MikroTik routers are quite popular, particularly in the wireless community, and many users of the original ntop are familiar with them. With the advent of ntopng, we decided not to support NetFlow natively in ntopng because of the many “dialects” of the protocol, and to leave to nProbe the task of converting flows into something ntopng can understand. For this reason the workflow is the one depicted below:
The first thing to do is to configure NetFlow (both v5 and v9 are used) on the MikroTik, which can be done from the command line or from the GUI. Suppose that both nProbe and ntopng are running on the same PC at 192.168.8.20, and that nProbe collects flows on port 2055. The configuration to use is
or if configured from the command line
/ip traffic-flow set active-flow-timeout=1m enabled=yes
/ip traffic-flow target add dst-address=192.168.8.20 port=2055 v9-template-timeout=1m
that should be reported as
[admin@MikroTik] > /ip traffic-flow print
enabled: yes
interfaces: all
cache-entries: 64k
active-flow-timeout: 1m
inactive-flow-timeout: 15s
[admin@MikroTik] > /ip traffic-flow target print detail
Flags: X - disabled
0 src-address=0.0.0.0 dst-address=192.168.8.20 port=2055 version=9 v9-template-refresh=20 v9-template-timeout=1m
In all cases you should add
/interface bridge settings set use-ip-firewall=yes
to tell your MikroTik to analyse all traffic passing through the device.
At this point you need to start nProbe and ntopng on 192.168.8.20 as follows
nprobe -i none -n none -3 2055 --zmq tcp://127.0.0.1:1234
ntopng -i tcp://127.0.0.1:1234
nProbe will receive flows, convert them to ZMQ/JSON and send them to ntopng running on the same host. You can now access the ntopng GUI at http://192.168.8.20:3000 and see incoming flows.
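If no flows show up, it helps to check what the router is actually exporting. The following is an added example, not code from the original post or from ntop: it classifies a NetFlow v5 or v9 datagram and, for v9, counts data flowsets that arrive before their template and therefore cannot be decoded yet (the target's v9-template-refresh and v9-template-timeout settings govern when templates are resent). The names `inspect_datagram`, `v9` and `demo` and the sample datagrams are constructed for illustration.

```python
import struct
V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def inspect_datagram(data, known_templates):
    """Summarise one NetFlow v5/v9 datagram; known_templates is a set updated in place."""
    if len(data) < 4:
        raise ValueError("datagram too short")
    version, count = struct.unpack_from("!HH", data)
    if version == 5:  # fixed layout: 24-byte header + 48-byte records, no templates
        if len(data) != 24 + 48 * count:
            raise ValueError("v5 length does not match record count")
        return {"version": 5, "records": count}
    if version != 9 or len(data) < V9_HEADER.size:
        raise ValueError("not a NetFlow v5/v9 datagram")
    source_id = V9_HEADER.unpack_from(data)[5]
    out = {"version": 9, "templates": [], "decodable": 0, "undecodable": 0}
    offset = V9_HEADER.size
    while offset + 4 <= len(data):
        flowset_id, length = struct.unpack_from("!HH", data, offset)
        if length < 4 or offset + length > len(data):
            raise ValueError("flowset length runs past the datagram")
        body = data[offset + 4:offset + length]
        if flowset_id == 0:  # template flowset: one or more template records
            pos = 0
            while pos + 4 <= len(body):
                template_id, field_count = struct.unpack_from("!HH", body, pos)
                pos += 4 + 4 * field_count
                if template_id < 256 or pos > len(body):
                    raise ValueError("malformed template record")
                known_templates.add((source_id, template_id))
                out["templates"].append(template_id)
        elif flowset_id > 255:  # data flowset: its id is the template id it needs
            known = (source_id, flowset_id) in known_templates
            out["decodable" if known else "undecodable"] += 1
        offset += length
    return out

# Constructed samples (not captured traffic): template 256 = IPV4_SRC_ADDR (8) + IN_BYTES (1).
def v9(seq, *flowsets):
    return V9_HEADER.pack(9, len(flowsets), 1000, 1700000000, seq, 0) + b"".join(flowsets)
TEMPLATE = struct.pack("!HHHHHHHH", 0, 16, 256, 2, 8, 4, 1, 4)
DATA = struct.pack("!HH4sI", 256, 12, bytes([192, 168, 8, 1]), 1500)

def demo():
    seen = set()  # data before its template, then the template, then data again
    return [inspect_datagram(p, seen) for p in (v9(1, DATA), v9(2, TEMPLATE), v9(3, DATA))]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

To use it on live traffic, pass it the payloads read from a UDP socket bound to port 2055 while nProbe is stopped, keeping one `known_templates` set per exporter address.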
Note that if you collect NetFlow:
- Flows are emitted periodically (in the example above the flows are cut at 1 min max duration, and 15 sec idle timeout).
- Because flows are received periodically, traffic does not arrive at a constant rate as it does with packets, so the network throughput shown at the bottom of the ntopng page is not as smooth as it would be when capturing packets from a physical interface.
We remind you that nProbe requires a license (you can use either the community or the professional edition of ntopng), which you can find on our shop; if you belong to an educational or non-profit organization, we provide licenses for free.