A 1/10/40/100 Gbit NetFlow/IPFIX Probe, Traffic Classifier, and Packet Shunter
nProbe™ Cento is a high-speed NetFlow probe able to keep up with 1/10/100 Gbit. nProbe™ Cento is not just a fast Netflow probe, it has been designed as the first component of a modular monitoring system: besides capturing ingress packets and computing flow data, it can be used to classify the traffic via DPI (Deep Packet Inspection) and performs optional actions on selected packets/flows when used as traffic forwarder in combination with other applications such as IPS/IDS, traffic recorders, etc.
- NetFlow v5/v9/IPFIX support
- Flow export to JSON, Text, Kafka, Syslog, ntopng
- IPv4 and IPv6 support
- Native PF_RING and PF_RING ZC support for high-speed packet processing
- Support of Accolade, Intel, Myricom, Napatech 10/40/100 Gbit NICs, and Silicom/Fiberblaze 10/100 Gbit NICs
- Scalable, multithreaded design, ingress traffic can be load balanced across multiple streams on multi-core architectures
- Layer-7 application visibility using nDPI (Deep Packet Inspection) or micro-nDPI (a lightweight DPI library supporting the most important protocols such as HTTP/HTTPS/DNS) for improved performance
- Flow-based Load Balancing to IDS/IPS (Snort, Bro, Suricata)
- Traffic filtering based on protocols to reduce the load on the IDS
- Feedback channel for traffic filtering/shunting from an IPS: “forward this flow”, “drop this flow”, “divert this flow through the IPS”
- Traffic filtering and slicing for saving storage space removing meaningless data when forwarding traffic to a packet-to-disk application such as n2disk
nProbe™ Cento can be used in multiple configurations. Following is a non-exhaustive list of possible use cases.
Probe and Flow Exporter
cento -i zc:eth1 --v9 192.168.1.200:2055
Probe and ntopng Data Source
cento -i eth0 --zmq tcp://192.168.1.2:5556
ntopng --zmq-collector-mode -i tcp://192.168.1.2
Full-Duplex network TAP Aggregator and Flow Exporter
cento -i eth1,eth2 --v9 192.168.1.200:2055
Probe and Traffic Recording with Layer-7 Indexing
cento-ids -i zc:eth1 --aggregated-egress-queue --egress-conf egress.example --dpi-level 2 -v 4
n2disk -i zc:10@0 -o /storage --index --index-version 2 --timeline-dir /storage
npcapextract -f "host 192.168.2.222 and l7proto HTTP" -t /storage/ -b "2016-06-20 17:00:00" -e "2016-06-20 17:15:00" -o output.pcap
Probe and Traffic Balancer for IDS with Layer-7 Shunting/Filtering
cento-ids -i zc:eth1 --v9 127.0.0.1:1234 --balanced-egress-queues 2 --egress-conf egress.conf
SSL = shunt
YouTube = discard
suricata --pfring-int=zc:10@0 --pfring-int=zc:10@1 -c /etc/suricata/suricata.yaml --runmode=workers
Probe and Inline Traffic Bridge with Layer-7 Filtering
cento-bridge -i zc:eth1,zc:eth2 --bridge-conf bridge.example --banned-hosts banned.example --dpi-level 2
nProbe™ vs nProbe™ Cento
If you are wondering that are the differences between nProbe and nProbe Cento, you can read this page for the details
nProbe™ Cento has been designed to keep up with 1/10/100 Gigabit speeds on commodity hardware. On adequate hardware nProbe™ Cento is able to process 10 Gbit per physical core, and to scale almost linearly in the number of cores (as long as there is enough memory bandwidth available) as shown in the picture below.
In order to process 100 Gbit it is possible to load-balance the traffic across multiple cores using RSS-like techniques usually available on Intel cards or specialised packet-capture cards.
The picture below shows the result of a performance test using a 100 Gbit Napatech card configured with 26 strams. The total processed rate (sustained) was of 132 Mpps with 70-byte packets (0 drops). The configuration used for the test:
- nProbe™ Cento (native PF_RING support)
- CentoOS 6.x x64
- PF_RING 6.3.X
- 2 x CPU Intel E5 v3
- Napatech 100 Gbit card
- 500K rotating IP addresses
- Generation of 25 million flows/minute
- No flow storage on DB or disk, just forwarding (in NFv9 format) to a collector
For the latest news about nProbe™ Cento, please read the ntop blog.
nProbe™ Cento is distributed under the EULA and requires a license per system. Licenses are available in various flavours depending on the number and speed of network interfaces Cento can handle per system.
|Max Concurrent Ports||Cento S||Cento M||Cento L||Cento XL||Cento XXL|