{"id":14076,"date":"2017-09-14T14:16:33","date_gmt":"2017-09-14T14:16:33","guid":{"rendered":"https:\/\/www.firewallhardware.it\/ntopng-monitoraggio-passivo-e-attivo-del-traffico-di-rete\/"},"modified":"2019-11-11T11:39:17","modified_gmt":"2019-11-11T11:39:17","slug":"ntopng-passive-and-active-monitoring-of-network-traffic","status":"publish","type":"post","link":"https:\/\/blog.miniserver.it\/en\/firewall\/ntopng-passive-and-active-monitoring-of-network-traffic\/","title":{"rendered":"ntopng: passive and active monitoring of network traffic"},"content":{"rendered":"

[vc_row css=”.vc_custom_1517227445866{margin-top: 30px !important;}”]Introduction<\/strong>
\nThe Internet runs faster and faster, the dangers in the digital world have increased and it
\nbecomes more and more complicated to explore the web.
\nOnce upon a time, when there was only Web 1.0 and the “good old” HTML, the biggest risk we ran was to find ourselves faced with a simple browser error. Who of us has never come across a “404 not found?”.
\nNow that, with Web 2.0, we interact and modify the contents of the pages directly online, we are exposed to daily threats that are undermined and hide behind simple actions such as clicking on a link.
\nMany have proposed and continue to propose solutions that we can use to protect ourselves and defend ourselves against cyber-attacks. In this article we will see ntopng, one of the best known solutions especially in the open source world.<\/p>\n

Presentation<\/strong>
\nNtopng was born as a traffic analysis tool and over time it has “evolved” to become an application filter. The project’s author is Prof. Luca Deri, “Research Scientist and Network Manager” at the Department of Computer Science of the University of Pisa.<\/p>\n

Visiting the web page of Luca, http:\/\/luca.ntop.org\/<\/a>, we can find all his publications made over the years, get an idea about the scope of his scientific research and understand a little ‘what the spirit with which he created ntopng.<\/p>\n

In this regard it is a must to quote one of his sentences: “The Internet today represents me free radio represented in the 70s. I think, do, create. Herein you can find all of the years that is my humble and tiny contribution to computer science (r) evolution.<\/em>“<\/p>\n

What is NtopNG<\/strong>
\nntopng is a traffic analysis networking tool that offers unprecedented visibility on packets traveling on the network.
\nOne of the most interesting features of the latest version of ntopng is undoubtedly that of application filter, thanks to which we can control more than 250 applications including Facebook, Youtube, WhatsApp, Skype and Tor, blocking or limiting the bandwidth of requests client and preventing, in fact, their uncontrolled use. Now let’s look at some functions and discover their potential.<\/p>\n

Overview of features<\/strong>
\nntopng is released in three different versions: Community, Professional and Enterprise. The various features are shown in the following comparative table.JTVCYWRyb3RhdGUlMjBiYW5uZXIlM0QlMjIzJTIyJTVEIntroduction<\/strong>
\nThe Internet runs faster and faster, the dangers in the digital world have increased and it
\nbecomes more and more complicated to explore the web.
\nOnce upon a time, when there was only Web 1.0 and the “good old” HTML, the biggest risk we ran was to find ourselves faced with a simple browser error. Who of us has never come across a “404 not found?”.
\nNow that, with Web 2.0, we interact and modify the contents of the pages directly online, we are exposed to daily threats that are undermined and hide behind simple actions such as clicking on a link.
\nMany have proposed and continue to propose solutions that we can use to protect ourselves and defend ourselves against cyber-attacks. In this article we will see ntopng, one of the best known solutions especially in the open source world.<\/p>\n

Presentation<\/strong>
\nNtopng was born as a traffic analysis tool and over time it has “evolved” to become an application filter. The project’s author is Prof. Luca Deri, “Research Scientist and Network Manager” at the Department of Computer Science of the University of Pisa.<\/p>\n

Visiting the web page of Luca, http:\/\/luca.ntop.org\/<\/a>, we can find all his publications made over the years, get an idea about the scope of his scientific research and understand a little ‘what the spirit with which he created ntopng.<\/p>\n

In this regard it is a must to quote one of his sentences: “The Internet today represents me free radio represented in the 70s. I think, do, create. Herein you can find all of the years that is my humble and tiny contribution to computer science (r) evolution.<\/em>“<\/p>\n

What is NtopNG<\/strong>
\nntopng is a traffic analysis networking tool that offers unprecedented visibility on packets traveling on the network.
\nOne of the most interesting features of the latest version of ntopng is undoubtedly that of application filter, thanks to which we can control more than 250 applications including Facebook, Youtube, WhatsApp, Skype and Tor, blocking or limiting the bandwidth of requests client and preventing, in fact, their uncontrolled use. Now let’s look at some functions and discover their potential.<\/p>\n

Overview of features<\/strong>
\nntopng is released in three different versions: Community, Professional and Enterprise. The various features are shown in the following comparative table.Generation of alarms based on time\/traffic thresholds or suspicious behavior such as visiting a malicious site<\/p>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Feature<\/strong><\/th>\nCommunity<\/strong><\/th>\nProfessional<\/strong><\/th>\nEnterprise<\/strong><\/th>\n<\/tr>\n
Monitoring of active flows and hosts of the network \u2020<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Identification of application protocols (Facebook, Youtube, BitTorrent, etc) in traffic<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Recording and display of the use of application protocols for each host over time<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Grouping of hosts for VLAN, Operating System, Country, and Autonomous Systems<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Geographical map of network communications made by each host<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Identification of the top talker hosts (senders and receivers) with resolution per minute<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
View the most requested HTTP sites from each host<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Export of communications on MySQL and ElasticSearch<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Generation of alarms based on time \/ traffic thresholds or suspicious behavior such as visiting a malicious site<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Alarms and warnings such as Slack messages<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Display of traffic for each VLAN<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Data collecting from nProbe to process the remote interfaces monitored by nProbe and flow export devices (eg routers and switches) as if they were local<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Displaying data collected by nProbe<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Grouping hosts into logical sets of IP and MAC addresses known as hosts pools \u2020\u2020<\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Real-time view of the top talkers and application protocols and comparison with daily activities<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Browsing the registered MySQL data to identify the cause of network problems<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Generation of graphical reports with the top hosts, application protocols, countries, networks and autonomous systems in configurable time periods<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Traffic history based on profiles created using BPF (Berkeley Packet Filter) syntax \u2021<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Limiting\/blocking host traffic with custom policies for each protocol *<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Integration with LDAP authentication servers<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Query SNMP devices for data such as port status, traffic and MAC address information<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Integration with Nagios *<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
MySQL insertions to get writes to the fastest 5x database<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Data aggregation in MySQL for faster historical explorations<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Generate traffic and total activity reports for any host, network or interface<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Detection of attackers and victims through real-time alerts<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Exploration and filtering of alarms<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Viewing and storing traffic by SNMP port<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Viewing and storing NetFlow\/sFlow device data<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Captive Portal for Internet browsing *<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Daily traffic quotas that are applied to clients *<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n
Parental control<\/em> with the DNS integration of SafeSearch *<\/td>\n\u2717<\/strong><\/span><\/td>\n\u2717<\/strong><\/span><\/td>\n\u2713<\/strong><\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

*<\/strong> Feature not available with Windows
\n\u2020 The Enterprise<\/em> version allows simultaneous monitoring of up to 128 different network interfaces. Professional<\/em> and Community<\/em> versions allow monitoring of up to 32 different interfaces.
\n\u2020\u2020 The Enterprise version allows simultaneous monitoring of up to 128 different host pools. Professional<\/em> and Community<\/em> versions allow simultaneous monitoring of up to 3 different host pools.
\n\u2021 The Enterprise version allows simultaneous monitoring of up to 128 different traffic profiles. The Professional<\/em> version allows the creation of 16 traffic profiles.<\/p>\n

Supported platforms**<\/strong><\/p>\n