Monitoring network traffic with ntopng
Eyes on the Network
Installation and Commissioning
For the Linux distributions, including Raspbian, ntop provides a separate repository each for stable and nightly builds [6]. The nightly builds are more suitable for admins who like to try out the latest features. For production use, the stable versions are the more obvious choice. On Ubuntu 18.04 LTS, the installation comprises the few simple commands shown in Listing 1.
Listing 1
ntopng Installation
sudo apt install software-properties-common wget sudo add-apt-repository universe wget http://apt-stable.ntop.org/18.04/all/apt-ntop-stable.deb sudo apt install ./apt-ntop-stable.deb ** sudo apt clean all sudo apt update sudo apt install pfring nprobe ntopng ntopng-data n2disk cento nbox
The "Supernode Remote Access" box describes how ntopng sets up remote support.
Supernode Remote Access
Ntopng usually runs on the internal network and thus behind a firewall, NAT gateway, or both. Accordingly, it is difficult to get external support or help from other administrators when you need it. To solve this dilemma, the developers have equipped ntopng with a "remote assistance" feature based on network-to-network (n2n) VPN technology, which is a Layer 2/3 VPN on a peer-to-peer basis that uses what is known as a "supernode" to establish the connection between the support provider and the ntopng instance.
Like remote maintenance products such as TeamViewer, the ntopng server establishes a connection to the supernode on the Internet, which is operated by the ntop developers. The external support provider in turn uses n2n to connect to the supernode and can then access the ntopng installation of the person seeking help with a reverse tunnel. During installation, the ntopng user account is created; ntopng then runs with this account's privileges.
First Launch and Web Interface
Ntopng launches automatically after installation; you can access the web interface directly over http://<IP address>:3000 . Unfortunately, the web server launches with an unencrypted connection; this setup is not a good idea for security reasons because ntop is delivered with self-signed SSL certificates that throw warning messages in the browser. If you prefer to run ntopng under an official domain name, you can secure the SSL/TLS connection with an official certificate.
The free Let's Encrypt CA is a good way to do this. A step-by-step guide can be found in a blog post online [7]. For internal use, self-signed certificates are certainly justifiable: Disable the unencrypted connection and enable the SSL-protected web server by adding the following lines to the /etc/ntopng/ntopng.conf file,
--http-port=0 --https-port=443
and restarting ntopng by typing:
sudo systemctl restart ntopng
To avoid conflicts with other web servers, you will want to make sure first that another web server is not already using TCP port 443 on the ntop server. If this cannot be avoided, you can move the ntopng HTTP server to another port above 1024 (e.g., use --https-port=4443 and then log in with the URL https://<IP address>:4443
).
The first time you log in with the admin username and password, you will be prompted to set a new password. Because the admin user cannot be disabled, you will want to set a very secure password for this user and define a second user with admin rights for administration work later on. Click on the gear (Settings) icon top right on the dashboard (Figure 1) to enter user management and create a new user. From the dashboard, you can assign to each user individually the network interfaces or networks they are permitted to evaluate.
Figure 1: The traffic dashboard is the heart of ntopng, showing the administrator a real-time view of traffic.
On the Command Line
You can also start ntopng with the desired parameters directly at the command line. For an overview of the available options, type ntopng -h. For example, if you want ntopng to monitor only certain network interfaces (by default, all network interface cards are monitored), simply specify them with the -i parameter:
ntopng -i en01 -i enp3s0
You can just as easily disable DNS resolution completely, prevent automatic logout from the web interface, output a list of the application protocols recognized by ntopng as follows
ntopng -n 3 ntopng -q ntopng --print-ndpi-protocols
and much, much more.
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
New versions of the Endian and Sophos UTM solutions
UTM systems combat all kinds of dangers under the policy of Unified Threat Management. The demands and expectations of customers fuel competition. Two of the most popular manufacturers – Endian and Sophos – have now released new versions of their solutions. -
Improved visibility on the network
OpenNMS collects and visualizes flows so you can discover which network devices communicate with each other and the volume of data transferred. -
Successful protocol analysis in modern network structures
Virtual networks and server structures require additional mechanisms to ensure visibility of data streams. We show how to monitor and analyze network functions, even when virtualization is involved. -
Open Source Security Information and Event Management system
Systems, network, and security professionals face a big problem managing disparate security data from a variety of sources. OSSIM gives IT security professionals the capacity to cut through the noise and gain wisdom and foresight in defending and managing their networks. -
Implementing custom security frameworks with Bro
The Bro security framework takes a new approach to security monitoring, with the emphasis on trends and long-term analysis.