Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, we selected the necessary package at http://packages.ntop.org/apt-stable/ and downloaded and installed it:
wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb
Install nprobe if it is not installed:
sudo apt-get clean all
sudo apt-get update
sudo apt-get install nprobe
To receive NetFlow data and transfer it to ntopng, create a file (in the nano editor, press CTRL+X to exit, y/n to save or discard changes):
sudo nano /etc/nprobe/nprobe-anyname.conf
Add to it:
--zmq="tcp://*:5556"
-3 2055
--flow-version 9
-n=none
-i=none
2055 is the port on which you want to receive NetFlow data, and port 5556 is used to transmit it to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik
Now open the ntopng configuration in a text editor:
sudo nano /etc/ntopng/ntopng.conf
And add a line at the end (thereby adding the nprobe interface to collect statistics):
--interface="tcp://127.0.0.1:5556"
Finally, restart ntopng to apply the changes:
sudo service ntopng restart
Check whether everything works:
sudo netstat -tulpen | grep 2055
sudo netstat -tulpen | grep 5556
sudo /etc/init.d/nprobe status
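The check step above, extended into a small script (an added example, not part of the original article): it reads `netstat -tulpen` output and reports whether the NetFlow collector port 2055 and the ZMQ port 5556 are bound, and whether only on loopback or on a wildcard/external address. The sample output is constructed, the function names are hypothetical, and treating 2055 as UDP is an assumption based on the usual NetFlow transport.

```shell
#!/bin/sh
# Added example: classify how the article's ports are bound.
# SAMPLE is constructed `netstat -tulpen` output, not taken from a real host.
SAMPLE='Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 0 0.0.0.0:5556   0.0.0.0:* LISTEN 0   31337 1201/nprobe
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN 999 31400 1250/ntopng
udp 0 0 0.0.0.0:2055   0.0.0.0:*        0   31338 1201/nprobe'

# bind_scope PROTO PORT: reads netstat output on stdin and prints one of
#   missing  - no socket bound on that protocol/port
#   loopback - bound only on 127.0.0.0/8 or ::1
#   exposed  - bound on a wildcard or other non-loopback address
bind_scope() {
    awk -v proto="$1" -v port="$2" '
        index($1, proto) == 1 {              # tcp also matches tcp6, udp also udp6
            n = split($4, parts, ":")        # $4 is "address:port"; port is the last part
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "::1") {
                if (scope == "") scope = "loopback"
            } else {
                scope = "exposed"
            }
        }
        END { print (scope == "" ? "missing" : scope) }
    '
}

# report: print the scope of the NetFlow collector port and the ZMQ port.
# Assumption: the collector on 2055 is UDP, the usual NetFlow transport.
report() {
    for spec in "udp 2055" "tcp 5556"; do
        set -- $spec
        printf '%s/%s: %s\n' "$1" "$2" \
            "$(printf '%s\n' "$NETSTAT_OUT" | bind_scope "$1" "$2")"
    done
}

# Use real output if supplied in NETSTAT_OUT, otherwise the constructed sample.
NETSTAT_OUT=${NETSTAT_OUT:-$SAMPLE}
report
```

On a real host, pass the live output in the NETSTAT_OUT variable, for example NETSTAT_OUT="$(sudo netstat -tulpen)". A result of `exposed` for tcp/5556 means the ZMQ endpoint is reachable beyond 127.0.0.1, which is the case the firewall rules listed under "See also" need to cover.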
I noticed that nprobe does not always shut down after the command:
sudo /etc/init.d/nprobe stop
Therefore, if necessary, you can stop it like this:
sudo killall nprobe
sudo kill -9 PID
In the free version of nprobe, I had a message:
NOTE: This is a DEMO version limited to 25000 flows export.
The full version can be purchased at the official shop, shop.ntop.org.
See also:
IPTables rules for nprobe