ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Use nProbe -L local networks in ntopng #5833

Open dkrey opened 3 years ago

dkrey commented 3 years ago

Hi, could it be that the local networks defined at an nprobe instance are not taken into account by ntopng?

I've got the following setup (simplified):

Site A has two local B networks defined with -L="172.16.0.0/24". Site B has two other local class B networks: -L="172.18.0.0/24". The central site has the local network -L="172.20.0.0/24".

Each site has its own interface at ntopng, let's say: 172.20.0.10:5516c, 172.20.0.10:5518c, 172.20.0.10:5520c (172.20.0.10 is the receiving ntopng interface). The probes are running in probe mode.

The -m option (ntopng) is not used for now.

Selecting interface 172.20.0.10:5516c shows only traffic from/to Site A - this works so far. BUT a flow from 172.16.0.1 (Site A) to 172.20.0.1 (Central Site) should be local/remote, but is shown as remote/remote.

The local network information from nprobe.conf at site A is being ignored.

When I use the -m option in ntopng, I can define the local networks globally for all interfaces. So when I add this -m="172.16.0.0/24,172.18.0.0/24,172.20.0.0/24" all traffic is considered to be local, although it is WAN traffic and therefore local/remote.

Is this a bug or am I missing an option to take the local networks from nprobe into account?

ntopng is version 5.0.210901, nprobe is version 9.6.210901. Thanks!

dkrey commented 3 years ago

Just a quick update - I still can't get it to work. I've now added all internal networks to ntopng (via the -m option). So now ntopng knows about all networks in detail as expected. But also as expected all the networks are considered local from the point of view of central instance. I tried to fiddle with network pools but I also could not assign those to sites or interfaces.

So in a nutshell: local networks defined on nprobe do not show up in ntopng at all right now.

Local networks in ntopng just apply to the instance of ntopng (which makes sense, as I suppose it is intended to use if you let ntopng capture and analyse traffic).

Here's my config with simplified network info:

ntopng 5.0.210901 (Enterprise L)

-G=/var/run/ntopng.pid
-i=tcp://172.20.0.10:5516c
-i=tcp://172.20.0.10:5518c
-i=tcp://172.20.0.10:5520c
-w=3000
-m=172.16.0.0/24,172.18.0.0/24,172.20.0.0/24  # commented out initially, currently in
-n=1
-X=524288

nprobe 9.6.210901 (Pro)

-i=ens224
-n=none
-T=@NTOPNG@
--zmq=tcp://172.20.0.10:5516
--zmq-probe-mode
-L=172.16.0.0/24
-W
--discard-tcp-probing-flows
--enable-ipv4-deduplication

simonemainardi commented 3 years ago

> The -m option (ntopng) is not used for now.

This must be used. ntopng local networks are specified with -m and are independent from nProbe. As you've correctly noted, local networks are currently instance-wide and cannot be indicated on a per-interface basis. A feature request is already open (https://github.com/ntop/ntopng/issues/4539) and will be handled with the 5.2 release.

dkrey commented 3 years ago

Thanks for the feedback, so -L in nprobe is currently not being used? To analyse onsite local traffic, I'm now deploying ntopng community instances on the local nprobe systems. Anyway, I'm looking forward to v5.2 :)
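The following Python script is an added illustration of the classification behaviour discussed in this thread; it is not code from ntopng or nProbe. It models three ways of labelling a flow as local or remote: with no -m at all (every address is remote), with the single instance-wide -m list from the issue (inter-site WAN traffic becomes local/local), and with a hypothetical per-interface table in which each ntopng interface uses only the networks its nProbe declares with -L (the behaviour the linked feature request asks for). The interface-to-network mapping and the sample flows are constructed for the example; the CIDRs are the simplified ones from the issue.

```python
import ipaddress

# Hypothetical per-interface local-network table: each ntopng ZMQ interface
# paired with the -L networks of the nProbe feeding it. This mapping is an
# assumption made for the example; ntopng 5.0 has no such per-interface table.
PER_INTERFACE_LOCAL_NETS = {
    "tcp://172.20.0.10:5516c": ["172.16.0.0/24"],  # Site A probe
    "tcp://172.20.0.10:5518c": ["172.18.0.0/24"],  # Site B probe
    "tcp://172.20.0.10:5520c": ["172.20.0.0/24"],  # central site probe
}

# Instance-wide list, mirroring the -m value used in the issue.
INSTANCE_WIDE_LOCAL_NETS = ["172.16.0.0/24", "172.18.0.0/24", "172.20.0.0/24"]


def parse_networks(nets):
    """Turn CIDR strings into ip_network objects (strict=False tolerates host bits)."""
    return [ipaddress.ip_network(n, strict=False) for n in nets]


def is_local(addr, networks):
    """True if addr falls inside any of the given networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def classify_flow(src, dst, local_nets):
    """Label a flow 'local/remote'-style from the point of view of local_nets."""
    networks = parse_networks(local_nets)

    def side(addr):
        return "local" if is_local(addr, networks) else "remote"

    return f"{side(src)}/{side(dst)}"


def classify_instance_wide(iface, src, dst, local_nets=INSTANCE_WIDE_LOCAL_NETS):
    """How one -m list classifies a flow, regardless of which interface saw it."""
    return classify_flow(src, dst, local_nets)


def classify_per_interface(iface, src, dst, table=PER_INTERFACE_LOCAL_NETS):
    """How per-interface lists would classify the same flow (hypothetical)."""
    return classify_flow(src, dst, table.get(iface, []))


# Constructed sample flows, all exported by the Site A probe.
SAMPLE_FLOWS = [
    ("tcp://172.20.0.10:5516c", "172.16.0.1", "172.20.0.1"),   # Site A -> central site (WAN)
    ("tcp://172.20.0.10:5516c", "172.16.0.1", "172.16.0.2"),   # Site A internal
    ("tcp://172.20.0.10:5516c", "172.16.0.1", "203.0.113.5"),  # Site A -> Internet (TEST-NET-3)
]


def compare(flows=SAMPLE_FLOWS):
    """Return (src, dst, no -m, instance-wide -m, per-interface) rows."""
    rows = []
    for iface, src, dst in flows:
        rows.append((
            src,
            dst,
            classify_flow(src, dst, []),              # no -m configured at all
            classify_instance_wide(iface, src, dst),  # global -m as in the issue
            classify_per_interface(iface, src, dst),  # hypothetical per-interface -L
        ))
    return rows


if __name__ == "__main__":
    for row in compare():
        print("%-12s -> %-12s  no -m: %-13s  -m global: %-13s  per-iface: %s" % row)
```

The first sample row reproduces the thread: the Site A to central site flow is remote/remote without -m, local/local with the global -m list, and only the per-interface variant yields the expected local/remote.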