Ntop enables powerful network logging and analysis

Ntop allows you to mimic the powerful tools used by UNIX administrators. Combine it with Perl or PHP, and you'll be able to get a good look at network activity.


Ntop is an interesting application, available for both UNIX and Windows platforms. It displays network data in an interactive shell, intop, which mimics the behavior of the venerable top program that most UNIX administrators use. Ntop also has a sophisticated Web interface, providing information on Net traffic and statistics in a variety of tabular and graphical formats. In this article, I'll provide an overview of the application and show some examples of its use.

The environment
Ntop runs its own small Web server and can use HTTPS, so you don't need to run Apache or another Web server to take advantage of the graphical interface. If that weren't enough, it readily interfaces with scripting languages like Perl and PHP. It can also store persistent network data in a database, such as MySQL, for later analysis.

Where do I get it?
You can get binary builds for various UNIX platforms, as well as a limited demo binary for Windows. Since the Ntop creator must purchase licensed copies of development tools for the Windows platforms, he requests that you donate to get a fully functional Windows binary or build it yourself from source.

Given its open-source nature, Ntop continues to evolve. A daily source snapshot is available from the Ntop Web site. You can download the Windows demo binary from a different Web site. Let's take a closer look at the UNIX build.

In action
The UNIX build is slightly different from the usual configure, make, make install procedure you may be familiar with, but there is a Readme in ntop/docs/BUILD-NTOP.txt that describes the process:

1. Get mandatory packages/tools
  • gdbm       http://www.gnu.org/
  • libpcap    http://www.tcpdump.org/

2. Build chart libraries
  • cd gdchart0.94c/
  • ./configure
  • cd gd-1.8.3/libpng-1.0.8
  • cp scripts/makefile.[make your choice] Makefile
  • make
  • cd ../../zlib-1.1.3/
  • ./configure
  • make
  • cd ..
  • make

3. Build ntop
  • cd ntop
  • ./configure
  • make

To do a test run before installing, you can just run it from the build directory. (I use sudo, as the program must be run as root.)
bash-2.03$ sudo ./ntop -P /tmp
Password:
Wait please: ntop is coming up...

You'll see considerable output on the screen, but to view the data in a presentable form, take your browser and point it to:
http://localhost:3000

The Ntop Web interface is self-explanatory, with tabs across the top to select various screens. Once you select a category, a frame on the left side of the screen will allow you to drill down and view data in various groupings and formats.

Figure A
Ntop interface


Data storage with MySQL
By default, Ntop stores data in standard GNU dbm database files, under the directory specified with the -P flag when launched. Alternatively, you can store the data in a MySQL database by using the -b switch. A sample schema is included for setting up the MySQL database, as well as a small Perl script to pass the Ntop data to the database. The process for MySQL integration is also documented in ntop/docs/database/README.mySQL:
  1. Install and run MySQL
  2. Run mysqladmin create NTOP
  3. Run mysql NTOP < database/mySQLdefs.txt
  4. Run perl database/mySQLserver.pl &
  5. Run ntop -w 3000 -i eth0 -b localhost:4000

The mySQLserver.pl script loads the data into the NTOP database, where it can be read and manipulated with the mysql shell or a GUI front end, or pulled back out by scripts. You'll need at least the DBI modules for Perl to interface with MySQL. The easiest way to get and install Perl modules, if your distribution doesn't provide them, is to use CPAN:
perl -MCPAN -e shell
cpan> install DBI
cpan> quit

CPAN will prompt you to install any other necessary modules. Again, this should be done as root. The output from Ntop will now look something like this:
UPDATE IPtraffic SET TCPSentLocally = 0, TCPSentRemotely = 0, TCPrcvdLocally = 0, TCPrcvdFromRemote = 0, UDPSentLocally = 384, UDPSentRemotely = 0, UDPrcvdLocally = 358, UDPrcvdFromRemote = 0, ICMPsent = 0, ICMPrcvd = 0, OSPFsent = 0, OSPFrcvd = 0, IGMPsent = 0, IGMPrcvd = 0  WHERE IPaddress = '192.168.192.90'

The UPDATE statement shows the MySQL database being updated with the network traffic information. The MySQL schema is simple, with five tables holding the data; their contents are fairly obvious from their names:
bash-2.03$ mysql -p NTOP
Enter password:
mysql> show tables;
+----------------+
| Tables_in_NTOP |
+----------------+
| Hosts          |
| IPtraffic      |
| NameMapper     |
| NonIPTraffic   |
| TCPsessions    |
+----------------+
5 rows in set (0.00 sec)

To view data from within MySQL, use a SELECT statement, such as:
mysql> SELECT * from Hosts;

To use just the Ntop shell, you run intop:
bash-2.03$ sudo intop -i eth0
Password:
lt-intop@eth0> top

This will give you the familiar UNIX top-style listing, except now you will be looking at network traffic, as shown in Figure B.

Figure B
Ntop intop—familiar UNIX style listing


That's it. Entering q will exit the top listing, and quit will leave the Ntop shell. There are several more options that may be explored, but our focus is going to be on applying some scripting concepts to utilize the Ntop data.

Putting Ntop data to work
Let's look at how to gather a subset of the Ntop data via a script, which we could run from cron and pass on to the administrator via e-mail. The ntop/www/Perl/dumpFlat.pl script is a simple example of how to use the Perl API to access a running Ntop session and perform a straight delimited ASCII dump of the data once per minute. By examining the program, you can get a good idea how to interface to Ntop for your own purposes:
use LWP::Simple;
$ntopHost = "localhost";
$ntopPort = 3000;
$URL = "http://".$ntopHost.":".$ntopPort."/dumpData.html?language=perl";

The first few lines set up the code, calling in the libwww-perl module and defining variables for the host and the standard Ntop port of 3000. If you don't have libwww-perl, you'll need to install it from your distribution or CPAN (LWP). The $URL variable defines the call to Ntop, which can understand the following calls:
http://<ntop host>:<ntop port>/dumpData.html?language=<perl|php>
http://<ntop host>:<ntop port>/dumpTrafficData.html?language=<perl|php>

Here's a breakdown of these calls:
  • The language= parameter is either perl or php.
  • dumpData defines the %hash array, which contains information about the active hosts.
  • dumpTrafficData defines the %interfaces array, which contains information about the active network interfaces.

Either one passes back an array of data, which can then be parsed and manipulated as desired. If you access the above URLs without the language= option, the results won't be too helpful. For instance, if you use the following call, you'll see something like Figure C:
lynx http://localhost:3000/dumpData.html

Figure C
Ntop data dump


And this call will return something like what you see in Figure D:
lynx http://localhost:3000/dumpTrafficData.html

Figure D
Ntop traffic data


When you use the language= option, you'll see something a little more useful. For example, the following call will produce the results shown in Figure E:
lynx http://localhost:3000/dumpData.html?language=perl

Figure E
Ntop data dump with Perl


And this call will produce the results shown in Figure F:
lynx http://localhost:3000/dumpTrafficData.html?language=perl

Figure F
Ntop traffic data with Perl


All you have to do at this point is manipulate the hash array and display and/or log what you need. As a trivial example, let’s say we want to see the www traffic for our local network. We grab the data, populate the hash table, and then format/display the data for our local subnet. If you look at the @flatkeys array in the sample in Listing A, you'll see the various keys in the hash table that can be used for lookups.

You could readily take this concept and pass $mynet and $protocol at the command line, allowing you to view any subnet or protocol. You could also collect the data by date, restarting Ntop every day, and keep a daily, per-machine log.
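To make that trivial example concrete, here is an added Perl script (not ntop's dumpFlat.pl and not Listing A) that pulls the language=perl dump, evaluates it inside a Safe compartment rather than with a bare eval, and reports HTTP traffic for hosts on one subnet, taking $mynet and $protocol from the command line as suggested above. The hash field names hostNumIpAddress, httpSent and httpRcvd are assumptions to be checked against the @flatkeys list of your ntop version, and the embedded dump is a constructed sample so the script runs without a live ntop.

```perl
# Added example (not ntop's dumpFlat.pl, not Listing A): per-host HTTP traffic
# for one subnet, read from ntop's dumpData.html?language=perl output.
# Usage: perl ntop_www.pl [subnet-prefix] [protocol] [ntop-host]
use strict;
use warnings;
use Safe;
use LWP::Simple qw(get);
my $mynet    = shift // '192.168.192.';  # subnet prefix to report on
my $protocol = shift // 'http';          # prefix of the assumed per-protocol keys
my $ntopHost = shift;                    # omit to use the constructed sample

# Constructed sample in the assumed dump layout: Perl that assigns into %hash
# keyed by host. The field names hostNumIpAddress, httpSent and httpRcvd are
# assumptions; check them against @flatkeys for your ntop build.
my $sample_dump = <<'END';
$hash{'192.168.192.90'}{'hostNumIpAddress'} = '192.168.192.90';
$hash{'192.168.192.90'}{'httpSent'} = 18422;
$hash{'192.168.192.90'}{'httpRcvd'} = 91306;
$hash{'10.0.0.5'}{'hostNumIpAddress'} = '10.0.0.5';
$hash{'10.0.0.5'}{'httpSent'} = 512;
$hash{'10.0.0.5'}{'httpRcvd'} = 2048;
END
# The dump is Perl source fetched over HTTP, so compile it in a Safe
# compartment (data assignments only) rather than with a bare eval.
sub load_dump {
    my ($text) = @_;
    my $cpt   = Safe->new;
    my $hosts = $cpt->reval($text . '; \%hash');
    die "dump did not evaluate cleanly: $@" if $@;
    return $hosts;
}

# [ip, sent, rcvd] rows for hosts whose address starts with $net, busiest first.
sub www_traffic {
    my ($hosts, $net, $proto) = @_;
    my @rows;
    for my $key (keys %$hosts) {
        my $h  = $hosts->{$key};
        my $ip = $h->{hostNumIpAddress} // $key;
        next unless index($ip, $net) == 0;
        push @rows, [ $ip, $h->{"${proto}Sent"} // 0, $h->{"${proto}Rcvd"} // 0 ];
    }
    return sort { $b->[1] + $b->[2] <=> $a->[1] + $a->[2] } @rows;
}
my $dump = $ntopHost ? get("http://$ntopHost:3000/dumpData.html?language=perl")
                     : $sample_dump;
die "no data from ntop\n" unless defined $dump;
printf "%-16s %10s %10s\n", 'host', "$protocol sent", "$protocol rcvd";
printf "%-16s %10d %10d\n", @$_ for www_traffic(load_dump($dump), $mynet, $protocol);
```

Run it with a third argument naming a trusted ntop host to replace the sample with live data; keep the compartment, since the endpoint hands back code your script executes.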

A powerful tool
As you can see, Ntop is a powerful and flexible program. Not only does it do a lot on its own, but by allowing you to integrate database storage and a simple scripting interface, it also opens up a number of possibilities for providing network analysis.
