8. Host Details
The Host Details page is as follows.
A contextual menu with labels and badges appears right below the top toolbar. Menu entries are dynamic, hence, some of them may not always be present.
Menu entries are discussed below.
Home is the default view of the Host Details page and provides detailed information including host MAC Address (or the last router MAC address if the host is remote), IP Address (with network mask if detected), a toggle to activate/deactivate alerts for the host, a checkbox to enable packet dump for the specific host, symbolic hostname (or IP address), location (local or remote), date and time of first and last packet seen for the host, traffic breakdown, amount of traffic packets received/sent, number of flows as client/server host. All of this information is also available in JSON format by clicking on the ‘Download’ link. The heat map provides the Activity Map for each host. Each box represents one minute of traffic. By default, Activity Map shows the last six hours, but it is possible to set a different timeframe using the controls.
The Traffic page provides Layer-4 protocol statistics for the host. A pie chart showing the L-4 protocol breakdown is shown at the top of the page. A table with detailed statistics is shown below the chart.
Packets page provides pie charts with packet size distribution, both for sent and received packets.
Ports page provides pie charts with traffic statistics grouped by port. A chart is available for client ports and another one is available for server ports.
Peers page presents a graphical overview of top contacted peers and top protocols used. In the following screenshot some hosts are struck-through intentionally for privacy reasons. A table with the top application per peer is shown below the graphical overview. Every item is clickable to allow the user to drill down and find insights.
Using the DPI information, this page provides, in pie chart and tabular format, the amount of traffic divided by application. An additional pie chart provides statistics about protocol type. A click on a protocol name redirects the user to the page with detailed statistics about the selected protocol.
The chart and the table displayed on this page report DNS statistics, such as the number of queries, their type (e.g., A, AAAA, PTR, and so on), and possible errors.
This page provides information about the HTTP protocol in terms of requests done and responses received for each HTTP method, together with response codes. Counters are provided both as tables and pie charts. If virtual hosts are detected, a badge with the number of virtual hosts detected for the same IP address is displayed in the host bar, and an entry for each virtual server is displayed in a virtual server table.
ntopng can keep track of top visited sites for any monitored local host. Enabling the tracking of top visited sites requires preference “Top HTTP Sites” to be set using the ntopng preferences page.
Once the preference has been enabled, this page will start showing visited websites, which are shown over the two most recent 5-minute intervals. Newly visited sites are placed under “Current Sites”. Every 5 minutes ntopng moves the “Current Sites” under “Last 5 Minute Sites”, and starts over with a clean “Current Sites”.
The “Contacts” column counts the number of times a particular website has been visited. Every time the host visits a site, the corresponding “Contacts” counter is increased by one.
This page is only available in the Host Details page menu when there is at least one visited website.
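The two-window bookkeeping described above (“Current Sites” rotating into “Last 5 Minute Sites” every 5 minutes, with a per-site “Contacts” counter), as an added illustration that is not ntopng's own code. The class and method names, the wall-clock-aligned rotation and the handling of an interval with no visits at all are assumptions; the rotation rule and the counter semantics are taken from the text.

```python
from collections import Counter

INTERVAL_SECONDS = 300  # the 5-minute rotation period described in the text


class TopVisitedSites:
    """Model of the 'Current Sites' / 'Last 5 Minute Sites' bookkeeping.

    Added illustration, not ntopng's own code: the rotation rule comes from
    the text, the method names and timestamp handling are assumptions.
    """

    def __init__(self, start_time: float) -> None:
        self.window_start = start_time      # start of the current 5-minute interval
        self.current = Counter()            # "Current Sites": site -> Contacts
        self.last = Counter()               # "Last 5 Minute Sites"

    def _rotate(self, now: float) -> None:
        # Rotate once per whole interval that has elapsed. One elapsed interval
        # moves current -> last; two or more mean the previous interval had no
        # visits at all, so "Last 5 Minute Sites" must be empty as well.
        elapsed = int((now - self.window_start) // INTERVAL_SECONDS)
        if elapsed <= 0:
            return
        self.last = self.current if elapsed == 1 else Counter()
        self.current = Counter()
        self.window_start += elapsed * INTERVAL_SECONDS

    def visit(self, site: str, now: float) -> None:
        # Every visit increases the site's "Contacts" counter by one.
        self._rotate(now)
        self.current[site] += 1

    def snapshot(self, now: float) -> dict:
        # What the page would show at time `now`.
        self._rotate(now)
        return {"current": dict(self.current), "last": dict(self.last)}


if __name__ == "__main__":
    t = TopVisitedSites(start_time=0.0)
    t.visit("example.org", now=10.0)    # constructed sample visits
    t.visit("example.org", now=20.0)
    t.visit("example.net", now=30.0)
    print(t.snapshot(now=60.0))         # both sites under "current"
    print(t.snapshot(now=320.0))        # moved under "last", "current" empty
    print(t.snapshot(now=700.0))        # one more interval later: both empty
```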
Flows page lists all active flows that have the selected host as an endpoint. A section of this manual discusses in greater detail the statistics shown for flows.
SNMP page provides SNMP information for the selected host with all the standard SNMP traffic metrics.
Talkers page provides the top talkers having active flows with the selected host. As in the Community edition dashboard, top talkers are laid out in a Sankey Diagram.
Geography page provides an interactive map that shows the selected host, its flows, and its peers.
8.14. Alerts Configuration
Alerts Configuration page enables the user to set custom thresholds on multiple metrics, and to trigger alerts based on those thresholds. Alerts can be armed, among other metrics, on total bytes, DNS traffic, P2P traffic or packets, over a fixed time interval. Available time intervals are 1 minute, 5 minutes, 60 minutes, and 1 day. Two columns are available for configuration. The first affects only the selected local host, whereas the second affects all local hosts.
Statistics page provides historical traffic statistics for the selected host. The user can choose to filter statistics on a protocol basis and display data in several formats (e.g., bytes, packets, flows, and so on).