NTOP for Netflow Monitoring
I did an NTOP install on CentOS 5.3 today and it was a little different than I’ve done before. The SecurityTeam.US repository doesn’t seem to contain ntop anymore, so I had to switch repositories. I did the following:
* Install a repository that has the ntop package available: “rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm”
* Install ntop “yum install ntop”
* Run ntop “ntop”
* When asked, you’ll need to supply a password for the default admin account. It gets a little lost in the startup noise, but if you scroll back you should see the request.
* run “service ntop start”
* run “chkconfig ntop on”
* Now it should be up and running and should restart at the next reboot as well.
* Allow ports 3000/tcp and 2055/udp if you have firewalling enabled. Port 3000/tcp is for the ntop web interface and port 2055/udp is for NetFlow.
* From another PC web browse http://yourserverip:3000
* Now, enable Netflow: From the menus select Plugins, Netflow, Enable
* Now make sure you are monitoring on the correct interface. Admin, Switch NIC. For me the interface was NetFlow-device.2 [id=1].
* Now set your Netflow defaults. Plugins, Netflow, View/Configure.
o Select the device you want, Hit the Edit Netflow Device button.
o I left the name alone as NetFlow-device.2
o Change local collector udp port to 2055 (the default port).
o Hit the Set Port button
o Virtual Netflow Interface is the interface on the router (indicated as the flow-export source interface below) that will be sending you the NetFlow stream of data. Also put its mask. (For me this was 192.168.1.1/255.255.255.0)
o Hit the Set Interface Address button
o Aggregation – none (This was my preference)
o Hit the Set Aggregation Button
o The only other thing I changed was debug. I turned it off.
o Hit the Set Debug button
So the next step was to configure the router to export NetFlow to the ntop box.
* Log in to privileged mode on the router and enter configuration mode
* (config)#ip flow-export source
* (config)#ip flow-export version 5 peer-as
* (config)#ip flow-export destination
* (config)#ip flow-cache timeout active 1
* Now change to the interface you want to monitor
* (config)# interface
* (config-if)# ip route-cache flow
* (config-if)# bandwidth 1544
* (config-if)# wr
service ntop start causes FATAL ERROR on CentOS
ntop runs fine when executed from the command line; however, the following happens when service ntop start is run.
Starting ntop: Processing file /etc/ntop.conf for parameters...
Mon Aug 3 19:49:38 2009 NOTE: Interface merge enabled by default
Mon Aug 3 19:49:38 2009 Initializing gdbm databases
FATAL ERROR: Unrecognized/unprocessed ntop options...
, --user=ntop, , --db-file-path=/var/ntop, , , , --use-syslog=local3, , , , , , , --daemon,
run ntop --help for usage information
Common problems:
-B "filter expressions" (quotes are required)
--use-syslog=facilty (the = is required)
[FAILED]
The fix was originally posted here; all credit goes to them. I’m reposting it here for my own convenience.
The Fix
Edit /etc/init.d/ntop
start () {
echo -n $"Starting $prog: "
# original line, now commented out:
# daemon $prog -d -L @/etc/ntop.conf
# replacement: pass the @/etc/ntop.conf argument before -d and -L
daemon $prog @/etc/ntop.conf -d -L
In addition to this, /etc/ntop.conf needs to be edited and any spaces in the options should be replaced with =.
[root@Neptune ~]# service ntop start
Starting ntop: Processing file /etc/ntop.conf for parameters...
Mon Aug 3 19:51:02 2009 NOTE: Interface merge enabled by default
Mon Aug 3 19:51:02 2009 Initializing gdbm databases
[ OK ]
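The second half of the fix above is editing /etc/ntop.conf so that every “--option value” becomes “--option=value”. The shell script below is an added example (it is not from the original post or from the ntop project) that applies that rule to a config file and then checks that no space-separated long option remains. It assumes the ntop.conf format of one option per line with # comments; short options such as -B "filter" are deliberately left untouched, since the post notes their quoted value is required, and a # after an option is treated as a trailing comment rather than a value. The sample config inside the script is constructed for the demo, not a real /etc/ntop.conf.

```shell
#!/bin/sh
# Added example (not from the original post or from ntop itself): rewrite an
# ntop.conf so that "--option value" becomes "--option=value", the form the
# fixed init script expects, and check that nothing space-separated remains.
# Assumptions: one option per line, # starts a comment, only long options are
# rewritten (short options like -B "host ..." keep their quoted value as-is).

# normalize_ntop_conf FILE : print the rewritten config on stdout
normalize_ntop_conf() {
    # group 1 = leading whitespace + long option name, group 2 = its value;
    # a value beginning with # is a trailing comment and is not converted
    sed -e 's/^\([[:space:]]*--[A-Za-z0-9_-]*\)[[:space:]]\{1,\}\([^[:space:]#].*\)$/\1=\2/' "$1"
}

# check_ntop_conf FILE : return 0 if no long option still uses a space
# separator, 1 otherwise (offending lines are printed to stderr)
check_ntop_conf() {
    bad=$(grep -E '^[[:space:]]*--[A-Za-z0-9_-]+[[:space:]]+[^[:space:]#]' "$1" || true)
    if [ -n "$bad" ]; then
        printf 'space-separated options still present:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Stand-alone demo on a constructed sample file (not a real /etc/ntop.conf)
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' '--user ntop' '--db-file-path=/var/ntop' \
        '--use-syslog local3' '--daemon' '-B "host 192.0.2.1"' > "$f"
    echo "== before =="; cat "$f"
    echo "== after =="; normalize_ntop_conf "$f"
    rm -f "$f"
}
demo
```

In practice, run normalize_ntop_conf against a copy of /etc/ntop.conf, review the output, replace the original once check_ntop_conf passes, and then confirm that service ntop start no longer reports “Unrecognized/unprocessed ntop options”.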