<html>
<title>ntop (Mis)Usage Notes</title>
<body>
<font face="Helvetica, Arial">
<center>
<h1>ntop (Mis)Usage Notes</H1>
</center>
<p>
<p>
<H2 align=left>Configuration</H2>
<br>
ntop's performance varies according to the way ntop is deployed. Below are some simple scenarios in which you can deploy your ntop instance.
<ol>
<p><li>Simple Host
<br>
This is probably the most common scenario: you install ntop on your PC that's part of a LAN you use for your daily tasks. In this case you will probably see only a portion of the traffic, so don't complain if ntop can't tell you all about your network.
<p><li>Border Gateway
<br>
In this case you'll see only the traffic from/to your LAN. As your ntop will probably need to analyze several packets, you should consider options such as -b, -n, -z in order to reduce the amount of work needed to analyze all the traffic.
<p><li>Mirror Line
<br>
In this case you will see packets that were not supposed to be received by the PC where ntop runs. Because of this, ntop (usually) cannot trust MAC addresses, only IPs. Hence do not forget to use -o, otherwise you'll see some strange traffic figures.
</ol>
<p>
Bottom line:
<ul>
<li>ntop defaults have been designed for people who run ntop on their private PC. If you want ntop to analyze a different kind of traffic you should be prepared to configure it properly.
<li>Do not expect ntop to analyze traffic you don't care about.
<li>Bear in mind that ntop needs CPU cycles for analyzing each packet. So disable all the activities you don't need. For instance, if you only need to know how traffic flows, or who's producing most of the traffic, you probably do not care about tracking TCP sessions or activating protocol decoders.
<li>Avoid enabling plugins you will never use.
</ul>
<H2 align=left>Win32</H2>
<ol>
<p><li>How to store ntop command line flags into the registry
<br>
ntop for WinNT/2K/XP is a service (under Win95/98/ME it is an application that starts in a shell). The ntop installer stores an empty set of options into the registry. Users who need to modify those options can:
<ul>
<li>Open a shell and test your options. In order to do this type "ntop /c myFlags". The "/c" flag is needed to tell ntop not to read flags from the registry but rather from the command line.
<li>When you're sure about your flags do "ntop /i myFlags". For instance "ntop /i -i 0 -P C:".
<li>Restart the ntop service from the Services control panel.
</ul>
<p> Note that "/i" has no effect on Win95/98/ME.
<p><li>How to start multiple ntop instances
<br>
Under Win95/98/ME, users can start as many ntop instances as they want by starting ntop in different shells. On WinNT/2K/XP ntop is a service, hence you can start at most one ntop instance as a service. In this case, you can start one instance as a service and then start further instances in a shell using "ntop /c myFlags".
</ol>
<!----------------!>
<H2 align=left>Proxying ntop through Apache</H2>
<p>
This Mini-HOWTO is courtesy of <A HREF=mailto:public@tobiasly.com>Toby Johnson</A>
<p>
<pre>
Proxying ntop's web interface through a secure Apache virtual host is a
convenient way to make use of any existing security measures you may already
have. In my case, I wanted to be able to access ntop from anywhere outside
my LAN, but opening another port on my server for ntop's dedicated web
server wasn't an option.

I already had a password-protected, secure web server that I use for admin
purposes -- I'll call it https://admin.tobiasly.com. I wanted ntop's web
interface to appear as a subdirectory under this host:
https://admin.tobiasly.com/ntop/ .

Here's how to configure such a setup. Change the server names and ports to
match your own. I'm assuming that you already have a working, secure Apache
virtual host (using HTTPS).

First, pick a port for ntop's HTTP server. I'll use 15123. You won't need
ntop's built-in HTTPS server, since you're proxying its content through a
pre-existing Apache HTTPS server. Configure ntop to start with the correct
HTTP port, and with HTTPS disabled. Something like "ntop -d -w 15123 -W 0".
(See the ntop man page for more startup options.)

Now, you need to tell Apache that anything under the /ntop/ URL should be
proxied to the ntop web server. In my case, the Apache server is running on
the same machine as ntop, so it's just a proxy to a different port on
localhost. In your Apache secure host configuration, add a line like this:

    ProxyPass /ntop/ http://localhost:15123/

Now, whenever Apache receives a request for something like
"https://secure.tobiasly.com/ntop/home.html", it will proxy this request to
the location "http://localhost:15123/home.html". Ntop will take it from
there, generate the web content, and pass the result back to Apache. Then
Apache passes that result back to the original client.

It's important to note that you don't need to open port 15123 to the
outside, since the connection actually goes through your existing Apache
port, and then is transparently proxied by Apache on the server itself. Of
course, you don't even have to run ntop on the same machine; as long as the
Apache server can connect to ntop's port, it'll work.

This is not the same as URL redirection. As far as your web browser knows,
everything is going through https://secure.tobiasly.com/ntop/. The Apache
server does all the proxy work behind the scenes, and simply serves up the
results to the requesting client. And since the "outward-facing" server is
Apache instead of ntop, you'll be using your existing Apache secure server
certificate, instead of ntop's ntop-cert.pem.

Everything appears to work OK at first, but we quickly run into a problem:
some of the URLs that ntop generates are absolute. For example, to draw bar
graphs, ntop's web pages will request the image "/gauge.jpg". This would
translate into "https://secure.tobiasly.com/gauge.jpg". Also, host info
pages are absolute. If I click on the host "10.1.2.3", it tries to take me
to the page "https://secure.tobiasly.com/10.1.2.3.html".

This is a big problem, because unless the URL is underneath the /ntop/
directory, Apache doesn't know that it needs to proxy the request to ntop,
and you get broken links. Luckily, Apache has the Rewrite module that lets
us fool with requested URLs. In order to get the required URLs rewritten,
add the following to your Apache secure virtual host configuration:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} tobiasly.com/ntop
    RewriteCond %{REQUEST_URI} !^/ntop
    RewriteRule ^/(.*)$ http://secure.tobiasly.com/ntop/$1 [L,P]

In English, this basically says "If I get a URL request that comes from a
page that has tobiasly.com/ntop in it, and that request doesn't begin with
/ntop, rewrite the URL to begin with http://secure.tobiasly.com/ntop/, and
pass this rewritten URL to the Proxy engine." At this point, the Proxy
engine will see that it is getting a URL that begins with /ntop/, and
correctly pass it to the ntop web server. Rewriting the request to begin
with HTTP instead of HTTPS may seem incorrect, but since that URL will be
handed directly to the Proxy engine, it can't be HTTPS or ntop's web server
will not recognize it.

Now, you should be able to simply connect to
https://secure.tobiasly.com/ntop/ , and you're ready to go!
</pre>
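<p>
Added example (not part of the HOWTO above and not ntop's own code): a small Python model of how the ProxyPass line and the Referer-based rewrite rules classify a request, run over constructed sample requests. It shows that a request whose Referer header was stripped is never rewritten, and that the unanchored Referer pattern also fires for a non-ntop page; STRICT_REFERER is an assumed, anchored variant of the condition that does not appear on the page.

```python
import re

# RewriteCond patterns are unanchored regexes applied to the header value.
PAGE_REFERER = re.compile(r"tobiasly.com/ntop")            # as written on the page
# Assumption (not on the page): an anchored, escaped variant of the same condition.
STRICT_REFERER = re.compile(r"^https://secure\.tobiasly\.com/ntop/")

RULE = re.compile(r"^/(.*)$")                               # RewriteRule pattern
RULE_TARGET = "http://secure.tobiasly.com/ntop/"            # substitution, flags [L,P]
PROXYPASS = ("/ntop/", "http://localhost:15123/")           # ProxyPass line from the page


def decide(uri, referer="", referer_cond=PAGE_REFERER):
    """Return (handler, target) for one request to the secure virtual host."""
    # RewriteCond %{HTTP_REFERER} <pattern>  and  RewriteCond %{REQUEST_URI} !^/ntop
    if referer_cond.search(referer) and not re.search(r"^/ntop", uri):
        m = RULE.match(uri)
        if m:
            return ("rewrite-proxy", RULE_TARGET + m.group(1))
    prefix, backend = PROXYPASS
    if uri.startswith(prefix):
        return ("proxypass", backend + uri[len(prefix):])
    return ("apache", None)  # handled by the virtual host itself, ntop never sees it


# Constructed sample requests: (uri, Referer header)
SAMPLES = [
    ("/ntop/home.html", ""),
    ("/gauge.jpg", "https://secure.tobiasly.com/ntop/home.html"),
    ("/gauge.jpg", ""),  # browser or privacy proxy stripped the Referer
    ("/index.html", "https://secure.tobiasly.com/ntop-howto.html"),  # not an ntop page
]

if __name__ == "__main__":
    for uri, ref in SAMPLES:
        print(f"{uri!r:20} {ref!r:48} page={decide(uri, ref)} "
              f"strict={decide(uri, ref, STRICT_REFERER)}")
```

The Referer header is supplied by the client, so these conditions only steer routing; access control still rests on the password protection of the Apache virtual host.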
<hr>
<H5>© 2002 - <a href="mailto:deri@ntop.org">Luca Deri</A></H5>
</font>
</body>
</html>