4 Utilization Examples
In this section, some examples of capabilities are presented. The examples show screenshots of ntop's web-based mode.
The traffic statistics report general information about the observed traffic. The traffic is considered from a global perspective, with no host-specific information. In Figure 1, it is possible to view the Global IP Protocol Distribution table and graph. The data collected by ntop shows that NFS and X11 are the protocols currently consuming the most bandwidth in the network. Together they account for 85.1% of the network usage. These statistics help the administrator understand the traffic by associating it with specific applications. In this way, it will be possible to manage the available bandwidth appropriately.
The tables in Figure 2 show statistics on local, remote-to-local and local-to-remote traffic. A host is considered local if it is attached to the local broadcast network, and remote otherwise [5]. The local traffic table shows information on the traffic exchanged between local hosts. In the example, it is possible to verify that NFS accounts for 68.4% of the local traffic. The remote-to-local traffic table shows the incoming traffic generated by remote (non-local) hosts. In this example, local X11 servers are being used by hosts outside the network segment. With access to this sort of information, the administrator is able to revise policies on acceptable remote X-Windows usage. As could be expected, the local-to-remote traffic table relates to the traffic leaving the local network boundaries.
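The two tables just described (global protocol distribution and the local / remote-to-local / local-to-remote split) reduce to the same computation: classify each packet by application protocol and by whether its endpoints are inside the local broadcast network, then sum bytes per category. The following script is an added illustration, not ntop's own code; the local network prefix, the port-to-protocol map and the packet records are constructed for the example (ntop derives the local network from the capture interface and knows many more protocols).

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed local broadcast network for this example.
LOCAL_NET = ip_network("192.168.1.0/24")

# Small, illustrative well-known-port map (subset of what ntop recognises).
PORT_PROTOCOLS = {2049: "NFS", 6000: "X11", 80: "HTTP", 53: "DNS"}

# Constructed packet records: (src_ip, dst_ip, src_port, dst_port, length_bytes).
SAMPLE_PACKETS = [
    ("192.168.1.10", "192.168.1.20", 40001, 2049, 1500),  # local NFS request
    ("192.168.1.20", "192.168.1.10", 2049, 40001, 120),   # local NFS reply
    ("10.0.0.5", "192.168.1.30", 50000, 6000, 900),       # remote client to local X11 server
    ("192.168.1.30", "10.0.0.5", 6000, 50000, 300),       # local X11 server replying
    ("192.168.1.10", "10.0.0.9", 40002, 80, 400),         # local to remote HTTP
    ("10.0.0.9", "192.168.1.10", 80, 40002, 2000),        # remote to local HTTP
    ("192.168.1.10", "192.168.1.1", 40003, 53, 70),       # local DNS
    ("192.168.1.10", "192.168.1.40", 40004, 31337, 500),  # unrecognised port
]


def is_local(ip):
    return ip_address(ip) in LOCAL_NET


def classify_direction(src, dst):
    """Map a packet to one of the Figure 2 tables (or 'transit' if neither end is local)."""
    src_local, dst_local = is_local(src), is_local(dst)
    if src_local and dst_local:
        return "local"
    if dst_local:
        return "remote_to_local"
    if src_local:
        return "local_to_remote"
    return "transit"


def application_protocol(src_port, dst_port):
    """Look at both ports so replies are attributed to the same application as requests."""
    for port in (dst_port, src_port):
        if port in PORT_PROTOCOLS:
            return PORT_PROTOCOLS[port]
    return "Other"


def protocol_distribution(packets):
    """Return {table_name: Counter(protocol -> bytes)}, including a 'global' table."""
    tables = defaultdict(Counter)
    for src, dst, sport, dport, length in packets:
        proto = application_protocol(sport, dport)
        tables["global"][proto] += length
        tables[classify_direction(src, dst)][proto] += length
    return tables


def percentages(counter):
    """Convert a byte Counter into the percentage column shown in ntop's tables."""
    total = sum(counter.values())
    if total == 0:
        return {}
    return {proto: round(100.0 * n / total, 1) for proto, n in counter.items()}


if __name__ == "__main__":
    for name, table in protocol_distribution(SAMPLE_PACKETS).items():
        print(name)
        for proto, pct in sorted(percentages(table).items(), key=lambda kv: -kv[1]):
            print(f"  {proto:6s} {table[proto]:6d} bytes  {pct:5.1f}%")
```

Replies are attributed by checking the server port on either side of the packet; a one-sided lookup would silently push half of every flow into "Other" and distort exactly the percentages the administrator relies on.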
Figure 3 shows another global traffic statistic, displayed as throughput graphs. These graphs show the evolution of the total throughput observed in the network. They are presented on different time scales, showing the throughput over the last 60 minutes and over the last 24 hours. These statistics are valuable for determining peak and low usage periods. In this way the administrator will be able to better schedule traffic-intensive or network-disruptive activities (physical network maintenance, switch configuration, low-priority data transfers, etc.). It might also be interesting to detect unexpected throughput peaks, which could indicate excessive use of the network resources by a user or group of users, or other non-standard behaviour.
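The 60-minute throughput graph is a series of per-minute byte totals divided by the bin length; flagging an "unexpected peak" then becomes a rule over that series. The script below is an added example, not part of ntop: the frame records are constructed (a synthetic burst in minute 7 plays the role of the anomaly), and the mean-plus-k-standard-deviations rule is an assumed threshold, not ntop's own logic.

```python
from statistics import mean, pstdev

BIN_SECONDS = 60  # one sample per minute, matching the page's 60-minute graph

# Constructed (timestamp_seconds, frame_length_bytes) records covering 10 minutes.
# Every minute carries 40 frames of 1000 bytes except minute 7, which carries 400.
SAMPLE_FRAMES = []
for minute in range(10):
    per_minute = 400 if minute == 7 else 40
    for i in range(per_minute):
        SAMPLE_FRAMES.append((minute * 60 + i * (60 / per_minute), 1000))


def throughput_series(frames, bin_seconds=BIN_SECONDS):
    """Average bytes/second per bin, indexed by bin number counted from t=0."""
    if not frames:
        return []
    last_bin = int(max(ts for ts, _ in frames) // bin_seconds)
    totals = [0] * (last_bin + 1)
    for ts, length in frames:
        totals[int(ts // bin_seconds)] += length
    return [total / bin_seconds for total in totals]


def unexpected_peaks(series, k=2.0):
    """Indices of bins whose throughput exceeds mean + k * stdev (assumed rule)."""
    if len(series) < 2:
        return []
    mu, sigma = mean(series), pstdev(series)
    return [i for i, value in enumerate(series) if value > mu + k * sigma]


if __name__ == "__main__":
    series = throughput_series(SAMPLE_FRAMES)
    for i, bps in enumerate(series):
        print(f"minute {i:2d}: {bps:9.1f} B/s")
    print("peaks:", unexpected_peaks(series))
```

A fixed threshold would have to be retuned for every network segment; a threshold relative to the recent baseline adapts to the normal daily load the 24-hour graph reveals, though a sustained rise would eventually be absorbed into that baseline.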
The previous examples showed the use of ntop for global traffic information. Figure 4 shows some information provided by ntop for a specific host.
The listing includes the IP address, MAC address and board vendor (only for local hosts), total data sent/received statistics (local vs. remote traffic), broadcast packets sent, etc. The IP protocol distribution table divides the host's IP traffic according to known higher-level protocols. The last contact peers table shows the last hosts that exchanged data with the host being inspected. Host information supports network operators in the proper configuration and maintenance of individual elements in the network. Moreover, hosts might be associated with specific users, in which case these statistics could be representative of their behaviour.
ntop is able to analyse individual captured IP packets and relate them to active TCP sessions. This is possible because ntop implements the TCP protocol state machine [5]. In Figure 5 the active TCP sessions table is shown, with an entry for each active connection. In this way it is possible to recognize specific flows and the traffic associated with them. The listing includes, for each entry: calling and called host addresses, data sent and received, connection time, and session duration.
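Relating packets to sessions means keying both directions of a flow to one record and following the TCP handshake and teardown so that "active" has a precise meaning. The tracker below is an added, deliberately simplified illustration, not ntop's implementation: flags are given as letter strings ("S", "SA", "PA", "FA", "R"), only a bare SYN opens a session, and packets of a flow whose handshake was never observed are dropped rather than tracked. The packet trace is constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Session:
    caller: tuple          # (ip, port) of the host that sent the initial SYN
    called: tuple          # (ip, port) of the host that accepted the connection
    start: float           # timestamp of the SYN (connection time)
    last: float            # timestamp of the most recent packet
    sent: int = 0          # payload bytes caller -> called
    received: int = 0      # payload bytes called -> caller
    state: str = "SYN_SENT"
    fins: int = 0          # FIN flags seen so far (one per direction)

    @property
    def duration(self):
        return self.last - self.start


def session_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a flow map to one session."""
    return tuple(sorted(((src, sport), (dst, dport))))


class TcpSessionTracker:
    def __init__(self):
        self.active = {}   # session_key -> Session
        self.closed = []   # finished sessions, in the order they closed

    def observe(self, ts, src, sport, dst, dport, flags, payload_len):
        key = session_key(src, sport, dst, dport)
        session = self.active.get(key)
        if session is None:
            # Assumed policy: only a bare SYN opens a session; mid-stream packets
            # without an observed handshake are ignored.
            if flags == "S":
                session = Session((src, sport), (dst, dport), ts, ts)
                self.active[key] = session
            return session
        session.last = ts
        if (src, sport) == session.caller:
            session.sent += payload_len
        else:
            session.received += payload_len
        if "R" in flags:
            session.state = "RESET"
            self._finish(key)
        elif "F" in flags:
            session.fins += 1
            session.state = "FIN_WAIT" if session.fins == 1 else "CLOSED"
            if session.fins == 2:
                self._finish(key)
        elif "S" in flags and "A" in flags:
            session.state = "SYN_RECEIVED"
        elif session.state == "SYN_RECEIVED" and "A" in flags:
            session.state = "ESTABLISHED"
        return session

    def _finish(self, key):
        self.closed.append(self.active.pop(key))


# Constructed trace: (ts, src, sport, dst, dport, flags, payload_len).
SAMPLE_TRACE = [
    (0.00, "192.168.1.10", 40001, "10.0.0.9", 80, "S", 0),        # HTTP handshake
    (0.01, "10.0.0.9", 80, "192.168.1.10", 40001, "SA", 0),
    (0.02, "192.168.1.10", 40001, "10.0.0.9", 80, "A", 0),
    (0.03, "192.168.1.10", 40001, "10.0.0.9", 80, "PA", 120),     # request
    (0.10, "10.0.0.9", 80, "192.168.1.10", 40001, "PA", 1400),    # response
    (0.11, "10.0.0.9", 80, "192.168.1.10", 40001, "PA", 600),
    (0.50, "192.168.1.20", 40002, "192.168.1.30", 2049, "S", 0),  # NFS, stays open
    (0.51, "192.168.1.30", 2049, "192.168.1.20", 40002, "SA", 0),
    (0.52, "192.168.1.20", 40002, "192.168.1.30", 2049, "A", 0),
    (0.53, "192.168.1.20", 40002, "192.168.1.30", 2049, "PA", 200),
    (1.00, "192.168.1.10", 40001, "10.0.0.9", 80, "FA", 0),       # HTTP teardown
    (1.01, "10.0.0.9", 80, "192.168.1.10", 40001, "FA", 0),
    (1.02, "192.168.1.10", 40001, "10.0.0.9", 80, "A", 0),
    (2.00, "10.0.0.7", 5555, "192.168.1.10", 22, "PA", 50),       # no handshake seen: ignored
]


def track(trace):
    tracker = TcpSessionTracker()
    for packet in trace:
        tracker.observe(*packet)
    return tracker


def session_table(tracker):
    """Rows in the shape of Figure 5: caller, called, sent, received, start, duration."""
    return [(s.caller, s.called, s.sent, s.received, s.start, s.duration, s.state)
            for s in tracker.active.values()]


if __name__ == "__main__":
    for row in session_table(track(SAMPLE_TRACE)):
        print(row)
```

Sorting the two endpoints into a canonical key is what lets a reply packet find the session its request created; keying on the packet's own (src, dst) order would produce two half-sessions per connection and double the entries in the table.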
As mentioned in the Installation section, ntop's functionality can be extended using plug-ins. Figure 6 depicts ntop being accessed via a WAP device (for the example, an emulator of a WAP device [10] was used). This is possible through the installation and activation of a WAP plug-in [4], which is responsible for generating the final statistics in WAP format.
Figure 7 shows ntop in its interactive mode, also known as intop. It is a shell to ntop and presents data in textual format, organized in tables. In this example it is possible to view the list of hosts that have sent/received data. The other columns highlight host activity, in particular data sent and received and TCP, UDP and ICMP data. A thorough (though currently out-dated) description of ntop's user interface can be found in ntop's User Guide [5].