MikroTik routers can export NetFlow data via /ip traffic-flow, which can be collected and displayed with free or paid software.
This guide shows how to set up ntop (a free option) on a fresh CentOS 6 (or Red Hat) install, and assumes you already have a CentOS 6 server with a connection to the internet.
Installing ntop:
Install prerequisite packages via yum.
yum install cairo-devel libxml2-devel pango-devel pango libpng-devel -y
yum install freetype freetype-devel libart_lgpl-devel wget gcc make -y
yum install perl-ExtUtils-MakeMaker -y
yum install graphviz -y
Now we grab rrdtool (round-robin database), then configure and install it.
Check the summary that configure prints at the end: it should confirm the build settings and contain no error messages. If everything looks good, continue on.
cd /opt
wget http://oss.oetiker.ch/rrdtool/pub/rrdtool-1.4.5.tar.gz
tar -zxvf rrdtool-1.4.5.tar.gz
cd rrdtool-1.4.5
./configure --prefix=/usr/local/rrdtool
make && make install
Now some more prerequisite packages and the MaxMind GeoIP C API (used to show the country next to each IP address).
Once again check the output after the ./configure line and make sure there were no errors before continuing.
yum install libpcap libpcap-devel gdbm gdbm-devel -y
yum install libevent libevent-devel -y
cd /opt
wget http://geolite.maxmind.com/download/geoip/api/c/GeoIP-1.4.8.tar.gz
tar -zxvf GeoIP-1.4.8.tar.gz
cd GeoIP-1.4.8
./configure
make && make install
Lastly, install the final prerequisites and then build ntop itself.
This time stop after ./autogen.sh and read its final paragraph. Provided everything checked out, the last two lines should read:
autogen.sh done
just type make to compile ntop
yum install libtool automake autoconf -y
cd /opt
wget http://downloads.sourceforge.net/project/ntop/ntop/Stable/ntop-4.1.0.tar.gz
tar zxvf ntop-4.1.0.tar.gz
cd ntop-4.1.0
./autogen.sh --prefix=/usr/local/ntop
make && make install
If SELinux is enabled on this machine, install the SELinux policy for ntop now so it can run confined:
make install-selinux-policy
Now add an unprivileged system user for ntop (no home directory, no login shell) and give it ownership of the directories it needs to write to.
useradd -M -s /sbin/nologin -r ntop
chown ntop:root /usr/local/ntop
chown ntop:ntop /usr/local/ntop/share/ntop
Now change to the ntop directory, remove the empty password database, and choose a password for the ntop admin user when prompted. This password protects the web interface, so pick a strong one.
cd /usr/local/ntop/
rm ntop_pw.db
cd /usr/local/ntop/bin/
./ntop -u ntop -P /usr/local/ntop -A
Adding iptables rules:
Open the iptables file
vi /etc/sysconfig/iptables
Append the following rules before the final INPUT REJECT line.
(Note we're running the web interface on TCP port 3000 and receiving NetFlow on UDP port 9996. The web interface is plain HTTP and NetFlow is unauthenticated UDP, so if you can, limit these rules to your management network and the router's address with a source match rather than opening both ports to everyone.)
-A INPUT -m state --state NEW -m tcp -p tcp --dport 3000 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 9996 -j ACCEPT
Then restart iptables
service iptables restart
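Because the collector port accepts flow records from anyone who can reach it and the web UI sends the admin password in the clear, the rules above are better restricted to the router's address and your management network. The script below is an added example, not part of the original post: it builds such source-restricted rules and splices them into a copy of the CentOS 6 iptables file just above the final INPUT REJECT line. The 192.0.2.0/24 admin network and 198.51.100.1 router address are assumed placeholders; replace them with your own.

```shell
#!/bin/sh
# Added example, not from the original post: emit source-restricted iptables
# rules for ntop and splice them into a CentOS 6 /etc/sysconfig/iptables
# file just above its final INPUT REJECT rule. The addresses used below are
# illustrative assumptions; substitute your admin network and router.

# Print the two ACCEPT rules. $1 = network allowed to reach the web UI,
# $2 = router address allowed to send NetFlow, $3/$4 = web and flow ports.
ntop_rules() {
    printf '%s\n' \
        "-A INPUT -m state --state NEW -m tcp -p tcp -s $1 --dport ${3:-3000} -j ACCEPT" \
        "-A INPUT -m state --state NEW -m udp -p udp -s $2 --dport ${4:-9996} -j ACCEPT"
}

# Print iptables file $1 with the rules in file $2 inserted before its last
# "-A INPUT ... -j REJECT" line (or before COMMIT if there is no such line).
# Two passes over $1: the first finds the insertion point, the second prints.
insert_before_reject() {
    awk -v rulefile="$2" '
        NR == FNR {
            if ($0 ~ /^-A INPUT .*-j REJECT/) last = FNR
            if ($0 == "COMMIT") commit = FNR
            next
        }
        FNR == 1 && !last { last = commit }
        FNR == last { while ((getline r < rulefile) > 0) print r; close(rulefile) }
        { print }
    ' "$1" "$1"
}

# Constructed sample of a stock CentOS 6 /etc/sysconfig/iptables.
SAMPLE_IPTABLES=$(mktemp)
cat > "$SAMPLE_IPTABLES" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF

RULES=$(mktemp)
ntop_rules 192.0.2.0/24 198.51.100.1 > "$RULES"   # assumed admin net and router

# Review the result; on the real host write it to /etc/sysconfig/iptables
# and then run "service iptables restart".
insert_before_reject "$SAMPLE_IPTABLES" "$RULES"
```

The rules go above the REJECT rather than at the end of the file because iptables stops at the first matching rule; appended after the REJECT they would never be reached. If your file has no INPUT REJECT line the script falls back to inserting before COMMIT, which is harmless because ordering only matters relative to a deny.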
Starting ntop (and starting on boot):
Now start ntop with the following options.
Change "-w 3000" to whichever HTTP port you want to use for testing (-w also accepts address:port if you want the web interface bound to a single address rather than all interfaces).
cd /usr/local/ntop/bin
./ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes
More command line flag details here: http://www.ntop.org/wp-content/uploads/2011/09/ntop-man.html
To have ntop start on boot, open rc.local:
vi /etc/rc.local
and add this startup line (adjust the values if you changed them above):
/usr/local/ntop/bin/ntop -d -L -u ntop -P /usr/local/ntop -w 3000 --interface none --skip-version-check yes
Setting web options:
The first time you open the ntop web interface you'll need to do the following:
1. Head to Plugins -> NetFlow -> Activate.
This activates the NetFlow plugin; don't click the "yes" option, as that toggles it off again.
2. Head to Plugins -> NetFlow -> View/Configure.
3. Create a new collector named "eth#-collector", where # is the number of the eth interface you're sending data to.
4. Edit this collector and make sure the following settings are in place:
– local collector udp port: 9996
– flow aggregation: none
– enable session handling: no
– assume ftp: no
– debug: off
5. Head to Admin -> Configure -> Preferences.
6. Change the dot.path value to "/usr/bin/dot" (hit Set when done).
7. Head to http://code.google.com/apis/console and get a Google Maps API key (turn on the Google Maps API v2 and create a new browser-referrer key).
8. Head back to Admin -> Configure -> Preferences.
9. Change the google_maps.key value to the key you copied (hit Set when done).
10. Stop ntop (killall ntop).
11. Reboot the server and confirm that ntop starts on boot.
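To make step 11 more than a glance at the web page, the script below (an added example, not part of the original post) checks after a reboot that ntop is listening on 3000/tcp and 9996/udp and that every ntop process is running as the unprivileged ntop user set with -u above, rather than as root. The checks parse netstat and ps output, so they are exercised here on constructed sample lines; the PIDs in those samples are made up.

```shell
#!/bin/sh
# Added example, not from the original post: a post-reboot check that ntop
# came up listening on the expected ports and is running as the
# unprivileged "ntop" user rather than root. The checks read netstat and
# ps output from stdin so they can be run here against constructed text.

# Read "netstat -lntup" output on stdin; succeed only if an ntop process
# listens on tcp/$1 (web UI) and udp/$2 (NetFlow collector).
ntop_ports_ok() {
    awk -v web="$1" -v flow="$2" '
        $1 == "tcp" && $4 ~ (":" web "$") && $NF ~ /\/ntop$/ { t = 1 }
        $1 == "udp" && $4 ~ (":" flow "$") && $NF ~ /\/ntop$/ { u = 1 }
        END { exit !(t && u) }
    '
}

# Read "ps -o user= -C ntop" output on stdin; succeed only if at least one
# ntop process exists and every one of them runs as user "ntop".
ntop_user_ok() {
    awk '$1 != "ntop" { bad = 1 } END { exit (NR == 0 || bad) }'
}

# Constructed sample output, as a healthy CentOS 6 host would show it.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1061/sshd
tcp        0      0 0.0.0.0:3000                0.0.0.0:*                   LISTEN      1542/ntop
udp        0      0 0.0.0.0:9996                0.0.0.0:*                               1542/ntop'
SAMPLE_PS='ntop'

# Run both checks against the samples. On the real host pipe live output
# instead:
#   netstat -lntup | ntop_ports_ok 3000 9996 && ps -o user= -C ntop | ntop_user_ok
check_ntop() {
    printf '%s\n' "$SAMPLE_NETSTAT" | ntop_ports_ok 3000 9996 \
        || { echo 'ntop is not listening on 3000/tcp and 9996/udp' >&2; return 1; }
    printf '%s\n' "$SAMPLE_PS" | ntop_user_ok \
        || { echo 'an ntop process is missing or not running as user ntop' >&2; return 1; }
    echo 'ntop is up, listening, and unprivileged'
}
check_ntop
```

Both checks fail closed: no ntop process at all, a listener owned by some other program on the same port, or an ntop process running as root all return non-zero, which is what you want from a check wired into a boot-time or monitoring script.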
Shutting down ntop:
To shut down ntop:
killall ntop
Adding routers:
On a MikroTik:
/ip traffic-flow set active-flow-timeout=1m cache-entries=512k enabled=yes inactive-flow-timeout=15s interfaces=all
/ip traffic-flow target add address=<ntop ip address>:9996 disabled=no v9-template-refresh=20 v9-template-timeout=30m version=9
On a Cisco:
http://www.cisco.com/en/US/tech/tk812/tech_configuration_guides_list.html
Make sure 9996 is the UDP port you export the NetFlow traffic to, and that the export target is the ntop server's address.
Please feel free to post any comments or questions you have!