Setting Up Fprobe And Ntop

From Alpine Linux

Goal: Setup fprobe as a NetFlow probe on an Alpine Linux router, and then ntop as a collector/analyzer on another machine.
Assumptions: Eth0 on router will be monitored, 192.168.0.1 is router interface on LAN side, 192.168.0.100 is ntop host, and port 2055 will be used for fprobe.

Router setup

Install packages:

apk add fprobe

Edit /etc/conf.d/fprobe (adjust lines shown below as needed - leave rest of config file as is):

IFACE=eth0
FLOW_VER=7
LOCALIP=192.168.0.1
REMOTEIP=192.168.0.100
PORT=2055

Start fprobe.

/etc/init.d/fprobe start

Ntop host setup

Add package:

apk add ntop

Edit /etc/conf.d/ntop (adjust path to ntop cache as needed):

NTOP_OPTS="-P /var/cache/ntop --http-server 3000 --https-server 0 --interface eth0"

Generate ntop password:

ntop --generate-admin-password

Start ntop:

/etc/init.d/ntop start

Open ntop web interface by browsing to http://192.168.0.100:3000.
Enable NetFlow plugin from the Plugins menu.
Create NetFlow device with proper options:

Local Collector UDP Port: 2055
Virtual NetFlow Interface Network Address: 192.168.0.100/255.255.255.0
Flow Aggregation (set as desired, bu TCP/UDP Port is a good choice)
Enable Session Handling: Yes
Debug: Off

Check after a minute or two that flows are being processed by going to the Summary -> Traffic menu option and making sure data is present for the collector port and rrd graphs are being generated.

In case have trouble creating password, you can delete previous databases and recreate again:

rm /var/ntop/ *.db

If receive error regarding font not found you can add ttf fonts:

apk add ttf-dejavu

Notes

• To monitor 2 interfaces (gre1 given as example), copy /etc/init.d/fprobe to /etc/init.d/fprobe.gre1, edit BIN= line to point to /usr/sbin/fprobe.gre. Copy /etc/conf.d/fprobe to /etc/conf.d/fprobe.gre and change interface line to IP on gre interface and port line to 2056. Finally, softlink /usr/sbin/fprobe.gre to /usr/sbin/fprobe.
• If there isn't data present, make sure firewall on both router and ntop host have port 2055 (and possibly 2056) open from the router to the ntop host.
• If you have a high-volume router that you are monitoring, you may end up hitting a folder limit for your rrd interfaces directory(max of 32 000) depending on how you have flows being processed/parsed. It may be necessary to schedule a cron job to clear out the cache periodically and restart ntop after deleting the older folders.