© 2008 | M.A. TAMON | http://techowto.wordpress.com |Page 1 of 34 © 

techowto.wordpress.com

Table of Contents

Table of Contents ........ 2
Introduction ........ 3
Fundamental Knowledge ........ 3
  What is ntop and what do You Use it for? ........ 3
  Directing Traffic to ntop [NetFlow vs. SPAN vs. Hub] ........ 4
  The Effect of Port Address Translation (PAT) on Ntop ........ 6
Installing ntop ........ 7
  Installing from Source ........ 7
  Installing from Repositories – Debian-based Distributions ........ 9
Overview of Command line Parameters ........ 9
Default Parameters & Essential Ntop Configuration ........ 10
Logging into Ntop's Web Interface ........ 10
Ntop Menu Structures ........ 11
Sample Screenshots of Ntop in Action ........ 15
  Summary Traffic ........ 15
  Summary Hosts ........ 17
  Summary Network Load ........ 18
  IP Summary Multicasts ........ 19
Configuring Persistent Storage Using RRDs ........ 19
Using ntop as a NetFlow Collector ........ 20
Ntop Usage Scenarios ........ 22
  Who Are The Top Internet Bandwidth Users on my Network? ........ 22
  What Websites do the Top Bandwidth Wasters Visit? ........ 22
  What Websites Get the Most Traffic from within my Organization? ........ 23
  Which Websites' Traffic Consumes Most of my Bandwidth? ........ 24
  What Applications are being used? ........ 26
  Which Local Hosts Share the Most Data? ........ 26
  At what Time of the Day is the Network Most Utilized? ........ 27
  Performing a Network Inventory ........ 27
  Exporting Traffic Data ........ 28
Configuring Startup Options ........ 29
Tweaking Ntop – Preferences ........ 32
Common Questions ........ 33
References/Sources/Further Reading ........ 34

Introduction

Being an Open Source fan, I have always heard of this application called ntop (a tool every serious network guru must have) and I have even used its cousin – top for Linux – on a few occasions. I finally got round to giving it a try and was a bit disappointed that such a wonderful tool didn't have a guide as elegant as the program itself. Luca Deri – the program's author – has done a wonderful job, and so I thought I'd emulate his example and contribute something to the FOSS commonwealth by doing something about documentation to start people off.

This document draws heavily on what little information I could glean from the web and the ntop forums, as well as my own experience installing and using ntop on Ubuntu Server 8.04 in a large university network – Ahmadu Bello University, Zaria in Nigeria. I have absolutely no experience deploying and using ntop on Windows, so most of what is reflected in this guide relates to Linux, particularly Ubuntu. I will upgrade this guide as my knowledge grows, and anyone can send me information to be added to it by mailing me at mukom.tamon@gmail.com

Great thanks go to Luca Deri, Yuri Francalacci and Ricardo Paterna, who looked at my initial mind map, offered suggestions and have offered to help me with answers in updating this guide and making it more accurate.

Fundamental Knowledge

What is ntop and what do You Use it for?

Ntop is a simple, free and portable traffic measurement and monitoring tool, initially conceived by Luca Deri and Stefano Suin at the University of Pisa in Italy. It is known to work under Linux, Mac OS X, FreeBSD, Solaris and 32-bit versions of Windows. Ntop gives you an unprecedented amount of visibility into your network, such as which hosts are consuming most of your bandwidth (the top talkers) and which protocols and applications are most used on your network. Ntop also drills down to show which peers a particular host has contacted, as well as a local host traffic matrix that tells you how much data the hosts on your local network are exchanging between themselves. All of this information is very useful for network management and planning. In my case, I always thought I had about 1000 users on my network trying to access the web during peak times. On implementing ntop, I was amazed at how ignorant I was about my network – ntop told me I actually had about 2800 hosts!!!!

A caveat, though: to get real visibility into your network, the network must be routed and must not use port address translation (PAT) internally. Ntop will see every host behind a PAT router as a single device – albeit one with multiple connections from it – i.e. PAT generates a shield (think Star Trek) which even ntop can't penetrate.

Ntop is an example of a spot-check tool, i.e. a tool that gives you a quick view of what is happening on your network in real time. Like me, your first use of ntop will probably occur when the need for bandwidth management becomes obvious and you need to answer the question: just who exactly is consuming most of our bandwidth, for what purpose (i.e. which application), and which sites do they visit? A good network engineer always does analysis and investigation before trying to solve a problem on the network.

Ntop can monitor IP, IPX and AppleTalk statistics as well as statistics for Fibre Channel and SCSI – but as we all know, IP rules, and so most monitoring will be IP-based. Ntop will measure the following types of traffic:

- Data sent/received: volume and packets, classified according to network/IP protocol.
- Multicast traffic.
- TCP session history.
- Bandwidth measurement and analysis.
- VLAN and BGP Autonomous System [AS] traffic statistics.
- VoIP (SIP, Cisco SCCP) monitoring.

In addition, ntop offers you the following options for traffic monitoring and characterization:

- Network flows (user configurable).
- Protocol utilization (number of requests, peaks/storms, positive/negative replies) and distribution.
- Network traffic matrix.
- ARP and ICMP monitoring.
- Detection of many popular P2P protocols.

Ntop data is generally not persistent, i.e. it is stored in and used from memory, and so it is lost when the server is rebooted, or dumped after a certain time period. In practice, this means that you can't go back and see the analysis for a period prior to the last reboot. By default, you also cannot store the information in a database for later analysis (although there are scripts that enable you to do that). Ntop can also use Round Robin Databases (RRDs) to store the data used for graphs, so you can get historical information, but only for the period covered by the RRD. There is also a web option that allows us to dump data in XML and other formats for analysis by external tools.

Directing Traffic to ntop [NetFlow vs. SPAN vs. Hub]

Ntop only monitors what it 'sees' from its own physical connection to the network, or what it is 'told' by a NetFlow or sFlow probe or meter. The options for feeding data to ntop are as follows:

a. Use a hub: I know most networks don't use hubs, but the property of a hub we are interested in is that, unlike a switch, when a frame enters one port of a hub it is automatically sent out all other ports. So if we plug our Internet connection, our internal network and our ntop monitoring server into different ports of a hub, then ntop will see all traffic that is exchanged between our local network and the Internet. No configuration is needed on the hub, switch or router. Unless you don't have switches capable of port mirroring, you will likely never resort to this option, so I include it here just for completeness.

b. Use port mirroring: Unlike hubs, each port of a switch is its own collision domain – meaning that unless a frame is an unknown unicast, broadcast or multicast, it will only be forwarded out the port where it should go [as determined by the destination MAC address in the frame]. This means that if we replace the hub in the previous scenario with a switch, then the only things the ntop server will see are broadcasts, multicasts, unknown unicasts and unicasts that are directed to it. As such, most of the traffic being exchanged between the local network and the Internet will not be seen and analyzed by ntop. Some switches have a feature that allows the administrator to work round this. Essentially, the administrator can configure the switch such that all traffic that comes in or goes out of a set of ports also gets copied and sent to a particular port, into which we then plug our ntop server. Cisco calls this feature SPAN (Switched Port Analyzer) and it works on the majority, if not all, of Cisco's switches. The most efficient way to capture Internet-related traffic is to mirror both received and transmitted frames on port P03 [the switch port connected to the Internet router] to the port on
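To make the difference between the three feed options concrete, here is a small simulation (an added example, not code from the original guide) of which frames reach the sensor port under a hub, a plain learning switch, and a switch with a SPAN session on the router port; the MAC addresses, port numbers and frame sequence are constructed.

```python
"""Which frames does an ntop sensor actually see?  Constructed simulation
(added example, not from the original guide) of a hub, a learning switch,
and a switch whose Internet-router port is mirrored (SPAN) to the sensor."""
from collections import namedtuple

Frame = namedtuple("Frame", "src dst in_port")

# Constructed MAC addresses: first octet 0x02 = locally administered unicast.
ROUTER, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
BROADCAST, ALL_HOSTS_MCAST = "ff:ff:ff:ff:ff:ff", "01:00:5e:00:00:01"

PORTS = (1, 2, 3, 4)   # 1 = Internet router, 2 = host A, 3 = host B, 4 = ntop server
MONITOR_PORT = 4
ROUTER_PORT = 1

# Constructed traffic sample, in the order the switch receives it.
FRAMES = [
    Frame(HOST_A, BROADCAST, 2),        # ARP request from A: flooded everywhere
    Frame(ROUTER, HOST_A, 1),           # router answers A (A's port is now known)
    Frame(HOST_A, ROUTER, 2),           # A talks to the Internet
    Frame(ROUTER, HOST_A, 1),
    Frame(HOST_B, ROUTER, 3),           # B talks to the Internet
    Frame(ROUTER, HOST_B, 1),
    Frame(HOST_A, HOST_B, 2),           # purely local host-to-host traffic
    Frame(ROUTER, ALL_HOSTS_MCAST, 1),  # multicast from the router
]

def is_group_address(mac):
    """Broadcast and multicast MACs have the I/G bit set in the first octet."""
    return int(mac.split(":")[0], 16) & 1 == 1

def frames_seen_by_monitor(mode, frames=FRAMES, span_source=None):
    """Count frames that reach MONITOR_PORT.  mode is 'hub' (flood all),
    'switch' (learn source MACs, flood only unknown unicast and group frames)
    or 'span' (a switch that also copies frames entering or leaving span_source)."""
    mac_table = {}
    seen = 0
    for f in frames:
        mac_table[f.src] = f.in_port                     # learn where src lives
        if mode == "hub" or is_group_address(f.dst) or f.dst not in mac_table:
            out_ports = {p for p in PORTS if p != f.in_port}   # flood
        else:
            out_ports = {mac_table[f.dst]} - {f.in_port}       # forward to one port
        if mode == "span" and (f.in_port == span_source or span_source in out_ports):
            out_ports.add(MONITOR_PORT)                  # SPAN copies rx and tx of source
        if MONITOR_PORT in out_ports:
            seen += 1
    return seen

if __name__ == "__main__":
    for label, n in (("hub", frames_seen_by_monitor("hub")),
                     ("switch", frames_seen_by_monitor("switch")),
                     ("switch+SPAN", frames_seen_by_monitor("span", span_source=ROUTER_PORT))):
        print(f"{label:12s} sensor sees {n} of {len(FRAMES)} frames")
```

Mirroring only the router port captures everything exchanged with the Internet but not the local host-to-host frame, so a mirror session that should also feed ntop's local traffic matrix has to include the host ports as sources as well.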