Last updated: 2015-01-05
Introduction
NetFlow = probe + collector
* NetFlow is copyright Cisco Systems.
Features:
Ability to natively save flows into MySQL and SQLite, as well as text and binary.
Detects application protocols via DPI (deep packet inspection) and reports the protocol name in flows.
Flavours:
- Standard
- Pro
nProbe Plugins
- HTTP: decodes HTTP traffic and HTTPS certificates.
- MySQL: decodes (unencrypted) MySQL traffic and produces a log of SQL requests/responses along with performance indicators.
- IMAP, POP3, SMTP: email plugins that decode (unencrypted) email traffic and generate flows and logs of email activity.
nprobe
HomePage: http://www.ntop.org/products/netflow/nprobe/
* NetFlow is probably the de-facto standard for network traffic accounting.
* You will need a license to run it in a production environment:
the default installation enforces a limit of 25K flows per nProbe thread, after which it stops collecting them.
Probe mode:
NetFlow --> nProbe --> Collector (ntopng)
nprobe -i eth0 -n collector_ip:2055
Collector mode:
nProbe --save--> DB(MySQL)/Disk
nprobe --collector-port 2055
ntopng
ntopng is the "next generation" version of the original ntop
License: GNU GPLv3
HomePage: http://www.ntop.org/products/traffic-analysis/ntop/
- ntopng acts as a web server
- RMON (Remote Network Monitoring)
- based on libpcap
- portable (Unix, Win32)
- a web interface.
- statistics in RRD format
- Acts as a NetFlow/sFlow collector for flows generated by routers
- HTML5/AJAX
Package:
* 64 bit binary packages for Ubuntu and RedHat/CentOS
http://www.nmon.net/packages/
Usage: ntopng collecting sFlow packets
# ntopng cannot act as a NetFlow collector by itself either; nProbe does the collecting and forwards flows to ntopng over ZMQ
ntopng -i tcp://127.0.0.1:5556 -d /var/tmp -w 3000 -v >> /dev/null &
# nProbe is distributed under its EULA and requires a license per system.
nprobe --collector-port 6343 --zmq tcp://127.0.0.1:5556 >> /dev/null &
n2disk
* layer 2 / layer 3
/etc/init.d/ntop
Configure file
/etc/ntop.conf
# limit ntop to listening on a specific interface and port
--http-server 127.0.0.1:3000 --https-server 127.0.0.1:3001
Configure Directory
/etc/ntop/
stand-alone => collector/display
front-end collector => sFlow and/or NetFlow plugins
# check version
-V | --version
# internal web server (-w)
-w http://
-W https://
e.g.
ntop -w 3000 -W 0
ntop -w 80 -W 443
-a | --access-log-file
Initially accessible only to the user admin, with a password set during the first run of ntop (stored in a database file).
-A | --set-admin-password [admin-password=value]
# performance
Protocol decoders examine and collect information about layer 2 protocols such as NetBIOS or Netware SAP, as well as specific TCP/IP (layer 3) protocols such as DNS, HTTP and FTP.
-b | --disable-decoders
-g | --track-local-hosts
By default, ntop tracks all hosts that it sees from packets captured on the various NICs.
-i | --interface
-i "eth0,lo".
-p | --protocols
This parameter specifies the TCP/UDP protocols that ntop will monitor.
Example: --protocols="HTTP=http|www|https|3128,FTP=ftp|ftp-data"
Format: <label>=<protocol list>, where each list entry is a service name from /etc/services or a port number
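An added example (not ntop's own code) showing how a --protocols specification like the one above can be parsed into label-to-port sets and used to classify a port; the SERVICES table is a constructed stand-in for /etc/services so the script runs offline.

```python
# Added example, not from the ntop project: parse an ntop --protocols value
# such as  HTTP=http|www|https|3128,FTP=ftp|ftp-data  into {label: {ports}}.
# ntop itself resolves names through /etc/services; this constructed table
# stands in for that file so the code runs without it.

SERVICES = {
    "ftp-data": 20, "ftp": 21, "ssh": 22, "smtp": 25, "domain": 53,
    "http": 80, "www": 80, "pop3": 110, "imap": 143, "https": 443,
    "mysql": 3306,
}

def resolve(token, services=SERVICES):
    """Map one list token (service name or numeric port) to a port number."""
    token = token.strip()
    if token.isdigit():
        port = int(token)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {token}")
        return port
    if token in services:
        return services[token]
    raise ValueError(f"unknown service name {token!r} (not in /etc/services)")

def parse_protocols(spec, services=SERVICES):
    """Parse '<label>=<p1>|<p2>,<label2>=...' into a dict of label -> set(ports)."""
    table = {}
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"missing '=' in entry {entry!r}")
        label, plist = entry.split("=", 1)
        ports = {resolve(t, services) for t in plist.split("|") if t.strip()}
        if not ports:
            raise ValueError(f"empty protocol list for {label!r}")
        table.setdefault(label.strip(), set()).update(ports)
    return table

def classify(port, table):
    """Labels whose port set contains `port` (sorted so output is stable)."""
    return sorted(label for label, ports in table.items() if port in ports)

if __name__ == "__main__":
    t = parse_protocols("HTTP=http|www|https|3128,FTP=ftp|ftp-data")
    print(t)                 # {'HTTP': {80, 443, 3128}, 'FTP': {20, 21}}
    print(classify(443, t))  # ['HTTP']
```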
Web Panel Usage
http://192.168.88.222/info.html
libpcap Version
RRD Version
GeoIP Version
Network Load Statistics
http://192.168.88.222/thptStats.html
Host Information
http://192.168.88.222/hostsInfo.html
Traffic summary
http://192.168.88.222/trafficStats.html
ntop Log
http://192.168.88.222/viewLog.html
Restricted ntop URLs
http://192.168.88.222/showURLs.html
Change kernel (libpcap) filter expression
http://192.168.88.222/changeFilter.html
http://192.168.88.223/resetStats.html
Loading
  PID USER  PR NI VIRT  RES  SHR S %CPU %MEM    TIME+ COMMAND
 8909 root  20  0 8668 2444 1208 R 41.0  1.0 47:10.29 openvpn
15078 ntop  20  0 143m  39m 8520 S 26.5 16.3  3:17.36 ntop
14947 root  20  0 2672 1116  876 R  0.3  0.4  0:01.32 top
Wire-speed packet capture
PF_RING
* Available for Linux kernels 2.6.32 and newer.
* Kernel-based packet capture and sampling.
PF_RING ZC(Zero Copy)
http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/
implements zero copy operations for
- inter-process
- inter-VM (KVM) communications.
Considered the successor of DNA/LibZero.
The communication between nProbe and ntopng happens through ZeroMQ, which decouples ntopng from nProbe.
Usage:
# act as a probe for ntopng
nprobe --zmq "tcp://*:5556" -i .....
# act as a collector
ntopng -i "tcp://127.0.0.1:5556"
* Flows exchanged between nProbe and ntopng are formatted as JSON, not in the standard sFlow/NetFlow format.
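An added example (not nProbe's or ntopng's code) that processes JSON flow records of the kind nProbe forwards over ZeroMQ: it totals bytes per source host and lists flows whose DPI label is one of the cleartext protocols the nProbe plugins decode. The sample records are constructed, and the field names are assumed to follow the NetFlow v9 element names (IPV4_SRC_ADDR, L4_DST_PORT, L7_PROTO_NAME, ...).

```python
# Added example, not nProbe/ntopng code. Consumes newline-delimited JSON flow
# records like those nProbe exports to ntopng. Sample data is constructed and
# the key names are an assumption (NetFlow v9 element names).
import json
from collections import Counter

SAMPLE_FLOWS = """\
{"IPV4_SRC_ADDR":"192.168.88.10","IPV4_DST_ADDR":"10.0.0.5","L4_SRC_PORT":51234,"L4_DST_PORT":3306,"PROTOCOL":6,"IN_BYTES":5120,"L7_PROTO_NAME":"MySQL"}
{"IPV4_SRC_ADDR":"192.168.88.11","IPV4_DST_ADDR":"203.0.113.5","L4_SRC_PORT":40000,"L4_DST_PORT":443,"PROTOCOL":6,"IN_BYTES":80000,"L7_PROTO_NAME":"SSL"}
{"IPV4_SRC_ADDR":"192.168.88.10","IPV4_DST_ADDR":"10.0.0.9","L4_SRC_PORT":40001,"L4_DST_PORT":110,"PROTOCOL":6,"IN_BYTES":2048,"L7_PROTO_NAME":"POP3"}
"""

# Protocols the nProbe plugins decode because they travel in cleartext.
CLEARTEXT = {"HTTP", "MySQL", "IMAP", "POP3", "SMTP"}

def parse_flows(text):
    """Return a list of flow dicts; malformed or incomplete lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad record must not stop the collector loop
        if "IPV4_SRC_ADDR" in rec and "IN_BYTES" in rec:
            flows.append(rec)
    return flows

def bytes_per_source(flows):
    """Top talkers: total IN_BYTES per source address."""
    totals = Counter()
    for f in flows:
        totals[f["IPV4_SRC_ADDR"]] += int(f["IN_BYTES"])
    return totals

def cleartext_flows(flows):
    """(src, dst, dst_port, l7) for every flow DPI labelled as a cleartext protocol."""
    return [(f["IPV4_SRC_ADDR"], f["IPV4_DST_ADDR"], f["L4_DST_PORT"], f["L7_PROTO_NAME"])
            for f in flows if f.get("L7_PROTO_NAME") in CLEARTEXT]

if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(bytes_per_source(flows).most_common(2))
    for hit in cleartext_flows(flows):
        print("cleartext:", hit)
```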
Windows Version
nProbe
Install location: C:\Program Files\nProbe
Download
http://packages.ntop.org/Windows/
Help
nprobe.exe /h
/i <service name> [nprobe options] - Install nprobe as service
/c [nprobe options]                - Run nprobe on a console
/r <service name>                  - Deinstall the service
Version
nprobe.exe /c -v
05/Nov/2015 15:27:32 [nprobe.c:6640] ERROR: * NOTE: This is a DEMO version limited to 25000 flows export. *
* nProbe Standard [Unix/Win] Euro $150
Usage
# install service
nprobe /i nProbe -i 0 -n 192.168.0.1:2055
# Default: 127.0.0.1:2055
-n: collector addresses
Start it
net start redis
net start nProbe
Panel
Default login: admin / admin
http://127.0.0.1:3000
ntopng
community version
05/Nov/2015 15:52:52 [NtopPro.cpp:117] [LICENSE] Read license from Redis []
05/Nov/2015 15:52:52 [NtopPro.cpp:159] ERROR: [LICENSE] Invalid or missing ntopng License [Empty license file]
05/Nov/2015 15:52:52 [NtopPro.cpp:172] WARNING: [LICENSE] ntopng will now run in pro mode for 10 minutes
05/Nov/2015 15:52:52 [NtopPro.cpp:174] WARNING: [LICENSE] before returning to community mode
# Start ntopng in community edition
ntopng --community
check-license
C:\Program Files\ntopng>ntopng /c --check-license
Starting ntopg
Running ntopng.
Demo mode license
Help
ntopng /c -h
...
[--max-num-flows|-X] <num>   | Max number of active flows
                             | (default: 131072)
[--max-num-hosts|-x] <num>   | Max number of active hosts
                             | (default: 65536)
[--disable-login|-l] <mode>  | Disable user login authentication:
                             | 0 - Disable login only for localhost
                             | 1 - Disable login only for all hosts
* Also shows the available interfaces (needed when using -i <num>)
-i n # Input interface name (numeric/symbolic)