Chapter 8. Ntop NetFlow Collector Traffic Monitoring

Table of Contents

Ntop NetFlow Background
Ntop NetFlow with a WRT54GS Firewall/Router and NST Probe
WRT54GS IPTables Table and Chain Listings

NetFlow is a traffic monitoring technology developed by Cisco Networks. The need to measure network bandwidth, account for resource utilization, and support performance, quality of service, and security oriented network services led Cisco engineers to develop this monitoring technology. A NetFlow flow is defined as a unidirectional stream of packets that share seven key fields: source IP address, destination IP address, L3 protocol type, source port, destination port, ToS byte, and the input logical interface. Flow records are exported to a collector as UDP datagrams.

This chapter will demonstrate how to set up and monitor NetFlow data generated by a LINKSYS WRT54GS router and processed by an ntop collector running on an NST probe.

Ntop NetFlow Background

The ntop application was designed to be extended with a plugin architecture. NetFlow processing and handling within the ntop application is enabled by a NetFlow plugin. The NetFlow plugin supports the following features:

  • Export version 5 NetFlows to a NetFlow collector.

  • Import version 5 NetFlows from a NetFlow generator.

  • Act as both a NetFlow collector and probe (generator) at the same time.
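The seven-field flow key described at the start of this chapter and the export/import roles listed above can be seen in a single NetFlow version 5 datagram. The following is an added example, not code from ntop or its NetFlow plugin: it packs a few constructed flow records into a v5 datagram the way a probe (generator) would, then parses that datagram back the way a collector would, validating the header before trusting any record, and aggregates the records by their seven-field key. The field layout follows the published NetFlow v5 header (24 bytes) and record (48 bytes) format; the sample addresses, ports and counters are constructed for the example.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# NetFlow v5 wire layout (network byte order).
V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30                                    # per datagram, by spec


@dataclass(frozen=True)
class FlowKey:
    """The seven fields that identify one unidirectional NetFlow flow."""
    src_ip: str
    dst_ip: str
    protocol: int     # L3 protocol type (6 = TCP, 17 = UDP, ...)
    src_port: int
    dst_port: int
    tos: int          # ToS byte
    input_if: int     # input logical interface (SNMP ifIndex)


@dataclass
class FlowRecord:
    key: FlowKey
    packets: int
    octets: int


def build_v5_datagram(records: List[FlowRecord], sys_uptime: int = 0,
                      unix_secs: int = 0, sequence: int = 0) -> bytes:
    """Probe side: encode records as one NetFlow v5 export datagram."""
    if not 1 <= len(records) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = V5_HEADER.pack(5, len(records), sys_uptime, unix_secs, 0,
                            sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r.key.src_ip), socket.inet_aton(r.key.dst_ip),
            b"\x00" * 4,                    # nexthop (unused here)
            r.key.input_if, 0,              # input / output ifIndex
            r.packets, r.octets, 0, 0,      # dPkts, dOctets, first, last
            r.key.src_port, r.key.dst_port,
            0, 0, r.key.protocol, r.key.tos,  # pad1, tcp_flags, prot, tos
            0, 0, 0, 0, 0)                  # src_as, dst_as, masks, pad2
        for r in records)
    return header + body


def parse_v5_datagram(data: bytes) -> List[FlowRecord]:
    """Collector side: decode a v5 datagram, refusing malformed input.

    Flow exports arrive over plain UDP with no authentication, so the
    collector checks the version and that the advertised record count
    matches the datagram length before reading any record.
    """
    if len(data) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(data, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS or len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        fields = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nexthop, input_if, _output, pkts, octets, _first, _last,
         sport, dport, _pad1, _tcp_flags, proto, tos, *_rest) = fields
        key = FlowKey(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                      sport, dport, tos, input_if)
        records.append(FlowRecord(key, pkts, octets))
    return records


def summarize(records: List[FlowRecord]) -> Dict[FlowKey, Tuple[int, int]]:
    """Aggregate (packets, octets) per seven-field flow key."""
    totals: Dict[FlowKey, Tuple[int, int]] = {}
    for r in records:
        p, o = totals.get(r.key, (0, 0))
        totals[r.key] = (p + r.packets, o + r.octets)
    return totals


def sample_records() -> List[FlowRecord]:
    """Constructed sample: a client->server flow, its reverse, and a second
    report of the first flow (same key, more traffic)."""
    client_to_server = FlowKey("192.0.2.10", "198.51.100.5", 6, 51000, 80, 0, 1)
    server_to_client = FlowKey("198.51.100.5", "192.0.2.10", 6, 80, 51000, 0, 2)
    return [FlowRecord(client_to_server, 10, 1500),
            FlowRecord(server_to_client, 8, 6000),
            FlowRecord(client_to_server, 5, 700)]


if __name__ == "__main__":
    datagram = build_v5_datagram(sample_records())
    for key, (pkts, octets) in summarize(parse_v5_datagram(datagram)).items():
        print(f"{key.src_ip}:{key.src_port} -> {key.dst_ip}:{key.dst_port} "
              f"proto={key.protocol} if={key.input_if} pkts={pkts} bytes={octets}")
```

Note that the two directions of the HTTP conversation appear as two separate keys: NetFlow flows are unidirectional, which is why the reverse direction is counted on a different input interface. The length check in parse_v5_datagram is the kind of validation any collector exposed on a UDP port should perform, since anything able to reach that port can send it datagrams.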

Even though ntop alone has similar capabilities for monitoring, analyzing, and producing visual reports to those one could derive from a NetFlow probe, there are circumstances where implementing NetFlow makes sense. The following list points out some reasons why one might need to use NetFlow rather than ntop alone:

  • Lack of a means to get access to network traffic (passive network tap) for ntop packet capture.

  • A passive network tap could introduce a single point of failure in a high availability network design.

  • Networking gear may not support port mirroring, which provides access to all network packets on a particular port.

  • The system running ntop has only one network interface (i.e., eth0), and the internet side of the firewall (dirty side) needs to be monitored for all traffic entering and leaving the network.

  • You want to set up a distributed enterprise NetFlow design with a federation of NetFlow probes feeding back to a centralized ntop collector.