• No results found

Monitoring Network Traffic using ntopng

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Monitoring Network Traffic using ntopng"

Copied!
58
0
0

Loading.... (view fulltext now)

Download now ( 58 Page )

Full text

(1)

Monitoring Network Traffic using ntopng

(2)

Outlook

• What are the main activities of ntop.org ? • ntop’s view on network monitoring.

• From ntop to ntopng.

• ntopng architecture and design. • Using ntopng.

• Advanced monitoring with ntopng. • Future roadmap items.

(3)
(4)

About ntop.org [1/2]

• Private company devoted to development of

open source network traffic monitoring applications.

• ntop (circa 1998) is the first app we released and

it is a web-based network monitoring application.

• Today our products range from traffic

monitoring, high-speed packet processing, deep-packet inspection, and IDS/IPS acceleration.

(5)

About ntop.org [2/2]

• Our software is powering many commercial

(6)

Problem Statement [1/2]

• In 90s standard-based (e.g. RMON) and

proprietary solutions (e.g. HP OpenView) were dominating the market.

• The explosion of the Internet(working) reduced

the number of vendors but increased the number of monitoring devices and protocols.

• ntop tried to fill the lack of simple traffic

monitoring application releasing the original ntop application aimed at simplifying the analysis of

(7)

Problem Statement [2/2]

• Today the market is partially driven by hardware

manufacturers that manufacture costly, limited (usually no analysis beyond packet header) and often not extensible solutions.

• Consequences:

◦ Monitoring evolution is capped by hardware vendors.

◦ Commercial probes monitor what the vendor wants (e.g. Cisco TelePresence) and not what the user needs.

◦ Often people believe in speed=hardware, so they buy hardware probes that are unlike to provide timely

(8)

ntop Goals

• Provide better, yet price effective, traffic

monitoring solution by enabling users to have increased traffic visibility.

• Go beyond standard metrics and increase traffic

visibility by analyzing key protocols in detail.

• Provide users comprehensive and accurate traffic

reports able to offer at a fraction of price what many commercial products do together.

(9)

ntop’s Approach to Traffic Monitoring

• Ability to capture, process and (optionally)

transmit traffic at line rate, any packet size.

• Leverage on modern multi-core/NUMA

architectures in order to promote scalability.

• Use commodity hardware for producing

affordable, long-living (no vendor lock), scalable (use new hardware by the time it is becoming available).

(10)

Network Health Monitoring is

Complex

• Traditional network monitoring systems can limit their

supervision activities to “home” networks.

• Mobile users, intra-VM data exchange, or cloud services

are often invisible to network monitoring systems.

• Traditional firewalls are becoming blind as:

◦ Generic (e.g. HTTP) protocols can be used to tunnel non-hypertext services (e.g. music streaming).

◦ HTTPS is not checked so often it flows unrestricted.

• Cloud services access can’t be monitored with simple

(11)

Limitations of (Many) Monitoring Systems

• Visibility limited to packet header (payload

agnostic).

• Packet encapsulations (e.g. GRE, PPP, GTP) are

not always handled, so that we don’t know what happens inside tunnels.

• Unable to monitor intra-virtual machines (VMs)

traffic (no cloud-friendly).

• Windows PCs are not first-class citizens.

(12)

Some History

• In 1998, the original

ntop has been created.

• It was a C-based app

embedding a web server able to capture traffic

and analyze it.

• Contrary to many tools available at that time,

ntop used a web GUI to report traffic activities. It is available for Unix and Windows under GPL.

(13)

ntop Architecture

HTTP/HTTPS RRD Cisco NetFlow

(14)

Why was ntop obsolete?

• Its original LAN-oriented design prevented ntop

from handling more than a few hundred Mbit.

• The GUI was an old (no fancy HTML 5)

monolithic piece written in C so changing/ extending a page required a programmer.

• ntop could not be used as web-less monitoring

engine to be integrated with other apps.

• Many components were designed in 1998, and it

(15)

ntopng Design Goals

• Clean separation between the monitoring engine

and the reporting facilities.

• Robust, crash-free engine (ntop was not really so). • Platform scriptability for enabling extensions or

changes at runtime without restart.

• Realtime: most monitoring tools aggregate data (5

mins usually) and present it when it’s too late.

• Many new features including HTML 5-based

(16)

ntopng Architecture

• Three different and self-contained components,

communicating with clean API calls.

Users

HTTP

Lua-based Web Reports nDPI-based C++ Monitoring Engine PF_RING Kernel Module

and Drivers InternetTraffic

Lua API Calls

PF_RING C API Calls (Linux) Kernel

(17)

PF_RING (Circa 2003)

Read Index Write Index Incoming Packets

Outgoing Packets Userspace

Kernel Socket (ring) Network Adapter mmap() Socket (ring) PF_RING Application A Application Z

(18)

Vanilla vs DNA (Direct NIC Access)

Device Driver Application DMA PF_RING Userland Kernel Circular Buffer NAPI Polling PF_RING Polling Device Driver Application DMA Accelerated Cards Userland Kernel NIC Memory Map FPGA Application Polling

(19)

PF_RING DNA: Features

• DNA is a Linux kernel-bypassing technology developed

by ntop/Silicom for 1/10 Gbit network adapters.

• It can receive/transmit traffic at line rate any packet size

(14.88 Mpps, 60+4 bytes) using x86 servers.

• Feature-rich set of companion tools distributed in

source format (e.g. line-rate traffic generation and pcap traffic replay) so that people can customize and use existing (pcap-based) apps as low-cost

alternatives to hardware-based tools (e.g. traffic generator).

(20)

ntopng Monitoring Engine

• Coded in C++ and based the concept of flow (se

of packets with the same 6-tuple).

• Flows are inspected with a home-grown

DPI-library named nDPI aiming to discovering the “real” application protocol (no ports are used).

• Information is clustered per:

 (Capture) Network Device  Flow

(21)

Information Lifecycle

• All information (e.g. hosts and flows) is stored in

memory.

• Using command line options, users can specify

how many hosts/flows can be kept in memory.

• Idle flows and are periodically purged to free

memory.

• Hosts are serialized and stored in JSON format

in Redis for 1 hour, so that in case new traffic is detected ntopng can restore them from cache.

(22)

Packet Processing Journey

1.Packet capture: PF_RING (Linux) or libpcap. 2.Packet decoding: no IP traffic is accounted. 3.IPv4/v6 Traffic only:

1.Map the packet to a 6-tuple flow and increment stats.

2.Identify source/destination hosts and increment stats.

3.Use nDPI to identify the flow application protocol

1.UDP flows are identified in no more than 2 packets.

2.TCP Flows can be identified in up to 15 packets in total, otherwise the flow is marked as “Unknown”.

(23)

The need for DPI in Monitoring [1/2]

• Limit traffic analysis at packet header level it no

longer enough (nor cool).

• Network administrators want to know the real

protocol without relying on the port being used.

• Selected protocols can be “precisely

dissected” (e.g. HTTP) in order to extract

information, but on the rest of the traffic it is

necessary to tell network administrators what is the protocol flowing in their network.

(24)

The need for DPI in Monitoring [2/2]

• DPI (Deep Packet Inspection) is a technique for inspecting

the packet payload for the purpose of extracting metadata (e.g. protocol).

• There are many DPI toolkits available but they are not

what we looked for as:

◦ They are proprietary (you need to sign an NDA to use them), and

costly for both purchase and maintenance.

◦ Adding a new protocol requires vendor support (i.e. it has a high

cost and might need time until the vendor supports it) = you’re locked-in.

(25)

Say hello to nDPI

• ntop has decided to develop its own GPL DPI

toolkit in order to build an open DPI layer for ntop and third party applications.

• Supported protocols (~170) include:

◦ P2P (Skype, BitTorrent)

◦ Messaging (Viber, Whatsapp, MSN, The Facebook)

◦ Multimedia (YouTube, Last.gm, iTunes)

◦ Conferencing (Webex, CitrixOnLine)

◦ Streaming (Zattoo, Icecast, Shoutcast, Netflix)

(26)
(27)

Is nDPI Computationally Expensive?

• nDPI requires

◦ Full packet payload capture (free with PF_RING DNA).

◦ Inspection of the packet payload.

• The above activities are not cheap, but they are

performed only at the beginning of the

connection: the longer is the connection the cheaper.

• nDPI increases the application load of less than

(28)

ntopng and Redis

• Redis is an open source key-value in-memory

database.

• ntop uses it to cache data such as:

◦ Configuration and user preferences information.

◦ DNS name resolution (numeric to symbolic).

◦ Volatile monitoring data (e.g. hosts JSON representation).

• Some information is persistent (e.g. preferences)

(29)

Welcome to the MicroCloud [1/2]

Cloud Node (redis) Cloud Node (redis) Cloud Node (redis) Cloud Get/Put Cloud Get/Put nProbe nProbe ntopng Cloud Get/Put Cloud Get/Put MicroCloud Monitoring Application Cloud Subscribe Cloud Get n n n n n n

(30)

Welcome to the MicroCloud [2/2]

• The microcloud is a semi-persistent cache, used

to aggregate heterogeneous data onto a single place for promoting data correlation and thus better traffic visibility.

• ntopng is a first-class microcloud citizen, but

additional applications (e.g. WinLogon, Captive Portals) can fill the cloud or access (read-only) data present on it.

(31)

Using the MicroCloud

• Typical usage scenarios include:

◦ Store the DNS cache and HTTP host, so that we can associate the correct symbolic hostname to a flow

(often a issue in particular with CDNs).

◦ Keep coherency across tunnels (e.g. GTP) so that probes can associate traffic directions properly.

◦ Store user-data (e.g. Radius IP/User association) so that the probe, can report collectors both the username

who produced a given flow and the symbolic flow hostnames.

(32)

Lua-based ntopng Scriptability [1/3]

• A design principle of ntopng has been the clean

separation of the GUI from engine (in ntop it was all mixed).

• This means that ntopng can (also) be used (via

HTTP) to feed data into third party apps such as Nagios or OpenNMS.

• All data export from the engine happens via Lua. • Lua methods invoke the ntopng C++ API in order

(33)

Lua-based ntopng Scriptability [2/3]

• /scripts/callback/

scripts are executed

periodically to perform specific actions.

• /scripts/lua/ scripts

are executed only by the web GUI.

• Example:

(34)

Lua-based ntopng Scriptability [3/3]

• ntopng defines (in C++) two Lua classes:

◦ interface

Hook to objects that describe flows and hosts.  Access to live monitoring data.

◦ ntop

 General functions used to interact with ntopng configuration.

• Lua objects are usually in “read-only” mode

◦ C++ sets their data, Lua reads data (e.g. host.name).

◦ Some Lua methods (e.g. interface.restoreHost()) can however modify the information stored in the engine.

(35)

Multithreading in ntopng

• ntopng can monitor simultaneously various

network interfaces, each using a thread.

• Packet processing per-interface is lockless.

• Lua scripts can access monitoring data while

packets are being processed: locks occur in very few places and are not per-packet.

• Multiple Lua scripts and HTTP requests can be

served (on different threads) while packets are being processed.

(36)
(37)
(38)
(39)
(40)
(41)
(42)
(43)
(44)
(45)
(46)

Activity Map

• 1 second resolution host and aggregation activity • Compressed bitmap

• Saved persistently on disk (Local Hosts only)

> ls -l client14.dropbox.com

(47)

Traffic Aggregations [1/2]

• nDPI extracts specific attributes from traffic that

ntopng aggregates (if configured):

◦ DNS/Whois responses

◦ HTTP host names

◦ Operating System (from HTTP headers)

• Aggregations can be enabled (they are off by

(48)
(49)
(50)

Geolocation

Map Centered Using HTML 5 Geolocation Maxmind GeoIP

(51)
(52)

Historical Activities

• All relevant counters are saved on disk in RRD. • Interface counters are saved with 1 second

resolution. Hosts counters every 5 minutes.

Ajax-based charts (no RRD graphs)

(53)

Using ntopng as a Live Data Source

• ntopng is a server able to serve data to third

party applications via HTTP.

• Data is exported via JSON.

(54)
(55)

Using ntopng with NetFlow/sFlow

• ntopng can handle flows (Net/sFlow) via nProbe.

• Data Collector (ntopng)

◦ ntopng -i tcp://127.0.0.1:5556

• Probe (nProbe)

nprobe --zmq "tcp://*:5556" -i eth1 -n none (probe mode)

◦ nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055 (sFlow/NetFlow collector mode)

(56)

Embedding ntopng [1/2]

• Historically we have started our first embed

attempt in 2003 with the Cyclades TS100.

• The nBox was used to analyze traffic then sent to

ntop for representation.

(57)

Embedding ntopng [2/2]

• The ntopng code compiles smoothly for cheap

(36 Euro) boxes such as the BeagleBone Black.

• You can now create

your personal/cheap traffic analyzer

without having to use a PC.

• Post 1.1 release we

(58)

Final Remarks

• Over the past 15 years ntop created a software

framework for efficiently monitoring traffic.

• “We have a story to tell you, not just hacks”.

• Commodity hardware, with adequate software,

can now match the performance and flexibility that markets require. With the freedom of open source.

• Available under GNU GPLv3 from

References

Download now ( PDF - 58 Page - 3.97 MB )

Related documents

Discourses of widening participation and social inclusion

Adopting a Foucauldian genealogical approach I explore the ways in which a specific widening participation initiative, that of Adult Learners’ Week (ALW), has been used by

Sex workers in Nairobi: Services users at BHESP

This study finds economic empowerment and skills development of young female sex workers are a priority for BHESP and other partners in their future work and programing.. Most of

Land Market With Fragmented Landownership Rights in Bulgaria: An Institutional Approach

The reasons for comparatively high level of land fragmentation in the Plovdiv case are: most of the land is restituted in old real boundaries; no subdivided property rights

ONLINE COUNSELLING SYSTEM

• General counseling :- Candidates in General Category enter in this counseling then he is allotted to see the status of vacant and occupied gen- eral eats in every institute

MESKUK & ZIYNET TURKISH STATE MINT SECTIONS. The Turkish State Mint was founded in 1452 by the Ottoman Sultan Mehmet II.

Meskuks and Ziynets do not record the gold purity, weight of fine gold content or legal tender value on their obverse or reverse sides... *Based on normal

How To Get A Credit Card From A Bank With A Creditcard

[r]

Phase 4: Evaluate Safer Medical Device(s)

We asked staff participating in the trial to consider the following characteristics: Ease of safety feature activation, quality of the retraction mechanism, the weight of the

MARCH 14, 2014 VOLUME 289 NUMBER 11 JOURNAL OF BIOLOGICAL CHEMISTRY 7505

fibroblasts but not in bronchial or alveolar epithelial cells; (iii) PKA activation mediates the antifibrotic effects of noscapine; and (iv) the mechanism of PKA stimulation