Solved

ntop on Ubuntu 10

Posted on 2010-08-18
7
515 Views
Last Modified: 2013-11-15
Hi Experts,

I have got ntop working on Ubuntu 10 desktop and it is gathering data. I would like to see traffic heading to/from the internet so I have mirrored a port on our Cisco switch. The desktop has only one NIC. When I connect the cable from the mirrored port to this NIC I don't see anything. Is my only solution to have another monitoring NIC? TIA
0
Comment
Question by:abhijitm00
  • 3
  • 3
7 Comments
 
LVL 4

Expert Comment

by:maysara
ID: 33470147
you need to set the interface in promiscuous mode probably ... (man ifconfig)
0
 

Author Comment

by:abhijitm00
ID: 33474594
Thanks for getting back maysara. This is the info from my Ubuntu machine:

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:23:ae:a9:eb:c7  
          inet addr:192.168.4.131  Bcast:192.168.5.255  Mask:255.255.254.0
          inet6 addr: fe80::223:aeff:fea9:ebc7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61994027 (61.9 MB)  TX bytes:106366670 (106.3 MB)
          Interrupt:16

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:453314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:453314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48189972 (48.1 MB)  TX bytes:48189972 (48.1 MB)

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

When I do a sudo vi /etc/network/interfaces, I see the following:

auto lo
iface lo inet loopback

Which looks to me like ntop is monitoring on loopback interface. Is this correct?

Also I am planning to apply sudo ifconfig eth0 promisc, will this work?
0
 

Author Comment

by:abhijitm00
ID: 33479303
Hi mayasara, once I put the NIC in promiscuous mode we have started getting data we need. Thanks.

How are you using ntop in your environment? Are you using it in conjunction with any other tool?
0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 
LVL 4

Expert Comment

by:maysara
ID: 33481579
frankly i never used ntop, i do not think i ever heared about it befor your post :)
0
 
LVL 25

Expert Comment

by:madunix
ID: 33482526
In the past i used NTop, but i found NTop was a bit of a CPU hog and I had instability issues with it on some servers, so i swapped to MRTG to see traffic....http://oss.oetiker.ch/mrtg/
0
 

Author Comment

by:abhijitm00
ID: 33484663
Thanks maysara

madunix thanks for responding. When you run MRTG, do you need the NIC to be in promiscuous mode? Also does the port it connect to on a switch need to be mirrored? I am planning to test it on a Ubuntu desktop and wanted to see if it was similar to installing ntop. Any help would be appreciated. Thanks
0
 
LVL 4

Accepted Solution

by:
maysara earned 250 total points
ID: 33491015
depends what do you want the data for ? do you want to see where the traffic goes (src - dst ), do you want it for security/intrusion detection. you want to see what protocols are used ? depending on what you want to do, it might be wise to get info directly from the switch (using snmp), other wise you need to capture all traffic, in that case, yes, mirror and promisc on nic is the way to go, regardless of the tool. ntop,mrtg,snort,nessus, wireshare,tcpdump,dsniff,arpwatch ...etc , they either handle the part of capturing traffic destined to other nodes on their own (i.e. setting the interface in promisc mode or possibly other techniques that allows reading stuff from the network stack) or require manually setting the interface in promisc mode.
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Users are often faced with high disk consumption without really knowing where the largest amount of data resides. Disk Usage Analyzer (aka Baobab) is is a graphical, menu-driven application to analyse disk usage in any Gnome environment and can e…
The purpose of this article is to demonstrate how we can upgrade Python from version 2.7.6 to Python 2.7.10 on the Linux Mint operating system. I am using an Oracle Virtual Box where I have installed Linux Mint operating system version 17.2. Once yo…
How to Install VMware Tools in Red Hat Enterprise Linux 6.4 (RHEL 6.4) Step-by-Step Tutorial

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question