nProbe™ Mini

A System-Introspected Network Probe


nProbe™ Mini enhances network visibility by means of system introspection. It enriches classical network data such as IP addresses, bytes and packets with system-introspected processes, users, containers, orchestrators, and other performance indicators. This makes nProbe™ Mini very effective at answering a new series of questions that generally remain unanswered, among which:

  • What is the process which is generating traffic towards a malware host? Who is the owner of this process?
  • What is the latency of the communications experienced by my containers when they communicate with each other?

nProbe™ Mini is a lightweight probe that implements low-overhead, event-based monitoring, mostly based on technologies such as eBPF and Netlink.

Features

Key features:

  • Enrich network data with system information such as the users and processes responsible for network communications
  • Export in JSON format
  • Out-Of-The-Box integration with ntopng
  • IPv4 and IPv6 support with performance indicators
  • TCP and UDP support
  • Containers and orchestrators visibility (Docker, Kubernetes)

The information nProbe™ Mini is able to extract includes:

  • All the TCP and UDP network communications (peers, ports, status)
  • TCP counters including retransmissions, out-of-order segments, and round-trip times
  • Users, processes and executables behind communications
  • Container IDs and names, orchestrator PODs and namespaces

Use Cases

nProbe™ Mini can be used to:

  • Trace-back the actual users and processes behind any given network activity
  • Have visibility into inter-container network communications, even when the communicating containers are deployed on the same host and thus their traffic never reaches the wire
  • Measure per-container and per-POD network activity and performance indicators such as round-trip times
  • Provide application visibility to network flows, complementing the Deep Packet Inspection provided by nDPI.
  • Understand system interactions while performing a network action (e.g. open a web page).

To fully leverage its capabilities, it is recommended to use it in combination with the visualization and analysis tool ntopng.

Trace-Back Users and Processes Behind Network Activities

Wondering who is the user trying to download a file from a malware host? Which process is he/she running? nProbe™ Mini gives you the answer.

Let’s say you have detected certain flows towards a blacklisted host.

Just by looking at the flows list you can easily spot the responsible party, which turns out to be user root attempting to perform a download using the process curl.

At this point, you can perform an additional drill-down to get to the process and user IDs, along with other details.

It’s easy to find the culprit, isn’t it?

Have Visibility Into the Inter-Container Network Communications

It is common for multiple inter-communicating containers to be deployed on the same host. In this case, the traffic of their communications never reaches the wire, as it always stays on the host. Hence, any attempt to monitor their traffic using mirror ports or TAPs would fail. Fortunately, nProbe™ Mini is able to detect, count and measure network activity even when it takes place entirely within the host.

Following is a network communication as discovered by nProbe™ Mini, taking place between process /sidecar running inside container sidecar, part of Kubernetes POD kube-dns-6bfbdd666c-jjt75, and process /usr/bin/dnsmasq running inside container dnsmasq, part of the same Kubernetes POD.

Container DNS Communication

Example of exported information:

Per-Container and Per-POD Network Activity and Performance Indicators

Curious about the performance of a given container? Interested in spotting the true bottlenecks in your OS-virtualized infrastructure? Using nProbe™ Mini you can uncover container and POD activity and performance using, for example, the measured round-trip times of their communications.
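The two workflows above (attributing flows towards a blacklisted host to a user and process, and deriving per-container/per-POD round-trip times) can also be driven from the JSON that nProbe™ Mini exports. The following is an added example written for this page, not ntop's own code: the event lines are constructed, and the field names (src_ip, dst_ip, dst_port, proto, uid, user, pid, exe, container, pod, rtt_ms) are assumptions for illustration, not the product's documented schema. Map them to the real export keys before use.

```python
"""Consume nProbe Mini style JSON events (one object per line), flag flows to
blocklisted destinations together with the responsible user/process/container,
and aggregate TCP round-trip times per POD and container.

ASSUMPTION: the field names below are invented for this example; they are not
the product's documented export schema."""
import ipaddress
import json
from collections import defaultdict

# Constructed sample feed: four events modelled on the attributes the page lists
# (peers, ports, user, process, container, POD, RTT). rtt_ms is null for UDP.
SAMPLE_EVENTS = """\
{"src_ip":"10.0.1.7","dst_ip":"203.0.113.9","dst_port":443,"proto":"TCP","uid":0,"user":"root","pid":4123,"exe":"/usr/bin/curl","container":"","pod":"","rtt_ms":38.2}
{"src_ip":"10.244.0.5","dst_ip":"10.244.0.6","dst_port":53,"proto":"UDP","uid":65534,"user":"nobody","pid":2211,"exe":"/sidecar","container":"sidecar","pod":"kube-dns-6bfbdd666c-jjt75","rtt_ms":null}
{"src_ip":"10.244.0.6","dst_ip":"10.244.0.9","dst_port":8080,"proto":"TCP","uid":1000,"user":"app","pid":3021,"exe":"/usr/bin/dnsmasq","container":"dnsmasq","pod":"kube-dns-6bfbdd666c-jjt75","rtt_ms":1.4}
{"src_ip":"10.244.1.2","dst_ip":"198.51.100.20","dst_port":80,"proto":"TCP","uid":1000,"user":"app","pid":777,"exe":"/app/worker","container":"worker","pod":"worker-abc12","rtt_ms":120.0}
"""

# Constructed blocklist: single hosts or CIDR ranges (documentation prefixes).
BLOCKLIST = {"203.0.113.9", "198.51.100.0/24"}


def parse_events(text):
    """Parse newline-delimited JSON; skip blank or malformed lines instead of
    aborting the whole feed."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def flag_blocklisted_flows(events, blocklist):
    """Return the system-level context (user, process, container, POD) for every
    flow whose destination falls inside the blocklist."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in blocklist]
    hits = []
    for ev in events:
        try:
            dst = ipaddress.ip_address(ev["dst_ip"])
        except (KeyError, ValueError):
            continue  # no usable destination address on this event
        # Membership is False across address families, so mixing v4/v6 is safe.
        if any(dst in net for net in nets):
            hits.append({
                "dst": ev["dst_ip"], "dst_port": ev.get("dst_port"),
                "user": ev.get("user"), "uid": ev.get("uid"),
                "pid": ev.get("pid"), "exe": ev.get("exe"),
                "container": ev.get("container") or None,
                "pod": ev.get("pod") or None,
            })
    return hits


def rtt_by_pod(events):
    """Aggregate RTT samples per (pod, container); host-level processes without
    a container are grouped under '<host>'. Events without an RTT (UDP) are skipped."""
    samples = defaultdict(list)
    for ev in events:
        rtt = ev.get("rtt_ms")
        if rtt is None:
            continue
        key = (ev.get("pod") or "<host>", ev.get("container") or "<host>")
        samples[key].append(float(rtt))
    return {
        key: {"count": len(v), "avg_ms": sum(v) / len(v), "max_ms": max(v)}
        for key, v in samples.items()
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for hit in flag_blocklisted_flows(evs, BLOCKLIST):
        print("blocklisted destination:", hit)
    for (pod, container), stats in rtt_by_pod(evs).items():
        print(f"{pod}/{container}: {stats}")
```

Running the script prints one line per flagged flow (user root / curl towards 203.0.113.9, and the worker container towards the blocklisted /24) followed by the per-POD RTT summary; in a real deployment the feed would be the probe's JSON output rather than the embedded sample.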

nProbe™ vs nProbe™ Mini

nProbe™ is a flow probe able to process raw packets or collect NetFlow. nProbe™ leverages Deep Packet Inspection to identify the application protocol by looking at the packet payload. nProbe™ Mini takes this a step further: it provides visibility into the application that generated a given flow, the user running the application, and the real metrics the system sees (e.g. latency).

License

nProbe™ Mini is distributed under the EULA and requires a license per system (i.e. all containers running on the same system will share the same license).

Get It

nProbe™ Mini is available in our repositories for Ubuntu 18 and CentOS 7. You can purchase your copy of nProbe™ Mini online at the ntop e-shop.