a better look at ntop – part 2


In my earlier post “a better look at ntop – part 1”, I covered installing ntop, creating the ntop conf file and a few of its more interesting configuration options. Today in part 2, we will look at the web interface, plugins and an important command line option. After posting part 1, I thought it would be a good idea to let ntop run for a few days so I could collect some good graphs/data to share. However, it slipped my mind at the time that ntop is a serious resource hog. After 4 days of data collection, the hard drive in my debian box filled up and things were not so happy. Because of this, unfortunately I had to dump all the rrd graphs for those 4 days. But we must press on, with or without pretty graphs!

Let’s dive into a better look at ntop – part 2:


I feel like I need to backtrack just a little, and expand upon some things I neglected in part 1. We covered installing ntop using apt-get, and I realized that my apt sources list is vastly different than the default one. The ntop package I installed comes from another project I like to experiment with, called OSSIM. If you want to make sure you have the same package installed, you will need to edit your apt sources list.

You will need to (sudo/root) use the editor of your choice to edit /etc/apt/sources.list, adding the following line: deb http://www.ossim.net/download/ debian/ . This applies to debian only; your mileage may vary.

I also failed to mention the location of the conf file installed by the package; I simply called it asinine. If you wish to use the package-installed conf file, it is located at /var/lib/ntop/init.cfg. Recap: I created my own ntop.conf in /etc/ntop/.

One of the most important command line options you need to know about is -A. Remember when you set that password during the package install? No? Then ntop -A is for you. The man page describes the -A option as ‘Ask admin user password and exit’ .. I’m pretty sure this couldn’t be any more vague. Here is what it really does: it allows you (sudo/root) to change the admin password! Amazing. Just run ntop -A from the terminal, enter the new password twice and everything should be ready to go.

At this point, you need to have the ntop server running. I hope by now you have tried starting it a few times and are sure that the process starts and then becomes a daemon. If not, refer back to my troubleshooting tips in part 1. If you don’t remember how to start it: (sudo/root) ntop @/etc/ntop/ntop.conf

Launch the browser of your choice and go to http(s)://ipofyourntopbox:3000/3001; if you have installed it locally then use localhost or 127.0.0.1, otherwise you probably know the correct IP:port. You won’t be prompted for a login at this point; you should see the Global Traffic Statistics page. Initially there isn’t going to be much to see here, but depending on the options you used (or if you used mine), data should start populating pretty quickly.

Now it’s time to explore the plugins available to us. The Round-Robin Database plugin is where we should begin; it is found at Plugins -> Round-Robin Databases -> Configure. Hopefully your package management installed rrdtool when you installed ntop. If not, you will need to install rrdtool to use this plugin. RRDtool is used to store historical data about the network while ntop is running. Ntop also uses the historical data to predict network usage as well as possible anomalies. The default settings for the rrdtool plugin are fine for testing and experimenting, but I warn you, ntop is a hog. I filled up a 14GB partition in just under four days. You may wish to throttle the collection times to a longer period, as well as unchecking some of the “data to dump” options (I dump domains, hosts and interfaces). Another option is to change the RRD Detail down to low, but c’mon, we are nerding it up here, leave it at full. The other plugins that I find useful are icmp watch and Hosts last seen. Neither of these requires any configuration; they are simply active or inactive. Try them out if you wish.
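Since the RRD plugin is what filled the disk in the first place, here is a small watchdog you can drop into cron so you get a warning before the partition fills up. This is an added example, not part of the original post or of ntop itself. It assumes the RRD files live under RRD_DIR (a hypothetical default of /var/lib/ntop/rrd; point it at whatever path the plugin's Configure page shows) and that LIMIT_KB is the disk budget you are willing to give ntop, in KiB.

```shell
#!/bin/sh
# Added example (not from the original post or from ntop): warn when ntop's RRD
# store grows past a disk budget, and report free space on its partition.
# Assumptions: RRD files live under RRD_DIR (hypothetical default below; use the
# path from Plugins -> Round-Robin Databases -> Configure) and LIMIT_KB is the
# budget in KiB.

RRD_DIR="${RRD_DIR:-/var/lib/ntop/rrd}"
LIMIT_KB="${LIMIT_KB:-10485760}"     # 10 GiB, expressed in KiB

# rrd_usage_kb DIR: print the on-disk size of DIR in KiB (0 if DIR is absent).
rrd_usage_kb() {
    if [ -d "$1" ]; then
        du -sk "$1" | awk '{ print $1 }'
    else
        echo 0
    fi
}

# partition_free_kb PATH: print free KiB on the filesystem that holds PATH.
# Walks up to the nearest existing parent so a not-yet-created store still
# reports the right partition instead of making df fail.
partition_free_kb() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    df -Pk "$p" | awk 'NR == 2 { print $4 }'
}

# check_rrd_usage DIR LIMIT_KB: return 0 while DIR is under LIMIT_KB, 1 once it
# is over. The warning goes to stderr so cron mails it to you rather than the
# partition silently filling up, as happened to the author.
check_rrd_usage() {
    dir="$1"
    limit="$2"
    usage=$(rrd_usage_kb "$dir")
    if [ "$usage" -ge "$limit" ]; then
        echo "WARNING: ntop RRD store $dir uses ${usage} KiB (limit ${limit} KiB)" >&2
        return 1
    fi
    return 0
}

# Only run the check when invoked as "ntop-rrd-watch.sh --check", so the
# functions can be sourced from other scripts without side effects.
if [ "${1:-}" = "--check" ]; then
    echo "free on partition holding $RRD_DIR: $(partition_free_kb "$RRD_DIR") KiB"
    check_rrd_usage "$RRD_DIR" "$LIMIT_KB"
fi
```

An hourly cron entry such as `0 * * * * RRD_DIR=/var/lib/ntop/rrd LIMIT_KB=10485760 /usr/local/bin/ntop-rrd-watch.sh --check` is enough: cron mails any stderr output, so the first warning arrives while there is still time to lengthen the collection interval or uncheck some of the “data to dump” options.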

As you explore around, you may find some things that aren’t working. Don’t panic: some things depend on where your ntop server is placed on the network, and some things require a certain amount of data to be collected first. An example of things not working: since my ntop listens on a transparent interface on the WAN side of my network, I cannot see “local LAN” traffic. Because of this, IP -> Traffic Directions -> Local to Local and Local to Remote never populate with any information for me, but I expected that to occur (YMMV).

The last piece of ntop we should examine is located at IP -> Local -> Network Traffic Map. This section did not work for me out of the box, because some needed dependencies were not installed. In order to get the map working properly, I had to install graphviz, gsfonts and fontconfig. Once complete, go to Admin -> Configure -> Preferences (username: admin). At the bottom of the preferences page you will need to add key.path and provide the path to the dot tool (most likely it is /usr/bin/dot). Hopefully the network map now shows established connections between your host and other local/remote hosts.

Now is the time where you go off on your own and see what you can discover with ntop. See if you can answer some questions about the network using only ntop.

  • Who is the biggest file sharing user?
  • Who spends more time instant messaging than working?
  • When are your peak traffic times?

Lastly, I decided not to cover making an init script for ntop, mainly because I only run it from time to time for fun and troubleshooting. It is also very likely that you will be upset if ntop starts automatically and fills up your hard drive all the time. However, if you like ntop and you want a solution that is designed to run all the time, take a look at nBox86. They sell an ntop appliance; I, however, cannot afford one. I of course would accept a free one :)

Hope you enjoyed this two-part look at ntop, and I hope you learned something from it.

4 Responses to “a better look at ntop – part 2”

  1. JPres Says:

    I liked reading it on my PSP!

  2. Clarkee Says:

    I really like ntop. Nice follow-up article.

  3. Bryan Says:

    Thanks for taking the time to write this article, lots of useful info! w00t

  4. Andy Says:

    I need your help! How can I configure ntop to obtain history for one host or IP address, because the software refreshes data every 10 minutes?
