ntop - display top network users

       ntop  [-I] [-r refresh time] [-R filter rules] [-f traffic
       dump file] [-n] [-N] [-a] [-p] IP  protocols  to  monitor]
       [-i  interface]  [-e  num rows] [-w port] [-d] [-P dbpath]
       [-m local subnet] [-l log period] [-F flow filter  expres-
       sion] [filter expression]

       ntop  shows  the current network usage. It displays a list
       of hosts that are currently using the network and  reports
       information  concerning the (IP and non-IP) traffic gener-
       ated by each host.  ntop can be started either in a termi-
       nal  window (interactive mode) or in web mode. In the lat-
       ter case, a web browser is needed to use the program.  The
       traffic  is sorted according to the host and the protocol.
       Whenever ntop is started in web mode (-w  flag),  multiple
       remote users can access the traffic information. See below
       for more information.

        Use this option to start ntop in interactive mode.

        Specifies the filter rules  used  by  ntop  for  emitting
        alerts  and  warnings when the traffic matches the speci-
        fied rules. Shall you need further details  about  filter
        rules, please refer to ntop-rules (8) man page.

        Specifies  the  delay (in seconds) between screen updates
        (the default is 3 seconds). If the -l flag  is  used,  it
        specifies  how  often entries are logged in the log file.
        Please note that if the delay is very short (1 second for
        instance), ntop might not be able to process all the net-
        work traffic.

        Specifies the file containing  tcpdump  captured  traffic
        that will be browsed before to start sniffing.

        Forces ntop not to use nmap (if it is installed).

        This  causes ntop to show numeric IP addresses instead of
        the symbolic names. This option can useful when  the  DNS
        is not present or quite slow.  You can toggle the address
        format (numeric vs. symbolic) by pressing the n key while
        ntop is running.

        This  flag  my be useful when using ip-alias.  Instead of
        using one entry for all of the IP adresses ntop will show
        an entry for every ip used.

        It  is  used  to  specify the IP protocols that ntop will
        monitor.  The  format  is  <label>=<protocol   list>   [,
        <label>=<protocol list>], where label is used to symboli-
        cally identify the <protocol list>. The format of <proto-
        col list> is <protocol>[|<protocol>], where <protocol> is
        either a valid protocol specified  inside  the  /etc/ser-
        vices   file  or  a  numeric  port  range  (e.g.  80,  or
        6000-6500). If the  -p  flag  is  omitted  the  following
        default       value      is      used:      "FTP=ftp|ftp-
        tus,X11=6000-6010,SSH=ssh". If  the  <protocol  list>  is
        very  long  you  may store in a file (for instance proto-
        col.list) the value of the <protocol  list>  and  specify
        the  file  name  instead of the <protocol list> (in above
        example you will invoke 'ntop -p protocol.list').

        Specifies the network interface used by ntop If  multiple
        interfaces  are  used  (this feature is available only if
        ntop is compiled with thread support)  they  have  to  be
        separated with a comma. For instance -i "eth0,lo".

        Is  the  manimum number of HTML table rows that ntop will
        display. This flag makes sense in web mode only.

        Starts ntop in web  mode.  Users  can  attach  their  web
        browsers  to the specified port and browse traffic infor-
        mation remotely. Supposing to start ntop at the port 3000
        stored  in  a database file. By default user/URL adminis-
        tration are accessible uniquely by the  user  admin  with
        password  admin Passwords are stored in an encrypted form
        into the database for further security. Please note  that
        an  HTTP  server is NOT needed but it's embedded into the

        This flag (it has to be used  with  -w)  causes  ntop  to
        become  a  daemon,  i.e.  it is started in background and
        detached from the terminal.

        This allows to specify where  db-files  are  searched  or
        created  (default  "."). In addition DBPATH/html is added
        to the searchlist for the WEB-files

        This flag allows users to specify the subnets whose traf-
        fic   is   considered   local.  The  format  is  <network
        address>/<# subnet mask bits>[,<network address>/<#  sub-
        net        mask        bits>].        For        instance

        This causes ntop to periodically (specified with  the  -r
        flag)  log  network information data in the file ntop.log
        whose format is self-explanatory. This flag specifies the
        collection  time  between two consecutive log entries (in
        seconds). Please note that it is easy to use the log file
        to produce graphics (e.g. using gnuplot).

        It  is used to specify network flows similar to more pow-
        erful applications such as NeTraMet. A flow is  a  stream
        of captured packets that match a specified rule. The for-
        mat   is   <flow-label>='<matching   expression>'[,<flow-
        label>='<matching  expression>'], where the label is used
        to  symbolically  identify  the  flow  specified  by  the
        expression.  The  expression  format  is specified in the
        appendix. If an expression is specified, then the  infor-
        mation  concerning  flows  can  be accessed following the
        HTML link named 'List NetFlows'.  For instance suppose to
        define  two  flows  with  the following expression "Luca-
        Hosts='host         or         host',GatewayRoutedPkts='gateway       gate-'". All the traffic  sent/received  by  hosts
        routed  by  the gateway are added to the
        GatewayRoutedPkts flow. If the flows list  is  very  long
        you  may  store  in  a file (for instance flows.list) the
        list of flows and specify the file name  instead  of  the
        flows  list  (in  above  example you will invoke 'ntop -F

       filter expression
        ntop , similar to what  tcpdump  does,  allows  users  to
        specify  an expression that restricts the type of traffic
        handled by ntop hence  to  select  only  the  traffic  of
        interest.  For instance, suppose to be interested only in
        the traffic generated/received by the host
        ntop can then be started with the following filter: 'ntop
        src host or dst  host'.  See
        the  tcpdump  man page for further information about this

       While ntop is running interactively  (no  web  mode),  the
       information  shown can be manipulated by pressing the fol-
       lowing keys.

        This causes ntop to quit.

        This causes ntop to toggle the IP address format (numeric
        vs.  symbolic vs. MAC Address vs. Nw Board Manufacturer).

        This causes ntop to toggle the traffic format (percentage
        vs. absolute vs. throughput).

        This  causes  ntop to toggle the host list content (local
        vs. remote hosts).

        This causes ntop to toggle the host  list  content  (idle
        vs. active hosts).

        This  causes  ntop  to  sort  hosts according to the data
        received or sent.

        This causes ntop to sort traffic according to the various
        protocols being displayed in the current screen.

        This  causes  ntop  to  show further traffic information.
        Each time the space bar is pressed the  last  three  ntop
        columns  are toggled. Please note that these columns rep-
        resent either the traffic sent or received, according  to
        the the way the list is sorted (see previous command).

WEB VIEWS (Web mode)
       While  ntop  is  running  in  web mode (-w flag), multiple
       users can access the  traffic  information  using  conven-
       tional web browsers. The main HTML page, is divided is two
       frames. The left frame allows users to select the  traffic
       view  that will be displayed in the right frame. Available
       sections are: sort traffic by data sent, sort  traffic  by
       data  received,  traffic  statistics,  active  hosts list,
       remote to local (i.e. inside the subnet  defined  for  the
       network  board  from which the program is currently sniff-
       ing) IP traffic, local to  remote  IP  traffic,  local  to
       local IP traffic, list of active TCP sessions, IP protocol
       distribution statistics, IP  protocol  usage,  IP  traffic

FIELD DESCRIPTIONS (Interactive mode)
       ntop  displays  a variety of information about the network

        This line displays general information about the  network
        traffic:  the  number of packets that have been seen, the
        total traffic (IP or non IP),  the  actual  and  the  max
        observed throughput. Please note that if a filter expres-
        sion is used, these values  are  relatives  only  to  the
        traffic that satisfies the filter expression.

        This  column contains the host name in either symbolic or

        This column contains further information about  the  host
        activity  since  the  last  screen  update. The value 'B'
        (both) indicates that the host has both sent and received
        data,  'R'  (receive)  that the host has received but not
        sent data, 'S' (sent) that the  host  has  sent  but  not
        received data, 'I' (idle) that the host has been idle (no
        data sent or received).

        This column contains the traffic  received  by  the  host
        either in absolute or percentage format. If the host list
        is sorted according this field,  then  the  column  label
        becomes -Rcvd-.

        This  column contains the traffic sent by the host either
        in absolute or percentage format. If  the  host  list  is
        sorted  according  this  field,  then  the  column  label
        becomes -Sent-.

        The last three columns contain further  information  con-
        cerning  the  IP  protocols.  Data  represented  in these
        columns change according to the traffic type (either sent
        or  received).  The 'y' key allows users to interactively
        change the sort order of these columns, whereas the space
        bar toggles the protocol list.

       ntop  is based on the libpcap library that can be found at  The   Win32   version
       makes use of libpcap for Win32 that can be downloaded from

       ntop-rules(8),     top(1),      ngrep(8),      tcpdump(8).

       Please  send  bug  reports  to  the  ntop   mailing   list
       <>.    ntop's    author    is    Luca    Deri

Man(1) output converted with man2html