All,

Does anyone know how to create custom reports with ntop? If someone could point me in the right direction I would be most grateful.
I have googled the crap out of this:
    ntop + custom reports
    ntop config examples
    ntop + howto
and I haven't found anything that clues me into the internals enough to extract what I am looking for...

Thanks,
Dave...

Environment
ntop v.3.0 SourceForge RPM MT (SSL) (configured on Mar 21 2004 18:07:20, built on Mar 21 2004 18:08:27)
Linux rhentes151 2.4.21-15.0.4.EL #1 Sat Jul 31 01:33:50 EDT 2004 i686 i686 i386 GNU/Linux (RH Ent. Linux 3.x)

ntop.conf [clipped leading comments]

############################## RUNNING ENVIRONMENT #############################
## -u | --user -- tells ntop the user id to run as.
## NOTE: This should not be root unless you really understand
## the security risks.
--user root
##-----------------------------------------------------------------------------#
## -d | --daemon -- sets ntop to run as a daemon (in the background, not
## connected to a specific terminal).
## NOTE: For more than casual use, you probably want this.
--daemon
##-----------------------------------------------------------------------------#
## -P | --db-file-path -- sets the directory that ntop runs from.
## NOTE: Use an absolute path (not a relative one like ../ntop) because
## the working directory (pwd) will be different when ntop is run
## from the command line, from cron and from initialization.
--db-file-path /var/downloads/ntop/working
#? -P /var/ntop
##-----------------------------------------------------------------------------#
## -D | --domain -- Sets the domain. ntop should be able to determine
## this automatically, but occasionally has problems. If so, this makes the
## output cleaner.
#? --domain mydomain.com
################################ WHAT TO MONITOR ###############################
## -i | --interface tells ntop which network interfaces (NICs) to monitor.
## DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
--interface eth0
## To monitor both eth0 and eth2 but not eth1:
#? --interface eth0,eth2
## To monitor NO ethernet interfaces (for example a system collecting data
## only from netFlow probes):
#? --interface none
##-----------------------------------------------------------------------------#
## -M | --no-interface-merge -- tells ntop not to merge data from all of the
## network interfaces it is monitoring. See the man page and docs/FAQ for
## discussions of -M.
#? --no-interface-merge
##-----------------------------------------------------------------------------#
## -m | --local-subnets -- Tells ntop of additional networks that should
## be considered local. This is for the local/remote breakdowns
## and because additional data is kept and displayed for local hosts.
## The addresses of the network interface(s) (NICs) are always local
## and don't need to be specified. If you use unnumbered interfaces
## you MUST give ntop this information.
## NOTE: You can mix CIDR and network/netmask notation.
## SEE ALSO: --track-local-hosts
## EXAMPLES:
## Traffic I see (broadcasts only, of course) on my cable modem includes
## other subnets than my own 12.239.98.0/24. I see 12.239.99.0/24 and
## 12.239.100.0/24 - to tell this to ntop:
#? -m 12.239.99.0/24,12.239.100.0/24
## I actually run this way, telling ntop about the whole range of
## addresses used as well as the private network used internally by the
## cable modems themselves.
#? -m 192.168.42.0/24,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## All of these are equivalent to the one above:
## -m 192.168.42.0/255.255.255.0,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## -m 192.168.42.0/255.255.255.0,12.239.96.0/255.255.252.0,12.239.100.0/255.255.255.0,10.113.0.0/255.255.0.0
-m 192.168.188.0/255.255.252.0
##-----------------------------------------------------------------------------#
## -p | --protocols -- ntop comes with an extensive list of common tcp/ip
## protocols to monitor already built in. (See docs/FAQ for the current list).
## If you want to increase, decrease or change this list, this is the parameter.
## It can be either a file or a list. To point ntop to a file specify its name:
#? -p /usr/share/ntop/protocol.list
## Or to give an explicit list:
#? --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"
##-----------------------------------------------------------------------------#
## -c | --sticky-hosts -- tells ntop NOT to purge idle hosts from memory.
## DO NOT USE THIS unless you are on a small, very static network, or you
## have LOTS of memory.
## It is strongly recommended that you use a filtering expression to limit
## the hosts which are stored if you use --sticky-hosts.
#? --sticky-hosts
##-----------------------------------------------------------------------------#
## --disable-instantsessionpurge -- by default, ntop internally changes the
## status of completed sessions so that they get purged immediately. This
## doesn't present a true picture of the network, but does conserve memory.
## Enable this switch to see those finished sessions before their purge
## interval (5 minutes) expires, IF YOU HAVE ENOUGH MEMORY.
#? --disable-instantsessionpurge
################################## LOG MESSAGES ################################
## -t | --trace-level -- controls the amount and severity of messages that
## ntop will put out. Choices are:
#--trace-level 0 # FATALERROR only
#--trace-level 1 # ERROR and above only
#--trace-level 2 # WARNING and above only
#--trace-level 3 # INFO, WARNING and ERRORs - the default
#--trace-level 4 # NOISY - everything
#--trace-level 6 # NOISY + MSGID
#--trace-level 7 # NOISY + MSGID + file/line
--trace-level 3 # Which is the default
##-----------------------------------------------------------------------------#
##
## -L | --use-syslog | --use-syslog=xxxx -- By default, ntop writes its
## messages to stdout (the terminal).
## WARNING: If you are running ntop as a daemon (--daemon parameter), the
## stdout (terminal) does not exist and so messages will be dropped.
## You probably don't want to do this. Instead, use this -L | --use-syslog
## parameter to save them into the system log (/var/log/messages).
##
## Thus a typical startup for ntop running as a daemon is:
#--daemon --use-syslog
## You can also direct the messages to another file. You'll want to
## look at man syslog.conf to setup the configuration file. For example
## to use 'local3' to keep ntop messages separate, I have this in my
## /etc/syslog.conf:
## # Save ntop
## local3.* /var/log/ntop.log
## Then I run ntop with this:
#? --use-syslog=local3
## NOTE: The = is REQUIRED and no spaces are permitted.
################################## WEB SERVER ##################################
## ntop offers both an http:// and https:// web server. These parameters
## tell ntop which ports (and interfaces) to offer this web server on.
## -w | --http-server -- is the http:// web server.
## NOTE: --http-server 3000 is the default
--http-server 3000
## -W | --https-server -- is the https:// web server.
#--https-server 3001
## The default is -w 3000 -W 0 (disabled). You can also...
## https:// only:
#? -w 0 -W 3001
## http:// and https://
#? --http-server 3000 --https-server 3001
## Neither - say ntop is running only as a netFlow probe:
#? -w 0 -W 0
## You can also limit ntop to listening on a specific interface. For example:
#? -w 127.0.0.1:3000 # Listens only on the loopback interface at port 3000
########################### PERFORMANCE AND PROBLEMS ###########################
## -B | filter-expression -- gives ntop a bpf (Berkeley Packet Filter) expression
## to use. (the easiest place to find bpf documented is on the tcpdump man page).
## NOTE: The filter expression MUST be in quotes.
## To restrict ntop to only a few machines on a large network, say 192.168.1.88
## through 91:
#? -B "net 192.168.1.88/30"
## That is equivalent to specifying the specific hosts:
#? -B "host (192.168.1.88 or 192.168.1.89 or 192.168.1.90 or 192.168.1.91)"
## You can limit traffic to that from (src) or to (dst) a specific host:
#? -B "src host www.mycompany.com"
#? -B "dst host www.mycompany.com"
## You can limit it to a specific protocol, including src/dst:
#? -B "port ssh"
#? -B "src port ssh"
#? -B "dst port ssh"
##-----------------------------------------------------------------------------#
## -o | --no-mac -- Configures ntop not to trust MAC addrs.
## This is used if you observe ntop being confused by 'changing' addresses -
## i.e. ntop believes that the corporate web server is actually Joe's desktop
## computer.
#--no-mac
##-----------------------------------------------------------------------------#
## -g | --track-local-hosts -- Tells ntop to track only local hosts. These
## are hosts defined as local according to the network interfaces or specified
## by the --local-subnets option.
## Use this if you are seeing too many hosts and all you care about is the
## local (LAN) traffic.
#--track-local-hosts
##-----------------------------------------------------------------------------#
## -z | --disable-sessions -- Tells ntop not to track tcp session information.
## Speeds up processing, requires less memory, but conveys less information.
#--disable-sessions
##-----------------------------------------------------------------------------#
## --disable-schedyield -- Under certain circumstances, the sched_yield()
## function causes the ntop web server to lock up. It shouldn't happen, but
## it does. This option causes ntop to skip those calls, at a tiny performance
## penalty.
--disable-schedyield
_______________________________________________
Ntop mailing list
[EMAIL PROTECTED]
http://listgateway.unipi.it/mailman/listinfo/ntop
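The ntop.conf Dave posted mixes four kinds of line: `##` commentary, `#?` sample directives that are not active, `#` disabled directives, and bare active directives. The file's own comments also carry the settings worth checking before deployment (running as root, daemonising without syslog, the web server bound to every interface, --sticky-hosts without a -B filter). The script below is an added example, not part of the list post and not ntop's own code: it parses a config in that layout into the effective option set and reports those findings. The short-to-long option mapping is taken from the posted comments (the `-B` long name `--filter-expression` is assumed from the comment text), and the sample config embedded in it is constructed for the example.

```python
"""Added example (not from the ntop list post or from ntop itself): parse an
ntop.conf in the layout shown in the message and audit the ACTIVE directives
against the warnings the file's own comments give."""

import re
from typing import Dict, List, Tuple

# Constructed sample in the posted layout: ## comments, #? samples, # disabled,
# and bare active directives. Only the bare lines count.
SAMPLE_CONF = """\
############################## RUNNING ENVIRONMENT #############################
## -u | --user -- tells ntop the user id to run as.
--user root
--daemon
--db-file-path /var/downloads/ntop/working
#? -P /var/ntop
--interface eth0
#? --interface eth0,eth2
-m 192.168.188.0/255.255.252.0
--trace-level 3 # Which is the default
--http-server 3000
#--https-server 3001
#? -w 127.0.0.1:3000 # Listens only on the loopback interface at port 3000
--disable-schedyield
"""

# Short forms mapped to long names, as listed in the posted comments.
# "-B" -> "--filter-expression" is assumed from the "-B | filter-expression" comment.
ALIASES = {
    "-u": "--user", "-d": "--daemon", "-P": "--db-file-path",
    "-i": "--interface", "-m": "--local-subnets", "-t": "--trace-level",
    "-w": "--http-server", "-W": "--https-server", "-B": "--filter-expression",
    "-c": "--sticky-hosts", "-L": "--use-syslog",
}


def parse_conf(text: str) -> Dict[str, str]:
    """Return {long-option: value} for active directives only.

    Any line starting with '#' (so '##' comments, '#?' samples and '#'
    disabled directives) is skipped; a trailing ' # ...' comment on an
    active line is dropped. Flags without a value map to ''.
    """
    active: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0].strip()
        # Accept "--opt value", "--opt=value", "-x value" and bare "--flag".
        m = re.match(r"(-[-\w]+)(?:[=\s]+(.*))?$", line)
        if not m:
            continue
        opt, val = m.group(1), (m.group(2) or "").strip()
        active[ALIASES.get(opt, opt)] = val
    return active


def audit(active: Dict[str, str]) -> List[Tuple[str, str]]:
    """Findings (severity, message) derived from the config file's own NOTEs."""
    findings: List[Tuple[str, str]] = []
    if active.get("--user") == "root":
        findings.append(("HIGH", "--user root: the file's NOTE says not to run ntop as root"))
    if "--daemon" in active and "--use-syslog" not in active:
        findings.append(("MEDIUM", "--daemon without --use-syslog: stdout does not exist, "
                                   "so log messages are dropped"))
    # The comments state 3000 is the default when -w is absent, and that a
    # host:port form restricts the listener to one interface.
    http = active.get("--http-server", "3000")
    if http != "0" and ":" not in http:
        findings.append(("MEDIUM", f"--http-server {http} is not bound to an interface; "
                                   f"use e.g. 127.0.0.1:{http} to restrict it"))
    if "--sticky-hosts" in active and "--filter-expression" not in active:
        findings.append(("LOW", "--sticky-hosts without a -B filter: idle hosts are never purged"))
    path = active.get("--db-file-path")
    if path is not None and not path.startswith("/"):
        findings.append(("LOW", f"--db-file-path {path} is relative; the NOTE requires an absolute path"))
    return findings


if __name__ == "__main__":
    settings = parse_conf(SAMPLE_CONF)
    for opt, val in sorted(settings.items()):
        print(f"{opt} = {val!r}")
    for sev, msg in audit(settings):
        print(f"[{sev}] {msg}")
```

Running it against the constructed sample reports the root user, the daemon-without-syslog combination and the unbound web server; a config with `--user ntop`, `--use-syslog=local3` and `-w 127.0.0.1:3000` produces no findings, which is a quick regression check to keep beside any ntop.conf you maintain.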
