https://easyipv6.wordpress.com/2014/08/22/how-to-configure-ntopng-for-collecting-sflow-packets/
Maybe you thought the same as I thought when I searched online for good ntopng tutorials : “damn, I’ll have to make my own”. Well, as I will have to install the whole setup myself again, I prefer write it here and share it with you.
Presentation
Just to clarify things before we put our hands in the dirt, ntopng is a netflow analyzer with a nice web-interface, that can get the traffic of its own interface. HOWEVER. It cannot work as a netflow collector too. That means that if you have a couple network devices on a WAN Network, and you want to know what kind of flows are going through your network, you will have to install a separate tool, which is also developped by the ntopng guys : nProbe. Sadly, this one is not free, and you will need a license to get it working in production environnement as the default-installation provides a 20K flows limit per nprobe thread, then it stops collecting them.
So to make it short, you will have to :
- install ntopng and nprobe
- configure your network devices to send net/sflow packets to ntopng server
- configure nProbe to collect net/sflow packets and to stream them in JSON to ntopng
- configure ntopng to listen for nProbe JSON streams
Installation
I used Ubuntu 12.04 amd64 with latest updates for this setup. But I’m pretty sure it works with 14.04, maybe I’ll test it and update this post according to it.
The easiest way to get these packages installed would be installing their sources in APT :
wget http://www.nmon.net/apt-stable/12.04/all/apt-ntop.deb sudo dpkg -i apt-ntop.deb
and do an update of package list :
apt-get clean all apt-get update apt-get install nprobe ntopng
Well, the other way to get these packages installed would be downloading the .deb files and install them manually (follow the right steps because there are some dependencies):
wget http://www.nmon.net/apt-stable/12.04/x64/pfring_6.0.1-7598_amd64.deb wget http://www.nmon.net/apt-stable/12.04/x64/nprobe_6.16.140627-4223_amd64.deb wget http://www.nmon.net/apt-stable/12.04/x64/ntopng_1.2.1-8121_amd64.deb wget http://www.nmon.net/apt-stable/12.04/all/ntopng-data_1.1.4-7806_all.deb
Once you’ve downloaded the files, install them like this:
dpkg -i pfring_6.0.1-7598_amd64.deb dpkg -i nprobe_6.16.140627-4223_amd64.deb dpkg -i ntopng_1.2.1-8121_amd64.deb dpkg -i ntopng-data_1.1.4-7806_all.deb
N.B. : You could download the subversion repository and build the packages by your own but I don’t see the point while you can directly download the built packages. Note that for Centos, there are pre-built packages too on http://www.nmon.net/centos-stable/ .
Configuration
My test server has the IPv4 192.168.1.10.
First, launch ntopng :
ntopng -i tcp://127.0.0.1:5556 -d /var/tmp -w 3000 -v >> /dev/null &
Then, launch the nprobe collector:
nprobe --collector-port 6343 --zmq tcp://127.0.0.1:5556 >> /dev/null &
I want packet samples from my Brocade router so I configure it:
(config)#sflow enable (config)#sflow destination 192.168.1.10 6343 (config)#sflow polling-interval 1 (config)#sflow sample 1024
And then activate sflow forwarding on the ports you want:
(config)#interface ethernet 1/6 (config-if-e1000-1/6)#sflow forwarding !
NTOP Next-Generation network analyzer
Go to http://192.168.1.10:3000 and login with admin/admin. Change the password in Settings and wait for traffic coming in.
Congrats, now you can see a lot of details concerning traffic flows inside your network.
Activate the whole for production
The last thing to do to get this working outside your lab, in the real world, is activating the nProbe. For this, you have to purchase a license here (Ntopng itself is free on Unix systems) :
http://www.nmon.net/shop/cart.php
Once you got it, just generate the license file on the ntopng website (composed of order ID and system ID). Create the file like this:
echo 10225F63D0LICENSE5216043489 > /etc/nprobe.license
Just restart the nprobe, it should recognize the license and no longer limit the flows to 25k.
Enjoy!