ntop

Ntop Container Detail

Getting Started with VNS3 Plugin System

The Ntop Container is deployed to VNS3 as a plugin using the container system.

Please be familiar with the VNS3 Plugin Configuration Guide.

Ntop Container - What does it do?

The Ntop Container runs nProbe and ntopng, with nProbe acting as a collector for netflow data and ntopng providing visualization of flow data.

nProbe configuration is largely irrelevant to users of this container, with the exception of nProbe templates, which can optionally be configured.

You can learn more about ntop and read their documentation at https://www.ntop.org/.

Ntop Container - What does it need?

The Ntop Container requires VNS3 v4 or newer, as well as an external source of netflow data.

There are also optional parameters you can configure either via environment variables when you launch the container, or with a setup script by SSHing into the container.

These parameters are:

  • “flowport”: A UDP port number for flow collection (default is 2055)
  • “localnetworks”: A comma-separated list of CIDRs which should be considered “local” by ntopng (default is 127.0.0.0/8 only)
  • “httpport”: The TCP port on which the ntopng web UI should listen (default is 3000)
  • “template”: An nProbe template (default is “@NTOPNG@”)

If you have a MySQL database to which you’d like ntopng to export flow data, you can also provide the requisite information using these parameters:

  • “sqlhost”: The IP address (or hostname) and port of your MySQL server. Example: “10.5.5.5:1433”
  • “sqldb”: The name of the MySQL database where ntopng will store flow data
  • “sqltbl”: The name of the MySQL table where ntopng will store flow data
  • “sqluser”: The username of the MySQL user ntopng will use
  • “sqlpass”: The password of the MySQL user ntopng will use

Note that while these parameters are optional, if you specify any of them, you must specify all of them in order for the connection to your MySQL server to work. In the case where ntopng cannot connect or cannot write to your MySQL server, ntopng may fail to start. You can correct such a condition by SSHing into the container and using the setup script to correct your configuration. You can learn more about that in the Configuring the Ntop Container section.

Deploying the Ntop Container

Getting the Ntop Container

The Linux-based (Ubuntu 18.04) Ntop Container Image is accessible at the following URL: https://vns3-containers-read-all.s3.amazonaws.com/ntop/ntop.tar.gz

This is a read-only Amazon S3 storage location. Only Cohesive Networks can update or modify files stored in this location.

This URL can be used directly in a VNS3 Controller via the Web UI or API to import the container image for use in that controller. (General screenshot walkthrough and help available in the VNS3 Plugin Configuration Guide.)

Uploading the Container Image to the VNS3 Plugin System

From the Container > Images menu item, choose Upload Image.

Provide a name for the image and a short description if you wish.

Enter the Ntop Container Image file URL:
https://vns3-containers-read-all.s3.amazonaws.com/ntop/ntop.tar.gz

Click Upload.

Allocating a Container from the Image

When the Image has imported it will say Ready in the Status Column.

To launch a container from the image, choose Allocate from the Action menu.

After selecting Allocate from the Actions menu, name your container, provide a description (optional), and enter /usr/bin/supervisord as the Command to start the container.

If you are using VNS3 v4.8.2 or newer, you can provide environment variables to the container to configure it without having to SSH into it. These parameters are discussed in the next section.

You can allow VNS3 to auto-assign a container network IP, but it is recommended that you choose one manually. Note this address for the next step.

Launching the Ntop Container

Ntop Container Environment Variables

As an alternative to SSH configuration using the setup script, environment variables can be used to configure the Ntop Container in VNS3 v4.8.2 and newer. They should be provided as a comma-separated list of key="value" pairs.

Here is an example:

flowport="9876",httpport="8888",localnetworks="10.0.0.0/20,172.31.1.0/24",template="@NTOPNG@"

Those settings will:

  • Configure nProbe to listen for netflow data on UDP port 9876
  • Configure the ntopng Web UI to listen for http connections on TCP port 8888
  • Configure ntopng to consider 10.0.0.0/20 and 172.31.1.0/24 local networks
  • Configure nProbe with the default template: “@NTOPNG@”

As mentioned in the “Ntop Container - What does it need?” section, you may also optionally provide the following set of parameters in order to use a MySQL database server for historical flows:

  • “sqlhost”: The IP address (or hostname) and port of your MySQL server. Example: “10.5.5.5:1433”
  • “sqldb”: The name of the MySQL database where ntopng will store flow data
  • “sqltbl”: The name of the MySQL table where ntopng will store flow data
  • “sqluser”: The username of the MySQL user ntopng will use
  • “sqlpass”: The password of the MySQL user ntopng will use
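
The following pre-flight check is an added example, not part of the Cohesive Networks documentation or the container's setup script. It parses an environment string in the key="value" format shown above (commas inside quotes stay in the value) and applies the all-or-none rule for the MySQL parameters; the function names `parse_env` and `validate`, the port-range check and the CIDR check are assumptions of this example.

```python
import ipaddress
import re

# Parameter names and defaults are taken from the page; the checks are assumptions.
DEFAULTS = {"flowport": "2055", "httpport": "3000",
            "localnetworks": "127.0.0.0/8", "template": "@NTOPNG@"}
SQL_KEYS = {"sqlhost", "sqldb", "sqltbl", "sqluser", "sqlpass"}
# One key="value" pair; only straight double quotes delimit a value.
PAIR = re.compile(r'\s*(\w+)="([^"]*)"\s*(?:,|$)')

def parse_env(text):
    """Split key="value" pairs; commas inside the quotes stay in the value."""
    pairs, pos = {}, 0
    while pos < len(text):
        m = PAIR.match(text, pos)
        if not m:  # e.g. curly quotes pasted from a rendered document
            raise ValueError(f"malformed pair at offset {pos}: {text[pos:pos + 20]!r}")
        if m.group(1) in pairs:
            raise ValueError(f"duplicate key {m.group(1)!r}")
        pairs[m.group(1)] = m.group(2)
        pos = m.end()
    return pairs

def validate(text):
    """Return (effective settings, problems) for an environment string."""
    given = parse_env(text)
    problems = [f"unknown key {k!r}" for k in given
                if k not in DEFAULTS and k not in SQL_KEYS]
    cfg = {**DEFAULTS, **given}
    for key in ("flowport", "httpport"):
        if not (re.fullmatch(r"[0-9]{1,5}", cfg[key]) and 1 <= int(cfg[key]) <= 65535):
            problems.append(f"{key} is not a port number: {cfg[key]!r}")
    for cidr in cfg["localnetworks"].split(","):
        try:
            ipaddress.ip_network(cidr.strip(), strict=False)
        except ValueError as exc:
            problems.append(f"localnetworks: {exc}")
    missing = SQL_KEYS - set(given)
    if missing and missing != SQL_KEYS:  # some, but not all, MySQL settings given
        problems.append("MySQL settings incomplete, missing: " + ", ".join(sorted(missing)))
    return cfg, problems

if __name__ == "__main__":
    # Constructed input: the page's example plus a lone sqlhost.
    sample = ('flowport="9876",httpport="8888",'
              'localnetworks="10.0.0.0/20,172.31.1.0/24",sqlhost="10.5.5.5:1433"')
    settings, problems = validate(sample)
    print(settings["localnetworks"].split(","), problems)
```

Running the check before allocating the container catches an incomplete MySQL block, which the page notes can keep ntopng from starting.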

Ntop Container Firewall Rules

The Ntop Container requires the following firewall rules be added to the VNS3 controller:

Wherever they appear, replace <container_ip>, <flow port>, and <http port> with the appropriate values.

# Port forward TCP 44 to the Ntop container for SSH
PREROUTING_CUST -i eth0 -p tcp --dport 44 -j DNAT --to <container_ip>:22
# Port forward the flow collection port (UDP) and the ntopng web UI port (TCP)
PREROUTING_CUST -p udp --dport <flow port> -j DNAT --to <container_ip>:<flow port>
PREROUTING_CUST -p tcp --dport <http port> -j DNAT --to <container_ip>:<http port>

# Allow traffic to/from the Ntop container
FORWARD_CUST -s <container_ip> -j ACCEPT
FORWARD_CUST -d <container_ip> -j ACCEPT

# SNAT for Ntop container internet access
POSTROUTING_CUST -o eth0 -s <container_ip> -j MASQUERADE

Configuring the Ntop Container

After allocating the container and applying the necessary firewall rules to VNS3, you can SSH into the container on port 44.

The username is container_admin, and the default password is container_admin_123!

We recommend that you change this password immediately: ~$ sudo passwd container_admin

If you did not provide environment variables when you launched the container, or if you want to change the Ntop Container configuration, you can run a simple setup script.

SSH into the container, run ~$ ./setup.sh, and answer the questions as they appear.

The “Ntop Container - What does it need?” section details the information required.

You may leave any field blank to use the default value for that parameter.

After you have answered all questions, the setup script will save the appropriate nProbe and ntopng configurations and restart the services so that the changes take effect.

Using the Ntop Container

Flow data may take some time to appear in the ntopng interface; please be patient.

Normal usage of the Ntop container should be guided by the ntopng documentation: https://www.ntop.org/guides/ntopng/

Feel free to reach out to Cohesive Networks support if you have any questions, issues, comments, or concerns.

Export a Container Image

In the event that your VNS3 controller needs to be replaced or upgraded, having a saved copy of your configured Ntop Container can be helpful. We recommend creating and downloading an image of your container as part of the deployment process:

From the Containers page in the VNS3 web UI, select Action > Save as Image for your new Ntop Container. Once that process is complete, you’ll be brought to the Images page. Select Action > Export on the new image, and provide a name.

Once Exporting is complete, you will have the option to download the image locally.