ntop on FreeBSD 6.2

Prerequisites:

FreeBSD (Base + Autoconf, Automake, Bash and GCC)
GD - Graphics Libraries

Overview:
 Step #1 - Install ntop
 Step #2 - Simple test of ntop
 Step #3 - Create an “rc” script to start ntop at boot time
 Step #4 - Configure a NetFlow Collector on FreeBSD and export a NetFlow on the Cisco router

Step #1

ntop – View the types of applications running on your network

Home: 

 http://www.ntop.org

# Download (Notes: Users behind a Proxy Server should read this, and users without Internet access but with a CD-ROM should read this.)

# Install Graphviz
cd /usr/ports/graphics/graphviz
make install clean

# Install xorg-fonts-type1
cd /usr/ports/x11-fonts/xorg-fonts-type1
make install clean

# Install urwfonts
cd /usr/ports/x11-fonts/urwfonts
make install clean

# Change to ntop ports src directory
cd /usr/ports/net/ntop

# Compile
make
# Dual CPU machines can compile faster with -j 2 option!
# make -j 2

# Install
make install

# Clean
make clean

# Note: If compiling from source fails, you can install the pre-built binary package:
# pkg_add -r ntop

# Fix a FreeBSD-specific issue: create the RRD directory and give /var/db/ntop to the user ntop runs as (www)
mkdir /var/db/ntop/rrd
chown -R www:www /var/db/ntop

Step #2

Simple test of ntop

Quick-start test and set the admin password:
/usr/local/bin/ntop -u www

# Open your favorite web browser and point it to your NMS running ntop:
http://YourServerIP:3000/

# NTop Password Reset
#
/usr/local/bin/ntop --set-admin-password=ntoppassword
# User: admin / Pass: ntoppassword
# If above fails, try this:
# Get a new copy of /var/db/ntop/ntop_pw.db (in case you need it reset)
# cd /var/db/ntop
# rm ntop_pw.db
# fetch http://www.nmsworld.com/UNIX/ntop_pw.zip
# unzip ntop_pw.zip
# rm ntop_pw.zip
# chown -R www:www /var/db/ntop
# chmod a+r /var/db/ntop/rrd
# chmod a+w /var/db/ntop/rrd

Step #3

Create an “rc” script to start ntop at boot time

# Create an “rc” script to start at boot time
vi /usr/local/etc/rc.d/ntop.sh

# Set script executable for boot time
chmod +x /usr/local/etc/rc.d/ntop.sh

# Fetch a copy of my huge protocol list (edit as you see fit):
mkdir /opt/scripts
cd /opt/scripts
fetch http://www.NMSWorld.com/UNIX/protocol.list.txt
dos2unix /opt/scripts/protocol.list.txt
chmod a+r /opt/scripts/protocol.list.txt

# Some commands to know:
/usr/local/etc/rc.d/ntop.sh start
/usr/local/etc/rc.d/ntop.sh stop
tail -f /var/log/messages

# Get more NetFlow information here:
http://www.cisco.com/en/US/products/ps6601/products_ios_protocol_group_home.html
http://www.ntop.org/ntop.html

# Example raw command lines. Flags used: -d run as a daemon; --use-syslog=local7 log to that syslog facility;
# -M keep per-interface statistics separate (no interface merge); --no-fc ignore Fibre Channel;
# -u drop privileges to this user; --interface NIC to sniff ("none" = no local capture, NetFlow/sFlow plugins only);
# -w HTTP port (optionally address:port); -W HTTPS port; -p protocol definitions file.

# NetFlow-only collector, web interface bound to 10.0.0.1:3000
/usr/local/bin/ntop -d --use-syslog=local7 -M -w 10.0.0.1:3000 --no-fc --interface none -W 3001 -p /opt/scripts/protocol.list.txt
# or: sniff em0 with the custom protocol list
/usr/local/bin/ntop -d --use-syslog=local7 -M --no-fc -u www --interface em0 -w 3000 -W 3001 -p /opt/scripts/protocol.list.txt
# or: sniff em0 with ntop's built-in protocol list
/usr/local/bin/ntop -d --use-syslog=local7 -M --no-fc -u www --interface em0 -w 3000 -W 3001
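Step #3 tells you to create /usr/local/etc/rc.d/ntop.sh but never shows its contents. The script below is an added example (not the page's own script and not from the ntop project) of an old-style FreeBSD 6.x rc.d script using the flags from the example command lines above and the protocol list from /opt/scripts. Two things in it are assumptions, not facts from the page: the location of the pid file ntop writes when started with -d, and the pkill fallback used to stop ntop when that pid file is unusable.

```shell
#!/bin/sh
#
# /usr/local/etc/rc.d/ntop.sh - start/stop ntop at boot on FreeBSD 6.x.
# Old-style rc.d script: the boot process runs it with "start" and
# shutdown runs it with "stop"; you can call it by hand the same way.
# Added example, not the page's or the ntop project's own script.

NTOP="/usr/local/bin/ntop"
NTOP_USER="www"                        # -u: user ntop drops to; must own /var/db/ntop
NTOP_IFACE="em0"                       # --interface: NIC to sniff, "none" for NetFlow-only
NTOP_HTTP_PORT="3000"                  # -w
NTOP_HTTPS_PORT="3001"                 # -W
NTOP_PROTO_LIST="/opt/scripts/protocol.list.txt"   # -p, optional
NTOP_DB_DIR="/var/db/ntop"
NTOP_PIDFILE="${NTOP_DB_DIR}/ntop.pid" # ASSUMPTION: where ntop writes its pid under -d

# Build the command line (same flags as the page's example command lines).
# Printing it instead of running it lets you inspect it: sh ntop.sh show
ntop_cmdline() {
    _cmd="$NTOP -d --use-syslog=local7 -M --no-fc -u $NTOP_USER"
    _cmd="$_cmd --interface $NTOP_IFACE -w $NTOP_HTTP_PORT -W $NTOP_HTTPS_PORT"
    # Pass -p only when the list is readable; without it ntop uses its built-in list.
    [ -r "$NTOP_PROTO_LIST" ] && _cmd="$_cmd -p $NTOP_PROTO_LIST"
    echo "$_cmd"
}

# Catch the usual FreeBSD setup mistakes (see the /var/db/ntop fix in Step #1)
# before starting: with -d and --use-syslog you would otherwise only see the
# failure in /var/log/messages.
ntop_precheck() {
    [ -x "$NTOP" ] || { echo "ntop: $NTOP is not executable" >&2; return 1; }
    [ -d "$NTOP_DB_DIR/rrd" ] || { echo "ntop: $NTOP_DB_DIR/rrd is missing" >&2; return 1; }
    _owner=$(ls -ld "$NTOP_DB_DIR" | awk '{ print $3 }')
    if [ "$_owner" != "$NTOP_USER" ]; then
        echo "ntop: $NTOP_DB_DIR is owned by $_owner, not $NTOP_USER" >&2
        return 1
    fi
    return 0
}

# Print the pid of a running ntop, or nothing if it is not running.
ntop_pid() {
    if [ -r "$NTOP_PIDFILE" ]; then
        _pid=$(head -1 "$NTOP_PIDFILE")
        [ -n "$_pid" ] && kill -0 "$_pid" 2>/dev/null && echo "$_pid"
    fi
}

ntop_start() {
    ntop_precheck || return 1
    _pid=$(ntop_pid)
    if [ -n "$_pid" ]; then
        echo "ntop already running (pid $_pid)"
        return 0
    fi
    echo "Starting ntop."
    eval "$(ntop_cmdline)"
}

ntop_stop() {
    _pid=$(ntop_pid)
    if [ -n "$_pid" ]; then
        echo "Stopping ntop (pid $_pid)."
        kill "$_pid"
    else
        # ASSUMPTION: no usable pid file, so match by process name and owner instead.
        echo "Stopping ntop (by name)."
        pkill -u "$NTOP_USER" -x ntop
    fi
}

ntop_status() {
    _pid=$(ntop_pid)
    if [ -n "$_pid" ]; then echo "ntop is running (pid $_pid)"; else echo "ntop is not running"; fi
}

case "${1:-}" in
    start)   ntop_start ;;
    stop)    ntop_stop ;;
    restart) ntop_stop; sleep 2; ntop_start ;;
    status)  ntop_status ;;
    show)    ntop_cmdline ;;
esac
```

Save it as /usr/local/etc/rc.d/ntop.sh and chmod +x it as in Step #3; `sh /usr/local/etc/rc.d/ntop.sh show` prints the command line without starting anything, and the pre-flight check refuses to start when /var/db/ntop is not owned by www, which is the error the chown in Step #1 fixes.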
Step #4

Configure a NetFlow Collector on FreeBSD and export a NetFlow on the Cisco router

# NOTE: You need to set up NetFlow in 2 places: 1.) the ntop Plugins menu 2.) your Cisco router (or MSFC VLAN)

# Set up a NetFlow Collector in the ntop web interface by first turning on the NetFlow Plugin

# Add a new NetFlow Device

# Configure a NetFlow Collector - Remember the Port number you choose for later when setting up the export on your router

# Telnet to your Cisco router and create and export a NetFlow to your FreeBSD ntop Collector:
telnet 10.0.0.254

config term

ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
ip flow-export version 5
ip flow-export destination 10.0.0.1 9991

interface Vlan 1
ip route-cache flow

end
copy running startup

# Test
show ip flow export

# You should see data in the ntop Summary web page (and other pages) indicating you are receiving NetFlow export data from the router!
# NOTE: This page was designed for the person using Cisco routers as the NetFlow source, but there is no reason why you can't get data other ways.
#       You could span or mirror a port (or use a dumb hub in place of a switch) to a cheap network card on your FreeBSD box for data.
#       Or you could set up or buy some cheap probes as described at www.ntop.org

# I also found some good information over at CRANNOG Software:
# (It looks like Crannog Software has some neat commercial NetFlow solutions.)

Configuring NetFlow Data Export

This is a brief guide to setting up NetFlow on a Cisco routing or route-switching device. For more information on this subject, visit http://www.cisco.com/go/netflow. We recommend that only people with experience in configuring Cisco devices follow these steps. If in doubt, contact your network administrator or Cisco consultant. Note that if you are running hybrid mode on a Supervisor Engine you must configure both CatOS on the Supervisor Engine and IOS on the MSFC. If you are running Native IOS the commands are slightly different.
Configuring Netflow Export on an IOS device

In configure mode on the router or MSFC, issue the following to enable NetFlow Export:

ip flow-export destination <address> 2055

Use the address of your NetFlow Monitor or NetFlow Tracker server and one of the ports configured in the listener ports configuration panel. Port 2055 is monitored by default.

ip flow-export source loopback 0

The source interface is used to set the source IP address of the NetFlow exports sent by the router. NetFlow Monitor and NetFlow Tracker will make SNMP requests of the router on this address. If you experience problems you can set the source interface to an Ethernet or WAN interface instead of the loopback.

ip flow-export version 5 [peer-as | origin-as]

This sets the export version. Version 5 is the most recent full export version supported by routers. If your router uses BGP, you can specify that either the origin or peer ASs are included in exports – it is not possible to include both. Note that NetFlow Monitor does not support origin AS.

ip flow-cache timeout active 1

This breaks up long-lived flows into one-minute segments.

ip flow-cache timeout inactive 15

This ensures that flows that have finished are exported in a timely manner.

interface <interface>
ip route-cache flow
bandwidth <kbps>

You need to enable NetFlow on each interface through which traffic you are interested in will flow. This will normally be the Ethernet and WAN interfaces. You may also need to set the speed of the interface in kilobits per second. It is especially important to set the speed for frame relay or ATM virtual circuits.

ip cef

This enables Cisco Express Forwarding, which is required for NetFlow in most recent IOS releases.

show ip flow export

This will show the current NetFlow configuration. Issue this in normal (not configuration) mode.

show ip cache flow
show ip cache verbose flow

These commands issued in normal mode summarise the active flows and give an indication of how much NetFlow data the router is exporting.
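The "show ip flow export" test in Step #4 and the show commands described here both leave you reading router output by eye. As an added check (not from the page, not from Crannog and not part of ntop), the script below parses a saved copy of that output and compares it with the collector address and port entered in ntop's NetFlow plugin; it also flags the common case where export is enabled but no interface has "ip route-cache flow" yet, so the exported-flow counter stays at zero. The router output embedded in it is constructed to follow the IOS 12.x layout and is not a capture from the page's router.

```shell
#!/bin/sh
# verify_flow_export.sh - sanity-check a saved "show ip flow export" capture
# against the collector ntop listens on.  Added example, not from the page,
# Crannog or ntop.  The router output below is CONSTRUCTED to match the
# IOS 12.x layout; it is not a capture from the page's router.

SAMPLE_FLOW_EXPORT='Flow export v5 is enabled for main cache
  Exporting flows to 10.0.0.1 (9991)
  Exporting using source interface Vlan1
  Version 5 flow records
  1527 flows exported in 312 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues'

# Export version from the first line ("Flow export v5 is enabled ...").
# Prints nothing when export is disabled ("Flow export is disabled").
flow_export_version() {
    awk '/^Flow export v[0-9]+ is enabled/ { sub(/^v/, "", $3); print $3; exit }'
}

# Destination as "ip port".  Handles both the older "Exporting flows to A (P)"
# line and the newer "Destination(1)  A (P)" line; the last two fields are
# the address and the parenthesised port in either layout.
flow_export_dest() {
    awk '/Exporting flows to|Destination\([0-9]+\)/ {
            ip = $(NF-1); port = $NF
            gsub(/[()]/, "", port)
            print ip, port; exit }'
}

# Number of flows exported so far ("N flows exported in M udp datagrams").
flow_export_count() {
    awk '/flows exported in/ { print $1; exit }'
}

# check_flow_export COLLECTOR_IP PORT < capture
# Returns 0 when the router exports version 5 flows to the collector and has
# actually exported something; otherwise prints what is wrong and returns 1.
check_flow_export() {
    _want_ip="$1"; _want_port="$2"
    _capture=$(cat)              # read stdin once so each helper can re-read it
    _ver=$(printf '%s\n' "$_capture" | flow_export_version)
    _dest=$(printf '%s\n' "$_capture" | flow_export_dest)
    _count=$(printf '%s\n' "$_capture" | flow_export_count)
    _rc=0
    if [ -z "$_ver" ]; then
        echo "NetFlow export is not enabled: check 'ip flow-export destination' in the running-config"
        return 1
    fi
    if [ "$_ver" != "5" ]; then
        echo "export version is $_ver; this guide's collector setup uses 'ip flow-export version 5'"
        _rc=1
    fi
    if [ "$_dest" != "$_want_ip $_want_port" ]; then
        echo "router exports to '$_dest' but the ntop collector listens on '$_want_ip $_want_port'"
        _rc=1
    fi
    if [ "${_count:-0}" -eq 0 ]; then
        echo "0 flows exported so far: no interface has 'ip route-cache flow' yet, or no traffic has crossed one"
        _rc=1
    fi
    [ "$_rc" -eq 0 ] && echo "OK: v$_ver export to $_dest, $_count flows exported so far"
    return "$_rc"
}

# Stand-alone demo on the constructed sample.  With a real capture saved from
# the router session:  sh verify_flow_export.sh < flow-export.txt
# (edit the collector address and port below to match your ntop plugin).
printf '%s\n' "$SAMPLE_FLOW_EXPORT" | check_flow_export 10.0.0.1 9991
```

Run it again after the router has carried traffic for a minute: the "flows exported" count should have increased between two captures, and if it has not, the export destination and version are right but no interface is feeding the flow cache.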
Configuring NDE on a CatOS device

In privileged mode on the Supervisor Engine, issue the following to enable NDE:

set system name <name>

Set the name of your switch. Note that even if the prompt has been set to the name of the switch you still need this command.

set mls nde <address> 2055

Use the address of your NetFlow Monitor or NetFlow Tracker server and one of the ports configured in the listener ports configuration panel. Port 2055 is monitored by default.

set mls nde version 7

This sets the export version. Version 7 is the most recent full export version supported by switches.

set mls agingtime long 64

This breaks up long-lived flows into (roughly) one-minute segments.

set mls agingtime 32

This ensures that flows that have finished are exported in a timely manner.

set mls flow full

This sets the flow mask to full flows. This is required to get useful information from the switch.

set mls bridged-flow-statistics enable <vlanlist>

CatOS 7.(2) or higher is required for this command, which enables NDE for all traffic within the specified VLANs rather than just inter-VLAN traffic.

set mls nde enable

This enables NDE.

show mls nde
show mls debug

These commands can help debug your NDE configuration.

Configuring NDE on a Native IOS device

In configure mode on the Supervisor Engine, follow the instructions for an IOS device above, and then issue the following to enable NDE:

mls nde sender version 7

This sets the export version. Exporting version 7 from the Supervisor Engine is important to help NetFlow Monitor and NetFlow Tracker distinguish between flows coming from the Supervisor Engine and flows coming from the MSFC.

mls aging long 64

This breaks up long-lived flows into (roughly) one-minute segments.

mls aging normal 32

This ensures that flows that have finished are exported in a timely manner.

mls flow ip interface-full
mls nde interface

or

mls flow ip full

If you have a Supervisor Engine 2 or 720 running IOS version 12.1.13(E) or higher the first two commands are required to put interface and routing information into the NetFlow Exports. This information is unavailable with any earlier IOS version on the Supervisor Engine 2 or 720.
If you have a Supervisor Engine 1 the third command is required to put full information into the NetFlow Exports.

Configuring NetFlow Export on a 4000 series switch

The 4000 and 4500 series switches require a Supervisor IV with a NetFlow Services daughter card (WS-F4531) and IOS version 12.1(19)EW or above to support NetFlow. First configure the device as for an IOS device above, omitting the command ip route-cache flow on each interface, and then issue the following:

ip route-cache flow infer-fields

This ensures routing information is included in the flows.

Acknowledgements:
Cisco, Crannog and ntop are registered names and do not belong to me!