
List:       ntop
Subject:    RE: [Ntop] Monitoring traffic internet
From:       "Nigel Brodt-Savage" <nbrodt_savage () ntlworld ! com>
Date:       2002-01-31 19:17:42
Message-ID: 000701c1aa8b$f788fa90$c801a8c0 () vimes

This depends on your LAN; you've not given any information about your
setup at all, so I'll describe the way I use Ntop. Hopefully that will
give you some clues.

As the LAN at work is almost all a switched environment I don't think I
can actually monitor the entire LAN. Switches channel data from their
source to their destination: data going from A to B via switch X, where
A is connected to port 1 and B is connected to port 2, will only be seen
on port 1 ( the port receiving ) and port 2 ( the port that the
destination host is connected to ).

Unlike hubs, which merely broadcast the data onto all of the ports on
that hub ( bad explanation I know, and my apologies if you already know
this, but you've not given any indication as to how knowledgeable you are
on networking ). What I have done however is set up NTOP to monitor
traffic coming and going via our default gateway; this will monitor any
data that goes through the default gateway / router.

As our default gateway is also our router to the rest of the global WAN this
tells me quite a lot.

1) What web pages and internet traffic ( e.g. instant messenger programs
such as MSN Messenger, ICQ and Yahoo chat, FTP, IRC )

2) Which external hosts are connecting to my computers on our LAN; for
tracking down viruses such as funlove, Qaz and Nimda this is invaluable

3) Stats as to the percentage of data going across the router, e.g. how much
of the data is HTML pages, FTP, Netbios, ARP requests and such.

I run three instances of ntop, one to monitor all traffic

	ntop -u ntop_user -w 2000 -i eth1 -d -P /tmp/ntop-general -E

One to monitor all web traffic

	ntop -u ntop_user -w 2001 -i eth1 -d -P /tmp/ntop-web -E src port 80 or dst port 80

and one to monitor all netbios connections 

	ntop -u ntop_user -w 2002 -i eth1 -d -P /tmp/ntop-nbios -E dst port 135 or dst port 136 or dst port 137 or dst port 138 or dst port 139 or src port 135 or src port 136 or src port 137 or src port 138 or src port 139

Breakdown of the options:

	-u ntop_user 

Determines which user you run ntop under ( you can start it as root but
letting it run as root is a security issue, better off to create a
dedicated user and use the -u switch to tell ntop to use that user, in
this example the username in question is ntop_user )

	-w 2000

Port number that you connect to, to see the statistics and web based
interface. As I run three instances I can't run them all on the same
port; I also prefer not to use the default port for security reasons (
although a simple portscan is going to show which port is in use ).

	-P /tmp/ntop-general

Defines where ntop stores its temporary and working files; as ntop locks
these files you have to specify a different directory for each instance
you run.

	-E

Allow use of Nmap and lsof. lsof allows you to view connections and
sessions on the machine that's running ntop. I have to admit I don't use
that much; also not sure how ntop uses nmap, but then I haven't bothered
to RTFM.

	-d 

Run as daemon, so I can get on with any other work on that console.

	-i eth1

As my linux box has two network interface cards I tell NTOP to listen on
eth1 ( which is connected to the mirror port I set up on the main switch
that handles the routers and servers ); if you only have one NIC then
use -i eth0 ( or whatever ethx number is used ).

To monitor a router, you need a switch that can "mirror" data going to
one port, or MAC ID, to another. This is called port mirroring ( although
other switch makers have different names for it ); you simply set up a
mirror that sends all traffic going to and from the MAC ID of the router
to a certain port ( I use port 12 on a Baystack 450 switch, but this is
up to you and perhaps dependent on the switch you use ).

My linux box has two NICs; I run a cable from the 2nd NIC ( eth1 ) to
the monitoring port I set up on the switch. The other
NIC is used for all other traffic. Eth1 doesn't have an IP address.

If you don't use switches in your LAN environment you don't have to do
this; just run NTOP as normal and you'll see all
traffic on your LAN. ( the options passed to NTOP don't change )

Note, this example runs on linux; other OSes such as BSD and HP-UX use
different identifiers for their ethernet cards.

netstat -in will list all ethernet cards in your machine.

I find that between ntop and NT event logs ( turn on auditing on your
servers and some desktops so that it logs all logons, successful or
failed ) I can pretty much track most network scanner virus attacks (
such as funlove, qaz, nimda ). NTOP has alerted me to at least 5
potential outbreaks, all of which were caught before the situation got
completely out of hand.

I also use it to monitor webpage usage, although we're not that strict
at work. ( also, as NTOP only reports the IP address and MAC of the
computer requesting the page I can't easily tie it down to a user, just a
machine at a certain time ).

All in all NTOP is a very useful tool for me; the next things for me to learn
are 1) how to store the stats in mysql, 2) how to usefully use those
stats.

Regards.

-----Original Message-----
From: ntop-admin@unipi.it [mailto:ntop-admin@unipi.it] On Behalf Of José
Luis Vásquez M.
Sent: 29 January 2002 16:28
To: ntop@unipi.it
Subject: [Ntop] Monitoring traffic internet


What parameters do I use with ntop, for monitoring the internet traffic on my
LAN????

Regards,

José Luis
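The three ntop invocations in the reply above, as an added POSIX shell script that is not part of the original post or of the ntop project. It generates the BPF port filters from a port list (so a port number cannot be mistyped when the NetBIOS list is extended), gives each instance its own working directory owned by the unprivileged user, and checks that the capture interface exists before launching. The option names (-u, -w, -i, -d, -P, -E), the user ntop_user, the interface eth1 and the /tmp/ntop-* directories are the values from the reply; the helper function names are this example's own.

```shell
#!/bin/sh
# Added example: launch the three ntop instances from the reply with
# generated BPF filters. Not the post's or ntop's own code.

NTOP_USER=ntop_user   # unprivileged user from the post
IFACE=eth1            # NIC cabled to the switch mirror port, no IP address

# build_port_filter "135 136" -> "src port 135 or dst port 135 or src port 136 or dst port 136"
# Both directions are listed so traffic to and from the router is captured.
build_port_filter() {
    _out=""
    for _p in $1; do
        for _dir in src dst; do
            if [ -n "$_out" ]; then
                _out="$_out or $_dir port $_p"
            else
                _out="$_dir port $_p"
            fi
        done
    done
    printf '%s' "$_out"
}

# ntop_cmd <web-port> <workdir> [bpf-filter] -> the command line to run.
# The filter is single-quoted so the shell passes it to ntop as one string.
ntop_cmd() {
    _cmd="ntop -u $NTOP_USER -w $1 -i $IFACE -d -P $2 -E"
    if [ -n "$3" ]; then
        _cmd="$_cmd '$3'"
    fi
    printf '%s' "$_cmd"
}

# Each instance needs its own -P directory because ntop locks its files.
# Keep it private to the ntop user rather than world-writable under /tmp.
prepare_workdir() {
    mkdir -p "$1" && chmod 700 "$1"
    # chown only succeeds as root; harmless when run unprivileged
    chown "$NTOP_USER" "$1" 2>/dev/null || true
}

# Check the capture interface exists (netstat -in, as the post suggests;
# /sys/class/net is a Linux shortcut that avoids parsing output).
iface_exists() {
    [ -d "/sys/class/net/$1" ] ||
        netstat -in 2>/dev/null | awk '{print $1}' | grep -qx "$1"
}

WEB_FILTER=$(build_port_filter "80")
NBIOS_FILTER=$(build_port_filter "135 136 137 138 139")

main() {
    if ! iface_exists "$IFACE"; then
        echo "interface $IFACE not found; check 'netstat -in'" >&2
        return 1
    fi
    for _d in /tmp/ntop-general /tmp/ntop-web /tmp/ntop-nbios; do
        prepare_workdir "$_d"
    done
    eval "$(ntop_cmd 2000 /tmp/ntop-general)"
    eval "$(ntop_cmd 2001 /tmp/ntop-web "$WEB_FILTER")"
    eval "$(ntop_cmd 2002 /tmp/ntop-nbios "$NBIOS_FILTER")"
}

# Run as: sh ntop-start.sh start   (nothing is launched without the argument)
case "${1:-}" in
    start) main ;;
esac
```

Running the script with no argument only defines the functions, so the generated command lines can be inspected with `ntop_cmd` before anything is started; the web and NetBIOS filters it produces are equivalent to the ones typed out in the reply, with the port list kept in one place.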



