Some time ago I published a post introducing ntopng as an out-of-the-box network monitoring tool. I am running it on a Knoppix live Linux notebook with two network cards. However, I have a few customers that wanted a persistent installation of ntopng in their environment. So this is a step-by-step tutorial on how to install ntopng on a Ubuntu server with at least two NICs.
I already pointed to the many great features of ntopng in the previous post. If you are searching for an open source real-time network analyzer, ntopng is the choice.
Network Setup
This is a rough view of the network. On a switch in the network, a monitor port is configured to send all traffic from a certain port/vlan/routing-domain to the network analyzer. (There are different names for this scenario: mirror and monitor ports, SPAN ports, source and destination ports, etc.) The eth1 port on the Linux machine is used in promiscuous mode to process everything that comes in.
The other port, eth0, is configured with a static IP address on the management network. The ntopng web GUI is reached through this port (http://<IP address>:3000 by default). Keep in mind that the GUI speaks plain HTTP and ships with the default login admin/admin: change that password at first login and restrict who can reach TCP port 3000 on eth0, for example with a host firewall, because the sensor sees every packet of the mirrored segment.
Plan the placement and the bandwidth of the mirror port carefully! Before or after a firewall/router with NAT (you will see either the internal or the translated addresses, not both)? Does the aggregate traffic of the mirrored ports/VLANs exceed the physical link speed of the monitor port? An oversubscribed SPAN port silently drops packets, and the analyzer then undercounts without any warning.
Installation of ntopng
I am using a fresh Ubuntu Server 14.04 LTS edition (64-bit, which is required by ntopng). As always I am installing a few basic software packages before starting with the actual service. The packages for ntopng can be found here. Select either the “nightly” or the “stable” builds; for a production sensor, take the stable one. Execute the following two commands on the server to add the ntopng repository:
wget http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb
Have a look at “/etc/apt/sources.list.d/”. There is now a “ntop-stable.list” file which has two lines. Now you can install ntopng with:
sudo apt-get update
sudo apt-get install ntopng
This will install a bunch of packages, including ntopng, ntopng-data, pfring, redis-server and redis-tools.
Before you can start ntopng, you need to create the configuration file /etc/ntopng/ntopng.conf (sudo nano /etc/ntopng/ntopng.conf). Read the documentation (man ntopng) for more details. The following template can be used as a starting point:
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=eth1
--http-port=3000
--local-networks="10.0.0.0/8,192.168.0.0/16,2001:db8::/48"
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--community
(There can be more than one --interface=ethX line in this config file if several interfaces are monitored in parallel.)
Furthermore, you need a file called “ntopng.start”, which can be empty but must exist in the folder: sudo touch /etc/ntopng/ntopng.start
Now you can start ntopng with:
sudo service ntopng start
It will also be started automatically after a reboot.
Promiscuous Interfaces
What is still missing is the configuration of the eth1 interface: it must run in promiscuous mode, and it must not obtain an IPv4 or IPv6 address via DHCPv4 or SLAAC, because a sniffing interface should only listen and never appear as a host on the mirrored segment. Therefore, the following configuration steps are required.
Disable IPv6 on the interface: Open the following file:
sudo nano /etc/sysctl.conf
and add the following line:
net.ipv6.conf.eth1.disable_ipv6=1
Start the eth1 interface in promiscuous mode: Open the following file:
sudo nano /etc/network/interfaces
and add these lines:
auto eth1
iface eth1 inet manual
    up ifconfig eth1 promisc up
    down ifconfig eth1 promisc down
Note: If there are already lines referencing eth1, delete them or comment them out. In particular, there must be no “iface eth1 inet dhcp” line any more, otherwise ifupdown will still request an address for the sniffing interface.
Reboot the server: sudo reboot .
Now, after each reboot of the server, the eth1 interface card will be in promiscuous mode and ntopng will be started automatically.
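The whole procedure of this section, from ntopng.conf to the interface stanza, as one script. This is an added example, not a file from the original post: it assumes a ROOT prefix so it can be dry-run against a scratch directory, uses ip(8) instead of the ifconfig commands shown above (both work on 14.04), and only writes anything when invoked as `sh setup-sensor.sh apply` as root. Running it twice leaves the files unchanged, because it first strips any stanza that already mentions the monitoring interface.

```shell
#!/bin/sh
# Added example, not code from the original post: generate the files the
# tutorial edits by hand (ntopng.conf, ntopng.start, the sysctl line and
# the /etc/network/interfaces stanza) from a few variables, removing any
# stanza that already references the monitoring interface first.
# Assumptions (mine, not the post's): ROOT is a prefix for dry runs against
# a scratch tree; ip(8) replaces the tutorial's ifconfig; changes are only
# applied when the script is called with the argument "apply".
ROOT="${ROOT:-}"
MON_IF="${MON_IF:-eth1}"
HTTP_PORT="${HTTP_PORT:-3000}"
LOCAL_NETS="${LOCAL_NETS:-10.0.0.0/8,192.168.0.0/16,2001:db8::/48}"

# ntopng.conf as in the tutorial, one --interface line per monitored NIC.
gen_ntopng_conf() {
  cat <<EOF
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=$MON_IF
--http-port=$HTTP_PORT
--local-networks="$LOCAL_NETS"
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--community
EOF
}

# Sensor stanza: no address, link up and promiscuous at boot, clean shutdown.
gen_iface_stanza() {
  cat <<EOF
auto $MON_IF
iface $MON_IF inet manual
    up ip link set dev $MON_IF up
    up ip link set dev $MON_IF promisc on
    down ip link set dev $MON_IF promisc off
    down ip link set dev $MON_IF down
EOF
}

# Print $1 (an interfaces file) without the auto/allow-hotplug/iface stanzas
# of interface $2, including the indented option lines that belong to them.
# Only single-interface lines match; a combined "auto eth0 eth1" is kept.
strip_iface_stanza() {
  awk -v ifc="$2" '
    $1 == "iface" && $2 == ifc                           { skip = 1; next }
    ($1 == "auto" || $1 == "allow-hotplug") && $2 == ifc { next }
    skip && /^[ \t]/                                     { next }
    { skip = 0; print }
  ' "$1"
}

# Write everything under $ROOT; safe to run repeatedly.
install_sensor_config() {
  mkdir -p "$ROOT/etc/ntopng" "$ROOT/etc/network"
  gen_ntopng_conf > "$ROOT/etc/ntopng/ntopng.conf"
  : > "$ROOT/etc/ntopng/ntopng.start"            # must exist, may be empty

  key="net.ipv6.conf.$MON_IF.disable_ipv6=1"     # no SLAAC address on the sensor NIC
  sysctl="$ROOT/etc/sysctl.conf"
  grep -qxF "$key" "$sysctl" 2>/dev/null || printf '%s\n' "$key" >> "$sysctl"

  ifaces="$ROOT/etc/network/interfaces"
  if [ -f "$ifaces" ]; then
    tmp=$(mktemp)
    strip_iface_stanza "$ifaces" "$MON_IF" > "$tmp" && cat "$tmp" > "$ifaces"
    rm -f "$tmp"
  fi
  gen_iface_stanza >> "$ifaces"
}

if [ "${1:-}" = apply ]; then
  install_sensor_config
  echo "written under '${ROOT:-/}' for $MON_IF; reboot, or: ifup $MON_IF && service ntopng start"
fi
```

Try it first with `ROOT=/tmp/sensor sh setup-sensor.sh apply` and diff the generated files against your real ones; only then run it without ROOT as root and reboot as described above. If you prefer the ifconfig lines from the tutorial, swap them into gen_iface_stanza; the stripping logic does not care which command the stanza uses.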
To verify that ntopng is running, have a look at netstat, which should list the ntopng process with TCP port 3000 open. The local address :::3000 is not IPv6-only: :: is the IPv6 “any” address, and on Linux such a dual-stack socket accepts IPv4 connections as well, so the GUI is reachable on the IPv4 address of eth0. If ntopng were bound to localhost only, the line would read 127.0.0.1:3000 instead:
weberjoh@jw-nb10:/etc/ntopng$ sudo netstat -l -p -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1280/redis-server 1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1110/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1110/sshd
tcp6       0      0 :::3000                 :::*                    LISTEN      8543/ntopng
udp        0      0 192.168.120.10:123      0.0.0.0:*                           1729/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1729/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1729/ntpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1307/snmpd
udp        0      0 0.0.0.0:58820           0.0.0.0:*                           1307/snmpd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1236/syslog-ng
udp6       0      0 2003:51:6012:120::1:123 :::*                                1729/ntpd
udp6       0      0 fe80::21d:92ff:fe53:123 :::*                                1729/ntpd
udp6       0      0 ::1:123                 :::*                                1729/ntpd
udp6       0      0 :::123                  :::*                                1729/ntpd
udp6       0      0 ::1:161                 :::*                                1307/snmpd
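Reading that listing by eye is where the “is it listening only on localhost?” question usually comes from. As an added example (not from the original post), the three things worth checking on the sensor, turned into small functions over the tool output: the scope of the TCP listener from `netstat -l -n -p`, the PROMISC flag from `ip link show`, and the number of addresses on the sniffing interface from `ip -o addr show`. The embedded sample outputs are constructed for offline use (the netstat lines mirror the listing above; the 8080 listener and the ip(8) lines are made up); check_live runs the real commands.

```shell
#!/bin/sh
# Added example, not part of the original post: decide from netstat and
# ip(8) output whether the sensor is wired up as the tutorial intends.
# The samples below are constructed; check_live() queries the live system.

# Scope of the TCP listener on port $1, read from `netstat -l -n -p` on stdin:
#   all       bound to 0.0.0.0 or :: (reachable on every address, eth0 included)
#   loopback  bound only to 127.0.0.1 / ::1 (GUI usable on the box itself only)
#   specific  bound to one concrete address
#   none      nothing listens on that TCP port
listener_scope() {
  awk -v port="$1" '
    $1 ~ /^tcp/ {
      n = split($4, a, ":"); p = a[n]
      if (p != port) next
      addr = substr($4, 1, length($4) - length(p) - 1)   # strip ":port"
      if (addr == "0.0.0.0" || addr == "::")         scope = "all"
      else if (addr == "127.0.0.1" || addr == "::1") { if (scope != "all") scope = "loopback" }
      else if (scope == "")                          scope = "specific"
    }
    END { if (scope == "") scope = "none"; print scope }'
}

# Is interface $1 in promiscuous mode? Reads `ip link show` on stdin and
# checks the flag list of that interface; prints yes, no or absent.
is_promisc() {
  awk -v ifc="$1" '
    $2 == (ifc ":") {
      found = 1
      r = (index($3, "PROMISC") > 0) ? "yes" : "no"
      print r; exit
    }
    END { if (!found) print "absent" }'
}

# Number of IPv4/IPv6 addresses on interface $1 from `ip -o addr show`;
# a sniffing interface should report 0 (no DHCPv4 lease, no SLAAC address).
addr_count() {
  awk -v ifc="$1" '$2 == ifc { n++ } END { print n + 0 }'
}

# Run on the sensor itself (root needed for the PID column of netstat).
check_live() {
  mon_if="${1:-eth1}"; port="${2:-3000}"
  echo "ntopng listener on $port: $(netstat -l -n -p 2>/dev/null | listener_scope "$port")"
  echo "$mon_if promiscuous:      $(ip link show | is_promisc "$mon_if")"
  echo "$mon_if addresses:        $(ip -o addr show | addr_count "$mon_if")"
}

# --- constructed samples (netstat lines follow the tutorial's listing) ---
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1280/redis-server 1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1110/sshd
tcp        0      0 192.168.120.10:8080     0.0.0.0:*               LISTEN      2200/python
tcp6       0      0 :::22                   :::*                    LISTEN      1110/sshd
tcp6       0      0 :::3000                 :::*                    LISTEN      8543/ntopng
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1729/ntpd
EOF
)
SAMPLE_IPLINK=$(cat <<'EOF'
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
EOF
)
SAMPLE_IPADDR=$(cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.120.10/24 brd 192.168.120.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::21d:92ff:fe53:1/64 scope link \       valid_lft forever preferred_lft forever
EOF
)

# Offline demonstration; `sh check-sensor.sh live [iface] [port]` queries the box.
printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 3000   # all
printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope 6379   # loopback
printf '%s\n' "$SAMPLE_IPLINK"  | is_promisc eth1       # yes
printf '%s\n' "$SAMPLE_IPADDR"  | addr_count eth1       # 0
if [ "${1:-}" = live ]; then check_live "${2:-eth1}" "${3:-3000}"; fi
```

A result of “all” for port 3000 is what the tutorial's config produces and what you want for remote access; it also means every host that can route to eth0 reaches the login page, so pair it with a firewall rule. “absent” from is_promisc usually means the interface name is wrong (check `ip link` on systems with predictable names), and a non-zero addr_count on eth1 means a leftover dhcp stanza or a missing disable_ipv6 line.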
Fine-Tuning ntopng
For further options to fine-tune ntopng, refer to this best practices guide from ntopng itself.
Featured image: “escargot / snail” by Olivier Bacquet is licensed under CC BY 2.0.
Dude…. I LOVE you. this walk through has been EXCELLENT. Thank you so much!
Brandon
Thanks for an awesome tutorial.
Do I need nProbe, I have a mikrotik sending netflow data to my ntopng host, and I have data in ntopng?
Yes, I am quite sure that you need nProbe. Currently you won’t see the real traffic but only netflow data.
My tutorial here works for mirror ports. For analyzing netflow data you need nProbe. Have a look at my other tutorial here: https://weberblog.net/2016/08/16/using-netflow-with-nprobe-for-ntopng/
Thank you for the amazing tutorial.
ntop made easy.
+100 bro points
Thanks for the good tutorial. I have a question. When logged in to ntop interface i am not able to see my other subnet machines and IPs. Using ddwrt based router and 2 local networks. The second one created for guests and i want to be able to monitor internet activity on that particular network specifically. Can you help to figure out why Ntop doesn’t show local subnet and its hosts?
Thank you!
Hey Al,
I am not quite sure what you’re meaning. Is your ntopng installation on the same machine as ddwrt? If so you can specify more than one interface in the ntopng config:
--interface=eth1
--interface=eth2
--interface=eth3
Or is your ntopng instance running with monitoring ports? Then you need an own monitor port for each subnet/vlan.
Cheers,
Johannes
SNMP tab disappears after 5 minutes of ntopng
Yes, this is because you are using the community version. Refer to: http://www.ntop.org/products/traffic-analysis/ntop/
You must purchase the pro version for using the SNMP tab all the time (as well as the great dashboard).
Hi, thanks for your great post. I have a MikroTik router; the scenario is to collect the users' connections and refer to them as I need in the future to track their connections. Is it possible with ntopng to do that? Do I need nProbe with a license or not?
Hey Sali,
please have a look at the MySQL & ElasticSearch options for ntopng to export the data. (I have not yet worked with these features, sorry.)
If you simply want to log everything, you can also use Syslog messages for that. However, it is difficult to parse them. (Have a look at my syslog-ng blogpost.) Or you can use Splunk. Google for it.
Cheers.
Hi,
I want to connect ntopng with netflow cisco. How to do it?
Hi,
Firstly i would like to extend my gratitude to you for giving a tutorial on ntopng.
I have a few questions:
1) I have a router with an ip and port for netflow.
2) can i use my router ip and port to monitor it with ntopng?
3) if can how can i do it?
Thank you, and btw I'm new to networking.
Hi afiq,
thanks for that.
I have another blogpost in which I am covering the usage of Netflow for ntopng: https://weberblog.net/using-netflow-with-nprobe-for-ntopng/
Maybe this one helps?
Hi,
I’m doing research that is monitoring dual stack network using ntopng.
On my ntopng, only IPv4 is detected; IPv6 does not show up at all. But I also have added the IPv6 network in the ntopng.conf file like in the steps on your website above.
Do you have a solution?
Hey RR.
The IPv6 networks in the ntopng.conf file are only for displaying them as “local networks”. This has nothing to do with the actual sniffing of traffic.
If you don’t see any IPv6 traffic then you’re probably not monitoring correctly. ;) Can you verify with tcpdump that IPv6 traffic is coming into your monitoring port?
Hi.
Thanks for your response.
When ntopng is used with the MikroTik, IPv6 is detected on the ntopng web page.
But when the MikroTik is replaced with a Cisco router, IPv6 is not detected at all. Only IPv4 is detected. The configuration in ntopng remains the same; nothing has changed.
How to handle it?
And you are *really* sure that you actually have IPv6 traffic behind the Cisco router?
Yes, I am sure, because my client already gets IPv6 from the Cisco router that I set up. But no IPv6 is detected in my ntopng. So how?
I followed this process a couple of times and I am stuck at trying to start ntopng:
* Starting ntopng * Unable to start ntopng
[fail]
What is missing here. Thanks.
I used the same Ubuntu version as you recommend.
More information:
ntopng:
Installed: 3.2.180214-4091
Candidate: 3.2.180214-4091
Version table:
*** 3.2.180214-4091 0
500 http://packages.ntop.org/apt-stable/14.04/ x64/ Packages
100 /var/lib/dpkg/status
Log:
22/Feb/2018 10:14:19 [Ntop.cpp:1422] Parent process is exiting (this is normal)
22/Feb/2018 10:14:53 [Ntop.cpp:1485] Setting local networks to 10.0.0.0/8,192.168.0.0/16,2001:db8::/48
22/Feb/2018 10:14:53 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
22/Feb/2018 10:14:53 [Redis.cpp:111] Successfully connected to redis 127.0.0.1:6379@0
22/Feb/2018 10:14:53 [Ntop.cpp:1422] Parent process is exiting (this is normal)
I fixed the issues. For some reason ntopng does not recognize the values below and I just commented out both.
#--pid-path=/var/tmp/ntopng.pid
#--interface=eth1
Thanks!
Oh ok. Thanks for letting us know!
Johannes,
How can I change the listening IP address from localhost to something else?
tcp6 0 0 :::3000 :::* LISTEN 8543/ntopng
The above netstat output shows ntopng will only accept access to the web interface locally (http://localhost:3000/). I want to be able to access the web interface remotely (like http://192.168.0.100:3000/).
Thank you in advance.
When I tried to specified:
1. -w 192.168.0.100:3000 OR
2. -w:3000
I got the following error message:
ERROR: Unable to start HTTP server (IPv4) on ports 127.0.0.1;3000: No such file or directory
Hey ed,
by default the ntopng process IS listening on everything with this config line:
--http-port=3000
My output shows:
tcp6 0 0 :::3000 :::* LISTEN 8543/ntopng
-> Note that it might be confusing since this statement shows the IPv6 address while it also listens on IPv4. Note the “::” which is the same as “0.0.0.0” in IPv4 followed by another colon with the port, in our case 3000. However, for some processes this single IPv6-looking line also reveals that IPv4 is listening as well.
If ntopng is ONLY listening on the localhost, the “Local Address” from netstat would show something like “127.0.0.1:3000”, which is not the case in my example.
Following my guide here you should be able to access ntopng from every IP address. Of course you must type in something like http://192.168.0.100:3000/ for that. (However, I have no up-to-date ntopng installation at the moment so I can’t test something for you.)
What is your “sudo netstat -tulpen | ntopng” listing?
Here is my ntopng version:
# ntopng --version
v.2.3.160415 [Community Edition]
GIT rev: :2.3.160415
If I need an upgrade, do you mind telling me how to do it please?
Thanks.