Author: Alfredo Cardigliano

ntop

Fixing Packet Deduplication: Introducing nDedup

When it comes to monitoring a busy network, network monitoring tools can become bogged down, or worse, produce misleading information for your analysis, because of a hidden culprit: duplicate packets. Imagine a firehose of data streaming across your network: much of it can be redundant, with identical packets being seen multiple times due to retransmissions or mirroring configurations. As an example, when a SPAN (Switched Port ANalyzer) port is used to mirror both the ingress and egress direction of switch ports, the resulting mirrored traffic might contain up to 50% of …
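To make the problem concrete, here is an added example of hash-based packet deduplication (illustration code written for this page, not nDedup's own implementation). Each frame is hashed from the IPv4 header onward with the TTL and IP header checksum masked, so a copy mirrored on the far side of a router still matches; a copy seen again within a short time window is dropped, while a TCP retransmission, which carries a fresh IP ID and arrives much later, is kept because it is real network behaviour an analyst wants to see. The frames, the 1 ms window and the struct layouts are constructed for the example; untagged Ethernet is assumed.

```python
import hashlib
import socket
import struct
from collections import OrderedDict

ETH_HDR_LEN = 14  # untagged Ethernet assumed (no 802.1Q shift of the IP header)


def dedup_key(frame: bytes) -> bytes:
    """Digest of the frame from the IPv4 header onward.

    TTL and IP header checksum are masked so that the same packet captured
    before and after a router hop (TTL decremented, checksum recomputed)
    hashes to the same key. The Ethernet header is skipped, so differing
    MAC addresses on the two mirrored sides do not matter either.
    """
    ip = bytearray(frame[ETH_HDR_LEN:])
    if len(ip) >= 20 and ip[0] >> 4 == 4:
        ip[8] = 0                # TTL
        ip[10:12] = b"\x00\x00"  # header checksum
    return hashlib.sha256(bytes(ip)).digest()


class Deduplicator:
    """Drops frames whose key was already seen within `window_us` microseconds."""

    def __init__(self, window_us: int = 1000, max_entries: int = 100_000):
        self.window_us = window_us
        self.max_entries = max_entries
        self.seen = OrderedDict()  # key -> timestamp of the first accepted copy
        self.accepted = 0
        self.dropped = 0

    def _expire(self, now_us: int) -> None:
        # Entries are inserted in timestamp order, so the oldest is always first.
        while self.seen:
            _, ts = next(iter(self.seen.items()))
            if now_us - ts <= self.window_us:
                break
            self.seen.popitem(last=False)
        while len(self.seen) > self.max_entries:  # bound memory under a flood
            self.seen.popitem(last=False)

    def process(self, ts_us: int, frame: bytes) -> bool:
        """Return True if the frame should be forwarded, False if it is a duplicate."""
        self._expire(ts_us)
        key = dedup_key(frame)
        if key in self.seen:
            self.dropped += 1
            return False
        self.seen[key] = ts_us
        self.accepted += 1
        return True


def build_frame(src_ip, dst_ip, sport, dport, seq, payload, ttl=64, ip_id=1):
    """Construct a minimal Ethernet/IPv4/TCP frame (sample input for the demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, ttl, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def run_demo():
    """Feed a constructed trace (timestamps in microseconds) through the deduplicator."""
    d = Deduplicator(window_us=1000)
    a = build_frame("10.0.0.1", "10.0.0.2", 40000, 443, 1000, b"GET / HTTP/1.1", ip_id=100)
    a_after_hop = build_frame("10.0.0.1", "10.0.0.2", 40000, 443, 1000, b"GET / HTTP/1.1",
                              ttl=63, ip_id=100)   # same packet mirrored past a router
    a_retx = build_frame("10.0.0.1", "10.0.0.2", 40000, 443, 1000, b"GET / HTTP/1.1",
                         ip_id=101)                 # TCP retransmission: new IP ID
    b = build_frame("10.0.0.2", "10.0.0.1", 443, 40000, 5000, b"HTTP/1.1 200 OK", ip_id=7)
    trace = [(0, a), (5, a), (12, a_after_hop), (300, b), (200_000, a_retx)]
    results = [d.process(ts, f) for ts, f in trace]
    return results, d.accepted, d.dropped  # ([True, False, False, True, True], 3, 2)
```

In production this runs per capture thread with a fixed-size table instead of a growing dictionary, and the window is tuned to the mirroring delay (SPAN copies arrive microseconds apart); a window long enough to swallow genuine retransmissions would hide the very loss an analyst is looking for.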
ntopng

Introducing ntopng Customised Reports

In ntopng 6.0, the Dashboard and Traffic Reports have been completely redesigned and rewritten from scratch with a new, flexible, template-based engine. In a previous webinar we demonstrated how flexible and powerful the new engine is, with the ability to automatically generate periodic reports, and with the promise of releasing a graphical editor for customising it, so that everyone can create their own traffic view on both historical and live traffic data. The graphical editor has been implemented and is available in ntopng 6.1 (and later versions). In this …
cento

HowTo Build a 100 Gbit NetFlow Sensor Using nProbe Cento

When it comes to monitoring a distributed network, to get a picture of the traffic flowing through the uplinks or on critical network segments, NetFlow-like technologies are usually the answer. nProbe Pro/Enterprise and nProbe Cento are software probes that can be used to build versatile sensors able to export flow information in many different formats, including NetFlow v5/v9/IPFIX, Kafka, Elasticsearch, ClickHouse, MySQL, CSV files, etc., all at very high speed. nProbe Pro/Enterprise has been designed for low/mid rates (1/10 Gbps), while nProbe Cento has been designed to …
ntop

Introducing PF_RING 8.6: Runtime Filtering and On Demand IDS at 100 Gbit

This is to announce the new PF_RING release 8.6! This stable release introduces a new Runtime component in PF_RING, which adds support for runtime filtering. This allows an external application to push filtering rules (through a Redis queue) while the socket is running, and to offload them to the adapter when supported (e.g. on NVIDIA/Mellanox ConnectX adapters). This enables Zeek and Suricata "on-demand" at 100 Gbit, as discussed in a previous post. This release also adds support for Debian 12 and the latest 6.x kernel shipped with Ubuntu 22.04 LTS. Many other improvements …
ntop

Sorting Out and Clustering Alerts in ntopng

In a previous post, What's In The (Alert) Inbox?, we discussed how alerts are organised in the Alerts Explorer. The new "inbox" design allows us to cluster alerts into separate folders, keeping high-priority events that require attention and need to be addressed as soon as possible apart from other minor events. This solves one issue: having all critical alerts under control, while still tracking and archiving all minor network issues (which contribute to the host score, and may still be of interest when drilling down during our analysis). In a system which …
ntop

What’s In The (Alert) Inbox?

ntopng emits alerts in order to report relevant events. They can be triggered by traffic thresholds, user scripts, behavioural checks, or security issues, including those detected by IDS systems integrated with ntopng (the full list of built-in checks, and related alerts, that can be enabled in ntopng is available in the Alerts section of the documentation). Sometimes they are really critical and should be handled immediately to fix the problem; this is the case of security events, for instance (e.g. a compromised host that must be sanitised as soon as …
nEdge

Deploying nEdge with Multiple (Virtual) LANs (and WANs)

Exactly 3 years have elapsed since the introduction of nEdge (ntopng Edge), and despite the fact that we haven't posted much about it on our blog, this tool has continued to grow: many features have been added over time, and we see that every time new users have the chance to try it, they are amazed by the capabilities it provides. If this is the first time you hear about nEdge, we suggest reading the introductory post, which explains how nEdge enables network administrators to enforce Layer-7 policies on network users, and the nEdge product page, which provides …
cento

Enabling Zeek and Suricata On-Demand at 40/100 Gbit using PF_RING

Overview. Those of you who have some experience with IDS or IPS systems, like Zeek and Suricata, are probably aware of how CPU-intensive and memory-consuming those applications are due to the nature of the activities they carry out (e.g. signature matching). This leads to high system load and packet loss when the packet rate becomes high (10+ Gbit), making these IDSs unlikely to be deployed on high-speed networks. As nProbe Cento can analyse networks up to 100 Gbit while using nDPI for ETA (Encrypted Traffic Analysis), ntopng …
ntop

How to Enable Smart Recording in ntopng (and n2disk)

Recently, we introduced Smart Recording in n2disk to combine cybersecurity with packet-to-disk. In a previous post (and in the documentation) we described the idea behind it and how to enable it in a few simple steps. For those of you who prefer a video resource, and want to learn more about the technology and how to get the most out of it, here's the step-by-step video tutorial. Enjoy! …
Announce

Introducing Smart Recording in n2disk: Combining Cybersecurity with Packet-to-Disk

In short, continuous network traffic recorders are applications (or appliances) that write network traffic to disk. In case of issues (e.g. a security breach or a network outage) they enable network and security analysts to go back in time and see how a problem originated. The main limitation of this practice is that a lot of data is written to disk even when nothing special is happening on the network. Similar to the evolution of surveillance cameras, which implemented "motion detection" to trigger recording only when some meaningful event happens, this …
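The "motion detection" analogy maps onto a well-known recorder design: keep the most recent packets in a memory ring buffer, and commit to disk only when an event fires, together with the pre-event history and a post-event window. The following is an added example of that design, written for this page; it is not n2disk's implementation, and the buffer sizes, the 2-second post-trigger window and the packet trace are constructed for the demo (the "disk" is a plain list).

```python
from collections import deque


class SmartRecorder:
    """Trigger-driven packet recorder.

    Packets are held in a ring buffer of `pre_trigger` entries. When an event
    fires, the buffered history is flushed to storage and live recording
    continues until `post_trigger_s` seconds after the most recent trigger;
    afterwards the recorder goes back to buffering only.
    """

    def __init__(self, pre_trigger: int = 1000, post_trigger_s: float = 2.0):
        self.ring = deque(maxlen=pre_trigger)  # oldest packets drop off automatically
        self.post_trigger_s = post_trigger_s
        self.record_until = None               # None = not recording, only buffering
        self.recorded = []                     # stands in for the on-disk pcap
        self.events = []

    def on_packet(self, ts: float, pkt: bytes) -> bool:
        """Handle one captured packet; return True if it was written to storage."""
        if self.record_until is not None and ts <= self.record_until:
            self.recorded.append((ts, pkt))
            return True
        self.record_until = None  # post-trigger window elapsed: back to buffering
        self.ring.append((ts, pkt))
        return False

    def trigger(self, ts: float, reason: str) -> None:
        """Signal an event (e.g. an alert from the IDS or the flow analyser)."""
        self.events.append((ts, reason))
        if self.record_until is None:
            # First trigger of a burst: dump the pre-event history, then go live.
            self.recorded.extend(self.ring)
            self.ring.clear()
        # A trigger during live recording only extends the window.
        self.record_until = ts + self.post_trigger_s


def run_demo():
    """Constructed trace: one packet per second, alerts at t=5.5 and t=7.2."""
    rec = SmartRecorder(pre_trigger=3, post_trigger_s=2.0)
    alerts = {5.5: "suspicious DNS", 7.2: "port scan"}
    pending = sorted(alerts)
    for t in range(12):
        rec.on_packet(float(t), b"pkt-%d" % t)
        # Fire any alert whose timestamp falls before the next packet.
        while pending and pending[0] < t + 1:
            at = pending.pop(0)
            rec.trigger(at, alerts[at])
    written = [ts for ts, _ in rec.recorded]
    buffered = [ts for ts, _ in rec.ring]
    return written, buffered  # ([3.0, 4.0, 5.0, 6.0, 7.0, 8.0, 9.0], [10.0, 11.0])
```

With a 3-packet ring, the first alert at t=5.5 saves packets 3 to 5 (the pre-event context that a plain "start recording on alert" policy would lose), the second alert at t=7.2 extends the window to t=9.2, and packets 10 and 11 are only buffered. Sizing the ring in bytes rather than packets, and bounding the post-trigger window, is what keeps disk usage proportional to the number of events instead of to link speed.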
ntop

Hardware Traffic Duplication on Intel Adapters Using PF_RING

Those of you who are familiar with kernel-bypass drivers like PF_RING ZC know that it is not possible to run multiple applications on top of the same network interface and capture the same traffic twice. This is the case with Intel and most FPGA adapters. In fact, since the application takes full control of the adapter and configures it to copy packets directly into the application's memory in hardware, access to the device must be exclusive. This is unless the adapter natively supports multiple consumers, which is the case with Mellanox/NVIDIA and …
ntop

The Brand New nBox UI is Out

As announced during the last ntop webinar, the new nBox UI has been released! What is nBox UI? nBox UI is a web-based user interface that simplifies the configuration of ntop's software (ntopng, nProbe, nProbe Cento, n2disk, …), assisting with complex tasks such as creating configuration files and managing the services, and lets you focus on working with the applications. nBox UI also helps you manage the box itself, with the ability to configure its connectivity, users, etc. nBox UI is in practice what we use to build our nBox Recorder …