Setting Up Fprobe And Ntop
Goal: Set up fprobe as a NetFlow probe on an Alpine Linux router, and ntop as a collector/analyzer on another machine.
Assumptions: eth0 on the router will be monitored, 192.168.0.1 is the router interface on the LAN side, 192.168.0.100 is the ntop host, and port 2055 will be used for fprobe.
Router setup
Install packages:
apk add fprobe
Edit /etc/conf.d/fprobe (adjust lines shown below as needed - leave rest of config file as is):
IFACE=eth0
FLOW_VER=7
LOCALIP=192.168.0.1
REMOTEIP=192.168.0.100
PORT=2055
Start fprobe:
/etc/init.d/fprobe start
Ntop host setup
Add package:
apk add ntop
Edit /etc/conf.d/ntop (adjust path to ntop cache as needed):
NTOP_OPTS="-P /var/cache/ntop --http-server 3000 --https-server 0 --interface eth0"
Generate ntop password:
ntop --generate-admin-password
Start ntop:
/etc/init.d/ntop start
Open ntop web interface by browsing to http://192.168.0.100:3000.
Enable NetFlow plugin from the Plugins menu.
Create NetFlow device with proper options:
Local Collector UDP Port: 2055
Virtual NetFlow Interface Network Address: 192.168.0.100/255.255.255.0
Flow Aggregation: set as desired, but TCP/UDP Port is a good choice
Enable Session Handling: Yes
Debug: Off
After a minute or two, check that flows are being processed: go to the Summary -> Traffic menu option and make sure data is present for the collector port and that RRD graphs are being generated.
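If the Summary -> Traffic page stays empty, it helps to know whether NetFlow v7 datagrams are reaching the ntop host at all. The following is an added example, not part of this page or of fprobe/ntop: a minimal decoder for the NetFlow v7 format that fprobe emits with FLOW_VER=7 (24-byte header, 52-byte records), with a listener you can run on the ntop host on port 2055 while ntop is stopped. The build_v7 helper only constructs a sample packet for offline testing.

```python
import socket
import struct
from ipaddress import IPv4Address

# NetFlow v7 wire format as exported by fprobe with FLOW_VER=7:
# a 24-byte header followed by `count` records of 52 bytes each.
# Header: version, count, sysuptime, unix_secs, unix_nsecs, flow_sequence, reserved
HEADER = struct.Struct("!HHIIIII")
# Record: src, dst, nexthop, input, output, dPkts, dOctets, First, Last, srcport,
# dstport, flags, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, flags2, router_sc
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBHI")


def parse_v7(packet):
    """Return (flow_sequence, [flows]) for one v7 datagram; raise ValueError if malformed."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than NetFlow header")
    version, count, _up, _secs, _nsecs, seq, _res = HEADER.unpack_from(packet)
    if version != 7:
        raise ValueError(f"expected NetFlow v7, got version {version}")
    if len(packet) != HEADER.size + count * RECORD.size:
        raise ValueError("packet length does not match record count")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(packet, HEADER.size + i * RECORD.size)
        flows.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return seq, flows


def listen(port=2055, bind_ip="0.0.0.0", max_packets=5):
    """Receive a few datagrams on the collector port and print the decoded flows."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    for _ in range(max_packets):
        data, (sender, _) = sock.recvfrom(65535)
        seq, flows = parse_v7(data)
        print(f"from {sender}: sequence {seq}, {len(flows)} flows")
        for fl in flows:
            print("  ", fl)


def build_v7(flows, seq=1):
    """Constructed test packet (not real fprobe output): pack flows into a v7 datagram."""
    body = b"".join(RECORD.pack(int(IPv4Address(r["src"])), int(IPv4Address(r["dst"])),
                                0, 0, 0, r["packets"], r["bytes"], 0, 0, r["sport"],
                                r["dport"], 0, 0, r["proto"], 0, 0, 0, 0, 0, 0, 0)
                    for r in flows)
    return HEADER.pack(7, len(flows), 0, 0, 0, seq, 0) + body


if __name__ == "__main__":
    listen()
```

Run it on the ntop host with ntop stopped (so port 2055 is free); decoded flows mean the router and firewalls are fine and the problem is in the ntop NetFlow device settings, while silence points at fprobe or the firewall.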
Notes
- To monitor 2 interfaces (gre1 given as the example), copy /etc/init.d/fprobe to /etc/init.d/fprobe.gre1 and edit its BIN= line to point to /usr/sbin/fprobe.gre. Copy /etc/conf.d/fprobe to /etc/conf.d/fprobe.gre and change the interface/IP lines to the gre interface and its IP address, and the port line to 2056. Finally, softlink /usr/sbin/fprobe.gre to /usr/sbin/fprobe so the second instance runs under its own binary name.
- If there isn't data present, make sure the firewalls on both the router and the ntop host allow UDP port 2055 (and possibly 2056) from the router to the ntop host.
- If you are monitoring a high-volume router, you may hit a folder limit for your RRD interfaces directory (max of 32 000), depending on how flows are being processed/parsed. It may be necessary to schedule a cron job that periodically clears out the cache, deletes the older folders, and then restarts ntop.