All Blog Posts

ntop

Monitoring Traffic Using ntop: Cisco Traffic Analyzer

Most network administrators use ntop for monitoring Ethernet traffic. ntop can do much more than this: it can also monitor Fibre Channel and SCSI traffic. Cisco Traffic Analyzer is a software product based on ntop whose goal is to give Cisco MDS 9000 users a view of the network traffic. Did you know that ntop can also do this? …
PF_RING

Using PF_RING with Snort and Suricata for IDS/IPS Acceleration

Some users are exploiting PF_RING acceleration to improve popular IDS/IPS applications such as Snort and Suricata. Suricata has leveraged PF_RING since day one thanks to Will Metcalf, whereas I have added (again together with Will) support in snort using the DAQ library, part of the 2.9 version. Acceleration does not mean just improved packet capture, but also the ability to fully exploit multicore architectures by spreading packets across multiple application instances. This is a unique feature that can’t be found in pcap-based libraries. This is an excerpt from the snort-users mailing …
PF_RING

Meet ntop at RIPE 61 Rome (15-19 November)

Those who are interested in hearing about high-speed packet capture and filtering, and about monitoring in general, can show up at the next RIPE 61 meeting that will take place in Rome (15-19 November). I will be speaking about hardware packet filtering using commodity adapters and how this work can be used in real life, ranging from ntop/nProbe to snort and network troubleshooting. …
PF_RING

Improving snort performance using PF_RING and multi-queue adapters

As of PF_RING 4.5.x, the user-space tools part of PF_RING have been enhanced with native snort support. As of version 2.9, snort sits on top of a library called DAQ (Data Acquisition library) that creates a transparent layer between snort and the packet capture modules. PF_RING is now a first-class citizen in DAQ, as in PF_RING/userland/snort you can find the PF_RING DAQ module. This module not only allows snort to take advantage of PF_RING acceleration, but also allows it to offload some of its processing tasks to PF_RING. For instance …
ntop

A safe network for a relaxed life

My friends at Würth-Phoenix (I have to thank them for spreading the word about it) have prepared this presentation. It has not been conceived for professionals, but rather for those wishing to have a clue what ntop is about. …
nProbe

Using ntop as a flow collector for nProbe

nProbe is an efficient NetFlow/IPFIX probe that can also act as a collector, dumping flows on disk or onto a database (MySQL, sqlite and Fastbit). As ntop has not been designed to operate on large/fast networks, it’s possible to use nProbe as a pre-processor. In this configuration, nProbe captures packets from a network interface (or collects flows on a socket), computes flows based on packets, and sends them to ntop. Thus ntop acts as a flow collector. Supposing to: receive packets to account/analyze on interface eth1 of host X start ntop …
Announce

Monitoring and Solving Network Management Challenges

One of the unique nProbe features is its architecture that’s open to extensions. Plixer International is exploiting these nProbe features in their products. If interested you should attend this presentation.

2010 ACUTA Fall Seminar, 10/24/2010 – 10/27/2010, Sheraton Premier at Tysons Corner, Vienna, VA

Presenter: Michael Patterson, President/CEO, Plixer International, 1 Eagle Drive, Sanford, ME 04073

Bio sketch: Michael Patterson leverages his 16+ years of experience in network management to oversee the direction of the company’s network management solutions. Under Mike’s direction, Plixer has worked with more than 100 universities …
nProbe

Introducing nProbe v6

Today the new nProbe v6 has been released. It includes several improvements with respect to the previous version including: Full IPFIX support: PEN (Private Enterprise Numbers) and variable-length encoding. Ability to natively dump flows in FastBit format, which allows it to outperform relational and raw flow-based collectors. Ability to collect sFlow flows and turn them into flows (v5/v9/IPFIX). Collection of Cisco ASA flows and conversion into ‘standard’ flows. New nProbe architecture for better performance and exploitation of multicore architectures. Support of tunneled (including GRE, PPP and GTP) traffic and ability to export in flows inner/outer envelope/packet information. …
nProbe

nProbe Internals

nProbe is an efficient processing engine able to produce flows based on captured packets and to convert flow formats (e.g. from NetFlow v5 to v9, or from sFlow to NetFlow). Its engine is fully extensible by means of plugins, and it can handle many application-level protocols. This short document gives an overview of the nProbe internals and describes the nProbe plugin structure. …
PF_RING

10 Gbit Hardware Packet Filtering Using Commodity Network Adapters

The promise of filtering packets in hardware is not new. Unfortunately filtering network adapters are pretty expensive, not to mention if they run at 10 Gbit. Furthermore many commercial FPGA-based NICs feature hardware packet filtering, but often require card reconfiguration whenever flow rules are added/removed and have a limited set of rules that can be configured. The release of Intel X520, the first NIC based on the 82599-controller, has triggered my interest as this controller is much more powerful than what Linux can do with it. Thanks to support from …
PF_RING

PF_RING/TNAPI-based 10 Gbit Network Monitoring on Multicore Systems

Over the past couple of years, PF_RING has been enhanced to exploit innovations in computer hardware. In particular the availability of multicore systems and efficient controllers such as those introduced by Intel with the i7 family (in particular Nehalem and Sandy Bridge) has allowed applications to spread their load across all available processors (24 cores in dual-CPU Westmere systems). In addition to this, modern 82599-based 10 Gbit network adapters, which feature hardware-based packet filtering and prioritization across RX queues, have opened up a whole world of opportunities. For this reason in …
ntop

Twelve years of ntop

The Internet is pretty volatile. As new information becomes available, the old information disappears. Sometimes we have to look back and see what’s happened in the past years. Should you be interested in seeing how ntop changed in the past twelve years, you can have a look at this URL, that has several snapshots of the ntop web site. …