ntop Users Group Meeting
Web-Based Traffic Monitoring
Using ntopng
Simone Mainardi, PhD
[email protected] meeting
Arnhem, The Netherlands October 17, 2016
Outline
ntopng architecture and design
ntopng as a flow collector
Using ntopng
Advanced monitoring with ntopng
ntopng Design Goals
Clean separation between the monitoring engine and the reporting facilities
Robust, crash-free engine
Platform scriptability for enabling extensions or changes at runtime without
restart
Realtime: most monitoring tools aggregate data (5 mins usually) and present it when it's too late
Many new features including HTML 5-based dynamic GUI, categorization, Deep Packet Inspection (DPI)
ntopng Architecture
Three different and self-contained components, communicating with clean API calls.
[Architecture diagram] Users reach the Lua-based Web Reports over HTTP; the Lua layer talks to the nDPI-based C++ Monitoring Engine through Lua API calls; the engine keeps a Data Cache and talks to the (Linux) kernel PF_RING layer through C API calls; the PF_RING Kernel Module and Drivers receive the Internet traffic.
ntopng Monitoring Engine
Coded in C++ and based on the concept of flow (set of packets with the same 5-tuple)
Flows are inspected with a home-grown DPI library named nDPI aiming to discover the real application protocol (no ports are used)
Information is clustered per:
(Capture) Network Device
Flow
Host
Network
High-level Aggregations
Lua-based ntopng Scriptability [1/3]
A design principle of ntopng is the clean separation of the GUI from the engine
This means that ntopng can (also) be used (via HTTP) to feed data into third party apps such as Nagios or OpenNMS
All data export from the engine happens via Lua
Lua methods invoke the ntopng C++ API in order to interact with the monitoring engine
Lua-based ntopng Scriptability [2/3]
/scripts/callback/ scripts are executed periodically to perform specific actions.
/scripts/lua/ scripts are executed only by the web GUI.
Example: http://ntopng:3000/lua/flow_stats.lua
Lua-based ntopng Scriptability [3/3]
ntopng defines (in C++) two Lua classes:
interface: hook to objects that describe flows and hosts; access to live monitoring data
ntop: general functions used to interact with the ntopng configuration
Lua objects are usually in read-only mode: C++ sets their data, Lua reads data (e.g. host.name)
Some Lua methods (e.g. interface.restoreHost()) can however modify the information stored in the engine
Using ntopng for traffic analysis,
troubleshooting, and flow collection
Selecting Facebook Traffic
Analyzing Facebook Traffic
[Screenshot callouts] SSL flows: the payload is encrypted, but the Facebook certificate name is visible. DNS flows: the A query for the Facebook domain is visible.
Inspecting a Facebook Flow
[Screenshot callouts] Access to the historical Facebook flows. Goodput: application level throughput.
Historical Facebook Chart
Layer-7 application stats are (optionally) stored for local hosts
Facebook is just one application
Minute interface top talkers shown as well
Historical Facebook Flows
Filter by application, host, time range, etc.
Results with summary, flows, top talkers, etc.
Historical Top Facebook Talkers
[Screenshot callouts] This is the guy that did most Facebook with 192.168.2.130. TXT download or even pcap extraction.
Traffic Analysis: Take Home
Ability to inspect traffic up to Layer 7
Realtime flows with information on peers, throughput, TCP status, HTTP requests, SSL/TLS certificates
Historical charts: bytes, packets per host / network / application protocol / etc.
Ability to record flows and browse / export them according to multiple search criteria.
Sorting out Network and Security Issues
Network Issues
Application Latency / Round Trip Time / Retransmissions
Bandwidth usage
Top Talkers / AS / Networks / Countries / OSes etc.
Security Issues
Scans / SYN floods / flow floods
Post-mortem analyses of trace files to investigate security incidents
Analysing Traces of a Security Incident
ntopng is able to process pcap trace files and visualise them as if they
were live captures
ntopng -i /path/to/the/capture.pcap
Looking at the issue from an additional perspective
Wireshark offers a packet-centered view
ntopng offers a flow-centered view
Getting the Traces
Incident:
http://www.malware-traffic-analysis.net/2016/09/20/index.html
Trace: 2016-09-20-traffic-analysis-exercise.pcap
Courtesy of Brad (@malware_traffic malware-traffic-analysis.net)
What happened?
Skimming the Flows
Navigate to the flows page and sort by total bytes.
[Screenshot callouts] HTTP Host contacted; almost all bytes are server-to-client (download?); requested GET location.
Googling Around
Security Incident: Summary
Reasonable evidence that the host is the victim of Locky ransomware
Ransomware has been downloaded through a mail attachment
No need to use other files (e.g., .eml, .docm, .dll)
Monitoring VoIP Calls
ntopng can be used to visualize VoIP calls
Visualization of SIP and RTP, which are the de-facto standards in the VoIP industry
SIP
SIP is a signalling protocol used by the call parties to negotiate parameters such as:
Caller and Called parties
Encoding
RTP addresses and Ports
etc.
A SIP Flow
[Screenshot callouts] Call-ID; ability to jump to the RTP flow; negotiated RTP stream peers.
RTP
RTP is the transport protocol actually used to carry the voice
[Screenshot callout] Call-ID (the same as the SIP flow's)
An RTP Flow
[Screenshot callout] Call quality indicators
Flow Collection with ntopng and nProbe
nProbe (a home-grown NetFlow/sFlow collector/probe) is responsible for collecting/generating flows and converting them to JSON so that ntopng can understand them
The communication ntopng <-> nProbe is over ØMQ, a simple/fast messaging system that allows the two peers to be decoupled while:
Avoiding fat communication protocols such as HTTP
Relying on a system that works per message (not per packet) and handles automatic reconnection if necessary
ØMQ Communications
Flows are sent in the following format:
{"8":"192.12.193.11","12":"192.168.1.92","15":"0.0.0.0","10":0,"14":0,"2":5,"1":406,"22":1412183096,"21":1412183096,"7":3000,"11":55174,"6":27,"4":6,"5":0,"16":2597,"17":0,"9":0,"13":0,"42":4}
Where:
<Element ID>: <value> (example: 8 = IPV4_SRC_ADDR)
Multiple collectors can connect to the same probe.
No traffic is created when no collector is attached to the probe.
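As an added example (not code from the slides or from the ntop project), here is a small Python decoder for a message in this format. It assumes the numeric keys are NetFlow v9 field type IDs as defined in RFC 3954 (the slide itself names only 8 = IPV4_SRC_ADDR) and uses the record above as its sample input.

```python
import ipaddress
import json

# NetFlow v9 field type IDs (RFC 3954). The slide only names 8 = IPV4_SRC_ADDR;
# the other names are taken from the standard field table, not from the slides.
NETFLOW_V9_FIELDS = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 9: "SRC_MASK", 10: "INPUT_SNMP",
    11: "L4_DST_PORT", 12: "IPV4_DST_ADDR", 13: "DST_MASK", 14: "OUTPUT_SNMP",
    15: "IPV4_NEXT_HOP", 16: "SRC_AS", 17: "DST_AS", 21: "LAST_SWITCHED",
    22: "FIRST_SWITCHED", 42: "TOTAL_FLOWS_EXP",
}
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The flow record exactly as printed on the slide (one nProbe -> ntopng message).
SAMPLE_FLOW = ('{"8":"192.12.193.11","12":"192.168.1.92","15":"0.0.0.0","10":0,"14":0,'
               '"2":5,"1":406,"22":1412183096,"21":1412183096,"7":3000,"11":55174,'
               '"6":27,"4":6,"5":0,"16":2597,"17":0,"9":0,"13":0,"42":4}')


def decode_flow(message: str) -> dict:
    """Map {"<element id>": value} to {"<ELEMENT NAME>": value}.

    Unknown IDs are kept as ELEMENT_<id> so a newer probe never loses data silently,
    and address fields are parsed so a malformed value raises instead of being stored."""
    named = {}
    for key, value in json.loads(message).items():
        named[NETFLOW_V9_FIELDS.get(int(key), f"ELEMENT_{key}")] = value
    for field in ("IPV4_SRC_ADDR", "IPV4_DST_ADDR", "IPV4_NEXT_HOP"):
        if field in named:
            named[field] = str(ipaddress.IPv4Address(named[field]))
    return named


def tcp_flags(value: int) -> list:
    """Expand the TCP_FLAGS bitmask (element 6) into flag names, lowest bit first."""
    return [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]


def summarize(named: dict) -> str:
    """One-line, ntopng-style description of a decoded flow."""
    proto_num = named["PROTOCOL"]
    proto = IP_PROTO_NAMES.get(proto_num, str(proto_num))
    duration = named["LAST_SWITCHED"] - named["FIRST_SWITCHED"]
    flags = "/".join(tcp_flags(named["TCP_FLAGS"])) if proto == "TCP" else "-"
    return (f"{proto} {named['IPV4_SRC_ADDR']}:{named['L4_SRC_PORT']} -> "
            f"{named['IPV4_DST_ADDR']}:{named['L4_DST_PORT']} "
            f"{named['IN_PKTS']} pkts {named['IN_BYTES']} bytes {duration}s flags={flags}")
```

Running summarize(decode_flow(SAMPLE_FLOW)) shows the slide's record is a 5-packet, 406-byte TCP exchange from 192.12.193.11:3000 to 192.168.1.92:55174 whose flag mask 27 decodes to FIN/SYN/PSH/ACK.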
Advanced Flow Collection: A Diagram
nProbe captures packets from NICs and talks with NetFlow/IPFIX/sFlow/etc. exporters
ntopng subscribes with nProbe for a flows topic
nProbe periodically (1 second) pushes data for the subscribed topic
[Diagram] NICs and NetFlow v5/v9 / IPFIX flow exporters feed nProbe; ntopng sends a subscription to nProbe and receives JSON flows data.
Configuring ntopng and nProbe
nProbe
Packet capture:
./nprobe --zmq "tcp://*:5556" -i en4 -n none
Flow collection:
./nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055
ntopng
./ntopng -i "tcp://127.0.0.1:5556"
Visualising the Remote Interface
[Screenshot callouts] Remote probe interface name, speed and IP addresses. Treated by ntopng as if it was a local interface.
Visualising Remotely Monitored Flows
Flow Collection: Take Home
Flow protocol implementation logic lives in nProbe
ntopng focuses on statistics/aggregation of the received data
Simple JSON-over-ZMQ flows data nProbe -> ntopng
Optional support for encryption and compression
Thank You!
Simone Mainardi, PhD
[email protected]
Historical Flow Navigation
ntopng can send (-F) network flows to MySQL
A built-in database explorer retrieves such flows and allows them to be navigated and searched
Historical Talkers
Top Talkers can be automatically extracted from flows
Every top talker can be clicked to inspect its peers
Every peer can be clicked to inspect L7 application protocols
Flows matching inspection criteria can be downloaded at any stage
Drilling Down Historical Talkers [1/2]
Drilling Down Historical Talkers [2/2]
Historical Applications
Top Applications can be automatically extracted from flows as well
Every top application can be clicked to inspect hosts that have used it
Every host can be clicked to inspect peers that have used a given application to communicate with the host
Flows matching inspection criteria can be downloaded at any stage
Drilling Down Historical Applications [1/2]
Drilling Down Historical Applications [2/2]
ntopng as a NetFlow/sFlow Collector [1/3]
The old ntop included a NetFlow/sFlow collector. Given the effort required to support all the various NetFlow dialects (e.g. Cisco ASA flows are not really flows), in ntopng we have made a different design choice.
Flow Collection Setup: an Example
Flow collection/generation (nProbe)
Probe mode:
nprobe --zmq "tcp://*:5556" -i eth1 -n none
sFlow/NetFlow collector mode:
nprobe --zmq "tcp://*:5556" -i none -n none --collector-port 2055
Data Collector (ntopng):
ntopng -i tcp://127.0.0.1:5556
Advanced Flow Collection with ntopng and nProbe [1/2]
ntopng uses a poll-mode architecture to fetch flows data from nProbe
Fetched data is pure JSON
nProbe implements flow protocols (e.g., IPFIX/NetFlow v5, v9, v10, sFlow, etc.) and deals with flow export devices (e.g., routers/switches)
Local vs Remote Hosts [1/2]
ntopng keeps information in memory at different levels of accuracy in order to save resources for hosts that are not too relevant.
For this reason at startup hosts are divided in:
Local hosts
The local host where ntopng is running as well as the hosts belonging to some privileged IPv4/v6 networks. These hosts are very relevant and thus ntopng keeps full statistics
Remote hosts
Non-local hosts for which we keep a minimum level of detail
Local vs Remote Hosts [2/2]
For local hosts (unless disabled via preferences) all L7 protocol statistics are kept, as well as basic statistics (e.g. bytes/packets in/out).
No persistent statistics are saved on disk.
A system host is the host where ntopng is running; it is automatically considered local, as are the networks of its ethernet interfaces.
Information Lifecycle
ntopng keeps in memory live information such as flows and hosts statistics.
As the memory cannot be infinite, periodically non-recent information is harvested.
Users can specify preferences for data purge:
Packet Processing Journey
1. Packet capture: PF_RING (Linux) or libpcap
2. Packet decoding: non-IP traffic is not accounted
3. IPv4/v6 traffic only:
   1. Map the packet to a 6-tuple flow and increment stats
   2. Identify source/destination hosts and increment stats
   3. Use nDPI to identify the flow application protocol
      1. UDP flows are identified in no more than 2 packets
      2. TCP flows can be identified in up to 15 packets in total, otherwise the flow is marked as Unknown
4. Move to the next packet
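As an added example (not code from the slides or from ntopng), the journey above and the Information Lifecycle harvest can be modelled in Python with a small flow cache: a bidirectional 6-tuple key, per-flow counters, the UDP/TCP packet budget after which a flow is marked Unknown, and an idle-timeout purge. The payload_hint classifier is a hypothetical stand-in for nDPI, and the packets it processes are constructed dicts, not real captures.

```python
from collections import namedtuple

# A bidirectional 6-tuple key (the classic 5-tuple plus VLAN id), as on the slide.
FlowKey = namedtuple("FlowKey", "vlan proto ip_a port_a ip_b port_b")
# Packet budgets from the slide: UDP classified within 2 packets, TCP within 15, else Unknown.
DPI_PACKET_BUDGET = {17: 2, 6: 15}


def payload_hint(pkt):
    """Stand-in for nDPI (hypothetical): payload signatures only, no port guessing."""
    p = pkt.get("payload", b"")
    return ("HTTP" if p.startswith((b"GET ", b"POST ", b"HTTP/1.")) else
            "SIP" if p.startswith((b"INVITE ", b"REGISTER ", b"SIP/2.0")) else None)


class Flow:
    def __init__(self, key, ts):
        self.key, self.first_seen, self.last_seen = key, ts, ts
        self.packets, self.bytes, self.l7_proto = 0, 0, None  # None: still detecting


class FlowCache:
    def __init__(self, classify=payload_hint, idle_timeout=60):
        self.flows, self.classify, self.idle_timeout = {}, classify, idle_timeout
        self.non_ip_packets = 0

    @staticmethod
    def flow_key(pkt):
        a, b = (pkt["src_ip"], pkt["src_port"]), (pkt["dst_ip"], pkt["dst_port"])
        if a > b:  # normalise so both directions map to one flow
            a, b = b, a
        return FlowKey(pkt.get("vlan", 0), pkt["proto"], *a, *b)

    def process(self, pkt):
        """Drop non-IP, find/create the flow, bump stats, classify within the budget."""
        if pkt.get("ethertype") not in (0x0800, 0x86DD):  # IPv4, IPv6
            self.non_ip_packets += 1  # step 2: non-IP traffic is not accounted
            return None
        key = self.flow_key(pkt)
        flow = self.flows.get(key) or self.flows.setdefault(key, Flow(key, pkt["ts"]))
        flow.packets, flow.bytes, flow.last_seen = flow.packets + 1, flow.bytes + pkt["len"], pkt["ts"]
        if flow.l7_proto is None:
            flow.l7_proto = self.classify(pkt)
            if flow.l7_proto is None and flow.packets >= DPI_PACKET_BUDGET.get(key.proto, 1):
                flow.l7_proto = "Unknown"  # budget exhausted: stop inspecting this flow
        return flow

    def purge_idle(self, now):
        """Information lifecycle: harvest flows not seen for idle_timeout seconds."""
        before = len(self.flows)
        self.flows = {k: f for k, f in self.flows.items() if now - f.last_seen <= self.idle_timeout}
        return before - len(self.flows)
```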