One Unified Global Perspective
2007 Jan 24 - Wed

Installing NTOP: Network Traffic Probe Showing Network Usage

NTOP is a very good tool for monitoring the various traffic flows that make up an overall packet stream. It functions in two modes, simultaneously if you'd like: netflow mode, and sniffing mode.

In Netflow mode, routers forward their flow statistics to Ntop in netflow summary packets, and Ntop uses those packets to generate its summaries. If a router capable of producing Netflow statistics is not available or is not appropriately placed in the network, then a secondary port on the server on which Ntop is installed can be used to sniff aggregated traffic. Ntop will then calculate its summaries based upon the traffic it actually sees. For complicated scenarios, Ntop has the ability to monitor multiple netflow agents and multiple traffic sniffers simultaneously.

NTOP is almost runnable out of the package, but a few items need attention first.

Installation

Install the package:

apt-get install ntop

You'll need to run it once from the command line first. When asked, key in the password. You can then kill it and start it as a service:

/etc/init.d/ntop start

You can then browse to it on port 3000. Once started, open the configure menu and supply the username admin and the password. Set:

Basic:  run as daemon, 172.20.0.0/20 for local subnet (or similar)
Display:  mesu for ip only
IP Pref: v4 only
Advanced:  Don't trust mac, 

nProbe Build Process

After purchasing and downloading the unix source for nProbe, I had a few build issues. Here is what I can recollect on what I did:

  • apt-get install automake1.7
  • apt-get remove automake1.4
  • ./autogen.sh
  • ./configure
  • make

A user doc for the related nBox is found at http://www.ntop.org/UsersGuide.pdf

A paper on nProbe can be found at http://www.sane.nl/sane2006/program/final-papers/R3.pdf.

A closely related presentation can be found at http://luca.ntop.org/SANE-2006.pdf.

Sample command line:

./nprobe -n 127.0.0.1:9966 -i eth1 -V 9 -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %OUT_BYTES %OUT_PKTS %ICMP_TYPE %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN %DIRECTION %IN_DST_MAC %OUT_SRC_MAC %NW_LATENCY_SEC %NW_LATENCY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %IN_PAYLOAD %OUT_PAYLOAD %ICMP_FLAGS %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA"

An RTP based command line example:

./nprobe -n 127.0.0.1:9966 -i eth1 -V 9 -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %DST_TOS %L4_SRC_PORT %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %SRC_VLAN %DST_VLAN %NW_LATENCY_SEC %NW_LATENCY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA"
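
With -V 9 the -T string becomes a NetFlow v9 template record that the collector must receive before it can decode any data records. The following is an added example, not code from nProbe or ntop: a minimal collector-side decoder with the length checks that unauthenticated UDP input needs. It assumes the RFC 3954 field type numbers for a few of the names above; the function names and the sample datagram are constructed for illustration.

```python
import socket
import struct

# RFC 3954 field type numbers for some of the -T names used above.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def parse_v9(packet, templates):
    """Decode one NetFlow v9 datagram; `templates` persists between datagrams."""
    if len(packet) < 20 or packet[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 datagram")
    source_id = struct.unpack_from("!I", packet, 16)[0]   # last header field
    flows, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, off)
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("flowset length exceeds datagram")  # untrusted input
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                                    # template flowset
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, pos)
                if tid < 256 or pos + 4 + 4 * nfields > len(body):
                    break                                 # padding or truncated record
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, pos + 4 + 4 * i) for i in range(nfields)]
                pos += 4 + 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:   # data flowset
            fields = templates[(source_id, fs_id)]
            rec_len, pos = sum(flen for _, flen in fields), 0
            while rec_len and pos + rec_len <= len(body):        # leftover bytes are padding
                rec = {}
                for ftype, flen in fields:
                    raw, pos = body[pos:pos + flen], pos + flen
                    name = FIELD_NAMES.get(ftype, "TYPE_%d" % ftype)
                    rec[name] = (socket.inet_ntoa(raw) if ftype in (8, 12) and flen == 4
                                 else int.from_bytes(raw, "big"))
                flows.append(rec)
        off += fs_len
    return flows

def sample_packet():
    """Constructed datagram: one template (id 256) and one flow record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    data = (socket.inet_aton("172.20.0.5") + socket.inet_aton("192.0.2.10")
            + struct.pack("!HHBII", 16384, 16386, 17, 50, 10000) + b"\x00" * 3)
    header = struct.pack("!HHIIII", 9, 2, 1000, 1169600000, 1, 1)
    return (header + struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
            + struct.pack("!HH", 256, 4 + len(data)) + data)
```

Data flowsets that arrive before their template are skipped rather than guessed at, and a flowset whose declared length runs past the datagram is rejected.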



Blog Content ©2008
Ray Burkholder
All Rights Reserved