Install and configure nprobe

Suppose we installed ntopng as I described in this article – Install and configure ntopng
That is, they selected the necessary package at http://packages.ntop.org/apt-stable/ and downloaded it:

wget wget http://apt-stable.ntop.org/16.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb

Install nprobe if it is not installed:

sudo apt-get clean all
sudo apt-get update
sudo apt-get install nprobe

To receive NetFlow data and transfer it to ntopng, create a file (in the nano editor, press CTRL+X to exit, y/x to save or discard changes):

sudo nano /etc/nprobe/nprobe-anyname.conf

Add to it:

--zmq="tcp://*:5556"
-3 2055
--flow-version 9
-n=none
-i=none

2055 is the port on which you want to receive NetFlow data, and port 5556 is used to transmit it to ntopng.
See my articles on configuring NetFlow on switches:
Configuring NetFlow on Cisco
Configuring sFlow on D-Link Switches
Setting up and using Traffic Flow in Mikrotik

Now it remains to open the ntopng configuration in a text editor:

sudo nano /etc/ntopng/ntopng.conf

And add a line at the end (thereby adding the nprobe interface to collect statistics):

--interface="tcp://127.0.0.1:5556"

It remains to restart ntopng to apply the changes:

sudo service ntopng restart

Check whether everything works:

sudo netstat -tulpen | grep 2055
sudo netstat -tulpen | grep 5556
sudo /etc/init.d/nprobe status

I noticed that nprobe does not always shut down after the command:

sudo /etc/init.d/nprobe stop

Therefore, if necessary, you can stop it like this:

sudo killall nprobe
sudo kill -9 PID

In the free version of nprobe, I had a message:

NOTE: This is a DEMO version limited to 25000 flows export.

The full version can be purchased at the official site of shop.ntop.org.

See also:
IPTables rules for nprobe

Configuring sFlow on D-Link Switches

sFlow – Traffic analysis protocol, similar to NetFlow.

Enable/disable sFlow on the switch:

enable/disable sflow

Viewing parameters:

show sflow
show sflow flow_sampler
show sflow counter_poller
show sflow analyzer_server

Adding/modifying the sFlow analyzer server:

create/config sflow analyzer_server 1-4 owner NAME timeout 1-2000000(sec)/infinite collectoraddress ADDRESS collectorport udp_PORT maxdatagramsize 300-1400

Example of removing the sFlow analyzer server:

delete sflow analyzer_server 1-4

Creating, modifying, deleting the sFlow polling counters:

create/config sflow counter_poller ports NUMBER/all analyzer_server_id 1-4 interval disable/20-120(sec)
delete sflow counter_poller ports NUMBER/all

Create, modify, delete sFlow sample ports:

create/config sflow flow_sampler ports NUMBER/all analyzer_server_id (1-4) rate value 0-65535 tx_rate value 0-65535 maxheadersize value 18-256
delete sflow flow_sampler ports NUMBER/all

I will give an example of setting:

enable sflow
create sflow analyzer_server 1 owner Linux collectoraddress 192.168.1.5 collectorport 6343
create sflow counter_poller ports 1 analyzer_server_id 1 interval 20
create sflow flow_sampler ports 1:1 analyzer_server_id 1 rate 1000 maxheadersize 128

Configuring NetFlow on Cisco

Let’s say we have a collector running like I wrote in this article – Installing and using flow-tools

Now connect to the Cisco switch, for the test, I connect to the Cisco Catalyst 6509-E.
Now go into the configuration mode:

enable
configure terminal

Enable NetFlow:

mls netflow

Specify NetFlow parameters, collector address, port and version:

mls flow ip interface-full
mls nde sender version 5
ip flow-export version 5
ip flow-export destination 192.168.1.25 555
ip flow-cache timeout active 1

Suppose you need to collect statistics from the interface vlan 995:

interface vlan 995
ip route-cache flow
exit

Done, the statistics should be sent to the collector (via the vlan interface which is closer to the collector (if there are several), and not from which statistics are collected, respectively, on the collector, you need to specify the IP correctly).

To cancel execute the commands:

interface vlan 995
no ip route-cache flow
exit

An example of viewing the age of records:

show mls netflow aging
show mls netflow table-contention detailed

You can also set the MLS aging time (default is 300 seconds), in the range 32 – 4092 seconds:

show mls netflow aging
mls aging normal 300
mls aging {fast [threshold {1-128} | time {1-128}] | long 64-1920 | normal 32-4092}

Viewing the installed mask:

show mls netflow flowmask

View collected statistics:

show mls netflow ip nowrap

Setting up and using Traffic Flow in Mikrotik

Enable Traffic Flow on the Mikrotik router:

ip traffic-flow set enabled=yes cache-entries=4k set active-flow-timeout=30m inactive-flow-timeout=15s interfaces=all

View settings:

ip traffic-flow print

Specify the IP address and port of the computer that will receive the Traffic-Flow packets:

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=9 v9-template-refresh=20 v9-template-timeout=30m

or

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=5

View settings:

ip traffic-flow target print

To configure through the GUI, the settings can be found in the menu IP -> Traffic Flow.

For monitoring under Windows, you can install the program ManageEngine NetFlow Analyzer, which will work as a server, receive packets from the specified port and generate graphs and statistics via a web server that can be opened by the browser.

For monitoring under Linux, you can install and configure for example flow-tools.

Opening and analysis of files created with NetFlow

Here is an example of viewing statistics:

cat ft-v05.2015-05-01.000759+0300 | flow-stat -f 10 -S 3 | less
cat ft-v05.2015-05-01.000759+0300 | flow-stat -n -p -w -f 26 -S 2 | less
flow-cat ft-v05.2017-12-07.170236+0200 | flow-print | less

You can see the flow-stat tips by typing:

man flow-stat

I will give an example of exporting data to another format (for example, in csv, which can then be opened in windows by any convenient program):

flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 | less
flow-cat ft-v05.2015-05-01.000759+0300 | flow-export -f 2 > csv.csv

You can display the list with the specified source address with the following command:

flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300

Export the list only with the specified source address to a file, for example, with the following command:

flowdumper -se '"192.168.0.1" eq $srcip' ft-v05.2015-06-17.175701+0300 > file.txt

Example of exporting from multiple files:

flowdumper -se '"192.168.0.1" eq $srcip' /backup/flows/acct/first/2016/2016-01/ft-v05.2015-06-17* > /backup/result.txt

See also:
Installing and using flow-tools

Installing and using trafshow

trafshow – a utility for displaying traffic statistics passing through network interfaces.

Since the utility is included in the Netdiag (Net-Diagnostics) set, everything is installed together.

You can install Netdiag and trafshow in Ubuntu / Debian using the following command:

sudo apt-get install netdiag

In CentOS/RedHat/Fedora:

sudo yum install netdiag

Command viewing guide:

man trafshow

Simple launch:

sudo trafshow

I’ll describe the possible startup options:
-v (view the version of the program)
-n (do not convert the addresses into DNS names, and port numbers for example 80 in http, etc., in the running program, you can toggle the option with the N key)
-a len (summarizing traffic flows using the IP prefix IP netmask len, in the program is switched by pressing the A key)
-с conf (using an alternative color configuration instead of the standard / etc / trafshow)
-i name (indication of the network interface)
-s str (search for an item in the list and go to it)
-u port (listening to the specified UDP port for Cisco Netflow, the default number is 9995, to disable use 0)
-R refresh (update interval, default 2 secs, in the program is changed with the R key)
-P purge (cleaning of obsolete records after the specified time, by default 10 seconds, in the program is changed by the key P)
-F file (using a file for filters)
expr (what packages will be displayed, if not specified, then all)

Installing and using softflowd

Softflowd – NetFlow network traffic analyzer.

You can install in Ubuntu/Debian using the command:

sudo apt-get install softflowd

After installation, you need to open its configuration file, for example, in the nano editor (Ctrl+X for exit, y/n for saving or canceling changes):

sudo nano /etc/default/softflowd

And specify the parameters, for example:

INTERFACE="any"
OPTIONS="-n 192.168.1.40:5556"

After the changes, perform a restart:

sudo /etc/init.d/softflowd restart

Let’s look at the statistics of softflowd:

softflowctl statistics

If it is not running, there will be an error:

ctl connect(“/var/run/softflowd.ctl”) error: Connection refused

Display information about all monitored threads:

sudo softflowctl dump-flows

Information about softflowctl can be viewed by the command:

man softflowctl

I’ll describe other startup options:
-n (specify the network node and port on which will work softflowd)
-i (interface on which will work softflowd)
-r pcap_file (reading information from a file, not a network interface)
-p pidfile (alternative location for storing the process identifier, standard /var/run/softflowd.pid)
-c ctlsock (alternative location for the socket, standard /var/run/softflowd.ctl)
-m max_flows (maximum number of threads for simultaneous tracking)
-6 (consider also IPv6 data)
-D (debug mode)
-T track_level (level of tracking, can be full, proto, ip)
-v netflow_version (netflow version)