A few months ago at FOSDEM we introduced the concept of network and container visibility through system introspection and we released an opensource library based on eBPF that can be used for this scope. Based on this technology, we created a lightweight probe, nProbe™ Agent (formerly known ad nProbe mini), able to detect, count and measure all network activities taking place on the host where it is running. Thanks to this agent it is possible to enrich the information extracted with a traditional probe from network traffic packets, with system data such as users and processes responsible for network communications. In fact, this agent is able to extract and export a rich set of information, including:
- TCP and UDP network communications (5-tuple, status).
- TCP counters, including retransmissions, out-of-order packets, round-trip times read reliably from the Linux kernel without having to mimic them using packets.
- The user behind a communication.
- The process and executable behind a communication.
- Container and orchestrator information (e.g. POD), if any.
For example, nProbe Agent gives you the answer to questions like: who is the user trying to download a file from a malware host? Which process is he running? From which container, if any?
nProbe™ Agent does all this without even looking at Network packets, in fact it implements a low-overhead event-based monitoring mainly based on hooks provided by the Operating System, leveraging on well-established technologies such as Netlink and eBPF. In particular eBPF support is implemented my means on the open source libebpfflow library we developed to mask eBPF complexity. This also allows the agent to detect communications between containers on the same host. nProbe Agent is able to export all the extracted information in JSON format over a ZMQ socket or to a Kafka cluster.
nProbe™ Agent is natively integrated with ntopng out-of-the-box so you can finally seamlessly merge system and network information.
As eBPF requires modern Linux kernels, nProbe™ Agent is available only for Ubuntu 18.04 LTS and CentOS 7 (please upgrade your distro with the latest CentOS packages). If you just need basic system visibility information, there is also libebpflowexport a fully open-source tool that is also natively supported by ntopng out of the box.