Author: admin

  • Home
  • Articles by: admin
nDPI

Towards Traffic Behaviour Analysis: Introducing nDPI 3.2
This is to announce the new stable release of nDPI 3.2. The main trend of nDPI is to move from “simple” application protocol detection towards behavioral traffic interpretation. This has been implemented with the integration of modules for detecting attacks (e.g. SQL injections and XSS in HTTP) and behavioral indications on packet length/time/entropy as well indicators used for creating simple indicators typical of IDS systems. In essence nDPI is moving from protocol reporting to comprehensive traffic interpretation. nDPI now includes functions for efficiently serialising data in both JSON and binary …
ntop

Call for Talks for NtopConf ’20
Update Due to SARS-Covid-19 Infection, the conference will be rescheduled once the health situation will improve and travelling will be safe. Please stay tuned by monitoring our blog as we will organize new interactive seminars and tutorials so that our community can meet virtually. Thank you!   This year the annual ntop conference will take place in Milano, Italy on June 9-10, at Università Bocconi, one of the most prestigious university in Italy. As usual the first day will be used to train people on ntop tools and the second …
nDPI

Effective TLS Fingerprinting Beyond JA3
JA3 is a popular method to fingerprint TLS connections used by many monitoring tools and IDSs. JA3 focuses on encryption options specified during TLS connection setup to fingerprint the encryption library used by the application. Image courtesy of Cisco So in essence the same JA3 fingerprint will match multiple applications, making JA3 unreliable (when used as single feature) to fingerprint traffic. There are several JA3 fingerprint databases available on the Internet you can use to identify (remember with some grade of uncertainty, thus with false positives) client applications or malware …
ntopng

Towards ntopng v4: New User Interface Featuring Dark Theme
This February we’ll introduce ntopng v4 and we’re starting to write some blog posts to preview the new features. Let’s start with the user interface. Since v1 the UI has always been the same. People however asked us some more flexible layout where it is possible for instance to switch across network interfaces in a breeze. Furthermore the pervasive use of dark themes was also a driving force towards changes. While the UI in 4.2 will integrate new changes we already planned (for instance to switch from realtime to historical …
News

See you at Fosdem 2020
FOSDEM is the leading open source conference in Europe and it will take place this week-end in Brussels, Belgium. As we have developed open source software since 20 years, we believe we have right to belong to this community. This year we’ll have a stand on Sunday (Building K – Level 2) and also a talk in the Monitoring and Observability room on Sunday. The ntop core team will attend the conference, and it would be great for us to meet our community, and distribute you some gadgets. We need …
nDPI

Encrypted Traffic Analysis: A Primer
Monitoring encrypted traffic is must for providing visibility in modern traffic. Due to this we’ve put a lot of energy in extending nDPI so that it could be useful in this context. DPI (deep packet inspection) however is not enough for complete visibility, and thus we have started to add classification techniques and algorithm to nDPI to merge visibility and behavioural analysis. In fact flow-based analysis is not enough to understand what’s happening on a network without having a big picture. An this is what we’re doing in our tools, …
ntop

Important Geolocation Changes in ntop Products
ntop products have been using geolocation databases provided by MaxMind for a long time, to augment network IP addresses with geographical coordinates (cities, countries) and information on the Autonomous Systems. ntop have been freely packaging and redistributing such databases in ntopng-data. Unfortunately, new privacy regulations, such as GDPR and CCPA, place restrictions that impact our ability to continue distributing  databases in ntopng-data. Reasons are the same that have impacted MaxMind ability to do the redistribution and are explained in detail at the following page. Hence starting late December 2019, in …
ntopng

Introducing Automatic Package Update in ntopng
One of the most useful features in applications, is the ability to Update the application with a matter of click with no need to move to the terminal console. Instruct the system to update the application as a new version is available. We have realised that many of our users missed this feature in ntopng for a long time, and so we decided to implement it. As this feature depends on the operating system, we have decided to implement it for all the Linux distributions (sorry, no Windows support) for …
nDPI

Rethinking Network Flow Visualisation
Traffic monitoring applications often aggregate traffic in flows, that in essence is a way to divide traffic according to a 5-tuple key (Protocol, IP/port source/destination). Flows are then aggregated for instance according to IP address or protocol, and often represented with timeseries as the one below. What is missing in all this is how the traffic is distributed over time as everything is flattened, protocols are merged (for instance according the source IP address) and it is not possible to understand intra-flow relationships. For instance to see that when I …
nDPI

How to use nDPI from CLI to analyse network traffic
Most people use nDPI indirectly being it part of ntopng and many other non-ntop developed tools. However not many people know that nDPI can also be used from the command line to analyse network traffic. This is useful to create scripts to automate detection of specific issues. ndpiReader is a testing tool used to demonstrate the library features as well run validation tests. With this tool is also possible to generate a report in CSV format that can be analysed with tools such as q. Below you can find some …
ntopng

Exploring Physical Network Topologies Using ntopng
ntop tools are known for monitoring network traffic. However this traffic has to flow on physical networks and thus it is important to understand the physical network layout. LLDP (Link Layer Discovery Protocol) is a network protocol used to dynamically build network topologies and identify network device neighbours. In the latest ntopng dev build (that will be merged in the next v4 stable) we have enhanced the SNMP monitoring capabilities with LLDP support. if your SNMP devices have LLDP enabled, ntopng now polls this information and build an adjacency graph …
ntopng

Spotting Plaintext Information in Network Protocols
In short: encryption does not always mean that all the information exchanged is really encrypted. Another myth is that many people believe that the equation “encryption = security” holds. Unfortunately this is not true. This slide deck we presented at Sharkfest Europe 19 shows in practical terms what information is sent in clear text in popular protocol as well what information encrypted TLS traffic reports unencrypted. Enjoy! …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe