How to use ntop and proxyarp to monitor network traffic

Jephe Wu -

Environment: a 2M leased line connecting the office and the datacenter; a CentOS 5.5 bridge firewall with proxy ARP enabled, running ntop to monitor traffic.
Objective: use the existing network segment without any changes, and use ntop's built-in web server on port 3000 to monitor traffic.

Network diagram:
___2M leased line__Router( LAN
__2M leased line__Router( Firewall(CentOS 5.5) eth0: LAN

1. Install CentOS 5.5 32-bit on the firewall
Use an NFS installation (put the DVD ISO file under /root on the NFS server and run service nfs restart) and a VNC remote install (at the boot prompt type: linux vnc vncconnect=
Use the same IP address on both eth1 and eth0.

2. Enable proxy ARP and IP forwarding in /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth1.proxy_arp = 1

The same settings can also be applied at boot from /etc/rc.local as follows:
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
echo 1 > /proc/sys/net/ipv4/ip_forward

3. Modify the IP routes

Because the same address is configured on both interfaces, the kernel's automatic routes must be replaced so that each side is reached through the correct interface. Add the following to /etc/rc.local:

ip route del dev eth0
ip route del dev eth1
ip route add dev eth1
ip route add dev eth0
route add default gw eth1
ntop -i eth1 >/dev/null 2>&1 &

4. OS update

Edit /etc/yum.conf (set proxy=
yum -y update
Edit /etc/grub.conf so the default entry boots the latest kernel without Xen

5. Install ntop
Search Google for 'DAG', go to the RPMforge site to download the rpmforge-release rpm, then:
rpm -Uvh rpmforge*.rpm
yum install ntop

6. Test

Use ping, arping, ssh etc. to check that servers/PCs on the LAN side can reach the other end, as well as the datacenter servers.

If things are not working, you might need to delete the stale ARP entries for your gateway from your own PC or from the gateways (the firewall now answers ARP for the gateway's address, so a cached entry still points at the old MAC):
arp -d
arp -na

7. Use a browser to access the ntop web interface (port 3000)
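To verify the kernel settings from steps 2 and 3 after a reboot, and to keep the ntop web interface from step 7 reachable only from an admin network, here is an added check script (not part of the original post). PROC_ROOT is a hypothetical override of /proc used for testing, and the admin network passed to ntop_acl_rules is a placeholder you substitute.

```shell
#!/bin/sh
# Post-install checks for the proxy-ARP firewall built in the steps above.
# Added example, not from the original post. PROC_ROOT is a hypothetical
# override (default /proc) so the checks can also run against a copied tree.

check_sysctl_flag() {
    # $1 is a path under net/ipv4/; the flag must read exactly "1".
    f="${PROC_ROOT:-/proc}/sys/net/ipv4/$1"
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo "ok   net.ipv4.$1 = 1"
        return 0
    fi
    echo "FAIL net.ipv4.$1 is not 1 (see /etc/sysctl.conf and /etc/rc.local)"
    return 1
}

check_proxyarp_router() {
    # ip_forward plus proxy_arp on every interface named as an argument.
    rc=0
    check_sysctl_flag ip_forward || rc=1
    for ifc in "$@"; do
        check_sysctl_flag "conf/$ifc/proxy_arp" || rc=1
    done
    return $rc
}

ntop_listening() {
    # Reads "netstat -tln" output on stdin; succeeds if TCP port 3000 is bound.
    grep -q -E ':3000[[:space:]].*LISTEN'
}

ntop_acl_rules() {
    # Once the firewall forwards traffic, ntop's web UI on port 3000 is
    # reachable from both segments, so limit it to an admin network ($1,
    # a constructed placeholder). Only prints the rules; review before applying.
    echo "iptables -A INPUT -p tcp --dport 3000 -s $1 -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport 3000 -j DROP"
}

if [ "${1:-}" = "run" ]; then
    check_proxyarp_router eth0 eth1
    if netstat -tln 2>/dev/null | ntop_listening; then
        echo "ok   ntop listening on TCP 3000"
    else
        echo "FAIL nothing listening on TCP 3000 (is ntop -i eth1 running?)"
    fi
    ntop_acl_rules "${2:-ADMIN_NET/24}"
fi
```

Run it on the firewall as `sh check.sh run 192.0.2.0/24` (substituting your admin subnet) to print the check results and the proposed rules.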

8. References: