All Blog Posts

Announce

nDPI 2.8-stable is Out

This new release brings several fixes that make nDPI more stable, especially in DNS and HTTP traffic dissection. Here is the full list of changes: New Supported Protocols and Services: added Modbus over TCP dissector. Improvements: Wireshark Lua plugin compatibility with Wireshark 3, improved MDNS dissection, improved HTTP response code handling, full dissection of HTTP responses. Fixes: fixed false positive mining detection, fixed invalid TCP DNS dissection, releasing buffers upon realloc failures, ndpiReader: prevents references after free, endianness fixes, fixed IPv6 HTTP traffic dissection, fixed H.323 detection. Other …
nProbe

How to export BGP routing information (AS Path) in network flows

Tools like traceroute have been used for a long time to track the forward path of packets, i.e. the journey of our packets to a remote destination. Unfortunately, traceroute says nothing about the path of ingress packets, unless one assumes that routing is symmetrical, which is often not the case. For this reason we have designed a solution that allows path information to be reported in emitted flows. As the most popular exterior gateway protocol used on the Internet is BGP, we have designed a tool that …
nEdge

How to Track and Fight Malware, Ransomware, Botnets… using ntopng

Malware blacklists are not something new to ntopng. ntopng (including ntopng Edge) has integrated the Emerging Threats blacklist https://rules.emergingthreats.net for a long time. The 3.6 stable release also introduced some webmining blacklists, which flag online mining sites and generate alerts. Despite the new integrations, ntopng lacked the ability to inform users about the lists currently in use and let them verify the update status of each list. For these reasons, we've decided to implement the Category Lists, which give users full visibility and control over the lists …
Announce

Introducing libebpfflow: packet-less network traffic and container visibility based on eBPF

As previewed during our FOSDEM 2019 talk, this is to introduce libebpfflow, a new library for enabling network traffic and container visibility based on eBPF. Designed to be CPU and memory friendly (its presence is almost unnoticeable), it allows people to inspect network communications inside a system. It provides visibility for processes, users and containers. Built from scratch on eBPF, it allows people to develop monitoring applications and network sensors without having to deal with packets. It sounds strange, but this is the idea: how to monitor networks without looking …
ntopng

Identifying Suspicious Flows: Network Issues or Misbehaving Hosts ?

Starting from the latest 3.9 version, ntopng features a handy dropdown menu that allows you to filter flows on the basis of their current TCP state. Being able to filter flows by TCP state is particularly useful, as it separates normal flows from those that are suspicious or symptomatic of certain network issues. For example, one can unveil: Flows that only have a client SYN. This can identify clients attempting to connect to a server that is no longer responding (down?) or misbehaving …
ntopng

How to Detect Malware Hosts and Scanners Using ntopng

Hosts directly connected to the Internet are often contacted by scanners and malware hosts. For a few releases now, ntopng has integrated a blacklist that is refreshed daily. Whenever a host on this list contacts your ntopng instance, an alert is triggered and displayed in the flow alerts. This feature allows you to see who has contacted you with (usually) bad things in mind. If instead you want to see in real time which blacklisted hosts are contacting you, you can click the hosts menu and select "Blacklisted Hosts" as shown …
ntopng

Network Traffic Analysis in ntopng (a.k.a. ntopng 2019 Roadmap)

Aut viam inveniam aut faciam (I shall either find a way or make one), Hannibal 247-182 B.C. For years ntopng has been a solution for collecting, analysing and visualising network traffic, but with a major limitation. It is so rich in data display and reporting that users need to be experts who know what they are looking for. If not, they get lost in all the data the web GUI presents, which is the opposite of what we set out to do. It is now time to go beyond simple threshold analysis, as currently implemented in …
News

ntop at FOSDEM 2019: eBPF and High-Resolution Metrics

Hi all, this is to invite all of our community to meet the ntop team at FOSDEM 2019, later this week-end. We have two talks scheduled and we'll be talking about system visibility and high-resolution network monitoring. Below you can find the talk schedule as well as the presentation slides we'll be using for our presentations. Merging packets with system events using eBPF [Sat, 11:40 AM, Slides] Augmented Network Visibility with High-Resolution Metrics [Sun, 9:50 AM, Slides] We would like to meet our community and spend some time with you talking …
Announce

Introducing Ubuntu 18 Support for ntopng Edge (nEdge)

Six months after the first nEdge announcement, and in response to our customers' feedback, nEdge now provides brand new features, like the ability to apply policies based on the device type, RADIUS integration for captive portal user authentication, the ability to add static routes when running in router mode and the programmatic configuration of users and policies. Today, one of the most requested features is finally ready: support for Ubuntu 18.04! Ubuntu 18.04 is the new LTS stable release of Ubuntu. It adopts a new environment for …
ntop

Honouring System Default Policies on ntop Packages

Many distributions provide mechanisms to let the system administrator decide whether newly installed packages should be enabled and/or started automatically. Previously, the ntop services were always enabled and started automatically after the first package installation, regardless of any system preferences. Now the ntop packages rely on system utilities to properly start, stop and restart services after installation in order to correctly honour system policies. Due to the distribution-specific defaults, this is now the default behaviour of the services installed by the ntop packages: Debian/Ubuntu, CentOS 7, Other: Started …
Announce

Welcome to ntopng 3.8 with continuous drill down: packets, flows, activities

We are happy to announce ntopng stable 3.8. This is the core of the next 4.0 release, as it integrates new features that will be consolidated in the next release scheduled for spring. The main features include: SQL database-free high-speed traffic indexing based on a new home-grown technology. As explained in this post, we managed to store compressed flow information on disk combined with high-speed retrieval. Just add "-F nindex" to ntopng to start using this new feature, currently available in the ntopng Enterprise edition. You can read more here. …
n2disk

Drill Down Deeper: Using ntopng to Zoom In, Filter Out and Go Straight to the Packets

ntopng has grown significantly over the past years, providing an increasingly interesting set of features to support network analysts and troubleshooters in their decisions. Among the most relevant features, it is worth mentioning that the timeseries inspection pages have been redesigned and profoundly reworked to facilitate the drill-down of historical data. Similarly, a home-grown high-speed special-purpose flow database has been seamlessly integrated into ntopng to ease the storage and retrieval of historical flows. However, the circle was not really closed. A piece was missing. Something that could take us down to the …