Monitoring network traffic with ntopng

Eyes on the Network

Installation and Commissioning

For the common Linux distributions, including Raspbian, ntop provides separate package repositories for stable and nightly builds [6]. The nightly builds are more suitable for admins who like to try out the latest features; for production use, the stable versions are the obvious choice. On Ubuntu 18.04 LTS, the installation comprises the few simple commands shown in Listing 1. Note that Listing 1 fetches the small apt-ntop-stable.deb package over plain HTTP; that package configures the ntop apt repository (and the key apt will trust for it) on your system, so it is worth inspecting its contents (dpkg-deb -c apt-ntop-stable.deb) before installing it, and fetching it over HTTPS if the server offers it.

Listing 1

ntopng Installation

sudo apt install software-properties-common wget
sudo add-apt-repository universe
wget http://apt-stable.ntop.org/18.04/all/apt-ntop-stable.deb
sudo apt install ./apt-ntop-stable.deb
sudo apt clean all
sudo apt update
sudo apt install pfring nprobe ntopng ntopng-data n2disk cento nbox

The "Supernode Remote Access" box describes how ntopng sets up remote support.

Supernode Remote Access

Ntopng usually runs on the internal network and thus behind a firewall, NAT gateway, or both. Accordingly, it is difficult to get external support or help from other administrators when you need it. To solve this dilemma, the developers have equipped ntopng with a "remote assistance" feature based on network-to-network (n2n) VPN technology, which is a Layer 2/3 VPN on a peer-to-peer basis that uses what is known as a "supernode" to establish the connection between the support provider and the ntopng instance.

Like remote maintenance products such as TeamViewer, the ntopng server establishes an outbound connection to the supernode on the Internet, which is operated by the ntop developers. The external support provider in turn uses n2n to connect to the supernode and can then reach the ntopng installation of the person seeking help through this reverse tunnel. In other words, remote assistance deliberately hands a third party a path from the outside into your monitoring host, so enable it only for the duration of a support session and switch it off again afterwards. During installation, the ntopng user account is created; ntopng then runs with this account's privileges.

First Launch and Web Interface

Ntopng launches automatically after installation; you can reach the web interface directly at http://<IP address>:3000 . Unfortunately, the web server starts without encryption: the admin credentials and everything the interface displays cross the network in clear text, which is not a good idea for security reasons. HTTPS is available, but ntop ships with a self-signed SSL/TLS certificate that triggers warning messages in the browser. If you run ntopng under an official domain name, you can secure the SSL/TLS connection with a certificate from a public CA instead.

The free Let's Encrypt CA is a good way to do this; a step-by-step guide can be found in a blog post online [7]. For internal use, self-signed certificates are certainly justifiable. Disable the unencrypted listener and enable the SSL/TLS-protected web server by adding the following lines to the /etc/ntopng/ntopng.conf file,

--http-port=0
--https-port=443

and restarting ntopng by typing:

sudo systemctl restart ntopng

To avoid conflicts with other web servers, first make sure that no other service is already listening on TCP port 443 on the ntop server (for example, with ss -ltn). If the port is taken, you can move the ntopng HTTPS server to another port above 1024 (e.g., use --https-port=4443 and then log in with the URL https://<IP address>:4443 ).
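The steps above (check port 443, pick a port, write the two directives, restart, verify) can be scripted. The following is an added example and not code from the article or from the ntop project; it assumes the configuration file path /etc/ntopng/ntopng.conf used in the article, the fallback port 4443 the article suggests, and that iproute2's ss and openssl are installed on the ntop host. The port check parses the output of ss -ltnH (one listening TCP socket per line, local address in the fourth column), so it can be exercised offline with constructed listener lists.

```shell
#!/bin/sh
# Added example (not from the article or ntop): switch ntopng's web interface
# from plain HTTP on 3000 to HTTPS on 443 (or 4443 if 443 is already taken),
# then verify the result. Assumptions: config at /etc/ntopng/ntopng.conf,
# fallback port 4443, `ss` from iproute2, `openssl` available.

CONF="${NTOPNG_CONF:-/etc/ntopng/ntopng.conf}"   # assumed path (as in the article)

# port_in_use PORT LISTENERS
# LISTENERS is the text of `ss -ltnH`; the 4th column is "addr:port" and may
# look like 0.0.0.0:443, *:443 or [::]:443, so take the text after the last ':'.
port_in_use() {
    want="$1"
    printf '%s\n' "$2" | awk -v p="$want" '
        { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# choose_https_port LISTENERS -> 443 if free, otherwise the fallback 4443
choose_https_port() {
    if port_in_use 443 "$1"; then
        echo 4443
    else
        echo 443
    fi
}

# render_config PORT -> the two directives to append to ntopng.conf:
# disable the plain-HTTP listener, enable HTTPS on PORT
render_config() {
    printf '%s\n%s\n' '--http-port=0' "--https-port=$1"
}

# apply_config: run as root on the ntop host
apply_config() {
    https_port="$(choose_https_port "$(ss -ltnH)")"
    # drop any earlier --http-port/--https-port lines so each appears once
    sed -i '/^--https\{0,1\}-port=/d' "$CONF"
    render_config "$https_port" >> "$CONF"
    systemctl restart ntopng
    sleep 2
    # verify: nothing left on 3000, a listener on the chosen port
    if port_in_use 3000 "$(ss -ltnH)"; then
        echo "plain HTTP is still listening on 3000" >&2
        return 1
    fi
    if ! port_in_use "$https_port" "$(ss -ltnH)"; then
        echo "no listener on port $https_port" >&2
        return 1
    fi
    # confirm it really speaks TLS and show the (self-signed) certificate
    openssl s_client -connect "127.0.0.1:$https_port" -servername localhost </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -dates
}

if [ "${1:-}" = "apply" ]; then
    apply_config
fi
```

Run it as `sudo sh script.sh apply` on the ntop server; without the argument it only defines the functions. The final openssl call is the check worth keeping even if you edit the file by hand: it proves the chosen port answers with TLS rather than just being open.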

The first time you log in with the admin username and password, you are prompted to set a new password. Because the admin user cannot be disabled, set a very strong password for it and create a second user with admin rights for day-to-day administration. Click the gear (Settings) icon at the top right of the dashboard (Figure 1) to enter user management and create a new user. There you can also restrict each user individually to the network interfaces or networks they are permitted to evaluate.

Figure 1: The traffic dashboard is the heart of ntopng, showing the administrator a real-time view of traffic.

On the Command Line

You can also start ntopng with the desired parameters directly from the command line. For an overview of the available options, type ntopng -h. For example, if you want ntopng to monitor only certain network interfaces (by default, all network interface cards are monitored), specify them with the -i parameter:

ntopng -i eno1 -i enp3s0

You can just as easily disable DNS resolution completely, prevent automatic logout from the web interface (convenient on a trusted admin workstation, but it leaves idle sessions open indefinitely), or output a list of the application protocols recognized by ntopng:

ntopng -n 3
ntopng -q
ntopng --print-ndpi-protocols

and much, much more.
