Re: [Ntop-misc] How to detect new protocols?
Now it's working... does it take some time to detect it?

From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Sacha Yunusic
Sent: Wednesday, 14 September 2016 11:18
To: ntop-misc@listgateway.unipi.it
Subject: [Ntop-misc] How to detect new protocols?

Hi,

I'm trying to detect SEP traffic (Symantec Endpoint Protection). Clients connect to SEP Manager (SEPM) through port tcp-8014. If I go to the SEPM page in the ntopng GUI, then to flows, I see this:

    Application: Unknown, tcp, Client: SEPM:8014, Server: [Random_high_number]

So, I created proto.txt with this:

    tcp:8014@sep-comm

I re-ran ntopng and there are no changes... My guess is that because tcp-8014 appears in the client column, it doesn't recognize it as "sep-comm" or whatever... This is traffic from a backbone switch/router, so I can't say what is in and what is out, because there are 192.168.x.x networks everywhere... Any guess on what I'm doing wrong?

Sacha.

___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Even there are 16 child processes, ntopng only uses 2
For some reason, after 1 hour of nothing happening, everything is fine now... I'll wait for it to happen again before opening that ticket. Thanks.

From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Luca Deri
Sent: Tuesday, 13 September 2016 14:34
To: ntop-misc@listgateway.unipi.it
Subject: Re: [Ntop-misc] Even there are 16 child processes, ntopng only uses 2

Sacha,
can you please file a ticket on github and attach the current status (# of hosts and flows etc.) so we can track this issue?

Luca

On 13 Sep 2016, at 18:32, Sacha Yunusic <sa...@akainix.com> wrote:

[...]
[Ntop-misc] Even there are 16 child processes, ntopng only uses 2
Hi!

I'm starting to use ntopng, which is receiving flows from a Cisco 4507 switch through NetFlow. I start nprobe and ntopng on the same server (Dell R720, 24 cores, 128GB RAM, 1TB HD), and I can enter the GUI, but as soon as I try to look into one specific host (http://server:4000/lua/host_details.lua?host=192.168.200.104), two child processes of ntopng take 100% of one core each (so, two out of 24), and this simple task takes forever. Now, 45 minutes after I clicked on that link, nothing has happened and the browser is still "thinking".

So, my questions are:
- Why is it taking so much CPU for that simple task?
- Why doesn't it use more CPU if there are 16 child processes and it is only using two?

I'm using ntopng Pro [Small Business Edition] v.2.5.160816, running on CentOS 7.1 x64, installed with yum using /etc/yum.repos.d/ntop.repo.

This is how I run nprobe:

    # nprobe --collector-port 2055 --zmq "tcp://*:5888" --redis 127.0.0.1:6379 -n none

This is how I run ntopng:

    # ntopng -i tcp://127.0.0.1:5888 --redis 127.0.0.1:6379 -w 4000 -m 192.168.0.0/16

This is what I see on stdout where I run ntopng:

    13/Sep/2016 13:02:09 [Lua.cpp:5420] WARNING: Script failure [/usr/share/ntopng/scripts/lua/find_host.lua][attempt to index a userdata value]

Sacha Yunusic | Technical Manager | Pentagon Security & Akainix
Av. Kennedy 4700, Piso 10, Of. 1002, Edificio New Century, Vitacura | ZIP Code 7630454
Main: (56-2) 2246 1050 | Direct: (56-2) 2246 2620 | Mobile: (56-9) 9883 4752 | www.penta-sec.com & www.akainix.com
[Ntop-misc] ntopng/nprobe and BI tools
Hi everyone,

We're connecting all of our data sources to a BI tool. So far, we've connected ElasticSearch, HDFS, MongoDB, InfluxDB, etc., and now we want to connect ntopng/nprobe. How does this have to be done? Is there any guide on doing that? (DB type, port, API?)

Thanks!

Sacha Yunusic | Technical Manager | Pentagon Security & Akainix
Re: [Ntop-misc] The new guy on the block
It worked, thanks!

From: ntop-misc-boun...@listgateway.unipi.it [mailto:ntop-misc-boun...@listgateway.unipi.it] On Behalf Of Luca Deri
Sent: Sunday, 15 November 2015 17:44
To: ntop-misc@listgateway.unipi.it
Subject: [Marketing Mail] Re: [Ntop-misc] The new guy on the block

Sacha,
if nprobe is used as collector do

    nprobe -n none -i none -3 2055 --zmq "tcp://*:5888"

Regards
Luca
[Ntop-misc] The new guy on the block
Hi there,

I'm starting to use ntopng and nprobe and we want to use them in production, so I'm in the learning process. The lab I'm running has some boxes that send NetFlow v9 to the server where I have nprobe and ntopng running, through udp-2055:

    [root~]# tcpdump port 2055 -nnn
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
    16:58:22.508489 IP 192.168.xxx.yyy.58136 > 192.168.zzz.www.2055: UDP, length 1368
    16:58:22.508529 IP 192.168.xxx.yyy.58136 > 192.168.zzz.www.2055: UDP, length 692

192.168.xxx.yyy is the box that sends NetFlow, and 192.168.zzz.www is the server where we're running nprobe and ntopng. What I want is to capture that NetFlow v9 traffic and send it to ntopng, so this is what I'm doing:

    # nprobe -n 127.0.0.1:2055 -i em1 --zmq "tcp://*:5888" --redis 127.0.0.1:6379 --flow-version 9

I'm not sure how useful/needed it is to have Redis in here... but still... In this case, I see traffic, but only the traffic I see on em1 (eth0) that is sent directly to my probe server (not the NetFlow data), so I tried this:

    # nprobe -n 127.0.0.1:2055 -i none --zmq "tcp://*:5888" --redis 127.0.0.1:6379 --flow-version 9

And there I don't see any flows or anything. On the ntopng side, this is what I do:

    # ntopng -i tcp://127.0.0.1:5888 --redis 127.0.0.1:6379 --http-port 4000

What am I doing wrong?

Sacha Yunusic | Technical Manager | Pentagon Security & Akainix
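A check that is useful at this point in the thread, and for the proto.txt question earlier on the page, as an added example that is not part of any post and not nprobe/ntopng/nDPI code: decode what actually arrives on the collector port (NetFlow v9 header, template flowsets, data flowsets) and tag the decoded records with a port rule in the same "proto:port@name" form as the proto.txt line above. The sample packet (192.168.200.104 talking to an assumed SEPM at 192.168.10.5 on tcp/8014), the field subset and the "match either endpoint's port" policy are this example's own constructions; the field type IDs are the RFC 3954 values.

```python
"""NetFlow v9 collector-side sanity check (added example, not project code)."""
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8)
IN_BYTES, PROTOCOL, L4_SRC_PORT, IPV4_SRC_ADDR = 1, 4, 7, 8
L4_DST_PORT, IPV4_DST_ADDR = 11, 12
PROTO_NAMES = {6: "tcp", 17: "udp"}


class NetflowV9Decoder:
    """Stateful decoder: templates are remembered per (source_id, template_id)."""

    def __init__(self):
        self.templates = {}
        self.undecodable = 0  # data flowsets that arrived before their template

    def decode(self, pkt):
        if len(pkt) < 20:
            raise ValueError("packet shorter than the 20-byte v9 header")
        version, count, uptime, secs, seq, source_id = struct.unpack("!HHIIII", pkt[:20])
        if version != 9:
            raise ValueError("not NetFlow v9 (version %d)" % version)
        records, off = [], 20
        while off + 4 <= len(pkt):
            fs_id, fs_len = struct.unpack("!HH", pkt[off:off + 4])
            if fs_len < 4 or off + fs_len > len(pkt):
                raise ValueError("bad flowset length %d at offset %d" % (fs_len, off))
            body = pkt[off + 4:off + fs_len]
            if fs_id == 0:                    # template flowset
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                # data flowset; id is the template id
                records.extend(self._decode_data(source_id, fs_id, body))
            # fs_id 1 (options template) and 2..255 (reserved) are skipped here
            off += fs_len
        return records

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            if off + 4 * nfields > len(body):
                raise ValueError("truncated template %d" % tid)
            fields = [struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4])
                      for i in range(nfields)]
            off += 4 * nfields
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id, tid, body):
        tmpl = self.templates.get((source_id, tid))
        if tmpl is None:
            # Exporter sent data before (or without) its template: a collector
            # cannot decode these records, so no flows appear downstream.
            self.undecodable += 1
            return []
        rec_len = sum(length for _, length in tmpl)
        out, off = [], 0
        while rec_len and off + rec_len <= len(body):  # leftover bytes are padding
            rec = {}
            for ftype, flen in tmpl:
                raw = body[off:off + flen]
                off += flen
                if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR) and flen == 4:
                    rec[ftype] = ".".join(str(b) for b in raw)
                else:
                    rec[ftype] = int.from_bytes(raw, "big")
            out.append(rec)
        return out


def parse_proto_rules(text):
    """Parse 'tcp:8014@sep-comm' (or 'tcp:81,tcp:8181@name') lines into {(proto, port): name}."""
    rules = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        matches, name = line.split("@", 1)
        for match in matches.split(","):
            proto, port = match.strip().split(":", 1)
            rules[(proto.lower(), int(port))] = name.strip()
    return rules


def classify(rec, rules):
    """Assumed policy: try both endpoint ports, since with unknown direction the
    well-known port can land in the client column (as in the thread above)."""
    proto = PROTO_NAMES.get(rec.get(PROTOCOL), "other")
    for port in (rec.get(L4_DST_PORT), rec.get(L4_SRC_PORT)):
        if (proto, port) in rules:
            return rules[(proto, port)]
    return "Unknown"


def build_sample_packet():
    """Constructed v9 export: one template (id 256) plus two data records."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2),
              (L4_DST_PORT, 2), (PROTOCOL, 1), (IN_BYTES, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    # client -> assumed SEPM on tcp/8014, then the reverse direction (8014 as source port)
    rec1 = bytes([192, 168, 200, 104, 192, 168, 10, 5]) + struct.pack("!HHBI", 51234, 8014, 6, 1500)
    rec2 = bytes([192, 168, 10, 5, 192, 168, 200, 104]) + struct.pack("!HHBI", 8014, 51234, 6, 9000)
    data = rec1 + rec2
    pad = (-len(data)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(data) + pad) + data + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 3, 123456, 1473782400, 1, 0)  # count: 1 template + 2 records
    return header + tmpl_fs + data_fs


if __name__ == "__main__":
    dec, rules = NetflowV9Decoder(), parse_proto_rules("tcp:8014@sep-comm\n")
    for r in dec.decode(build_sample_packet()):
        print(r[IPV4_SRC_ADDR], r[L4_SRC_PORT], "->", r[IPV4_DST_ADDR], r[L4_DST_PORT], classify(r, rules))
```

To run it against a real exporter, read datagrams from a UDP socket bound to 2055 and feed each one to the same decoder instance; the `undecodable` counter staying non-zero while records stay empty is the symptom of an exporter that has not (yet) sent its templates, which looks exactly like "tcpdump shows packets but no flows appear".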
Re: [Ntop-misc] The new guy on the block
The -i none is wrong. Forget about that part. Sorry.

From: Sacha Yunusic
Sent: Sunday, 15 November 2015 17:14
To: 'ntop-misc@listgateway.unipi.it'
Subject: The new guy on the block

[...]