ntop / ntopng

Web-based Traffic and Security Network Traffic Monitoring
http://www.ntop.org
GNU General Public License v3.0

Host pool vlan matching - consider no vlan or any vlan #7521

Open melicherm opened 1 year ago

melicherm commented 1 year ago

Hello all, I tried debugging traffic which was not matched by the ntopng host pools feature.

v.5.6.230322 rev.19881 Debian 11

Scenario: Router with downlink interface 100G 0/1/30, which has sFlow enabled; 100G 0/1/30.10 is a tagged subinterface.

For simplification, e.g. it's the same, a trunk port with tagged vlan 10 traffic, where sFlow runs on the trunk port.

router sFlow -> nprobe -> ntopng

Hosts pool: TEST, Network: 192.168.1.0/24, VLAN (blank): 0 -> should match no VLAN, or any VLAN. That makes sense.

Issue: If I have tagged interfaces based on which sFlow exports data to nprobe, which is imported through ZMQ into ntopng, it does not match the host pool if no VLAN is selected.

If a VLAN is added to the host pool (in this example VLAN tag 10) it begins to match the traffic.

There seems to be a BUG.

Suggestion: If no VLAN is set in the host pool, no VLAN matching should be done, and just prefixes/IPs should be used. This is not happening.

Or add a * option, or 0 should mean no VLAN or any VLAN. Should 0 mean only untagged packets?

MatteoBiscosi commented 1 year ago

Hi @melicherm VLAN 0 means the untagged traffic, so traffic with no VLANs, for this reason your traffic is not matched.

melicherm commented 1 year ago

@MatteoBiscosi Thank you for that info. Would it be possible to integrate the option * to match any VLAN? In our case, we have hundreds of vlan-tagged routed subinterfaces, so enabling sFlow only on the main one is convenient. In other cases, it would be necessary to configure sFlow only on not tagged interfaces and use the vlan 0 option (untagged).

As a second example: if your sFlow exporter is a switch, where you don't know exactly which VLANs pass through, how would you find the needed VLAN tag? Mirroring traffic, detecting the VLAN tag, and finally creating the host pool with the corresponding VLAN tag. This approach is extremely inconvenient.

So my proposed solution has merit. If you want to find any and all traffic coming from and to a prefix/IP/network, it would be wise to allow the use of multiple options -> VLAN, UNTAGGED, ANY-VLAN.
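The following is an added, stand-alone illustration of the matching semantics discussed in this thread; it is not ntopng's code and does not claim to reproduce its host-pool implementation. It models the three VLAN conditions the thread talks about: an exact VLAN id, VLAN 0 meaning "untagged only" (the current behaviour as the maintainer describes it), and a hypothetical "*" wildcard meaning "any VLAN" as the reporter proposes. The `prefix@vlan` rule notation, the sample flows and the VLAN ids used are constructed for the example, not taken from ntopng.

```python
"""Toy model of host-pool matching with an explicit VLAN condition.

Added illustration for the issue above; NOT ntopng's code. It shows why a
pool configured with a blank VLAN (read as 0, i.e. untagged only) does not
match sampled flows that carry an 802.1Q tag, and how a hypothetical
"any VLAN" wildcard would change that.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union

UNTAGGED = 0    # VLAN id 0: frame carried no 802.1Q tag (what ntopng calls VLAN 0)
ANY_VLAN = "*"  # hypothetical wildcard proposed in the thread; not an ntopng option

VlanCond = Union[int, str]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PoolRule:
    name: str
    network: Network
    vlan: VlanCond  # int: exact id (0 = untagged only); ANY_VLAN: ignore the tag


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    vlan: int  # 0 when the exporter saw no tag, otherwise the 802.1Q VLAN id


def parse_rule(name: str, spec: str) -> PoolRule:
    """Parse a constructed 'prefix@vlan' notation, e.g. '192.168.1.0/24@10',
    '192.168.1.0/24@0' (untagged only) or '192.168.1.0/24@*' (any VLAN).
    A spec without '@' behaves like '@0', mirroring the blank VLAN field in
    the report, which ntopng reads as 0."""
    prefix, _, vlan = spec.partition("@")
    network = ipaddress.ip_network(prefix, strict=False)
    if vlan in ("", "0"):
        return PoolRule(name, network, UNTAGGED)
    if vlan == ANY_VLAN:
        return PoolRule(name, network, ANY_VLAN)
    vid = int(vlan)
    if not 1 <= vid <= 4094:  # valid 802.1Q VLAN id range
        raise ValueError(f"invalid VLAN id {vid!r}")
    return PoolRule(name, network, vid)


def vlan_matches(cond: VlanCond, flow_vlan: int) -> bool:
    """Wildcard matches everything; otherwise the tag must be equal (0 == untagged)."""
    return cond == ANY_VLAN or cond == flow_vlan


def match_pool(rules: Sequence[PoolRule], ip: str, vlan: int) -> Optional[str]:
    """Name of the first pool whose prefix contains ip and whose VLAN condition holds."""
    addr = ipaddress.ip_address(ip)
    for rule in rules:
        # 'in' returns False across IPv4/IPv6 versions, so no explicit version check
        if addr in rule.network and vlan_matches(rule.vlan, vlan):
            return rule.name
    return None


def classify(rules: Sequence[PoolRule], flows: Sequence[Flow]
             ) -> List[Tuple[Flow, Optional[str], Optional[str]]]:
    """(flow, pool of source host, pool of destination host) for each flow."""
    return [(f, match_pool(rules, f.src_ip, f.vlan),
             match_pool(rules, f.dst_ip, f.vlan)) for f in flows]


# Constructed sample flows modelled on the report: 192.168.1.0/24 hosts sit
# behind a tagged subinterface (VLAN 10); one host is also seen untagged.
SAMPLE_FLOWS = [
    Flow("192.168.1.10", "8.8.8.8", vlan=10),
    Flow("192.168.1.20", "1.1.1.1", vlan=0),
    Flow("10.0.0.5", "192.168.1.10", vlan=10),
]


def unmatched_sources(rules: Sequence[PoolRule],
                      flows: Sequence[Flow] = SAMPLE_FLOWS) -> List[str]:
    """Source addresses that lie inside some rule's prefix yet match no pool.
    These are exactly the flows the reporter could not find under the pool."""
    out = []
    for f in flows:
        addr = ipaddress.ip_address(f.src_ip)
        in_prefix = any(addr in r.network for r in rules)
        if in_prefix and match_pool(rules, f.src_ip, f.vlan) is None:
            out.append(f.src_ip)
    return out


if __name__ == "__main__":
    for spec in ("192.168.1.0/24", "192.168.1.0/24@10", "192.168.1.0/24@*"):
        rules = [parse_rule("TEST", spec)]
        print(f"{spec:22} -> sources inside prefix but in no pool: "
              f"{unmatched_sources(rules)}")
```

Running it shows the three outcomes side by side: with a blank VLAN the tagged host 192.168.1.10 falls outside the pool, with VLAN 10 the untagged host 192.168.1.20 falls outside, and only the wildcard rule puts both in the pool while still excluding 10.0.0.5, which is outside the prefix. The same check is a useful acceptance test for any pool configuration: take the prefixes you expect the pool to cover, sample a handful of flows from the exporter, and confirm no source inside those prefixes ends up pool-less.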