Hi. So the secure bridge decrypts the traffic on the br50 interface. Ntopng is 
running on the bridge and I have the br50 interface in ntopng.conf. It does 
pick up broadcast and multicast where it is the endpoint. However, traffic going 
from a laptop to a camera is not picked up. I will double-check to see if we 
are decrypting all traffic when it gets to the bridge.
________________________________
From: [email protected] <[email protected]> on 
behalf of Simone Mainardi <[email protected]>
Sent: Wednesday, March 10, 2021 2:19:45 AM
To: [email protected] <[email protected]>
Subject: Re: [Ntop] ghost network devices

Hi,

If ntopng only has access to tunneled traffic, there is not much that can be 
done. OpenVPN traffic is encrypted. But if you have access to the machine 
running OpenVPN - Sec.Bridge.Dev I guess - then the traffic can be seen before it 
enters the tunnel. I believe Sec.Bridge.Dev will have a tunXXX interface. You 
should try and run ntopng on that interface with -i tunXX.

Simone

On 9 Mar 2021, at 15:19, Christina Phillips <[email protected]> wrote:

Hi – so, I’ve run into an issue with ghost networks.  I can see the ghost 
networks.  That’s fine.  My situation is that I am using an OpenVPN-based layer 
2 over layer 3 tunnel between security devices.

Devices:
Cameras: 2
Management Laptop: 1
Security Edge Devices: 3
Security Bridge Device: 1 (this device runs ntopng)

Diagram is basically:

Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
                                        <->Sec.Edg.Dev3<->Laptop

Cameras and laptop have device IP addresses in 192.168.x.0/24

Edge devices make a secure tunnel on 172.31.X.0/24
192.168.X.0 is a ghost network.
Ntopng on bridge device records traffic on the bridge network (for example 
interface br50), as well as other interfaces on the bridge device (this is a 
Debian 9 VM that communicates over a network to the edge devices – which may be 
geographically dispersed.)


The issue is that anything on the “bridge” interface and a ghost network device 
– I only see the broadcast and multicast traffic of those devices.  I believe 
the 3.x ntopng and the 4.1 ntopng (before the big change) – recorded the 
unicast traffic of the ghost devices (I’ve been using ntopng since 2017 – and 
while I no longer have any older code versions running – I believe I was seeing 
unicast traffic from a camera to a laptop (through the bridge)).

What happened?  What can be done?  Am I doing anything wrong?     (traffic flow 
is from laptop to camera – through the bridge device – I should be able to see 
the http/https traffic between the laptop and camera – but I do not.)


Christina  Phillips
VP of Technology

m:  703.626 0385
e:  [email protected]
w:  www.onclave.net

7950 Jones Branch Drive, Suite 805, McLean, VA 22102



_______________________________________________
Ntop mailing list
[email protected]
http://listgateway.unipi.it/mailman/listinfo/ntop
