Negated Void (l33t)
Joined: 25 Dec 2002, Posts: 672
Posted: Wed Apr 07, 2004 1:32 pm, Post subject: Ntop: How to use it properly?
Hello!
I'm monitoring my server with ntop, and I like the functionality and whatnot. I only seem to understand completely like 5% of the things it's able to tell me, though, and would like to improve that. Any hints on a good site/way to do so? I couldn't find it w/ search...
Some specific questions:
1) What is "NBios-IP" traffic? One host on my network supplied a half gig of this to the server in a day... is that bad? It flagged him as a "medium risk" - how do I know what the risk is?
2) Do I need to specify which computers/subnet is local, or can it assume that?
3) Can I remove some unused protocols from the list, to save screen space?
4) Can I password protect the entire embedded webserver? As it is, anyone can poke at my stats. Which is unsettling.
5) One of the hosts on the list is the server I'm monitoring, and it's sending a lot of traffic. What gives with that?
Thanks in advance,
-Murph
adaptr (Watchman)
Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands
Posted: Wed Apr 07, 2004 2:13 pm, Post subject: Re: Ntop: How to use it properly?
Negated Void wrote:
> 1) What is "NBios-IP" traffic?

NetBIOS over TCP/IP - Windows networking from the Stone Age.
This is normally only ever used to communicate with a Windows share, not to transfer data.

Negated Void wrote:
> One host on my network supplied a half gig of this to the server in a day... is that bad? It flagged him as a "medium risk" - how do I know what the risk is?

If you don't have sensitive data on the shares the machine connects to - little to none.

Negated Void wrote:
> 2) Do I need to specify which computers/subnet is local, or can it assume that?

It does assume that, obviously.
Your local subnet is the included subnet of the interface(s) in the box.
Your local domain is the FQDN minus the hostname of the box - if any.

Negated Void wrote:
> 3) Can I remove some unused protocols from the list, to save screen space?

I don't know, but since it's a complete CGI app (not much HTML there!) that probably involves either rewriting HTML templates or - bugger - editing source code...

Negated Void wrote:
> 4) Can I password protect the entire embedded webserver? As it is, anyone can poke at my stats. Which is unsettling.

You can proxy it through a protected Apache virtualhost - as 10 seconds of reading the ntop web site tells me...

Negated Void wrote:
> 5) One of the hosts on the list is the server I'm monitoring, and it's sending a lot of traffic. What gives with that?

Since it's a server, wouldn't you expect it to get the most traffic?
I would.
_________________
>>> emerge (3 of 7) mcse/70-293 to /
Essential tools: gentoolkit eix profuse screen
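The "protected Apache virtualhost" approach from the reply above, written out as an added example (not from this thread or the ntop project): Apache fronts ntop's embedded web server and requires HTTP Basic authentication before any stats page is served. Assumptions: ntop has been started so that it listens only on loopback (e.g. `ntop -w 127.0.0.1:3000`; check the `[address:]port` form against your ntop version's `--help`), mod_proxy, mod_proxy_http and Basic auth are loaded, and the user file was created with `htpasswd -c /etc/apache2/ntop.htpasswd murph`.

```apache
# Added example: Apache 2 virtual host protecting ntop's web interface.
# ntop itself is assumed to be bound to 127.0.0.1:3000 so that nothing can
# reach it except through this authenticated proxy.
<VirtualHost *:80>
    ServerName ntop.example.internal

    # Only the explicit ProxyPass below is honoured; never act as an open
    # forward proxy for arbitrary destinations.
    ProxyRequests Off
    ProxyPreserveHost On

    # Every URL under / must be authenticated before it is handed to ntop.
    <Location />
        AuthType Basic
        AuthName "ntop statistics"
        AuthUserFile /etc/apache2/ntop.htpasswd
        Require valid-user
    </Location>

    # Forward authenticated requests to the loopback-only ntop listener and
    # rewrite redirects/Location headers it sends back.
    ProxyPass        / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # Separate logs make it easy to review who has been looking at the stats.
    CustomLog /var/log/apache2/ntop_access.log combined
    ErrorLog  /var/log/apache2/ntop_error.log
</VirtualHost>
```

Basic auth only base64-encodes the password, so if the stats are reachable beyond the LAN, put this vhost behind SSL or additionally restrict it to your admin subnet; binding ntop to loopback is what stops anyone from simply connecting to port 3000 directly.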
Negated Void (l33t)
Joined: 25 Dec 2002, Posts: 672
Posted: Wed Apr 07, 2004 10:00 pm
Hehe.
So NetBIOS over TCP/IP is my Samba stuff... makes sense!
Didn't think of the Apache thing, as it is an embedded web server thing.
As for the last comment - it looks like it sent a lot of data to itself, that's all.
adaptr (Watchman)
Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands
Posted: Thu Apr 08, 2004 7:53 am
Sends data to itself?
Seems to me you really need to familiarise yourself with ntop's data representation some more...
The only instance it could send data to itself is when both the sender and receiver are that one IP address.
The rest is just broadcasts or your misinterpretation.
Negated Void (l33t)
Joined: 25 Dec 2002, Posts: 672
Posted: Thu Apr 08, 2004 7:03 pm
Yeah, that's what I'm saying - it's odd!
The machine shows up in its own "data sent" column.
adaptr (Watchman)
Joined: 06 Oct 2002, Posts: 6730, Location: Rotterdam, Netherlands
Posted: Fri Apr 09, 2004 11:01 am
And... why would that be weird?
Or mean that it sends data to itself?
Network traffic always involves two machines - a sender and a receiver.
Then there's the loopback address, which is always the machine itself, and subnet broadcasts, and...
nadmaximus (n00b)
Joined: 30 Jan 2003, Posts: 17
Posted: Fri Apr 09, 2004 2:30 pm, Post subject: ntop
We run NTOP here on a large class B network. The NTOP box is located such that it is on a spanned port mirroring our WAN link, and of course all of our subnets save one are on the other side of our firewall and core router. Therefore, the NTOP box doesn't see the MAC of the hosts on our network.
If your NTOP box can't see the MACs, and you don't use the flag to tell NTOP to trust only IPs, it will lump traffic together using the MAC of the router. The name of the machine it assigns the traffic to in this case seems to vary; usually it seems to be a very active host. If your NTOP box is also acting as a gateway, it could very well be listing lots of traffic as belonging to the box itself, if it can't see the MACs as I described.
You might try firing it up with the flag to trust IPs only, and additionally specify your local network mask. Another tip is, if you're going to use the rrdtool plugin, make sure you set your local hosts mask there as well, otherwise you'll be tracking the whole internet and just might run out of space eventually.
-price