One of the main uses of Ntop is on-the-spot traffic checkups. When one of my Cacti-driven PHP Weathermaps suddenly shows a collection of network links running in the red, it tells me that those links exceed 85 percent utilization, but it doesn't tell me why. By switching to an Ntop process watching that network segment, I can quickly pull a minute-by-minute report of the top talkers and immediately know which hosts are responsible and what traffic they're pushing.
That kind of visibility is invaluable, and it's very easy to come by. Essentially, you can run Ntop on any interface that's been configured at the switch level to mirror another port or VLAN (a SPAN or monitor port). That's really it.
Pancho is a simple Perl script that reaches out to Cisco routers and switches and pulls down a current copy of the running configuration. When run at set intervals, it allows admins to keep instant backups of router and switch configurations, which can be terribly valuable when things go pear-shaped and nobody thought to write down some specific configuration information for an edge router.
Pancho hasn't been under active development since 2005, but that hasn't been a problem so far. In fact, barring fundamental changes in Cisco IOS, Pancho's latest and last release may be completely functional for years to come.
There's not really much more to say about Pancho. It takes all of five minutes to configure and use, and as long as you properly secure the downloaded configurations (they contain the devices' credentials and other sensitive settings), there's very little risk involved. In a nutshell, you risk more by not using Pancho.
The Snort IDS has been available as an open source tool for 10 years now. In fact, it was so successful that it developed into a viable commercial tool with support from Sourcefire, but the open source version is still actively developed and available.
In either the commercial or open source flavor, Snort is a very complete intrusion detection system that watches and catalogs network traffic, matching that traffic against predefined rules to monitor network segments for nefarious activity. In fact, it can do much more, since rules can be written to flag traffic that matches any criteria. If you want to check all IM traffic exiting the network that matches a specific internal product code name, that's certainly possible, right along with standard rules that watch for port scans, virus activity, and so forth.
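As an added illustration of the kind of custom rule described above (this is example text, not a rule from the article or from the Snort rule sets), here is a local Snort rule that flags outbound traffic carrying an internal product code name; the code name `PROJECT_KESTREL` and the sid are constructed placeholders, and the port-scan line shows that scan detection is handled by the sfportscan preprocessor in snort.conf rather than by a rule:

```snort
# Added example rule, not from the article. "PROJECT_KESTREL" and
# sid 1000001 are constructed placeholders; local rules use sids
# of 1000000 and above so they never collide with vendor rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET any ( \
    msg:"POLICY internal code name seen in outbound traffic"; \
    flow:to_server,established; \
    content:"PROJECT_KESTREL"; nocase; \
    classtype:policy-violation; \
    sid:1000001; rev:1; \
)

# Port scans are detected by the sfportscan preprocessor, configured
# in snort.conf rather than in a rules file:
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }
```

Drop the rule into the local.rules file that snort.conf already includes, then run `snort -T -c snort.conf` to confirm the configuration and rule parse cleanly before restarting the sensor.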
When coupled with the BASE (Basic Analysis and Security Engine) Web GUI, Snort becomes an even more powerful tool. When Snort is configured to log to MySQL, BASE can pull reports on alarm triggers and display traffic anomalies based on source or destination IP address, TCP or UDP port number, and alert type. In addition, if you have multiple Snort sensors in various places on the network, they can all log to the same database, and BASE can produce reports incorporating any or all of those sensors.
The best part is that a Snort sensor doesn't have to be anything special. In most networks, it can easily be built on a low-end desktop- or server-class system, depending on traffic levels. The basic rule sets are available for free from Sourcefire with registration, and rules updates are easily managed. And if you want to go with a supported solution, you can buy the official commercial counterpart from Sourcefire. In either case, Snort can quickly become an invaluable addition to any network.