Basic Ntop configurations

NTOP

A computer network is a hub for a wealth of information about itself, whatever its size (small, medium or large enterprise, home or ISP). Network top (ntop) is a network management tool, a raw packet analyzer that displays the top network hosts and protocols; it is to a network what the top command is to Unix/Linux. It processes raw network packets directly from the medium to provide a fine-grained view of the hosts and protocols on a single network. ntop takes streams of bits, understands them and presents that information to you.

How does ntop work?

ntop does not care about the medium through which the network traffic is passing. It uses libpcap, a system-independent interface for user-level packet capture. ntop is a packet analyzer, not a pure Ethernet analyzer (layer 2) nor a pure TCP/IP analyzer (layer 3): it gets the data at the layer 2 (frame) level, which could be Ethernet or another protocol, and that is enough to extract the (layer 3) TCP/IP data inside.

ntop is a traffic monitor for its own network interfaces, which reports what it sees (or is told about through NetFlow or sFlow probes). ntop can be used in either interactive or web mode. In interactive mode, ntop displays the network status on the user’s terminal, whereas in web mode a web browser (e.g. Netscape) can attach to ntop (which acts as a web server) and get a dump of the network status.

Configuring ntop

==============

Download latest version of ntop:

http://space.dl.sourceforge.net/project/ntop/ntop/ntop-4.0/ntop-4.0.tar.gz

Prerequisites

===========

Get the latest version of the following:

glibc, glibc-devel, gcc, cpp

awk

libtool (1.4+)

m4

autoconf (2.53+)

automake (1.6+)

gdbm, gdbm-devel

libpcap (http://www.tcpdump.org)

librrdtool

Optional Packages: openssl, openssl-devel (http://www.openssl.org), zlib, zlib-devel

Untar the package:

# cd /usr/src

# tar -zxvf ntop-4.0.tar.gz

Type the following commands to compile and install ntop:

1. `cd` to the directory containing the package’s source code and type `./autogen.sh` to configure the package for your system. This takes a while to complete. While running, it prints messages telling which features it is checking for.

# cd ntop

# ./autogen.sh

2. Type `make` to compile the package.

# make

3. Type `make check` to run any self-tests that come with the package.

# make check

4. Type `make install` to install the programs and any data files and documentation.

# make install

This should configure, build, and install this ntop package.

5. You can remove the program binaries and object files from the source code directory by typing `make clean`. To also remove the files that `configure` created (so you can compile the package for a different kind of computer), type `make distclean`.

Now create the ntop user and set directory permissions. Make sure that the user has only minimal privileges (a system account with no login shell) but can read and write the directory where the ntop databases are stored.

# useradd -M -s /sbin/nologin -r ntop

# chown ntop:root /usr/local/var/ntop/

# chown ntop:ntop /usr/local/share/ntop/
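To confirm that the service account really is locked down the way the commands above intend, here is an added shell script (example code, not part of the ntop project) that checks that the account’s login shell is a non-interactive one and that each data directory is owned by the ntop user and is not world-writable. The account name `ntop` and the two directories are taken from the useradd/chown commands above; the `--run` flag is this script’s own convention. It reads /etc/passwd directly, so it assumes a local account rather than one served by NIS or LDAP.

```shell
#!/bin/sh
# Added example, not ntop project code: verify the least-privilege setup of the
# ntop account and its data directories.  Assumes a local /etc/passwd account.

# shell_is_nologin PASSWD_LINE -> 0 if the account's login shell is a
# non-interactive one (nologin or false), 1 otherwise.
# PASSWD_LINE is one /etc/passwd line: name:x:uid:gid:gecos:home:shell
shell_is_nologin() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# dir_owner DIR -> prints the user name owning DIR (parsed from ls -ld, which
# is portable across Linux and BSD unlike stat's flags).
dir_owner() {
    ls -ld "$1" | awk '{print $3}'
}

# dir_world_writable DIR -> 0 if "other" has write permission on DIR, 1 otherwise.
# The 9th character of the ls mode string (drwxrwxrwx) is the other-write bit.
dir_world_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# check_data_dir DIR USER -> 0 if DIR exists, is owned by USER and is not
# world-writable; prints the reason and returns 1 otherwise.
check_data_dir() {
    dir=$1
    user=$2
    if [ ! -d "$dir" ]; then
        echo "$dir: missing"
        return 1
    fi
    owner=$(dir_owner "$dir")
    if [ "$owner" != "$user" ]; then
        echo "$dir: owned by $owner, expected $user"
        return 1
    fi
    if dir_world_writable "$dir"; then
        echo "$dir: world-writable"
        return 1
    fi
    return 0
}

# check_ntop_setup USER DIR... -> checks the account's shell and every DIR;
# returns 0 only if all checks pass.
check_ntop_setup() {
    user=$1
    shift
    rc=0
    entry=$(grep "^$user:" /etc/passwd 2>/dev/null || true)
    if [ -z "$entry" ]; then
        echo "$user: no such local account"
        rc=1
    elif ! shell_is_nologin "$entry"; then
        echo "$user: login shell is interactive, expected nologin"
        rc=1
    fi
    for d in "$@"; do
        check_data_dir "$d" "$user" || rc=1
    done
    return "$rc"
}

# Run the checks when invoked as: sh ntop-perms.sh --run
if [ "${1:-}" = "--run" ]; then
    check_ntop_setup ntop /usr/local/var/ntop /usr/local/share/ntop
fi
```

Run it on the ntop host after the useradd and chown steps; a non-zero exit with a printed reason means one of the directories is writable by everyone, owned by the wrong account, or the account can still log in interactively.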

3. Running ntop for the first time

==============================

The first time ntop is run, it prompts the user for the admin password and creates a new password database file. The most efficient way to do this is to run ntop manually with a limited command line, let it create the file and then shut it down. After the first run, ntop operates without this intervention, unless the password database ntop_pw.db cannot be found, which is treated as a first-time run.

/usr/bin/ntop -P <your directory> -u <ntopuserid> -A

The output from ntop will look like this:

[root@dhcpp5 root]# /usr/bin/ntop -P /usr/share/ntop -u ntop -A

Please enter the password for the admin user:

*****enter the admin password (“admin” is NOT a good idea) and press enter!

Please enter the password again:

*****enter the admin password again and press enter!

*****ntop will store the password and stop.

You should now be able to run ntop as usual.

# /usr/local/bin/ntop -A -u <userid> -P <directory>

<userid> is the userid you’ve created

<directory> is the directory path where ntop will store its databases

Start ntop as a daemon by using the following command:

#ntop -d

We can now access the ntop interface in web mode by pointing a browser at the IP of your machine on port 3000. Make sure that your firewall allows connections to port 3000, preferably only from the hosts that need to reach the web interface.

http://<ip-of-your-machine>:3000

Build a static ntop

Sometimes you want to build ntop statically so that both shared libraries and plugins are included in the main program. To do that:

# cd ntop

# ./autogen.sh --enable-static-plugins

# make sntop

The final binary is called sntop (static ntop).

Compile problems

================

The most common problem is an inability to find critical libraries such as libpcap, libpng, etc. This is because library files are installed at different locations on different platforms. Starting with 2.2, ntop no longer goes to extreme lengths to find the .h and lib files: if a header or library isn’t in a standard location, you have to specify its exact location. ntop 3.0 adds the common /usr/local directories (e.g. /usr/local/include and /usr/local/lib) to the places ntop looks by default.

So, if ntop tells you it can’t find something, first look for the file on your system:

$ locate pcap.h

/usr/include/pcap/pcap.h

You can also use the find command to locate the header files:

$ find / -type f -name "pcap.h"

Then tell ./autogen.sh where it is via --with-pcap-include=/usr/include/pcap

There is a set of options that tells ntop where to install things. For simplicity, the two you might want to change are:

--prefix=PREFIX install architecture-independent files in PREFIX [/usr/local]

--datadir=DIR read-only architecture-independent data [PREFIX/share]

--prefix tells ntop where to install the various files. The default value is /usr/local, which is where most non-OS software normally goes. A common choice for libraries (such as pcap) is --prefix=/usr, which puts things like .h files in places that are easier to find automatically (/usr/include). --prefix=/usr certainly works for ntop. --prefix=/opt is another choice.

--datadir tells ntop where to put its databases and output files. The default is /usr/share/ntop. Another popular choice is --datadir=/var, which puts all the files in /var/ntop. That may be attractive especially if you make /var/ntop a separate partition, so the rrd files don’t eat all your disk space.
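As an added example (not part of the ntop sources), the following POSIX shell script puts the prerequisite check, the header search and the install-location options together as a pre-flight step to run before ./autogen.sh: it reports any build tool that is missing from PATH, looks for pcap.h under the usual include directories, and prints the option string to pass to ./autogen.sh with the double-dash spelling configure expects. The tool list, the two search directories and the /usr/local defaults are assumptions taken from this page; `--run` is this script’s own flag, and the script never invokes autogen.sh itself.

```shell
#!/bin/sh
# Added example, not ntop project code: pre-flight checks before ./autogen.sh.
# Assumed from the page: the tool list, the include directories searched, and
# the /usr/local prefix with PREFIX/share as datadir.

# Build tools from the prerequisites list (gdbm, libpcap and rrdtool are
# libraries; libpcap is checked through its header below).
REQUIRED_TOOLS="gcc cpp awk m4 autoconf automake libtool"

# have_tool NAME -> 0 if NAME is an executable on PATH, 1 otherwise.
have_tool() {
    command -v "$1" >/dev/null 2>&1
}

# missing_tools NAME... -> prints each NAME that is not on PATH, one per line;
# returns 0 when nothing is missing, 1 otherwise.
missing_tools() {
    rc=0
    for t in "$@"; do
        if ! have_tool "$t"; then
            echo "$t"
            rc=1
        fi
    done
    return "$rc"
}

# find_header FILE DIR... -> prints the directory holding the first FILE found
# under any DIR (a scoped version of the "find / -name" search above);
# returns 1 if FILE is nowhere under the given directories.
find_header() {
    name=$1
    shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        hit=$(find "$d" -type f -name "$name" 2>/dev/null | head -n 1)
        if [ -n "$hit" ]; then
            dirname "$hit"
            return 0
        fi
    done
    return 1
}

# autogen_args PREFIX DATADIR [PCAP_INCLUDE_DIR] -> prints the ./autogen.sh
# options.  Word processors often turn "--" into a single dash, which
# configure does not understand, so the string is built here verbatim.
autogen_args() {
    args="--prefix=$1 --datadir=$2"
    if [ -n "${3:-}" ]; then
        args="$args --with-pcap-include=$3"
    fi
    printf '%s\n' "$args"
}

# ntop_preflight -> runs the checks and prints the suggested ./autogen.sh line;
# returns 1 with a message on stderr if a tool or pcap.h is missing.
ntop_preflight() {
    missing=$(missing_tools $REQUIRED_TOOLS) || {
        echo "missing build tools: $(echo $missing)" >&2
        return 1
    }
    inc=$(find_header pcap.h /usr/include /usr/local/include) || {
        echo "pcap.h not found under /usr/include or /usr/local/include;" \
             "install the libpcap headers or pass --with-pcap-include yourself" >&2
        return 1
    }
    echo "./autogen.sh $(autogen_args /usr/local /usr/local/share "$inc")"
}

# Run the checks when invoked as: sh ntop-preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    ntop_preflight
fi
```

Run it from the unpacked source tree; on success it prints the ./autogen.sh line to copy, and on failure it names the missing tool or reports that pcap.h was not found so you know which prerequisite to install before retrying.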

Advantages & Disadvantages

=========================

ntop is best at generating a view of a single network and presenting it over long periods of time, rather than showing multiple networks. It sees the actual web server request instead of just that there was traffic on port 80. It can display fine-grained information. It is easily configurable and can be managed through the web interface.

It requires a lot more processing power and memory, though this depends mainly on the size and traffic of the network. Another disadvantage of ntop is that it requires access to the physical network (either directly via a network card or indirectly via a NetFlow/sFlow probe). This limits ntop’s ability to work across sites.

The Beyond Technology

www.techbeo.com
