I'm trying to bring up an ntop 3.3 instance to be only a NetFlow receiver from a Cisco 6500. Interfaces are set to none (which seems to annoy the web interface). I start the server and the initialization seems to take forever (at this point it's over an hour and it's still not done). It's running on a dual 3 GHz, 8 GB memory box that's idle. To the best of my knowledge, I haven't enabled any debug other than setting the trace level to 4 to help debug this. I downloaded from SourceForge a few days ago.
Seems unlikely this is the way it should be running. Any ideas on what I might check?

thanks
jim

top - 13:20:31 up 77 days, 21:25, 2 users, load average: 0.00, 0.00, 0.001
Tasks: 84 total, 2 running, 82 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.7% us, 3.0% sy, 0.0% ni, 94.3% id, 1.0% wa, 0.0% hi, 0.0% si
Mem: 8309228k total, 1373696k used, 6935532k free, 160560k buffers
Swap: 8385920k total, 0k used, 8385920k free, 949640k cached

Linux mgmt2 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux (RH ES4 U2)

# gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.4/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.4 20050721 (Red Hat 3.4.4-2)

rrdtool 1.2.19

The rest of the libs are current for that distro release, but I can get you specific version IDs if needed.

From the cmd line...

# /usr/local/bin/ntop @/usr/local/etc/ntop.conf -u ntop
Processing file /usr/local/etc/ntop.conf for parameters...
Wed Nov 7 12:26:10 2007 NOTE: Interface merge enabled by default
Wed Nov 7 12:26:10 2007 Initializing gdbm databases
Wed Nov 7 12:26:10 2007 Opening database '/usr/local/share/ntop/prefsCache.db'
Wed Nov 7 12:26:10 2007 Opening database '/usr/local/share/ntop/ntop_pw.db'
Wed Nov 7 12:26:10 2007 NOTE: Reading preferences file entries
Wed Nov 7 12:26:10 2007 NOTE: Processing parameters (pass2)
Wed Nov 7 12:26:10 2007 NOTE: Interface merge disabled due to command line switch

From syslog with trace set to 4.
Notice that it takes an hour before the web server is up.

Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing ntop
Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing IP services
Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing network devices
Nov 7 12:23:09 mgmt2 ntop[11937]: Found interface [index=0] 'eth0'
Nov 7 12:23:29 mgmt2 ntop[11937]: Found interface [index=1] 'eth1'
Nov 7 12:23:49 mgmt2 ntop[11937]: Found interface [index=2] 'any'
Nov 7 12:24:09 mgmt2 ntop[11937]: Found interface [index=3] 'lo'
Nov 7 12:26:10 mgmt2 ntop[13715]: ntop v.3.3
Nov 7 12:26:30 mgmt2 ntop[13715]: Configured on Nov 6 2007 18:34:17, built on Nov 6 2007 18:34:43.
Nov 7 12:26:50 mgmt2 ntop[13715]: Copyright 1998-2007 by Luca Deri <[EMAIL PROTECTED]>
Nov 7 12:27:10 mgmt2 ntop[13715]: Get the freshest ntop from http://www.ntop.org/
Nov 7 12:27:30 mgmt2 ntop[13715]: NOTE: ntop is running from '/usr/local/bin'
Nov 7 12:27:50 mgmt2 ntop[13715]: NOTE: (but see warning on man page for the --instance parameter)
Nov 7 12:28:10 mgmt2 ntop[13715]: NOTE: ntop libraries are in '/usr/local/lib'
Nov 7 12:28:30 mgmt2 ntop[13715]: Initializing ntop
Nov 7 12:28:50 mgmt2 ntop[13715]: Initializing IP services
Nov 7 12:29:11 mgmt2 ntop[13715]: Initializing network devices
Nov 7 12:29:31 mgmt2 ntop[13715]: Found interface [index=0] 'eth0'
Nov 7 12:29:51 mgmt2 ntop[13715]: Found interface [index=1] 'eth1'
Nov 7 12:30:11 mgmt2 ntop[13715]: Found interface [index=2] 'any'
Nov 7 12:30:51 mgmt2 ntop[13715]: Found interface [index=3] 'lo'
Nov 7 12:31:31 mgmt2 ntop[13715]: Checking requested device 'none'
Nov 7 12:32:11 mgmt2 ntop[13715]: Adding network device none
Nov 7 12:32:31 mgmt2 ntop[13715]: Creating dummy interface, 'none'
Nov 7 12:32:52 mgmt2 ntop[13715]: -i none, so initialized only a dummy device
Nov 7 12:33:12 mgmt2 ntop[13715]: Resetting traffic statistics for device none
Nov 7 12:33:32 mgmt2 ntop[13715]: Initializing gdbm databases
Nov 7 12:33:52 mgmt2 ntop[13715]: Creating database '/usr/local/share/ntop/addressQueue.db'
Nov 7 12:34:12 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/dnsCache.db'
Nov 7 12:34:32 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/macPrefix.db'
Nov 7 12:34:52 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/fingerprint.db'
Nov 7 12:35:12 mgmt2 ntop[13715]: VENDOR: Loading MAC address table.
Nov 7 12:35:52 mgmt2 ntop[13715]: VENDOR: Checking for MAC address table file
Nov 7 12:36:33 mgmt2 ntop[13715]: VENDOR: Checking './specialMAC.txt.gz'
Nov 7 12:37:13 mgmt2 ntop[13715]: VENDOR: Checking './specialMAC.txt'
Nov 7 12:37:33 mgmt2 ntop[13715]: VENDOR: Checking '/usr/local/etc/ntop/specialMAC.txt.gz'
Nov 7 12:37:53 mgmt2 ntop[13715]: VENDOR: ...Found
Nov 7 12:38:13 mgmt2 ntop[13715]: VENDOR: Database created/last modified Wed Dec 31 19:00:00 1969
Nov 7 12:38:34 mgmt2 ntop[13715]: VENDOR: Input file created/last modified Tue Nov 6 18:36:11 2007
Nov 7 12:38:54 mgmt2 ntop[13715]: VENDOR: Loading newer file '/usr/local/etc/ntop/specialMAC.txt.gz'
Nov 7 12:39:14 mgmt2 ntop[13715]: VENDOR: Closing file
Nov 7 12:39:34 mgmt2 ntop[13715]: VENDOR: ...found 61 lines
Nov 7 12:39:54 mgmt2 ntop[13715]: VENDOR: ...loaded 59 records
Nov 7 12:40:14 mgmt2 ntop[13715]: VENDOR: Checking for MAC address table file
Nov 7 12:40:54 mgmt2 ntop[13715]: VENDOR: Checking './oui.txt.gz'
Nov 7 12:41:35 mgmt2 ntop[13715]: VENDOR: Checking './oui.txt'
Nov 7 12:42:15 mgmt2 ntop[13715]: VENDOR: Checking '/usr/local/etc/ntop/oui.txt.gz'
Nov 7 12:42:35 mgmt2 ntop[13715]: VENDOR: ...Found
Nov 7 12:42:55 mgmt2 ntop[13715]: VENDOR: Database created/last modified Wed Dec 31 19:00:00 1969
Nov 7 12:43:15 mgmt2 ntop[13715]: VENDOR: Input file created/last modified Tue Nov 6 18:36:11 2007
Nov 7 12:43:35 mgmt2 ntop[13715]: VENDOR: Loading newer file '/usr/local/etc/ntop/oui.txt.gz'
Nov 7 12:43:56 mgmt2 ntop[13715]: VENDOR: .... 5000 records read
Nov 7 12:44:16 mgmt2 ntop[13715]: VENDOR: .... 10000 records read
Nov 7 12:44:36 mgmt2 ntop[13715]: VENDOR: .... 15000 records read
Nov 7 12:44:56 mgmt2 ntop[13715]: VENDOR: .... 20000 records read
Nov 7 12:45:16 mgmt2 ntop[13715]: VENDOR: .... 25000 records read
Nov 7 12:45:57 mgmt2 ntop[13715]: VENDOR: .... 30000 records read
Nov 7 12:46:37 mgmt2 ntop[13715]: VENDOR: .... 35000 records read
Nov 7 12:47:18 mgmt2 ntop[13715]: VENDOR: .... 40000 records read
Nov 7 12:47:38 mgmt2 ntop[13715]: VENDOR: .... 45000 records read
Nov 7 12:47:58 mgmt2 ntop[13715]: VENDOR: Closing file
Nov 7 12:48:19 mgmt2 ntop[13715]: VENDOR: ...found 48541 lines
Nov 7 12:48:39 mgmt2 ntop[13715]: VENDOR: ...loaded 7853 records
Nov 7 12:48:59 mgmt2 ntop[13715]: Fingerprint: Loading signature file
Nov 7 12:49:19 mgmt2 ntop[13715]: Fingerprint: Checking for Fingerprint file... file
Nov 7 12:49:39 mgmt2 ntop[13715]: Fingerprint: Checking './etter.finger.os.gz'
Nov 7 12:49:59 mgmt2 ntop[13715]: Fingerprint: Checking './etter.finger.os'
Nov 7 12:50:19 mgmt2 ntop[13715]: Fingerprint: Checking '/usr/local/etc/ntop/etter.finger.os.gz'
Nov 7 12:50:59 mgmt2 ntop[13715]: Fingerprint: ...Found
Nov 7 12:51:40 mgmt2 ntop[13715]: Fingerprint: Loading file '/usr/local/etc/ntop/etter.finger.os.gz'
Nov 7 12:52:20 mgmt2 ntop[13715]: Fingerprint: ...loaded 1765 records
Nov 7 12:52:40 mgmt2 ntop[13715]: INIT: Parent process is exiting (this is normal)
Nov 7 12:52:40 mgmt2 ntop[29035]: INIT: Bye bye: I'm becoming a daemon...
Nov 7 12:53:20 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: Now running as a daemon
Nov 7 12:53:40 mgmt2 ntop[29035]: ASN: Checking for Autonomous System Number table file
Nov 7 12:54:00 mgmt2 ntop[29035]: ASN: Checking './AS-list.txt.gz'
Nov 7 12:54:21 mgmt2 ntop[29035]: ASN: Checking './AS-list.txt'
Nov 7 12:54:41 mgmt2 ntop[29035]: ASN: Checking '/usr/local/etc/ntop/AS-list.txt.gz'
Nov 7 12:55:01 mgmt2 ntop[29035]: ASN: Checking '/usr/local/etc/ntop/AS-list.txt'
Nov 7 12:55:21 mgmt2 ntop[29035]: ASN: Checking '/etc/AS-list.txt.gz'
Nov 7 12:56:01 mgmt2 ntop[29035]: ASN: Checking '/etc/AS-list.txt'
Nov 7 12:56:41 mgmt2 ntop[29035]: **WARNING** ASN: Unable to open file 'AS-list.txt'
Nov 7 12:57:21 mgmt2 ntop[29035]: ASN: ntop continues ok, but without ASN information.
Nov 7 12:57:41 mgmt2 ntop[29035]: I18N: This instance of ntop does not support multiple languages
Nov 7 12:58:02 mgmt2 ntop[29035]: IP2CC: Checking for IP address <-> Country Code mapping file
Nov 7 12:58:22 mgmt2 ntop[29035]: IP2CC: Checking './p2c.opt.table.gz'
Nov 7 12:58:42 mgmt2 ntop[29035]: IP2CC: Checking './p2c.opt.table'
Nov 7 12:59:02 mgmt2 ntop[29035]: IP2CC: Checking '/usr/local/etc/ntop/p2c.opt.table.gz'
Nov 7 12:59:22 mgmt2 ntop[29035]: IP2CC: ...Found
Nov 7 12:59:42 mgmt2 ntop[29035]: IP2CC: Loading file '/usr/local/etc/ntop/p2c.opt.table.gz'
Nov 7 13:00:02 mgmt2 ntop[29035]: IP2CC: .... 10000 records read
Nov 7 13:01:02 mgmt2 ntop[29035]: IP2CC: .... 20000 records read
Nov 7 13:02:23 mgmt2 ntop[29035]: IP2CC: .... 30000 records read
Nov 7 13:03:43 mgmt2 ntop[29035]: IP2CC: .... 40000 records read
Nov 7 13:04:24 mgmt2 ntop[29035]: IP2CC: .... 50000 records read
Nov 7 13:04:44 mgmt2 ntop[29035]: IP2CC: Closing file
Nov 7 13:05:04 mgmt2 ntop[29035]: IP2CC: ...found 52395 lines
Nov 7 13:05:44 mgmt2 ntop[29035]: Database support not compiled into ntop
Nov 7 13:06:24 mgmt2 ntop[29035]: Initializing external applications
Nov 7 13:07:04 mgmt2 ntop[29035]: THREADMGMT[t3085831088]: NPA: Started thread for network packet analyzer (none)
Nov 7 13:07:45 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Started thread for fingerprinting
Nov 7 13:08:45 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Started thread for idle hosts detection
Nov 7 13:09:25 mgmt2 ntop[29035]: THREADMGMT[t3054361520]: DNSAR(1): Started thread for DNS address resolution
Nov 7 13:09:45 mgmt2 ntop[29035]: THREADMGMT[t3043871664]: DNSAR(2): Started thread for DNS address resolution
Nov 7 13:10:05 mgmt2 ntop[29035]: THREADMGMT[t3033381808]: DNSAR(3): Started thread for DNS address resolution
Nov 7 13:10:45 mgmt2 ntop[29035]: Starting Plugins
Nov 7 13:11:26 mgmt2 ntop[29035]: Calling plugin start functions (if any)
Nov 7 13:12:06 mgmt2 ntop[29035]: Plugins started... continuing with initialization
Nov 7 13:12:26 mgmt2 ntop[29035]: SSL is present but https is disabled: use -W <https port> for enabling it
Nov 7 13:12:46 mgmt2 ntop[29035]: INITWEB: Initializing web
Nov 7 13:13:06 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:13:46 mgmt2 last message repeated 2 times
Nov 7 13:15:07 mgmt2 last message repeated 4 times
Nov 7 13:15:47 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Fingerprint scan thread starting [p29035]
Nov 7 13:16:27 mgmt2 ntop[29035]: THREADMGMT[t3085831088]: NPA: network packet analyzer (packet processor) thread running [p29035]
Nov 7 13:17:07 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Idle host scan thread starting [p29035]
Nov 7 13:17:28 mgmt2 ntop[29035]: THREADMGMT[t3054361520]: DNSAR(1): Address resolution thread running
Nov 7 13:17:48 mgmt2 ntop[29035]: THREADMGMT[t3043871664]: DNSAR(2): Address resolution thread running
Nov 7 13:18:08 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:18:48 mgmt2 last message repeated 2 times
Nov 7 13:19:08 mgmt2 ntop[29035]: INITWEB: Initializing TCP/IP socket connections for web server
Nov 7 13:19:28 mgmt2 ntop[29035]: Initializing socket, port 3000, address (any)
Nov 7 13:19:48 mgmt2 ntop[29035]: INITWEB: Created a new socket (0)
Nov 7 13:20:08 mgmt2 ntop[29035]: INITWEB: Initialized socket, port 3000, address (any)
Nov 7 13:21:29 mgmt2 ntop[29035]: INITWEB: Starting web server
Nov 7 13:22:09 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: INITWEB: Started thread for web server
Nov 7 13:22:29 mgmt2 ntop[29035]: INITWEB: Server started... continuing with initialization
Nov 7 13:22:49 mgmt2 ntop[29035]: Listening on [none]
Nov 7 13:23:09 mgmt2 ntop[29035]: Loading Plugins
Nov 7 13:23:29 mgmt2 ntop[29035]: Searching for plugins in /usr/local/lib/ntop/plugins
Nov 7 13:23:49 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/remotePlugin.so'
Nov 7 13:24:09 mgmt2 ntop[29035]: Remote: Welcome to Remote. (C) 2006-07 by L.Deri
Nov 7 13:24:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/netflowPlugin.so'
Nov 7 13:24:50 mgmt2 ntop[29035]: NETFLOW: Welcome to NetFlow.(C) 2002-07 by Luca Deri
Nov 7 13:25:10 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/pdaPlugin.so'
Nov 7 13:25:50 mgmt2 ntop[29035]: PDA: Welcome to PDA. (C) 2001-2005 by L.Deri and W.Brock
Nov 7 13:26:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/sflowPlugin.so'
Nov 7 13:27:10 mgmt2 ntop[29035]: SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
Nov 7 13:27:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/rrdPlugin.so'
Nov 7 13:27:51 mgmt2 ntop[29035]: RRD: Welcome to Round-Robin Databases. (C) 2002-07 by Luca Deri.
Nov 7 13:28:11 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/lastSeenPlugin.so'
Nov 7 13:28:31 mgmt2 ntop[29035]: LASTSEEN: Welcome to Host Last Seen. (C) 1999 by Andrea Marangoni
Nov 7 13:28:51 mgmt2 ntop[29035]: THREADMGMT[t3033381808]: DNSAR(3): Address resolution thread running
Nov 7 13:29:11 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: WEB: Server connection thread starting [p29035]
Nov 7 13:29:31 mgmt2 ntop[29035]: Note: SIGPIPE handler set (ignore)
Nov 7 13:29:51 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: WEB: Server connection thread running [p29035]
Nov 7 13:30:11 mgmt2 ntop[29035]: WEB: ntop's web server is now processing requests
Nov 7 13:30:52 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:31:32 mgmt2 ntop[29035]: EPIPE during sending of page to web client
Nov 7 13:32:12 mgmt2 ntop[29035]: EPIPE during sending of page to web client
Nov 7 13:32:32 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/icmpPlugin.so'
Nov 7 13:32:52 mgmt2 ntop[29035]: ICMP: Welcome to ICMP Watch. (C) 1999-2005 by Luca Deri
Nov 7 13:33:12 mgmt2 ntop[29035]: Starting Plugins
Nov 7 13:33:32 mgmt2 ntop[29035]: Calling plugin start functions (if any)
Nov 7 13:33:53 mgmt2 ntop[29035]: Starting 'Host Last Seen'
Nov 7 13:34:13 mgmt2 ntop[29035]: Starting 'ICMP Watch'
Nov 7 13:34:33 mgmt2 ntop[29035]: Starting 'NetFlow'
Nov 7 13:34:53 mgmt2 ntop[29035]: Starting 'PDA'
Nov 7 13:35:13 mgmt2 ntop[29035]: Starting 'Remote'
Nov 7 13:35:53 mgmt2 ntop[29035]: Starting 'Round-Robin Databases'
Nov 7 13:36:33 mgmt2 ntop[29035]: RRD: Welcome to the RRD plugin
Nov 7 13:37:14 mgmt2 ntop[29035]: RRD: Mask for new directories is 0700
Nov 7 13:37:34 mgmt2 ntop[29035]: RRD: Mask for new files is 0066
Nov 7 13:37:54 mgmt2 ntop[29035]: RRD_DEBUG: Parameters:
Nov 7 13:38:14 mgmt2 ntop[29035]: RRD_DEBUG: dumpInterval 300 seconds
Nov 7 13:38:34 mgmt2 ntop[29035]: RRD_DEBUG: dumpShortInterval 10 seconds
Nov 7 13:38:54 mgmt2 ntop[29035]: RRD_DEBUG: dumpHours 72 hours by 300 seconds
Nov 7 13:39:14 mgmt2 ntop[29035]: RRD_DEBUG: dumpDays 90 days by hour
Nov 7 13:39:34 mgmt2 ntop[29035]: RRD_DEBUG: dumpMonths 36 months by day
Nov 7 13:39:55 mgmt2 ntop[29035]: RRD_DEBUG: dumpDomains no
Nov 7 13:40:15 mgmt2 ntop[29035]: RRD_DEBUG: dumpFlows no
Nov 7 13:40:55 mgmt2 ntop[29035]: RRD_DEBUG: dumpHosts no
Nov 7 13:41:35 mgmt2 ntop[29035]: RRD_DEBUG: dumpInterfaces yes
Nov 7 13:42:15 mgmt2 ntop[29035]: RRD_DEBUG: dumpASs yes
Nov 7 13:42:35 mgmt2 ntop[29035]: RRD_DEBUG: dumpMatrix no
Nov 7 13:42:56 mgmt2 ntop[29035]: RRD_DEBUG: dumpDetail high
Nov 7 13:43:16 mgmt2 ntop[29035]: RRD_DEBUG: hostsFilter 10.173.194.0/255.255.254.0
Nov 7 13:43:36 mgmt2 ntop[29035]: RRD_DEBUG: rrdPath /usr/local/share/ntop/rrd
Nov 7 13:43:56 mgmt2 ntop[29035]: RRD_DEBUG: umask 0066
Nov 7 13:44:16 mgmt2 ntop[29035]: RRD_DEBUG: DirPerms 0700
Nov 7 13:44:36 mgmt2 ntop[29035]: THREADMGMT: RRD: Started thread (t3012402096) for data collection
Nov 7 13:44:56 mgmt2 ntop[29035]: Starting 'sFlow'
Nov 7 13:45:16 mgmt2 ntop[29035]: Plugins started... continuing with initialization
Nov 7 13:45:56 mgmt2 ntop[29035]: INIT: Created pid file (/var/run/ntop.pid)
Nov 7 13:46:37 mgmt2 ntop[29035]: THREADMGMT[t3012402096]: RRD: Data collection thread starting [p29035]
Nov 7 13:47:17 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: ntop RUNSTATE: INITNONROOT(3)
Nov 7 13:47:37 mgmt2 ntop[29035]: Now running as requested user 'ntop' (1029:1029)
Nov 7 13:47:57 mgmt2 ntop[29035]: Device 0. none (dummy)
Nov 7 13:48:17 mgmt2 ntop[29035]: INITWEB: Reporting device not set, defaulting to 0
Nov 7 13:48:37 mgmt2 ntop[29035]: RRD: Created base directory (/usr/local/share/ntop/rrd)
Nov 7 13:48:57 mgmt2 ntop[29035]: Note: Reporting device initally set to 0 [none]
Nov 7 13:49:18 mgmt2 ntop[29035]: MEMORY: Base interface structure (no hashes loaded) is 0.03MB each
Nov 7 13:49:38 mgmt2 ntop[29035]: MEMORY: or 0.03MB for 1 interfaces
Nov 7 13:49:58 mgmt2 ntop[29035]: MEMORY: ipTraffixMatrix structure (no TrafficEntry loaded) is 0.01MB
Nov 7 13:50:18 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: ntop RUNSTATE: RUN(4)
Nov 7 13:48:57 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/graphics)
Nov 7 13:51:38 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/flows)
Nov 7 13:52:18 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/interfaces)
Nov 7 13:52:39 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Started thread for throughput data collection
Nov 7 13:52:59 mgmt2 ntop[29035]: THREADMGMT[t3012402096]: RRD: Data collection thread running [p29035]
Nov 7 13:53:19 mgmt2 ntop[29035]: RRD_DEBUG: Sleeping for 112 seconds (interval 300, end at Wed Nov 7 13:55:11 2007)
Nov 7 13:53:39 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Throughput data collection: Thread starting [p29035]
Nov 7 13:53:59 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Throughput data collection: Thread running [p29035]
Nov 7 13:54:19 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Idle host scan thread running [p29035]

# cat /usr/local/etc/ntop.conf
################################################################################
##
## This file, ntop.conf.sample is a sample of an ntop configuration file.
##
## You should copy this file to its normal location, /etc/ntop.conf
## and edit it to fit your needs.
##
## ntop is easily launched with options by referencing this file from
## a command line like this:
##
##     ntop @/etc/ntop.conf
##
## Remember, options may also be listed directly on the command line, both
## before and after the @/etc/ntop.conf.
##
## For switches that provide values, e.g. -i, the last one matters.
## For switches that just say 'do things', e.g. -M, if it's ANYWHERE in the
## commands, it will be set. There's no unset option.
##
## You can use this to your advantage, for example:
##     ntop @/etc/ntop.conf -i none
## Overrides the -i in the file.
##
## Nested @'s - that is @/etc/ntop.common inside /etc/ntop.conf - are not
## permitted.
##
## Note that this is not an exhaustive list of ntop's commands - refer
## to the man page and other documentation for that. This is just the
## most commonly used commands and various examples of them.
##
## Lines beginning ## are pure comments.
##
## Lines beginning with a dash in this sample file are 'live' and will
## be used if you just copy this file to /etc/ntop.conf.
##
## Lines you might wish to uncomment and use as is begin with #- or #--
##
## Parameter lines beginning with #? are models that you will need to
## review and/or customize to your environment before using them.
##
################################################################################
##
## Initial version by Burton M. Strauss III ([EMAIL PROTECTED])
##
## Updates and documentation courtesy of
## Joseph Ezerski ([EMAIL PROTECTED]) (04-2003)
## Tim Malnati ([EMAIL PROTECTED]) (09-2003)
##
################################################################################

############################## RUNNING ENVIRONMENT #############################
## -u | --user -- tells ntop the user id to run as.
## NOTE: This should not be root unless you really understand
##       the security risks.
--user ntop
##-----------------------------------------------------------------------------#
## -d | --daemon -- sets ntop to run as a daemon (in the background, not
## connected to a specific terminal).
## NOTE: For more than casual use, you probably want this.
--daemon
##-----------------------------------------------------------------------------#
## -P | --db-file-path -- sets the directory that ntop runs from.
## NOTE: Use an absolute path (not a relative one like ../ntop) because
##       the working directory (pwd) will be different when ntop is run
##       from the command line, from cron and from initialization.
--db-file-path /usr/local/share/ntop
#? -P /var/ntop
##-----------------------------------------------------------------------------#
## -D | --domain -- Sets the domain. ntop should be able to determine
## this automatically, but occasionally has problems. If so, this makes the
## output cleaner.
#? --domain mydomain.com
--domain my.dom.com

################################ WHAT TO MONITOR ###############################
## -i | --interface tells ntop which network interfaces (NICs) to monitor.
## DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
#? --interface eth0
## To monitor both eth0 and eth2 but not eth1:
#? --interface eth0,eth2
## To monitor NO ethernet interfaces (for example a system collecting data
## only from netFlow probes):
--interface none
##-----------------------------------------------------------------------------#
## -M | --no-interface-merge -- tells ntop not to merge data from all of the
## network interfaces it is monitoring. See the man page and docs/FAQ for
## discussions of -M.
--no-interface-merge
##-----------------------------------------------------------------------------#
## -m | --local-subnets -- Tells ntop of additional networks that should
## be considered local. This is for the local/remote breakdowns
## and because additional data is kept and displayed for local hosts.
## The addresses of the network interface(s) (NICs) are always local
## and don't need to be specified. If you use unnumbered interfaces
## you MUST give ntop this information.
## NOTE: You can mix CIDR and network/netmask notation.
## SEE ALSO: --track-local-hosts
## EXAMPLES:
## Traffic I see (broadcasts only, of course) on my cable modem includes
## other subnets than my own 12.239.98.0/24. I see 12.239.99.0/24 and
## 12.239.100.0/24 - to tell this to ntop:
#? -m 12.239.99.0/24,12.239.100.0/24
## I actually run this way, telling ntop about the whole range of
## addresses used as well as the private network used internally by the
## cable modems themselves.
#? -m 192.168.42.0/24,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
-m 10.173.194.0/23
## All of these are equivalent to the one above:
## -m 192.168.42.0/255.255.255.0,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## -m 192.168.42.0/255.255.255.0,12.239.96.0/255.255.252.0,12.239.100.0/255.255.255.0,10.113.0.0/255.255.0.0
##-----------------------------------------------------------------------------#
## -p | --protocols -- ntop comes with an extensive list of common tcp/ip
## protocols to monitor already built in. (See docs/FAQ for the current list).
## If you want to increase, decrease or change this list, this is the parameter.
## It can be either a file or a list. To point ntop to a file specify its name:
#? -p /usr/local/share/ntop/protocol.list
## Or to give an explicit list:
#? --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"
##-----------------------------------------------------------------------------#
## -c | --sticky-hosts -- tells ntop NOT to purge idle hosts from memory.
## DO NOT USE THIS unless you are on a small, very static network, or you
## have LOTS of memory.
## It is strongly recommended that you use a filtering expression to limit
## the hosts which are stored if you use --sticky-hosts.
#? --sticky-hosts
##-----------------------------------------------------------------------------#
## --disable-instantsessionpurge -- by default, ntop internally changes the
## status of completed sessions so that they get purged immediately. This
## doesn't present a true picture of the network, but does conserve memory.
## Enable this switch to see those finished sessions before their purge
## interval (5 minutes) expires, IF YOU HAVE ENOUGH MEMORY.
#? --disable-instantsessionpurge

################################## LOG MESSAGES ################################
## -t | --trace-level -- controls the amount and severity of messages that
## ntop will put out. Choices are:
#--trace-level 0 # FATALERROR only
#--trace-level 1 # ERROR and above only
#--trace-level 2 # WARNING and above only
#--trace-level 3 # INFO, WARNING and ERRORs - the default
#--trace-level 4 # NOISY - everything
#--trace-level 6 # NOISY + MSGID
#--trace-level 7 # NOISY + MSGID + file/line
--trace-level 4 # Which is the default
##-----------------------------------------------------------------------------#
##
## -L | --use-syslog | --use-syslog=xxxx -- By default, ntop writes its
## messages to stdout (the terminal).
## WARNING: If you are running ntop as a daemon (--daemon parameter), the
## stdout (terminal) does not exist and so messages will be dropped.
## You probably don't want to do this. Instead, use this -L | --use-syslog
## parameter to save them into the system log (/var/log/messages).
##
## Thus a typical startup for ntop running as a daemon is:
##--daemon
## You can also direct the messages to another file. You'll want to
## look at man syslog.conf to set up the configuration file. For example
## to use 'local3' to keep ntop messages separate, I have this in my
## /etc/syslog.conf:
##     # Save ntop
##     local3.*    /var/log/ntop.log
## Then I run ntop with this:
--use-syslog=local3
## NOTE: The = is REQUIRED and no spaces are permitted.

################################## WEB SERVER ##################################
## ntop offers both an http:// and https:// web server. These parameters
## tell ntop which ports (and interfaces) to offer this web server on.
## -w | --http-server -- is the http:// web server.
## NOTE: --http-server 3000 is the default
#? --http-server 3000
## -W | --https-server -- is the https:// web server.
#? --https-server 0
## The default is -w 3000 -W 0 (disabled). You can also...
## https:// only:
#? -w 0 -W 3001
## http:// and https://
#? --http-server 3000 --https-server 3001
## Neither - say ntop is running only as a netFlow probe:
-w 3000 -W 0
## You can also limit ntop to listening on a specific interface. For example:
#? -w 127.0.0.1:3000 # Listens only on the loopback interface at port 3000

########################### PERFORMANCE AND PROBLEMS ###########################
## -B | filter-expression -- gives ntop a bpf (Berkeley Packet Filter) expression
## to use. (the easiest place to find bpf documented is on the tcpdump man page).
## NOTE: The filter expression MUST be in quotes.
## To restrict ntop to only a few machines on a large network, say 192.168.1.88
## through 91:
#? -B "net 192.168.1.88/30"
## That is equivalent to specifying the specific hosts:
#? -B "host (192.168.1.88 or 192.168.1.89 or 192.168.1.90 or 192.168.1.91)"
## You can limit traffic to that from (src) or to (dst) a specific host:
#? -B "src host www.mycompany.com"
#? -B "dst host www.mycompany.com"
## You can limit it to a specific protocol, including src/dst:
#? -B "port ssh"
#? -B "src port ssh"
#? -B "dst port ssh"
##-----------------------------------------------------------------------------#
## -o | --no-mac -- Configures ntop not to trust MAC addrs.
## This is used if you observe ntop being confused by 'changing' addresses -
## i.e. ntop believes that the corporate web server is actually Joe's desktop
## computer.
#--no-mac
##-----------------------------------------------------------------------------#
## -g | --track-local-hosts -- Tells ntop to track only local hosts. These
## are hosts defined as local according to the network interfaces or specified
## by the --local-subnets option.
## Use this if you are seeing too many hosts and all you care about is the
## local (LAN) traffic.
#--track-local-hosts
##-----------------------------------------------------------------------------#
## -z | --disable-sessions -- Tells ntop not to track tcp session information.
## Speeds up processing, requires less memory, but conveys less information.
#--disable-sessions
##-----------------------------------------------------------------------------#
## --disable-schedyield -- Under certain circumstances, the sched_yield()
## function causes the ntop web server to lock up. It shouldn't happen, but
## it does. This option causes ntop to skip those calls, at a tiny performance
## penalty.
--disable-schedyield

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
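An added check, not part of jim's post and not ntop's own code: the syslog stamps in the excerpt above advance by roughly 20 seconds per line no matter what the line reports (loading a vendor table, opening a socket, printing a copyright banner). The script below parses syslog-format lines, expands syslogd's "last message repeated N times" collapses so the spacing they hide is still counted, and reports the gap distribution overall, the median gap per message category, and the slowest individual steps. If the median is the same for every category, the time is being paid per log call rather than by any particular initialization step, which is where to look first; a few large gaps concentrated in one category point at that step instead. The sample lines are copied from the excerpt; the year 2007 is an assumption because syslog stamps carry none, and the category parsing (the capitalised prefix before the colon) is this script's convention, not ntop's.

```python
import re
import statistics
from datetime import datetime

# Constructed sample: consecutive lines copied from the syslog excerpt in the
# post above, including syslogd's "last message repeated" collapses.
SAMPLE = """\
Nov  7 13:12:26 mgmt2 ntop[29035]: SSL is present but https is disabled: use -W <https port> for enabling it
Nov  7 13:12:46 mgmt2 ntop[29035]: INITWEB: Initializing web
Nov  7 13:13:06 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov  7 13:13:46 mgmt2 last message repeated 2 times
Nov  7 13:15:07 mgmt2 last message repeated 4 times
Nov  7 13:15:47 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Fingerprint scan thread starting [p29035]
Nov  7 13:16:27 mgmt2 ntop[29035]: THREADMGMT[t3085831088]: NPA: network packet analyzer (packet processor) thread running [p29035]
Nov  7 13:17:07 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Idle host scan thread starting [p29035]
Nov  7 13:17:28 mgmt2 ntop[29035]: THREADMGMT[t3054361520]: DNSAR(1): Address resolution thread running
Nov  7 13:17:48 mgmt2 ntop[29035]: THREADMGMT[t3043871664]: DNSAR(2): Address resolution thread running
Nov  7 13:18:08 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov  7 13:18:48 mgmt2 last message repeated 2 times
Nov  7 13:19:08 mgmt2 ntop[29035]: INITWEB: Initializing TCP/IP socket connections for web server
Nov  7 13:19:28 mgmt2 ntop[29035]: Initializing socket, port 3000, address (any)
Nov  7 13:19:48 mgmt2 ntop[29035]: INITWEB: Created a new socket (0)
Nov  7 13:20:08 mgmt2 ntop[29035]: INITWEB: Initialized socket, port 3000, address (any)
"""

ASSUMED_YEAR = 2007  # assumption: classic syslog stamps carry no year; taken from the post

# "Mon  d HH:MM:SS host prog[pid]: msg"  or  "Mon  d HH:MM:SS host last message repeated N times"
SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?:(?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)|last message repeated (?P<n>\d+) times)$"
)
# Category = capitalised prefix before the first colon, e.g. "VENDOR:", "THREADMGMT[t...]:" (script convention)
CAT_RE = re.compile(r"^([A-Z][A-Z0-9_]*)(?:\[[^\]]*\])?:")


def parse_events(text, year=ASSUMED_YEAR):
    """Return [(timestamp, category, message)] in log order.

    A 'last message repeated N times' line is expanded into N copies of the
    previous message spread evenly between the previous event and the line's
    own stamp, so the per-message spacing syslogd collapsed is still measured.
    Unparseable lines are skipped.
    """
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
        if m["n"] is not None:
            if not events:  # a repeat with nothing to repeat: nothing to expand
                continue
            n = int(m["n"])
            prev_ts, cat, msg = events[-1]
            step = (ts - prev_ts) / n
            events.extend((prev_ts + step * i, cat, msg) for i in range(1, n + 1))
            continue
        cm = CAT_RE.match(m["msg"])
        events.append((ts, cm.group(1) if cm else "(other)", m["msg"]))
    return events


def gap_seconds(events):
    """Seconds elapsed before each event, i.e. between consecutive log lines."""
    return [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]


def gap_summary(events):
    gaps = gap_seconds(events)
    if not gaps:
        return {}
    return {"count": len(gaps), "min": min(gaps), "median": statistics.median(gaps),
            "max": max(gaps), "total": sum(gaps)}


def gaps_by_category(events):
    """Median seconds spent before a message, keyed by that message's category.
    Equal medians across categories mean the delay is per log call, not per kind of work."""
    by = {}
    for a, b in zip(events, events[1:]):
        by.setdefault(b[1], []).append((b[0] - a[0]).total_seconds())
    return {cat: statistics.median(g) for cat, g in by.items()}


def slowest_steps(events, n=3):
    """The n largest gaps and the message that ended each, largest first."""
    steps = [((b[0] - a[0]).total_seconds(), b[2]) for a, b in zip(events, events[1:])]
    return sorted(steps, key=lambda s: s[0], reverse=True)[:n]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    ev = parse_events(text)
    print("overall:", gap_summary(ev))
    for cat, med in sorted(gaps_by_category(ev).items()):
        print(f"  median gap before {cat:<12} {med:6.2f}s")
    for secs, msg in slowest_steps(ev):
        print(f"  {secs:6.1f}s before: {msg}")
```

Run it with no argument to see the sample, or pass the file that the local3 facility is routed to in syslog.conf. On the sample, the 16 syslog lines expand to 21 messages over 462 seconds with a median of 20 seconds before each one; INITWEB and SECURITY lines are spaced identically, and the only larger gaps (40 s) precede the three THREADMGMT "thread starting" lines. The same script applied to the whole log will show whether the VENDOR, IP2CC and RRD_DEBUG phases are paced the same way, which is the first thing to establish before blaming any one of them.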
