File: ntop.8

package info (click to toggle)
ntop 3:3.3-11
  • links: PTS
  • area: main
  • in suites: lenny
  • size: 12,772 kB
  • ctags: 7,534
  • sloc: ansic: 71,427; sh: 16,772; awk: 1,504; perl: 792; makefile: 782; php: 123; python: 23; sql: 13; sed: 11
file content (1305 lines) | stat: -rw-r--r-- 46,799 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
.\" This file Copyright 1998-2005 Luca Deri <deri@ntop.org>
.\"
.
.de It
.TP 1.2
.B "\\$1 "
..
.de It2
.TP 1.2
.B "\\$1 | \\$2"
..
.TH NTOP 8 "August 2005 (ntop 3.2)"
.SH NAME
ntop \- display top network users
.SH SYNOPSIS
.B ntop
.RB [ @filename ]
.RB [ -a | --access-log-file
.IR <path> ]
.RB [ -b | --disable-decoders ]
.RB [ -c | --sticky-hosts ]
.RB [ -e | --max-table-rows ]
.RB [ -f | --traffic-dump-file
.IR file> ]
.RB [ -g | --track-local-hosts ]
.RB [ -h | --help ]
.RB [ -j | --create-other-packets ]
.RB [ -l | --pcap-log 
.IR <path> ]
.RB [ -m | --local-subnets
.IR <addresses> ]
.RB [ -n | --numeric-ip-addresses ]
.RB [ -o | --no-mac ]
.RB [ -p | --protocols
.IR <list> ]
.RB [ -q | --create-suspicious-packets ]
.RB [ -r | --refresh-time 
.IR <number> ]
.RB [ -s | --no-promiscuous ]
.RB [ -t | --trace-level 
.IR <number> ]
.RB [ -x
.IR <max_num_hash_entries> ]
.RB [ -w | --http-server
.IR <port> ]
.RB [ -z | --disable-sessions ]
.RB [ -A | --set-admin-password
.IR "password" ]
.RB [ -B | --filter-expression
.IR "expression" ]
.RB [ -C 
.IR <config mode> ]
.RB [ -D | --domain 
.IR <name> ]
.RB [ -F | --flow-spec
.IR <specs> ]
.RB [ -M | --no-interface-merge ]
.RB [ -N | --wwn-map
.IR <path> ]
.RB [ -O | ----output-packet-path
.IR <path> ]
.RB [ -P | --db-file-path
.IR <path> ]
.RB [ -Q | --spool-file-path
.IR <path> ]
.RB [ -U | --mapper 
.IR <URL> ]
.RB [ -V | --version]
.RB [ -X
.IR <max_num_TCP_sessions> ]
.RB [ --disable-instantsessionpurge ]
.RB [ --disable-mutexextrainfo ]
.RB [ --disable-schedyield ]
.RB [ --disable-stopcap ]
.RB [ --fc-only ]
.RB [ --instance ]
.RB [ --no-fc ]
.RB [ --no-invalid-lun ]
.RB [ --p3p-cp ]
.RB [ --p3p-uri ]
.RB [ --skip-version-check ]
.RB [ --w3c ]
.RB [ -4 | --ipv4]
.RB [ -6 | --ipv6]

Unix options:

.RB [ -d | --daemon ]
.RB [ -i | --interface
.IR <name> ]
.RB [ -u | --user 
.IR <user> ]
.RB [ -K | --enable-debug ]
.RB [ -L ]
.RB [ --pcap_setnonblock ]
.RB [ --use-syslog=
.IR <facility> ]
.RB [ --webserver-queue
.IR <number> ]

Windows option:

.RB [ -i | --interface
.IR <number|name> ]

OpenSSL options:

.RB [ -W | --https-server
.IR <port> ]
.RB [ --ssl-watchdog ]

.SH DESCRIPTION
.B ntop
shows the current network usage. It displays a list of hosts that are
currently using the network and reports information concerning the (IP and non-IP) 
traffic generated and received by each host.
.B ntop
may operate as a front-end collector (sFlow and/or netFlow plugins) or as a stand-alone
collector/display program. A web browser is needed to access the information captured by the 
.B ntop
program. 

.B ntop
is a hybrid layer 2 / layer 3 network monitor, that is by default it uses the layer 2 Media
Access Control (MAC) addresses AND the layer 3 tcp/ip addresses.
.B ntop
is capable of associating the two, so that ip and non-ip traffic (e.g. arp, rarp) are combined
for a complete picture of network activity.

.PP
.SH "COMMAND\-LINE OPTIONS"

.It @filename
The text of 
.B filename
is copied - ignoring line breaks and comment lines (anything following a #) - into the
command line.
.B ntop
behaves as if all of the text had simply been typed directly on the command line.
For example, if the command line is "-t 3 @d -u ntop" and file d contains 
just the line '-d', then the effective command line is -t 3 -d -u ntop.  
Multiple @s are permitted. Nested @s (an @ inside the file) are not permitted.

Remember, most 
.B ntop 
options are "sticky", that is they just set an internal flag. Invoking 
them multiple times doesn't change 
.B ntop's 
behavior. However, options that set a value, such as --trace-level, will use the LAST value
given: --trace-level 2 --trace-level 3 will run as --trace-level 3.
 
Beginning with
.b ntop
3.1, many command-line options may also be set via the web browser interface.  These changes 
take effect on the next run of
.b ntop
and on each subsequent run until changed.


.It2 -a --access-log-file
By default 
.B ntop
does not maintain a log of HTTP requests to the internal web server. 
Use this parameter to request logging and to specify the location of the file where these
HTTP requests are logged.

Each log entry is in Apache-like style. 
The only difference between Apache and 
.B ntop
logs is that an additional column has been added which has the time (in milliseconds) that 
.B ntop 
needed to serve the request.
Log entries look like this:

.nf
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET / HTTP/1.1" 200 1489 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_top.html HTTP/1.1" 200 1854 4
192.168.1.1 - - [04/Sep/2003:20:38:55 -0500] - "GET /index_inner.html HTTP/1.1" 200 1441 7
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /index_left.html HTTP/1.1" 200 1356 4
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home_.html HTTP/1.1" 200 154/617 9
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /home.html HTTP/1.1" 200 1100/3195 10
192.168.1.1 - - [04/Sep/2003:20:38:56 -0500] - "GET /About.html HTTP/1.1" 200 2010 10
.fi 

This parameter is the complete file name of the access log.  In prior releases it was
erroneously called --access-log-path.

.It2 -b --disable-decoders
This parameter disables protocol decoders.

Protocol decoders examine and collect information about layer 2 protocols such as 
NetBIOS or Netware SAP, as well as about specific tcp/ip (layer 3) protocols, such as 
DNS, http and ftp.

This support is specifically coded for each protocol and is different from the 
capability to count raw information (packets and bytes) by protocol specified by the 
-p | --protocols parameter, below.

Decoding protocols is a significant consumer of resources. If the
.B ntop
host is underpowered or monitoring a very busy network, you may wish to disable
protocol decoding via this parameter.
It may also be appropriate to use this parameter if you believe that 
.B ntop
has problems handling some protocols that occur on your network.

Even if decoding is disabled, ftp-data traffic is still decoded to look for
passive ftp port commands.

.It2 -c --sticky-hosts
Use this parameter to prevent idle hosts from being purged from memory. 

By default idle hosts are periodically purged from memory. 
An idle host is identified when no packets from or to that host have been 
monitored for the period of time defined by the value of
PARM_HOST_PURGE_MINIMUM_IDLE in globals-defines.h.

If you use this option, all hosts - active and idle - are retained in
memory for the duration of the 
.B ntop
run.  

P2P users, port scans, popular web servers and other activity will cause
.B ntop
to record data about a large number of hosts.
On an active network, this will consume a significant - and always growing -
amount of memory.
It is strongly recommended that you use a filtering expression to limit the 
hosts which are stored if you use --sticky-hosts.

The idle purge is a statistical one - a random selection of the eligible
hosts will be purged during each cycle.  Thus it is possible on a busy system
for an idle host to remain in the
.B ntop
tables and appear 'active' for some considerable time after it is truly idle.

.It2 -d --daemon
This parameter causes ntop to become a daemon, i.e. a task which runs in the 
background without connection to a specific terminal.
To use
.B ntop
other than as a casual monitoring tool, you probably will want to use
this option.

.B WARNING:
If you are running as a daemon, the messages from
.B ntop 
will be 'printed' on to stdout and thus dropped.
You probably don't want to do this.  
So remember to also use the -L or --use-syslog options to save the
messages into the system log.

.It2 -e --max-table-rows
This defines the maximum number of lines that
.B ntop
will display on each generated HTML page. If there are more lines to be
displayed than this setting permits, only part of the data will be displayed.
There will be page forward/back arrows placed at the bottom of the page
for navigation between pages.

.It2 -f --traffic-dump-file
By default,
.B ntop
captures traffic from network interface cards (NICs) or from netFlow/sFlow
probes.  However, 
.B ntop
can also read data from a file - typically a tcpdump capture or the output from
one of the
.B ntop
packet capture options.

if you specify -f,
.B ntop
will not capture any traffic from NICs during or after the file has been read.
netFlow/sFlow capture - if enabled - would still be active.

This option is mostly used for debug purposes.

.It2 -g --track-local-hosts
By default,
.B ntop
tracks all hosts that it sees from packets captured on the various NICs.
Use this parameter to tell
.B ntop 
to capture data only about local hosts.  Local hosts are defined based on
the addresses of the NICs and those networks identified as local via the
-m | --local-subnets parameter.

This parameter is useful on large networks or those that see many hosts,
(e.g. a border router or gateway), where information about remote hosts is
not desired/required to be tracked.

.It2 -h --help
Print help information for 
.B ntop,
including usage and parameters.

.It2 -i --interface 
Specifies the network interface or interfaces to be used by
.B ntop
for network monitoring.

If multiple interfaces are used (this feature is available only if ntop is compiled with 
thread support) their names must be separated with a comma. For instance -i "eth0,lo".

If not specified, the default is the first Ethernet device, e.g. eth0.  The specific 
device that is 'first' is highly system dependent.  Especially on systems where the
device name reflects the driver name instead of the type of interface.

By default, traffic information obtained by all the interfaces is merged together as if 
the traffic was seen by only one interface. 
Use the -M parameter to keep traffic separate by interface.

If you do not want
.B ntop
to monitor any interfaces, use -i none.

Under Windows, the parameter value is either the number of the interface or its name, e.g.
{6252C14C-44C9-49D9-BF59-B2DC18C7B811}. 
Run 
.B ntop
-h to see a list of interface name-number mappings (at the end of the help information).

.It2 -j --create-other-packets
This parameter causes 
.B ntop
to create a dump file of the 'other' network traffic captured.
One file is created for each network interface where 
'other' packets are found. The file is in tcpdump (pcap) format and is named
<path>/ntop-other-pkts.<device>.pcap, where <path> is defined by the 
-O | --output-packet-path parameter.
This file is useful for understanding these unclassified packets.

.It2 -l --pcap-log
This parameter causes a dump file to be created of the network traffic captured by 
.B ntop
in tcpdump (pcap) format.  This file is useful for debug, and may be read back into 
.B ntop
by the -f | --traffic-dump-file parameter.  The dump is made after processing any
filter expression (
.b ntop
never even sees filtered packets).

The output file will be named 
.I <path>/<log>.<device>.pcap
(Windows: 
.I <path>/<log>.pcap
), where <path> is defined by the -O | --output-packet-path parameter and <log> is 
defined by this -l | --pcap-log parameter.

.It2 -m --local-subnets
.B ntop
determines the ip addresses and netmasks for each active interface.  Any traffic on
those networks is considered local.  This parameter allows the user to define additional
networks and subnetworks whose traffic is also considered local in
.B ntop
reports. All other hosts are considered remote.

Commas separate multiple network values.
Both netmask and CIDR notation may be used, even mixed together, for instance
"131.114.21.0/24,10.0.0.0/255.0.0.0".

The local subnet - as defined by the interface address(es) - is/are always local
and do not need to be specified.  If you do give the same value as a NIC's local
address, a harmless warning message is issued.

.It2 -n --numeric-ip-addresses
By default,
.B ntop
resolves IP addresses using a combination of active (explicit) DNS queries and 
passive sniffing.  Sniffing of DNS responses occurs when
.B ntop
receives a network packet containing the response to some other user's DNS query.
.B ntop
captures this information and enters it into 
.B ntop's
DNS cache, in expectation of shortly seeing traffic addressed to that host. This way
.B ntop
significantly reduces the number of DNS queries it makes.

This parameter causes
.B ntop
to skip DNS resolution, showing only numeric IP addresses instead of the symbolic
names.
This option can useful when the DNS is not present or quite slow.

.It2 -o --no-mac
.B ntop
is a hybrid layer 2/3 network monitor.  That is, it uses both the lower level, physical
device address - the MAC (Media Access Control) address - and the higher level,
logical, tcp/ip address (the familiar www.ntop.org or 131.114.21.9 address).  
This allows 
.B ntop 
to link the logical addresses to a physical machine with multiple addresses
(This occurs with virtual hosts or additional addresses assigned to the interface, etc.)
to present consolidated reporting.

This parameter specifies that
.B ntop
should not trust the MAC addresses but just use the IP addresses. 

Normally, since the MAC address must be globally unique, the dual nature of
.B ntop 
is a benefit and provides far better information about the network than is available via
a pure layer 2 or pure layer 3 monitor.

Under certain circumstances - whenever 
.B ntop
is started on an interface where MAC addresses cannot be really trusted - you may
require this option.

Situations which may require this option include port/VLAN mirror, some cases with
switches and spanning tree protocol, and (reportedly) some specific models of Ethernet
switches which re-write MAC addresses of the packets they process.
Normally, you discover that this option is necessary when you observe that hosts seem
to change their addresses or information about different machines get lumped together.

Note that with this option, information which is dependent upon the MAC 
addresses (non tcp/ip protocols like IPX) will not be collected nor displayed.

.It2 -p --protocols
This parameter is used to specify the TCP/UDP protocols that
.B ntop
will monitor. The format is <label>=<protocol list> [, <label>=<protocol list>], where
label is used to symbolically identify the <protocol list>. The format of <protocol list>
is <protocol>[|<protocol>], where <protocol> is either a valid protocol specified inside the
/etc/services file or a numeric port range (e.g. 80, or 6000-6500). 

A simple example is --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data", which
reduces the protocols displayed on the "IP" pages to three:

.nf
Host                      Domain Data          HTTP   FTP   Other IP
ns2.attbi.com             <flag>  954 63.9 %      0     0        954
64.124.83.112.akamai.com  <flag>  240 16.1 %    240     0          0
64.124.83.99.akamai.com   <flag>  240 16.1 %    240     0          0
toolbarqueries.google.com <flag>   60 4.0 %      60     0          0
.fi

If the <protocol list> is very long you may store it in a file (for instance protocol.list).
To do so, specify the file name instead of the <protocol list> on the command line.  e.g.
.B ntop -p protocol.list

If the -p parameter is omitted the following default value is used: 

.nf
  FTP=ftp|ftp-data
  HTTP=http|www|https|3128     3128 is Squid, the HTTP cache
  DNS=name|domain
  Telnet=telnet|login
  NBios-IP=netbios-ns|netbios-dgm|netbios-ssn
  Mail=pop-2|pop-3|pop3|kpop|smtp|imap|imap2
  DHCP-BOOTP=67-68
  SNMP=snmp|snmp-trap
  NNTP=nntp
  NFS=mount|pcnfs|bwnfs|nfsd|nfsd-status
  X11=6000-6010
  SSH=22

  Peer-to-Peer Protocols
  ----------------------
  Gnutella=6346|6347|6348
  Kazaa=1214
  WinMX=6699|7730
  DirectConnect=0      Dummy port as this is a pure P2P protocol
  eDonkey=4661-4665

  Instant Messenger
  -----------------
  Messenger=1863|5000|5001|5190-5193
.fi

NOTE: To resolve protocol names to port numbers, they must be specified in
the system file used to list tcp/udp protocols and ports, which is typically
/etc/services file.  You will have to match the names in that file, exactly.  
Missing or unspecified (non-standard) ports must be specified by number, such
as 3128 in our examples above.

If you have a file named /etc/protocols, don't get confused by it, as that's
the Ethernet protocol numbers, which are not what you're looking for.

.It2 -q --create-suspicious-packets
This parameter tells 
.B ntop 
to create a dump file of suspicious packets.

There are many, many, things that cause a packet to be labeled as 'suspicious', including:

.nf
  Detected ICMP fragment
  Detected Land Attack against host
  Detected overlapping/tiny packet fragment
  Detected traffic on a diagnostic port
  Host performed ACK/FIN/NULL scan
  Host rejected TCP session
  HTTP/FTP/SMTP/SSH detected at wrong port
  Malformed TCP/UDP/ICMP packet (packet too short)
  Packet # %u too long
  Received a ICMP protocol Unreachable from host
  Sent ICMP Administratively Prohibited packet to host
  Smurf packet detected for host
  TCP connection with no data exchanged
  TCP session reset without completing 3-way handshake
  Two MAC addresses found for the same IP address
  UDP data to a closed port
  Unknown protocol (no HTTP/FTP/SMTP/SSH) detected (on port 80/21/25/22)
  Unusual ICMP options
.fi

When this parameter is used, one file is created for each network interface where 
suspicious packets are found. The file is in tcpdump (pcap) format and is named
<path>/ntop-suspicious-pkts.<device>.pcap, where <path> is defined by the 
-O | --output-packet-path parameter.

.It2 -r --refresh-time
Specifies the delay (in seconds) between automatic screen updates for those
generated HTML pages which support them.  This parameter allows you to leave
your browser window open and have it always displaying nearly real-time data from
.B ntop.

The default is 3 seconds.  Please note that if the delay is very short (1 second 
for instance), 
.B ntop 
might not be able to process all of the network traffic.

.It2 -s --no-promiscuous
Use this parameter to prevent 
.b ntop
from setting the interface(s) into promiscuous mode.

An interface in promiscuous mode will accept ALL Ethernet frames, regardless of
whether they directed (addressed) to the specific network interface (NIC) or not.
This is an essential part of enabling
.B ntop
to monitor an entire network.  (Without promiscuous mode, 
.B ntop
will only see traffic directed to the specific host it is running on, plus
broadcast traffic such as the arp and dhcp protocols.

Even if you use this parameter, the interface could well be in promiscuous mode if
another application enabled it.

.B ntop
passes this setting on to libpcap, the packet capture library.  On many systems, 
a non-promiscuous open of the network interface will fail, 
since the libpcap function on most systems require it to capture raw packets
(
.B ntop
captures raw packets so that we may view and analyze the layer 2 - MAC - information).

Thus on most systems,
.B ntop
must probably still be started as root, and this option is largely ornamental.  If
it fails, you will see a ***FATALERROR*** message referring to pcap_open_live() and
then an information message, "Sorry, but on this system, even with -s, it appears 
that ntop must be started as root".

.It2 -t --trace-level
This parameter specifies the 'information' level of messages that you wish
.B ntop
to display (on stdout or to the log).
The higher the trace level number the more information that is displayed.
The trace level ranges between 0 (no trace) and 5 (full debug tracings).

The default trace value is 3. 

Trace level 0 is not quite zero messages. Fatal errors and certain startup/shutdown
messages are always displayed.
Trace level 1 is used to display errors only, level 2 for both errors and warnings, and
level 3 displays error, warning and informational messages.

Trace level 4 is called 'noisy' and it is - generating many messages about the internal
functioning of 
.B ntop.
Trace level 5 and above are 'noisy' plus extra logs, i.e. all possible messages, with a 
file:line tag prepended to every message.

.It2 -u --user
Specifies the user
.B ntop
should run as after it initializes.

.B ntop
must normally be started as root so that it has sufficient privileges to open the
network interfaces in promiscuous mode and to receive raw frames.
See the discussion of -s | --no-promiscuous above, if you wish to try starting
.B ntop
as a non-root user.

Shortly after starting up, 
.B ntop
becomes the user you specify here, which normally has substantially reduced privileges,
such as no login shell.  This is the userid which owns
.B ntop's
database and output files.

The value specified may be either a username or a numeric user id.
The group id used will be the primary group of the user specified.

If this parameter is not specified, ntop will try to switch first to 'nobody' and then 
to 'anonymous' before giving up.

NOTE: This should not be root unless you really understand the security risks. In order
to prevent this by accident, the only way to run 
.B ntop
as root is to explicitly specify -u root.
.B Don't do it.

.It -x
.It -X 
.B ntop
creates a new hash/list entry for each new host/TCP session seen. In case of DOS (Denial Of Service) an attacker can easily exhaust all the host available memory because ntop is creating entries for dummy hosts. In order to avoid this you can set an upper limit in order to limit the memory ntop can use.

.It2 -w --http-server
.It2 -W --https-server
.B ntop
offers an embedded web server to present the information that has been so painstakingly
gathered. 
An external HTTP server is NOT required NOR supported.  The
.B ntop
web server is embedded into the application.
These parameters specify the port (and optionally the address (i.e. interface))
of the
.B ntop
web server.

For example, if started with -w 3000 (the default port), the URL to access 
.B ntop
is http://hostname:3000/.  If started with a full specification, e.g. -w 192.168.1.1:3000,
.B ntop
listens on only that address/port combination.

If -w is set to 0 the web server will not listen for http:// connections.

-W operates similarly, but controls the port for the https:// connections.

Some examples:

.B ntop -w 3000 -W 0 
(this is the default setting) HTTP requests on port 3000 and no HTTPS.
 
.B ntop -w 80 -W 443 
Both HTTP and HTTPS have been enabled on their most common ports.
 
.B ntop -w 0 -W 443 
HTTP disabled, HTTPS enabled on the common port.

Certain sensitive, configuration pages of the
.B ntop
web server are protected by a userid/password.  By default, these are the
user/URL administration, filter, shutdown and reset stats are password protected
 and are accessible initially only to user 
.B admin
with a password set during the first run of 
.B ntop.

Users can modify/add/delete users/URLs using ntop itself - see the Admin tab.

The passwords, userids and URLs to protect with passwords are stored in a database file.
Passwords are stored in an encrypted form in the database for further security.  Best
practices call for securing that database so that only the 
.B ntop
user can read it.

There is a discussion in docs/FAQ about further securing the
.B ntop
environment.

.It2 -z --disable-sessions
This parameter disables TCP session tracking. 
Use it for better performance or when you don't really need/care to track sessions.

.It2 -A --set-admin-password
This parameter is used to start 
.B ntop
, set the admin password and quit. It is quite useful for installers that need 
to automatically set the password for the admin user.

-A and --set-admin-password (without a value) will prompt the user for the password.

You may also use this parameter to set a specific value using --set-admin-password=value.  
.B The = is REQUIRED and no spaces are permitted!

If you attempt to run
.B ntop
as a daemon without setting a password, a FATAL ERROR message is generated and
.B ntop
stops.

.It2 -B --filter-expression
Filters allows the user to restrict the traffic seen by
.B ntop
on just about any imaginable item.

The filter expression is set at run time by this parameter, but it may be
changed during the
.B ntop
run on the Admin | Change Filter web page.

The basic format is
.B -B "filter"
, where the quotes are 
.B REQUIRED
.

The syntax of the filter expression uses the same BPF (Berkeley Packet Filter) 
expressions used by other packages such as tcpdump

For instance, suppose you
are interested only in the traffic generated/received by the host jake.unipi.it. 
.B ntop
can then be started with the following filter: 

.B ntop -B "src host jake.unipi.it or dst host jake.unipi.it"

or in shorthand:

.B ntop -B "host jake.unipi.it or host jake.unipi.it"

See the 'expression' section of the
.B tcpdump
man page - usually available at http://www.tcpdump.org/tcpdump_man.html - for 
further information and the best quick guide to BPF filters currently available.

WARNING: If you are using complex filter expressions, especially those with =s
or meaningful spaces in them, be sure and use the long option format,
--filter-expression="xxxx" and not -B "xxxx".


.It2 -C
This instruments ntop to be used in two configurations: host and network mode. In host mode (default) ntop works as usual: the IP addresses received are those of real hosts. In host mode the IP addresses received are those of the C-class network to which the address belongs. Using ntop in network mode is extremely useful when installed in a traffic exchange (e.g. in the middle of the Internet) whereas the host mode should be used when ntop is installed on the edge of a network (e.g. inside a company). The network mode significantly reduces the amount of work ntop has to perform and it has to be used whenever ntop is used to find out how the network traffic flows and not to pin-point specific hosts.


.It2 -D --domain
This identifies the local domain suffix, e.g. ntop.org.  It may be necessary, if
.B ntop
is having difficulty determining it from the interface.

.It2 -F --flow-spec
It is used to specify network flows similar to more powerful applications such as NeTraMet. 
A flow is a stream of captured packets that match a specified rule. The format is 

.B "<flow-label>='<matching expression>'[,<flow-label>='<matching expression>']"

, where the label is used to symbolically identify the flow specified by the expression. 
The expression is a bpf (Berkeley Packet Filter) expression. If an expression is specified, then 
the information concerning flows can be accessed following the HTML link named 'List NetFlows'.

For instance define two flows with the following expression 
.B "LucaHosts='host jake.unipi.it or host pisanino.unipi.it',GatewayRoutedPkts='gateway gateway.unipi.it'".

All the traffic sent/received by hosts jake.unipi.it or pisanino.unipi.it is collected by
.B ntop
and added to the LucaHosts flow, whereas all the packet routed by the gateway gateway.unipi.it 
are added to the GatewayRoutedPkts flow. If the flows list is very long you may store in a 
file (for instance flows.list) and specify the file name instead of the actual flows list 
(in the above example, this would be 'ntop -F flows.list').

Note that the double quotations around the entire flow expression are required.

.It2 -K --enable-debug
Use this parameter to simplify application debug.  It does three things:
1. Does not fork() on the "read only" html pages.
2. Displays mutex values on the configuration (info.html) page.
3. (If available - glibc/gcc) Activates an automated backtrace on application errors.

.It2 -L --use-syslog=facility
Use this parameter to send log messages to the system log instead of stdout.

-L and the simple form --use-syslog use the default log facility, defined as 
LOG_DAEMON in the #define symbol DEFAULT_SYSLOG_FACILITY in globals-defines.h.

The complex form, --use-syslog=facility will set the log facility to whatever
value (e.g. local3, security) you specify.
.B The = is REQUIRED and no spaces are allowed!

This setting applies both to
.B ntop
and to any child fork()ed for reporting.  If this parameter is not specified, any
fork()ed child will use the default value and will log it's messages to the
system log (this occurs because the fork()ed child must give up it's access
to the parents stdout).

Because various systems do not make the permissible names available, we have
a table at the end of globals-core.c.  Look for myFacilityNames.

.It2 -M --no-interface-merge
By default,
.B ntop 
merges the data collected from all of the interfaces (NICs) it is monitoring into a
single set of counters. 

If you have a simple network, say a small LAN with a connection to the Internet, 
merging data is good as it gives you a better picture of the whole network.
For larger, more complex networks, this may not be desirable.
You may also have other reasons for wishing to monitor each interface separately,
for example DMZ vs. LAN traffic.

This option instructs
.B ntop
not to merge network interfaces together. This means that 
.B ntop 
will collect statistics for each interface and report them separately.

Only ONE interface may be reported on at a time - use the
.B Admin | Switch NIC 
option on the web server to select which interface to report upon.

Note that activating either the netFlow and/or sFlow plugins will force the
setting of -M.  Once enabled, you cannot go back.

.It2 -N --wwn-map
This options names the file providing the map of WWN to FCID/VSAN ids.

.It2 -O --output-packet-path
This parameter defines the base path for the ntop-suspicious-pkts.XXX.pcap and 
normal packet dump files.

If this parameter is not specified, the default value is the config.h parameter
CFG_DBFILE_DIR, which is set during ./configure from the --localstatedir= parameter.
If --localstatedir is not specified, it defaults to the --prefix value plus /var
(e.g. /usr/local/var).

Be aware that this may not be what you expect when running
.B ntop
as a daemon or Windows service. Setting an explicit and absolute path value is
.B STRONGLY
recommended if you use this facility.

.It2 -P --db-file-path
.It2 -Q --spool-file-path
These parameters specify where 
.B ntop
stores database files.

There are two types, 'temporary' - that is ones which need not be retained
from
.B ntop
run to
.B ntop
run, and 'permanent', which must be retained (or recreated).

The 'permanent' databases are the preferences, "prefsCache.db" and the password
file, "ntop_pw.db".  These are stored in the -P | --db-file-path specified location.

Certain plugins use the -P | --db-file-path specified location for their database
("LsWatch.db") or (as a default value) for files (.../rrd/...).

The 'temporary' databases are the address queue, "addressQueue.db", the cached DNS
resolutions, "dnsCache.db" and the MAC prefix (vendor table), "macPrefix.db".

If only -P | --db-file-path is specified, it is used for both types of databases.

The directories named must allow read/write and
file creation by the
.B ntop
user.  For security, nobody else should have even read access to these files.

Note that the default value is the config.h parameter CFG_DBFILE_DIR.
This is set during ./configure from the --localstatedir= parameter.
If --localstatedir is not specified, it defaults to the --prefix value plus /var
(e.g. /usr/local/var).

This may not be what you expect when running
.B ntop
as a daemon or Windows service.

Note that on versions of
.B ntop
prior to 2.3, these parameters defaulted to "." (the current working directory, e.g.
the value returned by the pwd command) and caused havoc as it was different when
.B ntop
was run from the command line, vs. run via cron, vs. run from an initialization
script.

Setting an explicit and absolute path value is
.B STRONGLY
recommended.

.It2 -U --mapper
Specifies the URL of the mapper.pl utility.

If provided, 
.B ntop
creates a clickable hyperlink on the 'Info about host xxxxxx' page to this URL by appending 
?host=xxxxx.
Any type of host lookup could be performed, but this is intended to lookup the geographical
location of the host.

A cgi-based mapper interface to http://www.multimap.com is part of the 
.B ntop 
distribution [see www/Perl/mapper.pl]).

.It2 -V --version
Prints 
.B ntop 
version information and then exits.

.It2 -W --https-server
(See the joint documentation with the -w parameter, above)

.It --disable-instantsessionpurge
.B ntop
sets completed sessions as 'timed out' and then purge them almost instantly, which is
not the behavior you might expect from the discussions about purge timeouts.  This switch
makes ntop respect the timeouts for completed sessions.  It is NOT the default because
a busy web server may have 100s or 1000s of completed sessions and this would significantly
increase the amount of memory
.B ntop
uses.

.It --disable-mutexextrainfo
.B ntop
stores extra information about the locks and unlocks of the protective mutexes it uses. Since
.B ntop
uses fine-grained locking, this information is updated frequently.  On some OSes, the system
calls used to collect this information (getpid() and gettimeofday()) are expensive.  This option
disables the extra information.  It should have no processing impact on
.B ntop
 - however should
.B ntop
actually deadlock, we would lose the information that sometimes tells us why.

.It --disable-schedyield
.B ntop
uses sched_yield() calls for better interactive performance.  Under some situations, primarily
under RedHat Linux 8.0, this can deadlock, causing the 
.B ntop
web server to stop responding, although
.B ntop
appears to still be operational according to the ps command. Use this switch to disable
these calls, IF you are seeing deadlocks.

.It --disable-stopcap
Return 
.B ntop 
to the old (v2.1) behavior on a memory error.  
The default of stopcap enabled makes the web interface available albeit with static 
content until 
.B ntop
is shutdown.

.It --fc-only 

Display only Fibre Channel statistics.

.It --instance

You can run multiple instances of
.B ntop
simultaneously by specifying different -P values (typically through
separate ntop.conf files).  If you set a value for this parameter (available only on the command
line), you (1) display the 'instance' name on every web page and (2) alter the log prefix from "NTOP"
to your chosen value.

If you want to make the tag more obvious, create a .instance class in style.css, e.g.:

   .instance {
     color: #666666;
     font-size: 18pt;
   }

Note (UNIX): To run completely different versions of the
.B ntop
binary, you need to compile and install into a different library (using ./configure --prefix)
and then specify the LD_LIBRARY_PATH before invoking, e.g.

LD_LIBRARY_PATH=/devel/lib/ntop/:... /devel/bin/ntop ...args...

If present, a file of the form <instance>_ntop_logo.gif will be used instead of the normal
ntop_logo.gif.  This is tested for ONLY once, at the beginning of the
.b ntop
run.  The EXACT word(s) of the --instance flag are used, without testing if they make a 
proper file name.  If - for any reason - the file is not found, an informational message 
is logged and the normal logo file is used.  To construct your own logo, make it a 300x40
transparent gif.

NOTE: On the web pages, 
.B ntop 
uses the dladdr() function.  The original Solaris routine had a bug, replicated in
FreeBSD (and possibly other places) where it uses the ARGV[0] value - which might be
erroneous - instead of the actual file name.  If the 'running from' value looks bogus but
the 'libraries in' value looks OK, go with the library.

.It --no-fc 

Disable processing & Display of Fibre Channel

.It --no-invalid-lun 

Don't display Invalid LUN information.

.It --p3p-cp 
.It --p3p-uri 

P3P is a W3C recommendation - http://www.w3.org/TR/P3P/ - for specifying
personal information a site collects and what it does with the information.
These parameters allow 
.b ntop
to return P3P information.  We do not supply samples.

.It --pcap_setnonblock
On some platforms, the 
.B ntop 
web server will hang or appear to hang (it actually just responds incredibly
slowly to the first request from a browser session), while the rest of
.B ntop
runs just fine. This is known to be an issue under FreeBSD 4.x.

This option sets the non-blocking 
option (assuming it's available in the version of libpcap that is installed).

While this works around the problem (by turning an interrupt driven process into 
a poll), it also MAY significantly increase the CPU usage of
.B ntop.
Although it does not actually interfere with other work, seeing
.B ntop
use 80-90% or more of the cpu is not uncommon - don't say we didn't warn you.

.B THIS OPTION IS OFFICIALLY UNSUPPORTED
and used at your own risk.  Read the docs/FAQ write-up.

.It --skip-version-check
By default,
.B ntop
accesses a remote file to periodically check if the most current version is running.
This option disables that check.  Please review the privacy notice at the bottom of
this page for more information.
By default, the recheck period is slightly more than 15 days.  This can be adjusted
via a constant in globals-defines.h.  If the result of the initial check indicates that
the
.B ntop
version is a 'new development' version (that is newer than the latest published
development version), the recheck is disabled.  This is because which fixes and
enhancements were present/absent from the code.

NOTE: At present, the recheck does not work under Windows.

.It --ssl-watchdog 

Enable a watchdog for 
.b ntop 
webserver hangs. These usually happen when connecting with older browsers. The user 
gets nothing back and other users can't connect. Internally, packet processing continues
but there is no way to access the data through the web server or shutdown ntop cleanly. 
With the watchdog, a timeout occurs after 3 seconds, and processing continues with a 
log message. Unfortunately, the user sees nothing - it just looks like a failed 
connection. (also available as a ./configure option, --enable-sslwatchdog) 
 
.It --w3c
By default,
.B ntop
generates displayable but not great html.  There are a number of tags we do not 
generate because they cause problems with older browsers which are still commonly
used or are important to look good on real-world browsers.
This flag tells
.B ntop
to generate 'BETTER' (but not perfect) w3c compliant html 4.01 output. This in no 
way addresses all of the compatibility and markup issues.  Over time, we would like
to make 
.B ntop
more compatible, but it will never be 100%.  If you find any issues, please report
them to ntop-dev.

.It2 -4 --ipv4
Use IPv4 connections.

.It2  -6 --ipv6
Use IPv6 connections

.SH "WEB VIEWS"
While
.B ntop
is running, multiple users can access the traffic information using their web browsers.
.B ntop
does not generate 'fancy' or 'complex' html, although it does use frames, shallowly nested
tables and makes some use of JavaScript and Cascading Style Sheets.

Beginning with release 3.1, the menus are cascading dropdowns via JSCookMenu.  With release
3.2, this extends to plugins.

We do not expect problems with any current web browser, but our ability to test with less 
common ones is very limited.  Testing has included Firefox and Internet Explorer, with 
very limited testing on other current common browsers such as Opera.

In documentation and this man page, when we refer to a page such as Admin | Switch NIC, we
mean the Broad category "Admin" and the detailed item "Switch NIC" on that Admin menu.

.SH NOTES
.B ntop
requires a number of external tools and libraries to operate.
Certain other tools are optional, but add to the program's capabilities.

.It --webserver-queue
Specifies the maximum number of web server requests for the tcp/ip stack to retain in
it's queue awaiting delivery to the
.B ntop
web server.  Requests in excess of this queue may be dropped (allowing for retransmission) or
rejected at the tcp/ip stack level, depending upon the OS.
Whatever happens, happens at the OS level, without any information being delivered to 
.B ntop

Required libraries include:

.B libpcap
from http://www.tcpdump.org/, version 0.7.2 or newer. 0.8.3 or newer is strongly 
recommended.

The Windows version makes use of
.B WinPcap
(libpcap for Windows) which may be downloaded from 
http://winpcap.polito.it/install/default.htm.

WARNING: The 2.x releases of
.B WinPcap
will NOT support SMP machines.
.

.B gdbm
from http://www.gnu.org/software/gdbm/gdbm.html
.

.B ntop
requires a POSIX threads library. As of 
.B ntop
3.2, the single-threaded version of 
.B ntop
is no longer available.
.

The
.B gd
2.x library, for the creation of png files, available at
http://www.boutell.com/gd/. 

The
.B libpng
1.2.x library, for the creation of png files, available at 
http://www.libpng.org/pub/png/libpng.html.

.B ntop 
should support both gd 1.X and libpng 1.0.x libraries but this has not been tested.
Note that there are incompatibilities if you compile with one version of these libraries
and then run with the other.  Please read the discussion in docs/FAQ before reporting ANY 
problems of this nature.
.

(if an https:// server is desired)
.B openSSL
from the OpenSSL project available at http://www.openssl.org.
.

The
.B rrdtool
library is required by the rrd plugin.  rrdtool creates 'Round-Robin databases' which are
used to store and graph historical data in a format that permits long duration retention
without growing larger over time.
The rrdtool home page is http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

.B ntop
includes a limited version of rrdtool 1.0.49 in the myrrd/ directory.  Users of
.B ntop 
3.2 should not need to specifically install rrdtool.
.

The 
.B sflow
Plugin is courtesy of and supported by InMon Corporation, http://www.inmon.com/sflowTools.htm.
.

There are other optional libraries.  See the output of ./configure for a fuller listing. 
.

Tool locations are current as of August 2005 - please send email to 
report new locations or dead links.

.SH "SEE ALSO"
.BR top (1),
.BR tcpdump (8).
.BR pcap (3).
.
.

.SH PRIVACY NOTICE
By default at startup and at periodic intervals, the 
.B ntop
program will retrieve a file containing current ntop program version information.
Retrieving this file allows this 
.B ntop
instance to confirm that it is running the most current version.

The retrieval is done using standard http:// requests, which will create log 
records on the hosting system.  These log records do contain information which 
identifies a specific 
.B ntop
site.  Accordingly, you are being notified that this individually identifiable
information is being transmitted and recorded.

You may request - via the 
.B --skip-version-check
run-time option - that this check be eliminated.  If you use this option, no 
individually identifiable information is transmitted or recorded, because the
entire retrieval and check is skipped.

We ask you to allow this retrieval and check, because it benefits both you and the 
.B ntop
developers.  It benefits you because you will be automatically notified
if the 
.B ntop
program version is obsolete, becomes unsupported or is no longer current.
It benefits the developers of 
.B ntop
because it allows us to determine the number of active 
.B ntop
instances, and the operating system/versions that users are running
.B ntop
under.  This allows us to focus development resources on systems like those our 
users are using 
.B ntop
on.

The individually identifiable information is contained in the web server log 
records which are automatically created each time the version file is retrieved.
This is a function of the web server and not of 
.B ntop
, but we do take advantage of it.
The log record shows the IP address of the requestor (the 
.B ntop
instance) and a User-Agent header field.  We place information in the User-Agent 
header as follows:

    ntop/<version> 
    host/<name from config.guess>
    distro/<if one>
    release/<of the distro, also if one> 
    kernrlse/<kernel version or release> 
    GCC/<version>
    config() <condensed parameters from ./configure>
    run()    <condensed flags - no data - from the execution line>
    libpcap/<version>
    gdbm/<version>
    openssl/<version>
    zlib/<version>
    access/<http, https, both or none>
    interfaces() <given interface names>

For example:

    ntop/2.2.98 host/i686-pc-linux-gnu distro/redhat release/9 kernrlse/2.4.20-8smp
    GCC/3.2.2 config(i18n) run(i; u; P; w; t; logextra; m; instantsessionpurge; 
    schedyield; d; usesyslog=; t) gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4
    access/http interfaces(eth0,eth1)

Distro and release information is determined at compile time and consists of 
information typically found in the /etc/release (or similar) file. See the
.B ntop
tool linuxrelease for how this is determined.

gcc compiler version (if available) is the internal version #s for the gcc
compiler, e.g. 3.2.3.

kernrlse is the Linux Kernel version or the xBSD 'release' such as 4.9-RELEASE
and is determined from the uname data (if it's available).

The ./configure parameters are stripped of directory paths, leading -s, etc. to
create a short form that shows us what ./configure parameters people are using.

Similarly, the run time parameters are stripped of data and paths, just showing
which flags are being used.

The libpcap, gdbm, openssl and zlib versions come from the strings returned by the various
inquiry functions (if they're available).

Here's a sample log record:

67.xxx.xxx.xxx - - [28/Dec/2003:12:11:46 -0500] "GET /version.xml HTTP/1.0"
  200 1568 www.burtonstrauss.com "-" "ntop/2.2.98 host/i686-pc-linux-gnu
  distro/redhat release/9 kernrlse/2.4.20-8smp GCC/3.2.2 config(i18n)
  run(i; u; P; w; t; logextra; m; instantsessionpurge; schedyield; d;
  usesyslog=) libpcap/0.8 gdbm/1.8.0 openssl/0.9.7a zlib/1.1.4 access/http
  interfaces(eth0,eth1,eth2)" "-"

.SH USER SUPPORT
Please send bug reports to the ntop-dev <ntop-dev@ntop.org> mailing list. The
ntop <ntop@ntop.org> mailing list is used for discussing ntop usage issues. In
order to post messages on the lists a (free) subscription is required 
to limit/avoid spam. Please do NOT contact the author directly unless this is
a personal question.

Commercial support is available upon request. Please see the ntop site for further info.

Please send code patches to <patch@ntop.org>.

.SH AUTHOR
ntop's author is Luca Deri (http://luca.ntop.org/) who can be reached at <deri@ntop.org>.

.SH LICENCE
ntop is distributed under the GNU GPL licence (http://www.gnu.org/).

.SH ACKNOWLEDGMENTS
The author acknowledges the Centro Serra of the University of Pisa, Italy (http://www-serra.unipi.it/) for
hosting the ntop sites (both web and mailing lists), and Burton Strauss
<burton@ntopsupport.com> for his help and user assistance. Many thanks to Stefano
Suin <stefano@ntop.org> and Rocco Carbone <rocco@ntop.org> for contributing to
the project.