ntop is a wonderful network traffic monitor: it captures packets with libpcap and generates nice clickable HTML reports that show you what's happening on your network. It slices and dices traffic all kinds of ways: by protocol, host, local or remote network, network load, network flow, which Web sites your users are visiting, how much traffic is coming from or going to remote sites, and loads more. It understands virtually all common network protocols over both IP networks and Fibre Channel. ntop runs on any operating system you can successfully compile it on: Linux, Unix, and Win32. Binary packages are available for Debian, Fedora, and Windows.
You don't need a separate HTTP server such as Apache or Lighttpd to get the pretty Web graphs: ntop has its own embedded Web server, which listens on port 3000 by default (the -w option changes that). ntop is in Ubuntu's Universe repository and Debian main. Fedora users can fetch it from RPMForge or Dag Wieers' Fedora repository.
There are two ways to deploy ntop: on an ordinary network host, such as your workstation or a server, where it sees only that host's own traffic, or at a point where it can capture all LAN traffic. If you're still in the 20th century and using a hub, you can run ntop anywhere on your LAN and capture everything, because a hub repeats every frame out every port.
On switched networks, and hopefully your network has at least made it into the 21st century by ditching hubs and replacing them with switches, it's a little harder to grab all your LAN traffic: a switch delivers each unicast frame only to the port its destination sits on, so a host in promiscuous mode sees its own traffic plus broadcasts and little else. If your Ethernet switch has a monitoring port (a SPAN or mirror port), you're golden: plug the ntop box into it and mirror the uplink or the ports you care about. (You can find Gigabit-E switches with port monitoring for under $200 these days, yay.) If it doesn't, ntop on a border router is almost as good. It will capture all traffic entering and leaving your network, but it won't see packets traveling directly between LAN hosts. You can use arpspoof (from the dsniff package) to pull traffic intended for other hosts through your box, but understand what that is: ARP cache poisoning that makes your machine a man-in-the-middle for the hosts you spoof. If you don't also enable IP forwarding you black-hole their traffic, anything that watches ARP tables will flag it, and it belongs only on a network you own or are authorized to test. Use it with care.
Installation varies by Linux distribution. On Debian it's easy. Install it, then run the ntop command once in the foreground; on first start it prompts you to create an admin password (you can set or change it later with ntop -A):

# apt-get install ntop
# ntop
ntop is now running in the foreground and serving on port 3000. Press Ctrl-C to stop it (if you leave it running, the packaged daemon will collide with it on port 3000), then start the daemon the Debian way:

/etc/init.d/ntop restart

Now open a Web browser to http://localhost:3000, and there you are. If your ntop installation is on a headless box like a router, use the IP address or hostname of the router from a neighboring PC, like http://router1:3000. The ntop Web pages update themselves automatically. One caution before you do that from across the LAN: out of the box ntop listens on every interface, and the admin password you just set travels over plain HTTP. Bind it to localhost (-w 127.0.0.1:3000) and reach it through an SSH tunnel, or use the HTTPS listener (-W) if your build includes SSL support; either way, don't let port 3000 be reachable from the Internet.
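Before you leave it running, it is worth tightening the default start-up. The following script is an added example (mine, not the article's or the ntop project's): it builds an ntop command line that runs as the unprivileged ntop user and binds the Web UI to loopback, refuses a wildcard bind unless you ask for it explicitly, and afterwards checks that nothing on the Web port is listening on a non-loopback address. The option letters are ntop 3.x's (-d, -L, -u, -P, -i, -w); the ntop user and /var/lib/ntop are assumed to exist as the Debian package creates them, and the ss column layout is assumed to be the usual iproute2 one.

```sh
#!/bin/sh
# Added example for this article; not code from the article or from ntop.
# Assumptions: ntop 3.x option letters (-d daemonize, -L log to syslog,
# -u run-as user, -P database directory, -i interface, -w HTTP
# [address:]port), plus the "ntop" system user and /var/lib/ntop directory
# the Debian package creates.

# The weak default the quick start leaves you with: runs as root and puts
# the unencrypted Web UI (and its admin login) on port 3000 of every interface.
ntop_weak_cmd() {
    echo "ntop -d -i eth0"
}

# ntop_hardened_cmd IFACE [BINDADDR] [PORT]
# Prints an ntop command line that drops root after opening the capture
# socket and binds the Web UI to one address, loopback by default, so you
# reach it through an SSH tunnel (ssh -L 3000:127.0.0.1:3000 router1).
# A wildcard bind is refused unless NTOP_PUBLIC=1 is set on purpose.
ntop_hardened_cmd() {
    iface=$1
    bind=${2:-127.0.0.1}
    port=${3:-3000}
    [ -n "$iface" ] || { echo "usage: ntop_hardened_cmd IFACE [BINDADDR] [PORT]" >&2; return 2; }
    if [ "$bind" = 0.0.0.0 ] && [ "${NTOP_PUBLIC:-0}" != 1 ]; then
        echo "refusing to put the ntop Web UI on all interfaces; set NTOP_PUBLIC=1 to override" >&2
        return 1
    fi
    echo "ntop -d -L -u ntop -P /var/lib/ntop -i $iface -w $bind:$port"
}

# is_loopback ADDR:PORT -> 0 when the listening address is loopback only.
is_loopback() {
    case "$1" in
        127.*|\[::1\]:*|::1:*|localhost:*) return 0 ;;
        *) return 1 ;;
    esac
}

# ui_is_private PORT: after starting ntop, look at every TCP listener on
# PORT (ss -ltn, local address in column 4) and report any that is not on
# loopback. Returns 0 when the Web UI is private, 1 when something is exposed.
ui_is_private() {
    port=$1
    private=0
    for addr in $(ss -ltn 2>/dev/null | awk -v p=":$port" 'NR > 1 && $4 ~ p"$" { print $4 }'); do
        is_loopback "$addr" || { echo "exposed listener: $addr" >&2; private=1; }
    done
    return $private
}

case "${1:-}" in
    show)  echo "weak:     $(ntop_weak_cmd)"
           echo "hardened: $(ntop_hardened_cmd "${2:-eth0}")" ;;
    check) ui_is_private "${2:-3000}" && echo "ntop Web UI is loopback-only" ;;
esac
```

Run `sh ntop-start.sh show eth0` to print both command lines, start the daemon as root with `eval "$(ntop_hardened_cmd eth0)"`, then `sh ntop-start.sh check 3000` to confirm only 127.0.0.1 is listening. The capture itself still needs root to open the interface; -u only governs what ntop runs as once the socket is open.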
You can configure ntop and see its current configuration from the Web interface. Go to the Admin -> Configure tab to see the configuration panel, and log in with the admin user, using the password you created. About -> Show Configurations shows every detail of your current configuration, including build options.
Give ntop a few minutes to capture some data, then cruise the pages. You might find some surprises, like I did on IP -> Local Ports -> Used, which showed that POP3/110 was in use. This meant I had at least one email account that was operating in the clear, instead of over port 995, which is for encrypted mail transfer.
Summary -> Hosts can turn up some fascinating Web activity. Like a lot of traffic from www.google-analytics.com. The URL itself generates a 404 page; why on Earth is Google Analytics showing up so much when I haven't visited Google.com? So I googled on google-analytics, and found www.Google.com/analytics. Didn't learn much, other than it's yet another data-collection tool.
Auditmypc.com is another chronic offender revealed by ntop. Why are these people pestering me? Is someone using it to probe my firewall?
ntop gives enough information to write some iptables rules to block this stuff, if I feel like it. It reports the originating domain, the MAC address and IP address, and has a handy WHOIS button. Block on the IP address, though: the MAC address ntop shows for a remote host is your router's, not theirs, because that is the last hop your capture point sees.
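As an added example (mine, not the article's), here is a small script that turns a list of addresses copied off ntop's host pages into iptables rules. It validates each line before it goes anywhere near a command, keeps the rules in their own chain so one flush undoes them, logs a rate-limited sample before blocking, and rejects outbound connections so local clients fail fast. The addresses in it are constructed placeholders from the RFC 5737 documentation ranges, not hosts seen by ntop; the chain name NTOPBLOCK is an arbitrary choice; and the -C check assumes iptables 1.4.11 or later.

```sh
#!/bin/sh
# Added example for this article, not code from the article or from ntop.
# Turns addresses read off ntop's host pages into iptables rules that live
# in their own chain, so 'iptables -F NTOPBLOCK' undoes the lot.
# The sample addresses are constructed from the RFC 5737 documentation
# ranges; NTOPBLOCK is an arbitrary chain name; 'iptables -C' needs
# iptables 1.4.11 or newer.

# valid_ipv4 ADDR: accept a dotted quad, optionally with a /prefix, and
# nothing else, so a garbled copy-paste never reaches a shell command line.
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
    ip=${1%%/*}
    case "$1" in
        */*) [ "${1##*/}" -le 32 ] || return 1 ;;
    esac
    set -- $(printf '%s\n' "$ip" | tr . ' ')
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# rules_for ADDR: log a rate-limited sample, then block the host in both
# directions. Inbound is silently dropped; outbound is rejected so local
# clients fail fast instead of hanging on a dead connection.
rules_for() {
    addr=$1
    valid_ipv4 "$addr" || { echo "skipping invalid address: $addr" >&2; return 1; }
    cat <<EOF
iptables -A NTOPBLOCK -s $addr -m limit --limit 3/min -j LOG --log-prefix "ntopblock in: "
iptables -A NTOPBLOCK -s $addr -j DROP
iptables -A NTOPBLOCK -d $addr -m limit --limit 3/min -j LOG --log-prefix "ntopblock out: "
iptables -A NTOPBLOCK -d $addr -j REJECT
EOF
}

# block_rules: one address per line on stdin, iptables commands on stdout.
# Returns 1 if any line had to be skipped.
block_rules() {
    rc=0
    while read -r a; do
        [ -n "$a" ] || continue
        rules_for "$a" || rc=1
    done
    return $rc
}

# setup_chain: create NTOPBLOCK (or empty it if it exists) and hook it into
# the three built-in chains exactly once.
setup_chain() {
    iptables -N NTOPBLOCK 2>/dev/null || iptables -F NTOPBLOCK
    for hook in INPUT OUTPUT FORWARD; do
        iptables -C "$hook" -j NTOPBLOCK 2>/dev/null || iptables -I "$hook" -j NTOPBLOCK
    done
}

# apply_rules: generate and run the rules; root only.
apply_rules() {
    [ "$(id -u)" = 0 ] || { echo "apply_rules: must run as root" >&2; return 1; }
    setup_chain
    block_rules | sh -e
}

# Constructed sample, as you might copy it from Summary -> Hosts; the third
# line shows what the validator catches.
SAMPLE_HOSTS='198.51.100.23
203.0.113.0/24
not-an-address
192.0.2.77'

case "${1:-}" in
    show)  printf '%s\n' "$SAMPLE_HOSTS" | block_rules ;;
    apply) printf '%s\n' "$SAMPLE_HOSTS" | apply_rules ;;
esac
```

`sh ntopblock.sh show` prints the rules for review (twelve lines for the three valid sample entries, and a warning on stderr for the bad one); `sh ntopblock.sh apply` as root installs them. To block your own list, feed it to block_rules on stdin instead of the sample. Because everything sits in NTOPBLOCK, `iptables -F NTOPBLOCK` clears the blocks without touching the rest of your firewall.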
Visit ntop.org for documentation, and check out man ntop for a lot of good help.
The next time your network performance feels too slow, don't blame your users. Look outward; you might be surprised at who is clogging your bandwidth with useless traffic.