Apr 06

NTOP A Linux Netflow Collector

This week I had a customer who requested that the App Flow Monitor function be activated on his Sonicwall firewall. This was simple enough and required a reboot. I then noticed that the Sonicwall could keep the data locally or send it to an external Netflow collector. My curiosity being piqued, I started to research what the Netflow protocol was.

Netflow is a protocol developed by Cisco to collect network traffic information (straight from Wikipedia). I then began looking for a free, open-source Netflow collector. My corporate clients being Windows based, I tried a few Windows-based solutions. They were usually trial or limited versions of commercial products and didn't fit the bill. I then expanded my horizons to Linux. I came across this post and saw that I could install it with good old "apt-get install" in Ubuntu. So I built a quick, simple Ubuntu server in a test VM environment and installed ntop. I followed the post's instructions to get to the web interface, but then I got a little stuck and had to play with it to get it started. Activating was easy, but I had to figure out how to actually "add a Netflow device". I'll include more detailed instructions, hopefully (time allowing). Ntop is rather easy and simple to set up. I wasn't able to test it against a live router yet, so I don't know how useful the data is. I do have a home ASA5505 I plan to monitor to see what kind of data I can collect. I'll post more on the topic in the future.
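To show what a collector like ntop actually receives from a Netflow-exporting device, here is an added example (not from the post, nor from ntop) that decodes a NetFlow v5 datagram. The sample export is constructed in code so it runs offline; the field layout follows the v5 header (24 bytes) and record (48 bytes) formats, and the parser refuses datagrams whose version is wrong or whose record count overruns the payload.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout: fixed 24-byte header followed by `count` 48-byte records.
HEADER_FMT = "!HHIIIIBBH"               # version, count, uptime, secs, nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # src, dst, nexthop, ifin, ifout, pkts, octets, first, last, sport, dport,
                                         # pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 UDP payload into a header dict plus a list of flow records."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version field {version})")
    # Never trust the advertised count blindly: a short datagram would otherwise read past the buffer.
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count exceeds datagram length")
    records = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        records.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "bytes": f[6],
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "proto": f[13],
        })
    return {"sequence": flow_seq, "uptime_ms": sys_uptime, "exported_at": unix_secs, "records": records}

def build_record(src, dst, sport, dport, proto, pkts, octets, flags=0):
    """Construct one sample v5 record (used only to build the constructed datagram below)."""
    return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                       1, 2, pkts, octets, 1000, 2000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export (documentation addresses, not a real capture): one HTTPS flow and one DNS query.
SAMPLE = struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0) + \
    build_record("192.0.2.10", "198.51.100.5", 51515, 443, 6, 12, 9876, 0x18) + \
    build_record("192.0.2.10", "198.51.100.53", 40000, 53, 17, 1, 72)

if __name__ == "__main__":
    for r in parse_netflow_v5(SAMPLE)["records"]:
        print(f'{r["src"]}:{r["src_port"]} -> {r["dst"]}:{r["dst_port"]} proto={r["proto"]} bytes={r["bytes"]}')
```

Feeding this parser the payload of UDP packets arriving on the collector port gives the same per-flow tuples (addresses, ports, protocol, byte and packet counts) that ntop summarises in its web interface.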

Update

I discovered that when I ran "apt-get install ntop", an older version of ntop was installed. Ntop on startup mentioned that a newer version was available and recommended upgrading. I then came across the following link to install the newest version. If you're running Ubuntu or Redhat/CentOS, you just add the repositories for the installers. Follow the links at the names for instructions to add the repositories for Ubuntu and Redhat/CentOS. Remember to run "apt-get update" or "yum update" to refresh the repositories after adding them. You can then go to "http://ip address of your computer" to get to the nbox management interface and access Ntop from there.