All Blog Posts

Announce

May 27th: Webinar on DPI-based traffic enforcement, ntop tools on pfSense/OPNsense

For a long time, ntop mainly focused on passive traffic analysis. As cybersecurity is becoming a main concern for many organisation and individuals, we have boosted our tools by introducing facilities for spotting threats and blocking unsafe traffic. This month we will organise a webinar that will cover two main topics: How to use the nProbe IPS mode to block traffic based on nDPI and other traffic policies. Tutorial on using ntopng and nProbe on pfSense/OPNsense. This event took place on Thursday May 27th at 4PM CET / 10AM EST. …
nProbe

Introducing nProbe IPS: 10 Gbit nDPI-based Traffic Policer and Shaper

This is to introduce a new nProbe feature that brings IPS (Intrusion Prevention System) support via nDPI for Linux and FreeBSD (including OPNsense and pfSense). As shown in the picture below, nProbe acts as a transparent bridge (with kernel offload) for applying pass/drop/shape rules to the forwarded traffic. Our goal is to combine the power of DPI and nDPI cybersecurity features to all nProbe users. When deployed on a firewall/gateway (including OPNsense/pfSense), nProbe can both monitor and apply policies to monitored traffic. Typical use case include (but are not limited …
Cybersecurity

Combining nDPI and Wireshark for Cybersecurity Traffic Analysis

At the upcoming Sharkfest Europe 2021 we’ll talk about using Wireshark in cybersecurity. Part of the talk will focus on nDPI and Wireshark integration. Since the last release nDPI features flow risk analysis, that is basically a numerical indication of potential risks associated with a network communication ranging from ‘TLS Certificate Expired’ to more complicated ‘Suspicious DGA domain name’ and ‘SQL injection’. You can find a comprehensive list of increasingly growing risks here. For the impatiens, this is a quick guide on how to play with this integration. Prerequisite Download …
ntopng

Detecting and Analysing Qakbot Traffic Using ntopng

In this post Martin shows how he has used ntopng to detect Qakbot trojan. Many thanks for this contribution. Introduction I am using ntopng for network monitoring quite some time now and I was curios to see, what ntopng would alert when detecting malware. The website malware traffic analysis is a great source for malware captured in network traffic. I decided to take a Qakbot infection with spambot activity [1]. From the pcap file name we see to expect Qakbot, a active [2] banking trojan [3] Cobalt Strike, a commercial …
nProbe

Best Practices for High Speed Flow Collection

Most people use nProbe and ntopng to collect flows using an architecture similar to the one below where nprobe and ntopng are started as follows: nprobe -3 <collector port> -i none -n none —zmq "tcp://*:1234" --zmq-encryption-key <pub key> ntopng -i tcp://nprobe_host:1234 --zmq-encryption-key <pub key> In this case ntopng communicates with nProbe over an encrypted channel and flows are sent in a compact binary format for maximum performance. If you do not need nProbe to cache and aggregate flows, you can also add --collector-passthrough on the nProbe side to further increase …
ntopng

What is Score, and How It can Drive You Towards Network Issues

Telemetry protocols such as sFlow/NetFlow, SNMP or packet-based traffic analysis are the source of data for network traffic monitoring. For a long time visibility was the main issue and people were attracted by new tools such as Grafana that allowed them to put on a screen a lot of data. A big misconception in this area is that the more data you see the less you understand as networks are constantly growing in both size and complexity and adding second or a third screen a PC isn’t the perfect way …
nProbe

How To Monitor Traffic Behind a Firewall (During and Post Pandemic)

Due to pandemic, many people are now working in a delocalised world: some work from home, others from the office. To make things even more complicated, in the past remote workers used to connect to the company network via a VPN. While this option is still possible, many resources are now available from the cloud thus making VPNs obsolete in some environments, in particular for mobile workforce that connects to the Internet by means of a cellular network. In the past months, some people contact us to ask how they …
Announce

Join FOSDEM 2021 ntop sessions, Sat-Sun Feb 6-7th (online)

We are proud to announce that a couple of talks have been accepted at FOSDEM 2021, one of the most important FOSS conferences in the world that this yar will take place online due to the pandemic. In the Network monitoring, discovery and inventory devroom we will give two presentations titled “Using nDPI for  Monitoring and Security” and  “ntopng network monitoring and discovery“. In addition, ntop has been given a virtual stand to present its opensource-related activities. The ntop team will always be available in a chatroom and a series …
Announce

Bringing Network Visibility, Cybersecurity and Encrypted Traffic Analysis to OPNsense, pfSense and FreeBSD

This is to announce the immediate availability of both ntopng and nProbe for OPNsense, pfSense and FreeBSD, directly supported by ntop, with nightly builds and all the features present on all other supported platforms such as Linux, Windows and MacOS. You can now Monitor network traffic based on nDPI. Encrypted traffic analysis (ETA) that enables you to have visibility of encrypted traffic and answer to questions such as: what portion of my available bandwidth is used by Netflix? Cyber threats analysis: ntopng con be used to effectively detect attacks, anomalies …
nProbe

Introducing nProbe 9.4: New Platforms Support and Product Editions

This is to announce nProbe 9.4 stable that is an incremental update of 9.2 released last fall. The goal of this maintenance release is to pave the way to pervasive embedded systems support as we now support OPNsense/pfSense/FreeBSD Soon we’ll make a separate announcement as soon as more ntop packages will be available for these platforms. Ubiquity EdgeRouter X Read this blog post for learning more about sub 100$ Ubiquity-based hardware probes. OpenWRT In addition we have decided to simplify the nProbe versions that were hard to understand for most …
Guides

ntopng, InfluxDB and Grafana: A Step-By-Step Guide to Create Dashboards

Creating Grafana dashboards out of ntopng data basically boils down to: Configuring ntopng to export timeseries data to InfluxDB Configuring the Grafana InfluxDB datasource to extract timeseries data from InfluxDB Adding Grafana Dashboards panels with ntopng data This post aims at covering the topics above to serve as reference for those who want to create Grafana dashboards. Configuring ntopng to Export Timeseries Data to InfluxDB To configure ntopng to export timeseries data to InfluxDB, visit the ntopng Timeseries preferences page, and pick InfluxDB as driver. Then, it suffices to configure …
nScrub

A Step-By-Step Guide for Protecting Your Network with nScrub

Distributed Denial of Service (DDoS) attacks represent a family cyber-attacks that are more and more common nowadays. They aim to make the service unavailable by overwhelming the victim with high traffic volumes (this is the case of volumetric or amplification attacks based on UDP, ICMP, DNS, …) or an high number of requests (including TCP connection attacks like the SYB flood, or Layer 7 attacks able to exhaust the resources of the service at the application level). This differentiate them from other cyber-attacks like intrusion attacks or malwares aiming to destroying, stealing …