Measure Network Performance: iperf and ntop - Page 2
February 06, 2007
ntop For Colorful Network Monitoring
ntop is a wonderful hybrid packet analyzer that generates nice clickable HTML reports that show you what's happening on your network. It slices and dices network traffic all kinds of ways: by protocol, host, local or remote network, network load, network flow, what Web sites your users are visiting, how much traffic is coming from or going to remote sites, and loads more. It supports virtually all network protocols over both IP networks and Fibre Channel. ntop runs on any operating system that you can successfully compile it on: Linux, Unix, and Win32. Binary packages are available for Debian, Fedora, and Windows.
You'll need some sort of HTTP server running to get the pretty Web graphs: Apache, Lighttpd, Thttpd, whatever you like. ntop is in Ubuntu's Universe repository and Debian main. Fedora users can fetch it from RPMForge or Dag Wieers' Fedora repository.
There are two ways to run ntop: to monitor traffic on any network host, such as your workstation or a server, or to capture all LAN traffic. If you're still in the 20th century and using a hub, you can run ntop anywhere on your LAN and capture everything.
Installation varies by Linux distribution. On Debian it's easy. Install it, then run the ntop command to create an
# apt-get install ntop
# ntop
Open a second terminal, since ntop is now running in the foreground, and restart it:
/etc/init.d/ntop restart
Now open a Web browser to http://localhost:3000, and there you are. If your ntop installation is on a headless box like a router, then use the IP address or hostname of the router on a neighboring PC, like http://router1:3000. The ntop Web pages will automatically update themselves.
You can configure ntop and see its current configuration from the Web interface. Go to the Admin -> Configure tab to see the configuration panel, and log in with the admin user, using the password you created. About -> Show Configurations shows every detail of your current configuration, including build options.
Give ntop a few minutes to capture some data, then cruise the pages. You might find some surprises, like I did on IP -> Local Ports -> Used, which showed that POP3/110 was in use. This meant I had at least one email account that was operating in the clear, instead of over port 995, which is for encrypted mail transfer.
Summary -> Hosts can turn up some fascinating Web activity. Like a lot of traffic from www.google-analytics.com. The URL itself generates a 404 page; why on Earth is Google Analytics showing up so much when I haven't visited Google.com? So I googled on google-analytics, and found www.Google.com/analytics. Didn't learn much, other than it's yet another data-collection tool.
Auditmypc.com is another chronic offender revealed by ntop. Why are these people pestering me? Is someone using it to probe my firewall?
ntop gives enough information to write some iptables rules to block this stuff, if I feel like it. It reports the originating domain, the MAC address, IP address, and has a handy WHOIS button.
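One way to turn addresses picked out of ntop's host reports into reviewable rules, as an added example that is not part of the original article: the script validates each entry and prints the iptables commands instead of running them, plus a LOG rule for outbound POP3 on port 110. The chain name NTOP_BLOCK, the log prefixes and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the article: print (do not run) iptables commands
# for a reviewed list of addresses, so the rules can be read before applying.
CHAIN="NTOP_BLOCK"   # hypothetical chain name

# Succeed only for a dotted-quad IPv4 address: four octets, each 0-255,
# no leading zeros (some parsers read "010" as octal).
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# Read one address per line on stdin ("#" starts a comment) and print rules
# that log and then drop inbound packets from each valid address.
gen_rules() {
    echo "iptables -N $CHAIN"
    while IFS= read -r line || [ -n "$line" ]; do
        addr=$(printf '%s' "${line%%#*}" | tr -d ' \t\r')
        [ -n "$addr" ] || continue
        if valid_ipv4 "$addr"; then
            echo "iptables -A $CHAIN -s $addr -j LOG --log-prefix \"ntop-block: \""
            echo "iptables -A $CHAIN -s $addr -j DROP"
        else
            echo "skipped invalid entry: $addr" >&2
        fi
    done
    echo "iptables -I INPUT -j $CHAIN"
    # Log outbound cleartext POP3 so the client still using port 110 shows up.
    echo "iptables -A OUTPUT -p tcp --dport 110 -j LOG --log-prefix \"cleartext-pop3: \""
}

# Constructed sample list; the addresses are documentation ranges (RFC 5737).
gen_rules <<'EOF'
192.0.2.10      # hypothetical host seen under Summary -> Hosts
198.51.100.7
203.0.113.300   # typo: octet out of range, must be rejected
EOF
```

Rejected entries are reported on stderr, so redirecting stdout to a file leaves only the commands to review and run as root.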
Visit ntop.org for documentation, and check out man ntop for a lot of good help.
The next time you're feeling like your network performance is too slow, don't blame your users. Look outward: you might be surprised at who is clogging your bandwidth with useless traffic.