NTop as a Network Diagnostics Tool

Ntop is a network traffic monitoring tool that shows network usage in much the same way that the popular top command shows process activity. This article explains how it helps when troubleshooting network problems.

Organisations face various types of network problems, which result in inaccessible devices, degraded performance, intermittent disconnections and so on. These can be broadly classified as:

  • Network hardware failure: this includes faulty passive devices (information outlets, patch panels), improper cabling and crimping, and faulty active devices (switches, Ethernet cards).
  • Network configuration problems: this includes improper configuration of protocols, and installation of unwanted protocols.
  • Malicious code: the presence of worms/viruses on the network may cause performance to drop.

Table 1 details some possible reasons for network-related problems.

Network problem                        | Example                                                                              | Classification
---------------------------------------|--------------------------------------------------------------------------------------|----------------------
Faulty network layout                  | Multiple cascading of switches on fast networks.                                     | Hardware
Faulty network cabling                 | Cable sequence not observed while crimping; faulty crimping.                         | Hardware
Faulty device on the network           | A faulty Ethernet card transmitting a lot of packets.                                | Hardware
Multiple protocols on the same network | Unwanted protocols like NetBEUI or IPX installed on IP networks, degrading performance. | Network configuration
Malware present on the network         | Backdoors like Back Orifice.                                                         | Malicious code

To troubleshoot a network problem from scratch, you would typically start with the network hardware: study the network diagram, and physically check the cabling, the places where network cables run alongside or cross electrical cables, the crimping quality, the quality of the IOs (information outlets), the switches, the routers and practically every other piece of hardware the network uses. If the problem lies in the hardware, so much the better, since tracking it down is reasonably straightforward.

Troubleshooting problems related to network configuration or malicious code, however, can turn really nasty and become a long-drawn-out battle, because of the variety of devices present on the network: different operating systems running various protocols, network printers, wireless access points, firewalls, routers, managed switches and so on.

Troubleshooting these should start by monitoring network traffic continuously over a period of time, covering the protocols in use, bandwidth utilisation, activity graphs, and the direction and flow of traffic. The output of this monitoring is then analysed for anomalies that pinpoint the problem, so a good, reliable network monitoring tool is a must.

There are various open source networking tools available on the Linux platform, including packet sniffers like Wireshark, Kismet and Tcpdump, and network probes like Hping and Traceroute. However, the moment you consider simple network monitoring, the automatic choice should be Ntop!

It is said that the good things in life are never free, but I beg to differ. Ntop, developed by Luca Deri, an Italian scientist, is available free of cost under the GNU GPL. It is a very effective way to monitor the network, and covers everything from packet capture to displaying an analysis of the captures in a Web browser, organised as the following modules:

  • Packet capture: Ntop uses libpcap, the same capture library Tcpdump and Wireshark use, to capture packets on the network. libpcap's own capture buffer is small, so Ntop reads packets from the configured interface into its own buffer before analysing them, which reduces the chance of dropping packets while the analyser is busy.
  • Packet analyser: Ntop analyses the captured packets one raw packet at a time, to extract information such as the host's operating system, when the host first appeared on the network, the protocols it uses, address resolution (IP address to name and to MAC address), etc. This information is cached in memory and persisted in database files under a user-definable directory.
  • Network flow measurement: a flow is defined by a rule (a filter expression); whenever a captured packet matches a flow's rule, that flow's counter is incremented. Flows let you count, say, all DNS traffic or all traffic to one server, independently of the per-host tables.
  • Plugins: various plugins (dynamically loaded libraries) can be enabled or disabled at startup, or from the Web interface.
  • Web server: all the captured, analysed and measured information is presented on Web pages for easy navigation, inspection and analysis. By default the Ntop Web server listens on TCP port 3000 for HTTP; HTTPS is also supported, and the protocol and port numbers are chosen with command-line options. The administrative pages require the administrator password, and access to the remaining pages can also be restricted from the Admin menu; prefer HTTPS, since over plain HTTP that password travels in the clear.
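The capture, analyse and flow-count pipeline described above, as an added example in Python that is not Ntop's own code: it builds a small pcap file in memory from constructed Ethernet/IPv4 frames (documentation addresses 192.0.2.x and 198.51.100.x), reads it back the way ntop -f reads a dump file, extracts the per-packet fields an analyser keys on, records when each host was first seen, totals bytes per protocol, and counts packets against named flow rules. The flow rules are Python predicates here, standing in for the BPF filter expressions Ntop itself takes; the sample frames, addresses and rule names are all assumptions made for the example.

```python
"""Toy version of ntop's capture -> analyse -> flow-count pipeline over a pcap file."""
import struct
from collections import defaultdict

ETH_P_IP = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17
PROTO_NAMES = {IPPROTO_TCP: "tcp", IPPROTO_UDP: "udp"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, sport, dport, payload_len=0):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame used as sample input (not a real capture)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    if proto == IPPROTO_TCP:   # 20-byte TCP header, SYN flag set, zero checksum
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    else:                      # 8-byte UDP header
        l4 = struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)
    l4 += b"\x00" * payload_len
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ip4(src_ip), ip4(dst_ip))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP) + ip + l4


def build_pcap(records):
    """Serialise (timestamp, frame) pairs as a little-endian pcap file (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int(round((ts - sec) * 1e6)), len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame) from pcap bytes; this is what ntop -f does with a dump file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a pcap file")
    offset = 24
    while offset + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield sec + usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode(frame):
    """Extract the fields an analyser keys on; None for anything that is not IPv4 over Ethernet."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    sport = dport = None
    if proto in PROTO_NAMES and len(frame) >= 14 + ihl + 4:
        sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return {"src_mac": frame[6:12].hex(":"), "dst_mac": frame[:6].hex(":"),
            "src_ip": ".".join(map(str, frame[26:30])), "dst_ip": ".".join(map(str, frame[30:34])),
            "proto": proto, "sport": sport, "dport": dport}


# Flow rules as Python predicates; ntop itself takes BPF filter expressions for this.
FLOW_RULES = {
    "dns": lambda p: p["proto"] == IPPROTO_UDP and 53 in (p["sport"], p["dport"]),
    "web": lambda p: p["proto"] == IPPROTO_TCP and p["dport"] in (80, 443),
    "to-fileserver": lambda p: p["dst_ip"] == "192.0.2.10",
}


def analyse(pcap_bytes, rules=FLOW_RULES):
    """One pass over the capture: first-seen time per host, bytes per protocol, flow hit counts."""
    first_seen, bytes_by_proto, flows = {}, defaultdict(int), {name: 0 for name in rules}
    packets = non_ip = 0
    for ts, frame in read_pcap(pcap_bytes):
        packets += 1
        p = decode(frame)
        if p is None:
            non_ip += 1
            continue
        for host in (p["src_ip"], p["dst_ip"]):
            first_seen.setdefault(host, ts)
        bytes_by_proto[PROTO_NAMES.get(p["proto"], "other")] += len(frame)
        for name, rule in rules.items():
            if rule(p):
                flows[name] += 1
    return {"packets": packets, "non_ip": non_ip, "first_seen": first_seen,
            "bytes_by_proto": dict(bytes_by_proto), "flows": flows}


# Constructed sample capture: a DNS exchange, an HTTPS SYN, an SMB SYN and one ARP frame.
ARP_FRAME = bytes.fromhex("ffffffffffff" "020000000003" "0806") + b"\x00" * 28
SAMPLE_PCAP = build_pcap([
    (1000.0, build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.20", "192.0.2.1", IPPROTO_UDP, 40000, 53, 30)),
    (1000.5, build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", "192.0.2.1", "192.0.2.20", IPPROTO_UDP, 53, 40000, 60)),
    (1001.0, build_frame("02:00:00:00:00:01", "02:00:00:00:00:02", "192.0.2.20", "198.51.100.7", IPPROTO_TCP, 51000, 443)),
    (1001.25, build_frame("02:00:00:00:00:03", "02:00:00:00:00:02", "192.0.2.21", "192.0.2.10", IPPROTO_TCP, 51001, 445)),
    (1002.0, ARP_FRAME),
])

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PCAP).items():
        print(f"{key}: {value}")
```

Run it with python3 and it prints five packets seen, one of them non-IP, the first-seen time of each host, 174 bytes of UDP against 108 bytes of TCP, and two DNS, one web and one file-server flow hit. The point of the ARP frame is the check a real analyser must make before touching IP header offsets; Ntop adds name resolution, OS guessing and persistence on top of this skeleton.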

Installing Ntop in Linux is simple and straightforward. Under Ubuntu, it is a single command:

sudo apt-get install ntop

Note that current Debian and Ubuntu releases no longer ship the classic ntop package: it has been superseded by ntopng, Luca Deri's rewrite, which is configured differently from what is described here.

Monitoring traffic using Ntop

To start, run Ntop from the command prompt with the required parameters, for example:

ntop -i eth0 -w 1000 -W 2000 -A=Pwd123

With this command line, Ntop will:

  • capture packets from the eth0 interface
  • run the HTTP Web server on port 1000
  • run the HTTPS Web server on port 2000
  • assign Pwd123 as the Ntop administrator password for the Web interface

Two points are worth checking before using a line like this in earnest. Capturing packets needs root privileges, so start Ntop as root and add -u <user> to make it drop to an unprivileged account once the capture interface is open. And a password given on the command line ends up in the shell history and in the process list visible to every local user, so pick something much stronger than Pwd123 and prefer letting Ntop prompt for it (-A with no value). Check Ntop's startup output afterwards as well: some 3.x releases store the administrator password and then exit when -A is given, in which case start Ntop again without it.

Ntop has some other useful command line parameters, including:

  • -p limits the TCP/UDP protocols Ntop breaks traffic down by (given as name=port entries).
  • -P sets the directory used to store Ntop's databases. Only the Ntop user should have access to this directory, since it also holds the password database.
  • -f TrafficDumpFile reads a capture file written by any libpcap-based tool such as Tcpdump or Wireshark, for offline analysis of the traffic. With this option, Ntop does not capture from the network cards.
  • -F defines flows for the flow measurement described above, as a list of name='filter' entries where filter is a BPF expression of the kind Tcpdump accepts.
  • -u runs Ntop as the given user once the capture interface has been opened as root.
  • -d runs Ntop in daemon mode (no output on the screen).
  • -L logs messages to the syslog facility (useful along with -d).

Real-life examples

Networking engineers face challenging network congestion problems at various sites, and troubleshooting them would be a very difficult and time-consuming task without a proper network monitoring tool. Let me share two real-life experiences where Ntop was used to troubleshoot Internet speed problems.

A problem was reported that Internet connectivity slowed down at 1pm every day and returned to its normal speed on its own after some random time. Ntop was set up to monitor traffic from 12pm onwards. It was evident from the reports that Microsoft Windows updates were scheduled for 1pm daily, and all the PCs on the network were trying to connect to the Windows Update site at the same time, which bogged down the Internet connection.

Another problem was that the ERP server and the Internet connection slowed down at 4pm every day, and returned to normal speed after about two hours. Ntop's monitoring results made it clear that a large number of remote users logged into the ERP server via VPN at 4pm to start day-closing operations, which included using the server to generate reports and invoices and printing them on their remote terminals. The many simultaneous logins slowed down the ERP server, and the volume of reports being printed on remote printers via the VPN slowed down Internet connectivity. Both the Internet connection and the ERP server were upgraded to solve the issue.

Ntop can be used effectively in other situations too:

  • Detecting Trojan horses, by watching for traffic on the ports such malware uses.
  • Detecting MAC cloning or spoofing on the network (the same IP address seen with more than one MAC address).
  • Detecting port scans targeting a particular IP address (one source touching many ports on one host).
  • Identifying unwanted protocols in use on the network.
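The two real-life cases and the four situations listed above all come down to running simple checks over the per-packet records a monitor like Ntop accumulates. As an added example, not part of the original article or of Ntop, here they are in Python over a constructed sample: twelve PCs contacting one server within a minute (the Windows update pattern), one host probing eight ports on a file server, one IP address seen with two MAC addresses, and a UDP packet to 31337, the default Back Orifice port. The record layout, the timestamps, the thresholds, the addresses and the two-entry watch list of backdoor ports are all assumptions made for the example.

```python
"""Anomaly checks over per-packet records of the kind ntop reports, on constructed sample data."""
from collections import defaultdict

# Default ports of two well-known old backdoors (constructed watch list for the example).
WATCHED_PORTS = {("udp", 31337): "Back Orifice default port", ("tcp", 12345): "NetBus default port"}


def build_sample():
    """Constructed records (timestamp_s, src_mac, src_ip, dst_ip, proto, dst_port); 46800 s = 13:00."""
    recs = []
    for i in range(12):   # twelve PCs fetching updates from one server within a minute
        recs.append((46800 + 4 * i, f"02:00:00:00:00:{i + 1:02x}", f"192.0.2.{10 + i}",
                     "198.51.100.50", "tcp", 443))
    for port in (21, 22, 23, 25, 80, 110, 139, 445):   # one host probing the file server
        recs.append((46900 + port % 7, "02:00:00:00:00:99", "192.0.2.99", "192.0.2.5", "tcp", port))
    recs += [
        (46950, "02:00:00:00:00:14", "192.0.2.30", "192.0.2.1", "udp", 53),    # host .30, usual MAC
        (46960, "02:00:00:00:00:ee", "192.0.2.30", "192.0.2.1", "udp", 53),    # same IP, another MAC
        (46970, "02:00:00:00:00:15", "192.0.2.31", "198.51.100.7", "udp", 31337),
    ]
    return recs


def fan_in(records, window=60, min_sources=10):
    """Destinations (host, port) contacted by >= min_sources distinct sources inside one window:
    the 'everyone hits the update server at 1pm' pattern."""
    sources = defaultdict(set)
    for ts, _mac, src, dst, _proto, dport in records:
        sources[(ts // window * window, dst, dport)].add(src)
    return sorted((start, dst, dport, len(s)) for (start, dst, dport), s in sources.items()
                  if len(s) >= min_sources)


def port_scans(records, min_ports=5):
    """Source/destination pairs where one source touched >= min_ports distinct ports."""
    ports = defaultdict(set)
    for _ts, _mac, src, dst, _proto, dport in records:
        ports[(src, dst)].add(dport)
    return sorted((src, dst, len(p)) for (src, dst), p in ports.items() if len(p) >= min_ports)


def mac_conflicts(records):
    """IP addresses seen with more than one source MAC: MAC cloning/spoofing or a duplicate IP."""
    macs = defaultdict(set)
    for _ts, mac, src, _dst, _proto, _dport in records:
        macs[src].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def watched_port_hits(records, watch=WATCHED_PORTS):
    """Traffic to ports on the watch list, the way the article suggests spotting Trojan horses."""
    return [(ts, src, dst, dport, watch[(proto, dport)])
            for ts, _mac, src, dst, proto, dport in records if (proto, dport) in watch]


def report(records):
    """All four checks over one set of records."""
    return {"fan_in": fan_in(records), "port_scans": port_scans(records),
            "mac_conflicts": mac_conflicts(records), "watched_ports": watched_port_hits(records)}


if __name__ == "__main__":
    for check, findings in report(build_sample()).items():
        print(f"{check}: {findings}")
```

The thresholds (ten sources per minute, five ports per pair) are starting points to tune against a baseline of the network's normal traffic, not universal constants, and the watch-list check catches only malware that still uses its default port; a backdoor on a non-default port shows up, if at all, as an unfamiliar protocol or an unexpected destination in the other reports.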

To ensure effective and efficient utilisation of network resources, it’s an excellent idea for a company to design a network security policy that requires:

  • Continuous monitoring of the company network.
  • Analysis of the generated data, for anomalies.
  • Fixing of identified problems immediately.

Ntop is definitely a handy, simple-to-use and free tool to fulfil such policy requirements! At the time of writing this article, Ntop ranks first among all network traffic monitoring tools, eighth among all packet sniffers, and 36th among all network security tools, as surveyed by sectools.org.

All published articles are released under Creative Commons Attribution-NonCommercial 3.0 Unported License, unless otherwise noted.
Open Source For You is powered by WordPress, which gladly sits on top of a CentOS-based LEMP stack.
