Using ntop to efficiently troubleshoot Linux network problems

With the spread of Linux, a large number of network servers now run the Linux operating system. To judge the health of such a network properly, you need to be able to measure its state in more detail and with more accuracy than simple connectivity checks provide.

The total traffic through a network server, and the packet rate (or volume) of its TCP and UDP traffic, are things a network administrator must watch: when traffic is too high, the bottleneck has to be found. Network management therefore requires knowing the state of every network service on every host in the network, and limiting or adding bandwidth according to load. This article introduces ntop, a full-featured network monitoring tool for Linux with a web-based GUI.

Getting Ready

Downloading Software:

ntop depends on zlib, gd, libpcap and libpng (libpcap captures the packets, gd draws the charts and zlib compresses them). Before installing, check that the following are present on the server: zlib (zlib-1.1.3 or later), gd (gd-1.3 or later), libpcap and libpng. On an RPM-based system this can be confirmed with:

rpm -qa | grep libpcap
rpm -qa | grep zlib
rpm -qa | grep gd
rpm -qa | grep libpng

ntop can be found on the Red Hat 7.1 distribution media, but we avoid that package because it has a number of security holes; one of them allows any file on the host to be read remotely. Details are at http://it.rising.com.cn/safety/subject/safety-hole/linux/825ntop.htm. It is best to download the latest source code, ntop-02-07-10.tar.gz; the home page is at http://www.ntop.org/ntop.html. The following describes the installation and use of ntop using Red Flag 3.0 (kernel 2.4.7-10) as an example.

Install the software:

gunzip ntop-02-07-10.tar.gz
tar xvf ntop-02-07-10.tar
mv ntop-02-07-10 ntop
cd ntop/Gdchart0.94c
./configure
cd gd-1.8.3/libpng-1.2.4
make
cd ../../zlib-1.1.4
./configure
make
cd ..
make
cd ../ntop
./configure
make
make install

(The bundled gdchart, gd, libpng and zlib are built first, then ntop itself. Note that the archive is unpacked with tar xvf after gunzip, since the file is no longer compressed at that point.)

After the installation is complete, create a directory for ntop to store its data, give it to the unprivileged user ntop will run as (uid and gid 99, the nobody account on Red Hat-based systems), and start ntop:

mkdir -p /home/ntop_dbase
chown 99:99 /home/ntop_dbase
/usr/local/bin/ntop -u nobody -P /home/ntop_dbase &

ntop has to be started as root to open the capture interface; -u makes it switch to the given unprivileged user afterwards, and -P sets the directory for its database files.

Note: the first time ntop runs it asks you to set the administrator password; choose one yourself, and you will not be asked again on later runs. Start X and point a browser at http://192.168.0.2:3000/ (the host where ntop is installed) to open ntop's main menu. Port 3000 serves plain HTTP, so the password and everything ntop has observed travel unencrypted: reach it only from the management network and do not expose it beyond that.

ntop can also be used from the command line, through its interactive text-mode front end, on a chosen interface:

intop -i eth0

Actual case study

My organization runs a small to medium-sized local area network made up of several systems; the topology is shown in Figure 1. The server runs Red Flag 3.0 and the client PCs run Windows 9x/Me/2000.

One afternoon network performance suddenly dropped, and large amounts of data could no longer be transferred smoothly. I first suspected a physical fault, but ping showed the hosts were still reachable, so the cabling was not damaged.

Detecting faults

Start ntop: it recognises most of the protocols in use on the network. First check the network load: click the “IP Protos” menu (see Figure 2). The load on the network turns out to be 98%.


Next click the Host “IP Traffic” menu to query traffic per host, as shown in Figure 3.


It turns out that most of the data is being sent by a PC with the host name cao1, whose share of the network load is close to 99%. Click “cao1”, then “Host”, for more information. As Figure 4 shows, host cao1 has IP address 192.168.0.1 and MAC address 00:50:BA:F0:AB:AC, and runs Windows.


Double-click “cao1” to get an overview of all of that host's network activity. Look at the section on the type of data transmitted, shown in Figure 5: the data it sends is UDP.


UDP is the connectionless transport-layer protocol, and it is what LAN broadcast and streaming traffic is carried over; a single host pushing UDP at nearly the full capacity of the segment is the signature of a broadcast storm, and that is what was degrading the network.
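The reasoning above can be checked without ntop at all. As an added example (not part of the original article and not ntop's own code), the shell script below sums, per source host, the UDP bytes sent to the subnet broadcast address in a text packet capture and flags the host responsible for most of them, which is what ntop's IP Traffic and host pages showed for cao1. The capture lines are constructed in the style of tcpdump -nn output, the /24 broadcast test and the 80% share threshold are assumptions, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the original article or from ntop: reproduce
# offline the diagnosis that ntop's "IP Traffic" page gave in the case study,
# from the kind of text a packet capture produces. The input lines below are
# constructed to look like `tcpdump -nn` output; they are not a real capture.
# Assumed line layout:
#   <time> IP <src>.<sport> > <dst>.<dport>: UDP, length <bytes>
# The broadcast test (destination ending in .255) assumes a /24 LAN, and the
# storm threshold is an assumption to tune for your own network.

# Constructed sample: 192.168.0.1 floods the subnet broadcast address with
# UDP while the rest of the LAN carries ordinary traffic.
SAMPLE_CAPTURE='14:02:11.000100 IP 192.168.0.1.5004 > 192.168.0.255.5004: UDP, length 1316
14:02:11.000300 IP 192.168.0.1.5004 > 192.168.0.255.5004: UDP, length 1316
14:02:11.000500 IP 192.168.0.5.1035 > 192.168.0.2.80: Flags [S], seq 1, win 8192, length 0
14:02:11.000700 IP 192.168.0.1.5004 > 192.168.0.255.5004: UDP, length 1316
14:02:11.000900 IP 192.168.0.2.53 > 192.168.0.7.1027: UDP, length 120
14:02:11.001100 IP 192.168.0.1.5004 > 192.168.0.255.5004: UDP, length 1316
14:02:11.001300 IP 192.168.0.7.137 > 192.168.0.255.137: UDP, length 50
14:02:11.001500 IP 192.168.0.1.5004 > 192.168.0.255.5004: UDP, length 1316
14:02:11.001700 IP 192.168.0.2.80 > 192.168.0.5.1035: Flags [S.], seq 0, ack 2, win 8192, length 0'

# Read capture lines on stdin; print "bytes source" for every host that sent
# UDP to the broadcast address, largest sender first.
udp_broadcast_senders() {
    awk '
        /UDP, length/ {
            src = $3; dst = $5; bytes = $NF
            sub(/\.[0-9]+$/, "", src)                     # drop source port
            sub(/:$/, "", dst); sub(/\.[0-9]+$/, "", dst) # drop ":" and dest port
            if (dst ~ /\.255$/)                           # /24 broadcast (assumption)
                sent[src] += bytes
        }
        END { for (s in sent) print sent[s], s }
    ' | sort -rn
}

# Read capture lines on stdin; print the top broadcast sender if it accounts
# for more than STORM_SHARE of all broadcast bytes, nothing otherwise.
STORM_SHARE=${STORM_SHARE:-0.8}   # assumed threshold

find_storm_source() {
    udp_broadcast_senders | awk -v share="$STORM_SHARE" '
        NR == 1 { top_bytes = $1; top_src = $2 }
        { total += $1 }
        END { if (total > 0 && top_bytes / total > share) print top_src }
    '
}

# Run on the constructed sample. On a real LAN, feed it live capture output
# instead (root is needed to capture, just as for ntop):
#   tcpdump -nn -l -i eth0 udp | find_storm_source
printf '%s\n' "$SAMPLE_CAPTURE" | find_storm_source
```

On the sample the script prints 192.168.0.1, the address ntop showed for cao1; the TCP lines and the unicast DNS reply are ignored, and the small NetBIOS broadcast from 192.168.0.7 is counted but is far below the threshold. Two broadcasters of similar size would produce no output, which is the right answer when there is no single culprit.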

Solution

We went to host cao1 and found a staff member presenting the company's product information to a customer with Super Solution 2000. When Super Solution 2000 plays files it has an option to perform DVB audio and video broadcasting over the LAN. Through a misconfiguration the staff member had broadcast DVB audio and video to every host on the network, the server included, causing the broadcast storm.

Turning off the Super Solution 2000 DVB audio and video broadcast option on cao1 brought the network back to normal.

Summary

ntop is a real help to a network administrator. Through it, essentially all incoming and outgoing traffic, per-host information and the security status of the network become visible, and it serves equally well for network monitoring and for log management. However, since ntop is essentially a network sniffer, it is a double-edged sword, and for the security of the network its use must be controlled: nobody other than the network administrator should be allowed to run any sniffing tool on the network, senior managers included.
