The first important step to start with network monitoring is to analyze what we want to monitor and how to deploy the monitoring solution in the existing network.
Here are some important questions to ask ourselves before starting the actual monitoring:
- Do we need to monitor the entire network or just a specific segment?
- Do we already have network appliances with network flow export capabilities (e.g. NetFlow/sFlow devices)?
- Can we use port mirroring of a switch or a network TAP?
- Where are we deploying our network monitoring appliances to get visibility on the traffic of interest?
- Do we have a NAT/routers which possibly hides IP/MAC addresses? Can we place our monitor appliance before the actual NAT/router?
- Do we need full L7 application traffic analysis capabilities or we can go with a simpler port based approach?
In this article we will see how to deploy ntopng and optionally nProbe to fulfill some common network analysis requirements.
nProbe is a powerful network probe. It supports many standard flow formats as Netflow sFlow and IPFIX. nProbe itself does not provide a Graphical User Interface (GUI). When coupled with ntopng, however, it allows us to monitor traffic and display it on the ntopng GUI.
ntopng is a full-featured network monitoring tool. It provides a web GUI to access accurate monitoring data. It provides detailed views on active hosts, flows, IP addresses, Mac addresses, Autonomous systems. It cam be used to monitor and report live throughput, network and application latencies, Round Trip Time (RTT), TCP statistics (retransmissions, out of order packets, packet lost), and bytes and packets transmitted.
Let’s now review some of the most common network monitoring use cases with ntopng.
Monitoring Netflow/sFlow Traffic
If our network appliances supports the Netflow/sFlow flow export, we can send flows data to a remote server running ntopng. This setup is not appropriate if we need detailed L7 application dissection or per-packet realtime analysis. We will need to set up nProbe as an intermediate flow collector, which in turn will send flows to ntopng. The ntopng dashboard visualization will not be “real-time” actually as there are some export timeouts (both into nProbe and into the NetFlow appliance) involved.
In this example we have a Netflow capable router. We have to configure the router to export flows to nprobe. From the router admin interface (typically a web GUI), we configure Netflow export to our nProbe running server by specifying its IP address as well as a port, say 2055.
Now we have to configure nProbe to receive the Netflow data. We do this by creating the file /etc/nprobe/nprobe-none.conf on the nProbe host:
--zmq="tcp://*:5556" -T="@NTOPNG@" -i=none -n=none --collector-port=2055
We are also telling nProbe to send the flows to ntopng. This intermediate step is needed as ntopng does not know talk Netflow so nProbe acts like a translator.
Now we have to set up ntopng. Let’s install ntopng and configure it to receive flows from nProbe. Let’s modify /etc/ntopng/ntopng.conf:
-i="tcp://127.0.0.1:5556" --local-networks="172.16.1.0/24,172.16.2.0/24"
We are also telling ntopng which are the local networks to monitor, in this example 172.16.1.0/24 and 172.16.2.0/24. ntopng will mark hosts belonging to that networks as “local” and this will enable their historical data to be saved to disk.
After setting up the configuration files, we have to enable and start the system services:
systemctl enable ntopng systemctl enable nprobe@none systemctl restart ntopng systemctl restart nprobe@none
If we have many Netflow appliances we can direct all of the to exports flows to our single nprobe instance. In ntopng, we can then split the incoming traffic by using the Dynamic Interfaces Disaggregation from the ntopng preferences.
Monitoring a Port Mirror/TAP
In this example we have an appliance which mirrors the packets using a SPAN port. With this setup we can perform full L7 packet analysis and get a realtime view of the traffic.
We only need to set up ntopng to listen from the network interface connected to the SPAN port. Ideally the network interface should not have an IP address as it should only be used to receive the mirrored traffic.
The ntopng setup is really simple: we only need to tell it to monitor the -interface connected to the span port. Supposing the interface is eth1, the correspondent /etc/ntopng/ntopng.conf file will be:
-i=eth1 --local-networks="192.168.1.0/24"
Remember to restart the ntopng service after applying the changes.
Monitoring Multiple Locations
We may need to deploy multiple probes in our network to capture traffic at different points. We can use a single ntopng to gather all the information from the probes. Let’s assume we have two nProbe instances running on two different hosts, one at IP 192.168.10.10 and the other on 192.168.20.20. ntopng runs on a separate host with IP address 1.2.3.4. We assume that the probes read traffic from local SPAN ports, connected on the interface eth0 of each probe.
The first nprobe configuration (/etc/nprobe/nprobe-eth0.conf on host 192.168.10.10) is:
--zmq="tcp://1.2.3.4:5556" -T="@NTOPNG@" -i=eth0
The second nprobe configuration (/etc/nprobe/nprobe-eth0.conf on host 192.168.20.20) is:
--zmq="tcp://1.2.3.4:5557" -T="@NTOPNG@" -i=eth0
The ntopng configuration file /etc/ntopng/ntopng.conf will contain:
-i="tcp://*:5556c" -i="tcp://*:5557c" --local-networks="192.168.10.0/24,192.168.20.0/24"
We enable and start the nprobe@eth0 service on both probes, then enable and start the ntopng service. The ntopng GUI will show two network interfaces, each one represents one remote probe and its related traffic.
For advanced nProbe and ntopng communication see https://www.ntop.org/nprobe/advanced-flow-collection-with-ntopng-and-nprobe/ .
