{"id":9606,"date":"2012-08-21T00:17:00","date_gmt":"2012-08-20T23:17:00","guid":{"rendered":"http:\/\/touk.pl\/blog\/?guid=2310604ee43169aed04752982e4c3ae2"},"modified":"2022-08-02T12:51:22","modified_gmt":"2022-08-02T10:51:22","slug":"control-your-bandwidth-using-ntop","status":"publish","type":"post","link":"https:\/\/touk.pl\/blog\/2012\/08\/21\/control-your-bandwidth-using-ntop\/","title":{"rendered":"Control your bandwidth using ntop"},"content":{"rendered":"<div style=\"font-size: medium;font-weight: normal\">\n<p>I was looking for a tool that could help me check who is using my bandwidth. Here are the requirements I have for this kind of tool:<\/p>\n<ol>\n<li>local hosts bandwidth distribution &#8211; it is helpful when you are losing your bandwidth and don&#8217;t know who is abusing it in your local network<\/li>\n<li>remote hosts bandwidth distribution &#8211; it is useful when you want to have control over <i>DoS<\/i> attacks on your public homepage or when your <i>QoS<\/i> is not set up well<\/li>\n<\/ol>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h3 id=\"gargoyle\">Gargoyle<\/h3>\n<p>My first shot was to check what features my <i>TP-Link TL-WR941ND<\/i> router can give me. I installed <i>Gargoyle<\/i> (a modification of <i>OpenWRT<\/i> with some additional features) on it some time ago. 
It has some useful monitoring features:<\/p>\n<ul>\n<li><b>bandwidth distribution pie charts<\/b>, which answer my first requirement, but I can&#8217;t see there when the bandwidth was used<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/1.bp.blogspot.com\/-861dltT2k9U\/UDK6mzF-zTI\/AAAAAAAAAHg\/hK3adLnrlhU\/s1600\/bandwidth_distribution.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/1.bp.blogspot.com\/-861dltT2k9U\/UDK6mzF-zTI\/AAAAAAAAAHg\/hK3adLnrlhU\/s320\/bandwidth_distribution.png\" width=\"320\" height=\"260\" border=\"0\" \/><\/a><\/div>\n<ul>\n<li><b>connections track<\/b> &#8211; from this I can check both sides of a connection (including the remote host) and how much data was sent\/received, but it also doesn&#8217;t show this information in the time domain, and it is presented in a less friendly text form<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/1.bp.blogspot.com\/-a0AObRCVk9o\/UDK6qAJk_JI\/AAAAAAAAAHo\/qtWes0n59bY\/s1600\/connections_track.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/1.bp.blogspot.com\/-a0AObRCVk9o\/UDK6qAJk_JI\/AAAAAAAAAHo\/qtWes0n59bY\/s320\/connections_track.png\" width=\"320\" height=\"129\" border=\"0\" \/><\/a><\/div>\n<p>It was not exactly what I was looking for. Therefore I checked what can be found in <i>OPKG<\/i> (<i>OpenWRT Package Management<\/i>).<\/p>\n<\/div>\n<p><a name=\"more\"><\/a><\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h4 id=\"snmp-nagiosgraph\">SNMP + NagiosGraph<\/h4>\n<p>I tried to find out how I could link <i>Nagios<\/i> (with <i>NagiosGraph<\/i>) with my router, because I already have some experience with these tools. I found out that there is a <i>check_snmp<\/i> Nagios plugin which can do this. In <i>OPKG<\/i> there is a <i>mini-snmpd<\/i> package. 
It is a light <i>SNMP<\/i> server implementation. You can run it by logging in to your router over SSH and executing this command:<\/p>\n<\/div>\n<div style=\"font-size: medium;font-weight: normal\">After this you can check the data available from the server:<\/div>\n<div style=\"font-size: medium;font-weight: normal\">In the returned <i>MIB tree<\/i> there is some useful data such as the server&#8217;s uptime, disk space and also the interface&#8217;s bandwidth. The last one, stored in a <i>Round Robin Database<\/i> and plotted by <i>NagiosGraph<\/i>, will give graphs of bandwidth usage in the time domain. But it will not show who exactly uses the bandwidth!<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h4 id=\"other-software\">Other software<\/h4>\n<p>I continued searching the <i>OpenWRT<\/i> packages. I came across a good <i>OpenWRT<\/i> wiki page: <a href=\"http:\/\/wiki.openwrt.org\/doc\/howto\/bwmon\">http:\/\/wiki.openwrt.org\/doc\/howto\/bwmon<\/a> describing some of the available stuff.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h3 id=\"ntop\">ntop<\/h3>\n<p>Among others, it mentions ntop &#8211; an extensive application written in C with many views showing statistics of network protocol usage. Installing this application on my router with a 400MHz CPU would not be the best idea. So I tried to install it on my home server and only send data to it from the router with <i>fprobe<\/i>. At first I installed the <i>ntop<\/i> available from the <i>Ubuntu 12.04<\/i> server&#8217;s APT repository. The available version is <i>3:4.1.0+dfsg1-1<\/i>. After some simple configuration steps ntop started drawing graphs.<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">I simulated a situation where, from a remote server, I was downloading a big file from my home server. 
I was disappointed when I noticed that I couldn&#8217;t tell from the ntop graphs that this was taking place.<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h4 id=\"listening-on-interface-in-promiscuous-mode\">listening on interface in promiscuous mode<\/h4>\n<p>Some time ago, during my studies, I wrote a <i>tcpdump<\/i> log analyzer. I remembered that an interface working in <i>promiscuous mode<\/i> can collect all data about local network traffic just like the router. To enable this mode you should execute this command:<\/p>\n<\/div>\n<div style=\"font-size: medium;font-weight: normal\">Or, if you want to make this setting persistent, you should edit your <i>\/etc\/network\/interfaces<\/i> to look like this:<\/div>\n<div style=\"font-size: medium;font-weight: normal\">If the server where you want to listen for all packets is a <i>VirtualBox<\/i> vhost, you should also verify that promiscuous mode is set to &#8220;Allow all&#8221; in its network configuration, as in the screenshot below.<\/div>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/3.bp.blogspot.com\/-JCeKjX1yazU\/UDK6uHhpgwI\/AAAAAAAAAIM\/IkSl6EcZgAU\/s1600\/promisc.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/3.bp.blogspot.com\/-JCeKjX1yazU\/UDK6uHhpgwI\/AAAAAAAAAIM\/IkSl6EcZgAU\/s320\/promisc.png\" width=\"320\" height=\"259\" border=\"0\" \/><\/a><\/div>\n<div style=\"font-size: medium;font-weight: normal\">\n<h4 id=\"ntop-v-5-0-2\">ntop v.5.0.2<\/h4>\n<p>After these settings we can run <i>ntop<\/i> on any server in our local network. I gave a try to a development version, which you can download from the ntop homepage: <a href=\"http:\/\/www.ntop.org\/get-started\/download\/\">http:\/\/www.ntop.org\/get-started\/download\/<\/a>. The configure script led me through the necessary packages that you must install before compilation. After this I ran make and sudo make install. 
To manage ntop using init scripts I used the existing \/etc\/init.d\/ntop script and just edited the line with the <i>DAEMON<\/i> value &#8211; setting it to <i>\/usr\/local\/bin\/ntop<\/i>. I also removed the <span style=\"font-family: 'Courier New', Courier, monospace\">-n 0<\/span> switch from <i>\/etc\/default\/ntop<\/i> because I hope that the bug with DNS resolution is already fixed (there is a little note in the config about it).<\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<p>I started the daemon with <span style=\"font-family: 'Courier New', Courier, monospace\">service ntop start<\/span>. In <i>syslog<\/i> there was nothing alarming &#8211; <i>ntop<\/i> started collecting traffic statistics. After logging in I checked the available features.<\/p>\n<ul>\n<li><b>Network load<\/b> &#8211; this page shows the whole load in our network over four time intervals: 10 mins, last hour, last day, last month<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/2.bp.blogspot.com\/-oUTz58Holr0\/UDK6rSz-1MI\/AAAAAAAAAH0\/M2r9LPqHBoE\/s1600\/ntop_network_load.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/2.bp.blogspot.com\/-oUTz58Holr0\/UDK6rSz-1MI\/AAAAAAAAAH0\/M2r9LPqHBoE\/s640\/ntop_network_load.png\" width=\"640\" height=\"200\" border=\"0\" \/><\/a><\/div>\n<ul>\n<li><b>Top talkers<\/b> &#8211; with intervals similar to network load, shows how hosts were using bandwidth in the past<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/3.bp.blogspot.com\/-zCyP6XcOzO0\/UDK6tMB9hdI\/AAAAAAAAAII\/sveYOsssddo\/s1600\/ntop_top_talkers.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/3.bp.blogspot.com\/-zCyP6XcOzO0\/UDK6tMB9hdI\/AAAAAAAAAII\/sveYOsssddo\/s400\/ntop_top_talkers.png\" width=\"400\" height=\"206\" border=\"0\" \/><\/a><\/div>\n<ul>\n<li><b>Traffic 
maps: Region map &amp; hosts map<\/b> &#8211; ntop is connected to Google Maps and shows where the hosts that we are talking to are located<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/4.bp.blogspot.com\/-WWVJANaS-GE\/UDK6saTD1DI\/AAAAAAAAAH8\/2pI8enPi2-U\/s1600\/ntop_regions.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/4.bp.blogspot.com\/-WWVJANaS-GE\/UDK6saTD1DI\/AAAAAAAAAH8\/2pI8enPi2-U\/s320\/ntop_regions.png\" width=\"320\" height=\"176\" border=\"0\" \/><\/a><\/div>\n<ul>\n<li><b>Activity<\/b>: how the activity of hosts changes in every hour<\/li>\n<\/ul>\n<div class=\"separator\" style=\"clear: both;text-align: center\"><a style=\"margin-left: 1em;margin-right: 1em\" href=\"http:\/\/1.bp.blogspot.com\/-4OBQRng69DQ\/UDK6q1WDiUI\/AAAAAAAAAHs\/0BKpjbc82kA\/s1600\/ntop_activity.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/1.bp.blogspot.com\/-4OBQRng69DQ\/UDK6q1WDiUI\/AAAAAAAAAHs\/0BKpjbc82kA\/s320\/ntop_activity.png\" width=\"320\" height=\"163\" border=\"0\" \/><\/a><\/div>\n<ul>\n<li>And others &#8211; there are other useful things such as <b>Protocol statistics<\/b>, <b>Map of connections between hosts<\/b> generated in dot and many more<\/li>\n<\/ul>\n<div>After some tests I noticed that I now have full control over how my network is used (I also found out that I have a scheduled script that sends unnecessary MBs of data every minute ;-)).<\/div>\n<\/div>\n<p>&nbsp;<\/p>\n<div style=\"font-size: medium;font-weight: normal\">\n<h4 id=\"little-fix\">little fix<\/h4>\n<p>These tests helped me find out that there is a little bug in the page showing the top talkers of an hour. 
I submitted a patch fixing it to <i>ntop&#8217;s<\/i> request tracker, if you are interested: <a href=\"http:\/\/sourceforge.net\/tracker\/?func=detail&amp;aid=3559097&amp;group_id=17233&amp;atid=367233\">http:\/\/sourceforge.net\/tracker\/?func=detail&amp;aid=3559097&amp;group_id=17233&amp;atid=367233<\/a>. This is a patch to r5644.<\/p>\n<\/div>\n<div style=\"font-size: medium;font-weight: normal\">\n<h3 id=\"on-the-end\">In the end<\/h3>\n<p>My adventure with traffic monitoring tools ended with <i>ntop<\/i>. It is a great tool which fits my needs. Now I know who consumes my resources and can set <i>QoS<\/i> rules which make my internet connection more responsive.<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"I was looking for a tool that could help me check who is using my bandwidth. Here are the requirements I have for this kind of tool: local hosts bandwidth distribution &#8211; it is helpful when you are losing your bandwidth and don&#8217;t know who is abusing it in &#8230;\n","protected":false},"author":28,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[368],"class_list":{"0":"post-9606","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-development-design","7":"tag-openwrt"},"_links":{"self":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/9606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/users\/28"}],"replies":[{"embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/comments?post=9606"}],"version-history":[{"count":10,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/posts\/9606\/revisions"}],"predecessor-version":[{"id":14829,"href":"https:\/\/touk.pl\/blog\/wp-json
\/wp\/v2\/posts\/9606\/revisions\/14829"}],"wp:attachment":[{"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/media?parent=9606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/categories?post=9606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/touk.pl\/blog\/wp-json\/wp\/v2\/tags?post=9606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}