Monday 10 March 2014

NTOP - Traffic Analysis and Flow Collection

NTOP - High-Speed Web-based Traffic Analysis and Flow Collection
The current version of ntop features both command line and web-based user interfaces, and is available on both UNIX and Win32 platforms. ntop focuses on:
  • Traffic measurement
  • Traffic monitoring
  • Network optimization and planning
  • Detection of network security violations
Traffic measurement consists of measuring the usage of relevant traffic activities. ntop tracks network usage, generating a series of statistics for each host in the local subnet and for the subnet as a whole. The needed information is collected by the host running ntop simply by observing the traffic on the network. This arrangement offloads the processing requirements from operational nodes to the ntop host. All packets in the subnet are captured and associated with a sender/receiver pair, so the traffic activities of any particular host can be tracked. The following table shows the information registered by ntop for each host connected to the (broadcast) network:

Information recorded by ntop for each host:
  • Data Sent/Received: the total traffic (volume and packets) generated or received by the host, classified according to network protocol (IP, IPX, AppleTalk, etc.) and IP protocol (FTP, HTTP, NFS, etc.)
  • Used Bandwidth: actual, average and peak bandwidth usage
  • IP Multicast: total amount of multicast traffic generated or received by the host
  • TCP Sessions History: currently active TCP sessions established/accepted by the host and associated traffic statistics
  • UDP Traffic: total amount of UDP traffic sorted by port
  • TCP/UDP Used Services: list of IP-based services (e.g. open and active ports) provided by the host, with the list of the last five hosts that used them
  • Traffic Distribution: local traffic, local to remote traffic, remote to local traffic (local hosts are attached to the broadcast network)
  • IP Traffic Distribution: UDP vs. TCP traffic, relative distribution of the IP protocols according to the host name

ntop also reports global statistics, including:
  • Traffic Distribution: local (subnet) traffic, local vs. remote (outside specified/local subnet), remote vs. local
  • Packets Distribution: total number of packets sorted by packet size, unicast vs. broadcast vs. multicast, and IP vs. non-IP traffic
  • Used Bandwidth: actual, average and peak bandwidth usage
  • Protocol Utilization and Distribution: distribution of the observed traffic according to both protocol and source/destination (local vs. remote)
  • Local Subnet Traffic Matrix: monitored traffic between each pair of hosts in the subnet
  • Network Flows: traffic statistics for user-defined flows (traffic of particular interest to the user)
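The accounting described above (every packet attributed to a sender/receiver pair, per-host counters, the local/remote distribution and the subnet traffic matrix) can be shown in a few dozen lines. The following Python is an added example written for this page, not code from ntop; it assumes a monitored subnet of 192.168.1.0/24 and uses a small constructed packet list in place of a live capture, with remote addresses taken from the RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Assumed monitored broadcast segment; hosts inside it count as "local".
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Constructed packet observations: (src_ip, dst_ip, protocol, length_in_bytes).
# Real input would come from a capture on the segment (libpcap or similar).
PACKETS = [
    ("192.168.1.10", "192.168.1.20", "HTTP", 1500),
    ("192.168.1.20", "192.168.1.10", "HTTP", 400),
    ("192.168.1.10", "203.0.113.7", "HTTP", 600),
    ("203.0.113.7", "192.168.1.10", "HTTP", 9000),
    ("192.168.1.20", "224.0.0.251", "mDNS", 120),
    ("198.51.100.5", "192.168.1.30", "SSH", 300),
    ("192.168.1.30", "198.51.100.5", "SSH", 150),
]


def is_local(ip):
    return ipaddress.ip_address(ip) in LOCAL_NET


def new_host_record():
    # Per-host counters in the spirit of ntop's host table.
    return {"sent_bytes": 0, "recv_bytes": 0, "sent_pkts": 0, "recv_pkts": 0,
            "multicast_bytes": 0, "by_proto": defaultdict(int)}


def account(packets):
    """Attribute every packet to its sender/receiver pair and accumulate
    per-host counters, the global local/remote distribution and the
    local subnet traffic matrix (bytes between each local pair)."""
    hosts = defaultdict(new_host_record)
    distribution = {"local": 0, "local_to_remote": 0,
                    "remote_to_local": 0, "multicast": 0}
    matrix = defaultdict(int)          # (local_src, local_dst) -> bytes
    for src, dst, proto, size in packets:
        sender = hosts[src]
        sender["sent_bytes"] += size
        sender["sent_pkts"] += 1
        sender["by_proto"][proto] += size
        if ipaddress.ip_address(dst).is_multicast:
            # A multicast group is not a host: charge the sender and move on.
            sender["multicast_bytes"] += size
            distribution["multicast"] += size
            continue
        receiver = hosts[dst]
        receiver["recv_bytes"] += size
        receiver["recv_pkts"] += 1
        receiver["by_proto"][proto] += size
        src_local, dst_local = is_local(src), is_local(dst)
        if src_local and dst_local:
            distribution["local"] += size
            matrix[(src, dst)] += size
        elif src_local:
            distribution["local_to_remote"] += size
        elif dst_local:
            distribution["remote_to_local"] += size
    return hosts, distribution, dict(matrix)


def top_talkers(hosts, n=3):
    """Hosts ordered by total bytes sent plus received, most active first."""
    ranked = sorted(hosts,
                    key=lambda h: hosts[h]["sent_bytes"] + hosts[h]["recv_bytes"],
                    reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    hosts, dist, matrix = account(PACKETS)
    for host in top_talkers(hosts):
        rec = hosts[host]
        print(f"{host:16} sent={rec['sent_bytes']:6} recv={rec['recv_bytes']:6} "
              f"protocols={dict(rec['by_proto'])}")
    print("distribution:", dist)
    print("local traffic matrix:", matrix)
```

Because the capture host sees every packet on the broadcast segment, the matrix and the distribution are computed without any agent on the monitored hosts, which is the offloading the text refers to; on a switched network the capture port would need to be a mirror (SPAN) port to see the same traffic.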

In addition to the information provided above, the current version allows the installation of plug-ins that provide detailed statistics about particular protocols not covered by the standard version (e.g. the NFS and NetBIOS plug-ins). ntop will also generate statistics about the host on which it is running, listing open sockets, data sent/received, and contacted peers for each process.

Traffic Monitoring is the ability to identify those situations where network traffic does not comply with specified policies or exceeds some defined thresholds. In general, network administrators specify policies that apply to the behavior of elements in the managed network. Nevertheless, it is possible that some hosts will not comply with the prescribed policies. Typical causes of misbehavior are misconfiguration of operating systems, network interfaces, software applications and the like.

ntop provides support for detecting some network configuration problems including:

  • Use of duplicate IP addresses
  • Identification of local hosts in "promiscuous mode"
  • Misconfiguration of software applications, by analyzing protocol traffic data
  • Service misuse detection: identification of hosts that do not make use of specified proxies
  • Protocol misuse: identification of hosts that use unnecessary protocols
  • Identification of subnet routers: detection of misconfigured workstations acting as routers
  • Excessive network bandwidth utilization
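Three of the checks in the list above (duplicate IP addresses, hosts bypassing a specified proxy, and excessive bandwidth use) reduce to simple rules over observed ARP and flow records, and the actual/average/peak bandwidth figures from the host table come out of the same per-second buckets. The Python below is an added example written for this page, not ntop's own detection code; it assumes a monitored subnet of 192.168.1.0/24, a proxy at 192.168.1.2 listening on port 3128, a per-host limit of 5000 bytes per second, and uses constructed ARP and flow records in place of a capture.

```python
import ipaddress
from collections import defaultdict

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumed monitored subnet
PROXY = "192.168.1.2"       # assumed: the one host allowed to reach remote web ports
WEB_PORTS = {80, 443}
BYTES_PER_SEC_LIMIT = 5000  # assumed per-host threshold for "excessive" usage

# Constructed ARP observations: (sender_ip, sender_mac). An IP announced by
# more than one MAC is a duplicate-address condition.
ARP_SEEN = [
    ("192.168.1.10", "aa:bb:cc:00:00:10"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.10", "aa:bb:cc:00:00:99"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
]

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, bytes).
# 3128 is the assumed proxy port; remote addresses are RFC 5737 ranges.
FLOWS = [
    (0, "192.168.1.10", "192.168.1.2", 3128, 800),    # web access via the proxy
    (0, "192.168.1.2", "203.0.113.7", 443, 900),      # the proxy itself going out
    (1, "192.168.1.20", "203.0.113.7", 80, 700),      # direct web access, no proxy
    (1, "192.168.1.30", "198.51.100.5", 22, 6000),    # burst above the limit
    (2, "192.168.1.30", "198.51.100.5", 22, 100),
    (2, "192.168.1.20", "192.168.1.10", 445, 50),
]


def duplicate_ips(arp_records):
    """IPs announced by more than one MAC address, with the MACs seen."""
    macs_by_ip = defaultdict(set)
    for ip, mac in arp_records:
        macs_by_ip[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1}


def proxy_bypass(flows):
    """Local hosts (other than the proxy) reaching remote web ports directly."""
    offenders = set()
    for _, src, dst, port, _ in flows:
        if (ipaddress.ip_address(src) in LOCAL_NET and src != PROXY
                and ipaddress.ip_address(dst) not in LOCAL_NET
                and port in WEB_PORTS):
            offenders.add(src)
    return sorted(offenders)


def bandwidth_profile(flows, host):
    """(total, average per second, peak per second) bytes sent by host over
    the observation window, from first to last timestamp inclusive."""
    per_sec = defaultdict(int)
    for ts, src, _, _, size in flows:
        if src == host:
            per_sec[ts] += size
    if not per_sec:
        return (0, 0.0, 0)
    window = max(t for t, *_ in flows) - min(t for t, *_ in flows) + 1
    total = sum(per_sec.values())
    return (total, total / window, max(per_sec.values()))


def bandwidth_alerts(flows, limit=BYTES_PER_SEC_LIMIT):
    """(host, second, bytes) for every second in which a sender exceeded limit."""
    per_sec = defaultdict(int)
    for ts, src, _, _, size in flows:
        per_sec[(src, ts)] += size
    return sorted((h, t, b) for (h, t), b in per_sec.items() if b > limit)


if __name__ == "__main__":
    print("duplicate IPs:", duplicate_ips(ARP_SEEN))
    print("proxy bypass:", proxy_bypass(FLOWS))
    print("192.168.1.30 bandwidth:", bandwidth_profile(FLOWS, "192.168.1.30"))
    print("bandwidth alerts:", bandwidth_alerts(FLOWS))
```

The duplicate-IP rule is the one most worth keeping per interface: two MACs for one address is a misconfiguration on a stable LAN, but it also fires legitimately after a NIC replacement or a DHCP lease change, so an operator would age old entries out rather than alert on every historical sighting.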
Network Optimization and Planning
Sub-optimal configuration of hosts might negatively affect the overall performance of a network. ntop allows the administrator to identify potential sources of unproductive bandwidth usage, particularly the use of unnecessary protocols and sub-optimal routing. Indirectly, through traffic characterization and distribution, it is possible to revise the network's policies to promote wiser bandwidth usage.


Detection of Network Security Violations
Most attacks against a network originate from within the network itself. For this reason ntop provides support for both tracking ongoing attacks and identifying potential security holes, including IP spoofing, network cards in promiscuous mode, denial of service attacks, trojan horses (that use well known ports) and portscan attacks.

When a security violation or a network misconfiguration is identified, ntop offers facilities to generate alarms for the network operator (via e-mail, SNMP traps or Short Messaging Systems) and to perform specific actions (when applicable) in order to block the attack. Since traffic information can also be stored in a database, the records can be used to understand the attack and prevent further similar occurrences.

It is important to note that ntop, as well as other monitoring tools, might pose security threats if not installed and configured properly. Free access to ntop's web interface will allow any user with web access to read all the information provided by ntop, gaining knowledge about the network that would not be disclosed otherwise.

ntop Web Interface (Global IP Protocol Distribution)

ntop interface (host information)
