ntopng

ntopng is the next-generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX, and on Windows as well.

ntopng users can use a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. The use of:

• a web interface.
• limited configuration and administration via the web interface.
• reduced CPU and memory usage (they vary according to network size and traffic).

What ntopng can do for me?

• Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
• Show network traffic and IPv4/v6 active hosts.
• Produce long-term reports about various network metrics such as throughput, application protocols
• Top X talkers/listeners, top ASs, top L7 applications.
• For each communication flow report network/application latency/RTT, TCP stats (retransmissions, packets OOO, packet lost), bytes/packets
• Store on disk persistent traffic statistics in RRD format.
• Geolocate hosts and display reports according to host location.
• Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
• Characterise HTTP traffic by leveraging on characterisation services provided by Google and HTTP Blacklist.
• Show IP traffic distribution among the various protocols.
• Analyse IP traffic and sort it according to the source/destination.
• Display IP Traffic Subnet matrix (who’s talking to who?)
• Report IP protocol usage sorted by protocol type.
• Produce HTML5/AJAX network traffic statistics.

ntopng v5.0 releases.

Changelog

Breakthroughs

• Advanced alerts engine with security features, including the detection of attackers and victims
  • Integration of 30+ nDPI security risks
  • Generation of the score indicator of compromise for hosts, interfaces and other network elements
• Ability to collect flows from hundredths of routers by means of observation points
• Anomaly detection based on Double Exponential Smoothing (DES) to uncover possibly suspicious behaviors in the traffic and in the score
• Encrypted Traffic Analysis (ETA) with special emphasis on the TLS to uncover self-signed, expired, invalid certificates and other issues

New features

• Ability to configure alert exclusions for individual hosts to mitigate false positives
• FreeBSD / OPNsense / pfSense packages
• Ability to see the TX/RX traffic breakdown both for physical interfaces and when receiving traffic from nProbe
• Add support for ECS when exporting to Syslog
• Improved TCP analysis, including analysis of TCP flows with zero window and low goodput
• Ability to send alerts to Slack
• Implementation of a token-based REST API access

Improvements

• Reworked the execution of hosts and flows checks (formerly user scripts), yielding a reduced CPU load of about 50%
• Improved 100Kfps+ NetFlow/sFlow collection performance
• Drilldown of nIndex historical flows much more flexible
• Migration to Bootstrap 5
• Check malicious JA3 signatures against all TLS-based protocols
• Reworked Doh/DoT handling

Fixes

• Fixes SSRF and stored-XSS injected with malicious SSDP responses
• Fixes several leaks in NetworkInterface

Notes

• To ensure optimal performance and scalability and to prevent uneven resource utilization, the maximum number of interfaces handled by a single ntopng instance has been reduced to
  • 16 (Enterprise M)
  • 32 (Enterprise L)
  • 8 (all other versions)
• REST API v1/ is deprecated and will be dropped in the next stable release in favor of REST API v2/
• The old alerts dashboard has been removed and replaced by an advanced alerts drilldown page with integrated charts

Download

Use Cases

Monitor a Physical Interface

A physical NIC card can be monitored simply by specifying its interface name as

./ntopng -i eth0

Flow Collection

Flow collection requires ntopng to be used in conjunction with nProbe which can act as probe/proxy. The communication between nProbe and ntopng takes place over ZeroMQ, a publish-subscribe protocol that allows ntopng to communicate with nProbe. An environment where a remote nProbe is physically monitoring from a NIC and sending monitored flows to ntopng can be deployed as

./nprobe -i eth1 –zmq tcp://192.168.1.1:5556

./ntopng -i tcp://192.168.1.1:5556

Copyright (C) 1998-2018 ntop 

Source: https://github.com/ntop/