ntop man page on IRIX


NTOP(8)							  NTOP(8)

NAME
       ntop - display top network users

SYNOPSIS
       ntop [-c] [-E] [-r refresh time] [-R filter rules] [-f
       traffic dump file] [-n] [-N] [-M] [-q] [-p TCP/UDP
       protocols to monitor] [-i interface] [-e num rows] [-w HTTP
       IP:port] [-W HTTPS IP:port] [-d] [-Svalue] [-P dbpath] [-m
       local subnet] [-a access log file path] [-b client:port DB
       client] [-g client:port NetFlow Collector] [-t trace
       level] [-A accuracy level] [-u user name] [-l dump file
       name] [-U mapper.pl URL] [-F flow filter expression] [-k]
       [-K] [-L] [filter expression]

DESCRIPTION
       ntop shows the current network usage. It displays a list
       of hosts that are currently using the network and reports
       information concerning the (IP and non-IP) traffic
       generated by each host. ntop can be started either in a
       terminal window (see intop) or in web mode. In the latter
       case, a web browser is needed to use the program.

COMMAND-LINE OPTIONS
       -c
	By default idle hosts are periodically purged from memory.
	Use this flag to prevent idle hosts from being purged from
	memory. NOTE: if idle hosts are kept in memory you can
	experience severe memory usage.

       -E
	By default ntop does not take advantage of lsof/nmap even
	if present. Use this flag if you want to make ntop aware of
	such tools (if present).

       -R
	Specifies the filter rules used by ntop for emitting
	alerts and warnings when the traffic matches the
	specified rules. Should you need further details about
	filter rules, please refer to the ntop-rules(8) man page.

       -r
	Specifies the delay (in seconds) between screen updates
	(the default is 3 seconds). If the -l flag is used, it
	specifies how often entries are logged in the log file.
	Please note that if the delay is very short (1 second for
	instance), ntop might not be able to process all the
	network traffic.

       -f
	Specifies the file containing tcpdump captured traffic
	that has to be used by ntop. Note: if you specify -f ntop
	will not capture any traffic after the file has been
	read. This option is mostly used for debug purposes.

       -N
	Forces ntop not to use nmap (if it is installed).

       -M
	Forces ntop not to merge network interfaces together.
	This means that ntop will collect statistics for each
	interface and will not merge data together.

       -q
	Forces ntop to create a file ntop-suspicious-pkts.XXX.pcap
	(XXX is the interface name) for each network interface, in
	which suspicious packets are stored. The file is in pcap
	format (tcpdump).

       -n
	This causes ntop to show numeric IP addresses instead of
	the symbolic names. This option can be useful when the DNS
	is not present or quite slow. You can toggle the address
	format (numeric vs. symbolic) by pressing the n key while
	ntop is running.

       -p
	It is used to specify the TCP/UDP protocols that ntop
	will monitor. The format is <label>=<protocol list>
	[,<label>=<protocol list>], where label is used to
	symbolically identify the <protocol list>. The format of
	<protocol list> is <protocol>[|<protocol>], where
	<protocol> is either a valid protocol specified inside the
	/etc/services file or a numeric port range (e.g. 80, or
	6000-6500). If the -p flag is omitted the following
	default value is used:
	"FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,
	Telnet=telnet|login,
	NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,
	Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,
	NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,
	X11=6000-6010,SSH=ssh".
	If the <protocol list> is very long you may store the
	value of the <protocol list> in a file (for instance
	protocol.list) and specify the file name instead of the
	<protocol list> (in the above example you would invoke
	'ntop -p protocol.list').
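
	A parser for the -p value format described above, applied to
	the default value quoted in this page. This is an added Python
	example, not part of the ntop distribution; the function names
	and the tolerance for spaces around items are assumptions, and
	service names are kept as names rather than looked up in
	/etc/services.

```python
import re

# Default -p value as quoted in the option description above.
DEFAULT_SPEC = (
    "FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,"
    "Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,"
    "Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,"
    "NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,"
    "X11=6000-6010,SSH=ssh"
)

_PORTS = re.compile(r"^(\d+)(?:-(\d+))?$")  # "80" or "6000-6500"

def parse_protocol_spec(spec):
    """Return {label: [entry, ...]} where an entry is a service name (str)
    or an inclusive (low, high) port tuple."""
    parsed = {}
    for group in spec.split(","):
        label, sep, plist = group.partition("=")
        label = label.strip()
        if not sep or not label:
            raise ValueError(f"expected <label>=<protocol list>: {group!r}")
        entries = []
        for item in plist.split("|"):
            item = item.strip()  # tolerance for spaces is an assumption
            if not item:
                raise ValueError(f"empty protocol in group {label!r}")
            match = _PORTS.match(item)
            if match is None:
                entries.append(item)  # a name to be found in /etc/services
                continue
            low = int(match.group(1))
            high = int(match.group(2) or low)
            if not 1 <= low <= high <= 65535:
                raise ValueError(f"bad port range {item!r} in {label!r}")
            entries.append((low, high))
        parsed[label] = entries
    return parsed

def labels_for_port(parsed, port):
    """Labels whose numeric entries cover `port` (names are not resolved)."""
    return [label for label, entries in parsed.items()
            if any(isinstance(e, tuple) and e[0] <= port <= e[1]
                   for e in entries)]

if __name__ == "__main__":
    for label, entries in parse_protocol_spec(DEFAULT_SPEC).items():
        print(label, entries)
```

	Running the parser over a protocol.list file before handing it
	to ntop shows which ports each label will actually count.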

       -i
	Specifies the network interface used by ntop. If multiple
	interfaces are used (this feature is available only if
	ntop is compiled with thread support) they have to be
	separated with a comma. For instance -i "eth0,lo". Traffic
	information obtained by all the interfaces is merged
	together as if the traffic had been produced by one
	interface. Use the -M flag to avoid merging traffic.

       -e
	Is the maximum number of HTML table rows that ntop will
	display.

       -w
	ntop sports an embedded web server so that users can
	attach their web browsers to the specified port and
	browse traffic information remotely. Supposing ntop is
	started at port 3000 (default port), the URL to access
	is http://hostname:3000/. Users and URLs to protect with
	passwords are stored in a database file. By default
	user/URL administration is accessible only to the user
	admin with password admin. Passwords are stored in an
	encrypted form in the database for further security.
	Please note that a separate HTTP server is NOT needed, as
	one is embedded in the application. If -w is set to 0 the
	HTTP port will not be enabled ('-w 0' is accepted only if
	ntop has been compiled with HTTPS support and ntop has not
	been started with '-W 0' [see below]). You can also use
	the IP:Port notation to bind ntop to the specified IP
	address, e.g. -w 127.0.0.1:3000

       -W
	If ntop has been compiled with HTTPS support (via
	OpenSSL), this flag can be used to set the HTTPS port
	(default 3001). If the user specifies '-W 0', HTTPS
	support is disabled. Some examples:
	1. ntop -w 80 -W 443 (both HTTP and HTTPS have been
	   enabled at their default ports)
	2. ntop -w 0 -W 443 (HTTP disabled, HTTPS enabled at the
	   default port).
	You can also use the IP:Port notation to bind ntop to the
	specified IP address, e.g. -w 127.0.0.1:3001

       -d
	This flag causes ntop to become a daemon, i.e. it is
	started in background and detached from the terminal.

       -S
	Use this flag to tell ntop to save information about
	host traffic on shutdown. Valid values are: 0 = don't
	store hosts, 1 = store all hosts, 2 = store only local
	hosts. This flag allows ntop not to lose traffic stats
	across multiple ntop sessions. Please note that
	information about TCP sessions is (obviously) lost.

       -P
	This allows you to specify where db-files are searched for
	or created (default "."). In addition DBPATH/html is added
	to the search list for the web files.

       -m
	This flag allows users to specify the subnets whose
	traffic is considered local. The format is <network
	address>/<# subnet mask bits>[,<network address>/<#
	subnet mask bits>]. For instance
	"131.114.21.0/24,10.0.0.0/255.0.0.0".

       -a
	By default ntop logs HTTP accesses in the file
	ntop.access.log in the current directory. Use this flag
	to specify the path of the file where HTTP accesses will
	be logged. Each log entry is in Apache-like style. The
	only difference between Apache and ntop is that ntop
	adds a new column. This column contains the time (in
	milliseconds) that ntop needed in order to serve the
	request.

       -b
	Exports ntop traffic information into a SQL database. The
	flag specifies (in http-like host format) the address
	(IP:port) of a SQL client. The database/ directory part
	of ntop contains a few clients. Please use one of those.

       -g
	Exports ntop traffic information in Cisco NetFlow V5
	(http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm)
	format. The flag specifies (in http-like host format) the
	address (IP:port) of a NetFlow client such as
	ftp://ftp.net.ohio-state.edu/users/maf/cisco/.

       -u
	Specifies the user ntop should run as after it
	initializes. The value specified may be either a username
	or a numeric user id. The group id used will be the
	primary group of the user specified.
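
	A check of an ntop argument list against the -w, -W and -u
	descriptions above, as an added Python example that is not
	part of ntop. The finding codes are invented for the example,
	and a listener given without an IP is assumed to accept
	connections on every address.

```python
import getopt
import ipaddress

# Option letters from the SYNOPSIS; ":" marks options that take a value.
SHORTOPTS = "cEr:R:f:nNMqp:i:e:w:W:dS:P:m:a:b:g:t:A:u:l:U:F:kKL"

# Finding codes and wording are this example's own, not ntop output.
MESSAGES = {
    "HTTP_ENABLED": "cleartext HTTP is on; '-w 0' leaves only HTTPS (-W)",
    "HTTP_NOT_LOOPBACK": "HTTP listener is not bound to a loopback address",
    "HTTPS_NOT_LOOPBACK": "HTTPS reachable off-host; change admin/admin",
    "NO_PRIV_DROP": "no -u: ntop keeps the user it was started as",
    "RUNS_AS_ROOT": "-u names root, so no privileges are dropped",
}

def _listener(value, default_port):
    """Split a -w/-W value ('port' or 'IP:port') into (ip or None, port)."""
    if value is None:
        return None, default_port
    ip, sep, port = value.rpartition(":")
    return (ip if sep else None), int(port)

def _off_host(ip):
    """True unless explicitly bound to loopback (no IP is assumed to mean all)."""
    return ip is None or not ipaddress.ip_address(ip).is_loopback

def audit_ntop_args(argv):
    """Return finding codes for an ntop argument list (program name excluded)."""
    opts, _filter_expression = getopt.getopt(argv, SHORTOPTS)
    given = dict(opts)
    codes = []
    http_ip, http_port = _listener(given.get("-w"), 3000)  # default per -w
    if http_port != 0:
        codes.append("HTTP_ENABLED")
        if _off_host(http_ip):
            codes.append("HTTP_NOT_LOOPBACK")
    if "-W" in given:  # HTTPS exists only in builds with OpenSSL support
        https_ip, https_port = _listener(given["-W"], 3001)
        if https_port != 0 and _off_host(https_ip):
            codes.append("HTTPS_NOT_LOOPBACK")
    user = given.get("-u")
    if user is None:
        codes.append("NO_PRIV_DROP")
    elif user in ("root", "0"):
        codes.append("RUNS_AS_ROOT")
    return codes

if __name__ == "__main__":
    for code in audit_ntop_args(["-d", "-i", "eth0", "-w", "3000"]):
        print(code, "-", MESSAGES[code])
```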

       -l
	Dumps the network traffic captured by ntop in a file in
	pcap format (useful for debug).

       -U
	It specifies the URL of the mapper.pl utility (part of
	the ntop distribution, see www/Perl/mapper.pl) for
	displaying host location.

       -t
	This flag specifies the level of ntop tracing on stdout.
	The trace level ranges between 0 (no trace) and 5 (full
	debug tracing). The default trace value is 3. The higher
	the trace level, the more information is printed.
	Trace level 1 is used to print errors only, level 2 for
	both warnings and errors, and so on.

       -A
	This flag specifies the level of ntop's traffic analysis
	accuracy. Level 2 (high accuracy) is full accuracy. Level
	1 (medium accuracy): ntop filters out non-local traffic
	and disables protocol decoding. Level 0 (low accuracy):
	ntop acts as level 1 and also disables TCP session
	handling. This flag has to be used when the network is
	overloaded and ntop can't keep up with the current traffic.

       -F
	It is used to specify network flows similar to more
	powerful applications such as NeTraMet. A flow is a stream
	of captured packets that match a specified rule. The
	format is <flow-label>='<matching expression>'
	[,<flow-label>='<matching expression>'], where the label
	is used to symbolically identify the flow specified by the
	expression. The expression format is specified in the
	appendix. If an expression is specified, then the
	information concerning flows can be accessed by following
	the HTML link named 'List NetFlows'. For instance, suppose
	you define two flows with the following expression:
	"LucaHosts='host jake.unipi.it or host pisanino.unipi.it',
	GatewayRoutedPkts='gateway gateway.unipi.it'".
	All the traffic sent/received by hosts jake.unipi.it or
	pisanino.unipi.it is collected by ntop and added to the
	LucaHosts flow, whereas all the packets routed by the
	gateway gateway.unipi.it are added to the
	GatewayRoutedPkts flow. If the flows list is very long
	you may store the list of flows in a file (for instance
	flows.list) and specify the file name instead of the
	flows list (in the above example you would invoke
	'ntop -F flows.list').

       -k
	When this flag is used, the current filter expression is
	printed in an extra frame and thus always visible.

       -K
	Use this flag to ease application debugging (e.g. fork()
	is not used, etc.)

       -L
	Use this flag to log to syslog instead of stdout.
	Please note that if ntop (ever) forks a child, in any
	case the syslog will be used for this child.

       filter expression
	ntop, similar to what tcpdump does, allows users to
	specify an expression that restricts the type of traffic
	handled by ntop, hence to select only the traffic of
	interest. For instance, suppose you are interested only in
	the traffic generated/received by the host jake.unipi.it.
	ntop can then be started with the following filter: 'ntop
	src host jake.unipi.it or dst host jake.unipi.it'. See
	the tcpdump man page for further information about this
	topic.

WEB VIEWS
       While ntop is running, multiple users can access the
       traffic information using conventional web browsers. The
       main HTML page is divided into two frames. The left frame
       allows users to select the traffic view that will be
       displayed in the right frame. Available sections are: sort
       traffic by data sent, sort traffic by data received,
       traffic statistics, active hosts list, remote to local
       (i.e. inside the subnet defined for the network board from
       which the program is currently sniffing) IP traffic, local
       to remote IP traffic, local to local IP traffic, list of
       active TCP sessions, IP protocol distribution statistics,
       IP protocol usage, IP traffic matrix.
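
       How a -m value decides which of the local/remote views above a
       packet falls into, as an added Python example that is not ntop
       code. The function names, the rejection of networks with host
       bits set, and the "remote to remote" label are assumptions of
       the example.

```python
import ipaddress

def parse_local_subnets(spec):
    """Parse a -m value: comma-separated <network>/<bits> or
    <network>/<dotted netmask> items, as in the -m description."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if "/" not in item:
            raise ValueError(f"missing subnet mask in {item!r}")
        # strict=True rejects host bits set below the mask, which usually
        # means a typo (this strictness is the example's choice, not
        # documented ntop behaviour).
        nets.append(ipaddress.IPv4Network(item, strict=True))
    return nets

def is_local(addr, nets):
    """True when addr belongs to any subnet declared local with -m."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in nets)

def traffic_view(src, dst, nets):
    """Name the WEB VIEWS traffic category for one packet's endpoints."""
    src_local, dst_local = is_local(src, nets), is_local(dst, nets)
    if src_local and dst_local:
        return "local to local"
    if src_local:
        return "local to remote"
    if dst_local:
        return "remote to local"
    return "remote to remote"  # not one of the views listed on this page

if __name__ == "__main__":
    # The -m value given as the example in this man page.
    nets = parse_local_subnets("131.114.21.0/24,10.0.0.0/255.0.0.0")
    # Constructed sample endpoints (192.0.2.7 is a documentation address).
    for src, dst in [("10.1.2.3", "131.114.21.9"),
                     ("131.114.21.9", "192.0.2.7"),
                     ("192.0.2.7", "10.0.0.1")]:
        print(src, "->", dst, ":", traffic_view(src, dst, nets))
```

       A subnet left out of -m moves its hosts from the local views to
       the remote ones, so the value is worth checking whenever the
       monitored address plan changes.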

NOTES
       ntop is based on the libpcap library that can be found at
       http://www.tcpdump.org/. The Win32 version makes use of
       libpcap for Win32 that can be downloaded from
       http://www.netgroup.polito.it/WinPcap/install/.

SEE ALSO
       intop(1), ntop-rules(8), top(1), ngrep(8), tcpdump(8),
       netramet
       (http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html).

AUTHOR
       Please send bug reports to the ntop mailing list
       <ntop@ntop.org>. ntop's author is Luca Deri, who can be
       reached at deri@ntop.org.

			  December 2001			  NTOP(8)