Welcome to FreeSoftwareServers Confluence Wiki

This is the basic installation which will monitor the local network:

cat << 'EOL' >n2png_ubuntu14.sh
# Add the ntop stable repository for Ubuntu 14.04 and install the packages
wget http://www.nmon.net/apt-stable/14.04/all/apt-ntop-stable.deb
dpkg -i apt-ntop-stable.deb
apt-get update
apt-get -y install pfring nprobe ntopng ntopng-data n2disk nbox nmap mysql-server
# Write the ntopng configuration (one option per line, key=value form)
cat << 'LOE' >/etc/ntopng/ntopng.conf
#Variables
--interface=eth0
--http-port=3000
#Listen on the following network(s), can be comma separated
--local-networks="10.0.0.0/8,192.168.0.0/16,172.16.0.0/12"

#ZMQ endpoint on which ntopng receives flows from nProbe
#This is how nProbe and ntopng talk
--interface="tcp://127.0.0.1:5556"

#Static
--pid-path=/var/run/ntopng.pid
--daemon
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--sticky-hosts=all
--community

#NGinX Proxy
--http-prefix=/ntop

#--disable-login=1
#--disable-alerts
LOE
# The .start file tells the init script that this instance should be started
touch /etc/ntopng/ntopng.start
# Open the ntopng web port (note: this allows any source address)
ufw allow 3000/tcp
iptables -A INPUT -m state --state NEW -p tcp --dport 3000 -j ACCEPT
update-rc.d ntopng enable
echo "#############################################"
echo "Run netstat -tulpn | grep :3000 after reboot!"
echo "Visit http://domain.com:3000"
echo "Default username/password = admin/admin"
echo "Check out FreeSoftwareServers.com :)"
echo "#############################################"
reboot
EOL
chmod +x n2png_ubuntu14.sh
./n2png_ubuntu14.sh
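As an added example (not part of the original page and not ntop project code), here is a post-install check for the three sockets this setup is supposed to end up with: nprobe on tcp/5556 (ZMQ) and udp/2055 (NetFlow), ntopng on tcp/3000. It also lists the TCP ports bound on 0.0.0.0, because the script's ufw/iptables rules open 3000 to every source while ntopng still has the default admin/admin login, so it is worth knowing exactly what is reachable from outside before the password is changed or the firewall rule is narrowed. SAMPLE_NETSTAT is constructed from the netstat output shown further down this page; the function names are my own.

```shell
#!/bin/sh
# Added example: verify the listeners created by the install script above.
# SAMPLE_NETSTAT is constructed from the page's own `netstat -tulpen` output so
# the checks can run offline; on a live host pass "$(netstat -tulpen)" instead.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:5556            0.0.0.0:*               LISTEN      0          593346      24755/nprobe
udp        0      0 0.0.0.0:2055            0.0.0.0:*                           0          593347      24755/nprobe
udp6       0      0 :::2055                 :::*                                0          593348      24755/nprobe
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      65534      594359      25204/ntopng'

# has_listener PROTO PORT PROGRAM NETSTAT_TEXT
# Returns 0 when a socket line with that protocol, local port and program exists.
has_listener() {
    hl_proto=$1; hl_port=$2; hl_prog=$3; hl_text=$4
    printf '%s\n' "$hl_text" | awk -v p="$hl_proto" -v port="$hl_port" -v prog="$hl_prog" '
        $1 == p && $4 ~ (":" port "$") && $NF ~ ("/" prog "$") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_listeners NETSTAT_TEXT
# Prints one line per expected socket; the return value is the number of
# sockets that are missing, so 0 means everything from the page is up.
check_listeners() {
    cl_text=$1; missing=0
    for spec in "tcp 5556 nprobe" "udp 2055 nprobe" "tcp 3000 ntopng"; do
        set -- $spec
        if has_listener "$1" "$2" "$3" "$cl_text"; then
            echo "ok       $1/$2 ($3)"
        else
            echo "MISSING  $1/$2 ($3)"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# exposed_ports NETSTAT_TEXT
# Lists TCP ports bound on 0.0.0.0, i.e. reachable from every interface unless
# the firewall restricts them (the ufw rule above does not restrict by source).
exposed_ports() {
    printf '%s\n' "$1" | awk '$1 == "tcp" && $4 ~ /^0\.0\.0\.0:/ { sub(/.*:/, "", $4); print $4 }' \
        | sort -n | tr '\n' ' ' | sed 's/ $//'
}

check_listeners "$SAMPLE_NETSTAT"
echo "TCP ports bound on all interfaces: $(exposed_ports "$SAMPLE_NETSTAT")"
```

Run it after the reboot the script triggers with `check_listeners "$(netstat -tulpen)"`; a non-zero exit tells you which daemon did not come up. Any port reported by `exposed_ports` is the one to restrict to `--local-networks` in ufw once the default login has been changed.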

Setup nprobe in collector mode:

  • This is considerably more tricky IMO. I would highly recommend running the config via the CLI, watching the GUI and confirming it works, before configuring the daemon.
  • Also, get the "basic" CLI command working, then build on it.
  • I read through the user guide and picked what I considered the most likely to be used options, but you can do the same!
  • http://www.ntop.org/support/documentation/documentation/

Note: For testing, use the CLI version so you can read the output, make sure it's running correctly, then "daemonize" the configs.

The most basic starting point (--flow-version 9, i.e. -V 9, means NetFlow v9; if your exporter sends v5, change it accordingly):

nprobe --zmq "tcp://*:5556" --collector-port 2055 --interface none --collector none --flow-version 9

Once working, you can add on. Here are some flags I thought might be useful:

[--collector|-n] <host:port|none>

This specifies the NetFlow collector addresses to which nProbe will send the flows. If more than
one is specified, they need to be separated with a comma, or the -n flag can be repeated several
times (e.g. -n 172.22.3.4:33,172.22.3.4:34 and -n 172.22.3.4:33 -n 172.22.3.4:34 are equivalent).
When multiple collectors are defined, you can control the way flows are exported using the -a
option (see the nProbe user guide). If the destination port is omitted from a collector address,
flows are sent to port 2055; if the option is not specified at all, flows are sent by default to the
loopback interface (127.0.0.1) on port 2055. By default the UDP protocol is used, but TCP and SCTP
are also available (SCTP on Linux only, when nProbe is compiled with SCTP support and the kernel
supports it). In this case you can specify the collector address as udp://<host>:<port>,
tcp://<host>:<port>, or sctp://<host>:<port>. With "none", as used on this page, nProbe does not
export NetFlow at all and only delivers flows over ZMQ.

[--interface|-i] <iface|pcap>

It specifies the interface from which packets are captured. If -i is not used, nProbe will use the
default interface (if any). If a user needs to activate nProbe on two different interfaces, then
he/she needs to run multiple nProbe instances, one per interface. For debugging purposes it
is possible to pass nProbe a .pcap file from which packets will be read. If nProbe is compiled and
activated with PF_RING support, you can specify multiple interfaces from which packets are
captured, e.g. "-i eth0,eth1". With "none", as used on this page, nProbe captures nothing and acts
purely as a collector.

[--daemon-mode|-G]                  | Start as daemon.
--add-pid-to-logfile                | Append the nprobe PID to dump files to avoid file overwrite in case multiple probes dump onto the same directory.
--add-engineid-to-logfile           | Append the defined NetFlow engineId to dump files.
--enable-ipv4-deduplication         | By default hardware-duplicated IPv4 frames are not detected and discarded. Use this option to enable IPv4 hw-deduplication.
[--no-ipv6|-W]                      | IPv6 packets will not be accounted.
[--netflow-engine|-E] <type:id>     | Specify the engine type and id. The format is engineType:engineId. [default=0:18], where engineId is a random number.
[--sender-address|-q] <host:port>   | Specifies the address:port of the flow sender. This option is useful for hosts with multiple interfaces or if flows must be emitted from a static port/IP.

Note: Something is wrong with the init script: "--pid-file" doesn't work at the time of writing, so use "-g=".

[--pid-file|-g] <PID file>          | Put the PID in the specified file.
[--flow-version|-V] <version>       | NetFlow Version: 5=NFv5, 9=NFv9, 10=IPFIX.
[--keep-probes-unmerged]            | Don't merge flows received from different probe IPs.
[--collector-port|-3] <port>        | NetFlow/IPFIX/sFlow collector flows port.
--timestamp-format <mode>           | Specify the timestamp format on dump files. Values:
                                    |   0 - Unix Epoch
                                    |   1 - Unix Epoch with microseconds
                                    |   2 - Human readable timestamp
--zmq <socket>                      | Deliver flows to subscribers connected to the specified endpoint.
                                    |   Example tcp://*:5556 or ipc://flows.ipc
--zmq-encrypt-pwd <pwd>             | Encrypt the ZMQ data using the specified password.
--disable-l7-protocol-guess         | When nDPI is enabled, in case a protocol is not recognized, nProbe guesses the protocol based on ports. This option disables this feature and uses only strict payload dissection.
--db-engine <database engine>       | Define the DB engine type (example MyISAM, InfiniDB). This information is used by the database plugin. Default MyISAM.

My Final Command:

nprobe --zmq "tcp://*:5556" --collector-port 2055 -i none -n none --flow-version 9 --add-pid-to-logfile --add-engineid-to-logfile --enable-ipv4-deduplication --no-ipv6 --timestamp-format 2 > nprobe.log &
sudo netstat -tulpen | grep nprobe
cat nprobe.log

My Daemonized Config:

pkill nprobe
cat << 'EOL' >/etc/nprobe/nprobe-none.conf
--zmq="tcp://*:5556"
--collector-port=2055
--interface=none
--collector=none
-g=/var/run/nprobe-none.pid
--add-pid-to-logfile
--add-engineid-to-logfile
--enable-ipv4-deduplication
--no-ipv6
--timestamp-format=2
--daemon-mode
#--flow-version=9
EOL
touch /etc/nprobe/nprobe-none.start
service ntopng restart 
service ntopng status
service nprobe start
service nprobe status
netstat -tulpen | grep nprobe
netstat -tulpen | grep ntopng
root@ntop:~# sudo netstat -tulpen | grep nprobe
tcp        0      0 0.0.0.0:5556            0.0.0.0:*               LISTEN      0          593346      24755/nprobe
udp        0      0 0.0.0.0:2055            0.0.0.0:*                           0          593347      24755/nprobe
udp6       0      0 :::2055                 :::*                                0          593348      24755/nprobe
root@ntop:~# sudo netstat -tulpen | grep ntopng
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      65534      594359      25204/ntopng
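As an added example (not from the page or the ntop project), a small linter for an nprobe config in the one-option-per-line format used above. It checks the three things this page's collector setup trips over: the init-script pitfall the note above describes (`--pid-file` ignored, `-g=` works), a ZMQ endpoint bound on every interface (`tcp://*:5556`) while the ntopng.conf on this page only ever connects to 127.0.0.1:5556, and a ZMQ endpoint reachable from other hosts without `--zmq-encrypt-pwd`, which would put flow records on the wire in the clear. SAMPLE_NPROBE_CONF is constructed from the daemonized config above with those pitfalls deliberately present; the function names are my own.

```shell
#!/bin/sh
# Added example: lint an nprobe config file for the pitfalls discussed on this page.
# SAMPLE_NPROBE_CONF is constructed from the page's daemonized config, with
# --pid-file in place of -g= and the wildcard ZMQ bind left in, to exercise the checks.
SAMPLE_NPROBE_CONF='--zmq="tcp://*:5556"
--collector-port=2055
--interface=none
--collector=none
--pid-file=/var/run/nprobe-none.pid
--add-pid-to-logfile
--add-engineid-to-logfile
--no-ipv6
--timestamp-format=2
--daemon-mode
#--flow-version=9'

# conf_has CONF_TEXT KEY -> 0 if KEY appears as an active (uncommented) option
conf_has() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { found = 1 }
        END { exit found ? 0 : 1 }'
}

# conf_value CONF_TEXT KEY -> value of KEY with surrounding quotes stripped, empty if absent
conf_value() {
    printf '%s\n' "$1" | awk -F= -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = substr($0, length(key) + 2); gsub(/"/, "", v); print v; exit }'
}

# lint_nprobe_conf CONF_TEXT -> prints one finding per line; returns the number of findings
lint_nprobe_conf() {
    ln_conf=$1; findings=0

    # 1. The page notes the init script ignores --pid-file; -g= is what works.
    if conf_has "$ln_conf" --pid-file; then
        echo "pid: use -g=<file> instead of --pid-file (the init script ignores --pid-file)"
        findings=$((findings + 1))
    fi

    zmq=$(conf_value "$ln_conf" --zmq)

    # 2. ntopng on this host subscribes to tcp://127.0.0.1:5556, so a wildcard bind
    #    exposes the flow feed to every interface for no benefit.
    case $zmq in
        tcp://\**)
            echo "zmq: $zmq binds on all interfaces; ntopng connects to 127.0.0.1, so bind tcp://127.0.0.1:<port>"
            findings=$((findings + 1)) ;;
    esac

    # 3. Anything other than loopback or an ipc:// socket is reachable from other
    #    hosts; without --zmq-encrypt-pwd the flow records travel in the clear.
    case $zmq in
        ""|tcp://127.0.0.1:*|tcp://localhost:*|ipc://*) ;;
        *)
            if ! conf_has "$ln_conf" --zmq-encrypt-pwd; then
                echo "zmq: non-loopback endpoint $zmq without --zmq-encrypt-pwd"
                findings=$((findings + 1))
            fi ;;
    esac

    return $findings
}

lint_nprobe_conf "$SAMPLE_NPROBE_CONF"
```

On the real host run `lint_nprobe_conf "$(cat /etc/nprobe/nprobe-none.conf)"`; the exit status is the number of findings, so it drops into a deploy script as a pre-start gate. The daemonized config on this page passes check 1 already (it uses `-g=`), but still trips checks 2 and 3 because of `--zmq="tcp://*:5556"`.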

I found nprobe had issues starting with the system, so I disabled auto start and start it manually via a bash script:

update-rc.d nprobe disable
reboot

You can run this from rc.local, though!

cat << 'EOL' >start_nprobe.sh
#!/bin/bash

service nprobe start
service nprobe status
service ntopng status
netstat -tulpen | grep nprobe
netstat -tulpen | grep ntopng
EOL
chmod +x start_nprobe.sh
./start_nprobe.sh

Sources:

https://blog.webernetz.net/2016/08/16/using-netflow-with-nprobe-for-ntopng/
https://blog.webernetz.net/2016/02/09/ntopng-installation/
http://idroot.net/tutorials/how-to-install-ntopng-on-ubuntu-14-04/
https://hostingwikipedia.com/setup-ntop-ubuntu-14-04/#Install_NTOP_repo
https://www.plixer.com/blog/netflow/vyatta-netflow-configure/
https://github.com/ntop/ntopng/issues/1037
http://listgateway.unipi.it/pipermail/ntop/2015-September/018808.html
http://www.ntop.org/nprobe/advanced-flow-collection-with-ntopng-and-nprobe/
https://www.sciuro.org/posts/2016/10/installing-ntopng/
