Hi,

If ntopng only has access to tunneled traffic, there is not much that can be done. OpenVPN traffic is encrypted. But if you have access to the machine running OpenVPN - Sec.Bridge.Dev I guess - then the traffic can be before it enters the tunnel. I believe Sec.Bridge.Dev will have a tunXXX interface. You should try and run ntopng on that interface with -i tunXX.

Simone

> On 9 Mar 2021, at 15:19, Christina Phillips <cphill...@inei.com> wrote:
>
> Hi – so, I’ve run into an issue with ghost networks. I can see the ghost
> networks. That’s fine. My situation is that I am using an OpenVPN based
> layer 2 over layer 3 tunnel between security devices.
>
> Devices:
> Cameras: 2
> Management Laptop: 1
> Security Edge Devices 3
> Security Bridge Device: 1 (this device runs ntopng)
>
> Diagram is basically:
>
> Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
>
> <->Sec.Edg.Dev3<->Laptop
>
> Cameras and laptop have device IP addresses in 192.168.x.0/24
>
> Edge devices make a secure tunnel on 172.31.X.0/24
> 192.168.X.0 is a ghost network.
> Ntopng on bridge device records traffic on the bridge network (for example
> interface br50), as well as other interfaces on the bridge device (this is a
> Debian 9 VM that communicates over a network to the edge devices – which may
> be geographically dispersed.)
>
> The issue is that anything on the “bridge” interface and a ghost network
> device – I only see the broadcast and multicast traffic of those devices. I
> believe the 3.x ntopng and the 4.1 ntopng (before the big change) – recorded
> the unicast traffic of the ghost devices (I’ve been using ntopng since 2017 –
> and while I no longer have any older code versions running – I believe I was
> seeing unicast traffic from a camera to a laptop (through the bridge).
>
> What happened? What can be done? Am I doing anything wrong? (traffic
> flow is from laptop to camera – through the bridge device – I should be able
> to see the http/https traffic between the laptop and camera – but I do not.)
>
> Christina Phillips
> VP of Technology
>
> m: 703.626 0385
> e: cphill...@onclave.net
> w: www.onclave.net
>
> 7950 Jones Branch Drive, Suite 805, McLean, VA 22102
>
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it
> http://listgateway.unipi.it/mailman/listinfo/ntop
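
An added example, not part of the thread and not ntopng project code: a small shell helper that finds the tunnel interface the reply refers to and builds the matching `ntopng -i` arguments. It assumes a Linux host, where the tun driver exposes `/sys/class/net/<if>/tun_flags`; the function names are made up for this sketch, and it lists both tun and tap devices because the interface name depends on the OpenVPN configuration.

```shell
#!/bin/sh
# Constructed helper (not part of ntopng). The Linux tun driver creates
# /sys/class/net/<if>/tun_flags for each device it owns:
# bit 0x1 = IFF_TUN (layer 3), bit 0x2 = IFF_TAP (layer 2).

# list_tunnel_ifaces [SYSFS_NET_DIR] -> prints "<name> <tun|tap>" per device
list_tunnel_ifaces() {
    net_dir="${1:-/sys/class/net}"
    for dev in "$net_dir"/*; do
        [ -r "$dev/tun_flags" ] || continue      # not a TUN/TAP device
        flags=$(cat "$dev/tun_flags")
        case "$flags" in
            0x*) hex=${flags#0x} ;;
            *)   continue ;;                     # unexpected format, skip
        esac
        case "$hex" in
            ''|*[!0-9a-fA-F]*) continue ;;       # accept hex digits only
        esac
        if [ $(( 0x$hex & 0x2 )) -ne 0 ]; then
            kind=tap
        elif [ $(( 0x$hex & 0x1 )) -ne 0 ]; then
            kind=tun
        else
            continue
        fi
        echo "${dev##*/} $kind"
    done
}

# ntopng_command [SYSFS_NET_DIR] -> prints an ntopng command line with one
# -i option per tunnel interface; returns 1 when no such interface exists.
ntopng_command() {
    cmd="ntopng"
    for name in $(list_tunnel_ifaces "$1" | cut -d' ' -f1); do
        cmd="$cmd -i $name"
    done
    [ "$cmd" != "ntopng" ] || return 1
    echo "$cmd"
}
```

Run `ntopng_command` on the machine that terminates the OpenVPN tunnels; a non-zero return means no TUN/TAP device exists there, so the decrypted traffic is not available on that host.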