Netflow Setup with Ntop

When I worked for an ISP, I was always surprised when clients would ring and ask why they had gone over their quota. These weren't home users; many of them were major corporations spanning several sites, with equipment in several of our datacentres. Even in small networks it is important to know what data is traversing your network, even if it is just to know who is running BitTorrent and slowing everyone's internet down. But it also has many more uses than that. It is a great way to detect anomalies in your network, which are most often caused by viruses, malware, trojans and all the fun stuff.

Luckily for us, most of the major vendors support at least one protocol for monitoring traffic flow. There is Netflow, developed by Cisco and supported by a number of vendors; sFlow, which although not as accurate is great for high-speed networks; and jFlow by Juniper, just to name a few. Don't confuse these with standard SNMP monitoring: while SNMP does a great job of showing the amount of data on your network, it fails to show a breakdown of what that data is.

Recently I noticed a large amount of data going missing on my home internet connection, and I decided to take the opportunity to write up how to set up Netflow. Being the nerd I am, I run a Cisco 851 router at home. The basic layout this post walks through is as follows: the Cisco router will have Netflow configured to send Netflow data to a server running Ntop.

Ntop can act not only as a Netflow collector but also as an sFlow collector. It can also be put on the end of a mirror port and use data received on one or multiple interfaces to log data. I am running Ntop on a minimal install of CentOS 5.5. Ntop can also be installed on Windows if you are more comfortable with that. The following steps will walk you through installing Ntop and then configuring a Cisco router to send Netflow data to it.

Installing Ntop

To start with we need to install some required packages:

[root@netflow ~]# yum install libpcap-devel libpcap libtool gcc

Once that is done we then need to download and install RRD. This is required by Ntop and is used to log data and then graph it.

[root@netflow ~]# cd /tmp/
[root@netflow tmp]# wget http://oss.oetiker.ch/rrdtool/pub/rrdtool.tar.gz
[root@netflow tmp]# tar -zxvf rrdtool.tar.gz
[root@netflow tmp]# cd rrdtool-1.4.4/
[root@netflow rrdtool-1.4.4]# ./configure
[root@netflow rrdtool-1.4.4]# make
[root@netflow rrdtool-1.4.4]# make install

Once RRD is installed we then need to install GeoIP:

[root@netflow ~]# cd /tmp/
[root@netflow tmp]# wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.6.tar.gz
[root@netflow tmp]# tar -zxvf GeoIP-1.4.6.tar.gz
[root@netflow tmp]# cd GeoIP-1.4.6
[root@netflow GeoIP-1.4.6]# ./configure
[root@netflow GeoIP-1.4.6]# make
[root@netflow GeoIP-1.4.6]# make install

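Now it is time to actually install Ntop. Note that you may have to change the --with-rrd-home= option to reflect where RRD was installed. The download URL is quoted because it contains & characters, which the shell would otherwise treat as command separators, and -O names the saved file so the tar command that follows can find it.

[root@netflow ~]# cd /tmp/
[root@netflow tmp]# wget -O ntop-4.0.tar.gz "http://downloads.sourceforge.net/project/ntop/ntop/ntop-4.0/ntop-4.0.tar.gz?r=http%3A%2F%2Ffreshmeat.net%2Fprojects%2Fntop%2F&ts=1289727452&use_mirror=internode"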
[root@netflow tmp]# tar -zxvf ntop-4.0.tar.gz
[root@netflow tmp]# cd ntop-4.0
[root@netflow ntop-4.0]# sh autogen.sh
[root@netflow ntop-4.0]# ./configure --with-rrd-home=/opt/rrdtool-1.4.4/
[root@netflow ntop-4.0]# make
[root@netflow ntop-4.0]# make install

Now we just need to create a user for Ntop to run as and set the correct permissions:

[root@netflow ntop-4.0]# useradd -M -s /sbin/nologin -r ntop
[root@netflow ntop-4.0]# chown -R ntop:ntop /usr/local/share/ntop

Configuring Ntop

Now that Ntop is installed we need to configure it. The first thing is setting an admin password. Run the following command and you will be prompted to set the password:

[root@netflow ~]# ntop -u ntop

Now we need to configure Ntop to start at boot. Add the following command to your /etc/rc.local file, replacing eth0 with the interface you have set up to listen on.

/usr/local/bin/ntop -i "eth0" -M -d -L -u ntop -P /usr/local/var/ntop --skip-version-check --use-syslog=daemon

Run the above command to start Ntop without having to reboot. Once Ntop is running, open a web browser and go to port 3000 on the server. In this case http://192.168.1.41:3000/

From the menu go to Plugins > All. Click the No next to the Netflow Plugin to first enable it. Then click the Netflow link to configure Netflow. Now you need to configure each device that will be sending Netflow data. Click the add Netflow device button to add the device. The main things you need to set are:

  1. Netflow Device – Set this to the name of the device that will be sending data. In this case rt1
  2. Local collector UDP port – This is the port that Ntop will listen for Netflow data on. In this case 2055
  3. Virtual NetFlow Interface Network Address – Set this to the network you will be receiving Netflow data from. In this case 192.168.1.0/255.255.255.0; we could also use 192.168.1.0/24

Ntop is now configured to start receiving Netflow data. All that is left is the configuration of the router.

Configuring Devices

Netflow is enabled per interface and per direction. This means you set which interfaces to collect Netflow data for and which direction (incoming or outgoing) you want to collect data for.

An 852 is slightly different, so we enable it on a VLAN rather than on ports; however, the commands we use on the VLAN are the same as those used to configure a port. The first thing we need to do is set both the Netflow collector IP and the port to send it on.

ip flow-export destination 192.168.1.41 2055

Then we need to set the version of Netflow to use. Ntop supports both v5 and v9; however, v5 is the most commonly used.

ip flow-export version 5

The last global command sets the source interface the router will use to send data. In most cases this will be the management interface for the device.

ip flow-export source Vlan1

Now we need to configure the interface itself. The following commands are entered in interface configuration mode for the VLAN and enable flow data for traffic in both directions:

ip flow ingress
ip flow egress
ip route-cache flow

Analysing the Data

Ntop should now start showing you data. Some of the more interesting reports are:

Protocols > All Traffic – This shows the traffic to and from each IP. You can sort the headings by clicking on them. This makes it easy to find the largest data users. You can click on an IP to get a more detailed breakdown.

Protocols > Throughput – This shows the current throughput by each IP. This is great if you are having performance issues to determine what is causing it. Like above you can click on an IP to get a more detailed breakdown.

Summary > Traffic – This gives you great graphs on the breakdown of data flow. This is great to get an overall idea of what protocols are using data.

IP > Traffic Directions – These reports allow you to view data based on the direction of the traffic.

Troubleshooting

If you are having issues, here are some basic steps to ensure you have everything configured:

  1. Obvious but can you ping from the Device to the Ntop Server?
  2. Is the Ntop service running? (ps aux | grep ntop)
  3. Is the device generating flows? (Router#show ip flow export)
  4. Is the configuration correct?
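
To check the export independently of Ntop, the following added example (not part of the original post and not Ntop code) decodes the NetFlow v5 datagrams the router sends to UDP port 2055 and totals bytes per source IP. The exporter address 192.168.1.1 and the build_sample helper with its addresses are assumptions for illustration; stop Ntop or pick another port before running the listener on the same server.

```python
import socket
import struct
from collections import Counter

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one export datagram into (flow_sequence, list of flow dicts).
    v5 carries 1-30 records; anything that disagrees with its own count is rejected."""
    if len(datagram) < HEADER.size:
        raise ValueError("shorter than a NetFlow v5 header")
    version, count, _, _, _, seq, _, _, _ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError("version field is %d, expected 5" % version)
    if not 1 <= count <= 30 or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    recs = [RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size) for i in range(count)]
    return seq, [{"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                  "bytes": f[6], "dport": f[10], "proto": f[13]} for f in recs]

def top_talkers(datagrams, n=3):
    """Sum exported bytes per source IP across datagrams, largest first."""
    totals = Counter()
    for datagram in datagrams:
        for flow in parse_v5(datagram)[1]:
            totals[flow["src"]] += flow["bytes"]
    return totals.most_common(n)

def build_sample(flows, seq=0):
    """Constructed test input: pack (src, dst, bytes, dport) tuples as TCP flows."""
    body = b"".join(
        RECORD.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0" * 4, 1, 2,
                    10, octets, 0, 0, 40000, dport, 0, 0x18, 6, 0, 0, 0, 24, 0, 0)
        for s, d, octets, dport in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, seq, 0, 0, 0) + body

if __name__ == "__main__":
    EXPORTER = "192.168.1.1"   # assumption: the router's address, not given in the post
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", 2055))          # same UDP port as the flow-export destination
    while True:
        data, (peer, _) = sock.recvfrom(2048)
        if peer != EXPORTER:              # v5 is unauthenticated UDP: ignore other senders
            continue
        try:
            print(top_talkers([data]))
        except ValueError as err:
            print("malformed datagram from %s: %s" % (peer, err))
```

If the listener prints nothing while the router reports exported flows, the datagrams are being lost or filtered between the two hosts, or the router is sending from a different source address.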
