Is there an ntop virus for Linux?

Mark Phillips mark at phillipsmarketing.biz
Wed Jul 29 13:09:39 MST 2009


Michael,

Thanks...I will re-enable it sometime and try it out. When I run it without
the command line arguments from the init.d script, it actually fails after a
few minutes. I forget the error, but I traced it to an open bug that
appeared in v 3.2 and was thought to be dead, but reappeared in 3.3.

I have a small network, less than 10 computers, and very little traffic
(unless you consider WOW a traffic hog!). Perhaps a reason to disable WOW
and melt the only windows machine and get my daughter doing something
else...;-)

Cheers!

Mark

On Wed, Jul 29, 2009 at 12:41 PM, Michael Butash <michael at butash.net> wrote:

> Not that I know of, and I find it hard to believe ntop would start
> default on any distro, especially debian.  Must have got in via another
> odd dependency.  It's typically a standalone app and webserver of its
> own for diagnosing tcp/udp application flows from the flag level, not
> typically used by most outside of networking folk.  I'm not sure it even
> offers a direct api for another app to use unless an app is scraping, I
> suppose it's possible another has it as a dependency.
>
> It usually is stable under low loads, so if it's freaking out, either
> it's a bad build, you have a lot of broadcast/unicast flooding occurring
> that it's seeing, or "normal" traffic of your own it's crunching on.
> I've killed it with gratuitous bittorrent connections on a slow test
> box.
>
> What does it show when you http to:
>
> http://localhost:3000
>
> Should be default port.  If you get curious, maybe you should.  :)
>
> -mb
>
>
> On Wed, 2009-07-29 at 11:19 -0700, Mark Phillips wrote:
> > No, nothing that I am aware of.
> >
> > I disabled ntop from init.d, rebooted, and the world did not come to
> > an end...;-).
> >
> > Does VMware or VirtualBox depend on ntop in some way? I have those
> > installed for my Windows partition, but I don't use them because my
> > po' lil' Pentium IV has a hard time keeping up with both Linux and XP
> > at the same time. I also couldn't get USB and network to work with
> > them, so my dream of running iTunes on Linux (via VMware/VirtualBox
> > and XP) did not come to fruition. Perhaps they installed ntop?
> >
> > Mark
> >
> > On Wed, Jul 29, 2009 at 10:46 AM, Bob Elzer <bob.elzer at gmail.com>
> > wrote:
> >         I agree with Hans, did you turn on any monitoring programs ?
> >         Stat gathering, big brother, hobbit, nagios anything of this
> >         nature ?
> >
> >
> >
> >                 ______________________________________________________
> >                 From: plug-discuss-bounces at lists.plug.phoenix.az.us
> >                 [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us]
> >                 On Behalf Of Mark Phillips
> >                 Sent: Wednesday, July 29, 2009 9:59 AM
> >                 To: Main PLUG discussion list
> >                 Subject: Re: Is there an ntop virus for Linux?
> >
> >
> >
> >
> >
> >
> >                 On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix
> >                 <phrkonaleash at gmail.com> wrote:
> >
> >                         Mark Phillips wrote:
> >                         > Whenever I start my Debian Lenny testing laptop a process called ntop starts
> >                         > and quickly consumes 99% of my cpu. If I kill the process, nothing happens.
> >                         > If I run ntop from the command line, it does what the man page says it does,
> >                         > and hardly consumes any resources at all. There is an ntop in /etc/init.d/,
> >                         > and when I run /etc/init.s/ntop it consumes very few resources - the script
> >                         > calls /usr/sbin/ntop. There are no entries in the /var/log/ntop/access.log
> >                         > file.
> >                         >
> >                         > My questions are:
> >                         >
> >                         > Do I have a virus masquerading as ntop, and if so how do I remove it? I
> >                         > googled "linux ntop virus" and did not come up with anything useful.
> >                         >
> >                         > Can I just remove ntop from /etc/init.d/ ?
> >                         >
> >                         > How do I find out if another startup program needs ntop?
> >                         >
> >                         > Is ntop necessary at startup?
> >                         >
> >
> >
> >                         Are you monitoring your network usage?
> >                         if not, probably safe to remove the /etc/rc.d/
> >                         hooks for it for the
> >                         runlevel you are booting into.
> >
> >                         /etc/rc.d/rc5/XX-ntop <-- look for something
> >                         like that if you are
> >                         booting into runlevel 5 (full desktop)
> >
> >                         all in all, removing init.d scripts is a bad
> >                         idea.
> >
> >                         If the init scripts in debian use LSB, the
> >                         headers will tell you which
> >                         (if any) require ntop.
> >
> >                         Does ps -aux list any options for ntop when
> >                         it's run from init?
> >
> >                         Ryan
> >
> >                 Ryan,
> >
> >                 I am not monitoring network usage. This weird behavior
> >                 just started a week or so ago.
> >
> >                 Here is what ps says when I start ntop:
> >
> >                 narwhale:/home/mark# ps aux | grep ntop
> >                 ntop     10943  4.5  2.6 197824 27136 ?        Ssl
> >                 09:49   0:00 /usr/sbin/ntop -d -L -u ntop
> >                 -P /var/lib/ntop
> >                 --access-log-file /var/log/ntop/access.log -i
> >                 eth0,eth1 -p /etc/ntop/protocol.list -O /var/log/ntop
> >
> >                 I ran grep -nr "ntop" /etc/init.d and all references
> >                 to ntop are from the ntop script, so I assume none of
> >                 the other init.d scripts are calling ntop.
> >
> >                 Any other thoughts, or should I just disable ntop from
> >                 init.d:
> >                 update-rc.d -f  ntop remove
> >                 Mark
> >
> >                 P.S. Since I started ntop to check the output from ps,
> >                 I let it run. And sure enough, after a few minutes,
> >                 the fan started blowing hard and CPU usage went over
> >                 90% for ntop. Now I am really confused....I guess the
> >                 real question is why do I need ntop to start my
> >                 laptop?
> >
> >
> >
> >
> >         ---------------------------------------------------
> >         PLUG-discuss mailing list -
> >         PLUG-discuss at lists.plug.phoenix.az.us
> >         To subscribe, unsubscribe, or to change your mail settings:
> >         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
>
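
Ryan's suggestion in the thread, reading the LSB headers to see which init scripts (if any) require ntop, as an added example that is not part of the original messages. Unlike `grep -nr "ntop" /etc/init.d`, it only looks inside the `### BEGIN INIT INFO` block; `lsb_dependents`, `make_sample_dir` and the `flowmon` script are hypothetical names, and the sample scripts are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). lsb_dependents and make_sample_dir are
# hypothetical helper names; the sample init scripts are constructed.

# Print "script: Keyword" for each init script in DIR whose LSB header lists SVC.
lsb_dependents() {
    svc=$1
    dir=${2:-/etc/init.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v svc="$svc" -v name="$(basename "$f")" '
            /^### BEGIN INIT INFO/ { in_hdr = 1; next }
            /^### END INIT INFO/   { exit }
            in_hdr && /^# (Required|Should)-(Start|Stop):/ {
                key = $2; sub(/:$/, "", key)
                for (i = 3; i <= NF; i++)
                    if ($i == svc) { print name ": " key; break }
            }
        ' "$f"
    done
}

# Build a throwaway directory of constructed init scripts for the demo.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: ntop' \
        '# Required-Start: $network $remote_fs' '### END INIT INFO' > "$d/ntop"
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: flowmon' \
        '# Required-Start: $network ntop' '# Should-Stop: ntop' \
        '### END INIT INFO' > "$d/flowmon"
    # Mentions ntop only in a comment outside the header: grep would match it.
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: cron' \
        '# Required-Start: $syslog' '### END INIT INFO' \
        '# restart ntop nightly' > "$d/cron"
    echo "$d"
}

sample=$(make_sample_dir)
lsb_dependents ntop "$sample"
rm -rf "$sample"
```

With no second argument `lsb_dependents` scans `/etc/init.d`; virtual facilities such as `$network` are compared literally and not expanded.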