SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG
DONATE


YUM REPOSITORY

 
 

MAN page from Other ntop-1.1-1.redhat-5.2.i386.rpm

NTOP

Section: Maintenance Commands (8)
Updated: 9 April 1999
Index 

NAME

ntop - display top network users 

SYNOPSIS

ntop[-rrefresh time][-ftraffic dump file][-n][-p]IP protocols to monitor][-iinterface][-wport][-d][-mlocal subnet][-llog period][-Fflow filter expression][filter expression] 

DESCRIPTION

ntopshows the current network usage. It displays a list of hosts that arecurrently using the network and reports information concerning the (IP and non-IP) traffic generated by each host. ntopcan be started either in a terminal window (interactive mode) or inweb mode. In the latter case, a web browser is needed to use theprogram. The traffic is sorted according to the host and the protocol. Wheneverntopis started in web mode (-w flag), multiple remote users can access the traffic information. See below for more information.

 

COMMAND-LINE OPTIONS

-rSpecifies the delay (in seconds) between screen updates (the default is 3 seconds). If the -l flag is used, it specifies how often entries are logged in the log file. Pleasenote that if the delay is very short (1 second for instance), ntop might notbe able to process all the network traffic.

-fSpecifies the file containing tcpdump captured traffic that will be browsed beforeto start sniffing.

-nThis causesntopto show numeric IP addresses instead of the symbolic names. This option can useful when the DNS is not present or quite slow. You can toggle the address format (numeric vs. symbolic) by pressing thenkey while ntopis running.

-pIt is used to specify the IP protocols thatntopwill monitor. The format is <label>=<protocol list> [, <label>=<protocol list>], wherelabel is used to symbolically identify the <protocol list>. The format of <protocol list>is <protocol>[|<protocol>], where <protocol> is either a valid protocol specified inside the/etc/services file or a numeric port range (e.g. 80, or 6000-6500). If the -p flag is omitted the following default value is used: "FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh".

-iSpecifies the network interface used byntop

-w Startsntopin web mode. Users can attach their web browsers to the specified port and browse traffic information remotely. Supposing to startntopat the port 3000 (ntop -w 3000), the URL to access ishttp://hostname:3000/. The file ~/.ntop specifies the HTTPuser/password of those people who are allowed to access ntop. If the~/.ntop file is missing no security will be used hence everyone canaccess traffic information. A simple .ntop file is the following:## .ntop File format## user<tab>/<space>pw##luca            linux
Please note that an HTTP server is NOTneeded in order to use the program in interactive mode.

-dThis flag (it has to be used with -w) causes ntop to become a daemon, i.e. it is started in background and detached from the terminal.

-mThis flag allows users to specify the subnets whose traffic is considered local. The format is <network address>/<# subnet mask bits>[,<network address>/<# subnet mask bits>]. For instance "131.114.21.0/24,10.0.0.0/255.0.0.0".

-lThis causesntopto periodically (specified with the -r flag) log network information data in the filentop.logwhose format is self-explanatory. This flag specifies the collection time between two consecutive log entries (in seconds). Please note that it is easy to use the log file to produce graphics (e.g. usinggnuplot).

"flow filter expression" [web mode only]It is used to specify network flows similar to more powerful applications such as NeTraMet. A flow is a stream of captured packets that match a specified rule. The format is <flow-label>='<matching expression>'[,<flow-label>='<matching expression>'], where the label is used to symbolically identify the flow specified by the expression. The expression format is specified in the appendix. If an expression is specified, then the information concerning flows can be accessed following the HTML link named 'List NetFlows'.For instance suppose to define two flows with the following expression "LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'". All the traffic sent/received by hosts jake.unipi.it or pisanino.unipi.it is collected byntopand added to the LucaHosts flow, whereas all the packet routed by the gateway gateway.unipi.it are added to the GatewayRoutedPkts flow.

"filter expression"ntop, similar to what tcpdump does, allows users to specify an expressionthat restricts the type of traffic handled byntophence to select only the traffic of interest. For instance, suppose tobe interested only in the traffic generated/received by the hostjake.unipi.it. ntopcan then be started with the following filter: 'ntop src host jake.unipi.it or dst host jake.unipi.it'. See thetcpdumpman page for further information about this topic.

 

INTERACTIVE COMMANDS

Whilentopis running interactively (no web mode), the information shown can be manipulated by pressing the following keys.

qThis causesntopto quit.

nThis causesntopto toggle the IP address format (numeric vs. symbolic vs. MAC Address vs. Nw Board Manufacturer).

pThis causesntopto toggle the traffic format (percentage vs. absolute vs. throughput).

lThis causesntopto toggle the host list content (local vs. remote hosts).

dThis causesntopto toggle the host list content (idle vs. active hosts).

tThis causesntopto sort hosts according to the data received or sent.

yThis causesntopto sort traffic according to the various protocols being displayed in the current screen.

<space>This causesntopto show further traffic information. Each time the space bar is pressed the lastthree ntopcolumns are toggled. Please note that these columns represent eitherthe traffic sent or received, according to the the way the list is sorted (see previouscommand).

 

WEB VIEWS (Web mode)

Whilentopis running in web mode (-w flag), multiple users can access the traffic information using conventional web browsers. The main HTML page, is divided is two frames. The left frame allows users to select the traffic view that will be displayed in the right frame. Available sections are: sort traffic by data sent, sort traffic by data received, traffic statistics, active hosts list, remote to local (i.e. inside the subnet defined for the network board from which the program is currently sniffing) IP traffic, local to remote IP traffic, local to local IP traffic, list of active TCP sessions, IP protocol distribution statistics, IP protocol usage, IP traffic matrix.

 

FIELD DESCRIPTIONS (Interactive mode)

ntopdisplays a variety of information about the network traffic.

"traffic/throughput"This line displays general information about the network traffic: thenumber of packets that have been seen, the total traffic (IP or nonIP), the actual and the max observed throughput. Please note that if afilter expression is used, these values are relatives only to thetraffic that satisfies the filter expression.

HostThis column contains the host name in either symbolic or numericformat.

ActThis column contains further information about the host activity sincethe last screen update. The value 'B' (both) indicates that the hosthas both sent and received data, 'R' (receive) that the host hasreceived but not sent data, 'S' (sent) that the host has sent but notreceived data, 'I' (idle) that the host has been idle (no data sent or received).

RcvdThis column contains the traffic received by the host either inabsolute or percentage format. If the host list is sorted accordingthis field, then the column label becomes -Rcvd-.

SentThis column contains the traffic sent by the host either in absoluteor percentage format. If the host list is sorted according this field,then the column label becomes -Sent-.

<protocol>The last three columns contain further information concerning the IPprotocols. Data represented in these columns change according to thetraffic type (either sent or received). The 'y' key allows users to interactively change the sort order of these columns, whereas the space bar toggles the protocol list. 

NOTES

ntopis based on the libpcap library that can be foundat ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

 

SEE ALSO

top(1),tcpdump(8).netramet(http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html). 

AUTHOR

Please send bug reports to the ntop mailing list <ntop@unipi.it>. ntop's author is Luca Deri <deriAATTunipi.it>.
 

Index

NAME
SYNOPSIS
DESCRIPTION
COMMAND-LINE OPTIONS
INTERACTIVE COMMANDS
WEB VIEWS (Web mode)
FIELD DESCRIPTIONS (Interactive mode)
NOTES
SEE ALSO
AUTHOR

This document was created byman2html,using the manual pages.