You won't get ANY https traffic in transparent mode unless you install a trusted cert on every single last client that will use your proxy.

This topic is quite old but. Me too. Im new on ntopng how can I save data on my drive ? I want to check usage data mouth by mouth.

@mgittelman said in Ntop time series graph in bytes now:

Looks like this issue: https://github.com/ntop/ntopng/issues/1960

You seem to be right. I see the same here. I thought it must have been some glitch but MBits vs Mbytes makes more sense.

I realize this is an old post. I thought I would respond so others will find a solution.

The issue is usually two fold.

New browser versions do not like mismatched certificates and your firewall software may also be blocking the SSL certificate.

First here is a link to some general information on deactivating SSL scanning on some firewall softwares. (scroll down to the middle bottom of this page for that section) https://ugetfix.com/ask/how-to-fix-err_ssl_version_or_cipher_mismatch-error/

Second and a more permanent fix is to create a new CA and Certificate then adding the CA to windows or the browser. Doing this will allow you to keep your firewall SSL scanning active and still allow you access to pfsense. Just be certain to follow the instructions precisely. https://www.ceos3c.com/pfsense/pfsense-generate-ssl-certificate-https-pfsense/

NOTE: You may find that you need to flush your DNS cache on Chrome afterwards to get things going again. Also possibly a browser reset. I also found some Chrome extensions do not play well with certain sites. So also try Incognito Mode (which disables extensions for that session) to see if an extension might be causing trouble.

EDIT NOTE: Also if you happen to have the latest version of Bitdefender they changed the name of Scan SSL. I'm attaching screenshots of that setting. It is the same setting.

0_1543333617481_BitdefenderScanSSLissue01.PNG

Hope this helps.

I have not seen that happen here but are you sure it passed on your credentials? IIRC the ntopng process will try to fetch some external resources and it's entirely possible they have those password protected using some other stored credentials.

You might install it again and capture outbound traffic going to that server, then load it up in wireshark and see what it's doing.

It probably is not doing anything nefarious, but a packet capture would tell you that definitively.

It's entirely possible but I've never had any issue with it before and using the same browser. It's possible it's local but as it's working right now I'm unsure what to do to make it fail.

Only thing I have extended to Chrome is uBlock Origin, then again I haven't cleared cookies/cache in a very long time.

If I have it again I will try to use IE or Edge to disprove extensions/cache.

I appreciate the help so far if you need any logs/etc to help figure out what it may have been let me know and I can provide them.

Same here with pfsense 2.4.4-RELEASE (amd64)
kompiliert am: Thu Sep 20 09:03:12 EDT 2018
FreeBSD 11.2-RELEASE-p3

pid 81079 (ntopng), uid 0: exited on signal 11 (core dumped)

:(

uninstalled with deleting settings, reinstalled, no change.
I'm using squid and squidguard, snort and lightsquid...

@johnpoz Hi John first congrats with the Moderator status 👍

@johnpoz said in More control on egress:

Just curious with so many different nodes - do you have these devices broken out into different vlans... For example you mention iot - do you have that isolated and locked down in any way?

Yes, these nodes are across 10 VLAN's (to name but a few IoT, Printers, Guests etc.). The reason is just as you mentioned, IoT's are locked down. Printers for instance are accessible from LAN, WLAN and Guest and to let them be accessible for IOS I have Avahi Enabled (Bonjour/Zeroconf proxy).

@johnpoz said in More control on egress:

What your going to find is pretty much all traffic going to be http/https.. Unless you have a lot of console game play or something? Are you actually using pop/smtp? You use fat clients for emails? Ie like outlook or thunderbird or something?

Yes, pop/smtp is used, maybe soon IMAP .

@johnpoz said in More control on egress:

Most of the traffic is prob going to be https traffic - so unless you plan on doing mitm on your own devices.. Other than say seeing that iot device phoned home via https to some amazon IP your not going to get much info, etc.

You are right https will not be readable and MiTM (man-in-the-middle) is not what I am planning on my own devices ;)

I was having an issue with Lets Encrypt certs as well. They worked fine for PFSense GUI, they just were not working for ntopng. As other's have indicated, when using the LE certs, the browser was giving a "ERR_SSL_VERSION_OR_CIPHER_MISMATCH" and the process core dumps when restarting. When using other SSL/TLS testing tools (like testssl.sh), the port was open by no TLS handshake was happening, no cipher was being offered.

Originally I was using a 384bit ECDSA LE certificate.

What seems to have allowed me to work around the issue was switching to a 2048 bit RSA certificate. Earlier in the thread @spambait mentioned that didn't help him, so not sure why it's working for me. I did manually cat the key and fullchain into the ntopng/httpdocs/ssl/ntopng-cert.pem file.

Switching certificate types in the existing certificate did not seem to actually change the type of certificate being generated. I had to create an entirely new certificate (Services -> Acme Certificates -> Certificates -> + Add).

@highc said in Report of network traffic by email:

You can do this with vnstat (the Status_Traffic_Totals package) and the mailreport package.

Install both, get vnstat going, and then under Status -> Email reports add a line that will mail you regularly (e.g., daily at midnight) the output of the commands

/usr/local/bin/vnstat -i pppoe0; /usr/local/bin/vnstat -i pppoe0 -h

which in this case would be the statistics for the pppoe0 interface.

For mailreport to work, you need to have setup System -> Advanced -> Notifications (the SMTP part there).

Better still create a shell script and run it with what ever options you want:-

[2.4.4-RELEASE][admin@pfsense] /root/scripts: more vnstat-daily
#!/bin/csh
foreach int ( igb0.2 igb0.3 igb0.4 igb0.5 igb0.6 igb0.7 enc0 pppoe0 )
echo
/usr/local/bin/vnstat -i $int -h
echo
end

Then don't do MitM. Use squid explicitly in conjunction with WPAD.

go to ntopsetting> uncheck your interface and save
then

check your pppoe interface and save you can get again all traffic info.

Hello,

I'm trying to configure Netflow on my Graylog too.
I saw in your graph settings you set up to "total" but you should setting up to "SUM" or "MEAN".
Could you give a feedback if this setting solved your issue ?

Many thanks

Who are these clients.. Why would they want to use 1/50 of lets call it 70mbps?? Why would they not just use their own LTE connection..

For that matter would wold even want to use 1/20 of 20mbps..

Your not going to find a way to divide up something that changes on the fly. Are you running into problems with people using up the whole pipe with p2p or something. Block p2p - or limit it to couple k...

@doktornotor thanks for providing the link anyway. seen you are banned. bad luck.