NTOP - High-Speed Web-based Traffic Analysis and Flow Collection
The current version of ntop features both command line and web-based user interfaces, and is available on both UNIX and Win32 platforms. ntop focuses on:
- Traffic measurement
- Traffic monitoring
- Network optimization and planning
- Detection of network security violations
Traffic measurement consists of measuring the usage of relevant traffic activities. ntop tracks network usage, generating a series of statistics for each host in the local subnet and for the subnet as a whole. The needed information is collected by the host running ntop simply by observing the traffic on the network. This arrangement offloads the processing requirements from operational nodes to the ntop host. All packets in the subnet are captured and associated with a sender/receiver pair. In this way, it is possible to track all traffic activities of a particular host. The following table shows the information registered by ntop for each host connected to the (broadcast) network:
Information recorded by ntop for each host

Data Sent/Received | The total traffic (volume and packets) generated or received by the host, classified according to network protocol (IP, IPX, AppleTalk, etc.) and IP protocol (FTP, HTTP, NFS, etc.)
Used Bandwidth | Actual, average and peak bandwidth usage
IP Multicast | Total amount of multicast traffic generated or received by the host
TCP Sessions History | Currently active TCP sessions established/accepted by the host and associated traffic statistics
UDP Traffic | Total amount of UDP traffic sorted by port
TCP/UDP Used Services | List of IP-based services (e.g. open and active ports) provided by the host, with the list of the last five hosts that used them
Traffic Distribution | Local traffic, local to remote traffic, remote to local traffic (local hosts are attached to the broadcast network)
IP Traffic Distribution | UDP vs. TCP traffic, relative distribution of the IP protocols according to the host name
ntop also reports global statistics, including:

Traffic Distribution | Local (subnet) traffic, local vs. remote (outside the specified/local subnet), remote vs. local
Packets Distribution | Total number of packets sorted by packet size, unicast vs. broadcast vs. multicast, and IP vs. non-IP traffic
Used Bandwidth | Actual, average and peak bandwidth usage
Protocol Utilization and Distribution | Distribution of the observed traffic according to both protocol and source/destination (local vs. remote)
Local Subnet Traffic Matrix | Monitored traffic between each pair of hosts in the subnet
Network Flows | Traffic statistics for user-defined flows (traffic of particular interest to the user)
In addition to the information provided above, the current version allows the installation of plug-ins that provide detailed statistics about particular protocols not covered by the standard version (e.g. the NFS and NetBIOS plug-ins). ntop will also generate statistics about the host on which it is running, listing open sockets, data sent/received, and contacted peers for each process.
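The per-host accounting described above (sender/receiver pairs, per-protocol volumes, multicast, the local-vs-remote split, the subnet traffic matrix and average/peak bandwidth) is easy to see in miniature. The following is an added example, not ntop's own code: it assumes a local subnet of 192.168.1.0/24 and a handful of constructed packet summaries in place of the packets ntop captures from the network, and it computes the same kind of figures the tables list.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Local (broadcast) subnet the ntop host is assumed to observe; constructed for this example.
LOCAL_NET = ip_network("192.168.1.0/24")

# Constructed packet summaries: (timestamp in seconds, src IP, dst IP, IP-level protocol, bytes).
# ntop obtains these from the capture library; they are embedded here so the example runs offline.
SAMPLE_PACKETS = [
    (0.0, "192.168.1.10", "192.168.1.20", "HTTP", 1500),
    (0.2, "192.168.1.20", "192.168.1.10", "HTTP", 400),
    (0.5, "192.168.1.10", "203.0.113.5", "HTTP", 800),      # local host talking to the outside
    (0.8, "203.0.113.5", "192.168.1.10", "HTTP", 12000),    # reply from outside
    (1.1, "192.168.1.30", "192.168.1.10", "NFS", 9000),
    (1.4, "192.168.1.10", "224.0.0.251", "OTHER", 200),     # multicast
    (2.0, "192.168.1.10", "192.168.1.20", "FTP", 3000),
]


@dataclass
class HostStats:
    """Per-host counters in the spirit of ntop's host table."""
    sent_bytes: int = 0
    recv_bytes: int = 0
    sent_pkts: int = 0
    recv_pkts: int = 0
    sent_by_proto: dict = field(default_factory=lambda: defaultdict(int))
    recv_by_proto: dict = field(default_factory=lambda: defaultdict(int))
    multicast_sent: int = 0
    peers: set = field(default_factory=set)


def account(packets, local_net=LOCAL_NET):
    """Associate every packet with its sender/receiver pair and update both hosts' counters.

    Returns (hosts, matrix, distribution, per_second):
      hosts        -- ip -> HostStats
      matrix       -- (src, dst) -> bytes, local-to-local traffic only (the subnet traffic matrix)
      distribution -- bytes split into local / local_to_remote / remote_to_local / multicast
      per_second   -- int(timestamp) -> bytes, used for the bandwidth figures
    """
    hosts = defaultdict(HostStats)
    matrix = defaultdict(int)
    distribution = {"local": 0, "local_to_remote": 0, "remote_to_local": 0, "multicast": 0}
    per_second = defaultdict(int)
    for ts, src, dst, proto, size in packets:
        s, d = hosts[src], hosts[dst]
        s.sent_bytes += size
        s.sent_pkts += 1
        s.sent_by_proto[proto] += size
        s.peers.add(dst)
        d.recv_bytes += size
        d.recv_pkts += 1
        d.recv_by_proto[proto] += size
        d.peers.add(src)
        per_second[int(ts)] += size

        src_local = ip_address(src) in local_net
        dst_local = ip_address(dst) in local_net
        if ip_address(dst).is_multicast:
            s.multicast_sent += size
            distribution["multicast"] += size
        elif src_local and dst_local:
            distribution["local"] += size
            matrix[(src, dst)] += size
        elif src_local:
            distribution["local_to_remote"] += size
        elif dst_local:
            distribution["remote_to_local"] += size
    return hosts, matrix, distribution, per_second


def bandwidth_summary(per_second):
    """Average and peak usage in bytes per second over the observed span of whole seconds."""
    if not per_second:
        return 0.0, 0
    span = max(per_second) - min(per_second) + 1
    total = sum(per_second.values())
    return total / span, max(per_second.values())


if __name__ == "__main__":
    hosts, matrix, dist, per_sec = account(SAMPLE_PACKETS)
    for ip, st in sorted(hosts.items()):
        print(f"{ip:16} sent={st.sent_bytes:6} recv={st.recv_bytes:6} "
              f"sent_by_proto={dict(st.sent_by_proto)} peers={len(st.peers)}")
    print("distribution:", dist)
    print("subnet matrix:", dict(matrix))
    print("avg/peak bytes/s:", bandwidth_summary(per_sec))
```

The traffic matrix is only filled for local-to-local pairs, which mirrors the "Local Subnet Traffic Matrix" entry; multicast is kept out of the local/remote split so the two distributions do not double count.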
Traffic monitoring is the ability to identify those situations where network traffic does not comply with specified policies or exceeds some defined thresholds. In general, network administrators specify policies that apply to the behavior of elements in the managed network. Nevertheless, it is possible that some hosts will not comply with the prescribed policies. Typical causes of misbehavior are misconfiguration of operating systems, network interfaces, software applications and the like.
ntop provides support for detecting some network configuration problems including:
- Use of duplicate IP addresses
- Identification of local hosts in "promiscuous mode"
- Misconfiguration of software applications, by analyzing protocol traffic data
- Service misuse detection
- Protocol misuse
- Identification of subnet routers
- Excessive network bandwidth utilization
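Three of the configuration problems in the list above can be spotted purely from passive observation, which is the approach the page attributes to ntop. The following added example (not ntop's code) shows how: duplicate IP addresses from ARP announcements in which one IP is claimed by more than one MAC, subnet routers from frames whose link-layer destination carries IP destinations outside the local subnet, and excessive bandwidth from per-second byte counts compared against an operator threshold. The subnet, ARP records, frames, usage figures and the threshold are all constructed for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")   # constructed local subnet

# Constructed ARP announcements: (timestamp, sender MAC, sender IP).
SAMPLE_ARP = [
    (0, "00:11:22:33:44:01", "192.168.1.10"),
    (1, "00:11:22:33:44:02", "192.168.1.20"),
    (2, "00:11:22:33:44:01", "192.168.1.10"),
    (3, "00:11:22:33:44:99", "192.168.1.10"),   # a second card claims .10
]

# Constructed frames: (src MAC, dst MAC, src IP, dst IP).
SAMPLE_FRAMES = [
    ("00:11:22:33:44:01", "00:11:22:33:44:fe", "192.168.1.10", "203.0.113.5"),
    ("00:11:22:33:44:02", "00:11:22:33:44:fe", "192.168.1.20", "198.51.100.7"),
    ("00:11:22:33:44:01", "00:11:22:33:44:02", "192.168.1.10", "192.168.1.20"),
]

# Constructed per-host bytes observed in consecutive one-second intervals.
SAMPLE_USAGE = {
    "192.168.1.10": [1_000, 2_000, 150_000, 1_500],
    "192.168.1.20": [500, 700, 600, 800],
}


def find_duplicate_ips(arp_records):
    """An IP announced by more than one MAC address is in use twice on the segment."""
    macs_by_ip = defaultdict(set)
    for _ts, mac, ip in arp_records:
        macs_by_ip[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def identify_routers(frames, local_net=LOCAL_NET):
    """A MAC that is the link-layer destination of frames whose IP destination lies outside
    the local subnet is forwarding traffic off the segment, i.e. acting as a router.
    Returns mac -> number of distinct remote destinations seen behind it."""
    remote_dsts = defaultdict(set)
    for _smac, dmac, _sip, dip in frames:
        if ip_address(dip) not in local_net:
            remote_dsts[dmac.lower()].add(dip)
    return {mac: len(dsts) for mac, dsts in remote_dsts.items()}


def excessive_bandwidth(usage, threshold_bytes_per_s):
    """Hosts whose peak one-second usage exceeds the operator-defined threshold."""
    return {host: max(samples) for host, samples in usage.items()
            if samples and max(samples) > threshold_bytes_per_s}


if __name__ == "__main__":
    print("duplicate IPs:", find_duplicate_ips(SAMPLE_ARP))
    print("routers:", identify_routers(SAMPLE_FRAMES))
    print("over threshold:", excessive_bandwidth(SAMPLE_USAGE, 100_000))
```

A single transient ARP mismatch can also come from a host that changed network card, so in practice a duplicate-IP finding is confirmed when both MACs keep answering over time rather than on the first conflicting announcement.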
Network Optimization and Planning
Sub-optimal configuration of hosts might negatively affect the overall performance of a network. ntop allows the administrator to identify potential sources of unproductive bandwidth usage, particularly the use of unnecessary protocols and sub-optimal routing. Indirectly, through traffic characterization and distribution, it is possible to revise the network's policies to promote wiser bandwidth usage.
Detection of Network Security Violations
In networks, most security attacks come from the network itself. For this reason ntop provides users with support for both tracking ongoing attacks and identifying potential security holes, including IP spoofing, network cards in promiscuous mode, denial of service attacks, trojan horses (that use well-known ports) and portscan attacks.
When a security violation or a network misconfiguration is identified, ntop offers facilities to generate alarms for the network operator (via e-mail, SNMP traps or Short Messaging Systems) and to perform specific actions (when applicable) in order to block the attack. As it is also possible to keep traffic information stored in a database, the records can be used to understand the attack and prevent further similar occurrences.
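The two preceding paragraphs describe detection followed by alarm delivery. As an added example (not ntop's code), the block below implements one of the listed detections, a portscan, as a rate rule over passively observed TCP connection attempts, and then hands each alarm to a set of sinks standing in for the e-mail, SNMP trap or SMS channels the page mentions. The connection records, the 10-second window and the five-port threshold are constructed for the example; the records include two non-scan cases (repeated use of one service, and five ports spread far apart in time) to show what the rule deliberately leaves alone.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    kind: str
    host: str
    detail: str


# Constructed TCP connection attempts seen on the segment: (timestamp, src IP, dst IP, dst port).
SAMPLE_SYNS = [
    # .66 touches six different ports on .10 within a few seconds
    (0.0, "192.168.1.66", "192.168.1.10", 21),
    (0.4, "192.168.1.66", "192.168.1.10", 22),
    (0.9, "192.168.1.66", "192.168.1.10", 23),
    (1.3, "192.168.1.66", "192.168.1.10", 25),
    (1.8, "192.168.1.66", "192.168.1.10", 80),
    (2.2, "192.168.1.66", "192.168.1.10", 110),
    # .20 repeatedly connects to one service: normal use, not a scan
    (0.0, "192.168.1.20", "192.168.1.10", 80),
    (5.0, "192.168.1.20", "192.168.1.10", 80),
    (9.0, "192.168.1.20", "192.168.1.10", 80),
    # .77 touches five ports but 30 s apart: below the rate this rule looks for
    (0.0, "192.168.1.77", "192.168.1.10", 21),
    (30.0, "192.168.1.77", "192.168.1.10", 22),
    (60.0, "192.168.1.77", "192.168.1.10", 23),
    (90.0, "192.168.1.77", "192.168.1.10", 25),
    (120.0, "192.168.1.77", "192.168.1.10", 80),
]


def detect_port_scans(syns, window=10.0, min_ports=5):
    """Raise one alarm per (src, dst) pair that contacts at least min_ports distinct
    destination ports within any span of `window` seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in syns:
        by_pair[(src, dst)].append((ts, port))
    alarms = []
    for (src, dst), events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # shrink the window from the left until it spans at most `window` seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                alarms.append(Alarm("portscan", src,
                                    f"{len(ports)} distinct ports on {dst} within {window:g}s"))
                break   # one alarm per pair is enough; further hits would only repeat it
    return alarms


def dispatch(alarms, sinks):
    """Hand every alarm to each configured sink. Sinks stand in for e-mail, SNMP trap
    or SMS senders and are plain callables here. Returns the number of deliveries."""
    delivered = 0
    for alarm in alarms:
        for sink in sinks:
            sink(alarm)
            delivered += 1
    return delivered


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_SYNS)
    dispatch(found, [lambda a: print(f"[{a.kind}] {a.host}: {a.detail}")])
```

The rule fires as soon as the threshold is reached, so the alarm reports five ports even though the source went on to touch a sixth; keeping the alarm record alongside the stored traffic records is what lets the operator reconstruct the full sequence afterwards, as the paragraph above describes.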
It is important to note that ntop, as well as other monitoring tools, might pose security threats if not installed and configured properly. Free access to ntop's web interface will allow any user with web access to read all the information provided by ntop, gaining knowledge about the network that would not be disclosed otherwise.
ntop Web Interface (Global IP Protocol Distribution)
ntop interface (host information)