Introducing nProbe v7


After more than three years of work, we are announcing the release of nProbe v7. This is a major evolution of v6, which many of you have used in the past few years. In essence, we have worked hard on improving the application's performance, supporting new protocols (including mobile 3G/LTE network monitoring), adding new information elements and moving towards a more accurate probe. nProbe still exports data in NetFlow/IPFIX, but we have opened it to new ways of handling monitoring data (e.g. using Splunk and ElasticSearch). This is because today it is no longer enough to monitor traffic only up to layer 4, as many probes still do. People want to see what happens at the application level, and to know which processes are doing what (in terms of network traffic, CPU and I/O) and with whom they are talking. For years network monitoring has been perceived as a special problem requiring special solutions. We do not think this is true any longer. nProbe is a data source that can emit data in legacy formats (e.g. IPFIX/NetFlow) or in more “modern” formats, as previously discussed on this blog. ntopng can be used as a web console for nProbe, so that you have a complete probe/collector solution, even though you can still use your favourite flow collector.

The main changes are listed below:

  • Various fixes for improving probe reliability
  • Support for multi-tag VLAN packets
  • Added Layer-7 traffic categorisation (via nDPI)
  • Flow export in JSON format for integration with products such as ElasticSearch and Splunk
  • Implemented de-duplication of IPv4 packets
  • Redesigned hash implementation to improve overall performance
  • Added support for PF_RING clusters and non-commodity adapters
  • Improved flow and packet sampling
  • Support of encapsulations such as GTP (v0, v1, v2), PPP (including multilink), ERF (Endace), PPPoE, ESP, GRE, Mobile IP
  • Added SCTP support
  • Enhanced CPU binding and core affinity
  • Implemented smart UDP fragment handling for reducing fragment processing overhead
  • Added ability to specify a blacklist of IP networks whose flows are discarded
  • Added ability to account layer-2 traffic into flows
  • Implemented ability to dump suspicious packets (e.g. those that cannot be decoded properly) to pcap files
  • Added ability to handle hardware timestamped packets such as those generated by specialised hardware NICs and IXIA devices
  • Replaced FastBit support with MySQL/InfiniDB for dumping flows to a database
  • Improved flow generation capability when using pcap files instead of live capture
  • Added support of microcloud for creating a distributed probe knowledge base
  • Improved application/network latency computation that is now also computed in the middle of a TCP connection and not just at the beginning
  • Major improvements in various plugins such as HTTP, VoIP (SIP, RTP) and DNS
  • Added plugins for decoding GTP-C traffic (v0, v1, v2)
  • Added DHCP, FTP, POP3, IMAP, Oracle, MySQL, whois plugins
  • Added process plugin for monitoring system activities and combining them with network traffic
  • Implemented enhanced VoIP plugins that feature voice quality (pseudo-MOS/R-Factor) measurement
  • Support of Windows x64 (Win32 is now an obsolete platform).
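As an added example of the direction described above (this is not nProbe code or an ntop deliverable), the following Python script sits downstream of the probe and consumes nProbe-style JSON flow records, one object per line: it drops any flow touching a blacklist of IP networks (the feature listed above), tolerates malformed lines rather than aborting the batch, and aggregates the surviving flows per nDPI application name. The record keys (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_SRC_PORT, L4_DST_PORT, PROTOCOL, IN_BYTES, IN_PKTS, L7_PROTO_NAME) follow the NetFlow v9 information element names nProbe uses, but the exact key set, the blacklist and the sample records are assumptions constructed for this example.

```python
"""Consume nProbe-style JSON flow records downstream of the probe.

Added example, not nProbe code. Assumptions: one JSON object per line,
keys follow NetFlow v9 element names (IPV4_SRC_ADDR, IPV4_DST_ADDR,
L4_SRC_PORT, L4_DST_PORT, PROTOCOL, IN_BYTES, IN_PKTS, L7_PROTO_NAME).
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: four flows as JSON lines plus one corrupt line,
# the kind of input a collector must survive.
SAMPLE_FLOWS = """\
{"IPV4_SRC_ADDR":"192.168.1.10","IPV4_DST_ADDR":"93.184.216.34","L4_SRC_PORT":51234,"L4_DST_PORT":80,"PROTOCOL":6,"IN_BYTES":5120,"IN_PKTS":12,"L7_PROTO_NAME":"HTTP"}
{"IPV4_SRC_ADDR":"10.0.0.5","IPV4_DST_ADDR":"10.0.0.53","L4_SRC_PORT":40000,"L4_DST_PORT":53,"PROTOCOL":17,"IN_BYTES":200,"IN_PKTS":2,"L7_PROTO_NAME":"DNS"}
{"IPV4_SRC_ADDR":"192.168.1.11","IPV4_DST_ADDR":"198.51.100.7","L4_SRC_PORT":5060,"L4_DST_PORT":5060,"PROTOCOL":17,"IN_BYTES":900,"IN_PKTS":3,"L7_PROTO_NAME":"SIP"}
{"IPV4_SRC_ADDR":"192.168.1.10","IPV4_DST_ADDR":"203.0.113.9","L4_SRC_PORT":443,"L4_DST_PORT":52000,"PROTOCOL":6,"IN_BYTES":10240,"IN_PKTS":20,"L7_PROTO_NAME":"SSL"}
not json at all
"""

# Networks whose flows we do not want indexed (constructed for the example).
EXAMPLE_BLACKLIST = ["10.0.0.0/8", "203.0.113.0/24"]


def parse_flows(text):
    """Parse one JSON flow record per line; return (records, bad_line_count)."""
    records, bad = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            bad += 1  # never let one malformed record abort the whole batch
            continue
        # A record without both endpoints cannot be filtered, so reject it too.
        if not isinstance(rec, dict) or "IPV4_SRC_ADDR" not in rec or "IPV4_DST_ADDR" not in rec:
            bad += 1
            continue
        records.append(rec)
    return records, bad


def build_blacklist(cidrs):
    """Turn CIDR strings into network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_blacklisted(rec, nets):
    """A flow is discarded if either endpoint falls inside a blacklisted network."""
    for key in ("IPV4_SRC_ADDR", "IPV4_DST_ADDR"):
        try:
            addr = ipaddress.ip_address(rec[key])
        except ValueError:
            return True  # unparsable address: treat as untrusted and drop
        if any(addr in net for net in nets):
            return True
    return False


def summarise_by_l7(records):
    """Aggregate bytes, packets and flow count per nDPI application name."""
    summary = defaultdict(lambda: {"bytes": 0, "pkts": 0, "flows": 0})
    for rec in records:
        name = rec.get("L7_PROTO_NAME", "Unknown")
        summary[name]["bytes"] += int(rec.get("IN_BYTES", 0))
        summary[name]["pkts"] += int(rec.get("IN_PKTS", 0))
        summary[name]["flows"] += 1
    return dict(summary)


def process(text, cidrs):
    """Parse, filter and aggregate; return (summary, dropped_flows, bad_lines)."""
    records, bad = parse_flows(text)
    nets = build_blacklist(cidrs)
    kept = [r for r in records if not is_blacklisted(r, nets)]
    return summarise_by_l7(kept), len(records) - len(kept), bad


if __name__ == "__main__":
    summary, dropped, bad = process(SAMPLE_FLOWS, EXAMPLE_BLACKLIST)
    print(f"dropped {dropped} blacklisted flows, {bad} unparsable lines")
    for name, s in sorted(summary.items()):
        print(f"{name:8s} flows={s['flows']} bytes={s['bytes']} pkts={s['pkts']}")
```

The linear scan over the blacklist is fine for a handful of networks; for thousands of prefixes at probe speeds a prefix trie or a radix tree is the usual replacement, which is also why the probe itself, rather than the collector, is the better place to apply such a blacklist.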

In the coming days we will introduce in detail some major features of this new release, such as the process plugin (which inspects application traffic in detail) and the VoIP analysis plugins that report on voice quality.

nProbe is available in both binary (for selected platforms such as Windows x64 and CentOS/Ubuntu server) and source form. Plugins are available only in binary form, and we will evaluate the release of their source code case by case (e.g. for research institutions).


Enjoy!