nProbe is an efficient NetFlow/IPFIX probe that can also act as a collector, dumping flows to disk or into a database (MySQL, SQLite and FastBit). As ntop has not been designed to operate on large/fast networks, it is possible to use nProbe as a pre-processor. In this configuration nProbe captures packets from a network interface (or collects flows on a socket), computes flows from the packets, and exports them to ntop; ntop therefore acts as a flow collector.
Suppose that you:
- receive the packets to account/analyze on interface eth1 of host X
- run ntop on host Y (note that ntop and nProbe can also run on the same host simultaneously)
The configuration to use is the following:
- nProbe
- Start nProbe on host X as nprobe -i eth1 -n Y:2055
- In this case nProbe computes flows from the packets captured on eth1 and exports them over UDP to host Y on port 2055, the port on which ntop will be configured to listen
- ntop
- Start ntop as usual
- Enable the NetFlow plugin (menu Plugins -> NetFlow -> Activate)
- Inside the NetFlow plugin create a new virtual interface configured as follows:
- NetFlow Device: pick a name you like (e.g. MyNetFlow) and click “Set Interface Name”.
- Local Collector UDP port: 2055 and click “Set Port”.
- ntop automatically detects the flow version and decodes the flows without any further configuration.
- At this point switch the ntop view to the netflow interface you have just created (menu Admin -> Switch NIC -> MyNetFlow)
As soon as nProbe sends flows to ntop, the ntop web interface shows the flows being received. If you see no flows arriving, you can:
- Check whether a firewall or similar is blocking UDP port 2055 between host X and host Y, and that the host:port given to nProbe with -n matches the collector port configured in ntop
- Check for decoding problems by accessing the NetFlow statistics (menu Plugins -> NetFlow -> Statistics)
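To make concrete what travels between nProbe and ntop on UDP port 2055, here is an added example (not code from the ntop or nProbe projects) that builds a NetFlow v5 export datagram the way a probe would, decodes it the way a collector would, and performs the same version detection and length sanity check that show up as "decoding problems" in the plugin statistics. The flow records, the IP addresses and the use of an ephemeral loopback port instead of 2055 are assumptions made for the example; the v5 header and record layouts are the standard ones.

```python
"""NetFlow v5 export/collect round trip, as an illustration of the nProbe -> ntop link.

Added example, not part of the ntop/nProbe code base. Sample flows and
addresses are constructed for illustration.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List, Tuple

# NetFlow v5 wire layout (network byte order):
#   header (24 bytes): version, count, sys_uptime_ms, unix_secs, unix_nsecs,
#                      flow_sequence, engine_type, engine_id, sampling_interval
#   record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
#                      first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
#                      src_as, dst_as, src_mask, dst_mask, pad2
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int


def build_v5_export(flows: List[Flow], sys_uptime_ms: int = 1000,
                    unix_secs: int = 1700000000, flow_sequence: int = 0) -> bytes:
    """Encode a list of flows as one NetFlow v5 datagram (what nProbe sends)."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime_ms, unix_secs, 0,
                            flow_sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), socket.inet_aton("0.0.0.0"),
            0, 0,                      # input/output SNMP ifIndex (unused here)
            f.packets, f.octets,
            0, sys_uptime_ms,          # first/last seen, relative to sys uptime
            f.sport, f.dport,
            0, 0, f.proto, 0,          # pad1, tcp_flags, protocol, tos
            0, 0, 0, 0, 0)             # src_as, dst_as, src_mask, dst_mask, pad2
        for f in flows)
    return header + body


def decode_export(data: bytes) -> Tuple[int, List[Flow]]:
    """Decode a datagram as a collector would: detect the version, then parse v5.

    Raises ValueError for anything a collector would count as a decoding problem.
    """
    if len(data) < 2:
        raise ValueError("datagram too short to carry a version field")
    (version,) = struct.unpack("!H", data[:2])
    if version in (9, 10):
        # NetFlow v9 / IPFIX are template based; this example decodes only v5.
        raise ValueError(f"version {version} is template-based, not handled here")
    if version != 5:
        raise ValueError(f"unknown export version {version}")
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    _, count, *_ = V5_HEADER.unpack_from(data, 0)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        raise ValueError(f"header announces {count} records ({expected} bytes) "
                         f"but datagram is {len(data)} bytes")
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, packets, octets, _first, _last, sport, dport, \
            _pad1, _flags, proto, _tos, *_ = rec
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst),
                          sport, dport, proto, packets, octets))
    return version, flows


def loopback_roundtrip(flows: List[Flow]) -> Tuple[int, List[Flow]]:
    """Send an export from a 'probe' socket to a 'collector' socket over loopback.

    Uses an ephemeral port (assumption for the example) rather than 2055 so it
    runs even when a real collector already owns 2055.
    """
    collector = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    probe = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        collector.bind(("127.0.0.1", 0))
        collector.settimeout(2)
        port = collector.getsockname()[1]
        probe.sendto(build_v5_export(flows), ("127.0.0.1", port))
        data, _ = collector.recvfrom(65535)
    finally:
        probe.close()
        collector.close()
    return decode_export(data)


if __name__ == "__main__":
    sample = [Flow("10.0.0.1", "10.0.0.2", 44321, 443, 6, 10, 8192),   # constructed
              Flow("10.0.0.2", "10.0.0.1", 443, 44321, 6, 12, 65536)]  # constructed
    version, received = loopback_roundtrip(sample)
    print(f"collector decoded NetFlow v{version}: {len(received)} flows")
    for f in received:
        print(f"  {f.src}:{f.sport} -> {f.dst}:{f.dport} proto={f.proto} "
              f"pkts={f.packets} bytes={f.octets}")
```

If the version field is not 5, 9 or 10, or the datagram length does not match the record count in the header, a real collector logs a decoding error rather than a flow; that is exactly what the NetFlow plugin's Statistics page is for when the web interface stays empty.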