Friday, 14 February 2014

Install NTOP on Debian and Configure to Use NetFlow on Mikrotik RouterOS


Ntop is a network monitoring tool similar to the Unix top command: it shows who is using the network and how much traffic they generate. Besides sniffing a local interface it can act as a NetFlow collector for flows exported by routers such as Cisco or Mikrotik devices. NetFlow is an industry-standard protocol for flow-based traffic monitoring: the router summarises each conversation (source, destination, ports, protocol, byte and packet counts) and sends the records over UDP to a collector.


We will install ntop from source and configure it to collect the flows exported by a Mikrotik router. Note that ntop and ntopng are different projects; this guide covers the original ntop (5.0.1), not ntopng.

Install Pre-required Software

We’re using Debian Wheezy:
# uname -rv
3.2.0-4-686-pae #1 SMP Debian 3.2.51-1
Update the system first:
# apt-get update
# apt-get upgrade
Install required software:
# apt-get install libtool automake autoconf make build-essential python-dev subversion
Install external tools and libraries required by ntop:
# apt-get install libpcap-dev libgdbm-dev zlib1g-dev libgeoip-dev libgraphviz-dev graphviz rrdtool librrd-dev

Ntop Installation via Source Code

Download the source package:
# cd ~ ; wget http://sourceforge.net/projects/ntop/files/ntop/Stable/ntop-5.0.1.tar.gz
Extract the archive:
# tar xvfz ntop-5.0.1.tar.gz && cd ntop-5.0.1
Configure, compile and install ntop:
# ./autogen.sh
# make
# make install
Create a new system account for ntop:
# useradd -r -s /bin/false ntop
Change ownership appropriately:
# chown -R ntop:ntop /usr/local/share/ntop /usr/local/lib/ntop
Update links and cache to the shared libraries:
# /sbin/ldconfig

Start Ntop as a Daemon

# ntop -cd -i eth0 -u ntop -W 3001 -m 10.132.1.0/24
-c : prevent idle hosts from being purged from memory (sticky hosts)
-d : causes ntop to become a daemon
-i : specifies the network interface to sniff
-u : the user ntop should drop privileges to after it initialises (it must be started as root to open the capture interface)
-W : starts the embedded ntop web server on this port for HTTPS
-m : specifies local subnets (hosts in these networks are reported as "local")
Use man ntop for more command line options if needed. A few things worth knowing before exposing the interface: if no admin password has been set yet, set one with ntop -A (--set-admin-password) before starting the daemon; by default ntop also serves plain HTTP on port 3000, so pass -w 0 if you only want HTTPS on 3001; and the firewall must allow TCP 3001 from your management hosts (ideally nothing else) and, once the NetFlow plugin is configured, UDP 2055 from the router only.

Troubleshooting Ntop

If you get the error message below when launching ntop:
error while loading shared libraries: libntopreport-5.0.1.so: cannot open shared object file: No such file or directory
Update links and cache to the shared libraries:
# /sbin/ldconfig

Enable and Configure NetFlow Plugin on Ntop

Connect to ntop web interface here:
https://<ntop_ip>:3001
Activate the NetFlow plugin: “Plugins” -> “NetFlow” -> “Activate”.
Open the NetFlow configuration panel: “Plugins” -> “NetFlow” -> “Configure”.
Click Add NetFlow Device and fill in the following:
  1. NetFlow Device: “Mikrotik”
  2. Local Collector UDP Port: 2055
  3. Virtual NetFlow Interface Network Address: 10.132.1.0/24 (change appropriately!)

Enable and Configure NetFlow on Mikrotik RouterOS

Enabling traffic flow on the Mikrotik can be done via SSH (or any RouterOS terminal):
[sandy@mikrotik] > /ip traffic-flow 
[sandy@mikrotik] /ip traffic-flow> set enabled=yes interfaces=all
Print current configuration:
[sandy@mikrotik] /ip traffic-flow> print
 enabled: yes
 interfaces: all
 cache-entries: 4k
 active-flow-timeout: 30m
 inactive-flow-timeout: 15s
Add NetFlow target (our Debian machine):
[sandy@mikrotik] /ip traffic-flow> /ip traffic-flow target
[sandy@mikrotik] /ip traffic-flow target> add address=10.132.1.27:2055 disabled=no version=5
Print target configuration:
[sandy@mikrotik] /ip traffic-flow target> print 
Flags: X - disabled 
 # ADDRESS VERSION
 0 10.132.1.27:2055 5
That’s it. Flow records are only exported when a flow expires (after active-flow-timeout for long-lived flows or inactive-flow-timeout once the conversation goes quiet), so wait a couple of minutes and then review the data in the ntop web interface. Note that newer RouterOS releases (6.x and later) split the target into separate parameters, i.e. dst-address=10.132.1.27 port=2055 version=5, instead of the combined address=IP:port shown above.
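Before trusting the ntop report it helps to confirm that what arrives on UDP 2055 really is NetFlow v5 from the router. The following decoder is an added example, not code from the original article or from the ntop project: it parses the fixed 24-byte v5 header and 48-byte records that a RouterOS target configured with version=5 sends, and the collector loop only accepts datagrams from the expected exporter, since NetFlow is unauthenticated UDP and anything that can reach the port could otherwise inject fake flows. The sample packet is constructed inline; the router address 10.132.1.1 and the flows in it are assumptions for the example.

```python
"""Decode NetFlow v5 export datagrams (what a Mikrotik target with version=5 sends)."""
import socket
import struct
from ipaddress import IPv4Address

# Fixed-size v5 layout: header (24 bytes) followed by up to 30 records (48 bytes each).
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30


def parse_netflow_v5(data: bytes) -> dict:
    """Return the header fields and a list of flow records, or raise ValueError."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > V5_MAX_RECORDS:
        raise ValueError(f"record count {count} exceeds the v5 maximum")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"length {len(data)} does not match {count} records ({expected} bytes)")

    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(data, off)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)),
            "in_if": in_if, "out_if": out_if,
            "packets": pkts, "octets": octets,
            "first_ms": first, "last_ms": last,          # router uptime in ms
            "src_port": sport, "dst_port": dport,
            "tcp_flags": tcp_flags, "proto": proto, "tos": tos,
            "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {
        "version": version, "count": count,
        "sys_uptime_ms": sys_uptime, "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_seq, "engine_type": engine_type, "engine_id": engine_id,
        "sampling_interval": sampling & 0x3FFF,           # low 14 bits; top 2 are the mode
        "records": records,
    }


def build_sample_packet() -> bytes:
    """Constructed sample: two flows as an exporter might report them (not captured data)."""
    flows = [
        # src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport, flags, proto, tos
        ("10.132.1.50", "93.184.216.34", "10.132.1.1", 1, 2, 12, 3456, 1000, 1500, 51234, 443, 0x18, 6, 0),
        ("10.132.1.27", "10.132.1.50", "0.0.0.0", 2, 1, 3, 1234, 2000, 2010, 2055, 40000, 0, 17, 0),
    ]
    header = V5_HEADER.pack(5, len(flows), 3600000, 1392400000, 0, 1000, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(IPv4Address(s).packed, IPv4Address(d).packed, IPv4Address(n).packed,
                       i, o, pk, oc, f, l, sp, dp, 0, fl, pr, tos, 0, 0, 24, 24, 0)
        for (s, d, n, i, o, pk, oc, f, l, sp, dp, fl, pr, tos) in flows)
    return header + body


def collect(port: int = 2056, allowed_exporters=("10.132.1.1",)) -> None:
    """Bind a UDP port and print decoded flows, dropping datagrams from unknown senders.
    Default port 2056 avoids clashing with ntop on 2055; add a second Mikrotik target for it."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src_ip, _) = sock.recvfrom(65535)
        if src_ip not in allowed_exporters:      # assumed router address; adjust to yours
            print(f"dropped datagram from unexpected exporter {src_ip}")
            continue
        try:
            pkt = parse_netflow_v5(data)
        except ValueError as err:
            print(f"bad datagram from {src_ip}: {err}")
            continue
        for r in pkt["records"]:
            print(f"seq={pkt['flow_sequence']} {r['src']}:{r['src_port']} -> "
                  f"{r['dst']}:{r['dst_port']} proto={r['proto']} "
                  f"pkts={r['packets']} bytes={r['octets']}")


if __name__ == "__main__":
    for rec in parse_netflow_v5(build_sample_packet())["records"]:
        print(rec["src"], "->", rec["dst"], rec["dst_port"], rec["octets"])
```

Run it with collect() on the Debian host while a second target on the router points at the chosen port; if flows print here but nothing appears in ntop, the problem is in the plugin configuration rather than the export. The strict length check matters: a truncated or padded datagram is rejected rather than silently misparsed.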

Ntop WebUI Report (screenshot of the NetFlow plugin report in the ntop web interface; image not included here)

Source: https://www.lisenet.com
