Author Topic: ntop configuration  (Read 50454 times)
Taxman
« on: Tuesday 29 December 2009, 06:17:02 am »

I found the login/pass in a separate post (thanks btw)! :-)

The problem I am seeing is that ntop is configured for <br0> (My Green network) only...

When I edit the configuration and add <br1> (a separate LAN segment that I am watching) and <eth2> (my RED port) under "Admin" > "Configure" > "Startup Options" > "Capture Interfaces" in the ntop web interface, the settings seem to "save", but when I close/reboot/etc. they are actually never saved. Each time I come into the ntop interface, only the <br0> port (my green LAN) is showing.

Anyone else seeing this?  Fixes/suggestions welcome!
turitopa
« Reply #1 on: Thursday 25 March 2010, 08:08:18 am »

Taxman,

I am seeing the same problem - I don't need to watch my green interface.  Any solution on getting NTOP to pull stats on the RED?

When I try to "switch" from <br1> I get this response:

Note that the NetFlow and sFlow plugins - if enabled - force -M to be set (i.e. they disable interface merging).

Sorry, you are currently capturing traffic from only a single/dummy interface [br0].

This interface switch feature is meaningful only when your ntop instance captures traffic from multiple interfaces.
You must specify additional interfaces via the -i command line switch at run time.


Also, I cannot get into the NTOP configuration. Can someone advise the default password?

Running XenServer 5.5 on a Dell PowerEdge 2950 III rack server.
vm Endian 2.3
vm sbs 2008
mrkroket
« Reply #2 on: Saturday 27 March 2010, 02:26:46 am »

Try to manually edit the ntop cfg file at: /etc/ntop/etc/ntop.conf
turitopa
« Reply #3 on: Saturday 27 March 2010, 07:57:16 am »

Try to manually edit the ntop cfg file at: /etc/ntop/etc/ntop.conf

Hi mrkroket,

I just had a quick look; I do not have the path you stated above, or that Ntop.cfg file.
I am using the Endian 2.3 community version.

EDIT:  ok found it @ /etc/ntp/ntp.conf
will look at the file and see what I can do from there

EDIT2: haha, NTP is the time server huh??
Okay please someone, need assistance to setup NTOP for red interface.

mrkroket
« Reply #4 on: Tuesday 30 March 2010, 02:53:13 am »

I'm sorry, my fault!!

I rechecked my files and now I remember what I did.

By default Endian Firewall loads the ntop config directly from a script, not from a config file, so it can't write down interface changes as they are hardcoded in the script.
I changed that and created a config file instead (this way ntop can change some parameters).

Steps to do:
1-Edit /etc/init.d/ntop file
nano /etc/init.d/ntop
Comment out the option parameter on line 16 (just to back it up) and add a new option parameter:
#option="--user ntop --daemon --db-file-path /var/ntop --interface br0 --trace-level 3 --https-server 3001 --http-server 0 --disable-schedyield --no-fc"
option="@/etc/ntop/etc/ntop.conf"


2-Create the config file:

mkdir /etc/ntop/etc
nano /etc/ntop/etc/ntop.conf
chmod 666 /etc/ntop/etc/ntop.conf
(Just in case....)


I picked up a default ntop.conf file and adjusted it to replicate the parameters passed as options on line 16, but changing my interfaces:
Code:
################################################################################
##                                                                             #
##  This file, ntop.conf.sample is a sample of an ntop configuration file.     #
##                                                                             #
##  You should copy this file to its normal location, /etc/ntop.conf           #
##  and edit it to fit your needs.                                             #
##                                                                             #
##       ntop is easily launched with options by referencing this file from    #
##       a command line like this:                                             #
##                                                                             #
##       ntop @/etc/ntop.conf                                                  #
##                                                                             #
##  Remember, options may also be listed directly on the command line, both    #
##  before and  after the @/etc/ntop.conf.                                     #
##                                                                             #
##  For switches that provide values, e.g. -i, the last one matters.           #
##  For switches that just say 'do things', e.g. -M, if it's ANYWHERE in the   #
##  commands, it will be set.  There's no unset option.                        #
##                                                                             #
##  You can use this to your advantage, for example:                           #
##       ntop @/etc/ntop.conf -i none                                          #
##  Overrides the -i in the file.                                              #
##                                                                             #
##  Nested @'s - that is @/etc/ntop.common inside /etc/ntop.conf are not       #
##  permitted.                                                                 #
##                                                                             #
##  Note that this is not an exhaustive list of ntop's commands - refer        #
##  to the man page and other documentation for that.  This is just the        #
##  most commonly used command and various examples of them                    #
##                                                                             #
##                                                                             #
##  Lines beginning ## are pure comments.                                      #
##                                                                             #
##  Lines beginning with a dash in this sample file are 'live' and will        #
##  be used if you just copy this file to /etc/ntop.conf.                      #
##                                                                             #
##  Lines you might wish to uncomment and use as is begin with #- or #--       #
##                                                                             #
##  Parameter lines beginning with #? are models that you will need to         #
##  review and or customize to your environment before using them.             #
##                                                                             #
################################################################################
##                                                                             #
##  Initial version by Burton M. Strauss III (Burton@ntopsupport.com)          #
##                                                                             #
##  Updates and documentation courtesy of                                      #
##      Joseph Ezerski (jezerski@broadcom.com) (04-2003)                       #
##      Tim Malnati (tgm@cshore.com) (09-2003)                                 #
##                                                                             #
################################################################################

############################## RUNNING ENVIRONMENT #############################

--disable-schedyield
--no-fc

## -u | --user -- tells ntop the user id to run as.

##  NOTE: This should not be root unless you really understand
##        the security risks.

--user ntop

##-----------------------------------------------------------------------------#

## -d | --daemon -- sets ntop to run as a daemon (in the background, not
##        connected to a specific terminal).

##  NOTE: For more than casual use, you probably want this.

--daemon

##-----------------------------------------------------------------------------#

## -P | --db-file-path -- sets the directory that ntop runs from.

##  NOTE: Use an absolute path (not a relative one like ../ntop) because
##        the working directory (pwd) will be different when ntop is run
##        from the command line, from cron and from initialization.

--db-file-path /var/ntop
#? -P /var/ntop

##-----------------------------------------------------------------------------#

## -D | --domain -- Sets the domain.  ntop should be able to determine
## this automatically, but occasionally has problems. If so, this makes the
## output cleaner.

#--domain YourDomainHere.local


################################ WHAT TO MONITOR ###############################

## -i | --interface tells ntop which network interfaces (NICs) to monitor.
##  DEFAULT: The 1st ethernet device, e.g. eth0, i.e. this line:
--interface  br0,eth0.1101,eth1

## To monitor both eth0 and eth2 but not eth1:
#? --interface eth0,eth2

## To monitor NO ethernet interfaces (for example a system collecting data
## only from netFlow probes):

#? --interface none

##-----------------------------------------------------------------------------#

## -M | --no-interface-merge -- tells ntop not to merge data from all of the
## network interfaces it is monitoring.  See the man page and docs/FAQ for
## discussions of -M.

--no-interface-merge

##-----------------------------------------------------------------------------#

## -m | --local-subnets -- Tells ntop of additional networks that should
##        be considered local.  This is for the local/remote breakdowns
##        and because additional data is kept and display for local hosts.

##       The addresses of the network interface(s) (NICs) are always local
##       and don't need to be specified. If you use unnumbered interfaces
##       you MUST give ntop this information.

## NOTE: You can mix CIDR and network/netmask notation.

## SEE ALSO: --track-local-hosts

## EXAMPLES:


## Traffic I see (broadcasts only, of course) on my cable modem includes
## other subnets than my own 12.239.98.0/24.  I see 12.239.99.0/24 and
## 12.239.100.0/24 - to tell this to ntop:
#? -m 12.239.99.0/24,12.239.100.0/24
-m 192.168.0.0/16

## I actually run this way, telling ntop about the whole range of
## addresses used as well as the private network used internally by the
## cable modems themselves.
#? -m 192.168.42.0/24,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16

## All of these are equivalent to the one above:

## -m 192.168.42.0/255.255.255.0,12.239.96.0/22,12.239.100.0/24,10.113.0.0/16
## -m 192.168.42.0/255.255.255.0,12.239.96.0/255.255.252.0,12.239.100.0/255.255.255.0,10.113.0.0/255.255.0.0

##-----------------------------------------------------------------------------#

## -p | --protocols -- ntop comes with an extensive list of common tcp/ip
## protocols to monitor already built in.  (See docs/FAQ for the current list).
## If you want to increase, decrease or change this list, this is the parameter.

## It can be either a file or a list.  To point ntop to a file specify its name:

#? -p /usr/share/ntop/protocol.list

## Or to give an explicit list:

#? --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"

##-----------------------------------------------------------------------------#

## -c | --sticky-hosts -- tells ntop NOT to purge idle hosts from memory.

## DO NOT USE THIS unless you are on a small, very static network, or you
## have LOTS of memory.

## It is strongly recommended that you use a filtering expression to limit
## the hosts which are stored if you use --sticky-hosts.

#? --sticky-hosts

##-----------------------------------------------------------------------------#

## --disable-instantsessionpurge -- by default, ntop internally changes the
## status of completed sessions so that they get purged immediately.  This
## doesn't present a true picture of the network, but does conserve memory.
## Enable this switch to see those finished sessions before their purge
## interval (5 minutes) expires, IF YOU HAVE ENOUGH MEMORY.

#? --disable-instantsessionpurge

################################## LOG MESSAGES ################################

## -t | --trace-level -- controls the amount and severity of messages that
## ntop will put out.  Choices are:

#--trace-level 0 # FATALERROR only
#--trace-level 1 # ERROR and above only
#--trace-level 2 # WARNING and above only
--trace-level 3 # INFO, WARNING and ERRORs - the default
#--trace-level 4 # NOISY - everything
#--trace-level 6 # NOISY + MSGID
#--trace-level 7 # NOISY + MSGID + file/line

--trace-level 3 # Which is the default

##-----------------------------------------------------------------------------#

##
## -L | --use-syslog | --use-syslog=xxxx -- By default, ntop writes its
## messages to stdout (the terminal).

## WARNING: If you are running ntop as a daemon (--daemon parameter), the
## stdout (terminal) does not exist and so messages will be dropped.
## You probably don't want to do this.  Instead, use this -L | --use-syslog
## parameter to save them into the system log (/var/log/messages).
##
## Thus a typical startup for ntop running as a daemon is:
#--daemon --use-syslog


## You can also direct the messages to another file.  You'll want to
## look at man syslog.conf to setup the configuration file.  For example
## to use 'local3' to keep ntop messages separate, I have this in my
## /etc/syslog.conf:

##   # Save ntop
##   local3.*                                           /var/log/ntop.log

## Then I run ntop with this:
#? --use-syslog=local3

##  NOTE: The = is REQUIRED and no spaces are permitted.


################################## WEB SERVER ##################################

## ntop offers both an http:// and https:// web server.  These parameters
## tell ntop which ports (and interfaces) to offer this web server on.

## -w | --http-server -- is the http:// web server.

##  NOTE: --http-server 3000 is the default
#--http-server 0

## -W | --https-server -- is the https:// web server.

#--https-server 3001

## The default is -w 3000 -W 0 (disabled).  You can also...

## https:// only:
-w 0 -W 3001

## http:// and https://
#? --http-server 3000 --https-server 3001

## Neither - say ntop is running only as a netFlow probe:
#? -w 0 -W 0

## You can also limit ntop to listening on a specific interface. For example:

#? -w 127.0.0.1:3000  # Listens only on the loopback interface at port 3000

########################### PERFORMANCE AND PROBLEMS ###########################

## -B | filter-expression -- gives ntop a bpf (Berkeley Packet Filter) expression
## to use.  (the easiest place to find bpf documented is on the tcpdump man page).

## NOTE: The filter expression MUST be in quotes.

## To restrict ntop to only a few machines on a large network, say 192.168.1.88
## through 91:

# -B "net 192.168.0.0/16"

## That is equivalent to specifying the specific hosts:

#? -B "host (192.168.1.88 or 192.168.1.89 or 192.168.1.90 or 192.168.1.91)"

## You can limit traffic to that from (src) or to (dst) a specific host:

#? -B "src host www.mycompany.com"
#? -B "dst host www.mycompany.com"

## You can limit it to a specific protocol, including src/dst:

#? -B "port ssh"
#? -B "src port ssh"
#? -B "dst port ssh"

##-----------------------------------------------------------------------------#

## -o | --no-mac -- Configures ntop not to trust MAC addrs.
## This is used if you observe ntop being confused by 'changing' addresses -
## i.e. ntop believes that the corporate web server is actually Joe's desktop
## computer.

#--no-mac

##-----------------------------------------------------------------------------#

## -g | --track-local-hosts -- Tells ntop to track only local hosts.  These
## are hosts defined as local according to the network interfaces or specified
## by the --local-subnets option.

## Use this if you are seeing too many hosts and all you care about is the
## local (LAN) traffic.

#--track-local-hosts

##-----------------------------------------------------------------------------#

## -z | --disable-sessions -- Tells ntop not to track tcp session information.
## Speeds up processing, requires less memory, but conveys less information.

#--disable-sessions

##-----------------------------------------------------------------------------#

And save it.

3-Restart ntop
restartntop
turitopa
« Reply #5 on: Wednesday 31 March 2010, 11:35:38 am »

Hi Mrkroket,

Okay, I have followed your instructions, but am unable to connect to the web monitor service now.

When I run restartntop I get this message (PS: I called my Endian box ipcop):
root@ipcop:~ # restartntop
Stopping ntop:                                             [FAILED]
Starting ntop:                                             [  OK  ]
root@ipcop:~ #


I actually just copied and pasted your code; I was not sure if I need to configure settings for my particular network (well, I tried and it did not work).
I am editing files on an XP client using WinSCP. Should I use notepad+ to edit txt files, and when using notepad+ what format should I save the text files as?
I don't like using text editors in Linux; I don't know the commands...

please help, let me know if you want to see any logs files etc..
thanks again,

EDIT: If possible I'd like NTOP to monitor the RED interface (eth1) and, if possible, which devices on BR0 are sending/receiving to the RED.
Let me know if I need to provide IP numbers etc...

turitopa
mrkroket
« Reply #6 on: Friday 04 June 2010, 02:02:59 am »

Sorry, I didn't see your post; although it is old, I'll reply.

There doesn't seem to be anything wrong with your restart. It says: Starting ntop: [OK]
Maybe the copy-paste failed, maybe the forum added or removed characters from my post.
Use some ntop.conf you find on the internet.

You could use winscp, I'm not sure about notepad+. Try to use the internal editor from WinSCP, I'm sure it works.

turitopa
« Reply #7 on: Thursday 24 June 2010, 03:15:03 pm »

Hi mrkroket,

Okay, I have completely stuffed up my ntop now.

Ntop is started but I cannot connect via endian:3001

Would you know how I can restore Ntop to original settings?
I don't really want to do a complete factory reset as everything is working good except I have no NTOP now...

I was trialing EFW 2.4 but noticed my live log of SMTP proxy is extremely slow, so I think I may stay with 2.3 for now.

If i backed up my 2.3 config and restored it onto 2.4, would I expect the faulty Ntop config to be restored?
(I might actually try to restore backup on a new install...)

Slightly off topic and late... I was searching for a fix, alas found none, hence the post.
flavio66
« Reply #8 on: Tuesday 19 April 2011, 10:59:50 pm »

I'm quite late but I hope to be helpful.

It's not necessary to search for an ntop configuration file.
Simply change the startup parameters in the launch script (line 16 on EFW 2.4.0 community):

from
Code:
option="--user ntop --daemon --db-file-path /var/ntop --interface br0 --trace-level 3 --https-server 3001 --http-server 0 --disable-schedyield --no-fc"

to
Code:
option="--user ntop --daemon --db-file-path /var/ntop --interface br0,br1,eth3 --trace-level 3 --https-server 3001 --http-server 0 --disable-schedyield --no-fc"

where br1 and eth3 are a sample of the interfaces you want to monitor (the list of available interface names is in the Endian dashboard).
I'm monitoring br0 = LAN, br1 = DMZ and eth3 = WAN.

Naturally, restart ntop to see the changes.
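As an added example (not code from the thread, from Endian or from ntop), a small POSIX shell script that performs the two edits described in this thread: flavio66's change to the --interface list on the init script's option= line in reply #8, and mrkroket's step 2 from reply #4 (installing the @-file the init script points at), with the interface list validated before it is spliced in and the config file installed without the world-writable mode. Paths, variable names and the sample interface list are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from Endian: the two edits the
# thread describes, done from a script. Paths and interface names are assumed.
set -eu

# validate_ifaces "br0,br1,eth3": accept only plain Linux device names, so the
# list cannot smuggle extra ntop options or shell metacharacters into the init
# script (the list is spliced into a sed replacement and a shell-quoted line).
validate_ifaces() {
    oldifs=$IFS; IFS=','
    for name in $1; do
        case "$name" in
            ''|*[!A-Za-z0-9_.:-]*) IFS=$oldifs; return 1 ;;
        esac
        # Optional: with NTOP_CHECK_SYSFS=1 the device must also exist.
        if [ "${NTOP_CHECK_SYSFS:-0}" = 1 ] && [ ! -e "/sys/class/net/$name" ]; then
            IFS=$oldifs; return 1
        fi
    done
    IFS=$oldifs
}

# set_ntop_interfaces SCRIPT "br0,br1,eth3": flavio66's edit, i.e. replace the
# argument after --interface on the option="..." line of /etc/init.d/ntop.
# A .bak copy is kept, and the file is rewritten in place so its mode (0755)
# and owner survive.
set_ntop_interfaces() {
    script=$1; ifaces=$2
    validate_ifaces "$ifaces" || { echo "rejected interface list: $ifaces" >&2; return 1; }
    grep -q '^option=".*--interface ' "$script" || { echo "no option= line in $script" >&2; return 1; }
    [ -e "$script.bak" ] || cp -p "$script" "$script.bak"
    tmp=$(mktemp)
    sed "/^option=\"/s/--interface [^ \"]*/--interface $ifaces/" "$script" > "$tmp"
    cat "$tmp" > "$script"
    rm -f "$tmp"
}

# current_ntop_interfaces SCRIPT: print the list ntop will be started with.
current_ntop_interfaces() {
    sed -n '/^option="/s/.*--interface \([^ "]*\).*/\1/p' "$1"
}

# install_ntop_conf SRC [DST]: mrkroket's step 2, placing the config file that
# option="@/etc/ntop/etc/ntop.conf" points at. The init script runs as root and
# hands every line of this file to ntop as options, so a world-writable file
# (the thread's chmod 666) lets any local user change how ntop starts; 0644
# is enough for ntop to read it.
install_ntop_conf() {
    src=$1; dst=${2:-/etc/ntop/etc/ntop.conf}
    mkdir -p "$(dirname "$dst")"
    cp "$src" "$dst"
    chmod 0644 "$dst"
}

# Usage on the box (then run restartntop):
#   set_ntop_interfaces /etc/init.d/ntop br0,br1,eth3
#   install_ntop_conf ./ntop.conf
```

The functions print nothing on success and return non-zero with a message on stderr when the interface list is rejected or the option= line is missing.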