Netflow v5 to NTOPNG reporter/converter/hack
This is not stable and was thrown together in one day; use it only for testing.
Please use nProbe for production environments where you actually care about your network metrics
This receives NetFlow v5 packets (from rflow/fprobe/etc.) on port 2055 (default)
and reports them via ZMQ (ZeroMQ) to NTOPNG.
This should support more than one netflow reporter, but YMMV.
- ddwrt router with optware
  - installed fprobe since rflow wasn't available
  - run on router with:
    fprobe -i br0 <netflow2ntopng addr>:2055
- raspberry pi 4 with ntopng (default repo) and this script
  - run this
    python3 netflow2ntopng.py -v info -i ddwrt -z tcp://localhost:5555
  - ntopng
    sudo -u ntopng ntopng -i tcp://localhost:5555 -m <local network cidr>
    (you probably want this as a service)
- run this
At this time, nProbe doesn't seem to support Raspbian 10 (buster) out-of-the-box because of dependency issues. See this. Also, NTOPNG doesn't seem to be able to run on ddwrt (it needs a local interface to sniff traffic).
-h --help Show this help message
-v --verbosity <level> CRITICAL, ERROR, WARNING, INFO, DEBUG
-i --ntop-iface-name <name> Interface name reported to ntop (default: w00t)
-a --ntop-probe-addr <addr> Address of this probe reported to ntop (default: 127.0.0.1)
-z --zmq-bind-addr <zmq addr fmt> ZMQ bind address, example: tcp://10.0.0.0:5555 or tcp://*:5555 (default)
-p --netflow-v5-port <port> NetflowV5 port (default 2055)
-b --netflow-v5-bind <bind addr> NetflowV5 bind address (default 0.0.0.0)
- first 'event' message is treated as corrupted by ntopng
- some netflow v5 fields are ignored (input/output SNMP, SRC_TOS, SRC/DEST AS)
- avg_bps and avg_pps also are weird
- this is not set up to run as a service, but that shouldn't be too hard to support externally
- this doesn't support IPv6? well, netflow v5 doesn't