Network traffic moving across a link often contains various types of traffic, for example in large companies it can include a mix of traffic coming from:
- Employees network
- Core company servers
- Guests network
- Other
Analysing the traffic as a whole is usually complicated and as a consequence many things are hard to see. It is more convenient to split it into smaller subsets based on traffic type and analyse it unbundled. This is because with a lot of heterogeneous traffic specific patters might be hard to be identified.
In many cases each subset is identified by a different VLAN. Sometimes it is seen by a different flow exporter (it happens to have a single nProbe instance collecting flows from multiple NetFlow/sFlow exporters and forwarding them to ntopng). In some other case, we need custom filters to identify it.
In ntopng it is now possible to split the interface into several logical sub-interfaces, and divert packets or flows to one or more sub-interfaces based on a traffic disaggregation criterion. This criterion can be dynamic or static/custom.
Dynamic Disaggregation
Dynamic disaggregation can be used whenever we want to automatically create one sub-interface per traffic type and there is a 1:1 mapping between traffic type and packets or flows fields (e.g. the VLAN ID).
ntopng today supports the below disaggregation criterion:
- VLAN ID: ntopng creates a sub-interface for each VLAN ID.
- Probe IP: when nProbe is collecting flows from multiple NetFlow/sFlow exporters and forwarding them to a single ntopng interface via ZMQ, disaggregating traffic by Probe IP ntopng creates one sub-interface per exporter based on the %EXPORTER_IPV4_ADDRESS.
- Interface: ntopng creates a sub-interface for %INPUT_SNMP and another for %OUTPUT_SNMP (a single flow will be duplicated on both interfaces).
- Ingress Interface: ntopng creates a sub-interface for each %INPUT_SNMP.
- VRF ID: ntopng creates a virtual interface for each %INGRESS_VRFID.
Please note that besides the VLAN ID, this kind of disaggregation requires the corresponding template field to be present in the collected flow, thus you need to properly configure the nProbe template.
Dynamic disaggregation can be configured in the Interface page under the Settings tab, by selecting the desired disaggregation criterion in the Dynamic Traffic Disaggregation dropdown and restarting ntopng.
Custom Disaggregation
In some cases dynamic disaggregation does not work well as we have complex criterion to identify a traffic type, or simply there is no 1:1 mapping. In this case ntopng allows you to define a custom filter, using a BPF-like syntax, to disaggregate incoming traffic and divert it to logical sub-interfaces. Please note that overlapping is allowed in this case: a single packet or flow can be diverted to multiple sub-interfaces.
An extended BPF format is supported when defining custom filters, in fact in addition to the standard BPF primitives (that applies to both packets and flows), NetFlow fields (and combinations of them) can also be used, including INPUT_SNMP, OUTPUT_SNMP, SRC_VLAN, DST_VLAN when collecting flows from nProbe.
Custom disaggregation can be enabled by disabling Dynamic Traffic Disaggregation (setting it to None) and creating new rules in the Custom Traffic Disaggregation tab. Please keep in mind that ntopng should be restarted in order to apply the changes.
Please note that traffic directed to dynamic or custom sub-interfaces is not shows in the main interface by default. If you still want to have a view of the whole traffic in the main interface, you need to enable the Duplicate Disaggregated Traffic flag in the interface Settings page.
For further details about the configuration, please check the documentation.
Enjoy!