Re: Is there an ntop virus for Linux?

Author: Michael Butash
Date:  
To: Mark Phillips
CC: Main PLUG discussion list
Subject: Re: Is there an ntop virus for Linux?
Usually you start it with "ntop -A" and set the admin account
credentials, then you init launch and hopefully get to the :3000 port.

Actually it's a rather nifty tool I use with work a lot, I think most
people would be shocked to see what traffic a windoze box does these
days. UDP games and bittorrent can generate some shocking packet per
second numbers. Scary what you find when you drop sniffers into
customer (or your own) networks, ntop deciphers it quite nicely to make
(mostly) human readable.

Heh, maybe you should (or shouldn't depending on your moral boundaries)
take WarCrack away. I've seen junkies come down easier...

http://www.youtube.com/watch?v=YersIyzsOpc

-mb
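
Two questions in this thread ("does any other startup script need ntop?" and "can I just pull it from init.d?") can be answered mechanically from the LSB headers Ryan mentions and the rcN.d symlinks that update-rc.d manages. The script below is an added example, not code from the list or from the ntop project. It assumes a Debian-style sysvinit layout (/etc/init.d plus /etc/rcN.d), and its fixture scripts, service names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: find which init scripts declare
# a start dependency on a service via their LSB headers, and check whether
# the service is wired into any runlevel.  Assumes a Debian-style sysvinit
# layout (/etc/init.d, /etc/rcN.d); paths and the service name are
# parameters so the functions can be exercised on a constructed fixture.

# Print the names of init scripts under $1 whose LSB header lists $2 in
# Required-Start: or Should-Start:.  Only the block between
# "### BEGIN INIT INFO" and "### END INIT INFO" is consulted, so a stray
# mention of the service elsewhere in a script does not count.
lsb_dependents() {
    dir=$1; svc=$2
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        if sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$script" \
            | grep -E '^# (Required|Should)-Start:' \
            | grep -qw -- "$svc"; then
            basename "$script"
        fi
    done
    return 0
}

# Print "link -> target" for every rcN.d start/kill symlink of service $2
# below $1 (an /etc-style root).  No output means no runlevel starts it,
# which is the state "update-rc.d -f ntop remove" leaves behind.
rc_links() {
    root=$1; svc=$2
    for link in "$root"/rc?.d/[SK][0-9][0-9]"$svc"; do
        if [ -L "$link" ] || [ -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link" || echo '?')"
        fi
    done
    return 0
}

# Constructed fixture (hypothetical scripts, not from any real system):
# three fake init scripts, one of which (webstats) requires ntop, and a
# runlevel-3 start link for ntop.  Echoes the fixture root.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/init.d" "$root/rc3.d"
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: ntop' \
        '# Required-Start: $network $remote_fs' '### END INIT INFO' \
        > "$root/init.d/ntop"
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: webstats' \
        '# Required-Start: $network ntop' '### END INIT INFO' \
        > "$root/init.d/webstats"
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: cron' \
        '# Required-Start: $remote_fs' '### END INIT INFO' \
        '# mentions ntop outside the LSB header; must not be reported' \
        > "$root/init.d/cron"
    ln -s ../init.d/ntop "$root/rc3.d/S20ntop"
    echo "$root"
}

# Stand-alone use: scan the live system for the given service (default ntop).
main() {
    svc=${1:-ntop}
    echo "init scripts whose LSB header requires $svc:"
    lsb_dependents /etc/init.d "$svc"
    echo "runlevel links for $svc:"
    rc_links /etc "$svc"
}
main "$@"
```

Run as `sh lsb-deps.sh ntop` on the box in question: an empty first list plus the rcN.d links tells you nothing else declares a dependency, so removing the links is safe as far as the init system is concerned, and a non-empty list names the scripts to check before doing so. Note that `grep -nr ntop /etc/init.d`, as used later in the thread, also matches comments and unrelated text, which is why the function restricts itself to the LSB header block.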


On Wed, 2009-07-29 at 13:09 -0700, Mark Phillips wrote:
> Michael,
>
> Thanks...I will re-enable it sometime and try it out. When I run it
> without the command line arguments from the init.d script, it actually
> fails after a few minutes. I forget the error, but I traced it to an
> open bug that appeared in v 3.2 and was thought to be dead, but
> reappeared in 3.3.
>
> I have a small network, less than 10 computers, and very little
> traffic (unless you consider WOW a traffic hog!). Perhaps a reason to
> disable WOW and melt the only windows machine and get my daughter
> doing something else...;-)
>
> Cheers!
>
> Mark
>
> On Wed, Jul 29, 2009 at 12:41 PM, Michael Butash <>
> wrote:
>         Not that I know of, and I find it hard to believe ntop would
>         start default on any distro, especially debian.  Must have got
>         in via another odd dependency.  It's typically a standalone app
>         and webserver of its own for diagnosing tcp/udp application
>         flows from the flag level, not typically used by most outside of
>         networking folk.  I'm not sure it even offers a direct api for
>         another app to use unless an app is scraping, I suppose it's
>         possible another has it as a dependency.
>
>         It usually is stable under low loads, so if it's freaking out,
>         either it's a bad build, you have a lot of broadcast/unicast
>         flooding occurring that it's seeing, or "normal" traffic of your
>         own it's crunching on.  I've killed it with gratuitous bittorrent
>         connections on a slow test box.
>
>         What does it show when you http to:
>
>         http://localhost:3000
>
>         Should be default port.  If you get curious, maybe you should.  :)
>
>         -mb
>
>         On Wed, 2009-07-29 at 11:19 -0700, Mark Phillips wrote:
>         > No, nothing that I am aware of.
>         >
>         > I disabled ntop from init.d, rebooted, and the world did not
>         > come to an end...;-).
>         >
>         > Does VMware or VirtualBox depend on ntop in some way? I have
>         > those installed for my Windows partition, but I don't use them
>         > because my po' lil' Pentium IV has a hard time keeping up with
>         > both Linux and XP at the same time. I also couldn't get USB and
>         > network to work with them, so my dream of running iTunes on
>         > Linux (via VMware/VirtualBox and XP) did not come to fruition.
>         > Perhaps they installed ntop?
>         >
>         > Mark
>         >
>         > On Wed, Jul 29, 2009 at 10:46 AM, Bob Elzer <> wrote:
>         >         I agree with Hans, did you turn on any monitoring
>         >         programs ?  Stat gathering, big brother, hobbit, nagios
>         >         anything of this nature ?
>         >
>         >         ______________________________________________________
>         >         From: [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us]
>         >         On Behalf Of Mark Phillips
>         >         Sent: Wednesday, July 29, 2009 9:59 AM
>         >         To: Main PLUG discussion list
>         >         Subject: Re: Is there an ntop virus for Linux?
>         >
>         >                 On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix <> wrote:
>         >
>         >                         Mark Phillips wrote:
>         >                         > Whenever I start my Debian Lenny testing
>         >                         > laptop a process called ntop starts and
>         >                         > quickly consumes 99% of my cpu. If I kill
>         >                         > the process, nothing happens. If I run
>         >                         > ntop from the command line, it does what
>         >                         > the man page says it does, and hardly
>         >                         > consumes any resources at all. There is
>         >                         > an ntop in /etc/init.d/, and when I run
>         >                         > /etc/init.d/ntop it consumes very few
>         >                         > resources - the script calls
>         >                         > /usr/sbin/ntop. There are no entries in
>         >                         > the /var/log/ntop/access.log file.
>         >                         >
>         >                         > My questions are:
>         >                         >
>         >                         > Do I have a virus masquerading as ntop,
>         >                         > and if so how do I remove it? I googled
>         >                         > "linux ntop virus" and did not come up
>         >                         > with anything useful.
>         >                         >
>         >                         > Can I just remove ntop from /etc/init.d/ ?
>         >                         >
>         >                         > How do I find out if another startup
>         >                         > program needs ntop?
>         >                         >
>         >                         > Is ntop necessary at startup?
>         >                         >
>         >
>         >                         Are you monitoring your network usage? If
>         >                         not, probably safe to remove the /etc/rc.d/
>         >                         hooks for it for the runlevel you are
>         >                         booting into.
>         >
>         >                         /etc/rc.d/rc5/XX-ntop <-- look for
>         >                         something like that if you are booting
>         >                         into runlevel 5 (full desktop)
>         >
>         >                         all in all, removing init.d scripts is a
>         >                         bad idea.
>         >
>         >                         If the init scripts in debian use LSB, the
>         >                         headers will tell you which (if any)
>         >                         require ntop.
>         >
>         >                         Does ps -aux list any options for ntop
>         >                         when it's run from init?
>         >
>         >                         Ryan
>         >
>         >                 Ryan,
>         >
>         >                 I am not monitoring network usage. This weird
>         >                 behavior just started a week or so ago.
>         >
>         >                 Here is what ps says when I start ntop:
>         >
>         >                 narwhale:/home/mark# ps aux | grep ntop
>         >                 ntop     10943  4.5  2.6 197824 27136 ?   Ssl
>         >                 09:49   0:00 /usr/sbin/ntop -d -L -u ntop
>         >                 -P /var/lib/ntop
>         >                 --access-log-file /var/log/ntop/access.log
>         >                 -i eth0,eth1 -p /etc/ntop/protocol.list
>         >                 -O /var/log/ntop
>         >
>         >                 I ran grep -nr "ntop" /etc/init.d and all
>         >                 references to ntop are from the ntop script, so
>         >                 I assume none of the other init.d scripts are
>         >                 calling ntop.
>         >
>         >                 Any other thoughts, or should I just disable
>         >                 ntop from init.d:
>         >                 update-rc.d -f  ntop remove
>         >                 Mark
>         >
>         >                 P.S. Since I started ntop to check the output
>         >                 from ps, I let it run. And sure enough, after a
>         >                 few minutes, the fan started blowing hard and
>         >                 CPU usage went over 90% for ntop. Now I am
>         >                 really confused....I guess the real question is
>         >                 why do I need ntop to start my laptop?

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss