~ubuntu-branches/ubuntu/trusty/ntop/trusty : revision 5

6

7

8

9

10

11

9

10

11

12

13

12

14

</head>

13

14

15

16

17

15

18

This is an unsophisticated, automated conversion of the source file, docs/FAQ into html.

16

19

Please report problems to the ntop-dev mailing list.

17

20

But remember, it's not about making it look good, it's about making the content available.

18

21

<hr>

19

22

20

21

22

Q.

23

Where can I find ntop?

24

25

26

A.

27

The official website can be found at http://www.ntop.org/.

28

29

30

31

Q.

32

Where do I get the source?

33

34

35

A.

36

SourceForge -- http://sourceforge.net/projects/ntop/

37

38

39

There is also a cvs (current development) maintained at cvs.ntop.org.

23

<h2>TOP 10 - the questions everyone asks...</h2>

24

25

Q0.  I downloaded the source and ./configure doesn't work.

26

A.  Yup.

27

There is a long history of warfare between the versions of the GNU

28

autotools we use to build the distribution files and the ones installed

29

on your host. So during the 3.3 development cycle, Luca finally gave in

30

and stopped distributing a generated configure file.

31

32

Instead there is a script, autogen.sh, which uses the version(s) of the

33

tools installed on your system to create configure and then run it.

34

35

Yes, this means you MUST have the following tools installed:

36

37

38

<pre>

39

libtool

40

automake

41

m4

42

autoconf

43

</pre>

44

We are talking only about people who are compiling from source. Those

45

tools are pretty much required for ANY source. Live with it.

46

47

48

Q1(a).  Can I store data in a SQL database?

49

50

Q1(b).  When ntop stops I lose all my data. Why?

51

52

Q1(c).  Why doesn't the -S option work?

53

A.  ntop used to optionally store some data in a SQL database. The code was broken, difficult to maintain, etc. and was removed. A LONG TIME AGO.

54

If you are reading about this in 'some' documentation - update.

55

56

Current ntop is 3.1, which is the only version we support.

57

58

There are scripts that various users have offered to take the data dump

59

and insert it into a SQL database. Search the back traffic on the mailing

60

list for them.

61

62

Yes, ntop uses memory based structures to hold usage data and they are lost

63

when you reset or restart ntop.

64

65

Persistent storage is in the RRD databases - there's a paper @ SourceForge

66

that explains them.

67

68

There was another option for some persistence - it was -S - look in FAQarchive

69

for an article about it, "What was the -S option?".

70

71

72

Q2.  The archive isn't indexed, so I can't search it.

73

A.  Yes, but it's easy to search using search engines or mail archives.

74

Google: You need to restrict the search to the U of Pisa mail list

75

gateway, i.e.:

76

77

78

<pre>

79

site:listgateway.unipi.it ntop freebsd

80

</pre>

81

Two 'mail archive' sites that I know of (as of March 2005) are:

82

83

gmane: http://search.gmane.org (our lists are renamed as gmane.linux.ntop.general

84

and gmane.linux.ntop.devel).

85

86

The Mail Archive:

87

88

89

<pre>

90

http://www.mail-archive.com/ntop-dev@unipi.it/

91

http://www.mail-archive.com/ntop@unipi.it/

92

</pre>

93

94

Q3.  ntop crashed and the last log message is "xxxxx".

95

A.  Sorry, that's useless. ntop is multi-threaded and processes 100s or 1000s of packets per second. The last log message is probably from the wrong thread

96

and many seconds out of date.

97

98

To capture the true 'failure point information', you need to run under the

99

debugger (gdb) and send us the various outputs. Instructions are at the bottom

100

of this document. Look for "GDB ultraMini-tutorial".

101

102

Yes, you will need the source and a compiler.

103

104

105

Q3(a).  What about the backtrace?

106

A.  Again, probably useless. Use gdb and capture the full failure point info. If you want to see more, look for "Q. What about the backtrace?" below.

107

108

109

Q4.  I'm running out of memory.

110

A.  Basically ntop uses a lot of memory - it stores a chunk of information about each and every host it's monitoring. See "Q. Why does ntop use so much memory ?" and

111

the following articles below.

112

113

114

Q5.  Dropped packets?

115

A.  There are lots of reasons - look for "Q. Why does ntop drop packets?" below. Short version, is that as long as it's random, the information you glean from ntop

116

(32% of our usage is P2P Music) is still valid. But you are probably understating

117

any problems.

118

119

120

Q6.  The docs at ntop.org say ...

121

A.  Stop right there. They're out of date (notice, for example, the man page is July 2002?).

122

123

The only current stuff is this FAQ (which gets out of date quickly) the other files

124

in the distribution and the mailing lists.

125

126

You can access the updated FAQ from docs/FAQ in the cvs or from your ntop instance

127

(click on the (?) icon in the "About" menu and read down 1/2 a page or so.

128

129

130

Q7.  How do I report a problem?

131

A.  Best way is to use the PR (Problem Report) form - it automatically includes a lot of the important information about your ntop instance. In the "About" menu, click on the

132

"Bug" icon. This generates a text form you can copy into your email program, update

133

and send.

134

135

136

Q8.  HACK ALERT HACK ALERT - ntop is sending information to some machine called "jake".

137

A.  Chill. Take a deep breath.

138

Jake is the cannonical name for version.ntop.org. All you are seeing is the version

139

check. See "Q. What's with the version check?" below.

140

141

142

Q9.  The program asks for password for "ntop HTTP server". When I started NTOP for the first time, it asked me to set admin password, and i put "xxxxxxxx". The user is "xxxxxxxxxx"

143

but I get "Unauthorized to access the document". Why?

144

145

A.  The correct user to specify for the ntop web server is admin. The -u value in the command line or parameter file is the account ntop runs under.

146

147

148

Q10.  I'm not getting any rrd output.

149

A.  First, make sure that the plugin is installed (you should see it in the web interface under plugins). Make sure it is configured and active.

150

151

The default configuration does NOT include per-host .rrd files, because these can take

152

up a lot of space. But you probably want them and at the medium or high level of detail.

153

154

155

Q11.  Single Threaded ntop?

156

A.  Gone. Poof. We're in a multi-threaded world, so live with it.

157

158

Q.  Where can I find ntop?

159

A.  The official website can be found at http://www.ntop.org/.

160

161

Q.  Where do I get the source?

162

A.  SourceForge -- http://sourceforge.net/projects/ntop/

163

There is also a cvs (current development) maintained at cvs.ntop.org.

40

164

(instructions are on the download page of www.ntop.org)

41

165

42

43

<pre>

44

DO NOT (under ANY circumstances) USE THE SOURCE FILES FROM

45

http://snapshot.ntop.org!!!!! They are broken, incomplete and

46

WILL NOT WORK. (See 'snapshot, cvs and the Wiki' below)

47

</pre>

48

49

50

Q.

51

What is ntop?

52

53

54

A.

55

ntop is an open source network top - it monitors a network and collects

56

information about the protocols and hosts for display.

57

58

59

60

Q.

61

Um, so it's like mrtg (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/)?

62

63

64

A.

65

Yes and no...

66

67

68

Yes in that both are analyzers of network packets.

69

70

71

Yes in that both display information about your network.

72

73

74

No in that they take very different approaches to collecting information.

75

76

77

No in that they display different types of information.

78

79

80

81

Q.

82

So mrtg...

83

84

85

A.

86

mrtg creates a picture of the network centered on the device on the link

87

between devices (and aggregations of devices and links).

88

89

90

Tobias (Tobi) Oetiker describe mrtg as:

166

167

Q.  What is ntop?

168

A.  ntop is an open source network top - it monitors a network and collects information about the protocols and hosts for display.

169

170

171

Q.  Um, so it's like mrtg (http://people.ee.ethz.ch/~oetiker/webtools/mrtg/)?

172

A.  Yes and no...

173

Yes in that both are analyzers of network packets.

174

175

Yes in that both display information about your network.

176

177

No in that they take very different approaches to collecting information.

178

179

No in that they display different types of information.

180

181

182

Q.  So mrtg...

183

A.  mrtg creates a picture of the network centered on the device on the link between devices (and aggregations of devices and links).

184

185

Tobias (Tobi) Oetiker describe mrtg as:

91

186

92

187

93

188

<pre>

97

192

representation of this traffic."

98

193

</pre>

99

194

100

101

Q.

102

And mrtg works how?

103

104

105

A.

106

mrtg reads the counters maintained by various devices such as routers, using

107

a protocol called 'snmp' (Simple Network Monitoring Protocol). The

195

Q.  And mrtg works how?

196

A.  mrtg reads the counters maintained by various devices such as routers, using a protocol called 'snmp' (Simple Network Monitoring Protocol). The

108

197

management information bases (MIBs) read using snmp, contain incredibly

109

198

detailed information about the packets the device has seen and what it has

110

199

done with them.

111

200

112

113

Again, quoting Tobi:

114

115

116

"MRTG ... uses SNMP to read the traffic counters of your routers and

117

201

Again, quoting Tobi:

202

203

118

204

<pre>

119

... which logs the traffic data and creates beautiful graphs representing

120

the traffic on the monitored network connection."

205

"MRTG ... uses SNMP to read the traffic counters of your routers and

206

... which logs the traffic data and creates beautiful graphs representing

207

the traffic on the monitored network connection."

121

208

</pre>

122

123

mrtg is focused on 'layer 2' (the tcp/ip and other low level protocol).

124

125

126

127

Q.

128

And ntop?

129

130

131

A.

132

ntop doesn't use snmp - it's not a device centric view of the network.

133

Instead ntop actually processes the network packets directly.

134

135

136

137

Q.

138

What's wrong with snmp?

139

140

141

A.

142

Nothing.

143

144

145

snmp is a pull protocol, that is a monitoring tool has to pull the

209

mrtg is focused on 'layer 2' (the tcp/ip and other low level protocol).

210

211

212

Q.  And ntop?

213

A.  ntop doesn't use snmp for it's main analysis - it's not a device centric view of the network. Instead ntop actually processes the network packets

214

directly.

215

216

217

Q.  What's wrong with snmp?

218

A.  Nothing. As of 3.1, ntop has some sort of snmp plugin.

219

It's just different.

220

221

snmp is a pull protocol, that is a monitoring tool has to pull the

146

222

information from the device. snmp has 'traps' that is alert messages which

147

223

can be sent out, but the MIB data has to be read by the monitoring tool from

148

224

the device.

149

225

150

151

snmp is an older protocol, from the dawn of the network era and it has some

226

snmp is an older protocol, from the dawn of the network era and it has some

152

227

minor issues of security and complexity and verbosity. But it's a critical

153

228

network protocol, used successfully by 1000s of ISPs to monitor AND CONTROL

154

229

vast networks.

155

230

156

157

From our perspective, the problems with snmp are minor -

158

159

160

<pre>

161

It can use a lot of bandwidth - especially if you're reading from devices

162

on the far side of slow links.

163

</pre>

164

165

<pre>

166

Pulling data out of MIBs is a complex process. MIBs can be specified in

167

an RFC, or be unique to a vendor/device.

168

</pre>

169

170

<pre>

171

An snmp-based tool either has to restrict itself to the common MIBs,

172

or (most often for vendor tools) it be updated whenever a new device

173

must be supported or a MIB changes.

174

</pre>

175

176

<pre>

177

This makes snmp-based tools complex, because data may be unavailable

178

in certain versions of seemingly similar devices, etc. For example,

179

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

180

is a page which links to the specific MIBs supported by various

181

Cisco devices.

182

</pre>

231

From our perspective, the problems with snmp are minor -

232

233

It can use a lot of bandwidth - especially if you're reading from devices

234

on the far side of slow links.

235

236

Pulling data out of MIBs is a complex process. MIBs can be specified in

237

an RFC, or be unique to a vendor/device.

238

239

An snmp-based tool either has to restrict itself to the common MIBs,

240

or (most often for vendor tools) it be updated whenever a new device

241

must be supported or a MIB changes.

242

243

This makes snmp-based tools complex, because data may be unavailable

244

in certain versions of seemingly similar devices, etc. For example,

245

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

246

is a page which links to the specific MIBs supported by various

247

Cisco devices.

248

183

249

184

185

Q.

186

So why hasn't ntop 'won'?

187

188

189

A.

190

mrtg excels at monitoring 100s or 1000s of network devices (routers,

191

switches, etc.) and presenting that information over long periods of time.

192

193

194

ntop doesn't do a good job of showing multiple 'networks' - it's really

250

Q.  So why hasn't ntop 'won'?

251

A.  mrtg excels at monitoring 100s or 1000s of network devices (routers, switches, etc.) and presenting that information over long periods of time.

252

253

ntop doesn't do a good job of showing multiple 'networks' - it's really

195

254

focused on aggregating a picture of a single network. And for drilling down

196

255

into that picture or presenting it over long periods of time.

197

256

198

199

The processing of packets requires a lot more computer resources than just

257

The processing of packets requires a lot more computer resources than just

200

258

reading counters from devices. On the plus side, this gives much more

201

259

detailed information - for example ntop sees the actual web server request

202

260

instead of just that there was traffic on port 80. On the minus side, it's

204

262

available for ntop. An ISP using ntop to monitor a couple of T3s needs a

205

263

FAST computer and A LOT of memory.

206

264

207

208

ntop also requires access to the physical network (either directly via a

265

ntop also requires access to the physical network (either directly via a

209

266

network card or indirectly via a netFlow/sFlow probe). This limits ntop's

210

267

(usefullness|ability) to work across sites.

211

268

212

213

Once you learn what they do (mrtg and ntop), you'll probably discover that

269

Once you learn what they do (mrtg and ntop), you'll probably discover that

214

270

You need both.

215

271

216

272

217

218

Q.

219

What's this 'layer' crud?

220

221

222

A.

223

Network layers come from a widely cited but never implemented model, the OSI

224

(Open System Interconnect ) networking model from the ISO (International

273

Q.  What's this 'layer' crud?

274

A.  Network layers come from a widely cited but never implemented model, the OSI (Open System Interconnect ) networking model from the ISO (International

225

275

Standards Organization).

226

276

227

228

Google for it - for example

277

Google for it - for example

229

278

230

279

<pre>

231

280

http://www.ussg.iu.edu/usail/network/nfs/network_layers.html

232

281

</pre>

233

282

234

235

Q.

236

So ntop is like netFlow (Cisco), sFlow (RFC 3176, http://www.sflow.org) or

237

RMON (HP)?

238

239

240

A.

241

Not really, actually those are all protocols for sending and receiving

242

information about the network.

243

244

245

ntop has lots in common with the tools that USE those protocols.

246

247

248

And there are lots of tools - some proprietary, many open source.

249

250

251

The devices/programs that collect the information and send it out in netFlow,

283

Q.  So ntop is like netFlow (Cisco), sFlow (RFC 3176, http://www.sflow.org) or RMON (HP)?

284

285

A.  Not really, actually those are all protocols for sending and receiving information about the network.

286

287

ntop has lots in common with the tools that USE those protocols.

288

289

And there are lots of tools - some proprietary, many open source.

290

291

The devices/programs that collect the information and send it out in netFlow,

252

292

sFlow or RMON format are usually called (by me) 'probes'. The devices and/or

253

293

programs that receive the netFlow, sFlow or RMON formatted information and do

254

294

things with it are called 'collectors' (if they process it and forward it on)

255

295

or called 'displays'.

256

296

257

258

In fact, ntop can receive netFlow packets and both send and receive sFlow

297

In fact, ntop can receive netFlow packets and both send and receive sFlow

259

298

packets. It can be a 'probe' or a 'display'. (ntop used to be able to send

260

299

netFlow packets - that was removed 2004-03 by Luca).

261

300

262

301

263

264

Q.

265

So ntop is like Nagios or Ipswitch's - WhatsUp Gold?.

266

267

268

A.

269

Nope - those are layer 4 and higher (application) monitoring programs.

270

302

Q.  So ntop is like Nagios or Ipswitch's - WhatsUp Gold?.

303

A.  Nope - those are layer 4 and higher (application) monitoring programs.

271

304

272

273

Q.

274

So it's like ...

275

276

277

A.

278

Enough already - if you search Freshmeat.net,

279

http://freshmeat.net/search/?q=network+monitor&section=projects

305

Q.  So it's like ...

306

A.  Enough already - if you search Freshmeat.net, http://freshmeat.net/search/?q=network+monitor&section=projects

280

307

you will find (as of 18Aug2003):

281

308

282

309

283

310

<pre>

284

311

Topic :: System :: Networking :: Monitoring (654 projects)

285

312

</pre>

286

287

We'll be here all day. ntop is ntop.

313

We'll be here all day. ntop is ntop.

288

314

289

315

290

291

Q.

292

Ok, so ntop is a unique TCP/IP analyzer.

293

294

295

A.

296

Not exactly.

297

298

299

First off, ntop pretty much doesn't care about the lowest (layer 1 or wire)

316

Q.  Ok, so ntop is a unique TCP/IP analyzer.

317

A.  Not exactly.

318

First off, ntop pretty much doesn't care about the lowest (layer 1 or wire)

300

319

layer. It leaves dealing with that to a library, libpcap, which hides most

301

320

of that.

302

321

303

304

ntop is designed as a hybrid packet analyzer, not a pure Ethernet analyzer

322

ntop is designed as a hybrid packet analyzer, not a pure Ethernet analyzer

305

323

(layer 2) nor a pure TCP/IP analyzer (layer 3).

306

324

307

308

ntop gets the data at the layer 2 (frame) level, which could be Ethernet

325

ntop gets the data at the layer 2 (frame) level, which could be Ethernet

309

326

or another protocol. Beyond Ethernet, ntop has minimal smarts about FDDI,

310

327

PPP, RAW and TOKEN-RING frames. That is, at least enough for some basic

311

328

counts or to extract the (layer 3) TCP/IP data in side.

312

329

313

314

ntop 3.0 adds TWO (three?) HUGE areas of new protocol support.

330

ntop 3.0 adds TWO (three?) HUGE areas of new protocol support.

315

331

316

317

ntop 3.0 supports IPv6, thanks to code contributed by Olivier Festor

332

ntop 3.0 supports IPv6, thanks to code contributed by Olivier Festor

318

333

<Olivier.Festor@loria.fr> and Abdelkader Lahmadi <Abdelkader.Lahmadi@loria.fr>

319

334

of the MADYNES Research Time (Managing DYnamic NEtworks and Services), see

320

335

http://madynes.loria.fr/.

321

336

322

323

ntop 3.0 has more than a fair amount of smarts about FibreChannel and SCSI

337

ntop 3.0 has more than a fair amount of smarts about FibreChannel and SCSI

324

338

thanks to code contributed by Dinesh G Dutt <ddutt@cisco.com> of Cisco.

325

339

326

327

However, since most of ntop's displayed counts are at the TCP/IP level, it

340

However, since most of ntop's displayed counts are at the TCP/IP level, it

328

341

confuses people into thinking ntop is purely a TCP/IP analyzer.

329

342

330

331

ntop is a traffic monitor with it's own network interfaces, which monitors

343

ntop is a traffic monitor with it's own network interfaces, which monitors

332

344

what it sees (or is told about through netFlow or sFlow probes).

333

345

334

346

335

336

Q.

337

ntop runs under?

338

339

340

A.

341

ntop is known to work under Linux, Mac OS X, FreeBSD, OpenBSD (3.4, nothing

342

earlier) NetBSD (with issues) and Win32.

343

344

345

ntop development is done primarily on RedHat Linux and Mac OS.

346

347

348

Luca also does a port to Win32 (MS Visual C++) and works in the Sun

349

Solaris environment.

350

351

352

I (Burton) usually work under RedHat Linux, but have a multi-boot system

353

for testing that runs various Linux distros, FreeBSD (4.9 and 5.2),

354

NetBSD, Solaris 8 i86 and OpenBSD.

355

356

357

During the ntop 3.0 development cycle, we did some development and

358

testing on various platforms. Here's data from the version.xml log

359

showing what people were running while testing 2.2.98 and 2.2.99:

360

361

362

<pre>

363

count OS Version

364

------- ------- --------------

365

492 Linux

366

90 Windows WinNT/2K/XP

367

11 FreeBSD 4.9

368

9 Solaris 9

369

7 Darwin 7.2.0

370

6 FreeBSD 5.2

371

6 FreeBSD 5.1

372

</pre>

373

374

<pre>

375

and <5 records for FreeBSD 4.6.2, 4.8, 5.0, 5.2.1; OpenBSD 3.4;

376

and Solaris 8.

377

</pre>

378

379

So:

380

381

382

<pre>

383

Solaris 8 / 9 work, 2.6 and 7 probably would...

384

FreeBSD 4.6.2/4.8/4.9 and 5.1/5.2

385

OpenBSD 3.4

386

</pre>

387

388

NetBSD doesn't seem to have been tested.

389

390

391

Lots of Different Linuxes... of the ones we recognize:

392

393

394

<pre>

395

count Distro Release

396

------- --------- --------

397

141 redhat 9

398

42 fedora 1

399

39 slackware 9.1.0

400

38 redhat 7.3

401

26 redhat 8.0

402

15 debian (probably 3.0)

403

11 mandrake 9.2

404

10 suse 9.0

405

10 slackware 9.0.0

406

9 redhat 7.2

407

8 debian 3.0

408

7 redhat 2.1AS

409

6 mandrake 9.1

410

5 suse 8.2

411

5 redhat 3

412

</pre>

413

414

and < 5 records for arch 0.6; aurora 1.0; aurox 9.2; fedora 0.95;

415

gentoo 1.4.2.9, 1.4.3.10 and 1.4.3.12; immunix 7.0; mandrake 8.1 and 8.2;

416

pld 1.1; redhat 1, 2.1, 6.2, 7.0, 7.1; slackware 7.1.0, 8.1 and 9.0-beta;

417

suse 6.3, 7.0, 8.0 and 8.1; and yellowdog 3.0.

418

419

420

<pre>

421

Running under pretty much any *nix is at least theoretically possible.

422

But it takes interested party/parties and access to resources - some of the

423

things that ntop does such as libpcap and loading plugins are tied tighter

424

to the OS than you might like.

425

</pre>

426

427

<pre>

428

There are sections below about each specific OS.

347

Q.  ntop runs under?

348

A.  ntop is known to work under Linux, Mac OS X, FreeBSD, Solaris and Win32.

349

ntop development is done primarily on Fedora Linux.

350

351

Luca also does a port to Win32 (MS Visual C .Net) and used to work in the Sun

352

Solaris environment. He also seems to work with FreeBSD 5.4.

353

354

I (Burton) usually work under Fedora Linux, but use Microsoft's VPC 2004 and

355

VMware Workstation 5 to test under other Linux distros and OSes.

356

357

Our users run under many other platforms - Here's data from the version.xml log

358

records showing what people were running while testing 3.2:

359

360

(This data covered approximately the first two weeks of July 2005)

361

362

363

<pre>

364

count version

365

------- -------

366

16684 3.1

367

10960 3.0

368

345 3.1rc1

369

259 3.1.1

370

etc.

371

</pre>

372

373

<pre>

374

count OS Version

375

------- ------- --------------

376

20509 Linux

377

3566 Windows WinNT/2K/XP

378

1752 Unknown Windowsv3.1

379

1018 Unknown Windowsv3.0

380

266 FreeBSD 5.3

381

234 FreeBSD 5.4

382

219 Darwin 7.7.0

383

</pre>

384

Of course, this is self-selected - people can turn off the logging.

385

386

Linux covers lots of Different Linuxes... of the ones we recognize:

387

388

389

<pre>

390

count Distro Release

391

------- --------- --------

392

3148 suse

393

2637 redhat 9

394

2625 fedora 3

395

2014 fedora 2

396

1541 debian 3.1

397

1373 gentoo 1.4.16

398

613 redhat 3

399

603 fedora 1

400

523 mandrakel 10.2

401

505 gentoo 1.6.12

402

473 redhat 7.3

403

448 mandrakel 10.1

404

428 debian

405

399 redhat 4

406

367 redhat 8.0

407

301 slackware 10.1.0

408

282 slackware 10.0.0

409

</pre>

410

The jump in 'SuSE' may represent nothing more than improved detection

411

in the 3.2/3.1 scripts vs. 3.0. We used to have a huge 'unknown' count.

412

413

414

<pre>

415

Running under pretty much any *nix is at least theoretically possible.

416

But it takes interested party/parties and access to resources - some of the

417

things that ntop does such as libpcap and loading plugins are tied tighter

418

to the OS than you might like.

419

</pre>

420

421

<pre>

422

There are sections below about each specific OS.

429

423

</pre>

430

424

<h2>Features</h2>

431

425

432

433

Q.

434

What determines the features of ntop?

435

436

437

A.

438

<laugh>Whatever Luca wants</laugh>

439

426

Q.  What determines the features of ntop?

427

A.  <laugh>Whatever Luca wants</laugh>

440

428

441

442

Q.

443

Why did you do this "x" instead of feature "y"?

444

445

446

A.

447

Don't know. I could guess...

448

449

450

Imagine you are the network manager for a large University network and have

429

Q.  Why did you do this "x" instead of feature "y"?

430

A.  Don't know. I could guess...

431

Imagine you are the network manager for a large University network and have

451

432

to crack down on users who are illegally exchanging copyrighted files or

452

433

using University resources to run a business without paying for the resources

453

434

being consumed.

454

435

455

456

or

436

or

457

437

458

459

You are a major vendor of infrastructure, whose customers are using networks

438

You are a major vendor of infrastructure, whose customers are using networks

460

439

for new features such as storage area networks and you want to give them

461

440

the ability to monitor these.

462

441

463

464

or

442

or

465

443

466

467

You have a really cool technology that you've just donated to the community

444

You have a really cool technology that you've just donated to the community

468

445

via an RFC and wish to jump-start adoption of it.

469

446

470

471

or

447

or

472

448

473

474

You are moving heavily into IPv6 and need to be able to monitor your 'new'

449

You are moving heavily into IPv6 and need to be able to monitor your 'new'

475

450

network just like you monitored the IPv4 one.

476

451

477

478

or (my favorite)

452

or (my favorite)

479

453

480

481

You really, really, really hate that ntop generates such lousy html code

454

You really, really, really hate that ntop generates such lousy html code

482

455

and you decide to scratch that itch.

483

456

484

485

or (what should happen)

457

or (what should happen)

486

458

487

488

A major corporation, with out resources, time, skills and/or inclination

459

A major corporation, with out resources, time, skills and/or inclination

489

460

to do it themselves sponsors the development of a feature that's critical

490

461

to him/her.

491

462

492

493

or

494

495

496

Then again, it could just be because it's cool...

497

498

499

500

Q.

501

Could ntop do "x"

502

503

504

A.

505

Probably - as long as it doesn't move the tool away from it's purpose and

506

it's strengths, almost anything is possible - especially as a plugin.

507

508

509

510

Q.

511

Will you do "x"

512

513

514

A.

515

Maybe - if it's of interest to a developer, or you provide the code such

516

that it can be merged in, or if you're willing to sponsor the development

463

or

464

465

Then again, it could just be because it's cool...

466

467

468

Q.  Could ntop do "x"

469

A.  Probably - as long as it doesn't move the tool away from it's purpose and it's strengths, almost anything is possible - especially as a plugin.

470

471

472

Q.  Will you do "x"

473

A.  Maybe - if it's of interest to a developer, or you provide the code such that it can be merged in, or if you're willing to sponsor the development

517

474

effort (contact us through http://www.ntop.org/consultancy.html).

518

475

519

476

<h2>Documentation</h2>

520

477

521

522

Q.

523

Why isn't there (any)(more)(better) documentation.

524

525

526

A.

527

(A personal peeve from Burton...)

528

529

530

I get real tired of people complaining that there isn't any documentation

478

Q.  Why isn't there (any)(more)(better) documentation.

479

A.  (A personal peeve from Burton...)

480

I get real tired of people complaining that there isn't any documentation

531

481

and then being unwilling to contribute even the simplest stuff. I've said

532

482

I'll edit and assemble whatever people send me... and since I started working

533

483

with ntop in November 2001, I've received maybe six pages of stuff.

534

484

535

536

I'm trying to get people - who aren't coders - to contribute to ntop the

485

I'm trying to get people - who aren't coders - to contribute to ntop the

537

486

project. The contribution that ANYONE can make is "documentation". A task-

538

487

specific HOWTO... some sample screen shots... An FAQ entry...

539

488

540

541

I've tried being nice.

489

I've tried being nice.

542

490

I've tried asking.

543

491

I've tried shaming people into it.

544

492

545

546

What have I gotten? Zip.

493

What have I gotten? Zip.

547

494

548

549

Nasty is all that's left... This is your fair warning. If you show up on

495

Nasty is all that's left... This is your fair warning. If you show up on

550

496

the ntop mailing lists and complain about documentation, you will get

551

497

blasted.

552

498

553

554

-----Burton

499

-----Burton

555

500

556

501

557

558

Q.

559

Ok, where can I find what does exist.

560

561

562

A.

563

http://www.ntop.org has pointers and some (dated) documents.

564

565

566

The documentation in the docs/ directory, the Documentation files at SourceForge

502

Q.  Ok, where can I find what does exist.

503

A.  http://www.ntop.org has pointers and some (very out-dated) documents.

504

The documentation in the docs/ directory, the Documentation files at SourceForge

567

505

and some at http://www.ntopsupport.com are basically all that there is.

568

506

569

570

Search the ntop mailing lists at gmane, http://search.gmane.org. The lists

507

Search the ntop mailing lists at gmane, http://search.gmane.org. The lists

571

508

are called gmane.linux.ntop.general and gmane.linux.ntop.devel.

572

509

573

574

Please contribute to the ntop community by writing things up for inclusion

510

Please contribute to the ntop community by writing things up for inclusion

575

511

in this FAQ or other documents!

576

512

577

578

You can even do this all by yourself at the ntop Wiki,

579

http://www.burtonstrauss.com/pmwiki/pmwiki.php?pagename=Ntop.HomePage

580

(But note that whether it remains available depends on whether people

581

contribute)

582

583

513

584

585

Q.

586

I can't find a file at SourceForge!

587

588

589

A.

590

You can reach the archives through any SourceForge mirror, e.g.

591

514

Q.  I can't find a file at SourceForge!

515

A.  You can reach the archives through any SourceForge mirror, or the main site:

592

516

593

517

<pre>

594

http://telia.dl.sourceforge.net/sourceforge/ntop/

595

^^^^^ change that qualifier to one that's close to you.

518

http://prdownloads.sourceforge.net/n/nt/ntop

596

519

</pre>

597

598

It has ALL the files unless we explicitly delete them...

520

It has ALL the files unless we explicitly delete them...

599

521

600

522

<h2>Problems</h2>

601

523

602

603

Q.

604

I have a problem...

605

606

607

A.

608

Make sure it's a supported release!

609

610

611

We support only the current versions of ntop. This is either:

524

Q.  I have a problem...

525

A.  Make sure it's a supported release!

526

We support only the current versions of ntop. This is either:

612

527

613

528

614

529

<pre>

615

* the last release, e.g. v3.0.

530

* the last release, e.g. v3.1.

616

531

* the current cvs (cvs.ntop.org)

617

532

* the latest development version posted at SourceForge (if one)

618

533

</pre>

619

620

If you use a port/package and the latest version available for your

534

If you use a port/package and the latest version available for your

621

535

OS is some release candidate from a year ago, sorry. Contact the

622

536

packager and ask them to get current.

623

537

624

625

Luca usually asks people to try the latest cvs (development) version

538

Luca usually asks people to try the latest cvs (development) version

626

539

because problems are frequently already fixed in there.

627

540

628

541

629

630

Q.

631

I'm running something supported and I've tried the latest & greatest.

632

Still, I have a problem.

633

634

635

A.

636

Read the ntop mailing lists.

637

638

639

The ntop mailing lists are at

542

Q.  I'm running something supported and I've tried the latest & greatest. Still, I have a problem.

543

544

A.  Read the ntop mailing lists.

545

The ntop mailing lists are at

640

546

641

547

<pre>

642

548

http://listgateway.unipi.it/mailman/listinfo/ntop

643

and

644

549

http://listgateway.unipi.it/mailman/listinfo/ntop-dev

550

and

551

http://listgateway.unipi.it/mailman/listinfo/ntop-misc

645

552

</pre>

646

647

If you're having non-user problems OR you are using the cvs, you should be

553

If you're having non-user problems OR you are using the cvs, you should be

648

554

reading and posting ntop-dev (for example, the cvs commit messages are posted

649

there).

555

there). Stuff unrelated to baseline ntop (PF_RING) belongs in ntop-misc.

650

556

651

652

You can read the lists through gmane (or other gateways) if you don't

557

You can read the lists through gmane (or other gateways) if you don't

653

558

want to subscribe, but only subscribers can post.

654

559

655

656

You can download the older messages in large chunks from the mailing list

560

You can download the older messages in large chunks from the mailing list

657

561

subscription pages. Look for "To see the collection of prior postings to

658

562

the list".

659

563

660

564

661

662

Q.

663

I looked and I didn't find my problem.

664

665

666

A.

667

Join the mailing list(s) and ask for help.

668

669

670

Before you post, check the "HowTo Ask for Help" at the end of this FAQ.

671

672

673

Please, if at all possible, use the built in PR_ form (the little 'bug' icon

565

Q.  I looked and I didn't find my problem.

566

A.  Join the mailing list(s) and ask for help.

567

Before you post, check the "HowTo Ask for Help" at the end of this FAQ.

568

569

Please, if at all possible, use the built in PR_ form (the little 'bug' icon

674

570

on the 'About' tab).

675

571

676

677

Guidelines for asking questions:

678

679

680

<pre>

681

ONE and only ONE problem / issue / question per message.

682

</pre>

683

684

<pre>

685

With a meaningful subject.

686

</pre>

572

Guidelines for asking questions:

573

574

ONE and only ONE problem / issue / question per message.

575

576

With a meaningful subject.

577

687

578

688

579

<pre>

689

580

The goal is that if you're asking a common question, the

690

581

subject would have allowed you to find it in the back

691

582

traffic for the mailing list.

692

583

</pre>

693

694

<pre>

695

Post the information about your environment we ask for.

696

</pre>

584

Post the information about your environment we ask for.

585

697

586

698

587

<pre>

699

588

We STRONGLY suggest you use the automatically generated "Problem

700

589

Report" form that since it contains much of the necessary information.

701

590

</pre>

702

703

<pre>

704

Make sure you're in a supported environment (./configure --showoses).

705

</pre>

591

Make sure you're in a supported environment (./configure --showoses).

592

706

593

707

594

<pre>

708

595

If it's an unsupported environment, we're interested in your efforts to

709

596

make ntop work, but we don't have the time, resources, knowledge and/or

710

597

interest to do it ourselves.

711

598

</pre>

712

713

<pre>

714

For software 'crashes', please run ntop under the gdb debugger and capture

715

the full failure information.

716

</pre>

599

For software 'crashes', please run ntop under the gdb debugger and capture

600

the full failure information.

601

717

602

718

603

<pre>

719

604

Brief instructions on using gdb are at the end of this file (docs/FAQ).

720

605

</pre>

721

606

722

723

Q.

724

I posted to the list and nobody answered me.

725

726

727

A.

728

ntop is open source, and the lists are a community resource. If nobody

729

answered your question, then nobody knew the answers off-hand and nobody

607

Q.  I posted to the list and nobody answered me.

608

A.  ntop is open source, and the lists are a community resource. If nobody answered your question, then nobody knew the answers off-hand and nobody

730

609

wanted to spend THEIR time solving YOUR problem.

731

610

732

611

733

734

Q.

735

Do you offer paid support?

736

737

738

A.

739

Yes - contact us through http://www.ntop.org/consultancy.html

740

612

Q.  Do you offer paid support?

613

A.  Yes - contact us through http://www.ntop.org/consultancy.html

741

614

<h2>Configuring ntop</h2>

742

615

743

744

Q.

745

What does ./configure do?

746

747

748

A.

749

./configure checks for the tools installed on your system - configuring

750

ntop to compile with the ones you have and skip the ones you don't (or

616

Q.  What does ./configure do?

617

A.  ./configure checks for the tools installed on your system - configuring ntop to compile with the ones you have and skip the ones you don't (or

751

618

to tell you if you're missing something critical).

752

619

753

620

754

755

Q.

756

Why bother - just compile the code.

757

758

759

A.

760

Then you would have to have a machine configured EXACTLY like Luca's.

761

Nothing else would work. Various OSes and Linux distributions package

621

Q.  Why bother - just compile the code.

622

A.  Then you would have to have a machine configured EXACTLY like Luca's. Nothing else would work. Various OSes and Linux distributions package

762

623

the files in different ways and put them in different places. Plus some

763

624

packages put files into directories with release information in them, etc.

764

625

765

626

766

767

Q.

768

OK, so ./configure

769

770

771

A.

772

Is how you tell ntop where to find things. A lot of stuff it can figure

773

out on it's own, but if things get put in 'strange' places, ntop's

627

Q.  OK, so ./configure

628

A.  Is how you tell ntop where to find things. A lot of stuff it can figure out on it's own, but if things get put in 'strange' places, ntop's

774

629

./configure has switches you use to tell where to find things.

775

630

776

631

777

778

Q.

779

And the list is?

780

781

782

A.

783

./configure --help shows the whole list. It's a bit confusing because

784

there are standard options and ntop options mixed in there.

785

786

787

A.

788

So, first let's look at the 'where are things' options. There are two

789

types of files ntop is looking for, '.h' files and libxxxx files.

790

791

792

.h files are also called 'includes' and libxxxx files are called libraries

632

Q.  And the list is?

633

A.  ./configure --help shows the whole list. It's a bit confusing because there are standard options and ntop options mixed in there.

634

635

A.  So, first let's look at the 'where are things' options. There are two types of files ntop is looking for, '.h' files and libxxxx files.

636

637

.h files are also called 'includes' and libxxxx files are called libraries

793

638

or lib files.

794

639

795

796

.h files are the C source for functions provided by the OS or by libraries.

640

.h files are the C source for functions provided by the OS or by libraries.

797

641

They are typically in a directory named /usr/include, but they can be

798

642

placed ANYWHERE.

799

643

800

801

lib files are compiled libraries of these functions (the .h tells ntop

644

lib files are compiled libraries of these functions (the .h tells ntop

802

645

how to call something, the lib file is the actual code). Their names

803

646

usually begin libxxxx (so the library gd is named libgd).

804

647

805

806

By convention, libraries end in .so or .a. A .so library is a shared

648

By convention, libraries end in .so or .a. A .so library is a shared

807

649

library (Windows DLL), where one copy of the library is used by all

808

650

programs that want it's functions. A .a library is a non-shared or

809

651

static library, which must be merged (the technical term is linked)

810

652

with the code.

811

653

812

813

ntop uses both - the myrrd library is a static, .a library. When it

654

ntop uses both - the myrrd library is a static, .a library. When it

814

655

comes to things like libpcap or libgd, we use shared (.so) libraries.

815

656

816

817

Library files are typically placed in /usr/lib, where the gnu linker

657

Library files are typically placed in /usr/lib, where the gnu linker

818

658

(ld), 'knows' automatically how to find them. However, from OS to

819

659

OS and distribution to distribution, there are many other common places.

820

660

Some OSes even have a file telling ld all the places to look.

821

661

822

662

823

824

Q.

825

So ntop looks for these .h and library thingies in a couple of places.

826

What if it doesn't find them?

827

828

829

A.

830

If a basic ./configure can't find something, you'll have to tell ntop

831

where to look.

832

833

834

It's complex and OS/distro dependent. For example, if you install libgd

663

Q.  So ntop looks for these .h and library thingies in a couple of places. What if it doesn't find them?

664

665

A.  If a basic ./configure can't find something, you'll have to tell ntop where to look.

666

667

It's complex and OS/distro dependent. For example, if you install libgd

835

668

from the Sun Freeware site on to a Solaris machine, the files get put

836

669

into /usr/local/include and /usr/local/lib, which are not on the lists

837

670

of 'standard' places for Solaris' versions of gcc (the Gnu c compiler)

838

671

or ld. So to compile ntop, you have to tell gcc to look in these

839

672

additional locations.

840

673

841

842

The things ntop might be looking for are in this part of the

674

The things ntop might be looking for are in this part of the

843

675

./configure --help output:

844

676

845

677

866

698

--with-localedir=DIR LOCALE files located in DIR (i18n)

867

699

+-----------------------------------------------------------------------+

868

700

</pre>

869

870

You can see that there is a pattern, pretty much every --with-xxxxx-root

701

You can see that there is a pattern, pretty much every --with-xxxxx-root

871

702

has a --with-xxxxx-include and --with-xxxxx-lib option.

872

703

873

874

So, if ntop tells you it can't find something, do this - first look for the

704

So, if ntop tells you it can't find something, do this - first look for the

875

705

File on your system:

876

706

877

707

879

709

$ locate pcap.h

880

710

/usr/include/pcap/pcap.h

881

711

</pre>

882

883

(If you don't have locate, this works too:

712

(If you don't have locate, this works too:

884

713

885

714

<pre>

886

715

$ find / -type f -name "pcap.h"

887

716

)

888

717

</pre>

889

890

And then tell ./configure via --with-pcap-include=/usr/include/pcap

718

And then tell ./configure via --with-pcap-include=/usr/include/pcap

891

719

892

893

(Some OSes are smart enough to look in a subdirectory of the standard

720

(Some OSes are smart enough to look in a subdirectory of the standard

894

721

location, but others aren't).

895

722

896

723

897

898

Q.

899

Ok, but why three options?

900

901

902

A.

903

You use either the --with-xxxxx-root option OR either/both of the others

904

at a time. But ntop really only looks at the --with-xxxxx-include and

724

Q.  Ok, but why three options?

725

A.  You use either the --with-xxxxx-root option OR either/both of the others at a time. But ntop really only looks at the --with-xxxxx-include and

905

726

--with-xxxxx-lib options.

906

727

907

908

Internally, --with-xxxxx-root=/a/b/c is translated into

728

Internally, --with-xxxxx-root=/a/b/c is translated into

909

729

--with-xxxxx-lib=/a/b/c/lib and --with-xxxxx-include=/a/b/c/include

910

730

(that's the usual pattern).

911

731

912

913

Now sometimes libraries are installed logically - if the pcap.h file is in

732

Now sometimes libraries are installed logically - if the pcap.h file is in

914

733

/usr/local/pcap/include, the library (libpcap.so) is probably in

915

734

/usr/local/pcap/lib. Sometimes they are not logical and you will have

916

735

to use the split options.

917

736

918

919

The --with-pcap-root=/usr/local/pcap is shorthand for the two options,

737

The --with-pcap-root=/usr/local/pcap is shorthand for the two options,

920

738

--with-pcap-include=/usr/local/pcap/include and

921

739

--with-pcap-lib=/usr/local/pcap/lib.

922

740

923

741

924

925

Q.

926

Oh Ghu - aren't there any short cuts.

927

928

929

A.

930

For the first time you try ./configure, there's a script on SourceForge in

931

The user contributed area that will try to build the ./configure line for

742

Q.  Oh Ghu - aren't there any short cuts.

743

A.  For the first time you try ./configure, there's a script on SourceForge in The user contributed area that will try to build the ./configure line for

932

744

you.

933

745

934

746

935

936

Q.

937

And the OTHER options?

938

939

940

A.

941

There is a set that tells ntop where to install stuff. For simplicity,

942

the two you might want to change are:

747

Q.  And the OTHER options

748

A.  There is a set that tells ntop where to install stuff. For simplicity, the two you might want to change are:

943

749

944

750

945

751

<pre>

948

754

--datadir=DIR read-only architecture-independent data

949

755

[PREFIX/share]

950

756

</pre>

951

952

--prefix tells ntop where to install the various files. The default value

757

--prefix tells ntop where to install the various files. The default value

953

758

is /usr/local, which is where most non-OS software normal goes.

954

759

955

956

A common choice for libraries (such as pcap) is --prefix=/usr, which puts

760

A common choice for libraries (such as pcap) is --prefix=/usr, which puts

957

761

things like .h files in places easier to automatically find (/usr/include).

958

762

--prefix=/usr certainly works for ntop. --prefix=/opt is another choice.

959

763

960

961

The 'proper' choice turns on which model of file organization the OS and

764

The 'proper' choice turns on which model of file organization the OS and

962

765

sysadmin prefer. That's a fight I'm staying out of.

963

766

964

965

--datadir tells ntop where to put its databases and output files. The

767

--datadir tells ntop where to put its databases and output files. The

966

768

default is /usr/share/ntop, but that will give some sysadmin's agita.

967

769

Another popular choice is --datadir=/var, which puts all the files in

968

770

/var/ntop. That may be attractive especially if you make /var/ntop

969

771

a separate partition, so the rrd files don't eat all your disk space.

970

772

971

773

972

973

Q.

974

What's --enable-iknowbetter Override WILLFAIL

975

976

977

A.

978

There are some error messages where it's possible that thing work (now)

979

that didn't used to, or you're doing development and don't want ntop

774

Q.  What's --enable-iknowbetter Override WILLFAIL

775

A.  There are some error messages where it's possible that thing work (now) that didn't used to, or you're doing development and don't want ntop

980

776

to stop you from doing something, or there's an error message that you

981

777

have skipped before without getting bitten.

982

778

983

984

--enable-iknowbetter will print the message but not stop ntop from

779

--enable-iknowbetter will print the message but not stop ntop from

985

780

finishing ./configure.

986

781

987

988

Use it at your own risk.

782

Use it at your own risk.

989

783

990

784

991

992

Q.

993

What are the --enable and --disable options?

994

995

996

A.

997

These (and the with/without options) pretty much do what you think - they

998

enable or disable large chunks of ntop functionality:

785

Q.  What are the --enable and --disable options?

786

A.  These (and the with/without options) pretty much do what you think - they enable or disable large chunks of ntop functionality:

999

787

1000

788

1001

789

<pre>

1002

+--ntop-specific:-------------------------------------------------------+

1003

--disable-mt disable multithread support [default=enabled]

790

+--ntop-specific:------------------------------------------------------------+

1004

791

--enable-sslv3 enable ssl v3 support [default=disabled]

1005

--enable-sslwatchdog enable Watchdog for ssl hang-ups

1006

[default=disabled]

1007

--disable-plugins disable compilation of plugins

1008

[default=enabled]

1009

--enable-static-plugins Enable static linked plugins sntop,

1010

default=dynamic]

792

--enable-sslwatchdog enable Watchdog for ssl hangups [default=disabled]

793

--disable-plugins disable compilation of plugins [default=enabled]

794

--enable-static-plugins Enable static linked plugins sntop, default=dynamic]

1011

795

--enable-ignoresigpipe Ignore SIGPIPE errors [default=do not ignore]

1012

--enable-i18n Enable (limited) internationalization

1013

[default=disabled]

1014

--enable-showoses display OS Support information.

796

--disable-snmp Disable SNMP support [default=disable]

797

--enable-i18n Enable (limited) internationalization [default=disabled]

798

--enable-jumbo-frames Enable Jumbo (9K) Ethernet frames [default=disabled]

1015

799

--disable-ipv6 use IPv6 [default=enabled]

1016

800

+-----------------------------------------------------------------------+

1017

801

</pre>

1021

805

--without-ssl disable HTPPS support [default=enabled]

1022

806

--without-zlib disable zlib [default=enabled]

1023

807

--with-tcpwrap enable use of TCP Wrapper [default=disabled]

808

+-----------------------------------------------------------------------+

1024

809

</pre>

1025

810

1026

1027

Q.

1028

What ELSE?

1029

1030

1031

A.

1032

There are some so called 'environment variables' you can set that change

1033

things too. The common ones are:

811

Q.  What ELSE?

812

A.  There are some so called 'environment variables' you can set that change things too. The common ones are:

1034

813

1035

814

<pre>

1036

815

CC C compiler command

1041

820

headers in a nonstandard directory <include dir>

1042

821

CPP C preprocessor

1043

822

</pre>

1044

1045

You would use these variables to override the choices made by ./configure

823

You would use these variables to override the choices made by ./configure

1046

824

or to help it to find libraries and programs with truly nonstandard

1047

825

names/locations.

1048

826

1049

1050

The best place to look for examples of these environment variables are in

827

The best place to look for examples of these environment variables are in

1051

828

the OS/distribution files in the configureextra directory. For example,

1052

829

(again picking on Solaris), we use LDFLAGS to tell ld to look in some

1053

830

common Solaris locations for libraries via this:

1056

833

<pre>

1057

834

LDFLAGS="-L/usr/local/lib -R/usr/local/lib ${LDFLAGS}"

1058

835

</pre>

1059

1060

What that does is add /usr/local/lib to the locations that ld will check.

836

What that does is add /usr/local/lib to the locations that ld will check.

1061

837

1062

838

1063

1064

Q.

1065

./configure dies in some strange horrible way complaining about version

1066

conflicts, lunar phase or whatever.

839

Q.  ./configure dies in some strange horrible way complaining about version conflicts, lunar phase or whatever.

1067

840

1068

1069

A.

1070

The process of creating portable cross-platform scripts for building

1071

software is ugly and hard and prone to failure. There are tools

841

A.  The process of creating portable cross-platform scripts for building software is ugly and hard and prone to failure. There are tools

1072

842

(released by gnu) to help, named automake, autoconf and libtool.

1073

843

(Collectively the auto* tools).

1074

844

1075

1076

These tools take basic files and generate more complex files based

845

These tools take basic files and generate more complex files based

1077

846

on a series of rules, conventions and macros (much of which is poorly

1078

847

or undocumented). Other processes (e.g. ./configure) take these files

1079

848

and generate more complex files based on a different series of rules,

1082

851

series of rules, conventions and macros - to actually compile the ntop

1083

852

source.

1084

853

1085

1086

There are interdependencies among the tools, partial support for older

854

There are interdependencies among the tools, partial support for older

1087

855

versions in some releases, but not in other releases and many more

1088

856

problems.

1089

857

1090

1091

Different OSes and different Linux distros ship with wildly different

858

Different OSes and different Linux distros ship with wildly different

1092

859

versions. Some even have scripts that attempt to analyze the file and

1093

860

pick the correct version (which just means that trying to code a file

1094

861

with multiple version support confuses the tool).

1095

862

1096

1097

So if you have a basic, total failure of ./configure, it's usually

863

So if you have a basic, total failure of ./configure, it's usually

1098

864

the auto* tools.

1099

865

1100

1101

ntop used to ship with a manual script that rebuilt the generated files

866

ntop used to ship with a manual script that rebuilt the generated files

1102

867

according to the version(s) of the tools installed on the system you were

1103

868

using to build ntop. Thus the standard answer was 'run ./autogen.sh -1'.

1104

869

1105

1106

But, this meant that you had to have these 'developer' tools installed

870

But, this meant that you had to have these 'developer' tools installed

1107

871

and caused much problems and gnashing of teeth.

1108

872

1109

1110

So we spent 100s of hours rebuilding the scripts to be totally independent

873

So we spent 100s of hours rebuilding the scripts to be totally independent

1111

874

of having the tools installed on your system - only to run into problems

1112

875

because the xyz 1.6.1 tool installed by default on OS A isn't quite

1113

876

compatible with the 1.6.3 version on OS B.

1114

877

1115

1116

So we put technology in place to automatically detect tool versions and

878

So we put technology in place to automatically detect tool versions and

1117

879

rebuild the generated files if necessary. That meant you had to have

1118

880

these 'developer' tools installed and caused much problems.

1119

881

1120

1121

So we rebuilt the scripts AGAIN and AGAIN, dropped support for old versions

882

So we rebuilt the scripts AGAIN and AGAIN, dropped support for old versions

1122

883

of the tools and finally reached a point where it works for most reasonably

1123

884

current platforms. This is a compromise:

1124

885

1128

889

Systems that have bleeding edge versions of these tools may break.

1129

890

Systems with very old versions also may break.

1130

891

</pre>

1131

1132

The technology to detect versions and rebuild the script files if

892

The technology to detect versions and rebuild the script files if

1133

893

appropriate is still in there, but it's disabled from normal use.

1134

894

1135

1136

If you have the auto* tools installed and have ./configure problems, you

895

If you have the auto* tools installed and have ./configure problems, you

1137

896

can activate the automatic rebuild feature via:

1138

897

1139

898

1141

900

$ export NTOPAUTOREBUILD=yes

1142

901

$ ./configure ...

1143

902

</pre>

1144

1145

If the rebuild fixes it, that's great. Regardless, please report the

903

If the rebuild fixes it, that's great. Regardless, please report the

1146

904

problem to the ntop mailing list. Please don't paraphrase the messages

1147

905

cut & paste the ACTUAL MESSAGES into your report. Also, please let us

1148

906

know the version(s) of the tools installed on your system:

1156

914

$ libtool --version

1157

915

</pre>

1158

916

1159

1160

Q.

1161

But how does it all hang together?

1162

1163

1164

A.

1165

There's a vsd (Visio)/pdf in the docs directory - ntop-autotools.pdf.

1166

917

Q.  I can't build ntop... (auto* tools)

918

A.  ntop has been tested with and developed for various versions of the "GNU auto* tools" (automake, autoconf and libtool).

919

920

The basic requirements are

921

922

automake 1.6.1 or higher (automake 1.4 and 1.5 may or may not work)

923

autoconf 2.51 or higher (autoconf 2.13 will NOT work)

924

libtool 1.4 or higher

925

926

But that simple statement hides a lot of complexity and many potential

927

problems. Surprisingly, this isn't solely ntop's fault, it's the

928

combination of GNU auto* tools version to version compatiblity and

929

because we're trying to distribute configure and make files that work

930

on all versions. If ntop were less complex or less clever about

931

trying to build a working program even with many components missing,

932

things would work a lot better.

933

934

The big change between autoconf 2.13 and 2.5x generated scripts is that

935

the ./configure and make steps are supposed to run the auto* commands

936

automatically if they're required. As we've seen, this doesn't always

937

work!

938

939

If you run into problems, you can ALWAYS recreate the generated files

940

via this procedure:

941

942

943

<pre>

944

rm -f acinclude.m4 aclocal.m4 Makefile.in config.h.in configure Makefile

945

</pre>

946

947

<pre>

948

find current versions of libtool, config.guess and config.sub and cp

949

them into your working directory.

950

</pre>

951

952

<pre>

953

cat acinclude.m4.ntop libtool.m4.in > acinclude.m4

954

aclocal

955

autoheader

956

autoconf

957

automake --gnu --copy --add-missing

958

</pre>

959

and then:

960

961

962

<pre>

963

./configure ...

964

make

965

make install

966

</pre>

967

as usual.

968

969

970

Q.  But how does it all hang together?

971

A.  There's a vsd (Visio)/pdf in the docs directory - ntop-autotools.pdf.

1167

972

<h2>Compiling ntop</h2>

1168

973

1169

1170

Q.

1171

Which packages/libraries do I need to compile ntop:

1172

974

Q.  Which packages/libraries do I need to compile ntop:

1173

975

1174

976

<pre>

1175

977

Note: In some cases the minimal header files for a tool will be in

1188

990

1189

991

<pre>

1190

992

libpcap

1191

We recommend 0.7.2, but ntop works with most 0.6.x versions.

1192

The newest version, 0.8.x works too - there are ntop fixes since

1193

late 2.2.9x releases for this.

993

We recommend 0.8.3, but ntop works with most 0.7.2 and later versions.

1194

994

</pre>

1195

995

1196

996

<pre>

1202

1002

</pre>

1203

1003

1204

1004

<pre>

1205

gd (1.8.x - stay away from 2.x development versions)

1206

http://www.boutell.com/gd/gd.html

1005

gd

1006

http://www.boutell.com/gd/gd.html - note that many distros have both

1007

the 1.8.x and 2.x series installed for differnt packages that require

1008

them. This occasionally causes problems.

1207

1009

</pre>

1208

1010

1209

1011

<pre>

1221

1023

</pre>

1222

1024

1223

1025

<pre>

1224

gcc

1225

Note: Both gcc 2.95/2.96 and 3.2/3.3 are reported to work. Across a lot

1226

of software, gcc 3.0 had problems - no clue re ntop.

1227

For you folks still running 2.94, I think I fixed all the compile errors,

1228

but upgrade for ghu's sake!

1026

gcc most versions of gcc should work, but there are no promisses.

1229

1027

</pre>

1230

1028

1231

1029

<pre>

1232

libtool 1.4+ (distribution with 1.4.2)

1030

libtool 1.4+ (distribution is built with 1.4.2)

1233

1031

(there are successes reported with 1.3.4 or 1.3.5 -

1234

1032

use --enable-iknowbetter)

1235

1033

</pre>

1236

1034

1237

1035

<pre>

1238

1036

gawk/mawk

1239

Note: If all you have is nawk, then --enable-showoses will not work.

1240

If all you have is original awk, then ./configure will not work.

1037

Note: If all you have is original awk, then ./configure will not work.

1241

1038

</pre>

1242

1039

1243

1244

Q.

1245

Will the "xyz" compiler work instead of gcc?

1246

1247

1248

A.

1249

We explicitly REQUIRE gcc.

1250

1251

1252

We know that under many systems, a compiler called cc is available. On some,

1040

Q.  Will the "xyz" compiler work instead of gcc?

1041

A.  We explicitly REQUIRE gcc.

1042

We know that under many systems, a compiler called cc is available. On some,

1253

1043

it's a symbolic link to gcc, BUT, when invoked as cc, it often triggers 'old'

1254

1044

behaviors for cc compatibility. On others, cc is a retarded compiler just good

1255

1045

enough for compiling the kernel.

1256

1046

1257

1258

The one exception is Sun's cc, which - since Luca used to do a lot of development

1047

The one exception is Sun's cc, which - since Luca used to do a lot of development

1259

1048

on Solaris - was pretty well supported.

1260

1049

1261

1050

1262

1263

Q.

1264

The auto* tools?

1265

1266

1267

A.

1268

Only if you are going to rebuild the distributed script files:

1269

1051

Q.  The auto* tools?

1052

A.  Only if you are going to rebuild the distributed script files:

1270

1053

1271

1054

<pre>

1272

1055

autoconf 2.5+ (distribution with 2.57)

1273

automake 1.6+ (distribution with 1.6.1)

1056

automake 1.6+ (distribution with 1.8.3)

1274

1057

</pre>

1275

1058

1276

1277

Q.

1278

Optional libraries?

1279

1280

1281

A.

1282

Lots. The most common is:

1283

1059

Q.  Optional libraries?

1060

A.  Lots. The most common is:

1284

1061

1285

1062

<pre>

1286

1063

openssl (for https:// support)

1288

1065

Version of openssl installed.

1289

1066

</pre>

1290

1067

1291

1292

Q.

1293

ntop doesn't compile.

1294

1295

1296

A.

1297

Sure, it does - for me :-)

1298

1068

Q.  ntop doesn't compile.

1069

A.  Sure, it does - for me :-)

1299

1070

1300

1301

Q.

1302

Right smarty-pants...

1303

1304

1305

A.

1306

First, check if you're using a supported OS.

1307

1308

1309

The long and short of it is that ntop works under Linux, Mac OS X and

1071

Q.  Right smarty-pants...

1072

A.  First, check if you're using a supported OS.

1073

The long and short of it is that ntop works under Linux, Mac OS X and

1310

1074

FreeBSD.

1311

1075

1312

1313

Luca distributes a Win32 version through http://shop.ntop.org but charges a

1314

convenience fee. Or you can fire up Microsoft's Visual C++ 6.0 and compile

1315

the Win32 version that way. We don't recommend Visual C++ .Net as the

1316

internals of the memory management caused problems.

1317

1318

1319

It works (albeit with severe limitations) on NetBSD.

1320

1321

1322

It works on OpenBSD 3.4 (only).

1323

1324

1325

It used to work under MinGW, but that broke after 2.1.3 and we need somebody

1326

with some technical skills and an interest in MinGW to fix it.

1327

1328

1329

Anything else, you are in untested waters. Some cases we know there are

1076

Luca distributes a Win32 version through http://shop.ntop.org but charges a

1077

convenience fee. Or you can fire up Microsoft's Visual C++ or Visual C++ .Net

1078

and compile the Win32 version that way.

1079

1080

It should work under MinGW - see the BUILD file in docs.

1081

1082

Anything else, you are in untested waters. Some cases we know there are

1330

1083

problems, others we just haven't tested.

1331

1084

1332

1085

1333

1334

Q.

1335

But that was as of 18Aug2003?

1336

1337

1338

A.

1339

Yes. For the latest scoop, run ./configure --enable-showoses

1340

1341

1342

ntop will perform the basic ./configure tests (make sure you have a c

1343

compiler that works, etc.) and then output a table.

1344

1345

1346

This is from a pretty complete 3.0 release (at least as far as OS support

1347

goes):

1348

1349

1350

<pre>

1351

ntop OS Support status extract for version 2.2.91

1352

Run Mon Aug 18 10:00:58 CDT 2003

1353

</pre>

1354

1355

<pre>

1356

config.guess value compiler OS name Status

1357

------------------ --------- --------- ---------------

1358

mingw32* gcc MINGW UNTESTED

1359

cygwin* * CYGWIN WILLFAIL

1360

linux* *gcc LINUX SUPPORTED

1361

solaris2.9* * SOLARIS UNTESTED

1362

solaris2.8* * SOLARIS SUPPORTED

1363

solaris2.5* * SOLARIS UNTESTED

1364

solaris* * SOLARIS UNTESTED

1365

darwin* * DARWIN SUPPORTED

1366

freebsd[45]* *gcc FREEBSD SUPPORTED

1367

freebsd* * FREEBSD UNTESTED

1368

openbsd* * OPENBSD WILLFAIL

1369

netbsd*1.5* gcc NETBSD

1370

netbsd* * NETBSD UNTESTED

1371

hpux11* gcc HPUX WILLFAIL

1372

hpux10* gcc HPUX

1373

aix* * AIX UNTESTED

1374

</pre>

1375

1376

Quoting from the ./configure --enable-showoses output:

1377

1378

1379

<pre>

1380

Status of 'SUPPORTED' means you are:

1381

</pre>

1382

1383

<pre>

1384

Building ntop for a supported platform

1385

This means we expect ntop to work without major issues

1386

</pre>

1387

1388

<pre>

1389

Status of 'UNTESTED' means you are:

1390

</pre>

1391

1392

<pre>

1393

Building ntop for an untested platform

1394

</pre>

1395

1396

<pre>

1397

Untested means that:

1398

</pre>

1399

1400

<pre>

1401

1. A previous version of this OS is supported.

1402

or 2. This version of this OS was supported by a

1403

previous version of ntop.

1404

</pre>

1405

1406

<pre>

1407

./configure applies the same configuration options,

1408

special parameters, etc. as for the prior release.

1409

</pre>

1410

1411

<pre>

1412

For OS .0 releases that is probably a bad bet...

1413

</pre>

1414

1415

<pre>

1416

It could just be that you are compiling an older version

1417

of ntop on a new OS release - check the http://www.ntop.org

1418

site for an update.

1419

</pre>

1420

1421

<pre>

1422

Status of 'WILLFAIL' means you are:

1423

</pre>

1424

1425

<pre>

1426

Attempting to build ntop for an unsupported platform

1427

</pre>

1428

1429

<pre>

1430

>>> This is unsupported.

1431

>>> It will almost certainly fail

1432

(that is why it is listed as 'unsupported' - doh!)

1433

</pre>

1434

1435

<pre>

1436

Status of blank means that the support level depends

1437

upon ntop settings and/or other factors.

1438

</pre>

1439

1440

1441

Q.

1442

Ok, it's a supported release and it still won't compile.

1443

1444

1445

A.

1446

Did you run ./configure? And did it complete successfully?

1447

1448

1449

Usually 'compile' problems for supported platforms are a missing

1086

Q.  Ok, it's a supported environment and it still won't compile.

1087

A.  Did you run ./configure? And did it complete successfully?

1088

Usually 'compile' problems for supported platforms are a missing

1450

1089

(critical) library or header file, but the user ignored (didn't see)

1451

1090

the error/warning message and tried running make anyway.

1452

1091

1453

1454

./configure checks a lot of things. When it's looking for

1092

./configure checks a lot of things. When it's looking for

1455

1093

headers and libraries, ntop will report KEY information and PROBLEMS

1456

1094

in large, set-off, lines:

1457

1095

1474

1112

*

1475

1113

*******************************************************************

1476

1114

</pre>

1477

1478

READ THESE BOXES. Even if you don't read the rest of the output, read

1115

READ THESE BOXES. Even if you don't read the rest of the output, read

1479

1116

the boxes. ntop can work around a lot of problems (missing libraries)

1480

1117

by disabling features that need them. If, for example, you don't have

1481

1118

zlib, ntop will compile a version that doesn't output compressed html

1482

1119

pages. If you don't read the boxes, you will never know.

1483

1120

1484

1485

READ THE MESSAGE BOXES!

1121

READ THE MESSAGE BOXES!

1486

1122

1487

1123

1488

1124

<pre>

1502

1138

* *

1503

1139

*******************************************************************

1504

1140

</pre>

1505

1506

The box will tell you what's wrong, what ntop did and often how to fix it

1141

The box will tell you what's wrong, what ntop did and often how to fix it

1507

1142

if you don't like ntop's fix.

1508

1143

1509

1510

READ THE MESSAGE BOXES!

1144

READ THE MESSAGE BOXES!

1511

1145

1512

1513

Hint: It may sometimes be that you're missing the header files (often those

1146

Hint: It may sometimes be that you're missing the header files (often those

1514

1147

are in a -devel rpm if you're running RedHat)

1515

1148

1516

1517

If you see a message box and don't understand why ("I'm sure that

1149

If you see a message box and don't understand why ("I'm sure that

1518

1150

header file is present"), then look at a file called config.log. Search

1519

1151

for the specific header or library reported in the message box and you will

1520

1152

see the detailed compiler/linker error messages.

1521

1153

1522

1523

For example, ./configure reports:

1154

For example, ./configure reports:

1524

1155

1525

1156

1526

1157

<pre>

1527

1158

checking for linux/if_pppox.h... no

1528

1159

</pre>

1529

1530

The first thing to so is check if it's on your system:

1160

The first thing to so is check if it's on your system:

1531

1161

1532

1162

1533

1163

<pre>

1534

1164

$ locate linux/if_pppox.h

1535

1165

/usr/include/linux/if_pppox.h

1536

1166

</pre>

1537

1538

(If you don't have locate, this works too:

1167

(If you don't have locate, this works too:

1539

1168

1540

1169

<pre>

1541

1170

$ find / -type f -name "ethertype.h"

1542

1171

)

1543

1172

</pre>

1544

1545

Open up config.log and look for if_pppox.h:

1173

Open up config.log and look for if_pppox.h:

1546

1174

1547

1175

1548

1176

<pre>

1578

1206

| #include <linux/if_pppox.h>

1579

1207

configure:13123: result: no

1580

1208

</pre>

1581

1582

You see the actual test program, the actual compile line and the error

1209

You see the actual test program, the actual compile line and the error

1583

1210

messages.

1584

1211

1585

1586

Before reporting it to us, chase down where those missing items are declared:

1212

Before reporting it to us, chase down where those missing items are declared:

1587

1213

1588

1214

1589

1215

<pre>

1591

1217

/usr/include/linux/if_ether.h:#define ETH_ALEN 6

1592

1218

/usr/include/net/ethernet.h:#define ETHER_ADDR_LEN ETH_ALEN

1593

1219

</pre>

1594

1595

And post that information with your error report. The reason is that these

1220

And post that information with your error report. The reason is that these

1596

1221

field definitions are often placed in very different places in different

1597

1222

OSes and even in different distributions.

1598

1223

1599

1600

FWIW, if you look in the older configure.in:

1224

FWIW, if you look in the older configure.in:

1601

1225

1602

1226

1603

1227

<pre>

1604

1228

AC_CHECK_HEADERS([linux/if_pppox.h], [], [], [net/if.h

1605

1229

netinet/if_ether.h])

1606

1230

</pre>

1607

1608

should have been

1231

should have been

1609

1232

1610

1233

1611

1234

<pre>

1612

1235

AC_CHECK_HEADERS([linux/if_pppox.h], [], [], [#include <net/if.h>

1613

1236

#include <netinet/if_ether.h>])

1614

1237

</pre>

1615

1616

because the macro doesn't do the #include automatically.

1238

because the macro doesn't do the #include automatically.

1617

1239

1618

1240

1619

1620

Q.

1621

Nope, it's not ./configure...

1622

1623

1624

A.

1625

If it's not the configuration, then it's usually a problem with your specific

1626

system, either:

1241

Q.  Nope, it's not ./configure...

1242

A.  If it's not the configuration, then it's usually a problem with your specific system, either:

1627

1243

1628

1244

1629

1245

<pre>

1630

1246

- A new release of a supported OS.

1631

1247

- An uncommon option/configuration of a supported OS.

1632

1248

</pre>

1633

1634

In other words, something is different from what we've seen or expected.

1249

In other words, something is different from what we've seen or expected.

1635

1250

1636

1637

Review the output from make. The error message will usually give you a

1251

Review the output from make. The error message will usually give you a

1638

1252

Somewhat cryptic description of what's wrong and where. Look for messages

1639

1253

about missing files. Post as much information as you can - do locates for

1640

1254

the missing files, etc. The more you give us the less we will have to ask

1641

1255

you to provide.

1642

1256

1643

1644

Remember, we can't see your box - all that the people on the list see is the

1257

Remember, we can't see your box - all that the people on the list see is the

1645

1258

information you give in your message.

1646

1259

1647

1260

1648

1649

Q.

1650

Compile dies because it's missing depcomp

1651

1652

1653

A.

1654

automake/autoconf issue. The problem should have been fixed. If not, just

1655

Copy the missing file (or make a symbolic link) into the ntop source

1261

Q.  Compile dies because it's missing depcomp

1262

A.  automake/autoconf issue. The problem should have been fixed. If not, just Copy the missing file (or make a symbolic link) into the ntop source

1656

1263

directory.

1657

1264

1658

1659

It's in /usr/share/automake on my Linux boxes. Another user reports it is in

1265

It's in /usr/share/automake on my Linux boxes. Another user reports it is in

1660

1266

/usr/local/share/automake in sun8.

1661

1267

1662

1663

If you have automake installed, this will do it automatically:

1268

If you have automake installed, this will do it automatically:

1664

1269

1665

1270

1666

1271

<pre>

1667

1272

$ automake --add-missing --gnu -c

1668

1273

</pre>

1669

1274

1670

1671

Q.

1672

Make fails with a message about being unable to create a .deps file.

1673

1674

1675

A.

1676

Check the permissions on the (hidden) .deps (and .libs) directories - if root

1677

owns them your non-root userid may not be able to create files in there.

1678

1679

1680

1681

Q.

1682

Make fails with a message about a missing .deps file

1683

1684

1685

A.

1686

Basically, it's a automake 1.5 bug, related to dependency tracking.

1687

1688

1689

If you don't have automake installed, you shouldn't see this problem.

1690

1691

1692

ntop requires automake 1.6+ - that dependency is EXPLICT in the Makefile.am!

1693

1694

1695

If you do have automake installed, it's possible to hit this problem -

1696

especially if it's one of those Linux distributions that have three versions

1697

of automake installed and a (broken) script that's supposed to figure out

1698

which version to actually run.

1699

1700

1701

Since we distribute ntop with scripts generated from 1.6.3, you would *think*

1702

they should work, regardless of what version of automake is installed.

1703

1704

1705

That's not the case. The problem occurs because automake gets invoked by

1706

./configure to copy the missing gnu files such as depcomp. If you have 1.5

1707

installed, it then remakes the plugins/Makefile as a 1.5 version, which

1708

fails.

1709

1710

1711

The problem should be trapped and worked around, however, so report the

1712

problem to the list.

1713

1714

1715

1716

Q.

1717

Why is the .deps problem mostly happening under FreeBSD?

1718

1719

1720

A.

1721

Because the FreeBSD ports tree only has 1.5, but that's a FreeBSD ports

1722

problem, not ntop's. If you search the FreeBSD lists on Google, there's lots

1723

of traffic about a 1.6 version for FreeBSD, but it doesn't seem to be in the

1724

tree. What's there is:

1725

1726

1727

<pre>

1728

./devel/automake

1729

-- which is 1.5

1730

./devel/automake14

1731

./devel/automake17

1732

-- which does NOT work

1733

</pre>

1734

1735

1736

Q.

1737

So how do I work around the problem?

1738

1739

1740

A.

1741

Install 1.6.3. It's quite easy, does NOT require root. The steps are listed

1742

in the ./configure message, repeated below:

1743

1744

1745

<pre>

1746

Download automake 1.6.3 from gnu

1747

$ wget http://ftp.gnu.org/gnu/automake/automake-1.6.3.tar.gz

1748

</pre>

1749

1750

<pre>

1751

Untar it

1752

$ tar xfvz automake-1.6.3.tar.gz

1753

</pre>

1754

1755

<pre>

1756

Make it

1757

$ cd automake-1.6.3

1758

$ ./configure --prefix=/home/<whatever>/automake163

1759

$ make

1760

$ make install

1761

</pre>

1762

1763

<pre>

1764

Add it to your path (this is bash, but other shells, can do it too)

1765

</pre>

1766

1767

<pre>

1768

$ PATH=/home/<whatever>automake163/bin:$PATH

1769

$ export PATH

1770

</pre>

1771

1772

<pre>

1773

And then untar, ./configure and make ntop.

1774

</pre>

1775

1776

1777

Q.

1778

Make fails with a message like this:

1779

1275

Q.  Make fails with a message about being unable to create a .deps file.

1276

A.  Check the permissions on the (hidden) .deps (and .libs) directories - if root owns them your non-root userid may not be able to create files in there.

1277

1278

1279

Q.  Make fails with a message like this:

1780

1280

<pre>

1781

1281

/bin/ld: Warning: size of symbol `pcap_open_dead' changed from 100 to 67

1782

1282

in pcap.o

1787

1287

make[1]: Leaving directory `/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3'

1788

1288

make: *** [all] Error 2

1789

1289

</pre>

1790

1791

A.

1792

Ah yes, size of symbol...changed. It means you have a conflict between

1793

the version of the shared library (be it libpcap, libgd, whatever) that

1290

A.  Ah yes, size of symbol...changed. It means you have a conflict between the version of the shared library (be it libpcap, libgd, whatever) that

1794

1291

was used to compile ntop with the version that was used to link ntop.

1795

1292

1796

1293

1797

1798

Q.

1799

'splain please...

1800

1801

1802

A.

1803

If you break down a typical link line:

1804

1294

Q.  'splain please...

1295

A.  If you break down a typical link line:

1805

1296

1806

1297

<pre>

1807

1298

gcc -shared address.lo ... ntop_darwin.lo

1814

1305

-Wl,-soname -Wl,libntop-2.2.3.so

1815

1306

-o .libs/libntop-2.2.3.so

1816

1307

</pre>

1817

1818

You see the mix of -L and -l parameters. The -L parameters ADD

1308

You see the mix of -L and -l parameters. The -L parameters ADD

1819

1309

additional places to look for the shared libraries, which are in

1820

1310

addition to the 'standard locations' for the system. The -l

1821

1311

parameters tell which libraries to include.

1822

1312

1823

1824

Read the man pages (man ld, man ld.so, etc.)

1313

Read the man pages (man ld, man ld.so, etc.)

1825

1314

1826

1827

The 'standard locations' are very system dependent, but usually

1315

The 'standard locations' are very system dependent, but usually

1828

1316

include /usr/lib and /lib. PLUS whatever is (under Linux) in the

1829

1317

ld.so.conf file, for example

1830

1318

1836

1324

/usr/lib/qt-3.0.5/lib

1837

1325

/usr/local/lib

1838

1326

</pre>

1839

1840

So, on this system, to resolve a library, ld looks in the -L values:

1327

So, on this system, to resolve a library, ld looks in the -L values:

1841

1328

1842

1329

1843

1330

<pre>

1858

1345

8. /lib

1859

1346

9. /usr/lib

1860

1347

</pre>

1861

1862

Similarly, if you break apart the gcc COMPILE line and scrap the dups,

1348

Similarly, if you break apart the gcc COMPILE line and scrap the dups,

1863

1349

you'll have a different set of places where gcc looks for the .h files.

1864

1350

For those, it's the -I parameters plus whatever is 'standard' on your

1865

1351

system, which is dependent on the specific gcc port:

1866

1352

1867

1868

/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -DLINUX

1353

/bin/sh ./libtool --mode=compile gcc -DHAVE_CONFIG_H -DLINUX

1869

1354

1870

1355

<pre>

1871

1356

-I. -I/linuxadmin/ntop/ntop2.2.3/ntop-2.2.3/myrrd

1874

1359

-Wshadow ... -Wnested-externs

1875

1360

-o ntop_darwin.lo

1876

1361

</pre>

1877

1878

Again, read the gcc man page.

1362

Again, read the gcc man page.

1879

1363

1880

1881

A big problem is that - unlike .so files, it's not real clear what

1364

A big problem is that - unlike .so files, it's not real clear what

1882

1365

directories ARE searched for .h files, only that there is a set.

1883

1366

1884

1885

With me so far? Go back to the message... what it means is that:

1367

With me so far? Go back to the message... what it means is that:

1886

1368

1887

1369

1888

1370

<pre>

1891

1373

* From the other set of locations, at link (ld) time, the

1892

1374

library expects the parameter list to be of size 67.

1893

1375

</pre>

1894

1895

Danger, Will Robinson...

1376

Danger, Will Robinson...

1896

1377

1897

1898

The most likely cause of this problem is when you tell ntop to look at

1378

The most likely cause of this problem is when you tell ntop to look at

1899

1379

one location to resolve either the .h or .so and it finds the other,

1900

1380

'automatically' in a 'standard' location, but the two are actually from

1901

1381

incompatible versions.

1902

1382

1903

1904

Say you have libpcap 0.6.2 installed by the os in /usr/lib and

1383

Say you have libpcap 0.6.2 installed by the os in /usr/lib and

1905

1384

/usr/include, but you also install libpcap 0.7.2 in /usr/local/lib and

1906

1385

/usr/local/include.

1907

1386

1911

1390

/usr/include/pcap.h

1912

1391

/usr/local/include/pcap.h

1913

1392

</pre>

1914

1915

and

1393

and

1916

1394

1917

1395

1918

1396

<pre>

1926

1404

/usr/local/lib/libpcap.so.0.7.2

1927

1405

/usr/local/lib/libpcap.so.0.7

1928

1406

</pre>

1929

1930

If all you give ./configure is --with-pcap-header=/usr/local/lib

1407

If all you give ./configure is --with-pcap-header=/usr/local/lib

1931

1408

1932

1409

1933

1410

<pre>

1935

1412

* At link time, it finds the libpcap.so in the 'default',

1936

1413

/usr/lib/libpcap.so which is actually libpcap.so.0.6.2

1937

1414

</pre>

1938

1939

ntop did EXACTLY what you told it to do. The fact that it makes no

1415

ntop did EXACTLY what you told it to do. The fact that it makes no

1940

1416

sense is a problem, so you get the error message.

1941

1417

1942

1418

1943

1944

Q.

1945

So the real solution is?

1946

1947

1948

A.

1949

Give ntop pointers to consistent sets of header and library files, and maybe

1950

don't have multiple versions of the same library installed at once.

1951

1952

1953

1954

Q.

1955

I'm done compiling and it works/doesn't work, what do I do?

1956

1957

1958

A.

1959

make install (You'll typically need to be root for this to work)

1960

1961

1962

1963

Q.

1964

Anything else?

1965

1966

1967

A.

1968

Yes. Run the "census" - this will send us an email telling us what's

1969

working and what's not working. The census sends me the basics - uname

1970

information, autotool versions, version.c. The domain name is blinded,

1971

and the script will show you the file before it's sent (you'll have 10

1972

seconds to press control-c to abort).

1973

1974

1975

If things work ok, then send the census information via

1976

1977

1978

<pre>

1979

make census-ok

1980

</pre>

1981

1982

If you have problems, the create the census information via

1983

1984

1985

<pre>

1986

make census-fail

1987

</pre>

1988

1989

Edit it to describe the problem and send it to census@ntopsupport.com

1990

1991

1992

1993

Q.

1994

I'm seeing a lot of "changing search order for system directory" messages?

1995

1996

1997

A.

1998

It's not a problem, just confusing. This warning, which appears if you

1999

redefine the system include directory, causes lots of confusion. Supposedly,

1419

Q.  So the real solution is?

1420

A.  Give ntop pointers to consistent sets of header and library files, and maybe don't have multiple versions of the same library installed at once.

1421

1422

1423

Q.  I'm done compiling and it works/doesn't work, what do I do?

1424

A.  make install (You'll typically need to be root for this to work)

1425

1426

Q.  I'm seeing a lot of "changing search order for system directory" messages?

1427

A.  It's not a problem, just confusing. This warning, which appears if you redefine the system include directory, causes lots of confusion. Supposedly,

2000

1428

according to this http://gcc.gnu.org/ml/gcc-bugs/2002-10/msg01080.html,

2001

1429

it wasn't fixed in gcc 3.2.0, but should be fixed in gcc 3.2.1.

2002

1430

2003

2004

According to this: http://gcc.gnu.org/onlinedocs/cpp/Invocation.html,

1431

According to this: http://gcc.gnu.org/onlinedocs/cpp/Invocation.html,

2005

1432

it's truly harmless on systems which already have /usr/local/include as

2006

1433

a standard system library:

2007

1434

2017

1444

</pre>

2018

1445

<h2>Other ./configure features</h2>

2019

1446

2020

2021

Q.

2022

How do I update the Vendor Table (MAC address prefixes)?

2023

2024

2025

A.

2026

ntop has (in Makefile), a rule to automatically download the latest vendor

2027

information table from the IEEE, the oui.txt file ntop reads.

2028

2029

2030

If you are seeing unknown MAC address prefixes (the 1st three units), try

1447

Q.  How do I update the Vendor Table (MAC address prefixes)?

1448

A.  ntop has (in Makefile), a rule to automatically download the latest vendor information table from the IEEE, the oui.txt file ntop reads.

1449

1450

If you are seeing unknown MAC address prefixes (the 1st three units), try

2031

1451

the full IEEE table. To rebuild it:

2032

1452

2033

1453

2034

1454

<pre>

2035

1455

# make dnvt

2036

1456

</pre>

2037

2038

and then copy the new oui.txt over the one installed by ntop originally.

1457

and then copy the new oui.txt over the one installed by ntop originally.

2039

1458

2040

2041

Also note that the table changes over time - there are almost 600

1459

Also note that the table changes over time - there are almost 600

2042

1460

Modifications and/or new assignments between the version shipped with

2043

1461

ntop 2.0 and the version on the IEEE site in February 2002.

2044

1462

2045

1463

2046

2047

Q.

2048

How do I update the passive ethernet fingerprint database?

2049

2050

2051

A.

2052

ntop has (in Makefile), a rule to automatically download the latest

2053

ettercap file from SourceForge:

1464

Q.  How do I update the passive ethernet fingerprint database?

1465

A.  ntop has (in Makefile), a rule to automatically download the latest ettercap file from SourceForge:

2054

1466

2055

1467

2056

1468

<pre>

2057

1469

# make dnetter

2058

1470

</pre>

2059

2060

It will also compress the file and tell you how big the old and new files

1471

It will also compress the file and tell you how big the old and new files

2061

1472

were.

2062

1473

2063

1474

2064

2065

Q.

2066

How do I update the IP to Country Code table?

2067

2068

2069

A.

2070

Again, ntop has (in Makefile), a rule to automatically download the

2071

latest data and build the file.

1475

Q.  How do I update the IP to Country Code table?

1476

A.  Again, ntop has (in Makefile), a rule to automatically download the latest data and build the file.

2072

1477

2073

1478

2074

1479

<pre>

2075

1480

# make p2c

2076

1481

</pre>

2077

2078

Note that this is actually a fairly complex script (utils/p2c) and is

1482

Note that this is actually a fairly complex script (utils/p2c) and is

2079

1483

dependent upon data posted to supposedly well known locations by the various

2080

1484

internet number authorities (APNIC, RIPE, etc.)

2081

1485

2082

2083

It's a LOT of data to download so don't do this on a site with a slow

1486

It's a LOT of data to download so don't do this on a site with a slow

2084

1487

link to the internet. Also, read the output carefully and DO NOT apply a

2085

1488

file if there are messages you don't understand.

2086

1489

2087

1490

2088

2089

Q.

2090

But the IP -> CC data is wrong.

2091

2092

2093

A.

2094

Yeah. Most people don't care :-(... it's enough to see various pretty

2095

flags.

2096

2097

2098

Sadly, the registries often post files with errors in them. Some Tier

1491

Q.  But the IP -> CC data is wrong.

1492

A.  Yeah. Most people don't care :-(... it's enough to see various pretty flags.

1493

1494

Sadly, the registries often post files with errors in them. Some Tier

2099

1495

1 ISPs post their own data to elaborate on the registry data. Most ISPs

2100

1496

don't post data. Some entries in the files make 'logical' sense, but not

2101

1497

physical sense.

2102

1498

2103

2104

If you find another set of data, let us know - the shell script is pretty

1499

If you find another set of data, let us know - the shell script is pretty

2105

1500

easy to follow to add another data source.

2106

1501

2107

2108

The user who used to care about this (Mr. Anon E. Mouse) used to send me

1502

The user who used to care about this (Mr. Anon E. Mouse) used to send me

2109

1503

a file of corrections to apply to the file we posted with ntop.

2110

1504

2111

2112

If such a file exists, it would be posted @ SourceForge in the user

1505

If such a file exists, it would be posted @ SourceForge in the user

2113

1506

contributed area.

2114

1507

1508

1509

Q.  I have installed ntop for OSX but I cannot start it as I have installed some libraries using fink and ntop cannot find them.

1510

1511

A.  The easiest thing to do is to do: ln -s /sw/lib/myfinklibrary /usr/local/lib Courtesy of Matthew Scholz <matts@discovery.org>

1512

2115

1513

<h2>Running - Startup</h2>

2116

1514

2117

2118

Q.

2119

ntop won't start - I get this message:

2120

1515

Q.  ntop won't start - I get this message:

2121

1516

<pre>

2122

1517

** FATAL ERROR** ... open of /var/ntop/addressQueue.db failed:

2123

1518

File open error

2124

1519

</pre>

2125

2126

A.

2127

It's either permissions (the ntop -u userid doesn't have read/write access

2128

to that file - common if you're upgrading from 2.2 to 3.0).

1520

A.  It's either permissions (the ntop -u userid doesn't have read/write access to that file - common if you're upgrading from 2.2 to 3.0).

2129

1521

2130

2131

The other cause is that there's still an instance of ntop running. Make

1522

The other cause is that there's still an instance of ntop running. Make

2132

1523

sure you shutdown ntop before starting it.

2133

1524

2134

1525

2135

2136

Q.

2137

What is the function of the 'ntop' script in the build directory - should I

2138

call it or /usr/local/bin/ntop ?

2139

2140

2141

A.

2142

(from the comments in the script):

2143

1526

Q.  What is the function of the 'ntop' script in the build directory - should I call it or /usr/local/bin/ntop ?

1527

1528

A.  (from the comments in the script):

2144

1529

2145

1530

<pre>

2146

1531

# ntop - temporary wrapper script for .libs/ntop

2152

1537

# This wrapper script should never be moved out of the build directory.

2153

1538

# If it is, it will not operate correctly.

2154

1539

</pre>

2155

2156

It allows you to run ntop out of the build directory before doing a "make

1540

It allows you to run ntop out of the build directory before doing a "make

2157

1541

install" by doing all the necessary linkage magic - such as forcing a relink

2158

1542

if it didn't succeed originally - to the files in .libs.

2159

1543

2160

2161

Think of it as simulating make install, but not moving stuff to /usr/local

1544

Think of it as simulating make install, but not moving stuff to /usr/local

2162

1545

or wherever.

2163

1546

2164

2165

Don't use it - it just causes problems...

1547

Don't use it - it just causes problems...

2166

1548

2167

1549

2168

2169

Q.

2170

Which libraries do I need?

2171

2172

2173

A.

2174

To run ntop: glibc, gdbm, libpcap

2175

1550

Q.  Which libraries do I need?

1551

A.  To run ntop: glibc, gdbm, libpcap

2176

1552

<pre>

2177

1553

For https://, add openssl.

2178

1554

For other tools and compile options, add the appropriate libraries.

2179

1555

</pre>

2180

1556

2181

2182

Q.

2183

ntop seems to run, but the web server isn't up.

2184

2185

2186

A.

2187

Set the password - see docs/1STRUN.TXT

2188

2189

2190

2191

Q.

2192

How do you reset Admin password if we lost it?

2193

2194

2195

A.

2196

Delete ntop_pw.db and follow the procedure in docs/1STRUN.txt

2197

2198

2199

2200

Q.

2201

I'm being prompted to set a password, what do I enter.

2202

2203

2204

A.

2205

Anything you want, of 5 or more characters. If ntop can't find the value

2206

in it's database, it will prompt you to set on. If this happens every

1557

Q.  ntop seems to run, but the web server isn't up.

1558

A.  Set the password - see docs/1STRUN.TXT

1559

1560

Q.  How do you reset Admin password if we lost it?

1561

A.  Delete ntop_pw.db and follow the procedure in docs/1STRUN.txt

1562

1563

Q.  I'm being prompted to set a password, what do I enter.

1564

A.  Anything you want, of 5 or more characters. If ntop can't find the value in it's database, it will prompt you to set on. If this happens every

2207

1565

time you start ntop, check the permissions on the ntop_pw.db file.

2208

1566

2209

1567

2210

2211

Q.

2212

How does the @filename option work e.g. /usr/bin/ntop ... @filename ...

2213

2214

2215

A.

2216

The text of 'filename', is copied - ignoring line breaks and

2217

comments (anything following a #) - into the command line.

2218

2219

2220

ntop behaves as if all of the text had simply been typed directly

1568

Q.  Characters after the 8th are being ignored in my password.

1569

A.  Probably. ntop uses the standard crypt() function provided by the OS.

1570

While crypt() is required part of the single unix specification, the

1571

details are implementation dependent. Whatever the limitations of crypt()

1572

are, that what ntop's limits are.

1573

1574

Unfortunately, there's no way to tell programatically what these limits are,

1575

you have to refer to the man page for crypt(3).

1576

1577

There is a "GNU EXTENSION" to crypt() which implies that changing the 'salt'

1578

ntop uses would allow longer passwords. That's set via CONST_CRYPT_SALT in

1579

globals-defines.h, but AFAIK this hasn't been tested.

1580

1581

1582

Q.  How does the @filename option work e.g. /usr/bin/ntop ... @filename ...

1583

A.  The text of 'filename', is copied - ignoring line breaks and comments (anything following a #) - into the command line.

1584

1585

ntop behaves as if all of the text had simply been typed directly

2221

1586

on the command line. Multiple @s are permitted in the command

2222

1587

line, nesting is not. @s in the file will cause an error.

2223

1588

2224

2225

Both are displayed on the info.html report, the "Started as"

1589

Both are displayed on the info.html report, the "Started as"

2226

1590

shows the actual command line ntop was given and the

2227

1591

"Resolved to" shows what ntop processed.

2228

1592

2229

2230

Started as /usr/bin/ntop -i eth0,eth1 @/root/ntop_parms -d -L

1593

Started as /usr/bin/ntop -i eth0,eth1 @/root/ntop_parms -d -L

2231

1594

2232

2233

with /root/ntop_parms containing:

1595

with /root/ntop_parms containing:

2234

1596

2235

1597

2236

1598

<pre>

2244

1606

-E

2245

1607

-K

2246

1608

</pre>

2247

2248

becomes:

1609

becomes:

2249

1610

2250

2251

Resolved to /usr/bin/ntop -i eth0,eth1 -p /usr/share/ntop/protocol.list

1611

Resolved to /usr/bin/ntop -i eth0,eth1 -p /usr/share/ntop/protocol.list

2252

1612

2253

1613

<pre>

2254

1614

-P /usr/share/ntop -w 192.168.42.38 -u ntop --trace-level 3

2255

1615

-m 12.239.0.0/16,10.113.0.0/16 -E -K -d -L

2256

1616

</pre>

2257

2258

Remember, most ntop options are "sticky", that is they just set an

1617

Remember, most ntop options are "sticky", that is they just set an

2259

1618

internal flag. Invoking them multiple times doesn't change ntop's

2260

1619

behavior. However, options that set a value, such as --trace-level,

2261

1620

will use the LAST value given: --trace-level 2 --trace-level 3 will

2262

1621

run as --trace-level 3.

2263

1622

2264

2265

It is recommended that you use FULL pathnames for @filename, since

1623

It is recommended that you use FULL pathnames for @filename, since

2266

1624

ntop may have different effective directories when run in different

2267

1625

ways. However, you may wish to use relative pathnames to take

2268

1626

advantage of the different effective directories (say cron vs.

2269

1627

command line). Just know where you're starting.

2270

1628

2271

1629

2272

2273

Q.

2274

ntop seems to run but I don't see any traffic.

2275

2276

2277

A.

2278

Make sure you aren't running against the loopback (127.0.0.1) interface.

2279

lo shouldn't see much traffic, only that originating on the host destined

1630

Q.  ntop seems to run but I don't see any traffic.

1631

A.  Make sure you aren't running against the loopback (127.0.0.1) interface. lo shouldn't see much traffic, only that originating on the host destined

2280

1632

for it (e.g. ping 127.0.0.1).

2281

1633

2282

1634

2283

2284

Q.

2285

ntop is unable to open its database file. Specifically:

2286

I have following messages while running ntop

1635

Q.  ntop is unable to open its database file. Specifically: I have following messages while running ntop

2287

1636

2288

1637

2289

1638

<pre>

2291

1640

24/Jul/2003 15:15:23 Initializing IP services...

2292

1641

2293

1642

24/Jul/2003 15:15:23 Initializing GDBM...

2294

24/Jul/2003 15:15:23 Database '/var/ntop/addressCache.db' open failed: File

2295

open error

1643

24/Jul/2003 15:15:23 ***FATAL_ERROR*** open of ...name... failed: can't be writer

2296

1644

24/Jul/2003 15:15:23 Possible solution: please use '-P <directory>'

2297

1645

</pre>

2298

2299

A.

2300

Multiple possible choices...

2301

2302

<pre>

2303

1. The directory /var/ntop doesn't exist. Create it or, as the message

2304

says, use the -P parameter to point ntop at another directory.

2305

2. You many not have read/write rights in /var/ntop - if you're running in

2306

non-promiscuous mode from a user other than root.

2307

3. Another instance of ntop may already be running, so it has the file open

2308

and locked.

2309

</pre>

1646

A.  Multiple possible choices...

1647

* Another ntop already running

1648

1649

(Most common) You forgot the -P parameter, and ntop is using a default value that

1650

doesn't exist. Just as the message says, use the -P parameter to point ntop at

1651

the directory you want it to use.

1652

1653

* Some sort of file system problem (non-existent directory, permissions, etc.)

1654

1655

1. The directory shown doesn't exist. Create it.

1656

1657

2. You many not have read/write rights in that directory.

1658

This can occur if you run ntop both as root and (as recommended) as a non-root user.

1659

1660

3. Another instance of ntop may already be running, so it has the file open and locked.

1661

2310

1662

2311

2312

Q.

2313

What's inside the .db files and what's their format?

2314

2315

2316

A.

2317

The files are stored in GDBM format. You can dump their content using tools like

2318

this: http://tboudet.free.fr/dumpgdbm/. In principle you should not be

1663

Q.  What's inside the .db files and what's their format?

1664

A.  The files are stored in GDBM format. You can dump their content using tools like this: http://tboudet.free.fr/dumpgdbm/. In principle you should not be

2319

1665

interested in the file content as they are temporary caches and contain the

2320

1666

configuration as well as the MD5 hash of the web passwords.

2321

1667

2322

2323

I posted a trivial dumpgdbm.c to gmane - search for it.

1668

I posted a trivial dumpgdbm.c to gmane - search for it.

2324

1669

2325

1670

2326

2327

Q.

2328

ntop starts up with this:

2329

WARNING: Discarded network 172.20.0.0/16: this is the local network.

1671

Q.  ntop starts up with this: WARNING: Discarded network 172.20.0.0/16: this is the local network.

2330

1672

2331

2332

A.

2333

No worries. The message means exactly what it says - it's a warning that

2334

you gave the local network as one of the parameter(s) to -m. Since the

1673

A.  No worries. The message means exactly what it says - it's a warning that you gave the local network as one of the parameter(s) to -m. Since the

2335

1674

local networks are always local, ntop doesn't need to make them pseudo-local.

2336

1675

2337

1676

2338

2339

Q.

2340

What are ntop's options?

2341

2342

2343

A.

2344

There are a couple of options that appear only if they're not compiled in,

2345

and a few that depend on various external libraries, e.g. openSSL.

2346

2347

2348

The best way to see what is actually available is to run ntop with the -h or

1677

Q.  What are ntop's options?

1678

A.  There are a couple of options that appear only if they're not compiled in, and a few that depend on various external libraries, e.g. openSSL.

1679

1680

The best way to see what is actually available is to run ntop with the -h or

2349

1681

--help options and see. Also read man ntop.

2350

1682

2351

2352

Here is the FULL set of real, working options as of February 2004

2353

2354

2355

<pre>

2356

-4 | --ipv4

2357

Use IPv4 connections (for the ntop web server)

2358

-6 | --ipv6

2359

Use IPv6 connections (for the ntop web server)

2360

</pre>

2361

2362

<pre>

2363

-a <file> | --access-log-file <file>

2364

File for ntop web server access log

2365

</pre>

2366

2367

<pre>

2368

-b | --disable-decoders

2369

Disable protocol decoders

2370

</pre>

2371

2372

<pre>

2373

-c | --sticky-hosts

2374

Idle hosts are not purged from memory

2375

</pre>

2376

2377

<pre>

2378

-d | --daemon

2379

Run ntop in daemon mode

2380

</pre>

2381

2382

<pre>

2383

-e <number> | --max-table-rows <number>

2384

Maximum number of table rows to report

2385

</pre>

2386

2387

<pre>

2388

-f <file> | --traffic-dump-file <file>

2389

Traffic dump file (see tcpdump)

2390

</pre>

2391

2392

<pre>

2393

-g | --track-local-hosts

2394

Track only local hosts

2395

</pre>

2396

2397

<pre>

2398

-h | --help

2399

Display help and exit

2400

</pre>

2401

2402

<pre>

2403

-i <name> | --interface <name>

2404

Interface name or names to monitor

2405

</pre>

2406

2407

<pre>

2408

-j | --create-other-packets

2409

Create file ntop-other-pkts.XXX.pcap file

2410

</pre>

2411

2412

<pre>

2413

-o | --no-mac

2414

ntop will trust just IP addresses (no MACs)

2415

</pre>

2416

2417

<pre>

2418

-k | --filter-expression-in-extra-frame

2419

Show kernel filter expression in extra frame

2420

</pre>

2421

2422

<pre>

2423

-l <path> | --pcap-log <path>

2424

Dump packets captured to a file (debug only!)

2425

</pre>

2426

2427

<pre>

2428

-m <addresses> | --local-subnets <addresses>

2429

Local subnetwork(s) (see man page)

2430

</pre>

2431

2432

<pre>

2433

-n | --numeric-ip-addresses

2434

Numeric IP addresses - no DNS resolution

2435

</pre>

2436

2437

<pre>

2438

-p <list> | --protocols <list>

2439

List of IP protocols to monitor (see man page)

2440

</pre>

2441

2442

<pre>

2443

-q | --create-suspicious-packets

2444

Create file ntop-suspicious-pkts.XXX.pcap file

2445

</pre>

2446

2447

<pre>

2448

-r <number> | --refresh-time <number>

2449

Refresh time in seconds, default is 120

2450

</pre>

2451

2452

<pre>

2453

-s | --no-promiscuous

2454

Disable promiscuous mode

2455

</pre>

2456

2457

<pre>

2458

-t <number> | --trace-level <number>

2459

Trace level 0-6

2460

</pre>

2461

2462

<pre>

2463

-u <user> | --user <user>

2464

Userid/name to run ntop under (see man page)

2465

</pre>

2466

2467

<pre>

2468

-x <max num hash entries>

2469

Max num. hash entries ntop can handle (default 4294967295)

2470

</pre>

2471

2472

<pre>

2473

-w <port> | --http-server <port>

2474

Web server (http:) port (or address:port) to listen on

2475

</pre>

2476

2477

<pre>

2478

-z | --disable-sessions

2479

Disable TCP session tracking

2480

</pre>

2481

2482

<pre>

2483

-A

2484

Ask admin user password and exit

2485

</pre>

2486

2487

<pre>

2488

--set-admin-password=<pass>

2489

Set password for the admin user to <pass>

2490

</pre>

2491

2492

<pre>

2493

--w3c

2494

Add extra headers to make better html

2495

</pre>

2496

2497

<pre>

2498

-B <filter> | --filter-expression

2499

Packet filter expression, like tcpdump

2500

</pre>

2501

2502

<pre>

2503

-D <name> | --domain <name>

2504

Internet domain name

2505

</pre>

2506

2507

<pre>

2508

-F <spec> | --flow-spec <specs>

2509

Flow specs (see man page)

2510

</pre>

2511

2512

<pre>

2513

-K | --enable-debug

2514

Enable debug mode

2515

</pre>

2516

2517

<pre>

2518

-L

2519

Do logging via syslog

2520

</pre>

2521

2522

<pre>

2523

--use-syslog=<facility>

2524

Do logging via syslog, facility ('=' is REQUIRED)

2525

</pre>

2526

2527

<pre>

2528

-M | --no-interface-merge

2529

Don't merge network interfaces (see man page)

2530

</pre>

2531

2532

<pre>

2533

-N | --wwn-map

2534

Map file providing map of WWN to FCID/VSAN

2535

</pre>

2536

2537

<pre>

2538

-O <path> | --pcap-file-path <path>

2539

Path for log files in pcap format

2540

</pre>

2541

2542

<pre>

2543

-P <path> | --db-file-path <path>

2544

Path for ntop internal database files

2545

</pre>

2546

2547

<pre>

2548

-U <URL> | --mapper <URL>

2549

URL (mapper.pl) for displaying host location

2550

</pre>

2551

2552

<pre>

2553

-V | --version

2554

Output version information and exit

2555

</pre>

2556

2557

<pre>

2558

-X <max num TCP sessions>

2559

Max num. TCP sessions ntop can handle (default 4294967295)

2560

</pre>

2561

2562

<pre>

2563

-W <port> | --https-server <port>

2564

Web server (https:) port (or address:port) to listen on

2565

</pre>

2566

2567

<pre>

2568

--disable-instantsessionpurge

2569

Disable instant FIN session purge

2570

</pre>

2571

2572

<pre>

2573

--disable-mutexextrainfo

2574

Disable extra mutex info

2575

</pre>

2576

2577

<pre>

2578

--disable-schedyield

2579

Turn off sched_yield() calls, if ntop is deadlocking on them

2580

</pre>

2581

2582

<pre>

2583

--disable-stopcap

2584

Capture packets even if there's no memory left

2585

</pre>

2586

2587

<pre>

2588

--fc-only

2589

Display only Fibre Channel statistics

2590

</pre>

2591

2592

<pre>

2593

--no-fc

2594

Disable processing & Display of Fibre Channel

2595

</pre>

2596

2597

<pre>

2598

--no-invalid-lun

2599

Don't display Invalid LUN information

2600

</pre>

2601

2602

<pre>

2603

--p3p-cp

2604

Set return value for p3p compact policy, header

2605

</pre>

2606

2607

<pre>

2608

--p3p-uri

2609

Set return value for p3p policyref header

2610

</pre>

2611

2612

<pre>

2613

--set-pcap-nonblocking

2614

Call pcap_setnonblock

2615

</pre>

2616

2617

<pre>

2618

--skip-version-check

2619

Skip ntop version check

2620

</pre>

2621

2622

<pre>

2623

--ssl-watchdog

2624

Use ssl watchdog (NS6 problem)

2625

</pre>

2626

1683

2627

2628

Q.

2629

-4 and -6?

2630

2631

2632

A.

2633

The default for the ntop web server is to connect to any address and any family

2634

of addresses, so if the NIC has both IPv4 and IPv6 addresses it should respond

1684

Q.  -4 and -6?

1685

A.  The default for the ntop web server is to connect to any address and any family of addresses, so if the NIC has both IPv4 and IPv6 addresses it should respond

2635

1686

to both. Use these to restrict the web server.

2636

1687

2637

1688

2638

2639

Q.

2640

--trace-level?

2641

2642

2643

A.

2644

The settings 0..4 control the amount of information logged or displayed.

2645

5 adds a [MSGIDnnnn] field and 6 adds the file:line where the message originated.

2646

-t 5 can be useful with a log watch type package, -t 6 is mostly for debugging.

2647

2648

2649

-t 5:

1689

Q.  --trace-level?

1690

A.  The settings 0..4 control the amount of information logged or displayed. DETAIL (5) adds a [MSGIDnnnn] field and (VERYNOISY) 6 or greater adds the

1691

file:line where the message originated.

1692

1693

-t 5 can be useful with a log watch type package, -t 6 is mostly for debugging.

1694

1695

-t 5:

2650

1696

2651

1697

<pre>

2652

1698

[MSGID8757584] OSFP: scanFingerprintLoop() checked 1, resolved 1

2653

1699

</pre>

2654

2655

-t 6:

1700

-t 6:

2656

1701

2657

1702

<pre>

2658

1703

[MSGID8757584] [ntop:698] OSFP: scanFingerprintLoop() checked 1, resolved 1

2659

1704

</pre>

1705

With 3.2 we've added VERYNOISY and (7) BEYONDNOISY ... they do pretty much what they

1706

say. Have LOTS of log space available.

1707

2660

1708

2661

2662

Q.

2663

ntop starts up find and then seems to die.

2664

2665

2666

A.

2667

Are the ntop threads still there? Use ps to check, for example:

2668

# ps -C ntop -m -o "uid,pid,ppid,stat,time,command"

1709

Q.  ntop starts up find and then seems to die.

1710

A.  Are the ntop threads still there? Use ps to check, for example: # ps -C ntop -m -o "uid,pid,ppid,stat,time,command"

2669

1711

2670

1712

2671

1713

<pre>

2680

1722

501 18336 18330 R 00:00:32 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...

2681

1723

501 18337 18330 S 00:00:41 /usr/bin/ntop -i eth1,eth2 @/etc/ntop.conf...

2682

1724

</pre>

2683

2684

The 'PID' numbers match the THREADMGMT: numbers in the log:

1725

The 'PID' numbers match the THREADMGMT: numbers in the log:

2685

1726

2686

1727

2687

1728

<pre>

2695

1736

</pre>

2696

1737

2697

1738

<pre>

2698

ntop[18327]: THREADMGMT: Started thread (16386) for network packet analyser

1739

ntop[18327]: THREADMGMT[t105061296]: SFP: Started thread for fingerprinting

2699

1740

A message is issued for each thread started.

2700

^^^^^ is the 'internal' thread #.

2701

Ignore it

2702

ntop[18331]: THREADMGMT: Packet processor thread running...

2703

^^^^^ is the child thread. Each one issues a message as it starts up

2704

</pre>

2705

2706

<pre>

2707

ntop[18327]: THREADMGMT: Started thread (32771) for idle hosts detection

2708

ntop[18332]: THREADMGMT: Idle host scan thread running...

2709

ntop[18327]: THREADMGMT: Started thread (49156) for DNS address resolution

2710

ntop[18333]: THREADMGMT: Address resolution thread running...

2711

ntop[18334]: THREADMGMT: rrd thread (65541) started

2712

ntop[18327]: THREADMGMT: Started thread (81926) for web server

2713

ntop[18335]: THREADMGMT: web connections thread (18335) started...

2714

ntop[18327]: THREADMGMT: Started thread (98311) for network packet sniffing on eth1

2715

ntop[18336]: THREADMGMT: pcap dispatch thread running...

2716

ntop[18327]: THREADMGMT: Started thread (114696) for network packet sniffing on eth2

2717

ntop[18337]: THREADMGMT: pcap dispatch thread running...

2718

</pre>

2719

2720

So:

1741

t^^^^^^^^^ is the 'internal' thread #. Ignore it

1742

ntop[18331]: THREADMGMT[t105061296]: SFP: Fingerprint scan thread starting [18331]

1743

p^^^^^

1744

is the child pid. Each one issues a message as it starts up

1745

</pre>

1746

So:

2721

1747

2722

1748

2723

1749

<pre>

2731

1757

501 18335 18330 S 00:00:00 Web Server

2732

1758

501 18336 18330 R 00:00:32 eth1

2733

1759

501 18337 18330 S 00:00:41 eth2

2734

i

2735

If you connect to the running ntop via gdb, you can see this:

2736

1760

</pre>

2737

2738

$ gdb /usr/bin/ntop 18327

1761

If you connect to the running ntop via gdb, you can see this:

1762

1763

$ gdb /usr/bin/ntop 18327

2739

1764

(gdb) info threads

2740

1765

2741

1766

<pre>

2762

1787

1 Thread 16384 (LWP 18327) 0x420b0226 in nanosleep () from

2763

1788

/lib/i686/libc.so.6

2764

1789

</pre>

2765

2766

(gdb) thread 2

1790

(gdb) thread 2

2767

1791

2768

1792

<pre>

2769

1793

^^^^^^^^ switch to thread 2 and see it's state

2770

1794

</pre>

2771

2772

[Switching to thread 2 (Thread 32769 (LWP 18330))]#0 0x420db1a7 in

1795

[Switching to thread 2 (Thread 32769 (LWP 18330))]#0 0x420db1a7 in

2773

1796

2774

1797

<pre>

2775

1798

poll () from /lib/i686/libc.so.6

2776

1799

</pre>

2777

2778

(gdb) info stack

1800

(gdb) info stack

2779

1801

2780

1802

<pre>

2781

1803

^^^^^^^^^^ check the call stack

2782

1804

</pre>

2783

2784

#0 0x420db1a7 in poll () from /lib/i686/libc.so.6

1805

#0 0x420db1a7 in poll () from /lib/i686/libc.so.6

2785

1806

#1 0x4024f9de in __pthread_manager () from /lib/i686/libpthread.so.0

2786

1807

2787

1808

<pre>

2788

1809

^^^^^^^^^^^^^^^^^ running __pthread_manager

2789

1810

</pre>

2790

1811

2791

2792

Q.

2793

All the threads seem to be running ok.

2794

2795

2796

A.

2797

Check if there's one that looks like this:

2798

1812

Q.  All the threads seem to be running ok.

1813

A.  Check if there's one that looks like this:

2799

1814

2800

1815

<pre>

2801

1816

4 Thread 32771 (LWP 27295) 0x420cd207 in sched_yield () from

2802

1817

/lib/i686/libc.so.6

2803

1818

</pre>

2804

2805

Let ntop run a few more seconds (cont command), then check again.

1819

Let ntop run a few more seconds (cont command), then check again.

2806

1820

2807

2808

If it's frozen in the sched_yield, you're probably tripping a deadlock

1821

If it's frozen in the sched_yield, you're probably tripping a deadlock

2809

1822

situation that we've seen but don't understand - There's a lot of

2810

1823

stuff on the 'net, including what seems to be the same problem with

2811

1824

other resource intensive tools but no clear answers.

2812

1825

2813

2814

This happens most often on RedHat Linux 8.0 (9 uses a different

1826

This happens most often on RedHat Linux 8.0 (9 uses a different

2815

1827

threading library and the issue hasn't been reported there).

2816

1828

2817

2818

Regardless, if you see the deadlock or just have a hung ntop, there is a

1829

Regardless, if you see the deadlock or just have a hung ntop, there is a

2819

1830

run time option to try: --disable-schedyield. This option disables the

2820

1831

calls at a slight penalty to ntop's interactivness. If you're experiencing

2821

1832

the deadlocks, try it.

2822

1833

2823

2824

And, especially if you're running something other than RedHat 8, please

1834

And, especially if you're running something other than RedHat 8, please

2825

1835

let the ntop-dev list know about it.

2826

1836

2827

1837

2828

2829

Q.

2830

But what about SQL and mySQL

2831

2832

2833

A.

2834

Removed in 2.1.50+ versions - use rrd

2835

2836

2837

2838

Q.

2839

But I really, really, need the data in an sql database.

2840

2841

2842

A.

2843

If you are only interested in saving your netflow data in MySQL, use the

2844

script ntop/NetFlow/netFlowClient.pl (netflow v5). With few additional lines

2845

you could save your data in flat files, forward the netflow data or whatever.

2846

2847

2848

What this script does it set itself up as a netflow collector and sql

2849

inserter. The main loop just accepts a netflow packet and inserts the flow(s)

2850

into sql.

2851

2852

2853

To use this with a single instance of ntop, just set ntop up as a netflow

2854

sender, directed at the script (e.g. 127.0.0.1 on any port you like).

2855

Configure the script with the port # and run it.

2856

2857

2858

The same idea would work with sFlow, you would just have to change the packet

2859

decoding part of the script.

2860

2861

2862

<pre>

2863

Q: How does ntop use lsof? nmap?

2864

</pre>

2865

2866

A.

2867

ntop no longer uses these external tools.

2868

2869

2870

OS fingerprinting was replaced by ettercap.

2871

2872

2873

If you need lsof data, you should ssh to the host and run it locally (this

2874

allows the sysadmin to put appropriate security on lsof).

2875

2876

2877

2878

Q.

2879

Can I set the admin password from a script?

2880

2881

2882

A.

2883

Yes, you can call ntop with the option:

2884

2885

<pre>

2886

ntop --set-admin-password=password

2887

</pre>

2888

2889

2890

Q.

2891

What's this warning about ownership?

2892

2893

2894

A.

2895

The first time you run make install and ntop creates a new

2896

directory for ntop's files, there's a problem. So you'll

1838

Q.  Can I set the admin password from a script?

1839

A.  Yes, you can call ntop with the option:

1840

<pre>

1841

ntop --set-admin-password=password

1842

</pre>

1843

1844

Q.  What's this warning about ownership?

1845

A.  The first time you run make install and ntop creates a new directory for ntop's files, there's a problem. So you'll

2897

1846

see this warning box:

2898

1847

2899

1848

2933

1882

************************************************************

2934

1883

************************************************************

2935

1884

</pre>

2936

2937

Since root created the directory, root is the owner. And since we don't

1885

Since root created the directory, root is the owner. And since we don't

2938

1886

know - yet - what user ntop is going to be run as, we can't issue the

2939

1887

chown (CHange OWNership) command for you.

2940

1888

2941

1889

2942

2943

Q.

2944

And if I don't do this?

2945

2946

2947

A.

2948

ntop won't run. Typically you get a message about a bad -P file or

2949

endless prompts for the admin password.

1890

Q.  And if I don't do this?

1891

A.  ntop won't run. Typically you get a message about a bad -P file or endless prompts for the admin password.

2950

1892

2951

1893

2952

2953

Q.

2954

I can't merge interfaces (-M option)?

2955

2956

2957

A.

2958

Check your plugins and see if either netFlow or sFlow is active.

2959

Regardless of whether you're using them, if they're active, they

1894

Q.  I can't merge interfaces (-M option)?

1895

A.  Check your plugins and see if either netFlow or sFlow is active. Regardless of whether you're using them, if they're active, they

2960

1896

(silently) force the -M switch on.

2961

1897

1898

If you have used the web configuration to set this, you may be

1899

unintentionally overriding your command line.

1900

1901

With v3.2 there are log messages telling you what sets interface

1902

merge.

1903

1904

1905

<pre>

1906

NOTE: Interface merge disabled by default

1907

NOTE: Interface merge enabled by default

1908

NOTE: Interface merge disabled from prefs file

1909

NOTE: Interface merge enabled from prefs file

1910

NOTE: Interface merge disabled due to command line switch

1911

</pre>

2962

1912

2963

2964

Q.

2965

Explain -u.

2966

2967

2968

A.

2969

-u root means that you are running ntop as root. It means you don't drop

2970

root's superuser privledges, so pretty much you can read/write any file.

1913

Q.  Explain -u.

1914

A.  -u root means that you are running ntop as root. It means you don't drop root's superuser privledges, so pretty much you can read/write any file.

2971

1915

It's not a good idea. While we're not aware of any security problems with

2972

1916

ntop, programs that run as root are targets.

2973

1917

2974

2975

-u ntop (or -u whatever) means you run as a normal user and can be assigned

1918

-u ntop (or -u whatever) means you run as a normal user and can be assigned

2976

1919

only the privledges necessary to run ntop. It also means you can only read/

2977

1920

write files as ntop. So less is exposed.

2978

1921

2979

2980

For even better security, the -u userid should not have a valid shell, so

1922

For even better security, the -u userid should not have a valid shell, so

2981

1923

people can't use it to login.

2982

1924

2983

1925

2984

2985

Q.

2986

What are the options that reduce ntop's workload?

2987

2988

2989

A.

2990

These options turn off certain processing (and thus limit ntop's

2991

functionality), and may be appropriate for high volume installations.

2992

2993

2994

-b | --disable-decoders

1926

Q.  What are the options that reduce ntop's workload?

1927

A.  These options turn off certain processing (and thus limit ntop's functionality), and may be appropriate for high volume installations.

1928

1929

-b | --disable-decoders

2995

1930

2996

1931

2997

1932

<pre>

3045

1980

21 or smtp's 25) (or there is a non-ftp or smtp request on the

3046

1981

standard ports), the packet is logged.

3047

1982

</pre>

3048

3049

-g | --track-local-hosts

1983

-g | --track-local-hosts

3050

1984

3051

1985

3052

1986

<pre>

3073

2007

This switch could be used to run ntop on low-end CPUs or where ntop is

3074

2008

acting as a collector (netFlow or sFlow) and the GUI is not required.

3075

2009

</pre>

3076

3077

-o | --no-mac

2010

-o | --no-mac

3078

2011

3079

2012

3080

2013

<pre>

3114

2047

<pre>

3115

2048