Using ntopng as *flow collector

I just want to point out that the free version doesn’t really offer that much. As far as I can tell, it only track the current data and there is no historical data retention. The moment you reboot, the data is gone. I think the best FOSS that I have encountered is nfsen. Not the prettiest one, but it gets the job done.

A few months ago, I posted how to install ntopng on CentOS 8 and forgot to post the part 2; this is part 2 of that post. Why do we need a *flow collector? To get a better visibility of our network.

Routers, switches, and firewalls will send *flow statistics to nProbe then nProbe will send these statistics data to the ntopng which is a network traffic analyzer. ntopng does not speak *flow, but nProbe does. nProbe will function as a translator for ntopng and ntopng will provide the graphical interface for us to view. See Figure 1.

Figure 1

nProbe comes with ntopng during the installation. As shown in Figure 1, nProbe is listening to port 2055 and translate this *flow data into json for ntopng to process. However, nProbe does not provide a graphical interface for admins to view. This is where ntopng comes in.

Multiple nProbe can be created under the /etc/nprobe. This can be used for each interface e.g. nprobe-eth0.conf to allow different probes to run separately from other probes. The filename format goes like this – nprobe-<int-name>.conf – where <int-name> is the interface name e.g. eth0, eth1, etc.

However, we are configuring a probe mode. Probe mode is not tied/mapped to an interface. nProbe sole purpose for our usecase is to collect NetFlow packets. To configure nProbe to accept NetFlow data from a network device(s), we need to create a new file /etc/nprobe/nprobe-none.conf. Add the following content to the new file.

--zmq="tcp://*:5556"
-T="@NTOPNG@"
-i=none
-n=none
--collector-port=2055

To setup ntopng, we need instruct ntopng to listen to nprobe. In Figure 1, we have our nprobe installed on the same host as ntopng. Therefore, the address will be the host loopback (127.0.0.1). In a situation where the nprobe is installed on a different host, the IP address has to be the IP address of the nprobe host. In our case, we are using the Figure 1 setup.

The --local-networks is a list of networks to monitor. If you have multiple networks to list, you can use commas to list several networks e.g. --local-networks=10.0.0.0/24,10.0.1.0/24,10.0.2.0/24.

-i="tcp://127.0.0.1:5556"
--local-networks="10.0.0.0/13"

If the following ntopng and nprobe services are not yet started, you can start and enable them.

systemctl enable --now ntopng
systemctl enable --now nprobe
systemctl enable --now nprobe@none

That’s about it. Navigate to your web UI and check it out.

Cheers!

Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x
WordPress Appliance - Powered by TurnKey Linux