[prev in list] [next in list] [prev in thread] [next in thread]
List: ntop
Subject: Re: [Ntop] ghost network devices
From: Christina Phillips <cphillips () inei ! com>
Date: 2021-03-11 15:00:58
Message-ID: MN2PR18MB2446220842DCF8061C8011BEC6909 () MN2PR18MB2446 ! namprd18 ! prod ! outlook ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
[Attachment #4 (text/plain)]
I figured a way out of this by using a remote ntopng and shipping via the ZMQ \
interface – and then defining the subnet of devices protected by the security \
devices as a "Local" subnet.
From: ntop-bounces@listgateway.unipi.it <ntop-bounces@listgateway.unipi.it> On Behalf \
Of Simone Mainardi
Sent: Wednesday, March 10, 2021 2:20 AM
To: ntop@unipi.it
Subject: Re: [Ntop] ghost network devices
Hi,
If ntopng only have access to tunneled traffic, there is no much that can be done. \
OpenVPN traffic is encrypted. But if you have access to the machine running OpenVPN - \
Sec.Bridge.Dev I guess - then the traffic can be before it enters the tunnel. I \
believe Sec.Bridge.Dev will have a tunXXX interface. You should try and run ntopng on \
that interface with -i tunXX.
Simone
On 9 Mar 2021, at 15:19, Christina Phillips \
<cphillips@inei.com<mailto:cphillips@inei.com>> wrote:
Hi – so, I've run into an issue with ghost networks. I can see the ghost networks. \
That's fine. My situation is that I am using an OpenVPN based layer 2 over layer 3 \
tunnel between security devices.
Devices:
Cameras: 2
Management Laptop: 1
Security Edge Devices 3
Security Bridge Device: 1 (this device runs ntopng)
Diagram is basically:
Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
<->Sec.Edg.Dev3<->Laptop
Cameras and laptop have device IP addresses in 192.168.x.0/24
Edge devices make a secure tunnel on 172.31.X.0/24
192.168.X.0 is a ghost network.
Ntopng on bridge device records traffic on the bridge network (for example interface \
br50), as well as other interfaces on the bridge device (this is a Debian 9 VM that \
communicates over a network to the edge devices – which may be geographically \
dispersed.)
The issue is that anything on the "bridge" interface and a ghost network device – I \
only see the broadcast and multicast traffic of those devices. I believe the 3.x \
ntopng and the 4.1 ntopng (before the big change) – recorded the unicast traffic of \
the ghost devices (I've been using ntopng since 2017 – and while I no longer have \
any older code versions running – I believe I was seeing unicast traffic from a \
camera to a laptop (through the bridge).
What happened? What can be done? Am I doing anything wrong? (traffic flow is \
from laptop to camera – through the bridge device – I should be able to see the \
http/https traffic between the laptop and camera – but I do not.)
Christina Phillips
VP of Technology
m: 703.626 0385
e: cphillips@onclave.net<mailto:cphillips@onclave.net>
w: www.onclave.net<http://www.onclave.net/>
[Logo Description automatically generated]
7950 Jones Branch Drive, Suite 805, McLean, VA \
22102<webextlink://7950%20Jones%20Branch%20Drive,%20Suite%20805,%20McLean,%20VA%2022102>
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it<mailto:Ntop@listgateway.unipi.it>
http://listgateway.unipi.it/mailman/listinfo/ntop
[Attachment #5 (text/html)]
<html xmlns:v="urn:schemas-microsoft-com:vml" \
xmlns:o="urn:schemas-microsoft-com:office:office" \
xmlns:w="urn:schemas-microsoft-com:office:word" \
xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" \
xmlns="http://www.w3.org/TR/REC-html40"> <head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EmailStyle19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">I figured a way out of this by using a remote ntopng and \
shipping via the ZMQ interface – and then defining the subnet of devices protected \
by the security devices as a "Local" subnet.<o:p></o:p></p> <p \
class="MsoNormal"><o:p> </o:p></p> <p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> ntop-bounces@listgateway.unipi.it \
<ntop-bounces@listgateway.unipi.it> <b>On Behalf Of </b>Simone Mainardi<br>
<b>Sent:</b> Wednesday, March 10, 2021 2:20 AM<br>
<b>To:</b> ntop@unipi.it<br>
<b>Subject:</b> Re: [Ntop] ghost network devices<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hi,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">If ntopng only have access to tunneled traffic, there is no much \
that can be done. OpenVPN traffic is encrypted. But if you have access to the machine \
running OpenVPN - Sec.Bridge.Dev I guess - then the traffic can be before it enters \
the tunnel. I believe Sec.Bridge.Dev will have a tunXXX interface. You should \
try and run ntopng on that interface with -i tunXX.<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Simone<o:p></o:p></p>
</div>
<div>
<div>
<div>
<p class="MsoNormal"><br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="MsoNormal">On 9 Mar 2021, at 15:19, Christina Phillips <<a \
href="mailto:cphillips@inei.com">cphillips@inei.com</a>> wrote:<o:p></o:p></p> \
</div> <p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">Hi – so, I've run into an issue with ghost networks. I \
can see the ghost networks. That's fine. My situation is that I am using \
an OpenVPN based layer 2 over layer 3 tunnel between security devices.<o:p></o:p></p> \
</div> <div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Devices:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Cameras: 2<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Management Laptop: 1<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Security Edge Devices 3<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Security Bridge Device: 1 (this device runs \
ntopng)<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Diagram is basically:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev \
<->Sec.Edg.Dev2<-> Camera2<o:p></o:p></p> </div>
<div>
<p class="MsoNormal">   \
; \
&n \
bsp; <->Sec.Edg.Dev3<->Laptop<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Cameras and laptop have device IP addresses in \
192.168.x.0/24<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Edge devices make a secure tunnel on \
172.31.X.0/24 <span \
class="apple-converted-space"> </span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal">192.168.X.0 is a ghost network.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Ntopng on bridge device records traffic on the bridge network \
(for example interface br50), as well as other interfaces on the bridge device (this \
is a Debian 9 VM that communicates over a network to the edge devices – which may \
be geographically dispersed.)<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">The issue is that anything on the "bridge" interface and a ghost \
network device – I only see the broadcast and multicast traffic of those \
devices. I believe the 3.x ntopng and the 4.1 ntopng (before the big change) \
– recorded the unicast traffic of the ghost devices (I've been using ntopng since \
2017 – and while I no longer have any older code versions running – I believe I \
was seeing unicast traffic from a camera to a laptop (through the \
bridge). <o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">What happened? What can be done? Am I doing anything \
wrong? (traffic flow is from laptop to camera – through the \
bridge device – I should be able to see the http/https traffic between the laptop \
and camera – but I do not.)<o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><b><span \
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#0070C0">Christina \
Phillips</span></b><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#555759">VP of \
Technology</span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#555759"> </span><o:p></o:p></p>
</div>
<div style="margin-left:13.5pt">
<p class="MsoNormal" style="text-indent:-13.5pt"><b><span lang="FR" \
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#595959">m:</span></b><b><span \
lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#555759"> </span></b><span \
lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#555759">703.626
0385</span><o:p></o:p></p>
</div>
<div style="margin-left:13.5pt">
<p class="MsoNormal" style="text-indent:-13.5pt"><b><span lang="FR" \
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#595959">e:</span></b><b><span \
lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#555759"> </span></b><u><span \
lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#0070C0"><a \
href="mailto:cphillips@onclave.net">cphillips@onclave.net</a></span></u><o:p></o:p></p>
</div>
<div style="margin-left:13.5pt">
<p class="MsoNormal" style="text-indent:-13.5pt"><b><span lang="FR" \
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#595959">w:</span></b><span \
lang="FR" style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#555759"> </span><span \
style="font-size:12.0pt;font-family:"Times New Roman",serif"><a \
href="http://www.onclave.net/"><span lang="FR" \
style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#0070C0">www.onclave.net</span></a></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span \
style="font-size:8.0pt;font-family:"Arial",sans-serif"> </span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:12.0pt;font-family:"Times New \
Roman",serif"><img border="0" width="93" height="32" \
style="width:.9666in;height:.3333in" id="Picture_x0020_1" \
src="cid:image001.png@01D7165D.6E5DF560" alt="Logo
Description automatically generated"></span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-size:8.0pt;font-family:"Times New \
Roman",serif"> </span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"><span \
style="font-size:7.0pt;font-family:"Arial",sans-serif;color:#595959"><a \
href="webextlink://7950%20Jones%20Branch%20Drive,%20Suite%20805,%20McLean,%20VA%2022102"><span \
style="color:#0072C6;text-decoration:none">7950 Jones Branch Drive, Suite 805, \
McLean, VA 22102</span></a></span><o:p></o:p></p> </div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<p class="MsoNormal"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">_______________________________________________<br>
Ntop mailing list<br>
</span><a href="mailto:Ntop@listgateway.unipi.it"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">Ntop@listgateway.unipi.it</span></a><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif"><br> </span><a \
href="http://listgateway.unipi.it/mailman/listinfo/ntop"><span \
style="font-size:9.0pt;font-family:"Helvetica",sans-serif">http://listgateway.unipi.it/mailman/listinfo/ntop</span></a><o:p></o:p></p>
</div>
</blockquote>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
</div>
</body>
</html>
["image001.png" (image/png)]
_______________________________________________
Ntop mailing list
Ntop@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop
--===============8892833167819488938==--
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic