Ntop

Overview

This page reviews the GroundWork NMS Ntop.

CONTENTS

RELATED RESOURCES

WAS THIS PAGE HELPFUL?

1.0 About Ntop

The ntop package is an open source toolkit for monitoring network traffic and is integrated into the GroundWork Network Management System (NMS.

In simple terms, ntop is an integrated toolkit for monitoring the activity on a network. Whereas most of the components in GroundWork Monitor are designed for the purpose of monitoring the devices on a network (such as measuring the available resources on a host and then generating alarms when conditions require it), ntop is designed to help administrators monitor the traffic on a network (such as measuring the amount of HTTP versus SMTP traffic, or viewing which nodes are generating the most traffic).

More specifically, ntop uses a variety of technologies to capture traffic from one or more network segments, analyzes the traffic for key attributes and markers, and then stores a summarized form of the data in a set of dynamic databases. From there, administrators can use the ntop web interface to display charts and tables that show the activity across the overall network, and can also drill-down to examine information associated with a particular network node.

ntop is primarily useful as a tool for assisting network administrators with network monitoring and management tasks such as viewing the distribution of application traffic across a network, or determining which nodes are responsible for the most traffic. However, ntop is also useful for monitoring peculiar traffic at specific devices, such as determining if a particular node is infected with a network worm, running a prohibited file-sharing program, or engaging in some other kind of undesirable activity.

This document discusses the basic configuration and operation of ntop.

2.0 Configuring the Ntop Package

The GroundWork NMS ntop package has its own unique configuration process.

Managing user access

The ntop web pages are provided by a standalone application, although the ntop web front-end is also integrated into GroundWork Monitor through the use of the JBoss Portal. As such, users who have been granted the appropriate role-based permission to access the ntop object can do so by logging into GroundWork Monitor, and then choosing the "Protocol Analyzer" entry from the main drop-down menu.

However, ntop also has its own separate user accounts and access controls, which are independent of the GroundWork Monitor controls. By default, ntop only has a single predefined administrative user account, with the username of admin and the password of admin. Furthermore, most of the built-in web pages are unrestricted, and do not require any authentication, although many of the administrative pages have access controls that restrict the users who can access those pages. If you want to restrict access to the ntop web server or some of its web pages, you will need to create the appropriate user accounts and access controls within ntop.

This process is separate from the process of determining which users have access to the Protocol Analyzer item in the GroundWork Monitor main menu. For information on configuring user access to the Protocol Analyzer menu item, refer to the System Administration documentation.
Managing user accounts

To manage the ntop user accounts, mouse-over the Admin menu at the top of the screen, then mouse-over the Configure sub-menu entry, and then click on the Web Users menu item (you can also access this page from the access controls page by clicking the Show Users hyperlink below the list of URLs). If you have not already authenticated to the ntop daemon, you will be presented with a dialog box requesting your credentials. Once you have provided the necessary credentials, you will then be presented with a screen that lists the currently defined user accounts, similar to the following:

Figure: Registered Ntop users


To add a new user account, click on the Add User hyperlink below the list of currently defined user accounts. A new screen will be displayed which allows you to specify the account name and password, similar to the following:

Figure: Manage Ntop users


After the fields have been filled in, click Add User to finalize the user account creation.

To modify a user account, return to the main user account page and click the pencil icon next to the desired account.

To delete a user account, return to the main user account page and click the trashcan icon next to the desired account.

There is no confirmation for this step. Also note that the _admin_ account cannot be deleted.
Managing Access Controls

ntop access controls are fairly rudimentary, and use basic pattern matching against a requested URL, with user accounts either having full or no access. In this model, access controls are matched against requests for specific web pages, and if the currently authenticated user is in the access list, then access is granted. If an unauthorized user is currently authenticated, then access is denied. If the current session is not already authenticated, then the user is asked to authenticate before access is granted.

To manage the access controls, mouse-over the Admin menu at the top of the screen, then mouse-over the Configure sub-menu entry, and then click on the Protect URLs menu item (you can also access this page from the user accounts page by clicking the Show URLs hyperlink below the list of accounts). If you have not already authenticated to the ntop daemon, you will be presented with a dialog box requesting your credentials. Once you have provided the necessary credentials, you will then be presented with a screen that lists the currently defined URLs, similar to the following:

Figure: Restricted Ntop URLs
Restricted Ntop URLs

To create a new access control, click the Add URL hyperlink below the list of currently defined access controls. A new screen will be displayed which allows you to specify the URL pattern which should be matched and the users which should have access to it, similar to the following:

Figure: Manage Ntop URLs


The URL string always includes the hostname and port number, and always ends with a wildcard (the "*" after the edit box in the screen above), so you can only specify the directory string for comparison purposes. Also note that you can restrict access to the entire ntop web server by leaving the URL field empty, since this will result in an access control that will match every request.

After the fields have been filled in, click Add User to finalize the user account creation. You can repeat this process as many times as needed.

To modify an access control, return to the main access control page and click the pencil icon next to the desired entry.

To delete an access control, return to the main user account page and click the trashcan icon next to the desired entry.

There is no confirmation for this step.
Configuring network monitors

By default, ntop is configured to use the local server's primary Ethernet interface for the purpose of collecting network traffic. However, modern switched networks limit the amount of data that is sent to each switch port, and as such this approach typically only allows ntop to capture the traffic that originated with or is destined for the local server. This is perfectly adequate when administrators only want to monitor the network activity associated with a specific server, but it is not adequate when the administrator wants to monitor an entire network. In order to capture additional traffic, one or more additional technologies must be deployed.

If an administrator only needs to monitor a handful of relatively low-volume devices, a simple solution is to use a non-switched network medium, such as an Ethernet hub. These devices broadcast every frame across all of the attached ports, which in turn allow the ntop daemon to capture all of the traffic that is transmitted across that portion of the network. However, the total available bandwidth of shared-medium networks is relatively limited in comparison to switched networks, which makes this approach unfeasible for large or busy networks.

Another option is to use a switch or router with port mirroring capabilities. In this arrangement, the network device sends duplicate copies of selected network traffic to a dedicated Ethernet interface on the ntop server, with ntop being configured to monitor the activity on that specific interface. However, this approach also has scalability problems---you cannot fully replicate multiple gigabit links into a single gigabit interface without losing some data, and the CPU requirements for processing such large amounts of network traffic can also be extraordinarily high.

For very large networks, ntop supports the use of two different flow monitoring technologies, both of which only transmit summary data instead of raw traffic. One of these technologies is called NetFlow, which was developed by Cisco Systems for use with their billing systems, but is now available on a wide variety of router platforms (even some small home routers support it). Essentially, NetFlow generates summary data about each individual network connection whenever that connection has been closed, providing details about the source and destination addresses, the amount of data transmitted, and so forth. This data is very close to the data that ntop uses for its own summary records, and as such is very well suited for detailed monitoring of a large network, although it does not offer the same level of granularity as direct captures.

Another technology supported by ntop is called sFlow, which was developed by InMon for use with high-volume Ethernet switches, but is also currently implemented on a variety of different networking products. Unlike NetFlow, sFlow does not summarize every individual connection, but instead makes use of sample traffic to provide an overall picture, such as capturing one out of every 100 packets on a particular switch port. This approach is more scalable on very-high volume networks, and provides enough data for administrators to get a good feel for the traffic crossing the network, but it is also the least granular technology since it is designed to completely ignore very large amounts of traffic.

In some cases, it may be desirable to use more than one of these techniques simultaneously. For example, a mid-sized network can use NetFlow to monitor the traffic traveling across an Internet router, while using sFlow to monitor sample traffic on the local network switches, while also using direct captures to monitor all of the low-level traffic that enters the server itself. When this kind of arrangement is in place, Ntop allows the administrator to switch between the different interfaces and display information about each network monitor separately.

If you wish to capture traffic on one or more local interfaces, you can specify the interface(s) to use through the ntop administration pages. To specify the capture interface(s), mouse-over the Admin menu at the top of the screen, then mouse-over the Configure sub-menu entry, and then click on the Startup Options menu item. A new screen will be shown which allows the basic capture options to be specified, with all of the known local interfaces shown in the top row. From there, you can enable or disable the interfaces that you want to use.

Any modifications to the local capture interfaces will not be fully recognized until the ntop daemon has been restarted.

To enable NetFlow monitoring, mouse-over the Plugins menu at the top of the screen, then mouse-over the NetFlow sub-menu entry, and then click on the Activate menu item. A new screen will be shown which describes the purpose of the NetFlow plugin, with a hyperlinked NetFlow row heading underneath a Configure column heading. Click the hyperlinked entry, and another screen will be shown that displays any currently defined entries. To add a new entry, click the Add NetFlow Device button, and a new screen with a large form will be displayed which will allow you to specify the NetFlow host, the port number, and a variety of other options.

To enable sFlow monitoring, mouse-over the Plugins menu at the top of the screen, then mouse-over the sFlow sub-menu entry, and then click on the Activate menu item. A new screen will be shown which describes the purpose of the sFlow plugin, with a hyperlinked sFlow row heading underneath a Configure column heading. Click the hyperlinked entry, and another screen will be shown that displays any currently defined entries. To add a new entry, click the Add sFlow Device button, and a new screen with a large form will be displayed which will allow you to specify the sFlow host, the port number, and a variety of other options.

Multiple NetFlow and sFlow interfaces can be defined, although each discrete entry should have its own port number. In order for this to work as expected, the originating routers and/or switches must also be configured to transmit their flow data to the appropriate port number(s) on the Ntop server.

For more information about the Ntop startup parameters and the remote data-collection technologies that are available, refer to the online Ntop documentation.

3.0 Performing Common Ntop Tasks

As was discussed in the introduction, Ntop uses a variety of network technologies to capture traffic from one or more network segments, analyzes the traffic for key attributes and markers, and then stores a summarized form of the data in a set of dynamic databases which are then made available to administrators through the Ntop web interface. In broad terms, the data in Ntop is organized into one of two categories for the purpose of generating reports: information about the overall traffic that has crossed the currently selected monitoring interface, and information about the traffic on a particular network node.

It's important to recognize that the presented data will reflect the currently selected monitoring interface. If there is only monitoring interface defined, or if only local capture interfaces are being used, then there will only be a single global pool of network-wide data, and the device-specific data will only reflect the data that was seen on that monitoring interface. However, if multiple monitoring interfaces are defined, then each interface will have its own global summary data that reflects the traffic on that network, and the host-specific data will also reflect the traffic that was seen from that host as it crossed the selected network.

For example, if Ntop is configured to monitor traffic on a web server's Ethernet interface, a local Ethernet switch via sFlow, and an Internet router via NetFlow, then a single host system could easily have wildly different traffic profiles on each network---the server's capture would likely only show the host traffic between the two devices, while the router would only show the host traffic for remote sites, and the switch might show both sets of host traffic plus all of the other local traffic generated by the target device.

It's also important to recognize that the different monitoring technologies report different kinds of data back to ntop, so different networks will usually show different kinds of summary data.

A brief description of the most common reports is provided in the remainder of this section. For more detailed discussion, refer to the online Ntop documentation.

Global Summary Data

The global summary data shows information related to the monitoring interfaces that have been defined. To view this data, mouse-over the Summary menu at the top of the screen, and then click on the Traffic menu item. A screen similar to the following will be displayed, with the global summary data being shown in the Global Traffic Statistics table at the top of the page:

Figure: Global traffic statistics
Global traffic statistics
At the top of the global summary table is a sub-table which lists all of the active monitoring interfaces. This data shows the name of the device (such as eth0 for the first Ethernet interface, or NetFlow-device.2 for the first NetFlow device), as well as their important characteristics.

Next, an Active End Nodes row will be displayed which shows the number of stations with sessions that are currently active across all of the monitored networks. As network connections on the monitored network are established and torn down, this figure will change. The chart icon next to the Active End Nodes row links to a page containing several historical charts about the currently selected monitoring interface.

If multiple interfaces have been defined, the global summary table will also contain a pie chart that shows the relative amount of traffic being captured across each interface.

For each active monitoring interface, the ntop summary page also displays some or all of the following data, depending on the capabilities of the monitoring interface:

  • Distribution of unicast, broadcast, and multicast packets.
  • Distribution of packets by size. Large packets indicate bulk transfers of some kind, while smaller packets indicate control messages such as connection requests.
  • Distribution of fragmented versus non-fragmented packets. Fragments are used when data exceeds the payload size of a packet, and are common with applications that use large messages.
  • Distribution of time-to-live values.
  • Distribution of remote host distance. This value is determined by looking at the time-to-live values of traffic being exchanged with hosts on remote networks, which is inferred by looking for addresses that are outside the monitoring interface's own local subnet.
  • Current and historical network traffic load, in bits-per-second and packets-per-second.
  • Distribution of IP versus non-IP packets, and the distribution of UDP, TCP and ICMP packets within the IP pool.
  • Distribution and historical usage of known TCP and UDP applications, such as HTTP, DNS, SMTP, and other protocols. The magnifying glass icon next to each graph provides access to historical views of the data.
    Ntop does not display graphs for unknown applications, so network traffic related to games and other uncommon services may not be displayed.

As stated earlier, if multiple monitoring interfaces are defined then the data that is reported in this page will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

Network Load Data

ntop provides prebuilt graphs showing the total amount of traffic that has been seen on a specific monitoring interface, which provides a way to view the overall load on a network. To view this data, mouse-over the Summary menu at the top of the screen, and then click on the Network Load menu item. A screen similar to the following will be displayed, with four individual graph options showing the determined network load for the last 10 minutes, the last hour, the last 24 hours, and the last month:

Figure: Network load statistics

Clicking on the magnifying glass icon next to the graph will allow you to view the different graphs across variable time scales.

As stated earlier, if multiple monitoring interfaces are defined then the data that is reported in this page will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

Device Summary Data

Most of the ntop reports show details about the host devices that have been detected on the currently selected monitoring interface. Some of these reports present high-level information, such as the geographical location of the device and the manufacturer of the host's network card. Meanwhile, other reports present low-level information, such as the relative amount of traffic generated by each device, or the relative amount of application traffic generated on a specific device.

For each host device, ntop always displays the following information, in addition to whatever other data has been requested:

  • The primary identifier for the device. When a device first appears, ntop will only know its IP address. However, ntop decodes a variety of application traffic, and uses any names that are discovered in that data to assign a friendly name to each device (ntop does not actively resolve the names itself). For example, if a host has a NetBIOS name for use with Windows networking, ntop will eventually detect that name from the NetBIOS traffic, and will likely use that name as the primary identifier. ntop also displays a variety of icons next to the primary name, each of which indicate some additional detail that was detected from the underlying traffic. For example, if ntop determines that a device is running Linux, it will show a penguin icon next to the device name. Similarly, if ntop determines that a device is running a Web or DHCP server, then it will display those icons as well.
  • The management domain for the device. If a device' IP address falls within the range of the local network for the monitoring interface, then it will have a house icon. If a device is determined to be outside the local network for the monitoring interface, then ntop typically uses a country flag to indicate the geographical location.

ntop also automatically highlights potential problems in the device reports, based on the activity that has been detected. For example, the collected information can be used to assist a network administrator in determining if a particular node is making too many requests to a remote network, or if the usage times do not reflect normal working hours, but ntop will also automatically flag suspicious activity such as excessive connection requests that may indicate a compromised host, among many other symptoms.

If multiple monitoring interfaces are defined then the data that is reported in these pages will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

To view the high-level summary data about the detected host devices, mouse-over the Summary menu at the top of the screen, and then click on the Hosts menu item. A new screen will be displayed, with a single table listing all of the host devices that have been discovered on the currently selected monitoring interface. For each discovered device, the host summary page displays some or all of the following data, depending on the capabilities of the monitoring interface:

  • The device' primary identifier and management domain.
  • The device' IP address.
  • The device' hardware address.
    Hardware addresses are typically only visible to ntop when the device is on the same local network as the monitoring interface (packets that are forwarded across routers show the router's hardware address, instead of the original device' address).
  • The ntop community name for the device' IP network. This is a friendly name for an IP network, which is manually assigned by the administrator. If you want to assign these names, mouse-over the Admin menu at the top of the screen, then mouse-over the Configure sub-menu item, and then click on the Preferences menu item. A new screen will appear which contains a table containing all of the preference settings defined so far. To create new community names, scroll to the bottom of the table, and add a new preference called community.network-name (where network-name is the friendly name you want to be used) with a network address and subnet mask in the value field. If a device is subsequently discovered to have an IP address in an address range with a community preference, then the friendly name will be displayed in the community column.
  • The relative bandwidth usage for the device.
    The green portion of the bar indicates the amount of data sent, while the blue bar represents the amount of data received.
  • The manufacturer of the network card. This information is typically determined by examining the hardware address, and comparing it to known allocations of hardware addresses.
  • The distance from the device to the monitoring interface. This is usually determined by looking at the time-to-live value of incoming traffic.
  • The number of other hosts that this device has been seen communicating with.
  • The length of time that the host has been actively transmitting traffic on the network.
  • The length of time since the host was last seen transmitting traffic.
  • The autonomous system or administrative domain of the device' IP address. This information is typically determined by comparing the host address to known allocations of IP addresses.

Clicking on one of the hyperlinked table headers will allow you to sort the data according to highest-to-lowest values for that column. Clicking on the header again will cause the sort order to be reversed.

If multiple monitoring interfaces are defined then the data that is reported in these pages will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

Host Detail Data

To view the low-level detail data about a specific device, click on the primary identifier for that device anywhere it appears. A screen similar to the following will be displayed, with multiple tables describing various aspects of the host devices that have been discovered on the currently selected monitoring interface:

Figure: Low level detail


For each discovered device, the host summary page displays some or all of the following data, depending on the capabilities of the monitoring interface:

  • IP address.
  • The date and time at which the device was first and last seen on the currently selected monitoring interface.
  • The autonomous system associated with the IP address.
  • The DNS domain name associated with the IP address.
  • The last hardware address seen for this device. For devices that are not on the same local network as the monitoring interface, the hardware address will typically belong to the last router that forwarded a packet on behalf of the device.
  • The full NetBIOS description, as well as the NetBIOS server type flags that have been seen for the device.
  • Whether or not the host is considered to be on the same local network as the currently selected monitoring interface.
  • The friendly community name associated with the IP address.
  • The distance in hops from the device to the monitoring interface.
  • The cumulative and relative amounts of data that has been sent and received by the device, both in total and broken across time periods.
  • Potential security risks or problems associated with the host traffic.
  • Connection data. Statistics about open sockets, data sent/received, and contacted peers for each process running on the host where ntop is active.
  • The sessions which are currently active.

If multiple monitoring interfaces are defined then the data that is reported in these pages will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

Network Load by Host Device

To view the network utilization levels for each of the known host devices, mouse-over the All Protocols menu at the top of the screen, and then click on the Throughput menu item. A new screen will be displayed, with a single table listing all of the host devices that have been discovered on the currently selected monitoring interface. For each discovered device, the network load summary page displays some or all of the following data, depending on the capabilities of the monitoring interface:

  • The device' primary identifier and management domain.
  • The amount of bandwidth utilized by the host, in bits-per-second. This data is displayed for the currently active sessions, a running average period, and the long-term peak usage.
  • The number of packets transferred by the host. This data is displayed for the currently active sessions, a running average period, and the long-term peak usage.

Clicking on one of the hyperlinked table headers will allow you to sort the data according to highest-to-lowest values for that column. Clicking on the header again will cause the sort order to be reversed.

If multiple monitoring interfaces are defined then the data that is reported in these pages will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

Application Traffic by Host Device

To view the application traffic for each of the known host devices, mouse-over the IP menu at the top of the screen, then mouse-over the Summary sub-menu item, and then click on the Traffic menu item. A new screen will be displayed, with a single table listing all of the host devices that have been discovered on the currently selected monitoring interface. For each discovered device, the application traffic summary page displays some or all of the following data, depending on the capabilities of the monitoring interface:

  • The device' primary identifier and management domain.
  • The cumulative total amount of data, and the relative percentage that this amount represents, in bytes. By default, this column is sorted in highest-to-lowest order, with the most talkative devices at the top of the list.
  • Additional columns show the application specific volume, in bytes.
    Ntop does not track unknown applications, so network traffic related to games and other uncommon services may not be displayed.

Clicking on one of the hyperlinked table headers will allow you to sort the data according to highest-to-lowest values for that column. Clicking on the header again will cause the sort order to be reversed.

If multiple monitoring interfaces are defined then the data that is reported in these pages will only reflect the currently selected interface. To view a different interface, mouse-over the Admin menu at the top of the screen, click on the Switch NIC menu item, and select the monitoring interface you wish to view.

4.0 Integrating Ntop Data with GroundWork Monitor

At the present time, the GroundWork NMS ntop package does not include any tools for automatically exchanging data between the ntop and GroundWork databases. However, ntop does support manually exporting some data through a variety of mechanisms, and it may be feasible to develop tools which automate some parts of this process. Similarly, the dynamic round-robin database files that ntop uses for graphing purposes may also be integrated into some of the GroundWork Monitor reporting tools.

Labels

ntop ntop Delete
network network Delete
traffic traffic Delete
Enter labels to add to this page:
Please wait 
Looking for a label? Just start typing.