How to Analyse MikroTik Traffic Using ntopng


MikroTik routers are quite popular, in particular in the wireless community, and many users of the original ntop are familiar with them. With the advent of ntopng, we decided not to support NetFlow natively in ntopng, because of the many “dialects” of the protocol, and to leave to nProbe the task of converting flows into something ntopng can understand. For this reason the workflow is the one depicted below:

[Figure: workflow diagram, MikroTik exporting flows to nProbe, which feeds ntopng]

The first thing to do is to configure NetFlow (either v5 or v9 can be used) on the MikroTik; this can be done from the command line or from the GUI. Suppose that both nProbe and ntopng run on the same PC, with address 192.168.8.20, and that nProbe collects flows on port 2055. The configuration to use is

[Screenshot: the Traffic Flow settings in the MikroTik GUI]

or, if configured from the command line,

/ip traffic-flow
set active-flow-timeout=1m enabled=yes
/ip traffic-flow target
add dst-address=192.168.8.20 port=2055 v9-template-timeout=1m

that should be reported as

[admin@MikroTik] > /ip traffic-flow print
              enabled: yes
           interfaces: all
        cache-entries: 64k
  active-flow-timeout: 1m
inactive-flow-timeout: 15s
[admin@MikroTik] > /ip traffic-flow target print detail
Flags: X - disabled
 0   src-address=0.0.0.0 dst-address=192.168.8.20 port=2055 version=9
     v9-template-refresh=20 v9-template-timeout=1m

In all cases you should add

/interface bridge settings set use-ip-firewall=yes

to tell your MikroTik to analyse all traffic passing through the device.

At this point you need to start nProbe and ntopng on 192.168.8.20 as follows

nprobe -i none -n none -3 2055 --zmq tcp://127.0.0.1:1234
ntopng -i tcp://127.0.0.1:1234

nProbe will receive the flows, convert them to JSON and send them over ZMQ to ntopng running on the same host. You can now access the ntopng GUI at http://192.168.8.20:3000 and see the incoming flows.
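Before involving nProbe it helps to confirm that NetFlow datagrams really reach 192.168.8.20 on port 2055 and that they come from the router you expect. The following Python is an added example, not code from this post or from nProbe/ntopng: it builds a NetFlow v5 datagram (so it runs offline, without a router), decodes it with the checks a collector should apply (known exporter, version, record count consistent with the datagram length) and computes the flow-sequence gap that reveals flows lost on the UDP path. The exporter address 192.0.2.1 and all traffic values are constructed; NetFlow v9 bodies need template state, which is exactly the conversion work the post leaves to nProbe, so only the v9 header is decoded here.

```python
import socket
import struct

# NetFlow v5 wire layout (all fields big-endian).
V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes per flow
# NetFlow v9 header; the body is a list of template/data FlowSets that need
# per-exporter template state to decode (the job nProbe does for ntopng).
V9_HEADER = struct.Struct("!HHIIII")                     # 20 bytes

# Exporters we accept datagrams from. Constructed value: the post only gives
# the collector's address (192.168.8.20), not the MikroTik's own.
KNOWN_EXPORTERS = {"192.0.2.1"}


def build_v5_packet(flows, uptime_ms=123456, unix_secs=1700000000, seq=0):
    """Construct a NetFlow v5 datagram for testing. flows is a list of
    (src, dst, sport, dport, proto, packets, octets) tuples; every flow is
    stamped as having lasted 60 s, matching active-flow-timeout=1m."""
    header = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, packets, octets in flows:
        body += V5_RECORD.pack(
            socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,  # src, dst, nexthop
            1, 2,                           # input / output SNMP ifIndex
            packets, octets,
            uptime_ms - 60000, uptime_ms,   # first / last seen (sysUptime, ms)
            sport, dport,
            0, 0x18, proto, 0,              # pad, TCP flags (PSH|ACK), protocol, ToS
            0, 0, 24, 24, 0)                # src/dst AS, src/dst mask, pad
    return header + body


def parse_datagram(data, exporter_ip):
    """Decode one NetFlow datagram received from exporter_ip.
    Returns a dict with version, sequence number and (for v5) the records;
    raises ValueError for anything that does not look like sane NetFlow."""
    if exporter_ip not in KNOWN_EXPORTERS:
        raise ValueError(f"datagram from unexpected exporter {exporter_ip}")
    if len(data) < 2:
        raise ValueError("datagram too short to carry a version field")
    version = struct.unpack_from("!H", data)[0]
    if version == 9:
        if len(data) < V9_HEADER.size:
            raise ValueError("truncated NetFlow v9 header")
        _, count, _, _, seq, source_id = V9_HEADER.unpack_from(data)
        # FlowSets follow; decoding them needs the exporter's templates
        return {"version": 9, "count": count, "sequence": seq,
                "source_id": source_id, "records": []}
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < V5_HEADER.size:
        raise ValueError("truncated NetFlow v5 header")
    _, count, _, _, _, seq, *_ = V5_HEADER.unpack_from(data)
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(data) != expected:
        # never trust the count field as a loop bound before checking it
        raise ValueError(f"v5 header announces {count} records but datagram "
                         f"is {len(data)} bytes, expected {expected}")
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        records.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6], "duration_ms": f[8] - f[7],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return {"version": 5, "count": count, "sequence": seq, "records": records}


def missing_flows(prev_seq, prev_count, seq):
    """v5 flow_sequence counts flows, not datagrams: the next datagram should
    start at prev_seq + prev_count. A larger value means flows were lost on
    the UDP path between the router and port 2055 (counter wraps at 32 bits)."""
    expected = (prev_seq + prev_count) & 0xFFFFFFFF
    return (seq - expected) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed flow: a client on 10.0.0.5 talking HTTPS to 198.51.100.7
    pkt = build_v5_packet([("10.0.0.5", "198.51.100.7", 51234, 443, 6, 10, 4096)], seq=100)
    print(parse_datagram(pkt, "192.0.2.1"))
    print("lost flows:", missing_flows(100, 1, 105))
```

To use this against live traffic, bind a UDP socket on port 2055 while nProbe is stopped (both cannot own the port), feed each received datagram and its source address to parse_datagram, and keep the previous sequence number and count to call missing_flows; a non-zero gap that grows under load points at UDP loss or a too-small socket buffer rather than at a nProbe or ntopng problem.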

Note that if you collect NetFlow:

  • Flows are emitted periodically (in the example above flows are cut at a maximum duration of 1 minute and after 15 seconds of idle time).
  • As traffic does not arrive continuously as it does with packets (flows are received periodically), the network throughput graph at the bottom of the ntopng page is not as smooth as when capturing packets from a physical interface.
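To see why the throughput graph is bumpy, here is an added Python model (not code from this post or from ntop) of how an exporter's flow cache splits one connection into records under active-flow-timeout=1m and inactive-flow-timeout=15s, and how the bytes then reach the collector in lumps at export time instead of spread over the seconds in which they were actually transferred. The traffic is constructed (a steady 150 s transfer, a 20 s pause, a short tail) and the cache logic is a simplification: a real exporter expires records on a timer, not only when the next packet arrives.

```python
from dataclasses import dataclass

# Timeouts from the configuration above: active-flow-timeout=1m and the
# inactive-flow-timeout of 15s shown by "/ip traffic-flow print".
ACTIVE_TIMEOUT = 60.0
INACTIVE_TIMEOUT = 15.0


@dataclass
class FlowRecord:
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0
    reason: str = ""   # why the record was exported: active, inactive or end


def expire_flows(packets, active_timeout=ACTIVE_TIMEOUT, inactive_timeout=INACTIVE_TIMEOUT):
    """Simplified model of an exporter's flow cache for ONE connection.
    packets: iterable of (timestamp_s, size_bytes), sorted by time.
    Returns the flow records the exporter would emit, in export order."""
    records = []
    current = None
    for ts, size in packets:
        if current is not None:
            if ts - current.last_seen > inactive_timeout:
                current.reason = "inactive"   # idle longer than 15 s
                records.append(current)
                current = None
            elif ts - current.first_seen >= active_timeout:
                current.reason = "active"     # long-lived flow cut at 1 min
                records.append(current)
                current = None
        if current is None:
            current = FlowRecord(first_seen=ts, last_seen=ts)
        current.last_seen = ts
        current.packets += 1
        current.octets += size
    if current is not None:
        current.reason = "end"                # flushed when the cache is drained
        records.append(current)
    return records


def collector_view(records, bucket_s=10):
    """Bytes the collector learns about per time bucket: a record's whole byte
    count lands in the bucket of the moment it was exported (its last_seen)."""
    view = {}
    for r in records:
        bucket = int(r.last_seen // bucket_s) * bucket_s
        view[bucket] = view.get(bucket, 0) + r.octets
    return view


def actual_view(packets, bucket_s=10):
    """Bytes really on the wire per time bucket, as a packet capture sees them."""
    view = {}
    for ts, size in packets:
        bucket = int(ts // bucket_s) * bucket_s
        view[bucket] = view.get(bucket, 0) + size
    return view


def sample_transfer():
    """Constructed traffic: 150 s of 1500-byte packets every 0.5 s, a 20 s
    pause, then 10 more packets on the same connection."""
    pkts = [(i * 0.5, 1500) for i in range(300)]
    pause_end = pkts[-1][0] + 20.0
    pkts += [(pause_end + i * 0.5, 1500) for i in range(10)]
    return pkts


if __name__ == "__main__":
    pkts = sample_transfer()
    recs = expire_flows(pkts)
    for r in recs:
        print(f"{r.first_seen:6.1f}-{r.last_seen:6.1f}s {r.packets:4d} pkts "
              f"{r.octets:7d} bytes exported because: {r.reason}")
    print("packet capture per 10 s:", actual_view(pkts))
    print("collector per 10 s:     ", collector_view(recs))
```

The steady 3000 bytes/s of the capture shows up at the collector as 180000-byte spikes once a minute, one 90000-byte lump when the pause trips the 15 s inactive timeout, and a small tail when the cache is drained; the totals agree, only the timing differs, which is what the ntopng graph reflects when fed from NetFlow.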

We remind you that nProbe requires a license (ntopng can be used in either the community or the professional edition), which you can find on our shop; if you belong to an educational or non-profit organisation we give licenses away for free.