report skeleton.
3708
The information on the Stats | Traffic page is simply the best available.
3709
However, this data is not always easy to obtain nor interpret.
3712
It looks great, but the reality is that the stats provided by libpcap
3722
The network card (NIC) reads packets from the wire into a small buffer.
3723
That buffer is emptied by the OS into it's own buffers which are then
3724
passed to libpcap. libpcap filters the packets (if requested) and
3725
passes the packets to ntop.
3728
Packets may be dropped at any or all of these stages, even on a system
3729
that does not appear to be exceptionally busy.
3734
How can packets be lost in the NIC?
3738
A NIC has a small buffer - modern cards have 8K, 12K, even more buffer
3739
space. But if traffic comes in off the wire faster than the processes
3740
are pulling it out of the NIC, well that buffer gets over-written and
3741
packets get dropped.
3744
Every time a packet comes in (or on some newer cards after a few packets
3745
are recevied), the NIC interrupts the processor (CPU) to tell it to do
3746
something. This isn't a problem - some NICs with larger buffers
3747
internally queuing a number of packets before interrupting the OS to
3751
Check ifconfig for this:
3755
eth0 Link encap:Ethernet HWaddr 00:D0:09:77:85:B9
3756
inet addr:192.168.42.6 Bcast:192.168.42.255 Mask:255.255.255.0
3757
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
3758
RX packets:3892397 errors:30 dropped:0 overruns:0 frame:33
3760
TX packets:473009 errors:0 dropped:0 overruns:0 carrier:0
3762
collisions:1073 txqueuelen:100
3763
RX bytes:2606704447 (2485.9 Mb) TX bytes:70474880 (67.2 Mb)
3764
Interrupt:11 Base address:0xc000
3767
Now, if it's an occasional burst, losing 1 or 2 packets won't kill
3768
you. TCP/IP recovers. And ntop's statistics aren't life-critical.
3769
If, however, it's continuous, on-going and the count is growing - i.e.
3770
the NIC/CPU combo can't keep up with the AVERAGE network flow?
3777
Upgrade the Processor or NIC. Maybe.
3782
Can you tell if the NIC is the bottleneck?
3786
Probably not. Different NIC cards (and NIC card drivers) record different
3787
information. Different tools present pieces and parts of it differently.
3790
For example, a runt packet - one that is too short to really be a packet
3791
is supposed to be discarded according to the tcp/ip standard. But do you
3792
count it as a packet received??
3795
On many systems, interface level (NIC) statistics are available through
3796
the ifconfig (or similar) command. But what is available and what they
3797
mean can be different - even though they're presented in the same format.
3798
Different programs can read the 'same' data and show different things.
3801
For example - eth1 is an Intel Ethernet Pro/100, eth2 a 3c905...
3805
Kernel Interface table
3806
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
3807
eth1 1500 0 50752227 0 0 0 0 0 0 0 BMPRU
3808
eth2 1500 0 145053154 0 0 0 0 0 0 0 BMPRU
3811
No errors - great, right? But look at ifconfig, a few seconds earlier:
3815
eth1 Link encap:Ethernet HWaddr 00:03:47:B1:62:27
3818
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
3819
RX packets:50754251 errors:0 dropped:0 overruns:0 frame:3454146
3820
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
3821
collisions:0 txqueuelen:100
3822
RX bytes:667103055 (636.1 Mb) TX bytes:0 (0.0 b)
3823
Interrupt:9 Base address:0x1000
3826
eth2 Link encap:Ethernet HWaddr 00:60:97:04:30:33
3829
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
3830
RX packets:145056087 errors:0 dropped:0 overruns:0 frame:0
3831
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
3832
collisions:0 txqueuelen:100
3833
RX bytes:1784472399 (1701.8 Mb) TX bytes:0 (0.0 b)
3834
Interrupt:9 Base address:0xb800
3837
If I'm reading the code right, then the frame:nnnn count is set here:
3841
sp->stats.rx_frame_errors += le32_to_cpu(sp->lstats->rx_align_errs);
3844
Meaning? No clue - the writer of the driver had to sign an NDA and so
3845
couldn't explain a lot of what the driver does. Besides, that data
3846
isn't available to ntop anyway.
3851
How can packets can be lost in the kernel?
3855
Each time that interrupt occurs, the kernel processes it by moving
3856
the data from the NIC to a kernel buffer, then re-enable interrupts.
3862
Actually, in Linux (and other OSes), the Kernel interrupt handler is
3863
broken in half - called in Linux the top and bottom. The bottom
3864
interrupt works with processor interrupts off to grab the data and
3865
buffer it and does only minimal processing as fast as possible so
3866
interrupts can be turned back on. Then the top half is scheduled
3867
and processes as a Kernel process (high priority), but it is less
3871
However, if the kernel can't process the bottom half in time - because
3872
there isn't enough memory and/or the processor isn't fast enough to
3873
respond to the interrupt, you do have a problem. The small buffer
3874
in the NIC will overflow and packets are dropped (this is the ONE place
3875
where a better NIC, with a larger buffer, MIGHT help).
3878
While there are LOTS of possible causes, if the kernel is *routinely*
3879
dropping packets, it's almost certainly an interrupt/processor
3880
speed/buffering issue.
3883
So, I guess what I'm saying is that the dropped: count from ifconfig
3884
might not be the NIC's fault - and that's why a faster processor is a
3885
better choice than an expensive server class NIC.
3890
But at least I can trust the libpcap reported counts, right?
3894
Nope. You need to treat the pcap reported drops with more than a few
3895
grains of salt. See this thread, for example:
3898
http://www.tcpdump.org/lists/workers/2001/07/msg00018.html
3900
http://www.mcabee.org/lists/snort-users/Jan-02/msg00771.html
3903
There's a lot of other stuff about pcap problems, especially from
3904
snort (another package that stresses libpcap) -
3905
STFW for "libpcap ps_drop".
3908
See, the call to pcap_stats reads internal counters - maybe they come
3909
from the NIC and maybe they're just maintained by the kernel. That's a
3910
function of how the low level NIC driver is written to handle certain
3911
calls from higher level drivers. So it's a function of the specific
3912
NIC card, something we try to hide from everyone, ntop included.
3915
Ultimately, some piece of hardware or software SHOULD be counting packets
3916
and dropped packets.
3919
But, remember also, that - AT THE INSTANT OF THE pcap_stats call -
3920
there can be packets queued in any of these buffers (NIC, kernel, libpcap).
3923
Put the two together and I wouldn't trust 'em.
3926
Want more fear? Read the comments through out the libpcap code. Like
3927
this gem from pcap-linux.c:
3931
* Get the statistics for the given packet capture handle.
3932
* Reports the number of dropped packets iff the kernel supports
3933
* the PACKET_STATISTICS "getsockopt()" argument (2.4 and later
3934
* kernels, and 2.2[.x] kernels with Alexey Kuznetzov's turbopacket
3935
* patches); otherwise, that information isn't available, and we lie
3936
* and report 0 as the count of dropped packets.
3939
And this from pcap-bpf.c:
3944
* "ps_recv" counts packets handed to the filter, not packets
3945
* that passed the filter. This includes packets later dropped
3946
* because we ran out of buffer space.
3948
* "ps_drop" counts packets dropped inside the BPF device
3949
* because we ran out of buffer space. It doesn't count
3950
* packets dropped by the interface driver. It counts
3951
* only packets that passed the filter.
3953
* Both statistics include packets not yet read from the kernel
3954
* by libpcap, and thus not yet seen by the application.
3958
As you see from the comments in the code, the interpretation of even
3959
those counts differs between operating systems and even between minor versions
3960
of the same OS (e.g. Linux 2.4.8 vs. 2.4.9). For example, some systems
3961
do not maintain a dropped count and will always report zero. Differences
3962
may also occur on the same system for different NIC drivers.
3965
If a BPF filter (-B option) is in place, the differences between OSes are
3981
Sure. ntop runs multiple threads (we call them "NPS - Network Packet Sniffer"
3982
or something similar), one to handle each incomming device. These operate
3983
much like the bottom-half interrupt - they accept the packet and queue it
3984
to another thread ("NPA - Network Packet Analyzer") for the analysis.
3987
Ultimately, we're interested in the counter droppedPkts, which is
3988
incremented in only one place, pbuf.c around 1398, which this is where
3989
NPS is trying to queue a packet for NPA.
3992
Now, you can increase PACKET_QUEUE_LENGTH
3996
ntop.h: 693 #define PACKET_QUEUE_LENGTH 2048
3999
but if you're routinely dropping packets here it's because ntop can't
4000
keep up with the flow. Increasing the queue length will ONLY help if
4001
it's an occasional huge peak with times where the network is quiet
4002
enough to allow you to work off the queue. And each packet buffer
4003
in use takes up memory - (about 1.5MB for a queue of size 2048).
4006
The instantaneous and maximum value for the queue are reported in
4007
the configuration report:
4011
# Queued Pkts to Process 0
4015
But, again, the best answer for dropped packets is probably a
4016
faster processor... (Upgrading to an expensive faster NIC with a
4017
larger internal buffer is rarely the best "bang for the buck" - if
4018
you were running a server, then a server class NIC is a good idea,
4019
but for workstations or network monitors, etc. you just need something
4020
that can keep up with the network flow.)
4025
So what do you show?
4029
The kicker is that accurate counts of raw and dropped packets do not exist
4030
or are not available without using low-level, system specific logic.
4033
The counts that ARE available in a system-independent way are what is
4034
reported in the statistics on the Stats | Traffic page.
4039
So what is reported?
4043
ntop reports the packet and dropped counts as reported by libpcap and the
4044
received, dropped and processed counts it maintains internally.
4049
So what does ntop do with what it does receive?
4053
ntop processes or queues all packets received from libpcap but may drop
4054
packets if the processing queue fills up. Losing a few packets inside
4055
ntop due to a rare burst of traffic is just that - rare, and is not a
4059
If you consistently see packets dropped by ntop then you probably need
4060
to use a faster processor (increasing the buffer size beyond the default
4061
of 2K packets will usually not help).
4070
You can monitor the queue size on the 'Configuration' (info.html) page.
4075
What about the other dropped items?
4079
If you consistently see packets dropped at either the interface or
4080
libpcap level, there is not much we can offer in the way of help for you.
4083
The best suggestion is to try another NIC or a faster machine.
4092
Some NICs - especially ISA ones - are just too slow at moving packets
4093
off of the card. Measurements I did on an old SMC 10BaseT card in 1993
4094
showed that the best it could do - ISA bus, windows overhead, etc. all
4095
rolled together was about 1.7Mbps.
4098
Memory bus speeds (e.g. PC100 vs PC133, DDR333 vs DDR400, etc.) can also
4099
affect moving packets from the NIC to main memory.
4104
Won't a faster CPU help?
4108
Maybe. Some network card drivers are processor intensive - and would
4109
benefit - but others offload most of the processing to the NIC, and so a
4110
faster CPU wouldn't matter.
4113
Even a fancy (read as expensive) NIC may not work well - the drivers
4114
for the NIC on one OS may take advantage of features the card provides
4115
and be 'faster', while the driver for the same NIC on another OS may
4116
not take advantage of these features and be 'slower'.
4128
So, remember - ntop drops packets, the kernel drops packets, libpcap drops
4129
packets and none of 'em do it the same way. Don't bet the farm on counting
4130
every packet with absolute accuracy and use ntop the way it was meant to
4131
be used - showing the overall usage and flows on the network.
4134
Still it's not all gloom and doom!
4137
Even if you're only processing 90% of the traffic, since the drops are
4138
pretty random, it's a decent bet that if 90% of what you DO see is MP3s,
4139
then 90% of the whole traffic flow is probably MP3s.
4144
ntop stops capturing packets, except ARP and other broadcasts. Why?
4148
Check if you have a daemon running that periodically checks for and
4149
resets interfaces in promiscuous mode? If that happens, all you
4150
would see were broadcast packets like ARPs...
4153
Check back in the log and see if there is a message about the interface
4154
changing status. Determine why.
4159
How much horsepower do I need to run ntop on a network of size x?
4163
Nobody really knows. ntop needs enough memory to store the active
4164
hosts and enough cpu to keep up with the average packet flow. The
4165
buffer will handle the occasional peak, but if you see frequent
4166
lost packets, you're in trouble.
4169
Note that a few packets occasionally lost isn't a big deal for most
4170
users. After all, the network itself has losses - I've seen my AT&T
4171
Broadband connection have spurts of 30% packet loss. Ideally in a
4172
LAN environment, the packet loss should be down in the small #s...
4173
the Ethernet standard allows 1 error in 100,000,000(10^8), but most
4174
vendors beat that by a long margin (even as high as 1 in 10^12).
4177
Of course, those are lab measurements. In the real world? Not that good.
4178
Electrical noise can be a real bugaboo. Remember, at a certain point, if
4179
the NIC doesn't understand what it's seeing, it throws it away and
4180
declares an error. The key is to keep up with the traffic.
4183
Similarly, the OS kernel does the same thing in it's interrupt handling
4184
(throw away packets). Last resort, but better than hanging up the whole
4188
ntop drops packets when the queue gets longer than the permitted length.
4189
You can see this in the configuration page as # Queued Pkts to Process
4190
and # Max Queued Pkts.
4193
One or two or a small number (you pick your tolerance) is ok, but constant
4194
losses isn't. What I'm saying is that as long as ntop can keep up with the
4195
NIC, then the data is as good as it gets... if ntop can't keep up, then the
4196
data isn't very good.
4199
If you have measurements - network size, traffic flow and %CPU used (with
4200
the hardware info, of course), shoot them over to us on ntop and someday
4201
maybe we'll be able to give better #s.
4206
What about my Frobozz Model xx Magic Network card? Is it good enough?
4210
Probably. Well, a lot of the cheapos just don't have the buffering
4211
and cpu offload of a 3c905c or such. If the network isn't that busy,
4212
anything will do. For a busy network, buy a decent PCI NIC.
4221
No clue. Remember that you can suck a lot more traffic over that
4222
network than an old PC can handle (i.e. the bandwidth limitations
4223
of 32bit PCI and PC100/133 RAM, heck even PC2700 DDR).
4228
Do "zero copy" drivers help?
4232
Yeah. Maybe. Once upon a time, I read about "zero copy" - look here
4233
http://people.freebsd.org/~ken/zero_copy/ for the FreeBSD stuff. Quoting:
4237
"What is "zero copy"?
4241
Zero copy is a misnomer, or an accurate description, depending on how
4246
In the normal case, with network I/O, buffers are copied from the user
4247
process into the kernel on the send side, and from the kernel into
4248
the user process on the receiving side.
4252
That is the copy that is being eliminated in this case. The DMA or
4253
copy from the kernel into the NIC, or from the NIC into the kernel is
4254
not the copy that is being eliminated. In fact you can't eliminate
4255
that copy without taking packet processing out of the kernel altogether.
4256
(i.e. the kernel has to see the packet headers in order to determine
4257
what to do with the payload)
4261
Memory copies from userland into the kernel are one of the
4262
largest bottlenecks in network performance on a BSD system, so
4263
eliminating them can greatly increase network throughput, and
4264
decrease system load when CPU or memory bandwidth isn't the
4268
What's that mean? It means that BEST CASE, you have to copy the data
4269
NIC->Kernel and without zero copy, it happens TWICE. Then, once you're
4270
in the kernel, it has to hand the data off to libpcap (another copy)
4271
and from libpcap to ntop. So we're moving the data 3 or 4 times...
4275
Let's do some off the cuff math. Looking here
4278
http://www6.tomshardware.com/mainboard/20020501/ddr400vsrambus-05.html
4279
shows a table of memory types and max bandwidth (picking a few):
4283
Label Name Effective Clock Data Bus Bandwidth
4284
PC100 SDRAM 100 MHz 64 Bit 0,8 GB/s
4285
PC133 SDRAM 133 MHz 64 Bit 1,06 GBb/s
4286
PC2700 DDR333 166 MHz 64 Bit 2,7 GB/s
4289
See the problem? A fully loaded GigE link is 1 Gb/s. 4x that is 0.5
4290
GB/s - so if ALL that's going on is the capture of packets from the network,
4291
the CPU can keep up. Maybe. Those bandwidth numbers are theoretical, best
4292
case (nice sequential access). Throw in some other system activity, cache
4293
misses and CAS/RAS issues... and um...
4296
The moral is that if you're going to use ntop to monitor big fat links,
4297
you need screaming fast iron.
4302
Can I disable logging? Totally?
4306
Sort of - if you run single threaded, without the -d or -L options.
4307
Multithreaded? No. If ntop creates child threads, they don't have
4308
terminal access and have to have some way of reporting things.
4313
I'm seeing weird "hosts" on my network with names like
4314
"Bridge Sp. Tree/OSI Route".
4319
There is a list of "special" MAC address prefixes in vendor.c,
4320
specialMacInfo[]. There are blocks of MAC addresses reserved (sometimes not
4321
formally) for special uses, such as sharing information about Spanning Tree
4322
for bridges. These do not have an IP address - they operate at a lower
4323
level - so nothing gets displayed in some of ntop's fields.
4326
A reference about protocols at the wire level is here:
4329
http://www.oreillynet.com/pub/a/network/2001/03/02/net_2nd_lang.html
4332
If you only want to see TCP/IP, then I suggest you use -B "ip" to filter
4333
only TCP/IP protocol on your ntop line...
4338
How do I see fully qualified names for all my hosts? Some are netbios
4343
ntop doesn't SEND NetBIOS queries, it sniffs them off the traffic already on
4347
There is only ONE case where ntop uses the NetBIOS names, which is if
4348
it can't resolve them via DNS (both it's own queries and from sniffing
4349
responses to other's queries off the network).
4352
So, if you have a properly functioning DNS, you'll see DNS names. If
4353
these are (for example) internal names, unknown to the DNS server, you'll
4354
see NetBIOS names if they are available. Lastly, you'll get IP addresses...
4357
If you do have a DNS, and the name is resolved as part of the default
4358
domain, you won't see a fully qualified name back from the DNS, so ntop
4359
won't have that information.
4362
So, on a real network you'll often get a mix of name resolution types:
4366
Host IP Address MAC Address
4368
netnews.attbi.com 63.240.76.16
4369
tigger.homeportal.2wire.net 192.168.0.xx 00:D0:09:xx:xx:xx
4370
homeportal.homeportal.2wire.net 192.168.0.1 00:D0:9E:xx:xx:xx
4371
swallowtail 192.168.0.XX 00:A0:CC:xx:xx:xx SWTL [DMN]
4372
12-xxx-xxx-xxx.client.attbi.com 12.xxx.xxx.xxx 00:D0:9E:xx:xx:xx
4373
12-xxx-xxx-yyy.client.attbi.com 12.xxx.xxx.yyy
4378
What does this log message (and others like it) mean?
4379
**WARNING** releaseMutex() call with an UN-LOCKED mutex [hash.c:559] last
4382
unlock [pid 22176, pbuf.c:2598]
4386
Those messages are part of an error check in our mutex handling routines.
4389
Actually they pretty much mean what they say.
4392
releaseMutex() call with an UN-LOCKED mutex means that the corresponding
4393
accessMutex() call never occured.
4396
releaseMutex() call with an UN-INITIALIZED mutex means that the
4397
access/release occured before the createMutex().
4400
The file/line comments, [hash.c:559] last unlock [pid 22176, pbuf.c:2598],
4401
tell you where the access/release was called from (e.g. hash.c @ 559) and
4402
where the last recorded release was.
4405
There are others, look in leaks.c for the entire set.
4410
How serious are they?
4414
None of these stop ntop from processing, but they're indications of
4415
unprotected accesses to shared data areas, which could lead to lost counts.
4418
Now understand that there's one set of conditions where I believe it doesn't
4419
matter, and that's when there are multiple NICs and multiple processors.
4420
Under some circumstances - not well understood - gcc with the -O2 option
4421
reorders the executable code in such a way as to cause these messages.
4425
But for most users, these warning messages shouldn't be ignored if they occur
4429
The problem is that a POSIX mutex doesn't allow for additional data,
4430
such as we're using to track the access / release information. So that
4431
data is, itself protected by a single global mutex. You can't hold that
4432
global mutex across an access call, or you'll deadlock ntop (either through
4433
normal mutex processing or something called 'priority inversion').
4436
So we use this pattern instead:
4440
access(stateChangeMutex)
4442
release(stateChangeMutex)
4446
access(mutex) or release(mutex)
4450
access(stateChangeMutex)
4452
release(stateChangeMutex)
4455
The problem is that these updates aren't atomic, so it's possible to have
4456
the state data updated by another thread:
4460
---------thread A--------- ---------thread B---------
4461
access(stateChangeMutex)
4463
access(stateChangeMutex)
4465
release(stateChangeMutex)
4468
release(stateChangeMutex)
4473
access(stateChangeMutex)
4475
release(stateChangeMutex)
4479
access(stateChangeMutex)
4481
release(stateChangeMutex)
4485
Unfortunately, this is equally likely:
4489
---------thread A--------- ---------thread B---------
4490
access(stateChangeMutex)
4492
access(stateChangeMutex)
4494
release(stateChangeMutex)
4497
release(stateChangeMutex)
4502
access(stateChangeMutex)
4504
release(stateChangeMutex)
4505
access(stateChangeMutex)
4507
release(stateChangeMutex)
4510
So at the end, you have an inaccurate picture in the state table.
4519
There's a good set of articles on POSIX threads at
4522
http://www-106.ibm.com/developerworks/library/l-posix1/,
4523
http://www-106.ibm.com/developerworks/library/l-posix2/ and
4524
http://www-106.ibm.com/developerworks/library/l-posix3/.
4529
What does the message "URL security(1): ERROR: Found percent in
4530
URL...DANGER... rejecting request" mean?
4534
It means that ntop received a request with a percent sign (%) in it, often
4535
used as part of Unicode exploits against various web servers. Since there is
4536
no situation where ntop should process this, we reject it.
4537
URLsecurity in http.c is the place where these tests occur.
4542
What does the message "Rejected request from address x.y.z.t (it previously
4543
sent ntop a bad request)" mean?
4547
Once you send ntop a request that URLsecurity rejects, the sending address
4548
goes into a ring buffer on a 5 minute timeout where we simply drop subsequent
4549
requests... rather than waste cycles ignoring an attack...
4554
What are the other URL security(#) codes?
4558
1. Found a % in the request (Unicode problems)
4559
2. Found a parameter type code (//, &&, ??)
4560
3. Found a directory transversal code (..)
4561
4. Found a prohibited (RFC1945) character
4562
5. Found a bad extension
4567
ntop doesn't report any traffic at all.
4571
Understand how ntop works: It simply listens on the interface(s) for
4572
packets, then counts and interprets them. If there aren't any packets, ntop
4573
doesn't count things.
4576
ntop does not sample. It processes every packet it sees and counts them.
4577
Only if there is more traffic than ntop can handle for a long period of time
4578
will the packet queue hit it's limit and packets be lost. But this is still
4582
Make sure that there's traffic on the interface(s) you are using. You can
4583
use tcpdump or a similar network sniffer tool to check.
4586
If you are on a segmented network (i.e. switched), you may not see traffic
4587
that isn't destined for the ntop machine unless you configure the switch to
4588
set the port for the ntop host into "mirror" or "management" mode (different
4589
vendors call it different things, but it's a mode where ALL traffic is copied
4590
to a specific port, regardless of which port the destination host is on).
4593
If there is more than one interface in the ntop host, perhaps you aren't
4594
listening on the one that has traffic? Check using ifconfig:
4597
eth0 Link encap:Ethernet HWaddr 00:D0:09:77:85:B9
4600
inet addr:192.168.0.34 Bcast:192.168.0.255 Mask:255.255.255.0
4601
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
4602
RX packets:1105906 errors:0 dropped:0 overruns:0 frame:0
4603
TX packets:601935 errors:0 dropped:0 overruns:0 carrier:0
4604
collisions:0 txqueuelen:100
4605
RX bytes:119869887 (114.3 Mb) TX bytes:112203781 (107.0 Mb)
4606
Interrupt:11 Base address:0xc000
4609
If the RX and TX numbers are increasing, this shows that traffic IS
4613
If you have an unnumbered interface (listening only), remember you need to
4614
use -m to tell ntop what is local and what isn't:
4617
eth1 Link encap:Ethernet HWaddr 00:30:F1:54:55:00
4620
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1
4621
RX packets:1596612 errors:0 dropped:0 overruns:0 frame:0
4622
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
4623
collisions:0 txqueuelen:100
4624
RX bytes:566953031 (540.6 Mb) TX bytes:0 (0.0 b)
4627
You can select an interface using the '-i' flag, e.g. -i eth1 or
4633
ntop doesn't understand xxxxx?
4637
True. IP Packets have a source address & port and a destination address &
4638
port... you MUST get your head out of the application layers and revert to
4639
that simple concept.
4642
How does Apache handle virtual hosts? It analyzes the flow at the
4643
application level (layer 4) not the wire/packet/protocol (layers 1, 2 and
4644
3). It does this by re-assembling packets into a layer 4 message (e.g. GET
4645
http://virtual.host.name.com/page.html)...
4648
Now there are some layer 4 analysis routines - virtual hosts was added in
4649
2.2 (and the folks who have virtual hosts have been pretty pleased), ftp,
4650
http, and some others - mostly looking for traffic on non-standard
4654
So, since ntop works at the packet level, it doesn't understand virtual
4655
hosts. Unless it's SPECIFICALLY coded for. ntop is a NETWORK analyzer, not
4656
an application level one.
4661
tcpwrappers doesn't work
4665
Oh yes it does... for http: connections
4668
1) You have to configure it this way before compiling ntop:
4671
./configure --enable-tcpwrap
4674
2) You must have the headers and libraries installed on the build machine
4677
(and on the execution machine if they aren't the same).
4680
Remember to make the appropriate entries in hosts.allow (e.g.
4681
ntop:192.168.0.) and hosts.deny (e.g. ntop:ALL)
4684
However, tcpwrappers and https:// is known not to work - see docs/KNOWN_BUGS
4689
My filter doesn't work! I'm running ntop like this:
4692
/usr/local/bin/ntop -u nobody -L -d -E -w 3000 -S 2 \
4693
-m 192.168.10.0/24,xxx.xxx.xxx.xxx/32 \
4695
(src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) \
4696
and not dst net 192.168.10.0/24
4700
Yup, it doesn't work. Use the -B option and put the filter in quotes:
4703
-B "(src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) and
4704
not dst net 192.168.10.0/24"
4707
ntop used to assume anything it didn't recognize was a filter. But not since
4708
2.1.3. If you try this now, you should see a log warning that says maybe you
4714
I have experienced problems defining multiple filters: ntop reports 'syntax
4719
If you believe the filter is syntactically correct then it's likely that the
4720
Libpcap you have used has been compiled using an old non-reentrant version of
4721
flex. Please make sure you're using version 2.5.4 or above.
4726
Can you give some additional examples of filters?
4730
man tcpdump -- see "expression"
4733
A couple of simple examples, courtesy of B. Loic:
4737
-B "host not 192.168.1.100 and not 192.168.1.101"
4740
to exclude hosts 192.168.1.100 and 192.168.1.101 from tracking (FQDN
4741
such as www.yahoo.com will work too).
4744
If you need to exclude a full IP range, you will want to use something like
4748
-B "net not 192.168.1.0/24"
4750
<h2>Running - Web Server</h2>
4754
ntop shows an older, single menu interface
4758
If ntop is unable to find the file index.html it generates the page
4759
internally. That page refers to 'leftindex.html' which is the all-in-one menu
4760
you see, similar to the v1.3 menu.
4763
To find the html files, ntop looks in the html subdirectory in two places:
4767
1. In the current directory (i.e. ./html),
4769
2. In '[prefix]/share/ntop/html'
4770
(where [prefix] is set by the --prefix option of your ./configure
4778
1. Is manually installing ntop in an unusual place, having forgotten to
4779
update DATAFILE_DIR in config.h. Or forgetting to copy the html
4780
subdirectories, etc.
4784
2. Forgetting to run './autogen.sh -1' first and 'make install' last when
4785
first building ntop from source.
4789
3. Running ntop with an explicit path from somewhere other that the
4790
directory it's installed into. For example, if you install ntop
4791
into /root/ntop, but run it like this:
4800
It will look 1st in /usr/bin/html and then in [prefix]/share/ntop
4801
and not find the html files in /root/ntop/html!
4804
This often occurs when running ntop as a daemon, because the current
4805
working directory of the script is not what you expect it to be!
4810
Why does ntop display bits of my web site, instead of its own pages?
4814
ntop is designed to search the current working directory for data files,
4815
such as the html subdirectory, before it searches the default directories.
4821
You are one of those rare souls who happen to have had an unrelated
4822
subdirectory 'html' with a file named 'index.html' as a subdirectory
4823
of the current working directory at the time that you launched ntop.
4824
cd to an acceptable directory, such as /usr/share/ntop, before
4830
What are High/Medium/Low risk flags
4834
They are set in reportUtils.c based on fairly self-obvious functions
4835
Well documented in the help.html page, reachable by clicking on
4836
the problem descriptions or via http://127.0.0.1:3000/help.html
4839
Often seen if you are monitoring a backbone or common network (high)
4840
or if you have cloned MAC addresses for, say, a home Firewall box.
4845
What does the "Users" flag mean on a host?
4849
If you go to the "Info about host xxxx" page, there will be data
4850
in the "Known Users" section, if it's acting as a server for certain
4854
In sessions.c, the function updateHostUsers() is used to maintain the list
4855
of "users" of a host. In handleSession(), as part of the protocol level
4856
analysis, the "user" information for various protocols is pulled out of the
4857
packets. Stuff like the "X-Kazaa-Username" header, the "MAIL FROM:" header,
4861
We tag users as one or more of the following types:
4864
P2P_USER, SMTP_USER, FTP_USER, POP_USER, IMAP_USER
4867
Note that for P2P, we also record - where possible - whether this user is
4868
in P2P_UPLOAD_MODE and/or P2P_DOWNLOAD_MODE.
4873
Why are some of the host names in different colors?
4877
Colors are used on several of the ntop pages to convey extra
4878
information to the user. (in particular the ACTIVE TCP SESSIONS
4879
and the LOCAL HOST STATS pages). There are five colors used to
4880
depict how long ago the host was first seen by ntop.
4883
The pages which display these colors use a html style sheet called
4884
style.css located in the normal html subdirectory (where ntop is
4885
installed). This happens by setting the 'class=' parameter of
4886
the html 'A' (Anchor or hyper-link) tag. The style sheet defines
4891
Age of host 'class' name Color code Color description
4893
-------------------------------------------------------------------
4894
0-5 A.age0min { color:#FF0000 } Red
4895
5-15 A.age5min { color:#FF00FF } Fuchsia/Magenta
4896
15-30 A.age15min { color:#FF7F00 } Coral (lt orange)
4897
30-60 A.age30min { color:#007FFF } Slate blue
4898
60+ A.age60min { color:#0000FF } Blue
4901
The color legend is displayed on the About | Configuration page
4907
What does the P2P flag mean on a host?
4911
If ntop knows enough to tag you as a P2P user, it's also looking at the
4912
other headers to see if it can track what files you're exchanging. If a host
4913
(i.e. a workstation) downloads a file from another host ("server"), the file
4914
name is recorded in the list ntop maintains for both of them.
4917
If a host has at least one file name recorded, it's tagged with the "P2P"
4923
What does a "Virtual Host" mean.
4927
If a single instance of a web server handles many web sites, all of the
4928
references resolve to the same name. The web server uses the "Host:"
4929
header to determine which "index.html" page to serve up.
4932
ntop monitors port 80 (http:) exchanges and looks for the Host: which allows
4933
it to build a list of virtual hosts being handled by the web server.
4935
<h2>Running - Web Server (https:)</h2>
4939
SSL is not working! I have the following error in the log/terminal:
4942
10/Jun/2002 22:58:17 Started thread (6151) for network packet sniffing on
4943
eth0.1700:error:140EC0AF:SSL routines:SSL2_READ_INTERNAL:non sslv2
4944
initial packet:s2_pkt.c:187:
4948
You forgot to put https:// instead of http:// in the URL you put in your
4954
Unable to find SSL certificate 'ntop-cert.pem'
4958
ntop looks such file under the current working directory, then /etc or in
4959
Whatever directory you configured with ./configure.
4962
If you want a personal certificate, you need to create it by:
4969
It should be installed as part of "make install". If you have a special
4970
Certificate or it's not present, do it (one-time) manually:
4973
For example to install it under /usr/local/etc, do:
4976
mkdir /usr/local/etc
4977
cp /usr/local/bin/ntop-cert.pem /usr/local/etc/ntop
4984
Q: What is the ssl watchdog?
4985
A: Short answer: There are reported problems w/ the ntop web server hanging when
4986
accessed via ssl (https://) from Netscape 6.2.2 (Win2K) (and
4991
The ssl "watchdog" keeps an eye on the web server - it waits
4992
for 3 seconds and then if the SSL_accept call (openSSL) hasn't
4993
finished, it aborts it. This leaves the user with nothing on
4994
their web browser, but at least ntop's web server continues on.
4998
There is no known way to send something back to the user. DON'T
4999
EVEN ASK. It's not in ntop, it's the browser-server handshake
5000
that's hung. So, it looks - to the user - like a failed
5001
connection. S'be'it...
5004
If you are using https:// and seem to have the problem, run ntop with the
5005
--ssl-watchdog command line parameter... The item to look for on the
5006
configuration page (info.html) is:
5010
# HTTPS Request Timeouts
5013
Or messages in the log:
5016
...: SSLWDERROR: Watchdog timer has expired. Aborting request, but ntop
5019
processing continues!
5022
You can also enable it via a ./configure parameter (./configure --help |
5023
less) if it's something you're going to always require.
5032
The problem is that ntop's web server is single threaded until we determine
5033
that the request is simply one that will be reading data. At that point we
5034
fork to generate the page. But the basic "accept a request" code is single
5035
threaded. This happens all but instantaneously and hasn't been a problem
5039
The code is pretty basic and pretty common:
5043
select() to wait for a connection, then
5044
ssl_accept() to fire up a "server", meaning the ssl handshake.
5048
Then process the http request (i.e. the GET and associated headers).
5051
With Netscape 6.2.2 (and others), there seems to be a bug in the Netscape
5052
code (ntop's is identical to other projects like sshd).
5055
According to something I read - but now can't find again - Netscape doesn't
5056
accept a legal combination of options on the handshake back from openSSL and
5057
hangs in a deadly embrace. Supposedly openSSL 0.9.6c (or was it d - it's not
5058
in the changelog) built in a patch. However, I didn't find the new version
5059
changed the behavior.
5062
There is stuff about a bug w/ Netscape 4.x on the openSSL website, but I'm
5063
not having trouble with Netscape 4.x.
5066
I don't understand the details and really don't care to find out. It boils
5067
down to a hang in a call, SSL_accept() that doesn't have a timeout parameter.
5071
Because the code is invasive, I built it (like the SIGPIPE stuff) so you can
5072
turn it on at ./configure time:
5076
--enable-sslwatchdog Watchdog for ssl hangups (Netscape 6.2.2)
5080
or via a command line option:
5084
--ssl-watchdog Use ssl watchdog (NS6 problem)
5087
With the "fix", ntop's web server hangs for at most 3 seconds, then continues
5088
on. The user gets nada - and I don't know a way to send them anything,
5089
because we haven't retrieved the request yet nor done the handshake (so there
5090
isn't a TCP connection!)
5093
It only affects https:// requests and I've coded the watchdog so it doesn't
5094
activate unless we have openSSL and either the compile or runtime parameter
5095
set. If you don't get https:// requests, it's just another idle thread.
5098
The fix is working for me... What I've tested (and the results with and
5099
without the watchdog):
5104
MS Internet Explorer 5.5 - ok
5107
Netscape 6.2.2 - user gets no response
5108
- old: ntop webserver hung and must restart ntop!!
5109
Opera 6.03 - user gets a partial response
5110
- old: browser says "setting up secure connection" and
5111
never continues, but ntop's webserver is ok
5112
(SOMETIMES you get SSL errors in log, esp.
5113
if you cancel the browser)
5118
Konqueror 2.2.2 - ok
5121
Galeon 1.2.5 - almost complete response, browser session is toast
5123
- old: user gets nothing, but the ntop webserver is ok
5124
Opera 6.0B1 - user gets a partial response, but browser session is ok
5125
- old: browser says "setting up secure connection" and never
5126
continues, but ntop's webserver is ok.
5128
<h2>Running - Web Server - Security</h2>
5132
I'm being prompted for a userid/password, what do I enter.
5136
The default admin userid is 'Admin' (without the quotes) and the password
5137
is whatever you set on the 1st run of ntop (look in this FAQ for
5138
--set-admin-password).
5143
Why create Userids (beyond the Admin id created by --set-admin-password)
5147
Multiple users allow you to control who can alter ntop's performance and/or
5148
view specific information. If you look on the "Admin" tab, you will see that
5149
you can create additional users and also control which URLs can be executed
5153
Userids could allow, for example, an ISP to allow users to access SOME
5154
network performance statistics, but not the proprietary stuff...
5157
Suppose you want to restrict who accesses the Multicast statistics page,
5158
multicastStats.html.
5161
ntop uses terminal wildcards matching the names, so multicast is treated as
5162
multicast* and matches multicastStats.html plus any other name beginning
5170
2nd add "multicast" to the list of controlled screens and allow admin
5173
and the new user to access it (note the * wildcard is automatically
5177
Try and access the screen and you are prompted for a userid/password...
5180
Look in http.c for all the names and #defines used...
5185
So, How do I restrict access to the main http or https ntop web page?
5189
To stop everyone from logging into ntop, do the following:
5191
Select URL's then "Add Url"
5192
Don't fill in anything (the wildcard * is implied)
5193
Select only the users who you want to authorize (hold control key and
5194
click on user to add more users if you added users)
5197
and click on "Add Url"
5200
You will see URL '*' is added, e.g.
5211
Then only users who know the user id and password (remember to keep the .db
5212
file secure!) will have access.
5217
How good is the default security ntop provides through the web server.
5224
The default ntop configuration is not appropriate if you put ntop in a
5225
publicly reachable location. We assume that ntop is either running in a
5226
small, trusted, LAN or that you've used other tools such as firewalls to
5227
protect the ntop web server.
5230
The userid/password scheme is good enough to prevent you from accidentally
5231
shutting down ntop or getting into 'dangerous' places. But that's really
5235
Also, the security of the ntop web server is only as good as the security of
5236
the passwords file, ntop_pw.db - only the ntop -u userid should be able to
5237
read from or write to it.
5240
Read man crypt for information on the security of the encrypted password.
5245
The plugins aren't very secure.
5254
How do I prevent users from turning plugins on/off?
5258
The default configuration of ntop does not protect the plugin pages - no
5259
password is required to access showPlugins.html.
5262
This allows any user who can connect to the ntop web server to view reports
5263
FROM the plugins, but also allows them to make plugin configuration changes.
5266
This may not be desirable. You may wish to add additional URLs to the
5267
Default list of those which require entry of a userid/password.
5270
You can prevent unauthorized individuals from turning plugins on/off by
5271
adding this URL: "showPlugins.html?" to the list via Add URL.
5276
Ok, but they can still get into the configuration pages and change things.
5280
Yes. Add the following URLs to the controlled list:
5290
This will keep everybody who doesn't know the userid/password out of the
5291
configurable plugins. Unfortunately, it will also prevent them from seeing
5292
the rrd graphs, because those are created out of the rrd plugin.
5296
Instead of plugins/rrdPlugin*, create these:
5300
plugins/rrdPlugin?d*
5301
plugins/rrdPlugin?h*
5302
plugins/rrdPlugin?i*
5303
plugins/rrdPlugin?r*
5306
It's still not perfect, the reasons why are left as an exercise for the
5312
I created a new user, adminp for administering the plugins and ntop is
5313
also accepting the admin userid/password.
5317
Yes, the matching of userid's isn't too swift. It's better to make sure
5318
that there are NO common initial substrings among ANY of the userids.
5322
Q: How can I use Apache (with it's security, etc.) to serve up ntop pages?
5323
A: (Toby Johnson [public@tobiasly.com], Sun 10Nov2002)
5326
A while back, I had written about the possibility of configuring ntop to use
5327
only relative URL's, in order to facilitate proxying ntop's web interface
5328
through Apache. I have decided it's easier to simply use Apache's ability to
5329
rewrite ntop's URL's when necessary. So, based on my experience, here is a
5330
mini-HOWTO on how to proxy ntop through Apache.
5336
Proxying ntop's web interface through a secure Apache virtual host is a
5337
convenient way to make use of any existing security measures you may already
5338
have. In my case, I wanted to be able to access ntop from anywhere outside
5339
my LAN, but opening another port on my server for ntop's dedicated web
5340
server wasn't an option.
5343
I already had a password-protected, secure web server that I use for admin
5344
purposes -- I'll call it https://admin.tobiasly.com. I wanted ntop's web
5345
interface to appear as a subdirectory under this host:
5346
https://admin.tobiasly.com/ntop/ .
5349
Here's how to configure such a setup. Change the server names and ports to
5350
match your own. I'm assuming that you already have a working, secure Apache
5351
virtual host (using HTTPS).
5354
First, pick a port for ntop's HTTP server. I'll use 15123. You won't need
5355
ntop's built-in HTTPS server, since you're proxying its content through a
5356
pre-existing Apache HTTPS server. Configure ntop to start with the correct
5357
HTTP port, and with HTTPS disabled. Something like "ntop -d -w 15123 -W 0".
5358
(See the ntop man page for more startup options.)
5361
Now, you need to tell Apache that anything under the /ntop/ URL should be
5362
proxied to the ntop web server. In my case, the Apache server is running on
5363
the same machine as ntop, so it's just a proxy to a different port on
5364
localhost. In your Apache secure host configuration, add a line like this:
5368
ProxyPass /ntop/ http://localhost:15123/
5371
Now, whenever Apache receives a request for something like
5372
"https://secure.tobiasly.com/ntop/home.html", it will proxy this request to
5373
the location "http://localhost:15123/home.html". Ntop will take it from
5374
there, generate the web content, and pass the result back to Apache. Then
5375
Apache passes that result back to the original client.
5378
It's important to note that you don't need to open port 15123 to the
5379
outside, since the connection actually goes through your existing Apache
5380
port, and then is transparently proxied by Apache on the server itself. Of
5381
course, you don't even have to run ntop on the same machine; as long as the
5382
Apache server can connect to ntop's port, it'll work.
5385
This is not the same as URL redirection. As far as your web browser knows,
5386
everything is going through https://secure.tobiasly.com/ntop/. The Apache
5387
server does all the proxy work behind the scenes, and simply serves up the
5388
results to the requesting client. And since the "outward-facing" server is
5389
Apache instead of ntop, you'll be using your existing Apache secure server
5390
certificate, instead of ntop's ntop-cert.pem.
5393
Everything appears to work OK at first, but we quickly run into a problem:
5394
some of the URL's that ntop generates are absolute. For example, to draw bar
5395
graphs, ntop's web pages will request the image "/gauge.jpg". This would
5396
translate into "https://secure.tobiasly.com/gauge.jpg". Also, host info
5397
pages are absolute. If I click on the host "10.1.2.3", it tries to take me
5398
to the page "https://secure.tobiasly.com/10.1.2.3.html".
5401
This is a big problem, because unless the URL is underneath the /ntop/
5402
directory, Apache doesn't know that it needs to proxy the request to ntop,
5403
and you get broken links. Luckily, Apache has the Rewrite module that lets
5404
us fool with requested URL's. In order to get the required URL's rewritten,
5405
add the following to your Apache secure virtual host configuration:
5410
RewriteCond %{HTTP_REFERER} tobiasly.com/ntop
5411
RewriteCond %{REQUEST_URI} !^/ntop
5412
RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]
5415
In English, this basically says "If I get a URL request that comes from a
5416
page that has tobiasly.com/ntop in it, and that request doesn't begin with
5417
/ntop, rewrute the URL to begin with http://secure.tobiasly.com/ntop/, and
5418
pass this rewritten URL to the Proxy engine." At this point, the Proxy
5419
engine will see that it is getting a URL that begins with /ntop/, and
5420
correctly pass it to the ntop web server. Rewriting the request to begin
5421
with HTTP instead of HTTPS may seem incorrect, but since that URL will be
5422
handed directly to the Proxy engine, it can't be HTTPS or ntop's web server
5423
will not recognize it.
5426
Now, you should be able to simply connect to
5427
https://secure.tobiasly.com/ntop/ , and you're ready to go!
5429
<h2>Running - Web Server - i18n</h2>
5433
Is ntop localized for language x? (i18n)
5437
No. ntop wasn't really written with i18n in mind.
5440
Most of the text is generated in-line, on the fly. Plus ntop must
5441
dynamically support multiple locales simultaneously.
5444
However, beginning with v2.1.56 (2.2 development release), there is limited,
5445
optional, i18n support in ntop.
5450
So, what internationalization (i18n) support does ntop provide.
5454
The key word is LIMITED
5457
This only applies to the pages that are pulled from .html files, NOT those
5458
created internally. This includes the menus and the few static text pages,
5459
but none of the pages with interesting data on them.
5462
The localized pages must be placed in parallel directories to the existing
5466
For example, if ntop is installed in /usr/share/ntop, the html files are in
5467
/usr/share/ntop/html.
5470
To support them Canadians, then, you would need to create a
5471
/usr/share/ntop/html_en_CA AND that locale would need to be installed on the
5475
Note that there are NO i18n files distributed with ntop (yet!)
5478
At ./configure time, you enable support via --enable-i18n. ntop MUST be told
5479
how to find the locale files. In ./configure, a "standard" location is
5483
(Initially only the value for FreeBSD is populated). All others assume the
5484
"default", /usr/lib/locale. If that isn't right for your OS, then you MUST
5485
use the optional parameter --with-localedir= to tell ntop where to find the
5489
At run time, ntop scans the host for the installed locales (locale -a should
5490
- on most systems give you a list) and checks if a comparable html_cc_XX
5494
This builds a list of supported languages, which (along with i18n status) is
5495
shown on the configuration pages, info.html and textinfo.html.
5498
When an http request is made, your browser sends a list of languages it is
5499
willing to accept in the http Accept-Language: header.
5502
(check View | Internet Options | Languages in IE to see what you're sending)
5509
Accept-Languages: en_US, en
5512
Means that you prefer US English, but will accept any English dialect if US
5513
English isn't available.
5516
Be aware that the locale settings and Accept-Language settings are not well
5517
standardized, nor common and may not necessarily map very cleanly. You
5518
should see what's defined (perhaps it's locale 'german' instead of 'gr') and
5519
make or link directories as necessary. You can always create the directory
5520
you tell ntop to use via --with-localedir= in the /usr/share/ntop structure
5521
and create links from there to the real locale directories!
5524
Limits in the per-request and total # of languages to support are in
5528
Because of directory structure limits, a lack of interest in multiple
5529
character sets, etc. the locale and accept-language headers are coerced into
5533
locales are ll[_XX][.char][@modifier]
5537
ll - language, usually the 2 character ISO abrev., such as us, it.
5538
XX - dialect (often a country), such as CA or US (en_US != en_CA)
5539
char - character set (we sort of assume UTF-8)
5543
Accept-Language: values are ll-XX or ll or ll-*
5546
Once the user makes a request, each page pulled is checked:
5550
1. For each of the Accept-Language values.
5551
2. For the ntop host locale value.
5552
3. In the ntop default (English) set.
5555
These checks are performed for each of the libraries specified in the config
5556
value (CFG_DATAFILE_DIR).
5561
What about the country flags.
5565
There are other sets available on the web, of different quality and size.
5566
Rather than chase down permissions and rights, we'll stick with what we have
5567
but let you know here of other options.
5570
If you find a set you like, just download them and replace the xx.gif files
5571
in .../html/statsicons/flags
5574
Much better, but about 4x larger:
5577
http://users.skynet.be/hermandw/fl/smalgifs.html
5580
Same height, but wider (so they look better):
5583
http://www.kidlink.org/www/miniflags.html
5588
What pages can be customized?
5592
ls /usr/share/ntop/html/*.html (or wherever the ntop pages are installed):
5600
Note: There is no real benefit, except maybe the title in index.html so
5601
you can see that it really does work!
5627
faq.html - lots of work
5628
help.html - good candidate
5629
ntop.html - splash page
5634
Also, remember that a file overrides ntop's internal page generation, so you
5635
can also use this facility to override ANY of ntop's pages and return a
5636
customized page (perhaps you don't want users seeing them?).
5638
<h2>Running - Web Server - p3p</h2>
5646
P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specifying how
5647
an application(typically a web site) handles personally identifiably
5648
information. What information the site collects and what it does with the
5652
p3p is pretty complex! There are basically two ways to enable an application
5653
for p3p. One is to add another HTTP header, P3P:. The second is to support a
5654
well-known file location, /w3c/p3p.xml (like robots.txt).
5657
Browser support is pretty spotty, as is web site adoption.
5660
Some 3rd party browsers have some support... up to CrazyBrowser which claims
5661
"full support", whatever that means...
5666
So why put P3P into ntop?
5670
It's coming. P3P is gradually making it's way into the top web sites -
5671
right now (Dec2002), for example dell.com supports it and yahoo.com doesn't.
5676
Ok, but what's that got to do with ntop?
5680
Since ntop collects personally identifiable data in it's access log (-a
5681
option) and it's various reports and makes those available to pretty much
5682
anyone in the default configuration, it's probably not a bad idea to OFFER
5683
some support. Especially if you're running ntop at a site that has started
5684
to support P3P, if you don't have a mechanism for your own policies
5685
you'll have to adhere to corporate ones. And that could require massive
5695
Since ntop doesn't send the P3P: header, IE6 ignores ntop wrt p3p. Besides,
5696
IE6 uses p3p to block 3rd party cookies. If you want to see the p3p stuff,
5697
it's view | privacy report in the menus. If the site's policies don't match
5698
your settings, there will be a red "do not enter" icon in the third box on
5699
the bottom right of the IE6 window - double click on it to see the report.
5700
See http://support.microsoft.com/default.aspx?scid=KB;en-us;q293513
5709
Unknown if it's enabled by default. Mozilla had support, ripped it out in
5710
Feb 2002 and put a new version back in.
5719
See their home pages or search the web. One that I know that claims "full
5720
support" (whatever that means) is at http://www.crazybrowser.com/
5729
A browser-add-on, AT&T's privacy bird (http://www.privacybird.com/), that I'm
5730
playing with is a lot more aggressive in supporting p3p. If Privacy bird
5731
doesn't see the P3P: header, it then requests the "well known" file,
5732
/w3c/p3p.xml file and gets nailed by ntop as a hostile application, since we
5733
don't have support for returning .xml files (yet).
5738
So when & how does ntop support p3p?
5742
A patch in the cvs on 4Dec2002 adds minimal support for p3p -- specifically:
5746
1) ntop will respond to queries for /w3c/p3p.xml and ntop.p3p -- returning
5747
the ntop.p3p file, IF ONE EXISTS.
5751
If the file does not exist, a 404 error is generated (vs. pre 4Dec2002
5752
behavior of adding the address to the myGlobals.weDontWantToTalkWithYou
5757
2) New parameters, --p3p-cp and --p3p-uri allow you to return the P3P:
5758
header with either or both of the parameters (cp="" or policyref="")
5763
ntop doesn't validate the text in any way other than the usual
5764
stringSanityCheck().
5767
This allows me to run the Privacy Bird and still talk to ntop. I'll admit
5768
that option #2 is speculative, since I really don't have much of a way to
5774
But there isn't a sample .p3p file provided.
5781
Please note that there is no sample file provided. This is not an oversight.
5784
After careful consideration, I am not providing one. The reason is that a
5785
.p3p file is intended to be a legal contract between your site and your users.
5786
While I could provide a default file that has the right tags - as I
5787
understand p3p - for the data ntop collects and stores, I don't want the
5788
responsibility and/or liability.
5791
If anyone wants this "sample p3p file", I will make it available for a fee,
5792
Provided your organization - through an appropriate officer, in writing:
5796
1) Acknowledges that Luca Deri, Burton Strauss and other developers of
5797
ntop have no liability for any use(s) you make of the sample p3p file
5798
or anything you derive from it.
5802
2) You will defend us - at your expense - from any lawsuit, arbitration
5803
proceeding, etc. filed in conjunction with your use of the sample p3p
5808
3) You will pay any judgments, legal expenses, etc. related to any
5809
lawsuit, arbitration proceeding, etc. in conjunction with your use of
5810
the sample p3p file.
5813
Since your legal department would be nuts to agree to that I doubt it will
5819
So How do I create a .p3p file?
5823
There are tools available to create p3p policy files - search the web for
5824
'p3p editor'. One that I've used is a zero cost albeit beta tool, p3peditor
5825
from IBM (http://www.alphaworks.ibm.com/tech/p3peditor).
5827
<h2>Networks, Network cards and Networking</h2>
5831
My security people won't let me run in promiscuous mode.
5838
Or, use the -s option and accept the limitations...
5841
Ask them "honestly, what is the problem" - other than having an interface
5842
in promiscuous mode is a signature of a sniffer and security folks look for
5843
unauthorized sniffers?
5846
ntop needs promiscuous mode so that it sees the full range of traffic. Any
5847
similar product will do the same thing.
5850
If the security people think traffic on the wire is secure, they're wrong!
5851
Face facts - just about every Windows user, except for 2K/XP Pro (and then
5852
only if TBTP have especially locked them down) can install the windows
5853
version of tcpdump...
5856
If it's a checklist item, just gen up a form to "authorize" it, have the
5857
boss and VP/CIO sign it and give it to them.
5862
What is Ethernet and TCP/IP and how do they differ?
5866
Both are protocols - that is the definition of how
5867
to interpret bits on wires (or in packets) into
5868
meaningful conversations.
5871
Ethernet is the lower level, wire (or wireless) protocol,
5872
concerned with moving the physical bits of data.
5875
TCP/IP is the higher-level protocol, which explains
5876
how to interpret the block of bits (frame).
5879
TCP/IP uses a familiar 32-bit "IP" address, e.g.
5883
Ethernet uses a less familiar, 48 bit unique to the NIC
5884
(some times called "burned in") address, e.g.
5885
00:40:05:DE:AD:00. This is called the MAC (Media
5886
Access Control) address.
5889
FYI: The official IEEE MAC address lookup is at
5892
http://standards.ieee.org/regauth/oui/index.shtml
5893
(Look up the first six digits, separated by -s, e.g. 00-40-05)
5898
OK, but how is stuff sent from my computer to, say, Yahoo!?
5902
First off, your computer does a lookup - using a service
5903
called DNS (Domain Name Service) to convert www.yahoo.com
5904
to a numeric value, such as 66.218.71.80.
5907
Then it builds a collection of characters that says send
5908
this data from me, 192.168.0.1 to Yahoo at 66.218.71.80.
5909
This is called a packet. That gets wrapped in an Ethernet
5910
frame (addressed from 00:40:05:DE:AD:00 to the MAC address
5911
of the local gateway router, 0:d0:9e:6:38:00 and squirts it
5915
Packets are forwarded step by step along a path from you
5916
to Yahoo by computers called routers. This is done based
5917
on the 32 bit IP address and the router's knowledge of the
5921
Each router sees a Ethernet frame addressed to it (by
5922
MAC address), checks the TCP/IP address to figure out
5923
where to send it next, re-wraps the TCP/IP packet in a new
5924
Ethernet frame (with the from MAC as it's own and the to
5925
MAC as the next hop).
5928
This happens until the TCP/IP packet reaches the final
5929
segment (the last router). Once it reaches a router that
5930
knows it has addresses 66.218.71.0-66.218.71.255 on one
5931
of it's interface, the routing stops using the TCP/IP
5935
The last hop is done (like each intermediate hop - at the
5936
lowest level) based on the MAC address! Specifically, the
5937
last router does an "ARP" (Address Resolution Protocol") query,
5938
to find out "Who Has" address 66.218.71.80. The NIC responds
5939
with it's MAC address:
5943
arp who-has www.yahoo.com tell router
5944
arp reply www.yahoo.com is-at 0:d0:9e:6:38:00
5947
And the packet is routed to that address.
5950
Alright, that's a bit simplified, but see Douglas Comer,
5951
"Internetworking with TCP/IP, volume I", page 25 and 73ff.
5960
OK, gang time to teach Ethernet & TCP/IP basics one more time.
5964
Suppose you have a network that looks like this (we'll use
5965
impossible addresses 288 - just pretend it's ok):
5969
(ext) 288.1.1.1 (int) 288.2.2.1
5971
World+Dog ------------ + ISA + ------- LAN ----- WS 288.2.2.2
5974
me 299.0.0.1 \----------- DMZ ----- MAIL 277.1.1.2
5978
ISA can be acting solely as a router or it can be acting as a NAT device.
5979
That's irrelevant, so we assume it's not.
5982
I send you a packet. It travels the Internet and arrives at your 288.1.1.1
5983
the ISA(router) with src=299.0.0.1, dst=288.2.2.2.
5986
Like every router along the way, ISA(router) looks at the destination
5987
address and realizes it has to route the packet on to 288.2.2.2. So the
5988
ISA(router) sends the packet on, out the best interface to reach 288.2.2.2.
5991
Remember, however, the TCP/IP packet is wrapped in a lower level (Ethernet)
5992
packet at the wire level. Read your TCP/IP and Ethernet standards - the
5993
actual delivery of packets over links is this Ethernet level and it uses the
5997
This "Ethernet" packet is actually what travels hop to hop to hop (you can
5998
even see these headers if you have visibility to the traffic - it's called
5999
the link level header by tcpdump and you'll see the 48 bit MAC addresses if
6000
you use the -e parameter).
6003
In order to be able to handle the Ethernet level signaling, each router
6004
rewrites the packet so that the 48 bit source MAC address it it's own
6005
(from-router that is) and the destination MAC address is the one that
6006
from-router has in it's tables for to-router (the next hop).
6009
So the packet looks like this, where the srcMAC and dstMAC get rewritten
6010
each hop, so that the routers on both ends of the link know whom it's
6014
Hop1 (srcMAC=00:00:00:aa:aa:aa dstMAC=00:00:00:bbbbb:bb frame=IP
6015
data=(src=299.1.1.1 dst=288.2.2.2 data="Hi!")
6016
Hop2 (srcMAC=00:00:00:bb:bb:bb dstMAC=00:00:00:cc:cc:cc frame=IP
6017
data=(src=299.1.1.1 dst=288.2.2.2 data="Hi!")
6018
Hop3 (srcMAC=00:00:00:cc:cc:cc dstMAC=00:00:00:dd:dd:dd frame=IP
6019
data=(src=299.1.1.1 dst=288.2.2.2 data="Hi!")
6022
Notice how the TCP/IP stuff isn't changed. But the MAC address is.
6025
At each hop, the NIC card, operating at the Ethernet level, sees its own MAC
6026
address and knows to accept the packet. It passes it up the protocol stack,
6027
where the next layer (TCP/IP) realizes it needs to be routed further on...
6030
Ultimately, the packet gets delivered to some service listening on your WS.
6033
Here's a packet capture to show you:
6036
# tcpdump -Xx -c1 -i eth0 -e
6037
tcpdump: listening on eth0
6038
11:49:10.809890 0:3:47:b1:xx:xx 0:e0:18:b4:yy:yy ip 118:
6039
tigger.ssh > zebra.2714:
6040
P 1824243567:1824243631(64) ack 2328789523 win 11792 (DF) [tos 0x10]
6041
0x0000 4510 0068 b305 4000 4006 b1e4 c0a8 2a24 E..h..@.@.....*$
6042
0x0010 c0a8 2a21 0016 0a9a 6cbb bf6f 8ace 8213 ..*!....l..o....
6043
0x0020 5018 2e10 ee1a 0000 469a 3e34 eda7 549e P.......F.>4..T.
6044
0x0030 0ec4 4847 8983 fb4f 65ea 5c3e 0bbe c325 ..HG...Oe.\>...%
6045
0x0040 7db8 9954 dae1 55b6 54f9 cdfd ac07 a2b5 }..T..U.T.......
6049
So this says, the packet came from tigger (MAC address 0:3:47:b1:xx:xx) ->
6050
zebra (MAC address 0:e0:18:b4:yy:yy)
6053
Within that is the tcp/ip packet, from c0a82a24 -> c0ae2a21
6054
(192.168.42.36 -> 192.168.42.33)
6057
Here's another one, from tigger -> router.
6060
# tcpdump -Xx -c1 -i eth0 -e host 192.168.42.1
6061
tcpdump: listening on eth0
6062
11:52:48.712750 0:3:47:b1:aa:aa 0:d0:9e:6:bb:bb ip 72:
6063
tigger.32782 > homeportal.gateway.2wire.net.domain:
6064
41356+ A? cvs.ntop.org. (30) (DF)
6065
0x0000 4500 003a bf7e 4000 4011 a5be c0a8 2a24 E..:.~@.@.....*$
6066
0x0010 c0a8 2a01 800e 0035 0026 ce2e a18c 0100 ..*....5.&......
6067
0x0020 0001 0000 0000 0000 0363 7673 046e 746f .........cvs.nto
6068
0x0030 7003 6f72 6700 0001 0001 p.org.....
6071
(0035 = port 53, so it's a dns query)
6074
And one more, from cvs.ntop.org -> tigger (which has to have passed through
6078
# tcpdump -Xx -c1 -i eth0 -e "not src net 192.168.42.0/24"
6079
tcpdump: listening on eth0
6080
11:53:39.688806 0:d0:9e:6:bb:bb 0:3:47:b1:aa:aa ip 69:
6081
195.31.151.66.cvspserver > tigger.42964:
6082
P 2566885448:2566885451(3) ack 2903504154 win 24616 <nop,nop,timestamp
6083
389837493 85533859> (DF)
6084
0x0000 4500 0037 5f3c 4000 2906 ad56 c31f 9742 E..7_<@.)..V...B
6085
0x0010 c0a8 2a24 0961 a7d4 98ff 9048 ad0f f51a ..*$.a.....H....
6086
0x0020 8018 6028 279a 0000 0101 080a 173c 72b5 ..`('........<r.
6087
0x0030 0519 24a3 6f6b 0a ..$.ok.
6090
See the MAC address? It's the routers, not cvs.ntop.org's
6099
Because that's sometimes a problem you'll have with ntop. See ntop is
6100
nosy, so it puts the interface into promiscuous mode, where every
6101
packet - addressed to the ntop host or not - is processed. Now the
6102
next layer up, the tcp/ip layer will throw away any 'junk' (You can
6103
just hear it going tisk, tisk, tisk). But libpcap can intercept them
6104
at the Ethernet level and feed them to ntop...
6107
For REMOTE hosts, ntop uses the IP address as it's the only valid data.
6108
But for LOCAL hosts, ntop prefers to use the MAC address as a way of
6109
resolving multi-homed or multiply addressed hosts.
6112
See if you have two IP addresses assigned to the same host on your local
6113
network, say 192.168.42.42 and 192.168.42.43, how is ntop to tell they're
6114
the same host? Well, the MAC addresses are the same... (for some
6115
manufacturers, e.g. Sun, ALL of the interfaces on a host use the same MAC
6119
read getHostInfo() in hash.c.
6123
/* This is a local address hence this is a potential
6128
if((el->hostIpAddress.s_addr != 0x0)
6129
&& (el->hostIpAddress.s_addr != hostIpAddress->s_addr)) {
6131
FD_SET(FLAG_HOST_TYPE_MULTIHOMED, &el->flags);
6135
i.e. if the address we've stored for this host doesn't match this one,
6140
} else if((hostIpAddress != NULL)
6141
&& (el->hostIpAddress.s_addr == hostIpAddress->s_addr)) {
6142
/* Spoofing or duplicated MAC address:
6143
two hosts with the same IP address and different MAC
6149
if(!hasDuplicatedMac(el)) {
6150
FD_SET(FLAG_HOST_DUPLICATED_MAC, &el->flags);
6156
setSpoofingFlag = 1;
6162
If the addresses DO match, we've had two MAC addresses, so this is being
6171
So why do I get bad output?
6175
If, somehow, you've confused ntop - for example telling it that
6176
277.1.1.0/24 in the ascii art example (above) is local, then ntop
6177
is going to believe you. And it will see a packet with the
6178
277.1.1.1 IP and a MAC address. And use that. Only it's not the MAC
6179
address of the MAIL host, it's really the MAC address of ISA.
6182
No matter, ntop doesn't know this -- all it sees is the packets and
6183
the data you gave it. So later on, when it sees a packet with the
6184
same MAC address, but a different IP, well, it will assume that it's
6185
the same host... and the data will all be lumped together.
6190
Does that explain why I'm seeing xxxx as multihomed?
6194
Maybe. Remember - it only takes one packet, not even an ack, for
6195
ntop to create a host record. If that's wrong, it will carry
6196
forward - and you'll probably see the host tagged as 'Multihomed'
6197
when correct packets show up. Say:
6201
Host 1: IP 192.168.1.1 MAC 00:00:00:aa:aa:aa
6202
Host 3: IP 192.168.1.3 MAC 00:00:00:cc:cc:cc
6205
If somebody has the incorrect hosts table, dns, cached, whatever
6206
but has the info that Host 1 is 192.168.1.3 and is on the same
6207
subnet, then it will send a packet where the Ethernet layer and
6208
the ip are nonsense. But because it's on the same wire, the ip
6212
(Ethernet from:00:00:00:dd:dd:dd to:00:00:00:aa:aa:aa)
6215
(tcp s=192.168.1.4 d=192.168.1.3)
6218
ntop will read both out of the packet and create the association
6222
192.168.1.3=00:00:00:aa:aa:aa
6225
Since it doesn't know better.
6231
(Ethernet from:00:00:00:ee:ee:ee to:00:00:00:cc:cc:cc)
6234
(tcp s=192.168.1.5 d=192.168.1.3)
6237
It will create the multihomed association...
6242
So what's a hub vs. a Switch
6246
A hub is a device that links a bunch of computers together
6247
at the wire (Ethernet) level. Logically, Ethernet is a bus,
6248
that is everybody sees all the traffic, just like cars crossing
6249
under a highway bridge. Physically, Ethernet is wired like
6250
a star - with all the wires coming back to a central "hub".
6251
The hub is just the device that makes the electric star look
6255
Switches and Hubs operate at the Ethernet level, not TCP/IP.
6259
Watch out for 'Switched hubs', which are hubs that include an
6260
internal switch between 2 or more segments (for example, BUT
6261
NOT LIMITED TO a 10BaseT and 100BaseT) segment. These are hubs
6262
within a segment, but switches across segments. ntop may not
6263
see the traffic you expect if you have a 'switched hubs' and
6264
manufacturers are pretty bad about marking them. See
6265
http://article.gmane.org/gmane.linux.ntop.general/5081
6269
A switch is a smart hub.
6272
Switches improve performance by creating a virtual Ethernet
6273
bus for the duration of the packet that joins JUST the source
6274
and destination ports.
6277
A switch operates via an internal table of MAC addresses.
6278
It learns (or is programmed) that 0:d0:9e:6:38:00 is on
6279
port 1, while 00:40:05:DE:AD:00 is on port 3.
6282
A packet coming in port 1, destined for 00:40:05:DE:AD:00
6283
is sent out ONLY port 3.
6286
If the switch doesn't know (or the packet is a broadcast),
6287
it gets sent out all ports.
6290
This doesn't make for MORE bandwidth, but it does use it
6291
more efficiently. That is in addition to the session between
6292
ports 1 and 3 at 100Mbps, a second, simultaneous 100Mbps
6293
session can occur between ports 2 and 4.
6298
How do I use ntop in a switched network?
6302
First off, you need to be or have the support of
6303
your network administrator. (Yes, you can do something
6304
called "ARP poisoning" to - maybe - get the switch to send
6305
you all the traffic, but that's beyond this FAQ... STFW)
6308
Many switches (although not the USD$50 cheap "workgroup" units)
6309
have a special port or mode, where by all the traffic for the
6310
entire network gets copied out that port, in addition to the
6311
normal switch action.
6314
When you invoke the monitoring mode (called span, mirror, monitor,
6315
analysis, etc.), you are forcing the entire switch bandwidth out one
6316
port. This may exceed the bandwidth of the port. 100Mbps+100Mbps
6320
Traffic that is being sent to the monitoring port in excess of the
6321
capacity of that port is usually dropped. It should NOT slow down
6322
the switch on other ports.
6325
Some switches have some buffering capability and it *may* be able to
6326
keep up with an occasional burst of traffic, as long as the average
6327
is below the port capacity and the buffer isn't exceeded.
6330
See, for example, http://www.cisco.com/warp/public/473/41.html#archXL.
6333
One list of switch manufacturers is the document is titled "REFERENCE:
6334
Configuring a Switch to Monitor All Traffic" from Elron Software. (The
6335
URL is long, do a Google search for "site:elronsoftware.com wi6038").
6337
<h2>Dumping data</h2>
6341
Can I use ntop from php/perl?
6345
Yes you can. Please see the www directory under the ntop source tree.
6349
Look at the Admin | Dump Data page.
6351
<h2>rrd (myrrd)</h2>
6355
How do I save data between runs?
6368
There's a 12 page writeup on what rrd is and what ntop does with it.
6369
A pdf version is posted at SourceForge in the "Documentation" release.
6370
Download it and read it.
6379
Yup - the pretty pictures won't work in this FAQ.
6388
ntop includes a frozen and slightly patched version of rrd 1.0.42 in the
6389
ntop source tree. This is called myrrd.
6392
As of rrdtool 1.0.46 was released 04-Jan-2004.
6401
You should not need to do anything to get rrd (see myrrd, above).
6404
The home page for rrd is
6405
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
6408
rpm's are available at
6409
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub
6414
What about the multi-threaded development version?
6418
Stay away. I only experimented with it a little bit, but it was not
6423
Q: I've enabled the rrd plugin and there's no data ... there are messages in the log:
6429
argv[1]: ...rrd/matrix/12.239.98.199/12.239.181.175/pkts.rrd
6430
argv[2]: 1037289548:1
6431
rrd_create(...) error: creating '...': No such file or directory
6432
rrd_update(...) error: opening '...': No such file or directory
6436
A: Create the rrd directory and make sure that the -u userid has read/write
6437
access to it (typically /usr/share/ntop/rrd).
6442
rrdPlugin - problem with rrd/myrrd?
6446
By default, ntop's Makefile binds the static libmyrrd library to create ntop's
6447
rrdPlugin shared library. THIS IS DELIBERATE so that you use the myrrd library
6448
and not some other version of rrd that's installed somewhere else on your system.
6451
Sometimes this causes problems, where there are special tricks required to tell
6452
(a non gnu ld) loader about static (.a) libraries, which ntop doesn't have in
6453
the Makefile nor the configureextra files.
6456
As a SHORT TERM WORK-AROUND, you can TRY this:
6467
all: $(LIBRRD) libmyrrd.so
6468
^^^^^^^^^^^ add this
6475
libmyrrd.so: $(OBJECTS)
6476
<tab>ld -shared -o libmyrrd.so $(OBJECTS)
6479
Now do make. You should see a libmyrrd.so file.
6482
The main 'make' should now complete. Copy that libmyrrd.so file where the other
6483
ntop library files are, and it MIGHT work.
6486
However, the whole idea behind having a static libmyrrd.a is to prevent version
6487
conflicts and use a stable version of rrd.
6490
The right fix is to get the configureextra/<whatever> file changed.
6492
<h2>netFlow and sFlow</h2>
6496
How do I access netFlow or sFlow data from ntop?
6500
You need to configure ntop as a listener (it can also be a collector, but
6501
that data shows up in the receiving interface, not under netFlow/sFlow).
6504
First, use the appropriate plugin to set the parameters - basically the port
6505
you want ntop to listen on. Then, using the Admin | Set Interface menu item,
6506
switch ntop to report on the sFlow/netFlow pseudo-device (NetFlow-device or
6512
Is there any parameter to set to tell sFlow which interface/ip address
6513
to use when exporting the flows?
6517
No. All ntop does is send a packet to the network addressed to the
6518
destination you request.
6521
Typically if the ntop host is multihomed, the routing service will pick the
6522
the MOST SPECIFIC route with the lowest metric # that is selected. E.g., if
6523
this is the routing table:
6526
Kernel IP routing table
6527
Destination Gateway Genmask Flags Metric Ref Use Iface
6528
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
6529
192.168.2.129 0.0.0.0 255.255.255.128 U 0 0 0 eth2
6530
192.168.2.146 0.0.0.0 255.255.255.255 U 0 0 0 eth1
6531
192.168.2.146 0.0.0.0 255.255.255.255 U 1 0 0 eth2
6532
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
6533
0.0.0.0 192.168.2.1 0.0.0.0 UG 0 0 0 eth0
6536
A packet to 192.168.2.146 goes via eth1 (equally specific routes, so it
6537
chooses based on the metric 0 vs. 1)
6540
A packet to 192.168.2.145 goes via eth2 (192.168.2.129/25 is more specific
6541
than 192.168.2.0/24)
6544
A packet to 192.168.2.46 goes via eth0
6547
A packet to 10.1.1.1 goes via eth0 (the gateway is the least specific route,
6548
but it is the best match)
6551
But how it goes out (and thus the source IP address) is totally up to the OS.
6552
Just be aware when it gets to the sflow collector, it might have an
6553
unexpected ip address as the source.
6559
Which versions of netFlow.
6564
And v1/v7/v9 - in that internally a v1/v7/v9 flow is copied to a v5 buffer and then
6565
processed. We default/ignore fields that are different.
6566
And nFlow - similar conversion.
6571
netFlow doesn't work.
6575
You MUST make sure the ntop plugin is ACTIVE. With the change to allow
6576
setting parameters while inactive, it's easy to miss that last step.
6577
If you don't activate the plugin, you'll still have the netflow-device, but
6583
What's Virtual NetFlow Interface?
6587
Be sure and set it. It's important for pseudo-local classification, which
6588
affects L R reporting. You need to set it to the (network) and mask for
6589
the netFlow collector. So ntop knows 'where' the data is coming from.
6594
'splain some more, Lucy...
6601
It's best to think of netFlow like this:
6604
The physical interface which is monitoring the packets is like a
6605
temperature probe you stick into a roast.
6608
Even though the display of the data can be right there at the probe, or
6609
the other end of a (long) wire, or somewhere entirely elsewhere via a
6610
wireless connection, the probe is monitoring at the tip. If it says 145F,
6611
that's the temperature of the meat - not the oven and not the kitchen.
6614
Similarly, the netFlow data ntop is receiving is based on the probe
6618
So, if you have a router and are monitoring a single interface to collect
6619
netFlow data, then the ip address you want to give to ntop is that of
6620
the router interface.
6623
If you are monitoring a router with more than one interface, you will
6624
need to give ntop ONE of those addresses and use the -m | --local-subnets
6625
option to tell it that the other addresses are also local.
6630
Where is info about netflow?
6634
Dale Reed pointed out a good tech doc (no flak, just the formats) for netflow
6641
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_2_0/nfc_ug/nfcform.htm
6644
(As of Oct2003, it includes v8 and is here:)
6647
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_3_0/nfc_ug/nfcform.htm
6652
How Do I Enable NetFlow Data Export on a Cisco Device?
6656
To enable netFlow Data Export (NDE) from a Cisco device to an ntop netFlow
6657
receiver on port 2055 (default) at address 10.1.1.1:
6661
ip flow-export destination 10.1.1.1 2055
6662
ip flow-export version 5
6665
You may want to designate the source interface, e.g.:
6669
ip flow-export source Ethernet0
6672
Enable netFlow on each interface to be monitored. netFlow normally only
6673
captures data from each incoming packet, so to see traffic in both directions
6674
netFlow must be enabled on both the incoming and outgoing interfaces. As an
6675
example, for an Internet access router this would mean enabling netFlow on
6676
both the internal (e.g. Ethernet) and the external (e.g. ISDN / Frame Relay
6690
By default netFlow will only export flow statistics shortly after the flow
6691
Terminates or when 30 minutes have elapsed. In many environments, you want
6692
ntop to be a bit more up to date. To change the timeout to five minutes:
6696
ip flow-cache timeout active 5
6699
The following 'show' commands are useful for examining netFlow statistics
6700
directly on the Cisco box and may assist when setting up ntop:
6706
show ip cache verbose flow
6709
Obviously, there is a lot more to it than this, for more information, see the
6710
Cisco web site: http://www.cisco.com/go/netflow
6713
(Created by sholmes at snapshot, 02Feb2003)
6723
The core component of the sFlow toolkit is the sflowtool command line
6724
utility. sflowtool interfaces to utilities such as tcpdump, ntop and Snort
6725
for detailed packet tracing and analysis, NetFlow compatible collectors for
6726
IP flow accounting, and provides text based output that can be used in
6727
scripts to provide customized analysis and reporting and for integrating with
6728
other tools such as MRTG or rrdtool.
6734
http://www.inmon.com/sflowTools.htm
6735
http://www.faqs.org/rfcs/rfc3176.html
6740
I have activated the sFlow plugin in ntop. But it doesn't seem to
6741
generate any output based on the collected sflow datagrams.
6745
sFlow can be a collector or a receiver or both, depending on the
6746
settings configured via the plugin.
6749
If you configure ntop as an sFlow collector, it will use sFlow data
6750
for generating reports, treating the remote collector(s) as another
6751
network interface - see Admin | Switch NIC.
6753
<h2>snapshot, cvs and the Wiki</h2>
6757
What was "snapshot"?
6761
Snapshot was a community FAQ and documentation resource at
6762
http://snapshot.ntop.org. It's was also the site of "the snapshots".
6765
Unfortunately, snapshot seems to have 'Gone to Atlanta' (404), with
6766
the web server no longer responding in February 2004.
6769
Nicolai Petri's efforts were appreciated. But snapshot was an effort
6770
of love by a gentleman who hasn't had time for the effort in quite
6776
Is there a community resource that replaces (enhances) snapshot.
6780
Yes. There is now an ntop Wiki at
6783
http://www.burtonstrauss.com/pmwiki/pmwiki.php?pagename=Ntop.HomePage
6784
Whether it remains available depends on whether people contribute.
6789
What was "a snapshot" or "the snapshots"?
6793
A snapshot was a dump of the ntop cvs structure, automatically generated
6794
every day at 5 minutes after midnight (Pisa time).
6797
Snapshots were named with their creation date, in the form of
6801
Snapshots were neither polished nor even "releases". They contained any
6802
update(s) checked into the cvs during the prior day. No more, no less.
6805
cvs checkins (commits) are usually tested by the developer, but perhaps only
6806
in one (limited) environment. Occasionally a file is missed or a typo occurs
6807
and a snapshot wouldn't compile. Snapshots frequently introduced bugs that aren't
6808
apparent on a quick review. Snapshots were basically a point-in-time capture
6809
of the moving development environment. No more and no less.
6812
With release 2.2, rapid development occurred after general release and using
6813
the latest snapshot was your best bet. With 3.0, after a short period of stability
6814
(releases 2.2b and 2.2c), the development again outpaced the stable version and
6815
using the cvs again was almost manditory.
6818
If the 3.0 release doesn't work, drop by the mailing lists and check the back
6819
traffic to see if this is a common problem. If it's not, try the latest
6820
snapshot or ask for a recommendation of which version is the best to use.
6823
As with 2.2, we plan to have a cvs branch to allow for 3.0a/b/c
6824
releases while 3.1 is being developed (3.1.1, 3.1.2, etc.).
6827
Note that the ntop_2_2_patches branch broke the snapshot extract script, so
6828
snapshots ARE NO LONGER RECOMENDED OR SUPPORTED.
6830
<h2>Old answers, but goodies</h2>
6838
Obsolete code is code that is no longer being maintained nor part of ntop,
6839
but it's stuck off in that directory because 1) storage is cheap and 2) it
6840
might have usage someday and 3) somebody might be interested in resurrecting
6844
Code in obsolete/ IS NOT MAINTAINED, even minimally.
6847
Specifics? (As of June 2002)
6851
Various programs and functions which supported "rules" were determined to
6852
be obsolete were removed from ntop in late March 2002. This included a
6853
substantial number of lines of code, which was simply removed. Entire
6854
modules were placed into the obsolete/ directory.
6863
Various plugin programs, which were no longer being supported, were
6864
removed from ntop in late March 2002. These entire modules were placed
6865
into the obsolete/ directory.
6872
Various lines of code (totaling a substantial number, widely scattered
6873
Throughout ntop), which had provided compile-time selectable support
6874
(#define ENABLE_NAPSTER) for analysis of the (late) Napster protocol were
6875
removed on 4Apr2002.
6880
I get an error, libtool: link: CURRENT `-release' is not a nonnegative
6885
This is an autoconf problem. It should be fixed.
6886
The whole set of messages is typically:
6890
> libtool: link: CURRENT `-release' is not a nonnegative integer
6891
> libtool: link: `-release' is not valid version information
6892
> make[2]: *** [libntop.la] Error 1
6893
> make[2]: Leaving directory `/usr/local/src/ntop'
6894
> make[1]: *** [all-recursive] Error 1
6895
> make[1]: Leaving directory `/usr/local/src/ntop'
6896
> make: *** [all-recursive-am] Error 2
6903
"AFAIK this is a bug of autoconf that's not able to expand some macros,
6904
namely those that contain the version number. The workaround is to
6905
downgrade to the previous autoconf version."
6910
- downgrade to a stable autoconf version
6911
- edit all the ntop Makefile(s), add "0:0:0" behind any
6912
occurrence of "version-info" and "2.0" behind
6919
1) Burton posted a personal patch to do the above for Makefile.am on
6922
Thu Dec 20 2001 - "Compile problems with -release". Check the ntop-dev
6926
2) Older versions (e.g. Slackware 7.xx) of Linux installations have older
6929
versions of automake, which don't exhibit the bug.
6932
3) (Sean O'Neill) "I cheated a bit and hacked libtool by changing the
6945
4) The new ./configure scripts - call it versions after Nov2002 - fix this.
6949
Q, How to Build the (obsolete) RMON plugin
6953
Without any guarantees...
6957
0) Please do NOT use a precompiled UCD package unless you know what you're
6962
1) Fetch UCD-SNMP [See http://net-snmp.sourceforge.net/developer.html]
6966
2) Compile the stuff as specified as follows :
6967
[see also http://net-snmp.sourceforge.net/tutorial/toolkit/demon/]
6968
> ./configure --with-mib-modules="agentx"
6974
3) Once you this stuff ready you can build the ntop/RMON plugins.
6982
5) The ntop/RMON plugin listens on port 161 (the default SNMP port).
6983
If you want to test the agent you can use the 'tkMib' tool that comes
6984
with UCD-SNMP [see http://net-snmp.sourceforge.net/tkmib.jpg].
6987
NOTE: If you use tkMib do not forget to do "setenv MIBS ALL" (csh shells),
6990
otherwise you won't see the RMON MIB.
6993
How to Build the RMON plugin (bis) created 04/03 2002 by pierlo
6996
The following works with :
7006
* Make sure that ntop works properly
7010
* Make sure that openSSL & openSSL libraries are correctly installed
7011
(no WARNING when ntop is started !). If not, download and install
7012
the latest versions)
7016
* fetch & install UCD-SNMP :
7017
tar -xvzf XXXXX.tar.gz
7018
./configure --enable-shared
7025
1. uncomment lines around 474 and 1035 in configure.in file :
7029
dnl>OPTIONAL UCD-SNMP
7030
dnl>AC_HAVE_HEADERS(ucd-snmp/ucd-snmp-agent-includes.h)
7032
dnl> check for `UCD-SNMP' library by University of California
7033
[http://ucd-snmp.ucdavis.edu]
7034
dnl>AC_CHECK_LIB(ucdagent, register_mib, [AC_DEFINE(HAVE_SNMP)
7035
SNMPLIBS="-L/usr/local/lib -lsnmp -lucdagent -lucdmibs"],
7036
, -lsnmp -lucdagent -lucdmibs $LIBS $MORELIBS)
7040
(remove the dnl> from the AC_ lines)
7044
* in /ntop/plugins/rmonPlugin.c file, replace :
7048
line 702 approx. : droppedPackets with droppedPkts
7049
(there is only one occurence, so it may not be difficult to find)
7054
if (header_simple_table (vp,name,length,exact,var_len,
7055
write_method,numDevices)
7063
if (header_simple_table(vp,name,length,exact,var_len,
7064
write_method,myGlobals.numDevices)
7072
long_ret = (long)(device[ifNum]
7080
long_ret = (long)(myGlobals.device[ifNum]
7084
(lines 690 to 782 approx., about 13 occurences to change)
7088
2. launch /ntop/autogen.sh -1
7092
3. launch /ntop/configure
7100
* there is no warning about openSSL libraries !
7104
* the following checks are successful :
7105
" Step 4. Looking for both required and optional system headers....
7107
checking for ucd-snmp/ucd-snmp-agent-includes.h... yes"
7112
"Step 7. Looking for optional GPLed libraries....
7114
checking for register_mib in -lucdagent... yes"
7118
-> NO warning about openSSL libraries here ! If any trouble,
7119
check config.log file, which may help to get round the problem...
7120
Looking at ls.so.conf file and checking libraries pathes may also be
7125
3. edit /ntop/plugins/Makefile : replace every ocurence of "icmpPlugin"
7130
4. Launch /ntop/plugins/make
7134
5. Theoretically, RMON plugin is built and is ready to work ! If you have
7135
a error message like "undefined symbol..." when ntop started...
7136
I don't know how to fix it.
7140
Hope I didn't forget anything... Have fun !
7149
I don't understand -j | --border-sniffer-mode
7153
Welcome to the club <grin />
7156
Quoting from Luca's comment:
7159
"-j is used when you are starting ntop on a mirrored interface where you
7160
cannot trust MAC addresses."
7163
ntop uses MAC addresses for many things to differentiate among machines.
7164
IP addresses and names can mean many things, but hardware addresses are
7165
supposed to be unique. This is usually true, but gets hairy when you
7166
introduce a switch into the network which is also copying all of the
7167
packets it sees to a monitoring port.
7170
Understand how a switch works: In short, a switch monitors the network it
7171
sees and knows which mac address(es) are on which ports. When it received a
7172
packet, it forwards it to only that port. Broadcasts are forwarded to all
7176
So an ntop instance, sniffer, whatever only sees a fraction of the traffic.
7179
In many managed switches, there is an option for a "repeater" or "monitoring"
7180
or "spanned" port, which receives all traffic, so that network monitoring can
7184
However, When the switch sends out packets on the monitoring port, it must
7185
rewrite them to be valid Ethernet packets with a valid (i.e. the switch's)
7186
MAC address and ntop gets confused.
7192
1. -j usually requires you to specify the local network (-m) as a mirrored
7195
interface might have a wrong/ip-less/privare IP address.
7198
2. -j disables some features as TCP session tracking etc.
7201
In future versions -j will disappear and it will be replaced with more flags
7202
for better controlling all these options.
7205
With multiple switches in a hierarchy, you have to place the ntop instance
7206
or instances carefully, depending upon what you want to monitor.
7209
For example, most lans have a switch in each area with its uplink connected
7210
to a backbone switch. Servers and gateways are then placed off one or more
7211
backbone ports. This keeps departmental traffic isolated from each other,
7212
while making enterprise wide and inter-department traffic feasible. ntop
7213
would have to be monitoring the backbone switch, but you would need to be
7214
aware of what ntop is NOT seeing and place additional monitors.
7217
For example, you could place additional ntop instances in the departments,
7218
using the netflow or sFlow plugins to receive flow information from them
7219
which wouldn't be visible to the backbone instance. (I'll note that I haven't
7220
actually tried this, myself. -----Burton)
7225
When I run with -j | --border-sniffer-mode, there are different menus.
7232
The menus are just html files. There is a set for regular mode and a
7233
j_xxx.html set for border sniffer mode. Why? Because there are things
7234
that simply don't work in border-sniffer-mode, so why let the user
7235
request those pages.
7240
OK, but it changed after 2.1.2 (i.e. in 2.1.50) what are the NEW parameters?
7244
There were four new parameters introduced when -j | --border-sniffer-mode
7245
was removed. Whether the old parameter really did all the same things as
7246
the new ones is irrelevant and left to code-archeologists. What matters
7247
is what the new ones are and what they do!
7252
What was the -S option?
7256
The -S option was the --store-mode option, or the "Persistent storage mode"
7257
Ntop's internal structures are basically an array of devices (network
7258
interfaces), which contains an array of hosts (specific machines seen on the
7262
So device[0] is the 1st network interface, and device[2] the third.
7263
device[0].host[0] would be, say, the local file server and device[0].host[1]
7264
would be a simple host. device[1].host[1] is a completely different set of
7265
counts from device[0].host[1].
7268
The -S options tells ntop to store information about a specific host in a
7269
database from run to run (-S 0 none, -S 1 all and -S 2 only local hosts).
7272
This is only the count information about the host and does not store the
7273
information about a device (a network interface). Further, items of
7274
dynamically allocated storage (the devices name) are not stored.
7277
Data is retrieved on a subsequent run ONLY when traffic is seen from that
7278
host after the restart. (I suppose you could script a ping to each host you
7279
care about and force the reload that way, but it hasn't been tested...)
7282
So if you go into the host details (e.g. the 192.168.1.1.html page) you
7283
should see prior-run information.
7286
But if you're looking for device throughput to be preserved... nope...
7289
Also, ntop stores the information during 1) reset and 2) shutdown. So if ntop
7290
crashes, the persistent data will be lost.
7293
This option was removed from ntop in the 2.1.52 development version.
7298
What was the -A option, a/k/a --accuracy-level?
7302
This option was used to set ntop into various modes which performed less
7303
processing, in order to handle higher traffic volumes.
7306
It was added on 14Dec2001 (just before v2.0) and was removed on 11Mar2002,
7307
although traces survived in usage() until April 2002.
7310
Note that the CODE remains in initialize.c for use by EXPERTS if necessary.
7315
What was the --no-admin-password-hint option?
7319
This option was used to remove the hint text from the administrative password
7323
It was added 4Feb2002 and removed 8Mar2002 (the last traces, in usage(), were
7324
removed on 4Apr2002).
7329
During the ntop 2.2 development cycle,
7330
we did development/testing under:
7331
Solaris 2.5, 7 and 8 (i86)
7335
During the ntop 3.0 development cycle,
7336
we did development/testing under:
7337
Solaris 8 (i86) and 9
7342
How do I install the ntop package on Solaris?
7346
For instance do 'pkgadd -d ntop-2.2-solaris.i386'
7351
What c compiler do I need?
7355
Sun's cc or gnu's gcc.
7360
What about /usr/ucb/cc is that the one?
7364
No. cc is software you pay for. /usr/ucb/cc is a stub compiler and good for,
7365
recompiling the kernel and absolutely nothing else.
7368
The cc I mean is Sun's Commercial Compiler.
7374
When I type 'make' it complains about a makefile error.
7378
Always remember to use gnu make.
7381
On many *BSD systems which have other 'make's, gnu make is called gmake.
7382
Try make --version -- if it shows a Gnu version stamp you're ok, otherwise
7385
<h2>BSD - FreeBSD</h2>
7388
During the ntop 2.2 development cycle,
7389
we did development/testing under:
7395
Users reported success with:
7401
During the ntop 3.0 development cycle,
7402
we did development/testing under:
7408
Users reported success with:
7415
I can't compile ntop under FreeBSD 5.0 or 5.1.
7419
In some situations, we produce gcc link lines which expose a conflict 'tween
7420
FreeBSD 5.x and libtool.
7423
You will see the following error messages:
7427
expr: illegal option -- l
7428
usage: expr [-e] expression
7432
See the release notes for FreeBSD 5.0 and the expr(1) man page:
7436
http://www.freebsd.org/releases/5.0R/DP2/relnotes-i386.html
7437
http://www.freebsd.org/cgi/man.cgi?query=expr&sektion=1&manpath=FreeBSD+5.0-current
7440
Solve this by setting the compatibility flag before running make.
7444
$ export EXPR_COMPAT=Y
7447
configure.in and configure have been updated to do warn you to do this.
7452
I get "ntop: /dev/bpf0: Device not configured", what's wrong?
7456
This is because bfpX has not been configured inside the generic bsd-kernel
7460
If you use generic kernel config file put "pseudo-device bpfilter 16" in
7461
kernel config file and rebuild the kernel.
7466
I remember rumors about something not being right under FreeBSD with
7471
Yes. See FreeBSD bug bin/17437 at
7472
http://www.FreeBSD.org/cgi/query-pr.cgi?pr=17437
7475
Basically, due to limits in FreeBSD, there is no pthread_atfork() function.
7476
So, when ntop does it's fork() call to create http pages, it can't fixup
7477
the Mutexes. It wrong and could conceivably cause problems.
7480
However - ntop ran for years without the pthread_atfork() code, so we're
7481
no worse off in 3.0 under FreeBSD than in 2.2 or 2.1...
7484
There was a flurry of problems late in the 3.0 development cycle having to
7485
do with a seeming deadlock of the ntop web server (it's actually not dead,
7486
just walking at about 0.001KPH).
7489
Thanks to Yeoman efforts by Stanley Hopcroft, Michal Meloun and, well, me,
7490
we have a work-around.
7493
If you're running under FreeBSD, use the flag, --set-pcap-nonblocking.
7496
For more on this, read the threads at gmane - look for "FreeBSD and pthreads" -
7497
that's probably the best summary. But there's stuff on this back at least to
7498
October 2003 - look for Stanley's problems with CPU usage.
7503
Um... something about bad fds?
7507
Oh yes, see bug bin/51535: uthreads bug: new opened files may get stale fcntl flags
7510
They fixed the code, sort of:
7515
------- --------------
7523
There's a work-around in ntop, called the HAVE_FILEDESCRIPTORBUG fix.
7524
If you even might possibly need it, it should be set in configureextra/ but
7525
go ahead and set it anyway, it can't hurt.
7527
<h2>BSD - OpenBSD</h2>
7530
During the ntop 3.0 development cycle,
7531
we tried development/testing under:
7541
3.1 - I could never make it work. Problem seems to be that the gnu tools such
7542
as ld don't support a.out systems very well.
7546
3.4 - Should work. Julien Touche <julien.touche@lycos.com> sweated buckets
7547
to make this work and reported that it did in January 2004.
7549
<h2>BSD - NetBSD</h2>
7552
During the ntop 2.3 development cycle,
7553
we tried development/testing under:
7565
Some testing was done using - ntop works only in SINGLE THREADED mode and so
7575
There isn't (yet) a standard POSIX thread package for NetBSD. Both "proven"
7576
and "unproven" threads have issues. One user was bound and determined to
7577
make GNU Pth work, but pth isn't quite POSIX threads and he's didn't get
7583
But there IS a POSIX threads...
7587
Yes. And when NetBSD -current finally incorporates the POSIX threads (its
7588
been committed but not yet part of a release) this should be revisited.
7590
<h2>Linux - all</h2>
7593
During the ntop 2.2 development cycle,
7594
we did development and/or testing under:
7596
LinuxFromScratch 3.0pre3
7597
RedHat AS2.1, 7.2, 7.3, 8.0
7601
During the ntop 3.0 development cycle,
7602
we did development and/or testing under:
7604
Gentoo 1.4 (rc5 and released)
7605
LinuxFromScratch 3.0pre3
7607
RedHat AS2.1, 7.3, 8.0 and 9
7613
And loads more - see the list above.
7617
Others should certainly work and there
7618
are many user reports of success.
7620
<h2>Linux - RedHat</h2>
7628
When RH9 came out with NPTL, we had lots of problems. NPTL is much closer
7629
to POSIX threads, but very different from the old linuxthreads. At the same
7630
time, we had problems with the glibc 2.3.x (vs. 2.2.x) update.
7633
By the end of the development cycle, a couple of memory management fixes
7634
seem to have made the NPTL/glibc problems go away. But if they're still out
7635
there, they are quite nasty. Random unexplained BOMBs and such.
7638
If you hit these problems, you can try disabling NPTL via this flag.
7639
Before both ./configure AND make, set the following:
7643
export LD_ASSUME_KERNEL=2.4.1"
7646
This forces the use of the old linuxthreads library.
7649
This flag may also do something to glibc, but it's undocumented and we
7650
never could really figure it out. For that run time behavior change
7651
to happen, you would also have to have the LD_ASSUME_KERNAL flag set
7664
A lot of them seemed to go away when we fixed a free() that occurs in
7665
a fork()ed child of memory malloc()ed in the parent. Under Linux, the
7666
fork() gets a copy of memory, but a technique called copy-on-write is used
7667
to reduce the time the fork() takes.
7670
We suspected that the free() was corrupting the parent's memory structures,
7671
but this isn't supposed to be possible and we couldn't nail it down enough
7672
to report it to the glibc people.
7677
What can I do to help?
7681
There is code in leaks.c tagged "DIAGNOSTIC". Turn it on, collect a set of
7682
potential problems and report them. However, this code isn't that bright.
7683
It will report all the free() calls in fork()ed children, even those that
7684
are legit (i.e. the malloc() was also in for fork()ed child).
7689
"application bug: ntop(...) has SIGCHLD set to SIG_IGN but calls wait().
7690
(See the NOTES section of 'man 2 wait'). Workaround activated."
7693
This message and the NOTES section of the man page lead me to believe
7694
that the problem is handled but the kernel feels the need to report it
7699
Read the NOTES section. The problem has been handled, but the kernel
7700
feels the need to report it from time to time. See the article at
7701
http://article.gmane.org/gmane.linux.ntop.general/5304
7706
libpng version conflicts?
7712
<h2>Win32 - Common</h2>
7716
Where can I find GDBM for Windows?
7720
GDBM for windows can be found at http://www.roth.net/libs/gdbm/
7725
ntop -i1 ... doesn't work
7729
ntop has special parameters under Win32
7733
Under win32 there are TWO COMPLETELY SEPARATE TYPES OF PARAMETERS.
7737
There are the parameters to the win32 stub AND there are parameters to ntop
7742
AFTER THE win32 parameters are the ntop parameters in the standard (Unix)
7747
ntop /c <normal parms> runs ntop INTERACTIVELY with the specified ntop
7752
ntop /i <parameters> installs ntop as a service to run with the specified parameters
7756
ntop /d deletes the ntop service
7759
Remember, ntop /i and ntop /d don't actually run the service - you need to
7765
How do I figure out what my network interface numbers are for the -I
7770
(Thanks to jac engel [jacengel@home.nl] for the example)
7773
If you only have ONE network interface, it doesn't matter as the default is
7774
fine. However, that's the RARE case. Most people have multiple network
7775
interfaces (NICs), with virtual ones for VPNs, Dialup Networking, etc.
7778
The Windows tools ipconfig, winipcfg and the Device Manager (depending on
7779
which version of Windows you have) will probably show you them. However,
7780
it's easier and better to use ntop to show you how ntop sees the network
7784
If you start ntop /c (interactive mode, with only the default parameters) it
7785
Will display all your network interfaces (NICs), like this:
7789
Running ntop for Win32.
7790
Wait please: ntop is coming up...
7791
23/Aug/2002 20:43:55 Initializing IP services...
7792
23/Aug/2002 20:43:55 Initializing GDBM...
7793
23/Aug/2002 20:43:55 Initializing network devices...
7794
23/Aug/2002 20:43:55 Found interface [index=0] '\Device\Packet_{14...1C}'
7795
23/Aug/2002 20:43:55 Found interface [index=1] '\Device\Packet_{86...B4}'
7796
23/Aug/2002 20:43:55 Found interface [index=2] '\Device\Packet_NdisWanIp'
7797
23/Aug/2002 20:43:57 ntop v.2.1 MT [WinNT/2K/XP] (11/07/2002 build)
7798
23/Aug/2002 20:43:57 Listening on [3F1C}\Device\Packet_{14...1C}
7802
By default, ntop will use the lowest numbered interface. Because #s are
7803
assigned based on the sequence cards are discovered, and this is altered if
7804
cards are removed and added, this is often not what you want.
7808
After you figure out which NIC you want, start ntop /c -i1 or -i2 or
7814
OK, but how to I translate \Device\Packet_xxxxx to my Froboz ModelT network
7815
card and not the Fubar27 that's on the motherboard.
7819
ntop should report both the index and the human readable information.
7823
A Google search on script "CurrentVersion\NetworkCards" finds a couple of
7824
scripts/utilities that might work in various environments.
7831
You're going to need to view the registry. All the usual warnings - back up
7835
If you damage the registry, you may not be able to reboot the computer.
7838
You're not going to CHANGE anything, but an inadvertent keystroke could be
7839
disaster ... BE CAREFUL!
7842
Under WinNT/2K, to find the interface name of your NIC look in the registry
7846
HKLM\Software\Microsoft\Windows NT\Currentversion\NetworkCards\
7847
The two subkeys, Servicename and the Description tells you which id maps to
7853
Where does ntop look for html (and gif) files under Win32?
7857
ntop looks in two places. The first is the current directory and the second
7858
is configurable through a constant in ntop_win32.h, #define DATAFILE_DIR "."
7861
Note that the current directory, or ".", may not be what you expect.
7864
When running ntop as a Win32 service, "." is %SystemRoot%\system32, meaning
7865
that ntop looks in %SystemRoot%\system32\html for the .html and .gif files.
7868
When running ntop from the command line,
7872
ntop /c parameters...
7875
"." is whatever directory is current. This means that if you run ntop with a
7876
full, explicit path (c:\ntopnew\ntop /c ...) there may be an unexpected
7877
difference between what ntop finds for "." and what you THINK "." is! This
7878
will lead to missing .html and .gif files.
7881
If you wish to have ntop look in a specific place for the files, the best
7886
1) Create a .bat file to run ntop which does a cd to the expected directory
7888
2) Edit ntop_win32.c and then recompile.
7891
Note that the settings for DATAFILE_DIR (and other constants) are reported on
7892
the text version of the configuration page, textinfo.html.
7894
<h2>Win32 (MinGW) (Windows)</h2>
7898
What's the scoop with ntop on Windows?
7905
ntop for Windows 95/98/ME/NT/2K is also provided as a binary application with
7906
limited capture capability (1000 packets). This is intended to allow
7907
demonstration of ntop for people without access to a Unix system.
7910
We call this version Win32 after the old official name of the Windows library.
7913
If you want to use the full version with unlimited packet capture you can
7918
* Recompile ntop from the source by yourself (Luca says just open the
7919
files in MS Visual C++ 6.0 and press compile)
7920
* Register your ntop for Windows 95/98/NT/2K copy by paying a
7921
convenience fee to receive the prebuilt executable.
7924
If you decide to register your copy, Luca will send you an URL from which
7925
you can download the full version periodically.
7930
So where did MinGW come in?
7934
All of the necessary open software tools have been ported to run under
7935
windows (sort of), so it is theoretically possible to build and run ntop
7939
However, Windows and *nix are very, very different internally. So we have
7940
to use special versions of the packet capture library (winpcap instead of
7941
libpcap). And we needed our standard tools (gcc et al), plus some 'glue'
7942
so we could make *nix calls and have Windows things happen.
7945
For the tools and glue, there are three choices: native, Cygwin and MinGW.
7948
Native means you put lots of #ifdefs in to make Windows calls where you
7952
Cygwin is a shim - it's a Windows dll (Dynamic Link Library) that pretends
7953
to support the *nix calls and then does the right Windows things for you.
7956
MinGW is a project to create native Windows tools and executables from
7960
Each of these have limits, pluses and minuses. For example, Cygwin's dll
7961
has caused all sorts of problems (dlls and their *nix equivalent, shared
7962
libraries, usually do). MinGW has some limits. As MinGW grew, ntop for
7963
Win32(MinGW) got closer to ntop under *nix. Native means supporting two
7964
'separate' code bases.
7967
Luca actually picked a hybrid - he uses Microsoft Visual C++ 6.0 - which
7968
has it's own (albeit incomplete) shim layer. As long as you stay within
7969
the limits of the shim, the same code works across platforms. In other
7970
places you have to make thinks like Windows wants them. How close are
7974
The advantage of the hybrid was that is was also pretty close to working
7975
under MinGW - creating native executables from the base code using free
7976
tools. So people sent in patches and it pretty much worked. Up until
7977
2.1.3, that is. But it was never officially more than an 'it also runs'.
7980
After 2.1.3, Luca embarked on a process of bringing the WIN32 and *nix
7981
code closer together. Surprisingly, this actually broke MinGW!
7986
Where do I get MinGW?
7990
The MinGW home page is http://www.mingw.org. Quoting:
7994
"MinGW is a collection of header files and import libraries that
7995
allow one to use GCC and produce native Windows32 programs that do
7996
not rely on any 3rd-party DLLs. The current set of tools include
7997
GNU Compiler Collection (GCC), GNU Binary Utilities (Binutils),
7998
GNU debugger (Gdb) , GNU make, and a assorted other utilities. We
7999
are currently working on creating a complete set of Mingw-hosted
8000
GNU toolchain, and looking for volunteers."
8005
Does ntop work under Cygwin?
8009
The .exe distributed through ntop.org is built with Visual C++ 6.0.
8010
It proved just barely possible to use the same code under MinGW.
8011
Forget about cygwin.
8016
Does ntop (v3.0) work under MinGW?
8020
No - There are problems with versions of ntop after 2.1.3 under MinGW -
8026
When I type 'make' it complains about a makefile error.
8029
A: Remember to use -f Makefile.MinGW or whatever is appropriate - see
8035
Mingw make of Ntop fails when using the single-file distribution
8036
MinGW-1.1.tar.gz with make errors about version.c like :
8039
zsh: no matches found: *version
8040
make: *** [version.c] Error 1
8044
Be sure that your PATH setting in the DOS command box of the Mingw bin
8045
directory ends with a backslash.
8049
set path=C:\Mingw\bin\;%path%
8051
set path=C:\Mingw\bin;%path%
8054
<h2>Win32 (MS Visual C++)</h2>
8055
<h2>Other platforms</h2>
8060
During the 2.2 development cycle, some work was done to make ntop work under
8061
-UX 11 without breaking the HP-UX 10.20 support (limited as it was). During
8062
the 3.0 development cycle, HP-UX was not considered.
8066
It will almost certainly fail.
8070
IRIX (v1.3 information)
8071
=-=-=-=-=-=-=-=-=-=-=-=-
8072
During the ntop 2.2 and 3.0 development cycles, IRIX was not considered.
8076
It will almost certainly fail.
8081
During the ntop 2.2 and 3.0 development cycles, Digital UNIX was not considered.
8085
It will almost certainly fail.
8090
During the ntop 2.2 and 3.0 development cycles, AIX was not considered.
8094
It will almost certainly fail.
8100
Bad things - I see the following messages:
8103
libpng warning: Application was compiled with png.h from libpng-1.0.x
8104
libpng warning: Application is running with png.c from libpng-1.2.x
8105
gd-png: fatal libpng error: Incompatible libpng version in application
8110
You have a version problem with libpng.
8113
First off, following the instructions in BUILD-NTOP.txt should work just
8114
fine. These problems come about when you have libpng installed (i.e. using
8118
1. If you are compiling from source, you may have png.h left over from the
8121
earlier version of libpng. Remove it.
8124
2. (Most common under RedHat). RedHat 7.2 installs a libgd.so.1.8.4 library,
8127
which was compiled against 1.0.x series of libpng (which is fine, because
8128
RedHat 7.2 includes libpng-1.0.12).
8131
Updating RedHat to newer (RawHide) packages for libpng,
8132
http://www.rpmfind.net//linux/RPM/rawhide/1.0/i386/RedHat/RPMS/libpng-1.2.2-5.i386.html,
8133
should work. However, there are reports of version conflicts and required
8134
updates to multiple packages. Proceed with caution (especially if you decide
8135
to uninstall 1.2.2-5).
8136
Also, do not use --nodeps or --force, as this can leave you with two
8137
partially installed versions (see item #1, above).
8140
3. (Slackware) Users have reported this error from an older header file in
8144
Make sure to run "make install" in the libpng directory so that the latest
8145
files are in the common library locations. You can do this with buildAll.sh,
8146
just navigate back down to the libpng-1.2.x directory first.
8149
4. If you are building ntop on one machine and running on another, they may
8152
have different libpng.so versions. Even if you think you are using the
8153
static linked version (buildAll.sh), be careful - see the entry (above) on
8154
"make install" for libpng.
8159
When I run ./configure, it finds png.h but not libpng:
8162
*******************************************************************
8164
* ERROR: libpng header or library routines are missing
8165
* (yes means it was found, no means it was not found)
8168
* png_read_info() in -lpng...
8170
*>>> No way to proceed.
8172
*??? Install libpng (and/or libpng-devel), check www.libpng.org
8173
*??? and Rerun ./configure
8175
*******************************************************************
8179
You're missing libpng.so. Look for it (locate libpng) and tell ntop
8180
where it is via the --with-png-lib= parameter.
8185
I seem to be missing libpng.so - when I do locate libpng, it finds:
8188
/usr/lib/libpng.so.3
8189
/usr/lib/libpng.so.3.1.2.2
8190
/usr/lib/libpng12.so.0
8191
/usr/lib/libpng12.so.0.1.2.2
8192
/usr/lib/libpng.so.2.1.0.13
8197
Yeah. Send RedHat a nasty gram.
8202
I don't understand...
8206
In a normal libpng install, say from the source, you would have - in
8207
addition to the .so.n.n.n.n files - a symlink named libpng.so, like this:
8211
lrwxrwxrwx 1 root root 19 Apr 23 15:46 libpng.so -> libpng12.so.0.1.2.2
8214
But, that link seems to be missing. Without it, -lpng doesn't properly
8215
resolve and you get the ./configure error.
8224
RedHat ships Linux with both versions of libpng, a 1.0.x and a 1.2.x version.
8231
$ rpm -qa | grep libpng
8234
And you'll see the libpng 1.0.x run time:
8239
libpng-devel-1.2.2-8
8243
Dig into the files installed by them and you'll not find libpng.so.
8246
Since they're incompatible RedHat doesn't create the libpng.so link.
8247
Instead they patch the makefiles to point the various packages at one or the
8248
other .so file they install. This allows them to ship packages that require
8252
It works fine unless you try and install something other than via an rpm.
8253
Then you're missing the libpng.so file that normal packages look for...
8256
Best bet is to create a symbolic link from the libpng.so.xxxx installed
8257
by the package which matches the -devel (because that's where png.h is
8261
ln -s /usr/lib/libpng.so.3.1.2.2 /usr/lib/libpng.so
8264
And remember this in case you update the libpng rpm's in the future.
8266
<h2>Silly Season</h2>
8276
<h2>HowTo Ask For Help (ntop mailing lists)</h2>
8279
WTO ask for help on the ntop or ntop-dev mailing lists:
8287
ntop is for user questions - "How to I install", "data isn't being recorded",
8292
ntop-dev is for code and development questions. The ntop-dev list goes to fewer
8293
people, those who have self-selected themselves to be interested in ntop at the
8298
Discussions about the current cvs version belong in ntop-dev.
8302
If a discussion gets too technical, you may be asked to "move it to ntop-dev".
8303
Please honor that request (even if you have to subscribe for a while - ntop-dev
8304
is fairly low traffic).
8308
There used to be mailing lists and trackers at SourceForge, which were rarely
8309
looked at and have been discontinued. Use the ntop and ntop-dev lists (go to
8310
http://www.ntop.org to signup for them).
8314
OFFICIAL vs UNOFFICIAL
8318
A response from Luca Deri should be considered official. He is the author of
8319
ntop and controls the project and it's destiny.
8323
***Please understand that the mailing lists are a community support effort***
8327
Besides Luca Deri, a number of people answer questions to the best of our
8328
ability. None of the rest of the people who may respond to your question on ntop
8329
or ntop-dev are able to respond "officially".
8333
Likewise, this HOWTO is unofficial.
8337
Everyone is welcome to help with the evolution of ntop - that is to find
8338
problems, create and test patches and send them in to patches@ntop.org for
8339
inclusion. There are a small number of people with write access to the cvs,
8340
but anything we commit is subject to being ripped out by Luca for any reason...
8341
or no reason at all...
8349
ONE QUESTION per message, and you MUST use meaningful message subjects - one's
8350
that would have helped YOU find the prior discussion of this or a similar
8351
problem in the archives. Titles such as "urgent" or "ntop problem" will often
8352
not get a response - it may be urgent to you but it's probably not an issue
8357
WE STRONGLY SUGGEST YOU USE THE BUILT IN AUTOMATICALLY GENERATED PROBLEM
8358
REPORT (About | "bug icon"). This includes most of the internal configuration
8359
data we ask for (and more) and has blank spots for you to fill it.
8363
Generate one, cut & paste into your mail client, edit the data and sent it.
8367
Beyond that, don't worry -- it's about information, not format.
8375
Despite any individual's frequent postings, nobody is "responsible" for
8376
answering your question. It's all on a "best efforts" basis. This is equally
8377
true of the entries in ntop's Wiki. Our responses may be incomplete, inaccurate,
8378
even dead wrong. Caveat Emptor! The only "guarantee" is that free support will
8379
be worth what you've paid for it. It may be worth MORE, it won't be worth
8384
Just because you post a question does NOT mean that you are OWED an answer.
8388
If nobody answers, then maybe it's because:
8393
* You've asked the same question multiple times and it's already been
8397
* You have been asked for additional information and are unable/unwilling
8402
or, well, any one of a dozen other reasons.
8406
Asking the same question multiple times - or asking it again because you don't
8407
like the answer you received - is a slap in the face of the person who took the
8408
time to answer you in the first place and will more than likely not get a
8409
different response. If you're not sure that your message posted, check the
8410
archives to see if your message is there -- please don't just keep reposting it.
8414
You can always use gmane (http://www.gmane.org) to see the last 600 or so
8415
postings to the lists.
8419
Please direct all original postings and subsequent replies to the list, not to
8420
someone privately. Most of us will reply solely to the mailing list, unless
8421
you specifically request otherwise. If you do request otherwise, the individual
8422
you sent it to may choose not to respond. Our posting here is NOT a public
8423
invitation to invade our e-mail boxes for your free private support.
8427
THE BACK AND FORTH PROCESS
8431
"Why don't you just fix my problem instead of asking for more information?"
8435
Understand that we can't see your machine (and wouldn't want the
8436
responsibility of sshing into somebody else's box as root). The only
8437
information we have is what you post and the responses to our questions. Few
8438
failures in ntop are related to the core processing routines - so if you're
8439
having a problem, it's most likely because of some combination of your network
8440
and your ntop configuration. It may be unique to you -- and only with YOUR help
8449
Releases are hosted at SourceForge.
8453
At the time of this writing the stable version is 3.0. What support is available
8454
is for the development version ("the cvs"). All support is in the form of
8455
fixing things in the cvs.
8459
However we also attempt to support the current "stable" release (3.0).
8463
Older versions are not supported -- especially 1.3 and the 2.0.99 series of
8464
2.1 release candidates. If you have a problem with them, please obtain the
8465
current cvs version and see if it's still a problem. Unlike certain much larger
8466
projects, we don't fix things in older versions - there simply aren't enough
8467
resources available.
8471
intop is not supported. It's gone and no longer in the cvs. For a look at
8472
Rocco's new, work-in-progress, download ntcsh, the ntop enabled tcsh shell.
8476
Please understand that the only way to fix your problem may be a source patch,
8477
which you will have to apply, compile, install and test against the cvs version
8478
prior to it's inclusion in the cvs.
8482
If you aren't capable of or willing to do these steps -- for whatever reason --
8483
then you should not be compiling from the cvs.
8491
The cvs is at http://cvs.ntop.org, userid is anonymous, password ntop.
8495
The cvs is a DEVELOPMENT version. The code in the cvs is subject to rapid
8496
change. At any point in time, it may not compile. It may not compile with
8497
certain options or on some platforms. s'be'it -- it's a DEVELOPMENT version.
8505
The actual flow of ntop development was
8506
2.1 -> 2.1.1 -> 2.1.2 -> 2.1.50 -> 2.1.51...
8510
Version 2.1.3 was provided by Dennis Schoen [ds@teuto.net] as part of the Debian
8511
project. Dennis (manually) maintains a bitkeeper tree, based on 2.1.2 with
8512
various patches which - in HIS opinion - were important enough to be back
8513
ported. Releases in this tree are identified as 2.1.2-n. Dennis reports you
8514
can obtain his current version via:
8518
bk clone bk://ntop.teuto.net:ntop-debian ntop-stable
8522
Version 2.1.3 is an export from Dennis' tree with the version number changed and
8523
is equivalent to 2.1.2-1. Dennis' graciously provided the extract and we
8524
accepted with thanks!
8532
The actual flow of ntop development was 2.1 -> 2.1.1 -> 2.1.2 -> 2.1.50
8533
-> 2.1.51..59 -> 2.1.90..92 -> 2.2
8536
after 2.2, came 2.2a/2.2b (Win32 only), then 2.2c. These were branches,
8537
containing unique 2.2 fixes and back-ports of some critical items.
8545
The actual flow of ntop development was 2.2.1..4 ->
8546
-> 2.2.90..99 -> 3.0pre1 -> 3.0
8554
If you want better than "best-efforts" support, contact the individual you
8555
Desire support from off-list to make financial arrangements. Please understand
8556
that people are doing development in areas that are of personal interest to
8557
them, to improve ntop.
8558
If you want to discuss payment for support or a specific change that is of
8559
Interest to you, feel free to email the individual off-list - some of us are
8560
Computer consultants and can be bought, with the understanding that the work
8561
product is offered back to the community in the spirit of the open source
8562
movement and the strictures of the GPL.
8566
SO WHAT INFORMATION SHOULD I POST?
8574
1. Please review the output from ./configure.
8578
We all have the bad habit of skipping over this, but there are often
8579
warnings which explain why things don't work. ntop tries to build itself by
8580
turning off features where the required libraries and/or headers aren't
8582
The minimum required set is just that - minimal. This is often the source
8583
of "feature x or switch y doesn't work" reports.
8587
2. Please review the docs/FAQ file.
8591
3. Please review back message traffic from the mailing lists.
8595
Yes, we know that there isn't a search function at ntop.org. Did you know
8596
that the lists are spidered every couple of months or so and can be
8597
searched through Google?? For example, "site:lists.ntop.org rpm" will find
8598
mail list messages with the word "rpm" in them.
8602
Do you know about gmane (http://www.gmane.org) has archives (searchable) of
8603
the ntop lists going back into late 2001. The lists are called
8607
gmane.linux.ntop.devel
8608
gmane.linux.ntop.general
8612
You can read these online (the last 600 messages or so) or through the nntp
8621
Do not worry about posting TOO much information - we're pretty good at filtering
8626
WE STRONGLY SUGGEST YOU USE THE BUILT IN AUTOMATICALLY GENERATED PROBLEM
8627
REPORT (About | "bug icon"). This includes most of the internal configuration
8628
data we ask for (and more) and has blank spots for you to fill it.
8632
Generate one, cut & paste into your mail client, edit the data and sent it.
8636
If you can't or won't use the automated problem report (say, for example you
8637
can't get ntop up to generate it) - don't worry -- it's about information, not
8638
format. Send us what you can, organized this way:
8642
1. A brief summary of the problem.
8647
The EXACT command line you use to invoke ntop.
8648
If it's in a script, cut & paste it and
8649
resolve all the variables!
8653
Error Messages: Cut & paste the exact text.
8654
If it's in the log, give us 15 or 20 lines before.
8658
The exact URL you used from the browser.
8663
ntop version, source and any applied patches
8667
If you've compiled from the source, say so!
8671
If you're using a package (such as an .rpm), where
8672
did you get it from and what is the EXACT name,
8673
version information and date? (for example, post
8674
the output from rpm -q ntop -i)
8682
gcc version (e.g. gcc --version)
8683
(For ./configure problems, the versions for autoconf, automake and
8692
Any major upgrades (kernel, networking, etc.)
8696
What else is running
8701
Type & # of processors
8709
# network interfaces and types (vendor, bus, etc.)
8714
Roughly where are the interface(s) you're monitoring
8715
(Public Internet, Private LAN, what?)
8719
What's the bandwidth (e.g. 10 Mbps University internet,
8720
1.5 Mbps T1, Cable Modem capped at 1.5Mbps, 56K dialup)
8724
How many machines (traffic sources/destinations) and users
8728
(If you're uncomfortable giving specifics, then leave it generic, but the
8729
information is necessary to allow efficient use of the community's time helping
8730
YOU with YOUR problem)
8738
Please let us know if our help fixed the problem, didn't solve it or enabled you
8739
to solve it yourself and what the result was. The historical record of the ntop
8740
and ntop-dev archives is the complete chain from problem to resolution.
8744
(Originally posted on 07Jan2002 to ntop and ntop-dev, updated. This is version 12April2003)
8746
<h2>GDB ultraMini-tutorial - Running ntop under gdb (debugger)</h2>
8749
The very best way to debug a segmentation fault in ntop is to use gdb. The
8750
Standard ntop compile already has the flags necessary to do this set.
8754
(Note - if you don't have gdb, or aren't compiling yourself, this won't work)
8758
> gdb /usr/bin/ntop (or wherever ntop is installed)
8760
(gdb) set args (your usual arg string) -K
8764
[That is, add the -K argument. While you are at it, don't give it the -d
8765
argument and add -u root (replace any existing -u value) - yes, it's insecure
8766
running as root, but you're not planning on doing this in production nor as a
8771
it will run... when it bombs...
8775
(gdb) list [this shows where in the code it died]
8779
(gdb) info stack [this shows the call stack]
8783
if there are any variables involved, you can print them:
8787
(gdb) print deviceId
8791
[gdb can handle pretty complex arguments in the print command, so you can say
8792
"print myGlobals.device[0].hash_hostTraffic[myGlobals.broadcastEntryIdx]"
8793
if that's what it bombed on.]
8797
"bt full" does a decent job of printing the stack and the back trace and the
8798
local variables at each level. Just make sure you are in the thread you are
8804
#0 0x40592557 in __libc_pause () from /lib/i686/libc.so.6
8806
#1 0x4046b5a3 in pause () at wrapsyscall.c:123
8807
result = -1073743680
8809
#2 0x0804ac1b in main (argc=22, argv=0xbffffa44) at main.c:928
8811
argv = (char **) 0x0
8814
ifStr = "eth0,eth1", '\000'
8815
lastTime = 1025633918
8816
#3 0x404f3647 in __libc_start_main (main=0x804a74c , argc=22, ubp_av=0xbffffa44,
8817
init=0x8049600 <_init>, fini=0x804d000 <_fini>, rtld_fini=0x4000dcd4 <_dl_fini>,
8818
stack_end=0xbffffa3c) at ../sysdeps/generic/libc-start.c:129
8819
ubp_av = (char **) 0xbffffa44
8820
fini = (void (*)()) 0x40016b4c <_dl_debug_mask>
8821
rtld_fini = (void (*)()) 0xbffff87c
8822
ubp_ev = (char **) 0xbffffaa0
8827
gdb has all kinds of included help, and frankly that's all I know...
8828
Here are some extracts and examples:
8832
(gdb) help info thread
8833
IDs of currently known threads.
8838
13 Thread 11276 (LWP 8967) 0x405f651e in __select () from
8840
12 Thread 10251 (LWP 8966) 0x405f651e in __select () from
8842
11 Thread 9226 (LWP 8965) 0x405f651e in __select () from
8844
10 Thread 8201 (LWP 8964) 0x405f651e in __select () from
8846
9 Thread 7176 (LWP 8963) 0x405f651e in __select () from
8848
8 Thread 6151 (LWP 8962) 0x405ca071 in __libc_nanosleep () from
8850
7 Thread 5126 (LWP 8961) 0x4053db85 in __sigsuspend (set=0x4300998c)
8851
at ../sysdeps/unix/sysv/linux/sigsuspend.c:45
8852
6 Thread 4101 (LWP 8960) 0x405ca071 in __libc_nanosleep () from
8854
5 Thread 3076 (LWP 8959) 0x405ca071 in __libc_nanosleep () from
8856
4 Thread 2051 (LWP 8958) 0x405ca071 in __libc_nanosleep () from
8858
3 Thread 1026 (LWP 8957) 0x4053db85 in __sigsuspend (set=0x4100967c)
8859
at ../sysdeps/unix/sysv/linux/sigsuspend.c:45
8860
2 Thread 2049 (LWP 8956) 0x405f4e17 in __poll (fds=0x823dbec, nfds=1,
8862
at ../sysdeps/unix/sysv/linux/poll.c:63
8863
* 1 Thread 1024 (LWP 8952) 0x405ca027 in __libc_pause () from
8868
The * indicates the current thread. Switch with this:
8876
Once you have a thread selected, you can look at the call stack:
8881
Examining the stack.
8882
The stack is made up of stack frames. Gdb assigns numbers to stack frames
8883
counting from zero for the innermost (currently executing) frame.
8887
At any time gdb identifies one frame as the "selected" frame.
8888
Variable lookups are done with respect to the selected frame.
8889
When the program being debugged stops, gdb selects the innermost frame.
8890
The commands below can be used to select other frames by number or address.
8898
backtrace -- Print backtrace of all stack frames
8899
bt -- Print backtrace of all stack frames
8900
down -- Select and print stack frame called by this one
8901
frame -- Select and print a stack frame
8902
return -- Make selected stack frame return to its caller
8903
select-frame -- Select a stack frame without printing anything
8904
up -- Select and print stack frame that called this one
8908
Type "help" followed by command name for full documentation.
8909
Command name abbreviations are allowed if unambiguous.
8911
#0 0x4053db85 in __sigsuspend (set=0x4300998c) at
8912
../sysdeps/unix/sysv/linux/sigsuspend.c:45
8913
#1 0x404db1c9 in __pthread_wait_for_restart_signal (self=0x43009be0) at
8915
#2 0x404dc1ec in __new_sem_wait (sem=0x804d5c8) at restart.h:34
8916
#3 0x402960e0 in waitSem (semId=0x804d5c8) at util.c:1126
8917
#4 0x4027ae0f in dequeueAddress (notUsed=0x0) at address.c:425
8918
#5 0x404d8c6f in pthread_start_thread (arg=0x43009be0) at manager.c:284
8922
And select a specific frame via:
8926
(gdb) select-frame 4
8931
List specified function or line.
8932
With no argument, lists ten more lines after or around previous listing.
8933
"list -" lists the ten lines before a previous ten-line listing.
8934
One argument specifies a line, and ten lines are listed around that line.
8935
Two arguments with comma between specify starting and ending lines to list.
8936
Lines can be specified in these ways:
8937
LINENUM, to list around that line in current file,
8938
FILE:LINENUM, to list around that line in that file,
8939
FUNCTION, to list around beginning of that function,
8940
FILE:FUNCTION, to distinguish among like-named static functions.
8941
*ADDRESS, to list around the line containing that address.
8942
With two args if one is empty it stands for ten lines away from the other
8944
(gdb) list address.c:425
8946
421 while((myGlobals.addressQueueLen == 0)
8947
422 && (myGlobals.capturePackets) /* Courtesy of Wies-Software
8948
<wies@wiessoft.de> */
8950
424 #ifdef USE_SEMAPHORES
8951
425 waitSem(&myGlobals.queueAddressSem);
8953
427 waitCondvar(&myGlobals.queueAddressCondvar);
8955
429 key_data.dptr = data_data.dptr = NULL;
8960
Print value of expression EXP.
8961
Variables accessible are those of the lexical environment of the selected
8962
stack frame, plus all those whose scope is global or an entire file.
8966
$NUM gets previous value number NUM. $ and $$ are the last two values.
8967
$$NUM refers to NUM'th value back from the last one.
8968
Names starting with $ refer to registers (with the values they would have
8969
if the program were to return to the stack frame now selected, restoring
8970
all registers saved by frames farther in) or else to debugger
8971
"convenience" variables (any such name not a known register).
8972
Use assignment expressions to give values to convenience variables.
8976
{TYPE}ADREXP refers to a datum of data type TYPE, located at address ADREXP.
8977
@ is a binary operator for treating consecutive data objects
8978
anywhere in memory as an array. FOO@NUM gives an array whose first
8979
element is FOO, whose second element is stored in the space following
8980
where FOO is stored, etc. FOO must be an expression whose value
8985
EXP may be preceded with /FMT, where FMT is a format letter
8986
but no count or size letter (see "x" command).
8990
(gdb) print key_data
8991
$3 = {dptr = 0x0, dsize = 1076452514}
8992
(gdb) print data_data
8993
$4 = {dptr = 0x0, dsize = 4}
8997
Original version Luca Deri, 1999-2001
8998
Updated Burton M. Strauss III 2002, 2003, 2004
9000
<!-- Total Lines........ 6121 -->
9002
<!-- (skipped) --s...... 75 -->
9003
<!-- (skipped) ==s...... 16 -->
9004
<!-- (skipped) header... 50 -->
9005
<!-- empty ("")......... 1697 -->
9006
<!-- empty (//)......... 6 -->
9007
<!-- Sections........... 0 -->
9008
<!-- Q:................. 248 -->
9009
<!-- A:................. 256 -->
9010
<!-- Normal text........ 2044 -->
9011
<!-- Preformatted text.. 1693 -->
9012
<!-- Updated.xxmmmyyyy.. 0 -->
9013
<!-- Added.xxmmmyyyy.... 0 -->
9014
<!-- ...........TOTAL... 6085 -->