2 Functions
This section presents in further detail ntop's main functions: traffic measurement, traffic monitoring, network optimization and planning, and detection of network security violations.
2.1 Traffic Measurement
Traffic measurement consists of measuring the usage of relevant traffic activities. ntop tracks network usage, generating a series of statistics for each host in the local subnet and for the subnet as a whole. The needed information is collected by the host running ntop simply by observing the traffic on the network. This arrangement off-loads the processing requirements from operational nodes to the ntop host. All packets in the subnet are captured and associated with a sender/receiver pair. In this way, it is possible to track all traffic activities of a particular host.
The following table shows the information registered by ntop for each host connected to the (broadcast) network:
Table 1 : Information recorded by ntop for each host

| Item | Description |
|---|---|
| Data Sent / Received | The total traffic (volume and packets) generated or received by the host, classified according to network protocol (IP, IPX, AppleTalk, etc.) and IP protocol (FTP, HTTP, NFS, etc.). |
| Used Bandwidth | Actual, average and peak bandwidth usage. |
| IP Multicast | Total amount of multicast traffic generated or received by the host. |
| TCP Sessions History | Currently active TCP sessions established/accepted by the host and associated traffic statistics. |
| UDP Traffic | Total amount of UDP traffic sorted by port. |
| TCP/UDP Used Services | For each protocol (e.g. HTTP), a list of the last 5 clients that interacted with the host using the protocol. |
| Traffic Distribution | Local traffic, local to remote traffic, remote to local traffic (a host is local if it belongs to either the specified network card subnet or to the subnet(s) specified in the initialization [5]). |
| IP Traffic Distribution | UDP vs. TCP traffic, relative distribution of the IP protocols according to the host name. |
ntop also reports global traffic statistics, including:
Table 2 : Global statistics recorded by ntop

| Item | Description |
|---|---|
| Traffic Distribution | Local (subnet) traffic, local vs. remote (outside specified/local subnet), remote vs. local. |
| Packets Distribution | Total number of packets sorted by packet size, unicast vs. broadcast vs. multicast and IP vs. non-IP traffic. |
| Used Bandwidth | Actual, average and peak bandwidth usage. |
| Protocol Utilization and Distribution | Distribution of the observed traffic according to both protocol and source/destination (local vs. remote). |
| Local Subnet Traffic Matrix | Monitored traffic between each pair of hosts in the subnet. |
| Network Flows | Traffic statistics for user-defined flows (traffic of particular interest to the user). |
In addition to the information provided above, the current version allows the installation of plug-ins to provide detailed statistics about particular protocols not present in the standard version. Examples of these are the NFS and NetBIOS plug-ins. ntop will also generate statistics about the host on which it is running, listing open sockets, data sent/received, and contacted peers for each process.
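The per-host accounting of Section 2.1 (data sent/received, classification by IP service, local/remote traffic distribution and the local subnet traffic matrix) can be reproduced in a few lines. The following is an added example, not ntop's own code; the local subnet, the port-to-service table and the packet records are constructed assumptions.

```python
# Added example (not ntop's code): per-host accounting in the spirit of Tables 1 and 2.
from collections import defaultdict
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local (broadcast) subnet
PORT_TO_SERVICE = {21: "FTP", 80: "HTTP", 2049: "NFS"}  # assumed well-known port table

# Constructed sample packets: (src_ip, dst_ip, transport, src_port, dst_port, bytes)
PACKETS = [
    ("192.168.1.10", "192.168.1.20", "TCP", 40000, 80, 1500),
    ("192.168.1.20", "192.168.1.10", "TCP", 80, 40000, 300),
    ("192.168.1.10", "10.0.0.5", "TCP", 40001, 21, 200),
    ("10.0.0.5", "192.168.1.10", "TCP", 21, 40001, 4000),
    ("192.168.1.30", "192.168.1.20", "UDP", 50000, 2049, 800),
]

def is_local(ip):
    """A host is local if its address falls inside the configured subnet."""
    return ipaddress.ip_address(ip) in LOCAL_NET

def classify_service(src_port, dst_port):
    """Name the IP service (FTP, HTTP, NFS, ...) from whichever side uses a well-known port."""
    return PORT_TO_SERVICE.get(dst_port) or PORT_TO_SERVICE.get(src_port) or "Other"

def account(packets):
    """Attribute every packet to its sender/receiver pair and update the counters."""
    hosts = defaultdict(lambda: {"sent": 0, "rcvd": 0, "services": defaultdict(int)})
    dist = {"local": 0, "local->remote": 0, "remote->local": 0}
    matrix = defaultdict(int)  # local subnet traffic matrix: (src, dst) -> bytes
    for src, dst, _transport, sport, dport, nbytes in packets:
        svc = classify_service(sport, dport)
        hosts[src]["sent"] += nbytes
        hosts[src]["services"][svc] += nbytes
        hosts[dst]["rcvd"] += nbytes
        hosts[dst]["services"][svc] += nbytes
        src_local, dst_local = is_local(src), is_local(dst)
        if src_local and dst_local:
            dist["local"] += nbytes
            matrix[(src, dst)] += nbytes
        elif src_local:
            dist["local->remote"] += nbytes
        elif dst_local:
            dist["remote->local"] += nbytes
    return hosts, dist, matrix
```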
2.2 Traffic Monitoring
Traffic monitoring is the ability to identify those situations where network traffic does not comply with specified policies or exceeds some defined thresholds. In general, network administrators specify policies that apply to the behaviour of elements in the managed network. Nevertheless, it is possible that some hosts will not comply with the prescribed policies. Typical causes of misbehaviour are related to misconfiguration of operating systems, network interfaces, software applications and others [6].
ntop provides support for detecting some network configuration problems including:
- Use of duplicate IP addresses.
- Identification of local hosts in "promiscuous mode".
- Misconfiguration of software applications, by analysing protocol traffic data.
- Service misuse detection: identification of hosts that do not make use of specified proxies.
- Protocol misuse: identification of hosts that use unnecessary protocols.
- Identification of subnet routers: detection of misconfigured workstations acting as routers.
- Excessive network bandwidth utilization.
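Two of the checks listed above, duplicate IP addresses and workstations acting as subnet routers, follow directly from the (source MAC, source IP) pairs seen in captured frames. The following is an added example, not ntop's own code; the subnet, the known gateway MAC and the frame observations are constructed assumptions, and the router heuristic is a simplification.

```python
# Added example (not ntop's code): duplicate-IP and "host acting as router" detection
# from observed (source MAC, source IP) pairs.
from collections import defaultdict
import ipaddress

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed local subnet
GATEWAY_MAC = "aa:aa:aa:00:00:01"                    # assumed MAC of the legitimate router

# Constructed observations: (source MAC, source IP) taken from captured frames
FRAMES = [
    ("aa:aa:aa:00:00:10", "192.168.1.10"),
    ("aa:aa:aa:00:00:20", "192.168.1.20"),
    ("aa:aa:aa:00:00:21", "192.168.1.20"),  # same IP from a second MAC: duplicate address
    ("aa:aa:aa:00:00:01", "10.0.0.5"),      # gateway forwarding remote traffic: expected
    ("aa:aa:aa:00:00:30", "192.168.1.30"),
    ("aa:aa:aa:00:00:30", "192.168.1.31"),  # one workstation MAC sourcing other hosts' IPs
    ("aa:aa:aa:00:00:30", "10.0.0.9"),      # ... and even a remote address
]

def check(frames, gateway_mac=GATEWAY_MAC):
    """Return (duplicate IPs -> MAC list, MACs that look like unexpected routers)."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for mac, ip in frames:
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    # Duplicate IP: one address claimed by more than one network card.
    duplicates = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    # Suspected router: a non-gateway MAC that sources several IPs or a remote IP.
    # (Heuristic only: NAT boxes and virtualisation hosts also trigger it and must be whitelisted.)
    routers = sorted(
        mac for mac, ips in mac_to_ips.items()
        if mac != gateway_mac
        and (len(ips) > 1 or any(ipaddress.ip_address(ip) not in LOCAL_NET for ip in ips))
    )
    return duplicates, routers
```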
2.3 Network Optimization and Planning
Sub-optimal configuration of hosts might negatively affect the overall performance of a network. ntop allows the administrator to identify potential sources of unproductive bandwidth usage, particularly the use of unnecessary protocols and sub-optimal routing. Indirectly, through traffic characterization and distribution, it is possible to revise network policies to promote wiser bandwidth usage.
2.4 Detection of Network Security Violations
In networks, most of the security attacks come from the network itself. For this reason ntop provides users with support for both tracking ongoing attacks and identifying potential security holes, including IP spoofing, network cards in promiscuous mode, denial of service attacks, trojan horses (that use well known ports) and portscan attacks.
When a security violation or a network misconfiguration is identified, ntop offers facilities to generate alarms for the network operator (via e-mail, SNMP traps or Short Messaging Systems) and to perform specific actions (when applicable) in order to block the attack. As it is also possible to keep traffic information stored in a database, the records can be used to understand the attack and prevent further similar occurrences. Further information on the use of ntop for security purposes is available in [7].
It is important to note that ntop, as well as other monitoring tools, might pose security threats if not installed and configured properly. Free access to ntop's web interface will allow any user with web access to read all the information provided by ntop, gaining knowledge about the network that would not be disclosed otherwise.