All Blog Posts

ntopng

HowTo Use ntopng for Pcap Analysis

Traffic analysts often receive pcap files containing some traffic to analyse. For a long time the usual steps for analysing a pcap file with ntopng have been:

1. Save the pcap file to disk and upload it to the host where ntopng is running.
2. Stop the ntopng service and restart it from a shell as ‘ntopng -i uploaded_file.pcap’.
3. Once the analysis is over, stop ntopng, delete the uploaded pcap, and restart ntopng as a service.

These steps are too complex for many people, and do not ease the adoption of ntopng …
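Step 1 hands an uploaded file to the analysis host, so before the service is stopped for step 2 it is worth checking that the file actually is a capture. The following is an added example in Python, not code from ntopng or from the post: it parses the 24-byte pcap global header (magic, byte order, timestamp resolution, version, snaplen, link type), recognises a pcapng section header, and only then builds the `ntopng -i <file>` invocation the post describes. The function and constant names are this example's own.

```python
"""Pre-flight check of an uploaded capture before it is handed to ntopng.

Added example, not code from ntopng or the post: it parses the 24-byte pcap
global header (and recognises a pcapng section header) so that a file that is
not a capture is rejected before anyone stops the service for `ntopng -i <file>`.
Function and constant names are this example's own.
"""
import struct

# Magic numbers defined by the pcap and pcapng file formats.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": (">", "us"),  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": ("<", "us"),  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": (">", "ns"),  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": ("<", "ns"),  # little-endian, nanosecond timestamps
}
PCAPNG_BLOCK_TYPE = b"\x0a\x0d\x0d\x0a"  # section header block, same in both byte orders
LINKTYPE_ETHERNET = 1


def inspect_capture_header(data: bytes) -> dict:
    """Parse the first 24 bytes of a capture file; raise ValueError if it is not one."""
    if len(data) < 24:
        raise ValueError("too short to hold a pcap global header")
    magic = data[:4]
    if magic == PCAPNG_BLOCK_TYPE:
        # pcapng SHB: block type, block length, byte-order magic 0x1A2B3C4D, major, minor
        bom = data[8:12]
        if bom == b"\x1a\x2b\x3c\x4d":
            endian = ">"
        elif bom == b"\x4d\x3c\x2b\x1a":
            endian = "<"
        else:
            raise ValueError("pcapng section header with bad byte-order magic")
        major, minor = struct.unpack(endian + "HH", data[12:16])
        return {"format": "pcapng", "endian": endian, "version": (major, minor)}
    if magic not in PCAP_MAGICS:
        raise ValueError("not a pcap/pcapng file (magic %s)" % magic.hex())
    endian, ts_unit = PCAP_MAGICS[magic]
    # version_major, version_minor, thiszone, sigfigs, snaplen, linktype
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if (major, minor) != (2, 4):
        raise ValueError("unexpected pcap version %d.%d" % (major, minor))
    return {"format": "pcap", "endian": endian, "ts_unit": ts_unit,
            "version": (major, minor), "snaplen": snaplen, "linktype": linktype}


def is_capture(data: bytes) -> bool:
    try:
        inspect_capture_header(data)
        return True
    except ValueError:
        return False


def check_capture_file(path: str) -> dict:
    """Only the header is read, so a multi-gigabyte upload is never loaded in full."""
    with open(path, "rb") as f:
        return inspect_capture_header(f.read(24))


def ntopng_command(path: str) -> list:
    """argv for the manual step from the post, built only once the file passed the check."""
    check_capture_file(path)
    return ["ntopng", "-i", path]


# Constructed sample headers (not real captures) for an offline self-check.
SAMPLE_PCAP_LE = b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
SAMPLE_PCAPNG_LE = (PCAPNG_BLOCK_TYPE + struct.pack("<I", 28) + b"\x4d\x3c\x2b\x1a"
                    + struct.pack("<HH", 1, 0) + b"\x00" * 8)
SAMPLE_NOT_A_CAPTURE = b'<?xml version="1.0"?><root/>' + b"\x00" * 8

if __name__ == "__main__":
    import sys
    print(ntopng_command(sys.argv[1]))
```

The check deliberately reads only the header: the point is to refuse a mislabelled upload cheaply, not to validate every packet record, which ntopng itself will do while reading the file.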
Announce

Introducing nTap: a Virtual Tap for Monitoring and Cybersecurity (including Wireshark, Suricata, Zeek, OpenvSwitch)

This is to announce a new product named nTap that implements a software tap, to be used in physical and virtual/containerised environments.

[Figures: Using nTap with ntop applications; nTap with Third Party Applications]

nTap allows you to capture packets on remote hosts and deliver them over a secure, encrypted communication channel to a collector host, where the traffic is received and injected on a virtual interface. In essence, nTap allows you to create a virtual interface from which you can receive packets originating from remote hosts. Thanks to this design, all …
nProbe

HowTo Implement Flow Relay, Replication and Fanout with nProbe

Sometimes flow (sFlow/NetFlow/IPFIX) collection becomes a complicated activity when you need to:

- Collect, on your private network, flows originated by devices with a public IP.
- Migrate your infrastructure to nProbe/ntopng while sending flows to both nProbe and your legacy collector.

Implementing all this is often an expensive exercise with non-ntop solutions, therefore, in order to ease migration to ntop tools, we have made available in the nProbe package a couple of tools that implement typical activities such as flow relay, replication and fanout. Below you can learn how …
ntop

HowTo Select the Right Network Adapter for Traffic Monitoring and Cybersecurity

Since the introduction of PF_RING ZC drivers for Mellanox/NVIDIA, and of the new family of Intel E810 adapters, selecting the best, cost-effective adapter based on the use case and the performance we need to achieve has become more complicated. Let’s try to shed some light.

Intel Adapters

Most commodity adapters, including Intel and Mellanox, are based on ASIC chipsets, which are cheap and provide simple RX/TX operations, with no (or limited) programmability. Those adapters have been designed for general purpose connectivity and are not really optimized for moving …
Cybersecurity

What is CyberScore and How it Works: a Technical Overview

ntop users are familiar with concepts such as flow risk and cyberscore. This week we presented a conference paper [slides] at the 2022 IEEE International Conference on Cyber Security and Resilience, where we describe in detail what cyberscore is, how it works, and how we have validated it in real life. In essence this is the explanation of the ideas that are powering our tools, validated by academia and not just by our users. This is in addition to what ntop users are doing every day when using ntop …
ntop

Introduced RHEL/RockyLinux 9 support (and new GPG Package Signing Keys)

This is to announce the availability of ntop packages for RedHat EL9 / RockyLinux 9 at packages.ntop.org. This has forced us to change many things in the way we build packages, due to the deprecation of the SHA-1 algorithm. Because of this we had to change the GPG signing keys used to sign the ntop packages for all platforms (and thus not limited to RHEL/RockyLinux 9). The side effect is that on already installed systems you need to reinstall the apt-ntop/apt-ntop-stable package (Ubuntu/Debian) or run yum update (CentOS/RHEL/RockyLinux). For all details we …
ntop

Welcome to ntopng 5.4: Enhanced Traffic Analysis and Cybersecurity

The previous stable release introduced a new persistency layer based on ClickHouse, paving the way for a more flexible yet fast historical data analysis, with the ability to store billions of records (alerts and flows) with limited disk space and very low query time. This new 5.4 release introduces many enhancements in historical data analysis, with more comprehensive information and additional analysis pages that provide clear insights about network issues. In order to further ease the analysis, the search bar has also been reworked, to let you find what you are …
nProbe

Welcome to nProbe 10: Agent-mode, Timeseries, AWS/Google Cloud, Custom Flow Collection

nProbe 1.0 was introduced in 2002. After 20 years we are glad to introduce nProbe 10, which brings several new features and improvements:

- Agent mode for process monitoring on Linux (eBPF) and Windows
- Timeseries support for nProbe self-monitoring and sFlow-based counter timeseries
- Conversion of Amazon AWS VPC files into flows
- Export of flows towards Google Pub/Sub
- Improved collection of proprietary flows, including Nokia and Calix
- Support for collecting flows from syslog

Agent Mode

When nProbe is deployed on a host, it is possible to use the new --agent-mode command …
Cybersecurity

Introducing nDPI 4.4: Many New Protocols, Improvements and Cybersecurity Features

This is to introduce nDPI 4.4 that includes the development activities of the last six months. As with previous releases we are improving protocol support, automatic testing to harden the code for critical environments, and introducing new cybersecurity features for detecting risks and extracting metadata from protocols. Our idea is to make nDPI more user friendly, going beyond protocol detection, and adding the ability to interpret traffic and tell what is wrong and why. You can read the full changelog, or find below an excerpt of the most relevant changes. …
ntopng

HowTo Visualise ntopng Alerts in Kibana

ntopng can export both flows and alerts to Elastic in the Elastic Common Schema (ECS) format. You can dump flows (not alerts) to Elastic by starting ntopng with -F “es;<mapping type>;<idx name>;<es URL>;<http auth>”. For instance:

ntopng -F "es;ntopng;ntopng-%%Y.%%m.%%d;http://localhost:9200/_bulk;"

We do not advise using Elastic as a flow collector: as the record cardinality increases the database slows down, and you are forced to deploy an Elastic cluster even on mid-size networks. We definitely advise you to enable -F clickhouse instead, which is able to handle billion …
PF_RING

Introducing PF_RING 8.2: New Mellanox Support

This is to announce a new PF_RING release 8.2! This new stable version adds support for a new family of ASIC-based adapters from Mellanox/NVIDIA, including ConnectX-5 and ConnectX-6 (please check the User’s Guide for the exact list of supported firmwares). This new driver/adapter combination delivers high performance (in our tests nProbe Cento was able to scale up to 100 Gbps with worst case traffic using a few CPU cores) and provides high flexibility, with support for hardware packet filtering, traffic duplication, load-balancing and nanosecond hardware timestamping as described in a previous post. This …
nProbe

HowTo Use nProbe To Create Traffic Timeseries in InfluxDB

One of the latest additions to nProbe is the ability to create network traffic timeseries that are stored in the popular InfluxDB database. This feature allows nProbe users to create timeseries that can be depicted in, and integrated with, Grafana dashboards for instance. Timeseries are dumped by means of two new nProbe command line options:

- --influxdb-dump-dir <dir>: timeseries are stored in Line protocol format into the specified directory. A new file is created every minute.
- --influxdb-exec-cmd <cmd>: this option allows to process a timeseries file as soon …
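What the <cmd> given to --influxdb-exec-cmd can do with one of those per-minute files is shown by the following added example, written in Python and not nProbe's own code: it checks that every line is well-formed Line protocol (escaped tag values, typed fields, trailing timestamp), POSTs the file unchanged to the InfluxDB 1.x /write endpoint, and deletes it only once the write has been acknowledged. It assumes that nProbe passes the file path as the command's first argument, that timestamps are in nanoseconds and that the target database is called nprobe; none of these are stated in the excerpt, and the sample dump is constructed, not real nProbe output.

```python
"""Handler for the per-minute files written by nProbe --influxdb-dump-dir.

Added example, not nProbe's own code: it validates a Line protocol file, POSTs
it to the InfluxDB 1.x /write endpoint and deletes it on success, so it can be
the <cmd> of --influxdb-exec-cmd. Assumed (placeholders, not from the post):
nProbe passes the file path as first argument, timestamps are in nanoseconds,
the InfluxDB database is called "nprobe".
"""
import os
import re
import sys
import urllib.parse
import urllib.request

_NUMBER = re.compile(r"-?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?")

def _split_unescaped(s, sep):
    """Split on sep unless it is backslash-escaped or inside double quotes.
    Escapes are kept so that later splits still honour them."""
    parts, cur, quoted, i = [], [], False, 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def _field_value(v):
    """Field types: "string", 42i (integer), 1.5 (float), true/false."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return _unescape(v[1:-1])
    if re.fullmatch(r"-?\d+i", v):
        return int(v[:-1])
    if v.lower() in ("t", "true", "f", "false"):
        return v.lower() in ("t", "true")
    if _NUMBER.fullmatch(v):
        return float(v)
    raise ValueError("bad field value %r" % v)

def _kv_pairs(items, parse_value):
    out = {}
    for kv in items:
        pair = _split_unescaped(kv, "=")
        if len(pair) != 2 or not pair[0]:
            raise ValueError("bad key=value %r" % kv)
        out[_unescape(pair[0])] = parse_value(pair[1])
    return out

def parse_point(line):
    """measurement[,tag=val...] field=val[,field=val...] [timestamp]"""
    parts = _split_unescaped(line.strip(), " ")
    if len(parts) not in (2, 3):
        raise ValueError("expected 'series fields [timestamp]': %r" % line)
    head = _split_unescaped(parts[0], ",")
    if not head[0]:
        raise ValueError("empty measurement: %r" % line)
    return {"measurement": _unescape(head[0]),
            "tags": _kv_pairs(head[1:], _unescape),
            "fields": _kv_pairs(_split_unescaped(parts[1], ","), _field_value),
            "timestamp": int(parts[2]) if len(parts) == 3 else None}

def parse_dump(text):
    """Return (points, errors): one bad line neither drops the whole minute nor goes unnoticed."""
    points, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        try:
            points.append(parse_point(line))
        except ValueError as e:
            errors.append((n, str(e)))
    return points, errors

def push_file(path, url="http://127.0.0.1:8086", db="nprobe", precision="ns"):
    """Validate, POST the file unchanged, delete it only after InfluxDB answered 204."""
    with open(path, encoding="utf-8") as f:
        text = f.read()
    points, errors = parse_dump(text)
    if errors:
        raise ValueError("%s: %d malformed line(s), first at line %d: %s" % (path, len(errors), *errors[0]))
    query = urllib.parse.urlencode({"db": db, "precision": precision})
    req = urllib.request.Request(url + "/write?" + query, data=text.encode("utf-8"), method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        if resp.status != 204:
            raise RuntimeError("InfluxDB answered HTTP %d" % resp.status)
    os.unlink(path)
    return len(points)

# Constructed sample in the shape such a dump file is assumed to have (not real nProbe output).
SAMPLE_DUMP = r"""iface,host=probe-1,ifname=Ethernet\ 1 bytes=12345i,packets=42i,drop_pct=0.5 1700000000000000000
flows,host=probe-1,exporter=192.0.2.10 active=17i,exported=1200i,name="core rtr" 1700000000000000000
"""
SAMPLE_BAD_DUMP = "iface,host=probe-1 bytes= 1700000000000000000\n"

if __name__ == "__main__":
    print(push_file(sys.argv[1]))
```

The file is deleted only after the HTTP 204 from InfluxDB, so a collector outage leaves the minute files in the dump directory to be replayed later rather than losing them. For InfluxDB 2.x the write endpoint is /api/v2/write with org and bucket parameters and an Authorization: Token header, so only push_file changes; the parser is the same.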