Tips and Tricks: Monitoring with NTOP and IFTOP

For monitoring networks I have an old GX260 Dell desktop in the small form factor. Packed into this little device are a couple of network cards, added on are a wireless NIC and an extra USB network device. The purpose? To slot this in between the router and the network and see what's going backwards and forwards - very useful in the situation where a client is hemorrhaging bandwidth and doesn't know why. I'm running Ubuntu 10.04 LTS on it and it behaves very well.

Two of the main tools I use are ntop and iftop. For those of you not familiar with them, ntop monitors a particular interface and creates some nice webpages to be checked by the user in order to see what's going on through the network. iftop is similar but real time and is available through a console - which is the real appeal for me.

The server in question has two internal NICs, both are 100MB cards and are scripted to come up as a transparent bridge - br0. Basically I monitor that bridge and use one of the other interfaces to see what the server is seeing. Here is the script I use (adapted from elsewhere) to bring the bridge up:

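#!/bin/bash
# Bring the transparent bridge br0 (eth1 + eth2) up or down.
# /bin and /usr/bin are on the PATH so that sleep (used by restart) is found.
PATH="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin";
slaveIfs="1 2 3 4 6 7 8 9 10";   # not used anywhere below
cmd="$1";
[ -z "$cmd" ] && cmd="start";
case "$cmd" in
  start)
    # Create the bridge, enable spanning tree and attach both legs.
    brctl addbr br0;
    brctl stp br0 on;
    brctl addif br0 eth1;
    brctl addif br0 eth2;
    # Drop any existing configuration, then raise both legs with no IP.
    (ifdown eth1 1>/dev/null 2>&1;);
    (ifdown eth2 1>/dev/null 2>&1;);
    ifconfig eth1 0.0.0.0 up;
    ifconfig eth2 0.0.0.0 up;
    ifconfig br0 up ### Adapt to your needs.
    ;;
  stop)
    brctl delif br0 eth1;
    brctl delif br0 eth2;
    ifconfig br0 down;
    brctl delbr br0;
    #ifup eth0; ### Adapt to your needs.
    #ifup eth1; ### Adapt to your needs.
    ;;
  restart|reload)
    # Alternatives in a case pattern are separated with |, not a comma.
    $0 stop;
    sleep 3;
    $0 start;
    ;;
esac;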

It resides in /etc/init.d and is called (imaginatively) bridge.sh and then has appropriate symlinks to rc2.d.
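
A quick way to confirm the bridge really came up with both legs attached, as an added example that is not part of the original script. It reads the kernel's sysfs entries for the bridge; the function name `check_bridge` and the `SYSROOT` override are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): confirm the bridge is wired as intended.
# SYSROOT is an assumption of this example: it defaults to the kernel's
# /sys/class/net and can point at a constructed tree for a dry run.

# check_bridge BRIDGE PORT...  -> prints one line per problem, returns 0 if none
check_bridge() {
    root="${SYSROOT:-/sys/class/net}"
    br="$1"; shift
    problems=0

    if [ ! -d "$root/$br/bridge" ]; then
        echo "$br: not a bridge device"
        return 1
    fi

    # Each expected leg must be enslaved, or traffic will not cross the box.
    for port in "$@"; do
        if [ ! -e "$root/$br/brif/$port" ]; then
            echo "$br: port $port is not attached"
            problems=$((problems + 1))
        fi
    done

    # Any extra member (for example the management NIC) would join that
    # network to the monitored segment.
    for path in "$root/$br/brif"/*; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        case " $* " in
            *" $name "*) ;;
            *) echo "$br: unexpected port $name"
               problems=$((problems + 1)) ;;
        esac
    done

    # The script runs "brctl stp br0 on"; stp_state reads 0 when STP is off.
    stp="$(cat "$root/$br/bridge/stp_state" 2>/dev/null)"
    if [ "${stp:-0}" = "0" ]; then
        echo "$br: STP is off"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}

# Usage on the monitoring box: check_bridge br0 eth1 eth2
```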

NTOP
NTOP is reasonably easy to configure on Ubuntu and is quite straightforward to get going - point your browser at http://localhost:3000, set your username/password and off you go.

A tip to remember: in /etc/default/ntop it's a good idea to uncomment GETOPT="" and change it to read (if your network was 192.168.0.0/24):

GETOPT="--local-subnet=192.168.0.0/24"

and restart NTOP. Why is this important, I hear you ask? Well, the br0 interface has no IP assigned to it, so NTOP doesn't automatically figure out what the local network is. By setting this option you get proper info on local-remote, remote-remote and local-local traffic. Then leave it to run and see what it tells you.
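
To show why the subnet setting changes what you see, here is a simplified model of that local/remote sorting, added as an example and not taken from ntop itself. The function names and the sample flows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ntop's code): sort flows into the three buckets by local subnet.

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    old_ifs="$IFS"; IFS=.
    set -- $1
    IFS="$old_ifs"
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS -> exit status 0 when IP lies inside the subnet
in_subnet() {
    bits="${2#*/}"
    mask=$(( (4294967295 << (32 - $bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $mask )) -eq $(( $(ip_to_int "${2%/*}") & $mask )) ]
}

# classify SRC DST NET/BITS -> local-local | local-remote | remote-remote
classify() {
    n=0
    in_subnet "$1" "$3" && n=$((n + 1))
    in_subnet "$2" "$3" && n=$((n + 1))
    case "$n" in
        2) echo local-local ;;
        1) echo local-remote ;;
        *) echo remote-remote ;;
    esac
}

# summarise NET/BITS < "src dst bytes" lines -> byte totals per bucket
summarise() {
    while read -r src dst bytes; do
        [ -n "$bytes" ] || continue
        echo "$(classify "$src" "$dst" "$1") $bytes"
    done | awk '{ total[$1] += $2 } END { for (k in total) print k, total[k] }' | sort
}

# Constructed sample flows: source, destination, bytes.
SAMPLE_FLOWS='192.168.0.10 192.168.0.20 1200
192.168.0.10 203.0.113.5 90000
203.0.113.5 192.168.0.33 4000
198.51.100.7 203.0.113.5 300'

printf '%s\n' "$SAMPLE_FLOWS" | summarise 192.168.0.0/24
```

Running `summarise` over the same flows with a subnet that does not match the LAN (say 10.0.0.0/8) puts every byte in remote-remote, which is the kind of misleading picture a missing or wrong subnet setting produces.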

IFTOP
Ah, iftop is such a nice little bit of software. apt-get install it, run it from the console with iftop -i br0, and it will tell you all sorts of things - data going from here to there and the level of bandwidth being used. I fancy pants it up a bit by creating a shell script and launching it from there. iftop will use .iftoprc by default and, if there isn't one, will simply launch with its own defaults. Here is the shell script I use (again I have adapted this from someone else):

#!/bin/sh

# customisable settings
LOCALNET="192.168.0.0/24"
IFACE="br0" # the bridged interface
CONF="/etc/iftoprc"

# -p promiscuous mode, -n no hostname lookups, -N no port-to-service lookups
/usr/sbin/iftop -p -n -N -i "$IFACE" -F "$LOCALNET" -c "$CONF"

where /etc/iftoprc looks like this:

dns-resolution: yes
port-resolution: yes
show-bars: yes
promiscuous: no
port-display: source-only
#hide-source: yes
#hide-destination: yes
use-bytes: yes
sort: 2s
#line-display: one-line-both
show-totals: yes

Most of these are self-explanatory and I believe you should examine them more closely if you are looking to deploy it. Suffice to say, it gives me the info I want and I'm happy with that setup. So I hope that gives you some food for thought and you can take some of this away with you when you're trying to find out what the hell is chewing up all your bandwidth and download limit!
