<!-- Manpage converted by man2html 3.0.1 -->
ntop - display top network users
<B>ntop</B> [<B>-c</B>] [<B>-E</B>] [<B>-r</B> <I>refresh time</I>] [<B>-R</B> <I>filter rules</I>] [<B>-f</B>
<I>traffic dump file</I>] [<B>-n</B>] [<B>-N</B>] [<B>-M</B>] [<B>-q</B>] [<B>-p</B> <I>TCP/UDP protocols</I>
<I>to monitor</I>] [<B>-i</B> <I>interface</I>] [<B>-e</B> <I>num rows</I>] [<B>-w</B> <I>HTTP IP:port</I>]
[<B>-W</B> <I>HTTPS IP:port</I>] [<B>-d</B>] [<B>-S</B> <I>value</I>] [<B>-P</B> <I>dbpath</I>] [<B>-m</B> <I>local subnet</I>]
[<B>-a</B> <I>access log file path</I>] [<B>-b</B> <I>client:port DB client</I>]
[<B>-g</B> <I>client:port NetFlow Collector</I>] [<B>-t</B> <I>trace level</I>] [<B>-u</B> <I>user name</I>]
[<B>-l</B> <I>dump file name</I>] [<B>-U</B> <I>mapper.pl URL</I>] [<B>-F</B> <I>flow filter expression</I>]
[<B>filter expression</B>]
<H2>DESCRIPTION</H2><PRE>
<B>ntop</B> shows the current network usage. It displays a list
of hosts that are currently using the network and reports
information concerning the (IP and non-IP) traffic generated
by each host. <B>ntop</B> can be started either in a terminal
window (see <B>intop</B>) or in web mode. In the latter case, a
web browser is needed to use the program.
<H2>COMMAND-LINE OPTIONS</H2><PRE>
By default idle hosts are periodically purged from memory.
Use this flag to prevent idle hosts from being purged from
memory. NOTE: if idle hosts are kept in memory, memory
usage can become very high.
By default ntop does not take advantage of lsof/nmap even
if they are present. Use this flag if you want to make ntop
aware of such tools (if present).
Specifies the filter rules used by ntop for emitting
alerts and warnings when the traffic matches the specified
rules. Should you need further details about filter rules,
please refer to the ntop-rules(8) man page.
Specifies the delay (in seconds) between screen updates
(the default is 3 seconds). If the -l flag is used, it
specifies how often entries are logged in the log file.
Please note that if the delay is very short (1 second for
instance), ntop might not be able to process all the net-
Specifies the file containing tcpdump-captured traffic to
be used by ntop. Note: if you specify -f, ntop will not
capture any traffic after the file has been read. This
option is mostly used for debugging purposes.
Forces ntop not to use nmap (if it is installed).
Forces ntop not to merge network interfaces together.
This means that ntop will collect statistics for each
interface and will not merge data together.
Forces ntop to create a file ntop-suspicious-pkts.XXX.pcap
(XXX is the interface name) for each network interface, in
which suspicious packets are stored. The file is in pcap
format (tcpdump).
This causes <B>ntop</B> to show numeric IP addresses instead of
the symbolic names. This option can be useful when DNS is
not available or quite slow. You can toggle the address
format (numeric vs. symbolic) by pressing the <B>n</B> key while
<B>ntop</B> is running.
Specifies the TCP/UDP protocols that <B>ntop</B> will monitor.
The format is <label>=<protocol list>[,<label>=<protocol
list>], where label is used to symbolically identify the
<protocol list>. The format of <protocol list> is
<protocol>[|<protocol>], where <protocol> is either a valid
protocol specified inside the /etc/services file or a
numeric port or port range (e.g. 80, or 6000-6500). If the
-p flag is omitted the following default value is used:
"FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,
Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,
Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,
NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,
X11=6000-6010,SSH=ssh". If the <protocol list> is very
long you may store the value of the <protocol list> in a
file (for instance protocol.list) and specify the file
name instead of the <protocol list> (in the above example
you would invoke 'ntop -p protocol.list').
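The -p format above is easy to get subtly wrong (a misspelled service name, an inverted range, a duplicated label). The following added example, which is not ntop's own code, parses a -p specification into a label-to-port mapping so it can be checked before ntop is started with it. The SERVICES table is a constructed subset of /etc/services; ntop itself consults the real file.

```python
"""Parser for the ntop -p protocol specification.

Added example (not ntop's own code): turns a spec such as
"FTP=ftp|ftp-data,X11=6000-6010" into a label -> port-set mapping so
the list can be validated before ntop is started with it.
"""
from __future__ import annotations

# Constructed subset of /etc/services; ntop itself reads the real file.
SERVICES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "domain": 53, "http": 80, "www": 80, "pop-3": 110, "nntp": 119,
    "imap": 143, "snmp": 161, "snmp-trap": 162, "https": 443,
}


def _resolve(token: str, services: dict[str, int]) -> set[int]:
    """Resolve one <protocol>: a service name, a port, or a port range."""
    token = token.strip()
    if token in services:
        return {services[token]}
    lo, dash, hi = token.partition("-")
    if lo.isdigit() and (hi.isdigit() or not dash):
        start, end = int(lo), int(hi) if dash else int(lo)
        if not 0 < start <= end <= 65535:
            raise ValueError(f"port range out of bounds: {token!r}")
        return set(range(start, end + 1))
    raise ValueError(f"unknown protocol {token!r}")


def parse_protocol_spec(spec: str, services: dict[str, int] = SERVICES) -> dict[str, set[int]]:
    """Parse '<label>=<protocol list>[,<label>=<protocol list>]'.

    <protocol list> is '<protocol>[|<protocol>]'. Labels must be unique;
    an unknown protocol name or a malformed entry raises ValueError so a
    bad spec is caught before ntop is started with it.
    """
    result: dict[str, set[int]] = {}
    for entry in spec.split(","):
        label, eq, protos = entry.partition("=")
        label = label.strip()
        if not (eq and label and protos):
            raise ValueError(f"malformed entry {entry!r}")
        if label in result:
            raise ValueError(f"duplicate label {label!r}")
        ports: set[int] = set()
        for proto in protos.split("|"):
            ports |= _resolve(proto, services)
        result[label] = ports
    return result
```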
Specifies the network interface used by <B>ntop</B>. If multiple
interfaces are used (this feature is available only if
ntop is compiled with thread support) they have to be
separated with a comma, for instance -i "eth0,lo". Traffic
information obtained from all the interfaces is merged
together as if the traffic had been produced by one
interface. Use the -M flag to avoid merging traffic.
Is the maximum number of HTML table rows that <B>ntop</B> will
<B>ntop</B> sports an embedded web server so that users can
attach their web browsers to the specified port and
browse traffic information remotely. Supposing <B>ntop</B> is
started on port <B>3000</B> (the default port), the URL to
access is http://hostname:3000/. Users and URLs to protect
with passwords are stored in a database file. By default
user/URL administration is accessible only to the user
<B>admin</B> with password <B>admin</B>. Passwords are stored in
encrypted form in the database for further security.
Please note that a separate HTTP server is NOT needed, as
one is embedded in the application. If -w is set to 0 the
HTTP port will not be enabled ('-w 0' is accepted only if
<B>ntop</B> has been compiled with HTTPS support and <B>ntop</B> has
not been started with '-W 0' [see below]). You can also
use the IP:Port notation to bind ntop to the specified IP
address, e.g. <B>-w</B> <B>127.0.0.1:3000</B>
If <B>ntop</B> has been compiled with HTTPS support (via
OpenSSL), this flag can be used to set the HTTPS port
(default <B>3001</B>). If the user specifies '-W 0', HTTPS
support is disabled. Some examples:
1. <B>ntop</B> <B>-w</B> <B>80</B> <B>-W</B> <B>443</B> (both HTTP and HTTPS enabled at
   their default ports)
2. <B>ntop</B> <B>-w</B> <B>0</B> <B>-W</B> <B>443</B> (HTTP disabled, HTTPS enabled at
   the default port)
You can also use the IP:Port notation to bind ntop to the
specified IP address, e.g. <B>-w</B> <B>127.0.0.1:3001</B>
This flag causes ntop to become a daemon, i.e. it is
started in background and detached from the terminal.
store hosts, 1 = store all hosts, 2 = store only local
hosts. This flag allows ntop not to lose traffic stats
across multiple ntop sessions. Please note that
information about TCP sessions is (obviously) lost.
Specifies where db files are searched for or created
(default "."). In addition, DBPATH/html is added to the
search list for the web files.
This flag allows users to specify the subnets whose
traffic is considered local. The format is <network
address>/<# subnet mask bits>[,<network address>/<# subnet
mask bits>]. For instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".
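The -m list decides which hosts ntop reports as local, so a typo there silently reclassifies traffic. As an added example that is not ntop's own code, the following parses the -m format (accepting both the prefix-length and the dotted-mask notation that the example above mixes), rejects networks with host bits set, and classifies a source/destination pair into the local/remote categories used by the web views.

```python
"""Matcher for the ntop -m local-subnet specification.

Added example (not ntop's own code): parses the comma-separated list
and classifies addresses as local or remote, the split behind the
local-to-remote, remote-to-local and local-to-local web views.
"""
import ipaddress
from typing import Iterable


def parse_local_subnets(spec: str) -> list[ipaddress.IPv4Network]:
    """Parse '<network address>/<# subnet mask bits>[,...]'.

    The man page's own example mixes a prefix length (131.114.21.0/24)
    with a dotted mask (10.0.0.0/255.0.0.0), so both forms are accepted.
    A network with host bits set (e.g. 131.114.21.5/24) is rejected rather
    than silently widened, since that would change which hosts are local.
    """
    nets = []
    for entry in spec.split(","):
        entry = entry.strip()
        if "/" not in entry:
            raise ValueError(f"missing mask in {entry!r}")
        nets.append(ipaddress.IPv4Network(entry, strict=True))
    return nets


def is_local(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if addr falls inside any configured local subnet."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)


def classify(src: str, dst: str, nets: Iterable[ipaddress.IPv4Network]) -> str:
    """Name the traffic category a packet from src to dst belongs to.

    The first three names match the web views listed in this man page;
    the fourth covers traffic between two non-local hosts that happens
    to be seen on the monitored interface.
    """
    nets = list(nets)
    s, d = is_local(src, nets), is_local(dst, nets)
    if s and d:
        return "local to local"
    if s:
        return "local to remote"
    if d:
        return "remote to local"
    return "remote to remote"
```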
By default <B>ntop</B> logs HTTP accesses in the file
ntop.access.log in the current directory. Use this flag
to specify the path of the file where HTTP accesses will
be logged. Each log entry is in Apache-like style. The
only difference between Apache and <B>ntop</B> is that <B>ntop</B>
adds a new column. Such column contains the time (in
milliseconds) that ntop needed in order to
Exports <B>ntop</B> traffic information into a SQL database. The
flag specifies (in http-like host format) the address
(IP:port) of a SQL client. The database/ directory of the
ntop distribution contains a few clients; please use one
of those.
Exports <B>ntop</B> traffic information in Cisco NetFlow V5
(http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm)
format. The flag specifies (in http-like host format) the
address (IP:port) of a NetFlow client such as
ftp://ftp.net.ohio-state.edu/users/maf/cisco/.
Specifies the user <B>ntop</B> should run as after it
initializes. The value specified may be either a username
or a numeric user id. The group id used will be the
primary group of the user specified.
Dumps the network traffic captured by ntop in a file in
pcap format (useful for debugging).
Specifies the URL of the mapper.pl utility (it's part of
the ntop distribution [see www/Perl/mapper.pl]) for
displaying host location.
This flag specifies the level of <B>ntop</B> tracing on stdout.
The trace level ranges between 0 (no trace) and 5 (full
debug tracing). The default trace value is 3. The higher
the trace level, the more information is printed. Trace
level 1 is used to print errors only, level 2 for both
warnings and errors, and so on.
It is used to specify network flows, similar to more
powerful applications such as NeTraMet. A flow is a stream
of captured packets that match a specified rule. The
format is <flow-label>='<matching expression>'
[,<flow-label>='<matching expression>'], where the label
is used to symbolically identify the flow specified by the
expression. The expression format is specified in the
appendix. If an expression is specified, then the
information concerning flows can be accessed by following
the HTML link named 'List NetFlows'. For instance, suppose
two flows are defined with the following expression:
"LucaHosts='host jake.unipi.it or host
pisanino.unipi.it',GatewayRoutedPkts='gateway
gateway.unipi.it'". All the traffic sent/received by hosts
jake.unipi.it or pisanino.unipi.it is collected by <B>ntop</B>
and added to the LucaHosts flow, whereas all the packets
routed by the gateway gateway.unipi.it are added to the
GatewayRoutedPkts flow. If the flows list is very long
you may store the list of flows in a file (for instance
flows.list) and specify the file name instead of the
flows list (in the above example you would invoke 'ntop -F
<B>filter</B> <B>expression</B>
<B>ntop</B>, similar to what tcpdump does, allows users to
specify an expression that restricts the type of traffic
handled by <B>ntop</B>, hence selecting only the traffic of
interest. For instance, suppose you are interested only in
the traffic generated/received by the host jake.unipi.it.
the <B>tcpdump</B> man page for further information about this
<H2>WEB VIEWS</H2><PRE>
While <B>ntop</B> is running, multiple users can access the
traffic information using conventional web browsers. The
main HTML page is divided into two frames. The left frame
allows users to select the traffic view that will be
displayed in the right frame. Available sections are: sort
traffic by data sent, sort traffic by data received,
traffic statistics, active hosts list, remote to local
(i.e. inside the subnet defined for the network board
from which the program is currently sniffing) IP traffic,
local to remote IP traffic, local to local IP traffic,
list of active TCP sessions, IP protocol distribution
statistics, IP protocol usage, IP traffic matrix.
<B>ntop</B> is based on the libpcap library that can be found at
http://www.tcpdump.org/. The Win32 version makes use of
libpcap for Win32 that can be downloaded from
http://www.netgroup.polito.it/WinPcap/install/.
<H2>SEE ALSO</H2><PRE>
<B>intop(1)</B>, <B>ntop-rules(8)</B>, <B>top(1)</B>, <B>ngrep(8)</B>, <B>tcpdump(8)</B>.
<B>netramet</B> (http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html).
Please send bug reports to the ntop mailing list
<ntop@ntop.org>. ntop's author is Luca Deri
<deri@ntop.org>.