ntop-2.2-2mdk.i586.rpm

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

   _   _ _
  | \ | | |_ ___  _ __
  |  \| | __/ _ \| '_ \
  | |\  | || (_) | |_) |
  |_| \_|\__\___/| .__/
                 |_|

             Network Top

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


  FAQ
  ===

Section 1 - All Platforms and Section 2 - Platform Specific
          (some general stuff on networking and using ntop in a switched network
           is at the end of Section 2).

Section 3 - HowTo Ask For Help and GDB ultraMini-tutorial

Based on the FAQ entries at http://snapshot.ntop.org and the 1.3 NTOP docs/FAQ and
docs/THREADS-FAQ files.  Also from messages to ntop and ntop-dev mailing lists.
Compiled by Burton M. Strauss III <Burton@ntopsupport.com> - comments to him!

Note that some of this information may be dated or not completely verified for 2.1

Entries are in no particular sequence.

Post 2.1 release entries will have an author/date stamp, (Updated/Added ddmmmyyyy by x)
at the end.

Extensive updates 30Oct2002 for the new ./configure scripts

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Section 1 - All Platforms
=========================

Q. What is ntop?
A. ntop is an open source network top - the official website can be found at
   http://www.ntop.org/

Q. Is ntop like mrtg?
A. No & Yes...

   ntop isn't an SNMP-enabled monitor like mrtg.

   ntop is rather a traffic monitor with its own interfaces, which monitors
   what it sees.

   ntop also supports NetFlow (Cisco) and sFlow, which allow external monitors
   to send information to an ntop instance.

Q. Why isn't there (any)(more)(better) documentation?
A. (A personal peeve from Burton...)

   I get real tired of people complaining that there isn't any documentation
   and then being unwilling to contribute even the simplest stuff.  I've said
   I'll edit and assemble whatever people send me... and since I started working
   with ntop in November 2001, I've received maybe two pages of stuff.

   I'm trying to get people - who aren't coders - to contribute to ntop the project.
   The contribution that ANYONE can make is "documentation".  A task-specific
   HOWTO... some sample screen shots... An FAQ entry...

   I've tried being nice.
   I've tried asking.
   I've tried shaming people into it.  

   What have I gotten?    Zip.

   Nasty is all that's left...  This is your fair warning.  If you show up on 
   the ntop mailing lists and complain about documentation, you will get blasted.

   -----Burton


Compiling
---------
 
Q. ntop doesn't compile.
A. First, check the output from ./configure for an error message - sometimes
   people miss them.  Then review the output from make, also looking for an error.
   Finally, look at config.log to see what ./configure found  when looking for 
   headers and libraries.  Usually, you are missing a critical library, but tried 
   to "make" anyway after ./configure failed.

   ntop will report KEY information and PROBLEMS in large, set-off, lines:

     *******************************************************************
     *
     * NOTE: Building ntop for a supported platform
     *       This means we expect ntop to work without major issues
     *
     *            'i686-pc-linux-gnu'
     *
     *    Please keep the ntop-dev mailing list updated with any
     *    successes you have or problems you encounter...
     *
     *   Support for this platform was most recently verified for
     *
     *     RedHat7.2 w/ updates           ntop 2.1.51   on 2002-10-21
     *     Suse i686, 2.4.18-4GB-SMP      ntop 2.1.51   on 2002-10-24
     *
     *******************************************************************

   or

     *******************************************************************
     *
     * ERROR:  1. We were unable to find the header gdchart.h in the
     *            standard location or the alternate location you
     *            specified by --with-gdchart-root.
     *
     *>>> ./configure continues, charts will not be available.
     *
     *???     1. Rerun ./configure with a corrected --with-gdchart-root
     *???  or 2. Install gdchart and rerun ./configure
     *
     *******************************************************************

   READ THEM!

   Hint: It may sometimes be that you're missing the header files (often those 
   are in a -devel rpm if you're running RedHat)

(Updated 30Oct2002, new ./configure scripts)
  

Q. What is "snapshot"?
A. Snapshot is a community FAQ and documentation resource at http://snapshot.ntop.org.
   It's also the site of "the snapshots".


Q. What is "a snapshot" or "the snapshots"?
A. A snapshot is a dump of the ntop cvs structure, automatically generated every
   day at 5 minutes after midnight (Pisa time). 

   Snapshots are named with their creation date, in the form of ntop-yy-mm-dd.tgz. 

   Snapshots are not polished and are not even "releases". They contain whatever
   update(s) were checked into the cvs during the prior day.  No more, no less.
   
   cvs checkins (commits) are usually tested by the developer, but perhaps only in
   one (limited) environment.  Occasionally a file is missed or a typo occurs and a 
   snapshot won't compile. Snapshots frequently introduce bugs that aren't apparent 
   on a quick review.  Snapshots are basically a point-in-time capture of the
   moving development environment.  No more and no less.

   With release 2.0, rapid development occurred after general release and using 
   the latest snapshot was your best bet. With 2.1 we hope to be a little more
   stable and to release incremental versions (e.g. 2.1a) if necessary.
   
   If the 2.1 release doesn't work, drop by the mailing lists and check the back
   traffic to see if this is a common problem.  If it's not, try the latest 
   snapshot or ask for a recommendation of which version is the best to use.  


Q. I have a problem with...
A. If you are compiling ntop from versions prior to 2.1.52, please run
   ./autogen.sh -1 and try again.

   ntop is distributed with generated files from RedHat 7.2 and/or Solaris 8
   systems.  The Makefile is supposed to detect things being out of whack and
   automatically regenerate these files, but it doesn't ALWAYS work.

   Doing ./autogen.sh -1 makes the various generated files conform to your
   system and your tools versions.  It's the right thing to do.
(Updated 30Oct2002, new ./configure scripts)

Q: How do I force configure to build ntop without xxxx support?
A: ./configure --help shows a bunch of configuration options available to you:

  +--ntop-specific:------------------------------------------------------------+
  --enable-configuredebug     display debug information during ./configure
  --disable-mt                disable multithread support [default=enabled]
  --enable-sslv3              enable ssl v3 support [default=disabled]
  --enable-sslwatchdog        enable Watchdog for ssl hangups [default=disabled]
  --disable-plugins           disable compilation of plugins [default=enabled]
  --enable-static-plugins     Enable static linked plugins sntop, default=dynamic]
  --enable-micro-ntop         compile a slim version of ntop [default=disabled]
  --enable-intop              enable intop (obsolete) command line version [default=disabled]
  --enable-ignoresigpipe      Ignore SIGPIPE errors [default=do not ignore]
  --enable-i18n               Enable (limited) internationalization [default=disabled]
  --enable-xmldump            Enable xml-based data dump [default=disabled]
  --enable-largerrdpop        Enable large rrd population [default=disabled]
  --enable-netflowassumeftpdata  Enable assumption that unknown ports for netflow data
                                 are ftp-data [default=disabled]
  --enable-showoses           display OS Support information.
  --enable-iknowbetter        Override WILLFAIL

  +--external-packages:--------------------------------------------------------+
  --without-ssl               disable HTPPS support [default=enabled]
  --without-gdchart           disable use of GDChart [default=enabled]
  --with-tcpwrap              enable use of TCP Wrapper [default=disabled]
  --without-curses            disable use of curses [intop, default=enabled]
  --without-readline          disable use of GNU readline [intop, default=enabled]

  +-External-source-locations:-------------------------------------------------+
  --with-pcap-root=DIR        LBNL pcap located in DIR
  --with-pcap-lib=DIR          or libpcap located in DIR
  --with-pcap-include=DIR      or pcap.h located in DIR
  --with-ossl-root=DIR        openSSL located in DIR
  --with-ossl-lib=DIR          or libssl located in DIR
  --with-ossl-include=DIR      or ssl.h located in DIR
  --with-gdbm-root=DIR        GNU gdbm located in DIR
  --with-gdbm-lib=DIR          or libgdbm located in DIR
  --with-gdbm-include=DIR      or gdbm.h located in DIR
  --with-zlib-root=DIR        zlib located in DIR
  --with-zlib-lib=DIR          or libz located in DIR
  --with-zlib-include=DIR      or zlib.h located in DIR
  --with-gdchart-root=DIR     GDChart located in DIR
  --with-gdchart-lib=DIR       or libgdchart located in DIR
  --with-gdchart-include=DIR   or .h located in DIR
  --with-gd-root=DIR          gd located in DIR
  --with-gd-lib=DIR            or libgd located in DIR
  --with-gd-include=DIR        or gd.h located in DIR
  --with-libpng-root=DIR      libpng located in DIR
  --with-libpng-lib=DIR         or libpng located in DIR
  --with-libpng-include=DIR     or png.h located in DIR
  --with-rrd-root=DIR         rrdtool located in DIR
  --with-rrd-lib=DIR           or librrd located in DIR
  --with-rrd-include=DIR       or rrd.h located in DIR
  --with-localedir=DIR        LOCALE files located in DIR (i18n)
  --with-xml2-root=DIR        xml2 located in DIR
  --with-xml2-lib=DIR           or libxml2 located in DIR
  --with-xml2-include=DIR       or .h located in DIR
  --with-gdome-root=DIR       gdome located in DIR
  --with-gdome-lib=DIR          or libgdome located in DIR
  --with-gdome-include=DIR      or .h located in DIR
  --with-glib-root=DIR        glib located in DIR
  --with-glib-lib=DIR           or libglib located in DIR
  --with-glib-include=DIR       or .h located in DIR
  --with-glibconfig-root=DIR  glibconfig.h source in DIR

(Updated for the new scripts, 12Apr2003)

Q. Which packages/libraries do I need to compile ntop:
       glibc
       gcc
       cpp
       gawk
       autoconf 2.5+ (distribution is built with 2.53)
       automake 1.6+ (distribution is built with 1.6.3)
       libtool  1.4+ (distribution is built with 1.4.2)
                     (there are successes reported with 1.3.4)
       openssl (for https:// support)
       gdbm
       libpcap

     Note that both gcc 2.95/2.96 and 3.2 are reported to work.

     Note that in some cases the minimal header files for a tool will be in one
     "package" and the execution library in another. ntop needs both so that
     the ./configure test finds the tool. It's usually safest to install both
     the tool and development packages!

     (Note some packages will have additional packages as pre-requisites)

     Building libpcap requires: bison/flex  

     Building gdchart uses ar and ranlib from binutils (available precompiled or from
         http://www.gnu.org/directory/binutils.html)

(Updated for the new scripts, 30Oct2002)
(Updated for binutils, 13Dec2002)

Q. Compile dies because it's missing depcomp
A. automake/autoconf issue.  Just copy the missing file (or make a symbolic link) into
   the ntop source directory.
   
   It's in /usr/share/automake on my Linux boxes 
   Another user reports it is in /usr/local/share/automake in sun8. 

   Snapshots after February 2002 should have fixed the problem, but you may have
   to run:
   $ automake --add-missing --gnu -c
   to create the pointer.

Q. ntop make fails with a message about being unable to create a .deps file
A. Check the permissions on the (hidden) .deps (and .libs) directories - if root 
   owns them your non-root userid may not be able to create files in there

Q. ntop make fails with a message about a missing .deps file
A. Basically, it's an automake 1.5 bug, related to dependency tracking.

   ntop requires automake 1.6+ - that dependency is EXPLICIT in the Makefile.am!

   Since we distribute ntop with scripts generated from 1.6.3, you would *think*
   they should work, regardless of what version of automake is installed.

   That's not the case.  The problem occurs because automake gets invoked by
   ./configure to copy the missing gnu files such as depcomp.  If you have 1.5
   installed, it then remakes the plugins/Makefile as a 1.5 version, which fails.

   A test was added in 2.1.55 (snapshots on/after 21Jan2003) to trap this.

Q. Why is the .deps problem mostly happening under FreeBSD?
A. Because the FreeBSD ports tree only has 1.5, but that's a FreeBSD ports problem, 
   not ntop's.  If you search the FreeBSD lists on Google, there's lots of traffic
   about a 1.6 version for FreeBSD, but it doesn't seem to be in the tree.  What's
   there is:

     ./devel/automake
        -- which is 1.5
     ./devel/automake14
     ./devel/automake17
        -- which does NOT work

Q. So how do I work around the problem?
A. Install 1.6.3.  It's quite easy, does NOT require root.  The steps are listed
   in the ./configure message, repeated below:

      Download automake 1.6.3 from gnu
          $ wget http://ftp.gnu.org/gnu/automake/automake-1.6.3.tar.gz

      Untar it 
          $ tar xfvz automake-1.6.3.tar.gz

      Make it
          $ cd automake-1.6.3
          $ ./configure --prefix=/home/<whatever>/automake163
          $ make
          $ make install

      Add it to your path (this is bash, but other shells, can do it too)

          $ PATH=/home/<whatever>/automake163/bin:$PATH
          $ export PATH

      And then untar, ./configure and make ntop.
(Added three .deps questions, 20Jan2003)


Q. How do I update the Vendor Table (MAC address prefixes)?
A. ntop has (in the Makefile) a rule to automatically download the latest vendor
   information table from the IEEE, the oui.txt file ntop reads.

   ntop ships with a mini oui.txt, that is a small file of the MAC addresses
   common to my networks.

   If you are seeing unknown MAC address prefixes (the first three octets), try
   the full IEEE table.  To rebuild it:

     # make dnvt 

   and then copy the new oui.txt over the one installed by ntop originally.

   Also note that the table changes over time - there are almost 600 modifications
   and/or new assignments between the version shipped with ntop 2.0 and the version
   on the IEEE site in February 2002.


Q. I get an error, libtool: link: CURRENT `-release' is not a nonnegative integer
A. This is an autoconf problem.  It should be fixed in the new scripts (30Oct2002).
   The whole set of messages is typically:

   [...]
   > libtool: link: CURRENT `-release' is not a nonnegative integer
   > libtool: link: `-release' is not valid version information
   > make[2]: *** [libntop.la] Error 1
   > make[2]: Leaving directory `/usr/local/src/ntop'
   > make[1]: *** [all-recursive] Error 1
   > make[1]: Leaving directory `/usr/local/src/ntop'
   > make: *** [all-recursive-am] Error 2

   From Luca: 

       "AFAIK this is a bug of autoconf that's not able to expand some macros, 
        namely those that contain the version number. The workaround is to 
        downgrade to the previous autoconf version." 

       Workarounds:
       - downgrade to a stable autoconf version
       - edit all the ntop Makefile(s), add "0:0:0" behind any 
         occurrence of "version-info" and "2.0" behind
         "-release".


   Other Solutions: 

   1) Burton posted a personal patch to do the above for Makefile.am on
      Thu Dec 20 2001 - "Compile problems with -release". Check the ntop-dev archive. 

   2) Older versions (e.g. Slackware 7.xx) of Linux installations have older versions 
      of automake, which don't exhibit the bug. 

   3) (Sean O'Neill) "I cheated a bit and hacked libtool by changing the following" 

        current="$2" 
          to 
        current=0 

   4) The new ./configure scripts - call it versions after Nov2002 - fix this.
(Updated 2003-Jan-20)

Q. Why do we have static linked libraries in buildAll.sh?
A. I (Burton) don't know the history, but I have some guesses...  First the facts...

   gdchart0.94c wasn't regularly released - it's a special release for ntop -
   check the home page and there isn't a mention of c!

   libpng-1.0.8 has different calling parameters vs. 1.2.x and DOES NOT
   implement the typical backwards compatible entry points.  So if you compile
   with one and .so to the other, it breaks...  nice, huh?

   zlib?  Probably wouldn't have been an issue, but - as everyone else got
   bitten by - it had been so stable for so long, that nobody even thought
   about it...

   My guess is that it simply became easier for Luca - static linking kills 
   off a whole raft of problem reports.  But that's only a guess - I wasn't
   involved with ntop back then...

   Could it be fixed/changed??  Sure.  Volunteers are welcome.


Q. What is "obsolete/"
A. Obsolete code is code that is no longer being maintained and is no longer part
   of ntop, but it's stuck off in that directory because 1) storage is cheap and
   2) it might have usage someday and 3) somebody might be interested in resurrecting it...

   Code in obsolete/ IS NOT MAINTAINED, even minimally. 

   Specifics?  (As of June 2002)

       Various programs and functions which supported "rules" were determined to be
       obsolete and were removed from ntop in late March 2002. This included a substantial
       number of lines of code which were simply removed. Entire modules were placed into 
       the obsolete/ directory. 
               ntop-rules.8 
               event.c 
               rules.c 
               rules.h 
               rules.sample 

       Various plugin programs which were no longer being supported were removed from 
       ntop in late March 2002. These entire modules were placed into the obsolete/ 
       directory. 
               wapPlugin.c 
               rmon.h 
               rmonPlugin.c  

       Various lines of code (totaling a substantial number, widely scattered throughout 
       ntop), which had provided compile-time selectable support (#define ENABLE_NAPSTER) 
       for analysis of the (late) Napster protocol were removed on 4Apr2002.  


Q. How to Build the (obsolete) RMON plugin
A. Without any guarantees...

    0) Please do NOT use a precompiled UCD package unless you know what you're doing. 

    1) Fetch UCD-SNMP [See http://net-snmp.sourceforge.net/developer.html] 

    2) Compile the stuff as specified as follows : 
        [see also http://net-snmp.sourceforge.net/tutorial/toolkit/demon/] 
    > ./configure --with-mib-modules="agentx" 
    > make 
    > make install 

    3) Once you have this stuff ready you can build the ntop/RMON plugins. 

    4) Now start ntop. 

    5) The ntop/RMON plugin listens on port 161 (the default SNMP port). 
        If you want to test the agent you can use the 'tkMib' tool that comes with 
        UCD-SNMP [see http://net-snmp.sourceforge.net/tkmib.jpg]. 

   NOTE: If you use tkMib do not forget to do "setenv MIBS ALL" (csh shells), 
         otherwise you won't see the RMON MIB.  

   How to Build the RMON plugin (bis) created 04/03 2002 by pierlo  
   
   The following works with : 
     - ntop v.2.0.1 
     - UCD-SNMP v.4.2.3 
     - openSSL v.0.9.6c 

     0. Requirements 
     * Make sure that ntop works properly 

     * Make sure that openSSL & openSSL libraries are correctly installed
       (no WARNING when ntop is started !). If not, download and install 
       the latest versions) 

     * fetch & install UCD-SNMP : 
     tar -xvzf XXXXX.tar.gz 
     ./configure --enable-shared 
     make 
     umask 022 
     make install 

     1. uncomment lines around 474 and 1035 in configure.in file : 

     dnl>OPTIONAL UCD-SNMP 
     dnl>AC_HAVE_HEADERS(ucd-snmp/ucd-snmp-agent-includes.h) 
     (...) 
     dnl> check for `UCD-SNMP' library by University of California [http://ucd-snmp.ucdavis.edu] 
     dnl>AC_CHECK_LIB(ucdagent, register_mib, [AC_DEFINE(HAVE_SNMP) SNMPLIBS="-L/usr/local/lib -lsnmp -lucdagent -lucdmibs"], , -lsnmp -lucdagent -lucdmibs $LIBS $MORELIBS) 

     (remove the dnl> from the AC_ lines) 

     * in /ntop/plugins/rmonPlugin.c file, replace : 

     line 702 approx. : droppedPackets with droppedPkts 
     (there is only one occurrence, so it may not be difficult to find) 

     line 676 approx. : 
     if (header_simple_table (vp,name,length,exact,var_len, 
          write_method,numDevices) 

     with : 

     if (header_simple_table(vp,name,length,exact,var_len, 
          write_method,myGlobals.numDevices) 

     and : 

     long_ret = (long)(device[ifNum] 

     with 

     long_ret = (long)(myGlobals.device[ifNum] 

     (lines 690 to 782 approx., about 13 occurrences to change) 

     2. launch /ntop/autogen.sh -1 

     3. launch /ntop/configure 

     Be sure that : 

     * there is no warning about openSSL libraries ! 

     * the following checks are successful : 
     " Step 4. Looking for both required and optional system headers.... 
     (...) 
     checking for ucd-snmp/ucd-snmp-agent-includes.h... yes" 
     (...) 
     
     "Step 7. Looking for optional GPLed libraries.... 
     (...) 
     checking for register_mib in -lucdagent... yes" 

     -> NO warning about openSSL libraries here ! If any trouble, 
     check config.log file, which may help to get round the problem... 
     Looking at ld.so.conf file and checking library paths may also be helpful. 

     4. edit /ntop/plugins/Makefile : replace every occurrence of "icmpPlugin" with "rmonPlugin". 

     5. Launch /ntop/plugins/make 

     6. Theoretically, the RMON plugin is built and is ready to work ! If you have 
        an error message like "undefined symbol..." when ntop starts... 
        I don't know how to fix it. 

     Hope I didn't forget anything... Have fun ! 

     P-L.  
 

Running
-------

Q. What is the function of the 'ntop' script in the build directory - should I
   call it or /usr/local/bin/ntop ?
A. (from the comments in the script):

    # ntop - temporary wrapper script for .libs/ntop
    # Generated by ltmain.sh - GNU libtool 1.4 (1.920 2001/04/24 23:26:18)
    #
    # The ntop program cannot be directly executed until all the libtool
    # libraries that it depends on are installed.
    #
    # This wrapper script should never be moved out of the build directory.
    # If it is, it will not operate correctly.
    
   It allows you to run ntop out of the build directory before doing a "make
   install" by doing all the necessary linkage magic - such as forcing a relink
   if it didn't succeed originally - to the files in .libs.

   Think of it as simulating make install, but not moving stuff to /usr/local
   or wherever.


Q. Which libraries do I need?
A. To run ntop: glibc, gdbm, libpcap 
      For https://, add openssl. 
      For intop, add ncurses. 
      For other tools and compile options, add the appropriate libraries. 


Q. ntop seems to run, but the web server isn't up.
A. Set the password - see docs/1STRUN.TXT


Q. How do you reset Admin password if we lost it?
A. Delete ntop_pw.db and follow the procedure in docs/1STRUN.txt


Q. How does the @filename option work e.g. /usr/bin/ntop ... @filename ...
A. The text of 'filename' is copied - ignoring line breaks and 
   comments (anything following a #) - into the command line.

   ntop behaves as if all of the text had simply been typed directly 
   on the command line.  Multiple @s are permitted in the command 
   line, nesting is not.  @s in the file will cause an error.

   Both are displayed on the info.html report, the "Started as"
   shows the actual command line ntop was given and the 
   "Resolved to" shows what ntop processed.

   Started as /usr/bin/ntop -i eth0,eth1 @/root/ntop_parms -d -L

   with /root/ntop_parms containing:

      -p /usr/share/ntop/protocol.list 
      -P /usr/share/ntop 
      --throughput-bar-chart 
      -w 192.168.42.38:3000 
      # -W 192.168.42.38:3001 
      -u ntop 
      --trace-level 3 
      -m 12.239.0.0/16,10.113.0.0/16 
      -E 
      -K 
      --reuse-rrd-graphics 

   becomes:

   Resolved to /usr/bin/ntop -i eth0,eth1 -p /usr/share/ntop/protocol.list 
               -P /usr/share/ntop --throughput-bar-chart -w 192.168.42.38 
               -u ntop --trace-level 3 -m 12.239.0.0/16,10.113.0.0/16 -E 
               -K --reuse-rrd-graphics -d -L 

   Remember, most ntop options are "sticky", that is they just set an
   internal flag. Invoking them multiple times doesn't change ntop's
   behavior. However, options that set a value, such as --trace-level, 
   will use the LAST value given: --trace-level 2 --trace-level 3 will 
   run as --trace-level 3.

   It is recommended that you use FULL pathnames for @filename, since
   ntop may have different effective directories when run in different
   ways.  However, you may wish to use relative pathnames to take
   advantage of the different effective directories (say cron vs.
   command line).  Just know where you're starting from.
(Added 20Nov2002, Burton)
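An added model of the @filename rules described in this entry (not ntop's own code): it expands @files, drops comments, rejects an @ reference nested inside a file, and shows which value wins for a repeated value option. The sample parameter file is the one from this entry, written to a temporary file; the nested-reference file name is constructed.

```python
"""Expand ntop-style @filename arguments, modelling the rules this FAQ entry
gives; an added illustration, not ntop's own code."""
import os
import tempfile

class ParmFileError(ValueError):
    """Raised when a parameter file itself contains an @ reference."""

def read_parm_file(path):
    """Tokens of one parameter file: line breaks ignored, '#' starts a comment."""
    tokens = []
    with open(path) as fh:
        for line in fh:
            body = line.split("#", 1)[0]      # drop the comment, if any
            for tok in body.split():
                if tok.startswith("@"):       # nesting is not permitted
                    raise ParmFileError("nested %s in %s" % (tok, path))
                tokens.append(tok)
    return tokens

def resolve_command_line(argv):
    """Replace every @filename in argv with that file's tokens, in place."""
    resolved = []
    for arg in argv:
        if arg.startswith("@") and len(arg) > 1:
            resolved.extend(read_parm_file(arg[1:]))
        else:
            resolved.append(arg)
    return resolved

def effective_values(resolved, value_opts):
    """Value that applies for each value-taking option: the LAST one given
    (sticky flags just set an internal flag, so repeating them is harmless)."""
    values = {}
    i = 0
    while i < len(resolved):
        if resolved[i] in value_opts and i + 1 < len(resolved):
            values[resolved[i]] = resolved[i + 1]
            i += 2
        else:
            i += 1
    return values

# The parameter file from this FAQ entry, including its commented-out -W line.
SAMPLE_PARMS = """\
-p /usr/share/ntop/protocol.list
-P /usr/share/ntop
--throughput-bar-chart
-w 192.168.42.38:3000
# -W 192.168.42.38:3001
-u ntop
--trace-level 3
-m 12.239.0.0/16,10.113.0.0/16
-E
-K
--reuse-rrd-graphics
"""

def _with_temp_file(text, func):
    """Write text to a temporary file, call func(path), then remove the file."""
    fd, path = tempfile.mkstemp(suffix=".parms")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    try:
        return func(path)
    finally:
        os.unlink(path)

def demo_resolve():
    """'Started as' -> 'Resolved to' for the FAQ's example command line."""
    return _with_temp_file(SAMPLE_PARMS, lambda p: resolve_command_line(
        ["/usr/bin/ntop", "-i", "eth0,eth1", "@" + p, "-d", "-L"]))

def demo_last_value_wins():
    """--trace-level 2 on the command line but 3 in the file: 3 wins."""
    return _with_temp_file(SAMPLE_PARMS, lambda p: effective_values(
        resolve_command_line(["ntop", "--trace-level", "2", "@" + p]),
        {"--trace-level", "-w", "-m"}))

def demo_nested_is_error():
    """A parameter file that itself contains an @ reference (constructed
    name /root/other_parms, never opened) is rejected."""
    try:
        _with_temp_file("-d\n@/root/other_parms\n", read_parm_file)
    except ParmFileError:
        return True
    return False

if __name__ == "__main__":
    print("Resolved to", " ".join(demo_resolve()))
    print(demo_last_value_wins(), demo_nested_is_error())
```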

Q. ntop seems to run but I don't see any traffic.
A. Make sure you aren't running against the loopback (127.0.0.1) interface.
   lo shouldn't see much traffic, only that originating on the host destined
   for it (e.g. ping 127.0.0.1).


Q. ntop is unable to open its database file.  Specifically:
   I have following messages while running ntop

     wait please: ntop is coming up...
     24/Jul/2003 15:15:23 Initializing IP services...
     <snip />
     24/Jul/2003 15:15:23 Initializing GDBM...
     24/Jul/2003 15:15:23 Database '/var/ntop/addressCache.db' open failed: File open error
     24/Jul/2003 15:15:23 Possible solution: please use '-P <directory>'
A. Multiple possible choices...
    1. The directory /var/ntop doesn't exist.  Create it or, as the message says, use the
       -P parameter to point ntop at another directory.
    2. You may not have read/write rights in /var/ntop - if you're running in non-promiscuous
       mode from a user other than root.
    3. Another instance of ntop may already be running, so it has the file open and locked.
   (Added 29Jul2002 by Burton)


Q. ntop stops capturing packets, except ARP and other broadcasts.  Why?
A. Check whether you have a daemon running that periodically checks for and 
   resets interfaces in promiscuous mode.  If that happens, all you 
   would see are broadcast packets like ARPs...

   Check back in the log and see if there is a message about the interface
   changing status.  Determine why.


Q. How much horsepower do I need to run ntop on a network of size x?
A. Nobody really knows.  ntop needs enough memory to store the active
   hosts and enough cpu to keep up with the average packet flow.  The
   buffer will handle the occasional peak, but if you see frequent
   lost packets, you're in trouble.

   Note that a few packets occasionally lost isn't a big deal for most 
   users.  After all, the network itself has losses - I've seen my AT&T
   Broadband connection have spurts of 30% packet loss.  Ideally in a 
   LAN environment, the packet loss should be down in the small #s... 
   the Ethernet standard allows 1 error in 100,000,000 (10^8), but most 
   vendors beat that by a long margin (even as high as 1 in 10^12).

   Of course, those are lab measurements.  In the real world?  Not that good.
   Electrical noise can be a real bugaboo. Remember, at a certain point, if 
   the nic doesn't understand what it's seeing, it throws it away and 
   declares an error.  The key is to keep up with the traffic.

   Similarly, the OS kernel does the same thing in its interrupt handling
   (throw away packets).  Last resort, but better than hanging up the whole
   machine.

   ntop drops packets when the queue gets longer than the permitted length.
   You can see this in the configuration page as # Queued Pkts to Process 
   and # Max Queued Pkts.

   One or two or a small number (you pick your tolerance) is ok, but constant 
   losses aren't.  What I'm saying is that as long as ntop can keep up with the 
   nic, then the data is as good as it gets...  if ntop can't keep up, then the 
   data isn't very good.

   If you have measurements - network size, traffic flow and %CPU used (with
   the hardware info, of course), shoot them over to us on ntop and someday
   maybe we'll be able to give better #s.


Q. ntop starts up with this:
   WARNING: Discarded network 172.20.0.0/16: this is the local network.
A. No worries.  The message means exactly what it says - it's a warning that 
   you gave the local network as one of the parameter(s) to -m.  Since the 
   local networks are always local, ntop doesn't need to make them pseudo-local.


Q. Can I set the admin password from a script?
A. Yes, you can call ntop with the option: 
      ntop --set-admin-password=password

   If you are really crazy, emulate a tty with ptty, in a python script posted at
   Snapshot.


Q. I changed the owner of the ntop database directory to the user
   ntop runs as and I get prompted for the password endlessly.
A. Don't.  At the point in the code where databases are opened, ntop has not yet
   shed privileges.  So the databases must be owned by root.  Sensitive info,
   such as the ntop "admin" password, is stored in there, so changing ownership
   isn't a good idea.


Q. Can I disable logging? Totally?
A. Sort of - if you run single threaded, without the -d or -L options.
   Multithreaded?  No.  If ntop creates child threads, they don't have 
   terminal access and have to have some way of reporting things.


Q. I can't merge interfaces (-M option)?
A. Check your plugins and see if either netflow or sflow is active.
   Regardless of whether you're using them, if they're active, they 
   (silently) force the -M switch on.


Q. I'm seeing weird "hosts" on my network with names like "Bridge Sp. Tree/OSI Route".
   What are they?
A. There is a list of "special" MAC address prefixes in vendor.c, specialMacInfo[].
   There are blocks of MAC addresses reserved (sometimes not formally) for special
   uses, such as sharing information about Spanning Tree for bridges.  These do not
   have an IP address - they operate at a lower level - so nothing gets displayed
   in some of ntop's fields.

   A reference about protocols at the wire level is here:
      http://www.oreillynet.com/pub/a/network/2001/03/02/net_2nd_lang.html

   If you only want to see TCP/IP, then I suggest you use -B "ip" to filter
   only TCP/IP protocol on your ntop line...
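An added example (not ntop's own code) for this entry and for the vendor-table entry under Compiling: it parses a constructed oui.txt-style excerpt with made-up vendor names, consults a constructed stand-in for the specialMacInfo[] table first, and lists the prefixes neither table knows, which is the cue to rebuild oui.txt with make dnvt. The oui.txt record layout and the 01:80:C2 Spanning Tree block are assumptions stated in the code.

```python
"""MAC-prefix (OUI) lookup as this FAQ describes it; an added illustration,
not ntop's code."""
import re

# Constructed excerpt in the layout of the IEEE oui.txt file (assumed record
# form "XX-XX-XX   (hex)<tab><tab>Organization"); vendor names are made up.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization
company_id                                                  Organization
                                                            Address

00-D0-09   (hex)\t\tExample Vendor A
00D009     (base 16)\t\tExample Vendor A

00-D0-9E   (hex)\t\tExample Vendor B
00D09E     (base 16)\t\tExample Vendor B

00-A0-CC   (hex)\t\tExample Vendor C
00A0CC     (base 16)\t\tExample Vendor C
"""

# Constructed stand-in for ntop's specialMacInfo[] table: 01:80:C2 is the
# IEEE 802.1D reserved block that bridges use for Spanning Tree frames.
SPECIAL_PREFIXES = {"0180C2": "Bridge Sp. Tree"}

OUI_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.*?)\s*$")

def parse_oui(text):
    """Map each 6-hex-digit prefix in oui.txt content to its organization."""
    table = {}
    for line in text.splitlines():
        m = OUI_LINE.match(line)
        if m:
            prefix = (m.group(1) + m.group(2) + m.group(3)).upper()
            table[prefix] = m.group(4)
    return table

def mac_prefix(mac):
    """First three octets of a MAC as 6 upper-case hex digits.

    Accepts 00:D0:09:xx:xx:xx, 00-d0-09-..., or 00d009...; only the prefix is
    validated, so the masked xx octets in the FAQ's host table are accepted.
    """
    digits = re.sub(r"[:\-.]", "", mac).upper()
    prefix = digits[:6]
    if not re.fullmatch(r"[0-9A-F]{6}", prefix):
        raise ValueError("not a MAC address: %r" % mac)
    return prefix

def vendor_of(mac, table, special=SPECIAL_PREFIXES):
    """Special prefixes first (they are not vendors), then the OUI table;
    None when neither knows the prefix."""
    prefix = mac_prefix(mac)
    if prefix in special:
        return special[prefix]
    return table.get(prefix)

def unknown_prefixes(macs, table, special=SPECIAL_PREFIXES):
    """Prefixes seen on the wire that neither table knows, sorted.

    A non-empty result is the cue to rebuild oui.txt from the full IEEE table
    (make dnvt) and copy it over the installed one.
    """
    missing = set()
    for mac in macs:
        prefix = mac_prefix(mac)
        if prefix not in special and prefix not in table:
            missing.add(prefix)
    return sorted(missing)

if __name__ == "__main__":
    oui = parse_oui(SAMPLE_OUI_TXT)
    for mac in ("00:D0:09:xx:xx:xx", "01:80:C2:00:00:00", "00:11:22:33:44:55"):
        print(mac, "->", vendor_of(mac, oui))
    print("unknown:", unknown_prefixes(["00:11:22:33:44:55"], oui))
```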


Q. How do I see fully qualified names for all my hosts? Some are netbios
   names!
A. ntop doesn't SEND NetBIOS queries, it sniffs them off the traffic already on
   the network.

   There is only ONE case where ntop uses the NetBIOS names, which is if 
   it can't resolve them via DNS (both its own queries and from sniffing
   responses to others' queries off the network).

   So, if you have a properly functioning DNS, you'll see DNS names.  If 
   these are (for example) internal names, unknown to the DNS server, you'll 
   see NetBIOS names if they are available.  Lastly, you'll get IP addresses...

   If you do have a DNS, and the name is resolved as part of the default
   domain, you won't see a fully qualified name back from the DNS, so ntop
   won't have that information.  
   
   So, on a real network you'll often get a mix of name resolution types:

    Host                            IP Address      MAC Address      Other Name(s)
    netnews.attbi.com               63.240.76.16
    tigger.homeportal.2wire.net     192.168.0.xx   00:D0:09:xx:xx:xx
    homeportal.homeportal.2wire.net 192.168.0.1    00:D0:9E:xx:xx:xx
    swallowtail                     192.168.0.XX   00:A0:CC:xx:xx:xx SWALLOWTAIL [STRAUSS] ...
    12-xxx-xxx-xxx.client.attbi.com 12.xxx.xxx.xxx 00:D0:9E:xx:xx:xx
    12-xxx-xxx-yyy.client.attbi.com 12.xxx.xxx.yyy


Q. I don't understand -j | --border-sniffer-mode
A. Welcome to the club <grin />

   Quoting from Luca's comment:
   
   "-j is used when you are starting ntop on a mirrored interface where you
   cannot trust MAC addresses."

   ntop uses MAC addresses for many things to differentiate among machines.
   IP addresses and names can mean many things, but hardware addresses are
   supposed to be unique.  This is usually true, but gets hairy when you
   introduce a switch into the network which is also copying all of the 
   packets it sees to a monitoring port.  

   Understand how a switch works: In short, a switch monitors the network it sees
   and knows which MAC address(es) are on which ports.  When it receives a packet,
   it forwards it only to that port. Broadcasts are forwarded to all ports.

   So an ntop instance, sniffer, whatever only sees a fraction of the traffic.

   In many managed switches, there is an option for a "repeater" or "monitoring" 
   or "spanned" port, which receives all traffic, so that network monitoring can 
   be performed there.

   However, when the switch sends out packets on the monitoring port, it must 
   rewrite them to be valid Ethernet packets with a valid (i.e. the switch's)
   MAC address, and ntop gets confused.

   Note that:

   1. -j usually requires you to specify the local network (-m) as a mirrored
      interface might have a wrong/IP-less/private IP address.

   2. -j disables some features as TCP session tracking etc.

   In future versions -j will disappear and it will be replaced with more flags
   for better controlling all these options.

   With multiple switches in a hierarchy, you have to place the ntop instance 
   or instances carefully, depending upon what you want to monitor.

   For example, most LANs have a switch in each area with its uplink connected 
   to a backbone switch.  Servers and gateways are then placed off one or more 
   backbone ports.  This keeps departmental traffic isolated from each other, 
   while making enterprise wide and inter-department traffic feasible.  ntop 
   would have to be monitoring the backbone switch, but you would need to be 
   aware of what ntop is NOT seeing and place additional monitors.

   For example, you could place additional ntop instances in the departments, 
   using the netflow or sFlow plugins to receive flow information from them 
   which wouldn't be visible to the backbone instance. (I'll note that I haven't
   actually tried this, myself. -----Burton)


Q. When I run with -j | --border-sniffer-mode, there are different menus.
A. Yes.

   The menus are just html files.  There is a set for regular mode and a
   j_xxx.html set for border sniffer mode.  Why?  Because there are things
   that simply don't work in border-sniffer-mode, so why let the user
   request those pages.

Q. OK, but it changed after 2.1.2 (i.e. in 2.1.50) what are the NEW parameters?
A. There were four new parameters introduced when -j | --border-sniffer-mode 
   was removed.  Whether the old parameter really did all the same things as 
   the new ones is irrelevant and left to code-archaeologists.  What matters 
   is what the new ones are and what they do!

   They are:

   -b | --disable-decoders

     This flag disables protocol decoders. Use it for better performance 
     or if you feel ntop has problems handling these protocols in your
     environment.

     This switch disables code in a number of places throughout ntop, code 
     which analyzes specific protocols, but can place additional load on the 
     host.  This switch could be used to run ntop on low-end CPUs or where 
     ntop is acting as a collector (netFlow or sFlow) and the GUI is not
     required.

     Disabled is the analysis of:

        DNS Sniffing - where ntop captures DNS information from other hosts'
                       requests to reduce the # of DNS requests ntop must -
                       itself - make.

        NetBIOS   \
        NetWare    \
        AppleTalk   -- resource intensive protocol analysis of less 
        bootp/dhcp /   common protocols.
        OSI       /

        http (80) - Request success/failure counting on port 80 and other
                    analysis, including "Virtual Host".

        ftp passive session tracking.

        "Wrong Port" monitoring for: http, ftp and smtp (used with the
              -q | --create-suspicious-packets option to dump "suspicious" 
              packets to an analysis file).  With this option, ntop checks
              the payload for each new connection, looking for text usually
              present in http, ftp or smtp requests.  If these are not on the
              "normal" ports (http's 80, ntop's 3000 or squid's 3128, ftp's
              21 or smtp's 25) (or there is a non-ftp or smtp request on the
              standard ports), the packet is logged.


   -g | --track-local-hosts

     Use this flag to tell ntop that you care only about local hosts (use 
     -m | --local-subnets to specify local nets).  This flag is useful when 
     ntop sees many hosts (e.g. border gateway) but only the local ones need 
     to be tracked.

     This switch disables code in a number of places throughout ntop, code 
     which allows ntop to track "foreign" hosts (that is ones not local 
     according to the IP address(es) of ntop's interfaces or set pseudo-local
     by -m | --local-subnets).

     Basically, ntop doesn't bother to do DNS resolution on these addresses 
     and, for purposes of various counts, uses the "other" bucket instead of
     creating a unique hash table bucket for the specific host.

     This switch could be used to run ntop on low-end CPUs or where ntop is 
     acting as a collector (netFlow or sFlow) and the GUI is not required.


   -o | --no-mac

     Specifies that ntop should not trust MAC addresses but just IP addresses. 
     This option is useful whenever ntop is started on an interface where MAC 
     (Media Access Controller - the low-level Ethernet address) addresses can
     not really be trusted (e.g. port/VLAN mirror in Switched Ethernet 
     environments).

     Certain processing is performed differently:

          Hash search is via IP not MAC

     Certain capabilities are disabled:

          Analysis of bootp/dhcp requests
          localRoutersList.html report
          Wrong net mask log message and flag
          Analysis of non-tcp/udp protocols like NetWare and Spanning Tree
          Router listing on Host Detailed report.
          Traffic Matrix report

     (Note that this list is subject to change as we learn more about protocols
      that do/do not depend on the MAC address)

     See also -z | --disable-sessions


   -z | --disable-sessions

     This flag disables tcp session tracking. Use it for better performance or 
     when you don't really need the tracking of sessions.

     Also, in situations where the MAC addresses can not be trusted, ntop may
     - or may not - be able to accurately track tcp sessions.  There is no easy 
     way to tell, so this switch puts control back into the users' hands.

     In versions after 2.0 up to & including 2.1.2, the -j | --border-sniffer-mode
     flag (predecessor of -o | --no-mac) always turned this off.  Many users wanted 
     to try turning session tracking back on, and did via code patches with mixed 
     results.

     Suggested usage:  If you enable -o | --no-mac, try running ntop with
     sessions enabled.  If the data looks reasonable, congratulations - your
     network allows session tracking.  If the data does not look reasonable,
     then you will also need to disable session tracking with this switch.

    (Added 21Aug2002 - BMS)


Q. ntop shows an older, single menu interface
A. If ntop is unable to find the file index.html it generates the page 
   internally. That page refers to 'leftindex.html' which is the all-in-one menu 
   you see, similar to the v1.3 menu.

   To find the html files, ntop looks in the html subdirectory in two places: 

      1. In the current directory (i.e. ./html), 
   and 
      2. In '[prefix]/share/ntop/html' 
         (where [prefix] is set by the --prefix option of your ./configure step). 

   Common causes: 

      1. Manually installing ntop in an unusual place, having forgotten to update
         DATAFILE_DIR in config.h. Or forgetting to copy the html subdirectories, etc. 

      2. Forgetting to run './autogen.sh -1' first and 'make install' last when first
         building ntop from source. 

      3. The 'intop.1' problem discussed in another FAQ entry - this leaves a 
         partial install, which is often missing some or all of the html files. 

      4. Running ntop with an explicit path from somewhere other than the directory 
         it's installed into. For example, if you install ntop into /root/ntop, but
         run it like this: 

            cd /usr/bin 
            /root/ntop/ntop 

         It will look 1st in /usr/bin/html and then in [prefix]/share/ntop and not 
         find the html files in /root/ntop/html!

   This often occurs when running ntop as a daemon, because the current working 
   directory of the script is not what you expect it to be! 
 

Q. What are the default protocols ntop monitors?
A. (These are the ones ntop monitors if the user does not supply a -p parameter)  
   Check addDefaultProtocols() in ntop.c around line 520.  
   The current list (July 2002) is


     Protocol   Ports
     --------   -----
     FTP        ftp ftp-data
     HTTP       http www https 3128      /* 3128 is HTTP cache */
     DNS        name domain     
     Telnet     telnet login     
     NBios-IP   netbios-ns netbios-dgm netbios-ssn     
     Mail       pop-2 pop-3 pop3 kpop smtp imap imap2     
     DHCP/BOOTP 67-68     
     SNMP       snmp snmp-trap     
     NNTP       nntp
     NFS        mount pcnfs bwnfs nfsd nfsd-status
     X11        6000-6010
     SSH        22
     Gnutella   6346 6347 6348     
     Morpheus   1214     
     WinMX      6699 7730     
     eDonkey    4661-4665
     Messenger  1863 5000 5001 5190-5193

   Note that the names come from /etc/services (or your system's equivalent).  If
   you add protocols to /etc/services, you can refer to them by name on the -p 
   parameter.

   The list changes over time as P2P protocols appear and disappear.  Check the
   cvs and diff ntop.c (around line 550 in void addDefaultProtocols()) if you want
   the history.


Q. What are ntop's options?
A. There are a couple of options that appear only if they're not compiled in, and a few
   that depend on various external libraries, e.g. openSSL.

   The best way to see what is actually available is to run ntop with the -h or 
   --help options and see.

   Here is the FULL set as of April 2003:  

     -a <path>      | --access-log-path <path>
                               Path for ntop web server access log

     -b             | --disable-decoders
                               Disable protocol decoders

     -c             | --sticky-hosts
                               Idle hosts are not purged from hash

     -d             | --daemon
                               Run ntop in daemon mode

     -e <number>    | --max-table-rows <number>
                               Maximum number of table rows to report

     -f <file>      | --traffic-dump-file <file>
                               Traffic dump file (see tcpdump)

     -g             | --track-local-hosts
                               Track only local hosts

     -h             | --help
                               Display this help and exit

     -i <name>      | --interface <name>
                               Interface name or names to monitor

     -k             | --filter-expression-in-extra-frame
                               Show kernel filter expression in extra frame

     -l <path>      | --pcap-log <path>
                               Dump packets captured to a file (debug only!)

     -m <addresses> | --local-subnets <addresses>
                               Local subnetwork(s) (see man page)

     -n             | --numeric-ip-addresses
                               Numeric IP addresses - no DNS resolution

     -o             | --no-mac
                               ntop will trust just IP addresses (no MACs)

     -p <list>      | --protocols <list>
                               List of IP protocols to monitor (see man page)

     -q             | --create-suspicious-packets
                               Create file ntop-suspicious-pkts.XXX.pcap file

     -r <number>    | --refresh-time <number>
                               Refresh time in seconds, default is 120

     -s             | --no-promiscuous
                               Disable promiscuous mode

     -t <number>    | --trace-level <number>
                               Trace level [0-5]

     -u <user>      | --user <user>
                               Userid/name to run ntop under (see man page)

     -w <port>      | --http-server <port>
                               Web server (http:) port (or address:port) to listen on

     -z             | --disable-sessions
                               Disable TCP session tracking

     -A                        Ask admin user password and exit

                      --set-admin-password=<pass>
                               Set password for the admin user to <pass>
     -B <filter>    | --filter-expression
                               Packet filter expression, like tcpdump

     -C             | --large-network
                               ntop will be used to analyze a large network
                               This is a hint which disables a couple of memory
                               intensive features.

     -D <name>      | --domain <name>
                               Internet domain name

     -E             | --enable-external-tools
                               Enable lsof/nmap integration (if present)

     -F <spec>      | --flow-spec <specs>
                               Flow specs (see man page)

     -K             | --enable-debug
                               Enable debug mode

     -L                        Do logging via syslog

                      --use-syslog=<facility>
                               Do logging via syslog, facility - Note that the = is REQUIRED

     -M             | --no-interface-merge
                               Don't merge network interfaces (see man page)

     -O <path>      | --pcap-file-path <path>
                               Path for log files in pcap format

     -P <path>      | --db-file-path <path>
                               Path for ntop internal database files

     -U <URL>       | --mapper <URL>
                               URL (mapper.pl) for displaying host location

     -V             | --version
                               Output version information and exit

     -W <port>      | --https-server <port>
                               Web server (https:) port (or address:port) to listen on

                      --no-idle-host-purge
                               DO NOT USE - DOES NOT WORK

     --throughput-bar-chart
                               Use BAR chart for graphs

     --ignore-sigpipe
                               Ignore SIGPIPE errors

     --ssl-watchdog
                               Use ssl watchdog (NS6 problem)

     --disable-stopcap
                               Disable 'STOPCAP' mode

     --dynamic-purge-limits
                               Enable dynamic adjustment of the number of hosts
                               to purge per cycle

     --reuse-rrd-graphics
                               Reuse rrd graphics if no rrd data has been updated
                               between requests.

     --p3p-cp
                               Value to return for p3p-cp header

     --p3p-uri
                               Value to return for p3p-uri header

     --xmlfileout
                               File name for xml dump during shutdown

     --xmlfilesnap
                               File name for snapshot xml dump during run

     --xmlfilein
                               DO NOT USE - DOES NOT WORK



Q. But, what about -A a/k/a --accuracy-level
A. This option was used to set ntop into various modes which performed less 
   processing, in order to handle higher traffic volumes. 

   It was added on 14Dec2001 (just before v2.0) and was removed on 11Mar2002, 
   although traces survived in usage() until April 2002. 

   Note that the CODE remains in initialize.c for use by EXPERTS if necessary.  


Q. But, but, but what about --no-admin-password-hint
A. This option was used to remove the hint text from the administrative password 
   entry message box. 

   It was added 4Feb2002 and removed 8Mar2002 (the last traces, in usage(), were 
   removed on 4Apr2002).  


Q. But what about SQL and mySQL
A. Removed in 2.1.50+ versions - use rrd


Q. But I really, really, need the data in an sql database.
A. If you are only interested in saving your netflow data in MySQL, use the script
   ntop/NetFlow/netFlowClient.pl (netflow v5).  With few additional lines you could
   save your data in flat files, forward the netflow data or whatever.

   What this script does is set itself up as a netflow collector and sql inserter.
   The main loop just accepts a netflow packet and inserts the flow(s) into sql.

   To use this with a single instance of ntop, just set ntop up as a netflow
   sender, directed at the script (e.g. 127.0.0.1 on any port you like).  Configure
   the script with the port # and run it.

   The same idea would work with sFlow, you would just have to change the packet
   decoding part of the script.

   (Added, 28Nov2002, from a suggestion by Lubo Kovac, Luboslav.Kovac@dbv-winterthur.de)


Q: How does ntop use lsof?
A: ntop uses lsof to show open files on the ntop host (the IP Traffic | Local usage).
   It does this by executing:

       lsof -i -n -w

   Note that running lsof requires root privileges, but ntop has shed root before
   we ever get to lsof.  Accordingly you must set lsof suid root.

   BEFORE YOU DO THAT: You had better understand the security implications!
       Search the web and check with the lsof people.
(Added 03Feb2003, Burton)

Q: How does ntop use nmap?
A: ntop versions 2.1.57+ do not use nmap.  Older versions used nmap to do OS 
   fingerprinting.  What it did was this:

       nmap -p 23,21,80,138,139,548 -O <address>

   Note that running nmap required root privileges, but ntop has shed root before
   we ever get to nmap.  Accordingly you had to have nmap suid root.
(Added nmap 03Feb2003, Burton)
(Updated 10Mar2003, Burton)


Q. What does the message "URL security(1): ERROR: Found percent in URL...DANGER...
   rejecting request" mean?
A. It means that ntop received a request with a percent sign (%) in it, often used 
   as part of Unicode exploits against various web servers.  Since there is no
   situation where ntop should process this, we reject it.
   URLsecurity in http.c is the place where these tests occur.


Q. What does the message "Rejected request from address x.y.z.t (it previously 
   sent ntop a bad request)" mean?
A. Once you send ntop a request that URLsecurity rejects, the sending address    
   goes into a ring buffer on a 5 minute timeout where we simply drop subsequent 
   requests...  rather than waste cycles ignoring an attack...


Q. What are the other URL security(#) codes?
A. 1.  Found a % in the request (Unicode problems)
   2.  Found a parameter type code (//, &&, ??)
   3.  Found a directory traversal code (..)
   4.  Found a prohibited (RFC1945) character
   5.  Found a bad extension
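   The three entries above describe a request gate: reject a URL on the first
   of the five checks it fails, then drop further requests from that address
   for five minutes.  Here is an added illustration of that sequence in C; it is
   not ntop's http.c, and the allowed extension list, the ring size, the exact
   reading of RFC 1945 and the use of a caller-supplied clock are assumptions.

```c
#include <string.h>

#define BAD_ADDR_RING     8          /* assumed ring size for this illustration */
#define BAD_ADDR_TIMEOUT  (5 * 60)   /* the FAQ's 5 minute penalty, in seconds */

/* Assumed list of static content ntop would serve; anything else trips code 5. */
static const char *allowed_ext[] = { ".html", ".htm", ".gif", ".jpg", ".png",
                                     ".css", ".js", NULL };

/* Code 5 helper: look at the last path segment, minus any "?query" part. */
static int extension_ok(const char *url) {
    const char *seg = strrchr(url, '/');
    const char *q, *dot;
    char name[256];
    size_t len;
    int i;

    seg = seg ? seg + 1 : url;
    q = strchr(seg, '?');
    len = q ? (size_t)(q - seg) : strlen(seg);
    if (len >= sizeof name) return 0;
    memcpy(name, seg, len);
    name[len] = '\0';
    dot = strrchr(name, '.');
    if (dot == NULL) return 1;                 /* "/" or a name without extension */
    for (i = 0; allowed_ext[i] != NULL; i++)
        if (strcmp(dot, allowed_ext[i]) == 0) return 1;
    return 0;
}

/* Returns 0 for an acceptable URL, otherwise the URL security(#) code from the FAQ. */
int url_security(const char *url) {
    const char *p;

    if (strchr(url, '%') != NULL) return 1;                 /* percent: encoded-path tricks */
    if (strstr(url, "//") != NULL || strstr(url, "&&") != NULL ||
        strstr(url, "??") != NULL) return 2;                /* doubled parameter codes */
    if (strstr(url, "..") != NULL) return 3;                /* directory traversal */
    for (p = url; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        /* assumed reading of RFC 1945: no controls, space, DEL or the unsafe < > " */
        if (c <= 0x20 || c >= 0x7F || c == '<' || c == '>' || c == '"') return 4;
    }
    if (!extension_ok(url)) return 5;                       /* bad extension */
    return 0;
}

/* Ring of addresses that recently sent a rejected request (oldest slot reused). */
struct bad_addr { char addr[46]; long when; };
static struct bad_addr ring[BAD_ADDR_RING];
static int ring_next = 0;

void remember_bad_address(const char *addr, long now) {
    strncpy(ring[ring_next].addr, addr, sizeof ring[ring_next].addr - 1);
    ring[ring_next].addr[sizeof ring[ring_next].addr - 1] = '\0';
    ring[ring_next].when = now;
    ring_next = (ring_next + 1) % BAD_ADDR_RING;
}

/* 1 if addr sent a bad request less than BAD_ADDR_TIMEOUT seconds ago. */
int is_blocked_address(const char *addr, long now) {
    int i;
    for (i = 0; i < BAD_ADDR_RING; i++)
        if (ring[i].when != 0 && strcmp(ring[i].addr, addr) == 0 &&
            now - ring[i].when < BAD_ADDR_TIMEOUT)
            return 1;
    return 0;
}

/* Front door for a request.  "now" is seconds (a real server would pass time(NULL)).
 * -1 = dropped because the address previously sent a bad request,
 *  0 = serve it, 1..5 = rejected with that URL security code (address remembered). */
int check_request(const char *addr, const char *url, long now) {
    int code;
    if (is_blocked_address(addr, now)) return -1;
    code = url_security(url);
    if (code != 0) remember_bad_address(addr, now);
    return code;
}
```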


Q. How can I run ntop without being root?
A. A very simple way of doing this is:
   > su
   > chown root ntop
   > chgrp root ntop
   > chmod 6111 ntop
   > exit

   This makes ntop read-only for everyone and sets the setuid and setgid bits.

   Do not forget to use the -u flag so that ntop changes user as soon as it
   is started.

   Understand that setting the setuid and setgid bits allows ANY user to run
   ntop and it will run with ROOT privileges.  This is very powerful, and often
   a source of security exposure - many system hardening scripts and 
   recommendations tell you to look for and remove the setuid and setgid bits.

   DO NOT suid UNLESS YOU UNDERSTAND THE RISKS!

   Also, there are unconfirmed reports of problems, causing a
      "socket: operation not permitted"
   message.


Q. My security people won't let me run in promiscuous mode.
A. Tough...

   Or, use the -s option and accept the limitations...

   Ask them "honestly, what is the problem" - other than having an interface
   in promiscuous mode is a signature of a sniffer and security folks look for
   unauthorized sniffers?

   ntop needs promiscuous mode so that it sees the full range of traffic.  Any
   similar product will do the same thing.

   If the security people think traffic on the wire is secure, they're wrong!
   Face facts - just about every Windows user, except for 2K/XP Pro (and then
   only if TBTP have especially locked them down) can install the windows
   version of tcpdump...

   If it's a checklist item, just gen up a form to "authorize" it, have the
   boss and VP/CIO sign it and give it to them.


Q. -s | --no-promiscuous doesn't work
A. It should work - it's passed to pcap_open_live.  Understand that it does mean
   ntop gets a much less comprehensive view of the traffic.  You won't see anything
   different unless you do an ifconfig on the interface.  Note that while the 
   parameter specifies if the interface is to be put into promiscuous mode, even 
   if this parameter is false, the interface could well be in promiscuous mode 
   for some other reason.

   If it fails, you'll see a message and ntop will refuse to start up.
(Updated April 2003, Burton)


Q. ntop doesn't report any traffic at all.
A. Understand how ntop works:  It simply listens on the interface(s) for packets,
   then counts and interprets them.  If there aren't any packets, ntop doesn't
   count things.
 
   ntop does not sample.  It processes every packet it sees and counts them.
   Only if there is more traffic than ntop can handle for a long period of time
   will the packet queue hit its limit and packets be lost.  But this is still
   not sampling.

   Make sure that there's traffic on the interface(s) you are using. You can
   use tcpdump or a similar network sniffer tool to check.

   If you are on a segmented network (i.e. switched), you may not see traffic
   that isn't destined for the ntop machine unless you configure the switch to
   set the port for the ntop host into "mirror" or "management" mode (different
   vendors call it different things, but it's a mode where ALL traffic is copied
   to a specific port, regardless of which port the destination host is on).

   If there is more than one interface in the ntop host, perhaps you aren't 
   listening on the one that has traffic?  Check using ifconfig:
   
   eth0      Link encap:Ethernet  HWaddr 00:D0:09:77:85:B9  
             inet addr:192.168.0.34  Bcast:192.168.0.255  Mask:255.255.255.0
             UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
             RX packets:1105906 errors:0 dropped:0 overruns:0 frame:0
             TX packets:601935 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:100 
             RX bytes:119869887 (114.3 Mb)  TX bytes:112203781 (107.0 Mb)
             Interrupt:11 Base address:0xc000 

   If the RX and TX numbers are increasing, this shows that traffic IS flowing...

   If you have an unnumbered interface (listening only), remember you need to
   use -m to tell ntop what is local and what isn't:

   eth1      Link encap:Ethernet  HWaddr 00:30:F1:54:55:00  
             UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
             RX packets:1596612 errors:0 dropped:0 overruns:0 frame:0
             TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
             collisions:0 txqueuelen:100 
             RX bytes:566953031 (540.6 Mb)  TX bytes:0 (0.0 b)

   You can select an interface using the '-i' flag, e.g. -i eth1 or -i eth0,eth1.


Q. How does -m | --local-subnets work?
A. This flag allows users to specify the subnets whose traffic is considered 
   local (called "pseudoLocal" internally).  The format is 
        <network address>/<# subnet mask bits>[,<network address>/<# subnet mask bits>]. 
   For instance "131.114.21.0/24,10.0.0.0/255.0.0.0".

Q. (followup) but what does it MEAN?
A. Surprisingly, it means EXACTLY what it says.  Treat traffic on the listed subnet(s) 
   as local.

   ntop differentiates between local traffic and remote traffic.  There are actually 
   four classes (although only three are routinely reported) L->L L->R R->L and R->R.

   Suppose your IP is 1.2.3.4 with a 255.255.255.0 netmask (a/k/a 1.2.3.4/24)

   Under the TCP/IP protocol, traffic with any address 1.2.3.1 -> 1.2.3.254 does not 
   get routed.  It's "local".

   Your buddy is at 1.2.3.9 and the router is 1.2.3.1, so your network looks like this:

   the       +--------+
   world-----+ Router +--1.2.3.1--------------------------------------
             +--------+                | 1.2.3.4             | 1.2.3.9
                                  +--------+            +--------+
                                  |  You   |            |  Buddy |
                                  +--------+            +--------+

   Say you send a packet to your buddy at 1.2.3.9. You build a packet with SRC=1.2.3.4 
   DST=1.2.3.9 and your data and cast it out the wire.   (For purposes of this illustration, 
   ignore the fact that your TCP stack would recognize the "local" nature of the packet and 
   actually use another, lower level protocol, called Ethernet to deliver it.)

   The router (1.2.3.1) looks at it, does the math and ignores it - it's local
   Your buddy (1.2.3.9) looks at it, says - gee, that's me and reads it

   This is L->L traffic.

   Now you send a packet to ntop.org at 131.114.21.9.  Again, SRC=1.2.3.4 and now 
   DST=131.114.21.9.

   The router (1.2.3.1) looks at it, does the math and says - oops, I have to send it out 
      to the world
   Your buddy (1.2.3.9) looks at it, says - gee that's NOT me and ignores it

   This is L->R traffic.


   Now it's perfectly possible to have multiple (physical) networks on the same physical 
   wire.  Say that your ISP chooses to put 1.2.4.1-1.2.4.254 (1.2.4.0/24) on the same wire.
   (Why would they do this - maybe it's a big pipe and only a few users or whatever).

   A packet from 1.2.4.4 -> 1.2.4.9 is seen by

   The router - no, that too is local, ignore it
   You (1.2.3.4): (1.2.4.9) - not me - ignore it
   Buddy (1.2.3.9) - um... 1.2.4.9 - not me - ignore it

   And that's perfectly legal.

   But what if you are the ISP and you want ntop to see ALL the traffic on that wire?  
   ntop will figure out from its own IP address that the 1.2.3.0/24 traffic is local, 
   but it will classify the 1.2.4.0/24 as REMOTE.

   And that is what the --local-subnets switch does.  It tells ntop to treat that 
   1.2.4.0/24 traffic as local.

   If there isn't any other traffic on the wire, then telling ntop to treat it as local 
   won't change a thing.

   You can always use a packet sniffer, such as tcpdump to scan the traffic on the wire 
   and see what's really there...                          (Added, 08Aug2002, BMS)

Q. And internally?
A. ntop is designed as a hybrid packet analyzer, not a pure Ethernet analyzer
   (layer 2) nor a pure TCP/IP analyzer (layer 3).  Most of ntop's displayed
   counts are at the TCP/IP level, and that's what confuses people.  Internally, 
   ntop works both at the level of the Ethernet frame and the TCP/IP packet.

   A single MAC address can be associated with multiple TCP/IP addresses.  The MAC
   address -- unless something is horribly wrong on the network or with the hardware
   or somebody is deliberately spoofing it -- is guaranteed to be unique and refers
   to a physical host or network interface.  For many reports, ntop displays the 
   information using the MAC address to separate physical devices.  Other data is 
   accumulated and displayed at the TCP/IP (level 3) layer.

   -m relates to the traffic you see on the wire at the TCP/IP level.
   -m tells ntop something it can't determine by itself.  And that is to treat
   that range of addresses EXACTLY like it was local.

   For example, on my Cable Modem, I see broadcasts for a number of subnets
   that AT&T has assigned to this area (I don't see the traffic, but you get
   the picture) in an overlay structure (two or more networks on the
   same wire, but with separate address spaces).   (Added, 20Sep2002, BMS)
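   The three entries above (the -m format, what "local" means, and the four
   L/R classes) can be shown in a few dozen lines.  This is an added example,
   not ntop's own code: it parses a -m style list in both notations the FAQ
   shows and classifies a src/dst pair, with the 1.2.3.0/24 and 1.2.4.0/24
   overlay from the example network.  The 16-subnet limit and the function
   names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

#define MAX_LOCAL_NETS 16          /* assumed limit for this illustration */

/* One (pseudo)local subnet, both fields in host byte order. */
struct subnet { uint32_t net; uint32_t mask; };

static struct subnet local_nets[MAX_LOCAL_NETS];
static int num_local_nets = 0;

/* Dotted quad -> host-order uint32. Returns 1 on success, 0 on a bad address. */
static int parse_ipv4(const char *s, uint32_t *out) {
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Parse one "<net>/<bits>" or "<net>/<dotted mask>" token. Returns 1 on success. */
static int parse_subnet(const char *tok, struct subnet *sn) {
    char buf[64];
    char *slash;
    uint32_t net, mask;

    if (strlen(tok) >= sizeof buf) return 0;
    strcpy(buf, tok);
    slash = strchr(buf, '/');
    if (slash == NULL) return 0;            /* the FAQ format always has a mask part */
    *slash++ = '\0';
    if (!parse_ipv4(buf, &net)) return 0;
    if (strchr(slash, '.') != NULL) {       /* "10.0.0.0/255.0.0.0" style */
        if (!parse_ipv4(slash, &mask)) return 0;
    } else {                                /* "131.114.21.0/24" style */
        char *end;
        long bits = strtol(slash, &end, 10);
        if (*end != '\0' || bits < 0 || bits > 32) return 0;
        mask = (bits == 0) ? 0 : 0xFFFFFFFFu << (32 - bits);
    }
    sn->net = net & mask;                   /* normalise "1.2.3.4/24" to 1.2.3.0 */
    sn->mask = mask;
    return 1;
}

/* Load a comma-separated -m spec. Returns the subnet count, or -1 on any bad token. */
int load_local_subnets(const char *spec) {
    char buf[512];
    char *tok, *save;

    num_local_nets = 0;
    if (strlen(spec) >= sizeof buf) return -1;
    strcpy(buf, spec);
    for (tok = strtok_r(buf, ",", &save); tok != NULL; tok = strtok_r(NULL, ",", &save)) {
        if (num_local_nets >= MAX_LOCAL_NETS) return -1;
        if (!parse_subnet(tok, &local_nets[num_local_nets])) return -1;
        num_local_nets++;
    }
    return num_local_nets;
}

/* 1 if addr lies inside any loaded subnet, else 0 (an unparsable address counts as remote). */
int is_local(const char *addr) {
    uint32_t a;
    int i;
    if (!parse_ipv4(addr, &a)) return 0;
    for (i = 0; i < num_local_nets; i++)
        if ((a & local_nets[i].mask) == local_nets[i].net) return 1;
    return 0;
}

/* The four traffic classes the FAQ names: L->L, L->R, R->L, R->R. */
const char *classify(const char *src, const char *dst) {
    int s = is_local(src), d = is_local(dst);
    if (s && d) return "L->L";
    if (s)      return "L->R";
    if (d)      return "R->L";
    return "R->R";
}

int main(void) {
    /* Constructed sample spec: the host's own 1.2.3.0/24 plus the ISP overlay
     * 1.2.4.0/24 from the FAQ, written in the two mask notations. */
    if (load_local_subnets("1.2.3.0/24,1.2.4.0/255.255.255.0") < 0) return 1;
    printf("1.2.3.4 -> 1.2.3.9      : %s\n", classify("1.2.3.4", "1.2.3.9"));
    printf("1.2.3.4 -> 131.114.21.9 : %s\n", classify("1.2.3.4", "131.114.21.9"));
    printf("1.2.4.4 -> 1.2.4.9      : %s\n", classify("1.2.4.4", "1.2.4.9"));
    return 0;
}
```

   Drop the second subnet from the spec and the 1.2.4.4 -> 1.2.4.9 pair becomes
   R->R, which is exactly the misclassification the entry above describes.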


Q. I am using a /16 (/25 or whatever) mask and I get this message:
      Truncated network size to 1024 hosts (real netmask 255.255.255.0)
A. Yes.  ntop limits each network to 1024 hosts (a /24). If you need more, alter the
   #define for MAX_SUBNET_HOSTS in globals-defines.h and recompile.  Space has to be reserved 
   for this many hosts for each network, so the limit exists to keep memory usage
   from growing to absurd levels on people with "class A" (/8) interfaces (e.g. 10. or
   Cable Modems, etc.).


Q. How does ntop purge idle hosts?
A. ntop tracks the last timestamp of a packet on a per-host and per-session
   basis.  After a period of time - configured through a #define in globals-defines.h -
   with no packets received, the host is eligible for purge.  Purge starts
   in a random place in the list and selects the eligibles up to a per-cycle
   limit (512 hosts or 1/3 of the hash size). 

Q. What does --dynamic-purge-limits do?
A. It helps ntop performance in idle host purge for LARGE hash sizes.  During
   purge, the CPU usage may reach 100%.  As long as we're not losing packets, 
   the time it takes to purge is really irrelevant unless the purge holds 
   the mutexes for such a long time that ntop locks up.

   Up to a point, the trade-off is memory used (to hold "old" host data) vs.
   how much time it requires to purge (how aggressive the purge is).

   --dynamic-purge-limits dynamically scales the maximum # to purge to keep
   the purge time limited in a way that reflects the environment (elapsed time)
   not just a fixed #.
   (Added 14Nov2002, BMS)


Q. ntop doesn't understand virtual hosts.
A. IP Packets have a source address & port and a destination address & port... 
   you MUST get your head out of the application layers and revert to that simple 
   concept.

   How does Apache handle virtual hosts? It analyzes the flow at the
   application level (layer 4) not the wire/packet/protocol (layers 1, 2 and
   3).  It does this by re-assembling packets into a layer 4 message (e.g. GET
   http://virtual.host.name.com/page.html)...

   So, since ntop works at the packet level, it doesn't understand virtual
   hosts.  It's a NETWORK analyzer, not an application level one.  Which is not 
   to say you couldn't create a plugin that did the layer 4 analysis...  but 
   ntop doesn't.

   (20Sep2002, BMS) Support for virtual hosts is under development and the initial
   support is in 2.1.50.

   (April 2003) It's in the 2.2 release and the folks who have virtual hosts have
   been pretty pleased.


Q. tcpwrappers doesn't work
A. Oh yes it does... for http: connections

   1) You have to configure it this way before compiling ntop: 
        ./configure --enable-tcpwrap 

   2) You must have the headers and libraries installed on the build machine 
      (and on the execution machine if they aren't the same).

   Remember to make the appropriate entries in hosts.allow (e.g. ntop:192.168.0.) 
   and hosts.deny (e.g. ntop:ALL) 

   However, tcpwrappers and https:// is known not to work - see docs/KNOWN_BUGS
 

Q. My filter doesn't work!  I'm running ntop like this:
      /usr/local/bin/ntop -u nobody -L -d -E -w 3000 -S 2 \
                          -m 192.168.10.0/24,xxx.xxx.xxx.xxx/32 \
                          -M -i eth0,eth1 \
                          (src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) \
                          and not dst net 192.168.10.0/24 
A. Yup, it doesn't work.  Use the -B option and put the filter in quotes: 
      -B "(src net 192.168.10.0/24 or src host xxx.xxx.xxx.xxx ) and not dst net 192.168.10.0/24"
   Current development versions (and 2.2) should be logging a warning that says maybe you
   forgot the quotes
(Updated April 2003, Burton)

 
Q. I have experienced problems defining multiple filters: ntop reports 'syntax error'
A. If you believe the filter is syntactically correct then it's likely that the libpcap
   you have used has been compiled using an old non-reentrant version of flex.
   Please make sure you're using version 2.5.4 or above.  


Q. Why does ntop use so much memory?
A. ntop holds a lot of information about each host it has seen in an in-memory table.
   Periodically, it looks at all the entries in the table and flushes any which have
   been idle for a period of time.
   
   You can change the sizing of the table and the flushing interval via #define 
   statements in globals-defines.h.  
   
   But realistically, ntop needs enough memory to hold information about what's 
   active on YOUR network.

   To reduce memory, monitor fewer protocols or use the filter (-B "bpf filter") 
   option to monitor only parts of the network.

   There have been a couple of discussions on the ntop mailing list about ntop's
   memory usage - you might read them (search on gmane).
(Updated April 2003, Burton)

   
Q. What are High/Medium/Low risk flags
A. They are set in reportUtils.c based on fairly self-obvious functions:
      Medium: hasWrongNetmask() 
      High: hasDuplicatedMac()
   Often seen if you are monitoring a backbone or common network (high)
   or if you have cloned MAC addresses for, say, a home Firewall box.


Q. What does the "Users" flag mean on a host?
A. If you go to the "Info about host xxxx" page, there will be data
   in the "Known Users" section, if it's acting as a server for certain
   protocols.

   In sessions.c, the function updateHostUsers() is used to maintain the list
   of "users" of a host.  In handleSession(), as part of the protocol level
   analysis, the "user" information for various protocols is pulled out of the
   packets.  Stuff like the "X-Kazaa-Username" header, the "MAIL FROM:" header,
   etc.  

   We tag users as one or more of the following types:
        P2P_USER, SMTP_USER, FTP_USER, POP_USER, IMAP_USER

   Note that for P2P, we also record - where possible - whether this user is
   in P2P_UPLOAD_MODE and/or P2P_DOWNLOAD_MODE.
   (Added 27Sep2002, Burton)

Q. Why are some of the host names in different colors?
A. Colors are used on several of the ntop pages to convey extra
   information to the user.  (in particular the ACTIVE TCP SESSIONS
   and the LOCAL HOST STATS pages). There are five colors used to
   depict how long ago the host was first seen by ntop.

   The pages which display these colors use an html stylesheet called
   style.css located in the normal html subdirectory (where ntop is 
   installed). This happens by setting the 'class=' parameter of
   the html 'A' (Anchor or hyper-link) tag.  The stylesheet defines
   the following:

      Age of host  'class' name  Color code         Color description
      (minutes)
      -------------------------------------------------------------------
      0-5          A.age0min    { color:#FF0000 }   Red
      5-15         A.age5min    { color:#FF00FF }   Fuchsia/Magenta
      15-30        A.age15min   { color:#FF7F00 }   Coral (lt orange)
      30-60        A.age30min   { color:#007FFF }   Slate blue
      60+          A.age60min   { color:#0000FF }   Blue

   The color legend is displayed on the About | Configuration page
   (info.html).
(Added 30Mar2003 by Burton, based on work by Tim_Cahoon@fmo.com)


Q. What about protocol XYZZY?
A. The analysis of protocols is very limited and unsophisticated.  But,
   theoretically, if it's there in plain text, we could report on it.
   The more work you can do up front in identifying the protocol (e.g. port #s,
   header structure, etc.), the easier it would be to add.
   (Added 27Sep2002, Burton)

Q. What does the P2P flag mean on a host?
A. If ntop knows enough to tag you as a P2P user, it's also looking at the
   other headers to see if it can track what files you're exchanging.  If a host 
   (i.e. a workstation) downloads a file from another host ("server"), the file
   name is recorded in the list ntop maintains for both of them.

   If a host has at least one file name recorded, it's tagged with the "P2P" 
   flag.
   (Added 27Sep2002, Burton)

Q. Why did you do this (P2P tracking) instead of feature "x"?
A. Don't know.  I could guess...

   Imagine you are the network manager for a large University network and have
   to crack down on users who are illegally exchanging copyrighted files or
   using University resources to run a business without paying for the resources
   being consumed...

   Then again, it could just be because it's cool...
   (Added 27Sep2002, Burton)


Q. What does a "Virtual Host" mean?
A. If a single instance of a web server handles many web sites, all of the 
   references resolve to the same name.  The web server uses the "Host:" 
   header to determine which "index.html" page to serve up.

   ntop monitors port 80 (http:) exchanges and looks for the Host: which allows
   it to build a list of virtual hosts being handled by the web server.
   (Added 27Sep2002, Burton)

Q. Why create Userids?
A. Multiple users allow you to control who can alter ntop's performance and/or
   view specific information. If you look on the "Admin" tab, you will see that you can 
   create additional users and also control which URLs can be executed by whom.

   Userids could allow, for example, an ISP to allow users to access SOME 
   network performance statistics, but not the proprietary stuff... 

   Suppose you want to restrict who accesses the Multicast statistics page, multicastStats.html.

   ntop uses terminal wildcards matching the names, so multicast is treated as multicast*
   and matches multicastStats.html plus any other name beginning multicast...

   howto:

   1st add a new user 
   2nd add "multicast" to the list of controlled screens and allow admin 
       and the new user to access it (note the * wildcard is automatically added)

   Try to access the screen and you are prompted for a userid/password... 

   Look in http.c for all the names and #defines used... 

Q. So, How do I restrict access to the main http or https ntop web page?
A. To stop everyone from logging into ntop, do the following:
   Select ADMIN tab 
   Select URL's then "Add Url"
   Don't fill in anything (the wildcard * is implied)
   Select only the users who you want to authorise (hold the ctrl key and 
   click on user to add more users if you added users) 

   and click on "Add Url"

   You will see URL '*' is added, e.g.

     'showU*'
     '*'
     'shutdown*'
     'deleteU*'
     'modifyU*'

   Then only users who know the user id and password (remember to keep the .db 
   file secure!) will have access.
(Added 17Dec2002, thanks to Jac Engle for suggesting it)

 
Q. SSL is not working! I have the following error in the log/terminal:
     10/Jun/2002 22:58:17 Started thread (6151) for network packet sniffing on 
          eth0.1700:error:140EC0AF:SSL routines:SSL2_READ_INTERNAL:non sslv2 
          initial packet:s2_pkt.c:187: 
A. You forgot to put https:// instead of http:// in the url you put in your browser! 
 

Q. Unable to find SSL certificate 'ntop-cert.pem'
A. ntop looks for that file in the current working directory, then in /etc, then in whatever
   directory you configured with ./configure. 

   If you want a personal certificate, you need to create it by:

      >make ntop-cert.pem

   It should be installed as part of "make install".  If you have a special certificate
   or it's not present, do it (one-time) manually:
   
   For example to install it under /usr/local/etc, do: 

   mkdir /usr/local/etc 
   cp /usr/local/bin/ntop-cert.pem /usr/local/etc/ntop 
 
   See docs/README.SSL


Q. Can I use ntop from php/perl?
A. Yes you can. Please see the www directory under the ntop sourcetree.  

Q. How do I save data between runs?
A. Use rrd.

Q. Where do I get rrd?
A. http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

Q. Are there rpm's?
A. http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/pub 
   However, see the note below about the patch - you're probably going
   to have to compile from source.
(Thanks to Marco Lusini for the pointer)

Q. Anything else I need to know about rrd.
A. Yes.  There's a bug in all of the development versions (at least through
   1.0.41), which will sometimes cause ntop's rrd handler to crash.  This is the
   patch:
--- rrd_update.c.orig   2003-03-29 13:57:28.000000000 -0600
+++ rrd_update.c        2003-03-29 13:58:13.000000000 -0600
@@ -118,7 +118,7 @@
 
        case '?':
            rrd_set_error("unknown option '%s'",argv[optind-1]);
-            rrd_free(&rrd);
+            /* rrd_free(&rrd); 2003-03-29 Burton@ntopsupport.com */
            return(-1);
        }
     }
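Review bot: the rrd_free(&rrd) in the '?' case is commented out rather than removed, and the replacement comment records only a date and an address, not why the call is unsafe on this path; delete the line outright (or, if rrd can already own allocated members when an unknown option is hit, replace it with a free guarded by an initialised flag) and state the reason in the comment, so the next maintainer does not reinstate the free and bring back the crash this FAQ entry describes.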

   1.0.42 was released just before 2.2 shipped and includes the patch.
(Updated April 2003, Burton)

Q. What about the multi-threaded development version?
A. Stay away.  I only experimented with it a little bit, but it was not
   stable.  Use 1.0.42.
(Updated 2003-03-29, Burton)


Q. What was the -S option?
A. The -S option was the --store-mode option, or the "Persistent storage mode"
   ntop's internal structures are basically an array of devices (network interfaces), 
   each of which contains an array of hosts (specific machines seen on the device). 

   So device[0] is the 1st network interface, and device[2] the third. device[0].host[0] 
   would be, say, the local file server and device[0].host[1] would be a simple host. 
   device[1].host[1] is a completely different set of counts from device[0].host[1]. 

   The -S option tells ntop to store information about a specific host in a database from 
   run to run (-S 0 none, -S 1 all and -S 2 only local hosts).

   This is only the count information about the host and does not store the information 
   about a device (a network interface). Further, items of dynamically allocated storage
   (the devices name) are not stored. 

   Data is retrieved on a subsequent run ONLY when traffic is seen from that host after 
   the restart.  (I suppose you could script a ping to each host you care about and force
   the reload that way, but it hasn't been tested...)

   So if you go into the host details (e.g. the 192.168.1.1.html page) you should see 
   prior-run information. 

   But if you're looking for device throughput to be preserved... nope... 

   Also, ntop stores the information during 1) reset and 2) shutdown. So if ntop crashes,
   the persistent data will be lost.  

   This option was removed from ntop in the 2.1.52 development version.
   (Updated 14Nov2002, BMS)

Q: I've enabled the rrd plugin and there's no data ... there are messages in the log:

        RRD call stack:
        argv[0]: rrd_update
        argv[1]: /usr/share/ntop/rrd/matrix/12.239.98.199/12.239.181.175/pkts.rrd
        argv[2]: 1037289548:1
        rrd_create(...) error: creating '...': No such file or directory 
        rrd_update(...) error: opening '...': No such file or directory 

A: Create the rrd directory and make sure that the -u userid has read/write access to
   it (typically /usr/share/ntop/rrd)
   (Added 14Nov2002, BMS)

Q: intop doesn't....
A: Understand that intop hasn't been supported since v1.3.  Only the very
   minimal changes required to make it compile without errors and startup
   in a very simple environment were made.  It hasn't been tested.
   
   What intop really needs is somebody to become its maintainer.


Q. Where can I find neped/queso?
A. neped (Network Promiscuous Ethernet Detector) - Looks for ethernet cards in 
       promiscuous mode in your local net. 
   queso - Determines the remote OS by sending simple tcp packets.

   You could download neped/queso from http://www.apostols.org/ except that site 
   seems to be down...

   neped is at http://packetstorm.decepticons.org/UNIX/IDS/

   queso was found at http://packages.debian.org/unstable/net/queso.html (look for
   the .orig.tar.gz file)


Other
-----

Q: Where is the documentation for x?
A: The documentation in the docs/ directory and the FAQs etc. at 
   http://snapshot.ntop.org/ are basically all that there is.  Please
   contribute to the ntop community by writing things up for inclusion
   in this FAQ or other documents!

Q. What is sFlow?
A. The core component of the sFlow toolkit is the sflowtool command line utility. 
   sflowtool interfaces to utilities such as tcpdump, ntop and Snort for detailed 
   packet tracing and analysis, NetFlow compatible collectors for IP flow accounting, 
   and provides text based output that can be used in scripts to provide customized 
   analysis and reporting and for integrating with other tools such as MRTG or rrdtool. 

   Some info: 

   http://www.inmon.com/sflowTools.htm 
   http://www.faqs.org/rfcs/rfc3176.html  

Q. I have activated the sFlow plugin in ntop. But it doesn't seem to 
   generate any output based on the collected sflow datagrams.
A. sFlow can be a collector or a receiver or both, depending on the
   settings configured via the plugin.

   If you configure ntop as an sFlow collector, it will use sFlow data 
   for generating reports, treating the remote collector(s) as another 
   network interface - see Admin | Switch NIC.


Q. Where is info about netflow?
A. Dale Reed pointed out a good tech doc (no flak, just the formats) for netflow V1/5/7: 

    http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/nfc/nfc_2_0/nfc_ug/nfcform.htm  


Q. The netFlow record input and output values are zero.
A. ntop doesn't have SNMP routines, so we can't determine the SNMP index of the interfaces.
   (Added 26Nov2002, Burton)


Q. How do I access netFlow or sFlow data from ntop?
A. You need to configure ntop as a listener (it can also be a collector, but that data shows
   up in the receiving interface, not under netFlow/sFlow).

   First, use the appropriate plugin to set the parameters - basically the port you want ntop
   to listen on.  Then, using the Admin | Set Interface menu item, switch ntop to report on
   the sFlow/netFlow pseudo-device (NetFlow-device or sFlow-device).
   (Added 29Jul2002 by Burton)


Q. How Do I Enable NetFlow Data Export on a Cisco Device?
A. To enable netFlow Data Export (NDE) from a Cisco device to an ntop netFlow receiver
   on port 2055 (default) at address 10.1.1.1: 

     ip flow-export destination 10.1.1.1 2055 
     ip flow-export version 5 

   You may want to designate the source interface, eg: 

     ip flow-export source Ethernet0 

   Enable netFlow on each interface to be monitored. netFlow normally only captures data
   from each incoming packet, so to see traffic in both directions netFlow must be enabled
   on both the incoming and outgoing interfaces. As an example, for an Internet access
   router this would mean enabling netFlow on both the internal (eg ethernet) and the
   external (eg ISDN / Frame Relay etc) interfaces: 

     interface Ethernet0 
     ip route-cache flow 

     interface Dialer1 
     ip route-cache flow 


   By default netFlow will only export flow statistics shortly after the flow terminates
   or when 30 minutes have elapsed. In many environments, you want ntop to be a bit more
   up to date. To change the timeout to five minutes: 

     ip flow-cache timeout active 5 

   The following 'show' commands are useful for examining netFlow statistics directly on
   the Cisco box and may assist when setting up ntop: 

     show ip flow export 
     show ip cache flow 
     show ip cache verbose flow 

   Obviously, there is a lot more to it than this, for more information, see the Cisco
   web site: http://www.cisco.com/go/netflow 
(Created by sholmes at snapshot, 02Feb2003)
 

Q. Is there any parameter to set to tell ntop which interface/ip address 
   to use when exporting the (netflow/sflow) flows?
A. No. All ntop does is send a packet to the network addressed to the
   destination you request.  
   
   Typically if the ntop host is multihomed, the OS routing code picks the MOST SPECIFIC 
   route; among equally specific routes, the one with the lowest metric # is selected.  
   E.g., if this is the routing table:

   Kernel IP routing table
   Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
   192.168.2.0    0.0.0.0          255.255.255.0   U     0      0        0 eth0
   192.168.2.129  0.0.0.0          255.255.255.128 U     0      0        0 eth2
   192.168.2.146  0.0.0.0          255.255.255.255 U     0      0        0 eth1
   192.168.2.146  0.0.0.0          255.255.255.255 U     1      0        0 eth2
   127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
   0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0

   A packet to 192.168.2.146 goes via eth1 (equally specific routes, so it chooses
   based on the metric 0 vs. 1)

   A packet to 192.168.2.145 goes via eth2  (192.168.2.129/25 is more specific than
   192.168.2.0/24)

   A packet to 192.168.2.46 goes via eth0

   A packet to 10.1.1.1 goes via eth0 (the gateway is the least specific route, but
   it is the best match)

   But how it goes out (and thus the source IP address) is totally up to the OS.  
   Just be aware when it gets to the netflow/sflow collector, it might have an 
   unexpected ip address as the source.
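   A worked version of that route selection, added here as an illustration and not
   ntop's own code: it parses the table quoted above, picks the longest-prefix match,
   breaks ties on metric, and reports the egress interface for the destinations
   discussed.  The parser and function names are my own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    flags: str
    metric: int
    iface: str


# The netstat -rn style table quoted in the FAQ entry above; 192.168.2.146
# appears twice, on eth1 (metric 0) and eth2 (metric 1).
ROUTE_TABLE = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.2.0    0.0.0.0          255.255.255.0   U     0      0        0 eth0
192.168.2.129  0.0.0.0          255.255.255.128 U     0      0        0 eth2
192.168.2.146  0.0.0.0          255.255.255.255 U     0      0        0 eth1
192.168.2.146  0.0.0.0          255.255.255.255 U     1      0        0 eth2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.2.1     0.0.0.0         UG    0      0        0 eth0
"""


def parse_route_table(text: str) -> List[Route]:
    """Parse netstat -rn output into Route objects (hypothetical helper).

    Destination/Genmask pairs such as 192.168.2.129/255.255.255.128 are
    normalised to their network (192.168.2.128/25), as the kernel does.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[0] == "Destination":
            continue  # skip the title line and the column header
        dest, gateway, genmask, flags, metric, _ref, _use, iface = fields
        network = ipaddress.IPv4Network(f"{dest}/{genmask}", strict=False)
        routes.append(Route(network, gateway, flags, int(metric), iface))
    return routes


def select_route(dst: str, routes: List[Route]) -> Optional[Route]:
    """Most specific (longest prefix) match wins; ties go to the lowest metric."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress_iface(dst: str, table: str = ROUTE_TABLE) -> Optional[str]:
    """Interface the OS would send a flow-export datagram for dst out of."""
    route = select_route(dst, parse_route_table(table))
    return route.iface if route else None


if __name__ == "__main__":
    for dst in ("192.168.2.146", "192.168.2.145", "192.168.2.46", "10.1.1.1"):
        route = select_route(dst, parse_route_table(ROUTE_TABLE))
        print(f"{dst:>14} -> {route.iface} via {route.network} metric {route.metric}")
```

   The interface this picks tells you which address to expect as the source at the
   netflow/sflow collector; the OS, not ntop, makes that choice.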

Q: What is the ssl watchdog?
A: (Added 2002-Sep-09, Burton)

   Short answer: There are reported problems w/ the ntop web server hanging when 
                 accessed via ssl (https://) from Netscape 6.2.2 (Win2K) (and others).

                 The ssl "watchdog" keeps an eye on the web server - it waits for 3 seconds 
                 and then if the SSL_accept call (openSSL) hasn't finished, it aborts it.  
                 This leaves the user with nothing on their web browser, but at least ntop's 
                 web server continues on.

                 There is no known way to send something back to the user. DON'T EVEN ASK.
                 It's not in ntop, it's the browser-server handshake that's hung.
                 So, it looks - to the user - like a failed connection.  S'be'it...

   If you are using https:// and seem to have the problem, run ntop with the --ssl-watchdog 
   command line parameter... The item to look for on the configuration page (info.html) is:

       # HTTPS Request Timeouts 

   Or messages in the log:

   ...: SSLWDERROR: Watchdog timer has expired. Aborting request, but ntop processing continues!

   You can also enable it via a ./configure parameter (./configure --help | less) if it's
   something you're going to always require.


Q. Tell me more
A. The problem is that ntop's web server is single threaded until we determine that the 
   request is simply one that will be reading data.  At that point we fork to generate 
   the page.  But the basic "accept a request" code is single threaded.  This happens 
   all but instantaneously and hasn't been a problem previously.

   The code is pretty basic and pretty common:

       select() to wait for a connection, then
       ssl_accept() to fire up a "server", meaning the ssl handshake.

       Then process the http request (i.e. the GET and associated headers).

   With Netscape 6.2.2 (and others), there seems to be a bug in the Netscape code 
   (ntop's is identical to other projects like sshd).

   According to something I read - but now can't find again - Netscape doesn't accept a 
   legal combination of options on the handshake back from openSSL and hangs in a deadly 
   embrace.  Supposedly openSSL 0.9.6c (or was it d - it's not in the changelog) built 
   in a patch.  However, I didn't find the new version changed the behavior, nor are a 
   lot of vendors shipping those releases (yet).  There is stuff about a bug w/ 
   Netscape 4.x on the openSSL website, but I'm not having trouble with Netscape 4.x.

   I don't understand the details and really don't care to find out.  It boils down to a 
   hang in a call, SSL_accept() that doesn't have a timeout parameter.  Argh...

   Because the code is invasive, I built it (like the SIGPIPE stuff) so you can turn it 
   on at ./configure time:

      --enable-sslwatchdog    Watchdog for ssl hangups (Netscape 6.2.2) [default=disabled]

   or via a command line option:

      --ssl-watchdog          Use ssl watchdog (NS6 problem)

   With the "fix", ntop's web server hangs for at most 3 seconds, then continues on.  The 
   user gets nada - and I don't know a way to send them anything, because we haven't 
   retrieved the request yet nor done the handshake (so there isn't a TCP connection!)

   It only affects https:// requests and I've coded the watchdog so it doesn't activate 
   unless we have openSSL and either the compile or runtime parameter set.  If you don't 
   get https:// requests, it's just another idle thread.

   The fix is working for me... What I've tested (and the results with and without 
   the watchdog):

    Win2k
      MS Internet Explorer 5.5 - ok
      Netscape 4.61 - ok
      Netscape 4.79 - ok
      Netscape 6.2.2 - user gets no response 
                     - old: ntop webserver hung and must restart ntop!!
      Opera 6.03 - user gets a partial response 
                 - old: browser says "setting up secure connection" and never continues, but 
                          ntop webserver is ok  (SOMETIMES you get SSL errors in log, esp. 
                          if you cancel the browser)
    
    Linux
      Konqueror 2.2.2 - ok
      Mozilla - 1.0 - ok
      Netscape 4.78 - ok
      Galeon 1.2.5 - almost complete response, browser session is toast (must restart) 
                   - old: user gets nothing, but the ntop webserver is ok
      Opera 6.0B1 - user gets a partial response, but browser session is ok 
                  - old: browser says "setting up secure connection" and never continues, but
                           ntop webserver is ok.


Q. What's up with P3P?
A. P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specifying how an application
   (typically a web site) handles personally identifiable information: what information the
   site collects and what it does with that information.

   p3p is pretty complex!  There are basically two ways to enable an application for p3p.  
   One is to add another HTTP header, P3P:.  The second is to support a well-known file 
   location, /w3c/p3p.xml (like robots.txt).

   Browser support is pretty spotty, as is web site adoption. 

   Some 3rd party browsers have some support...  up to CrazyBrowser which claims "full support",
   whatever that means...

Q. So why put P3P into ntop?
A. It's coming.  P3P is gradually making its way into the top web sites -- right now (Dec2002),
   for example dell.com supports it and yahoo.com doesn't.

Q. Ok, but what's that got to do with ntop?
A. Since ntop collects personally identifiable data in its access log (-a option) and its 
   various reports and makes those available to pretty much anyone in the default configuration,
   it's probably not a bad idea to OFFER some support.  Especially if you're running ntop at
   a site that has started to support P3P, if you don't have a mechanism for your own policies
   you'll have to adhere to corporate ones.  And that could require massive changes to ntop.

Q. IE6?
A. Since ntop doesn't send the P3P: header, IE6 ignores ntop wrt p3p.  Besides, IE6 uses p3p 
   to block 3rd party cookies.  If you want to see the p3p stuff, it's view | privacy report 
   in the menus.  If the site's policies don't match your settings, there will be a red "do 
   not enter" icon in the third box on the bottom right of the IE6 window - double click on 
   it to see the report.
   See http://support.microsoft.com/default.aspx?scid=KB;en-us;q293513

Q. Mozilla
A. Unknown if it's enabled by default.  Mozilla had support, ripped it out in Feb 2002 and 
   put a new version back in.

Q. Other browsers
A. See their home pages or search the web.  One that I know that claims "full support" 
   (whatever that means) is at http://www.crazybrowser.com/

Q. Privacy Bird?
A. A browser-addon, AT&T's privacy bird (http://www.privacybird.com/), that I'm playing with 
   is a lot more aggressive in supporting p3p.  If Privacy bird doesn't see the P3P: header,
   it then requests the "well known" file, /w3c/p3p.xml file and gets nailed by ntop as a 
   hostile application, since we don't have support for returning .xml files (yet).

Q. So when & how does ntop support p3p?
A. A patch in the cvs on 4Dec2002 (snapshots 5Dec2002 or later) adds minimal support for 
   p3p -- specifically:

      1) ntop will respond to queries for /w3c/p3p.xml and ntop.p3p -- returning the 
         ntop.p3p file, IF ONE EXISTS.  

         If the file does not exist, a 404 error is generated (vs. pre 4Dec2002 behavior 
         of adding the address to the myGlobals.weDontWantToTalkWithYou list).

      2) New parameters, --p3p-cp and --p3p-uri allow you to return the P3P: header with 
         either or both of the parameters (cp="" or policyref="") set.

         ntop doesn't validate the text in any way other than the usual stringSanityCheck().

   This allows me to run the Privacy Bird and still talk to ntop.  I'll admit that option #2 
   is speculative, since I really don't have much of a way to test it.

Q. But there isn't a sample .p3p file provided.
A. Right.

   Please note that there is no sample file provided.  This is not an oversight.

   After careful consideration, I am not providing one.  The reason is that a .p3p file is 
   intended to be a legal contract between your site and your users.  While I could provide 
   a default file that has the right tags - as I understand p3p - for the data ntop collects
   and stores, I don't want the responsibility and/or liability.

   If anyone wants this "sample p3p file", I will make it available for a fee, provided
   your organization - through an appropriate officer, in writing:

      1) Acknowledges that Luca Deri, Burton Strauss and other developers of ntop have no 
         liability for any use(s) you make of the sample p3p file or anything you derive
         from it.

      2) You will defend us - at your expense - from any lawsuit, arbitration proceeding,
         etc. filed in conjunction with your use of the sample p3p file. 

      3) You will pay any judgements, legal expenses, etc. related to any lawsuit, 
         arbitration proceeding, etc. in conjunction with your use of the sample p3p file.

   Since your legal department would be nuts to agree to that I doubt it will come up.

Q. So How do I create a .p3p file?
A. There are tools available to create p3p policy files - search the web for 'p3p editor'.
   One that I've used is a zero cost albeit beta tool, p3peditor from IBM 
   (http://www.alphaworks.ibm.com/tech/p3peditor).

(P3P stuff added 4Dec2002, Burton Strauss)

Q. Is ntop localized for language x? (i18n)
A. No.  ntop wasn't really written with i18n in mind.

   Most of the text is generated in-line, on the fly.  Plus ntop must dynamically support
   multiple locales simultaneously.

   However, beginning with v2.1.56 (2.2 development release), there is limited, optional,
   i18n support in ntop.

Q. So, what internationalization (i18n) support does ntop provide.
A. The key word is LIMITED
    
   This only applies to the pages that are pulled from .html files, NOT those created
   internally.  This includes the menus and the few static text pages, but none of the
   pages with interesting data on them.
   
   The localized pages must be placed in parallel directories to the existing html ones.
   
   For example, if ntop is installed in /usr/share/ntop, the html files are in
   /usr/share/ntop/html.
   
   To support them Canadians, then, you would need to create a /usr/share/ntop/html_en_CA
   AND that locale would need to be installed on the ntop host system.
   
   
   Note that there are NO i18n files distributed with ntop (yet!)
   
   
   At ./configure time, you enable support via --enable-i18n.  ntop MUST be told how to
   find the locale files.  In ./configure, a "standard" location is defined per OS. 
   (Initially only the value for FreeBSD is populated).  All others assume the "default",
   /usr/lib/locale.  If that isn't right for your OS, then you MUST use the optional
   parameter --with-localedir= to tell ntop where to find the files.
   
   
   At run time, ntop scans the host for the installed locales (locale -a should, on most
   systems, give you a list) and checks if a comparable html_cc_XX directory exists.
   
   This builds a list of supported languages, which (along with i18n status) is shown on
   the configuration pages, info.html and textinfo.html.
   
   
   When an http request is made, your browser sends a list of languages it is willing to
   accept in the http Accept-Language: header.
   
   (check View | Internet Options | Languages in IE to see what you're sending)
   
   For example,
   
       Accept-Language: en_US, en
   
   Means that you prefer US English, but will accept any English dialect if US English
   isn't available.
   
   
   Be aware that the locale settings and Accept-Language settings are not well
   standardized, nor common and may not necessarily map very cleanly.  You should
   see what's defined (perhaps it's locale 'german' instead of 'gr') and make or
   link directories as necessary.  You can always create the directory you tell
   ntop to use via --with-localedir= in the /usr/share/ntop structure and create
   links from there to the real locale directories!
   
   
   Limits in the per-request and total # of languages to support are in globals-defines.h
   
   
   Because of directory structure limits, a lack of interest in multiple character sets,
   etc. the locale and accept-language headers are coerced into a common format:
   
   locales are                  ll[_XX][.char][@modifier]
   
       ll - language, usually the 2 character ISO abbrev., such as us, it.
       XX - dialect (often a country), such as CA or US (en_US != en_CA)
       char - character set (we sort of assume UTF-8)
       modifier - euro
   
   Accept-Language: values are  ll-XX or ll or ll-*
   
   
   Once the user makes a request, each page pulled is checked:
   
       1. For each of the Accept-Language values.
       2. For the ntop host locale value.
       3. In the ntop default (English) set.
   
   These checks are performed for each of the libraries specified in the config value
   (CFG_DATAFILE_DIR).
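   An added illustration (not ntop's code) of the coercion and lookup order just
   described: locale strings and Accept-Language values are reduced to ll or ll_XX,
   then the html_ll_XX directories are tried in the order Accept-Language values,
   host locale, default.  The directory set is constructed, and treating a bare
   language tag as matching any dialect directory is my reading of "will accept any
   English dialect"; ntop's real matching code is not shown on this page.

```python
import re
from typing import Iterable, List, Optional

# Constructed set of page directories beside the default "html" directory,
# laid out as the FAQ describes (html_ll_XX). Not a real installation.
INSTALLED_DIRS = frozenset({"html", "html_en_CA", "html_it_IT", "html_de_DE"})

# locale:          ll[_XX][.char][@modifier]
# Accept-Language: ll-XX, ll or ll-*
_TAG_RE = re.compile(r"^([A-Za-z]{2})(?:[_-]([A-Za-z]{2}|\*))?(?:\.[^@]*)?(?:@.*)?$")


def normalize(tag: str) -> Optional[str]:
    """Coerce a locale or Accept-Language value into the common ll or ll_XX
    form. Character set and modifier are dropped; ll-* becomes ll. Values
    that fit neither shape (e.g. the "C" locale) give None."""
    m = _TAG_RE.match(tag.strip())
    if not m:
        return None
    lang, dialect = m.group(1).lower(), m.group(2)
    if dialect is None or dialect == "*":
        return lang
    return f"{lang}_{dialect.upper()}"


def parse_accept_language(header: str) -> List[str]:
    """Normalized tags from an Accept-Language header, in the order sent.
    Any ;q= weight is stripped; re-ordering by q is not something the FAQ
    describes, so it is not attempted here."""
    tags: List[str] = []
    for item in header.split(","):
        value = item.split(";", 1)[0]
        tag = normalize(value)
        if tag and tag not in tags:
            tags.append(tag)
    return tags


def candidate_dirs(tag: str, installed: Iterable[str]) -> List[str]:
    """Directories able to serve a tag: exactly html_ll_XX for a dialect;
    html_ll or any html_ll_* for a bare language (assumed reading of
    "will accept any English dialect")."""
    if "_" in tag:
        name = f"html_{tag}"
        return [name] if name in installed else []
    return sorted(d for d in installed
                  if d == f"html_{tag}" or d.startswith(f"html_{tag}_"))


def select_html_dir(accept_language: str, host_locale: str,
                    installed: Iterable[str] = INSTALLED_DIRS) -> str:
    """Lookup order from the FAQ: each Accept-Language value, then the ntop
    host's locale, then the default (English) html directory."""
    host = normalize(host_locale)
    order = parse_accept_language(accept_language) + ([host] if host else [])
    for tag in order:
        dirs = candidate_dirs(tag, installed)
        if dirs:
            return dirs[0]
    return "html"


if __name__ == "__main__":
    # The FAQ's own example header on a host whose locale is plain "C".
    print(select_html_dir("en_US, en", "C"))          # html_en_CA
    print(select_html_dir("fr-CA", "de_DE.UTF-8@euro"))  # html_de_DE
```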
   
   
Q. What pages can be customized?
A. ls /usr/share/ntop/html/*.html (or wherever the ntop pages are installed):
   
   frameset
   --------
   
       Note: There is no real benefit, except maybe the title in index.html so you
         can see that it really does work!
   
   index.html
   index_inner.html
   index_left.html
   index_top.html
   top.html
   
   Navigation
   ----------
   About.html
   Admin.html
   Copyright.html
   DataRcvd.html
   DataSent.html
   IPProtocols.html
   IPTraffic.html
   Stats.html
   TotalData.html
   
   Misc data
   ---------
   dump.html
   faq.html - lots of work
   help.html - good candidate
   ntop.html - splash page
   
   
   Also, remember that a file overrides ntop's internal page generation, so you
   can also use this facility to override ANY of ntop's pages and return a
   customized page (perhaps you don't want users seeing them?).
(i18n Added 23Jan2003 - Burton)

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Section 2 - Specific Platforms
==============================

FYI: ntop development is done primarily on Solaris (Solaris 8 for i386)
     and Linux (specifically RedHat 7.2 w/ updates).


Solaris
=-=-=-=
During the ntop 2.2 development cycle, we did some development and testing on:
   Solaris 2.6
   Solaris 8 (i86).
Solaris 7 should work.
Solaris 9 is an unknown quantity.

Q. How do I install the ntop package on Solaris?
A. For instance do 'pkgadd -d ntop-2.2-solaris.i386'
(Updated, April 2003, Burton).


BSD Information
=-=-=-=-=-=-=-=

Q. I get "ntop: /dev/bpf0: Device not configured", what's wrong?
A. This is because bpfX has not been configured in the generic BSD kernel
   config file.

   If you use the generic kernel config file, put "pseudo-device bpfilter 16" in the
   kernel config file and rebuild the kernel.


During the ntop 2.2 development cycle, we did development/testing under:

FreeBSD
------- 
   4.6.3
   5.0
   Users reported success with 4.7 and 4.8.

OpenBSD
-------
   Could never make it work.  Problem seems to be that the gnu tools such
   as ld don't support a.out systems very well.

NetBSD
------
   Some testing was done using 1.5.3 and 1.6 - both work only in SINGLE
   THREADED mode and so are fragile.

   There isn't a standard POSIX thread package for NetBSD.  Both "proven" and "unproven"
   threads have issues.  One user is bound and determined to make GNU Pth work, but pth
   isn't quite POSIX threads and he's not getting far...

   When -current finally incorporates the POSIX threads (it's been committed but not yet
   part of a release) this should be revisited.
   (Revised, April 2003, Burton)


Q. When I type 'make' it complains about a makefile error.
A. Always remember to use gmake on *BSD systems! (and possibly other systems as well.)


Q. I can't compile ntop under FreeBSD 5.0.
A. In some situations, we produce gcc link lines which expose a conflict between
   FreeBSD 5.0 and libtool.

   You will see the following error messages:

       expr: illegal option -- l
       usage: expr [-e] expression
       etc.

   See the release notes for FreeBSD 5.0 and the expr(1) man page:

       http://www.freebsd.org/releases/5.0R/DP2/relnotes-i386.html
       http://www.freebsd.org/cgi/man.cgi?query=expr&sektion=1&manpath=FreeBSD+5.0-current

   Solve this by setting the compatibility flag before running make.

       $ export EXPR_COMPAT=Y

   configure.in and configure have been updated to warn you to do this.
(Added 27Jan2003, Burton)


Linux
=-=-=

During the ntop 2.2 development cycle we did development and/or testing under

RedHat AS2.1, 7.2, 7.3, 8.0
Debian
LinuxFromScratch 3.0pre3

Others should certainly work and there are user reports of many successes.

Compiling
---------

Q. Which libraries do I need to compile ntop under RedHat 7.2?
A.     glibc, glibc-devel
       gcc
       cpp
       gawk
       autoconf 2.5+
       automake 1.5+
       libtool 1.4+
       openssl, openssl-devel (for https:// support)
       gdbm, gdbm-devel
       libpcap

     (Note some packages will have additional packages as pre-requisites)

Q. I have compile problems, especially with plugins.
A. The ./configure and make steps should automatically regenerate all of the
   files on your machine to conform to the installed set of auto* tools.

       ./configure 
       make 
       make install 
(Updated 30Oct2002, new ./configure scripts)


Q. I get an error:
   /usr/bin/install: cannot create regular file
   make install-man1 install-man8 
   make[3]: Entering directory `/root/src/ntop/ntop' 
   /bin/sh ./mkinstalldirs /usr/local/man/man1 
   /usr/bin/install -c -m 644 ./intop/intop.1 
   /usr/local/man/man1/intop/intop.1 
   /usr/bin/install: cannot create regular file 
   `/usr/local/man/man1/intop/intop.1': No such file or directory 
   make[3]: *** [install-man1] Error 1 
A. This is an automake problem.  First off, the Makefile was patched long prior to
   release of 2.1 and this should not occur.  However, here are the two
   work-arounds:

   1) create the directory manually - note that the intop.1 man file will probably 
      not be accessible to man. 

   2) Change versions of automake. This typically is a problem with 1.4p5 (which is 
      shipped with RedHat 7.x). Versions 1.4 and 1.5 are reported to work ok, but 
      you must recreate the various files with 

          ./autogen.sh -1 
 

Q. Why do I have to "make install" when building libpng??
A. You don't. 

      IF you use the buildAll.sh script in gdchart0.94c 
   or IF you don't try to be (too) clever while manually 
         building the libpng library. 

   The difference between makefile.gcc and makefile.linux in the scripts directory of 
   libpng-1.2.4 is that makefile.gcc builds a static library, while makefile.linux 
   builds both the static (.a) and shared (.so) libraries. 

   Most people doing a manual build of the tools see ".linux" and use it, vs. the 
   more generic sounding ".gcc", but ntop expects the ".gcc" build.

   The problem is that ldd (the loader) prefers the .so (shared) version and if it
   finds it, it will link to it, even if a .a version exists.  So if you make the
   static .a, but have the .so, that (.so) is what ntop will use.

   For your own personal use, it shouldn't matter - there is NOTHING wrong with the
   shared libraries, as long as the same version of the .so libraries for libpng are 
   installed on BOTH the build and execution machine(s). 

   This could happen either via a distribution supplied package (but if the package 
   was for version 1.0.x this WILL cause version problems).
   
   Or, you can install the .so library by typing "make install" the 1st time you 
   build libpng. 

   Best suggestion is to use buildAll.sh! 
   (Updated 22Aug2002 - BMS - libpng-1.2.4)

Q. What about Slackware?
A. Lorenzo had "Installation Notes For Slackware 8.0" available at 
       http://80.19.145.20/ntop-Slack-inst.txt
   although the site may (as of July2002) be down.



Running
-------

Q. Segmentation fault on startup while initializing GDBM (Slackware)
A. This occurs if one's crypt(3) does not support the standard UNIX crypt
   (and just returns NULL)... Change CRYPT_SALT in ntop.h from 99 to $1$99,
   thereby forcing md5 crypting.    (reported in 1.3 era)

Q. ntop isn't able to capture data.
A. On some (old) Linux distributions, the libpcap package is broken. Please remove it, 
   get the source, build libpcap and install it (both the library and the include files).
   Then rebuild ntop from scratch.  (reported in 1.3 era)


Q. Bad things - I see the following messages: 
        libpng warning: Application was compiled with png.h from libpng-1.0.x 
        libpng warning: Application is running with png.c from libpng-1.2.x 
        gd-png: fatal libpng error: Incompatible libpng version in application and library 
A. You have a version problem with libpng. 

   First off, following the instructions in BUILD-NTOP.txt should work just fine. These 
   problems come about when you have libpng installed (i.e. using shared libraries). 

   1. If you are compiling from source, you may have png.h left over from the earlier
      version of libpng. Remove it. 

   2. (Most common under RedHat). RedHat 7.2 installs a libgd.so.1.8.4 library, which was 
   compiled against 1.0.x series of libpng (which is fine, because RedHat 7.2 includes 
   libpng-1.0.12). 

   Updating RedHat to newer (RawHide) packages for libpng, 
   http://www.rpmfind.net//linux/RPM/rawhide/1.0/i386/RedHat/RPMS/libpng-1.2.2-5.i386.html, 
   should work. However, there are reports of version conflicts and required updates to 
   multiple packages. Proceed with caution (especially if you decide to uninstall 1.2.2-5). 
   Also, do not use --nodeps or --force, as this can leave you with two partially installed 
   versions (see item #1, above). 

   3. (Slackware) Users have reported this error from an older header file in /usr/include. 
   Make sure to run "make install" in the libpng directory so that the latest files are in 
   the common library locations. You can do this with buildAll.sh, just navigate back down 
   to the libpng-1.2.x directory first.  

   4. If you are building ntop on one machine and running on another, they may have
   different libpng.so versions.  Even if you think you are using the static linked
   version (buildAll.sh), be careful - see the entry (above) on "make install" for libpng.
   (Updated 22Aug2002 - BMS - libpng-1.2.4)


Win32 (MinGw)
=-=-=-=-=-=-=

The .exe distributed through ntop.org is built with Visual C++ 6.0.
There are reports of problems using MinGW.  Forget about cygwin.

Compiling
---------

Q. When I type 'make' it complains about a makefile error.
A: Remember to use -f Makefile.MinGW or whatever is appropriate - see BUILD-MinGW.txt.

Q. Where can I find GDBM for Windows?
A. GDBM for windows can be found at http://www.roth.net/libs/gdbm/  

Q. Mingw make of Ntop fails when using the single-file distribution MinGW-1.1.tar.gz
   with make errors about version.c like : 
    zsh: no matches found: *version 
    make: *** [version.c] Error 1 
A. Be sure that your PATH setting in the DOS command box of the Mingw bin directory
   ends with a backslash.
    This is OK: 
        set path=C:\Mingw\bin\;%path% 
    This is wrong:
        set path=C:\Mingw\bin;%path% 
                             ^


Running
-------
Q. ntop -i1 ... doesn't work
A. ntop has special parameters under Win32.

   Under Win32 there are TWO COMPLETELY SEPARATE TYPES OF PARAMETERS.

   There are the parameters to the win32 stub AND there are parameters to ntop itself.

   AFTER THE win32 parameters come the ntop parameters in the standard (Unix) -xxx format.

       ntop /c <normal parms>  runs ntop INTERACTIVELY with the specified ntop parameters

       ntop /i <parameters>    installs ntop as a service to run with the specified parameters

       ntop /d                 deletes the ntop service

   Remember, ntop /i and ntop /d don't actually run the service - you need to start it.
   (Updated 26Aug2002 - BMS)

Q. How do I figure out what my network interface numbers are for the -i parameter?
A. (Thanks to jac engel [jacengel@home.nl] for the example)

   If you only have ONE network interface, it doesn't matter as the default is fine.  However,
   that's the RARE case.  Most people have multiple network interfaces (NICs), with virtual
   ones for VPNs, Dialup Networking, etc.

   The Windows tools ipconfig, winipcfg and the Device Manager (depending on which version
   of Windows you have) will probably show you them.  However, it's easier and better to 
   use ntop to show you how ntop sees the network interfaces.

   If you start  ntop /c (interactive mode, with only the default parameters) it will 
   display all your network interfaces (NICs), like this:

    Running ntop for Win32.
    Wait please: ntop is coming up...
    23/Aug/2002 20:43:55 Initializing IP services...
    23/Aug/2002 20:43:55 Initializing GDBM...
    23/Aug/2002 20:43:55 Initializing network devices...
    23/Aug/2002 20:43:55 Found interface [index=0] '\Device\Packet_{1439C950-2E58-4398-828F-81AD38843F1C}'
    23/Aug/2002 20:43:55 Found interface [index=1] '\Device\Packet_{86AE91B6-1F55-497C-9AEF-E208305084B4}'
    23/Aug/2002 20:43:55 Found interface [index=2] '\Device\Packet_NdisWanIp'
    23/Aug/2002 20:43:57 ntop v.2.1 MT [WinNT/2K/XP] (11/07/2002 build)
    23/Aug/2002 20:43:57 Listening on [3F1C}\Device\Packet_{1439C950-2E58-4398-828F-81AD38843F1C}

  By default, ntop will use the lowest numbered interface.  Because #s are assigned based on
  the sequence cards are discovered, and this is altered if cards are removed and added, this
  is often not what you want.

  After you figure out which NIC you want, start ntop /c -i1 or -i2 or whatever...

  (Added 13Sep2002, Burton)

Q. OK, but how to I translate \Device\Packet_xxxxx to my Froboz ModelT network card and not the
   Fubar27 that's on the motherboard.
A1. Newer (2.1.51+) ntop versions should report both the index and the human readable information.
A2. A Google search on script "CurrentVersion\NetworkCards" finds a couple of scripts/utilities
   that might work in various environments.

   Otherwise...

   You're going to need to view the registry.  All the usual warnings - back up your pc, etc.
   If you damage the registry, you may not be able to reboot the computer.  You're not going
   to CHANGE anything, but an inadvertent keystroke could be disaster ... BE CAREFUL!

   Under WinNT/2K, to find the interface name of your NIC look in the registry at the 
   keys in HKLM\Software\Microsoft\Windows NT\Currentversion\NetworkCards\
   The two subkeys, ServiceName and Description, tell you which id maps to which NIC.

   (Added 13Sep2002, Burton)
   (Updated 30Oct2002, Burton)

Q. Where does ntop look for html (and gif) files under Win32?
A. ntop looks in two places. The first is the current directory and the second is 
   configurable through a constant in ntop_win32.h, #define DATAFILE_DIR "."

   Note that the current directory, or ".", may not be what you expect.

   When running ntop as a Win32 service, "." is %SystemRoot%\system32, meaning that ntop 
   looks in %SystemRoot%\system32\html for the .html and .gif files.

   When running ntop from the command line, 

       ntop /c parameters...

   "." is whatever directory is current.  This means that if you run ntop with a full, 
   explicit path (c:\ntopnew\ntop /c ...) there may be an unexpected difference between 
   what ntop finds for "." and what you THINK "." is!  This will lead to missing .html 
   and .gif files.

   If you wish to have ntop look in a specific place for the files, the best choices are:

     1) Create a .bat file to run ntop which does a cd to the expected directory first.
     2) Edit ntop_win32.c and then recompile.

   Note that the settings for DATAFILE_DIR (and other constants) are reported on the text 
   version of the configuration page, textinfo.html. (Added 14Jul2002 Burton)


Other Platforms - not very well supported...
============================================

   
   

HP-UX
=-=-=

During the 2.2 development cycle, some work was done to make ntop work under HP-UX 11
without breaking the HP-UX 10.20 support (limited as it is).  HP-UX 11 should work.

Q: v2.0.99RCx has been reported not to compile under HP-UX 10.20
A: The test in the code seems wrong, but we didn't have time, nor 
   the ability to test it before releasing 2.1.  Specifically,
   
   #if !defined(WIN32) && !defined(AIX)
   extern int h_errno; /* netdb.h */
   #endif

   should probably be

   #if !defined(HAVE_NETDB_H)
   extern int h_errno; /* netdb.h */
   #endif


Q: Why isn't the HP-UX 10.20 version of ntop multithreaded?
A: To reduce complexity, and because resources aren't available to provide
   full support for less commonly used OSes.  Specifically, because HP's 10.20
   pthread implementation is slightly different from the POSIX standard.

Q. Why is the HP-UX 11 version of ntop not multithreading?
A. As of 2.1.90 it should be.
   (Updated, April 2003, Burton)


IRIX (v1.3 information)
=-=-=-=-=-=-=-=-=-=-=-=-

During the ntop 2.2 development cycle, IRIX was not considered.  It will almost
certainly fail.

Q. Where can I find pthreads for IRIX 6.2?
A. Irix 6.2 doesn't support POSIX threads out of the box. You must 
   install the patch: 2791

Q: Why doesn't the IRIX version of ntop use semaphores, although 
   they are implemented in the OS?
A: When Luca used IRIX 6.2, semaphores seemed to have some problems. This is an 
   implementation issue only, because ntop supports threads under IRIX.


Digital UNIX (v1.3)
===================

During the ntop 2.2 development cycle, Digital UNIX was not considered.  It will almost
certainly fail.

Q. ntop doesn't seem to collect any data on Digital Unix.
A. Albert Chin-A-Young <china@thewrittenword.com> said:
   First, to compile, make sure you don't use '-std1' which will cause problems
   compiling pbuf.c. '-std' is ok.

   Once ntop is compiled, do the following:
        1. Make sure 'options PACKETFILTER' is in your kernel
           configuration file under /sys/conf. Recompile the
           kernel using 'doconfig -c [config file]' if necessary.
        2. % cd /dev
           % ./MAKEDEV pfilt
           % pfconfig +promisc [interface]

   The last part of #2 I didn't do so ntop did not collect any data.

AIX (v1.3)
==========

During the ntop 2.2 development cycle, AIX was not considered.  It will almost
certainly fail.

Q. AIX: I've linked ntop against the special libpcap library that's
   available on the ntop site. Unfortunately ntop doesn't work. It
   fails with the following error:
   # ./ntop
   06/Oct/2000:10:25:55 ntop v.1.3.2 ST (SSL) [powerpc-ibm-aix4.3.2.0]
   06/Oct/2000:10:25:55 Listening on [en0]
   06/Oct/2000:10:25:55 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
   06/Oct/2000:10:25:55 Get the freshest ntop from http://www.ntop.org/
   06/Oct/2000:10:25:55 Initialising...
   06/Oct/2000:10:25:55 /dev/dlpi/en0: No such file or directory
A: Please configure dlpi.conf in the /etc dir using the command
   strload -f /etc/dlpi.conf.
   (Courtesy of Chuck Toman <ctoman@Park-Ohio.com>).

Q. I have a problem on AIX. What shall I do?
A. Read below.
   =============================================================
   From Ciaran.Deignan@bull.net Wed Oct  4 17:07:02 2000
   Date: Tue, 3 Oct 2000 10:29:52 +0200 (DFT)
   From: Ciaran.Deignan@bull.net
   To: Karandeep Singh <kdsingh@ichips.intel.com>
   Subject: Re: ntop problems
   
   On Mon, 2 Oct 2000, Karandeep Singh wrote:
   
   > Question I have for you is that if I run "strload -f /etc/dlpi.conf"
   > and create special files in /dev/dlpi, do I then have to reboot?
   > If not then this will work very well for us on our other servers.
   
   you don't need to reboot, but you do need to execute the command each
   time you *do* reboot....
   
   there's always something...
   
   Ciaran
   
   +-------------------------------------------------------------------------+
   Ciaran Deignan                                Tel: (France) 04 76 29 79 92
   BULL XS-BU (http://www-frec.bull.com)                 HA and Consolidation
   
   Mail to: Ciaran.Deignan@bull.net                        Bullcom: 229 79 92
   PGP: B1 78 FB 88 FD 86 58 A8  89 7B 22 8C D0 E8 71 FC       Fax: 229 75 18
   +-------------------------------------------------------------------------+
   
   
   From Ciaran.Deignan@bull.net Wed Oct  4 17:07:02 2000
   Date: Mon, 2 Oct 2000 12:00:18 +0200 (DFT)
   From: Ciaran.Deignan@bull.net
   To: Karandeep Singh <kdsingh@ichips.intel.com>
   Cc: l.deri@tecsiel.it
   Subject: Re: ntop problems
   
   On Tue, 26 Sep 2000, Karandeep Singh wrote:
   
   > Hi,
   > I installed "successfully" ntop from Bull site and now when I run
   > it am getting following errors. Any help would be appreciated.
   > 
   >  -KD
   > 
   > <pdxfs30 157> # ntop
   > 26/Sep/2000:17:13:01 ntop v.1.3.2 ST (SSL) [powerpc-ibm-aix4.3.2.0] (08/11/00 07:04:32 PM build)
   > 26/Sep/2000:17:13:01 Listening on [en2]
   > 26/Sep/2000:17:13:01 Copyright 1998-2000 by Luca Deri <deri@ntop.org>
   > 26/Sep/2000:17:13:01 Get the freshest ntop from http://www.ntop.org/
   > 26/Sep/2000:17:13:01 Initialising...
   > 26/Sep/2000:17:13:01 /dev/dlpi/en2: No such file or directory
   
   Anyway, what you've missed (and what I've failed to find a convenient way
   to communicate) is the command
           # strload -f /etc/dlpi.conf
   which will create the special files in /dev/dlpi...
   
   This information is given in the mailing-list archives, each time libpcap
   is repackaged:
           http://www-frec.bull.com/download/Updates.txt
   
   
   > <pdxfs30 158> # intop
   
   > exec(): 0509-036 Cannot load program intop because of the following errors:
   >         0509-150   Dependent module /usr/local/lib/libreadline.a(libreadline.so) could not be loaded.
   >         0509-152   Member libreadline.so is not found in archive 
   
   intop has a dependence on freeware.gnu.readline.rte
   (gnu.readline-4.1.0.1.exe), but intop doesn't work anyway :(
   
   Sorry for the complexity,
   Ciaran
   


   From Ciaran.Deignan@bull.net Wed Oct  4 17:07:02 2000
   Date: Mon, 18 Sep 2000 10:00:41 +0200 (DFT)
   From: Ciaran.Deignan@bull.net
   To: Bill Kurland <bill@shakespeare-nyc.com>
   Subject: Re: Freeware:ntop-1.3.2.0
   
   On Sun, 17 Sep 2000, Bill Kurland wrote:
   
   > I have tried installing ntop-1.3.2 on three different rs6000's running
   > AIX 4.3.3 with the same result and was hoping you might be kind enough
   > to help me discover my error.
   
   Humm... I don't have a /dev/ent* or /dev/en* on my system either. You live
   and learn.
   
   Anyway, what you've missed (and what I've failed to find a convenient way
   to communicate) is the command
           # strload -f /etc/dlpi.conf
   which will create the special files in /dev/dlpi...
   
   This information is given in the mailing-list archives, each time libpcap
   is repackaged:
           http://www-frec.bull.com/download/Updates.txt
   
   Hope this helps
   Ciaran
   
   
   
   From Ciaran.Deignan@bull.net Wed Oct  4 17:07:03 2000
   Date: Wed, 6 Sep 2000 11:49:07 +0200 (DFT)
   From: Ciaran.Deignan@bull.net
   To: ry1481@csag.sbc.com
   Subject: Re: NMAP on AIX 
   
   On Tue, 5 Sep 2000 ry1481@csag.sbc.com wrote:
   
   >   I am receiving the message "/dev/dlpi/en0 does not exist. The
   >   ethernet adapter en0 is configured but there is no /dev/dlpi/en0
   >   directory or file.  Any suggestions would be appreciated.
   
   as stated in the Updates log ( http://www-frec.bull.com/docs/downlist.htm )
   
           This distribution uses the "dlpi" interface. If the dlpi
           stream drivers are not loaded, the command
                   # strload -f /etc/dlpi.conf
           should be executed after every reboot.
   
   have fun
   Ciaran
   
   

   
Networking...
=============

Q. What is Ethernet and TCP/IP and how do they differ?
A. Both are protocols - that is the definition of how
   to interpret bits on wires (or in packets) into
   meaningful conversations.

   Ethernet is the lower level, wire (or wireless) protocol,
   concerned with moving the physical bits of data.

   TCP/IP is the higher level protocol, which explains
   how to interpret the block of bits (frame).

   TCP/IP uses a familiar 32 bit "IP" address, e.g.
   192.168.0.1.

   Ethernet uses a less familiar 48 bit address, unique to the NIC
   (sometimes called "burned in"), e.g. 
   00:40:05:DE:AD:00.  This is called the MAC (Media
   Access Control) address.

   FYI: The official IEEE MAC address lookup is at 
       http://standards.ieee.org/regauth/oui/index.shtml
   (Look up the first six digits, separated by -s, e.g. 00-40-05)


Q. OK, but how is stuff sent from my computer to, say, Yahoo!?
A. First off, your computer does a lookup - using a service
   called DNS (Domain Name Service) to convert www.yahoo.com
   to a numeric value, such as 66.218.71.80.

   Then it builds a collection of characters that says send
   this data from me, 192.168.0.1, to Yahoo at 66.218.71.80.
   This is called a packet.  That gets wrapped in an Ethernet
   frame (addressed from 00:40:05:DE:AD:00 to the MAC address
   of the local gateway router, 0:d0:9e:6:38:00) and squirted
   out to the router.

   Packets are forwarded step by step along a path from you
   to Yahoo by computers called routers.  This is done based 
   on the 32 bit IP address and the router's knowledge of the
   network.

   Each router sees an Ethernet frame addressed to it (by
   MAC address), checks the TCP/IP address to figure out 
   where to send it next, and re-wraps the TCP/IP packet in a new
   Ethernet frame (with the from MAC as its own and the to
   MAC as the next hop).

   This happens until the TCP/IP packet reaches the final
   segment (the last router).  Once it reaches a router that
   knows it has addresses 66.218.71.0-66.218.71.255 on one
   of its interfaces, the routing stops using the TCP/IP
   address.

   The last hop is done (like each intermediate hop - at the 
   lowest level) based on the MAC address!  Specifically, the 
   last router does an "ARP" (Address Resolution Protocol) query,
   to find out "Who Has" address 66.218.71.80.  The NIC responds 
   with its MAC address:

      arp who-has www.yahoo.com tell router
      arp reply www.yahoo.com is-at 0:d0:9e:6:38:00

   And the packet is routed to that address.

   Alright, that's a bit simplified, but see Douglas Comer,
   "Internetworking with TCP/IP, volume I", page 25 and 73ff.

Q. So what's a hub vs. a switch?
A. A hub is a device that links a bunch of computers together
   at the wire (Ethernet) level.  Logically, Ethernet is a bus,
   that is everybody sees all the traffic, just like cars crossing
   under a highway bridge.   Physically, Ethernet is wired like
   a star - with all the wires coming back to a central "hub".
   The hub is just the device that makes the electric star look
   like a shared bus.

   Switches and Hubs operate at the Ethernet level, not TCP/IP.

A. Watch out for 'Switched hubs', which are hubs that include an
   internal switch between 2 or more segments (for example, BUT
   NOT LIMITED TO a 10BaseT and 100BaseT) segment.  These are hubs
   within a segment, but switches across segments.  ntop may not 
   see the traffic you expect if you have a 'switched hub', and 
   manufacturers are pretty bad about marking them. See
   http://article.gmane.org/gmane.linux.ntop.general/5081
(Added April 2003, Burton)

A. A switch is a smart hub.

   Switches improve performance by creating a virtual Ethernet
   bus for the duration of the packet that joins JUST the source
   and destination ports.

   A switch operates via an internal table of MAC addresses.
   It learns (or is programmed) that 0:d0:9e:6:38:00 is on
   port 1, while 00:40:05:DE:AD:00 is on port 3.

   A packet coming in port 1, destined for 00:40:05:DE:AD:00
   is sent out ONLY port 3.

   If the switch doesn't know (or the packet is a broadcast),
   it gets sent out all ports.

   This doesn't make for MORE bandwidth, but it does use it
   more efficiently.  That is, in addition to the session between 
   ports 1 and 3 at 100Mbps, a second, simultaneous 100Mbps 
   session can occur between ports 2 and 4.

Q. How do I use ntop in a switched network?
A. First off, you need to be or have the support of
   your network administrator.  (Yes, you can do something
   called "ARP poisoning" to - maybe - get the switch to send
   you all the traffic, but that's beyond this FAQ... STFW)

   Many switches (although not the USD$50 cheap "workgroup" units)
   have a special port or mode, where by all the traffic for the
   entire network gets copied out that port, in addition to the
   normal switch action.

   When you invoke the monitoring mode (called span, mirror, monitor,
   analysis, etc.), you are forcing the entire switch bandwidth out one 
   port.  This may exceed the bandwidth of the port.  100Mbps+100Mbps 
   >> 100Mbps!

   Traffic that is being sent to the monitoring port in excess of the 
   capacity of that port is usually dropped.  It should NOT slow down
   the switch on other ports.  

   Some switches have some buffering capability and it *may* be able to 
   keep up with an occasional burst of traffic, as long as the average 
   is below the port capacity and the buffer isn't exceeded.

   See, for example, http://www.cisco.com/warp/public/473/41.html#archXL.

   One list of switch manufacturers is in the document titled "REFERENCE: 
   Configuring a Switch to Monitor All Traffic" from Elron Software. (The 
   URL is long, do a Google search for "site:elronsoftware.com wi6038").
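   As an added illustration of the two answers above (a learning switch's MAC table,
   and why ntop on an ordinary switch port sees so little), here is a small switch
   simulation in C.  It is not ntop's or any vendor's code; the port count, table
   size and the port assignments (router on port 1, host on port 3, ntop on port 2)
   are constructed for the example, using the MAC addresses from the FAQ.

```c
#include <string.h>

#define SW_PORTS   8
#define MAC_LEN    6
#define TABLE_SIZE 64
#define NO_PORT   -1

/* The two stations from the FAQ's example: the gateway router and the host */
static const unsigned char ROUTER_MAC[MAC_LEN] = {0x00, 0xd0, 0x9e, 0x06, 0x38, 0x00};
static const unsigned char HOST_MAC[MAC_LEN]   = {0x00, 0x40, 0x05, 0xde, 0xad, 0x00};
static const unsigned char BCAST_MAC[MAC_LEN]  = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};

typedef struct { unsigned char mac[MAC_LEN]; int port; } mac_entry;

typedef struct {
    mac_entry     table[TABLE_SIZE];    /* learned MAC -> port associations */
    int           n_entries;
    int           mirror_port;          /* NO_PORT unless a span/mirror port is configured */
    unsigned long delivered[SW_PORTS];  /* frames handed to each port's cable */
} lswitch;

void switch_init(lswitch *sw, int mirror_port) {
    memset(sw, 0, sizeof *sw);
    sw->mirror_port = mirror_port;
}

static int lookup(const lswitch *sw, const unsigned char *mac) {
    for (int i = 0; i < sw->n_entries; i++)
        if (memcmp(sw->table[i].mac, mac, MAC_LEN) == 0) return sw->table[i].port;
    return NO_PORT;
}

static void learn(lswitch *sw, const unsigned char *mac, int port) {
    for (int i = 0; i < sw->n_entries; i++)
        if (memcmp(sw->table[i].mac, mac, MAC_LEN) == 0) { sw->table[i].port = port; return; }
    if (sw->n_entries < TABLE_SIZE) {
        memcpy(sw->table[sw->n_entries].mac, mac, MAC_LEN);
        sw->table[sw->n_entries].port = port;
        sw->n_entries++;
    }
}

/* Forward one frame that arrived on in_port.  The source MAC is learned on the
 * ingress port; a known unicast destination goes out ONLY its port, anything
 * unknown or broadcast is flooded to every other port, and the mirror port (if
 * any) gets a copy of everything.  Returns how many ports received the frame. */
int switch_forward(lswitch *sw, int in_port, const unsigned char *src, const unsigned char *dst) {
    int sent = 0;
    learn(sw, src, in_port);
    int out = memcmp(dst, BCAST_MAC, MAC_LEN) == 0 ? NO_PORT : lookup(sw, dst);
    for (int p = 0; p < SW_PORTS; p++) {
        if (p == in_port) continue;
        if (out == NO_PORT || p == out || p == sw->mirror_port) {
            sw->delivered[p]++;
            sent++;
        }
    }
    return sent;
}

/* Replay a short conversation: the host (port 3) ARPs for the router (port 1),
 * the router replies, then ten packets go each way.  ntop listens on port 2.
 * Returns the number of frames port 2 actually saw: only the one broadcast
 * without a mirror port, every frame when port 2 is the mirror port. */
unsigned long frames_seen_by_monitor(int mirror_port) {
    lswitch sw;
    switch_init(&sw, mirror_port);
    switch_forward(&sw, 3, HOST_MAC, BCAST_MAC);   /* arp who-has router: flooded */
    switch_forward(&sw, 1, ROUTER_MAC, HOST_MAC);  /* arp reply: host's port already learned */
    for (int i = 0; i < 10; i++) {
        switch_forward(&sw, 3, HOST_MAC, ROUTER_MAC);
        switch_forward(&sw, 1, ROUTER_MAC, HOST_MAC);
    }
    return sw.delivered[2];
}
```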


Q: How can I use Apache (with its security, etc.) to serve up ntop pages?
A: (Toby Johnson [public@tobiasly.com], Sun 10Nov2002)

   A while back, I had written about the possibility of configuring ntop to use
   only relative URL's, in order to facilitate proxying ntop's web interface
   through Apache. I have decided it's easier to simply use Apache's ability to
   rewrite ntop's URL's when necessary. So, based on my experience, here is a
   mini-HOWTO on how to proxy ntop through Apache.

   ------

   Proxying ntop's web interface through a secure Apache virtual host is a
   convenient way to make use of any existing security measures you may already
   have. In my case, I wanted to be able to access ntop from anywhere outside
   my LAN, but opening another port on my server for ntop's dedicated web
   server wasn't an option.
   
   I already had a password-protected, secure web server that I use for admin
   purposes -- I'll call it https://admin.tobiasly.com. I wanted ntop's web
   interface to appear as a subdirectory under this host:
   https://admin.tobiasly.com/ntop/ .
   
   Here's how to configure such a setup. Change the server names and ports to
   match your own. I'm assuming that you already have a working, secure Apache
   virtual host (using HTTPS).
   
   First, pick a port for ntop's HTTP server. I'll use 15123. You won't need
   ntop's built-in HTTPS server, since you're proxying its content through a
   pre-existing Apache HTTPS server. Configure ntop to start with the correct
   HTTP port, and with HTTPS disabled. Something like "ntop -d -w 15123 -W 0".
   (See the ntop man page for more startup options.)
   
   Now, you need to tell Apache that anything under the /ntop/ URL should be
   proxied to the ntop web server. In my case, the Apache server is running on
   the same machine as ntop, so it's just a proxy to a different port on
   localhost. In your Apache secure host configuration, add a line like this:
   
      ProxyPass /ntop/ http://localhost:15123/
   
   Now, whenever Apache receives a request for something like
   "https://secure.tobiasly.com/ntop/home.html", it will proxy this request to
   the location "http://localhost:15123/home.html". Ntop will take it from
   there, generate the web content, and pass the result back to Apache. Then
   Apache passes that result back to the original client.
   
   It's important to note that you don't need to open port 15123 to the
   outside, since the connection actually goes through your existing Apache
   port, and then is transparently proxied by Apache on the server itself. Of
   course, you don't even have to run ntop on the same machine; as long as the
   Apache server can connect to ntop's port, it'll work.
   
   This is not the same as URL redirection. As far as your web browser knows,
   everything is going through https://secure.tobiasly.com/ntop/. The Apache
   server does all the proxy work behind the scenes, and simply serves up the
   results to the requesting client. And since the "outward-facing" server is
   Apache instead of ntop, you'll be using your existing Apache secure server
   certificate, instead of ntop's ntop-cert.pem.
   
   Everything appears to work OK at first, but we quickly run into a problem:
   some of the URLs that ntop generates are absolute. For example, to draw bar
   graphs, ntop's web pages will request the image "/gauge.jpg". This would
   translate into "https://secure.tobiasly.com/gauge.jpg". Also, host info
   pages are absolute. If I click on the host "10.1.2.3", it tries to take me
   to the page "https://secure.tobiasly.com/10.1.2.3.html".
   
   This is a big problem, because unless the URL is underneath the /ntop/
   directory, Apache doesn't know that it needs to proxy the request to ntop,
   and you get broken links. Luckily, Apache has the Rewrite module that lets
   us fool with requested URLs. In order to get the required URLs rewritten,
   add the following to your Apache secure virtual host configuration:
   
      RewriteEngine On
      RewriteCond %{HTTP_REFERER} tobiasly.com/ntop
      RewriteCond %{REQUEST_URI} !^/ntop
      RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]

   In English, this basically says "If I get a URL request that comes from a
   page that has tobiasly.com/ntop in it, and that request doesn't begin with
   /ntop, rewrite the URL to begin with http://secure.tobiasly.com/ntop/, and
   pass this rewritten URL to the Proxy engine." At this point, the Proxy
   engine will see that it is getting a URL that begins with /ntop/, and
   correctly pass it to the ntop web server. Rewriting the request to begin
   with HTTP instead of HTTPS may seem incorrect, but since that URL will be
   handed directly to the Proxy engine, it can't be HTTPS or ntop's web server
   will not recognize it.
   
   Now, you should be able to simply connect to
   https://secure.tobiasly.com/ntop/ , and you're ready to go!
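   To see what the ProxyPass line and the three Rewrite directives above do to a
   given request, here is a small Python model of the routing as the HOWTO
   describes it (an added example, not code from Toby's HOWTO or from ntop; the
   host names and port are the ones used in the text, and the function name
   route_request is mine). It also shows the case the fix depends on: a request
   for /gauge.jpg that arrives without a Referer header is never proxied to ntop.

```python
"""Model of the Apache routing described in the ntop-through-Apache HOWTO.

Constructed example: it reproduces the decision logic of

    ProxyPass /ntop/ http://localhost:15123/
    RewriteCond %{HTTP_REFERER} tobiasly.com/ntop
    RewriteCond %{REQUEST_URI} !^/ntop
    RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]

at the level the HOWTO explains it, so a reader can check which requests
reach ntop and which are left for Apache to serve (or 404) itself.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

PROXY_PREFIX = "/ntop/"                    # ProxyPass /ntop/ ...
NTOP_BACKEND = "http://localhost:15123/"   # ... http://localhost:15123/
REWRITE_TARGET = "http://secure.tobiasly.com/ntop/"  # RewriteRule target


def route_request(request_uri: str, referer: Optional[str]) -> Optional[str]:
    """Return the backend URL ntop receives for this request, or None when
    the request never reaches ntop (Apache handles it as a normal request).

    request_uri is the path the client asked the HTTPS vhost for;
    referer is the client's Referer header, or None if it sent none.
    """
    # RewriteCond %{HTTP_REFERER} tobiasly.com/ntop  (unanchored regex match;
    # an absent header is an empty string and therefore does not match)
    referer_matches = re.search(r"tobiasly\.com/ntop", referer or "") is not None
    # RewriteCond %{REQUEST_URI} !^/ntop
    outside_ntop = re.match(r"^/ntop", request_uri) is None
    if referer_matches and outside_ntop:
        # RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]
        m = re.match(r"^/(.*)$", request_uri)
        if m:
            # [P] hands the rewritten absolute URL to mod_proxy; the HOWTO
            # explains that the proxy engine then sees a /ntop/ path.
            request_uri = urlsplit(REWRITE_TARGET + m.group(1)).path
    # ProxyPass /ntop/ http://localhost:15123/
    if request_uri.startswith(PROXY_PREFIX):
        return NTOP_BACKEND + request_uri[len(PROXY_PREFIX):]
    return None


if __name__ == "__main__":
    # Constructed sample requests, including the broken-link case.
    samples = [
        ("/ntop/home.html", None),
        ("/gauge.jpg", "https://secure.tobiasly.com/ntop/home.html"),
        ("/10.1.2.3.html", "https://secure.tobiasly.com/ntop/"),
        ("/gauge.jpg", None),                      # no Referer: not proxied
        ("/gauge.jpg", "https://www.example.org/"),  # foreign Referer
    ]
    for uri, ref in samples:
        print(f"{uri:<16} referer={ref!s:<45} -> {route_request(uri, ref)}")
```

   Browsers and privacy proxies that strip the Referer header will fall into
   the last two cases, which is why an image or host link can still 404 even
   with the rewrite rules in place.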


--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Section 3
--------------------------------------------------------------------------------

HowTo Ask For Help (ntop mailing lists)
=======================================
(Updated April 2003)

HOWTO ask for help on the ntop or ntop-dev mailing lists:

WHERE TO POST
=============

ntop is for user questions - "How do I install", "data isn't being recorded", etc.

ntop-dev is for code and development questions.  The ntop-dev list goes to fewer
people, those who have self-selected themselves to be interested in ntop at the 
code level.

If a discussion gets too technical, you may be asked to "move it to ntop-dev".  
Please honor that request (even if you have to subscribe for a while - ntop-dev 
is fairly low traffic).

There used to be mailing lists and trackers at SourceForge, which were rarely 
looked at and have been discontinued. Use the ntop and ntop-dev lists (go to 
http://www.ntop.org to signup for them).


OFFICIAL vs UNOFFICIAL
======================

A response from Luca Deri should be considered official.  He is the author of 
ntop and controls the project and its destiny.

***Please understand that the mailing lists are a community support effort***

Besides Luca Deri, a number of people answer questions to the best of their ability.
None of the rest of the people who may respond to your question on ntop or 
ntop-dev are able to respond "officially".

Likewise, this HOWTO is unofficial.

Everyone is welcome to help with the evolution of ntop - that is to find 
problems, create and test patches and send them in to patches@ntop.org for 
inclusion.  There are a small number of people with write access to the cvs, 
but anything we commit is subject to being ripped out by Luca for any reason... 
or no reason at all...


QUESTION FORMATS
================

ONE QUESTION per message, and you MUST use meaningful message subjects - ones 
that would have helped YOU find the prior discussion of this or a similar 
problem in the archives.  Titles such as "urgent" or "ntop problem" will often 
not get a response - it may be urgent to you but it's probably not an issue 
for others.

WE STRONGLY SUGGEST YOU USE THE BUILT IN AUTOMATICALLY GENERATED PROBLEM
REPORT (About | "bug icon").  This includes most of the internal configuration
data we ask for (and more) and has blank spots for you to fill in.

Generate one, cut & paste into your mail client, edit the data and send it.

Beyond that, don't worry -- it's about information, not format.


RESPONSES
=========

Despite any individual's frequent postings, nobody is "responsible" for 
answering your question. It's all on a "best efforts" basis. This is equally 
true of the FAQs posted at http://snapshot.ntop.org. Our responses may be 
incomplete, inaccurate, even dead wrong. Caveat Emptor! The only "guarantee" 
is that free support will be worth what you've paid for it.

Just because you post a question does NOT mean that you are OWED an answer.

If nobody answers, then maybe it's because:

   * Nobody knows.
   * People are busy.
   * You've asked the same question multiple times and it's already been
     answered.
   * You have been asked for additional information and are unable/unwilling 
     to supply it.

or, well, any one of a dozen other reasons.

Asking the same question multiple times - or asking it again because you don't 
like the answer you received - is a slap in the face of the person who took the 
time to answer you in the first place and will more than likely not get a 
different response.  If you're not sure that your message posted, check the 
archives to see if your message is there -- please don't just keep reposting it.

You can always use gmane (http://www.gmane.org) to see the last 600 or so
postings to the lists.

Please direct all original postings and subsequent replies to the list, not to 
someone privately.  Most of us will reply solely to the mailing list, unless 
you specifically request otherwise.  If you do request otherwise, the individual 
you sent it to may choose not to respond.  Our posting here is NOT a public 
invitation to invade our e-mail boxes for your free private support.  


THE BACK AND FORTH PROCESS
==========================

"Why don't you just fix my problem instead of asking for more information?"

Understand that we can't see your machine (and wouldn't want the 
responsibility of sshing into somebody else's box as root).  The only information 
we have is what you post and the responses to our questions.  Few failures in 
ntop are related to the core processing routines - so if you're having a problem,
it's most likely because of some combination of your network and your ntop 
configuration.  It may be unique to you -- and only with YOUR help can it be
resolved.


WHAT IS SUPPORTED?
==================

Releases are hosted at SourceForge.

At the time of this writing the stable version is 2.2. What support is available
is for the development version ("the cvs").  All support is in the form of fixing
things in the cvs.

However we also attempt to support the current "stable" release (2.2).

Older versions are not supported -- especially 1.3 and the 2.0.99 series of 
2.1 release candidates.  If you have a problem with them, please obtain the 
current cvs version and see if it's still a problem.  Unlike certain much larger
projects, we don't fix things in older versions - there simply aren't enough
resources available.

intop is not supported.  Although the code is part of the current version, 
it's maintained on a "just enough to compile and start" basis.  Rocco may be
revisiting this post 2.2, but don't expect ANYTHING from intop in the 2.0 and
2.1 releases.

If Rocco doesn't pick up intop, the next time it won't compile, it will be moved
to obsolete (unless somebody volunteers to become its maintainer).

Please understand that the only way to fix your problem may be a source patch, 
which you will have to apply, compile, install and test against the cvs version 
prior to its inclusion in the cvs.

If you aren't capable of or willing to do these steps -- for whatever reason -- 
then you should not be compiling from the cvs.


CVS
===

The cvs is at http://cvs.ntop.org, userid is anonymous, password ntop.

The cvs is a DEVELOPMENT version.  The code in the cvs is subject to rapid change.
At any point in time, it may not compile.  It may not compile with certain options
or on some platforms.  So be it -- it's a DEVELOPMENT version.


2.1.3
=====

The actual flow of ntop development was 2.1 -> 2.1.1 -> 2.1.2 -> 2.1.50
                                     -> 2.1.51...

Version 2.1.3 was provided by Dennis Schoen [ds@teuto.net] as part of the Debian 
project.  Dennis (manually) maintains a bitkeeper tree, based on 2.1.2 with various
patches which - in HIS opinion - were important enough to be back ported.  Releases
in this tree are identified as 2.1.2-n.  Dennis reports you can obtain his current
version via:

bk clone bk://ntop.teuto.net:ntop-debian ntop-stable

Version 2.1.3 is an export from Dennis' tree with the version number changed and 
is equivalent to 2.1.2-1.  Dennis graciously provided the extract and we accepted
with thanks!

2.2
===

The actual flow of ntop development was 2.1 -> 2.1.1 -> 2.1.2 -> 2.1.50
                                     -> 2.1.51..59 -> 2.1.90..92 -> 2.2

FEE-BASED SUPPORT
=================

If you want better than "best-efforts" support, contact the individual you desire
support from off-list to make financial arrangements.  Please understand that people
are doing development in areas that are of personal interest to them, to improve ntop.
If you want to discuss payment for support or a specific change that is of interest
to you, feel free to email the individual off-list - some of us are computer
consultants and can be bought, with the understanding that the work product is 
offered back to the community in the spirit of the open source movement and the 
strictures of the GPL.


SO WHAT INFORMATION SHOULD I POST?
==================================

BEFORE POSTING:

1. Please review the output from ./configure.

    We all have the bad habit of skipping over this, but there are often warnings
    which explain why things don't work.  ntop tries to build itself by turning
    off features where the required libraries and/or headers aren't available.
    The minimum required set is just that - minimal.  This is often the source
    of "feature x or switch y doesn't work" reports.

2. Please review the docs/FAQ file and also the ntop community FAQs at
   http://snapshot.ntop.org.

3. Please review back message traffic from the mailing lists.

     Yes, we know that there isn't a search function at ntop.org.  Did you know
     that the lists are spidered every couple of months or so and can be searched
     through Google?  For example, "site:lists.ntop.org rpm" will find mail list
     messages with the word "rpm" in them.

     Did you know that gmane (http://www.gmane.org) has searchable archives of
     the ntop lists going back to late 2001?  The lists are called

          gmane.linux.ntop.devel
          gmane.linux.ntop.general

     You can read these online (the last 600 messages or so) or through the nntp
     server.


POSTING:

Do not worry about posting TOO much information - we're pretty good at filtering
out the noise.

WE STRONGLY SUGGEST YOU USE THE BUILT IN AUTOMATICALLY GENERATED PROBLEM
REPORT (About | "bug icon").  This includes most of the internal configuration
data we ask for (and more) and has blank spots for you to fill in.

Generate one, cut & paste into your mail client, edit the data and send it.

If you can't or won't use the automated problem report (say, for example you can't
get ntop up to generate it) - don't worry -- it's about information, not format.
Send us what you can, organized this way:

1. A brief summary of the problem.

2. Operations
     The EXACT command line you use to invoke ntop.  
          If it's in a script, cut & paste it and 
          resolve all the variables!

     Error Messages:  Cut & paste the exact text.
          If it's in the log, give us 15 or 20 lines before.

     The exact URL you used from the browser.

3.  Software
     ntop version, source and any applied patches

            If you've compiled from the source, say so!

            If you're using a package (such as an .rpm), where 
                did you get it from and what is the EXACT name,
                version information and date? (for example, post
                the output from rpm -q ntop -i)

     OS vendor & version

     gcc version (e.g. gcc --version)
       (For ./configure problems, the versions for autoconf, automake and libtool too)

     glibc version

     Any major upgrades (kernel, networking, etc.)

     What else is running

4. Hardware
     Type & # of processors

     Amount of memory

     # network interfaces and types (vendor, bus, etc.)

5.  Network
     Roughly where are the interface(s) you're monitoring 
          (Public Internet, Private LAN, what?)

     What's the bandwidth (e.g. 10 Mbps University internet, 
           1.5 Mbps T1, Cable Modem capped at 1.5Mbps, 56K dialup)

     How many machines (traffic sources/destinations) and users

(If you're uncomfortable giving specifics, then leave it generic, but the information 
is necessary to allow efficient use of the community's time helping YOU with YOUR problem)


AFTER POSTING:

Please let us know if our help fixed the problem, didn't solve it or enabled you to 
solve it yourself and what the result was.  The historical record of the ntop and 
ntop-dev archives is the complete chain from problem to resolution.

(Originally posted on 07Jan2002 to ntop and ntop-dev, updated.  This is version 12April2003)

--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

GDB ultraMini-tutorial - Running ntop under gdb (debugger)
==========================================================

The very best way to debug a segmentation fault in ntop is to use gdb. The standard
ntop compile already has the flags necessary to do this set. 

(Note - if you don't have gdb, or aren't compiling yourself, this won't work) 

> gdb /usr/bin/ntop (or wherever ntop is installed) 
... 
(gdb) set args (your usual arg string) -K 

[That is, add the -K argument. While you are at it, don't give it the -d argument 
and add -u root (replace any existing -u value) - yes, it's insecure running as root,
but you're not planning on doing this in production nor as a routine situation!] 

it will run... when it bombs... 

(gdb) list [this shows where in the code it died] 

(gdb) info stack [this shows the call stack] 

if there are any variables involved, you can print them: 

(gdb) print deviceId 

[gdb can handle pretty complex arguments in the print command, so you can say 
"print myGlobals.device[0].hash_hostTraffic[myGlobals.broadcastEntryIdx]"
if that's what it bombed on.] 

"bt full" does a decent job of printing the stack and the back trace and the local 
variables at each level. Just make sure you are in the thread you are interested in: 

(gdb) bt full 
#0 0x40592557 in __libc_pause () from /lib/i686/libc.so.6 
No locals. 
#1 0x4046b5a3 in pause () at wrapsyscall.c:123 
result = -1073743680 
oldtype = 0 
#2 0x0804ac1b in main (argc=22, argv=0xbffffa44) at main.c:928 
argc = -1073743680 
argv = (char **) 0x0 
i = 0 
userSpecified = 1 
ifStr = "eth0,eth1", '\000' 
lastTime = 1025633918 
#3 0x404f3647 in __libc_start_main (main=0x804a74c , argc=22, ubp_av=0xbffffa44, 
init=0x8049600 <_init>, fini=0x804d000 <_fini>, rtld_fini=0x4000dcd4 <_dl_fini>, 
stack_end=0xbffffa3c) at ../sysdeps/generic/libc-start.c:129 
ubp_av = (char **) 0xbffffa44 
fini = (void (*)()) 0x40016b4c <_dl_debug_mask> 
rtld_fini = (void (*)()) 0xbffff87c 
ubp_ev = (char **) 0xbffffaa0 
(gdb)  
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------

==========================================================================
Original version Luca Deri, 1999-2001
Updated Burton M. Strauss III 2002, 2003