Friday, August 28, 2009

Spun by Ntop

I had seen ntop way back when it was just character based. It may not have been the same program, but I recently came back looking for a program that would let me figure out what sort of traffic is going through my network, and ntop came back to mind. I didn't have the stomach to run a full-blown Snort setup, nor was I interested in watching packets fly by in Wireshark. I figured I'd use ntop to get a general feel and then zoom in on particular hosts with Wireshark.
I tried a test setup of ntop running on Mandriva and quickly realised its potential. I could see as far as the packets my NIC could catch. The problem was that I was on a separate switch quite some way off from the core switch.
So I found the hardware, set up a clean CentOS 5 install and plugged it into a port that was mirrored to the port where the firewall was connected. I installed ntop from an RPM (from rpmforge, I think) and immediately hit a brick wall. The install didn't tell me that ntop has to be run from the command line at least once to set the admin password. After that, the init scripts spat out errors. I could not understand the errors until I realised that there was nothing wrong with the script file; the bug was within ntop itself.
The man page explained that specifying a conf filename would expand the file into parameters on the command line. However, the RPM I had was probably from some transitional stage, because the file expansion produced parameters delimited with a comma and a space on the command line, while the version of ntop that was running wanted them delimited with a space only. So I took the 3 parameters from the conf file, put them directly on the command line in the init script, and said goodbye to the conf file.
I say this ntop was in a transitional stage because its settings were also being kept in files set up by the web interface. These were created and updated after ntop was running. For some bizarre reason, while ntop could and wanted to run as user ntop, the files could not be created as user ntop no matter what I did with directory permissions (I think I stopped short of using sticky bits). So I removed the parameter that specified the user. But then the graphs would not show. RRD, which ntop uses for the graphs, wanted to write as user ntop, and having the directories created (and thus owned) by root prevented that. I was getting upset and just changed the owner of the RRD directory from root to ntop. And then fireworks. ntop provided quite a lot of insight into what people were doing on the network. For all of 15 minutes. I could not get past that magic number. ntop would run at most 15 minutes, mostly less. No clue in the logs. All it said was that the network interface had stopped being promiscuous.
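The two problems in the previous paragraphs (a conf file expanded with the wrong delimiter, and data directories owned by root while the daemon runs as ntop) are both things an init wrapper can check before starting the daemon. The script below is an added example, not code from this post or from the ntop project: it reads one option per line from a conf file, joins them with single spaces, and verifies that the directories the unprivileged account must write to are actually owned by that account. The option names, paths and the `ntop` account name are assumptions; `stat -c %U` assumes GNU coreutils (Linux).

```shell
#!/bin/sh
# Added example, not code from the post or the ntop project: an init-style
# wrapper that reads ntop options from a conf file, joins them with single
# spaces (the post describes a build that emitted ", " where the binary wanted
# " "), and checks that the directories ntop writes to are owned by the account
# it will run as. Option names, paths and the account name are assumptions.

# Print the options in $1 as one space-separated string.
# Skips blank lines and '#' comments, trims whitespace, drops a trailing comma.
ntop_args_from_conf() {
    conf="$1"
    args=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"          # drop comments (option values must not contain '#')
        line="$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')"
        [ -z "$line" ] && continue
        line="${line%,}"            # tolerate the comma-delimited conf format
        if [ -z "$args" ]; then args="$line"; else args="$args $line"; fi
    done < "$conf"
    printf '%s' "$args"
}

# Return 0 when every directory listed after the user name is owned by that
# user; otherwise report the offenders on stderr and return 1. This makes the
# chown the post arrived at by hand an explicit pre-start check.
check_dir_owner() {
    user="$1"; shift
    rc=0
    for d in "$@"; do
        owner="$(stat -c %U "$d" 2>/dev/null)" || { echo "missing: $d" >&2; rc=1; continue; }
        [ "$owner" = "$user" ] || { echo "$d is owned by $owner, not $user" >&2; rc=1; }
    done
    return $rc
}

# Demonstration with a constructed conf file in a temporary directory.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/ntop.conf" <<EOF
# constructed sample conf; the option names are assumed, not taken from the post
--interface=eth0,
--user=ntop
--db-file-path=$demo_dir/ntop
EOF
mkdir -p "$demo_dir/ntop/rrd"
NTOP_ARGS="$(ntop_args_from_conf "$demo_dir/ntop.conf")"
echo "would run: ntop $NTOP_ARGS"
# A real init script would check against "ntop"; checking against the current
# user lets the demo pass anywhere, and the second call shows a mismatch report.
check_dir_owner "$(id -un)" "$demo_dir/ntop" "$demo_dir/ntop/rrd" && echo "ownership ok"
check_dir_owner "ntop" "$demo_dir/ntop" || echo "fix with: chown -R ntop $demo_dir/ntop"
rm -rf "$demo_dir"
```

In an init script the `check_dir_owner` call would go just before the daemon is started, with the directories taken from the same conf file, so a root-owned RRD directory is reported at start time rather than showing up later as missing graphs.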
I gave up. I set up a cron job to restart ntop every 15 minutes and went back to the real task at hand, the reason ntop was set up in the first place: trying to get a handle on my network.
After a few weeks ntop just refused to start.
I removed all of the ntop-related RPMs, updated everything else and began from scratch. From another job, I figured out that SELinux was interfering with some sensitive system calls. I had been running it in Permissive mode, under the illusion that I would come back and do what was needed to get it running under Enforcing. Fat chance. I disabled SELinux and ntop is singing.
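Before disabling SELinux outright, the usual move is to run in Permissive mode and read the AVC denials it records in the audit log, since each denial names the program, the operation and the file type it was blocked on. The function below is an added example, not from the post: it boils a set of audit records down to one line per distinct denial. The log lines are constructed for the example, and the `ntop_t` domain in them is a hypothetical label, not a real policy type.

```shell
#!/bin/sh
# Added example, not from the post: summarise SELinux AVC denials from audit
# records so a permissive-mode test run can be turned into a targeted policy
# fix instead of disabling SELinux. The sample records below are constructed;
# the ntop_t domain is a hypothetical label, not a type from any real policy.

# Read audit records on stdin; print "comm operations tclass target-type",
# one line per distinct denial. Uses basic regular expressions only.
summarize_avc() {
    grep 'type=AVC' | grep 'denied' | sed \
        -e 's/.*denied *{ *\([^}]*[^ }]\) *} *for .*comm="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \1 \4 \3/' \
    | sort -u
}

# Constructed audit records: the same directory write denied twice, and one
# denied capability, in the format the kernel audit subsystem uses.
SAMPLE_AUDIT='type=AVC msg=audit(1251470000.101:201): avc:  denied  { write } for  pid=2301 comm="ntop" name="rrd" dev=sda2 ino=4711 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=SYSCALL msg=audit(1251470000.101:201): arch=40000003 syscall=39 success=no exit=-13
type=AVC msg=audit(1251470000.102:202): avc:  denied  { write } for  pid=2301 comm="ntop" name="rrd" dev=sda2 ino=4711 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1251470000.900:203): avc:  denied  { net_raw } for  pid=2301 comm="ntop" capability=13 scontext=system_u:system_r:ntop_t:s0 tcontext=system_u:system_r:ntop_t:s0 tclass=capability'

# On a live CentOS 5 box the input would be /var/log/audit/audit.log instead.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
```

The two summary lines this produces (a directory write denied on a `var_lib_t` directory, and the `net_raw` capability a packet sniffer needs to open a raw socket) are exactly the facts a small local policy module has to grant; running the full log through `audit2allow` does the same job with the right syntax generated for you.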
Now I've got to figure out what all this data means.
