Ever wonder what is happening on your network? Particularly in terms of what traffic is passing in and out? Whether it's out of curiosity or you have a real need to audit what kind of traffic is passing through your network, ntop is a fantastic tool that will more than likely do what you need.
Ntop is for networks what top is for processes on the local system. With top you can view all kinds of process information: memory and CPU usage, system load, and so forth. With ntop you can view similar information, but related to network processes: network load throughput, active connections, which hosts are connecting to what sites, the amount of bandwidth sent to a particular site, protocol usage, and more. Ntop provides so much information, in fact, that it will take time to wade through it all and narrow down what is pertinent to you.
A number of distributions provide ntop pre-packaged so it's a simple yum, urpmi, or apt-get away. Once it is installed, it should be started manually, first, so you can set the administrator password; instead of running service ntop start, run ntop directly; it will ask for the password before starting the actual service. Once you have set the password, you can hit CTRL-C to kill the service and then use service ntop start to enable the service to run in the background.
When ntop is running, you can connect to the host it's running on, using port 3000 by default. There may be access restrictions denying access to everything other than connections coming from the localhost; if you want to connect from a different host you may have to edit the ntop configuration file (/etc/ntop.conf on Fedora). For instance, on Fedora, ntop will listen to 127.0.0.1:3000 for HTTP connections; you will want to change that to a reachable IP address instead (i.e., 192.168.10.1:3000) and restart ntop to make the change effective. Now you can log in using a Web browser pointing to http://[ip_address]:3000 or https://[ip_address]:3001 if the HTTPS server is enabled (again, see the configuration file).
Once you have logged in, there is a lot that you can look at. Ntop has a lot of information available on network traffic. On the main page you will find global traffic statistics which provide information such as:
- Total number of packets broken down by type (TCP, UDP, etc.)
- Total number of packets broken down by packet size
- Bad packets
- Number of hops to remote hosts
- Current and average network loads
- Protocol distribution (broken down by active protocols such as HTTP, SSH, FTP, etc.)
At the top of the page there are links to configure various plugins and configuration options for ntop itself. There are also links to other ways you can view the data, such as looking at network load statistics in nice RRD graphs and a breakdown of communication by host. The latter is really useful if you want to see what systems are connecting to a particular domain and how they are connecting.
As an example, you could click on a link such as "www.facebook.com" and see exactly when traffic was sent to it during the last 24 hours, what hosts on the local subnet connected to it, and what protocol was used (HTTP or HTTPS, etc.). There are even links where you can see where the end-host is located geographically using Google Maps, and you can also obtain WHOIS information with a simple click.
The amount of information you get from ntop is very impressive. If you are curious, need to debug, or need to audit your network usage and throughput, ntop is definitely one good tool to use.
Delivered each Tuesday, TechRepublic's free Linux and Open Source newsletter provides tips, articles, and other resources to help you hone your Linux skills. Automatically sign up today!
Vincent Danen works on the Red Hat Security Response Team and lives in Canada. He has been writing about and developing on Linux for over 10 years and is a veteran Mac user.