ntopng v5.6 releases: Web-based Traffic and Security Monitoring
ntopng
ntopng is the next-generation version of the original ntop, a network traffic probe that shows network usage much as the popular top Unix command shows process activity. ntopng is based on libpcap and has been written in a portable way so that it runs on virtually every Unix platform, on macOS, and on Windows as well.
ntopng users can use a web browser to navigate through the traffic information served by ntopng (which acts as a web server) and to get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. Its design rests on:
- a web interface.
- limited configuration and administration, performed via the web interface.
- reduced CPU and memory usage (both vary according to network size and traffic).
What can ntopng do for me?
- Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
- Show network traffic and IPv4/v6 active hosts.
- Produce long-term reports about various network metrics such as throughput, application protocols
- Top X talkers/listeners, top ASs, top L7 applications.
- For each communication flow, report network/application latency (RTT), TCP stats (retransmissions, out-of-order packets, lost packets), and bytes/packets.
- Store on disk persistent traffic statistics in RRD format.
- Geolocate hosts and display reports according to host location.
- Discover application protocols by leveraging nDPI, ntop's DPI framework.
- Characterise HTTP traffic by leveraging characterisation services provided by Google and HTTP Blacklist.
- Show IP traffic distribution among the various protocols.
- Analyse IP traffic and sort it according to the source/destination.
- Display an IP traffic subnet matrix (who is talking to whom?).
- Report IP protocol usage sorted by protocol type.
- Produce HTML5/AJAX network traffic statistics.
ntopng v5.6 released.
Changelog
Breakthroughs
- Add XL license
- Add support for Rocky 9
- Add support for Kafka
- Increased max num of exporters
- Introduce nTap support
- Introduce support for ClickHouse Cluster
- Rework Historical Chart Page
- Rework pages using VueJS and moving towards responsive client
Improvements
- Handle allowed networks for unprivileged users
- Improve multitenancy support
- Improve thread names
- Improve mac formatting
- Improve top host sites adding reset method
- Improve pcap upload
- Improve ports formatting
- Improve handling for Cisco NBAR collection
- Improve source style
- Improve Linux OS detection
- Improve Engaged Time Report in Chart
- Improve passive DNS host resolution
- Improve alerts reports
- Improve OPNsense installation instruction
- Improve host report
- Improve support for the NDPI_TCP_ISSUES flow risk
- Improve layout
- Improve ICMP flow handling
- Lowered memory consumption due to alert score
- Rework pro code directories
- Rework lua code
- Rework flow aggregation
- Rework capabilities support
- Socket code cleanup
- Use API to build interface report
- Update rrd calculations
- Update JP localization (courtesy of Yoshihiro Ishikawa)
- More…
Use Cases
Monitor a Physical Interface
A physical NIC can be monitored simply by specifying its interface name:

```shell
./ntopng -i eth0
```
Flow Collection
Flow collection requires ntopng to be used together with nProbe, which acts as a probe or proxy. nProbe and ntopng exchange flows over ZeroMQ, a messaging library used here in publish-subscribe fashion. An environment where a remote nProbe captures from a NIC and sends the monitored flows to ntopng can be deployed as follows, with both sides pointed at the same ZeroMQ endpoint:

```shell
./nprobe -i eth1 --zmq tcp://192.168.1.1:5556
./ntopng -i tcp://192.168.1.1:5556
```

Note that this ZeroMQ channel carries flow records for every host on the monitored segment and is neither authenticated nor encrypted unless the ZMQ encryption keys that ntop supports are configured, so bind it to a management network and firewall the port rather than exposing it on a general-purpose interface.
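The feature list above (top talkers and listeners, L7 protocol distribution, the subnet matrix, per-flow TCP stats) and the flow-collection setup both come down to one operation: aggregating exported flow records. The following script is an added illustration of that aggregation and is not ntopng or nProbe code; the flow record layout and the sample records are constructed for this example and do not represent nProbe's ZMQ export format, and the retransmission/loss threshold used to flag a flow is an assumption, not ntopng's NDPI_TCP_ISSUES logic.

```python
"""Toy flow aggregator illustrating the per-flow accounting ntopng performs.

Added example, not ntopng/nProbe code. The record layout is an assumption
made for this script; nProbe's real ZMQ/JSON export differs.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flows (not captured data). Fields mirror what the page
# lists per flow: endpoints, ports, L7 protocol, bytes/packets, TCP stats.
SAMPLE_FLOWS = [
    {"src": "192.168.1.10", "dst": "93.184.216.34", "sport": 51234, "dport": 443,
     "proto": "TCP", "l7": "TLS", "bytes": 120_000, "pkts": 140,
     "retrans": 0, "ooo": 0, "lost": 0, "rtt_ms": 22.0},
    {"src": "192.168.1.10", "dst": "10.0.0.5", "sport": 51235, "dport": 445,
     "proto": "TCP", "l7": "SMB", "bytes": 8_000_000, "pkts": 6000,
     "retrans": 95, "ooo": 40, "lost": 12, "rtt_ms": 180.0},
    {"src": "10.0.0.7", "dst": "192.168.1.10", "sport": 40000, "dport": 22,
     "proto": "TCP", "l7": "SSH", "bytes": 30_000, "pkts": 200,
     "retrans": 1, "ooo": 0, "lost": 0, "rtt_ms": 5.0},
    {"src": "192.168.1.20", "dst": "8.8.8.8", "sport": 53000, "dport": 53,
     "proto": "UDP", "l7": "DNS", "bytes": 600, "pkts": 4,
     "retrans": 0, "ooo": 0, "lost": 0, "rtt_ms": 0.0},
    {"src": "2001:db8::1", "dst": "2001:db8::2", "sport": 60000, "dport": 80,
     "proto": "TCP", "l7": "HTTP", "bytes": 50_000, "pkts": 60,
     "retrans": 0, "ooo": 2, "lost": 0, "rtt_ms": 9.0},
]

# Assumed threshold for this example: flag a TCP flow when more than 1% of
# its packets were retransmitted or any packet was lost.
RETRANS_RATIO = 0.01


def top_talkers(flows, n=3):
    """Bytes sent per source address, descending (ntopng's 'top talkers')."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
    return c.most_common(n)


def top_listeners(flows, n=3):
    """Bytes received per destination address, descending."""
    c = Counter()
    for f in flows:
        c[f["dst"]] += f["bytes"]
    return c.most_common(n)


def l7_distribution(flows):
    """Share of total bytes per application (L7) protocol."""
    c = Counter()
    for f in flows:
        c[f["l7"]] += f["bytes"]
    total = sum(c.values())
    return {proto: round(b / total, 4) for proto, b in c.items()}


def subnet_matrix(flows, prefix_v4=24, prefix_v6=64):
    """Who talks to whom, aggregated to /24 (IPv4) or /64 (IPv6) subnets."""
    m = defaultdict(int)
    for f in flows:
        s, d = ip_address(f["src"]), ip_address(f["dst"])
        sn = ip_network(f"{s}/{prefix_v6 if s.version == 6 else prefix_v4}", strict=False)
        dn = ip_network(f"{d}/{prefix_v6 if d.version == 6 else prefix_v4}", strict=False)
        m[(str(sn), str(dn))] += f["bytes"]
    return dict(m)


def tcp_issue_flows(flows):
    """TCP flows whose retransmission ratio or loss count exceeds the threshold."""
    out = []
    for f in flows:
        if f["proto"] != "TCP" or f["pkts"] == 0:
            continue
        ratio = f["retrans"] / f["pkts"]
        if ratio > RETRANS_RATIO or f["lost"] > 0:
            out.append((f["src"], f["dst"], f["dport"], round(ratio, 4), f["lost"]))
    return out


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE_FLOWS))
    print("top listeners:", top_listeners(SAMPLE_FLOWS))
    print("L7 distribution:", l7_distribution(SAMPLE_FLOWS))
    print("subnet matrix:", subnet_matrix(SAMPLE_FLOWS))
    print("flows with TCP issues:", tcp_issue_flows(SAMPLE_FLOWS))
```

On the constructed input the SMB transfer dominates the byte counts and is also the only flow flagged for TCP issues, which is the kind of correlation (a large internal transfer with a 1.6% retransmission ratio and packet loss) that ntopng's per-flow TCP statistics are meant to surface.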
Copyright (C) 1998-2018 ntop
Source: https://github.com/ntop/