a better look at ntop – part 1
Earlier this morning I read an article that came through my digg rss feed, entitled “Monitor network traffic with ntop“. Basically it went like this .. install ntop (from source) and then type some stuff and you have ntop .. reet! Suffice it to say it left me wanting a little more depth. If you want something done right …
I’ve used ntop before in previous jobs, and I have used it on my home network. So today I decided after reading the above linked article, I would setup ntop on my debian box. I will preface this with a short explanation of how I have things setup network wise.
Let’s get ready to nerd it up:
I have two network cards in my linux box, one of which is assigned an IP address (eth0) and one is transparent. The transparent interface (eth1) is plugged into a hub (no, not a switch!) and my cable modem and soho router WAN interface are also plugged into the hub. Essentially I have a network tap on the WAN side of my network. This lets me have a bit more data to play with, as I get to see worms and such trolling around. There are better ways to do this of course, but in this case it worked the best for me and cost $0, neaner.
Now on to the point of all this .. ntop .. oh yeah that was the point. Ok so in the article they say go download the source and ./configure blah blah blah. If you have a modern linux distribution then you have a built in package management system. Use it. In my case I am using Debian 4.1.2 (lenny), so as root (or sudo) I typed apt-get update (wait …..) apt-get install ntop. Apt is smart enough to know what dependencies you will need (if this is a fresh install it will be a lot) so just let it do its thing till it’s done. Most likely you will be asked a few questions about settings for ntop. The first two questions are important. The first will ask what user you would like to run ntop as (and a password for the account), I used ‘ntop’. The next question asks for the admin user’s password (and to confirm it). This is NOT asking for your root password!! Use a unique password here, it’s for the web interface admin account. The rest of the questions are related to the ntop server config. Answer them if you want to; they all end up in the config file in the end.
Now that ntop is installed, it’s time to do a little configuring. If you installed the Debian package, like I did, you will find the config files located in an asinine and stupid place. So for now I just mv’d the installed /etc/init.d/ntop script to my home dir and did a killall -9 ntop (sudo/root). I decided for now, and for the scope of this post, I would just create my own conf file, and start/stop ntop from the command line.
One of the great things about ntop (and one of the down sides too) is that it has its own built in webserver, so if you haven’t installed apache, you don’t need to just to use ntop.
The next step you will need to do is (sudo/root) chown -R ntop:ntop /var/lib/ntop and /var/log/ntop so that it can write the database files as needed. I looked for example ntop.conf* files via the google and used them as an example to learn the formatting, then referred to ntop --help for the options I wanted.
My configuration looks like this:
--user ntop
--db-file-path /var/lib/ntop
--spool-file-path /var/log/ntop
--interface eth1
--use-syslog=local3
--http-server 3000
--https-server 0
--local-subnets xx.xx.xx.xx/xxx
--ipv4
--refresh-time 30
--w3c
--sampling-rate 30
--no-fc
--no-invalid-lun
--skip-version-check
--numeric-ip-addresses
--protocols FTP=ftp|ftp-data,PROXY=8080,HTTP=http|www|https,\
DNS=name|domain,Telnet=telnet|login,Mail=pop-3|smtp|imap|imap2,\
SNMP=snmp|snmp-trap,NEWS=nntp,DHCP-BOOTP=67-68,X11=6000-6010,\
SSH=ssh|9638,Gnutella=6346|6347|6348,Kazaa=1214,BitTorrent=6881-6887,\
IRC=6667,Messaging=1863|5000|5001|5190-5193
--filter-expression "not arp"
--no-interface-merge
--daemon
Optionally it can be downloaded from here.
I believe it is pretty straightforward, though I did make some changes to that protocol list (the default list should be located in /etc/ntop/protocol.list). I will explain some of what I used: --https-server 0 disables the https server; optionally the same value on --http-server disables http. The --filter-expression accepts BPF-style filter expressions (i.e. tcpdump syntax). I am using "not arp" because of the placement of my ntop sensor, I don’t want my logs filled up with useless network chatter.
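Since the --protocols value is the one part of the conf file that is easy to get subtly wrong, here is a small parser for it that I wrote for this post (not ntop’s own code). It expands the LABEL=alt|alt,LABEL=lo-hi format above into a port-to-label map, resolves service names through /etc/services with a constructed fallback table, and reports any name it cannot resolve and any port claimed by two labels.

```python
import socket

# Constructed fallback for service names that may be missing from the local
# /etc/services (assumption: standard IANA assignments).
FALLBACK_SERVICES = {
    "ftp": 21, "ftp-data": 20, "http": 80, "www": 80, "https": 443,
    "name": 42, "domain": 53, "telnet": 23, "login": 513, "pop-3": 110,
    "smtp": 25, "imap": 143, "imap2": 143, "snmp": 161, "snmp-trap": 162,
    "nntp": 119, "ssh": 22,
}

# The --protocols value from the conf file above, with its backslash line
# continuations kept so the parser has to handle them.
NTOP_PROTOCOLS = (
    "FTP=ftp|ftp-data,PROXY=8080,HTTP=http|www|https,\\\n"
    "DNS=name|domain,Telnet=telnet|login,Mail=pop-3|smtp|imap|imap2,\\\n"
    "SNMP=snmp|snmp-trap,NEWS=nntp,DHCP-BOOTP=67-68,X11=6000-6010,\\\n"
    "SSH=ssh|9638,Gnutella=6346|6347|6348,Kazaa=1214,BitTorrent=6881-6887,\\\n"
    "IRC=6667,Messaging=1863|5000|5001|5190-5193"
)

def resolve(item):
    # One alternative: a numeric port, a numeric range "lo-hi", or a service
    # name looked up in /etc/services with the constructed table as fallback.
    if item.isdigit():
        return {int(item)}
    lo_hi = item.split("-")
    if len(lo_hi) == 2 and all(p.isdigit() for p in lo_hi):
        return set(range(int(lo_hi[0]), int(lo_hi[1]) + 1))
    try:
        return {socket.getservbyname(item)}
    except OSError:
        port = FALLBACK_SERVICES.get(item)
        return {port} if port is not None else set()

def parse_protocols(value):
    # Build {port: label}; collect unresolved names and ports claimed twice.
    port_map, conflicts, unresolved = {}, [], []
    for entry in filter(None, value.replace("\\\n", "").split(",")):
        label, _, spec = entry.strip().partition("=")
        for item in spec.split("|"):
            ports = resolve(item)
            if not ports:
                unresolved.append((label, item))
            for port in ports:
                if port in port_map and port_map[port] != label:
                    conflicts.append((port, port_map[port], label))
                port_map[port] = label
    return port_map, conflicts, unresolved
```

Run it against your own list before starting ntop: an empty conflicts list and an empty unresolved list mean every port lands under exactly one label.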
Next up, I saved my conf file to /etc/ntop/ and now (sudo/root) you should be able to start ntop from the command line by entering ntop @/etc/ntop/ntop.conf. Yes that really is an @ symbol .. kinda odd but whatever. You should now be able to connect to http://yourserverip:3000 and see the ntop page! If you are having problems getting ntop to start you can comment out (with a #) the --use-syslog and --daemon options so ntop will output everything to the console. Just be sure to put them back when you are done.
This concludes part 1 of a better look at ntop. In the next part I will cover the config file more in depth. I will also go into the plugins and upload some screen shots of ntop in action.
*original file is located here, saved locally in case the site goes down.