INTOP(1)INTOP(1)NAMEintop - A (tiny) network-browser program based on the NTOP
Packet Sniffer and the LBNL libpcap.
SYNOPSISintop [-h]
intop [-i interface] [[-i interface]] [filter expression]
COMMAND LINE OPTIONS-i
Specifies the network interface used by intop If multiple
interfaces are used then the -i flag has to be repeated
for each interface. For instance '-i eth0 -i lo'.
intop can then be started with a BPF filter (for instance
'intop src host jake.unipi.it or dst host
jake.unipi.it'). See the tcpdump man page for further
information about this topic.
DESCRIPTIONintop provides a powerful and flexible interface to the
ntop packet sniffer. Since ntop has grown so much in func
tionality and it cannot be simply considered a network-
brower, the problem of capturing and showing network usage
has been splitted. As of version 1.3 the NTOP engine cap
tures packets, performs traffic analysis and information
storage.
intop implements a bare, command line based interface,
with an apparently spartan look and feel, but a lot of
functionality already implemented, and others planned for
future releases.
Current functionaly include:
full dynamic network behaviour
You can, for example, open a network interface,
then start looking a packets, play with traffic,
hosts and network usage or look at per-host infor
mation. Then you can suspend the packet sniffer for
the given network interface and go to have a coffe.
When you have finished and you're back at your key
board, a simple command is sufficient to restart
again the process of packet capturing.
multi-interface support
You can simultaneosly activate different packet
capturing activities on different network inter
faces, and have a look at each of them separately.
INTRODUCTION TO THE COMMAND SHELL
Once you started the program, a shell is promted where you
type commands to the program's shell. Usually you will
want to open a network interface and start looking at net
work packets.
To open a network interface on your system, you must use
the program's open command:
open -i <interface name>
where <interface name> is a network device suitable for
packet capturing.
You should now see the command prompt change to reflect
the name of the current network interface. If you are in
trouble with network names available for your system, you
can always have the list of all avaialable network inter
face on your system with the lsdev command.
After the open command completes successfully, you have a
network interface open for doing the job of packet captur
ing though the process of capturing is not really started
until the sniff command has been issued.
USABILITY
intop uses the GNU Readline library for history and com
mand line completion.
Because intop has been designed and implemented with
emphasis to usability, you can start playing at intop by
typing the sniff command and using the '-i' flag to spec
ify a network interface. The program has an internal con
cept of the status of the interface, so is is able to
decide wich operations should be done to satisfy user com
mand. In the latter case the network interface is first
opened and then enabled for packet sniffing.
intop claims to offer to the user a common interface,
which is independent from the specific command. So, for
example each command has its own help usage string (you
can display it using the '-h' flag) and support command
line arguments passed via arguments, in the same way most
Unix commands do.
Morevover, to avoid typing and increase usability, each
command acts on the latest referenced network interface,
unless the -i flag is used.
COMMAND REFERENCE
help The first command to know is help. If you just
type
help
from the command shell, the program prints the
names of all of the supported commands. From
there, you can get specific help for a command by
typing the command after, for example:
help open
prints information about the open command.
? This is an alias for the help command.
arp Tells the ntop ARP cache and displays hosts infor
mation according to user's filter.
close Close a network interface.
exit This is an alias for the quit command.
filter Get/Set the BPF filter associated to a network
interface.
history
Shows the history.
hosts Tells the ntop HOST cache and displays hosts infor
mation according to user's filter.
info Displays detailed information about the actual
state of a network interface.
lsdev Displays the list of network interfaces on your
system available for using with the program.
nbt Tells the ntop (NetBios over TCP/IP) cache and dis
plays hosts information according to user's filter.
open Opens a network interface to look at packets on the
given network interface.
prompt On terminals supporting ANSI colors, it changes the
color of the prompt.
quit Terminates the program.
sniff Starts enabling packet capture on the given network
interface.
swap Swaps the latest two referenced network interfaces
(if any). Useful if you have more than one active
interface and want to change your point of view.
top Shows network usage, similar to what the popular
top Unix command does. See the next section for a
list of interactive commands you have while running
in .
uptime Tells how long the program has been running and
general information about all enabled network
interfaces.
INTERACTIVE COMMANDS
While intop is running interactively, the information
shown can be manipulated by pressing the following keys.
q
This causes intop to quit.
n
This causes intop to toggle the IP address format
(numeric vs. symbolic vs. MAC Address vs. Nw Board Manu
facturer).
p
This causes intop to toggle the traffic format (percent
age vs. absolute vs. throughput).
l
This causes intop to toggle the host list content (local
vs. remote hosts).
d
This causes intop to toggle the host list content (idle
vs. active hosts).
t
This causes intop to sort hosts according to the data
received or sent.
y
This causes intop to sort traffic according to the vari
ous protocols being displayed in the current screen.
<space>
This causes intop to show further traffic information.
Each time the space bar is pressed the last three
intop columns are toggled. Please note that these columns
represent either the traffic sent or received, according
to the the way the list is sorted (see previous command).
FIELD DESCRIPTIONS (Interactive mode)intop displays a variety of information about the network
traffic.
traffic/throughput
This line displays general information about the network
traffic: the number of packets that have been seen, the
total traffic (IP or non IP), the actual and the max
observed throughput. Please note that if a filter expres
sion is used, these values are relatives only to the
traffic that satisfies the filter expression.
Host
This column contains the host name in either symbolic or
numeric format.
Act
This column contains further information about the host
activity since the last screen update. The value 'B'
(both) indicates that the host has both sent and received
data, 'R' (receive) that the host has received but not
sent data, 'S' (sent) that the host has sent but not
received data, 'I' (idle) that the host has been idle (no
data sent or received).
Rcvd
This column contains the traffic received by the host
either in absolute or percentage format. If the host list
is sorted according this field, then the column label
becomes -Rcvd-.
Sent
This column contains the traffic sent by the host either
in absolute or percentage format. If the host list is
sorted according this field, then the column label
becomes -Sent-.
<protocol>
The last three columns contain further information con
cerning the IP protocols. Data represented in these
columns change according to the traffic type (either sent
or received). The 'y' key allows users to interactively
change the sort order of these columns, whereas the space
bar toggles the protocol list.
NOTESintop is based on the ntop engine and the libpcap library
that can be found at ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
SEE ALSOtop(1), ngrep(8), tcpdump(8).
AUTHOR
Please send bug reports to the ntop mailing list
<ntop@ntop.org>. intop's authors are Luca Deri
<deri@ntop.org> and Rocco Carbone <rocco@ntop.org>
NTOP User's Manual May 2000 INTOP(1)
