Tuesday, April 14, 2009

NTOP on CentOS 5.3 for Netflow Monitoring

I did an NTOP install on CentOS 5.3 today and it was a little different than I’ve done before. The SecurityTeam.US repository doesn’t seem to contain ntop anymore, so I had to switch repositories. I did the following:

  • Install a repository that has the ntop package available: “rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm”
  • Install ntop “yum install ntop”
  • Run ntop “ntop”
  • When asked, you’ll need to supply a password for the default admin account. It gets a little lost in the start-up noise, but if you scroll back you should see the request.
  • run “service ntop start”
  • run “chkconfig ntop on”
  • Now it should be up and running and should restart at the next reboot as well.
  • Allow ports 3000/tcp and 2055/udp if you have firewalling enabled. Port 3000/tcp is the ntop web interface and port 2055/udp is for NetFlow.
  • From another PC web browse http://yourserverip:3000
  • Now, enable NetFlow: from the menus select Plugins, NetFlow, Enable.
  • Now make sure you are monitoring on the correct interface: Admin, Switch NIC. For me the interface was NetFlow-device.2 [id=1].
  • Now set your NetFlow defaults: Plugins, NetFlow, View/Configure.
    • Select the device you want and hit the Edit NetFlow Device button.
    • I left the name alone as NetFlow-device.2
    • Change the local collector UDP port to 2055 (the default port).
    • Hit the Set Port button
    • Virtual NetFlow Interface is the interface on the router (the flow-export source interface configured below) that will be sending you the NetFlow stream. Also put in its mask. (For me this was 192.168.1.1/255.255.255.0)
    • Hit the Set Interface Address button
    • Aggregation – none (This was my preference)
    • Hit the Set Aggregation Button
    • The only other thing I changed was debug. I turned it off.
    • Hit the Set Debug button

So the next step was to configure our router to point to the ntop box.

  • Log in to privileged mode on the router and enter configuration mode.
  • (config)# ip flow-export source <interface number>
  • (config)# ip flow-export version 5 peer-as
  • (config)# ip flow-export destination <ip address> <port number>
  • (config)# ip flow-cache timeout active 1
  • Now change to the interface you want to monitor:
  • (config)# interface <interface>
  • (config-if)# ip route-cache flow
  • (config-if)# bandwidth 1544
  • (config-if)# end
  • # wr

In the above example I used a few placeholders: <interface number> is the local interface you want to send the data from (FastEthernet 0/0 for me). It’s NOT the one you want to monitor. <ip address> and <port number> are the IP address and the port that ntop will be listening on; the default port is 2055/udp. The bandwidth of 1544 is the speed of a T1 line in kilobits per second. You’ll have to adjust that for your line speed.

OK, pop back to the web interface and look at the NetFlow Statistics (Plugins, NetFlow, Statistics). You should eventually see the Packets Received number start to grow. If it’s growing, you’re getting data. Now you should be able to browse through the menus and start to look at your data. It takes a while for the data to build up and be meaningful, but it’s pretty cool.
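As an added example (not part of the original post), here is a small NetFlow v5 parser in Python that decodes the datagrams the router exports to the ntop collector port 2055 configured above. It lets you confirm that the router is really sending version 5 flows before you chase an empty Statistics page. The sample datagram, its addresses and the `listen_once` helper are constructed for this example.

```python
import socket
import struct
from collections import namedtuple

# NetFlow v5 wire format (big-endian): 24-byte header, then up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30
Flow = namedtuple("Flow", "src dst proto sport dport pkts octets tcp_flags")


def parse_netflow_v5(datagram: bytes):
    """Return (header dict, [Flow, ...]); raise ValueError on a malformed export."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _up, unix_secs, _ns, seq, _etype, engine_id, sampling = (
        V5_HEADER.unpack_from(datagram))
    if version != 5:
        raise ValueError(f"expected NetFlow version 5, got {version}")
    if not 1 <= count <= V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"record count {count} does not match {len(datagram)}-byte datagram")
    flows = []
    for i in range(count):
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last, sport, dport,
         _pad1, flags, proto, _tos, _sas, _das, _smask, _dmask, _pad2) = (
            V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size))
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                          sport, dport, pkts, octets, flags))
    # Low 14 bits of the sampling field hold the interval; 0 means every packet was counted.
    return {"sequence": seq, "unix_secs": unix_secs, "engine_id": engine_id,
            "sampling_interval": sampling & 0x3FFF}, flows

def _record(s, d, pkts, octets, sport, dport, flags, proto):
    return V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0",
                          1, 2, pkts, octets, 100000, 120000, sport, dport, 0,
                          flags, proto, 0, 0, 0, 24, 24, 0)

def sample_datagram() -> bytes:
    """Constructed two-record export (hypothetical addresses), as a router sends to UDP 2055."""
    hdr = V5_HEADER.pack(5, 2, 120000, 1239667200, 0, 1, 0, 0, 0)
    return (hdr + _record("192.168.1.10", "10.0.0.5", 12, 3456, 51234, 443, 0x18, 6)
                + _record("192.168.1.20", "10.0.0.53", 1, 64, 40000, 53, 0, 17))

def listen_once(port=2055):
    """Receive one real export on the ntop collector port and parse it (stop ntop first)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        data, peer = sock.recvfrom(65535)
    return peer[0], parse_netflow_v5(data)
```

Running `listen_once()` on the ntop box (with ntop stopped so the port is free) shows the exporting router's address and the first batch of flows, which is the quickest way to tell a router problem from an ntop plugin misconfiguration.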

Drop me a comment if you are interested and I’ll run through what some of the data means.

14 comments:

Raj said...

Hi,

Can you try www.netflowanalyzer.com. It is free for 2 interfaces. It is completely web based and hassle free. Please find the online demo in http://demo.netflowanalyzer.com

Rolfsa said...

ah...but ntop for centos is free for all interfaces. :) No licenses no restrictions.

Anonymous said...

I copied and pasted your "rpm -Uvh ..." command into my centos 5.3 but it didn't run. I'm not getting an error message, just something wrong with the syntax or missing a switch.

Please help.

Rolfsa said...

I've seen it where the minus sign gets replaced by some other character when cutting and pasting from blogs. Remove the - from -Uhv and retype it manually. See if that solves the problem.

Anonymous said...

Hi,

Thanks for the quick reply. I followed your suggestion by typing manually (a pain!) and I typed carefully but it still didn't work.

What worked, though, was spacing out the switches individually as in "rpm -U -v -h ...". However, now I'm getting a different error message below:

"Retrieving http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
error: skipping http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm - transfer failed - Unknown or unexpected error "

Rolfsa said...

That sounds like a network problem. I'd probably begin by seeing if you could just web browse http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS. At least that way you can verify connectivity to the site. From there you should be able to click and download the rpm. Then you can install it locally.

Good luck!

Anonymous said...

Hi,

This is a great tutorial. I have been running NTOP for a few days now.

I enabled NetFlow dump and I can see the .flow files being generated every dump interval.

I am puzzled whether or not NTOP actually makes use of these files to rebuild and show the graphs after an NTOP restart or a server restart.

And also the RRD dump: I'm wondering whether it also dumps NetFlow data, as the option only has the following:

Data to Dump:
Domains
Flows
Hosts
Interfaces
ASs
Matrix


Thanks very much,
Nas

Martin said...

Runs at the command line but not as a service.

[root@commodore ~]# service ntop start
Starting ntop: Processing file /etc/ntop.conf for parameters...
Tue Jun 14 16:53:03 2011 NOTE: Interface merge enabled by default
Tue Jun 14 16:53:03 2011 Initializing gdbm databases
FATAL ERROR: Unrecognized/unprocessed ntop options...
, --user ntop, , --db-file-path /var/ntop, , , , --use-syslog, , , , , , ,

run ntop --help for usage information

Common problems:
-B "filter expressions" (quotes are required)
--use-syslog=facilty (the = is required)

zeeker said...

Hi, I'm new to this field. I'm trying to use a Cisco 805 router. It gives me an error message saying "% Invalid input detected at '^' marker." in (config)#ip flowexport eth0. This may be a totally different problem, but can someone help me? (Doesn't this router support this?)

Rolfsa said...

zeeker....I'd check your version of IOS and verify that it supports NetFlow. Not all versions do.

zeeker said...

Thanks for the quick reply. Then what could be the problem? It doesn't identify the command ip flow-export source .....

Rolfsa said...

If it doesn't identify the command, then it's not supported in that IOS release. Upgrade to (and unfortunately pay for) an IOS release that supports NetFlow.

zeeker said...

Thanks, after upgrading it worked.

Bartek said...

Does anyone know how to read .flow files generated by the ntop NetFlow plugin? I have found flow-export but it doesn't work:

flow-export -f2 -mSRCADDR < 1366966129.flow
flow-export: ftiheader_read(): Warning, bad magic number
flow-export: ftiheader_read(): failed
flow-export: ftio_init(): failed