ntop چیست؟

ابزار ntop فعالیت های شبکه در لینوکس را نمایش میدهد، مانند دستور top در لینوکس. این ابزار بر اساس pcapture و به صورت portable نوشته شده تا روی هر سیستم عامل لینوکسی با هر توزیعی قابل اجرا باشد. این ابزار می تواند هم به صورت کامندی و هم به صورت Web Based در دسترس باشد. این ابزار برای Capture نمودن پکت ها از libpcap استفاده می کند.

لینک منبع: http://www.ntop.org
لایسنس: GPLv2
سازنده: Luca Deri

نمونه ای از دستور مورد استفاده:

root@regux.com:~# ntop -h
Welcome to ntop v.4.99.3 (32 bit)
[Configured on Mar  2 2013  6:00:33, built on Mar  2 2013 06:01:55]
Copyright 1998-2012 by Luca Deri <deri@ntop.org>

Get the freshest ntop from http://www.ntop.org/

Usage: ntop [OPTION]

Basic options:
    [-h             | --help]                             Display this help and exit
    [-u       | --user ]                      Userid/name to run ntop under (see man page)
    [-t     | --trace-level ]             Trace level [0-6]
    [-P       | --db-file-path ]              Path for ntop internal database files
    [-Q       | --spool-file-path ]           Path for ntop spool files
    [-w       | --http-server ]               Web server (http:) port (or address:port) to listen on

Advanced options:
    [-4             | --ipv4]                             Use IPv4 connections
    [-6             | --ipv6]                             Use IPv6 connections
    [-a       | --access-log-file ]           File for ntop web server access log
    [-b             | --disable-decoders]                 Disable protocol decoders
    [-c             | --sticky-hosts]                     Idle hosts are not purged from memory
    [-d             | --daemon]                           Run ntop in daemon mode
    [-e     | --max-table-rows ]          Maximum number of table rows to report
    [-f       | --traffic-dump-file ]         Traffic dump file (see tcpdump)
    [-g             | --track-local-hosts]                Track only local hosts
    [-i       | --interface ]                 Interface name or names to monitor
    [-j             | --create-other-packets]             Create file ntop-other-pkts.XXX.pcap file
    [-l       | --pcap-log ]                  Dump packets captured to a file (debug only!)
    [-m  | --local-subnets ]        Local subnetwork(s) (see man page)
    [-n       | --numeric-ip-addresses ]      Numeric IP addresses DNS resolution mode:
                                                          0 - No DNS resolution at all
                                                          1 - DNS resolution for local hosts only
                                                          2 - DNS resolution for remote hosts only
    [-p       | --protocols ]                 List of IP protocols to monitor (see man page)
    [-q             | --create-suspicious-packets]        Create file ntop-suspicious-pkts.XXX.pcap file
    [-r     | --refresh-time ]            Refresh time in seconds, default is 120
    [-s             | --no-promiscuous]                   Disable promiscuous mode
    [-x  ]                          Max num. hash entries ntop can handle (default 8192)
    [-z             | --disable-sessions]                 Disable TCP session tracking
    [-A]                                                  Ask admin user password and exit
    [               | --set-admin-password=]        Set password for the admin user to 
    [               | --w3c]                              Add extra headers to make better html
    [-B ]   | --filter-expression                 Packet filter expression, like tcpdump (for all interfaces)
                                                          You can also set per-interface filter:
                                                          eth0=tcp,eth1=udp ....
    [-C ]     | --sampling-rate                     Packet capture sampling rate [default: 1 (no sampling)]
    [-D       | --domain ]                    Internet domain name
    [-F       | --flow-spec ]                Flow specs (see man page)
    [-K             | --enable-debug]                     Enable debug mode
    [-L]                                                  Do logging via syslog
    [               | --use-syslog=]            Do logging via syslog, facility ('=' is REQUIRED)
    [-M             | --no-interface-merge]               Don't merge network interfaces (see man page)
    [-O       | --pcap-file-path ]            Path for log files in pcap format
    [-U        | --mapper ]                     URL (mapper.pl) for displaying host location
    [-V             | --version]                          Output version information and exit
    [-X  ]                          Max num. TCP sessions ntop can handle (default 32768)
    [--disable-instantsessionpurge]                       Disable instant FIN session purge
    [--disable-mutexextrainfo]                            Disable extra mutex info
    [--disable-stopcap]                                   Capture packets even if there's no memory left
    [--disable-ndpi]                                      Disable nDPI for protocol discovery
    [--disable-python]                                    Disable Python interpreter
    [--instance ]                                   Set log name for this ntop instance
    [--p3p-cp]                                            Set return value for p3p compact policy, header
    [--p3p-uri]                                           Set return value for p3p policyref header
    [--skip-version-check]                                Skip ntop version check
    [--known-subnets ]                          List of known subnets (separated by ,)
                                                          If the argument starts with @ it is assumed it is a file path
                                                          E.g. 192.168.0.0/14=home,172.16.0.0/16=private

نمونه دستور کاربردی:

در این دستور فیلتر بر روی آدرس 192.168.1.1 قرار داده شده تا تنها ترافیک های مربوط به آن نمایش داده شود.

root@regux.com:~# ntop -B "src host 192.168.1.1"