Raspberry Pi Network Traffic Monitoring

Posted by Greg Stephens on September 04, 2017 · 1 min read

This post documents the process of setting up network traffic monitoring with a Raspberry Pi using ntopng as well as configuring an OpenWRT router to mirror packets to the Pi.

Install ntopng & nprobe

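Run the following commands as root on your Raspberry Pi to install ntopng and nprobe. The first command expects the ntop repository signing key to already be saved as ntop.key in the current directory: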

apt-key add ntop.key
echo "deb http://apt.ntop.org/jessie_pi armhf/" > /etc/apt/sources.list.d/ntop.list
echo "deb http://apt.ntop.org/jessie_pi all/" >> /etc/apt/sources.list.d/ntop.list
apt-get update
apt-get install ntopng nprobe

Test ntopng & nprobe

Execute the following commands in separate sessions to confirm that everything is working, replacing ethX with the Pi's capture interface:

ntopng -i tcp://127.0.0.1:5556
nprobe --zmq "tcp://*:5556" -i ethX -n none -b 2

Browse to your Pi at port 3000 to log in to ntopng:

http://pi:3000/

You should start seeing packet statistics, but only for traffic that the Pi itself can see. To see everything happening on the network, all packets need to be mirrored to the Pi.

Mirror Packets to the Raspberry Pi

I'm using an OpenWRT router. To mirror packets to the Raspberry Pi, I used these instructions. They amount to adding TEE rules to the iptables mangle table so that the router sends a copy of each packet to the ntopng host. For example, if the ntop system is at IP 192.168.1.120, you would execute these commands:

opkg install iptables-mod-tee
iptables -t mangle -A PREROUTING  -j TEE --gateway 192.168.1.120
iptables -t mangle -A POSTROUTING -j TEE --gateway 192.168.1.120

To view the mangle table, enter the command:

iptables -vL -t mangle
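
Because a TEE rule copies traffic to whatever address it names, it is worth checking the table mechanically rather than by eye. The following is an added example, not part of the original post: it reads `iptables -t mangle -S` output and confirms that both chains mirror to the expected collector and that no TEE rule points anywhere else. The function name check_tee_rules and the two sample rule listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit TEE mirror rules in the mangle table.
# Live use on the router:
#   iptables -t mangle -S | check_tee_rules 192.168.1.120
# Prints one line per finding. Returns 0 only if PREROUTING and POSTROUTING
# both mirror to the expected collector and no TEE rule targets another host.
check_tee_rules() {
    expected="$1"
    awk -v want="$expected" '
        BEGIN { bad = 0 }
        $1 == "-A" {
            chain = $2; gw = ""; tee = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-j" && $(i + 1) == "TEE") tee = 1
                if ($i == "--gateway") gw = $(i + 1)
            }
            if (!tee) next                      # not a mirror rule
            if (gw == want) seen[chain] = 1     # mirrors to our collector
            else { printf "UNEXPECTED %s -> %s\n", chain, gw; bad = 1 }
        }
        END {
            if (!seen["PREROUTING"])  { print "MISSING PREROUTING";  bad = 1 }
            if (!seen["POSTROUTING"]) { print "MISSING POSTROUTING"; bad = 1 }
            if (!bad) print "OK"
            exit bad
        }'
}

# Constructed sample listings (not captured from a real router).
SAMPLE_GOOD='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j TEE --gateway 192.168.1.120
-A POSTROUTING -j TEE --gateway 192.168.1.120'

# Same table, but one chain copies traffic to a different host.
SAMPLE_BAD='-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-A PREROUTING -j TEE --gateway 192.168.1.120
-A POSTROUTING -j TEE --gateway 192.168.1.77'

echo "good table:"; printf '%s\n' "$SAMPLE_GOOD" | check_tee_rules 192.168.1.120 || true
echo "bad table:";  printf '%s\n' "$SAMPLE_BAD"  | check_tee_rules 192.168.1.120 || true
```

A non-zero exit status makes the function usable from a cron job or a boot script that should alert when the mirror rules are missing or have been changed.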