Some time ago I published a post introducing ntopng as an out-of-the-box network monitoring tool. I am running it on a Knoppix live Linux notebook with two network cards. However, a few customers wanted a persistent installation of ntopng in their environment. So this is a step-by-step tutorial on how to install ntopng on an Ubuntu server with at least two NICs.
I already pointed to the many great features of ntopng in the previous post. If you are searching for an open source real-time network analyzer, ntopng is the choice.
Network Setup
This is a rough view of the network. On a switch in the network, a monitor port is configured to send all traffic from a certain port/vlan/routing-domain to the network analyzer. (There are different names for this scenario: mirror and monitor ports, SPAN ports, source and destination ports, etc.) The eth1 port on the Linux machine is used in promiscuous mode to process everything that comes in.
The other port, eth0, must be configured with a static IP address on the network. The ntopng web GUI is reached through this port (http://<IP-address>:3000 by default).
Plan the placement and bandwidth of the mirroring carefully! Before or after a firewall/router with NAT? Can the aggregate traffic of the mirrored ports/VLANs exceed the physical link speed of the monitor port? If it can, the switch silently drops mirrored frames and ntopng sees an incomplete picture.
Installation of ntopng
I am using a fresh Ubuntu Server 14.04 LTS edition (64-bit, which ntopng requires). As always I am installing a few basic software packages before starting with the actual service. The packages for ntopng can be found here. Select either the “nightly” or “stable” builds. For more reliable versions, you should choose the stable one. Execute the following two commands on the server to add the ntopng repository:
wget http://apt-stable.ntop.org/14.04/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb
Have a look at “/etc/apt/sources.list.d/”. There is now a “ntop-stable.list” file which has two lines. Now you can install ntopng with:
sudo apt-get update
sudo apt-get install ntopng
This will install a bunch of packages, including ntopng, ntopng-data, pfring, redis-server and redis-tools.
Before you can start ntopng, you need to create a configuration file:
sudo nano /etc/ntopng/ntopng.conf
Read the documentation (man ntopng) for more details. The following template can be used as a starting point. Replace the --local-networks prefixes with those of your own site (2001:db8::/48 is the IPv6 documentation prefix, used here as a placeholder). Note that --disable-autologout keeps GUI sessions open indefinitely and the HTTP listener binds to all addresses, so change the default admin password at the first login and restrict TCP port 3000 to the management network:
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=eth1
--http-port=3000
--local-networks="10.0.0.0/8,192.168.0.0/16,2001:db8::/48"
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--community
Furthermore, you need a file called “ntopng.start”, which can be empty but must exist in the folder:
sudo touch /etc/ntopng/ntopng.start
Now you can start ntopng with:
sudo service ntopng start
It will also be started automatically after a reboot.
Promiscuous Interfaces
What’s still missing is the configuration of the eth1 interface to run in promiscuous mode. Furthermore, it must not obtain an IPv4 or IPv6 address via DHCPv4 or SLAAC, since a monitoring interface should never be addressable from the mirrored network. Therefore, the following configuration steps are required.
Disable IPv6 on the interface: Open the following file:
sudo nano /etc/sysctl.conf
and add the following line (it takes effect at the next reboot, or immediately after reloading the file with sysctl -p):
net.ipv6.conf.eth1.disable_ipv6=1
Start the eth1 interface in promiscuous mode: Open the following file:
sudo nano /etc/network/interfaces
and add these lines:
auto eth1
iface eth1 inet manual
    up ifconfig eth1 promisc up
    down ifconfig eth1 promisc down
Note: If there are already some lines that reference eth1, delete them or comment them out. For example, there must be no “iface eth1 inet dhcp” line anymore!
Now, after each reboot of the server, the eth1 interface card will be in promiscuous mode and ntopng will be started automatically.
To verify that ntopng is running, have a look at netstat, which should display the running process and the open TCP port 3000. Note that ntopng listens on :::3000, i.e. on all addresses of the server, whereas redis is correctly bound to 127.0.0.1 only:
weberjoh@jw-nb10:/etc/ntopng$ sudo netstat -l -p -n
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1280/redis-server 1
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1110/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      1110/sshd
tcp6       0      0 :::3000                 :::*                    LISTEN      8543/ntopng
udp        0      0 192.168.120.10:123      0.0.0.0:*                           1729/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*                           1729/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           1729/ntpd
udp        0      0 0.0.0.0:161             0.0.0.0:*                           1307/snmpd
udp        0      0 0.0.0.0:58820           0.0.0.0:*                           1307/snmpd
udp        0      0 0.0.0.0:514             0.0.0.0:*                           1236/syslog-ng
udp6       0      0 2003:51:6012:120::1:123 :::*                                1729/ntpd
udp6       0      0 fe80::21d:92ff:fe53:123 :::*                                1729/ntpd
udp6       0      0 ::1:123                 :::*                                1729/ntpd
udp6       0      0 :::123                  :::*                                1729/ntpd
udp6       0      0 ::1:161                 :::*                                1307/snmpd
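The whole procedure above (ntopng.conf, ntopng.start, the promiscuous eth1 stanza, the sysctl line) plus the netstat verification, as an added shell script that is not part of the original post or of the ntopng project. It renders the files under a root directory you pass (/ on a real server) so that it can be dry-run safely, comments out an existing DHCP stanza instead of relying on a manual edit, and parses a netstat -l -p -n listing to report which address ntopng and redis are bound to. The function names, the ROOT handling and the netstat sample at the bottom are my own; the sample is constructed to mirror the listing shown above.

```shell
#!/bin/sh
# Added example (not from the original post): render the files configured above
# under a target root and sanity-check them. Function names and the constructed
# netstat sample are my own; pass / as the root on a real server.
set -eu

MON_IF="${MON_IF:-eth1}"        # NIC on the SPAN/mirror port: promiscuous, no IP address
HTTP_PORT="${HTTP_PORT:-3000}"
LOCAL_NETS="${LOCAL_NETS:-10.0.0.0/8,192.168.0.0/16,2001:db8::/48}"   # replace with your prefixes

# /etc/ntopng/ntopng.conf plus the empty ntopng.start the init script requires.
write_ntopng_conf() {
    mkdir -p "$1/etc/ntopng"
    cat > "$1/etc/ntopng/ntopng.conf" <<EOF
--pid-path=/var/tmp/ntopng.pid
--daemon
--interface=$MON_IF
--http-port=$HTTP_PORT
--local-networks="$LOCAL_NETS"
--dns-mode=1
--data-dir=/var/tmp/ntopng
--disable-autologout
--community
EOF
    : > "$1/etc/ntopng/ntopng.start"
}

# Comment out any existing "auto/iface $MON_IF" stanza (so no DHCP lease is
# requested) and append the promiscuous-mode stanza; safe to run twice.
write_interfaces() {
    f="$1/etc/network/interfaces"
    mkdir -p "$1/etc/network"
    [ -f "$f" ] || : > "$f"
    grep -q "ifconfig $MON_IF promisc up" "$f" && return 0
    awk -v ifn="$MON_IF" '
        /^[ \t]*(auto|allow-hotplug|iface|mapping|source)/ { drop = 0 }
        ($1 == "auto" || $1 == "allow-hotplug") && $2 == ifn { print "#" $0; next }
        $1 == "iface" && $2 == ifn { drop = 1 }
        drop && NF > 0 && !/^[ \t]*#/ { print "#" $0; next }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    cat >> "$f" <<EOF

auto $MON_IF
iface $MON_IF inet manual
    up ifconfig $MON_IF promisc up
    down ifconfig $MON_IF promisc down
EOF
}

# Keep the interface from auto-configuring an IPv6 address via SLAAC.
write_sysctl() {
    f="$1/etc/sysctl.conf"; line="net.ipv6.conf.$MON_IF.disable_ipv6=1"
    mkdir -p "$1/etc"
    grep -qx "$line" "$f" 2>/dev/null || echo "$line" >> "$f"
}

# 0 if no live DHCP stanza remains for MON_IF and the promisc stanza is present.
check_interfaces() {
    f="$1/etc/network/interfaces"
    ! grep -Eq "^[[:space:]]*iface[[:space:]]+$MON_IF[[:space:]]+inet[[:space:]]+dhcp" "$f" &&
        grep -Eq "^[[:space:]]*up[[:space:]]+ifconfig[[:space:]]+$MON_IF[[:space:]]+promisc" "$f"
}

# Print the address PROG listens on for TCP port PORT in a "netstat -l -p -n"
# listing (FILE); exit 1 if absent. The program column is matched anywhere on the
# line because netstat truncates it (e.g. "1280/redis-server 1").
listen_addr() {
    awk -v prog="$1" -v port="$2" '
        $1 ~ /^tcp/ && $0 ~ ("/" prog "( |$)") {
            addr = $4; sub(/:[0-9]+$/, "", addr)
            p = $4;    sub(/.*:/, "", p)
            if (p == port) { print addr; found = 1 }
        }
        END { exit (found ? 0 : 1) }' "$3"
}

# 0.0.0.0 or :: means every NIC, including whatever the mirror port is plugged into.
is_wildcard_bind() { case "$1" in 0.0.0.0|::) return 0 ;; *) return 1 ;; esac; }

# --- self-check in a scratch directory; the netstat lines below are constructed ---
ROOT="$(mktemp -d)"
mkdir -p "$ROOT/etc/network"
printf '%s\n' 'auto lo' 'iface lo inet loopback' '' 'auto eth0' 'iface eth0 inet static' \
    '    address 192.168.120.10' '' 'auto eth1' 'iface eth1 inet dhcp' > "$ROOT/etc/network/interfaces"
write_ntopng_conf "$ROOT"; write_interfaces "$ROOT"; write_sysctl "$ROOT"
check_interfaces "$ROOT" || { echo "interfaces stanza wrong"; exit 1; }
cat > "$ROOT/netstat.txt" <<'EOF'
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      1280/redis-server 1
tcp6       0      0 :::3000                 :::*                    LISTEN      8543/ntopng
EOF
a="$(listen_addr ntopng "$HTTP_PORT" "$ROOT/netstat.txt")" || { echo "ntopng not listening"; exit 1; }
is_wildcard_bind "$a" && echo "ntopng GUI bound on $a:$HTTP_PORT (all NICs): firewall it to the management network"
r="$(listen_addr redis-server 6379 "$ROOT/netstat.txt")" && is_wildcard_bind "$r" && echo "WARNING: redis exposed on $r"
echo "rendered files under $ROOT: ok"
```

The script uses ifconfig in the interfaces stanza because that is what Ubuntu 14.04 ships; on releases without net-tools the equivalent is ip link set eth1 promisc on. After running it against / you still need sysctl -p (or a reboot) for the IPv6 line, service ntopng start, and a first login to replace ntopng's default admin password, since the GUI is reachable on every address of the server.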