ntopng: Realtime Network Traffic View
Academic year: 2021

(2)

In 1998 the original ntop was created, available for Unix and Windows under the GPL. Contrary to many tools available at that time, ntop used a web GUI to report traffic activities, modern enough to be usable from 90s mobile phones.

(3)

• Clean separation between the monitoring engine and the reporting facilities.

• Robust, crash-free engine (ntop was not really so).

• Platform scriptability for enabling extensions and changes at runtime without restart.

• Realtime: most monitoring tools aggregate data (5 mins usually) and present it when it’s too late.

• Many new features including HTML 5-based dynamic GUI, categorization, (generic) flow collection, system drill-down, DPI.

(4)
(5)

• The C++ monitoring engine is designed to be fast (10 Gbit line rate), resource savvy, and accessible via Lua scripts.

• Scriptability enables the creation of dynamic HTML 5 pages without having to understand or modify the inner ntopng engine or low-level monitoring concepts.

• In ntopng every object is serialisable in JSON (JavaScript Object Notation), the native format that modern web browsers can handle.

• This means that through HTTP and JavaScript you can create dynamic web pages for realtime monitoring, as every activity in ntopng is asynchronous.

(6)

• A design principle of ntopng has been the clean separation of the GUI from engine (in ntop it was all mixed).

• This means that ntopng can (also) be used (via HTTP) to feed data into third-party apps such as Nagios or OpenNMS.

• All data export from the engine happens via Lua.

• Lua methods invoke the ntopng C++ API in order to interact with the monitoring engine.

PS: Lua is a simple-to-use, fast, crash-free scripting language that is used to script many popular applications ranging from Wireshark to network-based games.

(7)

• In essence ntopng is your source of traffic monitoring information.

• Data sources include:

• Captured packets (native in ntopng).

• Collected flows (NetFlow/sFlow sent by nProbe).

• Collected events received via ØMQ (e.g. firewall events or syslog).

• As ntopng natively speaks JSON, it can export monitoring data towards applications such as:

• Splunk

• Kibana/ElasticSearch

(8)

• We have developed a free (GPLv3) Splunk application (available on the Splunk store) that shows how to collect generic (e.g. flows) or specific (e.g. HTTP) traffic and visualise it.

(9)

• Similar to Splunk, it is possible to export live traffic reports to LogStash/ElasticSearch/Kibana/NetEye.

• nProbe (soon ntopng too) allows live JSON streaming to such apps as follows:

--tcp <elasticsearch host>:<port>

• For those brave enough to move to the next level, we are working on a direct ntop -> Hadoop Distributed File System (HDFS) integration so that you can store all events and flows on a big data system.

• Currently we support Apache Kafka (distributed messaging), but we are planning to add native support for Flume in the foreseeable future.

Integrating Live ntop Apps with

(10)

• In ntopng all counters can be polled by the browser (or any other application via HTTP) while they are updated.

• All charts, graphs, counters report the current value without delays.

(11)

• Most monitoring tools are not able to show what is happening while it is happening.

• Paradigms such as flow-based monitoring are inherently non-realtime as they accumulate packets for some time (e.g. 1 or 2 mins) and then report average values.

• SNMP-based monitoring tools poll counters every 5 minutes, so you will always see average values.

• So, is realtime view just a plus or a compulsory feature?

(12)

• Using average counters you miss many details that might explain why your network performance is poor.
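To make the point of slides 11 and 12 concrete, here is an added example (not from the ntop slides) that simulates a constructed 1 Gbit/s link carrying a 20-second saturating burst and compares what a per-second (realtime) view, a 1-minute flow-style aggregate, and a 5-minute SNMP-style poll would each report against a 90% utilisation alert threshold. Link speed, burst timing and threshold are all constructed values.

```python
"""Why averaged counters hide bursts: constructed per-second samples.

Added example, not part of the ntop slides: a 1 Gbit/s link is idle
(5% utilisation) except for a 20 s burst that saturates it. The same
samples are then averaged over 1 s, 60 s and 300 s windows to show
which windows would ever cross a 90% alert threshold.
"""

LINK_BPS = 1_000_000_000  # constructed: 1 Gbit/s link


def constructed_samples(seconds=300, burst_start=100, burst_len=20):
    """Bytes observed per second: 5% baseline, 100% during the burst."""
    samples = []
    for t in range(seconds):
        if burst_start <= t < burst_start + burst_len:
            samples.append(LINK_BPS // 8)        # link saturated
        else:
            samples.append(LINK_BPS // 8 // 20)  # 5% utilisation
    return samples


def utilisation_by_window(samples, window):
    """Average utilisation (0..1) over consecutive windows of `window` seconds.

    This is what a poller or flow aggregator with that interval would see:
    one number per window, the per-second detail inside it is gone.
    """
    out = []
    for i in range(0, len(samples), window):
        chunk = samples[i:i + window]
        avg_bytes = sum(chunk) / len(chunk)
        out.append(avg_bytes * 8 / LINK_BPS)
    return out


def peak_utilisation(samples, window):
    """Highest window average, i.e. the worst value the tool could report."""
    return max(utilisation_by_window(samples, window))


def saturation_visible(samples, window, threshold=0.9):
    """True if at least one window average crosses the alert threshold."""
    return peak_utilisation(samples, window) >= threshold


if __name__ == "__main__":
    s = constructed_samples()
    for w in (1, 60, 300):
        print(f"{w:>3}s window: peak utilisation {peak_utilisation(s, w):.0%}, "
              f"alert fires: {saturation_visible(s, w)}")
```

With the 1-second view the burst shows as 100% utilisation and the alert fires; the 60-second aggregate dilutes the same burst to about 37% and the 5-minute poll to about 11%, so neither would ever raise the alarm. The burst is the same in every case; only the observation window changes.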

(13)

• ntopng is scriptable even for generating alarms based on traffic conditions.

• Lua can be used to extend the built-in alarms, so that ntopng can trigger events “à la carte”, as every network administrator knows their own network best.
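Slide 9 describes ntopng/nProbe streaming flows as newline-delimited JSON, and slide 13 describes scripting alarms on traffic conditions. The added example below (not code from the ntop project, and in Python rather than ntopng's Lua) ties the two together: it reads a constructed JSON flow export, skips a malformed line the way a consumer of a live feed must, and evaluates two administrator-defined rules, a per-host byte-volume threshold and a distinct-destination-port threshold. The field names (`src`, `dst`, `dport`, `proto`, `bytes`) and both thresholds are this example's own assumptions, not the real ntopng/nProbe export schema.

```python
"""Traffic-condition alerts over a JSON flow export.

Added example, not from the ntop slides or project. The records below are
constructed newline-delimited JSON flows; the field names are an assumption
made for this example and do not reproduce the real ntopng/nProbe schema.
"""
import json
from collections import defaultdict

# Constructed sample export (NDJSON). The last line is deliberately not JSON.
FLOW_EXPORT = """\
{"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "proto": "TLS", "bytes": 182000}
{"src": "10.0.0.5", "dst": "10.0.0.80", "dport": 443, "proto": "TLS", "bytes": 91000}
{"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 22, "proto": "SSH", "bytes": 4200}
{"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 23, "proto": "Unknown", "bytes": 120}
{"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 80, "proto": "HTTP", "bytes": 640}
{"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 3306, "proto": "Unknown", "bytes": 100}
{"src": "10.0.0.7", "dst": "10.0.0.80", "dport": 8080, "proto": "Unknown", "bytes": 100}
{"src": "10.0.0.9", "dst": "10.0.0.1", "dport": 53, "proto": "DNS", "bytes": 300}
this line is not JSON and must be skipped rather than crash the consumer
"""

BYTES_THRESHOLD = 200_000      # constructed: bytes per source host per interval
DISTINCT_PORTS_THRESHOLD = 5   # constructed: (dst, port) pairs per source host


def parse_flows(text):
    """Yield flow dicts from NDJSON text, dropping malformed or incomplete lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # a live feed may carry partial lines; never let one stop the rules
        if {"src", "dst", "dport", "bytes"} <= rec.keys():
            yield rec


def evaluate_alerts(flows):
    """Return a sorted list of (host, rule, value) for every rule that fires.

    Two "à la carte" rules an administrator might script:
      bytes_threshold: a host moved more than BYTES_THRESHOLD bytes this interval
      distinct_ports:  a host touched DISTINCT_PORTS_THRESHOLD or more (dst, port) pairs
    """
    bytes_by_src = defaultdict(int)
    targets_by_src = defaultdict(set)
    for f in flows:
        bytes_by_src[f["src"]] += int(f["bytes"])
        targets_by_src[f["src"]].add((f["dst"], int(f["dport"])))

    alerts = []
    for host, total in bytes_by_src.items():
        if total > BYTES_THRESHOLD:
            alerts.append((host, "bytes_threshold", total))
    for host, targets in targets_by_src.items():
        if len(targets) >= DISTINCT_PORTS_THRESHOLD:
            alerts.append((host, "distinct_ports", len(targets)))
    return sorted(alerts)


if __name__ == "__main__":
    for host, rule, value in evaluate_alerts(parse_flows(FLOW_EXPORT)):
        print(f"ALERT {rule}: host {host}, value {value}")
```

Running the rules over the constructed export flags 10.0.0.5 for volume (273000 bytes in the interval) and 10.0.0.7 for touching five distinct destination ports, while 10.0.0.9 stays quiet. Because the rules run on each interval's records as they arrive, the alert is raised while the condition exists, which is the realtime property the slides argue for.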

(14)

• Analysing network packets is definitely a simple way to see what happens on a network. But…

• Some protocols are encrypted (more and more will be).

• Sniffing traffic is not always an option (privacy, need to set up network taps/SPAN ports…).

• How can you capture traffic on your cloud-based VMs?

• You are unable to understand what is really happening on your core servers, where even serving a simple HTML page is complex (reverse proxy <-> HTTP server <-> PHP script <-> Database).

• In essence: can we finally monitor our services at high granularity, without sniffing traffic, watching process interactions and pin-pointing resource waste (CPU, memory, I/O, network)?

(15)

• At ntop we have decided that it was time to complement our traditional network-based tools with an (optional) agent, installed on every monitored system we want to drill down into, able to view in realtime what a network probe will never be able to see.

• Leveraging sysdig, an open-source technology developed by the creators of WinPcap and Wireshark, we are working on a system probe (thus the name sProbe) that is able to view what is happening on a system.

• sProbe is initially available for Linux but it will be ported to other platforms (including Windows) in the near future.

(16)

• It is a system probe that can track in realtime all activities:

• Network

• I/O

• CPU Usage

• Memory

• In essence it can tell you:

• Where inside your system the bottleneck is.

• What user and application caused the bottleneck.

• What latency is introduced by each and every active application.

• What network activities are performed by which application.

• What the real network protocol is, complementing DPI.

• All live, in realtime, while the bottleneck is happening.

(17)

sProbe Processes Drill Down [1/2]

Live Traffic View and

Live Latency View Client vs Server

(18)
(19)

Flows View

(with Details You Have Never Seen Before)

Who is Doing What System Load

(20)
(21)

• Combining system with network view allows you to spot where your bottlenecks are.

• You can drill down in realtime down to users and processes to identify exactly what is happening where.

• We can measure traffic activities as well as latency with an accuracy the network cannot offer (microseconds) and with high reliability.

• You can install sProbe on those systems where capturing traffic would not be possible or feasible (VMs and cloud services).

• sProbe migrates with your elastic services when servers dynamically grow, move, or shrink.

(22)

• Monitoring realtime activities is compulsory today.

• Periodic activity monitoring does not allow bottlenecks to be spotted properly (we know we have a problem, but we are unable to say exactly who is responsible for it).

• Thanks to the asynchronous and multithreaded ntopng monitoring platform, it is possible to report live activities while triggering alerts, analysing network traffic, and exporting data to third-party products via HTTP/JSON.

• All at 10 Gbit, using the open source software ntop has created.
