ntopng is a network probe that shows network usage in a way similar to
what top does for processes. It acts as a Web
server, creating an HTML dump of the network status.
It is a successor to ntop, which is discontinued. Main differences seem
to be:
a. No terminal interface present. Only web.
b. No built-in flow collector, at least not for NetFlow or sFlow.
When installing ntopng, pay attention to the following:
1. UID/GID
ntopng needs to run under its own user/group. This has been assigned to
the following by SlackBuilds.org, but feel free to change it on your
system for consistency with local assignments.
User: ntopng UID: 212 GID: 212
group: ntopng GID: 212
You can change pass alternate values for the user and group using
NTOPUSER and NTOPGROUP variables when running the build script.
The build script will suggest creating these groups if they are not
present.
2. Log rotation.
Logs are placed in /var/log/ntopng/ and will be rotated every week. The
log rotation will restart the ntopng server which will reset the ntopng
statistics. If you want to keep the statistics you have to edit or
delete the /etc/logrotate.d/ntopng file.
3. Flow collection
ntopng now uses a custom flow collection format, based on zeromq. To
convert a standard NetFlow or sFlow into this format, the developer
suggess bying their commercial tool called nProbe.
However, there exists a free software flow collection (supporting only)
NetFlowV9, called netflow2ng. It is not available on SBo, but there is
an unfinished SlackBuild for it, which can be found on
https://gitlab.com/Lockywolf/lwfslackbuilds/-/raw/master/\
10_unfit-for-sbo-require-network/netflow2ng/\
netflow2ng.SlackBuild?ref_type=heads
4. Geoidentification and dynamic data
ntopng depends on some dynamic data in order to display relevant
information about the flows.
a. Geographical distribution of IP addresses. ntopng can use both
maxmind, and db-ip information, both free-low-quality, and
paid-high-quality. Maxmind data can be updated by running
geoipupdate from cron on a weekly basis. These data are usually
installed globally, into /var/lib/GeoIP/. For more information,
consult doc/README.geolocation.md, and keep in mind that ntopng-data
does not exist on Slackware, but geoipupdate does.
b. Various lists:
'Abuse.ch URLhaus' [https://urlhaus.abuse.ch/downloads/hostfile/]
'Emerging Threats' [https://rules.emergingthreats.net/fwrules/\
emerging-Block-IPs.txt]
'NoCoin Filter List' [https://raw.githubusercontent.com/hoshsadiq/\
adblock-nocoin-list/master/hosts.txt]
'SSLBL Botnet C2 IP Blacklist' [https://sslbl.abuse.ch/blacklist/\
sslipblacklist.txt]
'Stratosphere Lab' [https://mcfp.felk.cvut.cz/publicDatasets/\
CTU-AIPP-BlackList/Todays-Blacklists/\
AIP_historical_blacklist_prioritized_by_newest_attackers.csv]
'ThreatFox' [https://threatfox.abuse.ch/downloads/hostfile/]
'dshield 7 days' [https://raw.githubusercontent.com/firehol/\
blocklist-ipsets/master/dshield_7d.netset]
Those lists are updated automatically by ntopng, periodically.
There is a configuration option to disable these updates.
5. nDPI
ntopng depends on nDPI, a Deep Packet Inspection library. SBo has a
SlackBuild for nDPI, however, in recent versions ntopng prefers to use
its own version of nDPI, linked-in statically. If you find that the
built-in version deviates in features from the standalone one, you are
welcome to report this.
6. redis
ntopng requires redis. The version on SBo is enough, but it needs to
be running before ntopng can be started.
7. ntopng crashes when started as a daemon. I am not sure why. The
initscript at the moment just starts it in the background and disowns.
ntopng also does not terminate on sigterm normally, hence the rc script
kill-9's it. If you have better ideas, submit a patch to the slackbuild.
Due to all this stupidities, rc.ntopng is a .new script, so it will not
be overwritten on upgrade. We really need a better version.
8. ntopng goes insane when it sees "virtual ethernets" that are usually
created to communicate between network namespaces. Do not be surprised
if weird effect appear, and possibly remove those virtual ethernets
from the listening list.