Clustering Network Devices using ntopng Host Pools


In computer networks, devices are identified by an IP address and a MAC address. The IP can be dynamically assigned (so it might not be persistent), whereas the MAC is (in theory) unique and persistent, and thus better suited to identifying a device. Non-technical users do not know these low-level details, and in general it makes sense to cluster devices using other criteria. VLANs are a way to logically group devices belonging to the same administrative domain, but a VLAN is still a low-level, network-level property.

When administering a network, we have realised that we need a way to cluster devices into logical groups that have nothing to do with network-level properties such as the IP address. In order to address this need, in ntopng (development version only at the moment, but soon also in the stable release) we have implemented what we call Host Pools. They are logical groups of devices that can be identified by IP address and/or MAC address. In order to define a host pool you need to select the interface view and click on the host pool icon.

There you can define a pool by setting its name, and on the membership tab you can see which devices belong to the pool. Remember that you can set both the MAC address and the IP address (or network).

At this point, in the host view you can see the pool associated with a host, depicted as a green badge next to the IP address/network it belongs to.

It is worth remarking that host pools are logical clusters of devices that do not have to belong to the same network. For example, you can group all printers of your company, all mobile phones, etc. In essence this is a way to cluster devices and to easily spot those that are unknown and thus suspicious (e.g. a new MAC we have not listed, which may hide a device that should not have been connected) or simply ungrouped. You can list all active devices belonging to a pool by clicking on the pool badge. For example, if you want to list all local devices that do not belong to any pool, just click on the pool badge of a host not belonging to any pool, then from the “Filter Hosts” menu select local hosts only and you will see the host list.
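To make the membership rules concrete, here is an added example (written for this post, not ntopng's own code) that models a host pool as a set of MAC addresses, IP addresses and CIDR networks, attaches each observed host to the first pool whose MAC or IP/network rule matches (one pool per host, as the current implementation does), and then produces the same “local hosts in no pool” list the post obtains through the badge and the “Filter Hosts” menu. The pool names, MAC addresses, IPs and local networks are constructed sample data, and `build_pool`, `pool_matches`, `classify_hosts` and `unpooled_local_hosts` are hypothetical helper names, not ntopng API.

```python
"""Added illustration of host-pool membership by MAC, IP or network.

Not ntopng code: it models a pool as sets of MACs, IPs and CIDR networks and
reports hosts that fall into no pool, the "unknown and thus suspicious" case.
"""
import ipaddress
from dataclasses import dataclass, field


def normalize_mac(mac):
    """Accept 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or colon form; return lowercase colon form."""
    digits = mac.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class HostPool:
    name: str
    macs: set = field(default_factory=set)        # normalised MAC strings
    ips: set = field(default_factory=set)         # ipaddress address objects
    networks: list = field(default_factory=list)  # ipaddress network objects


def build_pool(name, members):
    """Build a pool from member strings, each a MAC, an IP or a CIDR network."""
    pool = HostPool(name)
    for member in members:
        if "/" in member:
            pool.networks.append(ipaddress.ip_network(member, strict=False))
            continue
        try:
            pool.ips.add(ipaddress.ip_address(member))
        except ValueError:
            pool.macs.add(normalize_mac(member))  # not an IP, so it must be a MAC
    return pool


def pool_matches(pool, mac, ip):
    """A host belongs if its MAC is listed, or its IP is listed or inside a listed network."""
    if mac is not None and normalize_mac(mac) in pool.macs:
        return True
    if ip is not None:
        addr = ipaddress.ip_address(ip)
        if addr in pool.ips or any(addr in net for net in pool.networks):
            return True
    return False


def classify_hosts(pools, hosts):
    """Attach each observed host to the first matching pool (one pool per host).

    Returns (assigned, unpooled): a dict {(mac, ip): pool name} and the list of
    (mac, ip) keys that matched nothing.
    """
    assigned, unpooled = {}, []
    for host in hosts:
        key = (host["mac"], host["ip"])
        for pool in pools:
            if pool_matches(pool, host["mac"], host["ip"]):
                assigned[key] = pool.name
                break
        else:
            unpooled.append(key)
    return assigned, unpooled


def unpooled_local_hosts(pools, hosts, local_networks):
    """The 'local hosts in no pool' list: unpooled keys whose IP is in a local network."""
    nets = [ipaddress.ip_network(n) for n in local_networks]
    _, unpooled = classify_hosts(pools, hosts)
    return [(mac, ip) for mac, ip in unpooled
            if any(ipaddress.ip_address(ip) in net for net in nets)]


# Constructed sample data (hypothetical pools and hosts, not from a real network).
SAMPLE_POOLS = [
    build_pool("Printers", ["00:11:22:33:44:55", "10.0.5.0/24"]),
    build_pool("Luca's Devices", ["AA-BB-CC-DD-EE-01", "192.168.1.10"]),
]
SAMPLE_HOSTS = [
    {"mac": "00:11:22:33:44:55", "ip": "10.0.1.7"},       # printer, matched by MAC
    {"mac": "0c:0c:0c:0c:0c:0c", "ip": "10.0.5.20"},      # printer, matched by network
    {"mac": "aa:bb:cc:dd:ee:01", "ip": "192.168.1.55"},   # Luca's phone by MAC (DHCP gave a new IP)
    {"mac": "de:ad:be:ef:00:01", "ip": "192.168.1.200"},  # unknown local device: worth a look
    {"mac": "00:50:56:aa:bb:cc", "ip": "8.8.8.8"},        # remote host, expected to be unpooled
]
LOCAL_NETWORKS = ["10.0.0.0/8", "192.168.0.0/16"]

if __name__ == "__main__":
    assigned, unpooled = classify_hosts(SAMPLE_POOLS, SAMPLE_HOSTS)
    for (mac, ip), name in assigned.items():
        print(f"{mac} {ip:<14} -> {name}")
    print("unpooled local:", unpooled_local_hosts(SAMPLE_POOLS, SAMPLE_HOSTS, LOCAL_NETWORKS))
```

Two caveats apply to the real thing as much as to this toy. A monitoring interface only sees a device's own MAC when the device is on the same layer-2 segment; for hosts behind a router the observed MAC is the router's, so those hosts can only be pooled by IP or network. And a MAC is trivially spoofable, so an "unknown MAC" is a useful prompt to investigate, not proof that a listed MAC is the device you expect.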

We plan to further expand the host pool concept before the next stable ntopng release by easing the association of hosts to pools, adding multi-pool support (e.g. my smartphone should belong both to the “Luca’s Devices” and to the “Smartphone” pools), and applying actions to pools (e.g. execute the Lua script action.lua when a new device belonging to pool MyPool appears on the network). In a future blog post we’ll discuss how host pools are used by ntopng in bridge mode with the captive portal, to automatically bind network devices to users.

Stay tuned, and send us suggestions or enhancements you would like to see by opening a ticket on GitHub.