Ever since version 5.4 of nBoxes with the Enterprise L license, it has been possible to use a new feature called Behavior Analysis. Let's see what it is and how to take advantage of it.
This ntopng feature monitors periodic flows of network traffic, i.e., flows that repeat at regular intervals, and highlights the services they carry, thus identifying the most frequently used applications.
Let's see how to enable Behavior Analysis through the ntopng web GUI. Go to Settings Menu > Preferences and enable the switch called Enable Traffic Behavior Analysis.
Enabling this feature activates two new submenus in the Maps Menu: Service Map (which contains all the services detected within a network) and Periodicity Map, which highlights those flows that are most frequently detected and repeated over time. Check out the picture below:
In the screenshot it is clear that, inside the network flows, we are able, for example, to identify a Dropbox and/or BitTorrent flow from a host to the related destination, which is a gateway, recognized by the relevant icon.
Behavior Analysis, together with its related alert, provides a way to detect what are called lateral movements: traffic flows that might indicate an ongoing compromise of systems under our administration, or flows that do not comply with our corporate policies.
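To make concrete what the Periodicity Map and Service Map compute, here is an added example that is not ntopng's own code: it builds a per-client service map from flow records, flags flows whose inter-arrival times are steady enough to count as periodic, and reports services a client starts using that were absent from an earlier baseline, which is the kind of change the lateral-movement alert is meant to surface. The flow records, thresholds and function names are constructed assumptions, not ntopng internals.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp in seconds, client, server, port, protocol name).
# The Dropbox flow repeats every 300 s; DNS is irregular; SSH to an internal host appears once.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "162.125.0.1", 443, "Dropbox"),
    (300, "10.0.0.5", "162.125.0.1", 443, "Dropbox"),
    (600, "10.0.0.5", "162.125.0.1", 443, "Dropbox"),
    (900, "10.0.0.5", "162.125.0.1", 443, "Dropbox"),
    (1200, "10.0.0.5", "162.125.0.1", 443, "Dropbox"),
    (10, "10.0.0.5", "10.0.0.1", 53, "DNS"),
    (35, "10.0.0.5", "10.0.0.1", 53, "DNS"),
    (400, "10.0.0.5", "10.0.0.1", 53, "DNS"),
    (410, "10.0.0.5", "10.0.0.1", 53, "DNS"),
    (950, "10.0.0.5", "10.0.0.7", 22, "SSH"),
]


def service_map(flows):
    """Map each client to the set of (server, port, protocol) it has contacted."""
    services = defaultdict(set)
    for _, client, server, port, proto in flows:
        services[client].add((server, port, proto))
    return dict(services)


def periodic_flows(flows, min_count=3, max_cv=0.2):
    """Return {flow_key: mean period in seconds} for flows that repeat at a steady interval.

    A flow is periodic when it is seen at least min_count times and the coefficient of
    variation (stdev / mean) of its inter-arrival times is at most max_cv (assumed thresholds).
    """
    by_key = defaultdict(list)
    for ts, client, server, port, proto in flows:
        by_key[(client, server, port, proto)].append(ts)
    periodic = {}
    for key, stamps in by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            periodic[key] = avg
    return periodic


def new_services(baseline, current):
    """Services each client uses in `current` that were absent from its `baseline` map."""
    added = {}
    for client, services in current.items():
        diff = services - baseline.get(client, set())
        if diff:
            added[client] = diff
    return added
```

Running `new_services(service_map([f for f in SAMPLE_FLOWS if f[0] < 900]), service_map(SAMPLE_FLOWS))` singles out the SSH connection to 10.0.0.7, while `periodic_flows(SAMPLE_FLOWS)` reports only the Dropbox flow with a 300-second period.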
Author
Giovanni Davide Saccá
Hi all, my name is Davide and I was born in San Donato Milanese. Since I was a boy I've always been intrigued by PCs, and so I took my first steps with my Commodore VIC-20. Before joining Würth Phoenix as an SI consultant, I worked first as a Network Engineer for several ISPs (Internet Service Providers) in the late 90s, then for the first ASP (Application Service Provider) and next as a head of IT Network and Security. My various ITIL and Vendor certifications have allowed me to be able to cooperate at multiple project levels. I like tennis, music, motorcycles and going on nature walks with my family.