In the previous article we looked at Wireshark, which, once started, captures the packets seen on a given interface. In this article we'll look at ntop, a tool that gives you similar information and something more.
ntop is a network traffic probe that shows network usage, similar to what the popular top Unix command does. ntop is based on libpcap and is written in a portable way, so it runs on virtually every Unix platform and on Win32 as well.
ntop acts as a web server: you use a browser (e.g. Firefox) to navigate through its traffic information and get a dump of the network status. Seen this way, ntop is a simple RMON-like agent with an embedded web interface.
The ntop package is in the Ubuntu and Debian repositories, so you can install it (as root) with
aptitude install ntop
If you want to install it on Red Hat or CentOS, check out this guide.
From a terminal, as root (ntop needs to open the capture interface), type
ntop
This starts ntop in non-daemon mode. On the first run you are prompted for the admin password: enter one of your choice; ntop stores it and asks for it whenever you log in to the web interface.
After that press Ctrl+C to exit, and start ntop as a daemon with
sudo /etc/init.d/ntop start
Then point a browser at http://localhost:3000 (3000 is ntop's default HTTP port). From here you can view everything ntop collects and manage it completely. Keep in mind that the interface exposes the traffic of every host ntop sees, so do not leave it reachable from the network: bind it to localhost with the -w option, which takes [address:]port (e.g. -w 127.0.0.1:3000) and on Debian-based systems goes into the daemon options in /etc/default/ntop, or restrict it with a firewall.
Some useful options:
Utils -> View Log displays the ntop log. It is really useful to check for errors on the first start-ups; for example, I saw that ntop did not have the right permissions to write to the directory where it wants to put its RRD files. A common cause is that the directory was created by the interactive first run as root, while the init script runs the daemon as an unprivileged user: chown it to that user and restart.
All Protocols -> Traffic shows in a table all inbound and outbound traffic to the top hosts you are talking to, broken down by protocol.
IP -> Summary -> Traffic shows in a table all inbound and outbound TCP/IP traffic to the top hosts you are talking to, broken down by service used.
Summary -> Traffic displays a huge amount of data and traffic information; here you will see a lot of pie charts and historical charts.
Another great feature of ntop is that you can narrow the time range of a chart by clicking and holding the left mouse button while you select a period of time.
Admin -> Configure lets you set up the various options of ntop, or shut down the daemon.
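The first-start procedure above and the Utils -> View Log check for RRD permission errors, put together as one small shell script. This is an added example, not code from the article or from the ntop project. It assumes the Debian/Ubuntu packaging layout: the daemon runs as user ntop, RRD files go under /var/lib/ntop/rrd, the log is /var/log/ntop.log and the web UI is on ntop's default port 3000 (all four can be overridden through the environment). ntop's -A switch (set the admin password and exit) is a real option; the log lines produced by sample_log are constructed for the demo and only modelled on ntop's wording, so extend the grep pattern if your log says something different.

```shell
#!/bin/sh
# Added example, not from the original article or the ntop project.
# Scripts the first-start steps (install, set the admin password, start the
# daemon) and the checks the article does by hand through Utils -> View Log.
#
# Assumptions (override through the environment if your package differs):
#   NTOP_USER    user the Debian/Ubuntu init script runs ntop as
#   NTOP_RRD_DIR where ntop writes its RRD round-robin databases
#   NTOP_LOG     where the daemon logs (some packages log to syslog instead)
#   NTOP_PORT    ntop's default HTTP port
NTOP_USER="${NTOP_USER:-ntop}"
NTOP_RRD_DIR="${NTOP_RRD_DIR:-/var/lib/ntop/rrd}"
NTOP_LOG="${NTOP_LOG:-/var/log/ntop.log}"
NTOP_PORT="${NTOP_PORT:-3000}"

# Install the package, set the admin password and start the daemon.  Must run
# as root: "ntop -A" prompts for the admin password, stores it and exits,
# which is what the article's interactive first run did, without capturing.
install_and_start() {
    aptitude -y install ntop
    ntop -A
    # The RRD directory must belong to the user the daemon drops privileges
    # to, otherwise you get the permission error the article hit.
    mkdir -p "$NTOP_RRD_DIR"
    chown -R "$NTOP_USER" "$NTOP_RRD_DIR"
    /etc/init.d/ntop start
}

# True if DIR exists, is owned by USER and is writable by its owner; the
# daemon can only create its RRD files if this holds for NTOP_RRD_DIR.
rrd_dir_ok() {
    [ -d "$1" ] &&
    [ -n "$(find "$1" -maxdepth 0 -user "$2" -perm -u+w -print 2>/dev/null)" ]
}

# Count the log lines that point at an RRD/permission problem.  The pattern
# covers "err 13" (EACCES) and "Permission denied" wording; ntop's messages
# differ between versions, so extend it if your log says otherwise.
count_rrd_errors() {
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0
    grep -ciE 'RRD.*(err 13|permission denied|unable to (create|open|write))' "$1" || true
}

# Constructed sample log (modelled on ntop's wording, not a real capture) so
# the check can be exercised without a running daemon.
sample_log() {
    printf '%s\n' \
      'Thu Jan  1 12:00:01 2009  NOTE: Initializing ntop' \
      'Thu Jan  1 12:00:02 2009  NOTE: RRD: Mode is per-interface, data under /var/lib/ntop/rrd' \
      'Thu Jan  1 12:00:02 2009  **ERROR** RRD: Disabled - unable to create base directory (err 13, /var/lib/ntop/rrd)' \
      'Thu Jan  1 12:00:02 2009  **WARNING** RRD: Permission denied writing /var/lib/ntop/rrd/interfaces/eth0' \
      'Thu Jan  1 12:00:03 2009  NOTE: Listening on [0.0.0.0:3000] for HTTP connections' > "$1"
}

# Is the embedded web server answering on its port (3000 by default)?
web_ui_up() {
    wget -q -O /dev/null --timeout=5 "http://127.0.0.1:${NTOP_PORT}/"
}

case "${1:-}" in
    install) install_and_start ;;
    check)
        if rrd_dir_ok "$NTOP_RRD_DIR" "$NTOP_USER"; then
            echo "ok: $NTOP_RRD_DIR writable by $NTOP_USER"
        else
            echo "FIX: chown -R $NTOP_USER $NTOP_RRD_DIR (ntop cannot write its RRD files)" >&2
        fi
        echo "RRD/permission errors in $NTOP_LOG: $(count_rrd_errors "$NTOP_LOG")"
        if web_ui_up; then
            echo "ok: web UI answering on port $NTOP_PORT"
        else
            echo "web UI not answering on port $NTOP_PORT" >&2
        fi ;;
    demo)
        tmp=$(mktemp); sample_log "$tmp"
        echo "errors in constructed sample log: $(count_rrd_errors "$tmp")"  # 2
        rm -f "$tmp" ;;
    *) echo "usage: $0 install|check|demo" >&2 ;;
esac
```

Run `sudo ./ntop-setup.sh install` once, then `./ntop-setup.sh check` after every restart: it reports whether the RRD directory is owned and writable by the daemon user, how many RRD/permission complaints are in the log, and whether the web UI answers. `./ntop-setup.sh demo` runs the log check against the constructed sample only.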
There is a lot more information in ntop; if you need a daemon that collects every possible piece of information about your network traffic, this is the software for you.