nProbe™ Cento

A 1/10/40/100 Gbit NetFlow/IPFIX Probe, Traffic Classifier, and Packet Shunter


nProbe™ Cento is a high-speed NetFlow probe able to keep up with 1/10/100 Gbit. It is not just a fast NetFlow probe: it has been designed as the first component of a modular monitoring system. Besides capturing ingress packets and computing flow data, it can classify traffic via DPI (Deep Packet Inspection) and perform optional actions on selected packets/flows when used as a traffic forwarder in combination with other applications such as IPS/IDS, traffic recorders, etc.

Features

  • NetFlow v5/v9/IPFIX support
  • Flow export to JSON, Text, Kafka, Syslog, ntopng
  • IPv4 and IPv6 support
  • Native PF_RING and PF_RING ZC support for high-speed packet processing
  • Support of Accolade, Intel, Myricom, and Napatech NICs
  • Scalable, multithreaded design: ingress traffic can be load balanced across multiple streams on multi-core architectures
  • Layer-7 application visibility using nDPI (Deep Packet Inspection) or micro-nDPI (a lightweight DPI library supporting the most important protocols such as HTTP/HTTPS/DNS) for improved performance
  • Flow-based Load Balancing to IDS/IPS (Snort, Bro, Suricata)
  • Traffic filtering based on protocols to reduce the load on the IDS
  • Feedback channel for traffic filtering/shunting from an IPS: “forward this flow”, “drop this flow”, “divert this flow through the IPS”
  • Traffic filtering and slicing to save storage space by removing meaningless data when forwarding traffic to a packet-to-disk application such as n2disk

 

Use Cases

nProbe™ Cento can be used in multiple configurations. Following is a non-exhaustive list of possible use cases.

Probe and Flow Exporter

cento -i zc:eth1 --v9 192.168.1.200:2055
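
A collector-side sanity check for the export above, as an added example (not ntop code): it parses the NetFlow v9 header and FlowSets as laid out in RFC 3954 and uses the header sequence number to count export packets lost between probe and collector. The function names and the sample packet are constructed for illustration, and templates are cached by template ID only (a real collector also keys them by exporter and source ID).

```python
import struct

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id

def parse_templates(body):
    """Template FlowSet body -> {template_id: [(field_type, field_len), ...]}."""
    templates, off = {}, 0
    while off + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, off)
        if tid < 256:                      # trailing padding, not a template
            break
        end = off + 4 + 4 * nfields
        if end > len(body):
            raise ValueError("truncated template record")
        templates[tid] = [struct.unpack_from("!HH", body, p) for p in range(off + 4, end, 4)]
        off = end
    return templates

def parse_v9(datagram, templates):
    """Parse one export packet; returns (sequence, source_id, data_record_count)."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than NetFlow v9 header")
    version, _count, _uptime, _secs, seq, source_id = HEADER.unpack_from(datagram)
    if version != 9:
        raise ValueError(f"unexpected version {version}")
    off, records = HEADER.size, 0
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("FlowSet length runs past datagram")
        body = datagram[off + 4:off + fs_len]
        if fs_id == 0:                     # Template FlowSet
            templates.update(parse_templates(body))
        elif fs_id >= 256 and fs_id in templates:
            rec_len = sum(length for _type, length in templates[fs_id])
            if rec_len:
                records += len(body) // rec_len   # remainder is padding
        off += fs_len
    return seq, source_id, records

def lost_packets(last_seq, seq):
    """Export packets missing between two consecutive v9 sequence numbers."""
    return (seq - last_seq - 1) % 2**32

def sample_packet(seq):
    """Constructed packet: template 256 (IPv4 src, IPv4 dst, bytes) plus one data record."""
    tmpl = struct.pack("!HH", 0, 20) + struct.pack("!8H", 256, 3, 8, 4, 12, 4, 1, 4)
    data = struct.pack("!HH", 256, 16) + bytes([192, 168, 1, 10, 192, 168, 1, 20]) + struct.pack("!I", 1500)
    return HEADER.pack(9, 2, 1000, 1466442000, seq, 0) + tmpl + data
```

Feeding each UDP datagram received on the collector port through `parse_v9` and comparing consecutive sequence numbers per source ID gives an independent measure of export loss.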


Probe and ntopng Data Source

cento -i eth0 --zmq tcp://192.168.1.2:5556
ntopng --zmq-collector-mode -i tcp://192.168.1.2:5556


Full-Duplex network TAP Aggregator and Flow Exporter

cento -i eth1,eth2 --v9 192.168.1.200:2055


Probe and Traffic Recording with Layer-7 Indexing

cento-ids -i zc:eth1 --aggregated-egress-queue --egress-conf egress.example --dpi-level 2 -v 4
n2disk -i zc:10@0 -o /storage --index --index-version 2 --timeline-dir /storage

npcapextract -f "host 192.168.2.222 and l7proto HTTP" -t /storage/ -b "2016-06-20 17:00:00" -e "2016-06-20 17:15:00" -o output.pcap

Probe and Traffic Balancer for IDS with Layer-7 Shunting/Filtering

cento-ids -i zc:eth1 --v9 127.0.0.1:1234 --balanced-egress-queues 2 --egress-conf egress.conf
cat egress.conf
[egress.balanced.protocol]
SSL = shunt
YouTube = discard

suricata --pfring-int=zc:10@0 --pfring-int=zc:10@1 -c /etc/suricata/suricata.yaml --runmode=workers


Probe and Inline Traffic Bridge with Layer-7 Filtering

cento-bridge -i zc:eth1,zc:eth2 --bridge-conf bridge.example --banned-hosts banned.example --dpi-level 2


Performance

nProbe™ Cento has been designed to keep up with 1/10/100 Gigabit speeds on commodity hardware. On adequate hardware nProbe™ Cento is able to process 10 Gbit per physical core, and to scale almost linearly in the number of cores (as long as there is enough memory bandwidth available) as shown in the picture below.

[Figure: Cento scalability]

In order to process 100 Gbit it is possible to load-balance the traffic across multiple cores using RSS-like techniques usually available on Intel cards or specialised packet-capture cards.

[Figure: Cento RSS load balancing]

The picture below shows the result of a performance test using a 100 Gbit Napatech card configured with 26 streams. The total sustained processed rate was 132 Mpps with 70-byte packets (0 drops). The configuration used for the test:

  • nProbe™ Cento (native PF_RING support)
  • CentOS 6.x x64
  • PF_RING 6.3.X
  • 2 x CPU Intel E5 v3
  • Napatech 100 Gbit card
  • 500K rotating IP addresses
  • Generation of 25 million flows/minute
  • No flow storage on DB or disk, just forwarding (in NFv9 format) to a collector

For the latest news about nProbe™ Cento, please read the ntop blog.

License

nProbe™ Cento is distributed under the EULA and requires a license per system. Licenses are available in various flavours depending on the number and speed of network interfaces Cento can handle per system.

 

Max Concurrent Ports   Cento S   Cento M     Cento L     Cento XL    Cento XXL
1 Gbit                 2         Unlimited   Unlimited   Unlimited   Unlimited
10 Gbit                -         2           Unlimited   Unlimited   Unlimited
40 Gbit                -         -           2           Unlimited   Unlimited
100 Gbit               -         -           -           2           Unlimited

 

Get It

nProbe™ Cento is available in beta, in binary format, as part of the nProbe package (nightly builds). Licenses are provided on request (please drop us a mail); you will be able to purchase your copy of nProbe™ Cento online at the ntop e-shop.