RE: [Ntop] My OpenBSD experience

[Burton Strauss]

Couple corrections and comments:   1. ntop can monitor an ipless interface just fine, at least on every other operating system.  Configure it via the os (in Linux it's ifconfig ethx promisc && ifconfig ethx up) and tell ntop via the -i command to use it.  Don't know why this doesn't work on OpenBSD - perhaps it's related to the bridge - Linux treats them internally as 'real' interfaces, so libpcap can handle them just fine.   2. gd likes to get compiled w/ freetype and that usually pulls in libiconv.  You can get a workable gd without them, but it takes some ./configure switches. iconv is an ugly bugger - read the back traffic.   3. If you can look in config.log, you'll see why the -lpthread detect failed - that could be useful to add to the configure script.  You can usually add stuff w/o modifying make (at least under bash):   $ LIBS="-lpthread ${LIBS}" make   4. zlib is required, or you don't create compressed pages.  Not a real big loss.  Why the gzflush() error?  Because zlib is INCREDIBLY sensitive to malloc()/free() problems.  I thought we had squashed all of those, but there could be something in the specific glibc version under OpenBSD (a memory leak in glibc code isn't something we can fix).   5. pcap-non-blocking is actually NOT a cpu hit.  What it does is to turn an interrupt driven process into a poll.  So ntop uses as much cpu as it can get.  BUT, because the poll is an I/O routine, it's interruptable - and so the cpu usage doesn't (within reason) impact other processes.     n.  With a lot of this stuff, remember there's a place for OS specific stuff - configureextra/<OS>release, e.g. configureextra/OPENBSD35 or such...   m. We tried to support OpenBSD - if you read the back traffic, you can see how much effort Julian put into it.  But there's a long history of OpenBSD being just too different from everyone else and close to zero demand.     All in all, thanks for the report!   -----Burton From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rory Prendergast Sent: Friday, March 11, 2005 5:08 PM To: 'ntop@unipi.it' Subject: [Ntop] My OpenBSD experience OpenBSD is not supported, I know.  OpenBSD has an ntop package, v1.1 with none of the cool trimmings and the web interface disabled.  For those that are interested in how to get the new, big ntop it to run OK on OpenBSD, know this - it ain't quite right J  If you can avoid installing it on OpenBSD, you should probably do so.   First, I needed it to run on OpenBSD because I have a bridge interface here that all traffic to the internet passes through.  pf controls traffic on the bridge.  Initially the bridge had no IP address, so I assigned one to the interface that goes into our big switch.  ntop can't monitor an IPless interface of course.  If I hadn't used OpenBSD in the first place, I would have saved days of effort, but I like OpenBSD so nyeah.  Hopefully this will help someone.  This is for OpenBSD 3.5 because I'm too scared to upgrade to 3.6 on this machine just yet.  I'm sure I did a lot of things wrong, but this is what worked for me and I'm insane.  I read a lot of stuff off these mailing lists, and I don't want to spread a bunch of misinformation, so if anyone is sure I did something completely wrong, might want to follow up.  Especially if this can be condensed down into like two steps.  If anyone tells me I could have done this in two steps, I'll jump off a bridge.  I could have mirrored a port on the switch and put a new machine up, but this was a conquest.   First thing is to get the required libraries compiled and installed.  Don't bother with BSD packages, get source.  Or, do what you like J   gd-2.0.33, libpng1.2.8, zlib-1.2.2, libiconv-1.9.1 (probably didn't need to get this one), and I had freetype 2 on there, for no really good reason.  Also, I installed the newest libpcap.   I believe gd needed some massaging to compile.  Not a big problem.  I don't recall the specifics, but it had to do with needing to pass -lpthread because it's internal detection didn't work.  After you run ./configure, edit the Makefile and change the LIBS= line to   LIBS = -lpthread -ljpeg -lfreetype -lpng -lz -lm  /usr/local/lib/libiconv.a   or something similar.   Install Zlib first because libpng wants that, and gd will enjoy linking with libpng.  Your OpenBSD will already have zlib on there in /usr/lib.  If you have updated your system libraries like a good citizen, your zlib is probably up to date.  If you're a scrub, install the new zlib to /usr/local/libs and tell stuff to compile against that one .. or else.   Once your libraries are in place, configure ntop.  First, edit config.sug and add   openbsd)                 basic_machine-i386-unknown-openbsd3.5                 os=                 ;;   near all the other osses.  This is probably not exactly correct, and it threw a fit about something, but it worked.   if you run configure, it'll probably whine about gdimagedestroy().  If you look at the config.log you'll see why.  To fix this, edit the configure file and search for gdimagedestroy.  A few lines under there, there's a LIBS statement, I changed mine to look like:  LIBS="-lgd -liconv $LIBS"   it'll also probably whine about png_read_info(), and to get around this, search configure for png_read_info and right underneath the line that says LIBS=$ac_check_lib_save_LIBS I made another entry that said   LIBS="-lgd -liconv -lpng -lz -lpthread $LIBS"   God knows what this does to the script when you do this, but it worked for me.   Tell it where all the stuff is.  My ./configure line looked like   ./configure --build=openbsd --with-localedir=/usr/share/locale --with-zlib-lib=/usr/local/lib --with-zlib-include=/usr/local/include   I think I might have run into other problems, so I edited the Makefile LIBS=line to read LIBS = -lresolv -lc -lssl -lcrypto -lz -lpthread -liconv -lpcap -lgdbm -lgd -lpng Again, if this is not good, don't listen to me.  But it did work.   It will compile at this point, but if you get a gzflush error from ntop and it crashes out, open config.h in the ntop source root and search for ZLIB.  The first hit should be about the header file, a define.  Comment that out with /* and */ or // or whatever.  Underneath put in   #undef MAKE_WITH_ZLIB   and it should not give you that gzflush error anymore.  I guess zlib isn't required? J   oh yeah, when you're compiling on OpenBSD get the gmake package or it will barf all over the place on make install.  If you do this stuff, and do gmake && gmake install you're all set.   Make an ntop user (or _ntop) or whatever.  Get ntop running once and set the admin password.  Close it down.   From now on, when you start ntop, you will have to pass some switches to it or you're in for a world of hurt.  One of the switches causes your CPU usage to spike very high, but it doesn't seem to adversely affect performance on this machine, magically.  Well, maybe it does, but this tool is so useful, what the heck, right?  Right?   The switches I use to start ntop look like this -   /usr/local/bin/ntop -i em0 -u ntop -d -w 127.0.0.1:15123 -W 0 -r 120 --skip-version-check --local-subnets 10.0.0.0/255.0.0.0 --use-syslog=syslog --no-mac --set-pcap-nonblocking -K    -i is the interface I want to monitor.  -w is the non-ssl webserver on port 15123, default is 3000.  -W is the ssl webserver that I disabled by specifying port 0 (see below for why).  -r is refresh time, but I think this is default anyway.  Don't think you need local-subnets unless you're a special case.  the -use-syslog doesn't work for me quite right yet, working on that.  -no-mac I needed, you might not.  Read about it.  I skip version check because I've got the noids.  The developers would probably like you to use it, and I don't blame them.  Thanks for allowing the switch.   now -set-pcap-nonblocking I needed.  If you read the man page, you'll see that this causes a massive CPU hit.  Without this, ntop's webserver would respond extremely slowly or not at all.  It wasn't cool.  I tried hard to get around this, but it seems I needed it for OpenBSD.   -K I needed, which is debug mode.  If I turned that off, I got a TON of ntop processes listed in ps -aux.  It seemed like they'd spawn and never go away.   As you can see, I told ntop to bind it's webserver to the localhost.  That's because I want it going through apache.  This machine has 3 net cards, two for the bridge interface, and one which is for Squid.  I wanted apache to serve pages out on the Squid/mgmt interface, and I wanted it to work like this - if the DNS name of the squid machine, say squid.domain.net was entered into a browser, apache would serve up some HTML.  if the DNS alias ntop.domain.net was entered into the machine, apache would proxy to the localhost port 15123, ntop's webserver.  I also wanted user authentication on both.   I did this by doing the following jank (thanks to Toby Johnson's mini-howto at http://www.ntop.org/UsageNotes.html for getting me started - You'll need mod_proxy and mod_rewrite open httpd.conf and set AllowOverride to AuthConfig in the first <directory entry.  Like I said, this is for those who type the non-aliased DNS name.  This probably won't apply to too many people, but nobody else mentioned how to do it like this exactly. Under that, put in     Order allow,deny     Allow from all AuthName "Restricted Area" AuthType Basic AuthUserFile /usr/local/apache/users/ntop_users require valid-user </Directory>   Later on, by the example virtualhost entry, I got   NameVirtualHost squid.domain.net <VirtualHost squid.domain.net:80> DocumentRoot /usr/local/apache/htdocs/ ServerName squid.domain.net </virtualhost>   and another one for the ntop proxy stuff for when someone puts the DNS CNAME in. NameVirtualHost ntop.domain.net <VirtualHost ntop.domain.net:80>         ServerName ntop.domain.net         ServerSignature Off         ServerAlias ntop.domain.net         ProxyPass / http://127.0.0.1:15123/         ProxyPassReverse / http://127.0.0.1:15123/         <Directory proxy:* >                 AuthName "Ntop Restricted"                 AuthType Basic                 AuthUserFile /usr/local/apache/users/ntop_users                 require valid-user         </Directory> </VirtualHost>   the same file is used by htpasswd for both areas.  Generate it by using htpasswd -c <filelocation> <user>   I believe this is all I had to do.  I might have missed something small.  At one point, I had to create/hand edit a libpngXX.la file in a text editor, but perhaps I figured a way to not require that anyway.   top command tells me ntop is using 74.41% of the CPU time J  It can't be the fastest ntop machine out there, but it's working so far.  Huzzah!   Note to developers or aspiring helpers who know more than me - consider fully supporting OpenBSD.  Your program is cool.

_______________________________________________
Ntop mailing list
Ntop@unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop