Solved

ntop on Ubuntu 10

Posted on 2010-08-18
Last Modified: 2013-11-15
Hi Experts,

I have got ntop working on Ubuntu 10 desktop and it is gathering data. I would like to see traffic heading to/from the internet so I have mirrored a port on our Cisco switch. The desktop has only one NIC. When I connect the cable from the mirrored port to this NIC I don't see anything. Is my only solution to have another monitoring NIC? TIA
Question by:abhijitm00
LVL 4

Expert Comment

by:maysara
You need to set the interface in promiscuous mode, probably ... (man ifconfig)

Author Comment

by:abhijitm00
Thanks for getting back maysara. This is the info from my Ubuntu machine:

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:23:ae:a9:eb:c7  
          inet addr:192.168.4.131  Bcast:192.168.5.255  Mask:255.255.254.0
          inet6 addr: fe80::223:aeff:fea9:ebc7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61994027 (61.9 MB)  TX bytes:106366670 (106.3 MB)
          Interrupt:16

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:453314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:453314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48189972 (48.1 MB)  TX bytes:48189972 (48.1 MB)

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

When I do a sudo vi /etc/network/interfaces, I see the following:

auto lo
iface lo inet loopback

Which looks to me like ntop is monitoring on the loopback interface. Is this correct?

Also, I am planning to apply sudo ifconfig eth0 promisc; will this work?

Author Comment

by:abhijitm00
Hi maysara, once I put the NIC in promiscuous mode we started getting the data we need. Thanks.

How are you using ntop in your environment? Are you using it in conjunction with any other tool?
LVL 4

Expert Comment

by:maysara
Frankly, I never used ntop; I do not think I ever heard about it before your post :)
LVL 25

Expert Comment

by:madunix
In the past I used NTop, but I found NTop was a bit of a CPU hog and I had instability issues with it on some servers, so I swapped to MRTG to see traffic: http://oss.oetiker.ch/mrtg/

Author Comment

by:abhijitm00
Thanks maysara.

madunix, thanks for responding. When you run MRTG, do you need the NIC to be in promiscuous mode? Also, does the port it connects to on a switch need to be mirrored? I am planning to test it on an Ubuntu desktop and wanted to see if it was similar to installing ntop. Any help would be appreciated. Thanks
LVL 4

Accepted Solution

by:
maysara earned 250 total points
It depends what you want the data for. Do you want to see where the traffic goes (src - dst)? Do you want it for security/intrusion detection? Do you want to see what protocols are used? Depending on what you want to do, it might be wise to get info directly from the switch (using SNMP); otherwise you need to capture all traffic, and in that case, yes, mirror and promisc on the NIC is the way to go, regardless of the tool. ntop, MRTG, Snort, Nessus, Wireshark, tcpdump, dsniff, arpwatch, etc. either handle the part of capturing traffic destined to other nodes on their own (i.e. setting the interface in promisc mode or possibly other techniques that allow reading stuff from the network stack) or require manually setting the interface in promisc mode.
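As an added example (not code from any poster in this thread), a small POSIX shell script that checks whether a NIC already shows the PROMISC flag that sudo ifconfig eth0 promisc sets, and pulls device names out of the kernel's "entered promiscuous mode" log lines, which is how a defender notices a NIC that started sniffing when nobody expected it to. The flag lines and log lines are constructed samples modeled on the ifconfig output in the question; check_iface reads a live interface and assumes the local ifconfig prints its flags on the line carrying MTU.

```shell
#!/bin/sh
# Added example: detect the PROMISC flag on an interface and in kernel log lines.
# Interface flag lines and log lines below are constructed, not a live capture.

# Constructed ifconfig flag lines: old net-tools style (as in the question)
# before and after enabling promisc, plus the newer "flags=<...>" style.
FLAGS_BEFORE='UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
FLAGS_AFTER='UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1'
FLAGS_NEW='flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST>  mtu 1500'

# is_promisc FLAGS_LINE: succeed if PROMISC appears as a whole flag in either style
is_promisc() {
    flags=$(printf '%s' "$1" | tr ',<>' '   ')
    case " $flags " in
        *" PROMISC "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# check_iface IFACE: read the live flags line for IFACE and report its state.
# Returns 0 if PROMISC is set, 1 if not, 2 if the interface could not be read.
# Assumes ifconfig prints the flags on the same line as the MTU (both styles do).
check_iface() {
    line=$(ifconfig "$1" 2>/dev/null | grep -i 'mtu' | head -n 1)
    [ -n "$line" ] || { echo "$1: cannot read flags (no such interface?)"; return 2; }
    if is_promisc "$line"; then
        echo "$1: PROMISC is set; frames from a mirrored switch port will reach ntop"
        return 0
    fi
    echo "$1: PROMISC not set; enable with: sudo ifconfig $1 promisc (or: sudo ip link set $1 promisc on)"
    return 1
}

# The kernel logs one line each time a device toggles promiscuous mode.
# promisc_devices_from_log LOGTEXT: print the names of devices that entered it,
# one per line. On a host that should never sniff, any hit is worth a look.
promisc_devices_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*device \([^ ]*\) entered promiscuous mode.*/\1/p'
}

# Constructed dmesg-style sample (not a real capture):
SAMPLE_LOG='[ 4120.1] device eth0 entered promiscuous mode
[ 4130.7] device vboxnet0 entered promiscuous mode
[ 4135.2] device vboxnet0 left promiscuous mode'
```

Run check_iface eth0 on the monitoring box to confirm the flag survived, and feed dmesg output to promisc_devices_from_log on hosts where promiscuous mode is not expected.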