{"id":493,"date":"2012-10-26T15:36:55","date_gmt":"2012-10-26T19:36:55","guid":{"rendered":"https:\/\/infotechguy.net\/?p=493"},"modified":"2022-08-26T10:02:30","modified_gmt":"2022-08-26T14:02:30","slug":"network-monitoring-ntop-vs-darkstat","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=493","title":{"rendered":"Linux &#8212; nTop and darkstat Traffic Monitoring"},"content":{"rendered":"<p>Hey All, so I posted an article on setting up your own Linux based firewall using iptables, and thought it would be nice to be able to monitor the connections coming in and out of each interface on the Linux Firewall. So I installed and played with two passive Network Traffic Monitoring applications: <a title=\"http:\/\/www.ntop.org\/\" href=\"http:\/\/www.ntop.org\/\" target=\"_blank\" rel=\"noopener noreferrer\">nTop<\/a> and <a title=\"http:\/\/unix4lyfe.org\/darkstat\/\" href=\"http:\/\/unix4lyfe.org\/darkstat\/\" target=\"_blank\" rel=\"noopener noreferrer\">darkstat<\/a>.<br \/>\n<!--more--><br \/>\nAll in all they are both very good at what they do: record network traffic\/connection information and display it in a pretty graph.<\/p>\n<h3>nTop<\/h3>\n<p>nTop obtains and maintains a very large amount of data, everything from the simple IPs in a connection to an itemized list and distribution of the protocols being used by each IP. nTop comes complete with pie graphs and line charts to show the IP connection usage over time, and is very customizable. You can select a single network interface or multiple interfaces. Hooray! You may also set up a custom user table to allow restricted viewing of the information nTop collects. 
Last, nTop uses RRDTool to display the information it collects, which is great, especially if you have ever used <a title=\"http:\/\/www.cacti.net\/\" href=\"http:\/\/www.cacti.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">cacti<\/a> before.<\/p>\n<p><strong>Cool Features:<\/strong><\/p>\n<ul>\n<li>Custom Labels &#8212; Ability to create custom labels for each device seen by nTop.<\/li>\n<li>Application Protocol Dissection &#8212; nTop can decode many common protocols for each connection stream and display statistical information about them, including HTTP, HTTPS, FTP, etc.<\/li>\n<li>Trending &#8212; nTop keeps track of each network connection, reporting on when connections are initiated, how often, by whom (IP), etc.<\/li>\n<li>In-depth Detail &#8212; The in-depth detail nTop gives you is very beneficial for a complicated setup. For example, the Linux Firewall we created had 3 networks attached to 3 different interfaces on the Linux box. nTop makes it easy to summarize the traffic from all 3 legs via its (dun, dun, dun) Summary page, which displays a snapshot of recent traffic and its trends.<\/li>\n<\/ul>\n<p><strong>Not So Cool Features:<\/strong><\/p>\n<ul>\n<li>Dependencies &#8212; nTop relies heavily on other application dependencies, such as libpcap, <a href=\"http:\/\/en.wikipedia.org\/wiki\/RRDtool\" target=\"_blank\" rel=\"noopener noreferrer\">RRD<\/a>, etc., which increases its complexity.<\/li>\n<li>Incomplete documentation &#8212; it may have been just me, but when I was setting up nTop I had to search Google a lot to figure out many steps along the installation.<\/li>\n<li>Prepacked vs SVN &#8212; The prepacked .deb file Ubuntu has is an old version. SVN, obviously, is the latest and greatest; see below for an installation walk-through.<\/li>\n<li>Too much? &#8212; nTop may be too much for what you need. 
It is not a simplistic network traffic monitor, and it may be too much for those just looking to display a few things about their network traffic.<\/li>\n<\/ul>\n<p>Screens:<br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_hourly.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3560\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_hourly-300x155.png\" alt=\"\" width=\"600\" height=\"309\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_hourly-300x155.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_hourly-768x396.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_hourly.png 793w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_network_load.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3561\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_network_load-300x116.png\" alt=\"\" width=\"600\" height=\"232\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_network_load-300x116.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_network_load.png 676w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><br \/>\n<a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3563\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details-300x96.png\" alt=\"\" width=\"600\" height=\"192\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details-300x96.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details-1024x328.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details-768x246.png 768w, 
https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop-node-details.png 1280w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_protocol_distribution.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3564\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_protocol_distribution-300x231.png\" alt=\"\" width=\"600\" height=\"462\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_protocol_distribution-300x231.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/ntop_protocol_distribution.png 768w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h4>Installing nTop on Ubuntu 12.04 or Debian<\/h4>\n<ol>\n<li>Install the dependencies.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo apt-get install libpcap-dev libgdbm-dev libevent-dev librrd-dev python-dev libgeoip-dev automake libtool subversion<\/pre>\n<p>Or<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo apt-get build-dep ntop<\/pre>\n<p><strong>NOTICE:<\/strong> I am installing nTop from the latest stable source. I previously installed it from the Ubuntu package system, but that was an older version.<\/p><\/li>\n<li>Download the stable source tar.gz from ntop, <a href=\"http:\/\/sourceforge.net\/projects\/ntop\/files\/ntop\/Stable\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>. 
And decompress it.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">tar xzvf {ntopversion}.tar.gz<\/pre>\n<\/li>\n<li>Rather than running <strong>.\/configure<\/strong>, run the <strong>autogen.sh<\/strong> script instead, which will automatically create the proper makefiles.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">.\/autogen.sh<\/pre>\n<\/li>\n<li>Run make, then make install.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">make\nsudo make install<\/pre>\n<\/li>\n<li>If you try to run nTop, it will complain that it cannot find some files, for example <strong>libntopreport-5.0.1.so<\/strong>. To remedy this, copy everything relating to nTop from <strong>\/usr\/local\/lib\/<\/strong> to <strong>\/usr\/lib\/<\/strong>.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo cp \/usr\/local\/lib\/libntop* \/usr\/lib\/<\/pre>\n<p>This copies the files nTop is complaining about; you could just as well have created a symlink or something similar. (See the links <a href=\"http:\/\/listgateway.unipi.it\/pipermail\/ntop\/2010-September\/015774.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>, <a href=\"http:\/\/listgateway.unipi.it\/pipermail\/ntop\/2012-August\/016934.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>, and <a title=\"http:\/\/www.linuxforums.org\/forum\/mandriva-linux\/78112-ldd-command-how-fullfil-missing-libs.html\" href=\"http:\/\/www.linuxforums.org\/forum\/mandriva-linux\/78112-ldd-command-how-fullfil-missing-libs.html\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.)<\/p><\/li>\n<li>Create a DB folder where nTop can save its database files, and give the ntop user ownership of this directory.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">mkdir \/home\/{user}\/nTopDB\nsudo chown ntop: \/home\/{user}\/nTopDB<\/pre>\n<p><strong>NOTICE:<\/strong> This step is not necessary; I only did it so I would remember where nTop was putting all of its DB files and RRDTool files.<\/p><\/li>\n<li>Now start up nTop with the correct parameters. For this example the box has <strong>eth0, tun0, eth1, and eth2<\/strong> interfaces.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo ntop -i \"eth0,tun0,eth1,eth2\" -d -L -u ntop --skip-version-check --use-syslog=daemon -P \/home\/{user}\/nTopDB\/ --set-admin-password={your_admin_password}<\/pre>\n<ul>\n<li><strong>-i<\/strong> = interfaces to monitor<\/li>\n<li><strong>-d<\/strong> = run as a daemon<\/li>\n<li><strong>-L<\/strong> = use the syslog facility<\/li>\n<li><strong>-u<\/strong> = run as user &#8220;ntop&#8221;<\/li>\n<li><strong>--skip-version-check<\/strong> = self explanatory<\/li>\n<li><strong>--use-syslog=daemon<\/strong> = use the current syslog daemon to handle application logging<\/li>\n<li><strong>-P<\/strong> = directory where nTop stores its database and RRD files (the folder created above)<\/li>\n<li><strong>--set-admin-password<\/strong> = sets the admin web password, very important!!<\/li>\n<\/ul>\n<\/li>\n<li>I recommend taking the command from above and putting it into a shell script file or text file, so you don&#8217;t forget the parameters used when starting nTop.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">vi start_nTop.sh\n#!\/bin\/bash\nsudo ntop -i \"eth0,tun0,eth1,eth2\" -d -L -u ntop --skip-version-check --use-syslog=daemon -P \/home\/{user}\/nTopDB\/ --set-admin-password={your_admin_password}<\/pre>\n<\/li>\n<li>If all goes well you should see something like this:<br \/>\n<code> Fri Oct 26 14:20:52 2012  Initializing gdbm databases<\/code><\/li>\n<li>Check <strong>syslog<\/strong> to verify that no errors were thrown when nTop started: <strong>less \/var\/log\/syslog<\/strong>.<\/li>\n<\/ol>\n<h3>darkstat<\/h3>\n<p>I stumbled across darkstat while Googling for a &#8220;network traffic web reporter&#8221;. Sure enough darkstat does exactly that. 
darkstat gives the user a simple web-based report of the current network connections, as well as network traffic trends displayed in graphs and charts. darkstat also provides a super easy installation and setup to get you going right away. I can&#8217;t stress its easy installation enough; it was only 3 steps!<\/p>\n<p>Cool Stuff:<\/p>\n<ul>\n<li>Easy Install &#8212; Super easy install, see below, only 3 steps to get you going with monitoring network traffic.<\/li>\n<li>Moderate Detail &#8212; Provides a moderate amount of detail, which should be plenty for those looking for strictly a network connection monitor with a few graphs and charts.<\/li>\n<li>Last 60 Seconds Graph &#8212; This graph is pretty cool, especially if you have auto-refresh on. It shows real-time throughput over the last 60 seconds and is updated frequently, giving you a good idea of the current network demand.<\/li>\n<\/ul>\n<p>Not So Cool Stuff:<\/p>\n<ul>\n<li>Too Simple &#8212; May be too simple for your network monitoring needs. It only lists IP addresses and when they were last seen, and the graphs contain only rudimentary information.<\/li>\n<li>No Packet Details &#8212; Lacks the packet inspection aspect that nTop has. 
Such as protocol distribution, demand, frequency, etc.<\/li>\n<\/ul>\n<p>Screens:<\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3565\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs-300x283.png\" alt=\"\" width=\"600\" height=\"567\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs-300x283.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs-1024x967.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs-768x725.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs.png 1280w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3566\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2-300x287.png\" alt=\"\" width=\"600\" height=\"573\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2-300x287.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2-1024x978.png 1024w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2-768x734.png 768w, https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat-graphs2.png 1280w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a> <a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat_node_detail.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3567\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat_node_detail-212x300.png\" alt=\"\" width=\"600\" height=\"847\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat_node_detail-212x300.png 212w, 
https:\/\/infotechguy.net\/wp-content\/uploads\/2021\/03\/darkstat_node_detail.png 461w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<h4>Installing darkstat on Ubuntu 12.04 or Debian<\/h4>\n<ol>\n<li>Install from Ubuntu&#8217;s or Debian&#8217;s package system.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo apt-get install darkstat<\/pre>\n<\/li>\n<li>Modify the init.cfg file for this application, located at \/etc\/darkstat\/init.cfg. Add these lines, or uncomment them.\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo vi \/etc\/darkstat\/init.cfg\nSTART_DARKSTAT=yes\nINTERFACE=\"-i eth0\"\nPORT=\"-p 8081\"\nBINDIP=\"-b 192.168.0.1\"\nLOCAL=\"-l 192.168.0.0\/255.255.255.0\"\nDNS=\"--no-dns\"<\/pre>\n<p>Most of these are obvious. A few things to note: INTERFACE can only contain one interface :(. PORT defaults to 666; I changed it to 8081. BINDIP, I had to explicitly set this to the IP of the Linux box; 127.0.0.1 would not work for some reason. Keep in mind that binding to the LAN IP makes the darkstat web page reachable from any host on that network, so restrict access to that port with your firewall rules.<\/p><\/li>\n<li>Start it up:\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">sudo service darkstat start<\/pre>\n<\/li>\n<\/ol>\n<p>That&#8217;s it! I hope you found this article useful. 
I urge you to try both out yourself before committing to one or the other.<\/p>\n<p>Cheers!<\/p>\n<p><strong>Sources:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/help.ubuntu.com\/community\/Ntop\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/help.ubuntu.com\/community\/Ntop<\/a><\/li>\n<li><a href=\"http:\/\/www.ubuntugeek.com\/network-traffic-analyzers-for-ubuntu-system.html#more-100\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.ubuntugeek.com\/network-traffic-analyzers-for-ubuntu-system.html#more-100<\/a><\/li>\n<li><a href=\"http:\/\/www.debianadmin.com\/network-traffic-analyzer-for-your-ubuntu-system.html\" target=\"_blank\" rel=\"noopener noreferrer\">http:\/\/www.debianadmin.com\/network-traffic-analyzer-for-your-ubuntu-system.html<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Hey All, so I posted an article on setting up your own Linux based firewall using iptables, and thought it would be nice to be able to monitor the connections coming in and out 
of&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4240,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[86],"class_list":["post-493","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-linux","tag-linux"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/493","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=493"}],"version-history":[{"count":1,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions"}],"predecessor-version":[{"id":4181,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/493\/revisions\/4181"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4240"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=493"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=493"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=493"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}