Solved

ntop on Ubuntu 10

Posted on 2010-08-18
Last Modified: 2013-11-15
Hi Experts,

I have got ntop working on Ubuntu 10 desktop and it is gathering data. I would like to see traffic heading to/from the internet so I have mirrored a port on our Cisco switch. The desktop has only one NIC. When I connect the cable from the mirrored port to this NIC I don't see anything. Is my only solution to have another monitoring NIC? TIA
Question by:abhijitm00
7 Comments
 
LVL 4

Expert Comment

by:maysara
ID: 33470147
You need to set the interface in promiscuous mode probably ... (man ifconfig)
0
 

Author Comment

by:abhijitm00
ID: 33474594
Thanks for getting back maysara. This is the info from my Ubuntu machine:

ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:23:ae:a9:eb:c7  
          inet addr:192.168.4.131  Bcast:192.168.5.255  Mask:255.255.254.0
          inet6 addr: fe80::223:aeff:fea9:ebc7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:286336 errors:0 dropped:0 overruns:0 frame:0
          TX packets:107360 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:61994027 (61.9 MB)  TX bytes:106366670 (106.3 MB)
          Interrupt:16

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:453314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:453314 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:48189972 (48.1 MB)  TX bytes:48189972 (48.1 MB)

vboxnet0  Link encap:Ethernet  HWaddr 0a:00:27:00:00:00  
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

When I do a sudo vi /etc/network/interfaces, I see the following:

auto lo
iface lo inet loopback

Which looks to me like ntop is monitoring on loopback interface. Is this correct?

Also I am planning to apply sudo ifconfig eth0 promisc, will this work?
0
 

Author Comment

by:abhijitm00
ID: 33479303
Hi maysara, once I put the NIC in promiscuous mode we have started getting data we need. Thanks.

How are you using ntop in your environment? Are you using it in conjunction with any other tool?
0
 
LVL 4

Expert Comment

by:maysara
ID: 33481579
Frankly I never used ntop, I do not think I ever heard about it before your post :)
0
 
LVL 25

Expert Comment

by:madunix
ID: 33482526
In the past I used NTop, but I found NTop was a bit of a CPU hog and I had instability issues with it on some servers, so I swapped to MRTG to see traffic: http://oss.oetiker.ch/mrtg/
0
 

Author Comment

by:abhijitm00
ID: 33484663
Thanks maysara

madunix, thanks for responding. When you run MRTG, do you need the NIC to be in promiscuous mode? Also, does the port it connects to on a switch need to be mirrored? I am planning to test it on an Ubuntu desktop and wanted to see if it was similar to installing ntop. Any help would be appreciated. Thanks
0
 
LVL 4

Accepted Solution

by:
maysara earned 1000 total points
ID: 33491015
Depends what you want the data for. Do you want to see where the traffic goes (src - dst)? Do you want it for security/intrusion detection? You want to see what protocols are used? Depending on what you want to do, it might be wise to get info directly from the switch (using SNMP); otherwise you need to capture all traffic. In that case, yes, mirror and promisc on the NIC is the way to go, regardless of the tool. ntop, mrtg, snort, nessus, wireshark, tcpdump, dsniff, arpwatch, etc. either handle the part of capturing traffic destined to other nodes on their own (i.e. setting the interface in promisc mode, or possibly other techniques that allow reading stuff from the network stack) or require manually setting the interface in promisc mode.
0
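Added example, not part of the original thread: a shell check for the PROMISC flag, both in `ifconfig -a` text of the layout pasted above and in the Linux sysfs flags word (IFF_PROMISC is 0x100). The function names, the `eth1` stanza and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the old net-tools "ifconfig -a" layout seen in the thread.
# eth0: flags as before "ifconfig eth0 promisc"; eth1 (hypothetical): after it.
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1

lo        Link encap:Local Loopback
          UP LOOPBACK RUNNING  MTU:16436  Metric:1'

# promisc_from_ifconfig IFACE   (reads ifconfig text on stdin)
# Prints "promisc", "normal", or "absent" when the interface is not listed.
promisc_from_ifconfig() {
    awk -v want="$1" '
        NF && substr($0, 1, 1) != " " { cur = $1 }   # stanza header starts in column 1
        cur == want && /MTU:/ {                      # the flags line is the one with MTU:
            found = 1
            for (i = 1; i <= NF; i++) if ($i == "PROMISC") p = 1
        }
        END { print (!found ? "absent" : (p ? "promisc" : "normal")) }
    '
}

# flags_has_promisc HEX : succeeds when the IFF_PROMISC bit (0x100) is set
# in a value as read from /sys/class/net/<iface>/flags.
flags_has_promisc() {
    [ $(( $1 & 0x100 )) -ne 0 ]
}

# promisc_live IFACE : same answer for the running Linux system, via sysfs.
promisc_live() {
    f="/sys/class/net/$1/flags"
    [ -r "$f" ] || { echo absent; return; }
    if flags_has_promisc "$(cat "$f")"; then echo promisc; else echo normal; fi
}

# To enable the mode (as done in the thread):  sudo ifconfig eth0 promisc
# iproute2 equivalent:                         sudo ip link set dev eth0 promisc on
printf '%s\n' "$SAMPLE" | promisc_from_ifconfig eth0   # sample text
promisc_live eth0                                      # this machine
```
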
