Channel: Brezular's Blog

Part1 - Monitoring Network Traffic with ntopng and nProbe


Ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage. It provides an intuitive, encrypted web user interface for the exploration of real-time and historical traffic information. ntopng comes in three versions: Community, Professional (Small Business Edition) and Enterprise. The Community version is free to use and open source. A physical NIC of the server can be monitored by specifying its interface name:

./ntopng -i eth0

However, we will use ntopng in flow collection mode along with nProbe, which can act as a probe/proxy. nProbe and ntopng communicate over ZeroMQ, a publish-subscribe protocol.

The ntopng Community version is installed on Ubuntu Server 18.04.1 with IP address 172.17.100.7/16. Ubuntu is running inside a VirtualBox VM. The IP address of the host (Asus K55Vm) is 172.17.100.2/16. The host is connected to the SOHO router, which functions as the gateway to the Internet with the IP address 172.17.100.1/16. The network diagram is shown in Picture 1.

nProbe is installed on a Raspberry Pi 3B with the IP address 172.17.100.50/16. Windows 7 is installed on the monitored PC with IP address 172.17.100.10/16, which is connected to FastEthernet0/3 of a Cisco Catalyst 3550 switch. The Raspberry Pi with nProbe installed is connected to FastEthernet0/24. The Cisco switch is connected to the SOHO router.

Picture 1 - Network Topology

Here is the default password list for all devices in our topology.

Device - username/password
Raspberry Pi: pi/raspberry
Ubuntu Server 18.04 : ubuntu/ubuntu
ntopng: admin/admin123
Cisco Catalyst 3550: admin/admin, enable password: cisco

ntopng web interface: http://172.17.100.7:3000

Hardware
Raspberry PI 3B
- Raspbian GNU/Linux 9.4 (stretch)
- nProbe v.8.5.180917

Asus K55Vm 16GB RAM
- host OS: Linux Kubuntu 18.04.1
- Oracle VirtualBox 5.2 with guest VM:
-- Ubuntu 16.04.5 Server with ntopng installed

1. Port Mirroring Configuration

To send traffic from the monitored (source) port Fa0/3, where the PC (172.17.100.10/16) is connected, to the destination port Fa0/24, where the Raspberry Pi is connected, we need to configure the port mirroring feature on the Cisco switch:

Switch(config)# monitor session 1 source interface Fa0/3
Switch(config)# monitor session 1 destination interface Fa0/24 encapsulation dot1q ingress vlan 1

The ingress vlan 1 option allows the destination port to accept incoming traffic as well, which ensures that nProbe can send flows to ntopng.

2. Raspbian Stretch Installation on Raspberry Pi 3B

Raspbian Stretch is installed on the Raspberry Pi 3B, and nProbe is installed on top of Raspbian Stretch.

2.1 Downloading Raspbian Stretch for Raspberry Pi3 and Copy Image to SD Card

We will download the latest Raspbian Stretch and save it to x86-64 Kubuntu 18.04.

$ wget https://downloads.raspberrypi.org/raspbian_lite_latest

Extract the image.

$ unzip raspbian_lite_latest

Make sure that the SD card is not mounted. If it is, unmount the card.

$ sudo umount /dev/mmcblk0

Copy the extracted Raspbian image to the SD card.

$ sudo dd bs=4M if=2018-06-27-raspbian-stretch-lite.img of=/dev/mmcblk0 status=progress conv=fsync

Remove the SD card from Kubuntu and insert it into the Raspberry Pi. Log in with username pi and password raspberry.
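
The mount check that precedes the dd step, as an added example that is not part of the original article: desktop systems usually mount the partitions of the card (such as /dev/mmcblk0p1) rather than the whole device, so this sketch lists every mounted partition of a device from the mounts table. The function names mounted_parts and safe_to_write are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original article.
# List the mounted partitions of a whole-disk device from a mounts table.
# $1: device, e.g. /dev/mmcblk0    $2: mounts table (default /proc/mounts)
mounted_parts() {
    dev=$1
    table=${2:-/proc/mounts}
    awk -v dev="$dev" '
        # The whole device itself is mounted.
        $1 == dev { print $1; next }
        # Partitions only: /dev/mmcblk0 -> /dev/mmcblk0p1,
        # /dev/sdb -> /dev/sdb1, but never /dev/sdbc1.
        index($1, dev) == 1 {
            rest = substr($1, length(dev) + 1)
            if (rest ~ /^p?[0-9]+$/) print $1
        }
    ' "$table" | sort -u
}

# Return 0 when nothing on the device is mounted, 1 otherwise.
safe_to_write() {
    parts=$(mounted_parts "$1" "${2:-/proc/mounts}")
    if [ -n "$parts" ]; then
        echo "still mounted: $parts" >&2
        return 1
    fi
    return 0
}

# Typical use before dd (run as root):
#   for p in $(mounted_parts /dev/mmcblk0); do umount "$p"; done
#   safe_to_write /dev/mmcblk0 && dd bs=4M if=... of=/dev/mmcblk0 ...
```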

2.2. Utilize All Space on SD card

By default the image utilizes only 4GB of your SD card space. Issue the command below.

# raspi-config

Navigate to Advanced Options -> A1 Expand Filesystem. This ensures that all of the SD card storage is available to the OS. The filesystem will be enlarged upon the next reboot.

2.3 Configure Static IP Address

Set static IP address for interface eth0.

# echo "interface eth0" >> /etc/dhcpcd.conf
# echo "static ip_address=172.17.100.50/16" >> /etc/dhcpcd.conf
# echo "static routers=172.17.100.1" >> /etc/dhcpcd.conf
# echo "static domain_name_servers=172.17.100.1 8.8.8.8" >> /etc/dhcpcd.conf
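
An added example, not from the original article: the echo commands above append a new stanza every time they are run, so this hypothetical helper set_static_eth0 replaces an existing eth0 stanza instead of stacking duplicates. It assumes a stanza runs from its interface line to the next interface line or the end of the file.

```shell
#!/bin/sh
# Added example, not from the original article.
# Write the eth0 static stanza to a dhcpcd.conf, replacing any earlier
# eth0 stanza so that re-running does not stack duplicate entries.
# $1: path to the config file (default /etc/dhcpcd.conf)
set_static_eth0() {
    conf=${1:-/etc/dhcpcd.conf}
    tmp=$(mktemp) || return 1
    # Assumption: an "interface X" line opens a stanza that runs to the
    # next "interface" line or end of file. Drop only the eth0 stanza.
    awk '
        $1 == "interface" { skip = ($2 == "eth0") }
        !skip { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Values below are the ones used in the article.
    cat >> "$tmp" <<'EOF'
interface eth0
static ip_address=172.17.100.50/16
static routers=172.17.100.1
static domain_name_servers=172.17.100.1 8.8.8.8
EOF
    # Overwrite in place so the owner and mode of the config are kept.
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Typical use (run as root): set_static_eth0 /etc/dhcpcd.conf
```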

2.4 Enable SSH Server

Navigate to Interface Options-> SSH and click Yes to enable SSH server.

# raspi-config

2.5 Set Timezone

We need to configure the correct timezone (Picture 2).

# dpkg-reconfigure tzdata

Picture 2 - Timezone Configuration on Raspberry PI

3. nProbe Installation and Configuration on Raspbian

3.1 nProbe Installation

Download and import the public key.

$ wget http://packages.ntop.org/apt/ntop.key
$ sudo su

# apt-key add ntop.key

Add ntop repository.

# echo "deb http://apt.ntop.org/stretch_pi armhf/" > /etc/apt/sources.list.d/ntop.list
# echo "deb http://apt.ntop.org/stretch_pi all/" >> /etc/apt/sources.list.d/ntop.list
# apt-get update

Install nprobe from the repository.

# apt-get install nprobe

3.2 nProbe Configuration

We discuss nProbe configuration in a separate article.

4. Ubuntu 18.04.1 Server Installation and Configuration

Ubuntu 18.04.1 is running as VirtualBox guest VM and its installation is not covered in the tutorial.

4.1 Static IP Address Configuration for Ubuntu 18.04.1 Server

Ubuntu 18.04 uses netplan to configure network interfaces (Picture 3). Change the network card name if needed, mine is enp0s3.

$ cat /etc/netplan/01-systemd-networkd-eth.yaml

Picture 3 - Static IP Address Configuration for Ubuntu 18.04

Save changes.

$ sudo netplan apply

4. Ntopng Installation and Configuration on Ubuntu 18.04.x LTS Server

ntopng can be installed either from the repository or compiled and installed from sources. We will show both ways; select your preferred installation method.

4.1 ntopng Installation from Repository

Add repository universe to the /etc/apt/sources.list (Picture 4). Use your favorite file editor.

$ sudo su
# vi /etc/apt/sources.list

Picture 4 - Adding Universe to Ubuntu Repository List

# apt-get update
# apt-get install ntopng

4.2 ntopng Compilation and Installation from Sources

If you prefer manual installation, follow the steps below.

$ sudo su

Add the universe repository, as we are going to install the Redis server from the repository (Picture 4).

Install dependencies for PF_RING, nDPI and ntopng.

$ sudo apt-get install autoconf pkg-config libtool libcurl4-openssl-dev rrdtool librrd-dev libmysqlclient-dev bison flex libpcap0.8-dev libmaxminddb-dev libsqlite3-dev libpcap-dev

4.2.1 Redis Server Installation from Repository

$ sudo apt-get install redis-server redis-tools

4.2.2 PF_RING Installation

$ git clone https://github.com/ntop/PF_RING.git
$ cd PF_RING/kernel
$ make
$ sudo insmod ./pf_ring.ko
$ cd ../userland
$ make

$ cd ~

4.2.3 nDPI Installation

$ git clone https://github.com/ntop/nDPI.git
$ cd nDPI
$ ./autogen.sh
$ ./configure --with-pic
$ make

$ cd ~

4.2.4 ntopng Installation

$ git clone https://github.com/ntop/ntopng.git

$ cd ntopng
$ ./autogen.sh

$ ./configure
$ make geoip
$ make

$ sudo make install

4.2.5 After Install Steps for ntopng

If you notice permission problems when ntopng is started, change the owner of the following directory from root to nobody.

# chown -R nobody /var/lib/ntopng/

5. Testing

Open your favorite web browser and type the URL http://172.17.100.7:3000. If you followed the instructions correctly, you will see the ntopng login page. The default username is admin and password is admin. You will be prompted to change the password during the first login.

We discuss ntopng flow collection modes in the next tutorial.

