


NTOP(8)							  NTOP(8)


NAME
       ntop - display top network users

SYNOPSIS
       ntop [-I] [-r refresh time] [-R filter rules] [-f traffic
       dump file] [-n] [-N] [-M] [-p IP protocols to monitor]
       [-i interface] [-e num rows] [-w port] [-d] [-P dbpath]
       [-m local subnet] [-l log period] [-F flow filter
       expression] [filter expression]

DESCRIPTION
       ntop shows the current network usage. It displays a list
       of hosts that are currently using the network and reports
       information concerning the (IP and non-IP) traffic
       generated by each host. ntop can be started either in a
       terminal window (see intop) or in web mode. In the latter
       case, a web browser is needed to use the program.



COMMAND-LINE OPTIONS
       -I
	This flag is obsolete: it used to start ntop in
	interactive mode. intop provides a character-based
	interface.


       -R
	Specifies the filter rules used by ntop for emitting
	alerts and warnings when the traffic matches the specified
	rules. Should you need further details about filter
	rules, please refer to the ntop-rules(8) man page.


       -r
	Specifies the delay (in seconds) between screen updates
	(the default is 3 seconds). If the -l flag is used, it
	specifies how often entries are logged in the log file.
	Please note that if the delay is very short (1 second for
	instance), ntop might not be able to process all the
	network traffic.


       -f
	Specifies a file containing traffic captured by tcpdump
	that will be read before live sniffing starts.


       -N
	Forces ntop not to use nmap (if it is installed).


       -M
	Forces ntop not to merge network interfaces together.
	This means that ntop will collect statistics for each
	interface and will not merge data together.


			     May 2000				1


       -n
	This causes ntop to show numeric IP addresses instead of
	the symbolic names. This option can be useful when the DNS
	is not present or quite slow. You can toggle the address
	format (numeric vs. symbolic) by pressing the n key while
	ntop is running.


       -p
	It is used to specify the IP protocols that ntop will
	monitor. The format is <label>=<protocol list>[,
	<label>=<protocol list>], where label is used to
	symbolically identify the <protocol list>. The format of
	<protocol list> is <protocol>[|<protocol>], where
	<protocol> is either a valid protocol name listed in the
	/etc/services file or a numeric port or port range (e.g.
	80, or 6000-6500). If the -p flag is omitted the following
	default value is used:
	"FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh".
	If the <protocol list> is very long you may store the
	value of the <protocol list> in a file (for instance
	protocol.list) and specify the file name instead of the
	<protocol list> (in the above example you would invoke
	'ntop -p protocol.list').
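	As an added example (not part of ntop or of this manual), the
	following Python parser accepts the -p syntax described above and
	rejects anything that is neither a service name nor a numeric port
	or port range, which is the check worth running on a protocol.list
	file before handing it to the daemon. The KNOWN_SERVICES set is a
	constructed stand-in for the names in /etc/services.

```python
import re

# Constructed stand-in for the service names in /etc/services; a real check
# would read the first column of that file into this set instead.
KNOWN_SERVICES = {"ftp", "ftp-data", "http", "www", "https", "name", "domain",
                  "telnet", "login", "smtp", "pop-3", "nntp", "snmp", "ssh"}

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def parse_port_range(token):
    """Return (lo, hi) for a numeric port (80) or range (6000-6500), else None."""
    m = PORT_RE.match(token)
    if not m:
        return None
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"port range out of bounds: {token!r}")
    return lo, hi


def parse_protocol_spec(spec, services=KNOWN_SERVICES):
    """Parse an ntop -p value '<label>=<proto>[|<proto>][,<label>=...]' into
    {label: [service-name or (lo, hi), ...]}, rejecting unknown entries."""
    result = {}
    for item in spec.strip().split(","):
        if "=" not in item:
            raise ValueError(f"missing '=' in {item!r}")
        label, plist = (s.strip() for s in item.split("=", 1))
        if not label or label in result:
            raise ValueError(f"empty or duplicate label {label!r}")
        entries = []
        for proto in plist.split("|"):
            proto = proto.strip()
            rng = parse_port_range(proto)
            if rng is not None:
                entries.append(rng)          # numeric port or port range
            elif proto in services:
                entries.append(proto)        # name resolvable via /etc/services
            else:
                raise ValueError(f"unknown protocol {proto!r} for label {label!r}")
        result[label] = entries
    return result


def parse_protocol_file(path, services=KNOWN_SERVICES):
    """Same parser for 'ntop -p protocol.list': the file holds the -p value."""
    with open(path) as fh:
        return parse_protocol_spec(fh.read().strip(), services)
```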



       -i
	Specifies the network interface used by ntop. If multiple
	interfaces are used (this feature is available only if
	ntop is compiled with thread support) they have to be
	separated with a comma, for instance -i "eth0,lo". Traffic
	information obtained from all the interfaces is merged
	together as if the traffic had been produced by one
	interface. Use the -M flag to avoid merging traffic.


       -e
	Is the maximum number of HTML table rows that ntop will
	display. This flag makes sense in web mode only.


       -w
	ntop sports an embedded web server so that users can
	attach their web browsers to the specified port and
	browse traffic information remotely. Supposing ntop is
	started on port 3000 (the default port), the URL to access
	it is http://hostname:3000/. Users and URLs to protect with
	passwords are stored in a database file. By default
	user/URL administration is accessible only by the user
	admin with password admin. Passwords are stored in an
	encrypted form in the database for further security.
	Please note that a separate HTTP server is NOT needed, as
	one is embedded in the application.


       -d
	This flag (it has to be used with -w) causes ntop to
	become a daemon, i.e. it is started in the background and
	detached from the terminal.


       -P
	This allows you to specify where db-files are searched for
	or created (default "."). In addition DBPATH/html is added
	to the search list for the web files.


       -m
	This flag allows users to specify the subnets whose
	traffic is considered local. The format is <network
	address>/<# subnet mask bits>[,<network address>/<# subnet
	mask bits>]. For instance
	"131.114.21.0/24,10.0.0.0/255.0.0.0".
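	The -m syntax, and the local/remote split that the web views
	(see WEB VIEWS) apply to IP traffic, in one added Python example
	that is not ntop's own code: it parses both mask spellings used in
	the example above and labels constructed packet pairs by
	direction; the fourth label, "remote to remote", is my addition.

```python
import ipaddress


def parse_local_subnets(spec):
    """Parse an ntop -m value '<net>/<mask>[,<net>/<mask>]' into IPv4 networks.

    As in the man page example, the mask may be a prefix length (/24) or a
    dotted mask (/255.0.0.0); ipaddress.ip_network accepts both spellings."""
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if "/" not in item:
            raise ValueError(f"missing mask in {item!r}")
        # strict=False tolerates a host address in place of the network address
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_local(addr, nets):
    """True if addr falls inside any of the subnets given with -m."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def classify_traffic(src, dst, nets):
    """Label a packet the way the web views group IP traffic: 'local to
    local', 'local to remote', 'remote to local' (or 'remote to remote')."""
    def side(addr):
        return "local" if is_local(addr, nets) else "remote"
    return f"{side(src)} to {side(dst)}"


def summarize(packets, nets):
    """Count (src, dst) pairs per traffic direction."""
    counts = {}
    for src, dst in packets:
        key = classify_traffic(src, dst, nets)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Subnets taken from the man page example; the packet pairs are constructed.
    local = parse_local_subnets("131.114.21.0/24,10.0.0.0/255.0.0.0")
    sample = [("131.114.21.7", "10.1.2.3"), ("131.114.21.7", "198.51.100.9"),
              ("203.0.113.4", "10.9.8.7"), ("203.0.113.4", "198.51.100.9")]
    print(summarize(sample, local))
```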


       -l
	This causes ntop to periodically (at the interval given
	with the -r flag) log network information data in the file
	ntop.log, whose format is self-explanatory. This flag
	specifies the collection time between two consecutive log
	entries (in seconds). Please note that it is easy to use
	the log file to produce graphics (e.g. using gnuplot).


       -F
	It is used to specify network flows, similar to more
	powerful applications such as NeTraMet. A flow is a stream
	of captured packets that match a specified rule. The
	format is <flow-label>='<matching expression>'[,<flow-
	label>='<matching expression>'], where the label is used
	to symbolically identify the flow specified by the
	expression. The expression format is specified in the
	appendix. If an expression is specified, then the
	information concerning flows can be accessed following the
	HTML link named 'List NetFlows'. For instance, suppose two
	flows are defined with the following expression:
	"LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'".
	All the traffic sent/received by hosts jake.unipi.it or
	pisanino.unipi.it is collected by ntop and added to the
	LucaHosts flow, whereas all the packets routed by the
	gateway gateway.unipi.it are added to the GatewayRoutedPkts
	flow. If the flows list is very long you may store the
	list of flows in a file (for instance flows.list) and
	specify the file name instead of the flows list (in the
	above example you would invoke 'ntop -F flows.list').




       filter expression
	ntop, similar to tcpdump, allows users to specify an
	expression that restricts the type of traffic handled by
	ntop, hence selecting only the traffic of interest. For
	instance, suppose you are interested only in the traffic
	generated/received by the host jake.unipi.it. ntop can
	then be started with the following filter: 'ntop src host
	jake.unipi.it or dst host jake.unipi.it'. See the tcpdump
	man page for further information about this topic.



WEB VIEWS
       While ntop is running in web mode (-w flag), multiple
       users can access the traffic information using
       conventional web browsers. The main HTML page is divided
       into two frames. The left frame allows users to select the
       traffic view that will be displayed in the right frame.
       Available sections are: sort traffic by data sent, sort
       traffic by data received, traffic statistics, active hosts
       list, remote to local (i.e. inside the subnet defined for
       the network board from which the program is currently
       sniffing) IP traffic, local to remote IP traffic, local to
       local IP traffic, list of active TCP sessions, IP protocol
       distribution statistics, IP protocol usage, IP traffic
       matrix.


NOTES
       ntop is based on the libpcap library that can be found at
       ftp://ftp.ee.lbl.gov/libpcap.tar.Z. The Win32 version
       makes use of libpcap for Win32 that can be downloaded from
       http://www.ntop.org/libpcap.html.


SEE ALSO
       intop(1), ntop-rules(8), top(1), ngrep(8), tcpdump(8),
       netramet (http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html).

AUTHOR
       Please send bug reports to the ntop mailing list
       <ntop@ntop.org>. ntop's author is Luca Deri
       <deri@ntop.org>.