ntop

TruePath is the Premier reseller of all ntop software and hardware nBox products. The ntop project was started in 1998 as an open-source network monitoring tool by Luca Deri. With more than 15 years spent in R&D in the networking world, the ntop team, still led by the project founder, is now a reference in the packet capture and analysis community.

Product families include Network Monitoring Solutions, Linux kernel modules for wire-speed packet capture and transmission, and Packet-to-Disk Solutions.

nBox Netflow

NetFlow™ v5/v9/IPFIX Probe

nBox is a flow-based network traffic analyzer capable of Cisco NetFlow™ data export and analysis. The ability to characterize IP traffic is critical for network availability, performance and troubleshooting. nBox offers a scalable, manageable and reliable solution to provide the necessary data and information to optimize and troubleshoot your network. nBox includes both a NetFlow™ v5/v9/IPFIX probe (nProbe) and a collector (ntopng).

nBox has been developed on Linux and, thanks to an optimised kernel module (PF_RING), significantly improves the packet capture process on 1 and 10 Gbit networks. nBox is able to monitor network trunks at full speed without requiring special and expensive hardware-accelerated network cards. nBox is easy to set up and, thanks to its embedded and intuitive web GUI, it is immediately ready to use with little configuration effort. Improvements and software updates released by the nBox team are immediately available as upgrades via the Internet using a simple web interface.

It can be effectively used:

to analyse NetFlow™ flows generated by your border gateway or, generally, by your NetFlow™-enabled device

to replace the embedded, low-speed NetFlow™ probe available on your router

as a NetFlow™ probe to send flows towards one or more collectors (ntopng or any NetFlow™/IPFIX collector)

to analyse full-speed Gbit network trunks with no packet loss or delay

both as a probe and collector at the same time

Key Features

High-performance embedded NetFlow™ v5/v9/IPFIX probe.

Embedded NetFlow™ v5/v9/IPFIX collector.

IPv4, IPv6, MPLS, GTP, GRE support.

Easy to set up and configure.

No additional delay in either mirrored traffic or the existing network.

User friendly web GUI for nProbe and ntopng.

Multiple collector mode for load balancing or redundancy.

Firmware and packages upgrade via Internet.

All software resides on flash disk.

Optional Hard-disk for permanent storing of traffic flows.

Ability to dump NetFlow™ flows on disk or on a database server.

Over 130 application protocols recognised by the DPI library, including email, messaging, P2P, Skype, Citrix.

nBox_L_S1GC

Half Depth 1U 19″ rackmount server

Up to 2.5 Mpps

Fixed 200W PSU with NEMA-15P (US) cord included

2 x (10/100/1g) Onboard Mgmt Ports

1 x ssd boot drive

1 x Dual Port 1Gbit Copper card

2 x 1 Gbit PF_Ring ZC Intel (per port) license

1 x ntopng Pro license

1 x nProbe Pro with Plugin Support license

1 year hardware warranty: 3-5 business days replacement

nBox_H10_D1GC

1U 19″ rackmount server
Up to 14.88 Mpps
Fixed 350W PSU w/ NEMA-15P (US) cord included
2 x (10/100/1g) Onboard Mgmt Ports
1 x ssd boot drive
1 x Dual Port 1Gbit Copper card
2 x 1 Gbit PF_Ring ZC Intel (per port) license
1 x ntopng Pro license
1 x nProbe Pro with Plugin Support license
1 year hardware warranty: 3-5 business days replacement

nBox_H10_D10GF

1U 19″ rackmount server
Up to 14.88 Mpps
Fixed 350W PSU w/ NEMA-15P (US) cord included
2 x (10/100/1g) Onboard Mgmt Ports
1 x ssd boot drive
1 x Dual Port 10Gbit Fiber SFP+ with Short range optics (SR) card
2 x 10/40 Gbit PF_Ring ZC Intel (per port) license
1 x ntopng Pro license
1 x nProbe Pro with Plugin Support license
1 year hardware warranty: 3-5 business days replacement

nBox Recorder

High-speed network packet recording system

nBox Recorder is a network recorder application. With nBox Recorder you can capture full-sized network packets at gigabit rate from a live network interface and write them into files. It has been designed and developed mainly because most network security systems rely on capturing all packets (headers and payload), since any packet may have been responsible for the attack or could contain the problem that we are trying to find. nBox Recorder uses the industry-standard PCAP file format to dump packets into files, so the resulting output can be easily integrated with existing third-party or even open-source analysis tools like ntop, Wireshark, or Snort.

Modern data networks keep growing in terms of speed. In a few years data throughput increased from 100 Mbit/s to 10 Gbit/s, reaching multi-10 Gbit/s speeds. This has made network traffic recording a challenging activity. In this scenario ntop decided to enclose all the developed technology in a single network appliance: nBox Recorder. Recording configuration, management and packet retrieval can be performed using just the web interface. Pcap file analysis can also be performed directly in the web interface, allowing users to display captured pcap files or search results straight in the web browser.

Key Features

  • Multi 10 Gbit/s packet to disk with zero packet loss in pcap file format
  • On-the-fly indexing and compression/decompression
  • Web configuration and management
  • API accessible search indexes
  • Pcap re-injection into network
  • User customisable appliance
  • Up to 24 TB of storage available in 2U appliance format
  • Appliance available in 1U or 2U rackable format
  • Extended pcap analysis immediately available using ntopng graphical web interface

nBox_R1_S1GC

Half Depth 1U 19″ rackmount server
Up to 1 Gbit/sec
Fixed 200W PSU w/ NEMA-15P (US) cord included
2 x (10/100/1g) Onboard Mgmt Ports
1 x ssd boot drive – and – 1 x 1TB drive
1 x Dual Port 1Gbit Copper card
1 x 1 Gbit PF_Ring ZC Intel (per port) license
1 x ntopng Pro license
1 x n2disk 1Gbit license
1 year hardware warranty: 3-5 business days replacement

nBox_R4_D1GC

1U 19″ rackmount
Up to 5 Gbit/sec
Fixed 350W PSU w/ NEMA-15P (US) cord included
2 x (10/100/1g) Onboard Mgmt Ports
1 x RAID CARD
1 x SSD Boot Drive
4 x 1TB Drives
1 x Dual Port 1Gbit Copper card
2 x 1 Gbit PF_Ring ZC Intel (per port) license
1 x ntopng Pro license
1 x n2disk 1Gbit license
1 year hardware warranty: 3-5 business days replacement

nBox_R8_D10GF

2U 19″ rackmount server (with rails)
Up to 10 Gbit/sec
Hot Swap 450W PSU w/ NEMA-15P (US) cord included
2 x (10/100/1g) Onboard Mgmt Ports
1 x RAID CARD
2 x ssd redundant boot drive – and – 8 x 1TB
2 x Dual Port 10Gbit Fiber SFP+ with Short range optics (SR) card
2 x 10/40 Gbit PF_Ring ZC Intel (per port) license
1 x ntopng Enterprise license
1 x n2disk 10/40Gbit license
1 year hardware warranty: 3-5 business days replacement

Much more than a simple NetFlow probe. nProbe can be a probe, probe+collector, collector, or a proxy. In proxy mode you can convert from/to IPFIX/NetFlow v5/v9 in order to smoothly upgrade to newer NetFlow protocol versions while capitalizing on previous protocol versions. So you can, for instance, convert flows coming from your v5 router into IPFIX and vice versa.

Available for Unix (including MacOS X and Solaris), Windows, and embedded environments.

Added layer 7 application visibility (including Skype, BitTorrent, Citrix…).

NetFlow v9/IPFIX support for efficient flow handling.

Full IPFIX support: PEN (Private Enterprise Numbers) and Variable length encoding.

Added Cisco NetFlow-Lite support (as of version 6.5).

Support for IPv4 and v6.

Ability to natively save flows into MySQL and SQLite, as well as text and binary.

Native PF_RING support for high speed flow generation (nProbe™ Pro Unix and above).

Ability to act as flow collector and proxy. All combinations are supported.

Ability to collect sFlow flows and turn them into flows (v5/v9/IPFIX).

Support for detecting protocols via DPI (deep packet inspection) and reporting the protocol name in flows for precise collector protocol accounting.

Ability to forge NetFlow interfaceIds based on MAC/IP addresses.

Collection of Cisco ASA flows and conversion into ‘standard’ flows.

Support of tunnelled (including GRE, PPP and GTP) traffic and ability to export in flows inner/outer envelope/packet information.

Support of both flow and packet sampling.

Support of Flexible Netflow: create your netflow templates, now with PEN support.

ntop can be used as collector and analyzer for NetFlow v5/v9/IPFIX flows such as those generated by nProbe™ and commercial routers.

Generic packet header-based traffic monitoring is no longer enough. Network administrators need to pinpoint problems and understand bottlenecks, and in particular to know exactly what the cause of a certain problem is. For this reason it is now necessary to inspect specific protocols in order to understand what has happened. nProbe™ currently features HTTP, Oracle and MySQL plugins that, in addition to exporting information via NetFlow, allow administrators to create logs of activity that help in understanding what is really happening on the network.

Additional nProbe Plugins

MySQL Plugin [Unix/Win32] – Decodes (unencrypted) MySQL traffic, and produces a log of SQL requests/responses along with performance indicators.

IMAP/SMTP/POP Plugins [Unix/Win32] – Email plugins for decoding (unencrypted) email traffic and generating flows and logs of email activities.

SIP/RTP Plugins [Unix/Win32] – Plugins for decoding VoIP (Voice over IP) traffic and producing call log, and voice information (jitter and packet loss).

Oracle Plugin [Unix/Win32] – Similar to MySQL plugin, just for Oracle databases.

HTTP Plugin [Unix/Win32] – Decodes HTTP traffic and HTTPS certificates. It can generate a comprehensive log of HTTP traffic, including page download and network/server delay. Microcloud friendly.

DNS Plugin [Unix/Win32] – Decodes DNS traffic, and produces a log of main domain name resolution activities. Microcloud friendly.

NetFlow-Lite Plugin [Unix] – Plugin for collecting NetFlow-Lite traffic sent by some Cisco switches.

GTPv1 Plugin [Unix/Win32] – Plugin for decoding GTPv1-C (2G and 3G networks) signalling and producing comprehensive mobile user and traffic tracking. Microcloud friendly. Available only in binary format.

GTPv2 Plugin [Unix/Win32] – Same as GTPv1 plugin, just for v2 protocol version used in LTE (Long Term Evolution) mobile networks.

Radius Plugin [Unix/Win32] – Plugin decoding Radius traffic including 3GPP extensions for mobile networks. Microcloud friendly.

PF_Ring

High-speed packet capture, filtering and analysis. PF_RING™ is a new type of network socket that dramatically improves the packet capture speed, and that’s characterized by the following properties:

Available for Linux kernels 2.6.32 and newer.

No need to patch the kernel: just load the kernel module.

PF_RING™-aware drivers for increased packet capture acceleration.

10 Gbit Hardware Packet Filtering using commodity network adapters

User-space DNA (Direct NIC Access) drivers for extreme packet capture/transmission speed, as the NIC NPU (Network Process Unit) is pushing/getting packets to/from userland without any kernel intervention. Using the 10Gbit DNA driver you can send/receive at wire-speed at any packet size.

Libzero for DNA for distributing packets in zero-copy across threads and applications.

Device driver independent.

Kernel-based packet capture and sampling.

Libpcap support (see below) for seamless integration with existing pcap-based applications.

Ability to specify hundreds of header filters in addition to BPF.

Content inspection, so that only packets matching the payload filter are passed.

PF_RING™ plugins for advanced packet parsing and content filtering.

Ability to work in transparent mode (i.e. the packets are also forwarded to upperlinks so existing applications will work as usual).

ntopng

ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to run on virtually every Unix platform, MacOSX and on Windows as well.

ntopng users can use a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface.

The Community edition is the standard ntopng that you can use free of charge and that implements a robust and easy-to-use web-based traffic monitoring application. The Professional edition is an enhanced version of ntopng that includes modern reports and many new features listed below in this article. This edition is available at a small cost to better serve the ntop community.

Community Edition

Moved the code to GitHub for easier collaboration

Added ability to aggregate traffic from various network interfaces on the same interface view while keeping interface traffic split. Example: ntopng -i eth1 -i eth2 -i view:eth1,eth2

Added support for the latest nDPI that includes support for various new protocols (e.g. QUIC) and new versions of existing ones (e.g. Skype). nDPI is also used to drop application traffic in the professional edition

Hardened the code to support mid/large organisations and high traffic volumes, as well as for operating on hosts with little memory

Added network latency in flows (server vs client network latency)

Added flow TCP traffic statistics (packets retransmitted, lost, and out of order)

Enhanced host alerts (including traffic quotas) and added interface alerts. You can now for instance generate traffic alerts when an interface has too much traffic or if a host has passed its daily traffic quota

Ability to sniff from netfilter interface

Alerts are now generated when ntopng detects a flooder or a network scanner (as well as when accessing malware sites [-c plugin])

Integration of ntopng with nagios: you can now create nagios plugins to query ntopng and thus emit alerts based on traffic conditions

Ability to categorise malware (-c option) using the Google Safe Browsing API that replaces the block.si service present in ntopng 1.x

Added ability to fine-tune RRD configurations

Added ability to generate a traffic report for all hosted HTTP servers (on local networks): ISPs can now create an hourly report of all the thousands of servers they are hosting

Ability to work behind an HTTP reverse proxy

Enhanced the ElasticSearch export facility to cope with latest additions such as host geolocation

Enhanced host GeoIP location

Added reports per AS, geo-location, network, HTTP servers

Added per-network RRDs

ntopng can now be queried via HTTP tools such as curl or wget with authentication enabled

Added ability to dump specific traffic (e.g. of a selected host) or when specific traffic conditions arise (e.g. too much traffic) on a tap interface and attach applications such as Wireshark/tcpdump to it. Similarly added ability to dump traffic to disk in pcap format

Added HTTP virtual hosts support in HTML reports

Added ability to send data in Lua using UDP (for instance you can use it for exporting metrics to Graphite)

Professional Edition

Dynamic dashboard that includes a realtime view of traffic

PDF-printable reports including top hosts/activities/protocols

Ability to operate in inline mode and thus implement a layer-7 firewall (even on low-end embedded boxes) and traffic shaper (drop traffic that matches certain protocols)

Graphs now rendered in a pretty way with zoomable (in and out) drill-down facility

Per-minute accurate reports (in JSON format) of top X activities so that users can use them to generate further traffic reports in addition to all those included in the pro version

Added SNMP support for visualising MIB-II host information through the ntopng web interface

ntop integrates with CloudShark

ntop is a diverse company with solutions for network monitoring, VPN, as well as packet-to-disk and wire-speed packet capture and transmission. These solutions, including n2disk, allow you to capture at multi-Gigabit rates on a live network interface without packet loss. With n2disk’s CloudShark integration, you can view those captures immediately, right in your browser.