NAME
ntopng - display top network users
SYNOPSIS
ntopng [filename]
or
ntopng [-i <interface|pcap>] [-d <data_directory>] [-n <mode>] [-e]
       [-w <http_port>] [-W <https_port>] [-c <categorization_key>]
       [-m <local_subnets>] [-p <protocols>] [-q] [-r <redis_host:port>]
       [-s] [-U <sys_user>] [-l] [-X <maxnum flows>] [-B <filter>]
       [-C] [-k <key>] [-A <mode>] [-x <maxnum hosts>] [-F <dump-flows>]
       [-D <dump-hosts>] [-I <export-flows>] [-E <dump-aggregations>]
       [-S <sticky-hosts>] [-H] [--hw-timestamp-mode <mode>] [--json-label]
       [-v] [-V] [-h]
DESCRIPTION
ntopng shows the current network usage. It displays a list of hosts that
are currently using the network and reports information concerning the (IP and
non-IP) traffic generated and received by each host.
ntopng may operate as a front-end collector or as a stand-alone
collector/display program. A web browser is needed to access the information
captured by the ntopng program.
ntopng is a hybrid layer 2 / layer 3 network monitor: by default it uses
both the layer 2 Media Access Control (MAC) addresses and the layer 3 TCP/IP
addresses. ntopng is capable of associating the two, so that IP and
non-IP traffic (e.g. ARP, RARP) are combined for a complete picture of network
activity.
OPTIONS
- filename
- The text of filename is copied, ignoring line breaks and comment lines
(anything following a #), into the command line. ntopng behaves as if all of
the text had simply been typed directly on the command line. For example, if
the command line is "ntopng s.conf" and file s.conf contains just the line
'-s', then the effective command line is "ntopng -s". When a configuration
file is used, any further options on the command line are ignored: with
"ntopng /etc/ntopng/ntopng.conf -v", the -v option is ignored.
The configuration file is similar to the command line, with the exception
that an equal sign '=' must be used between key and value, for example
-i=p1p2 or --interface=p1p2. For options with no value (e.g. -v) the equal
sign is also necessary, so "-v=" must be used.
Remember, most ntopng options are "sticky", that is, they just set an
internal flag, and invoking them multiple times doesn't change ntopng's
behavior. However, options that set a value, such as --trace-level, will use
the LAST value given: -w 8000 -w 8080 will run as -w 8080.
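The configuration-file rules above (key=value entries, '#' comments, '-v=' for flags, later command-line options ignored, last value wins), worked through as an added example that is not ntopng's own parser; the one-entry-per-line rule, the filename detection and the VALUE_OPTIONS set are this example's assumptions:

```python
# Added example (not ntopng's own code): parser for the configuration-file
# format described above, plus the "last value wins" rule for value options.
# Short options that take an argument (from the SYNOPSIS); others are flags.
VALUE_OPTIONS = {"-i", "-d", "-n", "-w", "-W", "-c", "-m", "-p", "-r", "-U",
                 "-X", "-B", "-k", "-A", "-x", "-F", "-D", "-I", "-E", "-S"}

def parse_config_text(text):
    """Translate configuration-file text into command-line tokens.  Per the
    manual, '#' starts a comment and each entry is key=value ('-v=' for
    flags).  Assumption: one entry per line, so values may contain spaces."""
    tokens = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if "=" not in entry or not entry.startswith("-"):
            raise ValueError(f"malformed config entry: {entry!r}")
        key, value = entry.split("=", 1)
        tokens.append(key)
        if value:
            tokens.append(value)
    return tokens

def effective_command_line(argv, config_files):
    """Tokens ntopng acts on, given argv without the program name.  A first
    argument not starting with '-' is taken as a configuration file
    (assumption) and, per the manual, every later option is ignored.
    config_files stands in for the filesystem (constructed: name -> text)."""
    if argv and not argv[0].startswith("-"):
        return parse_config_text(config_files[argv[0]])
    return list(argv)

def resolve_options(tokens):
    """Collapse tokens into {option: value}; a repeated value option keeps
    the LAST value ('-w 8000 -w 8080' -> '-w': '8080'), flags map to True."""
    opts, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in VALUE_OPTIONS and i + 1 < len(tokens):
            opts[key], i = tokens[i + 1], i + 2
        else:
            opts[key], i = True, i + 1
    return opts
# Constructed sample configuration file in the key=value form shown above.
SAMPLE_CONF = """-i=eth0
-w=8000
-w=8080                        # the later value wins
-B=tcp port 80 or tcp port 443 # one entry per line, spaces allowed
-v=
"""
```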
- -n|--dns-mode
- Sets the DNS address resolution mode:
0 — Decode DNS responses and resolve only local (-m) numeric IPs
1 — Decode DNS responses and resolve all numeric IPs
2 — Decode DNS responses and don't resolve numeric IPs
3 — Don't decode DNS responses and don't resolve numeric IPs
- -i|--interface
- Specifies the network interface or collector endpoint to be used by
ntopng for network monitoring. On Unix you can specify either the
interface name (e.g. lo) or the numeric interface id as shown by ntopng
-h. On Windows you must use the interface number instead. Note that you
can specify -i multiple times in order to instruct ntopng to create
multiple interfaces.
If a collector endpoint is specified, ntopng opens a ZeroMQ connection to
the specified endpoint as a subscriber; the argument is then the ZMQ
endpoint itself. Examples of valid collector endpoints are
"tcp://127.0.0.1:5556" or ipc://flows.ipc. Note that you can specify
multiple endpoints as a comma-separated list in order to instruct ntopng to
aggregate them into a single interface (e.g. -i
tcp://127.0.0.1:5556,ipc://flows.ipc).
If you want, you can pass the path of a pcap file (e.g. -i dummy.pcap) or
the path of a list file containing the path of one pcap file per line (e.g.
-i pcap.list), and ntopng will read packets from the specified pcap file(s).
nProbe can be instructed to act as a publisher delivering flows to a
ZeroMQ endpoint using the --ZMQ <endpoint> parameter.
- -d|--data-dir
- Specifies the data directory (it must be writable). Default directory is
/var/tmp/data
- -G|--pid-path
- Specifies the path where the PID (process ID) is saved. Default is
/var/tmp/ntopng.pid
- -H|--disable-alerts
- Disable the generation of alerts.
- -k|
- Set the key used to access httpbl services (default: disabled). Please
read README.httpbl for more info.
- -c|--categorization-key
- Sets the key used to access host categorization services. ntopng
categorizes hosts using services provided by http://block.si. In order to
use these categorization services you need to mail info@block.si and ask
for a test key to be used in ntopng. For test driving the service please
use the key 9hoAtewwpC2tXRMJBfifrY24B (example: ntopng -c
9hoAtewwpC2tXRMJBfifrY24B .....).
- -e|--daemon
- This parameter causes ntopng to become a daemon, i.e. a task which runs in
the background without connection to a specific terminal. To use ntopng
other than as a casual monitoring tool, you probably will want to use this
option.
- -w|--http-port
- Sets the HTTP port of the embedded web server. If set to 0, the HTTP
server will be disabled.
- -W|--https-port
- Sets the HTTPS port of the embedded web server. If not set, it will be set
to the value of -w plus one.
- -m|--local-networks
- ntopng determines the IP addresses and netmasks for each active
interface. Any traffic on those networks is considered local. This
parameter allows the user to define additional networks and subnetworks
whose traffic is also considered local in ntopng reports. All other
hosts are considered remote. If not specified, the default is set to
192.168.1.0/24.
Commas separate multiple network values. Both netmask and CIDR notation may
be used, even mixed together, for instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".
- -p|--ndpi-protocols
- This parameter is used to specify a nDPI protocol file. The format is
<tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>
where <port> is a port number and <proto> is the name of a
protocol supported by nDPI, or
host:"<string>"@<proto> where string is part of a
host name. For an example, see
https://svn.ntop.org/svn/ntop/trunk/nDPI/example/protos.txt
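A reader for the -p protocol-file format just described, added here as an example and not nDPI's or ntopng's own parser; the comment syntax, the host-rule-before-port-rule precedence and the sample file are this example's assumptions:

```python
# Added example (not nDPI's or ntopng's own parser): reads the -p protocol
# file format given above and names a flow's protocol from it.
import re

HOST_RULE = re.compile(r'^host:"(?P<needle>[^"]+)"@(?P<proto>\S+)$')

def parse_protocol_file(text):
    """Return (port_rules, host_rules).  port_rules maps (transport, port)
    -> protocol from lines such as tcp:80,tcp:8080@HTTP; host_rules lists
    (substring, protocol) from lines such as host:"example.net"@ExampleNet.
    Assumption: '#' starts a comment and blank lines are skipped."""
    port_rules, host_rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = HOST_RULE.match(line)
        if m:
            host_rules.append((m.group("needle").lower(), m.group("proto")))
            continue
        if "@" not in line:
            raise ValueError(f"malformed protocol rule: {line!r}")
        ports, proto = line.rsplit("@", 1)
        for spec in ports.split(","):
            transport, port = spec.strip().split(":", 1)
            if transport not in ("tcp", "udp") or not port.isdigit():
                raise ValueError(f"bad port spec in rule: {spec!r}")
            port_rules[(transport, int(port))] = proto
    return port_rules, host_rules

def classify(transport, port, hostname, rules):
    """Name a flow's protocol: host-name rules first, then port rules, else
    None.  (The precedence is this example's choice, not documented here.)"""
    port_rules, host_rules = rules
    if hostname:
        for needle, proto in host_rules:
            if needle in hostname.lower():
                return proto
    return port_rules.get((transport, port))

# Constructed sample file in the -p format.
SAMPLE_PROTOS = """tcp:80,tcp:8080@HTTP
udp:53,tcp:53@DNS
host:"example.net"@ExampleNet
"""
```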
- -P|--disable-host-persistency
- Disable host persistency.
- -q|--disable-autologout
- Disable web interface logout for inactivity.
- -l|--disable-login
- Disable user login. This is useful for debug purposes or if you want to
let everyone access the web GUI.
- -r|--redis
- Specifies the redis database host and port. For more information about
redis, please refer to http://redis.io/.
- -U|--user
- Run ntopng with the specified system user instead of 'nobody'.
- -s|--dont-change-user
- Do not change user (debug only).
- -B|--packet-filter
- Specifies the packet filter for the specified interface. For pcap/PF_RING
interfaces the filter has to be specified in BPF format (Berkeley Packet
Filter).
- -C|--dump-timeline
- Enable timeline dump on disk (default: disabled).
- -A|--enable-aggregations
- Enable data aggregations (e.g. Operating System, DNS etc). The available
modes are:
0 — Disable aggregations, default
1 — Enable aggregations but do not dump on disk their activity
timeline
2 — Enable aggregations and timeline dump on disk.
- -X|--max-num-flows
- Specify the maximum number of active flows that ntopng will handle. If
more flows are detected they will be discarded.
- -x|--max-num-hosts
- Specify the maximum number of active hosts that ntopng will handle. If
more hosts are detected they will be discarded.
- -F|--dump-flows
- If ntopng is compiled with sqlite support, flows can be dumped persistently
on disk using this option. Databases are created daily under <data
directory>/<interface>/db. Using this option you can reload the
dumped flows via the Historical Interface by specifying the time interval and
the interface.
- -D|--dump-hosts
- If ntopng is compiled with sqlite support, host contacts can be dumped
persistently on disk using this option. Databases are created daily under
<data directory>/<interface>/contacts. This option supports
three dump modes: local (dumps only local hosts), remote (dumps only
remote hosts), all (dumps all hosts). If not specified, no hosts are
dumped to disk.
- -I|--export-flows
- Export the expired flows on the specified endpoint. For instance, if
ntopng is started on host 1.2.3.4 as ntopng -I "tcp://*:3456", it
exports flows on that endpoint so that you can create a hierarchy of
ntopng instances. You can achieve that by starting a collector ntopng as
ntopng -i tcp://1.2.3.4:3456
- -E|--dump-aggregations
- If ntopng is compiled with sqlite support, host contacts can be dumped
persistently on disk using this option. Databases are created daily under
<data directory>/<interface>/contacts. This option supports
three dump modes: local (dumps only aggregations contacted by local
hosts), remote (dumps only aggregations contacted by remote hosts), all
(dumps all aggregations). If not specified, no hosts are dumped to disk.
- -S|--sticky-hosts
- ntopng periodically purges idle hosts. With this option you can modify
this behaviour by telling ntopng not to purge the hosts specified by -S.
This parameter requires an argument that can be "all" (Keep all
hosts in memory), "local" (Keep only local hosts),
"remote" (Keep only remote hosts), "none" (Flush hosts
when idle).
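The -m local-network notation (CIDR and dotted netmask, mixed) and the local/remote/all/none selection that -S, -D and -E take as an argument, implemented together as an added example that is not ntopng's own code; the sample host list is constructed:

```python
# Added example (not ntopng's own code): parses a -m/--local-networks value
# in the mixed CIDR/netmask notation described above and applies the
# local/remote/all/none selection that -S, -D and -E take as an argument.
import ipaddress

DEFAULT_LOCAL_NETWORKS = "192.168.1.0/24"   # default when -m is not given

def parse_local_networks(spec=None):
    """Turn '131.114.21.0/24,10.0.0.0/255.0.0.0' into network objects.
    ipaddress accepts both a prefix length and a dotted netmask after '/'."""
    nets = []
    for item in (spec or DEFAULT_LOCAL_NETWORKS).split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def is_local(host, networks):
    """A host is local when it falls inside any configured local network;
    every other host is remote."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in networks)

def select_hosts(hosts, networks, mode):
    """Apply a dump/sticky mode: 'all', 'local', 'remote' or 'none'."""
    if mode == "all":
        return list(hosts)
    if mode == "local":
        return [h for h in hosts if is_local(h, networks)]
    if mode == "remote":
        return [h for h in hosts if not is_local(h, networks)]
    if mode == "none":
        return []
    raise ValueError(f"unknown mode: {mode!r}")

# Constructed list of hosts seen on an interface.
SAMPLE_HOSTS = ["131.114.21.7", "10.20.30.40", "192.168.1.9", "8.8.8.8"]
```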
- --json-labels
- With this option, where JSON is used (e.g. with ZMQ/Sqlite), labels
instead of numbers are used as keys.
- --hw-timestamp-mode
- Enable hw timestamping/stripping. Supported TS modes are:
ixia — Packets timestamped by ixiacom.com hardware devices.
- -v|--verbose
- Verbose tracing.
- -V|--version
- Print ntopng version and quit.
- -h|--help
- Help
WEB VIEWS
While ntopng is running, multiple users can access the traffic
information using their web browsers. ntopng makes use of JavaScript
and LESS CSS.
We do not expect problems with any current web browser, but our ability to test
with less common ones is very limited. Testing has included Safari, Chrome,
Firefox and Internet Explorer, with very limited testing on other current
common browsers such as Opera.
NOTES
ntopng requires a number of external tools and libraries to operate.
Certain other tools are optional, but add to the program's capabilities.
Required libraries include:
libpcap from http://www.tcpdump.org/, version 1.0 or newer.
The Windows version makes use of WinPcap (libpcap for Windows) which may
be downloaded from http://winpcap.polito.it/install/default.htm.
ntopng requires a POSIX threads library.
The rrdtool library creates 'Round-Robin databases' which are used to
store historical data in a format that permits long duration retention without
growing larger over time. The rrdtool home page is
http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/
The LuaJIT library is a Just-In-Time Compiler for Lua used to execute GUI
and periodic scripts.
The mongoose library is used to implement the HTTP server part of ntopng.
zeromq is a socket library supporting the publish/subscribe pattern used
to collect flows from nProbe.
ntopng includes LuaJIT, mongoose, rrdtool and zeromq in the third-party/
directory. Users of ntopng should not need to specifically install such
libraries.
SEE ALSO
top(1),
tcpdump(8),
pcap(3).
USER SUPPORT
Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing list.
The ntopng <ntop@ntop.org> mailing list is used for discussing ntopng
usage issues. In order to post messages on the lists a (free) subscription is
required to limit/avoid spam. Please do NOT contact the author directly unless
this is a personal question.
Commercial support is available upon request. Please see the ntopng site for
further info.
Please send code patches to <patch@ntop.org>.
LICENCE
ntopng is distributed under the GNU GPL licence (http://www.gnu.org/).