NTop plugin
I've just installed cigamit's ntop plugin.
Has anyone ever used this with an installation of Apache on the same machine? How'd you go about it?
Well, maybe not so beautifully...
Where is it suggested you run ntop from - the cacti server or elsewhere? I was running it on the cacti server until I realized cacti wasn't collecting data any more!
Is this because of the way NTop used the NIC? If so, with a second NIC installed would it be able to run?
ntop has an option whether to have the nic placed in promiscuous mode. do a man ntop for the flags on how to toggle it and/or look for it in ntop.conf
I was running ntop & cacti together for a while with no problems, both in ntop 3.1 and then more recently 3.2
Cacti1 OS: CentOS 5.6 | 300+ devices
Cacti2 OS: CentOS 5.6 | 300+ devices
King of the Elves
Local Anarchists Union #427
"Anarchism is founded on the observation that since few men are wise enough to rule themselves, even fewer are wise enough to rule others." -Edward Abbey
Correct. One of the main points of ntop is to monitor net traffic on the network, not just that computer
I have ntop running on the same NIC as Cacti as well.
They can peacefully co-exist.
I wrote (and borrowed) some instructions for getting ntop up and running on UNIX:
http://members.netjunkies.net/n3ncy/FreeBSD60/ntop.htm
On any platform, the steps should be similar:
1.) Get ntop installed on your server (ntop is a "Collector" and a web displayer of this collected data)
2.) Make sure you can log into ntop on your server (usually port 3000)
example: http://Yourserver:3000
3.) Configure a pair of items:
- Setup a "Collector" via your ntop web interface (see step 2 above)
- Export a "Flow" from your router to this collector
4.) Test ntop and look at this flow - You should be getting data
5.) Lastly setup the Cacti ntop plug-in to point to your ntop
example: http://Yourserver:3000
Thank you,
Ernie
http://www.NMSWorld.com
Dual Xeon Dual Core 2.6Ghz / 8GB RAM / 4x15k RPM SATA RAID5
Cacti Version - 0.8.7b
Poller Type - cactid 0.8.7 with Boost v1.7
Server Info - FreeBSD 7.0-RELEASE
Web Server - Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8g DAV/2 PHP/5.2.5 mod_perl/2.0.3 Perl/v5.8.8
PHP - 5.2.6
MySQL - 5.0.51b Mod: poller_output ENGINE = MEMORY
RRDTool - 1.3.0
SNMP - 5.4.1
Plugins - Host Info (hostinfo - v0.2), Update Checker (update - v0.3), Network Tools (tools - v0.2), FlowView (flowview - v0.3), Read-only Devices Tab (devices - v0.4), Network Discovery (discovery - v0.8.3), Syslog Monitoring (syslog - v0.5.2), Thresholds (thold - v0.3.9), Device Monitoring (monitor - v0.8.2), PHP Network Weathermap (weathermap - v0.941), SuperLinks (superlinks - v0.72), Report Creator (reports - v0.1b)
- gandalf
Sorry for dropping in ....
I used nTop 2-3 years ago but dropped it then. AFAIK, nTop does not need to gather all network traffic itself. You may configure it as a netflow collector. And e.g. some Cisco Router may be the netflow emitter (or use nProbe on a small and cheap box as an emitter, but then you'll need mirror ports or taps in a switched environment ...). This way, you get the stream info into nTop. But to be honest, my "knowledge" is only theoretical ...
Reinhard
I'm about to install a second, dual NIC in this machine. I was hoping to tap our network between the ISP and firewalls (our IDS is already on one spanned port, so hopefully this isn't too much of a big deal) as well as in our core network. I would then, if possible, configure these two interfaces in NTop. I do not intend to provide IP addresses for them either - just a question of whether or not it's possible to have more than one NIC in use at the same time.
I do have a question about configuring the routers to send flow data - how is it done and how many devices can you configure to do this at the same time, to the same nTop server? Probably a question better asked on an nTop board - but folks here appear to be knowledgeable enough (and besides, I'm hoping to get something like this added to the Cacti package - maybe via Argus' xml output files???).
another option would be to implement 8021q kernel module for the network card and add vlan interfaces for each subnet you want to listen to
(assuming linux)
do a 'man vconfig' to see what options are.
a simple setup
vconfig add eth1 <vlan #>
ifconfig eth1.<vlan #> 192.168.111.1 netmask 255.255.255.0 up
(whatever networks you want the box to listen to)
be sure to turn off ip forwarding on the ntop box
I think ntop can only listen up to 20 interfaces
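The "turn off ip forwarding" advice in the post above can be checked rather than assumed, since a capture box with a leg in several VLANs must not route between them. The following is an added example, not from the thread; the function names, the SYSROOT variable and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every IPv4/IPv6 forwarding switch that is enabled
# on a passive capture host. SYSROOT (an assumption) lets the same check
# run against a copied or constructed /proc tree instead of the live one.

# Prints one line per enabled switch under $1/proc/sys/net.
# Returns 0 when forwarding is off everywhere, 1 otherwise.
forwarding_findings() {
    _root="${1:-}"
    rc=0
    for f in "$_root/proc/sys/net/ipv4/ip_forward" \
             "$_root"/proc/sys/net/ipv4/conf/*/forwarding \
             "$_root"/proc/sys/net/ipv6/conf/*/forwarding; do
        [ -r "$f" ] || continue      # unmatched glob or no IPv6 on this host
        val=$(tr -d ' \n' < "$f")
        if [ "$val" != "0" ]; then
            echo "FORWARDING ON: ${f#"$_root"} = $val"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a two-VLAN capture box where the global switch is
# off but one VLAN interface was left with forwarding enabled.
make_sample_root() {
    d=$(mktemp -d)
    for i in all default eth1.10 eth1.20; do
        mkdir -p "$d/proc/sys/net/ipv4/conf/$i"
        echo 0 > "$d/proc/sys/net/ipv4/conf/$i/forwarding"
    done
    echo 0 > "$d/proc/sys/net/ipv4/ip_forward"
    echo 1 > "$d/proc/sys/net/ipv4/conf/eth1.20/forwarding"
    echo "$d"
}

# Audit the live host (empty SYSROOT) or the tree named by SYSROOT.
# Remediation for a finding: sysctl -w net.ipv4.ip_forward=0
forwarding_findings "${SYSROOT:-}" ||
    echo "capture host can route between monitored networks" >&2
```

The per-interface switches are checked as well as the global one because an interface can have forwarding enabled individually even when `ip_forward` reads 0.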
Awesome - I'll certainly look into this! Hopefully I can do it without too much trouble running OpenSuSE 10. Of course, any kernel update is a PIA because of the machine I'm running it on...but I think the payoff here would be worth it.
I'll still need the various NICs, however, since I'll need to get past a firewall or two.
Currently, the second interface is plugged into our alternate Internet access network (a DSL connection for contractors). It's firewalled via SuSEfirewall and configured as being an external NIC. I also have no routes for it configured. I've automated Nessus scans for twice a month which utilizes that connection, the script that kicks it off also creates the route needed and then removes it after the scan is complete. I'm hoping that's enough. That network (the DSL connection) is also firewalled via a PIX.
kernel 2.6.x should have the vlan module (8021q) by default, you may just have to load it (insmod 8021q).