ntopng ignoring "Additional configuration for ntopng.conf"
-
Hi,
I am just trying ntopng and have found I need to ignore certain IP addresses (e.g. cameras very quickly fill up the top-talkers list as they are constantly streaming video, so I need to just exclude those IPs). In the pfSense settings page for ntopng there is an "Additional configuration for ntopng.conf" section that I have added the following to:
--packet-filter="not host 192.168.10.4"
--packet-filter="not host 192.168.10.5"
--packet-filter="not host 192.168.10.6"
As I believe, from the ntopng docs, that will do what I need. However, ntopng seems to be ignoring this, so the IPs are not being ignored.
Firstly, has anyone had this working?
Secondly, is there a better way to ignore these IPs (or traffic types?) maybe?
Thirdly, ntopng seems very slick, but it might be an overkill, as all I want is to have an idea of which machines on my network are talking to what services on the web; is there a simpler option?
Thanks.
-
@HeMan321 said in ntopng ignoring "Additional configuration for ntopng.conf":
In the pfSense settings page for ntopng there is an "Additional configuration for ntopng.conf" section that I have added the following to:
--packet-filter="not host 192.168.10.4"
--packet-filter="not host 192.168.10.5"
--packet-filter="not host 192.168.10.6"
As I believe, from the ntopng docs, that will do what I need. However, ntopng seems to be ignoring this, so the IPs are not being ignored.
You may only have one BPF filter, and attempting to add additional filters just overrides the prior filter. In other words, you are only ignoring 192.168.10.6.
Try
--packet-filter="not host 192.168.10.4 && not host 192.168.10.5 && not host 192.168.10.6"
You can put almost any type of filter you can dream up in there. See the pcap-filter man page for further information.
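Added example, not part of the original thread or of ntopng/pfSense: a small check for the "Additional configuration" text that finds repeated `--packet-filter=` lines and merges them into one BPF expression, since per the reply above only one filter is honoured. The function name is hypothetical, and it assumes the intent of several lines is that all of them must hold (joined with `and`).

```python
import re

# Matches a line of the form shown in the thread: --packet-filter="expr"
# (quotes optional). Only this long form is handled.
_FILTER_RE = re.compile(r'^\s*--packet-filter=(?:"([^"]*)"|(.*?))\s*$')

# Sample input: the three lines from the original post.
SAMPLE = "\n".join([
    '--packet-filter="not host 192.168.10.4"',
    '--packet-filter="not host 192.168.10.5"',
    '--packet-filter="not host 192.168.10.6"',
])


def merge_packet_filters(conf_text):
    """Return (new_conf_text, filters_found).

    All --packet-filter lines are replaced by one line, placed where the
    first one was, whose expression is the conjunction of the originals.
    Other lines are kept in order and untouched.
    """
    kept, filters, first_pos = [], [], None
    for line in conf_text.splitlines():
        m = _FILTER_RE.match(line)
        if not m:
            kept.append(line)
            continue
        expr = (m.group(1) if m.group(1) is not None else m.group(2)).strip()
        if expr:
            filters.append(expr)
        if first_pos is None:
            first_pos = len(kept)
    if not filters:
        return conf_text, []
    unique = list(dict.fromkeys(filters))  # drop duplicates, keep order
    if len(unique) == 1:
        combined = unique[0]
    else:
        # Parenthesise each part so an "or" inside one filter cannot
        # change the meaning of the others.
        combined = " and ".join(f"({f})" for f in unique)
    kept.insert(first_pos, f'--packet-filter="{combined}"')
    return "\n".join(kept), filters


if __name__ == "__main__":
    merged, found = merge_packet_filters(SAMPLE)
    if len(found) > 1:
        print(f"{len(found)} --packet-filter lines found; use this one instead:")
    print(merged)
```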
-
@dennypage hey Denny.
What other optional conf can I use in ntop? I never explored this so curious what else I can do or help visualize.
Maybe it’s a more powerful plugin than I realize?
-
@michmoor ntopng is a very big and powerful package indeed. I only run it when I am trying to track a specific issue. IMHO, it's way too much to run continually. YMMV
-
@dennypage and the only roadblock I’ve hit is bandwidth tracking per IP. I thought using a backend TSDB like Influx could get me that but it seems the database option only exists to store local data somewhere else and not offer deeper analysis.
I’m going to explore more of the custom options that seems exciting
-
@dennypage That is brilliant, thanks. Oddly, it only filtered on one interface though, I could still see the IPs on the other interface...
But, to be honest, I am starting to realize that ntopng is probably somewhat too complex for my needs anyway. It is very slick and powerful, but I just wanted to keep an eye on outbound connections and so probably don't need to burden my Netgate box with everything else that ntopng does.
Thanks for your help though.
-
@HeMan321 said in ntopng ignoring "Additional configuration for ntopng.conf":
But, to be honest, I am starting to realize that ntopng is probably somewhat too complex for my needs anyway. It is very slick and powerful, but I just wanted to keep an eye on outbound connections and so probably don't need to burden my Netgate box with everything else that ntopng does.
Smart choice.