I had problems with 3.3.3 as well - from SourceForge and SVN - using netflow. I went back to 3.2.1. (FreeBSD 6.x)
MAYBE rrd is freaking out? Make sure perms are OK EVERYWHERE. I don't recall for sure, but I don't think they're set for user "ntop". I noticed the sFlow plugin is loading as well? If you're not using it - shut it down.

Gary

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of security
Sent: Wednesday, November 07, 2007 1:50 PM
To: ntop list
Subject: [Ntop] extremely slow initialization

I'm trying to bring up a ntop 3.3 instance to be only a netflow receiver from a cisco 6500. interfaces are set to none (which seems to annoy the web interface). I start the server and the initialization seems to take forever (at this point it's over an hour and it's still not done). It's running on a dual 3ghz, 8 GB memory box that's idle. To the best of my knowledge, I haven't enabled any debug other than setting the trace level to 4 to help debug this. I downloaded from sourceforge a few days ago, Seems unlikely this is the way it should be running. Any ideas on what I might check?

thanks
jim

op - 13:20:31 up 77 days, 21:25, 2 users, load average: 0.00, 0.00, 0.001
Tasks: 84 total, 2 running, 82 sleeping, 0 stopped, 0 zombie
Cpu(s): 1.7% us, 3.0% sy, 0.0% ni, 94.3% id, 1.0% wa, 0.0% hi, 0.0% si
Mem: 8309228k total, 1373696k used, 6935532k free, 160560k buffers
Swap: 8385920k total, 0k used, 8385920k free, 949640k cached

Linux mgmt2 2.6.9-22.ELsmp #1 SMP Mon Sep 19 18:32:14 EDT 2005 i686 i686 i386 GNU/Linux (RH ES4 U2)

#gcc -v
Reading specs from /usr/lib/gcc/i386-redhat-linux/3.4.4/specs
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --enable-shared --enable-threads=posix --disable-checking --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-java-awt=gtk --host=i386-redhat-linux
Thread model: posix
gcc version 3.4.4 20050721 (Red Hat 3.4.4-2)

rrdtool 1.2.19

the rest of the libs are current of that distro release, but I can get you specific version ID's if needed.
from the cmd line...

#/usr/local/bin/ntop @/usr/local/etc/ntop.conf -u ntop
Processing file /usr/local/etc/ntop.conf for parameters...
Wed Nov 7 12:26:10 2007 NOTE: Interface merge enabled by default
Wed Nov 7 12:26:10 2007 Initializing gdbm databases
Wed Nov 7 12:26:10 2007 Opening database '/usr/local/share/ntop/prefsCache.db'
Wed Nov 7 12:26:10 2007 Opening database '/usr/local/share/ntop/ntop_pw.db'
Wed Nov 7 12:26:10 2007 NOTE: Reading preferences file entries
Wed Nov 7 12:26:10 2007 NOTE: Processing parameters (pass2)
Wed Nov 7 12:26:10 2007 NOTE: Interface merge disabled due to command line switch

From syslog with trace set to 4. Notice that it takes an hour before the webserver is up

Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing ntop
Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing IP services
Nov 7 12:22:57 mgmt2 ntop[11937]: Initializing network devices
Nov 7 12:23:09 mgmt2 ntop[11937]: Found interface [index=0] 'eth0'
Nov 7 12:23:29 mgmt2 ntop[11937]: Found interface [index=1] 'eth1'
Nov 7 12:23:49 mgmt2 ntop[11937]: Found interface [index=2] 'any'
Nov 7 12:24:09 mgmt2 ntop[11937]: Found interface [index=3] 'lo'
Nov 7 12:26:10 mgmt2 ntop[13715]: ntop v.3.3
Nov 7 12:26:30 mgmt2 ntop[13715]: Configured on Nov 6 2007 18:34:17, built on Nov 6 2007 18:34:43.
Nov 7 12:26:50 mgmt2 ntop[13715]: Copyright 1998-2007 by Luca Deri <[EMAIL PROTECTED]>
Nov 7 12:27:10 mgmt2 ntop[13715]: Get the freshest ntop from http://www.ntop.org/
Nov 7 12:27:30 mgmt2 ntop[13715]: NOTE: ntop is running from '/usr/local/bin'
Nov 7 12:27:50 mgmt2 ntop[13715]: NOTE: (but see warning on man page for the --instance parameter)
Nov 7 12:28:10 mgmt2 ntop[13715]: NOTE: ntop libraries are in '/usr/local/lib'
Nov 7 12:28:30 mgmt2 ntop[13715]: Initializing ntop
Nov 7 12:28:50 mgmt2 ntop[13715]: Initializing IP services
Nov 7 12:29:11 mgmt2 ntop[13715]: Initializing network devices
Nov 7 12:29:31 mgmt2 ntop[13715]: Found interface [index=0] 'eth0'
Nov 7 12:29:51 mgmt2 ntop[13715]: Found interface [index=1] 'eth1'
Nov 7 12:30:11 mgmt2 ntop[13715]: Found interface [index=2] 'any'
Nov 7 12:30:51 mgmt2 ntop[13715]: Found interface [index=3] 'lo'
Nov 7 12:31:31 mgmt2 ntop[13715]: Checking requested device 'none'
Nov 7 12:32:11 mgmt2 ntop[13715]: Adding network device none
Nov 7 12:32:31 mgmt2 ntop[13715]: Creating dummy interface, 'none'
Nov 7 12:32:52 mgmt2 ntop[13715]: -i none, so initialized only a dummy device
Nov 7 12:33:12 mgmt2 ntop[13715]: Resetting traffic statistics for device none
Nov 7 12:33:32 mgmt2 ntop[13715]: Initializing gdbm databases
Nov 7 12:33:52 mgmt2 ntop[13715]: Creating database '/usr/local/share/ntop/addressQueue.db'
Nov 7 12:34:12 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/dnsCache.db'
Nov 7 12:34:32 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/macPrefix.db'
Nov 7 12:34:52 mgmt2 ntop[13715]: Opening database '/usr/local/share/ntop/fingerprint.db'
Nov 7 12:35:12 mgmt2 ntop[13715]: VENDOR: Loading MAC address table.
Nov 7 12:35:52 mgmt2 ntop[13715]: VENDOR: Checking for MAC address table file
Nov 7 12:36:33 mgmt2 ntop[13715]: VENDOR: Checking './specialMAC.txt.gz'
Nov 7 12:37:13 mgmt2 ntop[13715]: VENDOR: Checking './specialMAC.txt'
Nov 7 12:37:33 mgmt2 ntop[13715]: VENDOR: Checking '/usr/local/etc/ntop/specialMAC.txt.gz'
Nov 7 12:37:53 mgmt2 ntop[13715]: VENDOR: ...Found
Nov 7 12:38:13 mgmt2 ntop[13715]: VENDOR: Database created/last modified Wed Dec 31 19:00:00 1969
Nov 7 12:38:34 mgmt2 ntop[13715]: VENDOR: Input file created/last modified Tue Nov 6 18:36:11 2007
Nov 7 12:38:54 mgmt2 ntop[13715]: VENDOR: Loading newer file '/usr/local/etc/ntop/specialMAC.txt.gz'
Nov 7 12:39:14 mgmt2 ntop[13715]: VENDOR: Closing file
Nov 7 12:39:34 mgmt2 ntop[13715]: VENDOR: ...found 61 lines
Nov 7 12:39:54 mgmt2 ntop[13715]: VENDOR: ...loaded 59 records
Nov 7 12:40:14 mgmt2 ntop[13715]: VENDOR: Checking for MAC address table file
Nov 7 12:40:54 mgmt2 ntop[13715]: VENDOR: Checking './oui.txt.gz'
Nov 7 12:41:35 mgmt2 ntop[13715]: VENDOR: Checking './oui.txt'
Nov 7 12:42:15 mgmt2 ntop[13715]: VENDOR: Checking '/usr/local/etc/ntop/oui.txt.gz'
Nov 7 12:42:35 mgmt2 ntop[13715]: VENDOR: ...Found
Nov 7 12:42:55 mgmt2 ntop[13715]: VENDOR: Database created/last modified Wed Dec 31 19:00:00 1969
Nov 7 12:43:15 mgmt2 ntop[13715]: VENDOR: Input file created/last modified Tue Nov 6 18:36:11 2007
Nov 7 12:43:35 mgmt2 ntop[13715]: VENDOR: Loading newer file '/usr/local/etc/ntop/oui.txt.gz'
Nov 7 12:43:56 mgmt2 ntop[13715]: VENDOR: .... 5000 records read
Nov 7 12:44:16 mgmt2 ntop[13715]: VENDOR: .... 10000 records read
Nov 7 12:44:36 mgmt2 ntop[13715]: VENDOR: .... 15000 records read
Nov 7 12:44:56 mgmt2 ntop[13715]: VENDOR: .... 20000 records read
Nov 7 12:45:16 mgmt2 ntop[13715]: VENDOR: .... 25000 records read
Nov 7 12:45:57 mgmt2 ntop[13715]: VENDOR: .... 30000 records read
Nov 7 12:46:37 mgmt2 ntop[13715]: VENDOR: .... 35000 records read
Nov 7 12:47:18 mgmt2 ntop[13715]: VENDOR: .... 40000 records read
Nov 7 12:47:38 mgmt2 ntop[13715]: VENDOR: .... 45000 records read
Nov 7 12:47:58 mgmt2 ntop[13715]: VENDOR: Closing file
Nov 7 12:48:19 mgmt2 ntop[13715]: VENDOR: ...found 48541 lines
Nov 7 12:48:39 mgmt2 ntop[13715]: VENDOR: ...loaded 7853 records
Nov 7 12:48:59 mgmt2 ntop[13715]: Fingerprint: Loading signature file
Nov 7 12:49:19 mgmt2 ntop[13715]: Fingerprint: Checking for Fingerprint file... file
Nov 7 12:49:39 mgmt2 ntop[13715]: Fingerprint: Checking './etter.finger.os.gz'
Nov 7 12:49:59 mgmt2 ntop[13715]: Fingerprint: Checking './etter.finger.os'
Nov 7 12:50:19 mgmt2 ntop[13715]: Fingerprint: Checking '/usr/local/etc/ntop/etter.finger.os.gz'
Nov 7 12:50:59 mgmt2 ntop[13715]: Fingerprint: ...Found
Nov 7 12:51:40 mgmt2 ntop[13715]: Fingerprint: Loading file '/usr/local/etc/ntop/etter.finger.os.gz'
Nov 7 12:52:20 mgmt2 ntop[13715]: Fingerprint: ...loaded 1765 records
Nov 7 12:52:40 mgmt2 ntop[13715]: INIT: Parent process is exiting (this is normal)
Nov 7 12:52:40 mgmt2 ntop[29035]: INIT: Bye bye: I'm becoming a daemon...
Nov 7 12:53:20 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: Now running as a daemon
Nov 7 12:53:40 mgmt2 ntop[29035]: ASN: Checking for Autonomous System Number table file
Nov 7 12:54:00 mgmt2 ntop[29035]: ASN: Checking './AS-list.txt.gz'
Nov 7 12:54:21 mgmt2 ntop[29035]: ASN: Checking './AS-list.txt'
Nov 7 12:54:41 mgmt2 ntop[29035]: ASN: Checking '/usr/local/etc/ntop/AS-list.txt.gz'
Nov 7 12:55:01 mgmt2 ntop[29035]: ASN: Checking '/usr/local/etc/ntop/AS-list.txt'
Nov 7 12:55:21 mgmt2 ntop[29035]: ASN: Checking '/etc/AS-list.txt.gz'
Nov 7 12:56:01 mgmt2 ntop[29035]: ASN: Checking '/etc/AS-list.txt'
Nov 7 12:56:41 mgmt2 ntop[29035]: **WARNING** ASN: Unable to open file 'AS-list.txt'
Nov 7 12:57:21 mgmt2 ntop[29035]: ASN: ntop continues ok, but without ASN information.
Nov 7 12:57:41 mgmt2 ntop[29035]: I18N: This instance of ntop does not support multiple languages
Nov 7 12:58:02 mgmt2 ntop[29035]: IP2CC: Checking for IP address <-> Country Code mapping file
Nov 7 12:58:22 mgmt2 ntop[29035]: IP2CC: Checking './p2c.opt.table.gz'
Nov 7 12:58:42 mgmt2 ntop[29035]: IP2CC: Checking './p2c.opt.table'
Nov 7 12:59:02 mgmt2 ntop[29035]: IP2CC: Checking '/usr/local/etc/ntop/p2c.opt.table.gz'
Nov 7 12:59:22 mgmt2 ntop[29035]: IP2CC: ...Found
Nov 7 12:59:42 mgmt2 ntop[29035]: IP2CC: Loading file '/usr/local/etc/ntop/p2c.opt.table.gz'
Nov 7 13:00:02 mgmt2 ntop[29035]: IP2CC: .... 10000 records read
Nov 7 13:01:02 mgmt2 ntop[29035]: IP2CC: .... 20000 records read
Nov 7 13:02:23 mgmt2 ntop[29035]: IP2CC: .... 30000 records read
Nov 7 13:03:43 mgmt2 ntop[29035]: IP2CC: .... 40000 records read
Nov 7 13:04:24 mgmt2 ntop[29035]: IP2CC: .... 50000 records read
Nov 7 13:04:44 mgmt2 ntop[29035]: IP2CC: Closing file
Nov 7 13:05:04 mgmt2 ntop[29035]: IP2CC: ...found 52395 lines
Nov 7 13:05:44 mgmt2 ntop[29035]: Database support not compiled into ntop
Nov 7 13:06:24 mgmt2 ntop[29035]: Initializing external applications
Nov 7 13:07:04 mgmt2 ntop[29035]: THREADMGMT[t3085831088]: NPA: Started thread for network packet analyzer (none)
Nov 7 13:07:45 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Started thread for fingerprinting
Nov 7 13:08:45 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Started thread for idle hosts detection
Nov 7 13:09:25 mgmt2 ntop[29035]: THREADMGMT[t3054361520]: DNSAR(1): Started thread for DNS address resolution
Nov 7 13:09:45 mgmt2 ntop[29035]: THREADMGMT[t3043871664]: DNSAR(2): Started thread for DNS address resolution
Nov 7 13:10:05 mgmt2 ntop[29035]: THREADMGMT[t3033381808]: DNSAR(3): Started thread for DNS address resolution
Nov 7 13:10:45 mgmt2 ntop[29035]: Starting Plugins
Nov 7 13:11:26 mgmt2 ntop[29035]: Calling plugin start functions (if any)
Nov 7 13:12:06 mgmt2 ntop[29035]: Plugins started... continuing with initialization
Nov 7 13:12:26 mgmt2 ntop[29035]: SSL is present but https is disabled: use -W <https port> for enabling it
netstat -Nov 7 13:12:46 mgmt2 ntop[29035]: INITWEB: Initializing web
Nov 7 13:13:06 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:13:46 mgmt2 last message repeated 2 times
Nov 7 13:15:07 mgmt2 last message repeated 4 times
Nov 7 13:15:47 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Fingerprint scan thread starting [p29035]
Nov 7 13:16:27 mgmt2 ntop[29035]: THREADMGMT[t3085831088]: NPA: network packet analyzer (packet processor) thread running [p29035]
Nov 7 13:17:07 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Idle host scan thread starting [p29035]
Nov 7 13:17:28 mgmt2 ntop[29035]: THREADMGMT[t3054361520]: DNSAR(1): Address resolution thread running
Nov 7 13:17:48 mgmt2 ntop[29035]: THREADMGMT[t3043871664]: DNSAR(2): Address resolution thread running
Nov 7 13:18:08 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:18:48 mgmt2 last message repeated 2 times
Nov 7 13:19:08 mgmt2 ntop[29035]: INITWEB: Initializing TCP/IP socket connections for web server
Nov 7 13:19:28 mgmt2 ntop[29035]: Initializing socket, port 3000, address (any)
Nov 7 13:19:48 mgmt2 ntop[29035]: INITWEB: Created a new socket (0)
Nov 7 13:20:08 mgmt2 ntop[29035]: INITWEB: Initialized socket, port 3000, address (any)
Nov 7 13:21:29 mgmt2 ntop[29035]: INITWEB: Starting web server
Nov 7 13:22:09 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: INITWEB: Started thread for web server
Nov 7 13:22:29 mgmt2 ntop[29035]: INITWEB: Server started... continuing with initialization
Nov 7 13:22:49 mgmt2 ntop[29035]: Listening on [none]
Nov 7 13:23:09 mgmt2 ntop[29035]: Loading Plugins
Nov 7 13:23:29 mgmt2 ntop[29035]: Searching for plugins in /usr/local/lib/ntop/plugins
Nov 7 13:23:49 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/remotePlugin.so'
Nov 7 13:24:09 mgmt2 ntop[29035]: Remote: Welcome to Remote. (C) 2006-07 by L.Deri
Nov 7 13:24:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/netflowPlugin.so'
Nov 7 13:24:50 mgmt2 ntop[29035]: NETFLOW: Welcome to NetFlow.(C) 2002-07 by Luca Deri
Nov 7 13:25:10 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/pdaPlugin.so'
Nov 7 13:25:50 mgmt2 ntop[29035]: PDA: Welcome to PDA. (C) 2001-2005 by L.Deri and W.Brock
Nov 7 13:26:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/sflowPlugin.so'
Nov 7 13:27:10 mgmt2 ntop[29035]: SFLOW: Welcome to sFlow.(C) 2002-04 by Luca Deri
Nov 7 13:27:30 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/rrdPlugin.so'
Nov 7 13:27:51 mgmt2 ntop[29035]: RRD: Welcome to Round-Robin Databases. (C) 2002-07 by Luca Deri.
Nov 7 13:28:11 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/lastSeenPlugin.so'
Nov 7 13:28:31 mgmt2 ntop[29035]: LASTSEEN: Welcome to Host Last Seen. (C) 1999 by Andrea Marangoni
Nov 7 13:28:51 mgmt2 ntop[29035]: THREADMGMT[t3033381808]: DNSAR(3): Address resolution thread running
Nov 7 13:29:11 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: WEB: Server connection thread starting [p29035]
Nov 7 13:29:31 mgmt2 ntop[29035]: Note: SIGPIPE handler set (ignore)
Nov 7 13:29:51 mgmt2 ntop[29035]: THREADMGMT[t3022891952]: WEB: Server connection thread running [p29035]
Nov 7 13:30:11 mgmt2 ntop[29035]: WEB: ntop's web server is now processing requests
Nov 7 13:30:52 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:31:32 mgmt2 ntop[29035]: EPIPE during sending of page to web client
Nov 7 13:32:12 mgmt2 ntop[29035]: EPIPE during sending of page to web client
Nov 7 13:32:32 mgmt2 ntop[29035]: Loading plugin '/usr/local/lib/ntop/plugins/icmpPlugin.so'
Nov 7 13:32:52 mgmt2 ntop[29035]: ICMP: Welcome to ICMP Watch. (C) 1999-2005 by Luca Deri
Nov 7 13:33:12 mgmt2 ntop[29035]: Starting Plugins
Nov 7 13:33:32 mgmt2 ntop[29035]: Calling plugin start functions (if any)
Nov 7 13:33:53 mgmt2 ntop[29035]: Starting 'Host Last Seen'
Nov 7 13:34:13 mgmt2 ntop[29035]: Starting 'ICMP Watch'
Nov 7 13:34:33 mgmt2 ntop[29035]: Starting 'NetFlow'
Nov 7 13:34:53 mgmt2 ntop[29035]: Starting 'PDA'
Nov 7 13:35:13 mgmt2 ntop[29035]: Starting 'Remote'
Nov 7 13:35:53 mgmt2 ntop[29035]: Starting 'Round-Robin Databases'
Nov 7 13:36:33 mgmt2 ntop[29035]: RRD: Welcome to the RRD plugin
Nov 7 13:37:14 mgmt2 ntop[29035]: RRD: Mask for new directories is 0700
Nov 7 13:37:34 mgmt2 ntop[29035]: RRD: Mask for new files is 0066
Nov 7 13:37:54 mgmt2 ntop[29035]: RRD_DEBUG: Parameters:
Nov 7 13:38:14 mgmt2 ntop[29035]: RRD_DEBUG: dumpInterval 300 seconds
Nov 7 13:38:34 mgmt2 ntop[29035]: RRD_DEBUG: dumpShortInterval 10 seconds
Nov 7 13:38:54 mgmt2 ntop[29035]: RRD_DEBUG: dumpHours 72 hours by 300 seconds
Nov 7 13:39:14 mgmt2 ntop[29035]: RRD_DEBUG: dumpDays 90 days by hour
Nov 7 13:39:34 mgmt2 ntop[29035]: RRD_DEBUG: dumpMonths 36 months by day
Nov 7 13:39:55 mgmt2 ntop[29035]: RRD_DEBUG: dumpDomains no
Nov 7 13:40:15 mgmt2 ntop[29035]: RRD_DEBUG: dumpFlows no
Nov 7 13:40:55 mgmt2 ntop[29035]: RRD_DEBUG: dumpHosts no
Nov 7 13:41:35 mgmt2 ntop[29035]: RRD_DEBUG: dumpInterfaces yes
Nov 7 13:42:15 mgmt2 ntop[29035]: RRD_DEBUG: dumpASs yes
Nov 7 13:42:35 mgmt2 ntop[29035]: RRD_DEBUG: dumpMatrix no
Nov 7 13:42:56 mgmt2 ntop[29035]: RRD_DEBUG: dumpDetail high
Nov 7 13:43:16 mgmt2 ntop[29035]: RRD_DEBUG: hostsFilter 10.173.194.0/255.255.254.0
Nov 7 13:43:36 mgmt2 ntop[29035]: RRD_DEBUG: rrdPath /usr/local/share/ntop/rrd
Nov 7 13:43:56 mgmt2 ntop[29035]: RRD_DEBUG: umask 0066
Nov 7 13:44:16 mgmt2 ntop[29035]: RRD_DEBUG: DirPerms 0700
Nov 7 13:44:36 mgmt2 ntop[29035]: THREADMGMT: RRD: Started thread (t3012402096) for data collection
Nov 7 13:44:56 mgmt2 ntop[29035]: Starting 'sFlow'
Nov 7 13:45:16 mgmt2 ntop[29035]: Plugins started... continuing with initialization
Nov 7 13:45:56 mgmt2 ntop[29035]: INIT: Created pid file (/var/run/ntop.pid)
Nov 7 13:46:37 mgmt2 ntop[29035]: THREADMGMT[t3012402096]: RRD: Data collection thread starting [p29035]
Nov 7 13:47:17 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: ntop RUNSTATE: INITNONROOT(3)
Nov 7 13:47:37 mgmt2 ntop[29035]: Now running as requested user 'ntop' (1029:1029)
Nov 7 13:47:57 mgmt2 ntop[29035]: Device 0. none (dummy)
Nov 7 13:48:17 mgmt2 ntop[29035]: INITWEB: Reporting device not set, defaulting to 0
Nov 7 13:48:37 mgmt2 ntop[29035]: RRD: Created base directory (/usr/local/share/ntop/rrd)
Nov 7 13:48:57 mgmt2 ntop[29035]: Note: Reporting device initally set to 0 [none]
Nov 7 13:49:18 mgmt2 ntop[29035]: MEMORY: Base interface structure (no hashes loaded) is 0.03MB each
Nov 7 13:49:38 mgmt2 ntop[29035]: MEMORY: or 0.03MB for 1 interfaces
Nov 7 13:49:58 mgmt2 ntop[29035]: MEMORY: ipTraffixMatrix structure (no TrafficEntry loaded) is 0.01MB
Nov 7 13:50:18 mgmt2 ntop[29035]: THREADMGMT[t3086902976]: ntop RUNSTATE: RUN(4)
Nov 7 13:48:57 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/graphics)
Nov 7 13:51:38 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/flows)
Nov 7 13:52:18 mgmt2 ntop[29035]: RRD: Created directory (/usr/local/share/ntop/rrd/interfaces)
Nov 7 13:52:39 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Started thread for throughput data collection
Nov 7 13:52:59 mgmt2 ntop[29035]: THREADMGMT[t3012402096]: RRD: Data collection thread running [p29035]
Nov 7 13:53:19 mgmt2 ntop[29035]: RRD_DEBUG: Sleeping for 112 seconds (interval 300, end at Wed Nov 7 13:55:11 2007)
Nov 7 13:53:39 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Throughput data collection: Thread starting [p29035]
Nov 7 13:53:59 mgmt2 ntop[29035]: THREADMGMT[t3001912240]: RRD: Throughput data collection: Thread running [p29035]
Nov 7 13:54:19 mgmt2 ntop[29035]: THREADMGMT[t3064851376]: SIH: Idle host scan thread running [p29035]

#cat /usr/local/etc/ntop.conf
################################################################################
## #
## This file, ntop.conf.sample is a sample of an ntop configuration file. #
## #
## You should copy this file to it's normal location, /etc/ntop.conf #
## and edit it to fit your needs. #
## #
## ntop is easily launched with options by referencing this file from #
## a command line like this: #
## #
## ntop @/etc/ntop.conf #
## #
## Remember, options may also be listed directly on the command line, both #
## before and after the @/etc/ntop.conf. #
## #
## For switches that provide values, e.g. -i, the last one matters. #
## For switches just say 'do things', e..g -M, if it's ANYWHERE in the #
## commands, it will be set. There's no unset option. #
## #
## You can use this to your advantage, for example: #
## ntop @/etc/ntop.conf -i none #
## Overrides the -i in the file. #
## #
## Nested @'s - that is @/etc/ntop.common inside /etc/ntop.conf are not #
## permitted. #
## #
## Note that this is not an exhaustive list of ntop's commands - refer #
## to the man page and other documentation for that. This is just the #
## most commonly used command and various examples of them #
## #
## #
## Lines beginning ## are pure comments. #
## #
## Lines beginning with a dash in this sample file are 'live' and will #
## be used if you just copy this file to /etc/ntop.conf. #
## #
## Lines you might wish to uncomment and use as is begin with #- or #-- #
## #
## Parameter lines beginning with #? are models that you will need to #
## review and or customize to your environment before using them. #
## #
################################################################################
## #
## Initial version by Burton M. Strauss III ([EMAIL PROTECTED]) #
## #
## Updates and documentation courtesy of #
## Joseph Ezerski ([EMAIL PROTECTED]) (04-2003) #
## Tim Malnati ([EMAIL PROTECTED]) (09-2003) #
## #
################################################################################
############################## RUNNING ENVIRONMENT #############################
## -u | --user -- tells ntop the user id to run as.
## NOTE: This should not be root unless you really understand
## the security risks.
--user ntop
##-----------------------------------------------------------------------------#
## -d | --daemon -- sets ntop to run as a daemon (in the background, not
## connected to a specific terminal).
## NOTE: For more than casual use, you probably want this.
--daemon
##-----------------------------------------------------------------------------#
## -P | --db-file-path -- sets the directory that ntop runs from.
## NOTE: Use an absolute path (not a relative one like ../ntop) because
## the working directory (pwd) will be different when ntop is run
## from the command line, from cron and from initialization.
--db-file-path /usr/local/share/ntop
#? -P /var/ntop
##-----------------------------------------------------------------------------#
## -D | --domain -- Sets the domain. ntop should be able to determine
## this automatically, but occasionally has problems. If so, this makes the
## output cleaner.
#? --domain mydomain.com
--domain my.dom.com
################################ WHAT TO MONITOR ###############################
## -i | --interface tells ntop which network interfaces (NICs) to monitor.
## DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
#? --interface eth0
## To monitor both eth0 and eth2 but not eth1:
#? --interface eth0,eth2
## To monitor NO ethernet interfaces (for example a system collecting data
## only from netFlow probes):
--interface none
##-----------------------------------------------------------------------------#
## -M | --no-interface-merge -- tells ntop not to merge data from all of the
## network interfaces it is monitoring. See the man page and docs/FAQ for
## discussions of -M.
--no-interface-merge
##-----------------------------------------------------------------------------#
## -m | --local-subnets -- Tells ntop of additional networks that should
## be considered local. This is for the local/remote breakdowns
## and because additional data is kept and display for local hosts.
## The addresses of the network interface(s) (NICs) are always local
## and don't need to be specified. If you use unnumbered interfaces
## you MUST give ntop this information.
## NOTE: You can mix CIDR and network/netmask notation.
## SEE ALSO: --track-local-hosts
## EXAMPLES:
## Traffic I see (broadcasts only, of course) on my cable modem includes
## other subnets than my own 12.239.98.0/24. I see 12.239.99.0/24 and
## 12.239.100.0/24 - to tell this to ntop:
#? -m 12.239.99.0/24,12.239.100.0/24
## I actually run this way, telling ntop about the whole range of
## addresses used as well as the private network used internally by the
## cable modems themselves.
#? -m 192.168.42.0/24,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
-m 10.173.194.0/23
## All of these are equivalent to the one above:
## -m 192.168.42.0/255.255.255.0,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## -m 192.168.42.0/255.255.255.0,12.239.96.0/255.255.252.0,12.239.100.0/255.255.255.0,10.113.0.0/255.255.0.0
##-----------------------------------------------------------------------------#
## -p | --protocols -- ntop comes with an extensive list of common tcp/ip
## protocols to monitor already built in. (See docs/FAQ for the current list).
## If you want to increase, decrease or change this list, this is the parameter.
## It can be either a file or a list. To point ntop to a file specify it's name:
#? -p /usr/local/share/ntop/protocol.list
## Or to give an explicit list:
#? --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"
##-----------------------------------------------------------------------------#
## -c | --sticky-hosts -- tells ntop NOT to purge idle hosts from memory.
## DO NOT USE THIS unless you are on a small, very static network, or you
## have LOTS of memory.
## It is strongly recommended that you use a filtering expression to limit
## the hosts which are stored if you use --sticky-hosts.
#? --sticky-hosts
##-----------------------------------------------------------------------------#
## --disable-instantsessionpurge -- by default, ntop internally changes the
## status of completed sessions so that they get purged immediately. This
## doesn't present a true picture of the network, but does conserve memory.
## Enable this switch to see those finished sessions before their purge
## interval (5 minutes) expires, IF YOU HAVE ENOUGH MEMORY.
#? --disable-instantsessionpurge
################################## LOG MESSAGES ################################
## -t | --trace-level -- controls the amount and severity of messages that
## ntop will put out. Choices are:
#--trace-level 0 # FATALERROR only
#--trace-level 1 # ERROR and above only
#--trace-level 2 # WARNING and above only
#--trace-level 3 # INFO, WARNING and ERRORs - the default
#--trace-level 4 # NOISY - everything
#--trace-level 6 # NOISY + MSGID
#--trace-level 7 # NOISY + MSGID + file/line
--trace-level 4 # Which is the default
##-----------------------------------------------------------------------------#
##
## -L | --use-syslog | --use-syslog=xxxx -- By default, ntop writes it's
## messages to stdout (the terminal).
## WARNING: If you are running ntop as a daemon (--daemon parameter), the
## stdout (terminal) does not exist and so messages will be dropped.
## You probably don't want to do this. Instead, use this -L | --use-syslog
## parameter to save them into the system log (/var/log/messages).
##
## Thus a typical startup for ntop running as a daemon is:
##--daemon
## You can also direct the messages to another file. You'll want to
## look at man syslog.conf to setup the configuration file. For example
## to use 'local3' to keep ntop messages separate, I have this in my
## /etc/syslog.conf:
## # Save ntop
## local3.* /var/log/ntop.log
## Then I run ntop with this:
--use-syslog=local3
## NOTE: The = is REQUIRED and no spaces are permitted.
################################## WEB SERVER ##################################
## ntop offers both an http:// and https:// web server. These parameters
## tell ntop which ports (and interfaces) to offer this web server on.
## -w | --http-server -- is the http:// web server.
## NOTE: --http-server 3000 is the default
#? --http-server 3000
## -W | --https-server -- is the https:// web server.
#? --https-server 0
## The default is -w 3000 -W 0 (disabled). You can also...
## https:// only:
#? -w 0 -W 3001
## http:// and https://
#? --http-server 3000 --https-server 3001
## Neither - say ntop is running only as a netFlow probe:
-w 3000 -W 0
## You can also limit ntop to listening on a specific interface. For example:
#? -w 127.0.0.1:3000 # Listens only on the loopback interface at port 3000
########################### PERFORMANCE AND PROBLEMS ###########################
## -B | filter-expression -- gives ntop a bpf (Berkeley Packet Filter) expression
## to use. (the easiest place to find bpf documented is on the tcpdump man page).
## NOTE: The filter expression MUST be in quotes.
## To restrict ntop to only a few machines on a large network, say 192.168.1.88
## through 91:
#? -B "net 192.168.1.88/30"
## That is equivalent to specifying the specific hosts:
#? -B "host (192.168.1.88 or 192.168.1.89 or 192.168.1.90 or 192.168.1.91)"
## You can limit traffic to that from (src) or to (dst) a specific host:
#? -B "src host www.mycompany.com"
#? -B "dst host www.mycompany.com"
## You can limit it to a specific protocol, including src/dst:
#? -B "port ssh"
#? -B "src port ssh"
#? -B "dst port ssh"
##-----------------------------------------------------------------------------#
## -o | --no-mac -- Configures ntop not to trust MAC addrs.
## This is used if you observe ntop being confused by 'changing' addresses -
## i.e. ntop belives that the corporate web server is actually Joe's desktop
## computer.
#--no-mac
##-----------------------------------------------------------------------------#
## -g | --track-local-hosts -- Tells ntop to track only local hosts. These
## are hosts defined as local according to the network interfaces or specified
## by the --local-subnets option.
## Use this if you are seeing too many hosts and all you care about is the
## local (LAN) traffic.
#--track-local-hosts
##-----------------------------------------------------------------------------#
## -z | --disable-sessions -- Tells ntop not to track tcp session information.
## Speeds up processing, requires less memory, but conveys less information.
#--disable-sessions
##-----------------------------------------------------------------------------#
## --disable-schedyield -- Under certain circumstances, the sched_yield()
## function causes the ntop web server to lock up. It shouldn't happen, but
## it does. This option causes ntop to skip those calls, at a tiny performance
## penalty.
--disable-schedyield

_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
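
An added example, not part of the original thread and not ntop code: a small Python script that measures the time between consecutive syslog entries like the ones quoted above, counting each "last message repeated N times" line as N messages and skipping entries whose timestamp goes backwards. The year (2007), the 20-second step, the 2-second tolerance and all function names are assumptions chosen to match the timestamps in the post.

```python
import re
import statistics
from datetime import datetime

# Classic BSD syslog line: "Mon D HH:MM:SS host rest" (the stamp carries no year).
LINE_RE = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(\S+)\s+(.*)$")
TAG_RE = re.compile(r"^[^\[\s:]+\[\d+\]:\s*(.*)$")   # "ntop[13715]: message"
REPEAT_RE = re.compile(r"^last message repeated (\d+) times?$")

# Two excerpts copied from the syslog output quoted in the post.
SAMPLE_STARTUP = """\
Nov 7 12:28:30 mgmt2 ntop[13715]: Initializing ntop
Nov 7 12:28:50 mgmt2 ntop[13715]: Initializing IP services
Nov 7 12:29:11 mgmt2 ntop[13715]: Initializing network devices
Nov 7 12:29:31 mgmt2 ntop[13715]: Found interface [index=0] 'eth0'
Nov 7 12:29:51 mgmt2 ntop[13715]: Found interface [index=1] 'eth1'
Nov 7 12:30:11 mgmt2 ntop[13715]: Found interface [index=2] 'any'
Nov 7 12:30:51 mgmt2 ntop[13715]: Found interface [index=3] 'lo'
Nov 7 12:31:31 mgmt2 ntop[13715]: Checking requested device 'none'
""".splitlines()

SAMPLE_REPEATS = """\
Nov 7 13:13:06 mgmt2 ntop[29035]: SECURITY: Loading items table
Nov 7 13:13:46 mgmt2 last message repeated 2 times
Nov 7 13:15:07 mgmt2 last message repeated 4 times
Nov 7 13:15:47 mgmt2 ntop[29035]: THREADMGMT[t3075341232]: SFP: Fingerprint scan thread starting [p29035]
""".splitlines()


def parse(lines, year=2007):
    """Return [(timestamp, message_count, text)]; lines that do not parse are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(f"{year} {' '.join(m[1].split())}", "%Y %b %d %H:%M:%S")
        repeat, tagged = REPEAT_RE.match(m[3]), TAG_RE.match(m[3])
        if repeat:                      # syslogd collapsed N identical messages
            entries.append((stamp, max(1, int(repeat[1])), "(repeated)"))
        elif tagged:
            entries.append((stamp, 1, tagged[1]))
    return entries


def gaps(entries):
    """Seconds between each entry and the previous one, also divided per message."""
    rows = []
    for (t0, _, _), (t1, count, text) in zip(entries, entries[1:]):
        delta = (t1 - t0).total_seconds()
        rows.append({"gap": delta, "messages": count,
                     "per_message": delta / count, "text": text})
    return rows


def summarise(lines, step=20, tol=2):
    """Summarise pacing: total time, median cost per message, share of gaps on the step grid."""
    rows = gaps(parse(lines))
    forward = [r for r in rows if r["gap"] >= 0]    # ignore out-of-order entries
    if not forward:
        raise ValueError("need at least two parseable, in-order entries")

    def on_grid(gap):
        k = round(gap / step)
        return k >= 1 and abs(gap - k * step) <= tol

    return {
        "elapsed": sum(r["gap"] for r in forward),
        "messages": sum(r["messages"] for r in forward),
        "median_per_message": statistics.median(r["per_message"] for r in forward),
        "on_grid": sum(on_grid(r["gap"]) for r in forward) / len(forward),
        "out_of_order": len(rows) - len(forward),
    }


if __name__ == "__main__":
    for name, sample in (("startup", SAMPLE_STARTUP), ("repeats", SAMPLE_REPEATS)):
        print(name, summarise(sample))
```

On both excerpts every gap is a multiple of roughly 20 seconds, even for steps such as 'Found interface', so the elapsed time there tracks the number of messages logged rather than one slow step.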
