Setting Up Fprobe And Ntop

From Alpine Linux
Revision as of 08:52, 17 June 2011 by Fab (talk | contribs) (category added)

Goal: Setup fprobe as a NetFlow probe on an Alpine Linux router, and then ntop as a collector/analyzer on another machine.
Assumptions: Eth0 on router will be monitored, 192.168.0.1 is router interface on LAN side, 192.168.0.100 is ntop host, and port 2055 will be used for fprobe.

Router setup

Install packages:

apk add fprobe

Edit /etc/conf.d/fprobe (adjust lines shown below as needed - leave rest of config file as is):

IFACE=eth0
FLOW_VER=7
LOCALIP=192.168.0.1
REMOTEIP=192.168.0.100
PORT=2055

Start fprobe.

/etc/init.d/fprobe start

Ntop host setup

Add package:

apk add ntop

Edit /etc/conf.d/ntop (adjust path to ntop cache as needed):

NTOP_OPTS="-P /var/cache/ntop --http-server 3000 --https-server 0 --interface eth0"

Generate ntop password:

ntop --generate-admin-password

Start ntop:

/etc/init.d/ntop start

Open ntop web interface by browsing to http://192.168.0.100:3000.
Enable NetFlow plugin from the Plugins menu.
Create NetFlow device with proper options:

Local Collector UDP Port: 2055
Virtual NetFlow Interface Network Address: 192.168.0.100/255.255.255.0
Flow Aggregation (set as desired, bu TCP/UDP Port is a good choice)
Enable Session Handling: Yes
Debug: Off

Check after a minute or two that flows are being processed by going to the Summary -> Traffic menu option and making sure data is present for the collector port and rrd graphs are being generated.

Notes

  • To monitor 2 interfaces (gre1 given as example), copy /etc/init.d/fprobe to /etc/init.d/fprobe.gre1, edit BIN= line to point to /usr/sbin/fprobe.gre. Copy /etc/conf.d/fprobe to /etc/conf.d/fprobe.gre and change interface line to IP on gre interface and port line to 2056. Finally, softlink /usr/sbin/fprobe.gre to /usr/sbin/fprobe.
  • If there isn't data present, make sure firewall on both router and ntop host have port 2055 (and possibly 2056) open from the router to the ntop host.
  • If you have a high-volume router that you are monitoring, you may end up hitting a folder limit for your rrd interfaces directory(max of 32 000) depending on how you have flows being processed/parsed. It may be necessary to schedule a cron job to clear out the cache periodically and restart ntop after deleting the older folders.