2015 has been a year full of activities that allowed us to consolidate our tools and thus provide a better service to the community. In 2016 the plan is the following:
- 100 Gbit
Just as 2015 was the year we added 40 Gbit support to PF_RING, 2016 will be the year of 100 Gbit. We already support the Accolade and Napatech 100 Gbit NICs in PF_RING, but the plan is to make 100 Gbit commodity, so as soon as the new Intel Red Rock Canyon adapters become available (we expect them in January or February at the latest) we will support them in PF_RING. This new adapter is very interesting because it supports various speeds (10/25/40/100 Gbit) and integrates an Ethernet switch that we plan/hope to use to offload some tasks to the adapter instead of using the main CPU. In addition to Intel RRC, we are adding support for other 100 Gbit adapters such as those from Netcope.
- nProbe Cento
As happened years ago when moving from 1 Gbit to 10 Gbit, the 100 Gbit challenge is not just about more speed: it requires a complete redesign of applications. Thanks to innovation in computing and to a mature PF_RING ZC framework, we want to make 100 Gbit and multi-10 Gbit monitoring commodity. For this reason, next week at the FloCon conference we will present a new version of nProbe named cento, which is able to generate flows at 100 Gbit on a standard Intel-based server. This efficiency has allowed us to handle 10 Gbit of traffic (500k concurrent flows with ingress traffic of 14.88 Mpps) on a single CPU core, which means, for instance, that you can do 40 Gbit NetFlow monitoring using a sub-$1000 Intel E3 server.
- Flow monitoring and Security
Last November at the Suricata conference, we demonstrated that PF_RING can successfully accelerate applications such as Suricata, Snort and Bro. As people often want both flow evidence (on 100% of traffic) and an IDS running on selected traffic (e.g. all but encrypted traffic), in cento we have built an engine that does exactly this. This will help IDSs scale to higher speeds (currently they can hardly handle 10 Gbit) while avoiding unnecessary time spent analysing traffic that is of no interest to an IDS (e.g. YouTube or Netflix traffic).
In the current development version of ntopng, we have implemented full Nagios support and nfsen-like filtering (soon we'll add a post about it). This year we want to integrate ntopng with pfSense for classifying traffic that the firewall can then selectively drop, and add traffic categorisation (e.g. dividing traffic into categories such as social network, news, business…) so that we can drop/prioritise traffic based not only on application protocols but also on information content. Another area of interest for most of our users is the ability to classify traffic into categories (e.g. social network, sport, chat, …) and decide which users can access which information; this is particularly interesting for schools and children, so that inappropriate content is blocked. In essence, we want to take the ntopng inline capabilities introduced with v2 to the next level to make this tool even more flexible.
- Affordable Sensors Everywhere
As our users know, one of the main ntop goals has been to make commodity what used to be very expensive. This year we want to combine ntopng/n2disk/nprobe (not all components will be necessary; the minimum is ntopng) to create a simple and user-friendly system able to serve the needs of small networks as well as of a large enterprise. People should be able to permanently monitor their network activities by building themselves a network sensor based on the ntop software. In the current ntopng git development branch you can already see a preview of the pcap-extraction capability integrated with search over flows stored by ntopng in MySQL.
For those attending the FloCon 2016 conference, we will organise an ntop BoF on Wednesday at 5.30PM where we will cover this roadmap in more detail.