All Blog Posts

ntopng

Infrastructure Monitoring: Observing The Health and Status of Multiple ntopng Instances
Introduction Quis custodiet ipsos custodes? (Juvenal). In other words: who will guard the guards themselves? If you use ntopng to monitor your network, you also need to make sure ntopng is monitored as in case of failure, ntopng will not report any alert, and the network administrator can interpret that as a sign of good health, instead of interpreting it as lack of monitoring.Recent 4.3+ versions of ntopng have the capability to monitor other ntopng instances, being them in the same local LAN or physically/geographically distributed. This capability, also referred …
nProbe

nProbe 9.6 Released: IPS, ClickHouse, Observation Points, FreeBSD Support
This is to announce the release of nProbe 9.6 whose main features include: Support of IPS (Intrusion Prevention System) mode. Added support of high-capacity ClickHouse database enabling nProbe to dump ~125k Fps to database. Implemented the concept of Observation Point to enable distributed collection labelling. Added support for collecting and generating flows using Amazon Virtual Private Cloud (VPC) flow logs. Out of the box native FreeBSD/OPNsense/pfSense support. Support of traffic directions in collected traffic. Transparent VM systemId support to implement persistent systemId during VM migrations. Added companion tool nprobe-config for …
cento

Introducing nProbe Cento 1.14
This is to announce a new release of the ntop’s 100 Gbit probe, nProbe Cento 1.14. In this version we have integrated the latest features from nDPI, the ntop’s Deep-Packet-Inspection engine, that is now 2.5x faster than the previous version. Flows are enriched with Flow Risks, which represents a set of issues detected by nDPI, and a Flow Score, which is computed based on the risks severity, to indicates how bad is each flow. The flow dump has also been improved by adding the Community ID (a flow identifier which …
nDPI

Introducing nDPI 4.0: DPI for CyberSecurity and Traffic Analysis
This is to announce nDPI 4.0. With this new stable release we have extended the scope of nDPI that was originally conceived as a toolkit for detecting application protocols. nDPI is now a modern library for packet processing that in addition to DPI it includes self-contained, efficient (both in memory and processing speed) streaming versions of popular algorithms for data analysis including: Data Forecasting and Anomaly Detection Single, Double, Triple (Holt-Winters) Exponential Smoothing RSI (Relative Strength Index) Data Binning, Clustering, and Similarity Evaluation Network Data Analysis Jitter Entropy GeoIP Data …
nProbe

Collecting Flows from Hundred of Routers Using Observation Points
Collecting flows on large networks with hundred of routers can be challenging. Beside the number of flows to be collected, another key point is to be able to visualize the informations in a simple yet effective way. ntopng allows you to create up to 32 virtual flow collection interfaces that can be used to avoid merging collected flows: unfortunately they are not enough when collecting flows from 100+ routers. In the latest ntopng and nProbe dev versions (soon to become stable), we have implemented the concept of observation point, that …
nProbe

NetFlow/IPFIX At Scale: Comparing nProbe/ClickHouse vs nProbe/ntopng
In our previous post we have analysed the performance of the pipeline nProbe+ntopng for those who need to collect flows and analyse them, trigger alerts, create timeseries, provide a realtime monitoring console, dump them to nIndex and inform remote recipients in case of some problem is detected. This is the main difference between the ntop solution and a NetFlow collector whose main goal is to dump flows on a database with any or little flow analysis. In essence the current state of the art with 4 nProbe instances sending data …
nProbe

NetFlow Collection Performance Using ntopng and nProbe
Introduction ntopng, in combination with nProbe, can be used to collect NetFlow. Their use for NetFlow collection is described in detail here. In this post we measure the performance of nProbe and ntopng when used together to collect, analyze, and dump NetFlow data. The idea is to provide performance figures useful to understand the maximum rate at which NetFlow can be processed without loss of data. Before giving the actual figures, it is worth discussing briefly the most relevant unit of measure that will be used, i.e., the number of …
nProbe

How to Collect and Analyse AWS VPC Flow Logs
Amazon Virtual Private Cloud (VPC) flow logs and in essence text-based Netflow-like logs consisting of fields that describe the traffic flow. They are often collected on disk and published to S3 buckets or CloudWatch for an AWS-centric monitoring infrastructure (extra AWS charge is necessary). Now suppose that you want to use this information to monitor your VPC using ntop tools or turn these logs in industry standard NetFlow/IPFIX flows that can be ingested in any monitoring application unable to understand this proprietary log format. In this case you can use …
nProbe

Handling Traffic Directions with sFlow/NetFlow/IPFIX
Network interfaces natively support RX and TX directions, so tools such as ntopng can detect the traffic directions and depict this information accordingly. In the above picture that ntopng shows in the top menubar, TX traffic is depicted in blue and RX in green. All simple. Now suppose you need to analyse sFlow/NetFlow/IPFIX flows, and be interested to understand how much traffic leaves/enters your network. Example suppose you generate IPFIX flows on your Internet gateway: how much of this traffic is sent to the Internet and how much is received? …
nProbe

nProbe IPS: How To setup an Inline Layer-7 Traffic Policer in 5 Minutes
Introduction Recently, we have added Intrusion Prevention System (IPS) capabilities to our nProbe. Those capabilities are available starting from the latest 9.5 version, both for Linux and FreeBSD – including OPNsense and pfSense, and are available with all nProbe versions and licenses (see the product page for additional details). On Linux, nProbe leverages the netfilter framework. In essence, the kernel send packets to nProbe via NF_QUEUE which, in turn, gives each packet a pass/drop verdict so that it can be dropped or let it continue its journey through the network. …
Cybersecurity

How to Spot Unsafe Communications using nDPI Flow Risk Score
nDPI it is much more than a DPI library used to detect the application protocol. In the past year, nDPI has grown in terms of cybersecurity features used to detect threats and network issues leveraging on the concept of flow risk. Each nDPI-analysed flow has associated a numerical flow risk that in essence is a bitmap with a bit set to 1 whenever a risk has been detected for such flow. The list of (to date) supported flow risks are: HTTP suspicious user-agent HTTP numeric IP host contacted HTTP suspicious …
Cybersecurity

On Network Visibility and Cybersecurity
Today we had the change to talk about network visibility and cybersecurity during an event organised by the Milan Internet Exchange MIX-IT. In this talk we have presented the current state of development in this area at ntop and provided an outlook of some of the features that we’re developing and that will be released later this summer. These are the presentation slides for those who didn’t have the change to attend the event. Enjoy ! …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe