ntop - display top network users
ntop [-I] [-r refresh time] [-R filter rules]
[-f traffic dump file] [-n] [-N] [-a]
[-p IP protocols to monitor] [-i interface] [-e num rows]
[-w port] [-d] [-P dbpath] [-m local subnet] [-l log period]
[-F flow filter expression] [filter expression]
ntop shows the current network usage. It displays a list
of hosts that are currently using the network and reports
information concerning the (IP and non-IP) traffic
generated by each host. ntop can be started either in a
terminal window (interactive mode) or in web mode. In the
latter case, a web browser is needed to use the program. The
traffic is sorted according to the host and the protocol.
Whenever ntop is started in web mode (-w flag), multiple
remote users can access the traffic information. See below
for more information.
Use this option to start ntop in interactive mode.
Specifies the filter rules used by ntop for emitting
alerts and warnings when the traffic matches the
specified rules. Should you need further details about
filter rules, please refer to the ntop-rules(8) man page.
Specifies the delay (in seconds) between screen updates
(the default is 3 seconds). If the -l flag is used, it
specifies how often entries are logged in the log file.
Please note that if the delay is very short (1 second for
instance), ntop might not be able to process all the net-
Specifies the file containing traffic captured with tcpdump
that ntop will read before it starts sniffing.
Forces ntop not to use nmap (if it is installed).
This causes ntop to show numeric IP addresses instead of
the symbolic names. This option can be useful when DNS
is not present or quite slow. You can toggle the address
format (numeric vs. symbolic) by pressing the n key while
ntop is running.
This flag may be useful when using ip-alias. Instead of
using one entry for all of the IP addresses, ntop will show
an entry for every IP address used.
It is used to specify the IP protocols that ntop will
monitor. The format is <label>=<protocol list> [,
<label>=<protocol list>], where label is used to
symbolically identify the <protocol list>. The format of
<protocol list> is <protocol>[|<protocol>], where
<protocol> is either a valid protocol specified inside the
/etc/services file or a numeric port range (e.g. 80, or
6000-6500). If the -p flag is omitted the following
default value is used: "FTP=ftp|ftp-
tus,X11=6000-6010,SSH=ssh". If the <protocol list> is
very long, you may store its value in a file (for instance
protocol.list) and specify the file name instead of the
<protocol list> (in the above example you would invoke
'ntop -p protocol.list').
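The -p grammar described above, as an added Python example (not ntop's own code): it parses a specification into labelled port sets and reports which label a given port falls under. The SERVICES table is a constructed stand-in for /etc/services, and the function names and the sample specification are assumptions made for the illustration.

```python
# Added illustration of the -p specification grammar; not taken from ntop.
# SERVICES is a constructed stand-in for /etc/services so this runs offline.
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "http": 80}

def parse_protocol(token):
    """Ports for one <protocol>: a service name, a single port or a range."""
    token = token.strip()
    if token in SERVICES:          # checked first: names may contain '-'
        return {SERVICES[token]}
    low, sep, high = token.partition("-")
    if not low.isdigit() or (sep and not high.isdigit()):
        raise ValueError("unknown service or bad port range: %r" % token)
    first = int(low)
    last = int(high) if sep else first
    if not 0 < first <= last <= 65535:
        raise ValueError("port range out of bounds: %r" % token)
    return set(range(first, last + 1))

def parse_spec(spec):
    """Parse <label>=<protocol list>[,<label>=<protocol list>] to {label: ports}."""
    table = {}
    for entry in spec.split(","):
        label, sep, plist = entry.partition("=")
        label = label.strip()
        if not sep or not label:
            raise ValueError("expected <label>=<protocol list>: %r" % entry)
        if label in table:
            raise ValueError("duplicate label: %r" % label)
        ports = set()
        for proto in plist.split("|"):
            ports |= parse_protocol(proto)
        table[label] = ports
    return table

def label_for(table, port):
    """First label whose port set contains port, or None if not monitored."""
    for label, ports in table.items():
        if port in ports:
            return label
    return None

if __name__ == "__main__":
    # Constructed specification using only the syntax forms described above.
    table = parse_spec("X11=6000-6010,SSH=ssh,Files=ftp|ftp-data,WEB=80|8080")
    for port in (21, 6005, 8080, 25):
        print(port, "->", label_for(table, port))
```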
Specifies the network interface used by ntop. If multiple
interfaces are used (this feature is available only if
ntop is compiled with thread support) they have to be
separated with a comma. For instance -i "eth0,lo".
Is the maximum number of HTML table rows that ntop will
display. This flag makes sense in web mode only.
Starts ntop in web mode. Users can attach their web
browsers to the specified port and browse traffic
information remotely. Supposing to start ntop at the port 3000
stored in a database file. By default, user/URL
administration is accessible only to the user admin with
password admin. Passwords are stored in encrypted form
in the database for further security. Please note that
an HTTP server is NOT needed but it's embedded into the
This flag (it has to be used with -w) causes ntop to
become a daemon, i.e. it is started in background and
detached from the terminal.
Specifies where db-files are searched for or created
(default "."). In addition, DBPATH/html is added to the
search list for the web files.
This flag allows users to specify the subnets whose
traffic is considered local. The format is <network
address>/<# subnet mask bits>[,<network address>/<# subnet
mask bits>]. For instance
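How the -m format can be read, as an added Python example (not ntop's code, and not the example value this page originally carried): it validates a subnet list and labels a packet by direction, matching the local/remote groupings of the web views. The networks and addresses are constructed, and masking an address that has host bits set down to its network is an assumption about the intended behaviour.

```python
# Added illustration of the -m argument format; not taken from ntop.
import ipaddress


def parse_local_subnets(arg):
    """Parse <network address>/<# subnet mask bits>[,...] into IPv4 networks."""
    networks = []
    for item in arg.split(","):
        address, sep, bits = item.strip().partition("/")
        if not sep or not bits.isdigit():
            raise ValueError("expected <network address>/<mask bits>: %r" % item)
        if int(bits) > 32:
            raise ValueError("mask bits must be 0-32: %r" % item)
        # strict=False accepts an address with host bits set (10.1.2.3/8) and
        # masks it to the network; that ntop does the same is an assumption.
        networks.append(
            ipaddress.IPv4Network("%s/%s" % (address, bits), strict=False))
    return networks


def is_local(networks, host):
    """True when host lies inside any subnet declared local."""
    ip = ipaddress.IPv4Address(host)
    return any(ip in net for net in networks)


def direction(networks, src, dst):
    """Label a packet as 'local to remote', 'remote to local', and so on."""
    s = "local" if is_local(networks, src) else "remote"
    d = "local" if is_local(networks, dst) else "remote"
    return "%s to %s" % (s, d)


if __name__ == "__main__":
    # Constructed subnets and addresses (documentation/private ranges).
    nets = parse_local_subnets("192.168.22.0/24,10.1.2.3/8")
    print([str(n) for n in nets])
    print(direction(nets, "192.168.22.7", "203.0.113.9"))
    print(direction(nets, "10.200.0.1", "192.168.22.9"))
```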
This causes ntop to periodically (specified with the -r
flag) log network information data in the file ntop.log
whose format is self-explanatory. This flag specifies the
collection time between two consecutive log entries (in
seconds). Please note that it is easy to use the log file
to produce graphics (e.g. using gnuplot).
It is used to specify network flows similar to more
powerful applications such as NeTraMet. A flow is a stream
of captured packets that match a specified rule. The
format is <flow-label>='<matching expression>'
[,<flow-label>='<matching expression>'], where the label is
used to symbolically identify the flow specified by the
expression. The expression format is specified in the
appendix. If an expression is specified, then the
information concerning flows can be accessed following the
HTML link named 'List NetFlows'. For instance suppose to
define two flows with the following expression "Luca-
Hosts='host jake.unipi.it or host
way.unipi.it'". All the traffic sent/received by hosts
routed by the gateway gateway.unipi.it is added to the
GatewayRoutedPkts flow. If the flows list is very long,
you may store the list of flows in a file (for instance
flows.list) and specify the file name instead of the
flows list (in the above example you would invoke 'ntop -F
ntop, similar to what tcpdump does, allows users to
specify an expression that restricts the type of traffic
handled by ntop, so that only the traffic of interest is
selected. For instance, suppose you are interested only in
the traffic generated/received by the host jake.unipi.it.
ntop can then be started with the following filter: 'ntop
src host jake.unipi.it or dst host jake.unipi.it'. See
the tcpdump man page for further information about this
While ntop is running interactively (no web mode), the
information shown can be manipulated by pressing the fol-
This causes ntop to quit.
This causes ntop to toggle the IP address format (numeric
vs. symbolic vs. MAC Address vs. Nw Board Manufacturer).
This causes ntop to toggle the traffic format (percentage
vs. absolute vs. throughput).
This causes ntop to toggle the host list content (local
vs. remote hosts).
This causes ntop to toggle the host list content (idle
vs. active hosts).
This causes ntop to sort hosts according to the data
received or sent.
This causes ntop to sort traffic according to the various
protocols being displayed in the current screen.
This causes ntop to show further traffic information.
Each time the space bar is pressed the last three ntop
columns are toggled. Please note that these columns
represent either the traffic sent or received, according to
the way the list is sorted (see previous command).
WEB VIEWS (Web mode)
While ntop is running in web mode (-w flag), multiple
users can access the traffic information using
conventional web browsers. The main HTML page is divided
into two frames. The left frame allows users to select the
traffic view that will be displayed in the right frame.
Available sections are: sort traffic by data sent, sort
traffic by data received, traffic statistics, active hosts
list, remote to local (i.e. inside the subnet defined for
the network board from which the program is currently
sniffing) IP traffic, local to remote IP traffic, local to
local IP traffic, list of active TCP sessions, IP protocol
distribution statistics, IP protocol usage, IP traffic
FIELD DESCRIPTIONS (Interactive mode)
ntop displays a variety of information about the network
This line displays general information about the network
traffic: the number of packets that have been seen, the
total traffic (IP or non IP), the actual and the max
observed throughput. Please note that if a filter
expression is used, these values relate only to the
traffic that satisfies the filter expression.
This column contains the host name in either symbolic or
This column contains further information about the host
activity since the last screen update. The value 'B'
(both) indicates that the host has both sent and received
data, 'R' (receive) that the host has received but not
sent data, 'S' (sent) that the host has sent but not
received data, 'I' (idle) that the host has been idle (no
data sent or received).
This column contains the traffic received by the host
either in absolute or percentage format. If the host list
is sorted according to this field, then the column label
This column contains the traffic sent by the host either
in absolute or percentage format. If the host list is
sorted according to this field, then the column label
The last three columns contain further information
concerning the IP protocols. Data represented in these
columns changes according to the traffic type (either sent
or received). The 'y' key allows users to interactively
change the sort order of these columns, whereas the space
bar toggles the protocol list.
ntop is based on the libpcap library that can be found at
ftp://ftp.ee.lbl.gov/libpcap.tar.Z. The Win32 version
makes use of libpcap for Win32 that can be downloaded from
ntop-rules(8), top(1), ngrep(8), tcpdump(8).
Please send bug reports to the ntop mailing list
<email@example.com>. ntop's author is Luca Deri