Ntop is a network monitoring tool similar to Unix top, which shows network traffic usage. It can act as a NetFlow collector for flows generated by routers such as Cisco or Mikrotik. NetFlow is an industry standard for flow-based traffic monitoring.
We will install and configure Ntop to collect flows generated by Mikrotik router. Note: “Ntop” != “NtopNG”.
Install Pre-required Software
We’re using Debian Wheezy:
$ uname -rv
3.2.0-4-686-pae #1 SMP Debian 3.2.51-1
Update the system first:
# apt-get update && apt-get upgrade -uV
Install required software:
# apt-get install libtool automake autoconf make build-essential python-dev subversion
Install external tools and libraries required by ntop:
# apt-get install libpcap-dev libgdbm-dev zlib1g-dev libgeoip-dev libgraphviz-dev \
> graphviz rrdtool librrd-dev
Ntop Installation via Source Code
Download the source package:
# cd ~ ; wget http://sourceforge.net/projects/ntop/files/ntop/Stable/ntop-5.0.1.tar.gz
Extract the archive:
# tar xvfz ntop-5.0.1.tar.gz && cd ntop-5.0.1
Configure, compile and install ntop:
# ./autogen.sh
# make
# make install
Create a new system account for ntop:
# useradd -r -s /bin/false ntop
Change ownership appropriately:
# chown -R ntop:ntop /usr/local/share/ntop /usr/local/lib/ntop /usr/local/var/ntop
Update links and cache to the shared libraries:
# /sbin/ldconfig
Start Ntop as a Daemon
# ntop -cd -i eth0 -u ntop -W 0.0.0.0:3001 -m 10.132.1.0/24
-c : prevent idle hosts from being purged from memory
-d : causes ntop to become a daemon
-i : specifies the network interface to use
-u : the user ntop should run as after it initialises (but must be started as root)
-W : starts the embedded ntop web server for HTTPS on the given address:port
-m : specifies local subnets
Use man ntop for more command line options if needed. Also note that port 3001 needs to be opened on the firewall if public access is needed.
Troubleshooting Ntop
If you get the error message below when launching ntop:
error while loading shared libraries: libntopreport-5.0.1.so: cannot open shared object file: No such file or directory
Update links and cache to the shared libraries:
# /sbin/ldconfig
Enable and Configure NetFlow Plugin on Ntop
Connect to ntop web interface here:
https://localhost:3001
Activate the NetFlow plugin: “Plugins” -> “NetFlow” -> “Activate”.
Open NetFlow configuration panel: “Plugins” -> “NetFlow” -> “Configure”.
Click Add NetFlow Device and fill in the following:
- NetFlow Device: “Mikrotik”
- Local Collector UDP Port: 2055
- Virtual NetFlow Interface Network Address: 10.132.1.0/24 (change appropriately!)
Enable and Configure NetFlow on Mikrotik RouterOS
Enabling traffic flow on the Mikrotik can be done via SSH:
[sandy@mikrotik] > /ip traffic-flow
[sandy@mikrotik] /ip traffic-flow> set enabled=yes interfaces=all
Print current configuration:
[sandy@mikrotik] /ip traffic-flow> print
enabled: yes
interfaces: all
cache-entries: 4k
active-flow-timeout: 30m
inactive-flow-timeout: 15s
Add NetFlow target (our Debian machine):
[sandy@mikrotik] /ip traffic-flow> /ip traffic-flow target
[sandy@mikrotik] /ip traffic-flow target> add address=10.132.1.27:2055 disabled=no version=5
Print target configuration:
[sandy@mikrotik] /ip traffic-flow target> print
Flags: X - disabled
# ADDRESS VERSION
0 10.132.1.27:2055 5
That’s it; now we wait a couple of minutes and review the data in the ntop web interface.
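What actually arrives on UDP port 2055 is a stream of NetFlow v5 datagrams: a 24-byte header followed by up to 30 fixed 48-byte flow records. The following is an added example (not ntop's or Mikrotik's own code) that decodes such a datagram and rejects truncated or mismatched ones, which is useful when checking with a packet capture that the router is really exporting to the collector. The sample flows it builds are constructed with TEST-NET addresses, not captured traffic.

```python
import socket
import struct

# NetFlow v5 wire format: big-endian header of 9 fields, then N records of 20 fields.
V5_HEADER = struct.Struct(">HHIIIIBBH")               # version, count, uptime, secs, nsecs, seq, engine type/id, sampling
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in/out if, pkts, octets, first, last, ports, ...


def build_v5_packet(records, sequence=0):
    """Assemble a v5 datagram from (src, dst, sport, dport, proto, pkts, octets) tuples.
    Only used to construct sample input here; the router produces the real datagrams."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                       pk, oc, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, oc in records)
    header = V5_HEADER.pack(5, len(records), 1000, 1389540000, 0, sequence, 0, 0, 0)
    return header + body


def parse_v5_packet(data):
    """Decode a v5 datagram into flow dicts; raise ValueError on anything malformed."""
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    # The header's record count must match the datagram length exactly.
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count %d does not match datagram length %d" % (count, len(data)))
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "sport": f[9], "dport": f[10], "proto": f[13],
            "packets": f[5], "octets": f[6], "tcp_flags": f[12], "sequence": seq,
        })
    return flows


# Constructed sample: one DNS query and one HTTPS session from a LAN host (TEST-NET addresses).
SAMPLE = build_v5_packet([
    ("10.132.1.50", "192.0.2.53", 51234, 53, 17, 2, 160),
    ("10.132.1.50", "198.51.100.34", 44321, 443, 6, 40, 51200),
], sequence=7)

if __name__ == "__main__":
    for flow in parse_v5_packet(SAMPLE):
        print(flow)
```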
Ntop WebUI Report
Report created on Sun Jan 12 15:28:19 2014 [ntop uptime: 44:04]
Generated by ntop v.5.0.1 (32 bit) [i686-pc-linux-gnu]
© 1998-2012 by Luca Deri, built: Jan 11 2014 23:13:11.
Version: the CURRENT stable version
Listening on [eth0,Mikrotik] for all packets (i.e. without a filtering expression)
Web reports include only interface "Mikrotik"
Troubleshooting Usage
**WARNING** INIT: Unable to create pid file (/usr/local/var/ntop/ntop.pid)
Make sure the ntop user is the owner of the directory (so it can write to it):
# chown ntop /usr/local/var/ntop
**ERROR** RRD: Disabled – unable to create base directory (err 13, /usr/local/var/ntop/rrd)
The directory may not exist, so create it and change ownership to ntop user:
# mkdir /usr/local/var/ntop/rrd
# chown -R ntop /usr/local/var/ntop/rrd/
ERROR: Missing dot tool (expected /usr/local/bin/dot). Please set its path (key dot.path) here.
This may occur when trying to use the “Local Network Traffic Map” and dot is not found. Find out where dot is:
# which dot
/usr/bin/dot
And create a symlink (or alternatively edit the preferences under https://localhost:3001/editPrefs.html):
# ln -s /usr/bin/dot /usr/local/bin/dot