How to Build a 100$/€ “Augmented” NetFlow/IPFIX Probe


One of the main problems with flow-based devices is their high cost, or their poor monitoring capabilities (nothing beyond IPv4 packets and bytes). At ntop we believe that network visibility is much more than this, as people in 2016 want application performance, deep packet inspection, export to big data systems and much more. We have been experimenting with low-cost hardware devices for a long time, but finding a powerful yet cheap device with an embedded port-mirror capability isn't that simple (or cheap). Finally we have found a solution for families and small businesses who want to see what's happening on their network without spending much. The Ubiquiti EdgeRouter X (ntop has no relationship with Ubiquiti Networks, we're just happy users) is a good device for our purposes, but as it has only 128 MB of RAM we cannot run ntopng (at least the current version) on it; nProbe, however, does work on it.

As depicted below, the nice thing about this device is that it comes with 5 Ethernet ports that can work independently or grouped. This means you have plenty of ports for connecting your Internet connection and your LAN to it. The trick is to use this device transparently, so that you do not have to mess with IP addresses, DHCP or gateways. To do this you can configure the device to group the ports via the bridge br0.


[Screenshot: Screen Shot 2016-03-05 at 10.59.17]

The difference between br0 and switch0 is that in the former case packets are bridged by the Linux kernel running on the device, whereas in the latter the hardware switch does it. Although the second option is more performant, the first one is the one we are looking for: packets hit Linux and thus nProbe can see them, whereas in the other case nProbe sees only broadcast/multicast packets.

[Image: EdgeRouterX]

In essence you can use the first port for exporting flows and group the other ports as an Ethernet switch, where you attach your LAN/access point and the Internet connection/xDSL router. Then you need to do this:

  • Download the nProbe package for EdgeRouter X to your PC.
  • scp <nprobe package you downloaded>.deb ubnt@<router IP> (the default password is ubnt)
  • ssh ubnt@<router IP>
  • sudo su
  • dpkg -i <nprobe package you downloaded>.deb

ssh ubnt@192.168.1.8
Welcome to EdgeOS

By logging in, accessing, or using the Ubiquiti product, you
acknowledge that you have read and understood the Ubiquiti
License Agreement (available in the Web UI at, by default,
http://192.168.1.1) and agree to be bound by its terms.

ubnt@192.168.1.8's password: 
Linux ubnt 3.10.14-UBNT #1 SMP Fri Jan 29 20:03:40 PST 2016 mips
Welcome to EdgeOS
ubnt@ubnt:~$ sudo su
root@ubnt:/home/ubnt# dpkg -i nprobe_7.3.160305-4921_mipsel.deb 
(Reading database ... 33861 files and directories currently installed.)
Preparing to replace nprobe 7.3.160305-4921 (using nprobe_7.3.160305-4921_mipsel.deb) ...
Unpacking replacement nprobe ...
/sbin/ldconfig: /usr/local/lib/libhiredis.so.0.13 is not a symbolic link

/sbin/ldconfig: /usr/lib/libzmq.so.3 is not a symbolic link

Setting up nprobe (7.3.160305-4921) ...
Rebuilding ld cache...
/sbin/ldconfig: /usr/lib/libzmq.so.3 is not a symbolic link

Adding the nprobe startup script
Making the /etc/nprobe directory...
Making the /var/log/nprobe directory...
root@ubnt:/home/ubnt# nprobe --version

Welcome to nProbe v.7.3.160305 (r4921)

Copyright 2002-16 ntop.org

Build OS:      EdgeRouter X
SystemID:      E809B957499602D2
Edition:       nProbe Embedded
License:       6E0AB140A8B1596D1AA5DB7E4C80064D148871506412BF6396 [valid license]
License Type:  Permanent License 
Maintenance:   Until Sun Mar  5 12:57:44 2017 [362 days left]

nProbe is subject to the terms and conditions defined in
the LICENSE and EULA files that are part of this package.

nProbe also contains third party code:
Radix tree code - (C) The Regents of the University of Michigan
                      ("The Regents") and Merit Network, Inc.
sFlow collector - (C) InMon Inc.

Now you need to create a configuration file for nProbe and start it. Note that:

  • the EdgeRouter X is based on the mipsel architecture, whereas other EdgeRouter models are not, so make sure you pick the right nProbe version.
  • nProbe on EdgeRouter is the Embedded edition (just like on the Raspberry Pi), which has the same features as the Pro version on x64 but is much cheaper (you can buy a license on our shop, unless you are an educational user, who can get it for free like all our products). In total the hardware+software combination will cost ~100$/€.

As usual, you can instruct nProbe to send flows to ntopng for collection via ZMQ as follows.

ubiquity> # nprobe --zmq tcp://0.0.0.0:1234 -i br0 -n none

your PC>  # ntopng -i tcp://ubiquity:1234
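As an added example (not code from the ntop post), the shell script below wraps the install steps and the ZMQ command above: it checks that the package is the mipsel build, renders the /etc/nprobe/nprobe.conf that the package's startup script reads, and pushes both to the router over ssh. It assumes the "_<arch>.deb" package-name suffix seen in the session above and nProbe's one-option-per-line config-file format; both are marked as assumptions in the comments.

```shell
#!/bin/sh
# Added example, not from the ntop post: prepare an nProbe configuration
# for the EdgeRouter X and push it over ssh, following the post's steps.
# Assumptions: the package file name ends in "_<arch>.deb" as in the post,
# the startup script the package installs reads /etc/nprobe/nprobe.conf,
# and that file holds one "option=value" line per nProbe option.
set -eu

# The ER-X is mipsel while other EdgeRouter models are not; refuse a
# package built for another architecture before copying it anywhere.
check_pkg_arch() {
    pkg=$1; want=$2
    case "$pkg" in
        *"_${want}.deb") return 0 ;;
        *) echo "package '$pkg' is not built for $want" >&2; return 1 ;;
    esac
}

# Config-file form of:  nprobe --zmq tcp://0.0.0.0:1234 -i br0 -n none
#   $1 = capture interface (br0, so packets hit Linux rather than switch0)
#   $2 = ZMQ endpoint ntopng connects to; prefer the address of the
#        dedicated export port over 0.0.0.0 so the flow feed is not
#        offered on the bridged LAN/Internet side
render_nprobe_conf() {
    iface=$1; zmq=$2
    printf '%s=%s\n' -i "$iface"
    printf '%s\n' '-n=none'          # no NetFlow collector, ZMQ export only
    printf '%s=%s\n' --zmq "$zmq"
}

# Copy the package, install it and drop the config in place, all over ssh.
deploy_to_router() {
    pkg=$1; router=$2; iface=$3; zmq=$4
    check_pkg_arch "$pkg" mipsel
    scp "$pkg" "ubnt@$router:/tmp/"
    render_nprobe_conf "$iface" "$zmq" | ssh "ubnt@$router" \
        "sudo sh -c 'cat > /tmp/nprobe.conf \
           && dpkg -i /tmp/$(basename "$pkg") </dev/null \
           && mv /tmp/nprobe.conf /etc/nprobe/nprobe.conf'"
}

# Stay offline unless explicitly asked to deploy:
#   ./this.sh --deploy nprobe_<ver>_mipsel.deb <router IP> [iface] [zmq endpoint]
if [ "${1:-}" = "--deploy" ]; then
    deploy_to_router "$2" "$3" "${4:-br0}" "${5:-tcp://0.0.0.0:1234}"
fi
```

After the deploy, start nProbe with the startup script the package added (or run `nprobe -f /etc/nprobe/nprobe.conf` by hand) and point ntopng at the ZMQ endpoint as shown above.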

Note that you can enable on nProbe all the standard information elements, such as packets out-of-order/retransmissions, DPI, HTTP URL, DNS query dissection, VoIP traffic analysis and so on. The fact that this solution is so cheap does not mean that it is limited, as it includes the same features you can find on a more powerful machine; the only difference is the hardware platform, which makes it suitable for homes and small businesses and not for an enterprise.

Happy traffic analysis!