Lessons learnt at #SharkFest15


Last week we gave a couple of presentations at SharkFest 2015, introducing ntopng to the Wireshark community. The most interesting part was the feedback from attendees, who asked "how to integrate ntopng with Wireshark". My personal conclusion is that the best way to do this is to turn ntopng into a pre-processor for Wireshark: use ntopng to monitor a network permanently, detect anomalies, and then analyse them with Wireshark. A packet sniffer cannot be used as a permanent monitoring tool, because it requires human supervision and expertise to operate it and interpret its results. On a large network, for instance, it is unlikely that Wireshark can be deployed permanently everywhere in order to report packet anomalies, as the tool was not designed for this task.

In ntopng 2.0 we have added the ability both to dump traffic to disk in pcap format and to create tap interfaces to which you can attach Wireshark (remember to start ntopng with `--enable-taps` so that ntopng is allowed to create them).

Packet Tap

This allows ntopng to stream packets to Wireshark in real time for specific hosts/flows or for specific events (e.g. a port scan).

Live Streaming to Wireshark

The Wireshark community has asked us to make this mechanism even more flexible. Packet-oriented people like to see low-level details such as the TCP window size, which monitoring folks (such as most ntopng users) do not usually care about. What has been asked is to make ntopng scriptable, so that a Lua script decides when a specific flow needs to be streamed to a tap or saved to a pcap file. For instance, we have been asked to let users decide based on conditions such as whether the TCP window scale exceeds a given value or whether drops exceed a certain threshold. In essence, the request is to turn ntopng into a more sophisticated packet pre-processor for Wireshark.
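To make the requested mechanism concrete, here is an added model (not ntopng code, and not its Lua hook API, which does not exist yet) of such a per-flow policy in Python: flow counters and thresholds are constructed for the example, a flow once selected stays selected so Wireshark sees the rest of the conversation, and the drop rule is only applied once a flow has enough packets to judge.

```python
from dataclasses import dataclass, field

@dataclass
class FlowStats:
    """Per-flow counters the hook would receive (constructed for this example)."""
    key: str            # "src:sport -> dst:dport"
    window_scale: int   # TCP window-scale shift advertised in the SYN
    packets: int = 0
    drops: int = 0      # retransmitted / lost segments observed so far

@dataclass
class StreamPolicy:
    """Decide, per flow update, whether packets go to the tap (live Wireshark),
    to a pcap dump on disk, or nowhere. Thresholds are hypothetical defaults."""
    max_window_scale: int = 7     # shift > 7 means more than 128x scaling
    max_drop_ratio: float = 0.05  # more than 5% of segments lost/retransmitted
    min_packets: int = 20         # do not judge a drop ratio on a tiny sample
    selected: dict = field(default_factory=dict)  # key -> action, sticky

    def evaluate(self, f: FlowStats) -> str:
        # A selected flow keeps its action, so the analyst gets the whole
        # conversation rather than only the packet that tripped the rule.
        if f.key in self.selected:
            return self.selected[f.key]
        if f.window_scale > self.max_window_scale:
            action = "stream"   # live tap: worth looking at right now
        elif f.packets >= self.min_packets and f.drops / f.packets > self.max_drop_ratio:
            action = "dump"     # pcap on disk for later analysis
        else:
            return "ignore"
        self.selected[f.key] = action
        return action

def run_policy(updates, policy=None):
    """Feed a sequence of flow updates through the policy; return the final decision per flow."""
    policy = policy or StreamPolicy()
    return {f.key: policy.evaluate(f) for f in updates}

# Constructed updates: one flow with an unusual window scale, one lossy flow that
# only crosses the threshold once enough packets are seen, and one healthy flow.
SAMPLE = [
    FlowStats("10.0.0.5:4431 -> 10.0.0.9:443", window_scale=9, packets=3),
    FlowStats("10.0.0.7:5050 -> 10.0.0.9:80", window_scale=7, packets=10, drops=2),
    FlowStats("10.0.0.7:5050 -> 10.0.0.9:80", window_scale=7, packets=40, drops=4),
    FlowStats("10.0.0.8:6000 -> 10.0.0.9:22", window_scale=7, packets=100, drops=1),
]
```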

The second piece of feedback is to add to ntopng the ability to report specific low-level details, such as the TCP window scaling value or the backlog of un-ACKed packets on a TCP connection.

We are planning to implement these things in the coming months. However, if you have further ideas or requirements, please file an issue on GitHub so that we can track it and make ntopng even better than it is today. Thank you!