Pretty cool Rory,
 
    I may give that a shot next week.  I use OpenBSD for much of my work, but I started using Linux for our ntop work (which I know nothing about - not even how to change a host name or ip address).  I am at a point in our school year I can experiment.  Thanks for the cool info.
 
Shane
 
----- Original Message -----
Sent: Friday, March 11, 2005 6:08 PM
Subject: [Ntop] My OpenBSD experience

OpenBSD is not supported, I know.  OpenBSD has an ntop package, v1.1 with none of the cool trimmings and the web interface disabled.  For those that are interested in how to get the new, big ntop to run OK on OpenBSD, know this - it ain't quite right :)  If you can avoid installing it on OpenBSD, you should probably do so.

 

First, I needed it to run on OpenBSD because I have a bridge interface here that all traffic to the internet passes through.  pf controls traffic on the bridge.  Initially the bridge had no IP address, so I assigned one to the interface that goes into our big switch.  ntop can't monitor an IPless interface of course.  If I hadn't used OpenBSD in the first place, I would have saved days of effort, but I like OpenBSD so nyeah.  Hopefully this will help someone.  This is for OpenBSD 3.5 because I'm too scared to upgrade to 3.6 on this machine just yet.  I'm sure I did a lot of things wrong, but this is what worked for me and I'm insane.  I read a lot of stuff off these mailing lists, and I don't want to spread a bunch of misinformation, so if anyone is sure I did something completely wrong, might want to follow up.  Especially if this can be condensed down into like two steps.  If anyone tells me I could have done this in two steps, I'll jump off a bridge.  I could have mirrored a port on the switch and put a new machine up, but this was a conquest.

 

First thing is to get the required libraries compiled and installed.  Don't bother with BSD packages, get source.  Or, do what you like :)

 

gd-2.0.33, libpng1.2.8, zlib-1.2.2, libiconv-1.9.1 (probably didn't need to get this one), and I had freetype 2 on there, for no really good reason.  Also, I installed the newest libpcap.

 

I believe gd needed some massaging to compile.  Not a big problem.  I don't recall the specifics, but it had to do with needing to pass -lpthread because its internal detection didn't work.  After you run ./configure, edit the Makefile and change the LIBS= line to

 

LIBS = -lpthread -ljpeg -lfreetype -lpng -lz -lm  /usr/local/lib/libiconv.a

 

or something similar.

 

Install Zlib first because libpng wants that, and gd will enjoy linking with libpng.  Your OpenBSD will already have zlib on there in /usr/lib.  If you have updated your system libraries like a good citizen, your zlib is probably up to date.  If you're a scrub, install the new zlib to /usr/local/libs and tell stuff to compile against that one .. or else.

 

Once your libraries are in place, configure ntop.  First, edit config.sub and add

 

openbsd)
                basic_machine-i386-unknown-openbsd3.5
                os=
                ;;

 

near all the other osses.  This is probably not exactly correct, and it threw a fit about something, but it worked.

 

if you run configure, it'll probably whine about gdimagedestroy().  If you look at the config.log you'll see why.  To fix this, edit the configure file and search for gdimagedestroy.  A few lines under there, there's a LIBS statement, I changed mine to look like:  LIBS="-lgd -liconv $LIBS"

 

it'll also probably whine about png_read_info(), and to get around this, search configure for png_read_info and right underneath the line that says LIBS=$ac_check_lib_save_LIBS I made another entry that said

 

LIBS="-lgd -liconv -lpng -lz -lpthread $LIBS"

 

God knows what this does to the script when you do this, but it worked for me.

 

Tell it where all the stuff is.  My ./configure line looked like

 

./configure --build=openbsd --with-localedir=/usr/share/locale --with-zlib-lib=/usr/local/lib --with-zlib-include=/usr/local/include

 

I think I might have run into other problems, so I edited the Makefile LIBS= line to read

LIBS = -lresolv -lc -lssl -lcrypto -lz -lpthread -liconv -lpcap -lgdbm -lgd -lpng

Again, if this is not good, don't listen to me.  But it did work.

 

It will compile at this point, but if you get a gzflush error from ntop and it crashes out, open config.h in the ntop source root and search for ZLIB.  The first hit should be about the header file, a define.  Comment that out with /* and */ or // or whatever.  Underneath put in

 

#undef MAKE_WITH_ZLIB

 

and it should not give you that gzflush error anymore.  I guess zlib isn't required? :)

 

oh yeah, when you're compiling on OpenBSD get the gmake package or it will barf all over the place on make install.  If you do this stuff, and do gmake && gmake install you're all set.

 

Make an ntop user (or _ntop) or whatever.  Get ntop running once and set the admin password.  Close it down.

 

From now on, when you start ntop, you will have to pass some switches to it or you're in for a world of hurt.  One of the switches causes your CPU usage to spike very high, but it doesn't seem to adversely affect performance on this machine, magically.  Well, maybe it does, but this tool is so useful, what the heck, right?  Right?

 

The switches I use to start ntop look like this -

 

/usr/local/bin/ntop -i em0 -u ntop -d -w 127.0.0.1:15123 -W 0 -r 120 --skip-version-check --local-subnets 10.0.0.0/255.0.0.0 --use-syslog=syslog --no-mac --set-pcap-nonblocking -K

 

-i is the interface I want to monitor.  -w is the non-ssl webserver on port 15123, default is 3000.  -W is the ssl webserver that I disabled by specifying port 0 (see below for why).  -r is refresh time, but I think this is default anyway.  Don't think you need local-subnets unless you're a special case.  The --use-syslog doesn't work for me quite right yet, working on that.  --no-mac I needed, you might not.  Read about it.  I skip version check because I've got the noids.  The developers would probably like you to use it, and I don't blame them.  Thanks for allowing the switch.

 

Now --set-pcap-nonblocking I needed.  If you read the man page, you'll see that this causes a massive CPU hit.  Without this, ntop's webserver would respond extremely slowly or not at all.  It wasn't cool.  I tried hard to get around this, but it seems I needed it for OpenBSD.

 

-K I needed, which is debug mode.  If I turned that off, I got a TON of ntop processes listed in ps -aux.  It seemed like they'd spawn and never go away.

 

As you can see, I told ntop to bind its webserver to the localhost.  That's because I want it going through apache.  This machine has 3 net cards, two for the bridge interface, and one which is for Squid.  I wanted apache to serve pages out on the Squid/mgmt interface, and I wanted it to work like this - if the DNS name of the squid machine, say squid.domain.net was entered into a browser, apache would serve up some HTML.  If the DNS alias ntop.domain.net was entered into the machine, apache would proxy to the localhost port 15123, ntop's webserver.  I also wanted user authentication on both.

 

I did this by doing the following jank (thanks to Toby Johnson's mini-howto at http://www.ntop.org/UsageNotes.html for getting me started) -

You'll need mod_proxy and mod_rewrite

Open httpd.conf and set AllowOverride to AuthConfig in the first <Directory> entry.  Like I said, this is for those who type the non-aliased DNS name.  This probably won't apply to too many people, but nobody else mentioned how to do it like this exactly.

Under that, put in

    Order allow,deny
    Allow from all
    AuthName "Restricted Area"
    AuthType Basic
    AuthUserFile /usr/local/apache/users/ntop_users
    require valid-user
</Directory>

 

Later on, by the example virtualhost entry, I got

 

NameVirtualHost squid.domain.net
<VirtualHost squid.domain.net:80>
        DocumentRoot /usr/local/apache/htdocs/
        ServerName squid.domain.net
</VirtualHost>

 

and another one for the ntop proxy stuff for when someone puts the DNS CNAME in.

NameVirtualHost ntop.domain.net
<VirtualHost ntop.domain.net:80>
        ServerName ntop.domain.net
        ServerSignature Off
        ServerAlias ntop.domain.net
        ProxyPass / http://127.0.0.1:15123/
        ProxyPassReverse / http://127.0.0.1:15123/
        <Directory proxy:* >
                AuthName "Ntop Restricted"
                AuthType Basic
                AuthUserFile /usr/local/apache/users/ntop_users
                require valid-user
        </Directory>
</VirtualHost>

 

the same file is used by htpasswd for both areas.  Generate it by using htpasswd -c <filelocation> <user>

 

I believe this is all I had to do.  I might have missed something small.  At one point, I had to create/hand edit a libpngXX.la file in a text editor, but perhaps I figured a way to not require that anyway.

 

top command tells me ntop is using 74.41% of the CPU time :)  It can't be the fastest ntop machine out there, but it's working so far.  Huzzah!

 

Note to developers or aspiring helpers who know more than me - consider fully supporting OpenBSD.  Your program is cool.

 

 

 


_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
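
Added example, not part of the original messages or of ntop: a small Python check that the layout described in the post holds together, i.e. ntop's -w listener is bound to loopback, every ProxyPass target points at that same loopback port, and each proxying virtual host carries a require directive. The function names audit and ntop_http_bind are hypothetical, and the sample configuration and command line are constructed from the values in the post.

```python
import re
import shlex
from urllib.parse import urlsplit

# Constructed sample input modelled on the post's ntop virtual host and start line.
SAMPLE_CONF = """\
<VirtualHost ntop.domain.net:80>
    ProxyPass / http://127.0.0.1:15123/
    <Directory proxy:*>
        AuthType Basic
        AuthUserFile /usr/local/apache/users/ntop_users
        require valid-user
    </Directory>
</VirtualHost>
"""
SAMPLE_CMD = "/usr/local/bin/ntop -i em0 -u ntop -d -w 127.0.0.1:15123 -W 0"
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def ntop_http_bind(cmdline):
    """Return (host, port) from ntop's -w switch; host is None when only a port is given."""
    args = shlex.split(cmdline)
    value = args[args.index("-w") + 1]
    host, _, port = value.rpartition(":")
    return (host or None, int(port))

def audit(conf, cmdline):
    """Return a list of findings; an empty list means the layout matches the post's."""
    findings = []
    host, port = ntop_http_bind(cmdline)
    if host not in LOOPBACK:
        findings.append("ntop -w is not bound to loopback, so clients can reach it without Apache's auth")
    vhosts = re.findall(r"(?is)<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf)
    for name, body in vhosts:
        # \s+ after ProxyPass keeps ProxyPassReverse lines out of the match
        targets = re.findall(r"(?im)^\s*ProxyPass\s+\S+\s+(\S+)", body)
        if not targets:
            continue
        for target in targets:
            url = urlsplit(target)
            if url.hostname not in LOOPBACK or url.port != port:
                findings.append(f"{name}: ProxyPass target {target} does not match ntop -w")
        # Apache 1.3 writes <Directory proxy:*>; Apache 2.x writes <Proxy *>
        blocks = re.findall(r"(?is)<(Directory\s+proxy:|Proxy\s)[^>]*>(.*?)</(?:Directory|Proxy)>", body)
        if not any(re.search(r"(?im)^\s*require\s+\S+", inner) for _, inner in blocks):
            findings.append(f"{name}: proxied without a require directive")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, SAMPLE_CMD) or "no findings")
```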