ntopng v5.2.1 releases: Web-based Traffic and Security Monitoring
ntopng
ntopng is the next-generation version of the original ntop, a network traffic probe that shows network usage in a way similar to the popular top Unix command. ntopng is based on libpcap and has been written portably so that it can run on virtually every Unix platform, macOS and Windows.
ntopng users can use a web browser to navigate through ntopng (which acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. Its main characteristics are:
- a web interface;
- limited configuration and administration via the web interface;
- reduced CPU and memory usage (which vary according to network size and traffic).
What can ntopng do for me?
- Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
- Show network traffic and IPv4/v6 active hosts.
- Produce long-term reports about various network metrics such as throughput, application protocols
- Top X talkers/listeners, top ASs, top L7 applications.
- For each communication flow, report network/application latency/RTT, TCP stats (retransmissions, out-of-order packets, lost packets), bytes/packets
- Store on disk persistent traffic statistics in RRD format.
- Geolocate hosts and display reports according to host location.
- Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
- Characterise HTTP traffic by leveraging on characterisation services provided by Google and HTTP Blacklist.
- Show IP traffic distribution among the various protocols.
- Analyse IP traffic and sort it according to the source/destination.
- Display an IP traffic subnet matrix (who's talking to whom?)
- Report IP protocol usage sorted by protocol type.
- Produce HTML5/AJAX network traffic statistics.
ntopng v5.2.1 released.
Changelog
Breakthroughs
- New ClickHouse support for storing historical data, replacing nIndex support (data migration available)
- Advanced Historical Flow Explorer, with the ability to define custom queries using JSON-based configurations
- New Historical Data Analysis page (including Score, Applications, Alerts, AS analysis), with the ability to define custom reports with charts
- Enhanced drill down from charts and historical flow data and alerts to PCAP data
- nEdge support for Ubuntu 20
- Enhanced support for Observation Points
Improvements
- Improve CPU utilization and memory footprint
- Improve historical data retention management for flows and timeseries
- Improve periodic activities handling, with support for strict and relaxed (delayed) tasks
- Improve filtering and analysis of the historical flows
- Improve alert explorer and filtering
- Improve Enterprise dashboard look and feel
- Improve the speedtest support and servers selection
- Improve support for ping and continuous ping (ICMP) for active monitoring
- Improve flow-direction handling
- Improve localization (including DE and IT translations)
- Improve IPS policies management
- Add logging of IPS activity (e.g. block, unblock)
- Improve SNMP support
  - Optimize polling of SNMP devices
  - Improve SNMP v3 support
  - Add more device information, including version
  - Add a stateful SNMP alert to detect too many MACs learned on a non-trunk port
  - Poll fat MIBs on average every 15 minutes
  - Add a preference to disable polling of SNMP fat MIBs
- Add more information to the historical flow data, including Latency, AS, Observation Points, SNMP interface, Host Pools
- Add detailed view of historical flows and alerts
- Add support for nProbe field L7_INFO
- Add ICMP flood alert
- Add check exclusion settings for subnets, and global exclusions for hosts and domains
- Add CDP support
- Add more regression tests
- Add detection of obsolete SSH client versions
- Add support for ERSPAN version 2 (type III)
- Add support for all the new nDPI Flow Risks added in nDPI 4.2
- Add extra info to service and periodicity map hosts
- Add Top Sites check
- REST API
  - Getter for the bridge MIB
  - Getter for LLDP adjacencies
  - Check for BPF filters
  - Score charts timeseries and analysis
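The stateful SNMP check listed above (too many MACs learned on a non-trunk port) is easiest to reason about with its transition logic written out: the alert engages when a port crosses the limit, stays silent while the condition persists, and releases once the count drops back. The following is an added illustration and not ntopng's own code (ntopng implements its checks in Lua); it assumes the bridge MIB forwarding table (dot1dTpFdbTable) has already been polled and flattened into (port, MAC) pairs, and that the operator supplies the set of trunk ports, which legitimately learn many addresses. The sample polls are constructed, not real device output.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# (bridge port index, MAC address), as one would flatten it from dot1dTpFdbTable
MacEntry = Tuple[int, str]
# ("alert" | "release", port, number of MACs seen on that port in this poll)
Event = Tuple[str, int, int]


@dataclass
class TooManyMacsCheck:
    """Stateful check: engage an alert when a non-trunk port has learned more
    than max_macs addresses, and release it once the count drops back.
    Only transitions produce events, so a port that stays over the limit
    across polls does not re-alert on every poll."""
    max_macs: int = 1                                   # assumption: one host per access port
    trunk_ports: Set[int] = field(default_factory=set)  # operator-supplied (hypothetical input)
    _engaged: Dict[int, bool] = field(default_factory=dict)  # port -> alert currently engaged

    def poll(self, fdb: Iterable[MacEntry]) -> List[Event]:
        """Process one poll of the forwarding table and return the state transitions."""
        counts = Counter(port for port, _mac in fdb)
        events: List[Event] = []
        # Visit ports seen in this poll plus ports with an engaged alert that
        # vanished from the table: their count is now 0 and must be released.
        for port in sorted(set(counts) | set(self._engaged)):
            if port in self.trunk_ports:
                continue
            n = counts.get(port, 0)
            over = n > self.max_macs
            engaged = self._engaged.get(port, False)
            if over and not engaged:
                self._engaged[port] = True
                events.append(("alert", port, n))
            elif engaged and not over:
                self._engaged[port] = False
                events.append(("release", port, n))
        return events


# Constructed sample polls (not real device output). Port 24 is the uplink trunk;
# between the first and second poll a small unmanaged switch is plugged into port 2,
# and it is removed again before the last poll.
QUIET: List[MacEntry] = [
    (1, "00:11:22:33:44:01"),
    (2, "00:11:22:33:44:02"),
    (24, "00:11:22:33:44:10"), (24, "00:11:22:33:44:11"), (24, "00:11:22:33:44:12"),
]
NOISY: List[MacEntry] = QUIET + [(2, "00:11:22:33:44:03"), (2, "00:11:22:33:44:04")]
SAMPLE_POLLS: List[List[MacEntry]] = [QUIET, NOISY, NOISY, QUIET]


def run_sample() -> List[List[Event]]:
    """Run the check over the sample polls; returns one event list per poll."""
    check = TooManyMacsCheck(max_macs=1, trunk_ports={24})
    return [check.poll(fdb) for fdb in SAMPLE_POLLS]


if __name__ == "__main__":
    for i, events in enumerate(run_sample(), start=1):
        print(f"poll {i}: {events or 'no transitions'}")
```

Running the sample produces a single alert for port 2 on the second poll (three MACs on an access port), nothing on the identical third poll, and a release on the fourth; the trunk on port 24 never fires even though it carries three addresses throughout.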
Changes
- Encapsulated traffic is now accounted using the length of the encapsulated packet rather than that of the original packet
- Remove nIndex support, including the flow explorer
- Remove MySQL historical flow explorer (export only)
- Hide LDAP password from logs
Fixes
- Fix several memory leaks, a double free, a buffer overflow and invalid memory accesses (memory-safety fixes, and a reason to upgrade any instance whose web interface or flow-collection port is reachable from untrusted networks)
- Fix SQLite initialization
- Fix support for fragmented packets
- Fix IP validation in modals
- Fix netplan configuration manager
- Fix blog notifications
- Fix time range picker to support all browsers
- Fix binary application transfer name in alerts
- Fix glitches in chart drag operations
- Fix pools edit/remove
- Fix InfluxDB timeseries export
- Fix ELK memory leak
- Fix TLS version for obsolete TLS alerts when collecting flows
- Fix fields conversion in timeseries charts filters
- Fix some invalid nProbe field mapping
- Fix hosts Geomap
- Fix slow shutdown
- Fix wrong Call-ID 0 with RTP streams with no SIP stream associated
- Fix ping support for FreeBSD
- Fix active monitoring interface list
- Fix host names not always shown
- Fix host pools stats
- Fix UTF8 encoding issues in localization tools
- Fix time/timezone in forwarded syslog messages
- Fix unknown process alert
- Fix nil DOM JavaScript error
- Fix country not always shown in flow alerts
- Fix non-initialized traffic profiles
- Fix traffic profiles not working over ZMQ
- Fix syslog collection
- Fix async SNMP calls blocking the execution
- Fix CPU stats timeseries
- Fix InfluxDB attempts to always re-create retention policies
- Fix REST API ts.lua returning 24h data
- Fix processing of DNS packets under certain conditions
- Fix invalid space in SNMP Hostnames
- Fix REST API incompatibility (/get/alert/severity/counters.lua, /get/alert/type/counters.lua)
- Fix map layout not saved correctly
- Fix LLDP topology for Juniper routers
- Fix not authorized error when editing SNMP devices
- Fix duplicated 95th percentile, and split average and 95th percentile into sent/received in charts
- Fix inconsistent local/remote timeseries
- Fix Risks generation in IPS policy configuration
- Fix deletion of sub-interface
- Fix deadline not honored when monitoring SNMP devices
- Fix traffic profiles on L7 protocols
- Fix TCP connection refused check
- Fix failures when the DB is not reachable
- Fix segfault with View interfaces
- Fix hosts wrongly detected as Local
- Fix missing throughputs in countries
Misc
- Enforce proxy exclusions via the no_proxy environment variable
- Move Lua engine to 5.4
- Major code review and cleanup
nEdge
- Add support for Ubuntu 20
- Add ability to logout when using the Captive Portal
- Add per egress interface stats and timeseries
- Add active DHCP leases in UI and REST API
- Add daily/weekly/monthly quotas
- Add service and periodicity maps and alerts
- Fix Captive Portal not working due to invalid allowed interface
- Fix addition of static DHCP leases
- Fix factory reset
- Fix reboot button
Use Cases
Monitor a Physical Interface
A physical NIC can be monitored simply by specifying its interface name:
./ntopng -i eth0
Flow Collection
Flow collection requires ntopng to be used in conjunction with nProbe, which can act as a probe or as a proxy. Communication between nProbe and ntopng takes place over ZeroMQ, a publish/subscribe messaging transport. An environment where a remote nProbe is physically monitoring a NIC and sending the monitored flows to ntopng can be deployed as follows. Note that the plain tcp:// endpoint in this example carries flow data in the clear, so the ZeroMQ port should only be reachable from the collector, not from untrusted networks.
./nprobe -i eth1 --zmq tcp://192.168.1.1:5556
./ntopng -i tcp://192.168.1.1:5556
Copyright (C) 1998-2018 ntop
Source: https://github.com/ntop/