tutorials

Announce

Using ClickHouse Cloud with ntopng

We are happy to announce that, starting from the latest ntopng dev version (6.1), ntopng supports exporting data (flows & alerts) to ClickHouse Cloud. Below you can find a step-by-step guide. Quick Start First of all, let’s start by creating our account and service on ClickHouse Cloud (you can find the official guide here); remember to save the ClickHouse username and password used for accessing your database. After that we have to jump to the ‘Connect’ section. Then, we have to select MySQL, turn on “Enable the MySQL protocol” and …
Features

Using Traffic Rules To Supervise Network Traffic

The Problem Let’s assume that you have a network where local hosts generate a constant amount of traffic. How do you find out whether they are misbehaving? It happens that some local host starts behaving strangely, by having an abnormal amount of traffic (sent or received) with respect to its recent past: how can you spot these situations and report them with an alert? This is why we have created the Local Traffic Rules page: users can now define custom Volume/Throughput thresholds for some (or all) local hosts. You can also …
Cybersecurity

What’s New in ntopng: Periodic Activities (a.k.a beaconing) !

Hello everybody! Welcome back to the weekly blog post of this series, used to update you on the latest ntopng features and graphical changes. Please let us know your feedback! Today we are going to talk about the Periodicity Map. You are probably asking yourself what’s so bad about periodic activities, right? First of all, let’s take a look at the Periodicity Map and what information it contains. What we can see here is: The last seen – the last time ntopng has seen a periodic activity (flow) The quintuplet …
Cybersecurity

Incident Analysis: How to Correlate Alerts with Flows and Packets

In incident analysis it is important to provide evidence of the problem at various levels of detail: Alerts Alerts are the result of traffic analysis (in ntopng based on checks) that has detected specific indicators in traffic that triggered the alert. For instance, a host whose behavioural score has exceeded a given threshold or a flow that is exfiltrating data. Flows Are the result of the aggregation of packets belonging to the same connection and are used to compute alerts. Packets This is the most granular data that contains evidence …
tutorials

Introducing ntop Professional Training Service

Many of you are asking for professional training, in particular in companies and large installations. Over the years we have produced many software applications that allow you to improve network visibility and block cybersecurity threats. In this ever-increasing ecosystem, we acknowledge that blog posts and webinars might not be sufficient for everyone. For this reason we have created a professional training service designed for people who want to master ntop products in their daily activities. The idea is to divide the training into 5 sessions of 90 minutes each, so …
ntopng

Infrastructure Monitoring: Observing The Health and Status of Multiple ntopng Instances

Introduction Quis custodiet ipsos custodes? (Juvenal). In other words: who will guard the guards themselves? If you use ntopng to monitor your network, you also need to make sure ntopng itself is monitored, because in case of failure ntopng will not report any alert, and the network administrator can interpret that as a sign of good health instead of interpreting it as a lack of monitoring. Recent 4.3+ versions of ntopng have the capability to monitor other ntopng instances, whether they are on the same local LAN or physically/geographically distributed. This capability, also referred …
nProbe

nProbe IPS: How to Set Up an Inline Layer-7 Traffic Policer in 5 Minutes

Introduction Recently, we have added Intrusion Prevention System (IPS) capabilities to our nProbe. Those capabilities are available starting from the latest 9.5 version, both for Linux and FreeBSD – including OPNsense and pfSense – and are available with all nProbe versions and licenses (see the product page for additional details). On Linux, nProbe leverages the netfilter framework. In essence, the kernel sends packets to nProbe via NF_QUEUE which, in turn, gives each packet a pass/drop verdict, so that the packet is either dropped or allowed to continue its journey through the network. …
Features

How to Enable DPI-based Traffic Management in pfSense using nEdge

We have been receiving several inquiries from pfSense users who would love to complement the classical firewall-style pfSense features with the inline Layer-7-based traffic policing offered by nEdge. Being able to place pfSense and nEdge side by side allows one to overcome the common belief which sees the bad guys on the Internet and the good guys on the Local Area Network (LAN). Bad guys are on the Internet and this is true. Period. However, bad guys are also on the LAN, especially today in the Bring-Your-Own-Device (BYOD) era. Think of infected …
nProbe

sFlow Collection and Analysis with nProbe and ntopng

sFlow, short for sampled Flow, is a sampling technology designed to export network device information, namely: Interface counters (à la SNMP MIB-II); Traffic packets (à la ERSPAN). sFlow agents run on switches, routers, firewalls and other devices, and periodically export interface counters and traffic packets via UDP towards one or more sFlow collectors. sFlow, relying on sampling to periodically export counters and packets, is scalable and ultra-lightweight and has been embedded into network devices by tens of vendors and manufacturers. Contrary to NetFlow (please note that in sFlow parlance the …
nProbe

Using nProbe for Collecting Ixia IPFIX with IxFlow extensions

Ixia allows enriching IPFIX records with value-add extensions. Additional information that can be exported, along with standard fields such as source and destination IP addresses, includes: Geographical information such as region IP, latitude and city name Application ID or name, device, browser and even the SSL cipher used Details on application and handset (device) type for mobile users HTTP URL and hostname for web activity tracking HTTP and DNS metadata for rapid breach detection Transaction latency for application performance tracking The latest version of nProbe provides full support for Ixia …
nProbe

Using nProbe and ntopng for Collecting and Visualizing Sonicwall Flows

nProbe is both a probe and a NetFlow/sFlow collector. Recently, we’ve also added the ability to collect flows with proprietary information elements. This greatly improves nProbe flexibility, as any custom, vendor-proprietary information element can be understood, correctly parsed, and exported downstream. Adding proprietary information elements to nProbe is a breeze. Indeed, it suffices to use a plain-text file with the element descriptions. That’s all. Once the fields have been loaded from the plain-text file, they can be treated as if they were regular fields. So for example they can …
Guides

Best Practices for the Collection of Flows with ntopng and nProbe

ntopng can be used to visualize traffic data that has been generated or collected by nProbe. Using ntopng with nProbe is convenient in several scenarios, including: The visualization of NetFlow/sFlow data originated by routers, switches, and network devices in general. In this scenario, nProbe collects and parses NetFlow/sFlow traffic from the devices, and sends the resulting flows to ntopng for visualization. The monitoring of physical network interfaces that are attached to remote systems. In this scenario, ntopng cannot directly monitor network interfaces, nor can it see their packets. One …