All Blog Posts

Cybersecurity

Incident Analysis: How to Correlate Alerts with Flows and Packets
In incident analysis it is important to provide evidence of the problem  at various level of details: Alerts Alerts are the result of traffic analysis (in ntopng based on checks) that have detected specific indicators in traffic that triggered the alert. For instance a host whose behavioural score has exceeded a given threshold or a flow that has is exfiltrating data. Flows Are the result of aggregation of packets belonging to the same connection and are used to compute alerts. Packets This is the most granular data that contains evidence …
ntopng

Using ntopng with Checkmk: A Tutorial
Today we’ll discuss the ntopng integration with Checkmk, a popular open source infrastructure monitoring tool to which ntopng adds traffic visibility. If IT infrastructure monitoring and network usage monitoring would see each other on Tinder, they would both for sure swipe right and match. Bringing the big picture perspective of IT infrastructure monitoring together with the in-depth information from network usage monitoring is thus a logical step. That’s why ntop and tribe29, the developers of the IT monitoring solution Checkmk partnered and jointly built a seamless integration of both tools. …
nDPI

You’re invited at FOSDEM 2022 (5 and 6 February) in the ntop stand
As most of our users know, every year we were used to meet the world of open source at FOSDEM in Brussels. Due to pandemic, this yearly event has been moved online so we invite you to attend it wherever you are. You can find more info at this page, but in summary we have two main events On Saturday we plan to show the latest tools we have developed, including ntopng 5.2 that we have just released. The idea is to highlight the main tool features, and discuss about …
ntop

Welcome to ntopng 5.2: Historical Data Analysis, Better Performance and Alerting
Initially designed as a maintenance release, 5.2 brings many improvements in its processing engine with over 3’000 code commits. The main goal is to enhance application scalability by optimising memory and CPU usage, while introducing a new persistency layer based on ClickHouse that has replaced nIndex a home-grown high-performance indexing system that we introduced years ago. This layer enables ntopng 5.2 to store billion of flow records and alerts with limited disk space and sub-second response time by providing full visibility in terms of packets, flows and alerts. In essence …
ntop

Introducing nDPI 4.2: More Protocols and Robustness with -80% Memory
This is to announce the availability of nDPI 4.2 stable that brings several improvements and a reduced per-flow memory footprint (about -80% with respect to 4.0). We have continued to improve the DPI engine adding richer protocol metadata, as well as adding support for many platforms. The continuous integration toolchain along with fuzzy-testing allowed us to improve the overall library robustness and reliability which is a key feature when analyzing traffic, in particular for cybersecurity. In our vision, nDPI should be a traffic analysis layer sitting on top of packet …
ntopng

ntopng and ClickHouse: Lessons Learnt at California Institute of Technology
Caltech has been experimenting with ntopng on our network for slightly over a year now.  We send a decent amount of traffic to ntopng, bursting up to 20Gbps, utilising Cento to read the wire and forward the data to ntopng via PF_RING ZC.  This configuration has been working pretty well, though we were encountering issues once we reached about 16 – 20 days of data retention, where ntopng would begin to drop data points from that point forward, and I noticed InfluxDB would utilize 60% or more of available memory, …
ntop

Historical Traffic Analysis at Scale: Using ClickHouse with ntopng
Last year we have announced the integration of ClickHouse, an open source high-speed database, with nProbe for high-speed flow collection and storage. Years before we have created nIndex, a columnar data indexing system that we have integrated in ntopng, but that was just an index and not a “real” database. We have selected ClickHouse for a few reasons: It is open source and developed by a vibrant community. It is very efficient in both speed and size, that were the main features for which we created nIndex. This is very …
nDPI

HowTo Define nDPI Risk Exceptions for Networks and Domains
In the past couple of years we have added the concept of flow risk in nDPI that allows issues with flows to be detected (for instance expired TLS certificates). Unfortunately we need to silence some of these risk exceptions as some hosts/domain names produce risks that need to be ignored (for instance an outdated device that cannot be replaced and that has been properly protected by the security policies). In ntopng you can disable them clicking on the flow alert that will open a window as the one below,   …
Cybersecurity

Short ntop Roadmap for 2022
Those who attended our latest 2021 webinar, had a feeling of what are ntop plans for this year. In summary we keep focusing on cybersecurity and visibility, planning to further enhance our existing tools as follows: nDPI: we plan to improve detection new threats and make it more configurable by end users. The idea is that endusers can further extend the core via configuration files in order to catch malware or contacts to suspicious/infected hosts. We do not want to turn nDPI into a rule-based tool such as many IDS …
nDPI

A Gentle Introduction To Timeseries Similarity in nDPI (and ntopng)
Introduction Let’s start from the end. In your organisation you probably have thousand of timeseries of various nature: SNMP interfaces, hosts traffic, protocols etc. You would like to know what timeseries are similar as this is necessary for addressing many different questions: Host A and host B are two different hosts that have nothing in common but have the same traffic behaviour. Host C is under attack: who else is also under attack? SNMP interface X and interface Y are load balancing/sharing the same traffic: is their timeseries alike or …
Cybersecurity

ntop tools and Log4J Vulnerability
Recently we have received many inquiries about ntop tools being immune to the Log4J vulnerability. As you know at ntop we take code security seriously, hence we confirm that: In ntop we do not use Java or Log4J. ntop tools are immune to the above vulnerability hence there is no action or upgrade required. Enjoy ! …
Webinar

ntop MiniConf Italia 2021: December 16, 16:00 CET
This year we have organised various online events for our international community. Considered that we have many Italian speaking users we have decided to organise an event in Italian that will take place December 16th. Conference Slides [English] Intro, nDPI, nProbe PF_RING ntopng Conference Video [Italian]   …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe