There are many solutions for capturing and analysing NetFlow traffic, but few that capture as many types of traffic – nor with as much detail – as nProbe. ntop – the company behind nProbe – provides a suite of leading web traffic analysis products. In combination, these offer some of the most effective ways to capture packets, record traffic, and monitor and analyse flows.
nProbe, like other ntop applications, is based on the concept of flow processing. As the name implies, this refers to keeping track of connections from across the entire network. The analysis of NetFlow traffic is critical to optimising the security and performance of global networks, in which even the smallest details are valuable to network managers. NetFlow provides rich context to the network topology: it accurately captures, in metadata derived from packets, the traffic passing from and within each network connection. For more information on what’s contained within NetFlow traffic, see our blog piece.
nProbe includes not only a NetFlow v5/v9/IPFIX probe, but also a collector, which can be used to interact with and modify NetFlow flows. It can be used to:
- Collect and export NetFlow flows generated by border gateways, switches, routers and any other device that can export in v5/v9;
- Replace existing embedded, low-speed NetFlow probes;
- Analyse multi-Gbit networks at full efficiency with no – or, at most, very moderate – packet loss; and
- Send monitored flows towards a collector.
All NetFlow probes are scalable. nProbe specifically has been designed to match multi-Gbit speeds on commodity hardware. It also features a collector mode: nProbe will collect flows in NetFlow v5/v9/IPFIX format, and deliver them to ntopng. The bandwidth required for exporting flow information over ZMQ is <30 Mbit/sec for 10,000 flows a second, and this can be scaled based on the number of flows within the network.
Ease-of-deployment and usage
nProbe traffic information is delivered in binary format. Once installed, it’s ready to use: nProbe requires no additional configuration. While any standard NetFlow collector can be used to analyse the flows generated by nProbe, when nProbe is used in conjunction with ntopng an optimised, optionally compressed and encrypted format is used for data exchange. This leads to a lightweight monitoring architecture, in which monitoring is decoupled from visualisation and analysis.
Below, we’ve included a comprehensive list of nProbe features. This list can also be found on the nProbe product page.
- Available for Linux, Windows, and embedded environments ARM and MIPS/MIPSEL.
- Layer-7 application visibility (250+ applications including Skype, BitTorrent and Citrix).
- Layer-7 application propagation in exported flows to enable accurate accounting.
- NetFlow v5/v9/IPFIX support for efficient flow handling.
- Cisco NetFlow-Lite support.
- Full IPFIX support: PEN (Private Enterprise Numbers) and variable-length encoding.
- Complete support for IPv4 and IPv6.
- Limited memory footprint (less than 2 MB of memory regardless of the network size) and light on CPU.
- Ability to natively export flows to Apache™, Syslog, MySQL/MariaDB, Splunk (via TCP streaming).
- Ability to natively export flows to Kafka and ElasticSearch (using the Export Plugin).
- Ability to dump flows in a format ready for import in columnar databases.
- Native support for PF_RING and the newer kernel-bypass PF_RING Zero Copy (ZC) for ultra-high-speed packet capture.
- Ability to act as a flow collector and proxy. All combinations are supported.
- Ability to collect sFlow flows and transparently translate them into NetFlow v5/v9/IPFIX.
- Ability to forge NetFlow interface identifiers based on MAC/IP addresses.
- Collection of Cisco ASA flows and conversion into NetFlow v5/v9/IPFIX.
- Multi-threaded architecture that exploits multi-processor, multi-core systems.
- Support of tunnelled (including GRE, PPP, VXLAN, and GTP) traffic and ability to export inner/outer envelope/packet information.
- Support for both flow and packet sampling.
- Support of Flexible NetFlow for the creation of custom NetFlow templates, with optional PEN support.
- VoIP (SIP and RTP) traffic analysis including voice quality and (pseudo-)MOS.
- HTTP, MySQL/Oracle, DNS protocol analysis: the ability to generate logs of web, MySQL/Oracle and DNS activities in addition to flow export.
- BGP Plugin for establishing a BGP session with a router and generating flows with AS and AS path information.
- Plugin architecture for easy extensibility via custom V9/IPFIX tags.
- Fully interoperable with commercial collectors.
- Designed for running in environments with limited resources (the nProbe binary is under 100 KB) and on embedded systems (e.g. ARM- and MIPSEL-based appliances).
- It can be used to build cheap NetFlow probes using commodity hardware.
- Ability to save flows on disk for later analysis or integration into an existing monitoring application.
- Fully user-configurable.
- High-performance probe: commercial probes, including those embedded in routers and switches, are often not able to keep up with high speeds.
- Can be used with ntopng to visualize, collect, and analyze monitored traffic.
For more information on nProbe and capturing and analysing NetFlow traffic – and taking network performance and security optimisation to the next level – contact us today.