Fitting ntop into Networks
The ntop tool provides some risk analysis reporting by flagging hosts and traffic that could potentially be considered hostile. Duplicated MAC addresses, port zero traffic, network masking issues, and too much traffic on ports and hosts are a few of the problems networks face. This traffic is analyzed; flagged and categorized as no, medium, or high risk; and then associated with the offending host.
While ntop provides some useful information relating to possible security risks, its power and flexibility lies with its ability to sort, analyze, and graph network traffic according to many protocols. Once traffic is observed for some time, ntop is able to report network usage statistics and graphs and then provide network flows based upon its encounters. A few of its key features are listed here, and many more can be found at the ntop.org Web site.
- Store permanent traffic statistics in RRD graph format
- Passively identify host OSes
- Analyze and sort traffic by source and destination
- Report IP protocol by types
Platforms that are supported include UNIX (Linux, BSD, Solaris, and MacOSX) and all Windows versions, from Windows 95 to Vista. One of the best features of ntop is the lack of overhead required to run it. Generally, CPU and memory requirements are very nominal. Depending on the size of networks you want to monitor, CPU load can be less than 10 percent of the normal work load and should operate smoothly with 256MB of memory.
Switched Networks vs. Non-switched Networks
Before you install ntop on a host machine, you must decide what host you are going to select as your monitoring station. You can only use this tool on a subnet basis, which means if you have multiple subnets within your organization, you will have to install an instance of ntop to monitor each subnet location. In a switched environment, ntop can monitor only the segment of that particular network that the host is connected to. Therefore, ntop isn't able to jump across router points.
Also, many switches won't easily allow ntop to view traffic. If you discover ntop is not sniffing out traffic as accurately as you think it should, you'll need to turn to your switch manufacturer for support on port mirroring. Many 3Com switches incorporate a technology called "roving analysis," or port mirroring. When you activate this on a specific switch port, all incoming and outgoing traffic on the switch can be captured through the monitoring port. This is the perfect port to plug ntop into so it can view all traffic, missing virtually zero packets. If you're using only hubs—not managed switches— then you need not worry about this problem.
If you're in the market for a new network switch and also want to start tracking network statistics, make sure you check that any new switches you plan to purchase have this option. Beware of the 3Com 4200 series switches; they do not have roving analysis capabilities.
Source downloads and installation instructions can be found on ntop.org. You can find ntop packaged as an RPM for RHEL and CentOS at Dag Wieer's third-party repository. If you want a lot of the extra graphs and charts options, there are a couple of package requirements that I've found: GD graphics and Graphviz libraries. Graphviz, which can also be found in Dag's repository, has its own set of dependencies.
I suggest using CentOS and setting up the repository on the system. This setup will allow the use of the package tool yum, which will satisfy all of these dependencies automatically. All questions about using these repositories can be answered on the FAQ section of the Web site. Other CentOS-specific repository questions are addressed on the CentOS wiki.
Once you get these items configured, installation should be a trivial matter:
If many of the dependent packages are missing, yum will retrieve them from the appropriate locations and install them.
Configuration takes only a few minutes to complete, and then you can start using ntop. If you're not using the RPM installation on RHEL/CentOS, then substitute the appropriate commands. Turn on the service and allow ntop to run through its configuration process. You'll be prompted to enter an admin password to use with the Web interface.
Doing this will install all the necessary service files to their locations, and it will also start the service. You'll need to kill this session since you're going to be using it as a service. Hit Ctrl+C to end the process and then start the service using the appropriate command.
# service ntop status
ntop (pid 22848) is running...
That completes configuration.
By default, ntop runs on port 3000, which you can change if necessary. Also by default, ntop allows all users access to the Web interface, but it does not allow configuration changes to be made unless you authenticate with the password that you created in the setup portion of installation. You can change this behavior in the admin section within the Web interface. Bring up a Web browser and browse to your instance at http://hostname:3000.
To change the settings for allowing access to the Web interface, go to the Admin panel:
Admin -> Configure -> Protect URLs
Delete all of the default-configured URLs and then click the Add URL link. Do not enter any characters into the URL box, highlight the admin user, and then select Add URL. This creates a wildcard link as http://hostname:3000/*, which protects all pages from being accessed without the user name and password. If you don't mind others being able to Web browse to view statistics, leave these settings at their default values.
The Summary tab provides the default page as the global traffic statistics view. This page contains global traffic reports that the network adapter has discovered, global protocol distribution reports, and traffic port distribution charts. Under the Summary tab, you can find reports on a per-host basis. Lastly, basic network load statistics are broken down by 10 minute, 1 hour, 1 day, and 1 month intervals provided in the graphs.
The All Protocols tab provides detailed information broken down into specific protocols. Under the traffic page, you can find all data sent and received per host that is categorized.
Located under the IP tab, you can see reports for all Internet domain traffic used and host reports with data categorized by type. For instance, a host shows FTP, HTTP, DNS, Telnet, SNMP, SSH, and many others displayed by bandwidth use. One of the most useful maps I've found is under the Local -> Network Traffic Map page. It displays the current view of how traffic is flowing on your network. Another useful report is the IP -> Summary -> Distribution page, featured below.
Figure 1: You can find a local traffic report at IP -> Summary -> Distribution. (Click image to enlarge.)
The Plugins tab gives you the ability to add in features such as ICMP Watch, Cisco NetFlow reports, and much more. There is also a PDA plug-in available if you would like minimal reports displayed on PDA devices.
Add ntop to Your Network Arsenal
The options and information ntop provides are far more than I am able to demonstrate. Get an instance running and explore all of its features for yourself; I don't think you'll be disappointed. The nicest thing about ntop is the ease of implementing it into networks. It will quickly become a tool you can utilize to gain extremely detailed reporting about network usage and bandwidth. For the monitoring junkies, here's yet another tool to satisfy those watchdog addictions.