NTOP is a very good tool for monitoring the various traffic flows that make up an overall packet stream. It functions in two modes, simultaneously if you like: NetFlow mode and sniffing mode.
In NetFlow mode, routers forward their flow statistics to ntop as NetFlow summary packets, and ntop builds its summaries from those packets. If no router capable of producing NetFlow statistics is available, or none is appropriately placed in the network, a secondary port on the server on which ntop is installed can be used to sniff aggregated traffic; ntop then calculates its summaries from the traffic it actually sees.
For complicated scenarios, ntop can monitor multiple NetFlow agents and multiple traffic sniffers simultaneously.
ntop is almost runnable straight out of the package; a few items need to be done first.
Installation
Install the package:
apt-get install ntop
Run it once from the command line first; when prompted, key in the admin password. You can then kill it and start it as a service:
/etc/init.d/ntop start
You can then browse to it on port 3000. Once started, enter the configure menu and supply the username admin and the password. Set:
- Basic: run as daemon; 172.20.0.0/20 (or similar) as the local subnet
- Display: mesu for IP only
- IP Pref: v4 only
- Advanced: don't trust MAC addresses
nProbe Build Process
After purchasing and downloading the Unix source for nProbe, I had a few build issues. Here is what I can recollect of what I did:
- apt-get install automake1.7
- apt-get remove automake1.4
- ./autogen.sh
- ./configure
- make
A user doc for the related nBox can be found at http://www.ntop.org/UsersGuide.pdf
A paper on nProbe can be found at http://www.sane.nl/sane2006/program/final-papers/R3.pdf
A closely related presentation can be found at http://luca.ntop.org/SANE-2006.pdf
Sample command line (-n is the collector host:port that ntop listens on, -i the interface to sniff, -V 9 selects NetFlow version 9, and -T is the export template; the quoted template is a single argument and is shown here on one line):

    ./nprobe -n 127.0.0.1:9966 -i eth1 -V 9 -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %TCP_FLAGS %L4_SRC_PORT %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %OUT_BYTES %OUT_PKTS %ICMP_TYPE %IN_SRC_MAC %OUT_DST_MAC %SRC_VLAN %DST_VLAN %DIRECTION %IN_DST_MAC %OUT_SRC_MAC %NW_LATENCY_SEC %NW_LATENCY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %IN_PAYLOAD %OUT_PAYLOAD %ICMP_FLAGS %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA"

An RTP-based command line example:

    ./nprobe -n 127.0.0.1:9966 -i eth1 -V 9 -T "%IN_BYTES %IN_PKTS %PROTOCOL %SRC_TOS %DST_TOS %L4_SRC_PORT %IPV4_SRC_ADDR %L4_DST_PORT %IPV4_DST_ADDR %SRC_VLAN %DST_VLAN %NW_LATENCY_SEC %NW_LATENCY_USEC %APPL_LATENCY_SEC %APPL_LATENCY_USEC %RTP_FIRST_SSRC %RTP_FIRST_TS %RTP_LAST_SSRC %RTP_LAST_TS %RTP_IN_JITTER %RTP_OUT_JITTER %RTP_IN_PKT_LOST %RTP_OUT_PKT_LOST %RTP_OUT_PAYLOAD_TYPE %RTP_IN_MAX_DELTA %RTP_OUT_MAX_DELTA"
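What nProbe sends with -V 9 to the collector address above is a NetFlow v9 export: a header, a template FlowSet describing the field layout, and data FlowSets laid out per that template. The following added Python parser is not ntop or nProbe code; it decodes a constructed sample export covering the first nine %-fields of the template above (field type numbers and layout per RFC 3954) and drops data records that arrive before their template, as a collector must.

```python
import struct
# NetFlow v9 field types (RFC 3954) for the first nine %-fields of the nProbe template above
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
               7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}

def decode_field(ftype, raw):
    if ftype in (8, 12) and len(raw) == 4:      # IPv4 address fields rendered dotted-quad
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")           # everything else as a big-endian integer

def parse_v9(packet, templates):
    """Parse one v9 export; `templates` maps (source_id, template_id) -> [(type, len)] and is updated in place."""
    version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4 or off + fs_len > len(packet):
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                           # template FlowSet, may carry several templates
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[p:p + 4])
                p += 4
                fields = [struct.unpack("!HH", body[p + 4 * i:p + 4 * i + 4]) for i in range(nfields)]
                templates[(source_id, tid)] = fields
                p += 4 * nfields
        elif fs_id >= 256 and (source_id, fs_id) in templates:   # data FlowSet; dropped until its template is known
            fields = templates[(source_id, fs_id)]
            rec_len, p = sum(l for _, l in fields), 0
            while p + rec_len <= len(body):      # trailing bytes shorter than a record are padding
                rec = {}
                for ftype, flen in fields:
                    rec[FIELD_NAMES.get(ftype, f"FIELD_{ftype}")] = decode_field(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
        off += fs_len
    return records

def build_sample_packet(with_template=True):
    # Constructed sample export: template 256 (9 fields) and one TCP flow 172.20.1.10:44321 -> 93.184.216.34:443
    fields = [(1, 4), (2, 4), (4, 1), (5, 1), (6, 1), (7, 2), (8, 4), (11, 2), (12, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    data = struct.pack("!IIBBBH4sH4s", 1500, 10, 6, 0, 0x18, 44321, bytes([172, 20, 1, 10]), 443, bytes([93, 184, 216, 34]))
    data += b"\x00" * (-len(data) % 4)          # v9 FlowSets are padded to a 4-byte boundary
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    flowsets = (struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl) if with_template else b""
    return header + flowsets + struct.pack("!HH", 256, 4 + len(data)) + data
```

Because templates are keyed per source_id, a collector fed by several nProbe instances keeps their layouts apart, which is the case ntop handles when monitoring multiple NetFlow agents.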