
Exporting (Custom) Flows with Avro in nProbe Cento


This summer we introduced nProbe Cento 2.0. Before this release, Cento supported only JSON serialization when exporting flows to Kafka. JSON is straightforward and widely used, but it can be verbose and less efficient for high-throughput or resource-sensitive environments. To address these challenges, some time ago we introduced a binary/TLV format for data serialization when exporting flows to ntopng, implemented in our open-source nDPI library. However, despite being an open format, it is not widely used. For this reason, in order to improve interoperability with other solutions, we decided to also introduce the Avro serialization format as an additional option when exporting to Kafka. The key Avro features are:

  • Compact and efficient: similar to the nDPI TLV, Avro uses a binary format, making it more compact than JSON. This results in reduced storage and bandwidth usage.
  • Flexible schema: Avro includes schemas with the data, which makes it easier to handle changes in the data structure over time. Kafka consumers can dynamically adapt to new schemas, ensuring forward and backward compatibility.
  • Faster processing: parsing binary data is faster than processing JSON, which can improve performance in high-throughput environments.

In addition to introducing Avro serialization, we’ve implemented custom templates for Kafka flow export. This feature allows you to define the Information Elements (IEs) to include in your flow exports, whether you’re using the JSON or the Avro serialization format. Information Elements are the individual fields that make up the template of a network flow: for example source and destination IP addresses, ports, protocols, in/out packets, bytes, etc. Depending on your use case, you might not need all the available IEs in every export, and a custom template lets you further reduce the exported data size and the processing it requires.

To start using these new features, follow these simple steps:

  1. Enable Avro Serialization:
    • Update your Kafka configuration in Cento and select Avro as the serialization format (--avro). An Avro schema is automatically generated by Cento.
  2. Create a Custom Template:
    • Define in the Cento configuration file a template specifying the IEs you want to include in the export (--template). The corresponding Avro schema is automatically generated by Cento also in this case.

Example 1 – Exporting flows to Kafka with Avro serialization

cento -i eth0 --kafka "127.0.0.1:9092,127.0.0.1:9093,127.0.0.1:9094;topicFlows" --avro

Example 2 – Exporting flows to Kafka with JSON serialization using a custom template

cento -i eth0 --kafka "127.0.0.1:9092,127.0.0.1:9093,127.0.0.1:9094;topicFlows" --json-labels --template "%SRC_VLAN %SRC_MAC %DST_MAC %IP_PROTOCOL_VERSION %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_ADDR %EXPORTER_IPV4_ADDRESS %DIRECTION %INPUT_SNMP %OUTPUT_SNMP %SRC_TO_DST_PKTS %SRC_TO_DST_BYTES %DST_TO_SRC_PKTS %DST_TO_SRC_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %L7_PROTO %L7_PROTO_NAME"

Example 3 – Exporting flows to Kafka with Avro serialization using a custom template

cento -i eth0 --kafka "127.0.0.1:9092,127.0.0.1:9093,127.0.0.1:9094;topicFlows" --avro --template "%SRC_VLAN %SRC_MAC %DST_MAC %IP_PROTOCOL_VERSION %IPV4_SRC_ADDR %IPV4_DST_ADDR %IPV6_SRC_ADDR %IPV6_DST_ADDR %EXPORTER_IPV4_ADDRESS %DIRECTION %INPUT_SNMP %OUTPUT_SNMP %SRC_TO_DST_PKTS %SRC_TO_DST_BYTES %DST_TO_SRC_PKTS %DST_TO_SRC_BYTES %FIRST_SWITCHED %LAST_SWITCHED %L4_SRC_PORT %L4_DST_PORT %PROTOCOL %L7_PROTO %L7_PROTO_NAME"
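To see what the binary encoding buys over JSON for a template like the ones above, here is an added example (not Cento's or nDPI's own code) that hand-encodes and decodes an Avro record for a constructed schema whose field names mirror a subset of the IEs listed; the field types, the sample flow values and the absence of any Kafka or schema-registry framing around the datum are assumptions.

```python
# Added example, not Cento's own code: minimal Avro binary datum encoder/decoder
# (zigzag varints for int/long, length-prefixed UTF-8 for string) driven by a
# constructed record schema that mirrors a few of the Cento IE names.
import json

# Constructed schema: IE names from the --template, types are assumed.
FLOW_SCHEMA = {
    "type": "record", "name": "flow",
    "fields": [
        {"name": "SRC_VLAN", "type": "int"},
        {"name": "IPV4_SRC_ADDR", "type": "string"},
        {"name": "IPV4_DST_ADDR", "type": "string"},
        {"name": "L4_SRC_PORT", "type": "int"},
        {"name": "L4_DST_PORT", "type": "int"},
        {"name": "PROTOCOL", "type": "int"},
        {"name": "SRC_TO_DST_BYTES", "type": "long"},
        {"name": "L7_PROTO_NAME", "type": "string"},
    ],
}

# Constructed sample flow (documentation addresses, not a captured record).
SAMPLE_FLOW = {
    "SRC_VLAN": 0, "IPV4_SRC_ADDR": "192.0.2.10", "IPV4_DST_ADDR": "198.51.100.20",
    "L4_SRC_PORT": 51234, "L4_DST_PORT": 443, "PROTOCOL": 6,
    "SRC_TO_DST_BYTES": 1048576, "L7_PROTO_NAME": "TLS",
}

def zigzag_encode(n):
    # Avro int/long: zigzag-map the sign, then 7 bits per byte, MSB = "more bytes".
    z, out = (n << 1) ^ (n >> 63), bytearray()
    while z > 0x7F:
        out.append((z & 0x7F) | 0x80); z >>= 7
    out.append(z)
    return bytes(out)

def zigzag_decode(buf, pos):
    shift = z = 0
    while True:
        b = buf[pos]; pos += 1
        z |= (b & 0x7F) << shift; shift += 7
        if not b & 0x80:
            return (z >> 1) ^ -(z & 1), pos

def encode_record(schema, record):
    # A record is just its fields' encodings concatenated in schema order.
    out = bytearray()
    for f in schema["fields"]:
        v = record[f["name"]]
        if f["type"] in ("int", "long"):
            out += zigzag_encode(v)
        elif f["type"] == "string":
            raw = v.encode("utf-8"); out += zigzag_encode(len(raw)) + raw
        else:
            raise ValueError("unsupported type " + f["type"])
    return bytes(out)

def decode_record(schema, buf):
    # The consumer must use the producer's schema: no field names are on the wire.
    rec, pos = {}, 0
    for f in schema["fields"]:
        if f["type"] in ("int", "long"):
            rec[f["name"]], pos = zigzag_decode(buf, pos)
        else:
            n, pos = zigzag_decode(buf, pos)
            rec[f["name"]] = buf[pos:pos + n].decode("utf-8"); pos += n
    if pos != len(buf):
        raise ValueError("trailing bytes: schema and payload disagree")
    return rec

def size_comparison(record=SAMPLE_FLOW):
    # Bytes on the wire for the Avro datum versus compact JSON of the same flow.
    avro_len = len(encode_record(FLOW_SCHEMA, record))
    json_len = len(json.dumps(record, separators=(",", ":")).encode("utf-8"))
    return avro_len, json_len
```

Decoding with a schema that does not match the producer's silently yields wrong values or, as here, a length error, which is why keeping schema and data together matters for Kafka consumers.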

Please also check the documentation for the full list of IEs and to learn more about all the export settings and customisations.

We’re committed to continuously improving our software to meet the evolving needs of our users. We look forward to hearing your feedback and seeing how you leverage Avro serialization and custom templates in your workflows. Stay tuned!


Released nDPI 4.12: Obfuscated/Encrypted/Proxied Traffic and Fingerprints


This is to announce the release of nDPI 4.12, the first version after the 6-month release cycle we announced earlier this year. The main changes of this release include support for detecting encrypted/obfuscated/proxied traffic, in particular for OpenVPN and TLS, as well as support for the network fingerprints presented in November at the Sharkfest conference.

For all details see the enclosed changelog.


Enjoy !

nDPI 4.12 (Dec 2024)

Major Changes

For further details on these three topics, see https://www.ntop.org/ntop/a-deep-dive-into-traffic-fingerprints/

New Supported Protocols and Services

This is the list of the new supported protocols, grouped by category. Information about these new protocols is available on https://github.com/ntop/nDPI/blob/dev/doc/protocols.rst

New features

New algorithms

  • Implemented algorithms for K-Nearest Neighbor Search (KNN) (#2554)
  • Added ndpi_quick_encrypt() and ndpi_quick_decrypt() API calls (#2568)

New configuration knobs

Further information is available on https://github.com/ntop/nDPI/blob/dev/doc/configuration_parameters.md

Improvements

Misc

New Contributors

  • @wssxsxxsx made their first contribution in #2527
  • @liwilson1 made their first contribution in #2539
  • @YellowMan02 made their first contribution in #2607
  • @Klavishnik made their first contribution in #2633
  • @adipierro made their first contribution in #2638

Full Changelog: https://github.com/ntop/nDPI/compare/4.10...4.12


Introducing nScrub 1.6: Broader Support, More Offloads, Improved Algorithms


We are excited to announce this new release of nScrub, 1.6, packed with new features, expanded hardware support, and key enhancements to strengthen network defense capabilities.

This release adds native support for NVIDIA/Mellanox ConnectX adapters, and extends support for Napatech adapters by enabling the TX offload support, which optimizes packet transmission performance and reduces CPU overhead. We also implemented native support for DPDK, making nScrub open to deployments where the users are widely using this SDK.

We’ve also improved the detection and scrubbing algorithms, including additional checks on TCP packet headers, ensuring better protection against malformed packets and potential attacks. It is now possible to enable per-target thresholds, allowing for granular control of mitigation engagement based on individual targets, while maintaining a global threshold for overarching protection. Enhancements to the auto-engage mechanism result in more intelligent and efficient mitigation activation, ensuring prompt responses to anomalies.

The APIs have also been improved. Importing large blacklists is now significantly faster, improving system readiness and scalability for environments with extensive blocklists.

The new features and improvements in nScrub make it a must-have upgrade, and we encourage all users to upgrade to 1.6. Please read the changelog below for the full list of changes and improvements.

Enjoy!

Changelog

Engine

  • Add native NVIDIA/Mellanox ConnectX adapters support
  • Add support for TX offload with Napatech adapters
  • Add DPDK support (v.20 or later)
  • Add IPsec basic policies control
  • Add more safety checks on TCP packet headers
  • Add check on max MSS
  • Add per target threshold (global threshold to engage the mitigation)
  • Improve SYN and SYN-ACK rate check (e.g. also check white traffic)
  • Improve RFC (more permissive) when always enabled
  • Improve auto-engage checks
  • Improve blacklist loading to speedup import of huge lists
  • Improve hardware bypass support
    • Improve watchdog management
    • Detect hardware bypass engage (e.g. due to watchdog) and trigger events
    • Fix false positives engaging the watchdog and reduce watchdog sensitivity
  • Check for blacklisted destinations on egress traffic
  • Historical data (RRD) improvements and fixes
    • Fix folder creation with the right user
  • Fix egress monitor queue selection with legacy PF_RING API (e.g. NVIDIA/Mellanox)
  • Fix GRE detection
  • Fix bridging with kernel drivers
  • Fix SYN proxy MITM
  • Fix conversion of the device name to the system device name in Netlink

Options

  • Add --force-promisc|-4 to force promiscuous mode in routing mode
  • Add --no-tx-stack-injection|-5 and --no-rx-stack-injection|-6 options to disable stack injection in routing mode

API

  • New API /tcp/syn/noseqnum/drop to drop SYN with no sequence number
  • Add threads info to the /status
  • Add stats for traffic discarded due to blacklist in the target stats
  • Add more bypass info
  • Add offset/limit when requesting for attackers on a target
  • Add stats for reforged and injected packets
  • Add number of hits for dynamically added IP addresses
  • Add human-readable discard reasons in stats
  • Fix and optimized attackers pagination, added ‘limit’ parameter
  • Fix port number parsing in the URI for high ports
  • Fix listing of dynamic attackers IP addresses
  • Fix stats when using regexp or * to match multiple targets

GUI

  • Add statistics for fragments
  • Add more engage/severity indicators
  • Redirection to the monitor page on login
    • Open monitor.html by default when requesting / from a browser (use /status for the status)

Tools

  • nscrub-cli
    • Add ability to purge a list by name
    • Added CIDR support when loading IP list from file
  • Improved nscrub-bl in blacklist generation
    • Added warn-list support to detect when some IPs are in a blacklist
    • Added whitelist support to filter the blacklist
    • Duplicated IPs are now removed

Packages

  • Add packages for Debian 11, 12
  • Add packages for Ubuntu 20, 22, 24

Misc

  • Add nscrub user to the ntop group
  • Add UNIT_NAME and INSTANCE_NAME env var to the systemd service
  • Fix nscrub-export support for python3

Introducing n2disk 3.8: NVIDIA Support, Smart Recording, Traffic Deduplication


We’re excited to announce a new stable release of n2disk, v. 3.8. This release brings significant new capabilities to the network monitoring and recording landscape, and it is packed with features that enhance both functionality and performance.

Here’s a closer look at the highlights of this release:

  • New Smart Recording support to intelligently manage and optimize storage usage.
  • Multithreaded Packet Capture to take advantage of RSS (Receive Side Scaling) capabilities on NVIDIA/Mellanox ConnectX adapters. On those adapters it is not possible to scale performance by spawning multiple (n2disk) processes, so a multithreaded application is mandatory.
  • Inline Packet Deduplication with ndedup to eliminate duplicated packets that eat up bandwidth and processing power on the monitoring tools, or to save disk resources when dumping traffic to disk, dramatically increasing data retention.

For the full list of changes and new features, please read the changelog below. For detailed documentation and tutorials, visit our official documentation or the dedicated blog posts.

Enjoy!

Changelog

Breakthroughs

  • New Smart Recording support (disk2disk service)
  • New n2disk multithreaded capture (support for RSS with NVIDIA/Mellanox adapters)
  • New ndedup utility for inline packet deduplication
    • Zero-copy batch traffic forwarding as transparent bridge
    • Support for multiple segments or RSS queues with multithreading
    • Configurable window size

n2disk

  • Add Device and Port ID to indexed metadata
  • Add support for Metawatch in packet capture mode
  • Add support for indexing tunneled traffic in VXLAN
  • Add support for IP-in-GRE-IP-in-VXLAN-in-IP encapsulation
  • Add support for ERSPAN
  • Add support for Arista 7280 headers
  • Add support for FT-driven slicing
  • Add threads for notifications (exec command) and queues to notify pcaps in order
  • Index L2 packets
  • Index ICMP protocol
  • Index Arista Metawatch Device and Port ID with --extended-index 4 (even without --hw-timestamp metawatch)
  • New options
    • Add --disable-rss option to disable RSS (send all traffic to queue 0)
    • Add --file-mode and --dir-mode options to set permissions on disk
    • Add --indexer-threads <cores> (same semantic of -k <cores> -K) to set indexer threads core affinity
    • Add --reader-priority, --writer-priority, --indexer-priority to set threads priority
    • Add --numa-affinity to set NUMA node affinity
    • Add --other-cpu-affinity option to set core affinity for auxiliary threads
    • Add --no-overwriting option to disable pcap recycling
    • Add --hole-detection <msec> option to detect traffic holes
    • Add --disable-chunk-mode option to disable chunk mode when automatically detected
    • Add --profiling option to enable pipeline profiling
    • Add --no-demo option to fail on no/expired license
  • Enable libpcap capture on Linux (fallback to libpcap when pf_ring is not available)
  • Improve Arista timestamps management to skip packets until the first keyframe is received
  • Disable dump to specific disks in case of write failure when multiple volumes are available
  • Fix standard BPF filters with zc interfaces
  • Fix used disk space computation with compressed npcap files
  • Fix exit status on failure
  • Fix fd leak
  • Fix DLT with vanilla pcap capture
  • Deprecate -n option

Flow export

  • Add --probe-ip option to specify the probe IP
  • Reworked ZMQ export (now using ZMQ export support provided by PF_RING FT)
  • Fix exported flows stats

npcapextract

  • Add match for Device and Port ID
  • Add support for time in epoch format in -b/-e
  • Add support for nanoseconds time interval
  • Handle extraction from pcap files which are not strictly honoring the timeline boundaries
  • Fix extraction filters on IPv6 addresses

npcap library (PF_RING timeline module)

  • Add support for nanoseconds time interval
  • Fix memory corruption with big pcap and big index files

disk2n (replay)

  • Add --keep-crc option to keep the CRC
  • Fix --takeoff-time

Misc

  • Add ARM support
  • Add Ubuntu 22/24 support and package
  • Add Debian 11/12 support and package
  • Add FreeBSD support and package
  • Add n2disk user to the ntop group
  • Add UNIT_NAME and INSTANCE_NAME env var to systemd services
  • Install binaries to /usr/bin