Monday, August 11, 2014

Network Monitoring with ntopng under CentOS 7.0



I wanted to check the network flows on my CentOS 7.0 system and was initially drawn to this article:


http://www.binarytides.com/linux-commands-monitor-network/

However, I soon found that many of the install instructions were not working so well (nethogs for example), so instead I chose ntopng (ntop for the new generation). Here is how to install it:


Install C compiler
yum group install "Development Tools"

Add in EPEL repository
# turn on EPEL
wget http://dl.fedoraproject.org/pub/epel/beta/7/x86_64/epel-release-7-0.2.noarch.rpm

rpm -ivh epel-release-7-0.2.noarch.rpm


# check
yum repolist
repo id      repo name       status
base/7/x86_64    CentOS-7 - Base     8,465
*epel/x86_64     Extra Packages for Enterprise Linux 7 - x86_64      5,492
extras/7/x86_64      CentOS-7 - Extras      30
google-chrome    google-chrome       3
updates/7/x86_64     CentOS-7 - Updates    551



Install redis
yum install redis
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.switch.ch
 * epel: mirror.switch.ch
 * extras: mirror.switch.ch
 * updates: mirror.switch.ch
Resolving Dependencies
--> Running transaction check
---> Package redis.x86_64 0:2.8.13-3.el7 will be installed
--> Processing Dependency: libjemalloc.so.1()(64bit) for package: redis-2.8.13-3.el7.x86_64
--> Running transaction check
---> Package jemalloc.x86_64 0:3.6.0-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved


===============================================================================================================================================

 Package                           Arch                            Version                                 Repository                     Size
===============================================================================================================================================
Installing:
 redis                             x86_64                          2.8.13-3.el7                            epel                          403 k
Installing for dependencies:
 jemalloc                          x86_64                          3.6.0-1.el7                             epel                          105 k

Transaction Summary

===============================================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 507 k


Installed size: 1.3 M

systemctl enable redis.service
systemctl start redis.service

systemctl --all | grep redis
redis.service                                                                                                  loaded active   running   Redis persistent key-value database

ntopng compilation and installation
cd /root
yum install -y subversion autoconf automake make gcc libpcap-devel libxml2-devel sqlite-devel libtool glib2-devel gcc-c++
svn co https://svn.ntop.org/svn/ntop/trunk/ntopng
cd /root/ntopng
./autogen.sh 
./configure
make
cp -p ntopng /usr/bin


Change user admin password

echo -n fatboy | md5sum
1f519e089fc11e3fe61fb424f76ca133  -

redis-cli ping
PONG
redis-cli SET user.admin.password 1f519e089fc11e3fe61fb424f76ca133
OK
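The password step above stores the hex MD5 digest of the password under the redis key user.admin.password, which is what ntopng checks at login. Below is an added shell script (my example, not code from the post or from the ntopng project) that does the same thing but reads the password from a prompt with terminal echo off, so it does not end up in the shell history the way `echo -n fatboy | md5sum` does, and reads the key back from redis to confirm the write. It assumes redis-cli and md5sum are on the PATH and that redis is listening on its default 127.0.0.1:6379.

```shell
#!/bin/sh
# Set (or rotate) the ntopng "admin" password in redis.
# ntopng 1.x keeps the admin credential as the hex MD5 of the password
# under the redis key user.admin.password (the key the post sets by hand).
# Reading the password from a prompt keeps it out of ~/.bash_history and
# out of the argv of any external process.

# Hex MD5 of $1 with no trailing newline hashed (same result as echo -n | md5sum).
ntopng_password_hash() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# True if the candidate password $2 hashes to the stored value $1.
password_matches() {
    [ "$(ntopng_password_hash "$2")" = "$1" ]
}

# Reject obviously weak input before anything is written (minimum length is my choice).
password_acceptable() {
    [ "${#1}" -ge 8 ]
}

# Read a password from the terminal with echo turned off; prints it to stdout.
read_password() {
    printf 'New ntopng admin password: ' >&2
    stty -echo
    read -r pw
    stty echo
    printf '\n' >&2
    printf '%s' "$pw"
}

# Write the hash to redis and confirm by reading it back.
set_admin_password() {
    hash=$(ntopng_password_hash "$1")
    redis-cli SET user.admin.password "$hash" >/dev/null || return 1
    stored=$(redis-cli GET user.admin.password)
    [ "$stored" = "$hash" ]
}

# Only talk to redis when explicitly asked: sh set-ntopng-admin.sh --apply
if [ "${1:-}" = "--apply" ]; then
    [ "$(redis-cli ping 2>/dev/null)" = "PONG" ] || { echo "redis not reachable" >&2; exit 1; }
    pw=$(read_password)
    password_acceptable "$pw" || { echo "password too short (min 8)" >&2; exit 1; }
    set_admin_password "$pw" && echo "admin password updated"
fi
```

Run it as root with `--apply` after redis is up; without the flag it only defines the functions, which is handy for checking an existing hash with `password_matches`.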


Start ntopng

/usr/bin/ntopng &
08/Aug/2014 20:09:00 [Ntop.cpp:565] Setting local networks to 192.168.1.0/24,0.0.0.0/32,224.0.0.0/8,239.0.0.0/8,255.255.255.255/32,127.0.0.0/8
08/Aug/2014 20:09:00 [Redis.cpp:74] Successfully connected to Redis 127.0.0.1:6379
08/Aug/2014 20:09:02 [PcapInterface.cpp:81] Reading packets from interface eno16777736...
08/Aug/2014 20:09:02 [Ntop.cpp:672] Registered interface eno16777736 [id: 0]
08/Aug/2014 20:09:02 [PcapInterface.cpp:81] Reading packets from interface lo...
08/Aug/2014 20:09:02 [Ntop.cpp:672] Registered interface lo [id: 1]
08/Aug/2014 20:09:02 [Utils.cpp:251] User changed to nobody
08/Aug/2014 20:09:02 [main.cpp:180] PID stored in file /var/tmp/ntopng.pid
08/Aug/2014 20:09:02 [HTTPserver.cpp:351] HTTPS Disabled: missing SSL certificate /root/ntopng/httpdocs/ssl/ntopng-cert.pem
08/Aug/2014 20:09:02 [HTTPserver.cpp:352] Please read https://svn.ntop.org/svn/ntop/trunk/ntopng/README.SSL if you want to enable SSL.
08/Aug/2014 20:09:02 [HTTPserver.cpp:389] Web server dirs [/root/ntopng/httpdocs][/root/ntopng/scripts]
08/Aug/2014 20:09:02 [HTTPserver.cpp:392] HTTP server listening on port 3000
08/Aug/2014 20:09:02 [main.cpp:214] Using RRD version 1.4.8
08/Aug/2014 20:09:02 [main.cpp:230] Working directory: /var/tmp/ntopng
08/Aug/2014 20:09:02 [main.cpp:232] Scripts/HTML pages directory: /root/ntopng
08/Aug/2014 20:09:02 [Ntop.cpp:191] Welcome to ntopng x86_64 v.1.1.99 (r8079) - (C) 1998-14 ntop.org
08/Aug/2014 20:09:02 [PeriodicActivities.cpp:53] Started periodic activities loop...
08/Aug/2014 20:09:02 [RuntimePrefs.cpp:32] Dump alerts into syslog
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface eno16777736...
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface lo...
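The startup output above states several things worth checking after every restart: the web UI came up as plain HTTP on port 3000 because no certificate was found, which interfaces are being captured, and that the process dropped privileges to nobody. Below is an added shell script (my example, not from the post or from ntopng) that pulls those facts out of a saved copy of that output and exits non-zero when the UI is HTTP-only or no privilege drop was logged. The sample lines embedded in it are copied from the log above; it assumes the message formats shown there and that you redirected ntopng's output to a file when starting it.

```shell
#!/bin/sh
# Audit an ntopng startup log for the settings a defender cares about:
# HTTP vs HTTPS for the web UI, the listening port, the captured
# interfaces, and the user the daemon dropped to.
# Sample lines are copied from the startup output in the post.

SAMPLE_LOG='08/Aug/2014 20:09:02 [PcapInterface.cpp:81] Reading packets from interface eno16777736...
08/Aug/2014 20:09:02 [Ntop.cpp:672] Registered interface eno16777736 [id: 0]
08/Aug/2014 20:09:02 [Utils.cpp:251] User changed to nobody
08/Aug/2014 20:09:02 [HTTPserver.cpp:351] HTTPS Disabled: missing SSL certificate /root/ntopng/httpdocs/ssl/ntopng-cert.pem
08/Aug/2014 20:09:02 [HTTPserver.cpp:392] HTTP server listening on port 3000
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface eno16777736...
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface lo...'

# True unless ntopng logged that HTTPS was disabled.
https_enabled() {
    ! printf '%s\n' "$1" | grep -q 'HTTPS Disabled'
}

# Port number from the "HTTP server listening on port N" line.
http_port() {
    printf '%s\n' "$1" | sed -n 's/.*HTTP server listening on port \([0-9]*\).*/\1/p'
}

# Space-separated list of interfaces ntopng started polling.
polled_interfaces() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Started packet polling on interface \(.*\)\.\.\.$/\1/p' \
        | tr '\n' ' ' | sed 's/ $//'
}

# User named in the "User changed to X" line, empty if no drop was logged.
run_as_user() {
    printf '%s\n' "$1" | sed -n 's/.*User changed to \(.*\)$/\1/p'
}

# Number of findings: HTTP-only UI and/or no privilege drop.
audit_findings() {
    n=0
    https_enabled "$1" || n=$((n + 1))
    [ -n "$(run_as_user "$1")" ] || n=$((n + 1))
    echo "$n"
}

# Print a summary; exit status is 0 only when there are no findings.
audit_startup() {
    user=$(run_as_user "$1")
    echo "web UI: port $(http_port "$1"), HTTPS $(https_enabled "$1" && echo enabled || echo DISABLED)"
    echo "capturing on: $(polled_interfaces "$1")"
    echo "running as: ${user:-root (no privilege drop logged)}"
    [ "$(audit_findings "$1")" -eq 0 ]
}

# Usage: sh audit-ntopng.sh /var/tmp/ntopng.log
# (assumes you started it as: /usr/bin/ntopng > /var/tmp/ntopng.log 2>&1 &)
if [ -n "${1:-}" ]; then
    audit_startup "$(cat "$1")"
fi
```

Against the post's own log this reports one finding (the UI is HTTP-only), which is exactly the README.SSL pointer in the log telling you to add a certificate.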


View in a browser on port 3000 and log on
http://127.0.0.1:3000 for a local system
Use the password you just set for admin





Just one operational screen from many


Summary
As UNIX old skool, what I did not want to find was some old command line tool producing bare bones numeric output that I somehow had to laboriously format and turn into a picture.

I want an integrated network analysis tool which graphically shows me what traffic is entering and leaving my CentOS Linux system.

ntopng (ntop new generation) was my first attempt because the initial article I read led to commands that did not install well in my CentOS environment.