Provided by: ntopng_2.2+dfsg1-1build1_amd64

NAME

       ntopng - display top network users

SYNOPSIS

       ntopng [filename]

       or

       ntopng  [-i  <interface|pcap>]  [-d <data_directory>] [-t <install_directory>] [-n <mode>]
       [-e] [-1 <path>] [-2 <path>] [-3 <path>]  [-w  <[:]http_port>]  [-W  <[:]https_port>]  [-c
       <categorization_key>]  [-m  <local_subnets>]  [-u|--no-promisc] [-p <protocols>] [-P] [-q]
       [-r <redis_host[:port][@db-id]>] [-g <cpu_core_ids>] [-s] [-U <sys_user>]  [-l<mode>]  [-X
       <maxnumflows>]   [-B   <filter>]   [-k   <key>]   [-A  <mode>]  [-x  <max_num_hosts>]  [-F
       <mode><dump-flows>] [-D <dump-hosts>]  [-I  <export-flows>]  [-O  <communities-list>]  [-E
       <sticky-hosts>]  [-t  <dir>]  [-T  <enable-taps>]  [-H]  [--hw-timestamp-mode  <mode>] [-Z
       <prefix>] [--shutdown-when-done] [-v] [-V] [-h]

DESCRIPTION

       ntopng shows the current network usage. It displays a list of  hosts  that  are  currently
       using the network and reports information concerning the (IP and non-IP) traffic generated
       and received by each host.  ntopng may operate as a front-end collector  or  as  a  stand-
       alone  collector/display  program.   A  web  browser  is  needed to access the information
       captured by the ntopng program.

       ntopng is a hybrid layer 2 / layer 3 network monitor. By default it uses the layer 2 Media
       Access Control (MAC) addresses and the layer 3 TCP/IP addresses. ntopng is capable of
       associating the two, so that IP and non-IP traffic (e.g. ARP, RARP) are combined for a
       complete picture of network activity.

OPTIONS

       filename
        The  text  of  filename  is  copied  —  ignoring  line breaks and comment lines (anything
        following a #) — into the command line.  ntopng behaves as if all of the text had  simply
        been  typed  directly  on  the command line.  For example, if the command line is "ntopng
        s.conf" and file s.conf contains just the line '-s', then the effective command  line  is
        "ntopng -s". If you use a configuration file, any options that follow it on the command
        line are ignored. For example, in "ntopng /etc/ntopng/ntopng.conf -v" the -v option is
        ignored.

        The configuration file is similar to the command line, with the exception that an equal
        sign '=' must be used between key and value. Example: -i=p1p2 or --interface=p1p2. For
        options with no value (e.g. -v) the equal sign is also necessary. Example: "-v=" must be
        used.

        Remember, most ntopng options are "sticky", that is, they just set an internal flag.
        Invoking them multiple times doesn't change ntopng's behavior. However, options that
        set a value, such as --trace-level, will use the LAST value given: -w 8000 -w 8080 will
        run as -w 8080.

       -n|--dns-mode <mode>
        Sets the DNS address resolution mode:
        0 — Decode DNS responses and resolve only local (-m) numeric IPs
        1 — Decode DNS responses and resolve all numeric IPs
        2 — Decode DNS responses and don't resolve numeric IPs
        3 — Don't decode DNS responses and don't resolve numeric IPs

       -i|--interface <interface|pcap>
        Specifies the network interface or collector endpoint to be used by ntopng for network
        monitoring. On Unix you can specify either the interface name (e.g. lo) or the numeric
        interface id as shown by ntopng -h. On Windows you must use the interface number instead.
        Note that you can specify -i multiple times in order to instruct ntopng to create
        multiple interfaces. If you want to pipe data from stdin, use - (dash) as the device
        name. Example: "cat ~/traffic.pcap | ./ntopng -i -".

        The  -i  option can also be used to specify a unified view of more interfaces, given they
        are  provided  in  a  comma-separated  list  and  with  the  "view:"  prefix   (e.g.   -i
        view:eth0,eth1). This is just a logical view of multiple physical interfaces.

        If a collector endpoint is specified, ntopng opens a ZeroMQ connection to the specified
        endpoint as a subscriber. The format is <ZMQ endpoint>. Examples of valid collector
        endpoints are "tcp://127.0.0.1:5556" or ipc://flows.ipc. Note that you can specify
        multiple endpoints as a comma-separated list in order to instruct ntopng to aggregate
        them in a single interface (e.g. -i tcp://127.0.0.1:5556,ipc://flows.ipc).

        You can also pass the path of a pcap file (e.g. -i dummy.pcap) or the path of a list
        file that contains the path of one pcap file per line (e.g. -i pcap.list), and ntopng
        will read packets from the specified pcap file(s).

        nProbe  can  be  instructed  to  act as a publisher delivering flows to a ZeroMQ endpoint
        using the --ZMQ <endpoint> parameter.

       -d|--data-dir <path>
        Specifies the data directory (it must be writable). Default directory is /var/tmp/ntopng.

       -t|--install-dir <path>
        Specifies the installation directory. Default directory is retrieved from common  install
        paths.

       -G|--pid-path <path>
        Specifies the path where the PID (process ID) is saved. Default is /var/tmp/ntopng.pid

       -H|--disable-alerts
        Disable the generation of alerts.

       -k|--httpbl-key <key>
        Set   the   key  used  to  access  httpbl  services  (default:  disabled).   Please  read
        README.httpbl for more info.

       -c|--categorization-key <key>
        Sets the key used to access host categorization services. ntopng categorizes hosts using
        services provided by Google. In order to use these categorization services you need to
        sign up at https://developers.google.com/safe-browsing/key_signup and use the generated
        key with this command line option.

       -e|--daemon
        This  parameter  causes ntop to become a daemon, i.e. a task which runs in the background
        without connection to a specific terminal. To use ntop other than as a casual  monitoring
        tool, you probably will want to use this option.

       -1|--httpdocs-dir <path>
        Directory where HTTP documents are placed. Default: httpdocs.

       -2|--scripts-dir <path>
        Directory where lua scripts reside. Default: scripts.

       -3|--callbacks-dir <path>
        Directory where callback scripts reside. Default: scripts/callbacks.

       -w|--http-port <[:]http_port>
        Sets the HTTP port of the embedded web server. If set to 0, the HTTP server will be
        disabled. If you prepend a : before the port (e.g. -w :80) ntopng will listen on the
        loopback address. NOTE: omitting the -w option won't disable HTTP: ntopng will fall back
        to the default HTTP port.

       -W|--https-port <[:]https_port>
        Sets the HTTPS port of the embedded web server. If not set, it will be set to the value
        of -w plus one. If you prepend a : before the port (i.e. -w :80) ntopng will listen on
        the loopback address.

       -m|--local-networks <local_nets>
        ntopng determines the ip addresses and netmasks for each active interface. Any traffic on
        those  networks  is considered local. This parameter allows the user to define additional
        networks and subnetworks whose traffic is also considered local in  ntopng  reports.  All
        other hosts are considered remote. If not specified the default is set to 192.168.1.0/24.

        Commas  separate  multiple  network  values.  Both netmask and CIDR notation may be used,
        even mixed together, for instance "131.114.21.0/24,10.0.0.0/255.0.0.0".

       -u|--no-promisc
        Disable promiscuous mode when capturing from network interfaces (by default promiscuous
        mode is used).

       -p|--ndpi-protocols <file>.protos
        This parameter is used to specify an nDPI protocol file. The format is
        <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto> where <port> is a port number and <proto>
        is the name of a protocol supported by nDPI, or host:"<string>"@<proto> where string is
        part of a host name. For an example, see
        https://svn.ntop.org/svn/ntop/trunk/nDPI/example/protos.txt

       -P|--disable-host-persistency
        Disable host persistency in the Redis cache.

       -q|--disable-autologout
        Disable web interface logout for inactivity.

       -l|--disable-login <mode>
        Disable user login. Mode can be set to 0 (disable login only for localhost) or 1 (disable
        login for all hosts). This is useful for debugging, for unrestricted access from the
        local host, or if you want to let everyone access the web GUI. NOTE: this option lets
        anyone accessing the web interface (from localhost or from all hosts, depending on the
        parameter) be administrator of the web interface.

       -r|--redis <redis_host[:port][@db-id]>
        Specifies  the  redis  database  host,  port,  and a database id. In case you plan to run
        multiple redis-based applications on the same redis server, you need to use  a  different
        database  id  per  application.   For  more  information  about  redis,  please  refer to
        http://redis.io/.

       -g|--core-affinity <cpu_core_id1[,cpu_core_id2,...]>
        Bind the capture/processing threads to specific CPU cores, indicated in a comma-separated
        list. Cores are assigned to interface processing loops in the order interfaces are mapped
        to IDs.  NOTE: ntopng  automatically  sets  affinity  of  capture/processing  threads  to
        different CPU cores.

       -U|--user <user>
        Run ntopng with the specified system user instead of 'nobody'.

       -s|--dont-change-user
        Do not change user (debug only).

       -B|--packet-filter <filter>
        Specifies  the packet filter for the specified interface. For pcap/PF_RING interfaces the
        filter has to be specified in BPF format (Berkeley Packet Filter).

       -X|--max-num-flows <num>
        Specify the maximum number of active flows that ntopng will handle.  If  more  flows  are
        detected they will be discarded.

       -x|--max-num-hosts <num>
        Specify  the  maximum  number  of active hosts that ntopng will handle. If more hosts are
        detected they will be discarded.

       -F|--dump-flows <mode>
        If ntopng is compiled with sqlite support, flows can be dumped persistently on disk using
        this option. The mode can be set to:
        es - Dump to the ntopng.es queue in Elasticsearch format, to be inserted into an ES
        database. In this case the format is "es;<idx type>;<idx name>;<es URL>;<http auth>".
        Example: -F "es;ntopng;ntopng-%Y.%m.%d;http://localhost:9200/_bulk;user:pwd". The
        <idx name> accepts the strftime() format.
        mysql - Dump flows in MySQL tables. In this case the format is
        "<host[@port]|unix socket>:<dbname>:<table>:<user>:<pw>". Example: -F
        "mysql;localhost;ntopng;flows-%Y.%m.%d;root;".

       -D|--dump-hosts <mode>
        If ntopng is compiled with sqlite support, host contacts can be dumped persistently on
        disk using this option. Databases are created daily under <data
        directory>/<interface>/contacts. This option supports three dump modes: local (dumps
        only local hosts), remote (dumps only remote hosts), all (dumps all hosts). If not
        specified, no hosts are dumped to disk.

       -I|--export-flows <endpoint>
        Export the expired flows on the specified endpoint. For instance, if ntopng is started
        on host 1.2.3.4 as ntopng -I "tcp://*:3456", it exports flows on this endpoint so that
        you can create a hierarchy of ntopng instances. You can achieve that by starting a
        collector ntopng as ntopng -i tcp://1.2.3.4:3456

       -O|--communities-list <filename>
        Parse the specified file  and  retrieve  a  list  of  communities,  that  are  a  logical
        representation  of  clusters of hosts that fall under the same administrative domain. The
        file must be in the following format:
            communityX@id1=net1,net2,net3
            communityY@id2=net4,net5,net6
            ...

       -E|--dump-aggregations <mode>
        If ntopng is compiled with sqlite support, host contacts can be dumped persistently on
        disk using this option. Databases are created daily under <data
        directory>/<interface>/contacts. This option supports three dump modes: local (dumps
        only aggregations contacted by local hosts), remote (dumps only aggregations contacted by
        remote hosts), all (dumps all aggregations). If not specified, no hosts are dumped to
        disk.

       -S|--sticky-hosts <mode>
        ntopng  periodically purges idle hosts. With this option you can modify this behaviour by
        telling ntopng not to purge the  hosts  specified  by  -S.  This  parameter  requires  an
        argument  that  can be "all" (Keep all hosts in memory), "local" (Keep only local hosts),
        "remote" (Keep only remote hosts), "none" (Flush hosts when idle).

       --hw-timestamp-mode <mode>
        Enable hw timestamping/stripping. Supported TS modes are:
        ixia — Timestamped packets by ixiacom.com hardware devices.

       -t|--install-dir <dir>
        Force ntopng to use the HTML/lua files installed on the specified directory. This  option
        should not be used unless under testing or development, as packaging systems should place
        the files at the right place.

       -T|--enable-taps <mode>
        Enable tap interfaces to dump packets on. If not specified, traffic can be dumped only on
        disk but not sent live to apps.

       -Z|--http-prefix <prefix>
        HTTP  prefix  to  be  prepended to URLs. This is useful when using ntopng behind a proxy.
        E.g. if you want to make the ntopng web interface accessible through a proxy at a certain
        IP  address  with  the /ntopng/ base URL and you have the following lines in your proxy's
        configuration:
            ProxyPass /ntopng/ http://192.168.0.3:3000/ntopng/
            ProxyPassReverse /ntopng/ http://192.168.0.3:3000/ntopng/
        you must use ntopng with -Z "/ntopng/"

       --shutdown-when-done
        Terminate ntopng when the input pcap file is over (debug only).

       -v|--verbose
        Verbose tracing.

       -V|--version
        Print ntopng version and quit.

       -h|--help
        Help
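
       The configuration-file rules above ('=' between key and value, comments after '#', last
       value wins) and the -w, -W, -l, -s and -U options can be checked before deployment. The
       following is an added example, not part of ntopng or its original manual page; it assumes
       one option per line, and SAMPLE_CONF is constructed input.

```python
# Added example: audit an ntopng configuration file (assumes one "key=value" per line).

# Short-to-long option names, taken from the OPTIONS text of this manual page.
ALIASES = {"-w": "--http-port", "-W": "--https-port", "-l": "--disable-login",
           "-s": "--dont-change-user", "-U": "--user"}

# Constructed sample input, not a configuration shipped with ntopng.
SAMPLE_CONF = """\
-i=eth0
-w=3000
-w=:3000   # a later value replaces the earlier one
-l=1
-s=
"""

def parse_conf(text):
    """Return {long_option: value}; comments are dropped and the last value wins."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # anything following a # is a comment
        if not line:
            continue
        key, _, value = line.partition("=")   # flags are written as "-s="
        key = key.strip()
        opts[ALIASES.get(key, key)] = value.strip()
    return opts

def audit(text):
    """Return a list of findings for the web interface and privilege options."""
    opts, findings = parse_conf(text), []
    if "--disable-login" in opts:
        scope = {"0": "localhost", "1": "all hosts"}.get(
            opts["--disable-login"], "an unrecognised mode")
        findings.append(f"login disabled ({scope}): those clients are administrators")
    if "--dont-change-user" in opts:
        findings.append("privileges are not dropped (-s is documented as debug only)")
    if opts.get("--user") == "root":
        findings.append("runs as root instead of 'nobody'")
    http = opts.get("--http-port")
    if http is None:
        findings.append("-w not set: default HTTP port, no loopback restriction configured")
    elif http != "0" and not http.startswith(":"):
        findings.append(f"-w {http}: HTTP server is not limited to the loopback address")
    https = opts.get("--https-port")
    if https is not None and not https.startswith(":"):
        findings.append(f"-W {https}: HTTPS server is not limited to the loopback address")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("FINDING:", finding)
```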

WEB VIEWS

       While ntopng is running, multiple users can access the traffic information using their web
       browsers.  ntopng makes use of JavaScript and LESS CSS.

       We  do not expect problems with any current web browser, but our ability to test with less
       common ones is very limited.  Testing has included Safari, Chrome,  Firefox  and  Internet
       Explorer, with very limited testing on other current common browsers such as Opera.

NOTES

       ntopng  requires a number of external tools and libraries to operate.  Certain other tools
       are optional, but add to the program's capabilities.

       Required libraries include:

       libpcap from http://www.tcpdump.org/, version 1.0 or newer.

       The Windows version makes use of WinPcap (libpcap for Windows)  which  may  be  downloaded
       from http://winpcap.polito.it/install/default.htm.

       ntopng requires a POSIX threads library.

       The  rrdtool  library  creates  'Round-Robin databases' which are used to store historical
       data in a format that permits long duration retention without growing  larger  over  time.
       The rrdtool home page is http://people.ee.ethz.ch/~oetiker/webtools/rrdtool/

       The  LuaJIT  library  is  a Just-In-Time Compiler for Lua used to execute GUI and periodic
       scripts.

       The mongoose library is used to implement the HTTP server part of ntopng.

       zeromq is a socket library supporting the publish/subscribe pattern used to collect flows
       from nProbe.

       ntopng includes LuaJIT, mongoose, rrdtool and zeromq in the third-party/ directory.  Users
       of ntopng should not need to specifically install such libraries.

SEE ALSO

       top(1), tcpdump(8), pcap(3).

USER SUPPORT

       Please send bug reports to the  ntop-dev  <ntop-dev@ntop.org>  mailing  list.  The  ntopng
       <ntop@ntop.org>  mailing list is used for discussing ntopng usage issues. In order to post
       messages on the lists a (free) subscription is required to limit/avoid spam. Please do NOT
       contact the author directly unless this is a personal question.

       Commercial support is available upon request. Please see the ntopng site for further info.

       Please send code patches to <patch@ntop.org>.

LICENCE

       ntopng is distributed under the GNU GPL licence (http://www.gnu.org/).

                                     Jul 2015 (ntopng 2.0.1)                            NTOPNG(8)