ntop on Ubuntu 10

Hi Experts,

I have got ntop working on Ubuntu 10 desktop and it is gathering data. I would like to see traffic heading to/from the internet so I have mirrored a port on our Cisco switch. The desktop has only one NIC. When I connect the cable from the mirrored port to this NIC I don't see anything. Is my only solution to have another monitoring NIC? TIA
0
Asked: abhijitm00
 
maysara Commented:
You need to set the interface in promiscuous mode probably ... (man ifconfig)
0
 
abhijitm00 (Author) Commented:
Thanks for getting back maysara. This is the info from my Ubuntu machine:

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:23:ae:a9:eb:c7  
          inet addr:192.168.4.131  Bcast:192.168.5.255  Mask:255.255.254.0
          inet6 addr: fe80::223:aeff:fea9:ebc7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61994027 (61.9 MB)  TX bytes:106366670 (106.3 MB)
          Interrupt:16

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:453314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:453314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48189972 (48.1 MB)  TX bytes:48189972 (48.1 MB)

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

When I do a sudo vi /etc/network/interfaces, I see the following:

auto lo
iface lo inet loopback

Which looks to me like ntop is monitoring on loopback interface. Is this correct?

Also I am planning to apply sudo ifconfig eth0 promisc, will this work?
0
 
abhijitm00 (Author) Commented:
Hi maysara, once I put the NIC in promiscuous mode we have started getting data we need. Thanks.

How are you using ntop in your environment? Are you using it in conjunction with any other tool?
0
 
maysara Commented:
Frankly I never used ntop, I do not think I ever heard about it before your post :)
0
 
madunix (Chief Information Security Officer) Commented:
In the past I used NTop, but I found NTop was a bit of a CPU hog and I had instability issues with it on some servers, so I swapped to MRTG to see traffic: http://oss.oetiker.ch/mrtg/
0
 
abhijitm00 (Author) Commented:
Thanks maysara

madunix, thanks for responding. When you run MRTG, do you need the NIC to be in promiscuous mode? Also, does the port it connects to on a switch need to be mirrored? I am planning to test it on an Ubuntu desktop and wanted to see if it was similar to installing ntop. Any help would be appreciated. Thanks
0
 
maysara Commented:
Depends what do you want the data for? Do you want to see where the traffic goes (src - dst), do you want it for security/intrusion detection, you want to see what protocols are used? Depending on what you want to do, it might be wise to get info directly from the switch (using SNMP); otherwise you need to capture all traffic, and in that case, yes, mirror and promisc on the NIC is the way to go, regardless of the tool. ntop, mrtg, snort, nessus, wireshark, tcpdump, dsniff, arpwatch ... etc., they either handle the part of capturing traffic destined to other nodes on their own (i.e. setting the interface in promisc mode or possibly other techniques that allow reading stuff from the network stack) or require manually setting the interface in promisc mode.
0
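Added example (not part of the thread and not any poster's code): a shell check for the fix discussed above, which reads each interface's flags from /sys/class/net and tests the IFF_PROMISC bit (0x100) so the monitoring NIC can be verified before suspecting the mirror port. The function names and the optional sysfs-directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: confirm a capture NIC is up and promiscuous by reading
# its flags from sysfs. Bit values are from <linux/if.h>.
IFF_UP=1         # 0x1
IFF_PROMISC=256  # 0x100

# iface_state DIR: print promisc, normal, down or unknown for one
# interface directory such as /sys/class/net/eth0.
iface_state() {
    flags=$(cat "$1/flags" 2>/dev/null) || flags=""
    hex=${flags#0x}                      # sysfs prints e.g. 0x1103
    case "$hex" in
        ""|*[!0-9a-fA-F]*) echo unknown; return 0 ;;
    esac
    val=$((0x$hex))
    if [ $((val & IFF_UP)) -eq 0 ]; then echo down
    elif [ $((val & IFF_PROMISC)) -ne 0 ]; then echo promisc
    else echo normal
    fi
}

# promisc_report [SYSFS_NET_DIR]: one "name state" line per interface.
# The directory argument is a hypothetical hook so the check can be tested.
promisc_report() {
    root=${1:-/sys/class/net}
    for d in "$root"/*; do
        [ -d "$d" ] || continue
        echo "${d##*/} $(iface_state "$d")"
    done
}

# check_capture_iface IFACE [SYSFS_NET_DIR]: succeed only when IFACE is up
# and promiscuous; otherwise say what to fix on the monitoring host.
check_capture_iface() {
    state=$(iface_state "${2:-/sys/class/net}/$1")
    case "$state" in
        promisc) echo "$1: up and promiscuous" ;;
        normal)  echo "$1: not promiscuous; try: sudo ifconfig $1 promisc" >&2; return 1 ;;
        down)    echo "$1: interface is down" >&2; return 1 ;;
        *)       echo "$1: missing interface or unreadable flags" >&2; return 1 ;;
    esac
}

# Run as: ./promisc_check.sh eth0   (no argument: define functions only)
[ "$#" -eq 0 ] || check_capture_iface "$@"
```

The non-zero exit status of check_capture_iface makes it usable as a pre-flight step in whatever script starts the capture tool.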
