All,

Does anyone know how to create custom reports with ntop?  If someone could 
point me in the right direction I would be most grateful.

I have googled the crap out of this:

ntop + custom reports
ntop config examples
ntop + howto

and I haven't found anything that clues me into the internals enough to 
extract what I am looking for...


Thanks,


Dave...



Environment
ntop v.3.0 SourceForge RPM MT (SSL) (configured on Mar 21 2004 18:07:20, built on Mar 21 2004 18:08:27)
Linux rhentes151 2.4.21-15.0.4.EL #1 Sat Jul 31 01:33:50 EDT 2004 i686 i686 i386 GNU/Linux (RH Ent. Linux 3.x)

ntop.conf
[clipped leading comments]

############################## RUNNING ENVIRONMENT #############################

## -u | --user -- tells ntop the user id to run as. 

##  NOTE: This should not be root unless you really understand
##        the security risks.

--user root

##-----------------------------------------------------------------------------#

## -d | --daemon -- sets ntop to run as a daemon (in the background, not
##        connected to a specific terminal).

##  NOTE: For more than casual use, you probably want this.

--daemon

##-----------------------------------------------------------------------------#

## -P | --db-file-path -- sets the directory that ntop runs from. 

##  NOTE: Use an absolute path (not a relative one like ../ntop) because
##        the working directory (pwd) will be different when ntop is run
##        from the command line, from cron and from initialization.

--db-file-path /var/downloads/ntop/working
#? -P /var/ntop

##-----------------------------------------------------------------------------#

## -D | --domain -- Sets the domain.  ntop should be able to determine
## this automatically, but occasionally has problems. If so, this makes the
## output cleaner.

#? --domain mydomain.com


################################ WHAT TO MONITOR ###############################

## -i | --interface tells ntop which network interfaces (NICs) to monitor.
##  DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
--interface eth0

## To monitor both eth0 and eth2 but not eth1:
#? --interface eth0,eth2

## To monitor NO ethernet interfaces (for example a system collecting data
## only from netFlow probes):

#? --interface none

##-----------------------------------------------------------------------------#

## -M | --no-interface-merge -- tells ntop not to merge data from all of the
## network interfaces it is monitoring.  See the man page and docs/FAQ for
## discussions of -M.

#? --no-interface-merge

##-----------------------------------------------------------------------------#

## -m | --local-subnets -- Tells ntop of additional networks that should
##        be considered local.  This is for the local/remote breakdowns
##        and because additional data is kept and display for local hosts.

##       The addresses of the network interface(s) (NICs) are always local
##       and don't need to be specified. If you use unnumbered interfaces
##       you MUST give ntop this information.

## NOTE: You can mix CIDR and network/netmask notation.

## SEE ALSO: --track-local-hosts

## EXAMPLES:

## Traffic I see (broadcasts only, of course) on my cable modem includes
## other subnets than my own 12.239.98.0/24.  I see 12.239.99.0/24 and
## 12.239.100.0/24 - to tell this to ntop:
#? -m 12.239.99.0/24,12.239.100.0/24

## I actually run this way, telling ntop about the whole range of 
## addresses used as well as the private network used internally by the 
## cable modems themselves.
#? -m 192.168.42.0/24,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16 

## All of these are equivalent to the one above:

## -m 192.168.42.0/255.255.255.0,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## -m 192.168.42.0/255.255.255.0,12.239.96.0/255.255.252.0,12.239.100.0/255.255.255.0,10.113.0.0/255.255.0.0


-m 192.168.188.0/255.255.252.0


##-----------------------------------------------------------------------------#

## -p | --protocols -- ntop comes with an extensive list of common tcp/ip
## protocols to monitor already built in.  (See docs/FAQ for the current list).
## If you want to increase, decrease or change this list, this is the parameter.

## It can be either a file or a list.  To point ntop to a file specify
## its name:

#? -p /usr/share/ntop/protocol.list 

## Or to give an explicit list:

#? --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"

##-----------------------------------------------------------------------------#

## -c | --sticky-hosts -- tells ntop NOT to purge idle hosts from memory.

## DO NOT USE THIS unless you are on a small, very static network, or you
## have LOTS of memory.

## It is strongly recommended that you use a filtering expression to limit
## the hosts which are stored if you use --sticky-hosts.

#? --sticky-hosts

##-----------------------------------------------------------------------------#

## --disable-instantsessionpurge -- by default, ntop internally changes the
## status of completed sessions so that they get purged immediately.  This
## doesn't present a true picture of the network, but does conserve memory.
## Enable this switch to see those finished sessions before their purge
## interval (5 minutes) expires, IF YOU HAVE ENOUGH MEMORY.

#? --disable-instantsessionpurge

################################## LOG MESSAGES ################################

## -t | --trace-level -- controls the amount and severity of messages that
## ntop will put out.  Choices are:

#--trace-level 0 # FATALERROR only
#--trace-level 1 # ERROR and above only 
#--trace-level 2 # WARNING and above only
#--trace-level 3 # INFO, WARNING and ERRORs - the default
#--trace-level 4 # NOISY - everything
#--trace-level 6 # NOISY + MSGID
#--trace-level 7 # NOISY + MSGID + file/line

--trace-level 3 # Which is the default

##-----------------------------------------------------------------------------#

##
## -L | --use-syslog | --use-syslog=xxxx -- By default, ntop writes its
## messages to stdout (the terminal).

## WARNING: If you are running ntop as a daemon (--daemon parameter), the
## stdout (terminal) does not exist and so messages will be dropped.
## You probably don't want to do this.  Instead, use this -L | --use-syslog
## parameter to save them into the system log (/var/log/messages).
##
## Thus a typical startup for ntop running as a daemon is:
#--daemon --use-syslog


## You can also direct the messages to another file.  You'll want to
## look at man syslog.conf to setup the configuration file.  For example
## to use 'local3' to keep ntop messages separate, I have this in my
## /etc/syslog.conf:

##   # Save ntop
##   local3.*                                           /var/log/ntop.log

## Then I run ntop with this:
#? --use-syslog=local3

##  NOTE: The = is REQUIRED and no spaces are permitted.


################################## WEB SERVER ##################################

## ntop offers both an http:// and https:// web server.  These parameters
## tell ntop which ports (and interfaces) to offer this web server on.

## -w | --http-server -- is the http:// web server.

##  NOTE: --http-server 3000 is the default
--http-server 3000

## -W | --https-server -- is the https:// web server.

#--https-server 3001

## The default is -w 3000 -W 0 (disabled).  You can also...

## https:// only:
#? -w 0 -W 3001

## http:// and https://
#? --http-server 3000 --https-server 3001

## Neither - say ntop is running only as a netFlow probe:
#? -w 0 -W 0

## You can also limit ntop to listening on a specific interface. For example:

#? -w 127.0.0.1:3000  # Listens only on the loopback interface at port 3000

########################### PERFORMANCE AND PROBLEMS ###########################

## -B | --filter-expression -- gives ntop a bpf (Berkeley Packet Filter) expression
## to use.  (the easiest place to find bpf documented is on the tcpdump man page).

## NOTE: The filter expression MUST be in quotes.

## To restrict ntop to only a few machines on a large network, say 192.168.1.88
## through 91:

#? -B "net 192.168.1.88/30"

## That is equivalent to specifying the specific hosts:

#? -B "host (192.168.1.88 or 192.168.1.89 or 192.168.1.90 or 192.168.1.91)"

## You can limit traffic to that from (src) or to (dst) a specific host:

#? -B "src host www.mycompany.com"
#? -B "dst host www.mycompany.com"

## You can limit it to a specific protocol, including src/dst:

#? -B "port ssh"
#? -B "src port ssh"
#? -B "dst port ssh"

##-----------------------------------------------------------------------------#

## -o | --no-mac -- Configures ntop not to trust MAC addrs.
## This is used if you observe ntop being confused by 'changing' addresses -
## i.e. ntop believes that the corporate web server is actually Joe's desktop
## computer.

#--no-mac

##-----------------------------------------------------------------------------#

## -g | --track-local-hosts -- Tells ntop to track only local hosts. These
## are hosts defined as local according to the network interfaces or specified
## by the --local-subnets option.

## Use this if you are seeing too many hosts and all you care about is the
## local (LAN) traffic.

#--track-local-hosts

##-----------------------------------------------------------------------------#

## -z | --disable-sessions -- Tells ntop not to track tcp session information.
## Speeds up processing, requires less memory, but conveys less information.

#--disable-sessions

##-----------------------------------------------------------------------------#

## --disable-schedyield -- Under certain circumstances, the sched_yield()
## function causes the ntop web server to lock up.  It shouldn't happen, but
## it does.  This option causes ntop to skip those calls, at a tiny performance
## penalty.

--disable-schedyield

_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
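The posted ntop.conf carries its own warnings (do not run as root, use an absolute --db-file-path, a daemon needs --use-syslog, the http server defaults to port 3000 on every interface with https disabled, -m accepts CIDR and network/netmask mixed), yet the active lines in it violate several of them. As an added example, not code from the ntop project or from the post above, here is a small Python audit that parses a file of that shape and reports those settings. It understands only the options that appear in the posted file; the alias table is taken from the config comments, the sample config lines are a constructed copy of the posted active lines, and the default values (3000 for -w, 0 for -W) are the ones the comments state.

```python
"""Audit an ntop 3.x configuration file for the settings its own
comments warn about.  Added example, not ntop project code: it knows only
the options that appear in the posted ntop.conf."""
import ipaddress
import shlex

# Constructed sample: the active (uncommented) lines of the posted config,
# plus one disabled line to show that '#' comments are ignored.
SAMPLE_CONF = """\
--user root
--daemon
--db-file-path /var/downloads/ntop/working
--interface eth0
-m 192.168.188.0/255.255.252.0
--trace-level 3 # Which is the default
--http-server 3000
#--https-server 3001
--disable-schedyield
"""

# Short-to-long option names, as listed in the config comments.
ALIASES = {
    "-u": "--user", "-d": "--daemon", "-P": "--db-file-path",
    "-i": "--interface", "-m": "--local-subnets", "-B": "--filter-expression",
    "-L": "--use-syslog", "-w": "--http-server", "-W": "--https-server",
}


def parse_conf(text):
    """Return {long_option: value}.  '#' starts a comment, so '#?' examples
    and '#--option' disabled lines are skipped.  A quoted BPF filter
    (-B "net ...") is kept as one value; a bare flag maps to True."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        name, value = tokens[0], " ".join(tokens[1:]) or True
        if name.startswith("--") and "=" in name:       # --use-syslog=local3
            name, value = name.split("=", 1)
        opts[ALIASES.get(name, name)] = value
    return opts


def normalize_subnets(spec):
    """-m takes CIDR and network/netmask forms mixed; return canonical CIDR
    so that 192.168.42.0/255.255.255.0 and 192.168.42.0/24 compare equal."""
    return [str(ipaddress.ip_network(s.strip(), strict=False))
            for s in spec.split(",") if s.strip()]


def audit(opts):
    """Return a list of findings (strings) for a parsed option map."""
    findings = []
    if opts.get("--user") == "root":
        findings.append("--user root: the config's own note says not to run as root")
    if "--daemon" in opts and "--use-syslog" not in opts:
        findings.append("--daemon without --use-syslog: messages go to a stdout "
                        "that no longer exists")
    path = opts.get("--db-file-path")
    if isinstance(path, str) and not path.startswith("/"):
        findings.append("--db-file-path %s is relative; use an absolute path" % path)
    http = str(opts.get("--http-server", "3000"))    # 3000 is ntop's default
    https = str(opts.get("--https-server", "0"))     # https is off by default
    if http != "0" and ":" not in http:
        findings.append("--http-server %s listens on every interface; "
                        "use 127.0.0.1:%s" % (http, http))
    if http != "0" and https == "0":
        findings.append("web UI is plain http only; enable -W (https) "
                        "or use -w 0 -W 3001")
    return findings


if __name__ == "__main__":
    parsed = parse_conf(SAMPLE_CONF)
    for finding in audit(parsed):
        print("WARN:", finding)
    print("local subnets:", normalize_subnets(parsed["--local-subnets"]))
```

Run against the posted lines it reports four findings (root, daemon without syslog, http on every interface, no https) and prints the -m value as 192.168.188.0/22. A config of the shape `-u ntop`, `-d -L`, `-w 127.0.0.1:3000 -W 3001` with an absolute -P passes clean, which is the minimum I would want before exposing that web server on a shared segment.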
