ntop [ntopng] is a very powerful network traffic monitoring system. Its web interface shows network traffic in live mode, including top hosts, top flow talkers, application protocols in use and top flow senders. Each node's active flows can also be viewed live through the web interface.

1. Install NTOP repo

Execute the following two commands to add the ntopng repository

# wget http://www.nmon.net/apt-stable/14.04/all/apt-ntop-stable.deb

Now install the ntop stable repository using the following command

# dpkg -i apt-ntop-stable.deb

2. Install NTOPNG

Browse to "/etc/apt/sources.list.d/" and you should see the "ntop-stable.list" file. Now install ntopng with

# apt-get update
# apt-get -y install pfring nprobe ntopng ntopng-data n2disk nbox

This will install all dependencies, including ntopng, ntopng-data, pfring, redis-server and redis-tools.

3. Configure NTOPNG

Now create a configuration file named ntopng.conf inside /etc/ntopng and add the following lines to it. [ * Replace the local network with your own; we use 172.31.0.0/20 here ]

--pid-path=/var/run/ntopng.pid
--daemon
--interface=eth0
--http-port=3000
--local-networks="172.31.0.0/20"
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--community

Create an empty file named "ntopng.start". It must exist in the folder /etc/ntopng

# touch /etc/ntopng/ntopng.start

Start ntopng with:

# service ntopng start

It will also be started automatically after a reboot.
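
A check worth running on /etc/ntopng/ntopng.conf before starting or restarting ntopng, since option lines copied from a web page often arrive with typographic dashes and curly quotes that are not read as options. This is an added example, not part of the original tutorial; the function name lint_ntopng_conf is hypothetical and it only validates the values of the two options named in its comments.

```shell
#!/bin/sh
# Added example (not from the original tutorial): lint an ntopng.conf.
# Usage: lint_ntopng_conf /etc/ntopng/ntopng.conf
# Prints one line per problem; returns 0 when the file is clean.
lint_ntopng_conf() {
    conf=$1
    problems=0
    lineno=0
    [ -r "$conf" ] || { echo "cannot read $conf"; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        # Curly quotes and primes picked up from a web page stay in the value.
        if printf '%s\n' "$line" | grep -q -F -e '“' -e '”' -e '″'; then
            echo "$conf:$lineno: typographic quote: $line"
            problems=$((problems + 1))
        fi
        case $line in
            --http-port=*)
                port=${line#--http-port=}
                case $port in
                    ''|*[!0-9]*)
                        echo "$conf:$lineno: port is not a number: $port"
                        problems=$((problems + 1)) ;;
                esac ;;
            --local-networks=*)
                nets=${line#--local-networks=}
                nets=${nets#\"}; nets=${nets%\"}  # drop ASCII quotes
                # Assumption: comma-separated IPv4 CIDR blocks only.
                cidr='[0-9]{1,3}(\.[0-9]{1,3}){3}/[0-9]{1,2}'
                printf '%s\n' "$nets" | grep -Eq "^$cidr(,$cidr)*\$" || {
                    echo "$conf:$lineno: not an IPv4 CIDR list: $nets"
                    problems=$((problems + 1))
                } ;;
            -*) ;;                            # any other ASCII-dash option
            *)  # en dash, em dash or stray text: not read as an option
                echo "$conf:$lineno: does not start with '-': $line"
                problems=$((problems + 1)) ;;
        esac
    done < "$conf"
    [ "$problems" -eq 0 ]
}
```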

4. Configure Firewall

Configure the firewall to allow inbound traffic to the ntopng server.

For iptables users:

# sudo iptables -A INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT

Restart iptables

# service iptables restart

For UFW users:

# sudo ufw allow 3000/tcp
# sudo ufw reload

5. Run ntopng

Restart ntopng using the following command

# service ntopng restart

To verify that ntopng is running, use the netstat command.

# netstat -tulpn | grep :3000

6. Testing ntopng

Now you can test your ntopng installation by opening http://demohost.com:3000 in a browser. You will see the ntopng login page.

For the first time, you can use user ‘admin’ and password ‘admin’. You will be redirected to the dashboard.

Click hosts

7. Configure the ntopng collector to receive flows from another device such as a Cisco router

Edit ntopng.conf, add the following line at the end of the file and save it [ You may choose another port number; in this tutorial we use port 5559 ]

nano /etc/ntopng/ntopng.conf
-i=tcp://your-sender-ip-address:5559

Next we need to start the collector with the following command

nprobe --zmq "tcp://your-sender-ip-address:5559" -i none -n none --collector-port 2055

8. Cisco Router IP Flow Configuration Example

Global Configuration

config# ip flow-cache timeout active 1
config# ip flow-export source GigabitEthernet0/1
config# ip flow-export version 9
config# ip flow-export destination your-ntopng-ip-address 2055

Enable flow capturing on the interface whose traffic you want to send to ntopng. [ This example uses GigabitEthernet0/1 ]

config# interface GigabitEthernet0/1
config-if# ip flow ingress
config-if# ip flow egress

Congratulations! Your ntopng server should now be receiving flow data from your WAN device for traffic analysis.

DD2016
