Enable, install, configure, and use ntop in linux

Source: Internet
Author: User

This article describes how to start, install, configure, and use ntop 3.2 in Linux.

1. Start ntop

1. Run /usr/local/bin/ntop -u ntop -c -d -I eth0 on the local machine to start ntop.
Note:
(1) /usr/local/bin is the directory in which ntop is installed
(2) -u ntop runs ntop as the user ntop
(3) -I eth0 selects eth0 as the network interface to monitor
2. Web access:

http://<your_IP>:3000

Note: 3000 is the default port number.

 

ntop mainly provides the following functions:

◆ Automatically identifies useful information from the network;
◆ Converts intercepted data packets into a format that is easy to read;
◆ Analyzes communication failures in the network environment;
◆ Detects communication bottlenecks in the network environment;
◆ Records the time and course of network communication.

 

II. ntop Installation

First, you must install libpcap, gdbm, and the other required libraries. Generally, the system already includes all of them except libpcap.

1. Create a user ntop (for security reasons, the software is run as the dedicated user ntop)

# useradd ntop

2. Installation
Run the following commands in the unpacked source directory:

# ./configure
# make
# make install

3. Change the file owner to ntop.

(1) # chown -R ntop:ntop /usr/local/var/ntop/

* Status of the modified directory (db files): drwxr-xr-x 10 root 4096 02-27 share

(2) # chown -R ntop:ntop /usr/local/share/ntop/
* Status of the modified directory: drwxr-xr-x 3 root 4096 02-25 var

Note: -R recursively changes the owner of the specified directory and all of its subdirectories and files.

4. Set the administrator password

# /usr/local/bin/ntop -A    (required for web management; the default user name is admin)

5. Run ntop:

(1) Start ntop with the web interface:
# /usr/local/bin/ntop -u ntop -c -d

NOTE: If no network device is found, you can specify it with -I eth0.

(2) Web access:

http://<your_IP>:3000

Note: 3000 is the default port number; use -w to select another port.

Startup output (initialization messages):
[root@localhost ld.so.conf.d]# /usr/local/bin/ntop -u ntop -c -d -I eth0
Thu Mar 20 16:11:56 2008 NOTE: Interface merge enabled by default
Thu Mar 20 16:11:56 2008 Initializing gdbm databases
Thu Mar 20 16:11:56 2008 NOTE: Interface merge disabled from prefs file
Thu Mar 20 16:11:56 2008 ** WARNING ** -s set so will ATTEMPT to open interface w/o promisc mode (this will probably fail below)
Thu Mar 20 16:11:56 2008 ntop v.3.2 SourceForge.tgz
Thu Mar 20 16:11:56 2008 Configured on Mar 20 2008 15:06:45, built on Mar 20 2008 15:25:01.
Thu Mar 20 16:11:56 2008 Copyright 1998-2005 by Luca Deri <deri@ntop.org>
Thu Mar 20 16:11:56 2008 Get the freshest ntop from http://www.ntop.org/
Thu Mar 20 16:11:56 2008 NOTE: ntop is running from /usr/local/bin
Thu Mar 20 16:11:56 2008 NOTE: (but see warning on man page for the --instance parameter)
Thu Mar 20 16:11:56 2008 NOTE: ntop libraries are in /usr/local/lib
Thu Mar 20 16:11:56 2008 Initializing ntop
Thu Mar 20 16:11:56 2008 Checking eth0 for additional devices
Thu Mar 20 16:11:56 2008 Resetting traffic statistics for device eth0
Thu Mar 20 16:11:56 2008 DLT: Device 0 [eth0] is 1, mtu 1514, header 14
Thu Mar 20 16:11:56 2008 Initializing gdbm databases
Thu Mar 20 16:11:56 2008 VENDOR: Loading MAC address table.
Thu Mar 20 16:11:56 2008 VENDOR: Checking for MAC address table file
Thu Mar 20 16:11:56 2008 VENDOR: Loading newer file /usr/local/etc/ntop/specialMAC.txt.gz
Thu Mar 20 16:11:56 2008 VENDOR: ...found 61 lines
Thu Mar 20 16:11:56 2008 VENDOR: ...loaded 59 records
Thu Mar 20 16:11:56 2008 VENDOR: Checking for MAC address table file
Thu Mar 20 16:11:56 2008 VENDOR: Loading newer file /usr/local/etc/ntop/oui.txt.gz
Thu Mar 20 16:11:56 2008 VENDOR: ...found 48541 lines
Thu Mar 20 16:11:56 2008 VENDOR: ...loaded 7853 records
Thu Mar 20 16:11:56 2008 Fingeprint: Loading signature file.
Thu Mar 20 16:11:56 2008 Fingeprint: ...loaded 1697 records
Thu Mar 20 16:11:57 2008 INIT: Parent process is exiting (this is normal)
Thu Mar 20 16:11:57 2008 INIT: Bye bye: Im becoming a daemon...
You have new mail in /var/spool/mail/root
[root@localhost ld.so.conf.d]#


*****************************


3. Configure NetFlow

(1) Open http://<host>:<port>/ in a browser
(2) Plugins -> NetFlow -> Active: activate the NetFlow plugin
(3) Plugins -> NetFlow -> Configure: set the listening port and add a new device. The default port is 9996.
(4) Plugins -> NetFlow -> Statistics: NetFlow status

4. Use ntop

1. View the overall network traffic

To view the overall network traffic, click the Stats tab and then the Traffic option. Network traffic is displayed as a bar chart and a detailed table.

2. View host traffic

To view the network traffic of a computer on a specific node, click the "IP Traffic" tab and then the "Host" option.

3. Monitor the network protocols used by a host

As shown in figure 3, a computer with the host name "CAO" sends a large amount of data; its IP address is 192.168.0.5 and its MAC address is 52:54:AB:34:5B:09. To find out what that computer is transmitting, double-click the host name to see which network protocols it uses and the share of bandwidth each one takes.

4. View port usage

ntop can associate port usage with applications, much like the "netstat -an" command, and shows the time a port was opened, its traffic, and other details. For example, to associate the TCP/UDP ports open on the local machine with their applications, click "IP Traffic" → "L-L" → "TCP/UDP Servers/Ports Usage".

*****************************

The text-mode (character) interface still starts as well; this needs further consideration!

Reposted attachment:

Case study:

My organization is a Linux LAN consisting of multiple systems. In the network topology (figure-1), the server runs Hongqi 3.0 and the client PCs run Win9x/Me/2000.

Figure-1 Network Topology

I. Problems

One afternoon, network performance suddenly declined, so that a large amount of data could not be transmitted smoothly over the Internet. I first suspected a physical fault. However, a ping test showed that the network was connected and there was no physical damage. I started ntop (see figure-2); you can see that ntop can detect the vast majority of protocols in the network.

Figure-2 ntop Main Menu

II. Fault Detection

(1) First check the network load: click the "IP Protos" menu (see figure-3). The network load of the machines on the network is 98%.

Figure-3 high network load

(2) Click the host's "IP Traffic" menu to query network traffic; see figure-4.

Figure-4 network data traffic

(3) It was found that the PC with the host name cao1 was sending a large amount of data, and its network load was close to 99%. Click "cao1" and then "Host" to view other information. As shown in figure-5, the IP address of the host "cao1" is 192.168.0.1, its MAC address is 00:50:BA:F0:AB:AC, and its operating system is Windows.

Figure-5 basic information about the host cao1

(4) Double-click "cao1" to see details of all network activity of the host "cao1"; see figure-6.

Figure-6 details of the host "cao1"

(5) See figure-7. We can see that the data it sends is UDP.

Figure-7 the transmission data type of the host "cao1" is UDP data

We know that UDP is transport-layer data in the Linux network stack, so we can determine that a broadcast storm caused the decline in network performance. We found the host "cao1": a former staff member was demonstrating the company's product information to a customer, using Super Solution 2000. We know that when playing a file in Super Solution 2000, one option is to broadcast DVB audio and video on the LAN. This
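As an added example (not part of the original article or of ntop), the following Python decodes a NetFlow v5 datagram of the kind ntop's NetFlow plugin collects on UDP port 9996 (section 3) and applies the case study's reasoning to it: aggregate UDP bytes per source host and flag a host whose share of all LAN traffic is abnormally high. The datagram, the host addresses and the 90% threshold are constructed here for illustration.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 datagram: a 24-byte header followed by `count` 48-byte flow records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_netflow_v5(datagram):
    """Decode one v5 datagram into flow dicts; reject truncated or non-v5 input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("header announces %d records but payload is too short" % count)
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "octets": f[6], "sport": f[9], "dport": f[10],
                      "proto": PROTO_NAMES.get(f[13], str(f[13]))})
    return flows

def top_udp_talker(flows, share=0.90):
    """Case-study logic: the source host whose UDP bytes are >= `share` of all bytes, else None."""
    total = sum(f["octets"] for f in flows)
    udp_by_src = defaultdict(int)
    for f in flows:
        if f["proto"] == "UDP":
            udp_by_src[f["src"]] += f["octets"]
    if total == 0 or not udp_by_src:
        return None
    host, octets = max(udp_by_src.items(), key=lambda kv: kv[1])
    return (host, octets / total) if octets / total >= share else None

def build_sample_datagram():
    """Constructed sample (not a real capture): cao1 floods the broadcast address with UDP."""
    def rec(src, dst, octets, sport, dport, proto):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0",
                              1, 2, 1000, octets, 0, 1000, sport, dport, 0, 0, proto, 0,
                              0, 0, 24, 24, 0)
    records = (rec("192.168.0.1", "192.168.0.255", 9_900_000, 5000, 5000, 17)
               + rec("192.168.0.5", "10.0.0.1", 60_000, 40000, 80, 6)
               + rec("10.0.0.1", "192.168.0.5", 40_000, 80, 40000, 6))
    return V5_HEADER.pack(5, 3, 123456, 1206000000, 0, 0, 0, 0, 0) + records
```

Running top_udp_talker(parse_netflow_v5(build_sample_datagram())) flags 192.168.0.1 with a 0.99 share, matching the 99% load ntop showed for cao1 in the case study.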
