This week a customer asked me to activate the App Flow Monitor function on his Sonicwall firewall. That was simple enough, though it required a reboot. I then noticed that the Sonicwall can either keep the flow data locally or send it to an external Netflow collector. With my curiosity piqued, I started researching what the Netflow protocol actually is.
Netflow is a protocol developed by Cisco to collect network traffic information (straight from Wikipedia). I then began looking for a free, open-source Netflow collector. My corporate clients are Windows based, so I tried a few Windows solutions first. They were usually trial or limited versions of commercial products and didn't fit the bill. I then expanded my horizons to Linux, came across this post and saw that I could install ntop with good old "apt-get install" on Ubuntu. So I built a quick, simple Ubuntu server in a test VM environment and installed ntop. I followed the post's instructions to get to the web interface, but then I got a little stuck and had to play with it to get it started. Activating it was easy, but I had to figure out how to actually "add a netflow device". I'll include more detailed instructions, time allowing. Ntop is rather easy and simple to set up. I wasn't able to test it against a live router yet, so I don't know how useful the data is. I do have a home ASA5505 that I plan to monitor to see what kind of data I can collect. I'll post more on the topic in the future.
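To give a feel for what a collector such as ntop actually receives from a firewall, here is an added example (not code from this post, from ntop or from Sonicwall) that decodes a NetFlow v5 export datagram. The datagram it parses is constructed inline from two made-up flows so the script runs offline; UDP port 2055 in the collector function is a common collector port but is an assumption here, not something the post states. The parser cross-checks the header's record count against the datagram length before reading any record, which is the check a practitioner wants when the exporter is an arbitrary device on the network.

```python
"""Decode a NetFlow v5 export datagram.

Added example; not code from the original post, from ntop or from Sonicwall.
The datagram is constructed inline so the script runs offline. Real exporters
send the same layout as a UDP payload; port 2055 below is an assumption.
"""
import socket
import struct
import time

# Field layouts from Cisco's NetFlow v5 export format, all big-endian.
HEADER = struct.Struct("!HHIIIIBBH")  # 24 bytes
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input_if", "output_if",
                 "packets", "octets", "first", "last", "srcport", "dstport",
                 "pad1", "tcp_flags", "protocol", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "pad2")
MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return {"header": {...}, "records": [...]} or raise ValueError.

    Version, count and length are validated before any record is read, so a
    truncated, padded or non-v5 datagram is rejected instead of mis-decoded.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    header = dict(zip(HEADER_FIELDS, HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    if header["count"] > MAX_RECORDS:
        raise ValueError(f"count {header['count']} exceeds {MAX_RECORDS}")
    expected = HEADER.size + header["count"] * RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != expected {expected}")
    # Sampling field: top 2 bits are the mode, low 14 bits the interval.
    header["sampling_mode"] = header["sampling"] >> 14
    header["sampling_interval"] = header["sampling"] & 0x3FFF

    records = []
    for i in range(header["count"]):
        raw = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = socket.inet_ntoa(rec[key])
        del rec["pad1"], rec["pad2"]
        records.append(rec)
    return {"header": header, "records": records}


def build_netflow_v5(flows, flow_sequence=0, sys_uptime=1000) -> bytes:
    """Pack simple flow dicts into a v5 datagram (used to make test input)."""
    header = HEADER.pack(5, len(flows), sys_uptime, int(time.time()), 0,
                         flow_sequence, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(f["srcaddr"]), socket.inet_aton(f["dstaddr"]),
                    socket.inet_aton(f.get("nexthop", "0.0.0.0")),
                    0, 0, f["packets"], f["octets"], sys_uptime, sys_uptime,
                    f["srcport"], f["dstport"], 0, f.get("tcp_flags", 0),
                    f["protocol"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


# Constructed sample flows, not captured from any real device.
SAMPLE_FLOWS = [
    {"srcaddr": "192.0.2.10", "dstaddr": "198.51.100.80", "srcport": 51234,
     "dstport": 80, "protocol": 6, "packets": 12, "octets": 9876, "tcp_flags": 0x1B},
    {"srcaddr": "192.0.2.10", "dstaddr": "198.51.100.53", "srcport": 40001,
     "dstport": 53, "protocol": 17, "packets": 1, "octets": 72},
]
SAMPLE_DATAGRAM = build_netflow_v5(SAMPLE_FLOWS, flow_sequence=42)


def summarize(parsed: dict) -> list:
    """One line per flow, the kind of row a collector shows per record."""
    proto = {1: "icmp", 6: "tcp", 17: "udp"}
    return [f"{r['srcaddr']}:{r['srcport']} -> {r['dstaddr']}:{r['dstport']} "
            f"{proto.get(r['protocol'], r['protocol'])} pkts={r['packets']} "
            f"bytes={r['octets']}" for r in parsed["records"]]


def collect(port=2055):
    """Receive datagrams forever; drop anything that fails validation."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (src, _) = sock.recvfrom(2048)
        try:
            parsed = parse_netflow_v5(data)
        except ValueError as exc:
            print(f"dropped datagram from {src}: {exc}")
            continue
        for line in summarize(parsed):
            print(line)


if __name__ == "__main__":
    for line in summarize(parse_netflow_v5(SAMPLE_DATAGRAM)):
        print(line)
```

Run as-is it prints the two constructed flows; call `collect()` instead to listen on UDP 2055 and point the firewall's Netflow export at the host. Note that v5 carries no authentication, so anyone who can send UDP to the collector can inject flows; the length and count checks only stop malformed datagrams, not spoofed ones.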
I discovered that when I ran "apt-get install ntop", an older version of ntop was installed. On startup ntop mentioned that a newer version was available and recommended upgrading. I then came across the following link for installing the newest version. If you're running Ubuntu or Redhat/CentOS you just add the repositories for the installers; follow the links at the names for instructions on adding the repositories for Ubuntu and Redhat/CentOS. Remember to run "apt-get update" or "yum update" to refresh the repositories after adding them (note that a bare "yum update" also upgrades every installed package, so use "yum check-update" if you only want the metadata refreshed). Adding a third-party repository means trusting everything it publishes as root, so fetch its signing key from the vendor's own site rather than a mirror. You can then go to "http://ip address of your computer" to get to the nbox management interface and access ntop from there.