SMC CS 78 - NTOP – Network TOP An Overview


ASSIGNMENT: Report
INSTRUCTOR: Aiko Pras
DATE: June 2000
COURSE: Internet Management Protocols
COURSE CODE: 265310
GROUP: 2
STUDENT[S]: João Paulo Almeida, 9816763; Yohannes Albertino Ramlie, 9816798

NTOP – Network TOP
An Overview

Summary

Network management is becoming an increasingly complex task, requiring automated tools to support human effort. This document is intended to provide valuable information for network managers or operators on the use of ntop. ntop is a simple, free, portable traffic measurement and monitoring tool, which supports various management activities, including network optimization and planning, and detection of network security violations. In this paper, ntop's features are briefly described, as well as installation procedures and examples of utilization. Alternative approaches to monitoring are also discussed. ntop has proven to be a valuable tool for quick access to network monitoring, with a simple to use integrated web interface and minimal requirements. It is available to network administrators with minimal (installing, learning) effort and cost, as opposed to expensive and complex (yet sophisticated and flexible) management platforms.

Table of contents

1. Introduction
2. Functions
2.1 Traffic Measurement
2.2 Traffic Monitoring
2.3 Network Optimization and Planning
2.4 Detection of Network Security Violations
3. Installation
4. Utilization Examples
5. Alternative Approaches to Monitoring

1. Introduction

Network management is becoming an increasingly complex task due to the variety of network types and the integration of different network media. As networks become larger, more complex, and more heterogeneous, the costs of network management rise. In this scenario, automated tools are needed to support human effort, gathering information about the status and behavior of networked elements. According to [Stallings], network monitoring is the most fundamental aspect of automated network management.

This document is intended to provide valuable information on the use of ntop by network managers or operators. ntop [ntop] is a simple, free and portable traffic measurement and monitoring tool, initially conceived by Luca Deri and Stefano Suin for tackling performance problems on the campus network of the University of Pisa, Italy.

Similar to the Unix top tool that reports processes' CPU usage, the authors needed a simple tool able to report the network top users (hence the term ntop) for quickly identifying those hosts that were currently using most of the available network resources. ntop then evolved into a more flexible and powerful tool [DeriSuin00a, DeriSuin99, Deri98], using the concept of open source software [OpenSource]. The current version of ntop features both command line and web-based user interfaces, and is available on both UNIX and Win32 platforms. ntop focuses on:

• traffic measurement,
• traffic monitoring,
• network optimization and planning, and
• detection of network security violations.

This document is further structured as follows: Section 2 presents the features mentioned above in further detail, Section 3 describes the installation procedures, Section 4 provides an example of the use of ntop, and finally Section 5 discusses alternative approaches to monitoring.

2. Functions

This section presents in further detail ntop's main functions: traffic measurement, traffic monitoring, network optimization and planning, and detection of network security violations.

2.1 Traffic Measurement

Traffic measurement consists in measuring the usage of relevant traffic activities. ntop tracks network usage, generating a series of statistics for each host in the local subnet and for the subnet as a whole. The needed information is collected by the host running ntop by simply observing the traffic on the network. This arrangement offloads the processing requirements from operational nodes to the ntop host. All packets in the subnet are captured and associated with a sender/receiver pair. In this way, it is possible to track all traffic activities of a particular host.

The following table shows the information registered by ntop for each host connected to the (broadcast) network:

| Statistic | Description |
|---|---|
| DATA SENT/RECEIVED | The total traffic (volume and packets) generated or received by the host. Classified according to network protocol (IP, IPX, AppleTalk, etc.) and IP protocol (FTP, HTTP, NFS, etc.) |
| USED BANDWIDTH | Actual, average and peak bandwidth usage. |
| IP MULTICAST | Total amount of multicast traffic generated or received by the host. |
| TCP SESSIONS HISTORY | Currently active TCP sessions established/accepted by the host and associated traffic statistics. |
| UDP TRAFFIC | Total amount of UDP traffic sorted by port. |
| TCP/UDP USED SERVICES | List of IP-based services (e.g. open and active ports) provided by the host with the list of the last five hosts that used them. |
| TRAFFIC DISTRIBUTION | Local traffic, local to remote traffic, remote to local traffic (local hosts are attached to the broadcast network). |
| IP TRAFFIC DISTRIBUTION | UDP vs. TCP traffic, relative distribution of the IP protocols according to the host name. |

Table 1 - Information recorded by ntop for each host

ntop also reports global traffic statistics, including:

| Statistic | Description |
|---|---|
| TRAFFIC DISTRIBUTION | Local (subnet) traffic, local vs. remote (outside specified/local subnet), remote vs. local. |
| PACKETS DISTRIBUTION | Total number of packets sorted by packet size, unicast vs. broadcast vs. multicast and IP vs. non-IP traffic. |
| USED BANDWIDTH | Actual, average and peak bandwidth usage. |
| PROTOCOL UTILIZATION AND DISTRIBUTION | Distribution of the observed traffic according to both protocol and source/destination (local vs. remote). |
| LOCAL SUBNET TRAFFIC MATRIX | Monitored traffic between each pair of hosts in the subnet. |
| NETWORK FLOWS | Traffic statistics for user-defined flows (traffic of particular interest to the user) |

Table 2 - Global statistics recorded by ntop

In addition to the information provided above, the current version allows the installation of plug-ins to provide detailed statistics about particular protocols not present in the standard version. Examples of these are the NFS and
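
The passive accounting described in Section 2.1 (each captured packet attributed to a sender/receiver pair, then rolled up per host, by local/remote direction, and into a subnet traffic matrix) can be sketched as follows. This is an added example, not ntop's code: the subnet, the sample frames, and the names `frame`, `account` and `top_hosts` are assumptions, and byte counts use the IPv4 total-length field.

```python
import ipaddress
import struct
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed monitored subnet
KIND = {(True, True): "local", (True, False): "local->remote",
        (False, True): "remote->local", (False, False): "remote"}

def frame(src, dst, proto, payload_len):
    """Constructed Ethernet + IPv4 frame (sample data, zeroed MACs and checksum)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return bytes(12) + b"\x08\x00" + hdr + bytes(payload_len)

SAMPLE = [  # constructed capture, not real traffic
    frame("192.168.1.10", "192.168.1.20", 6, 100),
    frame("192.168.1.20", "192.168.1.10", 6, 40),
    frame("192.168.1.10", "203.0.113.5", 17, 480),
    frame("203.0.113.5", "192.168.1.10", 17, 980),
    bytes(12) + b"\x08\x06" + bytes(28),                # ARP: counted as non-IP
    frame("192.168.1.10", "192.168.1.20", 6, 0)[:20],   # truncated IPv4 frame
]

def account(frames, local_net=LOCAL_NET):
    """Return (per-host counters, traffic distribution, local matrix), in bytes."""
    hosts = defaultdict(lambda: {"sent": 0, "rcvd": 0})
    dist, matrix = defaultdict(int), defaultdict(int)
    for f in frames:
        if len(f) < 14 or f[12:14] != b"\x08\x00":
            dist["non-IP"] += len(f)
            continue
        if len(f) < 34 or f[14] >> 4 != 4:      # too short for an IPv4 header
            dist["malformed"] += len(f)
            continue
        size = struct.unpack("!H", f[16:18])[0]  # IPv4 total length
        src, dst = (ipaddress.ip_address(f[i:i + 4]) for i in (26, 30))
        src_local, dst_local = src in local_net, dst in local_net
        if src_local:                            # only local hosts get counters
            hosts[str(src)]["sent"] += size
        if dst_local:
            hosts[str(dst)]["rcvd"] += size
        dist[KIND[src_local, dst_local]] += size
        if src_local and dst_local:
            matrix[str(src), str(dst)] += size
    return dict(hosts), dict(dist), dict(matrix)

def top_hosts(hosts, n=5):
    """Local hosts ordered by bytes sent plus received, busiest first."""
    return sorted(hosts, key=lambda h: hosts[h]["sent"] + hosts[h]["rcvd"], reverse=True)[:n]
```

Calling `account(SAMPLE)` and passing the first result to `top_hosts` gives the "network top users" ordering that the tool is named after.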

