SMC CS 78 - ntop – network top


© David Morgan 2003

ntop – network top
David Morgan

What/where to download?
- no RedHat rpm?
- both lead to sourceforge

What to download?
- do we need this too?

Give these a shot

Not built for stock RH
- wants glibc 2.3.2, RH came with 2.2.93
- options:
  1) update environment to match rpms (i.e., replace glibc 2.2.93 with 2.3.2)
  2) abandon rpms in favor of compilation-from-source to match the existing glibc
- yes, we need rrdtool

So instead try…
- one of these
- and this

Which tar file to use?
Posted By: bstrauss3
Date: 2003-07-04 06:46
Summary: ntop 2.2.x vs 2.2c

ntop 2.2.n (n is a number) are the development version, presently available only through the cvs.
ntop 2.2x (x is a letter) are released which continue the evolution of the 2.2 base.
2.2a and 2.2b were unique to the Win32 environment.
2.2c includes a number of critical fixes including a lot of backported fixes from 2.2.2/2.2.3.
Most importantly, it should now run under glibc 2.3.x, such as updated installations of RedHat 8 and RedHat 9.

OK, let’s try ntop-2.2c.tgz

rrd – what is it?
RRDtool refers to Round Robin Database tool. Round robin is a technique that works with a fixed amount of data, and a pointer to the current element. Think of a circle with some dots plotted on the edge, these dots are the places where data can be stored. Draw an arrow from the center of the circle to one of the dots, this is the pointer. When the current data is read or written, the pointer moves to the next element. As we are on a circle there is no beginning nor an end, you can go on and on. After a while, all the available places will be used and the process automatically reuses old locations. This way, the database will not grow in size and therefore requires no maintenance. RRDtool works with Round Robin Databases (RRDs). It stores and retrieves data from them.
from “rrdtutorial” man page

rrd – why would we need it?
RRDtool originated from MRTG (Multi Router Traffic Grapher).... RRDtool lets you create a database, store data in it, retrieve that data and create graphs in GIF format for display on a web browser. Those GIF images are dependent on the data you collected and could be, for instance, an overview of the average network usage, or the peaks that occurred.... You need a sensor to measure the data and be able to feed the numbers to RRDtool.
from “rrdtutorial” man page

rrd – do we need it?
- no, it’s an optional plug-in to ntop
- but ntop rpm install attempt indicated dependency on rrd!
- dependency is that of the rpm, not ntop itself
- you can compile ntop from source with or without using rrd

tar -xzvf ntop-2.2c.tgz.gz
Extracted tree, as shown on the slide:
    gdchart0.94c
    ntop
    ntop
    BUILD-NTOP.txt
    README
    INSTALL
    FAQ
    1STRUN.txt
    docs.
- per BUILD-NTOP.txt, build gdchart first then ntop
- choose makefile.linux for your Makefile when building gdchart

1strun, for some preliminaries
The 1st time ntop is run, ntop will prompt the user for the admin password and create a new password database file. The most efficient way to do this is to manually run ntop with a limited command line, let it create the file and then shut down. After the 1st run, ntop will operate without this intervention, unless the password database ntop_pw.db can not be found, which is treated as a 1st time run. Remember - you must create a user for ntop to run. This userid should have only minimal privileges, but it needs to be able to read/write in the directory where the ntop databases are stored. ntop is customary, but it can be anything....
from ntop/ntop/docs/1strun.txt

1strun
    useradd ntop
    passwd ntop
    su ntop
    cd
    ntop -P /home/ntop/ntop -u ntop -A

Command-line options used:
- -P /home/ntop/ntop: where database files are created
- -u ntop: user as whom ntop will run
- -A: prompt for and record admin password

resulting in some database files in my specified directory:
    [root@EMACH1 root]# ls -l /home/ntop/ntop/
    total 76
    -rw-r--r-- 1 root root 12288 Aug 16 12:48 addressQueue.db
    -rw-r--r-- 1 root root 12288 Aug 16 12:48 dnsCache.db
    -rw-r--r-- 1 root root 12288 Aug 16 12:48 hostsInfo.db
    -rw-r--r-- 1 root root 12288 Aug 16 12:48 macPrefix.db
    -rw-r--r-- 1 root root 12309 Aug 16 12:49 ntop_pw.db
    -rw-r--r-- 1 root root 12288 Aug 16 12:48 prefsCache.db

running it for real (2nd run)
- ntop is an http server
- listens on port 3000 by default
- launch as: ntop -P /home/ntop/ntop &
- view via browser as: http://<address>:3000
- on local machine use interface address not 127.0.0.1

n(etwork)top vs top
- top is a realtime process monitor
  - displays per-process activity info
  - sorts processes by “top” usage
- ntop is a realtime network monitor
  - displays per-host activity info
  - …and a lot more

the top command

ntop vs ethereal/tcpdump
- ethereal: individual packet content
- ntop: aggregate packet statistics

ntop scope of view
- seeks to be “network wide”
- but is a point (single-interface) monitor
- reflects the traffic of whatever realm arrives at the collection point

Welcome screen
- main menu

total/recv/sent menu options
- All protocols
- TCP/UDP
- Throughput
- Host activity

total/all protocols

total/TCP-UDP

total/throughput

total/host activity

stats/traffic menu option reports
- Global Traffic Statistics
- Global Protocol Distribution
- Global TCP/UDP Protocol Distribution
- TCP/UDP Traffic Port Distribution: Last Minute View

stats/traffic – “cast” types

stats/traffic – packet sizes

stats/traffic – IP-nonIP volumes

stats/traffic – packet lifetimes

stats/traffic – Remote Hosts Distance

stats/traffic – protocol distribution

stats/traffic – tcp subprotocol distribution

stats/traffic – tcp last minute port usage

stats/hosts

stats/hosts – individual host info

stats/hosts - network load

IP Traffic menu options
- remote-to-local
- local-to-remote
- local-to-local
- traffic matrix

IP Traffic – R-L

IP
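
The 1strun slides say the ntop user needs read/write access to the database directory, while the listing there shows root-owned, world-readable files, ntop_pw.db included. As an added example (not from the slides or the ntop project), this shell function audits such a directory; it assumes GNU stat, and the function name and the rule that ntop_pw.db should not be readable by group or other are this example's own.

```shell
#!/bin/sh
# Added example, not from the slides. Assumes GNU stat (Linux).
# audit_ntop_dir DIR USER  (hypothetical helper name)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_ntop_dir() {
    dir=$1; run_user=$2; findings=0

    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi

    # The run user needs read/write on the directory itself.
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$run_user" ]; then
        echo "OWNER $dir is $owner, expected $run_user"
        findings=1
    fi

    for f in "$dir"/*.db; do
        [ -e "$f" ] || continue          # glob matched nothing
        owner=$(stat -c '%U' "$f")
        mode=$(stat -c '%a' "$f")        # octal, e.g. 644
        if [ "$owner" != "$run_user" ]; then
            echo "OWNER $f is $owner, expected $run_user"
            findings=1
        fi
        # Assumption of this example: the admin password database should
        # not be readable by group or other (a 4-7 in the last two digits).
        if [ "$(basename "$f")" = "ntop_pw.db" ]; then
            case "$mode" in
                *[4567]?|*[4567])
                    echo "PERM $f is $mode, readable by group/other"
                    findings=1 ;;
            esac
        fi
    done
    return "$findings"
}

# Usage: sh audit.sh /home/ntop/ntop ntop
if [ "$#" -eq 2 ]; then
    audit_ntop_dir "$1" "$2"
fi
```

Run against the directory in the slide's listing with user ntop, it would report an OWNER finding for the root-owned files and a PERM finding for ntop_pw.db at mode 644.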

