All Blog Posts

nDPI

How nDPI Improved Bloom Filters Implementation

A Bloom filter is a probabilistic data structure used to test whether an element is present in a set. Bloom filters are affected by false positives: when a filter returns true it does not mean that the searched element is part of the set, only that it is “likely” to be part of the set (a negative answer, instead, is always correct). nDPI (and most tools ntop develops) uses Bloom filters to speed up search operations, using a quick membership check to avoid slower lookups. For instance if ntopng needs to know whether host A has …
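To make the "no false negatives, some false positives" behaviour concrete, here is a small Bloom filter added as an example for this page (it is not nDPI's implementation): a bit array with k = 4 positions per key, derived by double hashing from two seeded 64-bit FNV-1a hashes. The filter size, the host addresses and the function names are assumptions chosen for illustration; with 400 keys in 4096 bits the expected false-positive rate, (1 - e^(-kn/m))^k, is about 1.1%, so probing 10000 hosts that were never inserted should report roughly a hundred of them as "probably present".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOOM_BITS   4096   /* m: bits in the filter (512 bytes) */
#define BLOOM_HASHES 4      /* k: bit positions set per key */

typedef struct {
    uint8_t  bits[BLOOM_BITS / 8];
    uint32_t num_items;     /* n: keys inserted so far */
} bloom_t;

/* 64-bit FNV-1a; the seed lets us derive a second, independent-looking hash. */
static uint64_t fnv1a64(const void *data, size_t len, uint64_t seed) {
    const uint8_t *p = (const uint8_t *)data;
    uint64_t h = 0xcbf29ce484222325ULL ^ seed;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* i-th bit position of a key: h1 + i*h2 (Kirsch-Mitzenmacher double hashing),
 * so k positions cost two hash computations instead of k. */
static uint32_t bloom_bit(const void *key, size_t len, unsigned i) {
    uint64_t h1 = fnv1a64(key, len, 0);
    uint64_t h2 = fnv1a64(key, len, 0x9e3779b97f4a7c15ULL) | 1u; /* odd: reaches every bit */
    return (uint32_t)((h1 + (uint64_t)i * h2) % BLOOM_BITS);
}

void bloom_init(bloom_t *b) { memset(b, 0, sizeof(*b)); }

void bloom_add(bloom_t *b, const void *key, size_t len) {
    for (unsigned i = 0; i < BLOOM_HASHES; i++) {
        uint32_t bit = bloom_bit(key, len, i);
        b->bits[bit >> 3] |= (uint8_t)(1u << (bit & 7));
    }
    b->num_items++;
}

/* 0 = definitely not in the set (at least one of its bits is clear);
 * 1 = probably in the set (can be a false positive, never a false negative). */
int bloom_maybe_contains(const bloom_t *b, const void *key, size_t len) {
    for (unsigned i = 0; i < BLOOM_HASHES; i++) {
        uint32_t bit = bloom_bit(key, len, i);
        if (!(b->bits[bit >> 3] & (1u << (bit & 7))))
            return 0;
    }
    return 1;
}

/* Constructed workload (an assumption of this example): remember 400 hosts from
 * 10.0.0.0/16, then probe 10000 hosts from 192.168.0.0/16 that were never added. */
#define SEEN_HOSTS  400
#define PROBE_HOSTS 10000

static size_t host_key(char *buf, size_t n, int a, int b, int idx) {
    return (size_t)snprintf(buf, n, "%d.%d.%d.%d", a, b, idx / 256, idx % 256);
}

static void fill_seen_hosts(bloom_t *bf) {
    char key[32];
    bloom_init(bf);
    for (int i = 0; i < SEEN_HOSTS; i++)
        bloom_add(bf, key, host_key(key, sizeof key, 10, 0, i));
}

/* Returns 1 when every inserted host is reported present (no false negatives). */
int demo_no_false_negatives(void) {
    bloom_t bf;
    char key[32];
    fill_seen_hosts(&bf);
    for (int i = 0; i < SEEN_HOSTS; i++)
        if (!bloom_maybe_contains(&bf, key, host_key(key, sizeof key, 10, 0, i)))
            return 0;
    return 1;
}

/* Returns how many never-inserted hosts the filter wrongly reports as present. */
int demo_false_positives(void) {
    bloom_t bf;
    char key[32];
    int fp = 0;
    fill_seen_hosts(&bf);
    for (int i = 0; i < PROBE_HOSTS; i++)
        if (bloom_maybe_contains(&bf, key, host_key(key, sizeof key, 192, 168, i)))
            fp++;
    return fp;
}

int main(void) {
    printf("no false negatives: %d\n", demo_no_false_negatives());
    printf("false positives: %d of %d probes\n", demo_false_positives(), PROBE_HOSTS);
    return 0;
}
```

The practical consequence for a tool like ntopng is that a Bloom filter can only be used to skip work safely: a "not present" answer lets the slow path be avoided, while a "present" answer still has to be confirmed by the exact (slower) lookup, otherwise the false positives above would turn into wrong results.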
Features

How we Improved Alarm Delivery in ntopng

Sometimes a critical issue shows up in your network and you’d like to be notified by ntopng on Telegram or by e-mail. ntopng allows you to filter alerts for each recipient based on a few criteria, including alert family, category, severity, or affected hosts. However, in some cases you want to be notified about one very specific alert out of all the alerts produced with the same family, category and severity. For example, it’s important to be notified when an interface has no traffic, or when a new device (MAC) connects or …
ntop

Introducing PF_RING 8.6: Runtime Filtering and On Demand IDS at 100 Gbit

This is to announce the new PF_RING 8.6 release! This stable release introduces a new Runtime component in PF_RING, which adds support for runtime filtering. This allows an external application to push filtering rules (through a Redis queue) while the socket is running, and to offload them to the adapter when supported (e.g. on NVIDIA/Mellanox ConnectX adapters). This enables running Zeek and Suricata “on demand” at 100 Gbit, as discussed in a previous post. This release also adds support for Debian 12 and the latest 6.x kernel shipped with Ubuntu 22 LTS. Many other improvements …
ntop

Sorting Out and Clustering Alerts in ntopng

In a previous post, What’s In The (Alert) Inbox?, we discussed how alerts are organised in the Alerts Explorer. The new “inbox” design allows us to cluster alerts into separate folders, keeping high-priority events, which require attention and need to be addressed as soon as possible, apart from minor events. This solves one issue: having all critical alerts under control, while still tracking and archiving all minor network issues (which contribute to the host score, and may still be of interest when drilling down during analysis). In a system which …
ntop

What’s In The (Alert) Inbox?

ntopng emits alerts in order to report relevant events. They can be triggered by traffic thresholds, user scripts, behavioural checks, or by security issues, including those detected by IDS systems integrated with ntopng (the full list of built-in checks, and related alerts, that can be enabled in ntopng is available in the Alerts section of the documentation). Sometimes they are really critical and should be handled immediately to fix the problem; this is the case for security events, for instance (e.g. a compromised host that must be sanitized as soon as …
Cybersecurity

How Effective Are IP Blacklists When Used For Detecting Malicious Activities?

A blacklist is an access control mechanism which denies access to selected network resources to peers belonging to a curated list. Blacklists often represent the first line of defence for many networks, as they reduce the risk of internal hosts establishing communications with peers that have a bad reputation. Many companies use blacklists for detecting malicious activities. In ntopng we use IP blacklists to label traffic exchanged with malicious peers. While the concept of a blacklist is very simple and many people are familiar with it, we know very little of how …
nDPI

How nDPI Identifies Fully Encrypted Protocols

The paper How the Great Firewall of China Detects and Blocks Fully Encrypted Traffic describes a technique used by censors to identify and block fully encrypted protocols. This technique, limited to TCP flows, applies a few heuristics to the first TCP packet with payload, making it fast and convenient although with a small (< 1%) percentage of false positives. Each heuristic is an exemption: if any of them matches, the flow is considered not fully encrypted and is left alone. Ex1: popcount(pkt)/len(pkt) ≤ 3.4 or popcount(pkt)/len(pkt) ≥ 4.6, i.e. the average number of set bits per byte is outside the range expected of random-looking data. Ex2: The first six (or more) bytes of pkt are in the printable range [0x20, 0x7e]. Ex3: More than …
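To make the heuristics concrete, here is an added example written for this page (it is not nDPI's implementation) that applies Ex1 and Ex2 above, plus Ex3 and Ex4 as stated in the cited paper (more than 50% printable bytes, and more than 20 contiguous printable bytes; the paper's fifth exemption, protocol fingerprint matching, is left out), to three constructed payloads: an HTTP request, a zero-padded binary header and a xorshift-generated stand-in for ciphertext. The sample bytes, thresholds encoded in integer arithmetic and function names are assumptions of this example, not captured traffic.

```c
#include <stdint.h>
#include <stdio.h>

/* Exemptions: if any of them matches, the payload is NOT treated as fully encrypted. */
enum {
    EX1_POPCOUNT_OUTSIDE_RANGE = 1 << 0, /* set bits per byte <= 3.4 or >= 4.6 */
    EX2_PRINTABLE_PREFIX       = 1 << 1, /* first six bytes are printable ASCII */
    EX3_MOSTLY_PRINTABLE       = 1 << 2, /* > 50% printable bytes (from the paper, not in the excerpt) */
    EX4_LONG_PRINTABLE_RUN     = 1 << 3  /* > 20 contiguous printable bytes (from the paper, not in the excerpt) */
};

static int is_printable(uint8_t c) { return c >= 0x20 && c <= 0x7e; }

static size_t popcount_bytes(const uint8_t *p, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        uint8_t b = p[i];
        while (b) { b &= (uint8_t)(b - 1); n++; } /* clear the lowest set bit */
    }
    return n;
}

/* Ex1 in integer arithmetic to avoid floats: pc/len <= 3.4  <=>  10*pc <= 34*len.
 * Random ciphertext averages 4 set bits per byte; structured data drifts away from it. */
int ex1_popcount_outside_range(const uint8_t *pkt, size_t len) {
    size_t pc = popcount_bytes(pkt, len);
    return len > 0 && (10 * pc <= 34 * len || 10 * pc >= 46 * len);
}

int ex2_printable_prefix(const uint8_t *pkt, size_t len) {
    if (len < 6) return 0;
    for (size_t i = 0; i < 6; i++)
        if (!is_printable(pkt[i])) return 0;
    return 1;
}

int ex3_mostly_printable(const uint8_t *pkt, size_t len) {
    size_t printable = 0;
    for (size_t i = 0; i < len; i++) printable += (size_t)is_printable(pkt[i]);
    return len > 0 && 2 * printable > len;
}

int ex4_long_printable_run(const uint8_t *pkt, size_t len) {
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = is_printable(pkt[i]) ? run + 1 : 0;
        if (run > 20) return 1;
    }
    return 0;
}

unsigned exemption_flags(const uint8_t *pkt, size_t len) {
    unsigned f = 0;
    if (ex1_popcount_outside_range(pkt, len)) f |= EX1_POPCOUNT_OUTSIDE_RANGE;
    if (ex2_printable_prefix(pkt, len))       f |= EX2_PRINTABLE_PREFIX;
    if (ex3_mostly_printable(pkt, len))       f |= EX3_MOSTLY_PRINTABLE;
    if (ex4_long_printable_run(pkt, len))     f |= EX4_LONG_PRINTABLE_RUN;
    return f;
}

/* Classify the first TCP payload of a flow: fully encrypted only if nothing exempts it. */
int looks_fully_encrypted(const uint8_t *pkt, size_t len) {
    return len > 0 && exemption_flags(pkt, len) == 0;
}

/* Constructed samples for this example, not captured traffic. */
static const char http_get[] = "GET / HTTP/1.1\r\nHost: example.com\r\n\r\n";

/* Binary header padded with zero bytes (constructed; not a real TLS message):
 * 16 set bits in 64 bytes, far below the 3.4 bits/byte lower bound of Ex1. */
static const uint8_t zero_padded[64] = { 0x16, 0x03, 0x01, 0x00, 0x40, 0x01, 0x00, 0x00, 0x3c, 0x03, 0x03 };

/* Ciphertext stand-in: xorshift32 output bytes; the first byte is forced >= 0x80
 * so the sample cannot trip Ex2 by chance. */
static uint8_t ciphertext[256];
static const uint8_t *constructed_ciphertext(size_t *len) {
    uint32_t x = 0x2545F491u;
    for (size_t i = 0; i + 3 < sizeof ciphertext; i += 4) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        ciphertext[i]     = (uint8_t)x;
        ciphertext[i + 1] = (uint8_t)(x >> 8);
        ciphertext[i + 2] = (uint8_t)(x >> 16);
        ciphertext[i + 3] = (uint8_t)(x >> 24);
    }
    ciphertext[0] |= 0x80;
    *len = sizeof ciphertext;
    return ciphertext;
}

unsigned demo_http_flags(void) { return exemption_flags((const uint8_t *)http_get, sizeof http_get - 1); }
unsigned demo_zero_padded_flags(void) { return exemption_flags(zero_padded, sizeof zero_padded); }
int demo_ciphertext_flagged(void) {
    size_t n;
    const uint8_t *p = constructed_ciphertext(&n);
    return looks_fully_encrypted(p, n);
}

int main(void) {
    printf("HTTP GET: exemptions 0x%x\n", demo_http_flags());
    printf("zero-padded header: exemptions 0x%x\n", demo_zero_padded_flags());
    printf("ciphertext-like payload: fully encrypted = %d\n", demo_ciphertext_flagged());
    return 0;
}
```

The HTTP request is exempted by its printable prefix (Ex2) and by being mostly printable (Ex3), the zero-padded header is exempted only by its low bit density (Ex1), and only the random-looking payload survives all exemptions. Note that everything hinges on the first payload packet of the flow: a classifier like this sees only one packet, which is exactly why the paper reports a small but non-zero false-positive rate.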
ntopng

Understanding Timeseries Throughput Calculation

ntopng creates timeseries for traffic by periodically (e.g. every minute) writing into RRD/InfluxDB the traffic volume observed. Below you can see an example. Traffic is used to keep track of the data volume exchanged. Over time timeseries are aggregated (rolled up) to save space, meaning for instance that 60 one-minute observations are used to compute an hourly observation. A timeseries rollup involves summarising the original time series data over larger time intervals. The purpose of a rollup is to reduce the volume of data and make it more manageable while …
ntopng

HowTo Trigger an Alert When Contacting a Website/IP with ntopng

ntopng has native blacklist support that enables the generation of alerts when malware sites are contacted. You can enable/disable the active blacklists by accessing the blacklist page from the preferences menu of the left sidebar, and also configure list properties such as the refresh rate. Now suppose you want to trigger an alert when a specific IP address or website is contacted (regardless of whether a clear-text protocol such as HTTP or encrypted TLS-based communication is used). How can you do that? See it below: Define a …
Announce

ntopConf 2023 (25 years of ntop) Registration is Now Open

This is to announce that registration for the ntop Conference 2023, 25 years since the first release of ntop, is now open. As in past conferences, this event is divided into two days: the first day is allocated to training on ntop products, the second day to the main conference and workshop. You can read the conference and training agenda on the ntopConf 2023 page, from which you can also reserve your seat. Finally, a few notes. In order to make this event effective we have decided that: …
nEdge

Deploying nEdge with Multiple (Virtual) LANs (and WANs)

Exactly three years have elapsed since the introduction of nEdge (ntopng Edge), and despite the fact that we haven’t posted much about it on our blog, this tool has continued to grow, many features have been added over time, and we see that every time new users have the chance to try it, they are amazed by the capabilities it provides. If this is the first time you hear about nEdge, we suggest reading the introductory post, which explains how nEdge enables network administrators to enforce Layer-7 policies on network users, and the nEdge product page, which provides …
Features

Using Traffic Rules To Supervise Network Traffic

The Problem. Let’s assume that you have a network where local hosts generate a constant amount of traffic. How do you find out whether they are misbehaving? It happens that some local host starts behaving strangely, with an abnormal amount of traffic (sent or received) with respect to its recent past: how can you spot these situations and report them with an alert? This is why we have created the Local Traffic Rules page: users can now define custom volume/throughput thresholds for some (or all) local hosts. You can also …