Manpage of INTOP

INTOP

Section: User Commands (1)

NAME

intop - A (tiny) network-browser program based on the NTOP Packet Sniffer and the LBNL libpcap.

SYNOPSIS

intop [-h]

intop [-i interface] [[-i interface]] [filter expression]

COMMAND LINE OPTIONS

-i Specifies the network interface used by intop. If multiple interfaces are used, the -i flag has to be repeated for each interface, for instance '-i eth0 -i lo'.

intop can then be started with a BPF filter (for instance 'intop src host jake.unipi.it or dst host jake.unipi.it'). See the tcpdump man page for further information about this topic.

DESCRIPTION

intop provides a powerful and flexible interface to the ntop packet sniffer. Since ntop has grown so much in functionality that it can no longer simply be considered a network browser, the problem of capturing and showing network usage has been split. As of version 1.3 the NTOP engine captures packets, performs traffic analysis and stores the information.

intop implements a bare, command line based interface, with an apparently spartan look and feel, but with a lot of functionality already implemented and more planned for future releases.

Current functionality includes:

full dynamic network behaviour
You can, for example, open a network interface, then start looking at packets, play with traffic, hosts and network usage or look at per-host information. Then you can suspend the packet sniffer for the given network interface and go and have a coffee. When you have finished and you're back at your keyboard, a simple command is sufficient to restart the process of packet capturing.
multi-interface support
You can simultaneously activate different packet capturing activities on different network interfaces, and have a look at each of them separately.

INTRODUCTION TO THE COMMAND SHELL

Once you have started the program, you are prompted by a shell where you type commands. Usually you will want to open a network interface and start looking at network packets.

To open a network interface on your system, you must use the program's open command:

open -i <interface name>

where <interface name> is a network device suitable for packet capturing.

You should now see the command prompt change to reflect the name of the current network interface. If you are unsure which network interface names are available on your system, you can always list all available network interfaces with the lsdev command.

After the open command completes successfully, you have a network interface open for packet capturing, though capturing does not really start until the sniff command has been issued.

USABILITY

intop uses the GNU Readline library for history and command line completion.

Because intop has been designed and implemented with an emphasis on usability, you can start playing with intop by typing the sniff command and using the '-i' flag to specify a network interface. The program keeps an internal notion of the status of each interface, so it is able to decide which operations are needed to satisfy the user's command. In the latter case the network interface is first opened and then enabled for packet sniffing.

intop claims to offer the user a common interface, independent of the specific command. So, for example, each command has its own help usage string (you can display it using the '-h' flag) and supports command line arguments, in the same way most Unix commands do.

Moreover, to avoid typing and increase usability, each command acts on the latest referenced network interface, unless the -i flag is used.

COMMAND REFERENCE

help
The first command to know is help. If you just type
help

from the command shell, the program prints the names of all of the supported commands. From there, you can get specific help for a command by typing the command name after help, for example:
help open

prints information about the open command.

?
This is an alias for the help command.

arp
Queries the ntop ARP cache and displays host information according to the user's filter.

close
Close a network interface.

exit
This is an alias for the quit command.

filter
Gets/sets the BPF filter associated with a network interface.

history
Shows the command history.

hosts
Queries the ntop HOST cache and displays host information according to the user's filter.

info
Displays detailed information about the current state of a network interface.

lsdev
Displays the list of network interfaces on your system available for use with the program.

nbt
Queries the ntop NBT (NetBIOS over TCP/IP) cache and displays host information according to the user's filter.

open
Opens a network interface to look at packets on the given network interface.

prompt
On terminals supporting ANSI colors, it changes the color of the prompt.

quit
Terminates the program.

sniff
Enables packet capture on the given network interface.

swap
Swaps the latest two referenced network interfaces (if any). Useful if you have more than one active interface and want to change your point of view.

top
Shows network usage, similar to what the popular top Unix command does. See the next section for a list of the interactive commands available while running in interactive mode.

uptime
Tells how long the program has been running and gives general information about all enabled network interfaces.

INTERACTIVE COMMANDS

While intop is running interactively, the information shown can be manipulated by pressing the following keys.

q This causes intop to quit.

n This causes intop to toggle the host address format (numeric vs. symbolic vs. MAC address vs. network board manufacturer).

p This causes intop to toggle the traffic format (percentage vs. absolute vs. throughput).

l This causes intop to toggle the host list content (local vs. remote hosts).

d This causes intop to toggle the host list content (idle vs. active hosts).

t This causes intop to sort hosts according to the data received or sent.

y This causes intop to sort traffic according to the various protocols being displayed in the current screen.

<space> This causes intop to show further traffic information. Each time the space bar is pressed the last three intop columns are toggled. Please note that these columns represent either the traffic sent or received, according to the way the list is sorted (see previous command).

FIELD DESCRIPTIONS (Interactive mode)

intop displays a variety of information about the network traffic.

"traffic/throughput" This line displays general information about the network traffic: the number of packets that have been seen, the total traffic (IP or non-IP), the current and the maximum observed throughput. Please note that if a filter expression is used, these values are relative only to the traffic that satisfies the filter expression.

Host This column contains the host name in either symbolic or numeric format.

Act This column contains further information about the host activity since the last screen update. The value 'B' (both) indicates that the host has both sent and received data, 'R' (receive) that the host has received but not sent data, 'S' (sent) that the host has sent but not received data, 'I' (idle) that the host has been idle (no data sent or received).

Rcvd This column contains the traffic received by the host in either absolute or percentage format. If the host list is sorted according to this field, the column label becomes -Rcvd-.

Sent This column contains the traffic sent by the host in either absolute or percentage format. If the host list is sorted according to this field, the column label becomes -Sent-.

<protocol> The last three columns contain further information concerning the IP protocols. The data represented in these columns changes according to the traffic type (either sent or received). The 'y' key allows users to interactively change the sort order of these columns, whereas the space bar toggles the protocol list.
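As an added illustration (not intop's own code), the following C snippet models how the Act flag, the percentage traffic format ('p' key) and the sort-by-received-or-sent choice ('t' key) described above can be derived from per-host byte counters taken at two consecutive screen updates. The host_stat structure, its field names and the sample values are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed per-host record: cumulative byte counters at the current
 * and at the previous screen update (assumed layout, not intop's own). */
struct host_stat {
    const char *name;
    unsigned long rcvd, sent;           /* totals at this update */
    unsigned long prev_rcvd, prev_sent; /* totals at the previous update */
};

/* Act column: 'B' both, 'R' received only, 'S' sent only, 'I' idle,
 * judged on what changed since the last screen update. */
char act_flag(const struct host_stat *h)
{
    int r = h->rcvd > h->prev_rcvd;
    int s = h->sent > h->prev_sent;
    if (r && s) return 'B';
    if (r) return 'R';
    if (s) return 'S';
    return 'I';
}

/* Percentage format: a host's share of the total traffic in the list. */
double pct(unsigned long part, unsigned long total)
{
    return total ? 100.0 * (double)part / (double)total : 0.0;
}

/* Sort key chosen with the 't' key: by received or by sent, descending. */
static int by_rcvd;
static int cmp_hosts(const void *a, const void *b)
{
    const struct host_stat *x = a, *y = b;
    unsigned long kx = by_rcvd ? x->rcvd : x->sent;
    unsigned long ky = by_rcvd ? y->rcvd : y->sent;
    return (kx < ky) - (kx > ky);
}

/* Sorts the host list in place and returns the name of the top host,
 * i.e. the first row shown below the column headers. */
const char *sort_hosts(struct host_stat *hosts, size_t n, int sort_by_rcvd)
{
    by_rcvd = sort_by_rcvd;
    qsort(hosts, n, sizeof *hosts, cmp_hosts);
    return hosts[0].name;
}
```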

NOTES

intop is based on the ntop engine and the libpcap library that can be found at ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

SEE ALSO

top(1), ngrep(8), tcpdump(8).

AUTHOR

Please send bug reports to the ntop mailing list <ntop@ntop.org>. intop's authors are Luca Deri <deri@ntop.org> and Rocco Carbone <rocco@ntop.org>.