How to set up web-based network traffic monitoring system on Linux

Last updated on October 22, 2020 by Dan Nanni

When you are tasked with monitoring network traffic on the local network, you can consider many different options to do it, depending on the scale/traffic of the local network, monitoring platforms/interface, types of backend database, etc.

ntopng is an open-source (GPLv3) network traffic analyzer which provides a web interface for real-time network traffic monitoring. It runs on multiple platforms including Linux and MacOS X. ntopng comes with a simple RMON-like agent with built-in web server capability, and uses Redis-backed key-value server to store time series statistics. You can install ntopng network traffic analyzer on any designated monitoring server connected to your network, and use a web browser to access real-time traffic reports available on the server.

In this tutorial, I will describe how to set up a web-based network traffic monitoring system on Linux by using ntopng.

Features of ntopng

Install ntopng on Linux

The official website offers binary packages for Ubuntu and CentOS. So if you use either platform, you can install these packages.

If you want to build the latest ntopng from its source, follow the instructions below. (Update: these instructions are valid for ntopng 1.0. For ntopng 1.1 and higher, see the note below).

To build ntopng on Debian, Ubuntu or Linux Mint:

$ sudo apt-get install libpcap-dev libglib2.0-dev libgeoip-dev redis-server wget libxml2-dev
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

In the above steps, make geoip will automatically download a free version of GeoIP databases with wget from maxmind.com. So make sure that your system is connected to the network.

To build ntopng on Fedora:

$ sudo yum install libpcap-devel glib2-devel GeoIP-devel libxml2-devel libxml2-devel redis wget
$ tar xzf ntopng-1.0.tar.gz -C ~
$ cd ~/ntopng-1.0/
$ ./configure
$ make geoip
$ make

To install ntopng on CentOS or RHEL, first enable EPEL repository, and then follow the same instructions as in Fedora above.

Building ntopng 1.1 and higher:

For ntopng 1.1 and higher, GeoIP data files are available as a separate package file (e.g., ntopng-data-1.1_6932.tgz for ntopngp 1.1). Thus it is no longer necessary to make geoip. Simply copy the GeoIP files over to your system manually.

$ tar xvfvz ntopng-data-1.1_6932.tgz
$ cd ntopng-data-1.1_6932
$ sudo cp -r ./usr/* /usr

The ntopng 1.1 package includes pre-built .o blobs for third party tools, probably by accident, which will cause you trouble when building ntopng yourself. Thus you will need to clean them before building ntopng.

$ tar xvfvz ntopng-1.1_6932.tgz
$ cd ntopng-1.1_6932
$ ./configure
$ make clean

That still does not clean up all the third-party tools properly. So manually run "make clean" in the following directories before building it.

Configure ntopng on Linux

After building ntopng, create a configuration directory for ntopng, and prepare default configuration files as follows. I assume that 192.168.1.0/24 is the CIDR address prefix of your local network.

$ sudo mkir /etc/ntopng -p
$ sudo -e /etc/ntopng/ntopng.start
--local-networks "192.168.1.0/24"
--interface 1
$ sudo -e /etc/ntopng/ntopng.conf
-G=/var/run/ntopng.pid

Launch ntopng on Linux

Before running ntopng, make sure to first start redis, which is a key-value store for ntopng.

To start ntopng on Debian, Ubuntu or Linux Mint:

$ sudo /etc/init.d/redis-server restart
$ cd ~/ntopng-1.0/
$ sudo ./ntopng

To start ntopng on Fedora, CentOS or RHEL:

$ sudo service redis restart
$ cd ~/ntopng-1.0/
$ sudo ./ntopng

By default, ntopng listens on TCP/3000 port. Verify this is the case using the command below.

$ sudo netstat -nap|grep ntopng
tcp        0      0 0.0.0.0:3000            0.0.0.0:*      LISTEN     29566/ntopng

Monitor Network Traffic in Web-Based Interface

Once ntopng is successfully running, go to http://<ip-address-of-host>:3000 on your web browser to access the web interface of ntopng.

You will see the login screen of ntopng. Use the default username and password: admin/admin to log in.

Here are a few screenshots of ntopng in action.

Real-time visualization of top flows

Live statistics of top hosts, top protocols and top AS numbers

Real time report of active flows with DPI-based automatic application/service discovery

Historic traffic analysis

Support Xmodulo

This website is made possible by minimal ads and your gracious donation via PayPal or credit card

Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.

Xmodulo © 2021 ‒ AboutWrite for UsFeed ‒ Powered by DigitalOcean