Setting up and using Traffic Flow in Mikrotik

Enable Traffic Flow on the Mikrotik router:

ip traffic-flow set enabled=yes cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s interfaces=all

View settings:

ip traffic-flow print

Specify the IP address and port of the computer that will receive the Traffic-Flow packets:

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=9 v9-template-refresh=20 v9-template-timeout=30m

or

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=5

View settings:

ip traffic-flow target print

To configure through the GUI, the settings can be found in the menu IP -> Traffic Flow.

For monitoring under Windows, you can install ManageEngine NetFlow Analyzer, which works as a collector: it receives the packets on the specified port and presents graphs and statistics through a built-in web server that you open in a browser.

For monitoring under Linux, you can install and configure, for example, flow-tools.

Logging activity using IPTables

Using iptables, you can log network activity to a file, that is, record which traffic is sent, to which destination and from which source.
Example command:

sudo iptables -t filter -A FORWARD -s 192.168.1.0/24 -m tcp -p tcp --dport 80 -j LOG --log-prefix "iptables: "

So that this information is written to a separate file rather than into the general rsyslog log, create a file:

sudo nano /etc/rsyslog.d/10-iptables.conf

And add the following to it:

:msg, contains, "iptables: " -/var/log/iptables.log
& ~

The leading "-" before the file name tells rsyslog not to sync after every write, and "& ~" discards the matched message so it does not also land in the general log (on rsyslog 7 and newer, "& stop" is the preferred spelling of the same thing).

To apply the changes, restart rsyslog:

sudo /etc/init.d/rsyslog reload

Done, the network activity specified in the first rule will be written to the file /var/log/iptables.log.

It is also advisable to configure logrotate to remove old logs and save disk space.
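Once the rule above is logging, the next question is how to read /var/log/iptables.log. The following is an added example, not part of the original article: it parses the KEY=VALUE fields that the LOG target emits (SRC, DST, PROTO, SPT, DPT and bare flag tokens such as SYN or DF) and counts new TCP connection attempts per source, destination and port. The log lines embedded in it are constructed in the format the FORWARD rule above produces; the interface names, addresses and MACs in them are made up.

```python
"""Parse iptables LOG records as rsyslog writes them to /var/log/iptables.log
and summarise them per source host.  Added example; the log lines below are
constructed, not taken from a real system."""
from collections import Counter

LOG_PREFIX = "iptables: "

# Constructed sample lines in the format produced by the FORWARD rule above.
# The last line has no prefix and must be ignored by the parser.
SAMPLE_LOG = """\
May  1 00:07:59 gw kernel: [  123.456789] iptables: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=54321 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 00:08:01 gw kernel: [  125.000001] iptables: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.10 DST=93.184.216.34 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=54322 DF PROTO=TCP SPT=51234 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0
May  1 00:08:05 gw kernel: [  129.100000] iptables: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=192.168.1.22 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
May  1 00:08:06 gw kernel: [  130.000000] unrelated kernel message without the prefix
"""

# Tokens the LOG target emits as bare flags (no "=" sign).
BARE_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE", "DF", "MF"}


def parse_log_line(line):
    """Return a dict of the KEY=VALUE fields of one LOG record plus a
    'flags' set for bare tokens; return None for lines without our prefix."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    fields = {"flags": set()}
    for token in line[idx + len(LOG_PREFIX):].split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
        elif token in BARE_FLAGS:
            fields["flags"].add(token)
    return fields


def count_new_connections(log_text):
    """Count TCP connection attempts (SYN without ACK) per (SRC, DST, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec.get("PROTO") != "TCP":
            continue
        if "SYN" in rec["flags"] and "ACK" not in rec["flags"]:
            counts[(rec["SRC"], rec["DST"], int(rec["DPT"]))] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, dpt), n in count_new_connections(SAMPLE_LOG).most_common():
        print(f"{src} -> {dst}:{dpt}  {n} new connection(s)")
```

To run it over the real file, replace SAMPLE_LOG with the contents of /var/log/iptables.log; counting only SYN-without-ACK packets gives one entry per connection attempt instead of one per logged packet.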

See also:
Configuring logrotate for log rotation
Configuring IPTables

Opening and analysis of files created with NetFlow

Here is an example of viewing statistics:

cat ft-v05.2015-05-01.000759+0300 | flow-stat -f 10 -S 3 | less
cat ft-v05.2015-05-01.000759+0300 | flow-stat -n -p -w -f 26 -S 2 | less
flow-cat ft-v05.2017-12-07.170236+0200 | flow-print | less

You can see the flow-stat tips by typing:

man flow-stat

Here is an example of exporting the data to another format (for example CSV, which can then be opened in Windows with any convenient program):

flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 | less
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 > csv.csv

You can display only the flows with the specified source address with the following command:

flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300

Export only the flows with the specified source address to a file, for example, with the following command:

flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300 > file.txt

Example of exporting from multiple files:

flowdumper -se '"192.168.0.1" eq $srcip' /backup/flows/acct/first/2016/2016-01/ft-v05.2015-06-17* > /backup/result.txt
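The flow-tools commands above work on files the collector has already written. To show what actually travels from the Mikrotik version=5 target to the collector, and what flow-export -f 2 and the flowdumper source-address filter do with it, here is an added example that is not part of the original article or of flow-tools: it packs a NetFlow v5 datagram (24-byte header, 48-byte records) from constructed values, decodes it, checks that the record count matches the datagram length, renders the flows as CSV and filters them by source address. The addresses, ports and counters are made up.

```python
"""Decode a NetFlow v5 export datagram of the kind the Mikrotik target
(version=5) sends to the collector, and reproduce two flow-tools tasks on it:
CSV export and filtering by source address.  Added example; the datagram is
constructed with struct.pack, not captured from a real router."""
import csv
import io
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"                   # 24-byte v5 header
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"     # 48-byte v5 flow record
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
CSV_FIELDS = ["srcaddr", "dstaddr", "prot", "srcport", "dstport", "dpkts", "doctets", "tcp_flags"]


def build_record(src, dst, prot, sport, dport, pkts, octets, flags=0):
    """Pack one v5 record: addresses, nexthop, ifindexes, counters, times,
    ports, pad, tcp_flags, prot, tos, AS numbers, masks, pad (constructed)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, flags, prot, 0, 0, 0, 24, 24, 0)


def build_datagram(records, sequence=1):
    """Pack a v5 header (version, count, uptime, secs, nsecs, sequence,
    engine type/id, sampling) followed by the records."""
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1430431679, 0,
                         sequence, 0, 0, 0)
    return header + b"".join(records)


def parse_v5(data):
    """Parse a v5 datagram into a list of flow dicts; raise ValueError on a
    wrong version or when the header's count does not match the length."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, _sampling = \
        struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "srcaddr": socket.inet_ntoa(f[0]), "dstaddr": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]), "input": f[3], "output": f[4],
            "dpkts": f[5], "doctets": f[6], "first": f[7], "last": f[8],
            "srcport": f[9], "dstport": f[10], "tcp_flags": f[12],
            "prot": f[13], "tos": f[14], "src_as": f[15], "dst_as": f[16],
            "src_mask": f[17], "dst_mask": f[18], "sequence": seq,
        })
    return flows


def flows_to_csv(flows):
    """Render flows as CSV text, in the spirit of flow-export -f 2."""
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=CSV_FIELDS, extrasaction="ignore")
    w.writeheader()
    w.writerows(flows)
    return buf.getvalue()


def filter_by_srcip(flows, srcip):
    """Same selection as flowdumper -se '"srcip" eq $srcip'."""
    return [f for f in flows if f["srcaddr"] == srcip]


# Constructed sample: one HTTP flow from 192.168.0.1 and one DNS flow to it.
SAMPLE_DATAGRAM = build_datagram([
    build_record("192.168.0.1", "93.184.216.34", 6, 51234, 80, 12, 6400, flags=0x1b),
    build_record("192.168.0.7", "192.168.0.1", 17, 53000, 53, 1, 78),
])

if __name__ == "__main__":
    flows = parse_v5(SAMPLE_DATAGRAM)
    print(flows_to_csv(filter_by_srcip(flows, "192.168.0.1")))
```

A real collector would feed parse_v5 with the payload of each UDP datagram received on the port given in the Mikrotik target (1234 in the examples above); the length check matters there because a truncated or non-v5 datagram would otherwise be decoded into garbage records.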

See also:
Installing and using flow-tools

Remote Wake-up of the computer (Wake On LAN)

To turn on a computer remotely, you need an ATX power supply, a motherboard that supports Wake On LAN with the feature enabled in the BIOS, and a network adapter that supports Wake On LAN.

When Wake On LAN is supported, the powered-down computer keeps the network adapter in a low-power state, in which it listens to all packets addressed to its MAC address without answering them. When a Magic Packet arrives, the network adapter sends a signal to turn on the computer's power.

View active network adapters:

ifconfig

You will need the ethtool package; if it is not installed on the system, install it:

sudo apt-get install ethtool

Check for WOL support:

sudo ethtool eth0 | grep Wake

The output of the command if the network card supports WOL and it is enabled:

Supports Wake-on: g
Wake-on: g

The output of the command when WOL is off:

Wake-on: d

Possible letters in the output (taken from man ethtool):

p Wake on PHY activity
u Wake on unicast messages
m Wake on multicast messages
b Wake on broadcast messages
a Wake on ARP
g Wake on MagicPacket™
s Enable SecureOn™ password for MagicPacket™
d Disable (wake on nothing). This option clears all previous options.

To turn on WOL:

sudo ethtool -s INTERFACE wol g

where INTERFACE is the name of the network adapter shown by ifconfig.

Turning on the computer:

sudo apt-get install wakeonlan
wakeonlan -p 50000 00:01:02:03:04:05

-p specifies the UDP port number (the default is 9).

On the Internet there are also many sites and phone applications that allow you to send such a packet to a remote computer.
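Whatever tool sends it, the Magic Packet the adapter matches has a fixed layout: six bytes of 0xFF followed by the target MAC address repeated 16 times (102 bytes), with an optional 6-byte SecureOn password appended when the adapter's "s" mode is on. The following is an added example, not code from the original article or from the wakeonlan package: it builds that payload, validates a received payload the way the adapter does (the sync stream may appear anywhere in the packet), and sends it as a UDP broadcast like wakeonlan -p PORT MAC. The MAC addresses and the password value are constructed.

```python
"""Build and validate a Wake On LAN Magic Packet: 6 bytes of 0xFF followed by
the target MAC repeated 16 times, optionally followed by a 6-byte SecureOn
password.  Added example; MAC and password values are constructed."""
import re
import socket

SYNC_STREAM = b"\xff" * 6


def parse_mac(mac):
    """Accept 00:01:02:03:04:05, 00-01-02-03-04-05 or 000102030405."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac, secureon_password=None):
    """Return the 102-byte payload, or 108 bytes with a SecureOn password
    (the password uses the same 6-byte hex notation as a MAC)."""
    payload = SYNC_STREAM + parse_mac(mac) * 16
    if secureon_password is not None:
        payload += parse_mac(secureon_password)
    return payload


def is_magic_packet_for(payload, mac):
    """Check a received UDP payload the way the adapter does: a sync stream
    anywhere in the payload must be followed by 16 copies of our own MAC."""
    target = parse_mac(mac) * 16
    idx = payload.find(SYNC_STREAM)
    while idx >= 0:
        if payload[idx + 6: idx + 6 + len(target)] == target:
            return True
        idx = payload.find(SYNC_STREAM, idx + 1)
    return False


def send_magic_packet(mac, port=9, broadcast="255.255.255.255", password=None):
    """Send the packet as a UDP broadcast, like wakeonlan -p PORT MAC;
    returns the number of payload bytes sent."""
    payload = build_magic_packet(mac, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(payload, (broadcast, port))
    return len(payload)


if __name__ == "__main__":
    pkt = build_magic_packet("00:01:02:03:04:05")
    print(len(pkt), pkt[:8].hex())
```

The search in is_magic_packet_for matters because the standard only requires the sync stream to occur somewhere in the frame, so a packet with leading bytes before 0xFF 0xFF ... still wakes the machine; this is also why the adapter cannot authenticate the sender unless SecureOn is in use.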

See also:
Using ethtool

Using ethtool

ethtool – a utility for configuring network interfaces in Linux.

You can install ethtool in Ubuntu / Debian using the command:

sudo apt-get install ethtool

Let’s look at the names of network interfaces:

ifconfig -a

Switch to root, as some commands require elevated privileges:

sudo su

Example of viewing eth0 settings:

ethtool eth0

Example of viewing information about the network interface driver:

ethtool -i eth0

Viewing Network Interface Statistics:

ethtool -S eth0

View auto-negotiation settings:

ethtool -a eth0

Make the LED on the specified network interface blink for 3 seconds:

ethtool -p eth0 3

Network interface self-test (the online test does not interrupt traffic; the offline test takes the interface out of service while it runs):

ethtool -t eth0 online
ethtool -t eth0 offline

View the current and maximum size of TX and RX buffers:

ethtool -g eth0

Manual speed setting of 100 Mb Full Duplex on the specified network interface (the specified parameters will be reset after the system restart):

ethtool -s eth0 speed 100 duplex full

Viewing help about ethtool:

ethtool -h

See also:
Configuring the Network in Linux
Changing TX and RX network interface buffers in Linux
Remote Wake-up of the computer (Wake On LAN)

Installing and using jnettop

jnettop – a utility for viewing traffic statistics in real time, sorted by hosts / ports.

The installation command in Ubuntu/Debian:

sudo apt-get install jnettop

The installation command in CentOS:

sudo yum install jnettop

An example of a simple start:

sudo jnettop

An example of a start with a network interface:

sudo jnettop -i eth0

The possible startup options:
-h (help)
-v (show version)
-c (disable content filtering)
-d (write debugging information to a file)
-f (read the configuration from the given file; if not specified, ~/.jnettop is used)
-i (capture packets from the specified interface)
--local-aggr [none|host|port|host+port] (set local aggregation to the specified value)
--remote-aggr [none|host|port|host+port] (set remote aggregation to the specified value)
-n (do not resolve IP addresses to DNS names)
-p (enable promiscuous mode to receive all packets that arrive at the network interface)
-s (select one of the rules defined in the .jnettop configuration file, by its name)
-x (specify a custom filter rule in tcpdump-style syntax; remember to enclose the filter in quotation marks when starting from the shell)

Install and configure ntopng

Below I'll describe the installation of ntopng in Ubuntu.
Select the required package at http://packages.ntop.org/apt-stable/ and download it:

wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb

Then run:

sudo apt-get clean all
sudo apt-get update
sudo apt-get install pfring nprobe ntopng ntopng-data n2disk nbox
sudo touch /etc/ntopng/ntopng.start
sudo /etc/init.d/ntopng restart

If new versions of ntopng are released, then you can update by running the commands:

sudo apt-get update
sudo apt-get upgrade

After installation, the configuration file is located at /etc/ntopng/ntopng.conf.
Here is an example of its content:

-w=3000
-d=/var/tmp/ntopng
-G=/var/run/ntopng.pid
--httpdocs-dir /usr/share/ntopng/httpdocs
--local-networks="192.168.0.0/16,10.0.0.0/8,172.16.0.0/16"

Restart / stop / start ntopng with commands:

sudo /etc/init.d/ntopng restart
sudo /etc/init.d/ntopng stop
sudo /etc/init.d/ntopng start

You can check from the console with the command:

sudo /etc/init.d/ntopng status
sudo netstat -tulpn | grep :3000

Open the web interface by typing in the address bar of the browser:
http://HOST:3000

The default login and password are admin/admin; change them after the first login.

See also:
Install and configure nprobe
The solution to the error “Missing /etc/ntopng/ntopng.start. Quitting”