Setting Up Fprobe And Ntop

From Alpine Linux

Revision as of 10:14, 9 January 2011

Goal: Set up fprobe as a NetFlow probe (exporter) on an Alpine Linux router, and ntop as the collector/analyzer on another machine.
Assumptions: eth0 on the router is the monitored interface, 192.168.0.1 is the router's LAN-side address, 192.168.0.100 is the ntop host, and UDP port 2055 carries the flows from fprobe to ntop.

Router setup

Install packages:

apk add fprobe

Edit /etc/conf.d/fprobe (adjust the lines shown below as needed; leave the rest of the file as it is):

IFACE=eth0
FLOW_VER=7
LOCALIP=192.168.0.1
REMOTEIP=192.168.0.100
PORT=2055

Start fprobe.

/etc/init.d/fprobe start

Ntop host setup

Add package:

apk add ntop

Edit /etc/conf.d/ntop (adjust the path to the ntop cache as needed):

NTOP_OPTS="-P /var/cache/ntop --http-server 3000 --https-server 0 --interface eth0"

Generate ntop password:

ntop --generate-admin-password

Start ntop:

/etc/init.d/ntop start

Open the ntop web interface by browsing to http://192.168.0.100:3000 (plain HTTP: the --https-server 0 option above disables HTTPS).
Enable the NetFlow plugin from the Plugins menu.
Create a NetFlow device with the following options:

Local Collector UDP Port: 2055
Virtual NetFlow Interface Network Address: 192.168.0.100/255.255.255.0
Flow Aggregation: set as desired, but TCP/UDP Port is a good choice
Enable Session Handling: Yes
Debug: Off

After a minute or two, confirm that flows are being processed: open Summary -> Traffic and check that data is present for the collector port and that RRD graphs are being generated.
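If ntop shows nothing, it helps to check the exporter side independently of ntop. The following is an added example (not from the original page, and not fprobe or ntop code): a small NetFlow v5/v7 decoder. Run as `python3 nfcheck.py listen` on the ntop host while ntop is stopped (ntop otherwise holds UDP 2055), it prints the exporter's address and the first flows it receives; run without arguments it decodes a constructed sample datagram. The sample packet, the hosts 192.168.0.23 and 203.0.113.5 and all function names are assumptions of this example; the record layouts are the standard Cisco v5 (48-byte) and v7 (52-byte) formats, the latter matching FLOW_VER=7 in the router configuration above.

```python
"""NetFlow v5/v7 sanity check for an fprobe -> ntop export (added example; not
code from the Alpine wiki page, fprobe or ntop). The sample datagram and the
hosts in it are constructed here, not captured."""
import socket
import struct
import sys
from ipaddress import IPv4Address

# Header: version, count, SysUptime(ms), unix_secs, unix_nsecs, flow_sequence;
# 4 more bytes follow (engine/sampling in v5, reserved in v7), 24 bytes in all.
HEADER_FMT = "!HHIIII"
HEADER_LEN = 24
# Record fields shared by v5 and v7 (the first 46 bytes of every record).
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBB"
COMMON_LEN = struct.calcsize(RECORD_FMT)       # 46
RECORD_LEN = {5: 48, 7: 52}                    # v5 pads to 48, v7 adds flags2 + router_sc


def decode_packet(data: bytes) -> dict:
    """Decode one NetFlow v5/v7 export datagram. Raises ValueError on anything
    malformed, so a wrong FLOW_VER or a truncated datagram is reported, not ignored."""
    if len(data) < HEADER_LEN:
        raise ValueError(f"datagram too short for a NetFlow header: {len(data)} bytes")
    version, count, uptime, secs, _nsecs, seq = struct.unpack(HEADER_FMT, data[:20])
    if version not in RECORD_LEN:
        raise ValueError(f"NetFlow v{version} is not v5/v7; check FLOW_VER in /etc/conf.d/fprobe")
    rec_len = RECORD_LEN[version]
    expected = HEADER_LEN + count * rec_len
    if len(data) != expected:
        raise ValueError(f"v{version} datagram with count={count} should be {expected} bytes, got {len(data)}")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * rec_len
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _flags, tcp_flags, proto, tos, _src_as, _dst_as, src_mask, dst_mask) = struct.unpack(
            RECORD_FMT, data[off:off + COMMON_LEN])
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "nexthop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "pkts": pkts, "octets": octets, "first_ms": first, "last_ms": last,
            "sport": sport, "dport": dport, "tcp_flags": tcp_flags, "proto": proto,
            "tos": tos, "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return {"version": version, "count": count, "sys_uptime_ms": uptime,
            "unix_secs": secs, "flow_sequence": seq, "records": records}


def build_sample_packet(version: int = 7) -> bytes:
    """Constructed two-flow datagram in the shape fprobe on 192.168.0.1 would send
    (assumed addresses; 203.0.113.5 is a documentation address, not a real host)."""
    flows = [  # src, dst, sport, dport, proto, pkts, octets, tcp_flags
        ("192.168.0.23", "203.0.113.5", 51234, 443, 6, 12, 2048, 0x1b),
        ("192.168.0.23", "192.168.0.1", 40000, 53, 17, 1, 64, 0),
    ]
    body = b""
    for src, dst, sport, dport, proto, pkts, octets, tcp_flags in flows:
        rec = struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                          b"\0\0\0\0", 1, 0, pkts, octets, 1000, 2000, sport, dport,
                          0, tcp_flags, proto, 0, 0, 0, 24, 0)
        body += rec.ljust(RECORD_LEN[version], b"\0")     # version-specific trailer zeroed
    header = struct.pack(HEADER_FMT, version, len(flows), 60000, 1294567200, 0, 100)
    return header + b"\0\0\0\0" + body


def listen(port: int = 2055, bind_ip: str = "0.0.0.0", max_packets: int = 3) -> None:
    """Bind the collector port (ntop must be stopped, it holds 2055 otherwise) and
    decode the first datagrams; the printed source address must be the router's
    LOCALIP, since NetFlow carries no authentication of its own."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(120)
    try:
        for _ in range(max_packets):
            data, (src_ip, src_port) = sock.recvfrom(65535)
            try:
                pkt = decode_packet(data)
            except ValueError as err:
                print(f"{src_ip}:{src_port} sent an undecodable datagram: {err}")
                continue
            print(f"{src_ip}:{src_port} v{pkt['version']} seq={pkt['flow_sequence']} flows={pkt['count']}")
            for r in pkt["records"]:
                print(f"  {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} "
                      f"proto={r['proto']} pkts={r['pkts']} bytes={r['octets']}")
    except socket.timeout:
        print(f"no NetFlow datagrams on UDP {port} in 120 s: check fprobe and the firewall")
    finally:
        sock.close()


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "listen":
        listen()
    else:
        for rec in decode_packet(build_sample_packet())["records"]:
            print(rec)
```

Two things this catches that the ntop page does not: a FLOW_VER that differs from the version the ntop NetFlow device expects shows up as the version number in the first line of output, and since NetFlow is plain UDP with no authentication, any source address other than 192.168.0.1 means something other than the router is reaching the collector port and the firewall rule is too wide.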

Notes

  • To monitor two interfaces (gre1 is used as the example), run a second fprobe instance under its own service name: copy /etc/init.d/fprobe to /etc/init.d/fprobe.gre1 and edit its BIN= line to point to /usr/sbin/fprobe.gre1; copy /etc/conf.d/fprobe to /etc/conf.d/fprobe.gre1 (the init script reads the conf.d file matching its own name) and change the interface line to the gre interface and the port line to 2056; finally, create a symlink /usr/sbin/fprobe.gre1 pointing to /usr/sbin/fprobe, so the second instance runs under a distinct process name and the two init scripts do not confuse each other's processes. On the ntop host, add a second NetFlow device listening on UDP port 2056.
  • If no data appears, make sure the firewalls on both the router and the ntop host allow UDP port 2055 (and 2056 if a second probe was added) from the router to the ntop host. Restrict the rule to the router's source address: NetFlow export is unauthenticated UDP, so any host allowed to reach the collector port can inject flow records into ntop.
  • The NTOP_OPTS above run the web interface over plain HTTP on port 3000 (--https-server 0 disables HTTPS), so the admin password and the traffic reports travel in cleartext; keep port 3000 reachable only from trusted administration hosts.