Author: admin

ntopng

Securing Flow Collection Using Data Encryption

The NetFlow/IPFIX specifications have not considered privacy and confidentiality important. Exported flows are sent over unencrypted channels, which prevents them from being exchanged on public networks unless techniques such as VPNs are used. Today encryption is no longer an option, and thus we have added encryption support in all our tools when flows are exchanged over ZMQ channels (e.g. when nProbe sends flows to ntopng). In order to use encryption, a private/public keypair needs to be generated on the collector side (i.e. ntopng) and configured on all the probe applications sending …
ntopng

How We Managed to Turn ntopng Into a Cybersecurity Tool

Last year you read how we integrated Suricata support into ntopng. While an IDS is a good source of data, it is just a sensor that has no knowledge of the big network picture, including the network overview, past host/flow history and device type. In essence an IDS is nice to have but it’s not enough. What is necessary is the ability to analyse traffic, learn what is wrong, compare current behaviour with the past, and draw some conclusions (i.e. emit alerts) that …
nDPI

Towards Traffic Behaviour Analysis: Introducing nDPI 3.2

This is to announce the new stable release of nDPI 3.2. The main trend of nDPI is to move from “simple” application protocol detection towards behavioral traffic interpretation. This has been implemented with the integration of modules for detecting attacks (e.g. SQL injections and XSS in HTTP) and behavioral indications on packet length/time/entropy, as well as indicators used for creating simple indicators typical of IDS systems. In essence nDPI is moving from protocol reporting to comprehensive traffic interpretation. nDPI now includes functions for efficiently serialising data in both JSON and binary …
ntop

Call for Talks for NtopConf ’20

Update: Due to the SARS-Covid-19 infection, the conference will be rescheduled once the health situation improves and travelling is safe. Please stay tuned by monitoring our blog as we will organize new interactive seminars and tutorials so that our community can meet virtually. Thank you! This year the annual ntop conference will take place in Milano, Italy on June 9-10, at Università Bocconi, one of the most prestigious universities in Italy. As usual the first day will be used to train people on ntop tools and the second …
nDPI

Effective TLS Fingerprinting Beyond JA3

JA3 is a popular method to fingerprint TLS connections used by many monitoring tools and IDSs. JA3 focuses on encryption options specified during TLS connection setup to fingerprint the encryption library used by the application. So in essence the same JA3 fingerprint will match multiple applications, making JA3 unreliable (when used as a single feature) to fingerprint traffic. There are several JA3 fingerprint databases available on the Internet that you can use to identify (remember, with some degree of uncertainty, thus with false positives) client applications or malware …
ntopng

Towards ntopng v4: New User Interface Featuring Dark Theme

This February we’ll introduce ntopng v4 and we’re starting to write some blog posts to preview the new features. Let’s start with the user interface. Since v1 the UI has always been the same. People however asked us for a more flexible layout where it is possible, for instance, to switch across network interfaces in a breeze. Furthermore the pervasive use of dark themes was also a driving force towards changes. While the UI in 4.2 will integrate new changes we already planned (for instance to switch from realtime to historical …
News

See you at Fosdem 2020

FOSDEM is the leading open source conference in Europe and it will take place this weekend in Brussels, Belgium. As we have developed open source software for 20 years, we believe we have the right to belong to this community. This year we’ll have a stand on Sunday (Building K – Level 2) and also a talk in the Monitoring and Observability room on Sunday. The ntop core team will attend the conference, and it would be great for us to meet our community and hand out some gadgets. We need …
nDPI

Encrypted Traffic Analysis: A Primer

Monitoring encrypted traffic is a must for providing visibility in modern traffic. Due to this we’ve put a lot of energy into extending nDPI so that it could be useful in this context. DPI (deep packet inspection) however is not enough for complete visibility, and thus we have started to add classification techniques and algorithms to nDPI to merge visibility and behavioural analysis. In fact flow-based analysis is not enough to understand what’s happening on a network without having a big picture. And this is what we’re doing in our tools, …
ntop

Important Geolocation Changes in ntop Products

ntop products have been using geolocation databases provided by MaxMind for a long time, to augment network IP addresses with geographical coordinates (cities, countries) and information on the Autonomous Systems. ntop has been freely packaging and redistributing such databases in ntopng-data. Unfortunately, new privacy regulations, such as GDPR and CCPA, place restrictions that impact our ability to continue distributing databases in ntopng-data. The reasons are the same ones that have impacted MaxMind's ability to do the redistribution and are explained in detail at the following page. Hence starting late December 2019, in …
ntopng

Introducing Automatic Package Update in ntopng

One of the most useful features in applications is the ability to update the application with a click, with no need to move to the terminal console: you instruct the system to update the application when a new version is available. We have realised that many of our users have missed this feature in ntopng for a long time, and so we decided to implement it. Currently it is part of the nightly builds, and it will be included in the next stable release. As this feature depends on the …
nDPI

Rethinking Network Flow Visualisation

Traffic monitoring applications often aggregate traffic in flows, which in essence is a way to divide traffic according to a 5-tuple key (Protocol, IP/port source/destination). Flows are then aggregated, for instance according to IP address or protocol, and often represented with timeseries such as the one below. What is missing in all this is how the traffic is distributed over time, as everything is flattened, protocols are merged (for instance according to the source IP address) and it is not possible to understand intra-flow relationships. For instance to see that when I …
nDPI

How to use nDPI from CLI to analyse network traffic

Most people use nDPI indirectly, as it is part of ntopng and many other tools not developed by ntop. However not many people know that nDPI can also be used from the command line to analyse network traffic. This is useful to create scripts to automate detection of specific issues. ndpiReader is a testing tool used to demonstrate the library features as well as to run validation tests. With this tool it is also possible to generate a report in CSV format that can be analysed with tools such as q. Below you can find some …