{"id":889,"date":"2014-06-18T01:43:01","date_gmt":"2014-06-18T04:43:01","guid":{"rendered":"http:\/\/www.viazap.com.br\/?p=889"},"modified":"2014-06-18T01:44:42","modified_gmt":"2014-06-18T04:44:42","slug":"install-ntop-on-debian-and-configure-to-use-netflow-on-mikrotik-routeros","status":"publish","type":"post","link":"https:\/\/blog.clusterweb.com.br\/?p=889","title":{"rendered":"Install NTOP on Debian and Configure to Use NetFlow on Mikrotik RouterOS"},"content":{"rendered":"
\n

Ntop<\/a>\u00a0is a network monitoring tool similar to Unix top, which shows network traffic usage. It can act\u00a0as a NetFlow collector for flows generated by routers such as Cisco or Mikrotik. NetFlow is an industry standard for flow-based traffic monitoring.<\/p>\n

We will install and configure Ntop to collect flows generated by Mikrotik router.\u00a0Note:<\/strong>\u00a0\u201cNtop\u201d != \u201cNtopNG\u201d.<\/p>\n

Install Pre-required Software<\/h2>\n

We\u2019re using Debian Wheezy:<\/p>\n

$ uname -rv<\/strong>\r\n3.2.0-4-686-pae #1 SMP Debian 3.2.51-1<\/pre>\n
Update the system first:<\/p>\n
# apt-get update && apt-get upgrade -uV<\/pre>\n
Install required software:<\/p>\n
# apt-get install libtool automake autoconf make build-essential python-dev subversion<\/pre>\n
Install external tools and libraries required by ntop:<\/p>\n
# apt-get install libpcap-dev libgdbm-dev zlib1g-dev libgeoip-dev libgraphviz-dev \\\r\n> graphviz rrdtool librrd-dev<\/pre>\n
<\/p>\n
Ntop Installation via Source Code<\/h2>\n
Download the source package:<\/p>\n
# cd ~ ; wget http:\/\/sourceforge.net\/projects\/ntop\/files\/ntop\/Stable\/ntop-5.0.1.tar.gz<\/pre>\n
Extract the archive:<\/p>\n
# tar xvfz ntop-5.0.1.tar.gz && cd ntop-5.0.1<\/pre>\n
Configure, compile and install ntop:<\/p>\n
# .\/autogen.sh\r\n# make\r\n# make install<\/pre>\n
Create a new system account for ntop:<\/p>\n
# useradd -r -s \/bin\/false ntop<\/pre>\n
Change ownership appropriately:<\/p>\n
# chown -R ntop:ntop \/usr\/local\/share\/ntop \/usr\/local\/lib\/ntop \/usr\/local\/var\/ntop<\/pre>\n
Update links and cache to the shared libraries:<\/p>\n
# \/sbin\/ldconfig<\/pre>\n
Start Ntop as a Daemon<\/h2>\n
# ntop -cd -i eth0 -u ntop -W 0.0.0.0:3001 -m 10.132.1.0\/24<\/pre>\n
-c :\u00a0prevent idle hosts from being purged from memory
\n-d : causes ntop to become a daemon
\n-i : specifies the network interface to use
\n-u :\u00a0the user ntop should run as after it initialises (but must be started as root)
\n-W : starts\u00a0an embedded ntop web server for HTTPS
\n-m : specifies local subnets<\/p>\n
Use\u00a0man ntop<\/em>\u00a0for more command line options if needed. Also note that port 3001 needs to opened on a firewall if public access is needed.<\/p>\n
Troubleshooting Ntop<\/h2>\n
If you get the error message below when launching ntop:<\/p>\n
error while loading shared libraries: libntopreport-5.0.1.so: cannot open shared object file: No such file or directory<\/em><\/span><\/pre>\n
Update links and cache to the shared libraries:<\/p>\n
# \/sbin\/ldconfig<\/pre>\n
Enable and Configure NetFlow Plugin on Ntop<\/h2>\n
Connect to ntop web interface here:<\/p>\n
https:\/\/localhost:3001<\/code><\/p>\n
Active NetFlow plugin:\u00a0\u201cPlugins\u201d -> \u201cNetFlow\u201d -> \u201cActivate\u201d<\/em><\/strong>.<\/p>\n
Open NetFlow configuration panel:\u00a0\u201cPlugins\u201d -> \u201cNetFlow\u201d -> \u201cConfigure\u201d<\/strong>.<\/em><\/p>\n
Click Add NetFlow Device and fill in the following:<\/p>\n
    \n
  1. NetFlow Device: \u201cMikrotik\u201d<\/li>\n
  2. Local Collector UDP Port: 2055<\/li>\n
  3. Virtual NetFlow Interface Network Address: 10.132.1.0\/24\u00a0(change appropriately!)<\/em><\/li>\n<\/ol>\n
    \"\"<\/a><\/p>\n
    Enable and Configure NetFlow on Mikrotik RouterOS<\/h2>\n
    Enabling traffic flow on the Mikrotik can be done via SSH:<\/p>\n
    [sandy@mikrotik] > <\/span>\/ip traffic-flow \r\n[sandy@mikrotik] \/ip traffic-flow> <\/span>set enabled=yes interfaces=all<\/pre>\n
    Print current configuration:<\/p>\n
    [sandy@mikrotik]\u00a0\/ip traffic-flow><\/span> print\r\n enabled: yes\r\n interfaces: all\r\n cache-entries: 4k\r\n active-flow-timeout: 30m\r\n inactive-flow-timeout: 15s<\/pre>\n
    Add NetFlow target (our Debian machine):<\/p>\n
    [sandy@mikrotik]\u00a0\/ip traffic-flow><\/span> \/ip traffic-flow target\r\n[sandy@mikrotik]\u00a0\/ip traffic-flow target><\/span> add address=10.132.1.27:2055 disabled=no version=5<\/pre>\n
    Print target configuration:<\/p>\n
    [sandy@mikrotik]\u00a0\/ip traffic-flow target><\/span> print \r\nFlags: X - disabled \r\n # ADDRESS VERSION\r\n 0 10.132.1.27:2055 5<\/pre>\n
    That\u2019s it, now we have to wait a couple of minutes and review data in the ntop web interface.<\/p>\n
    Ntop WebUI Report<\/h2>\n
    \n
    Report created on Sun Jan 12 15:28:19 2014 [ntop uptime: 44:04]\u00a0\r\nGenerated by ntop v.5.0.1 (32 bit) [i686-pc-linux-gnu]\r\n\u00a9 1998-2012 by Luca Deri, built: Jan 11 2014 23:13:11.\r\nVersion: the CURRENT stable version<\/span>\r\nListening on [eth0,Mikrotik] for all packets (i.e. without a filtering expression)\u00a0\r\nWeb reports include only interface \"Mikrotik\"<\/pre>\n<\/div>\n
    Troubleshooting Usage<\/h2>\n
    **WARNING** INIT: Unable to create pid file (\/usr\/local\/var\/ntop\/ntop.pid)<\/em><\/span><\/h3>\n
    Make sure ntop user is the owner of the directory (so can write to it):<\/p>\n
    # chown ntop \/usr\/local\/var\/ntop<\/pre>\n
    **ERROR** RRD: Disabled \u2013 unable to create base directory (err 13, \/usr\/local\/var\/ntop\/rrd)<\/em><\/span><\/h3>\n
    The directory may not exist, so create it and change ownership to ntop user:<\/p>\n
    # mkdir \/usr\/local\/var\/ntop\/rrd\r\n# chown -R ntop \/usr\/local\/var\/ntop\/rrd\/<\/pre>\n
    ERROR: Missing dot tool (expected \/usr\/local\/bin\/dot). Please set its path (key dot.path) here.<\/span><\/em><\/h3>\n
    This may occur trying to use a \u201cLocal Network Traffic Map\u201d when dot is not found. Find out where dot is:<\/p>\n
    # which dot<\/strong>\r\n\/usr\/bin\/dot<\/pre>\n
    And create a symlink (or alternatively\u00a0edit preferences under\u00a0https:\/\/localhost:3001\/editPrefs.html<\/code>):<\/p>\n
    # ln -s \/usr\/bin\/dot \/usr\/local\/bin\/dot<\/pre>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
    Ntop\u00a0is a network monitoring tool similar to Unix top, which shows network traffic usage. It can act\u00a0as a NetFlow collector for flows generated by routers such as Cisco or Mikrotik. NetFlow is an industry standard for flow-based traffic monitoring. We will install and configure Ntop to collect flows generated by Mikrotik router.\u00a0Note:\u00a0\u201cNtop\u201d != \u201cNtopNG\u201d. Install […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[455,1,42,51,415,495,68,271],"tags":[621,292,291,623,619,620,624,622],"class_list":["post-889","post","type-post","status-publish","format-standard","hentry","category-apache2","category-viazap","category-leitura-recomendada","category-linux-linuxrs","category-mikrotik-2","category-profissional-de-ti","category-redes-2","category-seguranca-2","tag-and","tag-configure","tag-install","tag-netflow","tag-ntop","tag-on-debian","tag-on-mikrotik-routeros","tag-to-use"],"_links":{"self":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=889"}],"version-history":[{"count":2,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/889\/revisions"}],"predecessor-version":[{"id":891,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=\/wp\/v2\/posts\/889\/revisions\/891"}],"wp:attachment":[{"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.clusterweb.com.br\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}