Where TOP shows you the CPU usage, NTop does the trick for the current network usage. It displays a list of hosts that
are currently using the network and reports information concerning the (IP and non-IP) traffic generated by each of them.
NTop can be started either in a terminal window (by using intop) or in web mode. In the latter case, a web browser
is needed to use the program.
NTop can also be used in conjunction with MySQL to achieve a full registration of all traffic, which could be useful
as a base for your self-made applications. In those cases we could think about user limits or warning systems in case
weird packets appear in the network.
Type at the command-line :
#> chown -R nobody. /usr/share/ntop
Type :
#> /usr/sbin/ntop -P /usr/share/ntop -u nobody -A
(and enter a password of your own choosing; you will be asked to confirm it as well)
Edit the file /etc/rc.d/init.d/ntop (under the heading start, around line 25, the default is "-u ntop"; replace this with "-u nobody").
You could also add -w portnumber if you want the web interface on a port other than 3000.
Start with
#> /etc/rc.d/init.d/ntop start
or
#> service ntop start
Start NTop automatically during boot:
#> ln -s /etc/rc.d/init.d/ntop /etc/rc7.d/S88ntop
How it works
Once NTop is installed and started you can open a web browser and enter your server address with the port number (default 3000) attached to it, like:
http://192.168.1.1:3000 or http://www.mybestdomain.com:3000. A screen will
open; it needs some time before it becomes clear what kind of information is logged.
This screen can also be seen from the internet, so it wouldn't be the best thing to leave the port number at 3000;
choose a number that is less easy to guess. The reason is of course a little higher security. The Tips section
below shows how to make NTop show its data to the inside of the network only.
Expand to MySQL (optional and buggy)
Before you start on this section, be smart and read the information found at this link:
http://lists.ntop.org/pipermail/ntop/2002-April/001658.html
There you can read that there is a problem with the option -b and that it causes segmentation
errors in NTop.
After intensive searching for solutions we can only conclude that there are none yet. NTop works, but for some reason
that can't be pinpointed it simply crashes, and the perl script then keeps filling up your buffer on its own. Which
isn't a good thing for the CPU usage, of course.
Download the following 2 files, mySQLdefs.txt and mySQLserver.pl, and place them in the
directory /usr/share/ntop
The best thing to do is wget http://members.home.nl/timothee/ntop/mySQLserver.pl to prevent trouble with Windows.
Create the database NTOP in MySQL:
#> mysqladmin create NTOP
Import the structure for NTOP in MySQL:
#> mysql NTOP < /usr/share/ntop/mySQLdefs.txt
Make a special 'user' in MySQL to place/correct/erase the data:
#> mysql
mysql> grant all on NTOP.* to NTOP@localhost identified by 'NTOP';
mysql> exit
Starting the perl script to import the data:
#> perl /usr/share/ntop/mySQLserver.pl > /dev/null &
Adjust the NTop start script in /etc/rc.d/init.d/ntop around line 25:
Place the parameter "-b localhost:4000" at the end of the start command line. Port 4000 is also used in the perl script;
only replace it when you know exactly what you are doing.
Now NTop has to prove itself, so let's do the procedure found in the previous section at item 7.
Tips
To make use of SSL (Secure Sockets Layer) we have to correct something from the installation.
Place /usr/sbin/ntop-cert.pem in the directory /etc (cp /usr/sbin/ntop-cert.pem /etc)
To activate the SSL port you need to add the parameter "-W 4300" (sample port) in the file
/etc/rc.d/init.d/ntop around line 25.
To keep data logging-totals after shutting down NTop we need the parameter "-S 1" in /etc/rc.d/init.d/ntop
at the command-line (around line 25).
To prevent detected hosts from being erased after they are switched off or become idle in another way, we need to add the parameter
"-c" at the command-line in /etc/rc.d/init.d/ntop around line 25.
To turn /etc/rc.d/init.d/ntop into a script that is more useful for starting NTop AND the MySQL script without extra
hassle, you can download a corrected version as ntop-mysql
You only need to place this file in the directory /etc/rc.d/init.d as ntop. You also need to make a small
adjustment to the perl script:
#> chmod 550 /usr/share/ntop/mySQLserver.pl
To avoid becoming an easy target/victim for hackers and other strange iNet-abusers, we can easily adjust NTop
to a situation where it only shows the data to the 'inside' of the network.
This can be done with the parameter "-w 192.168.1.1:3000" and for SSL "-W 0".
In this case we expect that the IP number is the same as that of the server and the port number is the default we used
so far, or change it to your own choice. This parameter has to be added to the same command-line in
/etc/rc.d/init.d/ntop, of course.
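The check below is an added example, not part of the original howto: it reads an ntop start line and reports whether the -w and -W listeners are limited to an internal address, as the tip above describes. The function names are hypothetical, and it assumes that -W accepts the same address:port form as -w and that no SSL port is opened when -W is absent.

```shell
#!/bin/sh
# Added example, not part of the howto: check which addresses an ntop start
# line exposes. Function names are hypothetical; flag meanings follow the howto.

is_internal() {   # loopback or RFC 1918 private address?
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

listener() {      # $1 = label, $2 = value given to -w or -W
    case "$2" in
        *:*) addr=${2%:*}
             if is_internal "$addr"; then echo "$1 internal $addr"; return 0; fi
             echo "$1 exposed $addr"; return 1 ;;
        *)   echo "$1 exposed all-interfaces"; return 1 ;;
    esac
}

check_ntop_args() {   # $1 = the complete ntop command line
    http=3000         # howto: web port when -w is absent
    https=0           # assumption from the howto: no SSL port unless -W is set
    set -f; set -- $1; set +f      # split into words without globbing
    while [ $# -gt 0 ]; do
        case "$1" in
            -w) [ $# -ge 2 ] || break; http=$2; shift ;;
            -W) [ $# -ge 2 ] || break; https=$2; shift ;;
        esac
        shift
    done
    rc=0
    listener web "$http" || rc=1
    if [ "$https" = 0 ]; then
        echo "ssl disabled"
    else
        listener ssl "$https" || rc=1   # assumption: -W takes address:port like -w
    fi
    return $rc
}

# Constructed sample lines: the howto's restricted form, then a wide-open one.
check_ntop_args "/usr/sbin/ntop -P /usr/share/ntop -u nobody -w 192.168.1.1:3000 -W 0"
check_ntop_args "/usr/sbin/ntop -P /usr/share/ntop -u nobody -W 4300" || true
```

The function returns non-zero when a listener is reachable on every interface or on a non-private address, so it can be run against the start line in /etc/rc.d/init.d/ntop after each edit.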
Disclaimer
Use this howto at your own risk! Although we tested everything several times without the occurrence of any strange errors,
we cannot 100% guarantee it won't harm your server. The authors of this howto and the host
Minddigger.com can't be held responsible for any damage caused by the usage of this howto.
If you have any comments, feel free to mail to howto@minddigger.com