ntopng

ntopng

Threshold vs Statistical Metric Alerts in ntopng
Threshold alerts and statistical alerts are two different methods for monitoring and detecting unusual or potentially problematic events in various systems, such as network monitoring where anomaly detection is essential. They differ in how they define and identify anomalies: Threshold Alerts Threshold alerts are based on fixed, predefined values or thresholds. You set specific thresholds for one or more parameters or metrics within your system. When these parameters cross the predefined thresholds, an alert is triggered. These thresholds are typically static and do not change automatically. You need to set …
ntopng

How to Send ntopng Alerts to PagerDuty
PagerDuty is a popular incident-response platform that allows problem notifications to be delivered in a flexible way to the correct team member. We have integrated it in ntopng Enterprise and this post shows you howto configure it. First of all you need to create a PagerDuty account and select a plan (there is a free one you can choose). Done that within PagerDuty you need to select “Event Orchestration” from the “Automation” menu and create a new event orchestration. Below you can see an example. Once you saved it click …
Features

How we Improved Alarm Delivery in ntopng
Sometimes, a critical issue shows up in your network and you’d like to be notified by ntopng on Telegram or by E-Mail. ntopng allows you to filter alerts for each recipient based on a few criteria including alert family, category, severity, or affected hosts. However in some case you want to be notified about a very specific alert, out of all alerts produced with the same family, category, severity. For example, it’s important to be notified when an Interface has no traffic, or when a new device (MAC) connects or …
ntop

Sorting Out and Clustering Alerts in ntopng
In a previous post, What’s In The (Alert) Inbox?, we’ve discussed how alerts are organised in the Alerts Explorer. The new “inbox” design allows us to cluster alerts into separate folders high-priority events, that require attention and needs to be addresses as soon as possible, from other minor events. This solves one issue: having all critical alerts under control, while still tracking and archiving all minor Network issues (that contribute to the hosts score, and may be still of interest when drilling down during our analysis). In a system which …
ntop

What’s In The (Alert) Inbox?
ntopng emits alerts in order to report relevant. They can be triggered by traffic thresholds, user scripts, behavioural checks, or due to Security issues, including those detected by IDS systems integrated with ntopng (the full list of built-in checks, and related alerts, that can be enabled in ntopng is available in the Alerts section of the documentation). Sometimes they are really critical and should be handled immediately to fix the problem, this is the case of Security events for instance (e.g. a compromised host that must be sanitized as soon as …
ntopng

Understanding Timeseries Throughput Calculation
ntopng creates timeseries for traffic by periodically (e.g. every minute) writing into RRD/Influx the traffic volume observed. Below you can see an example. Traffic is used to keep track of the data volume exchanged. Over time timeseries are aggregated (roll-up) to save space, meaning for instance that 60 minute observations are used to compute a hourly observation. A timeseries rollup involves summarising the original time series data over larger time intervals. The purpose of doing a rollup is to reduce the volume of data and make it more manageable while …
ntopng

HowTo Trigger an Alert When Contacting a Website/IP with ntopng
ntopng has native blacklist support that enables generation of alerts when malware sites are contacted. You can enable/disable the list of active blacklist by accessing the blacklist page from the preferences menu of the left sidebar and also configure the list properties such as refresh rate as well enable/disable them. Now suppose you want to trigger an alert when contacting a specific IP address or a website (this regardless if using clear-text protocol such as HTTP or encrypted TLS-based communications). How can you do that? See it below: Define a …
Features

Using Traffic Rules To Supervise Network Traffic
The Problem Let’s assume that you have a Network where local hosts generate a constant amount of traffic. How do you find if they are misbehaving? It happens that some local host starts behaving strangely, by having an abnormal amount of traffic (sent or received) with respect to their recent past: how can you spot these situations and report them with an alert. This is why we have created the Local Traffic Rules page: users can now define custom Volume/Throughput threshold for some (or all) local hosts. You can also …
nProbe

Monitoring Microsoft Teams Performance and Video/Call Quality
Months ago we have talked how ntopng identifies ad monitors Zoom calls quality. Today we show how call monitoring has been now seamlessly extended to Microsoft Teams. Thanks to nDPI, ntopng is now able to detect Teams calls and to label them according to the stream type: Video Audio Screen Sharing. For each call it is possible to visualise the stream type as well as the flow statistics. If ntopng collects RTP flows from nProbe it also reports the call quality as exported by nProbe. Both Zoom and Microsoft Teams …
nProbe

Scaling Up ntopng Flow and Packet Processing
As traffic rate increases, it is important to tune packet processing in order to avoid drops and thus educe visibility. This post will show you a few tricks for improving the overall performance and better exploit modern multicore systems. The Problem ntopng packet processing performance depends on the number of ingress pps (packets per second) as well the number of flows/hosts being monitored and number of enabled behavioural checks. With ntopng you can expect to process (your mileage varies according to the CPU/system you are using) a few (< 5) …
ntopng

Introducing Modbus Traffic Monitoring in ntopng
Modbus is an industrial protocol used to communicate with automation devices. The initial protocol version was implemented over a serial layer, whereas the current version named ModbusTCP is a variant of the original protocol running over TCP/IP. This blog post describes how ntopng monitors ModbusTCP traffic: it detects Modbus flows via nDPI and dissects them building an internal flow representation. For each flow, ntopng keeps track of the function codes uses, exceptions and registers accessed.  It also reports the transitions between function Ids and depicts them graphically: the more transitions …
cento

Enabling Zeek and Suricata On-Demand at 40/100 Gbit using PF_RING
Overview Those of you who have some experience with IDS or IPS systems, like Zeek and Suricata, are probably aware of how CPU intensive and memory consuming those applications are due to the nature of the activities they carry on (e.g. signatures matching). This leads to high system load and packet loss when the packet rate becomes high (10+ Gbi+) making these IDSs unlikely to be to deployed on high-speed networks. As nProbe Cento can analyse networks up to 100 Gbit while using nDPI for ETA (Encrypted Traffic Analysis), ntopng …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe