1
.\" This file Copyright 1998-2003 Luca Deri <deri@ntop.org>
12
.TH NTOP 8 "December 2003 (ntop 3.0)"
14
ntop \- display top network users
18
.RB [ -a | --access-log-file
20
.RB [ -b | --disable-decoders ]
21
.RB [ -c | --sticky-hosts]
22
.RB [ -f | --traffic-dump-file
24
.RB [ -g | --track-local-hosts ]
25
.RB [ -h | --help ]-file
26
.RB [ -j | --create-other-packets ]
27
.RB [ -k | --filter-expression-in-extra-frame ]
30
.RB [ -m | --local-subnets
32
.RB [ -n | --numeric-ip-addresses ]
34
.RB [ -p | --protocols
36
.RB [ -q | --create-suspicious-packets ]
37
.RB [ -r | --refresh-time
39
.RB [ -s | --no-promiscuous ]
40
.RB [ -t | --trace-level
43
.IR <max_num_hash_entries> ]
44
.RB [ -w | --http-server
46
.RB [ -z | --disable-sessions ]
47
.RB [ -A | --set-admin-password
49
.RB [ -B | --filter-expression
55
.RB [ -F | --flow-spec
57
.RB [ -M | --no-interface-merge ]
58
.RB [ -O | ----output-packet-path ]
59
.RB [ -P | --db-file-path
61
.RB [ -Q | --spool-file-path
67
.IR <max_num_TCP_sessions> ]
68
.RB [ --disable-instantsessionpurge ]
69
.RB [ --disable-schedyield ]
70
.RB [ --disable-stopcap ]
71
.RB [ --disable-mutexextrainfo ]
72
.RB [ --skip-version-check ]
78
.RB [ -i | --interface
82
.RB [ -K | --enable-debug ]
84
.RB [ --pcap_setnonblock ]
87
.RB [ --webserver-queue
92
.RB [ -i | --interface
97
.RB [ -W | --https-server
102
shows the current network usage. It displays a list of hosts that are
103
currently using the network and reports information concerning the (IP and non-IP)
104
traffic generated by each host.
106
may operate as a front-end collector (sFlow and/or netFlow plugins) or as a stand-alone
107
collector/display program. A web browser is needed to access the information captured by the
112
is a hybrid layer 2 / layer 3 network monitor, that is by default it uses the layer 2 Media
113
Access Control (MAC) addresses AND the layer 3 tcp/ip addresses.
115
is capable of associating the two, so that ip and non-ip traffic (e.g. arp, rarp) are combined
116
for a complete picture of network activity.
119
.SH "COMMAND\-LINE OPTIONS"
124
is copied - ignoring line breaks and comment lines (anything following a #) - into the
127
behaves as if all of the text had simply been typed directly on the command line.
128
For example, if the command line is "-t 3 @d -u ntop" and file d contains
129
just the line '-d', then the effective command line is -t 3 -d -u ntop.
130
Multiple @s are permitted. Nested @s (an @ inside the file) are not permitted.
134
options are "sticky", that is they just set an internal flag. Invoking
135
them multiple times doesn't change
137
behavior. However, options that set a value, such as --trace-level, will use the LAST value
138
given: --trace-level 2 --trace-level 3 will run as --trace-level 3.
140
.It2 -a --access-log-file
143
does not maintain a log of HTTP requests to the internal web server.
144
Use this parameter to request logging and to specify the location of the file where these
145
HTTP requests are logged.
147
Each log entry is in Apache-like style.
148
The only difference between Apache and
150
logs is that an additional column has been added which has the time (in milliseconds) that
152
needed to serve the request.
153
Log entries look like this:
156
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
157
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
158
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
159
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
160
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
161
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
162
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
165
This parameter is the complete file name of the access log. In prior releases it was
166
erroneously called --access-log-path.
168
.It2 -b --disable-decoders
169
This parameter disables protocol decoders.
171
Protocol decoders examine and collect information about layer 2 protocols such as
172
NetBIOS or Netware SAP, as well as about specific tcp/ip (layer 3) protocols, such as
175
This support is specifically coded for each protocol and is different from the
176
capability to count raw information (packets and bytes) by protocol specified by the
177
-p | --protocols parameter, below.
179
Decoding protocols is a significant consumer of resources. If the
181
host is underpowered or monitoring a very busy network, you may wish to disable
182
protocol decoding via this parameter.
183
It may also be appropriate to use this parameter if you believe that
185
has problems handling some protocols that occur on your network.
187
Even if decoding is disabled, ftp-data traffic is still decoded to look for
188
passive ftp port commands.
190
.It2 -c --sticky-hosts
191
Use this parameter to prevent idle hosts from being purged from memory.
193
By default idle hosts are periodically purged from memory.
194
An idle host is identified when no packets from or to that host have been
195
monitored for the period of time defined by the value of
196
PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.
198
If you use this option, all hosts - active and idle - are retained in
199
memory for the duration of the
203
P2P users, port scans, popular web servers and other activity will cause
205
to record data about a large number of hosts.
206
On an active network, this will consume a significant - and always growing -
208
It is strongly recommended that you use a filtering expression to limit the
209
hosts which are stored if you use --sticky-hosts.
211
The idle purge is a statistical one - a random selection of the eligible
212
hosts will be purged during each cycle. Thus it is possible on a busy system
213
for an idle host to remain in the
215
tables and appear 'active' for some considerable time after it is truly idle.
218
This parameter causes ntop to become a daemon, i.e. a task which runs in the
219
background without connection to a specific terminal.
222
other than as a casual monitoring tool, you probably will want to use
226
If you are running as a daemon, the messages from
228
will be 'printed' on to stdout and thus dropped.
229
You probably don't want to do this.
230
So remember to also use the -L or --use-syslog options to save the
231
messages into the system log.
233
.It2 -e --max-table-rows
234
This defines the maximum number of lines that
236
will display on each generated HTML page. If there are more lines to be
237
displayed than this setting permits, only part of the data will be displayed.
238
There will be page forward/back arrows placed at the bottom of the page
239
for navigation between pages.
241
.It2 -f --traffic-dump-file
244
captures traffic from network interface cards (NICs) or from netFlow/sFlow
247
can also read data from a file - typically a tcpdump capture or the output from
250
packet capture options.
254
will not capture any traffic from NICs during or after the file has been read.
255
netFlow/sFlow capture - if enabled - would still be active.
257
This option is mostly used for debug purposes.
259
.It2 -g --track-local-hosts
262
tracks all hosts that it sees from packets captured on the various NICs.
263
Use this parameter to tell
265
to capture data only about local hosts. Local hosts are defined based on
266
the addresses of the NICs and those networks identified as local via the
267
-m | --local-subnets parameter.
269
This parameter is useful on large networks or those that see many hosts,
270
(e.g. a border router or gateway), where information about remote hosts is
271
not desired/required to be tracked.
274
Print help information for
276
including usage and parameters.
279
Specifies the network interface or interfaces to be used by
281
for network monitoring.
283
If multiple interfaces are used (this feature is available only if ntop is compiled with
284
thread support) their names must be separated with a comma. For instance -i "eth0,lo".
286
If not specified, the default is the first Ethernet device, e.g. eth0. The specific
287
device that is 'first' is highly system dependent. Especially on systems where the
288
device name reflects the driver name instead of the type of interface.
290
By default, traffic information obtained by all the interfaces is merged together as if
291
the traffic was seen by only one interface.
292
Use the -M parameter to keep traffic separate by interface.
294
Under Windows, the parameter value is either the number of the interface or its name, e.g.
295
{6252C14C-44C9-49D9-BF59-B2DC18C7B811}.
298
-h to see a list of interface name-number mappings (at the end of the help information).
300
.It2 -j --create-other-packets
301
This parameter causes
303
to create a dump file of the 'other' network traffic captured.
304
One file is created for each network interface where
305
'other' packets are found. The file is in tcpdump (pcap) format and is named
306
<path>/ntop-other-pkts.<device>.pcap, where <path> is defined by the
307
-O | --output-packet-path parameter.
308
This file is useful for understanding these unclassifed packets.
310
.It2 -k --filter-expression-in-extra-frame
311
When this parameter is used, the current filter expression is displayed in an extra frame
312
and thus is always visible. This extra frame contains other information, including the
313
report creation date,
315
version information and the active interfaces.
318
This parameter causes a dump file to be created of the network traffic captured by
320
in tcpdump (pcap) format. This file is useful for debug, and may be read back into
322
by the -f | --traffic-dump-file parameter. The dump is made after processing any
325
never even sees filtered packets).
327
The output file will be named
328
.I <path>/<log>.<device>.pcap
331
), where <path> is defined by the -O | --output-packet-path parameter and <log> is
332
defined by this -l | --pcap-log parameter.
334
.It2 -m --local-subnets
336
determines the ip addresses and netmasks for each active interface. Any traffic on
337
those networks is considered local. This parameter allows the user to define additional
338
networks and subnetworks whose traffic is also considered local in
340
reports. All other hosts are considered remote.
342
Commas separate multiple network values.
343
Both netmask and CIDR notation may be used, even mixed together, for instance
344
"131.114.21.0/24,10.0.0.0/255.0.0.0".
346
The local subnet - as defined by the interface address(es) - is/are always local
347
and do not need to be specified. If you do give the same value as a NIC's local
348
address, a harmless warning message is issued.
350
.It2 -n --numeric-ip-addresses
353
resolves IP addresses using a combination of active (explicit) DNS queries and
354
passive sniffing. Sniffing of DNS responses occurs when
356
receives a network packet containing the response to some other user's DNS query.
358
captures this information and enters it into
360
DNS cache, in expectation of shortly seeing traffic addressed to that host. This way
362
significantly reduces the number of DNS queries it makes.
364
This parameter causes
366
to skip DNS resolution, showing only numeric IP addresses instead of the symbolic
368
This option can useful when the DNS is not present or quite slow.
372
is a hybrid layer 2/3 network monitor. That is, it uses both the lower level, physical
373
device address - the MAC (Media Access Control) address - and the higher level,
374
logical, tcp/ip address (the familiar www.ntop.org or 131.114.21.9 address).
377
to link the logical addresses to a physical machine with multiple addresses
378
(This occurs with virtual hosts or additional addresses assigned to the interface, etc.)
379
to present consolidated reporting.
381
This parameter specifies that
383
should not trust the MAC addresses but just use the IP addresses.
385
Normally, since the MAC address must be globally unique, the dual nature of
387
is a benefit and provides far better information about the network than is available via
388
a pure layer 2 or pure layer 3 monitor.
390
Under certain circumstances - whenever
392
is started on an interface where MAC addresses cannot be really trusted - you may
395
Situations which may require this option include port/VLAN mirror, some cases with
396
switches and spanning tree protocol, and (reportedly) some specific models of Ethernet
397
switches which re-write MAC addresses of the packets they process.
398
Normally, you discover that this option is necessary when you observe that hosts seem
399
to change their addresses or information about different machines get lumped together.
401
Note that with this option, information which is dependent upon the MAC
402
addresses (non tcp/ip protocols like IPX) will not be collected nor displayed.
405
This parameter is used to specify the TCP/UDP protocols that
407
will monitor. The format is <label>=<protocol list> [, <label>=<protocol list>], where
408
label is used to symbolically identify the <protocol list>. The format of <protocol list>
409
is <protocol>[|<protocol>], where <protocol> is either a valid protocol specified inside the
410
/etc/services file or a numeric port range (e.g. 80, or 6000-6500).
412
A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data", which
413
reduces the protocols displayed on the "IP" pages to three:
416
Host Domain Data HTTP FTP Other IP
417
ns2.attbi.com <flag> 954 63.9 % 0 0 954
418
64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0
419
64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0
420
toolbarqueries.google.com <flag> 60 4.0 % 60 0 0
423
If the <protocol list> is very long you may store it in a file (for instance protocol.list).
424
To do so, specify the file name instead of the <protocol list> on the command line. e.g.
425
.B ntop -p protocol.list
427
If the -p parameter is omitted the following default value is used:
431
HTTP=http|www|https|3128 3128 is Squid, the HTTP cache
434
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
435
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
439
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
443
Peer-to-Peer Protocols
444
----------------------
445
Gnutella=6346|6347|6348
448
DirectConnect=0 Dummy port as this is a pure P2P protocol
453
Messenger=1863|5000|5001|5190-5193
456
NOTE: To resolve protocol names to port numbers, they must be specified in
457
the system file used to list tcp/udp protocols and ports, which is typically
458
/etc/services file. You will have to match the names in that file, exactly.
459
Missing or unspecified (non-standard) ports must be specified by number, such
460
as 3128 in our examples above.
462
If you have a file named /etc/protocols, don't get confused by it, as that's
463
the Ethernet protocol numbers, which are not what you're looking for.
465
.It2 -q --create-suspicious-packets
468
to create a dump file of suspicious packets.
470
There are many, many, things that cause a packet to be labeled as 'suspicious', including:
473
Detected ICMP fragment
474
Detected Land Attack against host
475
Detected overlapping/tiny packet fragment
476
Detected traffic on a diagnostic port
477
Host performed ACK/FIN/NULL scan
478
Host rejected TCP session
479
HTTP/FTP/SMTP/SSH detected at wrong port
480
Malformed TCP/UDP/ICMP packet (packet too short)
482
Received a ICMP protocol Unreachable from host
483
Sent ICMP Administratively Prohibited packet to host
484
Smurf packet detected for host
485
TCP connection with no data exchanged
486
TCP session reset without completing 3-way handshake
487
Two MAC addresses found for the same IP address
488
UDP data to a closed port
489
Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
493
When this parameter is used, one file is created for each network interface where
494
suspicious packets are found. The file is in tcpdump (pcap) format and is named
495
<path>/ntop-suspicious-pkts.<device>.pcap, where <path> is defined by the
496
-O | --output-packet-path parameter.
498
.It2 -r --refresh-time
499
Specifies the delay (in seconds) between automatic screen updates for those
500
generated HTML pages which support them. This parameter allows you to leave
501
your browser window open and have it always displaying nearly real-time data from
504
The default is 3 seconds. Please note that if the delay is very short (1 second
507
might not be able to process all of the network traffic.
509
.It2 -s --no-promiscuous
510
Use this parameter to prevent
512
from setting the interface(s) into promiscuous mode.
514
An interface in promiscuous mode will accept ALL Ethernet frames, regardless of
515
whether they directed (addressed) to the specific network interface (NIC) or not.
516
This is an essential part of enabling
518
to monitor an entire network. (Without promiscuous mode,
520
will only see traffic directed to the specific host it is running on, plus
521
broadcast traffic such as the arp and dhcp protocols.
523
Even if you use this parameter, the interface could well be in promiscuous mode if
524
another application enabled it.
527
passes this setting on to libpcap, the packet capture library. On many systems,
528
a non-promiscuous open of the network interface will fail,
529
since the libpcap function on most systems require it to capture raw packets
532
captures raw packets so that we may view and analyze the layer 2 - MAC - information).
534
Thus on most systems,
536
must probably still be started as root, and this option is largely ornamental. If
537
it fails, you will see a ***FATALERROR*** message referring to pcap_open_live() and
538
then an information message, "Sorry, but on this system, even with -s, it appears
539
that ntop must be started as root".
541
.It2 -t --trace-level
542
This parameter specifies the 'information' level of messages that you wish
544
to display (on stdout or to the log).
545
The higher the trace level number the more information that is displayed.
546
The trace level ranges between 0 (no trace) and 5 (full debug tracings).
548
The default trace value is 3.
550
Trace level 0 is not quite zero messages. Fatal errors and certain startup/shutdown
551
messages are always displayed.
552
Trace level 1 is used to display errors only, level 2 for both errors and warnings, and
553
level 3 displays error, warning and informational messages.
555
Trace level 4 is called 'noisy' and it is - generating many messages about the internal
558
Trace level 5 and above are 'noisy' plus extra logs, i.e. all possible messages, with a
559
file:line tag prepended to every message.
564
should run as after it initializes.
567
must normally be started as root so that it has sufficient privileges to open the
568
network interfaces in promiscuous mode and to receive raw frames.
569
See the discussion of -s | --no-promiscuous above, if you wish to try starting
573
Shortly after starting up,
575
becomes the user you specify here, which normally has substantially reduced privileges,
576
such as no login shell. This is the userid which owns
578
database and output files.
580
The value specified may be either a username or a numeric user id.
581
The group id used will be the primary group of the user specified.
583
If this parameter is not specified, ntop will try to switch first to 'nobody' and then
584
to 'anonymous' before giving up.
586
NOTE: This should not be root unless you really understand the security risks. In order
587
to prevent this by accident, the only way to run
589
as root is to explicitly specify -u root.
595
creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use.
597
.It2 -w --http-server
598
.It2 -W --https-server
600
offers an embedded web server to present the information that has been so painstakingly
602
An external HTTP server is NOT required NOR supported. The
604
web server is embedded into the application.
605
These parameters specify the port (and optionally the address (i.e. interface))
610
For example, if started with -w 3000 (the default port), the URL to access
612
is http://hostname:3000/. If started with a full specification, e.g. -w 192.168.1.1:3000,
614
listens on only that address/port combination.
616
If -w is set to 0 the web server will not listen for http:// connections.
618
-W operates similarly, but controls the port for the https:// connections.
623
(this is the default setting) HTTP requests on port 3000 and no HTTPS.
626
Both HTTP and HTTPS have been enabled on their most common ports.
629
HTTP disabled, HTTPS enabled on the common port.
631
Certain sensitive, configuration pages of the
633
web server are protected by a userid/password. By default, these are the
634
user/URL administration, filter, shutdown and reset stats are password protected
635
and are accessible initially only to user
637
with a password set during the first run of
640
Users can modify/add/delete users/URLs using ntop itself - see the Admin tab.
642
The passwords, userids and URLs to protect with passwords are stored in a database file.
643
Passwords are stored in an encrypted form in the database for further security. Best
644
practices call for securing that database so that only the
648
There is a discussion in docs/FAQ about further securing the
652
.It2 -z --disable-sessions
653
This parameter disables TCP session tracking.
654
Use it for better performance or when you don't really need/care to track sessions.
656
.It2 -A --set-admin-password
657
This parameter is used to start
659
, set the admin password and quit. It is quite useful for installers that need
660
to automatically set the password for the admin user.
662
-A and --set-admin-password (without a value) will prompt the user for the password.
664
You may also use this parameter to set a specific value using --set-admin-password=value.
665
.B The = is REQUIRED and no spaces are permitted!
667
If you attempt to run
669
as a daemon without setting a password, a FATAL ERROR message is generated and
673
.It2 -B --filter-expression
674
Filters allows the user to restrict the traffic seen by
676
on just about any imaginable item.
678
The filter expression is set at run time by this parameter, but it may be
681
run on the Admin | Change Filter web page.
685
, where the quotes are
689
The syntax of the filter expression uses the same BPF (Berkeley Packet Filter)
690
expressions used by other packages such as tcpdump
692
For instance, suppose you
693
are interested only in the traffic generated/received by the host jake.unipi.it.
695
can then be started with the following filter:
697
.B ntop -B "src host jake.unipi.it or dst host jake.unipi.it"
701
.B ntop -B "host jake.unipi.it or host jake.unipi.it"
703
See the 'expression' section of the
705
man page - usually available at http://www.tcpdump.org/tcpdump_man.html - for
706
further information and the best quick guide to BPF filters currently available.
710
This instruments ntop to be used in two configurations: host and network mode. In host mode (default) ntop works as usual: the IP addresses received are those of real hosts. In host mode the IP addresses received are those of the C-class network to which the address belongs. Using ntop in network mode is extremely useful when installed in a traffic exchange (e.g. in the middle of the Internet) whereas the host mode should be used when ntop is installed on the edge of a network (e.g. inside a company). The network mode significantly reduces the amount of work ntop has to perform and it has to be used whenever ntop is used to find out how the network traffic flows and not to pin-point specific hosts.
714
This identifies the local domain suffix, e.g. ntop.org. It may be necessary, if
716
is having difficulty determining it from the interface.
719
It is used to specify network flows similar to more powerful applications such as NeTraMet.
720
A flow is a stream of captured packets that match a specified rule. The format is
722
.B "<flow-label>='<matching expression>'[,<flow-label>='<matching expression>']"
724
, where the label is used to symbolically identify the flow specified by the expression.
725
The expression format is specified in the appendix. If an expression is specified, then
726
the information concerning flows can be accessed following the HTML link named 'List NetFlows'.
728
For instance define two flows with the following expression
729
.B "LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'".
731
All the traffic sent/received by hosts jake.unipi.it or pisanino.unipi.it is collected by
733
and added to the LucaHosts flow, whereas all the packet routed by the gateway gateway.unipi.it
734
are added to the GatewayRoutedPkts flow. If the flows list is very long you may store in a
735
file (for instance flows.list) and specify the file name instead of the actual flows list
736
(in the above example, this would be 'ntop -F flows.list').
738
Note that the double quotations around the entire flow expression are required.
740
.It2 -K --enable-debug
741
Use this parameter to simplify application debug. It does three things:
742
1. Does not fork() on the "read only" html pages.
743
2. Displays mutex values on the configuration (info.html) page.
744
3. (If available - glibc/gcc) Activates an automated backtrace on application errors.
746
.It2 -L --use-syslog=facility
747
Use this parameter to send log messages to the system log instead of stdout.
749
-L and the simple form --use-syslog use the default log facility, defined as
750
LOG_DAEMON in the #define symbol DEFAULT_SYSLOG_FACILITY in globals-defines.h.
752
The complex form, --use-syslog=facility will set the log facility to whatever
753
value (e.g. local3, security) you specify.
754
.B The = is REQUIRED and no spaces are allowed!
756
This setting applies both to
758
and to any child fork()ed for reporting. If this parameter is not specified, any
759
fork()ed child will use the default value and will log it's messages to the
760
system log (this occurs because the fork()ed child must give up it's access
761
to the parents stdout).
763
Because various systems do not make the permissible names available, we have
764
a table at the end of globals-core.c. Look for myFacilityNames.
766
.It2 -M --no-interface-merge
769
merges the data collected from all of the interfaces (NICs) it is monitoring into a
770
single set of counters.
772
If you have a simple network, say a small LAN with a connection to the internet,
773
merging data is good as it gives you a better picture of the whole network.
774
For larger, more complex networks, this may not be desirable.
775
You may also have other reasons for wishing to monitor each interface separately,
776
for example DMZ vs. LAN traffic.
778
This option instructs
780
not to merge network interfaces together. This means that
782
will collect statistics for each interface and report them separately.
784
Only ONE interface may be reported on at a time - use the
785
.B Admin | Switch NIC
786
option on the web server to select which interface to report upon.
788
Note that activating either the netFlow and/or sFlow plugins will force the
789
setting of -M. Once enabled, you cannot go back.
791
.It2 -O --output-packet-path
792
This parameter defines the base path for the ntop-suspicious-pkts.XXX.pcap and
793
normal packet dump files.
795
If this parameter is not specified, the default value is the config.h parameter
796
CFG_DBFILE_DIR, which is set during ./configure from the --localstatedir= parameter.
797
If --localstatedir is not specified, it defaults to the --prefix value plus /var
798
(e.g. /usr/local/var).
800
Be aware that this may not be what you expect when running
802
as a daemon or Windows service. Setting an explicit and absolute path value is
804
recommended if you use this facility.
806
.It2 -P --db-file-path
807
.It2 -Q --spool-file-path
808
These parameters specify where
810
stores database files.
812
There are two types, 'temporary' - that is ones which need not be retained
817
run, and 'permanent', which must be retained (or recreated).
819
The 'permanent' databases are the preferences, "prefsCache.db" and the password
820
file, "ntop_pw.db". These are stored in the -P | --db-file-path specified location.
822
Certain plugins use the -P | --db-file-path specified location for their database
823
("LsWatch.db") or (as a default value) for files (.../rrd/...).
825
The 'temporary' databases are the address queue, "addressQueue.db", the cached DNS
826
resolutions, "dnsCache.db" and the MAC prefix (vendor table), "macPrefix.db".
828
If only -P | --db-file-path is specified, it is used for both types of databases.
830
The directories named must allow read/write and
833
user. For security, nobody else should have even read access to these files.
835
Note that the default value is the config.h parameter CFG_DBFILE_DIR.
836
This is set during ./configure from the --localstatedir= parameter.
837
If --localstatedir is not specified, it defaults to the --prefix value plus /var
838
(e.g. /usr/local/var).
840
This may not be what you expect when running
842
as a daemon or Windows service.
844
Note that on versions of
846
prior to 2.3, these parameters defaulted to "." (the current working directory, e.g.
847
the value returned by the pwd command) and caused havoc as it was different when
849
was run from the command line, vs. run via cron, vs. run from an initialization
852
Setting an explicit and absolute path value is
857
Specifies the URL of the mapper.pl utility.
861
creates a clickable hyperlink on the 'Info about host xxxxxx' page to this URL by appending
863
Any type of host lookup could be performed, but this is intended to lookup the geographical
864
location of the host.
866
A cgi-based mapper interface to http://www.multimap.com is part of the
868
distribution [see www/Perl/mapper.pl]).
873
version information and then exits.
875
.It2 -W --https-server
876
(See the joint documentation with the -w parameter, above)
878
.It --disable-instantsessionpurge
880
sets completed sessions as 'timed out' and then purge them almost instantly, which is
881
not the behavior you might expect from the discussions about purge timeouts. This switch
882
makes ntop respect the timeouts for completed sessions. It is NOT the default because
883
a busy web server may have 100s or 1000s of completed sessions and this would significantly
884
increase the amount of memory
888
.It --disable-mutexextrainfo
890
stores extra information about the locks and unlocks of the protective mutexes it uses. Since
892
uses fine-grained locking, this information is updated frequently. On some OSes, the system
893
calls used to collect this informatio (getpid() and gettimeofday()) are expensive. This option
894
disables the extra information. It should have no processing impact on
898
actually deadlock, we would lose the information that sometimes tells us why.
900
.It --disable-schedyield
902
uses sched_yield() calls for better interactive performance. Under some situations, primarily
903
under RedHat Linux 8.0, this can deadlock, causing the
905
web server to stop responding, although
907
appears to still be operational according to the ps command. Use this switch to disable
908
these calls, IF you are seeing deadlocks.
910
.It --disable-stopcap
913
to the old (v2.1) behavior on a memory error.
914
The default of stopcap enabled makes the web interface available albeit with static
919
.It --pcap_setnonblock
920
On some platforms, the select() call
922
uses to wait for web server requests will hang. This option sets the non-blocking
923
option (assuming it's available in the version of libpcap that is installed).
924
While this fixes the problem, it also signifcantly increases the cpu usage of
926
(by turing an interupt driven process into a poll). If the web server hangs,
929
seems to keep runing just fine, try this option. It's know to be an issue under
932
.It --skip-version-check
935
accesses a remote file to periodically check if the most current version is running.
936
This option disables that check. Please review the privacy notice at the bottom of
937
this page for more information.
938
By default, the recheck period is slightly more than 15 days. This can be adjusted
939
via a constant in globals-defines.h. If the result of the initial check indicates that
942
version is a 'new development' version (that is newer than the latest published
943
development version), the recheck is disabled. This is because which fixes and
944
enhancements were present/absent from the code.
946
NOTE: At present, the recheck does not work under Windows.
951
generates displayable but not great html. There are a number of tags we do not
952
generate because they cause problems with older browsers which are still commonly
953
used or are important to look good on real-world browsers.
956
to generate 'BETTER' (but not perfect) w3c compliant html 4.01 output. This in no
957
way addresses all of the compatibility and markup issues. Over time, we would like
960
more compatible, but it will never be 100%. If you find any issues, please report
966
is running, multiple users can access the traffic information using their web browsers.
968
does not generate 'fancy' or 'complex' html, although it does use frame, shallowly nested
969
tables and makes minimal use of Cascading Style Sheets.
971
We do not expect problems with any current web browser, but
972
our ability to test less common ones is very limited.
974
The main HTML page is divided into three frames. Beginning with release 2.3, the menus have
975
been compacted to small text selections stacked on top of each other.
977
The top frame is a 'tabbed' navigation bar, containing broad items such as 'Total', 'Sent'
979
The middle frame is the detailed navigation or menu bar, containing the items relevant to
980
the top selection, for example "IP" traffic statistics from a "Totals" menu.
981
The resulting data is displayed in the bottom frame.
983
In documentation and this man page, when we refer to a page such as Admin | Switch NIC, we
984
mean the Broad category "Admin" and the detailed item "Switch NIC" on that Admin menu.
988
requires a number of external tools and libraries to operate.
989
Certain other tools are optional, but add to the program's capabilities.
991
.It --webserver-queue
992
Specifies the maximum number of web server requests for the tcp/ip stack to retain in
993
it's queue awaiting delivery to the
995
web server. Requests in excess of this queue may be dropped (allowing for retransmission) or
996
rejected at the tcp/ip stack level, depending upon the OS.
997
Whatever happens, happens at the OS level, without any information being delivered to
1000
Required libraries include:
1003
from http://www.tcpdump.org/
1005
The Windows version makes use of
1007
(libpcap for Windows) which may be downloaded from
1008
http://winpcap.polito.it/install/default.htm.
1010
WARNING: The 2.x releases of
1012
will NOT support SMP machines.
1016
from http://www.gnu.org/software/gdbm/gdbm.html
1020
requires a POSIX threads library. Although a single-threaded version of
1022
can be built from the source if requested during ./configure, it is not
1023
recommended for more than trivial usage.
1028
library, for the creation of png files, available at
1029
http://www.boutell.com/gd/.
1031
supports both gd 1.X and 2.X
1035
library, for the creation of png files, available at http://www.libpng.org/pub/png/libpng.html.
1037
supports both the 1.0.x series and the 1.2.x series of libpng, but cautions users that there
1038
are incompatibilities if you compile with one and run with the other. Please read the
1039
discussion in docs/FAQ before reporting ANY problem with libpng.
1041
(if an https:// server is desired)
1043
from the OpenSSL project available at http://www.openssl.org.
1048
library is required by the rrd plugin. rrdtool creates 'Round-Robin databases' which are
1049
used to store and graph historical data in a format that permits long duration retention
1050
without growing larger over time.
1051
The rrdtool home page is http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
1054
includes a patched and frozen version of rrdtool 1.0.42 in the myrrd/ directory. Users of
1056
v2.3 should not need to specifically install rrdtool.
1061
Plugin is courtesy of and supported by InMon Corporation, http://www.inmon.com/sflowTools.htm.
1064
There are other optional libraries. See the output of ./configure for a fuller listing.
1067
Tool locations are current as of July 2003 - please send email to
1068
report new locations or dead links.
1078
By default at startup and at periodic intervals, the
1080
program will retrieve a file containing current ntop program version information.
1081
Retrieving this file allows this
1083
instance to confirm that it is running the most current version.
1085
The retrieval is done using standard http:// requests, which will create log
1086
records on the hosting system. These log records do contain information which
1087
identifies a specific
1089
site. Accordingly, you are being notified that this individually identifiable
1090
information is being transmitted and recorded.
1092
You may request - via the
1093
.B --skip-version-check
1094
run-time option - that this check be eliminated. If you use this option, no
1095
individually identifiable information is transmitted or recorded, because the
1096
entire retrieval and check is skipped.
1098
We ask you to allow this retrieval and check, because it benefits both you and the
1100
developers. It benefits you because you will be automatically notified
1103
program version is obsolete, becomes unsupported or is no longer current.
1104
It benefits the developers of
1106
because it allows us to determine the number of active
1108
instances, and the operating system/versions that users are running
1110
under. This allows us to focus development resources on systems like those our
1115
The individually identifiable information is contained in the web server log
1116
records which are automatically created each time the version file is retrieved.
1117
This is a function of the web server and not of
1119
, but we do take advantage of it.
1120
The log record shows the IP address of the requestor (the
1122
instance) and a User-Agent header field. We place information in the User-Agent
1126
host/<name from config.guess>
1128
release/<of the distro, also if one>
1129
kernrlse/<kernel version or release>
1131
config() <condensed parameters from ./configure>
1132
run() <condensed flags - no data - from the execution line>
1137
access/<http, https, both or none>
1138
interfaces() <given interface names>
1142
ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat release/9 kernrlse/2.4.20-8smp
1143
GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m; instantsessionpurge;
1144
schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
1145
access/http interfaces(eth0,eth1)
1147
Distro and release information is determined at compile time and consists of
1148
information typically found in the /etc/release (or similar) file. See the
1150
tool linuxrelease for how this is determined.
1152
gcc compiler version (if available) is the internal version #s for the gcc
1153
compiler, e.g. 3.2.3.
1155
kernrlse is the Linux Kernel version or the xBSD 'release' such as 4.9-RELEASE
1156
and is determined from the uname data (if it's available).
1158
The ./configure parameters are stripped of directory paths, leading -s, etc. to
1159
create a short form that shows us what ./configure parameters people are using.
1161
Similarly, the run time parameters are stripped of data and paths, just showing
1162
which flags are being used.
1164
The libpcap, gdbm, openssl and zlib versions come from the strings returned by the various
1165
inquiry functions (if they're availabe).
1167
Here's a sample log record:
1169
67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml HTTP/1.0"
1170
200 1568 www.burtonstrauss.com "-" "ntop/2.2.98 host/i686-pc-linux-gnu
1171
distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n)
1172
run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;
1173
usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 access/http
1174
interfaces(eth0,eth1,eth2)" "-"
1177
Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing list. The
1178
ntop <ntop@ntop.org> mailing list is used for discussing ntop usage issues. In
1179
order to post messages on the lists a (free) subscription is required in order
1180
to limit/avoid spam. Please do NOT contact the author directly unless this is
1181
a personal question.
1183
Commercial support is available under request. Please see the ntop site for further info.
1185
Please send code patches to <patch@ntop.org>.
1188
ntop's author is Luca Deri (http://luca.ntop.org/) who can be reached at <deri@ntop.org>.
1191
ntop is distributed under the GNU GPL licence (http://www.gnu.org/).
1194
The author acknowledges the Centro Serra of the University of Pisa, Italy (http://www-serra.unipi.it/) for
1195
hosting the ntop sites (both web and mailing lists), and Burton Strauss
1196
<burton@ntopsupport.com> for his help and user assistance. Many thanks to Stefano
1197
Suin <stefano@ntop.org> and Rocco Carbone <rocco@ntop.org> for contributing to