NTop Memo
I installed ntop (network top) a little while ago, but even though I had done it once before, I remembered embarrassingly little of it, so here is a memo.
NTop Setup
- Set the admin password
# /etc/init.d/ntop --set-admin-password
Wed Jun 9 21:18:52 2010 NOTE: Interface merge enabled by default
Wed Jun 9 21:18:52 2010 Initializing gdbm databases
NOTE: --set-admin-password requested, no password. Did you forget the =?
ntop startup - waiting for user response!
Please enter the password for the admin user:
Please enter the password again:
Wed Jun 9 21:18:59 2010 Admin user password has been set
$
- Start
# /etc/init.d/ntop start
- Check
# ps ax | grep ntop
30114 ?        S<sl   0:00 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file /var/log/ntop/access.log -i eth0 -p /etc/ntop/protocol.list -O /var/log/ntop
30129 pts/1    S<+    0:00 grep ntop
#
# netstat -anp | grep ntop
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      30114/ntop
#
- Once it is up, the Web UI is listening on tcp/3000, so from here on connect with a browser and do everything from there. Note that netstat shows the socket bound to 0.0.0.0 (every interface) and the ps line carries no HTTPS option (ntop's -W), so the admin password set above is sent over plain HTTP: outside a lab, firewall tcp/3000 to the hosts that need it or switch the UI to HTTPS.
- NetFlow settings
[plugin] - [NetFlow] - [Activate] - [View/Configure]
[Edit NetFlow Device]
  Flow Collection
    Local Collector UDP Port : 2055 (default)
  Virtual NetFlow Interface Network Address
- With this, ntop receives NetFlow packets on udp/2055. NetFlow v5 is unauthenticated UDP, so anything that can reach this port can feed ntop made-up flows; restrict udp/2055 to the router's export source address with a host firewall. Check:
# netstat -anp | grep ntop
tcp        0      0 0.0.0.0:3000            0.0.0.0:*               LISTEN      30489/ntop
udp        0      0 0.0.0.0:2055            0.0.0.0:*                           30489/ntop
Cisco 1812J Netflow Setup
The "Cisco NetFlowの設定:: ユーザガイド" (Cisco NetFlow configuration user guide) covers this compactly and is easy to read.
- Configuration
ip cef
interface FastEthernet1
 ip route-cache flow
 ip flow ingress
 ip flow egress
ip flow-cache timeout active 1
ip flow-export source FastEthernet1
ip flow-export version 5
ip flow-export destination <server_ip> 2055
- Verify
Router#sh ip flow export
Flow export v5 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Source(1)       192.168.0.1 (FastEthernet1)
    Destination(1)  <server_ip> (2055)
  Version 5 flow records
  533461 flows exported in 41872 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
Router#
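What actually travels from the router to udp/2055 once `ip flow-export version 5` is on, and what the collector side has to check before believing it: the Python below is an added example, not ntop's or Cisco's code. It packs constructed sample flows (addresses, ports and counters are made up) into a NetFlow v5 datagram using the standard v5 header and record layouts, decodes it with the sanity checks an unauthenticated UDP collector needs (version, record count, datagram length), and totals bytes per protocol and destination port, the kind of view the ntop plugin shows. The `Flow` tuple, `summarise` and the sample values are this example's own.

```python
"""Build and decode NetFlow v5 export datagrams (added example, not ntop's code)."""
import socket
import struct
from collections import namedtuple

# v5 header: version, count, sys_uptime(ms), unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval  (24 bytes)
V5_HEADER = struct.Struct(">HHIIIIBBH")
# v5 record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
# last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
# src_mask, dst_mask, pad2  (48 bytes)
V5_RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records

# Example's own flow representation (fields chosen for this demo).
Flow = namedtuple("Flow", "src dst proto sport dport packets octets tcp_flags")
PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def build_v5_datagram(flows, uptime_ms=0, unix_secs=0, sequence=0, engine_id=0):
    """Encode flows the way an exporter set to 'ip flow-export version 5' would."""
    if not 0 < len(flows) <= V5_MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    hdr = V5_HEADER.pack(5, len(flows), uptime_ms, unix_secs, 0, sequence, 0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(f.src), socket.inet_aton(f.dst), b"\0\0\0\0",
            1, 2,                   # input/output SNMP ifIndex (constructed)
            f.packets, f.octets,
            uptime_ms, uptime_ms,   # first/last seen, in sysUptime ms
            f.sport, f.dport, 0, f.tcp_flags, f.proto, 0,
            0, 0, 24, 24, 0)        # AS numbers, prefix masks, pad
        for f in flows)
    return hdr + body


def parse_v5_datagram(data):
    """Decode one datagram, rejecting anything that is not a well-formed v5 export.

    v5 is plain UDP with no authentication, so treat the payload as coming
    from anyone able to reach udp/2055: verify version, record count and
    total length before trusting a single field.
    """
    if len(data) < V5_HEADER.size:
        raise ValueError("short header")
    version, count, _uptime, secs, _nsecs, seq, _etype, eid, _sampling = \
        V5_HEADER.unpack_from(data)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram (version %d)" % version)
    if not 0 < count <= V5_MAX_RECORDS:
        raise ValueError("bad record count %d" % count)
    if len(data) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("length %d does not match %d records" % (len(data), count))
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        (src, dst, _nh, _in, _out, pkts, octets, _first, _last,
         sport, dport, _pad1, flags, proto, _tos, _sas, _das, _sm, _dm, _pad2) = rec
        flows.append(Flow(socket.inet_ntoa(src), socket.inet_ntoa(dst), proto,
                          sport, dport, pkts, octets, flags))
    return {"sequence": seq, "engine_id": eid, "unix_secs": secs, "flows": flows}


def summarise(flows):
    """Bytes per (protocol, destination port), like ntop's per-protocol view."""
    totals = {}
    for f in flows:
        key = (PROTO.get(f.proto, str(f.proto)), f.dport)
        totals[key] = totals.get(key, 0) + f.octets
    return totals


# Constructed sample: two flows as a router at 192.168.0.1 might export.
SAMPLE_FLOWS = [
    Flow("192.168.0.10", "93.184.216.34", 6, 51234, 80, 12, 5400, 0x1b),
    Flow("192.168.0.10", "192.168.0.1", 17, 49152, 53, 1, 64, 0),
]

if __name__ == "__main__":
    dgram = build_v5_datagram(SAMPLE_FLOWS, uptime_ms=60000, unix_secs=1276085932, sequence=100)
    decoded = parse_v5_datagram(dgram)
    print("sequence", decoded["sequence"], "records", len(decoded["flows"]))
    for f in decoded["flows"]:
        print(f)
    print(summarise(decoded["flows"]))
```

The length check is the one that matters in practice: a collector that trusts `count` and reads past the end of a short datagram, or silently ignores trailing bytes, is the easy target for anything spoofing the router's source address, which a v5 collector cannot otherwise distinguish from the real exporter.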
After that it is a matter of browsing around the NTop Web UI. The UI is idiosyncratic and packed with features, though, so it is not very intuitive which path leads where.