Saturday, July 21, 2007

HeX liveCD: Ntop

We have included Ntop in our liveCD, and here is a simple how-to on using it to perform offline processing of pcap data. It's another useful tool for generating network statistics besides tshark and tcpdstat. I always use honeynet-scan18.pcap as an example as it is publicly available here. Credit to the honeypot team for making the trace available.

shell>sudo ntop -u analyzt -M -n \
-f ./honeynet-scan18.pcap -m 172.16.1.0/24 \
-O ntop-output/ -w 192.168.0.50:3000 -W 0 -g -c -a -q

shell>sockstat -4 | grep ntop
analyzt ntop 3054 12 tcp4 *:3000 *:*

Now we have access to port 3000, so just point our browser to it:

http://192.168.0.50:3000

Major Protocols Distribution

Application Protocols Distribution

Per Host Information

The downside of ntop is that it will purge the old data, therefore you can only view the latest data displayed. If any of you (experienced Ntop users) know how to disable it, please share it with me because I would prefer to use it to process the pcap offline.

Enjoy (;])
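An added example, not from the original post and not ntop code: the script below reads a classic libpcap file directly and totals bytes per IP protocol and per host in the local subnet, keeping every host for the whole trace, so nothing is purged. The function names and the three-packet sample capture (with made-up addresses) are constructed for illustration; pass the bytes of a real trace such as honeynet-scan18.pcap to `pcap_stats` instead.

```python
import ipaddress
import struct
from collections import Counter

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def pcap_stats(data, local_net="172.16.1.0/24"):
    """Bytes per IP protocol and per local host for a classic Ethernet pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian (usec / nsec)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled")
    net = ipaddress.ip_network(local_net)
    protos, hosts, off = Counter(), Counter(), 24
    while off + 16 <= len(data):
        incl_len, orig_len = struct.unpack(endian + "II", data[off + 8:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # short or not IPv4
            continue
        protos[PROTO_NAMES.get(frame[23], str(frame[23]))] += orig_len
        for raw in {frame[26:30], frame[30:34]}:   # set: count src==dst once
            addr = ipaddress.ip_address(raw)
            if addr in net:
                hosts[str(addr)] += orig_len
    return protos, hosts

def _frame(src, dst, proto, size):
    """Constructed Ethernet+IPv4 frame of `size` bytes, zero-filled payload."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, size - 14, 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return (b"\x00" * 12 + b"\x08\x00" + ip).ljust(size, b"\x00")

def build_sample():
    """Constructed three-packet capture; all addresses are made up."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in (_frame("172.16.1.108", "192.0.2.7", 6, 60),
              _frame("192.0.2.7", "172.16.1.108", 6, 1500),
              _frame("172.16.1.5", "198.51.100.9", 17, 80)):
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(*pcap_stats(build_sample()), sep="\n")
```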
