ntop − display top network users
ntop [@filename] [-a|--access-log-path <path>] [-b|--disable-decoders] [-c|--sticky-hosts] [-e|--max-table-rows <number>] [-f|--traffic-dump-file <file>] [-g|--track-local-hosts] [-h|--help] [-k|--filter-expression-in-extra-frame] [-l|--pcap-log <path>] [-m|--local-subnets <addresses>] [-n|--numeric-ip-addresses] [-o|--no-mac] [-p|--protocols <list>] [-q|--create-suspicious-packets] [-r|--refresh-time <number>] [-s|--no-promiscuous] [-t|--trace-level <number>] [-w|--http-server <port>] [-z|--disable-sessions] [-A|--set-admin-password[=<password>]] [-B|--filter-expression <expression>] [-D|--domain <name>] [-F|--flow-spec <specs>] [-M|--no-interface-merge] [-O|--output-packet-path <path>] [-P|--db-file-path <path>] [-Q|--spool-file-path <path>] [-R|--filter-rule <file>] [-U|--mapper <URL>] [-V|--version] [--disable-stopcap] [--log-extra <number>] [--disable-instantsessionpurge]
Unix options: [-d|--daemon] [-i|--interface <name>] [-u|--user <user>] [-K|--enable-debug] [-L|--use-syslog[=<facility>]] [--ignore-sigpipe]
Win32 option: [-i|--interface <number|name>]
OpenSSL options: [-W|--https-server <port>]
ntop shows the current network usage. It displays a list of hosts that are currently using the network and reports information concerning the (IP and non-IP) traffic generated by each host. ntop may operate as a front-end collector (sFlow and/or NetFlow plugins) or as a stand-alone collector/display program. A web browser is needed to access the information captured by the ntop program.
@filename
The text of filename is copied - ignoring line breaks and comment lines (anything following a #) - into the command line. ntop behaves as if all of the text had simply been typed directly on the command line. For example, if the command line is "-t 3 @d -u ntop" and file d contains just the line '-d', then the effective command line is -t 3 -d -u ntop. Multiple @s are permitted. Remember, most ntop options are "sticky", that is they just set an internal flag; invoking them multiple times doesn't change ntop's behavior. However, options that set a value, such as --trace-level, will use the LAST value given: --trace-level 2 --trace-level 3 will run as --trace-level 3.
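As an added example (this is not ntop code and not part of the original man page), the following POSIX shell functions reproduce the @filename expansion rules stated above, so an operator can preview the effective command line an argument file will produce, and see which value a repeated value-taking option actually ends up with, before handing it to ntop. The argument file used in the test is constructed; the /etc/ntop.args path in the usage comment is hypothetical.

```sh
#!/bin/sh
# Added example, not ntop code: emulate ntop's @filename expansion.
# Rules from the man page: the file's text is spliced into the command
# line, line breaks are ignored and anything after '#' on a line is a comment.

# expand_args ARG... : print the effective argument list, one token per line.
expand_args() {
    for arg in "$@"; do
        case $arg in
            @?*)
                file=${arg#@}
                # Drop comments, then split whatever is left on whitespace.
                sed 's/#.*//' "$file" | tr -s ' \t\n' '\n\n\n' | sed '/^$/d'
                ;;
            *)
                printf '%s\n' "$arg"
                ;;
        esac
    done
}

# effective_cmdline ARG... : the same tokens joined on one line, as ntop sees them.
effective_cmdline() {
    expand_args "$@" | tr '\n' ' ' | sed 's/ $//'
}

# last_value OPTION ARG... : the value a value-taking option (e.g. --trace-level)
# will actually run with, since ntop uses the LAST occurrence given.
last_value() {
    opt=$1; shift
    expand_args "$@" | awk -v opt="$opt" '
        prev == opt { val = $0 }
        { prev = $0 }
        END { if (val != "") print val }'
}

# Usage (hypothetical path): preview "ntop -t 3 @/etc/ntop.args -u ntop".
# effective_cmdline -t 3 @/etc/ntop.args -u ntop
```

The preview is worth running on any argument file that is shared between hosts: a stray uncommented line can silently add -s, change -w, or override -u, and nothing in ntop's startup output points back at the file.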
-a | --access-log-path
By default ntop does not maintain an HTTP log. Use this flag to specify the path of the file where HTTP accesses to the embedded web server will be logged. Each log entry is in Apache-like style. The only difference between Apache and ntop is that an additional column has been added which holds the time (in milliseconds) that ntop needed to serve the request.
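The access log is the only record of who reached the embedded web server, so it is worth auditing. As an added example (not ntop code), the awk functions below pull out clients that repeatedly receive 401 (the usual answer to a password-protected page without valid credentials; treated as an assumption here) and requests that took unusually long to serve. The man page does not state where the extra millisecond column sits, so this example ASSUMES the Apache common-log fields followed by that column as the last field; the log lines embedded below are constructed for illustration, not captured from a real ntop.

```sh
#!/bin/sh
# Added example, not ntop code. ASSUMED log layout: Apache common-log fields
# followed by ntop's extra service-time column (milliseconds) as the last field.
# The lines below are constructed for illustration, not captured from ntop.
SAMPLE_LOG='192.168.1.20 - - [10/Jul/2003:12:00:01 +0200] "GET /index.html HTTP/1.0" 200 5120 18
10.9.8.7 - - [10/Jul/2003:12:00:03 +0200] "GET /admin.html HTTP/1.0" 401 412 2
10.9.8.7 - - [10/Jul/2003:12:00:04 +0200] "GET /admin.html HTTP/1.0" 401 412 2
10.9.8.7 - - [10/Jul/2003:12:00:05 +0200] "GET /admin.html HTTP/1.0" 401 412 3
192.168.1.20 - - [10/Jul/2003:12:00:09 +0200] "GET /hostsInfo.html HTTP/1.0" 200 1048576 4120'

# unauthorized_clients LOGFILE MIN : clients with at least MIN requests answered
# 401, printed as "count host". Repeated 401s from one address against the
# admin pages are the password-guessing signature to watch for.
unauthorized_clients() {
    awk -F'"' -v min="$2" '
        { split($1, head, " "); split($3, tail, " ")
          if (tail[1] + 0 == 401) n[head[1]]++ }
        END { for (h in n) if (n[h] >= min) print n[h], h }' "$1"
}

# slow_requests LOGFILE MS : requests whose service time exceeded MS milliseconds,
# printed as "msec method path". Heavy page fetches against a traffic monitor
# are a cheap way to load the host, so these deserve a look too.
slow_requests() {
    awk -F'"' -v max="$2" '
        { split($3, tail, " ")
          if (tail[3] + 0 > max) { split($2, req, " "); print tail[3], req[1], req[2] } }' "$1"
}

# write_sample LOGFILE : write the constructed lines to a file for a dry run.
write_sample() {
    printf '%s\n' "$SAMPLE_LOG" > "$1"
}
```

Splitting on the double quote rather than on whitespace keeps the request line intact even when the path contains spaces, and makes the status and millisecond fields easy to address relative to the end of the line.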
-b | --disable-decoders
This flag disables protocol decoders (e.g. DNS, NetBIOS). Use it for better performance or if you suspect ntop has problems handling some protocols.
-c | --sticky-hosts
By default idle hosts are periodically purged from memory. Use this flag to prevent idle hosts from being purged. NOTE: if idle hosts are kept in memory, memory usage can grow very large on busy networks.
-d | --daemon
This flag causes ntop to become a daemon, i.e. it is started in the background and runs detached from the terminal.
-e | --max-table-rows
The maximum number of HTML table rows that ntop will display.
-f | --traffic-dump-file
Specifies a file of tcpdump (pcap) captured traffic to be read by ntop instead of live traffic. NOTE: if you specify -f, ntop will not capture any traffic after the file has been read. This option is mostly used for debugging.
-g | --track-local-hosts
Use this flag to tell ntop that you care only about local hosts (use -m to specify the local networks). This flag is useful on large networks, or on those that see many hosts (e.g. a border router or gateway), where only the local hosts need to be tracked.
-h | --help
Print help information for ntop, including usage.
-i | --interface
Specifies the network interface used by ntop. If multiple interfaces are used (this feature is available only if ntop is compiled with thread support) their names must be separated with a comma, for instance -i "eth0,lo". By default, traffic information obtained from all the interfaces is merged together as if the traffic were seen by only one interface. Use the -M flag to keep traffic separate by interface. Win32 note: this can be either the number of the interface or its name. Run ntop -h to see the list of interface name-number mappings (at the end of the help information).
-k | --filter-expression-in-extra-frame
When this flag is used, the current filter expression is printed in an extra frame and is thus always visible.
-l | --pcap-log
Dumps the network traffic captured by ntop to a file in pcap format (useful for debugging).
-m | --local-subnets
This flag allows users to specify the subnets whose traffic is considered local. The format is <network address>/<# subnet mask bits>[,<network address>/<# subnet mask bits>]. Both netmasks and CIDR notation may be used, for instance "131.114.21.0/24,10.0.0.0/255.0.0.0".
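Because -g drops everything that is not covered by -m, a mis-typed subnet list quietly discards the very hosts you wanted tracked. As an added example (not ntop's code), the POSIX shell functions below implement the -m address syntax, accepting both the prefix-length and dotted-netmask forms shown above, so a -m string can be checked against known addresses before it is trusted. The subnet list in the test is the man page's own example; the host addresses tested against it are constructed.

```sh
#!/bin/sh
# Added example, not ntop code: classify an address against a -m style
# subnet list ("net/bits" or "net/dotted-mask", comma separated).

# ip_to_int A.B.C.D : print the address as a 32-bit integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# mask_to_int MASK : MASK is a prefix length (e.g. 24) or a dotted mask (255.0.0.0).
mask_to_int() {
    case $1 in
        *.*) ip_to_int "$1" ;;
        0)   echo 0 ;;
        *)   echo $(( (4294967295 << (32 - $1)) & 4294967295 )) ;;
    esac
}

# is_local IP SUBNETS : exit 0 if IP is inside any entry of SUBNETS, else 1.
# Entries without a '/' are skipped, so a typo can make nothing local at all;
# check your -m string with this before relying on -g output.
is_local() {
    ip=$(ip_to_int "$1")
    old_ifs=$IFS
    IFS=,
    set -- $2
    IFS=$old_ifs
    for entry in "$@"; do
        case $entry in
            */*) ;;
            *)   continue ;;
        esac
        net=$(ip_to_int "${entry%/*}")
        mask=$(mask_to_int "${entry#*/}")
        if [ $(( ip & mask )) -eq $(( net & mask )) ]; then
            return 0
        fi
    done
    return 1
}
```

The comparison masks both the candidate address and the configured network, so an entry written with host bits set (e.g. 10.1.2.3/8) still matches the whole /8, which is the usual lenient interpretation of the syntax.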
-n | --numeric-ip-addresses
This causes ntop to show numeric IP addresses instead of symbolic names. This option can be useful when DNS is not available or is slow.
-o | --no-mac
Specifies that ntop should not trust MAC addresses but only IP addresses. This option is useful whenever ntop is started on an interface where MAC addresses cannot really be trusted (e.g. a port/VLAN mirror). Be aware that information which depends on MAC addresses (such as IPX) will not be collected nor displayed.
-p | --protocols
It is used to specify the TCP/UDP protocols that ntop will monitor. The format is <label>=<protocol list>[,<label>=<protocol list>], where label is used to symbolically identify the <protocol list>. The format of <protocol list> is <protocol>[|<protocol>], where <protocol> is either a valid protocol name specified in the /etc/services file or a numeric port or port range (e.g. 80, or 6000-6500). If the -p flag is omitted the following default value is used:
FTP=ftp|ftp-data
HTTP=http|www|https|3128    (3128 is Squid, the HTTP cache)
DNS=name|domain
Telnet=telnet|login
NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
DHCP-BOOTP=67-68
SNMP=snmp|snmp-trap
NNTP=nntp
NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
X11=6000-6010
SSH=22
Peer-to-Peer Protocols:
Gnutella=6346|6347|6348
Kazaa=1214
WinMX=6699|7730
DirectConnect=0    (dummy port, as this is a pure P2P protocol)
eDonkey=4661-4665
Instant Messenger:
Messenger=1863|5000|5001|5190-5193
If the <protocol list> is very long you may store it in a file (for instance protocol.list). To do so, specify the file name instead of the <protocol list> on the command line, e.g. ntop -p protocol.list instead of ntop -p FTP=ftp|ftp-data,HTTP=http|www|https|3128 ...
-q | --create-suspicious-packets
Forces ntop to create a file ntop-suspicious-pkts.XXX.pcap (XXX is the interface name). One file is created for each network interface where suspicious packets are found. The file is in pcap (tcpdump) format.
-r | --refresh-time
Specifies the delay (in seconds) between screen updates (the default is 3 seconds). Please note that if the delay is very short (1 second for instance), ntop might not be able to process all the network traffic.
-s | --no-promiscuous
Use this flag to prevent ntop from setting the interface(s) into promiscuous mode. ntop must probably still be started as root, since the libpcap functions on most systems require it to capture raw packets. Without promiscuous mode ntop can no longer capture Ethernet frames regardless of their destination; it only sees frames directed to the local Ethernet card or to the Ethernet broadcast address. Even if you use this flag, the interface could well be in promiscuous mode because other applications may have enabled it.
-t | --trace-level
This flag specifies the level of ntop tracing on stdout. The trace level ranges between 0 (no trace) and 5 (full debug tracing). The default trace level is 3. The higher the trace level, the more information is printed. Trace level 1 prints errors only, level 2 both warnings and errors, and so on. Trace level 4 is called 'noisy', and it is. It also enables a tag on every message, which may be useful for log watchers. Trace level 5 is 'noisy' plus --log-extra 1, i.e. with a file:line tag on every message.
-u | --user
Specifies the user ntop should run as after it initializes. The value may be either a username or a numeric user id. The group id used will be the primary group of the specified user. If this parameter is not specified, ntop will try to switch first to 'nobody' and then to 'anonymous' before giving up.
-w | --http-server
ntop offers an embedded web server so that users can attach their web browsers to the program and browse traffic information remotely. This parameter specifies the port (and optionally the address, i.e. interface) of the ntop web server. For example, if started with -w 3000 (the default port), the URL to access ntop is http://hostname:3000/. If started with a full specification, e.g. -w 192.168.1.1:3000, ntop listens on only that address/port combination; this is how to keep the web server off interfaces you do not trust. If -w is set to 0 the HTTP port will not be enabled ('-w 0' is accepted only if ntop has been compiled with HTTPS support and has not been started with '-W 0' [see below]). Some examples:
ntop -w 3000 -W 0    (this is the default setting) HTTP requests on port 3000 and no HTTPS.
ntop -w 80 -W 443    Both HTTP and HTTPS are enabled on their most common ports.
ntop -w 0 -W 443     HTTP disabled, HTTPS enabled on the common port.
An external HTTP server is NOT required NOR supported. The ntop web server is embedded into the application. By default the user/URL administration pages are password protected and are initially accessible only to the user admin, with a password set during the first run of ntop. Users can modify/add/delete users/URLs using ntop itself - see the Admin tab. The passwords, userids and URLs to protect with passwords are stored in a database file. Passwords are stored in an encrypted form in the database for further security.
-z | --disable-sessions
This flag disables TCP session tracking. Use it for better performance or when you don't really need/care to track sessions.
-A | --set-admin-password
This flag is used to start ntop, set the admin password and quit. It is quite useful for installers that need to set the password for the admin user automatically. -A and --set-admin-password (without a value) will prompt the user for the password. You may set a specific value using --set-admin-password=value. The = is REQUIRED! Note that a password given on the command line is visible to other local users in the process list for as long as ntop runs; prefer the prompting form on shared hosts.
-B | --filter-expression
Similar to tcpdump (and using the same BPF - Berkeley Packet Filter - syntax), this flag allows the user to specify an expression which restricts the traffic seen by ntop. You may use this to select only the traffic of interest. For instance, suppose you are interested only in the traffic generated/received by the host jake.unipi.it. ntop can then be started with the following filter: ntop -B "src host jake.unipi.it or dst host jake.unipi.it". See the 'expression' section of the tcpdump man page for further information about BPF filters.
-D | --domain
This identifies the local domain suffix, e.g. ntop.org. It may be necessary if ntop is having difficulty determining it from the interface.
-F | --flow-spec
It is used to specify network flows, similar to more powerful applications such as NeTraMet. A flow is a stream of captured packets that match a specified rule. The format is <flow-label>='<matching expression>'[,<flow-label>='<matching expression>'], where the label is used to symbolically identify the flow specified by the expression. The expression format is specified in the appendix. If an expression is specified, the information concerning flows can be accessed by following the HTML link named 'List NetFlows'. For instance, define two flows with the following expression: LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'. All the traffic sent/received by hosts jake.unipi.it or pisanino.unipi.it is collected by ntop and added to the LucaHosts flow, whereas all the packets routed by the gateway gateway.unipi.it are added to the GatewayRoutedPkts flow. If the flows list is very long you may store it in a file (for instance flows.list) and specify the file name instead of the actual flows list (in the above example, this would be ntop -F flows.list).
-K | --enable-debug
Use this flag to simplify application debugging. It does three things:
1. Does not fork() on the "read only" html pages.
2. Displays mutex values on the configuration (info.html) page.
3. (If available - glibc/gcc) Activates an automated backtrace on application errors.
-L | --use-syslog=facility
Use this flag to log to syslog instead of stdout. Please note that if ntop (ever) forks a child, syslog will be used for that child regardless of this setting. The (optional) parameter value indicates the facility (e.g. daemon, security) to be used for logging, using --use-syslog=facility. The = is REQUIRED!
-M | --no-interface-merge
Forces ntop not to merge network interfaces together. This means that ntop will collect statistics for each interface and report them separately - see Admin | Switch NIC to select which interface to report. Note that the NetFlow and sFlow plugins will force the setting of -M.
-O | --output-packet-path
Base path for the ntop-suspicious-pkts.XXX.pcap and normal packet log files (in tcpdump format). If the base path is a directory you have to append a / to the string for this to work.
-P | --db-file-path
This specifies where the ntop db and preferences files are created. Note that the default, ".", may not be what you expect when running ntop as a daemon or Win32 service. Setting an explicit value is STRONGLY recommended.
-Q | --spool-file-path
This specifies where the ntop spool db files are created. If not specified, it is set to the same value as the db file path (see the option above).
-U | --mapper
Specifies the URL of the mapper.pl utility. ntop creates a hyperlink to this URL by appending ?host=xxxxx and creates a clickable button. Any type of host lookup could be performed, but this is intended to look up the geographical location of the host; note that each click discloses the looked-up host address to whoever operates the configured URL. A cgi-based mapper interface to http://www.multimap.com is part of the ntop distribution (see www/Perl/mapper.pl).
-V | --version
Prints ntop version information and then exits.
-W | --https-server
If ntop has been compiled with HTTPS support (via OpenSSL), this flag can be used to set the HTTPS port and address. If the user specifies '-W 0', HTTPS support is disabled. This is the default (disabled). For more information, see the -w parameter above.
--disable-stopcap
Returns ntop to the old (v2.1) behavior on a memory error. The default, stopcap enabled, keeps the web interface available, albeit with static content, until ntop is shut down.
--log-extra
Setting 1 adds a [file:line] tag to the beginning of every log message. Setting 2 adds a [MSGIDnnnnnnn] tag at the end of every log message. The nnnnnnn value should be a unique number for every message and should be stable across ntop releases. Both are useful for debugging and for use with log watching and filtering packages.
--disable-instantsessionpurge
ntop marks completed sessions as 'timed out' and then purges them almost instantly, which is not the behavior you might expect from the discussions about purge timeouts. This switch makes ntop respect the timeouts for completed sessions. It is NOT the default because a busy web server may have hundreds or thousands of completed sessions and this would significantly increase the amount of memory ntop uses.
While ntop is running, multiple users can access the traffic information using conventional web browsers. The main HTML page is divided into three frames. The top frame is a familiar tabbed navigation bar, containing items such as 'Total', 'Sent' and 'IP Protos'. The left frame allows users to select the specific traffic view from among those for the tab. The resulting data is displayed in the right frame.
ntop requires a number of external tools. Other tools are optional, but add to the program's capabilities.
Required libraries include:
libpcap from http://www.tcpdump.org/ The Win32 version makes use of libpcap for Win32, which may be downloaded from http://winpcap.polito.it/install/default.htm. WARNING: the 2.x series of libpcap for Win32 releases will NOT support SMP machines.
gdbm from http://www.gnu.org/software/gdbm/gdbm.html
A POSIX threads library. Although a single-threaded version of ntop can be built from the source if requested during ./configure, it is not recommended for more than trivial usage.
Optional libraries include:
The gd library, for the creation of gif files, available at http://www.boutell.com/gd/. ntop supports both gd 1.X and 2.X.
The libpng library, for the creation of png files, available at http://www.libpng.org/pub/png/libpng.html.
openSSL (if an https:// server is desired) from the OpenSSL project, available at http://www.openssl.org.
rrdtool, required by the rrd plugin (included in the myrrd/ directory). rrdtool creates 'Round-Robin databases' which are used to hold and graph historical data. The rrdtool home page is http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
The sflow plugin is courtesy of and supported by InMon Corporation, http://www.inmon.com/sflowTools.htm.
There are other optional libraries. See the output of ./configure for a fuller listing.
An optional tool, which ntop will use if available, is lsof, available from ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/README. lsof is used to present a remote view of the open files on the ntop host. Note that lsof must be configured suid root to enable its use. The user is cautioned to fully understand the security implications of this setting before enabling it: a setuid-root binary runs with root privileges for any local user able to execute it, not only for ntop. ntop will function quite properly without the lsof tool.
Tool locations are current as of July 2003 - please send email to report new locations or dead links.
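Before enabling the lsof integration, it is worth confirming what the lsof on the ntop host actually is. As an added example (not ntop code), the shell function below reports whether a given binary carries the setuid bit and is owned by uid 0, the combination the caution above is about, and a wrapper applies it to whichever lsof is first on PATH. The temporary file used in the test is constructed.

```sh
#!/bin/sh
# Added example, not ntop code: report whether a binary (e.g. the lsof that
# ntop would call) is setuid AND owned by uid 0, the combination that runs it
# with root privileges for anyone who can execute it.

# suid_root_status PATH : prints missing | not-suid | suid-nonroot | suid-root.
# Exit status is 0 only for suid-root, so it can be used directly in an if.
suid_root_status() {
    path=$1
    if [ ! -e "$path" ]; then echo missing; return 2; fi
    if [ ! -u "$path" ]; then echo not-suid; return 1; fi
    # Numeric owner via ls -lnL (follows symlinks); stat(1) flags differ
    # between GNU and BSD, so ls is the portable choice here.
    owner=$(ls -lnL "$path" | awk '{ print $3 }')
    if [ "$owner" -eq 0 ]; then echo suid-root; return 0; fi
    echo suid-nonroot
    return 1
}

# lsof_status : check the lsof ntop would find on PATH, if any.
lsof_status() {
    lsof_path=$(command -v lsof 2>/dev/null) || { echo not-installed; return 3; }
    suid_root_status "$lsof_path"
}
```

A "suid-nonroot" result means the bit is set but buys nothing for ntop, while "suid-root" means every local account, not just the one ntop drops to with -u, can run lsof as root; decide on that basis whether the open-files view is worth it.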
top(1), tcpdump(8), pcap(3).
Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing list. The ntop <ntop@ntop.org> mailing list is used for discussing ntop usage issues. In order to post messages on the lists a (free) subscription is required, in order to limit/avoid spam. Please do NOT contact the author directly unless this is a personal question. Commercial support is available on request. Please see the ntop site for further info. Please send code patches to <patch@ntop.org>.
ntop's author is Luca Deri (http://luca.ntop.org/) who can be reached at <deri@ntop.org>.
ntop is distributed under the GNU GPL licence (http://www.gnu.org/).
The author acknowledges the Centro Serra of the University of Pisa, Italy (http://www-serra.unipi.it/) for hosting the ntop sites (both web and mailing lists), and Burton Strauss <burton@ntopsupport.com> for his help and user assistance. Many thanks to Stefano Suin <stefano@ntop.org> and Rocco Carbone <rocco@ntop.org> for contributing to the project.