Presentation on theme: "Network Troubleshooting Using ntopng Luca Deri" - Presentation transcript:

1 Network Troubleshooting Using ntopng. Luca Deri

2 Exploring system activities using ntopng. Part 2: ntopng+Wireshark. Monitoring Use Cases Using ntopng. Future roadmap items.

3 About ntop: ntop develops open source network traffic monitoring applications. ntop (circa 1998) is the first app we released and it is a web-based network monitoring application. Today our products range from traffic monitoring to high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration (snort, Bro and suricata).

4 Ability to capture, process and (optionally) transmit traffic at line rate, at any packet size. Leverage modern multi-core/NUMA architectures in order to promote scalability. Use commodity hardware for producing affordable, long-living (no vendor lock-in), scalable (use new hardware by the time it becomes available) monitoring solutions. Use open source to spread the software, and let the community test it in uncharted places.

5 Some History: In 1998 the original ntop was created. It was a C-based app embedding a web server, able to capture traffic and analyse it. Contrary to many tools available at that time, ntop used a web GUI to report traffic activities. It is available for Unix and Windows under the GPL.

6 ntop Architecture: Cisco NetFlow, InMon sFlow, HTTP/HTTPS, RRD.

7 Why was ntop obsolete? Its original LAN-oriented design prevented ntop from handling more than a few hundred Mbit. The GUI was an old (no fancy HTML 5) monolithic piece written in C, so changing/extending a page required a programmer. ntop could not be used as a web-less monitoring engine to be integrated with other apps. Many components were designed in 1998, and it was time to start over (spaghetti code).

8 ntopng Design Goals: Clean separation between the monitoring engine and the reporting facilities. Robust, crash-free engine (ntop was not really so). Platform scriptability for enabling extensions or changes at runtime without restart. Realtime: most monitoring tools aggregate data (5 mins usually) and present it when it's too late. Many new features including an HTML 5-based dynamic GUI, categorisation, DPI.

9 ntopng Architecture: Three different and self-contained components, communicating with clean API calls.

10 Coded in C++ and based on the concept of flow (set of packets with the same 6-tuple). Flows are inspected with a home-grown DPI library named nDPI, aiming to discover the "real" application protocol (no ports are used). Information is clustered per: (Capture) Network Device, Flow, Host, High-level Aggregations.

11 Ntopng keeps information in memory at different levels of accuracy in order to save resources for hosts that are not "too relevant". For this reason, at startup hosts are divided in: Local hosts/System Host: the local host where ntopng is running as well as the hosts belonging to some "privileged" IPv4/v6 networks. These hosts are very relevant and thus ntopng keeps full statistics. Remote hosts: non-local hosts for which we keep a minimum level of detail.

12 For local hosts (unless disabled via preferences) all L7 protocol statistics are kept, as well as basic statistics (e.g. …). No persistent statistics are saved on disk. A system host is the host where ntopng is running; it is automatically considered local, as are the networks of its ethernet interfaces.

13 Ntopng keeps in memory live information such as flow and host statistics. Users can specify preferences for data retention: as the memory cannot be infinite, non-recent information is periodically harvested.

14 Packet capture: PF_RING, netfilter (Linux) or libpcap. Packet decoding: non-IP traffic is accounted. IPv4/v6 traffic only: map the packet to a 6-tuple flow and increment stats. Identify source/destination hosts and increment stats. Use nDPI to identify the flow application protocol: UDP flows are identified in no more than 2 packets; TCP flows can be identified in up to 15 packets in total, otherwise the flow is marked as "Unknown". Move to the next packet.

15 PF_RING: In 2004 we realised that the Linux kernel was not efficient enough to fulfil our packet capture requirements, and thus we wrote an in-kernel circular buffer named PF_RING. The original PF_RING is a good solution up to 3/5 Gbit but not above, as the cost of copying each packet into the ring becomes excessive. PF_RING ZC (Zero Copy) is an extension that allows packets to be received/transmitted in zero copy, similar to FPGA-accelerated cards (e.g. …). Using PF_RING (ZC) with ntopng has several benefits: ntopng can scale to 10 Gbit and above by spawning several ntopng instances, each bound to a (few) core(s). It is possible to send the same packet to multiple apps.
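The packet processing journey (slide 14) and the local/remote host split (slide 11) as an added Python model; this is not ntopng's own C++ code. It assumes a single 192.168.1.0/24 "privileged" network, a two-signature classify() standing in for nDPI, a bidirectional 6-tuple key, and constructed packet dicts instead of a real capture.

```python
import ipaddress
from collections import defaultdict

# Assumed "privileged" local networks (the slides name no concrete prefixes).
LOCAL_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]
# Packet budgets for L7 identification, as stated on slide 14.
DPI_BUDGET = {"udp": 2, "tcp": 15}


def is_local(ip):
    """Slide 11: hosts in a privileged network are local, all others remote."""
    return any(ipaddress.ip_address(ip) in net for net in LOCAL_NETWORKS)


def classify(payload):
    """Toy stand-in for nDPI: two payload signatures, no port lookup."""
    if payload.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "HTTP"
    if payload.startswith(b"\x16\x03"):  # TLS record header
        return "TLS"
    return None


class FlowTable:
    def __init__(self):
        self.flows = {}  # 6-tuple key -> flow stats
        self.hosts = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def process(self, pkt):
        # Steps 2-3: only IPv4/IPv6 packets are mapped to a flow.
        if pkt["l3"] not in ("ip4", "ip6"):
            return None
        # Bidirectional 6-tuple: vlan, proto and the two sorted (ip, port) ends.
        a, b = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        key = (pkt["vlan"], pkt["proto"], a, b)
        flow = self.flows.setdefault(key, {"packets": 0, "bytes": 0, "l7": None})
        flow["packets"] += 1
        flow["bytes"] += pkt["len"]
        # Step 4: per-host counters, with the local/remote decision attached.
        for ip in (pkt["src"], pkt["dst"]):
            host = self.hosts[ip]
            host["packets"] += 1
            host["bytes"] += pkt["len"]
            host["local"] = is_local(ip)
        # Step 5: identify L7 within the per-transport budget, else "Unknown".
        if flow["l7"] is None:
            flow["l7"] = classify(pkt["payload"])
            if flow["l7"] is None and flow["packets"] >= DPI_BUDGET.get(pkt["proto"], 1):
                flow["l7"] = "Unknown"
        return flow


def pkt(l3, proto, src, sport, dst, dport, payload=b"", vlan=0):
    """Build a constructed sample packet (not a real capture); len = 40-byte headers + payload."""
    return dict(l3=l3, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
                payload=payload, vlan=vlan, len=40 + len(payload))
```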