~ubuntu-branches/ubuntu/trusty/ntop/trusty

Viewing changes to ntop.html

Committer: Bazaar Package Importer
Author(s): Ola Lundqvist
Date: 2008-06-15 14:38:28 UTC
mfrom: (2.1.11 intrepid)
Revision ID: james.westby@ubuntu.com-20080615143828-oalh84nda2hje4do

Tags: 3:3.3-11

http://bugs.debian.org/479490

Correction of Polish translation encoding, closes: #479490. Thanks
to Christian Perrier <bubulle@debian.org> for the help.

files added:
acinclude.m4.in

autogen.sh

compile

configureextra/SOLARIS10

database.c

debian/compat

debian/patches/ntop.8.v1.diff

debian/po/cs.po

debian/po/eu.po

debian/po/fi.po

debian/po/gl.po

debian/po/ja.po

debian/po/pt.po

debian/ru.po

html/MochiKit

html/MochiKit/Async.js

html/MochiKit/Base.js

html/MochiKit/Color.js

html/MochiKit/DOM.js

html/MochiKit/DateTime.js

html/MochiKit/Format.js

html/MochiKit/Iter.js

html/MochiKit/Logging.js

html/MochiKit/LoggingPane.js

html/MochiKit/MochiKit.js

html/MochiKit/MockDOM.js

html/MochiKit/Signal.js

html/MochiKit/Test.js

html/MochiKit/Visual.js

html/MochiKit/__package__.js

html/PlotKit

html/PlotKit/Base.js

html/PlotKit/Canvas.js

html/PlotKit/EasyPlot.js

html/PlotKit/Layout.js

html/PlotKit/PlotKit.js

html/PlotKit/PlotKit_Packed.js

html/PlotKit/SVG.js

html/PlotKit/SweetCanvas.js

html/PlotKit/SweetSVG.js

html/PlotKit/dummy.svg

html/PlotKit/excanvas.js

html/autosuggest.css

html/autosuggest.js

html/calendar-setup.js

html/calendar.gif

html/calendar.js

html/domLib.js

html/domTT.js

html/edit.gif

html/external.png

html/graph_if.svg

html/graph_zoom.gif

html/img_inquisitor

html/img_inquisitor/as_pointer.gif

html/img_inquisitor/hl_corner_bl.gif

html/img_inquisitor/hl_corner_br.gif

html/img_inquisitor/hl_corner_tl.gif

html/img_inquisitor/hl_corner_tr.gif

html/img_inquisitor/ul_corner_bl.gif

html/img_inquisitor/ul_corner_br.gif

html/img_inquisitor/ul_corner_tl.gif

html/img_inquisitor/ul_corner_tr.gif

html/jscalendar

html/jscalendar/calendar-load.js

html/jscalendar/calendar-setup.js

html/jscalendar/calendar.js

html/jscalendar/lang

html/jscalendar/lang/calendar-en.js

html/marker.gif

html/marker.png

html/skype.gif

html/zoom.js

installer/MacOSX/ntop.package.pmproj

l7-patterns

l7-patterns/100bao.pat

l7-patterns/aim.pat

l7-patterns/aimwebcontent.pat

l7-patterns/applejuice.pat

l7-patterns/ares.pat

l7-patterns/battlefield1942.pat

l7-patterns/battlefield2.pat

l7-patterns/bgp.pat

l7-patterns/biff.pat

l7-patterns/bittorrent.pat

l7-patterns/ciscovpn.pat

l7-patterns/citrix.pat

l7-patterns/counterstrike-source.pat

l7-patterns/cvs.pat

l7-patterns/dayofdefeat-source.pat

l7-patterns/dhcp.pat

l7-patterns/directconnect.pat

l7-patterns/dns.pat

l7-patterns/doom3.pat

l7-patterns/edonkey.pat

l7-patterns/fasttrack.pat

l7-patterns/finger.pat

l7-patterns/freenet.pat

l7-patterns/ftp.pat

l7-patterns/gkrellm.pat

l7-patterns/gnucleuslan.pat

l7-patterns/gnutella.pat

l7-patterns/goboogy.pat

l7-patterns/gopher.pat

l7-patterns/h323.pat

l7-patterns/halflife2-deathmatch.pat

l7-patterns/hddtemp.pat

l7-patterns/hotline.pat

l7-patterns/http.pat

l7-patterns/ident.pat

l7-patterns/imap.pat

l7-patterns/ipp.pat

l7-patterns/irc.pat

l7-patterns/jabber.pat

l7-patterns/kugoo.pat

l7-patterns/live365.pat

l7-patterns/lpd.pat

l7-patterns/msn-filetransfer.pat

l7-patterns/msnmessenger.pat

l7-patterns/mute.pat

l7-patterns/napster.pat

l7-patterns/nbns.pat

l7-patterns/ncp.pat

l7-patterns/netbios.pat

l7-patterns/nntp.pat

l7-patterns/ntp.pat

l7-patterns/openft.pat

l7-patterns/poco.pat

l7-patterns/pop3.pat

l7-patterns/pressplay.pat

l7-patterns/qq.pat

l7-patterns/quake-halflife.pat

l7-patterns/quake1.pat

l7-patterns/rdp.pat

l7-patterns/rlogin.pat

l7-patterns/rtsp.pat

l7-patterns/shoutcast.pat

l7-patterns/sip.pat

l7-patterns/skypeout.pat

l7-patterns/skypetoskype.pat

l7-patterns/smb.pat

l7-patterns/smtp.pat

l7-patterns/snmp.pat

l7-patterns/socks.pat

l7-patterns/soribada.pat

l7-patterns/soulseek.pat

l7-patterns/ssdp.pat

l7-patterns/ssh.pat

l7-patterns/ssl.pat

l7-patterns/subspace.pat

l7-patterns/telnet.pat

l7-patterns/tesla.pat

l7-patterns/tftp.pat

l7-patterns/tls.pat

l7-patterns/tsp.pat

l7-patterns/validcertssl.pat

l7-patterns/vnc.pat

l7-patterns/whois.pat

l7-patterns/x11.pat

l7-patterns/xboxlive.pat

l7-patterns/xunlei.pat

l7-patterns/yahoo.pat

l7-patterns/zmaap.pat

l7.c

packages/Fedora

packages/Fedora/README

packages/Fedora/ntop.spec

packages/Makefile.debian

packages/debian

packages/debian/COPYRIGHT

packages/debian/README

packages/debian/README.Debian

packages/debian/README.target

packages/debian/changelog

packages/debian/conffiles

packages/debian/control

packages/debian/dirs

packages/debian/docs

packages/debian/etc

packages/debian/etc/init.d

packages/debian/etc/init.d/ntop

packages/debian/files

packages/debian/postinst

packages/debian/postrm

packages/debian/preinst

packages/debian/prerm

packages/debian/rules

packages/debian/substvars

packages/debian/usr

plugins/remotePlugin.c

utils/AS-list.sh

files removed:
configureextra/LINUXfedora

configureextra/LINUXslackware

html/bar.gif

html/copyright.png

html/menubar.png

html/menubar_j.png

html/menuline.png

html/modifyUser.gif

html/pie-error.png

installer/MacOSX/ntop.package.pmsp

libtool

myrrd

myrrd/Makefile.am

myrrd/Makefile.in

myrrd/config.h

myrrd/config_aux.h

myrrd/dummy.c

myrrd/gdlucidab10.c

myrrd/gdlucidab10.h

myrrd/gdlucidab12.c

myrrd/gdlucidab12.h

myrrd/gdlucidab12l2.c

myrrd/gdlucidab12l2.h

myrrd/gdlucidab14.c

myrrd/gdlucidab14.h

myrrd/gdlucidan10.c

myrrd/gdlucidan10.h

myrrd/gdlucidan10l2.c

myrrd/gdlucidan10l2.h

myrrd/gdlucidan12.c

myrrd/gdlucidan12.h

myrrd/gdlucidan14.c

myrrd/gdlucidan14.h

myrrd/gdpng.c

myrrd/gifsize.c

myrrd/ntconfig.h

myrrd/parsetime.c

myrrd/parsetime.h

myrrd/pngsize.c

myrrd/rrd.h

myrrd/rrd_create.c

myrrd/rrd_diff.c

myrrd/rrd_error.c

myrrd/rrd_fetch.c

myrrd/rrd_format.c

myrrd/rrd_format.h

myrrd/rrd_graph.c

myrrd/rrd_graph.h

myrrd/rrd_last.c

myrrd/rrd_open.c

myrrd/rrd_tool.h

myrrd/rrd_update.c

plugins/NTOP-MIB.txt

plugins/README.SNMP

plugins/globals-structtypes.xml

plugins/libnfsPlugin.la

plugins/snmpPlugin.c

plugins/xml_g_intf.inc

plugins/xml_g_invoke.inc

plugins/xml_g_multithread.inc

plugins/xml_s_ntopinterface.inc

plugins/xml_s_simpleprototrafficinfo.inc

plugins/xmldumpPlugin.c

utils/census.sh

files modified:
AUTHORS

COPYING

ChangeLog

INSTALL

Makefile.am

Makefile.in

acinclude.m4

aclocal.m4

address.c

admin.c

config.guess

config.h.in

config.sub

configure *

configure.in

configureextra/LINUXredhat9

dataFormat.c

debian/changelog

debian/control

debian/copyright

debian/init

debian/postinst

debian/postrm

debian/rules

depcomp

docs/BUILD-NTOP.txt

docs/FAQ

docs/FAQarchive

docs/INSTALL

docs/ntop-autotools.pdf *

emitter.c

etter.finger.os.gz

faq.html

fcReport.c

fcUtils.c *

fcUtils.h *

globals-core.c

globals-core.h

globals-defines.h *

globals-report.c

globals-report.h

globals-structtypes.h *

graph.c

hash.c

html/brocade.gif *

html/bulb.gif *

html/disk.gif *

html/emulex.gif *

html/faq.html

html/functions.js

html/hostSortNote.html

html/initiator.gif *

html/lock.png

html/mail.gif

html/ntop.html

html/ntopdump.dtd *

html/privacyNotice.html *

html/seagate.gif *

html/statsicons/flags/eu.gif *

html/statsicons/flags/ml.gif *

html/statsicons/flags/mn.gif *

html/statsicons/flags/mo.gif *

html/statsicons/flags/mz.gif *

html/statsicons/flags/pg.gif *

html/statsicons/flags/ps.gif *

html/statsicons/flags/sd.gif *

html/statsicons/flags/sm.gif *

html/statsicons/flags/sn.gif *

html/statsicons/flags/sv.gif *

html/statsicons/flags/tj.gif *

html/style.css

html/switch.gif *

http.c

iface.c

iface.h

initialize.c

install-sh

installer/MacOSX/ReadMe.txt

leaks.c

libtool.m4.in

ltmain.sh

main.c

missing

mkinstalldirs

ntop.8

ntop.c

ntop.h

ntop.html

ntop.txt

ntop_win32.c

ntop_win32.h

oui.txt.gz *

pbuf.c

plugin.c

plugins/FILES

plugins/Makefile.am

plugins/Makefile.in

plugins/icmpPlugin.c

plugins/lastSeenPlugin.c

plugins/netflowPlugin.c

plugins/pdaPlugin.c

plugins/rrdPlugin.c

plugins/rrdPlugin.h

plugins/sflowPlugin.c

prefs.c

protocols.c

report.c

reportUtils.c

scsiUtils.h *

sessions.c

specialMAC.txt.gz *

ssl.c

term.c

traffic.c

util.c

utildl.c

utils/addMacAddress.c

utils/addVlanName.c

utils/rrd-alarm/doc/rrd.pdf *

vendor.c

version.c

webInterface.c

Show diffs side-by-side

added added

removed removed

ntop.html

<html>

<head>

</head>

<body>

<a href="#SYNOPSIS">SYNOPSIS</a><br>

<a href="#DESCRIPTION">DESCRIPTION</a><br>

<a href="#COMMAND−LINE OPTIONS">COMMAND−LINE OPTIONS</a><br>

<a href="#WEB VIEWS">WEB VIEWS</a><br>

<a href="#NOTES">NOTES</a><br>

<a href="#PRIVACY NOTICE">PRIVACY NOTICE</a><br>

<a href="#USER SUPPORT">USER SUPPORT</a><br>

<a href="#AUTHOR">AUTHOR</a><br>

<a href="#LICENCE">LICENCE</a><br>

<a href="#ACKNOWLEDGMENTS">ACKNOWLEDGMENTS</a><br>

<hr>

<table width="100%" border=0 rules="none" frame="void"

cols="2" cellspacing="0" cellpadding="0">

<p>ntop − display top network users</p>

</td>

</table>

<h2>SYNOPSIS</h2>

<table width="100%" border=0 rules="none" frame="void"

cols="2" cellspacing="0" cellpadding="0">

<p><b>ntop</b> [<b>@filename</b>]

[<b>-a</b>|<b>--access-log-file</b> <i><path></i>]

[<b>-b</b>|<b>--disable-decoders</b>]

[<b>-c</b>|<b>--sticky-hosts</b>]

[<b>-e</b>|<b>--max-table-rows</b>]

[<b>-f</b>|<b>--traffic-dump-file</b> <i>file></i>]

[<b>-g</b>|<b>--track-local-hosts</b>]

[<b>-h</b>|<b>--help</b>]

[<b>-j</b>|<b>--create-other-packets</b>]

[<b>-l</b>|<b>--pcap-log</b> <i><path></i>]

[<b>-m</b>|<b>--local-subnets</b> <i><addresses></i>]

[<b>-n</b>|<b>--numeric-ip-addresses</b>]

[<b>-o</b>|<b>--no-mac</b>] [<b>-p</b>|<b>--protocols</b>

<i><list></i>]

[<b>-q</b>|<b>--create-suspicious-packets</b>]

[<b>-r</b>|<b>--refresh-time</b> <i><number></i>]

[<b>-s</b>|<b>--no-promiscuous</b>]

[<b>-t</b>|<b>--trace-level</b> <i><number></i>]

[<b>-x</b> <i><max_num_hash_entries></i>]

[<b>-w</b>|<b>--http-server</b> <i><port></i>]

[<b>-z</b>|<b>--disable-sessions</b>]

[<b>-A</b>|<b>--set-admin-password</b> <i>password</i>]

[<b>-B</b>|<b>--filter-expression</b> <i>expression</i>]

[<b>-C</b> <i><config</i>mode><i>]</i>

[<b>-D</b>|<b>--domain</b> <i><name></i>]

[<b>-F</b>|<b>--flow-spec</b> <i><specs></i>]

[<b>-M</b>|<b>--no-interface-merge</b>]

[<b>-N</b>|<b>--wwn-map]</b>

[<b>-O</b>|<b>----output-packet-path</b>]

[<b>-P</b>|<b>--db-file-path</b> <i><path></i>]

[<b>-Q</b>|<b>--spool-file-path</b> <i><path></i>]

[<b>-U</b>|<b>--mapper</b> <i><URL></i>]

[<b>-V</b>|<b>--version]</b> [<b>-X</b>

<i><max_num_TCP_sessions></i>]

[<b>--disable-instantsessionpurge</b>]

[<b>--disable-mutexextrainfo</b>]

[<b>--disable-schedyield</b>] [<b>--disable-stopcap</b>]

[<b>--fc-only</b>] [<b>--instance</b>] [<b>--no-fc</b>]

[<b>--no-invalid-lun</b>] [<b>--p3p-cp</b>]

[<b>--p3p-uri</b>] [<b>--skip-version-check</b>]

[<b>--w3c</b>] [<b>-4</b>|<b>--ipv4]</b>

[<b>-6</b>|<b>--ipv6]</b></p>

<p>Unix options:</p>

<p>[<b>-d</b>|<b>--daemon</b>] [<b>-i</b>|<b>--interface</b>

<i><user></i>] [<b>-K</b>|<b>--enable-debug</b>]

[<b>-L</b>] [<b>--pcap_setnonblock</b>]

[<b>--use-syslog=</b> <i><facility></i>]

[<b>--webserver-queue</b> <i><number></i>]</p>

100

101

<p>Windows option:</p>

102

103

<p>[<b>-i</b>|<b>--interface</b>

104

105

106

<p>OpenSSL options:</p>

107

108

<p>[<b>-W</b>|<b>--https-server</b> <i><port></i>]

109

[<b>--ssl-watchdog</b>]</p>

110

</td>

111

</table>

112

113

<h2>DESCRIPTION</h2>

114

115

<table width="100%" border=0 rules="none" frame="void"

116

cols="2" cellspacing="0" cellpadding="0">

117

118

119

120

<p><b>ntop</b> shows the current network usage. It displays

121

a list of hosts that are currently using the network and

122

reports information concerning the (IP and non-IP) traffic

123

generated and received by each host. <b>ntop</b> may operate

124

as a front-end collector (sFlow and/or netFlow plugins) or

125

as a stand-alone collector/display program. A web browser is

126

needed to access the information captured by the <b>ntop</b>

127

program.</p>

128

129

<p><b>ntop</b> is a hybrid layer 2 / layer 3 network

130

monitor, that is by default it uses the layer 2 Media Access

131

Control (MAC) addresses AND the layer 3 tcp/ip addresses.

132

<b>ntop</b> is capable of associating the two, so that ip

133

and non-ip traffic (e.g. arp, rarp) are combined for a

134

complete picture of network activity.</p>

135

</td>

136

</table>

137

138

<h2>COMMAND−LINE OPTIONS</h2>

139

140

<table width="100%" border=0 rules="none" frame="void"

141

cols="2" cellspacing="0" cellpadding="0">

142

143

144

145

<p><b>@filename</b></p></td>

146

</table>

147

148

<table width="100%" border=0 rules="none" frame="void"

149

cols="2" cellspacing="0" cellpadding="0">

150

151

152

153

<p>The text of <b>filename</b> is copied - ignoring line

154

breaks and comment lines (anything following a #) - into the

155

command line. <b>ntop</b> behaves as if all of the text had

156

simply been typed directly on the command line. For example,

157

if the command line is "-t 3 @d -u ntop" and file

158

d contains just the line ’-d’, then the

159

effective command line is -t 3 -d -u ntop. Multiple @s are

160

permitted. Nested @s (an @ inside the file) are not

161

permitted.</p>

162

163

<p>Remember, most <b>ntop</b> options are

164

"sticky", that is they just set an internal flag.

165

Invoking them multiple times doesn’t change

166

<b>ntop’s</b> behavior. However, options that set a

167

value, such as --trace-level, will use the LAST value given:

168

--trace-level 2 --trace-level 3 will run as --trace-level

169

3.</p>

170

171

<p>Beginning with 3.1, many command-line options may also be

172

set via the web browser interface. These changes take effect

173

on the next run of and on each subsequent run until

174

changed.</p>

175

</td>

176

</table>

177

178

<table width="100%" border=0 rules="none" frame="void"

179

cols="2" cellspacing="0" cellpadding="0">

180

181

182

183

<p><b>-a | --access-log-file</b></p></td>

184

</table>

185

186

<table width="100%" border=0 rules="none" frame="void"

187

cols="2" cellspacing="0" cellpadding="0">

188

189

190

191

<p>By default <b>ntop</b> does not maintain a log of HTTP

192

requests to the internal web server. Use this parameter to

193

request logging and to specify the location of the file

194

where these HTTP requests are logged.</p>

195

196

<p>Each log entry is in Apache-like style. The only

197

difference between Apache and <b>ntop</b> logs is that an

198

additional column has been added which has the time (in

199

milliseconds) that <b>ntop</b> needed to serve the request.

200

Log entries look like this:</p>

201

202

<pre>192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4

203

192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4

204

192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7

205

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4

206

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9

207

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10

208

192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10

209

</pre>

210

211

<p>This parameter is the complete file name of the access

212

log. In prior releases it was erroneously called

213

--access-log-path.</p>

214

</td>

215

</table>

216

217

<table width="100%" border=0 rules="none" frame="void"

218

cols="2" cellspacing="0" cellpadding="0">

219

220

221

222

<p><b>-b | --disable-decoders</b></p></td>

223

</table>

224

225

<table width="100%" border=0 rules="none" frame="void"

226

cols="2" cellspacing="0" cellpadding="0">

227

228

229

230

<p>This parameter disables protocol decoders.</p>

231

232

<p>Protocol decoders examine and collect information about

233

layer 2 protocols such as NetBIOS or Netware SAP, as well as

234

about specific tcp/ip (layer 3) protocols, such as DNS, http

235

and ftp.</p>

236

237

<p>This support is specifically coded for each protocol and

238

is different from the capability to count raw information

239

(packets and bytes) by protocol specified by the -p |

240

--protocols parameter, below.</p>

241

242

<p>Decoding protocols is a significant consumer of

243

resources. If the <b>ntop</b> host is underpowered or

244

monitoring a very busy network, you may wish to disable

245

protocol decoding via this parameter. It may also be

246

appropriate to use this parameter if you believe that

247

<b>ntop</b> has problems handling some protocols that occur

248

on your network.</p>

249

250

<p>Even if decoding is disabled, ftp-data traffic is still

251

decoded to look for passive ftp port commands.</p>

252

</td>

253

</table>

254

255

<table width="100%" border=0 rules="none" frame="void"

256

cols="2" cellspacing="0" cellpadding="0">

257

258

259

260

<p><b>-c | --sticky-hosts</b></p></td>

261

</table>

262

263

<table width="100%" border=0 rules="none" frame="void"

264

cols="2" cellspacing="0" cellpadding="0">

265

266

267

268

<p>Use this parameter to prevent idle hosts from being

269

purged from memory.</p>

270

271

<p>By default idle hosts are periodically purged from

272

memory. An idle host is identified when no packets from or

273

to that host have been monitored for the period of time

274

defined by the value of PARM_HOST_PURGE_MINIMUM_IDLE in

275

globals-defines.h.</p>

276

277

<p>If you use this option, all hosts - active and idle - are

278

retained in memory for the duration of the <b>ntop</b>

279

run.</p>

280

281

<p>P2P users, port scans, popular web servers and other

282

activity will cause <b>ntop</b> to record data about a large

283

number of hosts. On an active network, this will consume a

284

significant - and always growing - amount of memory. It is

285

strongly recommended that you use a filtering expression to

286

limit the hosts which are stored if you use

287

--sticky-hosts.</p>

288

289

<p>The idle purge is a statistical one - a random selection

290

of the eligible hosts will be purged during each cycle. Thus

291

it is possible on a busy system for an idle host to remain

292

in the <b>ntop</b> tables and appear ’active’

293

for some considerable time after it is truly idle.</p>

294

</td>

295

</table>

296

297

<table width="100%" border=0 rules="none" frame="void"

298

cols="2" cellspacing="0" cellpadding="0">

299

300

301

302

<p><b>-d | --daemon</b></p></td>

303

</table>

304

305

<table width="100%" border=0 rules="none" frame="void"

306

cols="2" cellspacing="0" cellpadding="0">

307

308

309

310

<p>This parameter causes ntop to become a daemon, i.e. a

311

task which runs in the background without connection to a

312

specific terminal. To use <b>ntop</b> other than as a casual

313

monitoring tool, you probably will want to use this

314

option.</p>

315

316

<p><b>WARNING:</b> If you are running as a daemon, the

317

messages from <b>ntop</b> will be ’printed’ on

318

to stdout and thus dropped. You probably don’t want to

319

do this. So remember to also use the -L or --use-syslog

320

options to save the messages into the system log.</p>

321

</td>

322

</table>

323

324

<table width="100%" border=0 rules="none" frame="void"

325

cols="2" cellspacing="0" cellpadding="0">

326

327

328

329

<p><b>-e | --max-table-rows</b></p></td>

330

</table>

331

332

<table width="100%" border=0 rules="none" frame="void"

333

cols="2" cellspacing="0" cellpadding="0">

334

335

336

337

<p>This defines the maximum number of lines that <b>ntop</b>

338

will display on each generated HTML page. If there are more

339

lines to be displayed than this setting permits, only part

340

of the data will be displayed. There will be page

341

forward/back arrows placed at the bottom of the page for

342

navigation between pages.</p>

343

</td>

344

</table>

345

346

<table width="100%" border=0 rules="none" frame="void"

347

cols="2" cellspacing="0" cellpadding="0">

348

349

350

351

<p><b>-f | --traffic-dump-file</b></p></td>

352

</table>

353

354

<table width="100%" border=0 rules="none" frame="void"

355

cols="2" cellspacing="0" cellpadding="0">

356

357

358

359

<p>By default, <b>ntop</b> captures traffic from network

360

interface cards (NICs) or from netFlow/sFlow probes.

361

However, <b>ntop</b> can also read data from a file -

362

typically a tcpdump capture or the output from one of the

363

<b>ntop</b> packet capture options.</p>

364

365

<p>if you specify -f, <b>ntop</b> will not capture any

366

traffic from NICs during or after the file has been read.

367

netFlow/sFlow capture - if enabled - would still be

368

active.</p>

369

370

<p>This option is mostly used for debug purposes.</p>

371

</td>

372

</table>

373

374

<table width="100%" border=0 rules="none" frame="void"

375

cols="2" cellspacing="0" cellpadding="0">

376

377

378

379

<p><b>-g | --track-local-hosts</b></p></td>

380

</table>

381

382

<table width="100%" border=0 rules="none" frame="void"

383

cols="2" cellspacing="0" cellpadding="0">

384

385

386

387

<p>By default, <b>ntop</b> tracks all hosts that it sees

388

from packets captured on the various NICs. Use this

389

parameter to tell <b>ntop</b> to capture data only about

390

local hosts. Local hosts are defined based on the addresses

391

of the NICs and those networks identified as local via the

392

-m | --local-subnets parameter.</p>

393

394

<p>This parameter is useful on large networks or those that

395

see many hosts, (e.g. a border router or gateway), where

396

information about remote hosts is not desired/required to be

397

tracked.</p>

398

</td>

399

</table>

400

401

<table width="100%" border=0 rules="none" frame="void"

402

cols="2" cellspacing="0" cellpadding="0">

403

404

405

406

407

</table>

408

409

<table width="100%" border=0 rules="none" frame="void"

410

cols="2" cellspacing="0" cellpadding="0">

411

412

413

414

<p>Print help information for <b>ntop,</b> including usage

415

and parameters.</p>

416

</td>

417

</table>

418

419

<table width="100%" border=0 rules="none" frame="void"

420

cols="2" cellspacing="0" cellpadding="0">

421

422

423

424

<p><b>-i | --interface</b></p></td>

425

</table>

426

427

<table width="100%" border=0 rules="none" frame="void"

428

cols="2" cellspacing="0" cellpadding="0">

429

430

431

432

<p>Specifies the network interface or interfaces to be used

433

by <b>ntop</b> for network monitoring.</p>

434

435

<p>If multiple interfaces are used (this feature is

436

available only if ntop is compiled with thread support)

437

their names must be separated with a comma. For instance -i

438

"eth0,lo".</p>

439

440

<p>If not specified, the default is the first Ethernet

441

device, e.g. eth0. The specific device that is

442

’first’ is highly system dependent. Especially

443

on systems where the device name reflects the driver name

444

instead of the type of interface.</p>

445

446

<p>By default, traffic information obtained by all the

447

interfaces is merged together as if the traffic was seen by

448

only one interface. Use the -M parameter to keep traffic

449

separate by interface.</p>

450

451

<p>If you do not want <b>ntop</b> to monitor any interfaces,

452

use -i none.</p>

453

454

<p>Under Windows, the parameter value is either the number

455

of the interface or its name, e.g.

456

{6252C14C-44C9-49D9-BF59-B2DC18C7B811}. Run <b>ntop</b> -h

457

to see a list of interface name-number mappings (at the end

458

of the help information).</p>

459

</td>

460

</table>

461

462

<table width="100%" border=0 rules="none" frame="void"

463

cols="2" cellspacing="0" cellpadding="0">

464

465

466

467

<p><b>-j | --create-other-packets</b></p></td>

468

</table>

469

470

<table width="100%" border=0 rules="none" frame="void"

471

cols="2" cellspacing="0" cellpadding="0">

472

473

474

475

<p>This parameter causes <b>ntop</b> to create a dump file

476

of the ’other’ network traffic captured. One

477

file is created for each network interface where

478

<path>/ntop-other-pkts.<device>.pcap, where

479

<path> is defined by the -O | --output-packet-path

480

parameter. This file is useful for understanding these

481

unclassifed packets.</p>

482

</td>

483

</table>

484

485

<table width="100%" border=0 rules="none" frame="void"

486

cols="2" cellspacing="0" cellpadding="0">

487

488

489

490

491

</table>

492

493

<table width="100%" border=0 rules="none" frame="void"

494

cols="2" cellspacing="0" cellpadding="0">

495

496

497

498

<p>This parameter causes a dump file to be created of the

499

network traffic captured by <b>ntop</b> in tcpdump (pcap)

500

format. This file is useful for debug, and may be read back

501

into <b>ntop</b> by the -f | --traffic-dump-file parameter.

502

The dump is made after processing any filter expression (

503

never even sees filtered packets).</p>

504

505

<p>The output file will be named

506

507

(Windows: <i><path>/<log>.pcap</i> ), where

508

<path> is defined by the -O | --output-packet-path

509

parameter and <log> is defined by this -l | --pcap-log

510

parameter.</p>

511

</td>

512

</table>

513

514

<table width="100%" border=0 rules="none" frame="void"

515

cols="2" cellspacing="0" cellpadding="0">

516

517

518

519

<p><b>-m | --local-subnets</b></p></td>

520

</table>

521

522

<table width="100%" border=0 rules="none" frame="void"

523

cols="2" cellspacing="0" cellpadding="0">

524

525

526

527

<p><b>ntop</b> determines the ip addresses and netmasks for

528

each active interface. Any traffic on those networks is

529

considered local. This parameter allows the user to define

530

additional networks and subnetworks whose traffic is also

531

considered local in <b>ntop</b> reports. All other hosts are

532

considered remote.</p>

533

534

<p>Commas separate multiple network values. Both netmask and

535

CIDR notation may be used, even mixed together, for instance

536

"131.114.21.0/24,10.0.0.0/255.0.0.0".</p>

537

538

<p>The local subnet - as defined by the interface

539

address(es) - is/are always local and do not need to be

540

specified. If you do give the same value as a NIC’s

541

local address, a harmless warning message is issued.</p>

542

</td>

543

</table>

544

545

<table width="100%" border=0 rules="none" frame="void"

546

cols="2" cellspacing="0" cellpadding="0">

547

548

549

550

<p><b>-n | --numeric-ip-addresses</b></p></td>

551

</table>

552

553

<table width="100%" border=0 rules="none" frame="void"

554

cols="2" cellspacing="0" cellpadding="0">

555

556

557

558

<p>By default, <b>ntop</b> resolves IP addresses using a

559

combination of active (explicit) DNS queries and passive

560

sniffing. Sniffing of DNS responses occurs when <b>ntop</b>

561

receives a network packet containing the response to some

562

other user’s DNS query. <b>ntop</b> captures this

563

information and enters it into <b>ntop’s</b> DNS

564

cache, in expectation of shortly seeing traffic addressed to

565

that host. This way <b>ntop</b> significantly reduces the

566

number of DNS queries it makes.</p>

567

568

<p>This parameter causes <b>ntop</b> to skip DNS resolution,

569

showing only numeric IP addresses instead of the symbolic

570

names. This option can useful when the DNS is not present or

571

quite slow.</p>

572

</td>

573

</table>

574

575

<table width="100%" border=0 rules="none" frame="void"

576

cols="2" cellspacing="0" cellpadding="0">

577

578

579

580

581

</table>

582

583

<table width="100%" border=0 rules="none" frame="void"

584

cols="2" cellspacing="0" cellpadding="0">

585

586

587

588

<p><b>ntop</b> is a hybrid layer 2/3 network monitor. That

589

is, it uses both the lower level, physical device address -

590

the MAC (Media Access Control) address - and the higher

591

level, logical, tcp/ip address (the familiar www.ntop.org or

592

131.114.21.9 address). This allows <b>ntop</b> to link the

593

logical addresses to a physical machine with multiple

594

addresses (This occurs with virtual hosts or additional

595

addresses assigned to the interface, etc.) to present

596

consolidated reporting.</p>

597

598

<p>This parameter specifies that <b>ntop</b> should not

599

trust the MAC addresses but just use the IP addresses.</p>

600

601

<p>Normally, since the MAC address must be globally unique,

602

the dual nature of <b>ntop</b> is a benefit and provides far

603

better information about the network than is available via a

604

pure layer 2 or pure layer 3 monitor.</p>

605

606

<p>Under certain circumstances - whenever <b>ntop</b> is

607

started on an interface where MAC addresses cannot be really

608

trusted - you may require this option.</p>

609

610

<p>Situations which may require this option include

611

port/VLAN mirror, some cases with switches and spanning tree

612

protocol, and (reportedly) some specific models of Ethernet

613

switches which re-write MAC addresses of the packets they

614

process. Normally, you discover that this option is

615

necessary when you observe that hosts seem to change their

616

addresses or information about different machines get lumped

617

together.</p>

618

619

<p>Note that with this option, information which is

620

dependent upon the MAC addresses (non tcp/ip protocols like

621

IPX) will not be collected nor displayed.</p>

622

</td>

623

</table>

624

625

<table width="100%" border=0 rules="none" frame="void"

626

cols="2" cellspacing="0" cellpadding="0">

627

628

629

630

<p><b>-p | --protocols</b></p></td>

631

</table>

632

633

<table width="100%" border=0 rules="none" frame="void"

634

cols="2" cellspacing="0" cellpadding="0">

635

636

637

638

<p>This parameter is used to specify the TCP/UDP protocols

639

that <b>ntop</b> will monitor. The format is

640

<label>=<protocol list> [,

641

<label>=<protocol list>], where label is used to

642

symbolically identify the <protocol list>. The format

643

of <protocol list> is

644

<protocol>[|<protocol>], where <protocol>

645

is either a valid protocol specified inside the

646

/etc/services file or a numeric port range (e.g. 80, or

647

6000-6500).</p>

648

649

<p>A simple example is

650

--protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data",

651

which reduces the protocols displayed on the "IP"

652

pages to three:</p>

653

654

<pre>Host Domain Data HTTP FTP Other IP

655

ns2.attbi.com <flag> 954 63.9 % 0 0 954

656

64.124.83.112.akamai.com <flag> 240 16.1 % 240 0 0

657

64.124.83.99.akamai.com <flag> 240 16.1 % 240 0 0

658

toolbarqueries.google.com <flag> 60 4.0 % 60 0 0

659

</pre>

660

661

<p>If the <protocol list> is very long you may store

662

it in a file (for instance protocol.list). To do so, specify

663

the file name instead of the <protocol list> on the

664

command line. e.g. <b>ntop -p protocol.list</b></p>

665

666

<p>If the -p parameter is omitted the following default

667

value is used:</p>

668

669

<pre> FTP=ftp|ftp-data

670

HTTP=http|www|https|3128 3128 is Squid, the HTTP cache

671

DNS=name|domain

672

Telnet=telnet|login

673

NBios-IP=netbios-ns|netbios-dgm|netbios-ssn

674

675

DHCP-BOOTP=67-68

676

SNMP=snmp|snmp-trap

677

NNTP=nntp

678

NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status

679

X11=6000-6010

680

SSH=22

681

682

Peer-to-Peer Protocols

683

----------------------

684

Gnutella=6346|6347|6348

685

Kazaa=1214

686

WinMX=6699|7730

687

DirectConnect=0 Dummy port as this is a pure P2P protocol

688

eDonkey=4661-4665

689

690

Instant Messenger

691

-----------------

692

Messenger=1863|5000|5001|5190-5193

693

</pre>

694

695

<p>NOTE: To resolve protocol names to port numbers, they

696

must be specified in the system file used to list tcp/udp

697

protocols and ports, which is typically /etc/services file.

698

You will have to match the names in that file, exactly.

699

Missing or unspecified (non-standard) ports must be

700

specified by number, such as 3128 in our examples above.</p>

701

702

<p>If you have a file named /etc/protocols, don’t get

703

confused by it, as that’s the Ethernet protocol

704

numbers, which are not what you’re looking for.</p>

705

</td>

706

</table>

707

708

<table width="100%" border=0 rules="none" frame="void"

709

cols="2" cellspacing="0" cellpadding="0">

710

711

712

713

<p><b>-q | --create-suspicious-packets</b></p></td>

714

</table>

715

716

<table width="100%" border=0 rules="none" frame="void"

717

cols="2" cellspacing="0" cellpadding="0">

718

719

720

721

<p>This parameter tells <b>ntop</b> to create a dump file of

722

suspicious packets.</p>

723

724

<p>There are many, many, things that cause a packet to be

725

labeled as ’suspicious’, including:</p>

726

727

<pre> Detected ICMP fragment

728

Detected Land Attack against host

729

Detected overlapping/tiny packet fragment

730

Detected traffic on a diagnostic port

731

Host performed ACK/FIN/NULL scan

732

Host rejected TCP session

733

HTTP/FTP/SMTP/SSH detected at wrong port

734

Malformed TCP/UDP/ICMP packet (packet too short)

735

Packet # %u too long

736

Received a ICMP protocol Unreachable from host

737

Sent ICMP Administratively Prohibited packet to host

738

Smurf packet detected for host

739

TCP connection with no data exchanged

740

TCP session reset without completing 3-way handshake

741

Two MAC addresses found for the same IP address

742

UDP data to a closed port

743

Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)

744

Unusual ICMP options

745

</pre>

746

747

<p>When this parameter is used, one file is created for each

748

network interface where suspicious packets are found. The

749

file is in tcpdump (pcap) format and is named

750

<path>/ntop-suspicious-pkts.<device>.pcap, where

751

<path> is defined by the -O | --output-packet-path

752

parameter.</p>

753

</td>

754

</table>

755

756

<table width="100%" border=0 rules="none" frame="void"

757

cols="2" cellspacing="0" cellpadding="0">

758

759

760

761

<p><b>-r | --refresh-time</b></p></td>

762

</table>

763

764

<table width="100%" border=0 rules="none" frame="void"

765

cols="2" cellspacing="0" cellpadding="0">

766

767

768

769

<p>Specifies the delay (in seconds) between automatic screen

770

updates for those generated HTML pages which support them.

771

This parameter allows you to leave your browser window open

772

and have it always displaying nearly real-time data from

773

774

775

<p>The default is 3 seconds. Please note that if the delay

776

is very short (1 second for instance), <b>ntop</b> might not

777

be able to process all of the network traffic.</p>

778

</td>

779

</table>

780

781

<table width="100%" border=0 rules="none" frame="void"

782

cols="2" cellspacing="0" cellpadding="0">

783

784

785

786

<p><b>-s | --no-promiscuous</b></p></td>

787

</table>

788

789

<table width="100%" border=0 rules="none" frame="void"

790

cols="2" cellspacing="0" cellpadding="0">

791

792

793

794

<p>Use this parameter to prevent from setting the

795

interface(s) into promiscuous mode.</p>

796

797

<p>An interface in promiscuous mode will accept ALL Ethernet

798

frames, regardless of whether they directed (addressed) to

799

the specific network interface (NIC) or not. This is an

800

essential part of enabling <b>ntop</b> to monitor an entire

801

network. (Without promiscuous mode, <b>ntop</b> will only

802

see traffic directed to the specific host it is running on,

803

plus broadcast traffic such as the arp and dhcp

804

protocols.</p>

805

806

<p>Even if you use this parameter, the interface could well

807

be in promiscuous mode if another application enabled

808

it.</p>

809

810

<p><b>ntop</b> passes this setting on to libpcap, the packet

811

capture library. On many systems, a non-promiscuous open of

812

the network interface will fail, since the libpcap function

813

on most systems require it to capture raw packets (

814

<b>ntop</b> captures raw packets so that we may view and

815

analyze the layer 2 - MAC - information).</p>

816

817

<p>Thus on most systems, <b>ntop</b> must probably still be

818

started as root, and this option is largely ornamental. If

819

it fails, you will see a ***FATALERROR*** message referring

820

to pcap_open_live() and then an information message,

821

"Sorry, but on this system, even with -s, it appears

822

that ntop must be started as root".</p>

823

</td>

824

</table>

825

826

<table width="100%" border=0 rules="none" frame="void"

827

cols="2" cellspacing="0" cellpadding="0">

828

829

830

831

<p><b>-t | --trace-level</b></p></td>

832

</table>

833

834

<table width="100%" border=0 rules="none" frame="void"

835

cols="2" cellspacing="0" cellpadding="0">

836

837

838

839

<p>This parameter specifies the ’information’

840

level of messages that you wish <b>ntop</b> to display (on

841

stdout or to the log). The higher the trace level number the

842

more information that is displayed. The trace level ranges

843

between 0 (no trace) and 5 (full debug tracings).</p>

844

845

<p>The default trace value is 3.</p>

846

847

<p>Trace level 0 is not quite zero messages. Fatal errors

848

and certain startup/shutdown messages are always displayed.

849

Trace level 1 is used to display errors only, level 2 for

850

both errors and warnings, and level 3 displays error,

851

warning and informational messages.</p>

852

853

<p>Trace level 4 is called ’noisy’ and it is -

854

generating many messages about the internal functioning of

855

<b>ntop.</b> Trace level 5 and above are ’noisy’

856

plus extra logs, i.e. all possible messages, with a

857

file:line tag prepended to every message.</p>

858

</td>

859

</table>

860

861

<table width="100%" border=0 rules="none" frame="void"

862

cols="2" cellspacing="0" cellpadding="0">

863

864

865

866

867

</table>

868

869

<table width="100%" border=0 rules="none" frame="void"

870

cols="2" cellspacing="0" cellpadding="0">

871

872

873

874

<p>Specifies the user <b>ntop</b> should run as after it

875

initializes.</p>

876

877

<p><b>ntop</b> must normally be started as root so that it

878

has sufficient privileges to open the network interfaces in

879

promiscuous mode and to receive raw frames. See the

880

discussion of -s | --no-promiscuous above, if you wish to

881

try starting <b>ntop</b> as a non-root user.</p>

882

883

<p>Shortly after starting up, <b>ntop</b> becomes the user

884

you specify here, which normally has substantially reduced

885

privileges, such as no login shell. This is the userid which

886

owns <b>ntop’s</b> database and output files.</p>

887

888

<p>The value specified may be either a username or a numeric

889

user id. The group id used will be the primary group of the

890

user specified.</p>

891

892

<p>If this parameter is not specified, ntop will try to

893

switch first to ’nobody’ and then to

894

’anonymous’ before giving up.</p>

895

896

<p>NOTE: This should not be root unless you really

897

understand the security risks. In order to prevent this by

898

accident, the only way to run <b>ntop</b> as root is to

899

explicitly specify -u root. <b>Don’t do it.</b></p>

900

</td>

901

</table>

902

903

<table width="100%" border=0 rules="none" frame="void"

904

cols="2" cellspacing="0" cellpadding="0">

905

906

907

908

909

</table>

910

911

<table width="100%" border=0 rules="none" frame="void"

912

cols="2" cellspacing="0" cellpadding="0">

913

914

915

916

917

</table>

918

919

<table width="100%" border=0 rules="none" frame="void"

920

cols="2" cellspacing="0" cellpadding="0">

921

922

923

924

<p><b>ntop</b> creates a new hash/list entry for each new

925

host/TCP session seen. In case of DOS (Denial Of Service) an

926

attacker can easily exhaust all the host available memory

927

because ntop is creating entries for dummy hosts. In order

928

to avoid this you can set an upper limit in order to limit

929

the memory ntop can use.</p>

930

</td>

931

</table>

932

933

<table width="100%" border=0 rules="none" frame="void"

934

cols="2" cellspacing="0" cellpadding="0">

935

936

937

938

<p><b>-w | --http-server</b></p></td>

939

</table>

940

941

<table width="100%" border=0 rules="none" frame="void"

942

cols="2" cellspacing="0" cellpadding="0">

943

944

945

946

<p><b>-W | --https-server</b></p></td>

947

</table>

948

949

<table width="100%" border=0 rules="none" frame="void"

950

cols="2" cellspacing="0" cellpadding="0">

951

952

953

954

<p><b>ntop</b> offers an embedded web server to present the

955

information that has been so painstakingly gathered. An

956

external HTTP server is NOT required NOR supported. The

957

<b>ntop</b> web server is embedded into the application.

958

These parameters specify the port (and optionally the

959

address (i.e. interface)) of the <b>ntop</b> web server.</p>

960

961

<p>For example, if started with -w 3000 (the default port),

962

the URL to access <b>ntop</b> is http://hostname:3000/. If

963

started with a full specification, e.g. -w 192.168.1.1:3000,

964

<b>ntop</b> listens on only that address/port

965

combination.</p>

966

967

<p>If -w is set to 0 the web server will not listen for

968

http:// connections.</p>

969

970

<p>-W operates similarly, but controls the port for the

971

https:// connections.</p>

972

973

<p>Some examples:</p>

974

975

<p><b>ntop -w 3000 -W 0</b> (this is the default setting)

976

TP requests on port 3000 and no HTTPS.</p>

977

978

<p><b>ntop -w 80 -W 443</b> Both HTTP and HTTPS have been

979

enabled on their most common ports.</p>

980

981

<p><b>ntop -w 0 -W 443</b> HTTP disabled, HTTPS enabled on

982

the common port.</p>

983

984

<p>Certain sensitive, configuration pages of the <b>ntop</b>

985

web server are protected by a userid/password. By default,

986

these are the user/URL administration, filter, shutdown and

987

reset stats are password protected and are accessible

988

initially only to user <b>admin</b> with a password set

989

during the first run of <b>ntop.</b></p>

990

991

<p>Users can modify/add/delete users/URLs using ntop itself

992

- see the Admin tab.</p>

993

994

<p>The passwords, userids and URLs to protect with passwords

995

are stored in a database file. Passwords are stored in an

996

encrypted form in the database for further security. Best

997

practices call for securing that database so that only the

998

999

1000

<p>There is a discussion in docs/FAQ about further securing

1001

the <b>ntop</b> environment.</p>

1002

</td>

1003

</table>

1004

1005

<table width="100%" border=0 rules="none" frame="void"

1006

cols="2" cellspacing="0" cellpadding="0">

1007

1008

1009

1010

<p><b>-z | --disable-sessions</b></p></td>

1011

</table>

1012

1013

<table width="100%" border=0 rules="none" frame="void"

1014

cols="2" cellspacing="0" cellpadding="0">

1015

1016

1017

1018

<p>This parameter disables TCP session tracking. Use it for

1019

better performance or when you don’t really need/care

1020

to track sessions.</p>

1021

</td>

1022

</table>

1023

1024

<table width="100%" border=0 rules="none" frame="void"

1025

cols="2" cellspacing="0" cellpadding="0">

1026

1027

1028

1029

<p><b>-A | --set-admin-password</b></p></td>

1030

</table>

1031

1032

<table width="100%" border=0 rules="none" frame="void"

1033

cols="2" cellspacing="0" cellpadding="0">

1034

1035

1036

1037

<p>This parameter is used to start <b>ntop</b> , set the

1038

admin password and quit. It is quite useful for installers

1039

that need to automatically set the password for the admin

1040

user.</p>

1041

1042

<p>-A and --set-admin-password (without a value) will prompt

1043

the user for the password.</p>

1044

1045

<p>You may also use this parameter to set a specific value

1046

using --set-admin-password=value. <b>The = is REQUIRED and

1047

no spaces are permitted!</b></p>

1048

1049

<p>If you attempt to run <b>ntop</b> as a daemon without

1050

setting a password, a FATAL ERROR message is generated and

1051

<b>ntop</b> stops.</p>

1052

</td>

1053

</table>

1054

1055

<table width="100%" border=0 rules="none" frame="void"

1056

cols="2" cellspacing="0" cellpadding="0">

1057

1058

1059

1060

<p><b>-B | --filter-expression</b></p></td>

1061

</table>

1062

1063

<table width="100%" border=0 rules="none" frame="void"

1064

cols="2" cellspacing="0" cellpadding="0">

1065

1066

1067

1068

<p>Filters allows the user to restrict the traffic seen by

1069

<b>ntop</b> on just about any imaginable item.</p>

1070

1071

<p>The filter expression is set at run time by this

1072

parameter, but it may be changed during the <b>ntop</b> run

1073

on the Admin | Change Filter web page.</p>

1074

1075

<p>The basic format is <b>-B filter</b> , where the quotes

1076

are <b>REQUIRED</b></p>

1077

1078

<p>The syntax of the filter expression uses the same BPF

1079

(Berkeley Packet Filter) expressions used by other packages

1080

such as tcpdump</p>

1081

1082

<p>For instance, suppose you are interested only in the

1083

traffic generated/received by the host jake.unipi.it.

1084

<b>ntop</b> can then be started with the following

1085

filter:</p>

1086

1087

<p><b>ntop -B src host jake.unipi.it or dst host

1088

jake.unipi.it</b></p>

1089

1090

<p>or in shorthand:</p>

1091

1092

<p><b>ntop -B host jake.unipi.it or host

1093

jake.unipi.it</b></p>

1094

1095

<p>See the ’expression’ section of the

1096

<b>tcpdump</b> man page - usually available at

1097

http://www.tcpdump.org/tcpdump_man.html - for further

1098

information and the best quick guide to BPF filters

1099

currently available.</p>

1100

1101

<p>WARNING: If you are using complex filter expressions,

1102

especially those with =s or meaningful spaces in them, be

1103

sure and use the long option format,

1104

--filter-expression="xxxx" and not -B

1105

"xxxx".</p>

1106

</td>

1107

</table>

1108

1109

<table width="100%" border=0 rules="none" frame="void"

1110

cols="2" cellspacing="0" cellpadding="0">

1111

1112

1113

1114

1115

</table>

1116

1117

<table width="100%" border=0 rules="none" frame="void"

1118

cols="2" cellspacing="0" cellpadding="0">

1119

1120

1121

1122

<p>This instruments ntop to be used in two configurations:

1123

host and network mode. In host mode (default) ntop works as

1124

usual: the IP addresses received are those of real hosts. In

1125

host mode the IP addresses received are those of the C-class

1126

network to which the address belongs. Using ntop in network

1127

mode is extremely useful when installed in a traffic

1128

exchange (e.g. in the middle of the Internet) whereas the

1129

host mode should be used when ntop is installed on the edge

1130

of a network (e.g. inside a company). The network mode

1131

significantly reduces the amount of work ntop has to perform

1132

and it has to be used whenever ntop is used to find out how

1133

the network traffic flows and not to pin-point specific

1134

hosts.</p>

1135

</td>

1136

</table>

1137

1138

<table width="100%" border=0 rules="none" frame="void"

1139

cols="2" cellspacing="0" cellpadding="0">

1140

1141

1142

1143

<p><b>-D | --domain</b></p></td>

1144

</table>

1145

1146

<table width="100%" border=0 rules="none" frame="void"

1147

cols="2" cellspacing="0" cellpadding="0">

1148

1149

1150

1151

<p>This identifies the local domain suffix, e.g. ntop.org.

1152

It may be necessary, if <b>ntop</b> is having difficulty

1153

determining it from the interface.</p>

1154

</td>

1155

</table>

1156

1157

<table width="100%" border=0 rules="none" frame="void"

1158

cols="2" cellspacing="0" cellpadding="0">

1159

1160

1161

1162

1163

</table>

1164

1165

<table width="100%" border=0 rules="none" frame="void"

1166

cols="2" cellspacing="0" cellpadding="0">

1167

1168

1169

1170

<p>It is used to specify network flows similar to more

1171

powerful applications such as NeTraMet. A flow is a stream

1172

of captured packets that match a specified rule. The format

1173

is</p>

1174

1175

<p><b><flow-label>=’<matching

1176

expression>’[,<flow-label>=’<matching

1177

expression>’]</b></p>

1178

1179

<p>, where the label is used to symbolically identify the

1180

flow specified by the expression. The expression is a bpf

1181

(Berkeley Packet Filter) expression. If an expression is

1182

specified, then the information concerning flows can be

1183

accessed following the HTML link named ’List

1184

NetFlows’.</p>

1185

1186

<p>For instance define two flows with the following

1187

expression <b>LucaHosts=’host jake.unipi.it or host

1188

pisanino.unipi.it’,GatewayRoutedPkts=’gateway

1189

gateway.unipi.it’ .</b></p>

1190

1191

<p>All the traffic sent/received by hosts jake.unipi.it or

1192

pisanino.unipi.it is collected by <b>ntop</b> and added to

1193

the LucaHosts flow, whereas all the packet routed by the

1194

gateway gateway.unipi.it are added to the GatewayRoutedPkts

1195

flow. If the flows list is very long you may store in a file

1196

(for instance flows.list) and specify the file name instead

1197

of the actual flows list (in the above example, this would

1198

be ’ntop -F flows.list’).</p>

1199

1200

<p>Note that the double quotations around the entire flow

1201

expression are required.</p>

1202

</td>

1203

</table>

1204

1205

<table width="100%" border=0 rules="none" frame="void"

1206

cols="2" cellspacing="0" cellpadding="0">

1207

1208

1209

1210

<p><b>-K | --enable-debug</b></p></td>

1211

</table>

1212

1213

<table width="100%" border=0 rules="none" frame="void"

1214

cols="2" cellspacing="0" cellpadding="0">

1215

1216

1217

1218

<p>Use this parameter to simplify application debug. It does

1219

three things: 1. Does not fork() on the "read

1220

only" html pages. 2. Displays mutex values on the

1221

configuration (info.html) page. 3. (If available -

1222

glibc/gcc) Activates an automated backtrace on application

1223

errors.</p>

1224

</td>

1225

</table>

1226

1227

<table width="100%" border=0 rules="none" frame="void"

1228

cols="2" cellspacing="0" cellpadding="0">

1229

1230

1231

1232

<p><b>-L | --use-syslog=facility</b></p></td>

1233

</table>

1234

1235

<table width="100%" border=0 rules="none" frame="void"

1236

cols="2" cellspacing="0" cellpadding="0">

1237

1238

1239

1240

<p>Use this parameter to send log messages to the system log

1241

instead of stdout.</p>

1242

1243

<p>-L and the simple form --use-syslog use the default log

1244

facility, defined as LOG_DAEMON in the #define symbol

1245

DEFAULT_SYSLOG_FACILITY in globals-defines.h.</p>

1246

1247

<p>The complex form, --use-syslog=facility will set the log

1248

facility to whatever value (e.g. local3, security) you

1249

specify. <b>The = is REQUIRED and no spaces are

1250

allowed!</b></p>

1251

1252

<p>This setting applies both to <b>ntop</b> and to any child

1253

fork()ed for reporting. If this parameter is not specified,

1254

any fork()ed child will use the default value and will log

1255

it’s messages to the system log (this occurs because

1256

the fork()ed child must give up it’s access to the

1257

parents stdout).</p>

1258

1259

<p>Because various systems do not make the permissible names

1260

available, we have a table at the end of globals-core.c.

1261

Look for myFacilityNames.</p>

1262

</td>

1263

</table>

1264

1265

<table width="100%" border=0 rules="none" frame="void"

1266

cols="2" cellspacing="0" cellpadding="0">

1267

1268

1269

1270

<p><b>-M | --no-interface-merge</b></p></td>

1271

</table>

1272

1273

<table width="100%" border=0 rules="none" frame="void"

1274

cols="2" cellspacing="0" cellpadding="0">

1275

1276

1277

1278

<p>By default, <b>ntop</b> merges the data collected from

1279

all of the interfaces (NICs) it is monitoring into a single

1280

set of counters.</p>

1281

1282

<p>If you have a simple network, say a small LAN with a

1283

connection to the internet, merging data is good as it gives

1284

you a better picture of the whole network. For larger, more

1285

complex networks, this may not be desirable. You may also

1286

have other reasons for wishing to monitor each interface

1287

separately, for example DMZ vs. LAN traffic.</p>

1288

1289

<p>This option instructs <b>ntop</b> not to merge network

1290

interfaces together. This means that <b>ntop</b> will

1291

collect statistics for each interface and report them

1292

separately.</p>

1293

1294

<p>Only ONE interface may be reported on at a time - use the

1295

<b>Admin | Switch NIC</b> option on the web server to select

1296

which interface to report upon.</p>

1297

1298

<p>Note that activating either the netFlow and/or sFlow

1299

plugins will force the setting of -M. Once enabled, you

1300

cannot go back.</p>

1301

</td>

1302

</table>

1303

1304

<table width="100%" border=0 rules="none" frame="void"

1305

cols="2" cellspacing="0" cellpadding="0">

1306

1307

1308

1309

1310

</table>

1311

1312

<table width="100%" border=0 rules="none" frame="void"

1313

cols="2" cellspacing="0" cellpadding="0">

1314

1315

1316

1317

<p>This options names the file providing the map of WWN to

1318

FCID/VSAN ids.</p>

1319

</td>

1320

</table>

1321

1322

<table width="100%" border=0 rules="none" frame="void"

1323

cols="2" cellspacing="0" cellpadding="0">

1324

1325

1326

1327

<p><b>-O | --output-packet-path</b></p></td>

1328

</table>

1329

1330

<table width="100%" border=0 rules="none" frame="void"

1331

cols="2" cellspacing="0" cellpadding="0">

1332

1333

1334

1335

<p>This parameter defines the base path for the

1336

ntop-suspicious-pkts.XXX.pcap and normal packet dump

1337

files.</p>

1338

1339

<p>If this parameter is not specified, the default value is

1340

the config.h parameter CFG_DBFILE_DIR, which is set during

1341

./configure from the --localstatedir= parameter. If

1342

--localstatedir is not specified, it defaults to the

1343

--prefix value plus /var (e.g. /usr/local/var).</p>

1344

1345

<p>Be aware that this may not be what you expect when

1346

running <b>ntop</b> as a daemon or Windows service. Setting

1347

an explicit and absolute path value is <b>STRONGLY</b>

1348

recommended if you use this facility.</p>

1349

</td>

1350

</table>

1351

1352

<table width="100%" border=0 rules="none" frame="void"

1353

cols="2" cellspacing="0" cellpadding="0">

1354

1355

1356

1357

1358

</table>

1359

1360

<table width="100%" border=0 rules="none" frame="void"

1361

cols="2" cellspacing="0" cellpadding="0">

1362

1363

1364

1365

<p><b>-Q | --spool-file-path</b></p></td>

1366

</table>

1367

1368

<table width="100%" border=0 rules="none" frame="void"

1369

cols="2" cellspacing="0" cellpadding="0">

1370

1371

1372

1373

<p>These parameters specify where <b>ntop</b> stores

1374

database files.</p>

1375

1376

<p>There are two types, ’temporary’ - that is

1377

ones which need not be retained from <b>ntop</b> run to

1378

<b>ntop</b> run, and ’permanent’, which must be

1379

retained (or recreated).</p>

1380

1381

<p>The ’permanent’ databases are the

1382

preferences, "prefsCache.db" and the password

1383

file, "ntop_pw.db". These are stored in the -P |

1384

--db-file-path specified location.</p>

1385

1386

<p>Certain plugins use the -P | --db-file-path specified

1387

location for their database ("LsWatch.db") or (as

1388

a default value) for files (.../rrd/...).</p>

1389

1390

<p>The ’temporary’ databases are the address

1391

queue, "addressQueue.db", the cached DNS

1392

resolutions, "dnsCache.db" and the MAC prefix

1393

(vendor table), "macPrefix.db".</p>

1394

1395

<p>If only -P | --db-file-path is specified, it is used for

1396

both types of databases.</p>

1397

1398

<p>The directories named must allow read/write and file

1399

creation by the <b>ntop</b> user. For security, nobody else

1400

should have even read access to these files.</p>

1401

1402

<p>Note that the default value is the config.h parameter

1403

CFG_DBFILE_DIR. This is set during ./configure from the

1404

--localstatedir= parameter. If --localstatedir is not

1405

specified, it defaults to the --prefix value plus /var (e.g.

1406

/usr/local/var).</p>

1407

1408

<p>This may not be what you expect when running <b>ntop</b>

1409

as a daemon or Windows service.</p>

1410

1411

<p>Note that on versions of <b>ntop</b> prior to 2.3, these

1412

parameters defaulted to "." (the current working

1413

directory, e.g. the value returned by the pwd command) and

1414

caused havoc as it was different when <b>ntop</b> was run

1415

from the command line, vs. run via cron, vs. run from an

1416

initialization script.</p>

1417

1418

<p>Setting an explicit and absolute path value is

1419

<b>STRONGLY</b> recommended.</p>

1420

</td>

1421

</table>

1422

1423

<table width="100%" border=0 rules="none" frame="void"

1424

cols="2" cellspacing="0" cellpadding="0">

1425

1426

1427

1428

<p><b>-U | --mapper</b></p></td>

1429

</table>

1430

1431

<table width="100%" border=0 rules="none" frame="void"

1432

cols="2" cellspacing="0" cellpadding="0">

1433

1434

1435

1436

<p>Specifies the URL of the mapper.pl utility.</p>

1437

1438

<p>If provided, <b>ntop</b> creates a clickable hyperlink on

1439

the ’Info about host xxxxxx’ page to this URL by

1440

appending ?host=xxxxx. Any type of host lookup could be

1441

performed, but this is intended to lookup the geographical

1442

location of the host.</p>

1443

1444

<p>A cgi-based mapper interface to http://www.multimap.com

1445

is part of the <b>ntop</b> distribution [see

1446

www/Perl/mapper.pl]).</p>

1447

</td>

1448

</table>

1449

1450

<table width="100%" border=0 rules="none" frame="void"

1451

cols="2" cellspacing="0" cellpadding="0">

1452

1453

1454

1455

<p><b>-V | --version</b></p></td>

1456

</table>

1457

1458

<table width="100%" border=0 rules="none" frame="void"

1459

cols="2" cellspacing="0" cellpadding="0">

1460

1461

1462

1463

<p>Prints <b>ntop</b> version information and then

1464

exits.</p>

1465

</td>

1466

</table>

1467

1468

<table width="100%" border=0 rules="none" frame="void"

1469

cols="2" cellspacing="0" cellpadding="0">

1470

1471

1472

1473

<p><b>-W | --https-server</b></p></td>

1474

</table>

1475

1476

<table width="100%" border=0 rules="none" frame="void"

1477

cols="2" cellspacing="0" cellpadding="0">

1478

1479

1480

1481

<p>(See the joint documentation with the -w parameter,

1482

above)</p>

1483

</td>

1484

</table>

1485

1486

<table width="100%" border=0 rules="none" frame="void"

1487

cols="2" cellspacing="0" cellpadding="0">

1488

1489

1490

1491

<p><b>--disable-instantsessionpurge</b></p></td>

1492

</table>

1493

1494

<table width="100%" border=0 rules="none" frame="void"

1495

cols="2" cellspacing="0" cellpadding="0">

1496

1497

1498

1499

<p><b>ntop</b> sets completed sessions as ’timed

1500

out’ and then purge them almost instantly, which is

1501

not the behavior you might expect from the discussions about

1502

purge timeouts. This switch makes ntop respect the timeouts

1503

for completed sessions. It is NOT the default because a busy

1504

web server may have 100s or 1000s of completed sessions and

1505

this would significantly increase the amount of memory

1506

1507

</td>

1508

</table>

1509

1510

<table width="100%" border=0 rules="none" frame="void"

1511

cols="2" cellspacing="0" cellpadding="0">

1512

1513

1514

1515

<p><b>--disable-mutexextrainfo</b></p></td>

1516

</table>

1517

1518

<table width="100%" border=0 rules="none" frame="void"

1519

cols="2" cellspacing="0" cellpadding="0">

1520

1521

1522

1523

<p><b>ntop</b> stores extra information about the locks and

1524

unlocks of the protective mutexes it uses. Since <b>ntop</b>

1525

uses fine-grained locking, this information is updated

1526

frequently. On some OSes, the system calls used to collect

1527

this informatio (getpid() and gettimeofday()) are expensive.

1528

This option disables the extra information. It should have

1529

no processing impact on <b>ntop</b> - however should

1530

<b>ntop</b> actually deadlock, we would lose the information

1531

that sometimes tells us why.</p>

1532

</td>

1533

</table>

1534

1535

<table width="100%" border=0 rules="none" frame="void"

1536

cols="2" cellspacing="0" cellpadding="0">

1537

1538

1539

1540

<p><b>--disable-schedyield</b></p></td>

1541

</table>

1542

1543

<table width="100%" border=0 rules="none" frame="void"

1544

cols="2" cellspacing="0" cellpadding="0">

1545

1546

1547

1548

<p><b>ntop</b> uses sched_yield() calls for better

1549

interactive performance. Under some situations, primarily

1550

under RedHat Linux 8.0, this can deadlock, causing the

1551

<b>ntop</b> web server to stop responding, although

1552

<b>ntop</b> appears to still be operational according to the

1553

ps command. Use this switch to disable these calls, IF you

1554

are seeing deadlocks.</p>

1555

</td>

1556

</table>

1557

1558

<table width="100%" border=0 rules="none" frame="void"

1559

cols="2" cellspacing="0" cellpadding="0">

1560

1561

1562

1563

<p><b>--disable-stopcap</b></p></td>

1564

</table>

1565

1566

<table width="100%" border=0 rules="none" frame="void"

1567

cols="2" cellspacing="0" cellpadding="0">

1568

1569

1570

1571

<p>Return <b>ntop</b> to the old (v2.1) behavior on a memory

1572

error. The default of stopcap enabled makes the web

1573

interface available albeit with static content until

1574

<b>ntop</b> is shutdown.</p>

1575

</td>

1576

</table>

1577

1578

<table width="100%" border=0 rules="none" frame="void"

1579

cols="2" cellspacing="0" cellpadding="0">

1580

1581

1582

1583

1584

</table>

1585

1586

<table width="100%" border=0 rules="none" frame="void"

1587

cols="2" cellspacing="0" cellpadding="0">

1588

1589

1590

1591

<p>Display only Fibre Channel statistics.</p>

1592

</td>

1593

</table>

1594

1595

<table width="100%" border=0 rules="none" frame="void"

1596

cols="2" cellspacing="0" cellpadding="0">

1597

1598

1599

1600

<p><b>--instance</b></p></td>

1601

</table>

1602

1603

<table width="100%" border=0 rules="none" frame="void"

1604

cols="2" cellspacing="0" cellpadding="0">

1605

1606

1607

1608

<p>You can run multiple instances of <b>ntop</b>

1609

simultaneously by specifying different -P values (typically

1610

through separate ntop.conf files). If you set a value for

1611

this parameter (available only on the command line), you (1)

1612

display the ’instance’ name on every web page

1613

and (2) alter the log prefix from "NTOP" to your

1614

chosen value.</p>

1615

1616

<p>If you want to make the tag more obvious, create a

1617

.instance class in style.css, e.g.:</p>

1618

1619

<p>.instance { color: #666666; font-size: 18pt; }</p>

1620

1621

<p>Note (UNIX): To run completely different versions of the

1622

<b>ntop</b> binary, you need to compile and install into a

1623

different library (using ./configure --prefix) and then

1624

specify the LD_LIBRARY_PATH before invoking, e.g.</p>

1625

1626

<p>LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop

1627

...args...</p>

1628

1629

<p>If present, a file of the form

1630

<instance>_ntop_logo.gif will be used instead of the

1631

normal ntop_logo.gif. This is tested for ONLY once, at the

1632

beginning of the run. The EXACT word(s) of the --instance

1633

flag are used, without testing if they make a proper file

1634

name. If - for any reason - the file is not found, an

1635

informational message is logged and the normal logo file is

1636

used. To construct your own logo, make it a 300x40

1637

transparent gif.</p>

1638

1639

<p>NOTE: On the web pages, <b>ntop</b> uses the dladdr()

1640

function. The original Solaris routine had a bug, replicated

1641

in FreeBSD (and possibly other places) where it uses the

1642

ARGV[0] value - which might be erroneous - instead of the

1643

actual file name. If the ’running from’ value

1644

looks bogus but the ’libaries in’ value looks

1645

ok, go with the libarary.</p>

1646

</td>

1647

</table>

1648

1649

<table width="100%" border=0 rules="none" frame="void"

1650

cols="2" cellspacing="0" cellpadding="0">

1651

1652

1653

1654

1655

</table>

1656

1657

<table width="100%" border=0 rules="none" frame="void"

1658

cols="2" cellspacing="0" cellpadding="0">

1659

1660

1661

1662

<p>Disable processing & Display of Fibre Channel</p>

1663

</td>

1664

</table>

1665

1666

<table width="100%" border=0 rules="none" frame="void"

1667

cols="2" cellspacing="0" cellpadding="0">

1668

1669

1670

1671

<p><b>--no-invalid-lun</b></p></td>

1672

</table>

1673

1674

<table width="100%" border=0 rules="none" frame="void"

1675

cols="2" cellspacing="0" cellpadding="0">

1676

1677

1678

1679

<p>Don’t display Invalid LUN information.</p>

1680

</td>

1681

</table>

1682

1683

<table width="100%" border=0 rules="none" frame="void"

1684

cols="2" cellspacing="0" cellpadding="0">

1685

1686

1687

1688

1689

</table>

1690

1691

<table width="100%" border=0 rules="none" frame="void"

1692

cols="2" cellspacing="0" cellpadding="0">

1693

1694

1695

1696

1697

</table>

1698

1699

<table width="100%" border=0 rules="none" frame="void"

1700

cols="2" cellspacing="0" cellpadding="0">

1701

1702

1703

1704

<p>P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ -

1705

for specifying personal information a site collects and what

1706

it does with the information. These parameters allow to

1707

return P3P information. We do not supply samples.</p>

1708

</td>

1709

</table>

1710

1711

<table width="100%" border=0 rules="none" frame="void"

1712

cols="2" cellspacing="0" cellpadding="0">

1713

1714

1715

1716

<p><b>--pcap_setnonblock</b></p></td>

1717

</table>

1718

1719

<table width="100%" border=0 rules="none" frame="void"

1720

cols="2" cellspacing="0" cellpadding="0">

1721

1722

1723

1724

<p>On some platforms, the <b>ntop</b> web server will hang

1725

or appear to hang (it actually just responds incredibly

1726

slowly to the first request from a browser session), while

1727

the rest of <b>ntop</b> runs just fine. This is known to be

1728

an issue under FreeBSD 4.x.</p>

1729

1730

<p>This option sets the non-blocking option (assuming

1731

it’s available in the version of libpcap that is

1732

installed).</p>

1733

1734

<p>While this works around the problem (by turing an

1735

interupt driven process into a poll), it also MAY

1736

signifcantly increases the cpu usage of <b>ntop.</b>

1737

Although it does not actually interfere with other work,

1738

seeing <b>ntop</b> use 80-90% or more of the cpu is not

1739

uncommon - don’t say we didn’t warn you.</p>

1740

1741

<p><b>THIS OPTION IS OFFICIALLY UNSUPPORTED</b> and used at

1742

your own risk. Read the docs/FAQ write-up.</p>

1743

</td>

1744

</table>

1745

1746

<table width="100%" border=0 rules="none" frame="void"

1747

cols="2" cellspacing="0" cellpadding="0">

1748

1749

1750

1751

<p><b>--skip-version-check</b></p></td>

1752

</table>

1753

1754

<table width="100%" border=0 rules="none" frame="void"

1755

cols="2" cellspacing="0" cellpadding="0">

1756

1757

1758

1759

<p>By default, <b>ntop</b> accesses a remote file to

1760

periodically check if the most current version is running.

1761

This option disables that check. Please review the privacy

1762

notice at the bottom of this page for more information. By

1763

default, the recheck period is slightly more than 15 days.

1764

This can be adjusted via a constant in globals-defines.h. If

1765

the result of the initial check indicates that the

1766

<b>ntop</b> version is a ’new development’

1767

version (that is newer than the latest published development

1768

version), the recheck is disabled. This is because which

1769

fixes and enhancements were present/absent from the

1770

code.</p>

1771

1772

<p>NOTE: At present, the recheck does not work under

1773

Windows.</p>

1774

</td>

1775

</table>

1776

1777

<table width="100%" border=0 rules="none" frame="void"

1778

cols="2" cellspacing="0" cellpadding="0">

1779

1780

1781

1782

<p><b>--ssl-watchdog</b></p></td>

1783

</table>

1784

1785

<table width="100%" border=0 rules="none" frame="void"

1786

cols="2" cellspacing="0" cellpadding="0">

1787

1788

1789

1790

<p>Enable a watchdog for webserver hangs. These usually

1791

happen when connecting with older browsers. The user gets

1792

nothing back and other users can’t connect.

1793

Internally, packet processing continues but there is no way

1794

to access the data through the web server or shutdown ntop

1795

cleanly. With the watchdog, a timeout occurs after 3

1796

seconds, and processing continues with a log message.

1797

Unfortunately, the user sees nothing - it just looks like a

1798

failed connection. (also available as a ./configure option,

1799

--enable-sslwatchdog)</p>

1800

</td>

1801

</table>

1802

1803

<table width="100%" border=0 rules="none" frame="void"

1804

cols="2" cellspacing="0" cellpadding="0">

1805

1806

1807

1808

1809

</table>

1810

1811

<table width="100%" border=0 rules="none" frame="void"

1812

cols="2" cellspacing="0" cellpadding="0">

1813

1814

1815

1816

<p>By default, <b>ntop</b> generates displayable but not

1817

great html. There are a number of tags we do not generate

1818

because they cause problems with older browsers which are

1819

still commonly used or are important to look good on

1820

real-world browsers. This flag tells <b>ntop</b> to generate

1821

’BETTER’ (but not perfect) w3c compliant html

1822

4.01 output. This in no way addresses all of the

1823

compatibility and markup issues. Over time, we would like to

1824

make <b>ntop</b> more compatible, but it will never be 100%.

1825

If you find any issues, please report them to ntop-dev.</p>

1826

</td>

1827

</table>

1828

1829

<table width="100%" border=0 rules="none" frame="void"

1830

cols="2" cellspacing="0" cellpadding="0">

1831

1832

1833

1834

1835

</table>

1836

1837

<table width="100%" border=0 rules="none" frame="void"

1838

cols="2" cellspacing="0" cellpadding="0">

1839

1840

1841

1842

<p>Use IPv4 connections.</p>

1843

</td>

1844

</table>

1845

1846

<table width="100%" border=0 rules="none" frame="void"

1847

cols="2" cellspacing="0" cellpadding="0">

1848

1849

1850

1851

1852

</table>

1853

1854

<table width="100%" border=0 rules="none" frame="void"

1855

cols="2" cellspacing="0" cellpadding="0">

1856

1857

1858

1859

<p>Use IPv6 connections</p>

1860

</td>

1861

</table>

1862

1863

<h2>WEB VIEWS</h2>

1864

1865

<table width="100%" border=0 rules="none" frame="void"

1866

cols="2" cellspacing="0" cellpadding="0">

1867

1868

1869

1870

<p>While <b>ntop</b> is running, multiple users can access

1871

the traffic information using their web browsers.

1872

<b>ntop</b> does not generate ’fancy’ or

1873

’complex’ html, although it does use frames,

1874

shallowly nested tables and makes some use of JavaScript and

1875

Cascading Style Sheets.</p>

1876

1877

<p>Beginning with release 3.1, the menus are cascading

1878

dropdowns via JSCookMenu. With release 3.2, this extends to

1879

plugins.</p>

1880

1881

<p>We do not expect problems with any current web browser,

1882

but our ability to test with less common ones is very

1883

limited. Testing has included Firefox and Internet Explorer,

1884

with very limited testing on other current common browsers

1885

such as Opera.</p>

1886

1887

<p>In documentation and this man page, when we refer to a

1888

page such as Admin | Switch NIC, we mean the Broad category

1889

"Admin" and the detailed item "Switch

1890

NIC" on that Admin menu.</p>

1891

</td>

1892

</table>

1893

1894

<h2>NOTES</h2>

1895

1896

<table width="100%" border=0 rules="none" frame="void"

1897

cols="2" cellspacing="0" cellpadding="0">

1898

1899

1900

1901

<p><b>ntop</b> requires a number of external tools and

1902

libraries to operate. Certain other tools are optional, but

1903

add to the program’s capabilities.</p>

1904

</td>

1905

</table>

1906

1907

<table width="100%" border=0 rules="none" frame="void"

1908

cols="2" cellspacing="0" cellpadding="0">

1909

1910

1911

1912

<p><b>--webserver-queue</b></p></td>

1913

</table>

1914

1915

<table width="100%" border=0 rules="none" frame="void"

1916

cols="2" cellspacing="0" cellpadding="0">

1917

1918

1919

1920

<p>Specifies the maximum number of web server requests for

1921

the tcp/ip stack to retain in it’s queue awaiting

1922

delivery to the <b>ntop</b> web server. Requests in excess

1923

of this queue may be dropped (allowing for retransmission)

1924

or rejected at the tcp/ip stack level, depending upon the

1925

OS. Whatever happens, happens at the OS level, without any

1926

information being delivered to <b>ntop</b></p>

1927

1928

<p>Required libraries include:</p>

1929

1930

<p><b>libpcap</b> from http://www.tcpdump.org/, version

1931

0.7.2 or newer. 0.8.3 or newer is strongly recommended.</p>

1932

1933

<p>The Windows version makes use of <b>WinPcap</b> (libpcap

1934

for Windows) which may be downloaded from

1935

http://winpcap.polito.it/install/default.htm.</p>

1936

1937

<p>WARNING: The 2.x releases of <b>WinPcap</b> will NOT

1938

support SMP machines.</p>

1939

1940

<p><b>gdbm</b> from

1941

http://www.gnu.org/software/gdbm/gdbm.html</p>

1942

1943

<p><b>ntop</b> requires a POSIX threads library. As of

1944

<b>ntop</b> 3.2, the single-threaded version of <b>ntop</b>

1945

is no longer available.</p>

1946

1947

<p>The <b>gd</b> 2.x library, for the creation of png files,

1948

available at http://www.boutell.com/gd/.</p>

1949

1950

<p>The <b>libpng</b> 1.2.x library, for the creation of png

1951

files, available at

1952

http://www.libpng.org/pub/png/libpng.html.</p>

1953

1954

<p><b>ntop</b> should support both gd 1.X and libpng 1.0.x

1955

libraries but this has not been tested. Note that there are

1956

incompatibilities if you compile with one version of these

1957

libraries and then run with the other. Please read the

1958

discussion in docs/FAQ before reporting ANY problems of this

1959

nature.</p>

1960

1961

<p>(if an https:// server is desired) <b>openSSL</b> from

1962

the OpenSSL project available at http://www.openssl.org.</p>

1963

1964

<p>The <b>rrdtool</b> library is required by the rrd plugin.

1965

rrdtool creates ’Round-Robin databases’ which

1966

are used to store and graph historical data in a format that

1967

permits long duration retention without growing larger over

1968

time. The rrdtool home page is

1969

http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/</p>

1970

1971

<p><b>ntop</b> includes a limited version of rrdtool 1.0.49

1972

in the myrrd/ directory. Users of <b>ntop</b> 3.2 should not

1973

need to specifically install rrdtool.</p>

1974

1975

<p>The <b>sflow</b> Plugin is courtesy of and supported by

1976

InMon Corporation, http://www.inmon.com/sflowTools.htm.</p>

1977

1978

<p>There are other optional libraries. See the output of

1979

./configure for a fuller listing.</p>

1980

1981

<p>Tool locations are current as of August 2005 - please

1982

send email to report new locations or dead links.</p>

1983

</td>

1984

</table>

1985

1986

1987

1988

<table width="100%" border=0 rules="none" frame="void"

1989

cols="2" cellspacing="0" cellpadding="0">

1990

1991

1992

1993

<p><b>top</b>(1), <b>tcpdump</b>(8). <b>pcap</b>(3).</p>

1994

</td>

1995

</table>

1996

1997

<h2>PRIVACY NOTICE</h2>

1998

1999

<table width="100%" border=0 rules="none" frame="void"

2000

cols="2" cellspacing="0" cellpadding="0">

2001

2002

2003

2004

<p>By default at startup and at periodic intervals, the

2005

<b>ntop</b> program will retrieve a file containing current

2006

ntop program version information. Retrieving this file

2007

allows this <b>ntop</b> instance to confirm that it is

2008

running the most current version.</p>

2009

2010

<p>The retrieval is done using standard http:// requests,

2011

which will create log records on the hosting system. These

2012

log records do contain information which identifies a

2013

specific <b>ntop</b> site. Accordingly, you are being

2014

notified that this individually identifiable information is

2015

being transmitted and recorded.</p>

2016

2017

<p>You may request - via the <b>--skip-version-check</b>

2018

run-time option - that this check be eliminated. If you use

2019

this option, no individually identifiable information is

2020

transmitted or recorded, because the entire retrieval and

2021

check is skipped.</p>

2022

2023

<p>We ask you to allow this retrieval and check, because it

2024

benefits both you and the <b>ntop</b> developers. It

2025

benefits you because you will be automatically notified if

2026

the <b>ntop</b> program version is obsolete, becomes

2027

unsupported or is no longer current. It benefits the

2028

developers of <b>ntop</b> because it allows us to determine

2029

the number of active <b>ntop</b> instances, and the

2030

operating system/versions that users are running <b>ntop</b>

2031

under. This allows us to focus development resources on

2032

systems like those our users are using <b>ntop</b> on.</p>

2033

2034

<p>The individually identifiable information is contained in

2035

the web server log records which are automatically created

2036

each time the version file is retrieved. This is a function

2037

of the web server and not of <b>ntop</b> , but we do take

2038

advantage of it. The log record shows the IP address of the

2039

requestor (the <b>ntop</b> instance) and a User-Agent header

2040

field. We place information in the User-Agent header as

2041

follows:</p>

2042

2043

2044

distro/<if one> release/<of the distro, also if

2045

one> kernrlse/<kernel version or release>

2046

GCC/<version> config() <condensed parameters from

2047

./configure> run() <condensed flags - no data - from

2048

the execution line> libpcap/<version>

2049

gdbm/<version> openssl/<version>

2050

zlib/<version> access/<http, https, both or

2051

none> interfaces() <given interface names></p>

2052

2053

<p>For example:</p>

2054

2055

<p>ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat

2056

release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n) run(i;

2057

u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;

2058

usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4

2059

access/http interfaces(eth0,eth1)</p>

2060

2061

<p>Distro and release information is determined at compile

2062

time and consists of information typically found in the

2063

/etc/release (or similar) file. See the <b>ntop</b> tool

2064

linuxrelease for how this is determined.</p>

2065

2066

<p>gcc compiler version (if available) is the internal

2067

version #s for the gcc compiler, e.g. 3.2.3.</p>

2068

2069

<p>kernrlse is the Linux Kernel version or the xBSD

2070

’release’ such as 4.9-RELEASE and is determined

2071

from the uname data (if it’s available).</p>

2072

2073

<p>The ./configure parameters are stripped of directory

2074

paths, leading -s, etc. to create a short form that shows us

2075

what ./configure parameters people are using.</p>

2076

2077

<p>Similarly, the run time parameters are stripped of data

2078

and paths, just showing which flags are being used.</p>

2079

2080

<p>The libpcap, gdbm, openssl and zlib versions come from

2081

the strings returned by the various inquiry functions (if

2082

they’re availabe).</p>

2083

2084

<p>Here’s a sample log record:</p>

2085

2086

<p>67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET

2087

/version.xml HTTP/1.0" 200 1568 www.burtonstrauss.com

2088

"-" "ntop/2.2.98 host/i686-pc-linux-gnu

2089

distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2

2090

config(i18n) run(i; u; P; w; t; logextra; m;

2091

instantsessionpurge; schedyield; d; usesyslog=) libpcap/0.8

2092

gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 access/http

2093

interfaces(eth0,eth1,eth2)" "-"</p>

2094

</td>

2095

</table>

2096

2097

<h2>USER SUPPORT</h2>

2098

2099

<table width="100%" border=0 rules="none" frame="void"

2100

cols="2" cellspacing="0" cellpadding="0">

2101

2102

2103

2104

<p>Please send bug reports to the ntop-dev

2105

<ntop-dev@ntop.org> mailing list. The ntop

2106

<ntop@ntop.org> mailing list is used for discussing

2107

ntop usage issues. In order to post messages on the lists a

2108

(free) subscription is required to limit/avoid spam. Please

2109

do NOT contact the author directly unless this is a personal

2110

question.</p>

2111

2112

<p>Commercial support is available upon request. Please see

2113

the ntop site for further info.</p>

2114

2115

<p>Please send code patches to <patch@ntop.org>.</p>

2116

</td>

2117

</table>

2118

2119

<h2>AUTHOR</h2>

2120

2121

<table width="100%" border=0 rules="none" frame="void"

2122

cols="2" cellspacing="0" cellpadding="0">

2123

2124

2125

2126

<p>ntop’s author is Luca Deri (http://luca.ntop.org/)

2127

who can be reached at <deri@ntop.org>.</p>

2128

</td>

2129

</table>

2130

2131

<h2>LICENCE</h2>

2132

2133

<table width="100%" border=0 rules="none" frame="void"

2134

cols="2" cellspacing="0" cellpadding="0">

2135

2136

2137

2138

<p>ntop is distributed under the GNU GPL licence

2139

(http://www.gnu.org/).</p>

2140

</td>

2141

</table>

2142

2143

<h2>ACKNOWLEDGMENTS</h2>

2144

2145

<table width="100%" border=0 rules="none" frame="void"

2146

cols="2" cellspacing="0" cellpadding="0">

2147

2148

2149

2150

<p>The author acknowledges the Centro Serra of the

2151

University of Pisa, Italy (http://www-serra.unipi.it/) for

2152

hosting the ntop sites (both web and mailing lists), and

2153

Burton Strauss <burton@ntopsupport.com> for his help

2154

and user assistance. Many thanks to Stefano Suin

2155

<stefano@ntop.org> and Rocco Carbone

2156

<rocco@ntop.org> for contributing to the project.</p>

2157

</td>

2158

</table>

2159

<hr>

2160

</body>

2161

</html>

Older »