<!-- Creator : groff version 1.18.1 -->
<!-- CreationDate: Wed Aug 31 11:25:44 2005 -->
<meta name="generator" content="groff -Thtml, see www.gnu.org">
<meta name="Content-Style" content="text/css">
<!-- Added by insertssi -->
<link rel=stylesheet href="/style.css" type="text/css">
<!--#include virtual="/menuHead.html" -->
<!--#include virtual="/menuBody.html" -->
<h1 align=center>NTOP</h1>
<a href="#NAME">NAME</a><br>
<a href="#SYNOPSIS">SYNOPSIS</a><br>
<a href="#DESCRIPTION">DESCRIPTION</a><br>
<a href="#COMMAND−LINE OPTIONS">COMMAND−LINE OPTIONS</a><br>
<a href="#WEB VIEWS">WEB VIEWS</a><br>
<a href="#NOTES">NOTES</a><br>
<a href="#SEE ALSO">SEE ALSO</a><br>
<a href="#PRIVACY NOTICE">PRIVACY NOTICE</a><br>
<a href="#USER SUPPORT">USER SUPPORT</a><br>
<a href="#AUTHOR">AUTHOR</a><br>
<a href="#LICENCE">LICENCE</a><br>
<a href="#ACKNOWLEDGMENTS">ACKNOWLEDGMENTS</a><br>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<p>ntop − display top network users</p>
<a name="SYNOPSIS"></a>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<p><b>ntop</b> [<b>@filename</b>]
[<b>-a</b>|<b>--access-log-file</b> <i>&lt;path&gt;</i>]
[<b>-b</b>|<b>--disable-decoders</b>]
[<b>-c</b>|<b>--sticky-hosts</b>]
[<b>-e</b>|<b>--max-table-rows</b>]
[<b>-f</b>|<b>--traffic-dump-file</b> <i>&lt;file&gt;</i>]
[<b>-g</b>|<b>--track-local-hosts</b>]
[<b>-h</b>|<b>--help</b>]
[<b>-j</b>|<b>--create-other-packets</b>]
[<b>-l</b>|<b>--pcap-log</b> <i>&lt;path&gt;</i>]
[<b>-m</b>|<b>--local-subnets</b> <i>&lt;addresses&gt;</i>]
[<b>-n</b>|<b>--numeric-ip-addresses</b>]
[<b>-o</b>|<b>--no-mac</b>] [<b>-p</b>|<b>--protocols</b>
[<b>-q</b>|<b>--create-suspicious-packets</b>]
[<b>-r</b>|<b>--refresh-time</b> <i>&lt;number&gt;</i>]
[<b>-s</b>|<b>--no-promiscuous</b>]
[<b>-t</b>|<b>--trace-level</b> <i>&lt;number&gt;</i>]
[<b>-x</b> <i>&lt;max_num_hash_entries&gt;</i>]
[<b>-w</b>|<b>--http-server</b> <i>&lt;port&gt;</i>]
[<b>-z</b>|<b>--disable-sessions</b>]
[<b>-A</b>|<b>--set-admin-password</b> <i>password</i>]
[<b>-B</b>|<b>--filter-expression</b> <i>expression</i>]
[<b>-C</b> <i>&lt;config</i>mode&gt;<i>]</i>
[<b>-D</b>|<b>--domain</b> <i>&lt;name&gt;</i>]
[<b>-F</b>|<b>--flow-spec</b> <i>&lt;specs&gt;</i>]
[<b>-M</b>|<b>--no-interface-merge</b>]
[<b>-N</b>|<b>--wwn-map</b>]
[<b>-O</b>|<b>--output-packet-path</b>]
[<b>-P</b>|<b>--db-file-path</b> <i>&lt;path&gt;</i>]
[<b>-Q</b>|<b>--spool-file-path</b> <i>&lt;path&gt;</i>]
[<b>-U</b>|<b>--mapper</b> <i>&lt;URL&gt;</i>]
[<b>-V</b>|<b>--version</b>] [<b>-X</b>
<i>&lt;max_num_TCP_sessions&gt;</i>]
[<b>--disable-instantsessionpurge</b>]
[<b>--disable-mutexextrainfo</b>]
[<b>--disable-schedyield</b>] [<b>--disable-stopcap</b>]
[<b>--fc-only</b>] [<b>--instance</b>] [<b>--no-fc</b>]
[<b>--no-invalid-lun</b>] [<b>--p3p-cp</b>]
[<b>--p3p-uri</b>] [<b>--skip-version-check</b>]
[<b>--w3c</b>] [<b>-4</b>|<b>--ipv4</b>]
[<b>-6</b>|<b>--ipv6</b>]</p>
<p>[<b>-d</b>|<b>--daemon</b>] [<b>-i</b>|<b>--interface</b>
<i>&lt;name&gt;</i>] [<b>-u</b>|<b>--user</b>
<i>&lt;user&gt;</i>] [<b>-K</b>|<b>--enable-debug</b>]
[<b>-L</b>] [<b>--pcap_setnonblock</b>]
[<b>--use-syslog=</b> <i>&lt;facility&gt;</i>]
[<b>--webserver-queue</b> <i>&lt;number&gt;</i>]</p>
<p>Windows option:</p>
<p>[<b>-i</b>|<b>--interface</b>
<i>&lt;number|name&gt;</i>]</p>
<p>OpenSSL options:</p>
<p>[<b>-W</b>|<b>--https-server</b> <i>&lt;port&gt;</i>]
[<b>--ssl-watchdog</b>]</p>
<a name="DESCRIPTION"></a>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>ntop</b> shows the current network usage. It displays
a list of hosts that are currently using the network and
reports information concerning the (IP and non-IP) traffic
generated and received by each host. <b>ntop</b> may operate
as a front-end collector (sFlow and/or netFlow plugins) or
as a stand-alone collector/display program. A web browser is
needed to access the information captured by the <b>ntop</b>
<p><b>ntop</b> is a hybrid layer 2 / layer 3 network
monitor; that is, by default it uses both the layer 2 Media
Access Control (MAC) addresses and the layer 3 TCP/IP addresses.
<b>ntop</b> is capable of associating the two, so that IP
and non-IP traffic (e.g. ARP, RARP) are combined for a
complete picture of network activity.</p>
<a name="COMMAND−LINE OPTIONS"></a>
<h2>COMMAND−LINE OPTIONS</h2>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>@filename</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>The text of <b>filename</b> is copied - ignoring line
breaks and comment lines (anything following a #) - into the
command line. <b>ntop</b> behaves as if all of the text had
simply been typed directly on the command line. For example,
if the command line is "-t 3 @d -u ntop" and file
d contains just the line '-d', then the
effective command line is -t 3 -d -u ntop. Multiple @s are
permitted. Nested @s (an @ inside the file) are not
<p>Remember, most <b>ntop</b> options are
"sticky", that is, they just set an internal flag.
Invoking them multiple times doesn't change
<b>ntop's</b> behavior. However, options that set a
value, such as --trace-level, will use the LAST value given:
--trace-level 2 --trace-level 3 will run as --trace-level
<p>Beginning with 3.1, many command-line options may also be
set via the web browser interface. These changes take effect
on the next run of <b>ntop</b> and on each subsequent run until
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-a | --access-log-file</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default <b>ntop</b> does not maintain a log of HTTP
requests to the internal web server. Use this parameter to
request logging and to specify the location of the file
where these HTTP requests are logged.</p>
<p>Each log entry is in Apache-like style. The only
difference between Apache and <b>ntop</b> logs is that an
additional column has been added which has the time (in
milliseconds) that <b>ntop</b> needed to serve the request.
Log entries look like this:</p>
<pre>192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
</pre>
<p>This parameter is the complete file name of the access
log. In prior releases it was erroneously called
--access-log-path.</p>
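<p>Added example (not part of ntop or of the original page): a
Python parser for the access-log layout shown in the excerpt above,
including the extra "-" field before the request, the "n/m" form of
the size column and the trailing milliseconds column. The page does
not say what the two numbers in a size such as 154/617 mean, so both
are kept uninterpreted; the function names and the last two sample
lines are assumptions constructed for the example.</p>

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional, Tuple

# Three lines from the excerpt above, then two CONSTRUCTED lines: one whose
# request string contains quotes and digits, and one that is truncated.
SAMPLE_LOG = (
    '192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4\n'
    '192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9\n'
    '192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10\n'
    '10.0.0.5 - - [04/Sep/2003:20:39:01 -0500] - "GET /a" 200 1 1" HTTP/1.1" 404 0 2\n'
    'truncated line without the trailing columns\n'
)

# The request is matched greedily and the line is anchored on its numeric
# tail (status, size, milliseconds), so quotes or digits inside a
# client-supplied request cannot shift the columns that follow it.
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) '
    r'\[(?P<ts>[^\]]+)\] (?P<extra>\S+) '
    r'"(?P<request>.*)" (?P<status>\d{3}) '
    r'(?P<size>\d+(?:/\d+)?) (?P<ms>\d+)$'
)


class Entry(NamedTuple):
    client: str
    user: str
    when: datetime
    method: Optional[str]
    path: str
    protocol: Optional[str]
    status: int
    size: Tuple[int, Optional[int]]   # (n, None) or (n, m) for "n/m"
    elapsed_ms: int                   # the column ntop adds to the Apache layout


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry, or None when the line does not fit the layout."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    try:
        when = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    parts = m["request"].split(" ")
    if len(parts) >= 3 and parts[-1].startswith("HTTP/"):
        method, path, proto = parts[0], " ".join(parts[1:-1]), parts[-1]
    else:
        method, path, proto = None, m["request"], None
    first, _, second = m["size"].partition("/")
    size = (int(first), int(second) if second else None)
    return Entry(m["client"], m["user"], when, method, path, proto,
                 int(m["status"]), size, int(m["ms"]))


def parse_log(text: str) -> Tuple[List[Entry], List[str]]:
    """Parse a whole log; unparsable lines are returned, not dropped."""
    entries, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = parse_line(line)
        if entry is None:
            rejected.append(line)
        else:
            entries.append(entry)
    return entries, rejected


def slow_requests(entries: List[Entry], threshold_ms: int) -> List[Entry]:
    """Entries that took at least threshold_ms (assumed threshold) to serve."""
    return [e for e in entries if e.elapsed_ms >= threshold_ms]


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for e in parsed:
        print(e.when.isoformat(), e.client, e.status, e.path, e.size, e.elapsed_ms)
    print("rejected:", bad)
```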
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-b | --disable-decoders</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter disables protocol decoders.</p>
<p>Protocol decoders examine and collect information about
layer 2 protocols such as NetBIOS or Netware SAP, as well as
about specific tcp/ip (layer 3) protocols, such as DNS, http
<p>This support is specifically coded for each protocol and
is different from the capability to count raw information
(packets and bytes) by protocol specified by the -p |
--protocols parameter, below.</p>
<p>Decoding protocols is a significant consumer of
resources. If the <b>ntop</b> host is underpowered or
monitoring a very busy network, you may wish to disable
protocol decoding via this parameter. It may also be
appropriate to use this parameter if you believe that
<b>ntop</b> has problems handling some protocols that occur
<p>Even if decoding is disabled, ftp-data traffic is still
decoded to look for passive ftp port commands.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-c | --sticky-hosts</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use this parameter to prevent idle hosts from being
purged from memory.</p>
<p>By default idle hosts are periodically purged from
memory. An idle host is identified when no packets from or
to that host have been monitored for the period of time
defined by the value of PARM_HOST_PURGE_MINIMUM_IDLE in
globals-defines.h.</p>
<p>If you use this option, all hosts - active and idle - are
retained in memory for the duration of the <b>ntop</b>
<p>P2P users, port scans, popular web servers and other
activity will cause <b>ntop</b> to record data about a large
number of hosts. On an active network, this will consume a
significant - and always growing - amount of memory. It is
strongly recommended that you use a filtering expression to
limit the hosts which are stored if you use
<p>The idle purge is a statistical one - a random selection
of the eligible hosts will be purged during each cycle. Thus
it is possible on a busy system for an idle host to remain
in the <b>ntop</b> tables and appear 'active'
for some considerable time after it is truly idle.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-d | --daemon</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter causes ntop to become a daemon, i.e. a
task which runs in the background without connection to a
specific terminal. To use <b>ntop</b> other than as a casual
monitoring tool, you probably will want to use this
<p><b>WARNING:</b> If you are running as a daemon, the
messages from <b>ntop</b> will be 'printed' on
to stdout and thus dropped. You probably don't want to
do this. So remember to also use the -L or --use-syslog
options to save the messages into the system log.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-e | --max-table-rows</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This defines the maximum number of lines that <b>ntop</b>
will display on each generated HTML page. If there are more
lines to be displayed than this setting permits, only part
of the data will be displayed. There will be page
forward/back arrows placed at the bottom of the page for
navigation between pages.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-f | --traffic-dump-file</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> captures traffic from network
interface cards (NICs) or from netFlow/sFlow probes.
However, <b>ntop</b> can also read data from a file -
typically a tcpdump capture or the output from one of the
<b>ntop</b> packet capture options.</p>
<p>If you specify -f, <b>ntop</b> will not capture any
traffic from NICs during or after the file has been read.
netFlow/sFlow capture - if enabled - would still be
<p>This option is mostly used for debug purposes.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-g | --track-local-hosts</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> tracks all hosts that it sees
from packets captured on the various NICs. Use this
parameter to tell <b>ntop</b> to capture data only about
local hosts. Local hosts are defined based on the addresses
of the NICs and those networks identified as local via the
-m | --local-subnets parameter.</p>
<p>This parameter is useful on large networks or those that
see many hosts (e.g. a border router or gateway), where
information about remote hosts is not desired/required to be
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-h | --help</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Print help information for <b>ntop,</b> including usage
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-i | --interface</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Specifies the network interface or interfaces to be used
by <b>ntop</b> for network monitoring.</p>
<p>If multiple interfaces are used (this feature is
available only if ntop is compiled with thread support)
their names must be separated with a comma. For instance -i
"eth0,lo".</p>
<p>If not specified, the default is the first Ethernet
device, e.g. eth0. The specific device that is
'first' is highly system dependent, especially
on systems where the device name reflects the driver name
instead of the type of interface.</p>
<p>By default, traffic information obtained by all the
interfaces is merged together as if the traffic was seen by
only one interface. Use the -M parameter to keep traffic
separate by interface.</p>
<p>If you do not want <b>ntop</b> to monitor any interfaces,
<p>Under Windows, the parameter value is either the number
of the interface or its name, e.g.
{6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run <b>ntop</b> -h
to see a list of interface name-number mappings (at the end
of the help information).</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-j | --create-other-packets</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter causes <b>ntop</b> to create a dump file
of the 'other' network traffic captured. One
file is created for each network interface, named
&lt;path&gt;/ntop-other-pkts.&lt;device&gt;.pcap, where
&lt;path&gt; is defined by the -O | --output-packet-path
parameter. This file is useful for understanding these
unclassified packets.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-l | --pcap-log</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter causes a dump file to be created of the
network traffic captured by <b>ntop</b> in tcpdump (pcap)
format. This file is useful for debug, and may be read back
into <b>ntop</b> by the -f | --traffic-dump-file parameter.
The dump is made after processing any filter expression
(<b>ntop</b> never even sees filtered packets).</p>
<p>The output file will be named
<i>&lt;path&gt;/&lt;log&gt;.&lt;device&gt;.pcap</i>
(Windows: <i>&lt;path&gt;/&lt;log&gt;.pcap</i>), where
&lt;path&gt; is defined by the -O | --output-packet-path
parameter and &lt;log&gt; is defined by this -l | --pcap-log
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-m | --local-subnets</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> determines the ip addresses and netmasks for
each active interface. Any traffic on those networks is
considered local. This parameter allows the user to define
additional networks and subnetworks whose traffic is also
considered local in <b>ntop</b> reports. All other hosts are
considered remote.</p>
<p>Commas separate multiple network values. Both netmask and
CIDR notation may be used, even mixed together, for instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".</p>
<p>The local subnets - as defined by the interface
address(es) - are always local and do not need to be
specified. If you do give the same value as a NIC's
local address, a harmless warning message is issued.</p>
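<p>Added example (not ntop's own code): a Python model of the
local/remote rule described above, useful for checking a -m value
before deploying it. It accepts mixed CIDR and netmask notation,
reports entries that duplicate an interface network or cannot be
parsed, and classifies addresses; the function names, the interface
network and the test addresses are assumptions.</p>

```python
import ipaddress


def parse_local_subnets(spec, interface_networks=()):
    """Parse a -m style value into networks.

    interface_networks stands in for the address/netmask pairs that ntop
    reads from its active interfaces (assumed input here).
    Returns (local_networks, warnings).
    """
    # strict=False lets "192.168.1.10/24" (an interface address with its
    # mask) normalise to the network 192.168.1.0/24.
    iface = [ipaddress.ip_network(n, strict=False) for n in interface_networks]
    extra, warnings = [], []
    for item in (s.strip() for s in spec.split(",")):
        if not item:
            continue
        try:
            # ip_network accepts both "a.b.c.d/24" and "a.b.c.d/255.255.255.0".
            net = ipaddress.ip_network(item, strict=False)
        except ValueError as exc:
            warnings.append(f"ignored {item!r}: {exc}")
            continue
        if net in iface:
            # The page calls this case a harmless warning.
            warnings.append(f"{net} is already local (interface network)")
        elif net not in extra:
            extra.append(net)
    return iface + extra, warnings


def is_local(address, local_networks):
    """True when address falls inside any local network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in local_networks)


def track_local_hosts(addresses, local_networks):
    """Model of -g: keep only the hosts that are considered local."""
    return [a for a in addresses if is_local(a, local_networks)]


if __name__ == "__main__":
    nets, warns = parse_local_subnets(
        "131.114.21.0/24,10.0.0.0/255.0.0.0,192.168.1.0/24",
        interface_networks=["192.168.1.10/24"],   # assumed NIC address
    )
    print([str(n) for n in nets], warns)
    print(track_local_hosts(["10.200.3.4", "131.114.22.9", "192.168.1.77"], nets))
```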
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-n | --numeric-ip-addresses</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> resolves IP addresses using a
combination of active (explicit) DNS queries and passive
sniffing. Sniffing of DNS responses occurs when <b>ntop</b>
receives a network packet containing the response to some
other user's DNS query. <b>ntop</b> captures this
information and enters it into <b>ntop's</b> DNS
cache, in expectation of shortly seeing traffic addressed to
that host. This way <b>ntop</b> significantly reduces the
number of DNS queries it makes.</p>
<p>This parameter causes <b>ntop</b> to skip DNS resolution,
showing only numeric IP addresses instead of the symbolic
names. This option can be useful when the DNS is not present or
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-o | --no-mac</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> is a hybrid layer 2/3 network monitor. That
is, it uses both the lower level, physical device address -
the MAC (Media Access Control) address - and the higher
level, logical, tcp/ip address (the familiar www.ntop.org or
131.114.21.9 address). This allows <b>ntop</b> to link the
logical addresses to a physical machine with multiple
addresses (This occurs with virtual hosts or additional
addresses assigned to the interface, etc.) to present
consolidated reporting.</p>
<p>This parameter specifies that <b>ntop</b> should not
trust the MAC addresses but just use the IP addresses.</p>
<p>Normally, since the MAC address must be globally unique,
the dual nature of <b>ntop</b> is a benefit and provides far
better information about the network than is available via a
pure layer 2 or pure layer 3 monitor.</p>
<p>Under certain circumstances - whenever <b>ntop</b> is
started on an interface where MAC addresses cannot be really
trusted - you may require this option.</p>
<p>Situations which may require this option include
port/VLAN mirror, some cases with switches and spanning tree
protocol, and (reportedly) some specific models of Ethernet
switches which re-write MAC addresses of the packets they
process. Normally, you discover that this option is
necessary when you observe that hosts seem to change their
addresses or information about different machines get lumped
<p>Note that with this option, information which is
dependent upon the MAC addresses (non tcp/ip protocols like
IPX) will not be collected nor displayed.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-p | --protocols</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter is used to specify the TCP/UDP protocols
that <b>ntop</b> will monitor. The format is
&lt;label&gt;=&lt;protocol list&gt; [,
&lt;label&gt;=&lt;protocol list&gt;], where label is used to
symbolically identify the &lt;protocol list&gt;. The format
of &lt;protocol list&gt; is
&lt;protocol&gt;[|&lt;protocol&gt;], where &lt;protocol&gt;
is either a valid protocol specified inside the
/etc/services file or a numeric port range (e.g. 80, or
<p>A simple example is
--protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data",
which reduces the protocols displayed on the "IP"
<pre>Host                        Domain    Data          HTTP   FTP   Other IP
ns2.attbi.com               &lt;flag&gt;    954  63.9 %      0     0        954
64.124.83.112.akamai.com    &lt;flag&gt;    240  16.1 %    240     0          0
64.124.83.99.akamai.com     &lt;flag&gt;    240  16.1 %    240     0          0
toolbarqueries.google.com   &lt;flag&gt;     60   4.0 %     60     0          0
</pre>
<p>If the &lt;protocol list&gt; is very long you may store
it in a file (for instance protocol.list). To do so, specify
the file name instead of the &lt;protocol list&gt; on the
command line, e.g. <b>ntop -p protocol.list</b></p>
<p>If the -p parameter is omitted the following default
<pre>FTP=ftp|ftp-data
HTTP=http|www|https|3128       3128 is Squid, the HTTP cache
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
Peer-to-Peer Protocols
----------------------
Gnutella=6346|6347|6348
DirectConnect=0                Dummy port as this is a pure P2P protocol
Messenger=1863|5000|5001|5190-5193
</pre>
<p>NOTE: To resolve protocol names to port numbers, they
must be specified in the system file used to list tcp/udp
protocols and ports, which is typically /etc/services file.
You will have to match the names in that file, exactly.
Missing or unspecified (non-standard) ports must be
specified by number, such as 3128 in our examples above.</p>
<p>If you have a file named /etc/protocols, don't get
confused by it, as that's the Ethernet protocol
numbers, which are not what you're looking for.</p>
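<p>Added example (not ntop's own parser): a Python check of a
-p | --protocols value against a services file, following the
&lt;label&gt;=&lt;protocol list&gt; format above. It resolves
service names exactly as written, accepts single ports and ranges
such as 5190-5193, and reports names that are missing from the
services file so they can be replaced by port numbers. The services
excerpt is constructed, and the function names and the "Other IP"
fallback label (taken from the table header above) are
assumptions.</p>

```python
import re

SERVICES_EXCERPT = """\
# CONSTRUCTED excerpt in /etc/services layout: name port/proto [aliases]
ftp-data   20/tcp
ftp        21/tcp
http       80/tcp    www    # alias listed on the same line
https      443/tcp
"""


def load_services(text):
    """Map every service name and alias to its port number."""
    services = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port_text = fields[1].split("/", 1)[0]
        if not port_text.isdigit():
            continue
        for name in [fields[0]] + fields[2:]:
            services.setdefault(name, int(port_text))
    return services


def parse_protocols(spec, services):
    """Return ({label: [(low, high), ...]}, [problem, ...])."""
    table, problems = {}, []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        label, sep, plist = entry.partition("=")
        label = label.strip()
        if not sep or not label or not plist.strip():
            problems.append(f"malformed entry {entry!r}")
            continue
        ranges = table.setdefault(label, [])
        for proto in (p.strip() for p in plist.split("|")):
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", proto)
            if m:
                low = int(m.group(1))
                high = int(m.group(2)) if m.group(2) else low
                if low > high or high > 65535:
                    problems.append(f"{label}: bad port range {proto!r}")
                    continue
                item = (low, high)
            elif proto in services:          # exact match, as the NOTE requires
                item = (services[proto], services[proto])
            else:
                problems.append(
                    f"{label}: {proto!r} not in services file; use the port number")
                continue
            if item not in ranges:
                ranges.append(item)
    return table, problems


def label_for_port(port, table, default="Other IP"):
    """First label whose port list covers port, else the fallback label."""
    for label, ranges in table.items():
        if any(low <= port <= high for low, high in ranges):
            return label
    return default


if __name__ == "__main__":
    svc = load_services(SERVICES_EXCERPT)
    table, problems = parse_protocols(
        "HTTP=http|www|https|3128,FTP=ftp|ftp-data,Mail=smtp", svc)
    print(table)
    print(problems)
    print([label_for_port(p, table) for p in (80, 3128, 20, 25)])
```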
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-q | --create-suspicious-packets</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter tells <b>ntop</b> to create a dump file of
suspicious packets.</p>
<p>There are many, many, things that cause a packet to be
labeled as 'suspicious', including:</p>
<pre>Detected ICMP fragment
Detected Land Attack against host
Detected overlapping/tiny packet fragment
Detected traffic on a diagnostic port
Host performed ACK/FIN/NULL scan
Host rejected TCP session
HTTP/FTP/SMTP/SSH detected at wrong port
Malformed TCP/UDP/ICMP packet (packet too short)
Received a ICMP protocol Unreachable from host
Sent ICMP Administratively Prohibited packet to host
Smurf packet detected for host
TCP connection with no data exchanged
TCP session reset without completing 3-way handshake
Two MAC addresses found for the same IP address
UDP data to a closed port
Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
</pre>
<p>When this parameter is used, one file is created for each
network interface where suspicious packets are found. The
file is in tcpdump (pcap) format and is named
&lt;path&gt;/ntop-suspicious-pkts.&lt;device&gt;.pcap, where
&lt;path&gt; is defined by the -O | --output-packet-path
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-r | --refresh-time</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Specifies the delay (in seconds) between automatic screen
updates for those generated HTML pages which support them.
This parameter allows you to leave your browser window open
and have it always displaying nearly real-time data from
<p>The default is 3 seconds. Please note that if the delay
is very short (1 second for instance), <b>ntop</b> might not
be able to process all of the network traffic.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-s | --no-promiscuous</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use this parameter to prevent <b>ntop</b> from setting the
interface(s) into promiscuous mode.</p>
<p>An interface in promiscuous mode will accept ALL Ethernet
frames, regardless of whether they are directed (addressed) to
the specific network interface (NIC) or not. This is an
essential part of enabling <b>ntop</b> to monitor an entire
network. (Without promiscuous mode, <b>ntop</b> will only
see traffic directed to the specific host it is running on,
plus broadcast traffic such as the arp and dhcp
<p>Even if you use this parameter, the interface could well
be in promiscuous mode if another application enabled
<p><b>ntop</b> passes this setting on to libpcap, the packet
capture library. On many systems, a non-promiscuous open of
the network interface will fail, since the libpcap function
on most systems requires it to capture raw packets
(<b>ntop</b> captures raw packets so that we may view and
analyze the layer 2 - MAC - information).</p>
<p>Thus on most systems, <b>ntop</b> must probably still be
started as root, and this option is largely ornamental. If
it fails, you will see a ***FATALERROR*** message referring
to pcap_open_live() and then an information message,
"Sorry, but on this system, even with -s, it appears
that ntop must be started as root".</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-t | --trace-level</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter specifies the 'information'
level of messages that you wish <b>ntop</b> to display (on
stdout or to the log). The higher the trace level number the
more information that is displayed. The trace level ranges
between 0 (no trace) and 5 (full debug tracings).</p>
<p>The default trace value is 3.</p>
<p>Trace level 0 is not quite zero messages. Fatal errors
and certain startup/shutdown messages are always displayed.
Trace level 1 is used to display errors only, level 2 for
both errors and warnings, and level 3 displays error,
warning and informational messages.</p>
<p>Trace level 4 is called 'noisy' and it is -
generating many messages about the internal functioning of
<b>ntop.</b> Trace level 5 and above are 'noisy'
plus extra logs, i.e. all possible messages, with a
file:line tag prepended to every message.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-u | --user</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Specifies the user <b>ntop</b> should run as after it
<p><b>ntop</b> must normally be started as root so that it
has sufficient privileges to open the network interfaces in
promiscuous mode and to receive raw frames. See the
discussion of -s | --no-promiscuous above, if you wish to
try starting <b>ntop</b> as a non-root user.</p>
<p>Shortly after starting up, <b>ntop</b> becomes the user
you specify here, which normally has substantially reduced
privileges, such as no login shell. This is the userid which
owns <b>ntop's</b> database and output files.</p>
<p>The value specified may be either a username or a numeric
user id. The group id used will be the primary group of the
<p>If this parameter is not specified, ntop will try to
switch first to 'nobody' and then to
'anonymous' before giving up.</p>
<p>NOTE: This should not be root unless you really
understand the security risks. In order to prevent this by
accident, the only way to run <b>ntop</b> as root is to
explicitly specify -u root. <b>Don't do it.</b></p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-x</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-X</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> creates a new hash/list entry for each new
host/TCP session seen. In a Denial of Service (DoS) attack, an
attacker can easily exhaust all of the host's available memory
because ntop creates entries for dummy hosts. To avoid
this, you can set an upper limit on the memory ntop
can use.</p>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-w | --http-server</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-W | --https-server</b></p></td>
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> offers an embedded web server to present the
information that has been so painstakingly gathered. An
external HTTP server is NOT required NOR supported. The
<b>ntop</b> web server is embedded into the application.
These parameters specify the port (and optionally the
address (i.e. interface)) of the <b>ntop</b> web server.</p>
<p>For example, if started with -w 3000 (the default port),
the URL to access <b>ntop</b> is http://hostname:3000/. If
started with a full specification, e.g. -w 192.168.1.1:3000,
<b>ntop</b> listens on only that address/port
<p>If -w is set to 0 the web server will not listen for
http:// connections.</p>
<p>-W operates similarly, but controls the port for the
https:// connections.</p>
<p>Some examples:</p>
<p><b>ntop -w 3000 -W 0</b> (this is the default setting)
HTTP requests on port 3000 and no HTTPS.</p>
<p><b>ntop -w 80 -W 443</b> Both HTTP and HTTPS have been
enabled on their most common ports.</p>
<p><b>ntop -w 0 -W 443</b> HTTP disabled, HTTPS enabled on
<p>Certain sensitive configuration pages of the <b>ntop</b>
web server are protected by a userid/password. By default,
the user/URL administration, filter, shutdown and reset
stats pages are password protected and are accessible
initially only to user <b>admin</b> with a password set
during the first run of <b>ntop.</b></p>
<p>Users can modify/add/delete users/URLs using ntop itself
- see the Admin tab.</p>
<p>The passwords, userids and URLs to protect with passwords
are stored in a database file. Passwords are stored in an
encrypted form in the database for further security. Best
practices call for securing that database so that only the
<b>ntop</b> user can read it.</p>
<p>There is a discussion in docs/FAQ about further securing
the <b>ntop</b> environment.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-z | --disable-sessions</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter disables TCP session tracking. Use it for
better performance or when you don’t really need/care
to track sessions.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-A | --set-admin-password</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter is used to start <b>ntop</b>, set the
admin password and quit. It is quite useful for installers
that need to automatically set the password for the admin
<!-- INDENTATION -->
<p>-A and --set-admin-password (without a value) will prompt
the user for the password.</p>
<!-- INDENTATION -->
<p>You may also use this parameter to set a specific value
using --set-admin-password=value. <b>The = is REQUIRED and
no spaces are permitted!</b></p>
<!-- INDENTATION -->
<p>If you attempt to run <b>ntop</b> as a daemon without
setting a password, a FATAL ERROR message is generated and
<b>ntop</b> stops.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-B | --filter-expression</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Filters allow the user to restrict the traffic seen by
<b>ntop</b> on just about any imaginable item.</p>
<!-- INDENTATION -->
<p>The filter expression is set at run time by this
parameter, but it may be changed during the <b>ntop</b> run
on the Admin | Change Filter web page.</p>
<!-- INDENTATION -->
<p>The basic format is <b>-B "filter"</b>, where the quotes
are <b>REQUIRED</b></p>
<!-- INDENTATION -->
<p>The syntax of the filter expression uses the same BPF
(Berkeley Packet Filter) expressions used by other packages
<!-- INDENTATION -->
<p>For instance, suppose you are interested only in the
traffic generated/received by the host jake.unipi.it.
<b>ntop</b> can then be started with the following
<!-- INDENTATION -->
<p><b>ntop -B "src host jake.unipi.it or dst host
jake.unipi.it"</b></p>
<!-- INDENTATION -->
<p>or in shorthand:</p>
<!-- INDENTATION -->
<p><b>ntop -B "host jake.unipi.it"</b></p>
<!-- INDENTATION -->
<p>See the ’expression’ section of the
<b>tcpdump</b> man page - usually available at
http://www.tcpdump.org/tcpdump_man.html - for further
information and the best quick guide to BPF filters
currently available.</p>
<!-- INDENTATION -->
<p>WARNING: If you are using complex filter expressions,
especially those with =s or meaningful spaces in them, be
sure to use the long option format,
--filter-expression="xxxx" and not -B
"xxxx".</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-C |</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This sets ntop to run in one of two configurations:
host and network mode. In host mode (default) ntop works as
usual: the IP addresses received are those of real hosts. In
network mode the IP addresses received are those of the
C-class network to which the address belongs. Using ntop in
network mode is extremely useful when installed in a traffic
exchange (e.g. in the middle of the Internet) whereas the
host mode should be used when ntop is installed on the edge
of a network (e.g. inside a company). The network mode
significantly reduces the amount of work ntop has to perform
and it has to be used whenever ntop is used to find out how
the network traffic flows and not to pin-point specific
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-D | --domain</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This identifies the local domain suffix, e.g. ntop.org.
It may be necessary, if <b>ntop</b> is having difficulty
determining it from the interface.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-F | --flow-spec</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>It is used to specify network flows similar to more
powerful applications such as NeTraMet. A flow is a stream
of captured packets that match a specified rule. The format
<!-- INDENTATION -->
<p><b>&lt;flow-label&gt;='&lt;matching
expression&gt;'[,&lt;flow-label&gt;='&lt;matching
expression&gt;']</b></p>
<!-- INDENTATION -->
<p>, where the label is used to symbolically identify the
flow specified by the expression. The expression is a BPF
(Berkeley Packet Filter) expression. If an expression is
specified, then the information concerning flows can be
accessed following the HTML link named ’List
NetFlows’.</p>
<!-- INDENTATION -->
<p>For instance, define two flows with the following
expression <b>"LucaHosts='host jake.unipi.it or host
pisanino.unipi.it',GatewayRoutedPkts='gateway
gateway.unipi.it'"</b>.</p>
<!-- INDENTATION -->
<p>All the traffic sent/received by hosts jake.unipi.it or
pisanino.unipi.it is collected by <b>ntop</b> and added to
the LucaHosts flow, whereas all the packets routed by the
gateway gateway.unipi.it are added to the GatewayRoutedPkts
flow. If the flows list is very long you may store it in a
file (for instance flows.list) and specify the file name
instead of the actual flows list (in the above example, this
would be ’ntop -F flows.list’).</p>
<!-- INDENTATION -->
<p>Note that the double quotations around the entire flow
expression are required.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-K | --enable-debug</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use this parameter to simplify application debugging. It
does three things: 1. Does not fork() on the "read
only" html pages. 2. Displays mutex values on the
configuration (info.html) page. 3. (If available -
glibc/gcc) Activates an automated backtrace on application
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-L | --use-syslog=facility</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use this parameter to send log messages to the system log
instead of stdout.</p>
<!-- INDENTATION -->
<p>-L and the simple form --use-syslog use the default log
facility, defined as LOG_DAEMON in the #define symbol
DEFAULT_SYSLOG_FACILITY in globals-defines.h.</p>
<!-- INDENTATION -->
<p>The complex form, --use-syslog=facility will set the log
facility to whatever value (e.g. local3, security) you
specify. <b>The = is REQUIRED and no spaces are
<!-- INDENTATION -->
<p>This setting applies both to <b>ntop</b> and to any child
fork()ed for reporting. If this parameter is not specified,
any fork()ed child will use the default value and will log
its messages to the system log (this occurs because
the fork()ed child must give up its access to the
parent’s stdout).</p>
<!-- INDENTATION -->
<p>Because various systems do not make the permissible names
available, we have a table at the end of globals-core.c.
Look for myFacilityNames.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-M | --no-interface-merge</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> merges the data collected from
all of the interfaces (NICs) it is monitoring into a single
set of counters.</p>
<!-- INDENTATION -->
<p>If you have a simple network, say a small LAN with a
connection to the internet, merging data is good as it gives
you a better picture of the whole network. For larger, more
complex networks, this may not be desirable. You may also
have other reasons for wishing to monitor each interface
separately, for example DMZ vs. LAN traffic.</p>
<!-- INDENTATION -->
<p>This option instructs <b>ntop</b> not to merge network
interfaces together. This means that <b>ntop</b> will
collect statistics for each interface and report them
<!-- INDENTATION -->
<p>Only ONE interface may be reported on at a time - use the
<b>Admin | Switch NIC</b> option on the web server to select
which interface to report upon.</p>
<!-- INDENTATION -->
<p>Note that activating the netFlow and/or sFlow
plugins will force the setting of -M. Once enabled, you
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-N | --wwn-map</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This option names the file providing the map of WWN to
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-O | --output-packet-path</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>This parameter defines the base path for the
ntop-suspicious-pkts.XXX.pcap and normal packet dump
<!-- INDENTATION -->
<p>If this parameter is not specified, the default value is
the config.h parameter CFG_DBFILE_DIR, which is set during
./configure from the --localstatedir= parameter. If
--localstatedir is not specified, it defaults to the
--prefix value plus /var (e.g. /usr/local/var).</p>
<!-- INDENTATION -->
<p>Be aware that this may not be what you expect when
running <b>ntop</b> as a daemon or Windows service. Setting
an explicit and absolute path value is <b>STRONGLY</b>
recommended if you use this facility.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-P | --db-file-path</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-Q | --spool-file-path</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>These parameters specify where <b>ntop</b> stores
<!-- INDENTATION -->
<p>There are two types, ’temporary’ - that is
ones which need not be retained from <b>ntop</b> run to
<b>ntop</b> run, and ’permanent’, which must be
retained (or recreated).</p>
<!-- INDENTATION -->
<p>The ’permanent’ databases are the
preferences, "prefsCache.db" and the password
file, "ntop_pw.db". These are stored in the -P |
--db-file-path specified location.</p>
<!-- INDENTATION -->
<p>Certain plugins use the -P | --db-file-path specified
location for their database ("LsWatch.db") or (as
a default value) for files (.../rrd/...).</p>
<!-- INDENTATION -->
<p>The ’temporary’ databases are the address
queue, "addressQueue.db", the cached DNS
resolutions, "dnsCache.db" and the MAC prefix
(vendor table), "macPrefix.db".</p>
<!-- INDENTATION -->
<p>If only -P | --db-file-path is specified, it is used for
both types of databases.</p>
<!-- INDENTATION -->
<p>The directories named must allow read/write and file
creation by the <b>ntop</b> user. For security, nobody else
should have even read access to these files.</p>
<!-- INDENTATION -->
<p>Note that the default value is the config.h parameter
CFG_DBFILE_DIR. This is set during ./configure from the
--localstatedir= parameter. If --localstatedir is not
specified, it defaults to the --prefix value plus /var (e.g.
/usr/local/var).</p>
<!-- INDENTATION -->
<p>This may not be what you expect when running <b>ntop</b>
as a daemon or Windows service.</p>
<!-- INDENTATION -->
<p>Note that on versions of <b>ntop</b> prior to 2.3, these
parameters defaulted to "." (the current working
directory, e.g. the value returned by the pwd command) and
caused havoc as it was different when <b>ntop</b> was run
from the command line, vs. run via cron, vs. run from an
initialization script.</p>
<!-- INDENTATION -->
<p>Setting an explicit and absolute path value is
<b>STRONGLY</b> recommended.</p>
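<p>Added example (not part of the ntop distribution or of the original man page): a shell function that audits a -P | --db-file-path or -Q | --spool-file-path directory against the rule above, which also covers the password database ntop_pw.db mentioned under -w. The function name and the path and user shown in the usage comment are assumptions.</p>

```shell
#!/bin/sh
# Added example, not ntop's own code. Audits a directory used for
# -P | --db-file-path or -Q | --spool-file-path.
# Usage (placeholder path and user): audit_ntop_dbdir /var/ntop ntop
# Returns 0 = clean, 1 = findings printed, 2 = arguments unusable.
audit_ntop_dbdir() {
    a_dir=$1
    a_user=$2      # the user given to -u (name or numeric id)
    a_bad=0

    # The man page strongly recommends an explicit, absolute path.
    case $a_dir in
        /*) ;;
        *) echo "ERROR: '$a_dir' is not an absolute path"; return 2 ;;
    esac
    if [ ! -d "$a_dir" ]; then
        echo "ERROR: '$a_dir' is not a directory"; return 2
    fi

    # 1. Everything must be owned by the ntop user. find fails on an
    #    unknown user name; treat that as an error, not as a clean result.
    a_out=$(find "$a_dir" ! -user "$a_user" -print 2>/dev/null) || {
        echo "ERROR: cannot check ownership for user '$a_user'"; return 2
    }
    if [ -n "$a_out" ]; then
        echo "Not owned by $a_user:"; echo "$a_out"; a_bad=1
    fi

    # 2. "Nobody else should have even read access": no group or other
    #    permission bit may be set. Symbolic links are skipped because
    #    their own mode bits are not enforced.
    a_out=$(find "$a_dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null) || {
        echo "ERROR: cannot read all of '$a_dir'"; return 2
    }
    if [ -n "$a_out" ]; then
        echo "Accessible to group or others:"; echo "$a_out"; a_bad=1
    fi

    # 3. The owner needs rwx on every directory to read, write and
    #    create files there.
    a_out=$(find "$a_dir" -type d ! -perm -700 -print 2>/dev/null) || {
        echo "ERROR: cannot read all of '$a_dir'"; return 2
    }
    if [ -n "$a_out" ]; then
        echo "Owner lacks rwx on directory:"; echo "$a_out"; a_bad=1
    fi

    return "$a_bad"
}
```

<p>Run it as root or as the ntop user, so that find can read the whole tree.</p>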
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-U | --mapper</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Specifies the URL of the mapper.pl utility.</p>
<!-- INDENTATION -->
<p>If provided, <b>ntop</b> creates a clickable hyperlink on
the ’Info about host xxxxxx’ page to this URL by
appending ?host=xxxxx. Any type of host lookup could be
performed, but this is intended to look up the geographical
location of the host.</p>
<!-- INDENTATION -->
<p>A cgi-based mapper interface to http://www.multimap.com
is part of the <b>ntop</b> distribution [see
www/Perl/mapper.pl].</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-V | --version</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Prints <b>ntop</b> version information and then
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-W | --https-server</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>(See the joint documentation with the -w parameter,
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--disable-instantsessionpurge</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> sets completed sessions as ’timed
out’ and then purges them almost instantly, which is
not the behavior you might expect from the discussions about
purge timeouts. This switch makes ntop respect the timeouts
for completed sessions. It is NOT the default because a busy
web server may have 100s or 1000s of completed sessions and
this would significantly increase the amount of memory
<b>ntop</b> uses.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--disable-mutexextrainfo</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> stores extra information about the locks and
unlocks of the protective mutexes it uses. Since <b>ntop</b>
uses fine-grained locking, this information is updated
frequently. On some OSes, the system calls used to collect
this information (getpid() and gettimeofday()) are expensive.
This option disables the extra information. It should have
no processing impact on <b>ntop</b> - however should
<b>ntop</b> actually deadlock, we would lose the information
that sometimes tells us why.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--disable-schedyield</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p><b>ntop</b> uses sched_yield() calls for better
interactive performance. Under some situations, primarily
under RedHat Linux 8.0, this can deadlock, causing the
<b>ntop</b> web server to stop responding, although
<b>ntop</b> appears to still be operational according to the
ps command. Use this switch to disable these calls, IF you
are seeing deadlocks.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--disable-stopcap</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Return <b>ntop</b> to the old (v2.1) behavior on a memory
error. The default of stopcap enabled makes the web
interface available albeit with static content until
<b>ntop</b> is shut down.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--fc-only</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Display only Fibre Channel statistics.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--instance</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>You can run multiple instances of <b>ntop</b>
simultaneously by specifying different -P values (typically
through separate ntop.conf files). If you set a value for
this parameter (available only on the command line), you (1)
display the ’instance’ name on every web page
and (2) alter the log prefix from "NTOP" to your
<!-- INDENTATION -->
<p>If you want to make the tag more obvious, create a
.instance class in style.css, e.g.:</p>
<!-- INDENTATION -->
<p>.instance { color: #666666; font-size: 18pt; }</p>
<!-- INDENTATION -->
<p>Note (UNIX): To run completely different versions of the
<b>ntop</b> binary, you need to compile and install into a
different library (using ./configure --prefix) and then
specify the LD_LIBRARY_PATH before invoking, e.g.</p>
<!-- INDENTATION -->
<p>LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop
<!-- INDENTATION -->
<p>If present, a file of the form
&lt;instance&gt;_ntop_logo.gif will be used instead of the
normal ntop_logo.gif. This is tested for ONLY once, at the
beginning of the run. The EXACT word(s) of the --instance
flag are used, without testing if they make a proper file
name. If - for any reason - the file is not found, an
informational message is logged and the normal logo file is
used. To construct your own logo, make it a 300x40
transparent gif.</p>
<!-- INDENTATION -->
<p>NOTE: On the web pages, <b>ntop</b> uses the dladdr()
function. The original Solaris routine had a bug, replicated
in FreeBSD (and possibly other places) where it uses the
ARGV[0] value - which might be erroneous - instead of the
actual file name. If the ’running from’ value
looks bogus but the ’libraries in’ value looks
ok, go with the library.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--no-fc</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Disable processing &amp; Display of Fibre Channel</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--no-invalid-lun</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Don’t display Invalid LUN information.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--p3p-cp</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--p3p-uri</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ -
for specifying personal information a site collects and what
it does with the information. These parameters allow
<b>ntop</b> to return P3P information. We do not supply
samples.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--pcap_setnonblock</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>On some platforms, the <b>ntop</b> web server will hang
or appear to hang (it actually just responds incredibly
slowly to the first request from a browser session), while
the rest of <b>ntop</b> runs just fine. This is known to be
an issue under FreeBSD 4.x.</p>
<!-- INDENTATION -->
<p>This option sets the non-blocking option (assuming
it’s available in the version of libpcap that is
<!-- INDENTATION -->
<p>While this works around the problem (by turning an
interrupt-driven process into a poll), it also MAY
significantly increase the cpu usage of <b>ntop.</b>
Although it does not actually interfere with other work,
seeing <b>ntop</b> use 80-90% or more of the cpu is not
uncommon - don’t say we didn’t warn you.</p>
<!-- INDENTATION -->
<p><b>THIS OPTION IS OFFICIALLY UNSUPPORTED</b> and used at
your own risk. Read the docs/FAQ write-up.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--skip-version-check</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> accesses a remote file to
periodically check if the most current version is running.
This option disables that check. Please review the privacy
notice at the bottom of this page for more information. By
default, the recheck period is slightly more than 15 days.
This can be adjusted via a constant in globals-defines.h. If
the result of the initial check indicates that the
<b>ntop</b> version is a ’new development’
version (that is newer than the latest published development
version), the recheck is disabled. This is because which
fixes and enhancements were present/absent from the
<!-- INDENTATION -->
<p>NOTE: At present, the recheck does not work under
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--ssl-watchdog</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Enable a watchdog for webserver hangs. These usually
happen when connecting with older browsers. The user gets
nothing back and other users can’t connect.
Internally, packet processing continues but there is no way
to access the data through the web server or shut down ntop
cleanly. With the watchdog, a timeout occurs after 3
seconds, and processing continues with a log message.
Unfortunately, the user sees nothing - it just looks like a
failed connection. (Also available as a ./configure option,
--enable-sslwatchdog.)</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--w3c</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>By default, <b>ntop</b> generates displayable but not
great html. There are a number of tags we do not generate
because they cause problems with older browsers which are
still commonly used or are important to look good on
real-world browsers. This flag tells <b>ntop</b> to generate
’BETTER’ (but not perfect) w3c compliant html
4.01 output. This in no way addresses all of the
compatibility and markup issues. Over time, we would like to
make <b>ntop</b> more compatible, but it will never be 100%.
If you find any issues, please report them to ntop-dev.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-4 | --ipv4</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use IPv4 connections.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>-6 | --ipv6</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Use IPv6 connections.</p>
<a name="WEB VIEWS"></a>
<h2>WEB VIEWS</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>While <b>ntop</b> is running, multiple users can access
the traffic information using their web browsers.
<b>ntop</b> does not generate ’fancy’ or
’complex’ html, although it does use frames,
shallowly nested tables and makes some use of JavaScript and
Cascading Style Sheets.</p>
<!-- INDENTATION -->
<p>Beginning with release 3.1, the menus are cascading
dropdowns via JSCookMenu. With release 3.2, this extends to
<!-- INDENTATION -->
<p>We do not expect problems with any current web browser,
but our ability to test with less common ones is very
limited. Testing has included Firefox and Internet Explorer,
with very limited testing on other current common browsers
<!-- INDENTATION -->
<p>In documentation and this man page, when we refer to a
page such as Admin | Switch NIC, we mean the broad category
"Admin" and the detailed item "Switch
NIC" on that Admin menu.</p>
<a name="NOTES"></a>
<h2>NOTES</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>ntop</b> requires a number of external tools and
libraries to operate. Certain other tools are optional, but
add to the program’s capabilities.</p>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>--webserver-queue</b></p></td>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="13%"></td>
<p>Specifies the maximum number of web server requests for
the tcp/ip stack to retain in its queue awaiting
delivery to the <b>ntop</b> web server. Requests in excess
of this queue may be dropped (allowing for retransmission)
or rejected at the tcp/ip stack level, depending upon the
OS. Whatever happens, happens at the OS level, without any
information being delivered to <b>ntop</b>.</p>
<!-- INDENTATION -->
<p>Required libraries include:</p>
<!-- INDENTATION -->
<p><b>libpcap</b> from http://www.tcpdump.org/, version
0.7.2 or newer. 0.8.3 or newer is strongly recommended.</p>
<!-- INDENTATION -->
<p>The Windows version makes use of <b>WinPcap</b> (libpcap
for Windows) which may be downloaded from
http://winpcap.polito.it/install/default.htm.</p>
<!-- INDENTATION -->
<p>WARNING: The 2.x releases of <b>WinPcap</b> will NOT
support SMP machines.</p>
<!-- INDENTATION -->
http://www.gnu.org/software/gdbm/gdbm.html</p>
<!-- INDENTATION -->
<p><b>ntop</b> requires a POSIX threads library. As of
<b>ntop</b> 3.2, the single-threaded version of <b>ntop</b>
is no longer available.</p>
<!-- INDENTATION -->
<p>The <b>gd</b> 2.x library, for the creation of png files,
available at http://www.boutell.com/gd/.</p>
<!-- INDENTATION -->
<p>The <b>libpng</b> 1.2.x library, for the creation of png
http://www.libpng.org/pub/png/libpng.html.</p>
<!-- INDENTATION -->
<p><b>ntop</b> should support both gd 1.X and libpng 1.0.x
libraries but this has not been tested. Note that there are
incompatibilities if you compile with one version of these
libraries and then run with the other. Please read the
discussion in docs/FAQ before reporting ANY problems of this
<!-- INDENTATION -->
<p>(if an https:// server is desired) <b>openSSL</b> from
the OpenSSL project available at http://www.openssl.org.</p>
<!-- INDENTATION -->
<p>The <b>rrdtool</b> library is required by the rrd plugin.
rrdtool creates ’Round-Robin databases’ which
are used to store and graph historical data in a format that
permits long duration retention without growing larger over
time. The rrdtool home page is
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/</p>
<!-- INDENTATION -->
<p><b>ntop</b> includes a limited version of rrdtool 1.0.49
in the myrrd/ directory. Users of <b>ntop</b> 3.2 should not
need to specifically install rrdtool.</p>
<!-- INDENTATION -->
<p>The <b>sflow</b> Plugin is courtesy of and supported by
InMon Corporation, http://www.inmon.com/sflowTools.htm.</p>
<!-- INDENTATION -->
<p>There are other optional libraries. See the output of
./configure for a fuller listing.</p>
<!-- INDENTATION -->
<p>Tool locations are current as of August 2005 - please
send email to report new locations or dead links.</p>
<a name="SEE ALSO"></a>
<h2>SEE ALSO</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p><b>top</b>(1), <b>tcpdump</b>(8), <b>pcap</b>(3).</p>
<a name="PRIVACY NOTICE"></a>
<h2>PRIVACY NOTICE</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>By default at startup and at periodic intervals, the
<b>ntop</b> program will retrieve a file containing current
ntop program version information. Retrieving this file
allows this <b>ntop</b> instance to confirm that it is
running the most current version.</p>
<!-- INDENTATION -->
<p>The retrieval is done using standard http:// requests,
which will create log records on the hosting system. These
log records do contain information which identifies a
specific <b>ntop</b> site. Accordingly, you are being
notified that this individually identifiable information is
being transmitted and recorded.</p>
<!-- INDENTATION -->
<p>You may request - via the <b>--skip-version-check</b>
run-time option - that this check be eliminated. If you use
this option, no individually identifiable information is
transmitted or recorded, because the entire retrieval and
check is skipped.</p>
<!-- INDENTATION -->
<p>We ask you to allow this retrieval and check, because it
benefits both you and the <b>ntop</b> developers. It
benefits you because you will be automatically notified if
the <b>ntop</b> program version is obsolete, becomes
unsupported or is no longer current. It benefits the
developers of <b>ntop</b> because it allows us to determine
the number of active <b>ntop</b> instances, and the
operating system/versions that users are running <b>ntop</b>
under. This allows us to focus development resources on
systems like those our users are using <b>ntop</b> on.</p>
<!-- INDENTATION -->
<p>The individually identifiable information is contained in
the web server log records which are automatically created
each time the version file is retrieved. This is a function
of the web server and not of <b>ntop</b>, but we do take
advantage of it. The log record shows the IP address of the
requestor (the <b>ntop</b> instance) and a User-Agent header
field. We place information in the User-Agent header as
<!-- INDENTATION -->
<p>ntop/&lt;version&gt; host/&lt;name from config.guess&gt;
distro/&lt;if one&gt; release/&lt;of the distro, also if
one&gt; kernrlse/&lt;kernel version or release&gt;
GCC/&lt;version&gt; config() &lt;condensed parameters from
./configure&gt; run() &lt;condensed flags - no data - from
the execution line&gt; libpcap/&lt;version&gt;
gdbm/&lt;version&gt; openssl/&lt;version&gt;
zlib/&lt;version&gt; access/&lt;http, https, both or
none&gt; interfaces() &lt;given interface names&gt;</p>
<!-- INDENTATION -->
<!-- INDENTATION -->
<p>ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat
release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n) run(i;
u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;
usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
access/http interfaces(eth0,eth1)</p>
<!-- INDENTATION -->
<p>Distro and release information is determined at compile
time and consists of information typically found in the
/etc/release (or similar) file. See the <b>ntop</b> tool
linuxrelease for how this is determined.</p>
<!-- INDENTATION -->
<p>gcc compiler version (if available) is the internal
version #s for the gcc compiler, e.g. 3.2.3.</p>
<!-- INDENTATION -->
<p>kernrlse is the Linux Kernel version or the xBSD
’release’ such as 4.9-RELEASE and is determined
from the uname data (if it’s available).</p>
<!-- INDENTATION -->
<p>The ./configure parameters are stripped of directory
paths, leading -s, etc. to create a short form that shows us
what ./configure parameters people are using.</p>
<!-- INDENTATION -->
<p>Similarly, the run time parameters are stripped of data
and paths, just showing which flags are being used.</p>
<!-- INDENTATION -->
<p>The libpcap, gdbm, openssl and zlib versions come from
the strings returned by the various inquiry functions (if
they’re available).</p>
<!-- INDENTATION -->
<p>Here’s a sample log record:</p>
<!-- INDENTATION -->
<p>67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET
/version.xml HTTP/1.0" 200 1568 www.burtonstrauss.com
"-" "ntop/2.2.98 host/i686-pc-linux-gnu
distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2
config(i18n) run(i; u; P; w; t; logextra; m;
instantsessionpurge; schedyield; d; usesyslog=) libpcap/0.8
gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 access/http
interfaces(eth0,eth1,eth2)" "-"</p>
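<p>The User-Agent layout and sample log record above, parsed in an added
Python example (not part of ntop or of this man page) so an operator can see
exactly which build and host details one version check discloses. The function
names and the VERSION_KEYS selection are assumptions of this example.</p>

```python
import re

# Sample log record copied from the man page above, joined onto one line.
SAMPLE_LOG = (
    '67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml HTTP/1.0" '
    '200 1568 www.burtonstrauss.com "-" "ntop/2.2.98 host/i686-pc-linux-gnu '
    'distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n) '
    'run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d; usesyslog=) '
    'libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 access/http '
    'interfaces(eth0,eth1,eth2)" "-"'
)

QUOTED = re.compile(r'"([^"]*)"')
# A field is either name/value (no spaces) or name(list without nested parens).
FIELD = re.compile(r'(\w+)(?:/(\S+)|\(([^)]*)\))')
# Fields carrying software versions (this selection is the example's own choice).
VERSION_KEYS = ("ntop", "kernrlse", "GCC", "libpcap", "gdbm", "openssl", "zlib")


def find_ntop_user_agent(log_line):
    """Return the quoted log field that starts with 'ntop/', or None."""
    for field in QUOTED.findall(log_line):
        if field.startswith("ntop/"):
            return field
    return None


def parse_user_agent(ua):
    """Map each field name to its value, or to a list for name(...) fields."""
    info = {}
    for match in FIELD.finditer(ua):
        name, value, items = match.groups()
        if items is not None:
            # run() separates flags with ';', interfaces() with ','.
            info[name] = [i.strip() for i in re.split(r"[;,]", items) if i.strip()]
        else:
            info[name] = value
    return info


def disclosed_versions(log_line):
    """Return the software versions one version-check request reveals."""
    ua = find_ntop_user_agent(log_line)
    if ua is None:
        return {}
    info = parse_user_agent(ua)
    return {key: info[key] for key in VERSION_KEYS if key in info}
```

<p>Running the same functions over an outbound proxy log shows which hosts
still send the check and what each one reveals; hosts started with
<b>--skip-version-check</b> produce no such record.</p>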
<a name="USER SUPPORT"></a>
<h2>USER SUPPORT</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>Please send bug reports to the ntop-dev
&lt;ntop-dev@ntop.org&gt; mailing list. The ntop
&lt;ntop@ntop.org&gt; mailing list is used for discussing
ntop usage issues. In order to post messages on the lists a
(free) subscription is required to limit/avoid spam. Please
do NOT contact the author directly unless this is a personal
<!-- INDENTATION -->
<p>Commercial support is available upon request. Please see
the ntop site for further info.</p>
<!-- INDENTATION -->
<p>Please send code patches to &lt;patch@ntop.org&gt;.</p>
<a name="AUTHOR"></a>
<h2>AUTHOR</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>ntop’s author is Luca Deri (http://luca.ntop.org/)
who can be reached at &lt;deri@ntop.org&gt;.</p>
<a name="LICENCE"></a>
<h2>LICENCE</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>ntop is distributed under the GNU GPL licence
(http://www.gnu.org/).</p>
<a name="ACKNOWLEDGMENTS"></a>
<h2>ACKNOWLEDGMENTS</h2>
<!-- INDENTATION -->
<table width="100%" border=0 rules="none" frame="void"
cols="2" cellspacing="0" cellpadding="0">
<tr valign="top" align="left">
<td width="10%"></td>
<p>The author acknowledges the Centro Serra of the
University of Pisa, Italy (http://www-serra.unipi.it/) for
hosting the ntop sites (both web and mailing lists), and
Burton Strauss &lt;burton@ntopsupport.com&gt; for his help
and user assistance. Many thanks to Stefano Suin
&lt;stefano@ntop.org&gt; and Rocco Carbone
&lt;rocco@ntop.org&gt; for contributing to the project.</p>