Configuring ntop
Ntop will run on many operating systems, and while the initial setup will vary, once you have ntop installed, the configuration and usage are primarily via a Web interface, so the data will be presented in a uniform manner regardless of the underlying operating system. The ntop Web site offers multiple versions of the package for download. For Windows, they offer the source files, in which case you must compile them yourself, and they offer a pre-compiled binary distribution. The downside is that they have chosen to limit the precompiled version to capturing only the first 2000 packets, which makes it fairly useless to most people. This limitation does not exist in the Linux versions or the Windows source files.

If compiling the source code is not a task you relish, you can download and install a precompiled version (meaning no 2000-packet capture limit!) of ntop from www.openxtra.co.uk, whose tagline is "network management for all." OPENXTRA Limited has made available precompiled files for many popular packages, including Ethereal, MRTG, Net-SNMP, ntop, Windump, and Nmap. Follow these steps to install and configure the ntop package from OPENXTRA on a Windows host.
- Download the installation file and execute the file.
- Click Next on the welcome screen.
- Accept the license agreement and click Next.
- Enter a user name and organization if desired, choose whether the start menu entries will be made for all users or only the user who is running the Setup Wizard, and then click Next.
- Choose which components to install (the defaults are recommended) and the installation target directory and click Next.
- When the installation is complete, click Finish.
After the installation is finished, you should have a new icon in the system tray called OPENXTRA Commander. Double-click this icon to open the OPENXTRA Commander. If the NTop Service plug-in is not started, click Start in the Action column to start it. Once it is started, click the Launch action for the NTop plug-in, which will open your browser. If all is well, you will already be collecting some impressive data.

If you have more than one network interface card (NIC) in the host, you may need to select the proper NIC. Do this by selecting Admin | Configure | Startup Options in the menu listing at the top of the page. You will notice that some menu entries have a small padlock icon in them; these are the Web pages that require a password to access. The default credentials for the XTRA package are user = admin, password = admin. The top of the page will contain a listing of your network interfaces. You can collect data from more than one interface if desired. If you change the selected interface, you will need to use the OPENXTRA Commander to stop and restart the NTop Service.
The ntop FAQ can be a little hard to find; it's located at www.ntopsupport.com/faq.html. Because ntop is focused only on displaying data in a format that is easy to drill down into, there is very little to configure once you have it working properly. There is a host of information on the various screens. Any of the options under Summary can be useful. The screen at IP | Local | Ports Used, for example, is just one of the many screens full of data that ntop provides; to include screen prints of all the available graphs and tables would require an inordinate number of pages.
Many of the elements on the ntop pages are actually hyperlinked to additional pages so that you can drill down and obtain more and more detailed information. Despite ntop's lack of native support for alarms and other active actions, you can perform several useful functions with a little customization. For example, the OPENXTRA Commander can be used to provide some handy links. By adding an appropriately configured .INI file to \OPENXTRA\Common\Plugins\, you can add entries to the Commander menu. For example, the following contents placed in an INI file would open Notepad.
[APPLICATION]
NAME=Notepad
DESCRIPTION=Launch notepad
ACTIONDESCRIPTION=Start
VERSION=1.0.0
COPYRIGHT=ESS
COMMAND=notepad
COMMANDARG=
If you change the plug-in options, you will need to navigate to View | Plug-ins | Reload Plug-ins before your changes will take effect. There are also a few Perl scripts available in \OPENXTRA\NTopWin32\www\perl\. Any of these can be executed with perl <scriptname> from the command line. Here is a short summary of the provided Perl scripts.
- dumpFlat.pl This returns a flat listing of all the host data in ntop for the current time slice in a Perl-like format, and loops every minute (by default) generating current data. Usage information is discussed further in this section.
- mapper.pl This script will use a host IP address to return a GIF flag of their location. This is what is used to generate the flag labels in various reports within ntop.
- remoteClient.pl This returns a Perl-like listing of all the host data in ntop for the current time slice. Usage information is discussed further in this section.
Being able to pull this raw data opens a host of possibilities. As a simple example, let's suppose you wanted to produce a listing of all the hostnames that ntop currently knew about. dumpFlat.pl is configured by default to loop and dump the output at one-minute intervals. remoteClient.pl is configured for a Perl-like output, which isn't conducive to parsing in a DOS window. Copy remoteClient.pl and rename the copy raw.pl. Edit raw.pl and find the line that says
$URL = "http://".$ntopHost.":".$ntopPort."/dumpData.html?language=perl";
and change it to read
$URL = "http://".$ntopHost.":".$ntopPort."/dumpData.html?language=text";
Now executing perl raw.pl will produce the raw data held in memory by ntop. This output is easily parsable because each host ntop knows about has all of its data on one line, with the fields separated by the | character. The following command parses the output from raw.pl and prints the fourth field (the hostname) to the screen for each line.
FOR /F "tokens=1-4 delims=|" %a in ('perl raw.pl') do @echo %d
You could also use find.exe (perl raw.pl | find "192.168.1.99") to pull out a line of data containing a known hostname or IP address. Once you have the raw data at your disposal you can perform a wide variety of parsing options on it.
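As an added example (not part of the original text or the OPENXTRA package), here is the same parsing done in Python instead of a DOS FOR loop, run on constructed dump lines: the fourth pipe-delimited field is taken as the hostname as described above, and the other fields and all values are invented filler. It also diffs two successive dumps to list hosts that appeared since the last one, a simple new-host check that ntop itself, having no alarms, does not offer.

```python
# Constructed sample of two successive raw.pl dumps taken a minute apart: one host
# per line, fields separated by '|', hostname in the fourth field as described above.
# The remaining fields and all values are invented filler.
DUMP_T0 = """\
192.168.1.10|00:11:22:33:44:55|local|fileserver.example.test|1024|2048
192.168.1.99|00:11:22:33:44:66|local|workstation7.example.test|512|96
"""
DUMP_T1 = """\
192.168.1.10|00:11:22:33:44:55|local|fileserver.example.test|1100|2300
192.168.1.99|00:11:22:33:44:66|local|workstation7.example.test|530|100
192.168.1.250|00:11:22:33:44:77|local|unknown-laptop.example.test|12|3
garbage line without enough fields
"""

def parse_dump(text: str) -> dict[str, list[str]]:
    """Map hostname (fourth '|'-delimited field) -> all fields of that host's line.
    Lines with fewer than four fields are skipped instead of raising."""
    hosts: dict[str, list[str]] = {}
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 4:
            continue
        hosts[fields[3]] = fields
    return hosts

def hostnames(text: str) -> list[str]:
    """Same result as the FOR /F ... @echo %d loop: every hostname in the dump."""
    return sorted(parse_dump(text))

def find_host(text: str, needle: str) -> list[str]:
    """Same result as perl raw.pl | find "needle": whole lines containing the string."""
    return [line for line in text.splitlines() if needle in line]

def new_hosts(previous: str, current: str) -> list[str]:
    """Hostnames in the current dump that were absent from the previous one; run on
    consecutive one-minute dumps this is a simple new-host check."""
    return sorted(set(parse_dump(current)) - set(parse_dump(previous)))

if __name__ == "__main__":
    print(hostnames(DUMP_T1))
    print(find_host(DUMP_T1, "192.168.1.99"))
    print(new_hosts(DUMP_T0, DUMP_T1))
```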
In all likelihood, you will need to alter the list of defined port numbers. This serves two purposes: it gives you greater insight into the applications being used on the network, and it reduces the amount of data that gets lumped into "other." Changes to the port list will affect the output of all screens under the IP menu option. To create your own custom port definitions, follow these steps.
- Create an application port list file in the \OPENXTRA\NTopWin32\etc\ directory, such as portlist.txt.
- Enter the applications you wish to be displayed in the portlist.txt file. The following list can be placed in portlist.txt. The format is <name as it will appear in ntop>=<port number, port name as defined by the OS, or port range>, with multiple values for one name separated by |. The first three sections are what ntop will use if no portlist file is specified.
## Default ntop portlist ##
FTP=ftp|ftp-data
HTTP=http|www|https|3128
DNS=name|domain
Telnet=telnet|login
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
X11=6000-6010
SSH=22
## Default ntop Peer-to-Peer portlist ##
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
## Dummy port as this is a pure P2P protocol ##
DirectConnect=0
eDonkey=4661-4665
## Default ntop Instant Messenger ports ##
Messenger=1863|5000|5001|5190-5193
## Extra ports ##
Syslog=514
PCAnywhere=5631
SQL=1433
- After you have your portlist file created, navigate to Admin | Configure | Startup Options.
- Select the IP Preferences hyperlink.
- In the field TCP/UDP Protocols To Monitor, specify the full path to the portlist.txt file.
- Stop and restart the ntop process for the changes to take effect.
TIP The Web page will display the application names in the same order as they are defined in the portlist.txt file. This means you should list the port definitions you want to see first earlier in the portlist file to keep from having to scroll the Web page to see them.
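An added example, not from the book or from ntop itself: a Python checker for a portlist file in the format shown above. It expands port numbers, OS service names and ranges into port sets, treats 0 as ntop's dummy port, and reports ports claimed by more than one application, which matters because ntop displays applications in file order. Service names are looked up with socket.getservbyname against the OS services database, so a name the OS does not define is reported rather than guessed; the sample portlist is constructed.

```python
import socket

# Constructed sample in the portlist.txt syntax described above (name=port|servicename|lo-hi).
SAMPLE_PORTLIST = """\
## Example portlist ##
HTTP=http|www|https|3128
X11=6000-6010
DirectConnect=0
Proxy=3128
"""

def resolve_token(token: str, unresolved: list[str]) -> set[int]:
    """One token -> port numbers; 0 (ntop's dummy port) gives none, unknown names are recorded."""
    if token.count("-") == 1 and token.replace("-", "").isdigit():
        lo, hi = (int(x) for x in token.split("-"))
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port range: {token}")
        return set(range(lo, hi + 1))
    if token.isdigit():
        return {int(token)} if 0 < int(token) <= 65535 else set()
    try:
        return {socket.getservbyname(token)}  # port name as defined by the OS services file
    except OSError:
        unresolved.append(token)
        return set()

def parse_portlist(text: str) -> tuple[dict[str, set[int]], list[str]]:
    """Return {application: ports} in file order plus the service names that did not resolve."""
    apps: dict[str, set[int]] = {}
    unresolved: list[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment, as in the listing above
        if not line:
            continue
        name, sep, spec = line.partition("=")
        if not sep or not name.strip():
            raise ValueError(f"expected name=ports, got: {raw!r}")
        apps[name.strip()] = set().union(*(resolve_token(t.strip(), unresolved) for t in spec.split("|")))
    return apps, unresolved

def find_overlaps(apps: dict[str, set[int]]) -> list[tuple[int, str, str]]:
    """(port, first application, later application) for every port claimed twice."""
    owner: dict[int, str] = {}
    overlaps: list[tuple[int, str, str]] = []
    for name, ports in apps.items():
        for port in sorted(ports):
            if port in owner:
                overlaps.append((port, owner[port], name))
            owner.setdefault(port, name)
    return overlaps
```

Because the first application to claim a port is the one ntop shows it under, an overlap like the constructed HTTP/Proxy one means the later entry never appears in the page's counts.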
You can restrict additional ntop pages. If you want a person to have to supply the user name and password to view any ntop pages, you can configure this by navigating to Admin | Configure | Protect URLs. Click Add URL at the bottom and then click the Add URL button without filling anything into the field. This will password protect all ntop pages.
Ntop stores all of its active data in RAM, so if the system is reset, you lose all your data. There is a mechanism to store the data to disk. Be forewarned that logging all the data to disk can consume a large amount of disk space, so it will require careful monitoring. Ntop stores the data in RRD files (round-robin database). You can configure the RRD plug-in by navigating to Plugins | Round-Robin Databases | Describe. The active column should say Yes; if it says No, click No to toggle it to active. To help you decide which reporting tools to focus your energies on.