NTOPNG(8)		    System Manager's Manual		     NTOPNG(8)

NAME
       ntopng -	display	top network users

SYNOPSIS
       ntopng [filename]

       or

       ntopng [-i <interface|pcap>] [-d <data_directory>]
       [-t <install_directory>] [-n <mode>] [-e] [-1 <path>] [-2 <path>]
       [-3 <path>] [-w <[:]http_port>] [-W <[:]https_port>]
       [-m <local_subnets>] [-u|--no-promisc] [-p <protocols>] [-P] [-q]
       [-r <redis_host[:port][@db-id]>] [-g <cpu_core_ids>] [-s]
       [-U <sys_user>] [-l<mode>] [-X <maxnumflows>] [-B <filter>] [-k <key>]
       [-A <mode>] [-x <max_num_hosts>] [-F <mode><dump-flows>]
       [-D <dump-hosts>] [-I <export-flows>] [-O <communities-list>]
       [-E <sticky-hosts>] [-t <dir>] [-T <enable-taps>] [-H]
       [--hw-timestamp-mode <mode>] [-N <name>] [-Z <prefix>]
       [--shutdown-when-done] [--zmq-encrypt-pwd <password>]
       [--capture-direction] [--online-license-check]
       [--print-ndpi-protocols] [-v <level>] [-V] [-h]

DESCRIPTION
       ntopng  shows  the  current  network usage. It displays a list of hosts
       that are	currently using	the network and	reports	information concerning
       the (IP and non-IP)  traffic  generated	and  received  by  each	 host.
       ntopng may operate as a front-end collector or as a stand-alone
       collector/display program.  A web browser is needed to access the
       information captured by the ntopng program.

       ntopng is a hybrid layer 2 / layer 3 network monitor. By default it
       uses the layer 2 Media Access Control (MAC) addresses AND the layer 3
       TCP/IP addresses.  ntopng is capable of associating the two, so that IP
       and non-IP traffic (e.g. ARP, RARP) are combined for a complete picture
       of network activity.

OPTIONS
       filename
	The text of filename is copied -- ignoring line breaks and comment
	lines (anything following a #) -- into the command line.  ntopng
	behaves as if all of the text had simply been typed directly on the
	command line.  For example, if the command line is "ntopng s.conf" and
	file s.conf contains just the line '-s', then the effective command
	line is "ntopng -s".  If you use a configuration file, any options
	that follow it on the command line are ignored.  Example: in "ntopng
	/etc/ntopng/ntopng.conf -v" the -v option is ignored.

	The configuration file is similar to the command line, with the
	exception that an equal sign '=' must be used between key and value.
	Example: -i=p1p2 or --interface=p1p2.  For options with no value (e.g.
	-v) the equal sign is also necessary.  Example: "-v=" must be used.

	Remember, most ntopng options are "sticky", that is, they just set an
	internal flag.  Invoking them multiple times doesn't change ntopng's
	behavior.  However, options that set a value, such as --trace-level,
	will use the LAST value given: -w 8000 -w 8080 will run as -w 8080.

       -n|--dns-mode <mode>
	Sets the DNS address resolution	mode:
	0 -- Decode DNS	responses and resolve only local (-m) numeric IPs
	1 -- Decode DNS	responses and resolve all numeric IPs
	2 -- Decode DNS	responses and don't resolve numeric IPs
	3 -- Don't decode DNS responses	and don't resolve numeric IPs

       -i|--interface <interface|pcap>
	Specifies the network interface or collector endpoint to be used by
	ntopng for network monitoring.  On Unix you can specify either the
	interface name (e.g. lo) or the numeric interface id as shown by
	ntopng -h.  On Windows you must use the interface number instead.
	Note that you can specify -i multiple times in order to instruct
	ntopng to create multiple interfaces.  If you want to pipe data from
	stdin use - (dash) as device name.  Example: "cat ~/traffic.pcap |
	./ntopng -i -".

	The -i option can also be used to specify a unified view of multiple
	interfaces, provided they are given in a comma-separated list with the
	"view:" prefix (e.g. -i view:eth0,eth1).  This is just a logical view
	of multiple physical interfaces.

	If a collector endpoint is specified, ntopng opens a ZeroMQ connection
	to the specified endpoint as a subscriber whose format is <ZMQ
	endpoint>.  In this case ntopng acts as a client that subscribes to
	the remote endpoint and fetches flows.  If you want the remote probe
	to send flows to ntopng (as in NetFlow), you need to add a 'c' at the
	end of the collector endpoint in ntopng.  Examples:
	tcp://127.0.0.1:5556c (ntopng expects to receive flows on
	127.0.0.1:5556) and tcp://127.0.0.1:5556 (ntopng connects to
	127.0.0.1:5556 to receive flows).  Note that you can specify multiple
	endpoints as a comma-separated list in order to instruct ntopng to
	aggregate them in a single interface (e.g. -i
	tcp://127.0.0.1:5556,ipc://flows.ipc).

	You can also pass the path of a pcap file (e.g. -i dummy.pcap) or the
	path of a list file that contains the path of one pcap file per line
	(e.g. -i pcap.list), and ntopng will read packets from the specified
	pcap file(s).

	nProbe	can  be	instructed to act as a publisher delivering flows to a
	ZeroMQ endpoint	using the --ZMQ	<endpoint> parameter.

	Finally, using -i dummy it is possible to create a dummy interface that
	generates a large number of flows/hosts in order to saturate ntopng
	resources.  This way ntopng can be tested for performance issues as
	well as proper handling of low-memory situations.

       -d|--data-dir <path>
	Specifies the data directory (it must be writable). Default  directory
	is /var/db/ntopng

       -t|--install-dir	<path>
	Specifies  the	installation directory.	Default	directory is retrieved
	from common install paths.

       -G|--pid-path <path>
	Specifies the path where the PID (process ID)  is  saved.  Default  is
	/var/run/ntopng.pid

       -k|--traffic-filtering <key>
	Set  the  key  used  to	 access	 httpbl	 services (default: disabled).
	Please read README.httpbl and README.flashstart	for more info.

       -e|--daemon
	This parameter causes ntop to become a daemon, i.e. a task which  runs
	in  the	 background  without connection	to a specific terminal.	To use
	ntop other than	as a casual monitoring tool, you probably will want to
	use this option.

       -1|--httpdocs-dir <path>
	Directory where	HTTP documents are placed. Default: httpdocs.

       -2|--scripts-dir	<path>
	Directory where	lua scripts reside. Default: scripts.

       -3|--callbacks-dir <path>
	Directory where	callback scripts reside. Default: scripts/callbacks.

       -w|--http-port <[:]http_port[,<alt_http_port>]>
	Sets the HTTP port of the embedded web server.  If set to 0, the HTTP
	server will be disabled.  If you prepend a : before the port (i.e. -w
	:80) ntopng will listen to the loopback address.  You can specify a
	second HTTP port so that ntopng can listen on both ports.  Example: -w
	80,3000 will start ntopng on both port 80 and 3000.  Note that for
	enabling the captive portal (not available on the community edition)
	you need to start ntopng on port 80.  NOTE: omitting the -w option
	won't disable HTTP: ntopng will fall back to the default HTTP port.

       -W|--https-port <[:]https_port>
	Sets the HTTPS port of the embedded web	server.	If not set, it will be
	set to the value of -w plus one. If you	prepend	a :  before  the  port
	(i.e. -w :80) ntopng will listen to the	loopback address.

       -m|--local-networks <local_nets>
	ntopng determines the IP addresses and netmasks for each active
	interface.  Any traffic on those networks is considered local.  This
	parameter allows the user to define additional networks and
	subnetworks whose traffic is also considered local in ntopng reports.
	All other hosts are considered remote.  If not specified the default
	is set to 192.168.1.0/24.

	Commas separate multiple network values.  Both netmask and CIDR
	notation may be used, even mixed together, for instance
	"131.114.21.0/24,10.0.0.0/255.0.0.0".

       -u|--no-promisc
	Disable	 promiscuous  mode  when capturing from	network	interfaces (by
	default	promiscuous mode is used).

       -p|--ndpi-protocols <file>.protos
	This parameter is used to specify an nDPI protocol file.  The format is
	<tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto> where <port> is a port
	number and <proto> is the name of a protocol supported by nDPI, or
	host:"<string>"@<proto> where <string> is part of a host name.  For an
	example see
	https://svn.ntop.org/svn/ntop/trunk/nDPI/example/protos.txt

       -P|--disable-host-persistency
	Disable	host persistency in the	Redis cache.

       -q|--disable-autologout
	Disable	web interface logout for inactivity.

       -l|--disable-login
	Disable user login.  Mode can be set to 0 (disable login only for
	localhost) or 1 (disable login for all hosts).  This is useful for
	debugging, for unrestricted local host access, or if you want to let
	everyone access the web GUI.  NOTE: this option lets anyone accessing
	the web interface (from localhost or from all hosts, depending on the
	parameter) be administrator of the web interface.

       -r|--redis <redis_host[:port][@db-id]>
	Specifies the redis database host, port, and a database id.  On Unix
	<redis_host> can be the redis socket file to connect to.  If a socket
	connection is made, <port> is ignored.  In case you plan to run
	multiple redis-based applications on the same redis server, you need
	to use a different database id per application.  For more information
	about redis, please refer to http://redis.io/.

       -g|--core-affinity <cpu_core_id1[,cpu_core_id2,...]>
	Bind the capture/processing threads to specific CPU cores, indicated
	in a comma-separated list.  Cores are assigned to interface processing
	loops in the order interfaces are mapped to IDs.  NOTE: ntopng
	automatically sets affinity of capture/processing threads to different
	CPU cores.

       -U|--user <user>
	Run ntopng with	the specified system user instead of 'nobody'.

       -s|--dont-change-user
	Do not change user (debug only).

       -B|--packet-filter <filter>
	Specifies   the	  packet  filter  for  the  specified  interface.  For
	pcap/PF_RING interfaces	the filter has to be specified in  BPF	format
	(Berkeley Packet Filter).

       -X|--max-num-flows <num>
	Specify	the maximum number of active flows that	ntopng will handle. If
	more flows are detected	they will be discarded.

       -x|--max-num-hosts <num>
	Specify	the maximum number of active hosts that	ntopng will handle. If
	more hosts are detected	they will be discarded.

       -F|--dump-flows <mode>
	If ntopng is compiled with sqlite support, flows can be dumped
	persistently on disk using this option.  The mode can be set to:
	es - Dump on the ntopng.es queue in Elasticsearch format so that they
	can be inserted into an ES database.  In this case the format is
	"es;<idx type>;<idx name>;<es URL>;<http auth>".  Example: -F
	"es;ntopng;ntopng-%Y.%m.%d;http://localhost:9200/_bulk;user:pwd".  The
	<idx name> accepts the strftime() format.
	mysql - Dump flows in MySQL tables.  In this case the format is
	"<host[@port]|unix socket>:<dbname>:<table>:<user>:<pw>".  Example: -F
	"mysql;localhost;ntopng;flows-%Y.%m.%d;root;".

       -D|--dump-hosts <mode>
	If ntopng is compiled with sqlite support, host contacts can be dumped
	persistently on disk using this option.  Databases are created daily
	under <data directory>/<interface>/contacts.  This option supports
	three dump modes: local (dumps only local hosts), remote (dumps only
	remote hosts), all (dumps all hosts).  If not specified, no hosts are
	dumped to disk.

       -I|--export-flows <endpoint>
	Export the expired flows on the specified endpoint.  For instance, if
	you start ntopng on host 1.2.3.4 as ntopng -I "tcp://*:3456", it
	exports flows on this endpoint so that you can create a hierarchy of
	ntopng instances.  You can achieve that by starting a collector ntopng
	as ntopng -i tcp://1.2.3.4:3456

       -O|--communities-list <filename>
	Parse  the specified file and retrieve a list of communities, that are
	a logical representation of clusters of	hosts that fall	under the same
	administrative domain. The file	must be	in the following format:
	    communityX@id1=net1,net2,net3
	    communityY@id2=net4,net5,net6
	    ...

       -E|--dump-aggregations <mode>
	If ntopng is compiled with sqlite support, host contacts can be dumped
	persistently on disk using this option.  Databases are created daily
	under <data directory>/<interface>/contacts.  This option supports
	three dump modes: local (dumps only aggregations contacted by local
	hosts), remote (dumps only aggregations contacted by remote hosts),
	all (dumps all aggregations).  If not specified, no hosts are dumped
	to disk.

       -S|--sticky-hosts <mode>
	ntopng periodically purges idle	hosts. With this option	you can	modify
	this  behaviour	 by telling ntopng not to purge	the hosts specified by
	-S. This parameter requires an argument	that can be  "all"  (Keep  all
	hosts in memory), "local" (Keep	only local hosts), "remote" (Keep only
	remote hosts), "none" (Flush hosts when	idle).

       --hw-timestamp-mode <mode>
	Enable hw timestamping/stripping. Supported TS modes are:
	ixia --	Timestamped packets by ixiacom.com hardware devices.

       -t|--install-dir	<dir>
	Force ntopng to use the HTML/lua files installed on the specified
	directory.  This option should not be used unless under testing or
	development, as packaging systems should place the files at the right
	place.

       -T|--enable-taps	<mode>
	Enable	tap  interfaces	 to dump packets on. If	not specified, traffic
	can be dumped only on disk but not sent	live to	apps.

       -N|--instance-name <name>
	Assign <name> to this ntopng instance.  This information is used to
	uniquely identify the data source, and thus it is the responsibility
	of the ntopng user to make sure that the name is unique across all the
	ntopng instances.  If this option is not set, the hostname where this
	ntopng instance is running is used as the instance name.

       -Z|--http-prefix	<prefix>
	HTTP prefix to be prepended to URLs.  This is useful when using ntopng
	behind a proxy.  E.g. if you want to make the ntopng web interface
	accessible through a proxy at a certain IP address with the /ntopng/
	base URL and you have the following lines in your proxy's
	configuration:
	    ProxyPass /ntopng/ http://192.168.0.3:3000/ntopng/
	    ProxyPassReverse /ntopng/ http://192.168.0.3:3000/ntopng/
	You must use ntopng with -Z "/ntopng"
	Do not use trailing slashes in the HTTP prefix.

       --shutdown-when-done
	Terminate ntopng when the input	pcap file is over (debug only).

       --zmq-encrypt-pwd
	This is	the password used by the symmetric  encryption	on  the	 probe
	side.  Note  that  in  case  you have multiple ZMQ endpoints, the same
	password is used for all of them.

       --capture-direction
	Specify	the packet capture direction for packet	capture	interfaces (no
	ZMQ).  Supported values	are: 0=RX+TX (default),	1=RX only, 2=TX	only

       --online-license-check
	In case the license does not match (e.g. you are running ntopng on a
	VM/container) you can use this option to check your license instead of
	using the local license file.  Using this option we make sure that
	changes in your system do not interfere with the license check
	(something that we cannot guarantee with file-based licenses).

       --print-ndpi-protocols
	Print the list of nDPI protocols supported by the ntopng instance

       -v|--verbose
	Verbose	tracing: level 2 is normal, level 6 is debugging.

       -V|--version
	Print ntopng version and quit.

       -h|--help
	Help
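
       Added example (not part of ntopng or of this manual page): a Python
       audit of a configuration file in the key=value format described under
       filename, reporting the options this page documents as relaxing access
       control (-l, -s, -q), a -w/-W port without the loopback ':' prefix, and
       tcp:// ZMQ endpoints given to -i without --zmq-encrypt-pwd.  The
       function names and the sample configuration are constructed for
       illustration.

```python
# Long option names mapped to the short form used in the checks below.
ALIASES = {"--disable-login": "-l", "--dont-change-user": "-s",
           "--disable-autologout": "-q", "--http-port": "-w",
           "--https-port": "-W", "--interface": "-i"}

def parse_conf(text):
    """Return [(option, value)]; '#' starts a comment, '=' splits key and value."""
    opts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition("=")
            opts.append((ALIASES.get(key.strip(), key.strip()), value.strip()))
    return opts

def audit(text):
    """Return findings for settings the manual describes as relaxing access."""
    opts = parse_conf(text)
    last = dict(opts)  # options that set a value use the LAST value given
    findings = []
    if "-l" in last:
        scope = "all hosts" if last["-l"] == "1" else "localhost"
        findings.append(f"-l: login disabled for {scope}; visitors act as administrator")
    if "-s" in last:
        findings.append("-s: user is not changed (debug only)")
    if "-q" in last:
        findings.append("-q: web sessions are not logged out for inactivity")
    if "-w" not in last:
        findings.append("-w: not set, HTTP stays enabled on the default port")
    for opt in ("-w", "-W"):
        value = last.get(opt, "")
        disabled = opt == "-w" and value == "0"  # -w 0 disables the HTTP server
        if value and not disabled and not value.startswith(":"):
            findings.append(f"{opt}: {value} lacks the ':' prefix that binds to loopback")
    zmq_pwd = "--zmq-encrypt-pwd" in last
    for value in (v for k, v in opts if k == "-i"):  # -i may be repeated
        for ep in value.split(","):
            if ep.startswith("tcp://") and not zmq_pwd:
                role = "listens on" if ep.endswith("c") else "connects to"
                findings.append(f"-i: {role} {ep.rstrip('c')} without --zmq-encrypt-pwd")
    return findings

# Constructed sample configuration, not a shipped default.
SAMPLE = """\
-i=tcp://127.0.0.1:5556c   # collector endpoint: ntopng receives flows here
-w=3000
-w=:3000                   # last value wins: loopback only
-l=1
-q=
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```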

WEB VIEWS
       While ntopng is running, multiple users can access the traffic
       information using their web browsers.  ntopng makes use of JavaScript
       and LESS CSS.

       We do not expect problems with any current web browser, but our ability
       to test with less common ones is very limited.  Testing has included
       Safari, Chrome, Firefox and Internet Explorer, with very limited
       testing on other current common browsers such as Opera.

NOTES
       ntopng requires a number of external tools and libraries to operate.
       Certain other tools are optional, but add to the program's
       capabilities.

       Required	libraries include:

       libpcap from http://www.tcpdump.org/, version 1.0 or newer.

       The Windows version makes use of	WinPcap	(libpcap  for  Windows)	 which
       may be downloaded from http://winpcap.polito.it/install/default.htm.

       ntopng requires a POSIX threads library.

       The rrdtool library creates 'Round-Robin databases' which are used to
       store historical data in a format that permits long duration retention
       without growing larger over time.  The rrdtool home page is
       http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

       The  LuaJIT  library is a Just-In-Time Compiler for Lua used to execute
       GUI and periodic	scripts.

       The mongoose library is used to	implement  the	HTTP  server  part  of
       ntopng.

       zeromq  is  a  socket  library supporting the publish/subscribe pattern
       used to collect flows from nProbe

       ntopng includes LuaJIT, mongoose, rrdtool and zeromq in the
       third-party/ directory.  Users of ntopng should not need to
       specifically install such libraries.

SEE ALSO
       top(1), tcpdump(8), pcap(3).

USER SUPPORT
       Please send bug reports to https://github.com/ntop/ntopng/issues.  The
       ntopng <ntop@ntop.org> mailing list is used for discussing ntopng usage
       issues.  In order to post messages on the list a (free) subscription is
       required to limit/avoid spam.  Please do NOT contact the authors
       directly unless this is a personal question.

       Commercial support is available upon request. Please see	the ntop  site
       for further info.

       Please send code	patches	via the	github pull requests mechanism.

LICENCE
       ntopng	  is	distributed    under	the    GNU    GPLv3    licence
       (http://www.gnu.org/).

			     Dev 2015 (ntopng 2.2)		     NTOPNG(8)
