Installing ntop on CentOS 6/Redhat with NetFlow

MikroTik supports exporting NetFlow traffic data via /ip traffic-flow, which can be read using free or paid software.
This guide shows you how to set up ntop (a free option) on a fresh CentOS 6 (or RedHat) install and assumes you have set up a CentOS 6 server that has a connection to the internet.

Installing ntop:

Install prerequisite packages via yum.

yum install cairo-devel libxml2-devel pango-devel pango libpng-devel -y
yum install freetype freetype-devel libart_lgpl-devel wget gcc make -y
yum install perl-ExtUtils-MakeMaker -y
yum install graphviz -y

Now we grab rrdtool (round-robin database), then configure and install it.
Check the final paragraph of output after the configure line; it should confirm the build settings and shouldn’t contain any error messages. If everything looks good, continue on.

cd /opt
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.5.tar.gz
tar -zxvf rrdtool-1.4.5.tar.gz
cd rrdtool-1.4.5
./configure --prefix=/usr/local/rrdtool
make && make install

Now some more prerequisite packages and the maxmind GeoIP API plugin (for showing country listings next to IP addresses).
Once again check after the ./configure line and ensure there’s been no error before attempting to continue.

yum install libpcap libpcap-devel gdbm gdbm-devel -y
yum install libevent libevent-devel -y
cd /opt
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
tar -zxvf GeoIP-1.4.8.tar.gz
cd GeoIP-1.4.8
./configure
make && make install

Lastly install some final pre-reqs and then make ntop itself.
This time stop after the ./autogen.sh line and read the last paragraph; the final 2 lines (provided everything checked out OK) should read “…. autogen.sh done” followed by “just type make to compile ntop”.

yum install libtool automake autoconf -y
cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz
tar zxvf ntop-4.1.0.tar.gz
cd ntop-4.1.0
./autogen.sh -prefix=/usr/local/ntop
make && make install

If you’re running SELinux on a number of the machines, it’s a good idea to complete the SELinux policy installation for ntop now.

make install-selinux-policy

Now we add the user for ntop, and give it ownership of the required directories.

useradd -M -s /sbin/nologin -r ntop
chown ntop:root /usr/local/ntop
chown ntop:ntop /usr/local/ntop/share/ntop

Now change to the ntop directory, and choose a password for the ntop admin user when prompted.

cd /usr/local/ntop/
rm ntop_pw.db
cd /usr/local/ntop/bin/
./ntop -u ntop -P /usr/local/ntop -A

Adding iptables rules:

Open the iptables file

vi /etc/sysconfig/iptables

Append the following rules before the final INPUT – REJECT line:
(note we’re running the webpage on port 3000 and receiving netflow traffic on port 9996)

-A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 9996 -j ACCEPT

Then restart iptables

service iptables restart
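
A pre-flight check for the rules file, added here as an example (it is not part of the original post): it flags the typographic dashes that web pages often substitute for - and --, and ACCEPT rules for ports 3000 and 9996 that match any source address. The function name lint_rules and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: lint iptables rules before "service iptables restart".
EN_DASH=$(printf '\342\200\223')   # U+2013 as UTF-8 bytes
EM_DASH=$(printf '\342\200\224')   # U+2014 as UTF-8 bytes

# lint_rules FILE: print one finding per line; return 1 if anything was found.
lint_rules() {
    found=0
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            *"$EN_DASH"*|*"$EM_DASH"*)
                # Not an option prefix to iptables, so the rule will not parse.
                echo "line $lineno: typographic dash, retype as - or --"
                found=1
                continue ;;
        esac
        case $line in
            *"--dport 3000 "*"-j ACCEPT"*|*"--dport 9996 "*"-j ACCEPT"*)
                case " $line " in
                    *" -s "*|*" --source "*) ;;   # already limited to a source
                    *)  echo "line $lineno: ntop port open to any source, add -s"
                        found=1 ;;
                esac ;;
        esac
    done < "$1"
    return "$found"
}

# Constructed sample rules; 192.0.2.10 (router) and 198.51.100.0/24 (admin
# network) are placeholder addresses, not values from the post.
SAMPLE=$(mktemp)
{
    printf '%s\n' "-A INPUT -m state ${EN_DASH}state NEW -m tcp -p tcp ${EN_DASH}dport 3000 -j ACCEPT"
    printf '%s\n' "-A INPUT -m state --state NEW -m udp -p udp --dport 9996 -j ACCEPT"
    printf '%s\n' "-A INPUT -s 198.51.100.0/24 -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT"
    printf '%s\n' "-A INPUT -s 192.0.2.10 -m state --state NEW -m udp -p udp --dport 9996 -j ACCEPT"
} > "$SAMPLE"

lint_rules "$SAMPLE" || echo "fix the lines above before restarting iptables"
```

Run it as lint_rules /etc/sysconfig/iptables; iptables-restore --test < /etc/sysconfig/iptables additionally parses the file without loading it.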

Starting ntop (and starting on boot):

Now start ntop with the following options
Modify “-w 3000” to determine http port to start on for testing.

cd /usr/local/ntop/bin
./ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes

More command line flag details here:  http://www.ntop.org/wp-content/uploads/2011/09/ntop-man.html

To have ntop start on boot, open rc.local:

vi /etc/rc.local

and add this startup line (modify the values in the startup commands if you changed them above)

/usr/local/ntop/bin/ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes

Setting web options:

The first time you open the ntop web interface you’ll need to do the following:
1. head to plugins -> netflow -> activate
This will activate netflow, don’t click the “yes” option as this will toggle it off again.
2. head to plugins -> netflow -> view/configure
3. Create a new collector named “eth#-collector” where # is the eth interface number you’re sending data to.
4. Edit this collector and ensure the following settings are in place:
– local collector udp port: 9996
– flow aggregation: none
– enable session handling: no
– assume ftp: no
– debug: off
5. Head to Admin -> Configure -> Preferences
6. change dot.path value to “/usr/bin/dot” (hit set when done)
7. head to http://code.google.com/apis/console and get a google maps API key (turn on Google maps API v2 and create a new browser-referrer key)
8. head back to Admin -> Configure -> Preferences
9. change google_maps.key value to your copied key (hit set when done)
10. stop ntop (killall ntop)
11. reboot server and confirm ntop starts upon boot.

Shutting down ntop:

killall ntop

Adding routers:

On a MikroTik:

/ip traffic-flow set active-flow-timeout=1m cache-entries=512k enabled=yes inactive-flow-timeout=15s interfaces=all
/ip traffic-flow target add address=<ntop ip address>:9996 disabled=no v9-template-refresh=20 v9-template-timeout=30m version=9

On a Cisco:
http://www.cisco.com/en/US/tech/tk812/tech_configuration_guides_list.html
Ensure port 9996 is the port you export the netflow traffic to.

Please feel free to post any comments or questions you have!

26 thoughts on “Installing ntop on CentOS 6/Redhat with NetFlow”

  1. Nice!

    If you’re using FreeBSD or CentOS 6, add “/usr/local/ntop/share/man” to “/etc/man.config” like so:

    MANPATH /usr/local/ntop/share/man

    And Voila! A job nicely rounded off and polished- now you have manpages for ntop! Feels great, doesn’t it!?

  2. It was going really good on a minimal installation of Centos6.2 until I executed

    ./autogen.sh -prefix=/usr/local/ntop

    Then I get:
    grep: libtool: No such file or directory
    checking for pfring_open in -lpfring.. no
    Critical library/include tests..
    checking for pcap_lookupdev in -lpcap… no
    *** FATAL ERROR ***
    It looks that you don’t have the libpcap distribution installed

    And so forth, but they are installed. Do I need to change a path somewhere? Or modify the autogen.sh?

    Thanks

  3. libpcap should’ve been installed in the 3rd paragraph, line 1:

    yum install libpcap libpcap-devel gdbm gdbm-devel -y

    if you try running yum install libpcap on its own, does it throw an error or say it’s already installed?

  4. I created the symbolic link and the problem is solved, but it seems no data is being captured. How do I check for the error?

  5. Hi,

    There is an error in your post, please have a look:

    -A INPUT -m state –state NEW -m tcp -p tcp –dport 3000 -j ACCEPT
    -A INPUT -m state –state NEW -m udp -p udp –dport 9996 -j ACCEPT

    And it should be:
    -A INPUT –m state –state NEW -m tcp -p tcp –-dport 3000 -j ACCEPT
    -A INPUT –m state –state NEW -m udp -p udp –-dport 9996 -j ACCEPT
    You are missing 4 “-”, one at “m” and one at “dport”.

    Thanks for the post.
    Chris

  6. Hi Chris,

    To the best of my knowledge the -m doesn’t need to be –m; I have many existing rules that follow the format:
    “-A INPUT -m state –state NEW -m tcp -p tcp –dport 443 -j ACCEPT”
    With no outstanding issues, however if you have information that suggests otherwise please feel free to respond and post a link here, I’m more than happy to be proven incorrect! 🙂

  7. Hi,

    Thanks for your reply!
    When I append the rule like you said in the post, iptables crashes when I do service iptables restart, so I went a little further, and found that the rule should be written like I said in my previous post.

    Thanks a lot for reading my post.
    Chris

  8. ./configure -prefix=/usr/local/rrdtool
    I get this error: configure: error: Unable to find RRD at /usr/local: please use --with-rrd-home=DIR
    How can I solve the problem?

  9. Solved the error,

    but now for make && make install I have the following error
    cd ntop-4.1.0
    ……….
    make && make install

    collect2: ld returned 1 exit status
    make[2]: *** [ntop] Error 1
    make[2]: Leaving directory `/opt/ntop-4.1.0′
    make[1]: *** [all-recursive] Error 1
    make[1]: Leaving directory `/opt/ntop-4.1.0′
    make: *** [all] Error 2

  10. I am also having an error with the ./configure not finding the rrdtool

    configure: error: Unable to find RRD at /usr/share/rrdtool: please use --with-rrd-home=DIR

    What is the configure script looking for?

  11. On CentOS 6.3 you can ‘yum install geoip geoip-devel’, ditto I used yum for python and python-devel.

  12. I built an RPM for CentOS 6.3 x86_64 for both ntop 4 and ntop 5.0.1 because I use it extensively on multiple servers, so I don’t have to do all these ninja tricks to get it to work. If you want the rpm just reply here and I will see the follow ups in my mail to send it to you.

  13. Hello Adam,

    I just found this page and it is very useful. Thanks for posting. I would be interested in getting the SRPM so I could build and customize ntop rpms. Is it something you would share?

    Thanks

  14. Hi,
    This post is very useful and I’m trying to install ntop.

    There are no firewall restrictions on my CentOS VM.
    When I run Iptables, the output is:

    # iptables -L
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    Chain FORWARD (policy ACCEPT)
    target prot opt source destination
    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Do I still need to modify the iptables for 300 port? (Right now I didn’t modify the iptables.)

    I’m getting error in the last steps:
    When I run: ./ntop -d -L -u ntop -P /usr/local/ntop -w 3000 -interface none -skip-version-check yes
    its giving an output:

    NOTE: Interface merge enabled by default
    ./ntop: invalid option -- 'k'
    Initializing gdbm databases
    **ERROR** ++++ DEMON MODE=1
    ./ntop: invalid option -- 'k'
    FATAL ERROR: unknown ntop option, '?'

    In the prior steps I didn’t get any errors, how can I resolve this issue.
    Eager to see the ntop console 🙂

    Thanks,
    Raj

  15. Hi Raj,

    Looks like you’ve only got one ‘-’ on the -skip-version-check section, which should be --skip-version-check
    As such it’s trying to action it as if it were -s and -k (from skip) and failing on the second one.

    Give it a try with the change and let us know how you go.

  16. Hi,

    I installed ntop on CentOS 6.3 i386.

    When I run the “./autogen.sh -prefix=/usr/local/ntop” command,

    it compiles for some time and then notifies me as below.

    What can I do about this?

    The package python-2.6.6-29.el6_3.3.i686 is already installed and at the latest version.

    ——————————————————————-

    **Testing Optional libraries and headers**

    checking for Multithreading… ok
    checking for openSSL… ok
    checking for zlib… ok
    checking for python-config… no
    >>>> Unable to locate python-config: using workaround <<<<
    checking for python… python
    checking Checking python version… Old python installed

    Please install python 2.6 or newer.

  17. hidaling, I had the same issue with Python and solved it by installing python devel package on CentOS 6.3 minimal (yum install python-devel)

  18. It’s giving this error in the installation:

    [root@SRV-MONITOR GeoIP-1.4.8]# make
    cd . && /bin/sh /opt/GeoIP-1.4.8/missing –run automake-1.11 –gnu
    libGeoIP/Makefile.am:1: Libtool library used but `LIBTOOL’ is undefined
    libGeoIP/Makefile.am:1: The usual way to define `LIBTOOL’ is to add `AC_PROG_LIBTOOL’
    libGeoIP/Makefile.am:1: to `configure.in’ and run `aclocal’ and `autoconf’ again.
    libGeoIP/Makefile.am:1: If `AC_PROG_LIBTOOL’ is in `configure.in’, make sure
    libGeoIP/Makefile.am:1: its definition is in aclocal’s search path.
    make: ** [Makefile.in] Erro 1

  19. For Centos 5 and ntop 5.0.1
    yum install python26
    ln -sf /usr/bin/python2.6 /usr/local/bin/python
    ln -sf /usr/bin/python2.6-config /usr/local/bin/python-config
    is solving common Python problem during installation
    Regards
