Monday, August 11, 2014

Network Monitoring with ntopng under CentOS 7.0

I wanted to check the network flows on my CentOS 7.0 system and was initially drawn to this article.

However, I soon found that many of its install instructions did not work so well (nethogs, for example), so instead I chose ntopng (ntop for the new generation). Here is how to install it:

Install the C compiler and build tools
yum group install "Development Tools"

Add the EPEL repository
# turn on EPEL

rpm -ivh epel-release-7-0.2.noarch.rpm

# check
yum repolist
repo id      repo name       status
base/7/x86_64    CentOS-7 - Base     8,465
*epel/x86_64     Extra Packages for Enterprise Linux 7 - x86_64      5,492
extras/7/x86_64      CentOS-7 - Extras      30
google-chrome    google-chrome       3
updates/7/x86_64     CentOS-7 - Updates    551

Install redis
yum install redis
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base:
 * epel:
 * extras:
 * updates:
Resolving Dependencies
--> Running transaction check
---> Package redis.x86_64 0:2.8.13-3.el7 will be installed
--> Processing Dependency: for package: redis-2.8.13-3.el7.x86_64
--> Running transaction check
---> Package jemalloc.x86_64 0:3.6.0-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved


 Package                           Arch                            Version                                 Repository                     Size
 redis                             x86_64                          2.8.13-3.el7                            epel                          403 k
Installing for dependencies:
 jemalloc                          x86_64                          3.6.0-1.el7                             epel                          105 k

Transaction Summary

Install  1 Package (+1 Dependent package)

Total download size: 507 k

Installed size: 1.3 M

systemctl enable redis.service
systemctl start redis.service

systemctl --all | grep redis
redis.service                                                                                                  loaded active   running   Redis persistent key-value database

ntopng compilation and installation
cd /root
yum install -y subversion autoconf automake make gcc libpcap-devel libxml2-devel sqlite-devel libtool glib2-devel gcc-c++
svn co
cd /root/ntopng
cp -p ntopng /usr/bin

Change the admin user password

echo -n fatboy | md5sum
1f519e089fc11e3fe61fb424f76ca133  -

redis-cli ping
redis-cli SET user.admin.password 1f519e089fc11e3fe61fb424f76ca133

Start ntopng

/usr/bin/ntopng &
08/Aug/2014 20:09:00 [Ntop.cpp:565] Setting local networks to,,,,,
08/Aug/2014 20:09:00 [Redis.cpp:74] Successfully connected to Redis
08/Aug/2014 20:09:02 [PcapInterface.cpp:81] Reading packets from interface eno16777736...
08/Aug/2014 20:09:02 [Ntop.cpp:672] Registered interface eno16777736 [id: 0]
08/Aug/2014 20:09:02 [PcapInterface.cpp:81] Reading packets from interface lo...
08/Aug/2014 20:09:02 [Ntop.cpp:672] Registered interface lo [id: 1]
08/Aug/2014 20:09:02 [Utils.cpp:251] User changed to nobody
08/Aug/2014 20:09:02 [main.cpp:180] PID stored in file /var/tmp/
08/Aug/2014 20:09:02 [HTTPserver.cpp:351] HTTPS Disabled: missing SSL certificate /root/ntopng/httpdocs/ssl/ntopng-cert.pem
08/Aug/2014 20:09:02 [HTTPserver.cpp:352] Please read if you want to enable SSL.
08/Aug/2014 20:09:02 [HTTPserver.cpp:389] Web server dirs [/root/ntopng/httpdocs][/root/ntopng/scripts]
08/Aug/2014 20:09:02 [HTTPserver.cpp:392] HTTP server listening on port 3000
08/Aug/2014 20:09:02 [main.cpp:214] Using RRD version 1.4.8
08/Aug/2014 20:09:02 [main.cpp:230] Working directory: /var/tmp/ntopng
08/Aug/2014 20:09:02 [main.cpp:232] Scripts/HTML pages directory: /root/ntopng
08/Aug/2014 20:09:02 [Ntop.cpp:191] Welcome to ntopng x86_64 v.1.1.99 (r8079) - (C) 1998-14
08/Aug/2014 20:09:02 [PeriodicActivities.cpp:53] Started periodic activities loop...
08/Aug/2014 20:09:02 [RuntimePrefs.cpp:32] Dump alerts into syslog
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface eno16777736...
08/Aug/2014 20:09:02 [NetworkInterface.cpp:800] Started packet polling on interface lo...

View in a browser on port 3000 and log on
http:/ for a local system
Use the password you just set for admin.
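The password step above puts the plaintext on the command line (echo -n fatboy | md5sum), where it lands in shell history and is briefly visible to other users in ps, and ntopng 1.x keeps the result in Redis as an unsalted MD5 hex digest; the startup log also shows the web UI on plain HTTP port 3000 because HTTPS is disabled. The script below is an added example, not from the original post or the ntopng project: it reads the password from the terminal, computes the same digest, stores it under the same Redis key, and reads it back to verify. It assumes redis-cli and md5sum are on PATH and Redis is listening on its default local port.

```shell
#!/bin/sh
# Added example, not part of the original post or of ntopng itself.
# Stores the ntopng 1.x admin password the same way the post does
# (MD5 hex digest under the Redis key user.admin.password) but reads it
# from the terminal so the plaintext never appears on a command line.
# Assumes: redis-cli and md5sum on PATH, Redis on localhost:6379.

NTOPNG_PW_KEY="user.admin.password"

# MD5 hex digest of "$1", byte-for-byte what `echo -n "$1" | md5sum` prints.
ntopng_password_hash() {
    printf '%s' "$1" | md5sum | cut -d ' ' -f 1
}

# Minimal policy check before anything is written: at least 8 characters.
ntopng_password_ok() {
    [ "${#1}" -ge 8 ]
}

set_admin_password() {
    # Fail early if Redis is not up; otherwise the SET would just fail later.
    redis-cli ping 2>/dev/null | grep -q '^PONG$' || {
        echo "redis-cli ping failed: is redis.service running?" >&2; return 1; }

    printf 'New ntopng admin password: ' >&2
    stty -echo; read -r pw; stty echo; printf '\n' >&2
    ntopng_password_ok "$pw" || { echo "password too short (min 8)" >&2; return 1; }

    digest=$(ntopng_password_hash "$pw")
    redis-cli SET "$NTOPNG_PW_KEY" "$digest" >/dev/null || return 1

    # Read the key back: catches a wrong Redis instance or a rejected write.
    [ "$(redis-cli GET "$NTOPNG_PW_KEY")" = "$digest" ] || {
        echo "stored value does not match; password NOT changed" >&2; return 1; }
    echo "admin password updated" >&2
}

# Act only when invoked as `sh script.sh set`, so the functions can be
# sourced or tested without prompting for input.
case "${1:-}" in
    set) set_admin_password ;;
esac
```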

Just one operational screen from many

As UNIX old skool, what I did not want to find was some old command line tool producing bare-bones numeric output that I somehow had to laboriously format and turn into a picture.

I want an integrated network analysis tool which graphically shows me what traffic is entering and leaving my CentOS Linux system.

ntopng (ntop new generation) was my first attempt because the initial article I read led to commands that did not install well in my CentOS environment.