pfSense – ntopng: Detecting the protocols used on your network with ndpiReader via shell



  • Hello

    pfSense – ntopng: Detecting the protocols used on your network with ndpiReader via shell

    Reference: http://www.ntop.org/wp-content/uploads/2013/12/nDPI_QuickStartGuide.pdf

    If you have the ntopng package installed on pfSense, you will already know it is a network monitoring tool.

    _ntopng (replaces ntop) is a network probe that shows network usage in a way similar to what top does for processes. In interactive mode, it displays the network status on the user's terminal. In Web mode it acts as a Web server, creating an HTML dump of the network status. It sports a NetFlow/sFlow emitter/collector, an HTTP-based client interface for creating ntop-centric monitoring applications, and RRD for persistently storing traffic statistics._

    It ships an executable, /usr/local/bin/ndpiReader, that detects application-layer (layer-7) protocols.

    Its usage via shell:

        /usr/local/bin/ndpiReader
        Welcome to nDPI 1.8.0

        ndpiReader -i <file|device> [-f <filter>][-s <duration>]
        [-p <protos>][-l <loops> [-q][-d][-h][-t][-v <level>]
        [-n <threads>] [-w <file>] [-j <file>]

        Usage:
        -i <file.pcap|device>     | Specify a pcap file/playlist to read packets from or a device for live capture (comma-separated list)
        -f <BPF filter>           | Specify a BPF filter for filtering selected traffic
        -s <duration>             | Maximum capture duration in seconds (live traffic capture only)
        -p <file>.protos          | Specify a protocol file (eg. protos.txt)
        -l <num loops>            | Number of detection loops (test only)
        -n <num threads>          | Number of threads. Default: number of interfaces in -i. Ignored with pcap files.
        -j <file.json>            | Specify a file to write the content of packets in .json format
        -d                        | Disable protocol guess and use only DPI
        -q                        | Quiet mode
        -t                        | Dissect GTP/TZSP tunnels
        -r                        | Print nDPI version and git revision
        -w <path>                 | Write test output on the specified file. This is useful for
                                  | testing purposes in order to compare results across runs
        -h                        | This help
        -v <1|2>                  | Verbose 'unknown protocol' packet print. 1=verbose, 2=very verbose
    

    For example: a 5-second traffic capture on interface em1

        /usr/local/bin/ndpiReader -i em1 -s 5
    
    

    With this output:

        -----------------------------------------------------------
        * NOTE: This is demo app to show some nDPI features.
        * In this demo we have implemented only some basic features
        * just to show you what you can do with the library. Feel
        * free to extend it and send us the patches for inclusion
        -----------------------------------------------------------

    Using nDPI (1.8.0) [1 thread(s)]
        Capturing live traffic from device em1…
        Capturing traffic up to 5 seconds
        Running thread 0…

    nDPI Memory statistics:
        nDPI Memory (once):      107.66 KB
        Flow Memory (per flow):  1.88 KB
        Actual Memory:          2.01 MB
        Peak Memory:            2.01 MB

    Traffic statistics:
        Ethernet bytes:        5752          (includes ethernet CRC/IFC/trailer)
        Discarded bytes:      0
        IP packets:            17            of 17 packets total
        IP bytes:              5344          (avg pkt size 314 bytes)
        Unique flows:          5
        TCP Packets:          16
        UDP Packets:          1
        VLAN Packets:          0
        MPLS Packets:          0
        PPPoE Packets:        0
        Fragmented Packets:    0
        Max Packet size:      1082
        Packet Len < 64:      8
        Packet Len 64-128:    2
        Packet Len 128-256:    1
        Packet Len 256-1024:  5
        Packet Len 1024-1500:  1
        Packet Len > 1500:    0
        nDPI throughput:      3.09 pps / 8.18 Kb/sec
        Traffic throughput:    3.09 pps / 8.18 Kb/sec
        Traffic duration:      5.495 sec
        Guessed flow protos:  4

    Detected protocols:
        SSL                  packets: 12            bytes: 4785          flows: 3
        SSH                  packets: 4            bytes: 448          flows: 1
        OpenVPN              packets: 1            bytes: 111          flows: 1

    Protocol statistics:
        Safe                          4896 bytes
        Acceptable                    448 bytes

    From which we see that, during that period, the following protocols were in use on interface em1:

    *  SSL
    *  SSH
    *  OpenVPN

    Obviously, via the GUI of the ntopng package on pfSense, the information about what is happening on your network is infinitely more detailed and varied.

    Cheers



  • Hello

    I forgot to mention. With the -v 2 option (maximum verbosity) you can see the sockets (source ip:port <-> destination ip:port) of the detected protocols:

        1 TCP 192.168.0.12:58976 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/588 bytes]
        2 TCP 192.168.0.12:58971 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/534 bytes]
        3 TCP 192.168.0.12:58963 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/607 bytes]
        4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
        5 TCP 192.168.0.12:46725 <-> 192.168.0.254:22 [proto: 92/SSH][6 pkts/712 bytes]
        6 UDP 10.168.0.13:1194 <-> 10..55.55.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]

    Cheers
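As an added example (not code from the original post or from ntop), a small Python parser for the `-v 2` flow lines shown above: it totals flows, packets and bytes per detected protocol and flags any flow whose protocol is not on an assumed per-network expected list, which is the first thing a defender wants to review. The sample lines are constructed from the post's output plus one invented `Unknown` flow (the label ndpiReader gives traffic it could not classify, e.g. when `-d` disables guessing); the expected list is an assumption, not something ndpiReader provides.

```python
import re
from collections import defaultdict

# One ndpiReader -v 2 flow line, e.g.
#   4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
FLOW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<l4>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+<->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"\[proto:\s*(?P<pid>\d+)/(?P<pname>[^\]]+)\]\[(?P<pkts>\d+) pkts/(?P<bytes>\d+) bytes\]"
)

def parse_flows(text):
    """Parse -v 2 flow lines into dicts; non-matching lines (headers, stats) are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        for k in ("idx", "sport", "dport", "pid", "pkts", "bytes"):
            d[k] = int(d[k])
        flows.append(d)
    return flows

def summarize(flows, expected=("SSL", "SSH", "OpenVPN")):
    """Aggregate per-protocol totals; return flows not on the (assumed) expected list."""
    per_proto = defaultdict(lambda: {"flows": 0, "pkts": 0, "bytes": 0})
    unexpected = []
    for f in flows:
        p = per_proto[f["pname"]]
        p["flows"] += 1
        p["pkts"] += f["pkts"]
        p["bytes"] += f["bytes"]
        if f["pname"] not in expected:
            unexpected.append(f)
    return dict(per_proto), unexpected

# Constructed sample: flows from the post plus one invented Unknown flow (203.0.113.9 is a
# documentation address). Unknown is what ndpiReader prints for unclassified traffic.
SAMPLE = """\
1 TCP 192.168.0.12:58976 <-> 192.168.0.254:443 [proto: 91/SSL][2 pkts/588 bytes]
4 TCP 192.168.0.12:43309 <-> 192.168.0.254:22 [proto: 92/SSH][3 pkts/302 bytes]
5 TCP 192.168.0.12:46725 <-> 192.168.0.254:22 [proto: 92/SSH][6 pkts/712 bytes]
6 UDP 10.168.0.13:1194 <-> 10.55.55.60:1194 [proto: 159/OpenVPN][2 pkts/222 bytes]
7 UDP 192.168.0.40:51111 <-> 203.0.113.9:9000 [proto: 0/Unknown][5 pkts/900 bytes]
"""

if __name__ == "__main__":
    totals, odd = summarize(parse_flows(SAMPLE))
    for name, t in totals.items():
        print(f"{name:10} flows={t['flows']} pkts={t['pkts']} bytes={t['bytes']}")
    for f in odd:
        print(f"review: {f['l4']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['pname']})")
```

To use it on a live box, pipe the tool's output in, e.g. `ndpiReader -i em1 -s 5 -v 2 | python3 flows.py` with `SAMPLE` replaced by `sys.stdin.read()`.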

