David Vassallo's Blog

If at first you don't succeed; call it version 1.0

Configuring basic cisco network traffic monitoring with ntop and NetFlow

If you are the admin of a cisco (and sonicwall now in the newer firmware) network, NetFlow is a good and easy way of gathering insight into what exactly is passing through your cisco. Apart from seeing link usage, netflow also allows the admin to see which protocols, ports and hosts are being used. This is much more granular and informative than the simple interface utilization that SNMP offers. this allows for easier troubleshooting such as helping to identify worms, or P2P usage, and so on.

There are several Netflow collectors out there, but my favourite is by far Ntop (http://www.ntop.org/news.php). It’s free, open source and easy to setup. Ntop usually works by listening on an interface, and parsing packet capture files to display the results in a nice graph format. In this particular case, I will disable Ntop listening on an interface and will not feed Ntop any pcap files. I am only interested in setting up Ntop as a netflow receiver and graphing those results.

I installed this on an ubuntu server. The following commands were run as root. First, the obligatory apt-get command to install the program:

# apt-get install ntop

Next, start Ntop in “interfactive” mode. Simply enter ntop at the command line:

# ntop

This is a necessary first step since you will be prompted to enter the admin password. Enter your password of choice, and wait until the output stops scrolling across the screen. There should be no errors. Then, close the ntop program by pressing ctrl+C. This should kill off the process. Next, we run ntop as root, not listening on any of the server’s interfaces, and running a web server on port 8080. Run the command:

# ntop –u root –i none –d –w 8080

A breakdown of the switches:

– u : user

-i : interface to listen on (in our case, “none”, else ntop will listen on eth0 by default)

-w : http webserver listen port

You should now be able to open a browser and browse to http://[your_server_ip]:8080. Once there, on the top menu, select Plugins > Netflow and select “activate”. Next, add a netflow “device”. You will be shown the netflow configuration. The important points here were:

– Local UDP port. I set this to the default 2055. Remember to press the “Set Port” button after!

– Virtual Netflow Interface Network Address. I set this to, since the cisco sits in front of a 10.x.x.x network. Remember to press the “set interface address” button.

– Dump File Path. You will probably need to change this to someplace with a lot of storage. Remember to press the button.

Hit the link to return to plugin or from the Plugins menu, select “all”. You should see a blue “yes” under the “active” column for NetFlow

Last step : from the “Admin” menu select “switch NIC” and choose the netflow device you created earlier

That’s it from the Ntop side of things. Now, on the cisco, as copied from the Ntop FAQs:

To enable netFlow Data Export (NDE) from a Cisco device to an ntop netFlow receiver on port 2055 (default) at address

     ip flow-export destination 2055
     ip flow-export version 5

You may want to designate the source interface, e.g.:

     ip flow-export source Ethernet0

Enable netFlow on each interface to be monitored. netFlow normally only captures data from each incoming packet, so to see traffic in both directions netFlow must be enabled on both the incoming and outgoing interfaces. As an example, for an Internet access router this would mean enabling netFlow on both the internal (e.g. Ethernet) and the external (e.g. ISDN / Frame Relay etc) interfaces:

     interface Ethernet0
     ip route-cache flow
     interface Dialer1
     ip route-cache flow

By default netFlow will only export flow statistics shortly after the flow Terminates or when 30 minutes have elapsed. In many environments, you want ntop to be a bit more up to date. To change the timeout to five minutes:

     ip flow-cache timeout active 5

The following ‘show’ commands are useful for examining netFlow statistics directly on the Cisco box and may assist when setting up ntop:

     show ip flow export
     show ip cache flow
     show ip cache verbose flow


That’s all! A couple of screenshots will follow. Just in case you wonder what the colours mean:

Lower : An algorithm for predicting the values of a time series one time step

into the future

Upper : A measure of deviation between the predicted values and the observed


Anomalia : A mechanism to decide if and when an observed value or sequence of

observed values is ‘too deviant’ from the predicted value(s).

1. Traffic throughput / network load


2. Breakdown by protocol:


5 responses to “Configuring basic cisco network traffic monitoring with ntop and NetFlow

  1. Tal March 7, 2012 at 5:25 pm

    Exactly what I was looking for. Thanks!

  2. geronimo March 6, 2013 at 2:24 pm

    nice! thanks from france :)

  3. Stan March 27, 2013 at 6:41 am

    Great explanation! Thanks.

  4. Pingback: NTOP A Linux Netflow Collector - Temporal Solutions

  5. Lenkin November 7, 2015 at 9:12 am

    Thanks alot. worked well for me.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 250 other followers

%d bloggers like this: