ntopng 4.0:
Breakthroughs
* Plugins engine to tap into flows, hosts and other network elements
* Migration to Bootstrap 4 and Font Awesome 5 for a renewed ntopng look-and-feel with light and dark themes
* Processes and containers monitoring thanks to the eBPF integration via libebpfflow https://github.com/ntop/libebpfflow
* Active monitoring of hosts ICMP/ICMPv6/HTTP/HTTPS Round Trip Times (RTT)
New features
* X.509 client certificate authentication
* ERSPAN transparent ethernet bridging
* Webhook export module for exporting alarms
* Identifications of the hosts in broadcast domain
* Category Lists editor to manage ip/domain lists
* Handling of PEN fields from nProbe
* Added anomalous flows to the looking glass
* Visibility of ICMP port-unreachable flows IPv4
* TCP states filtering (est., connecting, closed and rst)
* Ability to serialize local hosts in the broadcast domain via MAC address
* Japanese, portugese/brazilian localization
* Added process memory, cpu load, InfluxDB, Redis status pages and charts
* Implement ntopng Plugins, self contained modules to extend the ntopng functionalities
* Implement ZMQ/Suricata companion interface
* SSL traffic analysis and alerts via JA3 fingerprint, unsafe ciphers detection
* SSH traffic analysis and alerts via HASSH fingerprint
* Host traffic profile generation via the (MUD) Manufacturer Usage Descriptor
* Experimental Prometheus timeseries export
* Introduce the System interface to manage system wide settings and status
* Read events from Suricata and generate alerts
* SNMP network topology visualization
* Automatic ntopng update check and upgrade
* Calculate host anomaly score and trigger alerts when it exceeds a threshold
* Add ability to extract timeseries data with a click
* Initial Marketplace droplet using Fabric
* Alerts on duplex status change on SNMP interface
Improvements
* View interfaces are now optimized for big networks and use less memory
* Systemd macros are now used to start/restart the ntopng services
* Handles n2disk traffic extractions from recording processes non managed by ntopng
* Interface in/out now available also for non PF_RING interfaces (read from /proc)
* Automatic InfluxDB rollup support
* MDNS discovery improvements
* Rework of the alerts engine and api for efficient engaged alerts triggering
* Faster ZMQ communication to nProbe thanks to the implementation of a binary TLV format
* Stats update for ZMQ interfaces is now based on the idle/active flows timeout
* Timeseries export improvements via queues, detect if InfluxDB is down and stop the export
* Implemented reusable Lua engine to reduce the overhead of periodic scripts
* Improve Lua error handling
* Exclude certain categories from Elephant/Long lived flows alerts
nEdge
* Ability to set up port forwarding
* Support for Ubuntu 18.04
* Fix users and other prefs deleted during nEdge data reset
* Japanese localization
* Block unsupported L3 protocols (currently only ARP and IPv4 are supported)
* DNS mapping port to avoid conflicts with system programs
Fixes
* Fixed export to mysql on shutdown in case of Pcap file in community mode
* Fixed failing SYN-scan detection
* Fixed ZMQ decompression errors with large templates
* Fixed possible XSS in login.lua referer param and `runtime.lua`
* Update geolocation due to changes in the library usage policy
* Fixes to support browsers dark mode
* Option `--zmq-encryption-key <pub key>` can be used with `-I <endpoint>` to encrypt data hi hierarchical mode
* Fixed nIndex missing data while performing some queries and throughput calculation
3.8 Stable
New features
* Remote assistance to temporarily grant encrypted ntopng access to remote
parties
* Custom URLs and IP addresses mappings to traffic categories
* Continuous traffic recording
* User activities logging
* Extended chart metrics
Improvements
* Alerts
* Improved InfluxDB support
* Handles slow and aborted queries
* Uses authentication
* Adds RADIUS and HTTP authenticators
* Options to allow users login via RADIUS and HTTP
* Lua 5.3 support
* Improved performance
* Better memory management
* Native support for 64-bit integers
* Native support for bitwise operations
* Adds the new libmaxminddb geolocation library
* Storage utilization indicators
* Global storage indicator to show the disk used by each interface
* Per-interface storage indicator to show the disk used to store timeseries and flows
* Support for Sonicwall PEN field names
* Option to disable LDAP referrals
* Requests and configures Keepalive support for ZMQ sockets
* Three-way-handshake detection
* Adds SNMP mac addresses to the search function
nEdge
* Implement nEdge policies test page
* Implement device presets
* DNS
Fixes
* Fixes missing flows dump on shutdown
* HTTP dissection fixes
* SNMP
* Properly handles endianness over ZMQ
3.6.1 Stable
Brew formula fixes
3.6 Stable
New features
------------
New pro charts
Ability to compare data with the past (time shift)
Trend lines based on ASAP
Average and percentile lines overlayed on the graph and animated
New color scheme that uses pastel colors for better visualization
https://www.ntop.org/ntopng/ntopng-and-time-series-from-rrd-to-influxdb-new-charts-with-time-shift/
New timeseries API with support for RRD and InfluxDB
Abstracts and handles multiple sources transparently
https://www.ntop.org/guides/ntopng/api/lua/timeseries/index.html
Streaming pcap captures with BPF support
Download live packet captures right from the browser
New SNMP devices caching
Periodically cache information of all the SNMP device configured
Calculate and visualize interfaces throughput
Improvements
------------
Security
Access to the web user interface is controlled with ACLs
Secure ntopng cookies with SameSite and HttpOnly
HTTP cookie authentication
Improved random session id generation
Various SNMP improvemenets
Caching
Interfaces status change alerts
Device interfaces page
Devices and interfaces added to flows
Fixed several library memory leaks
Improved device and interface charts
Interfaces throughput calculation and visualization
Ability to delete all SNMP devices at once
Improved active devices discovery
OS detection via HTTP User-Agent
Alerts
Crypto miners alerts toggle
Detection and alerting of anomalous terminations
Module for sending telegram.org alerts
Slack
Configurable Slack channel names
Added Slack test button
Charts
Active flows vs local hosts chart
Active flows vs interface traffic chart
Ubuntu 18.04 support
Support for ElasticSearch 6 export
Added support for custom categories lists
Added ability to use the non-JIT Lua interpreter
Improved ntopng startup and shutdown time
Support for capturing from interface pairs with PF_RING ZC
Support for variable PPP header lenght
Migrated geolocation to GeoLite2 and libmaxminddb
Configuration backup and restore
Improved IE browser support
Using client SSL certificate for protocol detection
Optimized host/flows purging
* Memory-management, stability and speed have been fundamentally improved
* We have kept an eye on security and hardened the code to prevent privileges escalation and XSS
* Alerts have been extended to include support for
. Re-arming to avoid raising trains of identical alerts in short periods of time
. Alert propagation to the infrastructure monitoring software Nagios
. CIDR-based triggers to monitor the behavior of whole networks
. The detection of suspicious probing attempts
* Netfilter support has been added together with optional packet dropping features
* Routing visibility is now possible through RIPE RIS
* Availability of fine-grained historical data drill-down features, including top talkers, top applications, and interactions between hosts (more details here)
* Integrations with other software
. LDAP authentication support
. alerts forwarding/withdrawal to Nagios
. nBox integration to request full packet pcaps of monitored flows
. Data export to Apache Kafka
* We have extended and improved traffic monitoring
. Visibility of TCP sessions throughput estimations and state breakdown (e.g., connections established, connections reset, etc.)
. Goodput monitoring
. Trends detection
. Highlight of low-goodput flows and hosts
. Visibility of hosts top-visited sites
* Built-in support is now included for
. GRE detunnelling
. per-VLAN historical statistics
. ICMP and ICMPv6 dissection
* We have extended the set of supported OSes to include: Ubuntu 16, Debian 7, EdgeOS
* There is also an optional support for hosts categorization via service flashstart.it
probe that shows the network usage, similar to what the popular top Unix
command does. ntopng is based on libpcap and it has been written in a portable
way in order to virtually run on every Unix platform, MacOSX and on Windows as
well.
ntopng users can use a a web browser to navigate through ntop (that acts as
a web server) traffic information and get a dump of the network status. In
the latter case, ntopng can be seen as a simple RMON-like agent with
an embedded web interface. The use of:
* a web interface.
* limited configuration and administration via the web interface.
* reduced CPU and memory usage (they vary according to network size and traffic)
