Netgate Discussion Forum

    pfSense – ntopng: Detecting the protocols used on your network with ndpiReader via shell

      javcasta

      Hi

      pfSense – ntopng: Detecting the protocols used on your network with ndpiReader via shell

      Reference: http://www.ntop.org/wp-content/uploads/2013/12/nDPI_QuickStartGuide.pdf

      If you have the ntopng package installed on pfSense, you will already know that it is a network monitoring tool.

      _ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics._

      It comes with an executable, /usr/local/bin/ndpiReader, that performs application-layer (layer-7) protocol detection.

      Its usage via shell:

          /usr/local/bin/ndpiReader
          Welcome to nDPI 1.8.0

          ndpiReader -i <file|device> [-f <filter>][-s <duration>]
          [-p <protos>][-l <loops> [-q][-d][-h][-t][-v <level>]
          [-n <threads>] [-w <file>] [-j <file>]

          Usage:
          -i <file.pcap|device>     | Specify a pcap file/playlist to read packets from or a device for live capture (comma-separated list)
          -f <bpf filter>           | Specify a BPF filter for filtering selected traffic
          -s <duration>             | Maximum capture duration in seconds (live traffic capture only)
          -p <file>.protos          | Specify a protocol file (eg. protos.txt)
          -l <num loops>            | Number of detection loops (test only)
          -n <num threads>          | Number of threads. Default: number of interfaces in -i. Ignored with pcap files.
          -j <file.json>            | Specify a file to write the content of packets in .json format
          -d                        | Disable protocol guess and use only DPI
          -q                        | Quiet mode
          -t                        | Dissect GTP/TZSP tunnels
          -r                        | Print nDPI version and git revision
          -w <path>                 | Write test output on the specified file. This is useful for
                                    | testing purposes in order to compare results across runs
          -h                        | This help
          -v <1|2>                  | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose
      

      For example, a 5-second traffic capture on interface em1:

          /usr/local/bin/ndpiReader -i em1 -s 5
      
      

      With the output:

      ———————————————————–
          * NOTE: This is demo app to show some nDPI features.
          * In this demo we have implemented only some basic features
          * just to show you what you can do with the library. Feel
          * free to extend it and send us the patches for inclusion
          ————————————————————

      Using nDPI (1.8.0) [1 thread(s)]
          Capturing live traffic from device em1…
          Capturing traffic up to 5 seconds
          Running thread 0…

      nDPI Memory statistics:
          nDPI Memory (once):      107.66 KB
          Flow Memory (per flow):  1.88 KB
          Actual Memory:          2.01 MB
          Peak Memory:            2.01 MB

      Traffic statistics:
          Ethernet bytes:        5752          (includes ethernet CRC/IFC/trailer)
          Discarded bytes:      0
          IP packets:            17            of 17 packets total
          IP bytes:              5344          (avg pkt size 314 bytes)
          Unique flows:          5
          TCP Packets:          16
          UDP Packets:          1
          VLAN Packets:          0
          MPLS Packets:          0
          PPPoE Packets:        0
          Fragmented Packets:    0
          Max Packet size:      1082
          Packet Len < 64:      8
          Packet Len 64-128:    2
          Packet Len 128-256:    1
          Packet Len 256-1024:  5
          Packet Len 1024-1500:  1
          Packet Len > 1500:    0
          nDPI throughput:      3.09 pps / 8.18 Kb/sec
          Traffic throughput:    3.09 pps / 8.18 Kb/sec
          Traffic duration:      5.495 sec
          Guessed flow protos:  4

      Detected protocols:
          SSL                  packets: 12            bytes: 4785          flows: 3
          SSH                  packets: 4            bytes: 448          flows: 1
          OpenVPN              packets: 1            bytes: 111          flows: 1

      Protocol statistics:
          Safe                          4896 bytes
          Acceptable                    448 bytes

      From which we get that, during that period, the protocols in use on interface em1 are:

      *  SSL
      *  SSH
      *  OpenVPN

      Obviously, via the GUI of the ntopng package in pfSense, the information about what is going on in your network is infinitely more detailed and varied.

      Regards

      Javier Castañón
      Communications, support and systems technician.

      My website: https://javcasta.com/

      Scripting/pfSense support: https://javcasta.com/soporte/

        javcasta

        Hi

        I forgot: with the -v 2 option (maximum verbosity) you can see the sockets (source ip:port <-> destination ip:port) of the detected protocols:

        1 TCP 192.168.0.12:58976 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/588 bytes]
        2 TCP 192.168.0.12:58971 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/534 bytes]
        3 TCP 192.168.0.12:58963 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/607 bytes]
        4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
        5 TCP 192.168.0.12:46725 <-> 192.168.0.254:22 [proto: 92/SSH][6 pkts/712 bytes]
        6 UDP 10.168.0.13:1194 <-> 10..55.55.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]

        Regards

        Javier Castañón
        Communications, support and systems technician.

        My website: https://javcasta.com/

        Scripting/pfSense support: https://javcasta.com/soporte/
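The two posts above show the two views ndpiReader gives you: the per-protocol "Detected protocols" table from the first post, and the per-flow socket lines from `-v 2` in the second. The following is an added example, not part of either post and not code from the ntop project: a small Python parser for the `-v 2` flow lines that rebuilds the per-protocol summary from them and lists the flows whose protocol is not on an allow-list for that network segment, which is the useful monitoring step on a pfSense box (a protocol that should not be on the management VLAN, or an "Unknown" flow the DPI could not classify). It assumes the line layout shown in the second post (nDPI 1.8.0); other nDPI versions may print extra fields. The sample output is constructed with documentation addresses, the allow-list is hypothetical, and `capture()` only wraps the exact command from the first post plus `-v 2`.

```python
import re
import subprocess
from collections import defaultdict

# One flow line as printed by "ndpiReader -v 2" in the format shown in the post above
# (nDPI 1.8.0). Assumption: other versions may add fields and need a wider pattern.
FLOW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<l4>TCP|UDP)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+<->\s+(?P<dst>\S+):(?P<dport>\d+)\s+"
    r"\[proto:\s*(?P<pid>\d+)/(?P<proto>[^\]]+)\]"
    r"\[(?P<pkts>\d+)\s+pkts/(?P<bytes>\d+)\s+bytes\]"
)

# Constructed sample output (not a real capture), using documentation addresses.
# The banner line is included to show that non-flow lines are skipped.
SAMPLE_OUTPUT = """\
Using nDPI (1.8.0) [1 thread(s)]
1 TCP 192.0.2.12:58976 <-> 192.0.2.254:443 [proto: 91/SSL][2 pkts/588 bytes]
2 TCP 192.0.2.12:58971 <-> 192.0.2.254:443 [proto: 91/SSL][2 pkts/534 bytes]
3 TCP 192.0.2.12:43309 <-> 192.0.2.254:22 [proto: 92/SSH][3 pkts/302 bytes]
4 UDP 10.0.0.13:1194 <-> 198.51.100.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]
5 UDP 192.0.2.12:51234 <-> 192.0.2.254:53 [proto: 5/DNS][2 pkts/180 bytes]
6 TCP 192.0.2.12:40001 <-> 198.51.100.9:8080 [proto: 0/Unknown][4 pkts/310 bytes]
"""


def parse_flow_line(line):
    """Return a dict for one flow line, or None if the line is not a flow line."""
    m = FLOW_RE.match(line)
    if not m:
        return None
    flow = m.groupdict()
    for key in ("idx", "sport", "dport", "pid", "pkts", "bytes"):
        flow[key] = int(flow[key])
    return flow


def parse_flows(text):
    """Keep only the flow lines of a full ndpiReader run (banner and statistics are skipped)."""
    flows = []
    for line in text.splitlines():
        flow = parse_flow_line(line)
        if flow:
            flows.append(flow)
    return flows


def summarize(flows):
    """Rebuild the 'Detected protocols' table: per protocol, number of flows, packets and bytes."""
    summary = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for flow in flows:
        entry = summary[flow["proto"]]
        entry["flows"] += 1
        entry["packets"] += flow["pkts"]
        entry["bytes"] += flow["bytes"]
    return dict(summary)


def unexpected_flows(flows, allowed):
    """Flows whose detected protocol is not in the allow-list for this segment.
    Protocol id 0 ('Unknown') is always reported: DPI could not classify it."""
    return [f for f in flows if f["proto"] not in allowed or f["pid"] == 0]


def capture(interface, seconds, binary="/usr/local/bin/ndpiReader"):
    """Run the live capture from the post (-i em1 -s 5) with -v 2 added, and parse it.
    Needs root and the pfSense ntopng package; the binary path is the one from the post."""
    result = subprocess.run(
        [binary, "-i", interface, "-s", str(seconds), "-v", "2"],
        capture_output=True, text=True, check=True,
    )
    return parse_flows(result.stdout)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_OUTPUT)
    for proto, entry in sorted(summarize(flows).items()):
        print(f"{proto:<10} flows: {entry['flows']:<3} packets: {entry['packets']:<4} bytes: {entry['bytes']}")
    # Hypothetical allow-list for a segment where only TLS, SSH and OpenVPN are expected.
    for f in unexpected_flows(flows, allowed={"SSL", "SSH", "OpenVPN"}):
        print(f"REVIEW: flow {f['idx']} {f['l4']} {f['src']}:{f['sport']} -> "
              f"{f['dst']}:{f['dport']} detected as {f['proto']}")
```

On a real box, replace the sample with `capture("em1", 5)` and feed the flows to `summarize()` and `unexpected_flows()`; the summary should match the "Detected protocols" counts ndpiReader prints itself, which is a cheap check that the regex still fits the version you are running.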

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.