Pandora: Documentation en: Netflow
- 1 Introduction to real time network analysis
- 2 NetFlow network monitoring
- 2.1 Introduction to Netflow
- 2.2 Installation and requirements
- 2.3 Working with NetFlow under Pandora FMS
- 2.4 Filters
- 2.5 Reports
- 2.6 Netflow live view
- 2.7 Network traffic maps
- 2.8 Distributed configuration
- 3 Network monitoring with Pandora NTA
1 Introduction to real time network analysis
Pandora FMS uses two alternative and complementary systems to analyze the network in real time: Pandora NTA and Netflow. Both systems use the same principle: "listening" to the ethernet cable constantly and analyzing the traffic to generate statistics. In both cases, it is necessary to "intercept" network traffic in some way to send it to a probe that analyzes it and sends those results to Pandora FMS.
In order to intercept network traffic and be able to analyze it, it is necessary to have physical access to that network or at least understand its topology, since the network capture point must be the most appropriate one. It is not the same, for example, capturing network traffic on a router or local AP, than all server network traffic just before reaching the outgoing router.
There are two possible ways to capture traffic:
- Reroute traffic from one switch port to another one by means of a port-mirror. Not all network devices allow this (only high/medium range). You may also port-mirror some commercial firewalls. It is the easiest way to intercept traffic and requires no additional hardware. By sending all traffic to a port, that port connects directly to the network analyzer (netflow probe or pandora nta/ntop).
- Capture traffic using a network TAP. A tap is a very simple network device that copies traffic from one port to another in one direction only (it is impossible to interfere with the network). It is a PASSIVE device that cannot be "down" or cause trouble of any kind as it is a hardware driven physical copy of network traffic. It is undetectable. There are TAPs from €12 to €900, but the principle is the same. The tap generates an output for each direction of communication, so you will need a probe that listens in two ports, or just listen to a single address.
If you are going to use Netflow to analyze your network only through Pandora FMS and you have a high end switch or firewall, it will be possible to monitor in a simple way. This is due to the fact that these devices allow to send network flow statistical information directly to Pandora FMS Netflow collector without using an independent probe. Check out the hardware characteristics to find out whether you can enable Netflow and send the flows to an independent Netflow collector (in this case Pandora FMS Netflow collector).
In short, this could be a working scenario to be able to analyze network traffic in real time. It would only be necessary a pair of TAPS of 12€ (or a pair of port-mirrors) and the Pandora FMS OpenSource version:
2 NetFlow network monitoring
2.1 Introduction to Netflow
Pandora FMS version 5 and above are designed to monitor IP traffic by using the NetFlow protocol. This protocol allows to review the traffic's most useful patterns and general data.
'NetFlow' is a network protocol, developed by Cisco Systems to collect IP traffic information. It has become an industrial standard for network traffic monitoring and is currently supported by several platforms besides Cisco IOS and NXOS like Juniper devices, Enterasys Switches and operating systems like Linux, FreeBSD, NetBSD and OpenBSD.
There is an article about Netflow on our blog, go check it out https://blog.pandorafms.org/what-is-netflow/
2.1.1 NetFlow protocol
NetFlow-enabled devices generate "NetFlow records", which consist of small pieces of information which are sent to a central device (NetFlow server or collector), which receives device information (Netflow probes), stores and processes it.
Data is transmitted using the NetFlow protocol based on UDP or SCTP protocols. A NetFlow record is a small packet that contains only statistical information about a connection, not the whole raw data. That means it does not send the traffic payload that goes through the collector, only statistical data.
There are several NetFlow implementations that may differ from the original specification and include additional information, but most of them provide at least the following information. Although Netflow has been described in many ways, Cisco's traditional definition is using a 7-element key, where the flow is defined as one-way sequence of packets that share the following 7 values:
- The source IP address.
- The target IP address.
- The source UDP or TCP port.
- The target UDP or TCP port.
- The IP protocol.
- An interface (SNMP ifIndex)
- The type of service.
In time, some manufacturers have designed similar protocols with different names but for the same purpose:
- Juniper Networks Jflow or cflowd
- 3Com/H3C/HP NetStream
- Huawei NetStream
- Alcatel Lucent Cflowd
- Ericsson Rflow
2.1.2 NetFlow Collector
A NetFlow collector is a device (a PC or a Server), embedded in a network to gather all NetFlow information which is sent by routers and switches.
NetFlow generates and collects that information, but if needs a software that allows to store and analyze said traffic. Pandora FMS uses an specific server for this purpose, that will be started and shut down when Pandora FMS starts. That server's name is nfcapd and it is necessary to install it to be able to use Netflow monitoring.
2.1.3 NetFlow Probe
Probes are usually NetFlow-enabled routers, configured to send information to NetFlow collector (in this case Pandora FMS server with 'nfcapd' daemon running).
There is an step-by-step technical article in our blog about how to create a Netflow probe using a 60€ RaspBerry Pi hardware, take a look at https://blog.pandorafms.org/netflow-probe-using-raspberry/
2.2 Installation and requirements
Pandora FMS uses an open-source tool called 'nfcapd' (that belongs to the nfdump package) to process all NetFlow traffic. This daemon is automatically started by the Pandora FMS Server. This system stores data in binary files at a specific location. Install 'nfcapd' on your system before working with NetFlow in Pandora FMs. 'nfcapd' listens on port 9995/UDP by default, so keep it in mind if you have firewalls to open this port and when configuring Netflow probes.
2.2.1 nfcapd installation
Install nfcapd manually, because Pandora FMS will not install it by default. For more information on how to install it, visit the
Official NFCAPD Project Page.
Pandora FMS uses the directory '/var/spool/pandora/data_in/netflow' by default to process information, so when it is started 'nfcapd' will use that directory. Do not modify it unless you know exactly what you are doing.
In order to test whether 'nfcapd' is properly installed, execute this command to start the process.
nfcapd -l /var/spool/pandora/data_in/netflow -D
If everything works, you should see an output similar to this one:
Add extension: 2 byte input/output interface index Add extension: 4 byte input/output interface index Add extension: 2 byte src/dst AS number Add extension: 4 byte src/dst AS number Add extension: 4 byte output bytes Add extension: 8 byte output bytes Add extension: NSEL Common block Add extension: NSEL xlate ports Add extension: NSEL xlate IPv4 addr Add extension: NSEL xlate IPv6 addr Add extension: NSEL ACL ingress/egress acl ID Add extension: NSEL username Add extension: NSEL max username Add extension: NEL Common block Bound to IPv4 host/IP: any, Port: 9995 Startup. Init IPFIX: Max number of IPFIX tags: 62
Keep in mind that Pandora FMS Console (and more specifically the web server that runs it) must have access to those data. In this example they are located at '/var/spool/pandora/data_in/netflow'.
2.2.2 Probe Installation
If a NetFlow-enabled router is not available, but you use a Linux server to route your traffic, you may install a NetFlow software to work as a probe and sends all NetFlow-related information to the collector.
In Linux, there is a program called 'fprobe' which captures traffic and sends it to a NetFlow Server. You may generate Netflow traffic with it, among all the traffic that goes through its interfaces.
To download the rpm package you may use the following command and then install it:
wget http://repo.iotti.biz/CentOS/7/x86_64/fprobe-1.1-2.el7.lux.x86_64.rpm yum install fprobe-1.1-2.el7.lux.x86_64.rpm
For instance, executing this command, all eth0 interface traffic will be sent to the Netflow collector listening on port 9995 of the IP 192.168.70.185:
/usr/sbin/fprobe -ieth0 -fip 192.168.70.185:9995
Once the traffic has been generated, you may its statistics in the Netflow collector by entering this command:
nfdump -R /home/netflow_data/
It should display similar information to the one shown below.
Aggregated flows 1286 Top 10 flows ordered by packets: Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2011-12-22 20:41:35.697 901.035 TCP 192.168.60.181:50935 -> 192.168.50.2:22 2105 167388 4 2011-12-22 20:41:35.702 900.874 TCP 192.168.50.2:22 -> 192.168.60.181:50935 1275 202984 4 2011-12-22 20:48:15.057 1.347 TCP 220.127.116.11:80 -> 192.168.50.15:40044 496 737160 1 2011-12-22 20:48:14.742 1.790 TCP 18.104.22.168:80 -> 192.168.50.15:60101 409 607356 1 2011-12-22 20:46:02.791 76.616 TCP 192.168.50.15:80 -> 192.168.60.181:40500 370 477945 1 2011-12-22 20:48:15.015 1.389 TCP 192.168.50.15:40044 -> 22.214.171.124:80 363 22496 1 2011-12-22 20:46:02.791 76.616 TCP 192.168.60.181:40500 -> 192.168.50.15:80 303 24309 1 2011-12-22 20:48:14.689 1.843 TCP 192.168.50.15:60101 -> 126.96.36.199:80 255 13083 1 2011-12-22 20:48:14.665 1.249 TCP 188.8.131.52:80 -> 192.168.50.15:38476 227 335812 1 2011-12-22 20:48:21.350 0.713 TCP 184.108.40.206:80 -> 192.168.50.15:47551 224 330191 1 Top 10 flows ordered by bytes: Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows 2011-12-22 20:48:15.057 1.347 TCP 220.127.116.11:80 -> 192.168.50.15:40044 496 737160 1 2011-12-22 20:48:14.742 1.790 TCP 18.104.22.168:80 -> 192.168.50.15:60101 409 607356 1 2011-12-22 20:46:02.791 76.616 TCP 192.168.50.15:80 -> 192.168.60.181:40500 370 477945 1 2011-12-22 20:48:14.665 1.249 TCP 22.214.171.124:80 -> 192.168.50.15:38476 227 335812 1 2011-12-22 20:48:21.350 0.713 TCP 126.96.36.199:80 -> 192.168.50.15:47551 224 330191 1 2011-12-22 20:48:15.313 1.603 TCP 188.8.131.52:80 -> 192.168.50.15:52019 212 313432 1 2011-12-22 20:48:14.996 1.433 TCP 184.108.40.206:80 -> 192.168.50.15:36940 191 281104 1 2011-12-22 20:51:12.325 46.928 TCP 192.168.50.15:80 -> 192.168.60.181:40512 201 245118 1 2011-12-22 20:52:05.935 34.781 TCP 192.168.50.15:80 -> 192.168.60.181:40524 167 211608 1 2011-12-22 20:41:35.702 900.874 TCP 192.168.50.2:22 -> 192.168.60.181:50935 1275 202984 4 Summary: total flows: 1458, total bytes: 5.9 M, total packets: 15421, avg bps: 49574, avg pps: 15, avg bpp: 399 Time window: 2011-12-22 20:40:46 - 2011-12-22 20:57:21 Total flows processed: 1458, Records skipped: 0, Bytes read: 75864 Sys: 0.006s flows/second: 208345.2 Wall: 0.006s flows/second: 221177.2
If your system works properly, the following step is configuring Pandora FMS in order to use this particular configuration.
2.3 Working with NetFlow under Pandora FMS
Pandora FMS works along with Netflow as an auxiliary system, that means it does not store NetFlow data in its database. Pandora FMS shows that information as reports on demand.
Pandora FMS works with NetFlow data by using filters, which are sets of rules that match certain traffic patterns. A rule can be as simple as 'all the traffic from 192.168.70.0/24 network' or a complex 'pcap' filter expression.
Once filters are created, define reports that determine how the information matched by those filters will be displayed (e.g. charts and tables) and the time frame. When defining filters and reports, set that information so that it can be accessed on demand similar to Pandora FMS reports.
Netflow reports appear as "report type" in Pandora FMS custom report section, to be able to add them to Pandora FMS "normal" reports
There is also a real-time console view to analyze the traffic, creating rules on the spot. It can be very useful to investigate problems or temporarily display charts that do not match a specific filter.
First of all, enable NetFlow in order for it to become accessible from the 'Operation' and 'Administration' menus. In the Configuration section (management menu) there is an option for enabling or disabling Netflow globally.
Once activated, a new Netflow configuration option will appear in the setup section.
This section must be correctly configured so that the nfcapd daemon may be started together with the Pandora FMS server:
Data storage path:
The directory where NetFlow data files are stored.
Time interval in seconds for data rotation. The recommended value is '3600'. A wider interval means potentially bigger files, which means less I/O overhead, but it also renders accessing data for a specific time interval slower.
Daemon binary path:
The path to the 'nfcapd' binary.
Nfdump binary path:
The path to the 'nfdump' binary.
Nfexpire binary path:
The path to the 'nfexpire' binary.
Maximum chart resolution:
The maximum number of points displayed by a NetFlow area chart. The higher the resolution, the lower the performance. Values between '50' and '100' are recommended here.
Disable custom live view filters:
Disables defining custom filters from Netflow view (only for previously created filters).
Netflow max. lifespan:
Maximum number of days Netflow data will be stored before being deleted.
Enable IP address name resolution:
Aloows IP resolution to try to retrieve the hostnames form Netflow devices.
Hard drive access speed where Netflow data are stored is usually the key factor for performance limits.
Once NetFlow is configured in the console, restart Pandora FMS Server so that it starts the 'nfcapd' server. This server must be properly installed before trying to run it. Check server logs in case of doubt.
The Netflow server will not appear in Pandora FMS server view mode, since it is not considered a Pandora FMS Server.
You may access the creation and edition of filters by clicking on Ressources > NetFlow Filters. This section contains a list of already created filters which can be modified or deleted.
You may also create a filter directly from the "Netflow live view", saving the active filter as a new one. Netflow filters can be "basic" or "advanced". The difference is that the former have fixed filtering fields (source IP, target IP, source port, target port) and the advanced ones are defined by the expression pcap (standard in filtering expressions for network traffic) and use all kinds of tools.
2.4.1 Filter creation
This would be a basic editing view of a Netflow filter:
- Name: It is recommended for the filter's name to be quite descriptive.
- Group: A user can only create a filter or edit the filter of a group it has access to.
- Filter: There are two types of filters: Basic and advanced. Advanced filters allow using advanced expressions in the same format as 'nfdump'. Basic filters can filter traffic by source and target IP and source or target port. Lists of comma-separated IPs or ports are also accepted here.
- Aggregate by: All traffic data can be grouped by one of the following criteria:
Source IP: It displays the traffic of each IP from a different source.
Target IP: It displays the traffic of each IP with a different target.
Source port: It displays the traffic of each port from a different source.
Target port: It displays the traffic of each port with a different target.
Basic web traffic filter example:
Advanced intranet traffic filter example:
Here are other examples of advanced filters:
- Capture traffic to or from 192.168.0.1:
- Capture traffic to 192.168.0.1:
dst host 192.168.0.1
- Capture traffic from 192.168.0.0/24:
src net 192.168.0.0/24
- Capture HTTP and HTTPS traffic:
(port 80) or (port 443)
- Capture all traffic except DNS:
port not 53
- Capture SSH traffic to 192.168.0.1:
(port 22) and (dst host 192.168.0.1)
Netflow reports are integrated with Pandora FMS reports (see Reports for more information).
To create a report item, choose one of the available netflow report items.
And configure it. The following options are available:
- Type: Item types will be explained below.
- Filter: Netflow filter to use.
- Description: Item description.
- Period: Length of the interval of data to display.
- Resolution: Some reports require samples to be collected every certain period. This parameter is used to define the number of samples. The resolution may be low (6 samples), medium (12 samples), high (24 samples) or ultra-high (30 samples). There are two special values (hourly and daily) so that a fixed value of samples is not collected but one every certain period.
- Max. values: Maximum number of elements for aggregates. For example, if a chart of HTTP traffic is drawn aggregated by source IP address and Max. values is set to 5, only 5 IP addresses will be shown.
There are three types of netflow report items:
- Area chart: An area chart, either aggregated or unaggregated.
- Data table: A text representation of the area chart.
- Netflow summary chart: Summary of traffic for the given period. There are three elements: a table with global information, a pie chart with the most relevant IPs or ports and a table with the same information as the broken down pie chart.
2.6 Netflow live view
This view is used to check captured data history based on different search filters. You may use filters and different ways of information display. It is necessary to define the way to group the displayed information, as well as the way to obtain this information in order to start viewing data.
The way to get the information can be by: Source IP, target IP, source port or target port. If you choose, for example, to show the target IP information, the information ordered by the IP traffic to the target will be shown. The same would apply to finding out network consumption by protocol, choosing by destination port.
The possible display options are the following:
- Area graphs (stacked): show over time (from source date to target date) data evolution. The precision level of the graph in the "Resolution" token must be chosen.
- Summary: It displays a summary table, a pie chart and a table with data for the entire period.
- Detailed: It shows a map of portions that represents IP traffic.
- Data table: It displays a data table with each IP and a number of rows that depends on the chosen resolution.
- Circle graph: It displays an interactive pie chart representing connection pairs between IP and traffic volume.
Filters can be viewed in real time from "Operation > Netflow Live View". This tool allows you to see the changes that are made to a filter and save it once the desired result is obtained. It is also possible to load and modify existing filters.
2.7 Network traffic maps
This is a new feature added in OUM 733 and will be improved in the future. It creates dynamic network maps, based on the traffic between nodes. It shows the relationship (connections) between different addresses, showing the top N connections (by size of data transferred between them).
2.8 Distributed configuration
It is possible to locate the Pandora FMS node that collects Netflow data on a host independent from the console. In environments with a lot of Netflow data it is more than recommended to place it on a server with fast disks and a fast CPU of at least two cores. In order for Pandora FMs console to retrieve Netflow data, it will be necessary to modify the default system configuration, following the steps described below:
- Configure automatic SSH authentication between the user who owns the web daemon and the user with the ability to run nfdump on the collector node.
For its configuration, follow these steps:
Enable the apache user login. In order to do this, modify the line of the apache user in the file /etc/passwd with this configuration :
Create the .ssh directory inside the /var/www directory and give it the correct permissions:
#mkdir /var/www/.ssh #chown apache:apache /var/www/.ssh
Create ssh keys from the apache user and copy them to the server where the Netflow traffic is hosted.
#su apache bash-4.2$ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/var/www/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /var/www/.ssh/id_rsa. Your public key has been saved in /var/www/.ssh/id_rsa.pub. The key fingerprint is: SHA256:vYvl5V00E4faa14zN08ARzGUQ9IfAQJnMzkaqLAGRHI [email protected]<server> The key's randomart image is: +---[RSA 2048]----+ |+oE ...*o=B+.| |.o . . .oo+o++ | | . o . o o o+o| | o . o = +| | . S . . oo.| | . +o| | o . o+=| | + + + +*| | . o . o .| +----[SHA256]-----+ bash-4.2$ ssh-copy-id [email protected]<netflow_server>
Once shared, it must be verified that it is possible to access the server through the apache user without entering a password:
bash-4.2$ ssh [email protected]<netflow_server>
- Create a script in Pandora FMS console that replaces /usr/bin/nfdump with one similar to the following
#!/bin/bash NFDUMP_PARAMS=$(sed 's/(\(.*\))/\"\(\1\)\"/' <<< "[email protected]"); ssh [email protected]<netflow_server> "/usr/bin/nfdump $NFDUMP_PARAMS"
Give the script execution permissions:
chmod 755 /usr/bin/nfdump
Try executing the script like this:
It should return something similar to:
nfdump: Version: 1.6.13
3 Network monitoring with Pandora NTA
Pandora Network Traffic Analyzer (Pandora NTA) is a network traffic analysis tool designed for environments where you do not wish or it is not possible to use Netflow to do a network analysis. It is important to highlight that it offers slightly different features: Netflow shows information (related to ports) that Pandora NTA does not show and Netflow allows a much more advanced real time interface, as well as unique features such as being able to create data modules as a result of advanced filters of PCAP expressions.
As a base for Pandora NTA/NTOP, a fork of the NTOP project (of version licensed as GPL2) is used, besides the Pandora FMS project code itself. It is in charge of collecting data and sending it in XML format to Pandora FMS server. All that code is available in our public repository for anyone who wants it, because it is a 100% open source feature.
Pandora NTA uses one or several network sensors to inspect traffic and generate consumption statistics by source IP and destination IP. It does not generate specific traffic information by port or application, for that more advanced function NetFlow should be used.
Pandora NTA is a simple way to monitor your network at a low level, without investing in specialized hardware or third party tools, and incorporate this information in your existing monitoring platform. Pandora NTA offers:
- Detailed consumption by incoming and outgoing traffic of each local IP of the local network.
- Network failure detection (by generating events).
- Specific reports on network consumption, by source IP.
- A list of target IPs with the most traffic per source IP on the network.
- Reports of local network consumption by origin, dynamic maps and search and filtering options with the accumulated data.
With the individual traffic data of each network equipment, Pandora NTA will be able to generate alerts, TopN reports and use any other Pandora FMS function, since they are saved as agent modules.
3.1 Architecture and functioning
Install the Pandora-NTOP probe in a machine that has access to the LAN network traffic, usually in a Linux server that works as a router or firewall or by redirecting the traffic to a certain port by means of a port-mirror from a switch, firewall or router. Traffic can also be duplicated one-way through TAP, but it will require an specific hardware equipment.
It is important to understand that if Pandora NTA is installed in an ordinary computer, without previously making a port-mirror or connecting a TAP that redirects traffic to that machine, it will not receive all the network traffic, it will only observe the traffic generated by that machine.
Pandora-NTOP will listen to the traffic and will generate data without storing them anywhere (it keeps them in the RAM). Pandora NTA will send the data collected by Pandora-NTOP to Pandora FMS Data Server. You may install as many Pandora NTA as you need, if there are several local networks and several listening points, you may perform a distributed deployment.
Pandora NTA also offers information related to problems in the local network in real time, since it can generate events of three types:
- Invalid mask (Wrong netmask).
- Sending data via port p (Host sent data to zero port).
- Duplicate MAC Address (Duplicated mac).
Event alerts can be created to know in real time, for example, when a duplicate MAC appears in your system. The text strings described above should be used to create an event alert.
A tarball compatible with CentOS 7 is currently available. It is distributed compressed in a tgz, available in Pandora FMS modules library in the Pandora FMS library. To install it unzip it:
tar xvzf pandora_nta.tgz
Then run the installation script inside the uncompressed directory.
cd pandora_nta_tarball ./install_pandora_nta.sh --install
To uninstall Pandora NTA, launch the same script in the following way:
If Pandora FMS version distributed in ISO is installed, it will already be installed in the system, so just activate it (From OUM 733).
To start it, just execute in a CentOS7
systemctl start pandora_nta
The Perl part of Pandora NTA needs some dependencies, besides having a Perl interpreter in the machine where it runs.
Pandora NTA uses external Perl modules. Some of them are part of the Core and others are distributed in the normal installations of the interpreter. This is the list of external modules used:
To find out if a dependency is missing, just run the main script with the -h option, and if an error appears instead of a help window, it means that dependencies are missing. This error also shows which ones are missing and they can be installed with CPAN or directly by downloading the Perl packages from the official repositories of each distribution.
From the binary part of Pandora NTA based on NTOP (Pandora-NTOP), you may obtain the code for its compilation from the public github repository (https://github.com/pandorafms), or use one of the precompiled binaries that are distributed in Pandora FMS module library in (https://pandorafms.com/library). It is distributed by default in the ISO images of Pandora FMS installation from NG 733 onwards.
3.3 Pandora NTA setup
Parameters accepted by command line
-h: Shows help. -f: Path of the configuration file. It is not necessary because the default configuration can be used. The user must have read permissions on the file.
Parameters of the Configuration file pandora_nta.conf
If set to 1, the program is executed in the background (0 by default).
Encoding of XML sent through Tentacle. It will go in the XML header (UTF-8 by default).
Interval in seconds between two Pandora NTA work cycles (300 seconds by default).
File where to dump application logs. It has to have writing permissions on the file and the folder that contains it. If it does not exist, Pandora NTA creates it automatically (by default it overturns it to STDOUT).
The number of consecutive failures that the application can give before it is considered to be a serious error and stops. If it is at 0, it will never stop, no matter how many bugs there are (2 by default).
Maximum time in seconds to send files by Tentacle. If this time is exceeded, Pandora NTA will restart all its state and memory (15 seconds by default).
Level of information dumped by the log. The higher it is, the more information it yields. With 0 nothing is shown, with 3 serious errors are shown, with 5 warnings are shown and with 9 everything is shown. Very high values are not recommended so that it does not consume too much disk (3 by default).
Does not show error messages.
Folder where the application cache file is. It is necessary to write in this file. If it is not created, Pandora NTA creates it. Be careful when changing it, because you can create a new one and duplicate the agents that send information to Pandora FMS, since it does not find their names and would generate new ones (* /tmp/pandorata_cache.json*).
Host to which make Pandora-NTOP web server requests (localhost by default).
Port through which Pandora-NTOP process requests are made (default 3000).
Subnets that are considered local by NTOP. If more than one subnet must be specified, concatenate them with commas (for example ntop_local_subnets 192.168.50.0/24,220.127.116.11/16.
If there is no subnet configured, it will dump information to Pandora FMS from all hosts discovered by NTOP (default option). Please make sure to configure at least one local network.
If it is set to 1 NTOP, it dumps its logs into syslog. Otherwise it does not dump them anywhere (0 by default).
Alias of the auto-monitoring agent. Once the cache file has been created, it cannot be changed since the Data Server does not support changing the alias through XML (pandoraNTA by default).
Host where the Tentacle server that will receive the XML is (by default localhost).
Port where the Tentacle server is listening to receive the XML (default 41121).
Directory where XML is written for the Tentacle client to send them. You must have write permissions. (default /tmp).
3.3.1 Deployment and boot
The pandora_db script deletes NTA connection data from the history. The number of days this information remains in the system can be configured in the "Performance" section of the console configuration.
An agent called Pandora NTA will be created by default (although this behavior can be modified in the configuration of pandora_nta.conf), which will contain the following metrics:
- The state of the NTA system
- The number of IPs discovered by the system.
- Sum of the traffic flow of the whole network (input and output).
- Current transfer rate of the network (input and output).
- Network packets (input and output).
In addition, the system will create an agent for each one of the IPs it finds in the local network (as defined in pandora_nta.conf).
For each managed IP, the same parameters will be monitored:
- Sum of the traffic flow of the whole network (input and output).
- Current network transfer rate (input and output).
- Packages in the network (input and output).
- MAC address associated to the IP.
An NTA-specific report is available when creating reports:
This report shows a top-N of network consumption in the last X days of all IP analyzed by Pandora NTA:
3.6 NTA explorer
Pandora has a view where network data provided by Pandora NTA are viewed in real time. It is a much more flexible view than reports and it is useful to detect network problems with just a few clicks.
This view shows the IPs with the most outgoing or incoming traffic. The top of IPs can be set by number of packets or by number of bytes. In addition, there is the possibility of filtering by a specific IP, to see the IPs to which there is traffic from that specific source.
For example, if there is an IP that sends lots of data and you wish where they are sent to, just click on the filter icon next to the IP and you will see a list and a graph with the addresses that receive data from that IP. That way, detecting the most overloaded pairs on a given date is quite simple.
3.7 NTA usage map
This view allows to display the traffic in a certain time interval under the form of a topological map. Just select a start date and an end date, showing the IPs with the most outgoing or incoming traffic.