NTOPNG - Is it safe to use on the WAN IF?

  • Hi everyone,

    I was recently testing NTOPNG and I found it pretty useful.

    Would this be safe to use on the WAN interface? I mean, how is it capturing all the information?
    Is it connecting to a kind of API on pf so any bugs in NTOPNG wouldn't be a security issue? Or is it directly listening on the interface so that there is a chance of buffer overflows and other bugs that would allow breaking into pfSense or running a DoS attack (if someone sends a special malformed package that NTOPNG captures)? Or does it work in a completely different way?

  • I hope so! (Not a very useful response but this is what I have just started using it for - since it is specifically WAN traffic I am trying to identify.)

    It does include some alert items that suggest it is intended for the WAN interface (e.g. Suspicious Activity: "Probing or Server Down" messages).

    As for how it is capturing this information, you are probably best advised to look at the ntop website (http://www.ntop.org/products/traffic-analysis/ntop/). They speak about being based on libpcap and collecting flows through nprobe.

