All Blog Posts

ntopng

Say hello to nIndex: Personal Big Data System for Network Flows

Being able to store network flows is a very challenging task using generic databases. Networks are becoming faster and faster and, nowadays, flow-based analysis tools should store tens, or even hundreds, of thousands of flows per second, to keep up with SME and enterprise demands. Existing tools, such as relational databases, fail to accomplish this task. Unless you have unlimited resources available, tons of RAM and clusters of machines, chances are your database will choke, quickly becoming too slow to enable queries from being performed in a reasonable time. It was incredible …
ntop

Introducing n2disk 3.2: towards 100 Gbit to disk

This is to announce a new n2disk release 3.2. This release, besides addressing a few issues, includes new juicy features: Multithreaded dump and support for multiple volumes. This is useful in a few cases: If you want to record traffic above 30-40 Gbit/s to HDDs or SSDs, you should pay attention to the RAID controller limit. In fact, even if you use many disks in a RAID 0 configurations, many controllers are not able to scale above 30-40 Gbit/s of sustained write throughput. Load-balancing traffic across multiple controllers could be …
ntop

Introducing PF_RING 7.4: PF_RING FT, Containers and Virtual Functions Support

This is to announce a new PF_RING major release 7.4. This release includes many improvements to the PF_RING FT library, which is now more mature thanks to new API functionalities and features that provide more flexibility. This release also addresses many issues, and moves a step forward in the same direction of release 7.2, which included full support for Containers and Namespaces, adding support for CoreOS containers and ZC Virtual Function drivers, technologies commonly available in cloud services. This is the complete changelog: PF_RING Library New pfring_open PF_RING_DO_NOT_STRIP_FCS flag to disable …
ntop

Introducing nDPI 2.6: several new dissectors, DPDK and Hyperscan support

This is to announce the release of nDPI 2.6. Several dissectors have been improved and a few new ones have been added, as well we have improved the detection logic (this in case we have to guess the protocol due to incomplete data). This is also the first release of nDPI that natively supports Intel DPDK and also that improves Intel Hyperscan support. Please find below the complete changelog. Enjoy!   Changelog New Supported Protocols and Services New Bitcoin, Ethereum, ZCash, Monero dissectors all identified as Mining New Signal.org dissector New Nest …
nProbe

Measuring ntopng+nProbe Flow Processing Performance

NOTE: this post is outdated. Latest versions of ntopng and nProbe improve performance significantly. New figures are given in this post. In this post we try to analyze the performance of nProbe and ntopng for the collection of NetFlow. ntopng and nProbe will be broken down into smaller functional units and such units will be analyzed to understand the maximum performance of every single task as well as of the overall collection architecture. The machine used for the analysis is equipped with an 4-core Intel(R) Xeon(R) CPU E3-1230 v5 @ 3.40GHz …
ntopng

ntopng Disk Requirements for Timeseries and Flows

Being able to do a priori estimations of the space that ntopng is going to use in a production environment is fundamental for the provisioning of the storage. In this post we try to estimate the space used by ntopng to store timeseries and flows. Timeseries The number of timeseries generated by ntopng depends almost exclusively on the number of local hosts. Other timeseries generated, including those for the interfaces or SNMP devices, are generally orders of magnitude less than those generated for local hosts. For this reason, it is …
ntopng

Advanced SNMP Monitoring with ntopng

It has been a while since we have added SNMP support to ntopng. The first release, presented in this blog post, implemented basic SNMP support. Since then we have code various improvements and new feature, with the aim of turning ntopng in an advanced SNMP monitor. Among the extensions we have implemented are the following: A cache to decouple the polling of devices from the browsing of polled data Devices are polled periodically by ntopng with a background task that cycles them at 5-minute intervals and sends polled data to …
Components

Remote ntopng Authentication with RADIUS and LDAP

In large organizations, it is common to have a centralised authentication system usually named AAA (Authentication, Authorization and Accounting). Managing users typically involves the definition and enforcement of the rights to do some operations or to access certain resources in a network. Being able to grant (or deny) such rights using a centralized authentication system is the only viable solution when it comes to dealing with large organizations with hundreds, or even thousands, of users that periodically join and leave. AAA protocols include Remote Authentication Dial-In User Service (RADIUS) and …
n2n

Use Remote Assistance to Connect to ntopng Instances

A problem same ntop users how to face with, is the ability to remote access a ntopng instance running behind a firewall. This can be solved using a VPN or other means that often require to deploy an additional network service. Some of our ntop users are familiar with n2n, an open source peer-to-peer VPN ntop developed and maintains. With n2n in essence is possible to create a network overlay that allows you to access your assets in a secure way, this regardless of your network configuration. For this reason …
nDPI

Traffic Classification Using nDPI over DPDK

Last week we have attended the DPDK Summit North America 2018 and talked about how to use nDPI over DPDK, a kernel-bypass toolkit similar to PF_RING. For those who have not attended the presentation, they can read the presentation slides. As you will be read, nDPI is a cross platform deep packet inspection toolkit able to process about 10 Gbit of traffic with a single core on an Intel E3 CPU. Its code is portable across various architectures, you can use it from user space and kernel (not what we …
nProbe

sFlow Collection and Analysis with nProbe and ntopng

sFlow, short for sampled Flow, is a sampling technology designed to export network devices information, namely: Interface counters (à la SNMP MIB-II); Traffic packets (à la ERSPAN). sFlow agents run on switches, routers, firewalls and other devices, and periodically export interface counters and traffic packets via UDP towards one or more sFlow collectors. sFlow, relying on sampling processes to periodically counters and packets, is scalable and ultra-lightweight and has been embedded into network devices by tens of vendors and manufacturers. Contrary to NetFlow (please note that in sFlow parlance the …
nProbe

Using nProbe for Collecting Ixia IPFIX with IxFlow extensions

Ixia allows to enrich IPFIX records with value-add extensions. Additional information that can be exported, along with standard fields such as source and destination IP addresses, include: Geographical information such as region IP, latitude and city name Application ID or name, device, browser and even SSL cipher used Detail on application and handset (device) type for mobile users HTTP URL and hostname for web activity tracking HTTP and DNS metadata for rapid breach detection Transaction Latency for application performance tracking The latest version of nProbe provides full support for Ixia …