NAME
ntop - display top network users
SYNOPSIS
ntop [-r refresh time] [-f traffic dump file] [-n] [-p IP
protocols to monitor] [-i interface] [-w port] [-d] [-m
local subnet] [-l log period] [-F flow filter expression]
[filter expression]
DESCRIPTION
ntop shows the current network usage. It displays a list
of hosts that are currently using the network and reports
information concerning the (IP and non-IP) traffic gener-
ated by each host. ntop can be started either in a termi-
nal window (interactive mode) or in web mode. In the lat-
ter case, a web browser is needed to use the program. The
traffic is sorted according to the host and the protocol.
Whenever ntop is started in web mode (-w flag), multiple
remote users can access the traffic information. See below
for more information.
COMMAND-LINE OPTIONS
-r
Specifies the delay (in seconds) between screen updates
(the default is 3 seconds). If the -l flag is used, it
specifies how often entries are logged in the log file.
Please note that if the delay is very short (1 second for
instance), ntop might not be able to process all the net-
work traffic.
-f
Specifies the file containing tcpdump captured traffic
that will be read before sniffing starts.
-n
This causes ntop to show numeric IP addresses instead of
the symbolic names. This option can be useful when the DNS
is not present or quite slow. You can toggle the address
format (numeric vs. symbolic) by pressing the n key while
ntop is running.
-p
It is used to specify the IP protocols that ntop will
monitor. The format is <label>=<protocol list>[,<label>=<protocol list>],
where label is used to symbolically identify the <protocol list>.
The format of <protocol list> is <protocol>[|<protocol>], where <protocol> is
either a valid protocol specified inside the /etc/ser-
default value is used:
"FTP=ftp|ftp-data,HTTP=http|www|https,DNS=name|domain,Telnet=telnet|login,NBios-IP=netbios-ns|netbios-dgm|netbios-ssn,Mail=pop-2|pop-3|kpop|smtp|imap|imap2,SNMP=snmp|snmp-trap,NEWS=nntp,NFS=mount|pcnfs|bwnfs|nfs|nfsd-status,X11=6000-6010,SSH=ssh".
-i
Specifies the network interface used by ntop
-w
Starts ntop in web mode. Users can point their web
browsers at the specified port and browse traffic information
remotely. For example, if ntop is started on port 3000
(ntop -w 3000), the URL to access is http://hostname:3000/.
The file ~/.ntop specifies the HTTP user/password of those
people who are allowed to access ntop. If the ~/.ntop file is
missing, no security is used, hence everyone can access
traffic information. A simple .ntop file is the following:

#
# .ntop File format
#
# user<tab>/<space>pw
#
#
luca linux

Please note that an HTTP server is NOT needed in order to use
the program in interactive mode.
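Because a missing ~/.ntop silently leaves web mode open to everyone, a
pre-flight check before "ntop -w" is worthwhile. The script below is an
added example, not part of ntop or its documentation. The function names
and verdict strings are hypothetical, and requiring owner-only permissions
and rejecting a file with no entries are assumptions of this example, not
documented ntop behaviour.

```shell
#!/bin/sh
# Added example (not part of ntop): pre-flight check for "ntop -w <port>".

# check_ntop_acl FILE
# Prints a one-word verdict and returns 0 only when FILE exists, holds at
# least one user/password entry, and is inaccessible to group and others.
check_ntop_acl() {
    f=$1
    # Missing file: the man page says no security is used in this case.
    if [ ! -f "$f" ]; then
        echo "missing"; return 1
    fi
    # Entries are "user<tab or space>pw"; lines starting with # are comments.
    entries=$(awk '!/^[ \t]*#/ && NF >= 2 { n++ } END { print n + 0 }' "$f")
    if [ "$entries" -eq 0 ]; then
        echo "no-entries"; return 2   # assumption: treated as a failure here
    fi
    # The file holds HTTP passwords, so only the owner should have access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ldL "$f" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "too-open"; return 3
    fi
    echo "ok"; return 0
}

# start_ntop_web PORT [FILE]: refuse to start web mode without a sound file.
start_ntop_web() {
    port=$1
    acl=${2:-$HOME/.ntop}
    verdict=$(check_ntop_acl "$acl") || {
        echo "refusing to run ntop -w $port: $acl is $verdict" >&2
        return 1
    }
    exec ntop -w "$port"
}

# Run as: sh check_ntop.sh 3000
if [ $# -ge 1 ]; then
    start_ntop_web "$@"
fi
```

A verdict of "too-open" is fixed with chmod 600 on the file; "missing" and
"no-entries" require adding at least one user/password line.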
-d
This flag (it has to be used with -w) causes ntop to
become a daemon, i.e. it is started in background and
detached from the terminal.
-m
This flag allows users to specify the subnets whose traffic
is considered local. The format is
<network address>/<# subnet mask bits>[,<network address>/<# subnet mask bits>].
For instance "131.114.21.0/24,10.0.0.0/255.0.0.0".
-l
This causes ntop to periodically (specified with the -r
flag) log network information data in the file ntop.log
whose format is self-explanatory. This flag specifies the
collection time between two consecutive log entries (in
seconds). Please note that it is easy to use the log file
to produce graphics (e.g. using gnuplot).
flow filter expression
It is used to specify network flows similar to more pow-
format is <flow-label>='<matching expression>'[,<flow-
label>='<matching expression>'], where the label is used
to symbolically identify the flow specified by the
expression. The expression format is specified in the
appendix. If an expression is specified, then the infor-
mation concerning flows can be accessed following the
HTML link named 'List NetFlows'. For instance, suppose two
flows are defined with the following expression:
"LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'".
All the traffic sent/received by hosts
jake.unipi.it or pisanino.unipi.it is collected by ntop
and added to the LucaHosts flow, whereas all the packets
routed by the gateway gateway.unipi.it are added to the
GatewayRoutedPkts flow.
filter expression
ntop, similar to what tcpdump does, allows users to
specify an expression that restricts the type of traffic
handled by ntop, hence to select only the traffic of
interest. For instance, suppose only the traffic
generated/received by the host jake.unipi.it is of interest.
ntop can then be started with the following filter: 'ntop
src host jake.unipi.it or dst host jake.unipi.it'. See
the tcpdump man page for further information about this
topic.
INTERACTIVE COMMANDS
While ntop is running interactively (no web mode), the
information shown can be manipulated by pressing the fol-
lowing keys.
q
This causes ntop to quit.
n
This causes ntop to toggle the IP address format (numeric
vs. symbolic vs. MAC Address vs. Nw Board Manufacturer).
p
This causes ntop to toggle the traffic format (percentage
vs. absolute vs. throughput).
l
d
This causes ntop to toggle the host list content (idle
vs. active hosts).
t
This causes ntop to sort hosts according to the data
received or sent.
y
This causes ntop to sort traffic according to the various
protocols being displayed in the current screen.
<space>
This causes ntop to show further traffic information.
Each time the space bar is pressed the last three ntop
columns are toggled. Please note that these columns represent
either the traffic sent or received, according to
the way the list is sorted (see previous command).
WEB VIEWS (Web mode)
While ntop is running in web mode (-w flag), multiple
users can access the traffic information using conventional
web browsers. The main HTML page is divided into two
frames. The left frame allows users to select the traffic
view that will be displayed in the right frame. Available
sections are: sort traffic by data sent, sort traffic by
data received, traffic statistics, active hosts list,
remote to local (i.e. inside the subnet defined for the
network board from which the program is currently sniff-
ing) IP traffic, local to remote IP traffic, local to
local IP traffic, list of active TCP sessions, IP protocol
distribution statistics, IP protocol usage, IP traffic
matrix.
FIELD DESCRIPTIONS (Interactive mode)
ntop displays a variety of information about the network
traffic.
traffic/throughput
This line displays general information about the network
traffic: the number of packets that have been seen, the
total traffic (IP or non IP), the actual and the max
observed throughput. Please note that if a filter expression
is used, these values relate only to the
traffic that satisfies the filter expression.
Host
This column contains the host name in either symbolic or
numeric format.
Act
This column contains further information about the host
activity since the last screen update. The value 'B'
(both) indicates that the host has both sent and received
data, 'R' (receive) that the host has received but not
sent data, 'S' (sent) that the host has sent but not
received data, 'I' (idle) that the host has been idle (no
data sent or received).
Rcvd
This column contains the traffic received by the host
either in absolute or percentage format. If the host list
is sorted according to this field, then the column label
becomes -Rcvd-.
Sent
This column contains the traffic sent by the host either
in absolute or percentage format. If the host list is
sorted according to this field, then the column label
becomes -Sent-.
<protocol>
The last three columns contain further information con-
cerning the IP protocols. Data represented in these
columns change according to the traffic type (either sent
or received). The 'y' key allows users to interactively
change the sort order of these columns, whereas the space
bar toggles the protocol list.
NOTES
ntop is based on the libpcap library that can be found at
ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
SEE ALSO
top(1), tcpdump(8), netramet
(http://www.auckland.ac.nz/net/Accounting/ntm.Release.note.html).
AUTHOR
Please send bug reports to the ntop mailing list
<ntop@unipi.it>. ntop's author is Luca Deri
<deri@unipi.it>.