Maybe you’ve asked yourself what’s going on in the network at the moment. Why is the Internet currently running slow? Who is using the bandwidth, and what are they downloading?
To answer those questions, you need an intuitive, visual dashboard where you can quickly get an overview of the current state of the network traffic, but also dig into the details of who is using what. You can monitor your network traffic on your main firewall or router, but usually those devices don’t give a clear way to see what’s happening in real time. More commonly, your router or firewall device can export netflow traffic statistics to another system, which can then display them in a more convenient way.
Ntopng – Web based traffic analysis tool
Ntopng is a more sophisticated version of the original ntop. It shows network usage similar to what ntop does.
Also, ntopng can be used as flow collector through nProbe.
Installing Ntopng and Nprobe
Before introducing what ntopng can do for you, we will first show you how to install it. Here are the commands for installing on an Ubuntu 14.04 virtual machine. Alternatively, you can start the Ntopng image from the VapourApps Dashboard.
/bin/echo -e "deb http://www.nmon.net/apt-stable/14.04/ x64/\ndeb http://www.nmon.net/apt-stable/14.04/ all/" > /etc/apt/sources.list.d/ntop.list
wget -qO - http://www.nmon.net/apt-stable/ntop.key | sudo apt-key add -
apt-get update
apt-get install nprobe ntopng ntopng-data n2disk nbox libsnmp-base snmp-mibs-downloader
You should then configure your router to send netflow traffic to the ntopng system, for example on UDP port 7002.
To see whether netflow traffic from the router is arriving on the ntopng system, we can use tcpdump:
tcpdump -n -i eth0 port 7002
Next we should start the netflow collector (nprobe), which will receive the netflow traffic from the router and send it to the ntopng traffic analyser, in this case on port 5556 (which is the default configuration).
Running Nprobe to collect the netflow traffic, on port 7002:
nprobe --zmq "tcp://127.0.0.1:5556" -i none -n none --collector-port 7002 &
After Nprobe is started, we should also start the ntopng server, which retrieves the traffic flows from nprobe and displays them on a web interface. When starting ntopng, we should configure the local network so that ntopng can distinguish local from remote hosts and traffic.
Running Ntopng
ntopng -e --local-networks "192.168.100.0/24" -i tcp://127.0.0.1:5556 -G=/run/ntopng.pid
You can then access the web interface on:
http://{IP-ADDRESS}:3000
What can you monitor with Ntopng?
1. Current top-talkers dashboard:
You can monitor the top flows in the network in real time with the help of a very clear visualization, as in the image below. It’s a Sankey diagram that represents the client hosts on the left and the servers on the right, connected by a bar proportional to the amount of traffic exchanged.

2. All hosts, sortable by total bytes or throughput
All hosts in the monitored network that have been seen by the monitoring interfaces are shown here. They can be sorted in descending or ascending order by the criterion we need, such as throughput, traffic or activity.

3. Geomap – who is sending traffic
If you choose the Geo Map page from the Hosts tab, you can see a world map with the hosts arranged based on their geographical position.

4. Information for one particular host
You can find detailed information about any monitored host here, including host MAC Address (or the last router MAC address if the host is remote), IP Address (with network mask if detected), a toggle to activate/deactivate alerts for the host, a checkbox to enable packet dump for the specific host, symbolic hostname (or IP address), location (local or remote), date and time of first and last packet seen for the host, traffic breakdown, amount of traffic packets received/sent, number of flows as client/server host.
The heat map provides the Activity Map for each host. Each box represents one minute of traffic. By default, Activity Map shows the last six hours, but it is possible to set a different timeframe using the controls.
Also, you can monitor the traffic through a pie chart showing the L-4 protocol breakdown, which is shown at the top of the page, and a table with detailed statistics shown below the chart.

5. Who is this host talking to and which protocols are used
The Peers page shows the top contacted peers and top protocols used. Below the graphical overview, you can also see a table with the top applications per peer. Every item is clickable, allowing the user to drill down and find insights.
On the Protocols page you can see a pie chart and a table of the amount of traffic divided by application. An additional pie chart provides statistics about protocol type.
Every item can be clicked and explored in even more detail on both the Peers and the Protocols pages.

6. Overview of total activity
You can monitor total activity by protocol, through a pie chart and a specific table with nDPI-detected protocols for the selected interface.
In the two top pie charts ntopng shows the application distribution and its categorisation. Below the pie charts there is a list of protocols detected with the corresponding total traffic, both in absolute terms and as a percentage of the total traffic.
By selecting any Application Protocol, it is possible to display a statistics page with temporal charts for that protocol. Similarly, by clicking on the magnifying lens icon, it is possible to display all active flows for that protocol.

7. Local host activity over time
You can also monitor historical traffic statistics for the selected interface. The user can choose to filter statistics on a protocol basis and display data in several formats (e.g., bytes, packets, flows, and so on).

8. Who is talking to who
The Top Hosts Traffic page presents the traffic of the top hosts, ordered by the selected typology.

9. Local hosts ordered by traffic
From the All Hosts page, you can choose to show only Local Hosts and monitor their activity. Sorting also applies here.