Wednesday, September 24, 2014

Introduction to ntopng

ntopng

High-Speed Web-based Traffic Analysis and Flow Collection.


ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Win32 as well.
ntopng users can use a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. Its design relies on:
  • a web interface.
  • limited configuration and administration via the web interface.
  • reduced CPU and memory usage (they vary according to network size and traffic).

    What can ntopng do for me?


    • Sort network traffic according to many protocols
    • Show network traffic and IPv4/v6 active hosts
    • Store on disk persistent traffic statistics in RRD format
    • Geolocate hosts
    • Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
    • Characterise HTTP traffic by leveraging on characterisation services provided by block.si. ntopng comes with a demo characterisation key, but if you need a permanent one, please mail info@block.si.
    • Show IP traffic distribution among the various protocols
    • Analyse IP traffic and sort it according to the source/destination
    • Display IP Traffic Subnet matrix (who’s talking to who?)
    • Report IP protocol usage sorted by protocol type
    • Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks) when used together with nProbe.
    • Produce HTML5/AJAX network traffic statistics
    Platforms
    • Unix (including Linux, *BSD, and MacOSX)
    • Win32 (including the latest Windows 7/8)
    Web GUI
    A modern HTML 5 browser is needed to visualise ntopng traffic statistics.
    Requirements
    • Memory Usage
      It depends on the ntop configuration, number of hosts, and number of active TCP sessions. In general it ranges from a few MB (little LAN) to 100 MB for a WAN.
    • CPU Usage
      It depends on the ntop configuration, and traffic conditions. On a modern PC and large LAN, it is less than 10% of overall CPU load.
    Protocols
    • IPv4/IPv6
    • All IP protocols supported by nDPI (~170 and counting)
    • …and many more
    Extensibility
    The ntopng engine is scripted using the LuaJIT language. Users can extend the web interface as well as modify it in real time without having to code into the ntopng C++ engine.
    Additional Features
    • sFlow, NetFlow (including v5 and v9) and IPFIX support through nProbe
    • Network Flows
    • Local Traffic Analysis
    • Lua lightweight API for extending ntop via scripts
    • Support of both NetFlow and sFlow as flow collector. ntop can collect simultaneously from multiple probes.
    • Traffic statistics are saved into RRD databases for long-run traffic analysis.
    • Internet Domain, AS (Autonomous Systems), VLAN (Virtual LAN) Statistics.
    • Protocol decoders for all application protocols supported by nDPI.
    • Advanced HTTP password protection with encrypted passwords
    • RRD support for persistently storing per-host traffic information

    Using ntopng as Flow Collector


    In ntopng we have decided to collect flows through nProbe, which can act as probe/proxy. This is because we wanted to keep the ntopng engine simple and clean from flow-based application needs. The communication between nProbe and ntopng happens through ZeroMQ, which decouples ntopng from nProbe. You can collect flows as follows:
    1. Start nProbe that will act as a probe for ntopng
      nprobe --zmq "tcp://*:5556" -i .....
    2. Start ntopng that will act as a collector (it listens on local port 5556)
      ntopng -i "tcp://127.0.0.1:5556"
    Flows exchanged between nProbe and ntopng are formatted in JSON and not in the standard sFlow/NetFlow format.
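    To make the JSON side of this concrete, here is an added example (not ntopng or nProbe code) of the kind of aggregation a collector performs on such flows: it parses a newline-delimited JSON feed, skips a truncated record instead of dying on it, and sorts bytes per source host, per nDPI protocol and per (source, destination) pair, as the ntopng views above do. The NetFlow-style key names (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_DST_PORT, PROTOCOL, IN_BYTES, L7_PROTO_NAME) are assumptions, and all sample flows are constructed.

```python
# Added example, not ntopng/nProbe code: aggregate JSON flow records of the
# kind nProbe hands to ntopng over ZeroMQ. The NetFlow-style key names
# (IPV4_SRC_ADDR, IPV4_DST_ADDR, L4_DST_PORT, PROTOCOL, IN_BYTES,
# L7_PROTO_NAME) are assumptions; every flow below is constructed.
import json
from collections import Counter

# Constructed feed: one JSON object per line, plus one truncated record to
# show that a bad line is skipped rather than crashing the collector.
SAMPLE_FEED = "\n".join([
    json.dumps({"IPV4_SRC_ADDR": "192.168.1.10", "IPV4_DST_ADDR": "93.184.216.34",
                "L4_DST_PORT": 443, "PROTOCOL": 6, "IN_BYTES": 1500,
                "L7_PROTO_NAME": "SSL"}),
    json.dumps({"IPV4_SRC_ADDR": "192.168.1.10", "IPV4_DST_ADDR": "192.168.1.53",
                "L4_DST_PORT": 53, "PROTOCOL": 17, "IN_BYTES": 120,
                "L7_PROTO_NAME": "DNS"}),
    json.dumps({"IPV4_SRC_ADDR": "192.168.1.20", "IPV4_DST_ADDR": "93.184.216.34",
                "L4_DST_PORT": 80, "PROTOCOL": 6, "IN_BYTES": 900,
                "L7_PROTO_NAME": "HTTP"}),
    '{"IPV4_SRC_ADDR": "192.168.1.30", "IN_BYTES": 4',  # truncated on the wire
])


def parse_flows(feed):
    """Return the well-formed flow objects in a newline-delimited JSON feed."""
    flows = []
    for line in feed.splitlines():
        try:
            obj = json.loads(line)
        except ValueError:
            continue  # malformed record: drop it and keep collecting
        if isinstance(obj, dict):
            flows.append(obj)
    return flows


def bytes_by(flows, key, default="Unknown"):
    """Bytes grouped by one flow field, e.g. source host or nDPI protocol name."""
    totals = Counter()
    for f in flows:
        totals[f.get(key, default)] += int(f.get("IN_BYTES", 0))
    return totals


def talk_matrix(flows):
    """Who is talking to whom: bytes per (source, destination) pair."""
    pairs = Counter()
    for f in flows:
        pairs[(f.get("IPV4_SRC_ADDR"), f.get("IPV4_DST_ADDR"))] += int(f.get("IN_BYTES", 0))
    return pairs


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FEED)
    print("top talkers:", bytes_by(flows, "IPV4_SRC_ADDR").most_common())
    print("per protocol:", bytes_by(flows, "L7_PROTO_NAME").most_common())
```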
