Ntopng provides a real-time summary of lab network traffic obtained from NetFlow records.You may have been involved in the design and implementation of a network or maybe you came on-board after the network had been built. Kibana is used to access and display the data for visualizations, using graphs and dashboards, through a web interface.įigure 7: NetFlow Dashboard for Bytes, Flows, and Packets by Protocol, and Statistics Summaryįigure 8: NetFlow Dashboards for Statistics by Source and Destination IP, Map of Traffic to Source and Destination, and Volume by Source and Destination Portįigure 9: NetFlow Dashboard for Statistics by Explorer, Statistics by Source and Destination AS, and Discovery Ntopng Logstash provides an input stream to Elastic for storage and search. ElasticSearch is a search engine that provides a distributed, multi-tenant-capable full-text search with an HTTP web interface and schema-free JSON documents.
SOF-ELK uses ElasticSearch, Logstash, and Kibana to organize and display NetFlow and network log files data. The back-end database is ElasticSearch, and the web interface is provided by Moloch Viewer. A Moloch Capture process then monitors that folder, and reads in the packets whenever that PCAP file closes (currently every 10k packets). A small program on the Moloch server (tazman-listener) receives the TaZmen stream and writes out the original packets to PCAP files in /data/moloch/raw. As an alternative, the router sends packets to the Moloch server using the TaZmen Sniffer Protocol (TZSP). However, the 'network tap' we are using (MainRouter) is a separate device, and using a SPAN/MIRROR port was notįeasible. Moloch is designed to listen for packetsĭirectly from a network interface. Moloch is an open source, large scale, full packet capturing, indexing, and database system. The third virtual machine runs Ntopng assigned to IP address 10.1.40.8, listening on port 2055 for NetFlow (v9) data from the router. The second virtual machine runs SOF-ELK assigned to IP address 10.1.40.6:5601 with port 80 redirected to 5601, listening on udp port 9995 for NetFlow (v5) data from the router. The first virtual machine runs Moloch assigned to IP address 10.1.40.5:8005 with port 80 redirected to 8005, listening on udp port 37008 for PCAP data from the router. We use three virtual machine ESXi host that are connected to the instructor VLAN (over the SFP+ interface). We used the Mikrotik CCR1009 router’s built in tool for capturing and sending PCAP and NetFlow data.
The quarantine network and public network will be monitored using the quarantine bridge interface (vlan20.bridge) and public bridge interface (public.bridge). Summary Toolįigure 1 shows the laboratory network design. Moloch is used to analyze PCAP data, SOF-ELK is used to analyze NetFlow and log files data, and Ntopng is used for a real-time view of NetFlow traffic. The router’s built in tool is used to capture a livestream of PCAP and NetFlow data. Data collected includes full packet capture (PCAP), flow summary data (NetFlow), log files for key network services, and protocol specific data. The goal is to implement a system for capturing and analyzing laboratory network traffic.
0 kommentar(er)
