If you want to use the mapping functionality of ntop to give you [typically incorrect but better than nothing] geolocation maps on host-information pages (for IP hosts) then you need to install the mapper.pl script on a webhost someplace. Each lookup seems to take around 30-40kB but that's just a guess. I suppose I could use ntop to find out... Regardless, this is how I got mapper.pl to work.
Introduction
ntop is a powerful but poorly-documented packet monitoring tool with support for TCP/IP (v4 and v6), SCSI, Fibre Channel and some other goodies. It lets you easily examine hosts playing on your network, see what kind of activity there is, and so on.
ntop is useful for monitoring traffic on all sizes of network; bigger networks require bigger machines. Each host seen consumes about 20kB (!) of memory, so you can imagine that a DDoS attack would consume memory very rapidly. Sites with multiple fast connections will almost certainly need multiple ntop servers. But this article is written to assist someone who is setting up ntop on their personal system to monitor local traffic. ntop is useful on any speed of connection - I first installed it specifically to monitor the modem connection on the laptop I use at home.
The Ubuntu distribution of ntop seems to omit mapper.pl for no good reason. It's just a perl script; it could have been thrown in with the docs or something. Instead, we will fetch it from CVS, set up web access to it, and configure ntop for it.
I will also provide some advice on (slightly) securing ntop by the simple expedient of having it only listen on localhost. Linux drops source-routed packets by default for security reasons, and most any firewall ruleset worth using will drop packets claiming to be from 127.0.0.0/8 that arrive on any interface other than the loopback.
Getting Started
We're going to install dependencies, then download mapper, and finally install it into a web server environment - downloading a small web server as necessary. We're also going to tweak some configuration files so that things work as we expect them to.
Installing and configuring ntop
ntop is an easy install from Ubuntu Feisty; sudo apt-get install ntop will do the trick. There's some configuration that you could do to enhance security, however, that doesn't take much in the way of effort. There's also some configuration to be done, especially for modem users (which, yes, still exist.)
First, edit /etc/default/ntop. There's a GETOPT="" line that's commented out. Change it to:
GETOPT="-w 127.0.0.1:3000"
Unsurprisingly, this means that the non-SSL webservice will be started on localhost, port 3000. This is the standard port, but normally ntop binds the webserver to all interfaces, and we're explicitly trying to avoid that here. You could also use SSL, but if someone can snoop on TCP/IP communications to localhost then you've got big problems anyway.
Now edit /var/lib/ntop/init.cfg. See the line INTERFACES="eth0"? If you want to monitor any interfaces other than eth0, add them (or replace eth0 with them, as appropriate) here. You can specify multiple interfaces, separated with commas. Note that the INTERFACES line here has absolutely nothing to do with the web server component, which is the typical means for viewing ntop's data (although not the only one.)
If you have problems starting ntop
It can help to run ntop without the init script, so you can set the admin user password. I suppose you could do this another way, but this is how I did it:
/usr/sbin/ntop -u ntop -P /var/lib/ntop --skip-version-check \
-a /var/log/ntop/access.log -i eth0 -p /etc/ntop/protocol.list \
-O /var/log/ntop -w 127.0.0.1:3000
This is basically the same as the commands it's normally run with, but I don't log through syslog and I don't detach from the terminal. Moral of the story here is that you can see the errors, respond to prompts, etc. When I did this, I was prompted for the password. I ran it as root, as in, from an actual root shell; you might consider running it with sudo su -c 'command' root which should prompt you for your password, then run the command. Put the whole thing inside the single quotes. When you've tested the connection (load http://localhost:3000 in your browser) you can ^C (control-c, or break in most environments) ntop, wait for it to quit, then start the service as normal (sudo /etc/init.d/ntop start).
Installing mapper.pl
mapper.pl depends on graphviz. Here's how you prepare for and fetch the mapper.pl if your distribution didn't come with it. Note that you don't need to install cvs if you already have it installed: type which cvs and if there is any non-error output ending in "cvs", you probably have the thing installed.
If you are prompted for a password when you cvs co ntop... then use 'ntop'.
sudo apt-get install graphviz cvs
export CVSROOT=:pserver:anonymous@cvs.ntop.org:/export/home/ntop
mkdir ntop
cd ntop
cvs login # password is ntop
cvs co ntop/www/Perl/mapper.pl
Preparing a web server
mapper.pl is a CGI script, so you need a web server with CGI support to display it. Sadly this does not include the webserver built into ntop. On my first testing host I used bozohttpd because it was very small. But you can also do it with any web server that supports Perl CGI (which is nearly all of them.) On my second, I used Apache2. The latter requires less monkeying, but dramatically more downloading.
Using bozohttpd for mapper.pl
Here's how you use bozo, in its simplest form. Actually, the very simplest form is to install inetd and use that. But perhaps you want to do it differently. I wanted it to listen on a nonstandard port and only on the localhost interface:
sudo apt-get install bozohttpd
mkdir -p /home/username/www/html
mkdir /home/username/www/cgi-bin
cp ntop/www/Perl/mapper.pl /home/username/www/cgi-bin
sudo bozohttpd /home/username/www/html -X -c /home/username/www/cgi-bin \
-U username -i 127.0.0.1 -I 30080 -b
What's this do? Besides installing bozohttpd, it tells it where to find files. I put a file "index.html" into the www/html directory, which was very simple (basically had a <p> with "nothing here" in it) and put the mapper.pl into the cgi-bin directory. And it runs in daemon mode, so you don't need to deal with inetd. In theory inetd is a cool way to enhance your security, especially with xinetd and/or tcpwrappers. In practice, it's a PITA, and if you're already using firewalling of some sort (as many of us are) you've already got the same or superior security available.
If you really wanted to be complete, you could add the bozohttpd-starting line (sans 'sudo' command) to the /etc/init.d/ntop file, or create its own init script. You could also create a bozohttpd user, put everything in their home directory, and run with -U bozohttpd (or whatever you named it.) Make sure the user's shell is set to something that prevents login (like /usr/sbin/nologin) and that their password field is starred out to prevent login. These paths and options are just examples.
Using Apache2 for mapper.pl
This is probably a more common case for us Ubuntu users, but I thought I'd provide the smaller/lighter version first. Ubuntu virtualhost configurations are in /etc/apache2/sites-enabled. You just drop a file in there, restart apache, and you have a new vhost. By default there's just one vhost here (000-default) which uses /var/www. We can put things elsewhere.
Like our bozohttpd example, this runs only on localhost, port 30080. This prevents us from
Probably the most sensible place to put the mapper is inside of /usr/share/ntop, but I'm going to put it into /usr/local/share/ntop because I'm installing it manually and I don't want later ntop releases to wipe it out.
sudo mkdir -p /usr/local/share/ntop/www/html
sudo mkdir /usr/local/share/ntop/www/cgi-bin
sudo mkdir /usr/local/share/ntop/www/logs
sudo chgrp www-data /usr/local/share/ntop/www/logs
sudo chmod 770 /usr/local/share/ntop/www/logs
sudo cp ntop/www/Perl/mapper.pl /usr/local/share/ntop/www/cgi-bin
Copy mapper.pl from wherever it lives (wherever you downloaded it) rather than just typing the cp line as written; but if you just type (or copy/paste) all that I have typed, everything should work fine for you up through this point at least.
The Apache virtual host configuration
I put the following into a file called /etc/apache2/sites-enabled/ntop:
Listen 30080
NameVirtualHost 127.0.0.1:30080
<VirtualHost 127.0.0.1:30080>
ServerAdmin webmaster@localhost
DocumentRoot /usr/local/share/ntop/www/html
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /usr/local/share/ntop/www/html>
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/local/share/ntop/www/cgi-bin/
<Directory "/usr/local/share/ntop/www/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews
Order allow,deny
Allow from all
</Directory>
ErrorLog /usr/local/share/ntop/www/logs/error.log
LogLevel warn
CustomLog /usr/local/share/ntop/www/logs/access.log combined
ServerSignature On
</VirtualHost>
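Both the ntop -w 127.0.0.1:3000 setting and the loopback-only binding of the mapper web server (bozohttpd -i 127.0.0.1, or the 127.0.0.1:30080 VirtualHost above) are easy to get subtly wrong, so here is a check for them. This is an added example, not part of the original article: it parses ss -Hltn style listener lines (the -H flag suppresses the header in current iproute2; this is an assumption about your ss version) and reports any listener on the two ports that is bound to a wildcard or non-loopback address. The sample lines are constructed so the check runs offline; --live runs it against the real socket table.

```shell
#!/bin/sh
# Added example (not from the original article): audit that the ntop web UI
# (port 3000) and the mapper.pl web server (port 30080) listen on loopback only.
# The parser takes `ss -Hltn`-style lines on stdin so it can be checked offline.

# Print "port local-address" for each LISTEN line whose port is in $1.
# Input lines (constructed, same shape as `ss -Hltn` output) look like:
#   LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*
listeners_for_ports() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        $1 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)          # text after the last colon is the port
            a = $4; sub(/:[^:]*$/, "", a)      # everything before it is the address
            if (p in wanted) print p, a
        }'
}

# Read "port address" pairs from stdin; return 0 when every one is a loopback
# address, 1 when any is a wildcard (0.0.0.0, *, [::]) or a real interface.
loopback_only() {
    bad=0
    while read -r port addr; do
        case "$addr" in
            127.*|'[::1]'|'::1') ;;
            *) echo "port $port is bound to $addr, not loopback" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# $1: space-separated ports; stdin: ss -Hltn output
check_listeners() {
    listeners_for_ports "$1" | loopback_only
}

# Constructed sample socket tables: ntop and mapper correct vs. mapper exposed
SAMPLE_GOOD='LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:30080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'
SAMPLE_BAD='LISTEN 0 128 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:30080 0.0.0.0:*'

# Live check:  sh this_script.sh --live
if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then
    if ss -Hltn | check_listeners "3000 30080"; then
        echo "ok: ntop (3000) and mapper (30080) listen on loopback only"
    fi
fi
```

Port 22 in the sample is deliberately bound to 0.0.0.0 and is ignored, because the check only judges the ports you name; widen the list if you later move ntop's SSL port or the mapper onto other ports.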
Testing mapper.pl and configuring ntop
Testing mapper.pl
Regardless of which http server solution you have opted for, you should be able to visit http://localhost:30080/cgi-bin/mapper.pl and get out a map of Italy. At least, that's what I get :)
If you don't get that, then examine your error log; it's located in the log directory we created, /usr/local/share/ntop/www/logs. There's an access log there, too. These logs should probably be cleaned; later on I'll produce a logrotate config file to handle that, too.
Configuring ntop
Now go back and revisit ntop (http://localhost:3000.) If you see a message about "Rut roh - bad mojo scooby" then you are probably blocking javascript. Enable it, and you will see the menus. From "Admin" pick "Configuration -> Startup Options" and then click on "IP Preferences". The last preference asks for the location of mapper.pl, which we know from earlier: http://localhost:30080/cgi-bin/mapper.pl. Plug this in and click save. Now go restart ntop from the command line:
sudo /etc/init.d/ntop restart
IP Mapping should be working from this point on. Go to the "IP -> Summary -> Traffic" option in the menu, and you will see a list of hosts who have been seen on your interface. Click on one of them (I usually open them in another tab) and you'll see stats on that host. If everything is working, there will be a map there below the whois entry in the first table.
Conclusion
Getting mapper.pl and getting it working is relatively trivial, but figuring out what is required ain't necessarily so. These instructions should be easily adaptable to any Unix system which supports ntop, although many of the usual suspects will be missing or live elsewhere. For instance, systems which don't use sysvinit don't have an /etc/init.d directory.