netflow agent (fprobe)

Discussion in 'Tomato Firmware' started by patsissons, Feb 9, 2009.

    I am guessing this has probably been discussed before, but in case it hasn't, what is the status of netflow (rflow) support in future versions of tomato? As far as I am concerned, this is the only feature missing from the already impressive product. When combined with ntop, netflow allows you to monitor all router traffic at very detailed levels (most importantly, on a per-client basis).

    It looks like this could be achieved by using fprobe. fprobe, however, requires the presence of libpcap and libpthread (not included with the vanilla tomato firmware packages). I haven't really looked into building tomato firmware from source, but I'll investigate further in the next few days (as this looks like a relatively easy mod).

    If anyone has any info on this topic or if others have started similar mod projects, please let me know so I can at the very least read up on what the status is.

    If I can get fprobe to compile alongside the rest of the firmware (as well as libpcap and libpthread), then essentially, netflow should work in tomato. I believe this is basically what dd-wrt and open-wrt do for netflow support (but I could be wrong). With netflow support in tomato, a whole new world of traffic monitoring options opens up.
    Nice, dude! I'll give this a go after work today. Should be able to just pop this on a samba share and run it via ssh.
    It occurs to me that the ulog build is useless without a ULOG target ;), so I figured I'd offer one. Includes 1.23 with full SpeedMod, the ROUTE/tee target, and the ULOG target:


    ND ("classic" ND from Tomato, not the latest ND patch from Victek):

    Obviously, you will need to "insmod ipt_ULOG" prior to using it, and I'd recommend (at minimum):

    iptables -A INPUT -j ULOG
    iptables -A OUTPUT -j ULOG

    for use with fprobe-ulog. Also bear in mind that with either fprobe, setting a reasonable upper memory limit (with -m) isn't just a good idea, it's absolutely required unless you enjoy crashing your router. =)

    Good luck!

    Just a quick update: I gave this a shot (pcap version) and it more or less worked. I say more or less because I am not entirely sure all the traffic is getting logged to the ntop collector. Also, my ntop seemed to be seg-faulting when trying to view some pages.

    Quick run down:
    * grab the pcap binary and put it on a samba share (make sure it is executable, chmod +x)
    * mount the samba share to cifs1 or cifs2
    * ssh into the router
    * run /cifs1/fprobe -m 2048 -i br0 <ntop ip>:2055 (ntop ip is the ip of the machine running ntop)
    * br0 is the most likely interface to use (as it bridges wan and lan traffic)
    * 2048 allows for up to 2M of ram to be used (should be enough, without killing your router)
    * 2055 is the default port for netflow (I think)
    * -n 7 acts kind of strange in ntop (uses netflow v7, default is v5)

    on your ntop machine:
    * sudo ntop -i none
    * browse to http://localhost:3000/
    * enable the netflow plugin
    * set the port to 2055
    * set the virtual interface to be your subnet (i.e.
    * rrd plugin must be active for graphs
    * some pages are empty (blank, no html). These pages are the result of a segfault (check your syslog or dmesg), I don't know why
    * -i none tells ntop not to use any of your local interfaces

    ulog should have better performance, but I don't want to flash my router just yet (it's not my router, it is the household router). I will likely flash my own router in the next few days and test out ulog.
    rhester72, site seems to be down :(
    Can you, please, upload fprobe-1.1a.tar.gz to any filesharing site (rapidshare)?

    Unfortunately that server is indeed down at the moment - working on it, but it will probably be another week or so before things are fully repaired.

    I don't suppose anyone has this file they'd be willing to email or post somewhere please?
    My site is up and reachable (though sporadic), feel free to mirror.

    hey Rodney,

    I'm happy to put up a mirror, however it seems the files aren't on your server any more? Can you mail them to me please? PM me for email address.

    Sorry about that - I migrated the web server and accidentally left the tomato directory behind. Fixed.

    Thanks for sharing guys. Would this work for any software collector other than ntop?
    Forum newbie here...just like to say a big Thank You to toastman, rhester72, patsissons & kbekus! Since switching to Tomato I've been looking for an rflow equivalent to use with ntop. Grabbed fprobe from kbekus' mirror, followed patsissons' "Quick Rundown" described above, and everything worked perfectly. My ongoing project now is to upgrade all 12 WRT54GL routers in my little rural network to Toastman-7625, which so far has been rock solid in testing.
    Hi kbekus, I tried downloading the files from your server but I'm getting "tar: invalid magic" on fprobe-1.1a.tar.gz and Tomato_1_23ND+SM+ULOG+ROUTE.7z

    I was able to unzip fprobe-ulog, though.

    Could you check the files or let me know of another place to get them from? Thanks!

    EDIT: Nevermind, I had to use the -j option to untar.
    Hi All,

    So does this method work as the rflow feature on DDWRT? I need it since I use it with Sevone to get reports, graphics, etc., and I'm switching to Tomato, shibby's build more likely.

    Please advise.

    Thanks in advance, guys.
