Also – with the latest versions – does the hierarchical configuration of ntopng still work the same way with the ZMQ interfaces as was described in 2018?

From: ntop-boun...@listgateway.unipi.it <ntop-boun...@listgateway.unipi.it> On Behalf Of Simone Mainardi
Sent: Wednesday, March 10, 2021 2:20 AM
To: n...@unipi.it
Subject: Re: [Ntop] ghost network devices

Hi,

If ntopng only has access to tunneled traffic, there is not much that can be done. OpenVPN traffic is encrypted.

But if you have access to the machine running OpenVPN - Sec.Bridge.Dev I guess - then the traffic can be before it enters the tunnel. I believe Sec.Bridge.Dev will have a tunXXX interface. You should try and run ntopng on that interface with -i tunXX.

Simone

On 9 Mar 2021, at 15:19, Christina Phillips <cphill...@inei.com> wrote:

Hi – so, I’ve run into an issue with ghost networks. I can see the ghost networks. That’s fine.

My situation is that I am using an OpenVPN based layer 2 over layer 3 tunnel between security devices.

Devices:
Cameras: 2
Management Laptop: 1
Security Edge Devices: 3
Security Bridge Device: 1 (this device runs ntopng)

Diagram is basically:

Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
                                        <->Sec.Edg.Dev3<->Laptop

Cameras and laptop have device IP addresses in 192.168.x.0/24
Edge devices make a secure tunnel on 172.31.X.0/24
192.168.X.0 is a ghost network.

Ntopng on the bridge device records traffic on the bridge network (for example interface br50), as well as other interfaces on the bridge device (this is a Debian 9 VM that communicates over a network to the edge devices – which may be geographically dispersed).

The issue is that for anything on the “bridge” interface and a ghost network device – I only see the broadcast and multicast traffic of those devices.

I believe the 3.x ntopng and the 4.1 ntopng (before the big change) – recorded the unicast traffic of the ghost devices (I’ve been using ntopng since 2017 – and while I no longer have any older code versions running – I believe I was seeing unicast traffic from a camera to a laptop (through the bridge)).

What happened? What can be done?

Am I doing anything wrong? (Traffic flow is from laptop to camera – through the bridge device – I should be able to see the http/https traffic between the laptop and camera – but I do not.)

Christina Phillips
VP of Technology
m: 703.626 0385
e: cphill...@onclave.net
w: www.onclave.net
7950 Jones Branch Drive, Suite 805, McLean, VA 22102

_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop