Integrating ntop with NetFlow


Cisco NetFlow is a technology developed by Cisco that many people use for IP accounting and billing.

A properly configured Cisco router (with NetFlow support) exports traffic information via UDP to an external machine in so-called flows. The external machine collects such flows and aggregates them as needed.

ntop's NetFlow support is provided by the NetFlow plugin, which can act as both a collector and a probe. The NetFlow plugin can be accessed as follows:

  • select the Stats menu (top menu)
  • select the Plugins link from the left menu
  • select the NetFlow plugin

Thanks to the NetFlow plugin, ntop can:

  • export flows (NetFlow version 5) to a collector
  • act as a collector
  • be both a collector and probe at the same time

Flows are generated when:

  • TCP: a connection is terminated
  • UDP/ICMP: as soon as ntop receives a packet

The main difference between ntop and a Cisco router is that a router can be configured to emit a flow packet for a TCP connection that is not yet terminated (expired, in Cisco terminology). This means that for a long-standing connection (e.g. an FTP copy of a large file) ntop sends only one packet containing flow information, at the end of the connection, whereas a router sends periodic packets (e.g. every 15 minutes) that contain partial flow information. Apart from this difference (and the fact that ntop cannot return information about Autonomous Systems, ASs, since it is not a router), ntop acts as a software-based NetFlow data exporter, similar to a real network device such as a router.
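As an added example (not part of the original page and not ntop's own code), here is the collector-side decoding of the NetFlow version 5 datagrams discussed above, run over a constructed sample: a single completed TCP flow of the kind a host-based probe emits, with the AS fields set to zero because, as noted, a software probe has no routing table. The byte layout is the standard v5 header (24 bytes) followed by up to 30 records of 48 bytes each; the field names used in the returned dictionaries are my own choice.

```python
import socket
import struct

# Standard NetFlow v5 layouts, big-endian.
V5_HEADER = struct.Struct("!HHIIIIBBH")              # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30

def parse_v5(datagram: bytes) -> list:
    """Decode one NetFlow v5 UDP datagram into a list of flow dicts."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _sys_uptime, _unix_secs, _unix_nsecs, _seq,
     _engine_type, _engine_id, _sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version=%d)" % version)
    # Cross-check the advertised record count against the payload actually
    # received, so a truncated or malformed packet is rejected rather than
    # partially decoded.
    if count > V5_MAX_RECORDS or len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "duration_ms": f[8] - f[7],          # Last - First (sysUptime ms)
            "sport": f[9], "dport": f[10],
            "tcp_flags": f[12], "proto": f[13],
            "src_as": f[15], "dst_as": f[16],    # zero from a host-based probe
        })
    return flows

def build_sample() -> bytes:
    """Constructed datagram: one finished FTP control connection, exported
    once at connection end (ntop's behaviour for TCP), AS fields zero."""
    header = V5_HEADER.pack(5, 1, 900000, 1700000000, 0, 1, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
        b"\0\0\0\0", 0, 0, 1200, 1500000, 300000, 890000, 49152, 21,
        0, 0x1B, 6, 0, 0, 0, 24, 24, 0)   # flags SYN|PSH|ACK|FIN, proto TCP
    return header + record

if __name__ == "__main__":
    for flow in parse_v5(build_sample()):
        print(flow)
```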

Finally, if you need a slim, easy-to-embed, performant, resource-savvy software NetFlow probe that you can use with ntop, you should give nProbe a try.

Have fun with ntop and NetFlow!
