ntop on Ubuntu 10

Posted on 2010-08-18
Last Modified: 2013-11-15
Hi Experts,

I have got ntop working on Ubuntu 10 desktop and it is gathering data. I would like to see traffic heading to/from the internet so I have mirrored a port on our Cisco switch. The desktop has only one NIC. When I connect the cable from the mirrored port to this NIC I don't see anything. Is my only solution to have another monitoring NIC? TIA
0
Question by:abhijitm00
7 Comments
 
LVL 4

Expert Comment

by:maysara
ID: 33470147
You need to set the interface in promiscuous mode probably ... (man ifconfig)
0
 

Author Comment

by:abhijitm00
ID: 33474594
Thanks for getting back maysara. This is the info from my Ubuntu machine:

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:23:ae:a9:eb:c7  
          inet addr:192.168.4.131  Bcast:192.168.5.255  Mask:255.255.254.0
          inet6 addr: fe80::223:aeff:fea9:ebc7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61994027 (61.9 MB)  TX bytes:106366670 (106.3 MB)
          Interrupt:16

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:453314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:453314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48189972 (48.1 MB)  TX bytes:48189972 (48.1 MB)

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

When I do a sudo vi /etc/network/interfaces, I see the following:

auto lo
iface lo inet loopback

Which looks to me like ntop is monitoring on loopback interface. Is this correct?

Also I am planning to apply sudo ifconfig eth0 promisc, will this work?
0
 

Author Comment

by:abhijitm00
ID: 33479303
Hi maysara, once I put the NIC in promiscuous mode we started getting the data we need. Thanks.

How are you using ntop in your environment? Are you using it in conjunction with any other tool?
0
LVL 4

Expert Comment

by:maysara
ID: 33481579
Frankly, I never used ntop. I do not think I ever heard about it before your post :)
0
 
LVL 25

Expert Comment

by:madunix
ID: 33482526
In the past I used NTop, but I found NTop was a bit of a CPU hog and I had instability issues with it on some servers, so I swapped to MRTG to see traffic: http://oss.oetiker.ch/mrtg/
0
 

Author Comment

by:abhijitm00
ID: 33484663
Thanks maysara

madunix, thanks for responding. When you run MRTG, do you need the NIC to be in promiscuous mode? Also, does the port it connects to on a switch need to be mirrored? I am planning to test it on an Ubuntu desktop and wanted to see if it was similar to installing ntop. Any help would be appreciated. Thanks
0
 
LVL 4

Accepted Solution

by:
maysara earned 250 total points
ID: 33491015
Depends what you want the data for. Do you want to see where the traffic goes (src - dst)? Do you want it for security/intrusion detection? Do you want to see what protocols are used? Depending on what you want to do, it might be wise to get info directly from the switch (using SNMP); otherwise you need to capture all traffic. In that case, yes, mirror and promisc on the NIC is the way to go, regardless of the tool. ntop, mrtg, snort, nessus, wireshark, tcpdump, dsniff, arpwatch, etc. either handle the part of capturing traffic destined to other nodes on their own (i.e. setting the interface in promisc mode or possibly other techniques that allow reading stuff from the network stack) or require manually setting the interface in promisc mode.
0
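
A way to confirm the promiscuous-mode state discussed in this thread, as an added example that is not part of the original posts: the functions below read the kernel's interface flag word from sysfs and test the IFF_PROMISC bit, which is also a quick audit for interfaces that are sniffing when they should not be. The function names and the optional directory argument (used to point at a constructed tree for testing) are assumptions of this example.

```shell
#!/bin/sh
# Interface flag bits from <linux/if.h>.
IFF_UP=1          # 0x001
IFF_PROMISC=256   # 0x100

# flag_set FLAGS BIT: succeeds if BIT is set in FLAGS (hex such as 0x1103 is accepted).
flag_set() {
    [ $(( $1 & $2 )) -ne 0 ]
}

# promisc_state IFACE [NETDIR]: prints promisc, normal, down or unknown.
# NETDIR defaults to /sys/class/net; the sysfs "flags" file holds the live
# kernel flag word, so it reflects promiscuous mode however it was enabled
# (ifconfig, ip, or a capture tool's packet socket).
promisc_state() {
    iface=$1
    netdir=${2:-/sys/class/net}
    f="$netdir/$iface/flags"
    if [ ! -r "$f" ]; then
        echo unknown
        return 2
    fi
    flags=$(cat "$f")
    if ! flag_set "$flags" "$IFF_UP"; then
        echo down          # e.g. an interface listed without UP, like vboxnet0
    elif flag_set "$flags" "$IFF_PROMISC"; then
        echo promisc       # NIC accepts frames addressed to other hosts
    else
        echo normal        # NIC filters on its own MAC: a mirror port shows nothing
    fi
}

# list_promisc [NETDIR]: prints the name of every interface in promiscuous mode.
list_promisc() {
    netdir=${1:-/sys/class/net}
    for d in "$netdir"/*; do
        [ -e "$d/flags" ] || continue
        name=${d##*/}
        if [ "$(promisc_state "$name" "$netdir")" = promisc ]; then
            echo "$name"
        fi
    done
    return 0
}

# When run with an interface name, report that interface's state.
if [ "$#" -gt 0 ]; then
    promisc_state "$@"
fi
```

Run it as `sh script.sh eth0` before and after `sudo ifconfig eth0 promisc`; the output should change from `normal` to `promisc`.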
