MikroTik supports exporting NetFlow traffic data via /ip traffic-flow, which can be read using free or paid software.
This guide shows you how to set up ntop (a free option) on a fresh CentOS 6 (or RedHat) install and assumes you have set up a CentOS 6 server that has a connection to the internet.
Installing ntop:
Install prerequisite packages via yum.
yum install cairo-devel libxml2-devel pango-devel pango libpng-devel -y
yum install freetype freetype-devel libart_lgpl-devel wget gcc make -y
yum install perl-ExtUtils-MakeMaker -y
yum install graphviz -y
Now we grab rrdtool (round-robin-database) and configure then install.
Check the final paragraph of output after the configure line; it should confirm the build settings and shouldn’t contain any error messages. If everything looks good, continue on.
cd /opt
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.5.tar.gz
tar -zxvf rrdtool-1.4.5.tar.gz
cd rrdtool-1.4.5
./configure --prefix=/usr/local/rrdtool
make && make install
Now some more prerequisite packages and the maxmind GeoIP API plugin (for showing country listings next to IP addresses).
Once again check after the ./configure line and ensure there’s been no error before attempting to continue.
yum install libpcap libpcap-devel gdbm gdbm-devel -y
yum install libevent libevent-devel -y
cd /opt
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
tar -zxvf GeoIP-1.4.8.tar.gz
cd GeoIP-1.4.8
./configure
make && make install
Lastly install some final pre-reqs and then make ntop itself.
This time stop after the ./autogen.sh line and read the last paragraph; the final 2 lines (provided everything checked out ok) should read “…. autogen.sh done” and “just type make to compile ntop”.
yum install libtool automake autoconf -y
cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz
tar zxvf ntop-4.1.0.tar.gz
cd ntop-4.1.0
./autogen.sh -prefix=/usr/local/ntop
make && make install
If you’re running SELinux on a number of the machines, it’s a good idea to complete the SELinux policy installation for ntop now.
make install-selinux-policy
Now we add the user for ntop, and give it ownership of the required directories.
useradd -M -s /sbin/nologin -r ntop
chown ntop:root /usr/local/ntop
chown ntop:ntop /usr/local/ntop/share/ntop
Now change to the ntop directory, and choose a password for the ntop admin user when prompted.
cd /usr/local/ntop/
rm ntop_pw.db
cd /usr/local/ntop/bin/
./ntop -u ntop -P /usr/local/ntop -A
Adding iptables rules:
Open the iptables file
vi /etc/sysconfig/iptables
Append the following rules before the final INPUT – REJECT line:
(note we’re running the webpage on port 3000 and receiving netflow traffic on port 9996)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 9996 -j ACCEPT
Then restart iptables
service iptables restart
Starting ntop (and starting on boot):
Now start ntop with the following options
Modify “-w 3000” to determine http port to start on for testing.
cd /usr/local/ntop/bin
./ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes
More command line flag details here: http://www.ntop.org/wp-content/uploads/2011/09/ntop-man.html
To have ntop start on boot, open rc.local:
vi /etc/rc.local
and add this startup line (modify the values in the startup commands if you changed them above)
/usr/local/ntop/bin/ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes
Setting web options:
The first time you open the ntop web interface you’ll need to do the following:
1. head to plugins -> netflow -> activate
This will activate netflow, don’t click the “yes” option as this will toggle it off again.
2. head to plugins -> netflow -> view/configure
3. Create a new collector named “eth#-collector” where # is the eth interface number you’re sending data to.
4. Edit this collector and ensure the following settings are in place:
– local collector udp port: 9996
– flow aggregation: none
– enable session handling: no
– assume ftp: no
– debug: off
5. Head to Admin -> Configure -> Preferences
6. change dot.path value to “/usr/bin/dot” (hit set when done)
7. head to http://code.google.com/apis/console and get a google maps API key (turn on Google maps API v2 and create a new browser-referrer key)
8. head back to Admin -> Configure -> Preferences
9. change google_maps.key value to your copied key (hit set when done)
10. stop ntop (killall ntop)
11. reboot server and confirm ntop starts upon boot.
Shutdown ntop:
To shut down ntop:
killall ntop
Adding routers:
On a MikroTik:
/ip traffic-flow set active-flow-timeout=1m cache-entries=512k enabled=yes inactive-flow-timeout=15s interfaces=all
/ip traffic-flow target add address=<ntop ip address>:9996 disabled=no v9-template-refresh=20 v9-template-timeout=30m version=9
On a Cisco:
http://www.cisco.com/en/US/tech/tk812/tech_configuration_guides_list.html
Ensure port 9996 is the port you export the netflow traffic to.
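With version=9 the router periodically sends template records that describe the fields of each flow record, so a collector can only show IPv6 flows if a template carrying IPv6 address fields arrives. The Python below is an added example, not part of the original guide or of ntop: it parses one NetFlow v9 UDP payload and reports which address families its templates describe; the function names and the sample packet are constructed for illustration.

```python
import struct

V4_FIELDS, V6_FIELDS = {8, 12}, {27, 28}   # v9 field types: IPv4/IPv6 SRC and DST addresses

def parse_v9(payload):
    """Parse one NetFlow v9 UDP payload into templates and data flowset ids."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte v9 header")
    version, _count, _up, _secs, _seq, source_id = struct.unpack("!HHIIII", payload[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version field is %d)" % version)
    info = {"source_id": source_id, "templates": {}, "data_flowsets": []}
    pos = 20
    while pos + 4 <= len(payload):
        flowset_id, length = struct.unpack("!HH", payload[pos:pos + 4])
        if length < 4 or pos + length > len(payload):
            raise ValueError("bad flowset length %d at offset %d" % (length, pos))
        body = payload[pos + 4:pos + length]
        if flowset_id == 0:                       # template flowset
            off = 0
            while off + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[off:off + 4])
                end = off + 4 + 4 * nfields
                if tid < 256 or end > len(body):  # padding or truncated record
                    break
                info["templates"][tid] = [struct.unpack("!HH", body[i:i + 4])
                                          for i in range(off + 4, end, 4)]
                off = end
        elif flowset_id > 255:                    # data flowset, keyed by template id
            info["data_flowsets"].append(flowset_id)
        pos += length
    return info

def address_families(info):
    """Return which address families the exporter's templates describe."""
    types = {ftype for fields in info["templates"].values() for ftype, _len in fields}
    return {name for name, ids in (("ipv4", V4_FIELDS), ("ipv6", V6_FIELDS)) if types & ids}

def build_sample():
    """Constructed sample packet: two templates (256, 257) and one IPv4 record."""
    t4 = struct.pack("!HH6H", 256, 3, 8, 4, 12, 4, 1, 4)      # src, dst, IN_BYTES
    t6 = struct.pack("!HH4H", 257, 2, 27, 16, 28, 16)         # IPv6 src, dst
    tmpl = struct.pack("!HH", 0, 4 + len(t4) + len(t6)) + t4 + t6
    rec = bytes([192, 0, 2, 1, 198, 51, 100, 7]) + struct.pack("!I", 1500)
    data = struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 3, 1000, 1700000000, 1, 0) + tmpl + data

if __name__ == "__main__":
    print(sorted(address_families(parse_v9(build_sample()))))
```

If only "ipv4" is reported for payloads received on port 9996, the router is not exporting IPv6 flow templates and the collector has nothing IPv6 to display.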
Please feel free to post any comments or questions you have!
Nice!
If you’re using FreeBSD or CentOS 6, add “/usr/local/ntop/share/man” to “/etc/man.config” like so:
MANPATH /usr/local/ntop/share/man
And Voila! A job nicely rounded off and polished- now you have manpages for ntop! Feels great, doesn’t it!?
It was going really good on a minimal installation of Centos6.2 until I executed
./autogen.sh -prefix=/usr/local/ntop
Then I get:
grep: libtool: No such file or directory
checking for pfring_open in -lpfring.. no
Critical library/include tests..
checking for pcap_lookupdev in -lpcap… no
*** FATAL ERROR ***
It looks that you don’t have the libpcap distribution installed
And so forth but are installed. Do I need to change a path somewhere? Or modify the autogen.sh?
Thanks
libpcap should’ve been installed in the 3rd paragraph, line 1:
yum install libpcap libpcap-devel gdbm gdbm-devel -y
if you try running yum install libpcap on its own, does it throw an error or say it’s already installed?
I don’t see dot.path value in “Edit Preferences” page, how to find it?
I created the symbolic link, the problem is solved, but seems no any data can capture, how to check the error?
Why is ntop not showing any IPv6 traffic? How could I tell if the router is really sending IPv6 flows?
Thanks
Hi,
There is an error in your post, please have a look:
-A INPUT -m state –state NEW -m tcp -p tcp –dport 3000 -j ACCEPT
-A INPUT -m state –state NEW -m udp -p udp –dport 9996 -j ACCEPT
And it should be:
-A INPUT –m state –state NEW -m tcp -p tcp –-dport 3000 -j ACCEPT
-A INPUT –m state –state NEW -m udp -p udp –-dport 9996 -j ACCEPT
You are missing 4 “-”, one at “m” and one at “dport”.
Thanks for the post.
Chris
Hi Chris,
To the best of my knowledge the -m doesn’t need to be –m; I have many existing rules that follow the format:
“-A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT”
With no outstanding issues, however if you have information that suggests otherwise please feel free to respond and post a link here, I’m more than happy to be proven incorrect! 🙂
Hi,
Thanks for your reply!
When I append the rule like you said in the post, iptables crashes when I do service iptables restart, so I went a little further, and found that the rule should be written like I said in my previous post.
Thanks a lot for reading my post.
Chris
I can’t see the dot.path in Preferences, how to change this value?
you can add dot.path preference by end of the file
./configure -prefix=/usr/local/rrdtool
I get this error: configure: error: Unable to find RRD at /usr/local: please use --with-rrd-home=DIR
How can I solve the problem?
solve the error
but now for make && make install I have the following error
cd ntop-4.1.0
……….
make && make install
collect2: ld returned 1 exit status
make[2]: *** [ntop] Error 1
make[2]: Leaving directory `/opt/ntop-4.1.0'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/ntop-4.1.0'
make: *** [all] Error 2
I am also having an error with the ./configure not finding the rrdtool
configure: error: Unable to find RRD at /usr/share/rrdtool: please use --with-rrd-home=DIR
What is the configure script looking for?
On CentOS 6.3 you can ‘yum install geoip geoip-devel’, ditto I used yum for python and python-devel.
I built an RPM for CentOS 6.3 x86_64 for both ntop 4 and ntop 5.0.1 because I use it extensively on multiple servers so I don’t have to do all these ninja tricks to get it to work. If you want the rpm just reply here and I will see the follow ups in my mail to send it to you.
Hello Adam,
I just found this page and it is very useful. Thanks for posting. I would be interested in getting the SRPM so I could build and customize nTop rpms. Is it something you would share?
Thanks
Hi,
This post is very useful and I’m trying to install ntop.
There are no firewall restrictions on my CentOS VM.
When I run Iptables, the output is:
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Do I still need to modify the iptables for 300 port? (right now I didn’t modify the iptables)
I’m getting error in the last steps:
When I run: ./ntop -d -L -u ntop -P /usr/local/ntop -w 3000 -interface none -skip-version-check yes
its giving an output:
NOTE: Interface merge enabled by default
./ntop: invalid option -- 'k'
Initializing gdbm databases
**ERROR** ++++ DEMON MODE=1
./ntop: invalid option -- 'k'
FATAL ERROR: unknown ntop option, ‘?’
In the prior steps I didn’t get any errors, how can I resolve this issue.
Eager to see the ntop console 🙂
Thanks,
Raj
Hi Raj,
Looks like you’ve only got one ‘-’ on the -skip-version-check section, which should be --skip-version-check
As such it’s trying to action it as if it were -s and -k (from skip) and failing on the second one.
Give it a try with the change and let us know how you go.
Hi,
I install the Ntop on the centos6.3 i386.
When I run “./autogen.sh -prefix=/usr/local/ntop” command.
It will compile some time and notice me as below.
What can I do for this?
I have install the Package python-2.6.6-29.el6_3.3.i686 already installed and latest version.
——————————————————————-
**Testing Optional libraries and headers**
checking for Multithreading… ok
checking for openSSL… ok
checking for zlib… ok
checking for python-config… no
>>>> Unable to locate python-config: using workaround <<<<
checking for python… python
checking Checking python version… Old python installed
Please install python 2.6 or newer.
You need to correct your script several mistakes.
hidaling, I had the same issue with Python and solved it by installing python devel package on CentOS 6.3 minimal (yum install python-devel)
Hi, I installed all the requirements but when I enter on the ntopng interface I cannot find the plugin section. Can you help me?
It’s giving this error in the installation:
[root@SRV-MONITOR GeoIP-1.4.8]# make
cd . && /bin/sh /opt/GeoIP-1.4.8/missing --run automake-1.11 --gnu
libGeoIP/Makefile.am:1: Libtool library used but `LIBTOOL' is undefined
libGeoIP/Makefile.am:1: The usual way to define `LIBTOOL' is to add `AC_PROG_LIBTOOL'
libGeoIP/Makefile.am:1: to `configure.in' and run `aclocal' and `autoconf' again.
libGeoIP/Makefile.am:1: If `AC_PROG_LIBTOOL' is in `configure.in', make sure
libGeoIP/Makefile.am:1: its definition is in aclocal's search path.
make: ** [Makefile.in] Erro 1
For Centos 5 and ntop 5.0.1
yum install python26
ln -sf /usr/bin/python2.6 /usr/local/bin/python
ln -sf /usr/bin/python2.6-config /usr/local/bin/python-config
is solving common Python problem during installation
Regards