What is ntop
ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the IP (Internet Protocol) and Fibre Channel (FC) traffic generated by each host. The traffic is sorted according to host and protocol. Default protocol list (this is user configurable):
- TCP/UDP/ICMP
- (R)ARP
- IPX
- DLC
- Decnet
- AppleTalk
- Netbios
- TCP/UDP
- FTP
- HTTP
- DNS
- Telnet
- SMTP/POP/IMAP
- SNMP
- NFS
- X11
- Fibre Channel
- Control Traffic - SW2,GS3,ELS
- SCSI
ntop's author strongly believes in open source software and encourages everyone to modify, improve and extend ntop in the interest of the whole Internet community according to the GPLv3 license.
Support
The first place to report problems and bugs, ask questions, request enhancements, etc., should be the ntop mailing lists - subscribe from here: http://lists.ntop.org/mailman/listinfo/ntop.
There is also a separate mailing list for development (code level) questions - we try to keep them separated so users don't drown in C code - for which the subscription page is here: http://lists.ntop.org/mailman/listinfo/ntop-dev
Lastly, this list: http://lists.ntop.org/mailman/listinfo/ntop-misc covers everything not specifically part of ntop, e.g. PF_RING, nProbe, etc.
Although the mailing lists have archives, they are not searchable. The best way is to use Google (although other sites have indexed the lists too), restricting your search to the archive and then using the keyword ntop + whatever you are looking for:
http://www.google.com/search?q=site%3Alistgateway.unipi.it+ntop+graphviz&btnG=Search
FAQ
There is an extensive FAQ which is part of the source AND also available in your ntop instance via the About | FAQ menu item.
FAQ page.
(But only if somebody is willing to commit to keeping it up to date - the official version is and remains the one in the CVS)
HowTos
Installing
- Installing on Fedora Core 5 (FC5) is an article on installing on Fedora Core 5 (FC5) with PF_RING.
- Installing PF_RING and nProbe on Fedora Core 4 (FC4) for FC4.
Prerequisites
Mandatory
Compile source code or RPM
Configure
ntop IPv6
Porting Ntop to IPv6: Technical Report
NTOP Usage Tracking: Capturing and Reporting Network Usage
How to take advantage of PHP/MySQL to get the most out of ntop: User Report
ntop and RRD
All about RRD files and how ntop uses them: http://prdownloads.sourceforge.net/ntop/rrdandntop.pdf?download
Using ntop for computer asset inventory
ntop offers some capability for local host Operating System identification, which can be useful as part of an asset inventory. However, there are some limitations to this capability: it is implemented via a passive approach, using the fingerprint database from Ettercap (http://sourceforge.net/projects/ettercap).
In general, users have found the default (Ettercap) database insufficient for their needs. Accordingly, creating a customized version of the file - one that is limited to the operating systems and versions actually deployed - is strongly recommended.
How to access ntop through a http (reverse) proxy
Sometimes it can be useful to have ntop running behind a proxy. You don't need to open port 3000 (or whichever other port you choose), so with the standard HTTPS service you can have ntop like any other service, sitting happily on your web server. You can point to https://bumbum.com/ntop exactly as you would to https://bumbum.com/documents or whatever service or directory you commonly use.
Security, access lists and password requests can be chosen by the web server, and ntop works well reverse-proxied behind apache2.
This config covers Apache 2 and Ntop 3.2: so the “new” apache (not 1.3) and the newest ntop. I believe that older ntop versions are also supported, but I haven't tested them. This config was done on Debian sarge, and this is a working configuration, not a should-be or a guess. Many people connect every day to this ntop machine through the apache2 server and no errors were reported. We can say “works for us”; hope it does for you too.
You need:
- ntop 3.3 working on port 3000 with: -w127.0.0.1:3000 -W0
- working apache2 under ssl, on port 443 (else change this number in first two lines in the file below)
- apache modules (probably not all are needed, but these are enabled in my config):
- mod_cgid
- mod_headers
- mod_security
- mod_proxy
- mod_proxy-http
- mod_proxy-html
- proxy_connect.load
- proxy_html.load
- mod_rewrite
- mod_ssl
- mod_userdir
The first part is generic for apache ssl-site, the second part is ntop-specific. Of course you have to change some lines to fit your need.
NameVirtualHost *:443
<VirtualHost *:443>
    ############################################################
    ###### ALL TRAFFIC ON 443 ( HTTPS )
    ############################################################
    # change: address of web admin
    ServerAdmin webmaster@localhost
    SSLEngine On
    # change: where is the ssl certificate on your machine?
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    # change: paths for logs (error and custom)
    ErrorLog /var/log/apache2/error.log
    # choose one LogLevel value: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On

    ### PATCH SUGGESTED BY NESSUS ABOUT TRACE ATTACKS
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    #### NTOP (PROXY REVERSE) ########
    ProxyHTMLLogVerbose On
    LogLevel warn
    ProxyHTMLExtended On
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /ntop/ http://localhost:3000/
    ProxyPassReverse /ntop/ http://localhost:3000/
    <Location /ntop/>
        SetOutputFilter proxy-html
        ProxyHTMLURLMap / /ntop/
        ProxyHTMLURLMap /ntop/plugins/ntop/ /ntop/plugins/
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
Contribution courtesy of Giovanni Odorifero.
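The configuration above leaves /ntop/ open to every client that can reach the web server; it relies on ntop listening only on the loopback address (-w127.0.0.1:3000) so that the proxy is the only way in. The text notes that password requests and access lists can be handled by the web server, and the Location block below shows one way to do that. It is an added example, not part of Giovanni Odorifero's contribution, written in the same Apache 2.2 syntax as the configuration above; the htpasswd file path and the 192.0.2.0/24 management network are assumptions to be replaced with your own values.

```apache
<Location /ntop/>
    SetOutputFilter proxy-html
    ProxyHTMLURLMap / /ntop/
    ProxyHTMLURLMap /ntop/plugins/ntop/ /ntop/plugins/
    RequestHeader unset Accept-Encoding

    # Added: ask for a password before any request is forwarded to ntop.
    # The user file path is an assumption; create it with
    #   htpasswd -c /etc/apache2/ntop.htpasswd <username>
    AuthType Basic
    AuthName "ntop"
    AuthUserFile /etc/apache2/ntop.htpasswd
    Require valid-user

    # Added: in addition to the password, only accept clients from the
    # management network (the address range is an assumption).
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24

    # Both the address check and the login must succeed (Apache 2.2 semantics).
    Satisfy All
</Location>
```

Use this block in place of the `<Location /ntop/>` block inside the :443 virtual host; mod_auth_basic and mod_authn_file must be loaded for AuthType Basic to work. Because Basic authentication sends the credentials with every request, keep the block only inside the SSL virtual host, never on a plain-HTTP one.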
How to create your own version of the ettercap database
- Using ntop on RHAS3U1 as an example.
[ntopserver ] cat /etc/redhat-release
Red Hat Enterprise Linux AS release 3 (Taroon Update 1)
[ntopserver ] rpm -qil ntop-3.2-1.el3.rf |grep etter
/etc/ntop/etter.finger.os.gz
[ntopserver ] ls -l /etc/ntop/etter.finger.os.gz
-rw-r--r-- 1 root root 17822 Dec 1 2004 /etc/ntop/etter.finger.os.gz
[ntopserver ]
- Find out the fingerprints for HP-UX OS.
[ntopserver ] zgrep HP-UX /etc/ntop/etter.finger.os.gz
8000:0218:40:WS:0:0:1:0:A:2C:HP-UX
8000:0584:40:00:0:1:1:1:A:3C:HP-UX
8000:0584:40:WS:0:0:1:0:A:2C:HP-UX B.10.20
8000:05B4:01:WS:0:0:1:0:A:2C:HP-UX
8000:05B4:40:00:0:0:1:0:S:2C:HP-UX B.10.01 A 9000/712
8000:05B4:40:00:0:1:0:1:A:3C:HP-UX B.11.00
8000:05B4:40:00:0:1:1:0:A:LT:HP-UX
8000:05B4:40:WS:0:0:1:0:A:2C:Mac OS X Darwin 1.4 / HP-UX 10.20
8000:1000:40:WS:0:0:1:0:A:2C:HP-UX
[ntopserver ]
- Assume the fingerprint for HP-UX B.11.00 is wrong.
- We need to replace the "8000:05B4:40:00:0:1:0:1:A:3C" fingerprint with the correct one.
- Log in to an HP machine running HP-UX B.11.00.
- Run the following program to generate a fingerprint in the above format.
- TBA.
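The two database tasks described on this page, trimming etter.finger.os down to the operating systems actually deployed (asset inventory section) and swapping a known-wrong fingerprint for a corrected one (the HP-UX B.11.00 steps above), are both straightforward line edits, but a script that validates each line is safer than editing the gzipped file by hand. The Python below is an added example and is not code from the ntop or Ettercap projects. It assumes the field layout given in the header comment of Ettercap's own etter.finger.os file (window, MSS, TTL, window scale, SACK, NOP, DF, timestamp, SYN/SYN+ACK flag, packet length, OS label); the sample database is constructed from the zgrep output above, and the replacement signature used in the usage section is a placeholder, not a real HP-UX B.11.00 fingerprint.

```python
import gzip
import re
from typing import Dict, Iterable, List, Tuple

# One etter.finger.os line, per the header comment of ettercap's database file:
#   WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS
# WWWW = TCP window (hex), MSS = max segment size (hex, or _MSS if absent),
# TTL = IP TTL (hex), WS = window scale (hex, or WS if absent),
# S/N/D/T = SACK-permitted / NOP option / IP DF bit / TCP timestamp (0 or 1),
# F = S (SYN) or A (SYN+ACK), LEN = packet length (hex, or LT if irrelevant),
# OS = free-text label, which may itself contain spaces and slashes.
_SIG_RE = re.compile(
    r"^(?P<sig>[0-9A-F]{4}:(?:[0-9A-F]{4}|_MSS):[0-9A-F]{2}:(?:[0-9A-F]{2}|WS)"
    r":[01]:[01]:[01]:[01]:[SA]:(?:[0-9A-F]{2}|LT)):(?P<os>.+)$"
)

Entry = Tuple[str, str]  # (signature, os label)

# Constructed sample: the HP-UX lines returned by the zgrep command on this page.
SAMPLE_DB = """\
# comment and blank lines are ignored
8000:0218:40:WS:0:0:1:0:A:2C:HP-UX
8000:0584:40:00:0:1:1:1:A:3C:HP-UX
8000:0584:40:WS:0:0:1:0:A:2C:HP-UX B.10.20
8000:05B4:01:WS:0:0:1:0:A:2C:HP-UX
8000:05B4:40:00:0:0:1:0:S:2C:HP-UX B.10.01 A 9000/712
8000:05B4:40:00:0:1:0:1:A:3C:HP-UX B.11.00
8000:05B4:40:00:0:1:1:0:A:LT:HP-UX
8000:05B4:40:WS:0:0:1:0:A:2C:Mac OS X Darwin 1.4 / HP-UX 10.20
8000:1000:40:WS:0:0:1:0:A:2C:HP-UX
"""


def parse_db(text: str) -> List[Entry]:
    """Return (signature, os) pairs; a malformed line is an error, not a guess."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SIG_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a valid fingerprint: {line!r}")
        entries.append((m.group("sig"), m.group("os")))
    return entries


def load_db(path: str) -> List[Entry]:
    """Load a plain or gzipped database, e.g. /etc/ntop/etter.finger.os.gz."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_db(fh.read())


def restrict_to_deployed(entries: List[Entry], deployed: Iterable[str]) -> List[Entry]:
    """Keep only entries whose label mentions a deployed OS (case-insensitive
    substring), producing the trimmed database the inventory section recommends."""
    needles = [d.lower() for d in deployed]
    return [(sig, os_) for sig, os_ in entries
            if any(n in os_.lower() for n in needles)]


def replace_signature(entries: List[Entry], old_sig: str, new_sig: str) -> List[Entry]:
    """Swap a known-wrong signature for a corrected one, keeping its OS label."""
    if not _SIG_RE.match(f"{new_sig}:x"):
        raise ValueError(f"replacement signature is malformed: {new_sig!r}")
    out: List[Entry] = []
    hits = 0
    for sig, os_ in entries:
        if sig == old_sig:
            out.append((new_sig, os_))
            hits += 1
        else:
            out.append((sig, os_))
    if hits == 0:
        raise KeyError(f"signature {old_sig!r} not present in database")
    return out


def ambiguous_signatures(entries: List[Entry]) -> Dict[str, List[str]]:
    """Signatures mapped to more than one label: such an entry can never identify
    a host uniquely, which is one reason a trimmed database reports better."""
    seen: Dict[str, List[str]] = {}
    for sig, os_ in entries:
        seen.setdefault(sig, []).append(os_)
    return {s: labels for s, labels in seen.items() if len(labels) > 1}


def render_db(entries: List[Entry]) -> str:
    """Serialize back to the etter.finger.os line format (gzip it before install)."""
    return "".join(f"{sig}:{os_}\n" for sig, os_ in entries)


if __name__ == "__main__":
    db = parse_db(SAMPLE_DB)
    trimmed = restrict_to_deployed(db, ["B.11.00", "B.10.20"])
    # PLACEHOLDER replacement signature: not a measured HP-UX B.11.00 fingerprint.
    fixed = replace_signature(trimmed, "8000:05B4:40:00:0:1:0:1:A:3C",
                              "8000:05B4:40:00:0:1:1:1:A:3C")
    print(render_db(fixed), end="")
```

To apply the result on the RHAS3 host from the example, write `render_db(...)` to a file, gzip it, and put it in place of /etc/ntop/etter.finger.os.gz (keeping a copy of the original); `ambiguous_signatures()` is worth running over the full upstream database before trimming, since any signature it reports will be reported by ntop as a composite label rather than a single OS.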
Reference
* R1: See packet craft section
User's Guide
End User's Guide : End User's guide to NTOP
