Linux

Monitor network traffic with ntop


Like the command-line tool with a similar name, ntop is a monitoring agent. Instead of monitoring system resource usage like top, ntop monitors network usage and provides some very sophisticated and informative data.

Ntop, available at http://www.ntop.org/, can be downloaded and compiled from source or installed via your Linux vendor's package repositories if available. The ntop Web site also provides Debian and RPM package formats that can be downloaded and installed.

Once ntop is installed, you must provide an administrative password on the first run, so instead of executing an initscript, run ntop directly:

# ntop -A

This will start ntop, ask you for the administrative password to use, and then exit. Once that is done, you can start ntop and begin monitoring network traffic.

A very basic invocation of ntop would be:

# ntop -P /var/lib/ntop

This will start ntop and write the database files to the directory /var/lib/ntop. Ntop needs to start as root, but it supports dropping privileges to an unprivileged user. Instead of running ntop as root all the time, run it as a dedicated user. To create the user ntop, execute:

# groupadd ntop

# useradd -M -s /bin/false -d /var/lib/ntop -c "ntop user" -g ntop ntop

These two commands will create the user and group for ntop. Finally, start ntop and tell it to drop privileges to the ntop user:

# ntop -P /var/lib/ntop -u ntop

This starts ntop and leaves it attached to the terminal; using ntop this way is great if you need to quickly visualize network traffic (perhaps to determine where a bottleneck is or to aid in network troubleshooting). Running ntop on a firewall or gateway device is best as it can watch all traffic; if you use Linux for a custom firewall, install ntop there to get the best data. Otherwise, ntop can watch traffic coming to and from the system it is installed on, which may be useful to determine what programs are opening connections, for example, from that system.

To view ntop statistics, connect to port 3000 on the system on which ntop is installed with a Web browser. You can configure the port and decide whether to use HTTPS instead of HTTP by adjusting the command-line options. For instance, to have ntop listen to port 4000 and only accept HTTPS traffic, use ntop -w 0 -W 4000. To have it listen on port 3000 for HTTP traffic and port 4000 for HTTPS traffic, use ntop -w 3000 -W 4000.

To have ntop start at boot and constantly watch traffic, add the following to /etc/init.d/rc.local or a similar script that is started at boot:

ntop -P /var/lib/ntop -u ntop -d

Specifying the -d option tells ntop to daemonize and fork to the background.

Ntop is a great analytical tool that can be extremely useful for seeing what is happening on the network in real-time. By design, ntop can consume a lot of memory, so if there is no need to run it constantly, it's probably best to leave it as part of the troubleshooting arsenal and invoke it when necessary.

Delivered each Tuesday, TechRepublic's free Linux NetNote provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!

About

Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.

0 comments

Editor's Picks