Wireshark (formerly Ethereal) is a traffic analyzer program for computer networks. Tshark is the console version; Wireshark is the GUI version.
Tag Archives: NetFlow
Installing and using ipt_NETFLOW
ipt_NETFLOW is a fast NetFlow traffic sensor. It consists of a kernel module and an iptables target and supports NetFlow v5, v9, and v10 (IPFIX).
Installing and using Nfsen
Nfsen is an open-source NetFlow collector and analyzer that displays statistics as graphs in a web interface.
Installing and using Nfdump
Nfdump is a collection of tools for collecting and processing NetFlow data.
Installing and configuring fprobe
For the test, I will install the fprobe sensor, which collects statistics from network interfaces and sends them to the collector.
Install and configure nprobe
Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, we selected the required package at http://packages.ntop.org/apt-stable/ and downloaded it:
wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb
Install nprobe if it is not installed:
sudo apt-get clean all
sudo apt-get update
sudo apt-get install nprobe
To receive NetFlow data and pass it on to ntopng, create a file (in the nano editor, press CTRL+X to exit, then y/n to save or discard changes):
sudo nano /etc/nprobe/nprobe-anyname.conf
Add to it:
--zmq="tcp://*:5556" -3 2055 --flow-version 9 -n=none -i=none
2055 is the port on which NetFlow data is received (the -3 option), and port 5556 is the ZMQ endpoint over which the flows are passed to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik
Now it remains to open the ntopng configuration in a text editor:
sudo nano /etc/ntopng/ntopng.conf
And add a line at the end (thereby adding the nprobe interface to collect statistics):
--interface="tcp://127.0.0.1:5556"
It remains to restart ntopng to apply the changes:
sudo service ntopng restart
Check whether everything works:
sudo netstat -tulpen | grep 2055
sudo netstat -tulpen | grep 5556
sudo /etc/init.d/nprobe status
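The check above is two greps read by eye. The script below is an added example (not from the original post) that does the same check over netstat -tulpen output: it confirms that something is bound on UDP 2055 and TCP 5556 and reports whether the ZMQ export is bound only on the loopback interface. The sample netstat output is constructed; with the config above, --zmq="tcp://*:5556" binds on all interfaces, while ntopng on the same host only needs tcp://127.0.0.1:5556, so the script flags that as "all-interfaces" (function names such as port_listener and check_nprobe are this example's own).

```shell
#!/bin/sh
# Added example, not part of the original post: verify the nprobe listeners
# from `netstat -tulpen` output. On a real host run:
#   sudo netstat -tulpen | check_nprobe
# The sample below is constructed to look like that output.

# Constructed sample; the "Local Address" column is field 4.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:5556            0.0.0.0:*               LISTEN      0          12345      2101/nprobe
udp        0      0 0.0.0.0:2055            0.0.0.0:*                           0          12346      2101/nprobe
tcp        0      0 127.0.0.1:3000          0.0.0.0:*               LISTEN      0          12347      2200/ntopng'

# port_listener PROTO PORT  (netstat output on stdin)
# Prints the local address bound on PORT for PROTO (tcp/udp) and returns 0;
# returns 1 and prints nothing when no socket is bound there.
port_listener() {
    addr=$(awk -v proto="$1" -v port="$2" '
        $1 == proto {
            n = split($4, a, ":")          # the last ":"-separated field is the port
            if (a[n] == port) { print $4; exit }
        }')
    [ -n "$addr" ] || return 1
    printf '%s\n' "$addr"
}

# bind_scope ADDR:PORT -> "local", "all-interfaces" or "specific"
bind_scope() {
    case $1 in
        127.0.0.1:*|::1:*)     echo local ;;
        0.0.0.0:*|:::*|\*:*)   echo all-interfaces ;;
        *)                     echo specific ;;
    esac
}

# check_nprobe  (netstat output on stdin)
# Prints one line per expected listener; returns 0 only when both exist.
check_nprobe() {
    out=$(cat)          # read stdin once so both checks can reuse it
    status=0
    nf=$(printf '%s\n' "$out" | port_listener udp 2055) \
        && echo "NetFlow listener: $nf" \
        || { echo "no UDP listener on 2055 (check -3 2055 in the nprobe config)"; status=1; }
    zmq=$(printf '%s\n' "$out" | port_listener tcp 5556) \
        && echo "ZMQ export:       $zmq ($(bind_scope "$zmq"))" \
        || { echo "no TCP listener on 5556 (check --zmq in the nprobe config)"; status=1; }
    return $status
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_NETSTAT" | check_nprobe
```

Because ntopng connects to 127.0.0.1:5556, changing the nprobe line to --zmq="tcp://127.0.0.1:5556" keeps the flow export off the network without changing anything on the ntopng side; the script then reports the endpoint as "local".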
I noticed that nprobe does not always shut down after the command:
sudo /etc/init.d/nprobe stop
Therefore, if necessary, you can stop it like this:
sudo killall nprobe
sudo kill -9 PID
In the free version of nprobe, I had a message:
NOTE: This is a DEMO version limited to 25000 flows export.
The full version can be purchased at the official site, shop.ntop.org.
See also:
IPTables rules for nprobe
Configuring sFlow on D-Link Switches
sFlow is a traffic analysis protocol, similar to NetFlow.
Enable/disable sFlow on the switch:
enable/disable sflow
Viewing parameters:
show sflow
show sflow flow_sampler
show sflow counter_poller
show sflow analyzer_server
Adding/modifying the sFlow analyzer server:
create/config sflow analyzer_server 1-4 owner NAME timeout 1-2000000(sec)/infinite collectoraddress ADDRESS collectorport udp_PORT maxdatagramsize 300-1400
Example of removing the sFlow analyzer server:
delete sflow analyzer_server 1-4
Creating, modifying, deleting the sFlow polling counters:
create/config sflow counter_poller ports NUMBER/all analyzer_server_id 1-4 interval disable/20-120(sec)
delete sflow counter_poller ports NUMBER/all
Create, modify, delete sFlow sample ports:
create/config sflow flow_sampler ports NUMBER/all analyzer_server_id (1-4) rate value 0-65535 tx_rate value 0-65535 maxheadersize value 18-256
delete sflow flow_sampler ports NUMBER/all
I will give an example configuration:
enable sflow
create sflow analyzer_server 1 owner Linux collectoraddress 192.168.1.5 collectorport 6343
create sflow counter_poller ports 1 analyzer_server_id 1 interval 20
create sflow flow_sampler ports 1:1 analyzer_server_id 1 rate 1000 maxheadersize 128
Configuring NetFlow on Cisco
Let’s say we have a collector running as I described in this article – Installing and using flow-tools
Now connect to the Cisco switch; for the test, I connect to a Cisco Catalyst 6509-E.
Now go into the configuration mode:
Setting up and using Traffic Flow in Mikrotik
Enable Traffic Flow on the Mikrotik router:
ip traffic-flow
set enabled=yes cache-entries=4k
set active-flow-timeout=30m inactive-flow-timeout=15s interfaces=all
View settings:
ip traffic-flow print
Specify the IP address and port of the computer that will receive the Traffic-Flow packets:
ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=9 v9-template-refresh=20 v9-template-timeout=30m
or
ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=5
View settings:
ip traffic-flow target print
To configure through the GUI, the settings can be found in the menu IP -> Traffic Flow.
For monitoring under Windows, you can install ManageEngine NetFlow Analyzer, which acts as a server: it receives packets on the specified port and generates graphs and statistics, served by its built-in web server and opened in a browser.
For monitoring under Linux, you can install and configure flow-tools, for example.
Opening and analyzing files created with NetFlow
Here is an example of viewing statistics:
cat ft-v05.2015-05-01.000759+0300 | flow-stat -f 10 -S 3 | less
cat ft-v05.2015-05-01.000759+0300 | flow-stat -n -p -w -f 26 -S 2 | less
flow-cat ft-v05.2017-12-07.170236+0200 | flow-print | less
You can see the flow-stat tips by typing:
man flow-stat
I will give an example of exporting data to another format (for example, to CSV, which can then be opened in Windows with any convenient program):
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 | less
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 > csv.csv
You can display only the flows with the specified source address with the following command:
flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300
To export only the flows with the specified source address to a file, use for example the following command:
flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300 > file.txt
Example of exporting from multiple files:
flowdumper -se '"192.168.0.1" eq $srcip' /backup/flows/acct/first/2016/2016-01/ft-v05.2015-06-17* > /backup/result.txt
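The -se argument in the flowdumper commands above is a Perl expression that flowdumper evaluates for every flow, which is why the address is written in Perl quotes. If these commands are wrapped in a script that takes the address from a variable or an argument, the address has to be validated before it is spliced into that expression, or anything after a closing quote is evaluated as code. The wrapper below is an added example (not part of the original post): it accepts only a dotted-quad IPv4 address, builds the same filter as the commands above, and only then calls flowdumper. The function names (is_ipv4, build_srcip_filter, export_by_srcip) are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: build the flowdumper -se filter
# from a validated IPv4 address instead of splicing raw input into the
# Perl expression.

# is_ipv4 ADDR -> returns 0 only for a dotted quad with each octet 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NR == 1 && NF == 4 {
            ok = 1
            for (i = 1; i <= 4; i++)
                if ($i !~ /^[0-9][0-9]?[0-9]?$/ || $i + 0 > 255) ok = 0
        }
        NR > 1 { ok = 0 }                  # reject multi-line input
        END { exit ok ? 0 : 1 }'
}

# build_srcip_filter ADDR -> prints the expression used with -se above,
# e.g.  "192.168.0.1" eq $srcip ; returns 1 and prints nothing for bad input
build_srcip_filter() {
    is_ipv4 "$1" || return 1
    printf '"%s" eq $srcip\n' "$1"
}

# export_by_srcip ADDR OUTFILE FLOWFILE...
# Same as the manual command, with the filter validated first:
#   flowdumper -se '"ADDR" eq $srcip' FLOWFILE... > OUTFILE
export_by_srcip() {
    addr=$1; outfile=$2; shift 2
    filter=$(build_srcip_filter "$addr") \
        || { echo "refusing to build a filter from: $addr" >&2; return 2; }
    flowdumper -se "$filter" "$@" > "$outfile"
}

# Demonstration without flow files: show the filter that would be passed.
build_srcip_filter 192.168.0.1
build_srcip_filter '192.168.0.1" or 1' || echo "rejected: not a plain IPv4 address"
```

Usage against real data mirrors the last command above: export_by_srcip 192.168.0.1 /backup/result.txt /backup/flows/acct/first/2016/2016-01/ft-v05.2015-06-17* (flowdumper must be installed for that call; the validation itself runs anywhere).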
See also:
Installing and using flow-tools