https://www.lisenet.com/2014/install-ntop-on-debian-and-configure-to-use-netflow-on-mikrotik-routeros
Ntop is a network monitoring tool similar to Unix top, which shows network traffic usage. It can act as a NetFlow collector for flows generated by routers such as Cisco or Mikrotik. NetFlow is an industry standard for flow-based traffic monitoring.
We will install and configure Ntop to collect flows generated by a Mikrotik router. Note: “Ntop” != “NtopNG”.
Install Pre-required Software
We’re using Debian Wheezy:
$ uname -rv
3.2.0-4-686-pae #1 SMP Debian 3.2.51-1
Update the system first:
# apt-get update && apt-get upgrade -uV
Install required software:
# apt-get install libtool automake autoconf make build-essential python-dev subversion
Install external tools and libraries required by ntop:
# apt-get install libpcap-dev libgdbm-dev zlib1g-dev libgeoip-dev libgraphviz-dev graphviz rrdtool librrd-dev
Ntop Installation via Source Code
Download the source package:
# cd ~ ; wget http://sourceforge.net/projects/ntop/files/ntop/Stable/ntop-5.0.1.tar.gz
Extract the archive:
# tar xvfz ntop-5.0.1.tar.gz && cd ntop-5.0.1
Configure, compile and install ntop:
# ./autogen.sh
# make
# make install
Create a new system account for ntop:
# useradd -r -s /bin/false ntop
Change ownership appropriately:
# chown -R ntop:ntop /usr/local/share/ntop /usr/local/lib/ntop /usr/local/var/ntop
Update links and cache to the shared libraries:
# /sbin/ldconfig
Start Ntop as a Daemon
# ntop -cd -i eth0 -u ntop -W 0.0.0.0:3001 -m 10.132.1.0/24
-c : prevent idle hosts from being purged from memory
-d : causes ntop to become a daemon
-i : specifies the network interface to use
-u : the user ntop should run as after it initialises (but must be started as root)
-W : starts an embedded ntop web server for HTTPS
-m : specifies local subnets
Use man ntop for more command line options if needed. Also note that port 3001 needs to be opened on the firewall if public access is needed.
Troubleshooting Ntop
If you get the error message below when launching ntop:
error while loading shared libraries: libntopreport-5.0.1.so: cannot open shared object file: No such file or directory
Update links and cache to the shared libraries:
# /sbin/ldconfig
Enable and Configure NetFlow Plugin on Ntop
Connect to the ntop web interface here:
https://localhost:3001
Activate the NetFlow plugin: “Plugins” -> “NetFlow” -> “Activate”.
Open NetFlow configuration panel: “Plugins” -> “NetFlow” -> “Configure”.
Click Add NetFlow Device and fill in the following:
- NetFlow Device: “Mikrotik”
- Local Collector UDP Port: 2055
- Virtual NetFlow Interface Network Address: 10.132.1.0/24 (change appropriately!)
Enable and Configure NetFlow on Mikrotik RouterOS
Enabling traffic flow on the Mikrotik can be done via SSH:
[admin@mikrotik] > /ip traffic-flow
[admin@mikrotik] /ip traffic-flow> set enabled=yes interfaces=all
Print current configuration:
[admin@mikrotik] /ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 4k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
Add NetFlow target (our Debian machine):
[admin@mikrotik] /ip traffic-flow> /ip traffic-flow target
[admin@mikrotik] /ip traffic-flow target> add address=10.132.1.27:2055 disabled=no version=5
Print target configuration:
[admin@mikrotik] /ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 10.132.1.27:2055 5
That’s it, now we have to wait a couple of minutes and review data in the ntop web interface.
Configure Iptables on Debian
# iptables -A INPUT -s 10.132.1.1/32 -p udp --dport 2055 -j ACCEPT
# iptables -A INPUT -s 10.132.1.0/24 -p tcp -m multiport --dport 3000,3001 -j ACCEPT
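As an added example (not part of the original post), here is a small decoder for the NetFlow v5 datagrams that the Mikrotik target configured above exports to UDP port 2055; it shows what the collector actually receives and rejects truncated or non-v5 datagrams. The sample datagram, its addresses and counters are constructed for the example.

```python
"""Decode NetFlow v5 exports (the version configured on the Mikrotik above)."""
import socket
import struct
from dataclasses import dataclass
from typing import List

HEADER = struct.Struct(">HHIIIIBBH")                # 24-byte v5 header
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}

@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int

def parse_netflow_v5(datagram: bytes) -> List[Flow]:
    """Return the flows in one export datagram; raise ValueError if it is malformed."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the NetFlow v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("expected NetFlow v5, got version %d" % version)
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header advertises more records than present")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last, sport, dport,
         _pad1, _tcp_flags, prot, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport,
                          PROTO.get(prot, str(prot)), pkts, octets))
    return flows

def build_sample() -> bytes:
    """Constructed datagram: one TCP flow 10.132.1.50:51234 -> 203.0.113.10:443."""
    header = HEADER.pack(5, 1, 360000, 1389540499, 0, 1, 0, 0, 0)
    record = RECORD.pack(socket.inet_aton("10.132.1.50"), socket.inet_aton("203.0.113.10"),
                         socket.inet_aton("10.132.1.1"), 1, 2, 12, 4096, 350000, 359000,
                         51234, 443, 0, 0x18, 6, 0, 0, 0, 24, 24, 0)
    return header + record
```

Bound a UDP socket to port 2055 and pass each received datagram to parse_netflow_v5() to watch the flows arrive before they show up in the ntop web interface.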
Ntop WebUI Report
Report created on Sun Jan 12 15:28:19 2014 [ntop uptime: 44:04]
Generated by ntop v.5.0.1 (32 bit) [i686-pc-linux-gnu]
© 1998-2012 by Luca Deri, built: Jan 11 2014 23:13:11.
Version: the CURRENT stable version
Listening on [eth0,Mikrotik] for all packets (i.e. without a filtering expression)
Web reports include only interface "Mikrotik"
Troubleshooting Usage
**WARNING** INIT: Unable to create pid file (/usr/local/var/ntop/ntop.pid)
Make sure the ntop user is the owner of the directory (so it can write to it):
# chown ntop /usr/local/var/ntop
**ERROR** RRD: Disabled – unable to create base directory (err 13, /usr/local/var/ntop/rrd)
The directory may not exist, so create it and change ownership to the ntop user:
# mkdir /usr/local/var/ntop/rrd
# chown -R ntop /usr/local/var/ntop/rrd/
ERROR: Missing dot tool (expected /usr/local/bin/dot). Please set its path (key dot.path) here.
This may occur when trying to use a “Local Network Traffic Map” and dot is not found. Find out where dot is:
# which dot
/usr/bin/dot
And create a symlink (or alternatively edit preferences under https://localhost:3001/editPrefs.html):
# ln -s /usr/bin/dot /usr/local/bin/dot