It’s no secret that I’m a big fan of the RouterBoard network devices paired with Mikrotik’s RouterOS. I discovered today that these devices offer Cisco NetFlow-compatible statistics gathering which can be directed to a Linux box running ntop. Mikrotik calls it “traffic flow” and it’s much more efficient than setting up a mirrored or spanned port and then using ntop to dump traffic on that interface.
These instructions are for Fedora 15, but they should be pretty similar on most other Linux distributions. Install ntop first:
/etc/ntop.conf so that ntop listens on something other than localhost:
I had to comment out the
sched_yield() option to get ntop to start:
Set an admin password for ntop:
Once you set the password, you may need to press CTRL-C to get back to a prompt in some ntop versions.
Open a web browser and open http://example.com:3000 to access the ntop interface. Roll your mouse over the Plugins menu, then NetFlow, and then click Activate. Roll your mouse over the Plugins menu again, then NetFlow, and then click Configure. Click Add NetFlow Device and fill in the following:
- Type “Mikrotik” in the NetFlow Device section and click Set Interface Name.
- Type 2055 in the Local Collector UDP Port section and click Set Port.
- Type in your router’s IP/netmask in the Virtual NetFlow Interface Network Address section and click Set Interface Address.
Enabling traffic flow on the Mikrotik can be done with just two configuration lines:
Wait about a minute and then try reviewing some of the data in the ntop interface. Depending on the amount of traffic on your network, you might see data in as little as 10-15 seconds.