Using ntop as a flow collector for nProbe


nProbe is an efficient NetFlow/IPFIX probe that can also act as a collector, dumping flows to disk or into a database (MySQL, SQLite and FastBit). As ntop has not been designed to operate on large/fast networks, it is possible to use nProbe as a pre-processor. In this configuration nProbe captures packets from a network interface (or collects flows on a socket), computes flows from the packets, and sends them to ntop. ntop thus acts as a flow collector.

Suppose that you want to:

  • receive packets to account/analyze on interface eth1 of host X
  • start ntop on host Y (note that both ntop and nProbe can run on the same host simultaneously)

the configuration to use is the following:

  • nProbe
    • Start nProbe as nprobe -i eth1 -n Y:2055
      In this case nProbe computes flows from the packets seen on eth1 and sends them to ntop on host Y, UDP port 2055
  • ntop
    • Start ntop as usual
    • Enable the NetFlow plugin (menu Plugins -> NetFlow -> Activate)
    • Inside the NetFlow plugin create a new virtual interface configured as follows:
      • NetFlow Device: pick a name you like (e.g. MyNetFlow) and click “Set Interface Name”.
      • Local Collector UDP port: 2055 and click “Set Port”.
      • ntop automatically detects the flow version and decodes the flows without any further configuration.
    • At this point switch the ntop view to the netflow interface you have just created (menu Admin -> Switch NIC -> MyNetFlow)

As soon as nProbe sends flows to ntop, the ntop web interface will show the flows being received. If you see no flows arriving, you can:

  • Check whether a firewall or similar is blocking the flows between host X and host Y
  • Check for decoding problems. You can do this by accessing the NetFlow statistics (menu Plugins -> NetFlow -> Statistics).
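To tell a firewall problem from a decoding problem before (or instead of) reading the plugin statistics, it helps to look at what actually arrives on the collector port. The script below is an added example written for this page; it is not part of ntop or nProbe. It binds UDP port 2055 on host Y, reads the 16-bit version field that every NetFlow/IPFIX datagram starts with (the same field ntop uses to auto-detect the version), and fully decodes NetFlow v5, which is assumed here to be what nProbe exports by default; v9 and IPFIX datagrams are only identified by version number. The sample datagram, the addresses in it and the flow counters are all constructed for the example. Because only one process can own the port, stop the script before activating ntop's NetFlow plugin.

```python
import ipaddress
import socket
import struct
from typing import Dict, List, Optional

# NetFlow v5 layouts (network byte order): 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


def detect_version(datagram: bytes) -> Optional[int]:
    """Return the export version (5 = NetFlow v5, 9 = NetFlow v9, 10 = IPFIX)
    or None if the datagram is too short to carry a version field."""
    if len(datagram) < 2:
        return None
    return struct.unpack("!H", datagram[:2])[0]


def parse_v5(datagram: bytes) -> Dict:
    """Decode a NetFlow v5 datagram. Raises ValueError for the malformed
    cases (wrong version, bad count, truncated or padded payload) that a
    collector reports as decoding problems rather than as flows."""
    version = detect_version(datagram)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if len(datagram) < V5_HEADER.size:
        raise ValueError("truncated v5 header")
    (_, count, _sys_uptime, _unix_secs, _unix_nsecs, flow_seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if not 1 <= count <= V5_MAX_RECORDS:
        raise ValueError(f"v5 record count {count} out of range 1..{V5_MAX_RECORDS}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} expected for {count} records")
    records: List[Dict] = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": str(ipaddress.IPv4Address(f[0])),
            "dst": str(ipaddress.IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"version": version, "flow_sequence": flow_seq, "records": records}


def is_well_formed_v5(datagram: bytes) -> bool:
    """Convenience wrapper: True if parse_v5 accepts the datagram."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def build_sample_v5() -> bytes:
    """Constructed sample datagram: two TCP flows between documentation
    addresses, shaped like a v5 export but not captured from a real probe."""
    header = V5_HEADER.pack(5, 2, 120000, 1700000000, 0, 42, 0, 0, 0)
    flows = [
        ("192.0.2.10", "198.51.100.20", 12, 3456, 52000, 80, 6),
        ("198.51.100.20", "192.0.2.10", 8, 9876, 80, 52000, 6),
    ]
    body = b""
    for src, dst, pkts, octets, sport, dport, proto in flows:
        body += V5_RECORD.pack(
            ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed,
            b"\0\0\0\0",            # next hop
            1, 2,                   # input / output SNMP ifIndex
            pkts, octets, 100000, 110000,  # counters, first/last sysuptime
            sport, dport, 0, 0x18, proto, 0,  # ports, pad, TCP flags, proto, ToS
            0, 0, 24, 24, 0)        # src/dst AS, masks, pad
    return header + body


def listen(port: int = 2055, max_datagrams: int = 5) -> None:
    """Bind the collector port and summarise the first few datagrams."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        for _ in range(max_datagrams):
            data, (src_host, _) = s.recvfrom(65535)
            try:
                parsed = parse_v5(data)
                print(f"{src_host}: v5 seq={parsed['flow_sequence']} "
                      f"flows={len(parsed['records'])}")
            except ValueError as err:
                print(f"{src_host}: version {detect_version(data)} not decoded here: {err}")


if __name__ == "__main__":
    listen()
```

If nothing is printed at all, the datagrams are not reaching host Y (firewall, wrong -n target, or nProbe not running); if datagrams arrive but are reported as not decodable, the problem is on the export side, which is the case the NetFlow statistics page in ntop will also show.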