Hack 37. Get Real-Time Network Stats
Get a picture of utilization on your network over time with ntop.
If you're looking for real-time network statistics, you should check out the terrific ntop tool. It is a full-featured protocol analyzer with a web frontend, complete with SSL and graphing support. Although ntop isn't exactly lightweight, it does give you a nice picture of who's talking to whom on your network. Get it at http://www.ntop.org.
ntop needs to run initially as root in order to throw your interfaces into promiscuous mode and start capturing packets, but then releases its privileges to a user that you specify. If you need to run ntop for long periods of time or you have a large network, you'll probably be happiest running it on a dedicated monitoring box.
Here's a quick reference on how to get ntop up and running quickly in Linux. It should be trivial to do this also on BSD, Mac OS X, Solaris, and other Unix-like creatures. First, create an ntop user and group:
# groupadd ntop
# useradd -c "ntop user" -d /usr/local/etc/ntop -s /bin/true -g ntop ntop
Then unpack and build ntop per the instructions in docs/BUILD-NTOP.txt. I assume that you have the source tree unpacked in /usr/local/src/ntop/.
Create a directory for ntop to keep its capture database in:
# mkdir /usr/local/etc/ntop
# chown root /usr/local/etc/ntop
The capture database should be owned by root, and not by the ntop user.
If you'd like to use SSL for HTTPS, copy the default SSL key to /usr/local/etc/ntop:
# cp /usr/local/src/ntop-2.1.3/ntop/*pem /usr/local/etc/ntop
Note that the default SSL key will not be built with the correct hostname for your server. Now we need to initialize the ntop databases and set an administrative password:
# ntop -A -u ntop -P /usr/local/etc/ntop
21/Sep/2002 20:30:23 Initializing GDBM…
21/Sep/2002 20:30:23 Started thread (1026) for network packet analyser.
21/Sep/2002 20:30:23 Started thread (2051) for idle hosts detection.
21/Sep/2002 20:30:23 Started thread (3076) for DNS address resolution.
21/Sep/2002 20:30:23 Started thread (4101) for address purge.
Please enter the password for the admin user:
Please enter the password again:
21/Sep/2002 20:30:29 Admin user password has been set.
Finally, run ntop as a daemon and start the SSL server on your favorite port (4242, for example):
# ntop -u ntop -P /usr/local/etc/ntop -W4242 -d
By default, ntop also runs a standard HTTP server on port 3000. You should strongly consider locking down access to these ports at your firewall, or by using command-line iptables rules on your Linux machine.
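One way to do that lockdown on the ntop host itself, as an added example that is not part of the original hack: a small POSIX shell script that restricts the HTTP (3000) and HTTPS (4242) ports to a management subnet, printing the iptables rules for review and only applying them when APPLY=1. The subnet 192.0.2.0/24 is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original hack): limit ntop's web ports to a
# management subnet. 192.0.2.0/24 is a constructed placeholder subnet.

# Print the iptables commands that allow <mgmt_cidr> to reach each port
# and log-then-drop everyone else.
# Usage: ntop_lockdown_rules <mgmt_cidr> <port>...
ntop_lockdown_rules() {
    mgmt="$1"; shift
    # Refuse anything that does not look like an IPv4 CIDR, so an empty or
    # mistyped argument can never turn into an "allow everyone" rule.
    case "$mgmt" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) ;;
        *) echo "bad management CIDR: '$mgmt'" >&2; return 1 ;;
    esac
    for port in "$@"; do
        echo "iptables -A INPUT -p tcp --dport $port -s $mgmt -j ACCEPT"
        # Rate-limited LOG so a scan of the ntop ports shows up in syslog
        # without flooding it.
        echo "iptables -A INPUT -p tcp --dport $port -m limit --limit 5/min -j LOG --log-prefix \"ntop-port-$port: \""
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Dry run by default; set APPLY=1 (as root) to execute the rules.
ntop_lockdown() {
    rules=$(ntop_lockdown_rules "$@") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        printf '%s\n' "$rules" | while IFS= read -r cmd; do eval "$cmd"; done
    else
        printf '%s\n' "$rules"
    fi
}
```

Run `ntop_lockdown 192.0.2.0/24 4242 3000` first to review the output, then `APPLY=1 ntop_lockdown 192.0.2.0/24 4242 3000` as root; add an equivalent rule set at the perimeter firewall if ntop is reachable from outside.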
Let ntop run for a while, and then connect to https://your.server.here:4242. You can find out all sorts of details about what traffic has been seen on your network, as shown in Figure 2-41.
Figure 2-41. Showing lots of real-time network information with ntop
While tools such as tcpdump [Hack #33] and Ethereal [Hack #31] give you detailed, interactive analysis of network traffic, ntop delivers a wealth of statistical information in a slick and easy-to-use web interface. When properly installed and locked down, it will likely become a favorite tool in your network-analysis tool chest.