


NTOP(8)                                                   NTOP(8)


NNAAMMEE
       ntop - display top network users

SSYYNNOOPPSSIISS
       nnttoopp  [--cc]  [--EE]  [--rr  _r_e_f_r_e_s_h _t_i_m_e] [--RR _f_i_l_t_e_r _r_u_l_e_s] [--ff
       _t_r_a_f_f_i_c _d_u_m_p _f_i_l_e] [--nn] [--NN] [--MM] [--qq] [--pp] _T_C_P_/_U_D_P _p_r_o_t_o_
       _c_o_l_s  _t_o  _m_o_n_i_t_o_r]  [--ii  _i_n_t_e_r_f_a_c_e] [--ee _n_u_m _r_o_w_s] [--ww _H_T_T_P
       _I_P_:_p_o_r_t] [--WW _H_T_T_P_S _I_P_:_p_o_r_t] [--dd] [--SSvalue]] [--PP _d_b_p_a_t_h_] [--mm
       _l_o_c_a_l _s_u_b_n_e_t] [--aa _a_c_c_e_s_s _l_o_g _f_i_l_e _p_a_t_h] [--bb _c_l_i_e_n_t_:_p_o_r_t _D_B
       _c_l_i_e_n_t]  [--gg  _c_l_i_e_n_t_:_p_o_r_t  _N_e_t_F_l_o_w  _C_o_l_l_e_c_t_o_r]  [--tt  _t_r_a_c_e
       _l_e_v_e_l]  [--uu  _u_s_e_r  _n_a_m_e] [--ll _d_u_m_p _f_i_l_e _n_a_m_e] [--UU _m_a_p_p_e_r_._p_l
       _U_R_L] [--FF _f_l_o_w _f_i_l_t_e_r _e_x_p_r_e_s_s_i_o_n] [ffiilltteerr eexxpprreessssiioonn]

DDEESSCCRRIIPPTTIIOONN
       nnttoopp shows the current network usage. It displays  a  list
       of  hosts that are currently using the network and reports
       information concerning the (IP and non-IP) traffic  gener
       ated by each host.  nnttoopp can be started either in a termi
       nal window (see iinnttoopp ) or in  web  mode.  In  the  latter
       case, a web browser is needed to use the program.



CCOOMMMMAANNDD--LLIINNEE OOPPTTIIOONNSS
       --cc
        By  default  idle hosts are periodically purged from mem
        ory. Use this flag  to  prevent  idle  hosts  from  being
        purged  from memory. NOTE: if idle hosts are kept in mem
        ory you can experience severe memory usage.


       --EE
        By default ntop does not take advance of  lsof/nmap  even
        if  present. Use this flag if you want make ntop aware of
        such tools (if present).


       --RR
        Specifies the filter rules  used  by  ntop  for  emitting
        alerts  and  warnings when the traffic matches the speci
        fied rules. Shall you need further details  about  filter
        rules, please refer to ntop-rules (8) man page.


       --rr
        Specifies  the  delay (in seconds) between screen updates
        (the default is 3 seconds). If the -l flag  is  used,  it
        specifies  how  often entries are logged in the log file.
        Please note that if the delay is very short (1 second for
        instance), ntop might not be able to process all the net
        work traffic.






                            July 2001                           1





       --ff
        Specifies the file containing  tcpdump  captured  traffic
        that has to be used by ntop. Note: if you specify -f ntop
        will not capture any traffic  after  the  file  has  been
        read. This option is mostly used for debug purposes.


       --NN
        Forces ntop not to use nmap (if it is installed).


       --MM
        Forces  ntop  not  to  merge network interfaces together.
        This means that ntop will  collect  statistics  for  each
        interface and will not merge data together.


       --qq
        Forces   ntop   to   create   a   file   ntop-suspicious-
        pkts.XXX.pcap (XXX is the interface name) for  each  net
        work  interface  where are stored suspicious packets. The
        file is in pcap format (tcpdump).


       --nn
        This causes nnttoopp to show numeric IP addresses instead  of
        the  symbolic  names. This option can useful when the DNS
        is not present or quite slow.  You can toggle the address
        format (numeric vs. symbolic) by pressing the nn key while
        nnttoopp is running.


       --pp
        It is used to specify the  TCP/UDP  protocols  that  nnttoopp
        will  monitor.  The  format is <label>=<protocol list> [,
        <label>=<protocol list>], where label is used to symboli
        cally identify the <protocol list>. The format of <proto
        col list> is <protocol>[|<protocol>], where <protocol> is
        either  a  valid  protocol specified inside the /etc/ser
        vices  file  or  a  numeric  port  range  (e.g.  80,   or
        6000-6500).  If  the  -p  flag  is  omitted the following
        default      value      is      used:       "FTP=ftp|ftp-
        data,HTTP=http|www|https,DNS=name|domain,Telnet=tel
        net|login,NBios-IP=netbios-ns|netbios-dgm|netbios-
        ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-
        trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-sta
        tus,X11=6000-6010,SSH=ssh".  If  the  <protocol  list> is
        very long you may store in a file  (for  instance  proto
        col.list)  the  value  of the <protocol list> and specify
        the file name instead of the <protocol  list>  (in  above
        example you will invoke 'ntop -p protocol.list').
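A -p value is easy to mistype, and a malformed label or an unknown service name is better caught before ntop is started. The following parser is an added example written for this page, not code from the ntop distribution: it resolves each <protocol> token to an inclusive port range, rejects empty or duplicate labels and out-of-range ports, and mirrors the man page's rule that the argument may instead name a file holding the list. The SERVICES table is a constructed subset of /etc/services so the example runs offline; a real tool would read the file itself.

```python
"""Validator for ntop's -p protocol list (added example, not ntop code).

Format from the man page: <label>=<protocol list>[,<label>=<protocol list>],
with <protocol list> being <protocol>[|<protocol>] and each <protocol> either
a service name from /etc/services or a numeric port or port range such as
80 or 6000-6500. SERVICES below is a constructed subset of /etc/services so
the example runs offline; a real tool would read the file.
"""
import os
import re

# Constructed subset of /etc/services: service name -> port number.
SERVICES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "smtp": 25,
    "name": 42, "domain": 53, "http": 80, "www": 80, "pop-3": 110,
    "nntp": 119, "imap": 143, "snmp": 161, "snmp-trap": 162, "https": 443,
    "login": 513,
}

# A bare port (80) or an inclusive range (6000-6500).
PORT_RANGE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def load_protocol_spec(arg):
    """Mirror the man page rule: if the -p argument names a file, the file
    content is the protocol list; otherwise the argument itself is."""
    if os.path.isfile(arg):
        with open(arg, encoding="ascii") as fh:
            return fh.read().strip()
    return arg


def parse_protocol(token, services=SERVICES):
    """Resolve one <protocol> token to an inclusive (low, high) port tuple."""
    token = token.strip()
    match = PORT_RANGE.match(token)
    if match:
        low = int(match.group(1))
        high = int(match.group(2)) if match.group(2) else low
        if not 0 <= low <= high <= 65535:
            raise ValueError(f"bad port range: {token!r}")
        return (low, high)
    if token in services:
        return (services[token], services[token])
    raise ValueError(f"unknown service name: {token!r}")


def parse_protocol_list(spec, services=SERVICES):
    """Parse a whole -p value into {label: [(low, high), ...]} in the order
    the labels were given. Empty labels, empty lists and duplicate labels
    are rejected so a typo such as "HTTP=" does not silently monitor nothing.
    """
    result = {}
    for entry in spec.split(","):
        label, sep, protocols = entry.partition("=")
        label = label.strip()
        if not sep or not label:
            raise ValueError(f"expected <label>=<protocol list>, got {entry!r}")
        if label in result:
            raise ValueError(f"duplicate label {label!r}")
        ranges = [parse_protocol(p, services)
                  for p in protocols.split("|") if p.strip()]
        if not ranges:
            raise ValueError(f"no protocols listed for {label!r}")
        result[label] = ranges
    return result


def is_valid_protocol_list(spec):
    """True if spec parses; handy as a pre-flight check in a wrapper script."""
    try:
        parse_protocol_list(spec)
        return True
    except ValueError:
        return False


def label_for_port(parsed, port):
    """Return the first label whose ranges contain port, or None."""
    for label, ranges in parsed.items():
        if any(low <= port <= high for low, high in ranges):
            return label
    return None


if __name__ == "__main__":
    spec = load_protocol_spec("FTP=ftp|ftp-data,HTTP=http|www|https,X11=6000-6010,SSH=ssh")
    parsed = parse_protocol_list(spec)
    for label, ranges in parsed.items():
        print(f"{label}: {ranges}")
    print("port 6005 ->", label_for_port(parsed, 6005))
```

Run it as a script to see the parsed ranges; label_for_port shows which label a given port would be accounted under, which is the same first-match question a reader of the web views has to answer when two labels overlap.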






       --ii
        Specifies  the network interface used by nnttoopp If multiple
        interfaces are used (this feature is  available  only  if
        ntop  is  compiled  with  thread support) they have to be
        separated with a comma. For instance -i "eth0,lo".  Traf
        fic  information obtained by all the interfaces is merged
        together as if the traffic would have  been  produced  by
        one interface. Use the -M flag for not merging traffic.


       --ee
        Is  the  maximum number of HTML table rows that nnttoopp will
        display.


       --ww
        nnttoopp sports and embedded web server  so  that  users  can
        attach  their  web  browsers  to  the  specified port and
        browse traffic information remotely. Supposing  to  start
        nnttoopp  at  the port 33000000 (default port), the URL to access
        is http://hostname:3000/. Users and URLs to protect  with
        passwords  are  stored  in  a  database  file. By default
        user/URL administration are accessible  uniquely  by  the
        user aaddmmiinn with password aaddmmiinn Passwords are stored in an
        encrypted form into the database  for  further  security.
        Please  note  that  an HTTP server is NOT needed but it's
        embedded into the application. If -w is set to 0 the HTTP
        port will not be enabled ('-w 0' is accepted only if nnttoopp
         has been compiled with HTTPS support and  nnttoopp  has  not
        been  started with '-W 0' [see below]).  You can also use
        the IP:Port notation to bind ntop to  the  specified  IP-
        Address, e.g.  --ww 112277..00..00..11::33000000


       --WW
        If  nnttoopp  has  been  compiled  with  HTTPS  support  (via
        OpenSSL), this flag can be used to  set  the  HTTPS  port
        (default 33000011 ). If the user specifies '-W 0', HTTPS sup
        port is disabled. Some examples: 1.  nnttoopp --ww  8800  --WW  444433
        (both  HTTP  and HTTPS have been enabled at their default
        ports) 2.  nnttoopp --ww 00 --WW 444433 (HTTP disabled, HTTPS enabled
        at the default port).  You can also use the IP:Port nota
        tion to bind ntop to the specified IP-Address,  e.g.   --ww
        112277..00..00..11::33000011



       --dd
        This  flag  causes  ntop  to  become a daemon, i.e. it is
        started in background and detached from the terminal.


       --SS
        Use this flag for telling ntop to save information  about



                            July 2001                           3





NTOP(8)                                                   NTOP(8)


        host  traffic  on  shutdown.  Valid values are: 0 = don't
        store hosts, 1 = store all hosts, 2 =  store  only  local
        hosts.  This  flag allows ntop not to loose traffic stats
        across multiple ntop sessions. Please note that  informa
        tion about TCP session is (obviously) lost.


       --PP
        This  allows  to  specify  where db-files are searched or
        created (default "."). In addition DBPATH/html  is  added
        to the searchlist for the WEB-files


       --mm
        This flag allows users to specify the subnets whose traf
        fic  is  considered  local.  The   format   is   <network
        address>/<#  subnet mask bits>[,<network address>/<# sub
        net        mask        bits>].        For        instance
        "131.114.21.0/24,10.0.0.0/255.0.0.0".
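The -m list decides which hosts the web views count as "local", so the example value above is worth reading closely: the first subnet gives the mask as a prefix length and the second as a dotted quad. The following classifier is an added example written for this page, not ntop code; it parses both mask forms with Python's standard ipaddress module (which accepts either notation) and then labels a source/destination pair with the same four directions used in the WEB VIEWS section later on this page. The sample flows are constructed.

```python
"""Classifier for ntop's -m local subnet list (added example, not ntop code).

Format from the man page: <network address>/<# subnet mask bits>[,...].
The page's own example "131.114.21.0/24,10.0.0.0/255.0.0.0" shows that the
mask may be a prefix length or a dotted-quad mask; ipaddress.ip_network
accepts both. The direction labels follow the web views described in the
man page (local to remote, remote to local, local to local).
"""
import ipaddress


def parse_local_subnets(spec):
    """Parse the -m string into a list of IPv4Network objects.

    strict=False tolerates host bits set in the address (e.g. 10.1.2.3/8),
    which is a common way to write these lists; strict=True would reject it.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "/" not in item:
            raise ValueError(f"missing subnet mask in {item!r}")
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_local(addr, local_nets):
    """True if addr falls inside any of the configured local subnets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)


def classify_direction(src, dst, local_nets):
    """Return one of local-to-local, local-to-remote, remote-to-local or
    remote-to-remote for a packet from src to dst."""
    s = "local" if is_local(src, local_nets) else "remote"
    d = "local" if is_local(dst, local_nets) else "remote"
    return f"{s}-to-{d}"


if __name__ == "__main__":
    nets = parse_local_subnets("131.114.21.0/24,10.0.0.0/255.0.0.0")
    print("local subnets:", [str(n) for n in nets])
    # Constructed sample flows (src, dst) using documentation address ranges.
    samples = [("131.114.21.5", "10.2.3.4"), ("131.114.21.5", "192.0.2.7"),
               ("192.0.2.7", "10.9.9.9"), ("192.0.2.7", "198.51.100.1")]
    for src, dst in samples:
        print(f"{src} -> {dst}: {classify_direction(src, dst, nets)}")
```

Note that remote-to-remote traffic can only appear on a sensor that sees transit traffic (for example a span port on a router); on a host inside one of the listed subnets, seeing it usually means the -m list is incomplete.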


       --aa
        By   default   nnttoopp   logs  HTTP  accesses  in  the  file
        ntop.access.log in the current directory. Use  this  flag
        to  specify the path of the file where HTTP accesses will
        be logged. Each log entry is in  Apache-like  style.  The
        only  difference  between Apache and nnttoopp is that .B ntop
        added a new column has been added. Such  column  contains
        the  time  (in milliseconds) that ntop needed in order to
        serve the request.
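Because the log keeps an Apache-like layout, the usual log tooling applies, and the extra millisecond column makes it possible to see which views are expensive to serve and which clients keep failing authentication against password-protected URLs. The reader below is an added example written for this page, not ntop code. Its line layout (Apache common log format with the millisecond column appended at the end) is an assumption about how ntop writes the file, and SAMPLE_LOG and its URLs are constructed; adjust LOG_RE if your build's format differs.

```python
"""Reader for ntop's HTTP access log (added example, not ntop code).

The man page says each entry is Apache-like with one extra column: the
time in milliseconds ntop needed to serve the request. The exact layout
is an assumption here (Apache common log format with that column
appended), and SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter

# Assumed layout: host ident user [time] "request" status bytes ms
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\d+|-) (?P<ms>\d+)$'
)

# Constructed sample entries; the URLs are illustrative, not ntop's real pages.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Jul/2001:10:00:01 +0200] "GET / HTTP/1.0" 200 5120 12
192.0.2.10 - - [12/Jul/2001:10:00:02 +0200] "GET /hosts.html HTTP/1.0" 200 20480 431
198.51.100.7 - - [12/Jul/2001:10:00:05 +0200] "GET /admin.html HTTP/1.0" 401 0 3
198.51.100.7 - - [12/Jul/2001:10:00:06 +0200] "GET /admin.html HTTP/1.0" 401 0 2
198.51.100.7 - - [12/Jul/2001:10:00:07 +0200] "GET /admin.html HTTP/1.0" 401 0 2
198.51.100.7 - admin [12/Jul/2001:10:00:09 +0200] "GET /admin.html HTTP/1.0" 200 1800 8
192.0.2.10 - - [12/Jul/2001:10:00:20 +0200] "GET /matrix.html HTTP/1.0" 200 90000 2750
this line is not in the expected format
"""


def parse_line(line):
    """Return a dict for one entry, or None if the line does not match."""
    match = LOG_RE.match(line.rstrip("\n"))
    if not match:
        return None
    entry = match.groupdict()
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["ms"] = int(entry["ms"])  # the column ntop adds to the Apache format
    return entry


def parse_log(text):
    """Parse all lines, skipping ones that do not match the assumed layout."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def slow_requests(entries, threshold_ms=1000):
    """Entries that took at least threshold_ms to serve: the views that are
    expensive to generate on a busy sensor."""
    return [e for e in entries if e["ms"] >= threshold_ms]


def auth_failure_hosts(entries, min_failures=3):
    """Hosts with at least min_failures 401 responses, i.e. repeated failed
    logins against password-protected URLs. Worth alerting on, given that
    the default admin/admin credentials documented above are well known."""
    counts = Counter(e["host"] for e in entries if e["status"] == 401)
    return {host: n for host, n in counts.items() if n >= min_failures}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(f"parsed {len(entries)} entries")
    for e in slow_requests(entries):
        print("slow:", e["host"], e["request"], e["ms"], "ms")
    print("repeated 401s:", auth_failure_hosts(entries))
```

Point parse_log at the contents of the file given with -a (or ntop.access.log in the working directory) to run the same two checks on a real log.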


       --bb
        Exports nnttoopp traffic information into a SQL database. The
        flag  specifies  (in  http-like  host format) the address
        (IP:port) of a SQL client. The database/  directory  part
        of  ntop contains a few clients. Please use one of those.


       --gg
        Exports nnttoopp traffic  information  in  Cisco  NetFlow  V5
        (http://www.cisco.com/warp/pub
        lic/cc/pd/iosw/ioft/neflct/tech/napps_wp.htm) format. The
        flag  specifies  (in  http-like  host format) the address
        (IP:port) of a NetFlow client such as ftp://ftp.net.ohio-
        state.edu/users/maf/cisco/.


       --uu
        Specifies  the  user nnttoopp should run as after it initial
        izes. The value specified may be either a username  or  a
        numeric  user  id.  The group id used will be the primary
        group of the user specified.




       --ll
        Dumps the network traffic captured by ntop in a  file  in
        pcap format (useful for debug).


       --UU
        It  specifies the UTR of the mapper.pl utility (it's part
        of the ntop  distribution  [see  www/Perl/mapper.pl]  for
        displaying host location.


       --tt
        This flag specifies the level of nnttoopp tracings on stdout.
        The trace level ranges between 0 (no trace) and  5  (full
        debug tracings). The default trace value is 3. The higher
        is the trace level  the  more  information  are  printed.
        Trace  level  1 is used to print errors only, level 2 for
        both warnings and errors, and so on.


       --FF
        It is used to specify network flows similar to more  pow
        erful  applications  such as NeTraMet. A flow is a stream
        of captured packets that match a specified rule. The for
        mat   is   <flow-label>='<matching   expression>'[,<flow-
        label>='<matching expression>'], where the label is  used
        to  symbolically  identify  the  flow  specified  by  the
        expression. The expression format  is  specified  in  the
        appendix.  If an expression is specified, then the infor
        mation concerning flows can  be  accessed  following  the
        HTML link named 'List NetFlows'.  For instance suppose to
        define two flows with  the  following  expression  "Luca
        Hosts='host         jake.unipi.it         or         host
        pisanino.unipi.it',GatewayRoutedPkts='gateway       gate
        way.unipi.it'".  All  the  traffic sent/received by hosts
        jake.unipi.it or pisanino.unipi.it is collected  by  nnttoopp
        and  added  to the LucaHosts flow, whereas all the packet
        routed by the gateway gateway.unipi.it are added  to  the
        GatewayRoutedPkts  flow.  If  the flows list is very long
        you may store in a file  (for  instance  flows.list)  the
        list  of  flows  and specify the file name instead of the
        flows list (in above example you  will  invoke  'ntop  -F
        flows.list').
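Unlike the -p list, each -F entry carries a single-quoted tcpdump expression, so the list cannot simply be split on commas: a comma inside the quotes belongs to the expression. The parser below is an added example written for this page, not ntop code; it walks the string, enforces the quoting, and returns the (label, expression) pairs in order, leaving the expressions themselves untouched since ntop hands them to libpcap. The extra spec in the test with a comma inside the quotes is constructed to show the splitting rule, not to be a meaningful filter.

```python
"""Parser for ntop's -F flow list (added example, not ntop code).

Format from the man page:
    <flow-label>='<matching expression>'[,<flow-label>='<matching expression>']
The expression is single-quoted, so a comma inside the quotes is part of
the expression and must not split the list; this parser walks the string
instead of calling split(","). The expressions are tcpdump-style filters
and are returned untouched (ntop passes them on to libpcap).
"""


def parse_flow_list(spec):
    """Return an ordered list of (label, expression) pairs, rejecting
    empty labels or expressions, unquoted expressions, duplicate labels
    and a trailing comma."""
    flows = []
    seen = set()
    i, n = 0, len(spec)
    while i < n:
        eq = spec.find("=", i)
        if eq == -1:
            raise ValueError(f"missing '=' after position {i}")
        label = spec[i:eq].strip()
        if not label or "'" in label:
            raise ValueError(f"bad flow label {label!r}")
        if eq + 1 >= n or spec[eq + 1] != "'":
            raise ValueError(f"expression for {label!r} must be single-quoted")
        close = spec.find("'", eq + 2)
        if close == -1:
            raise ValueError(f"unterminated expression for {label!r}")
        expr = spec[eq + 2:close].strip()
        if not expr:
            raise ValueError(f"empty expression for {label!r}")
        if label in seen:
            raise ValueError(f"duplicate flow label {label!r}")
        seen.add(label)
        flows.append((label, expr))
        i = close + 1
        if i < n:
            if spec[i] != ",":
                raise ValueError(f"expected ',' at position {i}, got {spec[i]!r}")
            i += 1
            if i == n:
                raise ValueError("trailing ',' with no flow after it")
    return flows


def is_valid_flow_list(spec):
    """True if spec parses to at least one flow."""
    try:
        return len(parse_flow_list(spec)) > 0
    except ValueError:
        return False


if __name__ == "__main__":
    # The man page's own example, joined onto one line.
    spec = ("LucaHosts='host jake.unipi.it or host pisanino.unipi.it',"
            "GatewayRoutedPkts='gateway gateway.unipi.it'")
    for label, expr in parse_flow_list(spec):
        print(f"{label}: {expr}")
```

The same rule applies to a flows.list file: read its contents and pass the string to parse_flow_list before starting ntop with it.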




       ffiilltteerr eexxpprreessssiioonn
        nnttoopp  ,  similar  to  what  tcpdump does, allows users to
        specify an expression that restricts the type of  traffic
        handled  by  nnttoopp  hence  to  select  only the traffic of
        interest. For instance, suppose to be interested only  in
        the traffic generated/received by the host jake.unipi.it.
        nnttoopp can then be started with the following filter: 'ntop



                            July 2001                           5





NTOP(8)                                                   NTOP(8)


        src  host  jake.unipi.it  or dst host jake.unipi.it'. See
        the ttccppdduummpp man page for further information  about  this
        topic.



WWEEBB VVIIEEWWSS
       While nnttoopp is running, multiple users can access the traf
       fic information using conventional web browsers. The  main
       HTML page, is divided is two frames. The left frame allows
       users to select the traffic view that will be displayed in
       the  right  frame. Available sections are: sort traffic by
       data sent, sort traffic by data received, traffic  statis
       tics,  active hosts list, remote to local (i.e. inside the
       subnet defined for the network board from which  the  pro
       gram is currently sniffing) IP traffic, local to remote IP
       traffic, local to local IP traffic,  list  of  active  TCP
       sessions, IP protocol distribution statistics, IP protocol
       usage, IP traffic matrix.


NNOOTTEESS
       nnttoopp is based on the libpcap library that can be found  at
       http://www.tcpdump.org/.  The  Win32  version makes use of
       libpcap  for   Win32   that   can   be   downloaded   from
       http://www.netgroup.polito.it/WinPcap/install/).

SSEEEE AALLSSOO
       iinnttoopp(1),  nnttoopp--rruulleess(8),  ttoopp(1),  nnggrreepp(8),  ttccppdduummpp(8).
       nneettrraammeett(http://www.auckland.ac.nz/net/Account
       ing/ntm.Release.note.html).

AAUUTTHHOORR
       Please   send   bug  reports  to  the  ntop  mailing  list
       <ntop@ntop.org>.    ntop's    author    is    Luca    Deri
       <deri@ntop.org>.




















