pfSense – ntopng: Detecting the protocols in use on your network with ndpiReader via shell
-
Hi
pfSense – ntopng: Detecting the protocols in use on your network with ndpiReader via shell
Reference: http://www.ntop.org/wp-content/uploads/2013/12/nDPI_QuickStartGuide.pdf
If you have the ntopng package installed on pfSense, you will already know that it is a network monitoring tool.
_ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics._
It ships an executable, /usr/local/bin/ndpiReader, that detects application-layer (layer-7) protocols.
Its usage from the shell:
/usr/local/bin/ndpiReader
Welcome to nDPI 1.8.0
ndpiReader -i <file|device> [-f <filter>][-s <duration>] [-p <protos>][-l <loops> [-q][-d][-h][-t][-v <level>] [-n <threads>] [-w <file>] [-j <file>]
Usage:
-i <file.pcap|device> | Specify a pcap file/playlist to read packets from or a device for live capture (comma-separated list)
-f <BPF filter> | Specify a BPF filter for filtering selected traffic
-s <duration> | Maximum capture duration in seconds (live traffic capture only)
-p <file>.protos | Specify a protocol file (eg. protos.txt)
-l <num loops> | Number of detection loops (test only)
-n <num threads> | Number of threads. Default: number of interfaces in -i. Ignored with pcap files.
-j <file.json> | Specify a file to write the content of packets in .json format
-d | Disable protocol guess and use only DPI
-q | Quiet mode
-t | Dissect GTP/TZSP tunnels
-r | Print nDPI version and git revision
-w <path> | Write test output on the specified file. This is useful for
| testing purposes in order to compare results across runs
-h | This help
-v <1|2> | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose
For example: a 5-second traffic capture on interface em1
/usr/local/bin/ndpiReader -i em1 -s 5
With this output:
------------------------------------------------------------
* NOTE: This is demo app to show some nDPI features.
* In this demo we have implemented only some basic features
* just to show you what you can do with the library. Feel
* free to extend it and send us the patches for inclusion
------------------------------------------------------------
Using nDPI (1.8.0) [1 thread(s)]
Capturing live traffic from device em1...
Capturing traffic up to 5 seconds
Running thread 0...

nDPI Memory statistics:
nDPI Memory (once): 107.66 KB
Flow Memory (per flow): 1.88 KB
Actual Memory: 2.01 MB
Peak Memory: 2.01 MB

Traffic statistics:
Ethernet bytes: 5752 (includes ethernet CRC/IFC/trailer)
Discarded bytes: 0
IP packets: 17 of 17 packets total
IP bytes: 5344 (avg pkt size 314 bytes)
Unique flows: 5
TCP Packets: 16
UDP Packets: 1
VLAN Packets: 0
MPLS Packets: 0
PPPoE Packets: 0
Fragmented Packets: 0
Max Packet size: 1082
Packet Len < 64: 8
Packet Len 64-128: 2
Packet Len 128-256: 1
Packet Len 256-1024: 5
Packet Len 1024-1500: 1
Packet Len > 1500: 0
nDPI throughput: 3.09 pps / 8.18 Kb/sec
Traffic throughput: 3.09 pps / 8.18 Kb/sec
Traffic duration: 5.495 sec
Guessed flow protos: 4

Detected protocols:
SSL packets: 12 bytes: 4785 flows: 3
SSH packets: 4 bytes: 448 flows: 1
OpenVPN packets: 1 bytes: 111 flows: 1

Protocol statistics:
Safe 4896 bytes
Acceptable 448 bytes

From this we learn that, during that period on interface em1, the protocols in use are:
* SSL
* SSH
* OpenVPN
Obviously, through the GUI of the ntopng package on pfSense the information about what is going on in your network is infinitely more detailed and varied.
Regards
-
Hi
I forgot to mention: with the -v 2 option (maximum verbosity) you can see the sockets (source ip:port <-> destination ip:port) of the detected protocols:
1 TCP 192.168.0.12:58976 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/588 bytes]
2 TCP 192.168.0.12:58971 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/534 bytes]
3 TCP 192.168.0.12:58963 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/607 bytes]
4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
5 TCP 192.168.0.12:46725 <-> 192.168.0.254:22 [proto: 92/SSH][6 pkts/712 bytes]
6 UDP 10.168.0.13:1194 <-> 10..55.55.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]
Regards
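As an added example (not part of the original post, nor code from ntop/ndpiReader), the following Python script parses flow lines in the `-v 2` format shown above, rebuilds the per-protocol totals that the "Detected protocols" block reports, and flags flows whose DPI-detected protocol is either not on an allow-list or is not running on its usual port, which is exactly what a port-based firewall rule cannot see. The `EXPECTED_PORT` table and the sample lines are assumptions of the example (flow 7 is invented to show a protocol/port mismatch).

```python
import re
from collections import defaultdict

# Constructed sample modelled on the post's "-v 2" flow lines (addresses are
# the post's own; flow 7 is made up to show a protocol/port mismatch).
SAMPLE_FLOWS = """\
1 TCP 192.168.0.12:58976 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/588 bytes]
2 TCP 192.168.0.12:58971 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/534 bytes]
4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
6 UDP 10.168.0.13:1194 <-> 10.55.55.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]
7 TCP 192.168.0.12:50001 <-> 192.168.0.254:443 [proto: 92/SSH][5 pkts/640 bytes]
"""

FLOW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<l4>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+<->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\[proto:\s*(?P<pid>\d+)/(?P<proto>[^\]]+)\]"
    r"\[(?P<pkts>\d+) pkts/(?P<bytes>\d+) bytes\]")

# Port each protocol is normally expected on (an assumption made for this example).
EXPECTED_PORT = {"SSL": 443, "SSH": 22, "OpenVPN": 1194}

def parse_flows(text):
    """One dict per line matching the -v 2 flow format; other lines are skipped."""
    flows = []
    for m in (FLOW_RE.match(line) for line in text.splitlines()):
        if m:
            d = m.groupdict()
            for k in ("idx", "sport", "dport", "pid", "pkts", "bytes"):
                d[k] = int(d[k])
            flows.append(d)
    return flows

def summarize(flows):
    """Per-protocol (packets, bytes, flows), like the 'Detected protocols' block."""
    totals = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        t = totals[f["proto"]]
        t[0] += f["pkts"]; t[1] += f["bytes"]; t[2] += 1
    return {p: tuple(v) for p, v in totals.items()}

def review(flows, allowed):
    """Flag flows not on the allow-list, and flows off their usual port (what DPI adds over port rules)."""
    findings = []
    for f in flows:
        if f["proto"] not in allowed:
            findings.append((f["idx"], f["proto"], "not in allow-list"))
        exp = EXPECTED_PORT.get(f["proto"])
        if exp is not None and exp not in (f["sport"], f["dport"]):
            findings.append((f["idx"], f["proto"], "unusual port"))
    return findings
```

To use it on a live box, pipe the output of `ndpiReader -i em1 -s 5 -v 2` into `parse_flows` and pass the protocols you expect on that segment to `review`.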