```
intop 0.0.1 (Sep 19 2000) listening on [eth0]
379 Pkts/56.2 Kb [IP 50.5 Kb/Other 5.7 Kb] Thpt: 6.1 Kbps/24.9 Kbps
Host                     Act  -Rcvd-  -Sent-   -TCP-   -UDP-  -ICMP-
sloan                     B   69.0%   16.7%  38.8 Kb       0       0
lnx1a                     B   16.7%   69.4%   9.4 Kb       0       0
rip2-routers.mcast.net    R    3.7%    0.0%        0  2.1 Kb       0
172.16.3.1                B    2.1%    6.5%        0       0       0
Cisco CDPD/VTP [MAC]      I    4.7%    0.0%        0       0       0
172.16.3.3                B    2.2%    6.1%        0       0       0
```

Interpretation of the data is straightforward. The top two lines show the program name and version, date, interface, number of packets, total traffic, and throughput. The first column lists hosts by name or IP number. The second column reflects activity since the last update: Idle, Send, Receive, or Both. The next two columns are the amount of traffic sent and received, while the remaining columns break traffic down as TCP, UDP, or ICMP traffic.

intop should be started with the -i option to specify which interface to use. For example:

```
lnx1# intop -i eth0
```

If your computer is multihomed, you can specify several interfaces on the command line, each with a separate -i. Once started, it prints an annoying 20 lines or so of general information about the program and then gives you a prompt. At this point, you can enter ? to find out what services are available:

```
intop@eth0> ?
Commands enclosed in '<>' are not yet implemented.
Commands may be abbreviated.
Commands are:
  ?          <warranty>  filter      swap        nbt
  help       <copying>   sniff       top         <dump>
  exit       history     uptime      lsdev       <last>
  quit       open        <hash>      hosts       <nslookup>
  prompt     <close>     info        arp
intop@eth0>
```

As you can see, a number of commands are planned but had not been implemented at the time this was written. Most are exactly what you would expect. You use the top command to get a display like the one just shown. The info command reports the interface and number of packets captured. With the filter command, you can set packet-capture filters. You use the same syntax as explained in Chapter 5, "Packet Capture", with tcpdump. (Filters can also be specified on the command line when intop is started.) The lsdev command lists interfaces. The swap command is used to jump between data collection on two different interfaces.

You can change how the data is displayed on the fly using your keyboard. For example, the d key allows you to toggle between showing all hosts or only active hosts. The l key toggles between showing or not showing only local hosts. The p key can be used to show or suppress showing data as percentages. The y key is used to change the sorting order among the columns. The n key is used to toggle between hostnames and IP addresses. The r key can be used to reset or zero statistics. The q key is used to stop the program.
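The top display above is easy to read by eye but awkward to keep over time. The following parser is an added example (not part of the book or of intop itself) that turns a captured display into records and ranks hosts by share of traffic sent, so a baseline can be kept and an unexpected top talker noticed. The sample display, its values, and the reading of "Kb" as 1024-byte units are constructed assumptions.

```python
import re
from collections import namedtuple

# Constructed sample of an intop "top" display (hypothetical values), laid out as
# the page describes: two summary lines, a column header, then one row per host.
SAMPLE = """\
intop 0.0.1 (Sep 19 2000) listening on [eth0]
379 Pkts/56.2 Kb [IP 50.5 Kb/Other 5.7 Kb] Thpt: 6.1 Kbps/24.9 Kbps
Host                    Act  -Rcvd-  -Sent-   -TCP-   -UDP-  -ICMP-
sloan                    B   69.0%   16.7%  38.8 Kb       0       0
lnx1a                    B   16.7%   69.4%   9.4 Kb       0       0
rip2-routers.mcast.net   R    3.7%    0.0%        0  2.1 Kb       0
172.16.3.1               B    2.1%    6.5%        0       0       0
Cisco CDPD/VTP [MAC]     I    4.7%    0.0%        0       0       0
172.16.3.3               B    2.2%    6.1%        0       0       0
"""

UNITS = {"b": 1, "kb": 1024, "mb": 1024 ** 2}  # assumption: "Kb" means 1024-byte units
SIZE = r"\d[\d.]*(?: [KM]?b)?"                   # a byte column: "0" or "38.8 Kb"
# Host names may contain spaces ("Cisco CDPD/VTP [MAC]"), so the host is matched
# lazily and the six fixed-format columns to its right anchor the parse.
ROW_RE = re.compile(rf"^(?P<host>.+?)\s+(?P<act>[ISRB])\s+(?P<rcvd>[\d.]+)%\s+"
                    rf"(?P<sent>[\d.]+)%\s+(?P<tcp>{SIZE})\s+(?P<udp>{SIZE})\s+(?P<icmp>{SIZE})\s*$")
# act is I/S/R/B (idle, send, receive, both); percentages are floats, tcp/udp/icmp are bytes
HostRow = namedtuple("HostRow", "host act rcvd_pct sent_pct tcp udp icmp")

def parse_size(text: str) -> int:
    """'38.8 Kb' -> 39731, '0' -> 0."""
    num, _, unit = text.strip().partition(" ")
    return int(float(num) * UNITS[(unit or "b").lower()])

def parse_top_display(text: str) -> tuple[dict, list[HostRow]]:
    lines = [ln for ln in text.splitlines() if ln.strip()]
    iface = re.search(r"listening on \[([^\]]+)\]", lines[0])
    stats = re.search(r"(\d+) Pkts/([\d.]+ [KM]?b)", lines[1])
    if not (iface and stats):
        raise ValueError("not an intop top display")
    summary = {"iface": iface[1], "pkts": int(stats[1]), "total_bytes": parse_size(stats[2])}
    rows = []
    for line in lines[3:]:  # skip the column-header line
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsable row: {line!r}")
        rows.append(HostRow(m["host"].strip(), m["act"], float(m["rcvd"]), float(m["sent"]),
                            parse_size(m["tcp"]), parse_size(m["udp"]), parse_size(m["icmp"])))
    return summary, rows

def top_talkers(rows: list[HostRow], n: int = 3) -> list[str]:
    """Hosts ranked by share of traffic sent: the first place to look for an unexpected source."""
    return [r.host for r in sorted(rows, key=lambda r: r.sent_pct, reverse=True)[:n]]
```

Remember the caveat that applies to any point monitor: on a switched segment these percentages describe only the traffic that actually reaches the capturing interface.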
The last menu, Admin, is used to control the operation of ntop. Switch NIC allows you to capture on a different interface, and Reset Stats zeros all cumulative statistics. Shutdown shuts down ntop. Users and URLs allow you to control access to ntop.

A number of command-line options allow you to control how ntop runs. These can be listed with the -h option. As noted previously, -w is used to change the port it listens to, and -i allows you to specify which interface to listen to. -r sets the delay between screen updates in seconds. The -n option is used to specify numeric IP addresses rather than hostnames. Consult the documentation for other options.

ntop has other features not discussed here. It can be used as a lightweight intrusion detection system. It provides basic access control and can be used with secure HTTP. It also provides facilities to log data, including logging to a SQL database.

As previously noted, the real problem with point monitoring is that it doesn't really work well with segmented or switched networks. Unless you are mirroring all traffic to your test host, many of these numbers can be meaningless. If this is the case, you'll want to collect information from a number of sources.
Copyright © 2002 O'Reilly & Associates. All rights reserved.