08. 07. 2024 Tobias Goller Unified Monitoring

Collecting Netflows – ntopng vs. ElastiFlow

In order to be able to carry out detailed network monitoring, an IT administrator naturally wants to know what is happening in his or her network.

To obtain this information, the network flows must of course be analyzed. Many network devices offer the option of exporting netflows, which are sent to a collector that evaluates them and displays them graphically.
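To make concrete what a collector such as nprobe or the ElastiFlow collector does with an exported flow before anything reaches a dashboard, here is an added Python example (it is not part of the original post and is not code from ntop or ElastiFlow) that decodes a NetFlow v5 datagram, rejects truncated or mislabelled datagrams instead of decoding garbage, and aggregates the flows into the kind of "top talkers" list both tools display. The datagram is constructed inline with made-up addresses, ports and byte counts; the `engine_id` field is used as the exporter identity, which is an assumption of the example, not something the post states.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire layout (big-endian, fixed size): a 24-byte header followed by
# `count` records of 48 bytes each. Field names follow Cisco's v5 documentation.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")
HEADER_FIELDS = ("version", "count", "sys_uptime", "unix_secs", "unix_nsecs",
                 "flow_sequence", "engine_type", "engine_id", "sampling_interval")
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts",
                 "dOctets", "first", "last", "srcport", "dstport", "pad1",
                 "tcp_flags", "prot", "tos", "src_as", "dst_as", "src_mask",
                 "dst_mask", "pad2")
MAX_V5_RECORDS = 30  # v5 exporters send 1-30 records per datagram


def ip_to_int(dotted: str) -> int:
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def int_to_ip(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value))


def parse_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 datagram into {"header": {...}, "flows": [...]}.

    Length and count are cross-checked before any record is decoded, so a
    truncated or padded datagram is rejected rather than yielding bogus flows.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    header = dict(zip(HEADER_FIELDS, V5_HEADER.unpack_from(datagram, 0)))
    if header["version"] != 5:
        raise ValueError(f"not NetFlow v5 (version field = {header['version']})")
    if not 1 <= header["count"] <= MAX_V5_RECORDS:
        raise ValueError(f"invalid record count {header['count']}")
    expected = V5_HEADER.size + header["count"] * V5_RECORD.size
    if len(datagram) != expected:
        raise ValueError(f"length {len(datagram)} != {expected} implied by count")
    flows = []
    for i in range(header["count"]):
        offset = V5_HEADER.size + i * V5_RECORD.size
        rec = dict(zip(RECORD_FIELDS, V5_RECORD.unpack_from(datagram, offset)))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = int_to_ip(rec[key])
        flows.append(rec)
    return {"header": header, "flows": flows}


def is_well_formed(datagram: bytes) -> bool:
    """True if parse_v5 accepts the datagram; a collector should drop the rest."""
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_talkers(flows, n: int = 3):
    """Bytes sent per source address, largest first: the aggregation behind the
    'top talkers' panels that ntopng and ElastiFlow dashboards show."""
    totals = defaultdict(int)
    for flow in flows:
        totals[flow["srcaddr"]] += flow["dOctets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def build_v5(records, engine_id: int = 1, sequence: int = 0) -> bytes:
    """Encode (src, dst, proto, sport, dport, packets, octets) tuples as a v5
    datagram. Used here only to construct sample input; a real exporter fills
    the timing, interface and AS fields that are zeroed below."""
    header = V5_HEADER.pack(5, len(records), 0, 1720000000, 0, sequence,
                            0, engine_id, 0)
    body = b"".join(
        V5_RECORD.pack(ip_to_int(src), ip_to_int(dst), 0, 1, 2, pkts, octets,
                       0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, proto, sport, dport, pkts, octets in records)
    return header + body


# Constructed sample datagram (not captured traffic): three flows from two
# internal hosts, as a single exporter with engine_id 1 might send them.
SAMPLE_DATAGRAM = build_v5([
    ("10.0.0.5", "192.0.2.10", 6, 51234, 443, 120, 150000),
    ("10.0.0.7", "192.0.2.10", 17, 5353, 53, 3, 210),
    ("10.0.0.5", "198.51.100.4", 6, 40000, 22, 40, 6000),
])

if __name__ == "__main__":
    parsed = parse_v5(SAMPLE_DATAGRAM)
    print("exporter engine", parsed["header"]["engine_id"],
          "records", parsed["header"]["count"])
    for src, octets in top_talkers(parsed["flows"]):
        print(f"{src:>15}  {octets} bytes")
    print("truncated datagram accepted?", is_well_formed(SAMPLE_DATAGRAM[:-1]))
```

The length check is the part worth copying into any home-grown collector: NetFlow travels over UDP with no authentication, so a datagram whose `count` does not match its size is the normal failure mode to expect, and decoding it anyway produces flows that never existed.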

Here at Würth Phoenix we use two solutions for receiving, evaluating, storing and displaying netflows. On one hand, we use the ntop solutions with nprobe and ntopng as a graphical application, and on the other hand, we use Elastic with ElastiFlow.

I’ve thus selected a few key points to compare them.

Environment

ntopng can be installed as a module in NetEye or used on an nbox, i.e. on dedicated hardware.

When using ElastiFlow, an ELK environment must be set up, i.e. Elasticsearch and Kibana must be installed and configured.

Database

When using ntopng, the received flows are written to the ClickHouse database, whereas with ElastiFlow they are written to the Elastic database.

User Interface

In both user interfaces there are various predefined graphics that enable the data to be evaluated. All ElastiFlow dashboards are run in Kibana and therefore use its display options.

The dashboards of ntopng and ElastiFlow are somewhat similar and display the content in similar panels.

Flow Exporter

There is a significant difference between the two applications when it comes to displaying the flow exporters. While ntopng displays at most 64 flow exporters, ElastiFlow does not specify a maximum number. I have personally seen an ElastiFlow installation in which several hundred flow exporters could be displayed individually.

View Export

In ntopng, a PDF export can be made via the “Traffic Report” menu item; this is the only PDF export option ntopng offers. The ElastiFlow views are shown in Kibana, so they can be exported using the Kibana export function.

Alarms – Anomalies

In ntopng you will find a number of predefined alarms that analyze the flows. The alarms can be switched on or off, and in some cases their threshold values can also be adjusted. By configuring individual notifications, these alarms can also be forwarded to other systems.

ElastiFlow uses Elastic’s machine learning: it offers templates that make it possible to detect anomalies and calculate forecasts with Elastic’s machine learning. Any notifications of anomalies must be set up in Kibana by creating “detection rules”.

Conclusion

When using ntopng, additional functions are available, such as creating netflows from a connected port mirror, forwarding the created netflows, or reading and creating pcap files. This means that ntopng has additional functions that can be useful for network analysis.

ElastiFlow is a good option if you are already using Elastic and only want to receive and display netflows. We also recommend using ElastiFlow if you want to list and evaluate a very large number of flow exporters (over 64) individually.

Tobias Goller

NetEye Solution Architect at Würth Phoenix
I started my professional career as a system administrator. Over the years, my area of responsibility changed from administrative work to the architectural planning of systems. During my activities at Würth Phoenix, the focus of my area of responsibility changed to the installation and consulting of the IT system management solution WÜRTHPHOENIX NetEye. In the meantime, I take care of the implementation and planning of customer projects in the area of our unified monitoring solution.