ntop

Last updated: 2015-01-05


Introduction


NetFlow = probe + collector

* NetFlow is a Cisco protocol: a probe (exporter) emits flow records and a collector receives and stores them. The NetFlow name and format are copyright Cisco Systems.

Features:

- Saves flows natively to MySQL and SQLite, as well as to text and binary files.

- Detects application protocols via DPI (deep packet inspection) and reports the protocol name in the exported flows.

flavours:

- Standard

- Pro

nProbe Plugins

- HTTP               Decodes HTTP traffic and HTTPS certificates.

- MySQL              Decodes (unencrypted) MySQL traffic and produces a log of SQL requests/responses along with performance indicators.

- IMAP, POP3, SMTP   Email plugins that decode (unencrypted) email traffic and generate flows and logs of email activity.



nprobe


HomePage: http://www.ntop.org/products/netflow/nprobe/

* NetFlow is probably the de-facto standard for network traffic accounting.

* You will need a license to run it in a production environment:
   the default installation is a demo limited to 25K flows per nProbe thread; once that limit is reached it stops exporting them.

Probe mode (nProbe captures packets and exports NetFlow):

Packets (eth0) --> nProbe --> NetFlow (UDP) --> Collector (e.g. nProbe in collector mode; for ntopng, use the ZeroMQ setup shown below)

nprobe -i eth0 -n collector_ip:2055

Collector mode (nProbe receives NetFlow from routers or other probes and stores it):

NetFlow exporters --> nProbe (UDP 2055) --save--> DB (MySQL)/disk

nprobe --collector-port 2055

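What a collector actually receives on UDP/2055 in collector mode is a NetFlow v5 datagram. The encoder/decoder below is an added example (not nProbe or ntop code) that follows Cisco's published v5 layout: a 24-byte header followed by up to 30 fixed 48-byte records. The sample datagram, addresses and flow values are constructed here so the example runs offline.

```python
"""NetFlow v5 datagrams as a collector sees them on UDP/2055.

Added example, not nProbe or ntop code. Field layout follows Cisco's
published NetFlow v5 format: 24-byte header, then up to 30 48-byte
records. The sample datagram is constructed locally so this runs offline.
"""
import socket
import struct

# Header: version, count, sys_uptime, unix_secs, unix_nsecs,
#         flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# Record: srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#         last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
#         dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30                          # v5 exporters never send more per datagram


def build_v5_packet(flows, flow_sequence=0, sys_uptime=0, unix_secs=0):
    """Encode a list of flow dicts as one NetFlow v5 datagram (exporter side)."""
    if not 0 < len(flows) <= MAX_RECORDS:
        raise ValueError("a v5 datagram carries 1..30 records")
    header = struct.pack(HEADER_FMT, 5, len(flows), sys_uptime, unix_secs, 0,
                         flow_sequence, 0, 0, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]),
                    b"\x00" * 4, 0, 0,               # nexthop, input/output ifindex
                    f["packets"], f["bytes"], 0, 0,  # dPkts, dOctets, first, last
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0),
                    f["proto"], 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + records


def check_v5(data):
    """Return None if the datagram is well-formed, else a reason string.

    A collector must do this before trusting 'count': NetFlow is plain UDP,
    so truncated, spoofed or garbage datagrams have to be expected.
    """
    if len(data) < HEADER_LEN:
        return "truncated header"
    version, count = struct.unpack("!HH", data[:4])
    if version != 5:
        return f"unsupported version {version}"
    if not 0 < count <= MAX_RECORDS:
        return f"implausible record count {count}"
    if len(data) != HEADER_LEN + count * RECORD_LEN:
        return "length does not match record count"
    return None


def parse_v5_packet(data):
    """Decode a NetFlow v5 datagram into a header dict plus a list of flow dicts."""
    problem = check_v5(data)
    if problem:
        raise ValueError(problem)
    (_, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, data[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
            "packets": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13],
        })
    return {
        "flow_sequence": flow_sequence,
        "sys_uptime": sys_uptime,
        "unix_secs": unix_secs,
        # low 14 bits are the interval, top 2 bits the sampling mode
        "sampling_interval": sampling & 0x3FFF,
        "flows": flows,
    }


# Constructed sample: one HTTPS flow and one DNS query from the same client.
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "sport": 51234, "dport": 443,
     "proto": 6, "packets": 12, "bytes": 4831, "tcp_flags": 0x1B},
    {"src": "10.0.0.5", "dst": "198.51.100.7", "sport": 44000, "dport": 53,
     "proto": 17, "packets": 1, "bytes": 73},
]
SAMPLE_DATAGRAM = build_v5_packet(SAMPLE_FLOWS, flow_sequence=1000,
                                  unix_secs=1420416000)

if __name__ == "__main__":
    for flow in parse_v5_packet(SAMPLE_DATAGRAM)["flows"]:
        print(flow)
```

Because the transport is unauthenticated UDP, a real collector should also compare each datagram's source address against its list of known exporters and watch flow_sequence for gaps or jumps (lost, replayed or injected records) before accounting the flows.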


ntopng

ntopng is the "next generation" version of the original ntop.

License: GNU GPLv3

HomePage: http://www.ntop.org/products/traffic-analysis/ntop/

- ntopng acts as a web server
- RMON (Remote Network Monitoring)
- based on libpcap
- portable (Unix, Win32)
- a web interface.
- statistics in RRD format
- Acts as a NetFlow/sFlow collector for flows generated by routers (through nProbe, which receives the flows and forwards them to ntopng)
- HTML5/AJAX

Package:

* 64 bit binary packages for Ubuntu and RedHat/CentOS

http://www.nmon.net/packages/

Usage: ntopng collecting sFlow packets

# ntopng cannot itself receive NetFlow or sFlow datagrams (it is not a NetFlow collector either);
# nProbe receives them and forwards the flows to ntopng over ZeroMQ.

ntopng -i tcp://127.0.0.1:5556 -d /var/tmp -w 3000 -v >> /dev/null &

# * nProbe is distributed under an EULA and requires a license per system.

nprobe --collector-port 6343 --zmq tcp://127.0.0.1:5556 >> /dev/null &



n2disk


ntop (original)

* decodes layer 2 / layer 3 protocols (see --disable-decoders below)

/etc/init.d/ntop

Configuration file

/etc/ntop.conf

# limit ntop to listening on a specific interface and port
# (keep it on loopback unless the UI must be reachable remotely; if it must, front it with a reverse proxy that handles authentication and TLS)
--http-server 127.0.0.1:3000 --https-server 127.0.0.1:3001

Configuration directory

/etc/ntop/

Deployment modes:

- stand-alone: captures on its own NICs and displays the results
- front-end collector: receives sFlow and/or NetFlow through the corresponding plugins


# check version

-V | --version

# internal web server

-w | --http-server  [addr:]port     http://
-W | --https-server [addr:]port     https://  (0 disables that server)

i.e.

    ntop -w 3000 -W 0        # HTTP on 3000, no HTTPS
    ntop -w 80 -W 443        # HTTP on 80, HTTPS on 443

-a | --access-log-file <file>    log the requests served by the web server

The web interface is initially accessible only to user admin, with a password set during the first run of ntop (stored in ntop's database files).

-A | --set-admin-password [admin-password=value]    set or change the admin password

# performance

Protocol decoders examine and collect information about layer 2 protocols such  as  NetBIOS  or Netware SAP, as well as about specific tcp/ip (layer 3) protocols, such as DNS, http and ftp.

-b | --disable-decoders

-g | --track-local-hosts

By default, ntop tracks all hosts that it sees in packets captured on the various NICs; -g restricts tracking to local hosts only, which saves memory on a busy link.

-i | --interface
-i "eth0,lo"    # comma-separated list of interfaces to capture on


-p | --protocols
        This parameter is used to specify the TCP/UDP protocols that ntop will monitor.
        example: --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"

<label>=<protocol list>    (service names are resolved via /etc/services; numeric ports are accepted as well)

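Parsing that --protocols spec, as an added example that is not ntop's own parser: entries are comma-separated, each <label>=<name or port>|<name or port>..., and names are resolved the way ntop does it, through /etc/services. SERVICES is a constructed subset of that file so the example runs without reading the system copy; classify_port is an assumed helper showing which label a given port would be accounted under.

```python
"""Parse an ntop --protocols spec into label -> port set.

Added example, not ntop's own code. SERVICES is a constructed subset of
/etc/services; names not in it fall back to the real file via
socket.getservbyname.
"""
import socket

# Constructed subset of /etc/services (name and alias -> port).
SERVICES = {
    "http": 80, "www": 80, "https": 443,
    "ftp": 21, "ftp-data": 20, "ssh": 22, "domain": 53,
}


def resolve_port(token, services=SERVICES):
    """A token is either a numeric port or a service name/alias."""
    if token.isdigit():
        port = int(token)
        if not 0 < port <= 65535:
            raise ValueError(f"port out of range: {token}")
        return port
    if token in services:
        return services[token]
    try:
        return socket.getservbyname(token)      # consult the real /etc/services
    except OSError:
        raise ValueError(f"unknown service name: {token!r}") from None


def parse_protocols(spec, services=SERVICES):
    """'HTTP=http|www|https|3128,FTP=ftp|ftp-data' -> {'HTTP': {80, 443, 3128}, 'FTP': {20, 21}}"""
    table = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        label, sep, ports = entry.partition("=")
        label, ports = label.strip(), ports.strip()
        if not sep or not label or not ports:
            raise ValueError(f"malformed entry: {entry!r}")
        table[label] = {resolve_port(t.strip(), services)
                        for t in ports.split("|") if t.strip()}
    return table


def classify_port(table, port):
    """Which --protocols label a TCP/UDP port is accounted under ('Other' if none)."""
    for label, ports in table.items():
        if port in ports:
            return label
    return "Other"


if __name__ == "__main__":
    table = parse_protocols("HTTP=http|www|https|3128,FTP=ftp|ftp-data")
    print(table)
    print(3128, "->", classify_port(table, 3128))
```

Note that the label only groups ports: traffic on port 3128 is counted as HTTP whether or not it is HTTP, which is the difference between this port-based accounting and the DPI that nProbe's protocol detection performs.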


Web Panel Usage


http://192.168.88.222/info.html
        libpcap Version
        RRD Version
        GeoIP Version
        

Network Load Statistics
http://192.168.88.222/thptStats.html

Host Information
http://192.168.88.222/hostsInfo.html

Traffic summary
http://192.168.88.222/trafficStats.html

ntop Log
http://192.168.88.222/viewLog.html

Restricted ntop URLs
http://192.168.88.222/showURLs.html

Change kernel (libpcap) filter expression
http://192.168.88.222/changeFilter.html

Reset statistics
http://192.168.88.222/resetStats.html

Both of these change the running state of ntop, so they belong among the restricted URLs (see showURLs.html) behind the admin password.



Load (snapshot from top while ntop was running)

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 8909 root      20   0  8668 2444 1208 R 41.0  1.0  47:10.29 openvpn
15078 ntop      20   0  143m  39m 8520 S 26.5 16.3   3:17.36 ntop
14947 root      20   0  2672 1116  876 R  0.3  0.4   0:01.32 top



Wire-speed packet capture


PF_RING

* Available for Linux kernels 2.6.32 and newer.
* Kernel-based packet capture and sampling.

PF_RING ZC(Zero Copy)

http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/

implements zero copy operations for
- inter-process
- inter-VM (KVM) communications.

Considered as the successor of DNA/LibZero

The communication between nProbe and ntopng happens through ZeroMQ, which decouples ntopng from nProbe.


Usage:

# act as a probe for ntopng

nprobe --zmq "tcp://*:5556" -i .....

# act as a collector

ntopng -i "tcp://127.0.0.1:5556"

* Flows exchanged between nProbe and ntopng are formatted as JSON and not in the standard sFlow/NetFlow format. The ZeroMQ channel carries them in clear and without authentication, so keep it on the loopback interface (as above) or on a trusted management network.
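Collector-side processing of those JSON flow records, as an added example that is not ntopng or nProbe code. The records are constructed here, and their key names (IPV4_SRC_ADDR, L4_DST_PORT, IN_BYTES, L7_PROTO_NAME, ...) are an assumption based on nProbe's NetFlow-style element names; check which template fields your nprobe build actually exports before relying on any key. It shows two things a collector does with such records: per-DPI-protocol accounting, and a simple port-scan heuristic that flags a source touching many distinct ports with tiny flows.

```python
"""Consume the JSON flows nProbe hands to ntopng over ZeroMQ.

Added example, not ntopng or nProbe code. Records are constructed; the
key names are assumed to follow nProbe's NetFlow-style element names.
"""
import json
from collections import defaultdict

# Constructed sample: two normal flows, one broken line, and sixteen
# one-packet probes from 10.0.0.99 to consecutive ports (a SYN-scan pattern).
SAMPLE_FLOW_LINES = [
    json.dumps({"IPV4_SRC_ADDR": "10.0.0.5", "IPV4_DST_ADDR": "192.0.2.10",
                "L4_SRC_PORT": 51234, "L4_DST_PORT": 443, "PROTOCOL": 6,
                "IN_BYTES": 48310, "IN_PKTS": 62, "L7_PROTO_NAME": "SSL"}),
    json.dumps({"IPV4_SRC_ADDR": "10.0.0.5", "IPV4_DST_ADDR": "198.51.100.7",
                "L4_SRC_PORT": 44000, "L4_DST_PORT": 53, "PROTOCOL": 17,
                "IN_BYTES": 73, "IN_PKTS": 1, "L7_PROTO_NAME": "DNS"}),
    '{"IPV4_SRC_ADDR": "10.0.0.5", truncated',   # malformed record
] + [
    json.dumps({"IPV4_SRC_ADDR": "10.0.0.99", "IPV4_DST_ADDR": "192.0.2.10",
                "L4_SRC_PORT": 40000 + p, "L4_DST_PORT": p, "PROTOCOL": 6,
                "IN_BYTES": 60, "IN_PKTS": 1, "L7_PROTO_NAME": "Unknown"})
    for p in range(20, 36)
]


def parse_flows(lines):
    """Decode one JSON flow per line; skip bad lines instead of stopping the collector."""
    flows = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if "IPV4_SRC_ADDR" in rec and "IPV4_DST_ADDR" in rec:
            flows.append(rec)
    return flows


def bytes_by_l7(flows):
    """Bytes per DPI-detected protocol name (what ntopng's protocol breakdown shows)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.get("L7_PROTO_NAME", "Unknown")] += f.get("IN_BYTES", 0)
    return dict(totals)


def find_port_scanners(flows, min_targets=10, max_bytes=200):
    """Sources with at least min_targets distinct (dst, port) pairs seen only in tiny flows.

    Small byte counts rule out real sessions; many distinct targets rule
    out a single chatty client. Tune both thresholds per network.
    """
    targets = defaultdict(set)
    for f in flows:
        if f.get("IN_BYTES", 0) <= max_bytes:
            targets[f["IPV4_SRC_ADDR"]].add((f["IPV4_DST_ADDR"], f["L4_DST_PORT"]))
    return {src for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LINES)
    print(bytes_by_l7(flows))
    print("scanners:", find_port_scanners(flows))
```

In a live deployment the lines would come from a ZeroMQ subscriber socket rather than a list; the per-record try/except matters there, since one malformed message must not take down the consumer.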


Windows Version


nProbe

Install location: C:\Program Files\nProbe

Download

http://packages.ntop.org/Windows/

Help

nprobe.exe /h

/i <service name> [nprobe options] - Install nprobe as service
/c [nprobe options]                - Run nprobe on a console
/r <service name>                  - Deinstall the service

Version

nprobe.exe /c -v

05/Nov/2015 15:27:32 [nprobe.c:6640] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export.  *

* nProbe Standard [Unix/Win]: EUR 150

Usage

# install service

nprobe /i nProbe -i 0 -n 192.168.0.1:2055

# -n: collector address(es) to export to; default 127.0.0.1:2055

Start it (ntopng needs Redis running; nProbe itself does not)

net start redis

net start nProbe

Panel (the ntopng web UI on its default port)

Default login: admin / admin (change it on the first login)

http://127.0.0.1:3000

ntopng

community version

05/Nov/2015 15:52:52 [NtopPro.cpp:117] [LICENSE] Read license from Redis []
05/Nov/2015 15:52:52 [NtopPro.cpp:159] ERROR: [LICENSE] Invalid or missing ntopng License [Empty license file]
05/Nov/2015 15:52:52 [NtopPro.cpp:172] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes
05/Nov/2015 15:52:52 [NtopPro.cpp:174] WARNING: [LICENSE] before returning to community mode

# Start ntopng in community edition

ntopng --community

check-license

C:\Program Files\ntopng>ntopng /c --check-license
Starting ntopg
Running ntopng.
Demo mode license

Help

ntopng /c -h

.......................................

[--max-num-flows|-X] <num>          | Max number of active flows
                                    | (default: 131072)
[--max-num-hosts|-x] <num>          | Max number of active hosts
                                    | (default: 65536)
                                   
[--disable-login|-l] <mode>         | Disable user login authentication:
                                    | 0 - Disable login only for localhost
                                    | 1 - Disable login for all hosts

* -l 1 removes authentication for every client; do not use it on a host whose web UI is reachable from other machines.

* Lists the available interfaces (needed when passing -i <num>)

-i n       # Input interface name (numeric/symbolic)