Re: [Ntop-misc] Analysing just inbound internet traffic with ntopng
Thanks, I'll break down the questions and submit one by one. But I don't understand about breaking nDPI. I don't think any packet inspection is possible here, as I'm using nprobe to collect flow information sent by routers. No actual traffic is available to it.

Peter Shute

Sent from my iPad

> On 2 Sep 2016, at 5:47 PM, Luca Deri wrote:
>
> Peter
> analysing only one traffic direction will break (most of) nDPI. Please don't
> do that.
>
> As you’re asking several questions, I suggest you file individual issues
> on https://github.com/ntop/ntopng/issues so we can answer one by one
>
> Luca
>
>> On 29 Aug 2016, at 23:36, Peter Shute wrote:
>>
>> I've now got NetFlow data being logged in MySQL via nprobe and ntopng. I'm
>> mostly interested in analysing the inbound traffic from the internet to help
>> me find out why we're going over our ISP's download quota. For example, I'd
>> like to find out which device here downloaded the most from the internet
>> yesterday.
>>
>> I assumed I must use the Historical Data Explorer, but I can't see any way
>> to filter out all the other flows - ie internal and outgoing. I think I need
>> to look at just the flows where the src ip address is not 192.168.x.y and
>> the dst ip address is 192.168.x.y.
>>
>> I've defined a Traffic Profile called "Incoming only" as "dst net 192.168
>> and not src net 192.168", but the only place I can see to use this is to
>> click on Interfaces, then select my interface, then click on the funny
>> little symbol that I think is a doctor with a stethoscope, and then on the
>> chart symbol beside the "Incoming only" profile name. (Can I suggest tool
>> tips for all the symbols so one doesn't have to click on them to find out
>> what they are?)
>>
>> But then what? I'd like to be able to select a data range that covers, say,
>> yesterday from midnight to midnight, and see which address downloaded the
>> most data. I can choose a one day range, but it will end at the current
>> time. And I can't see how to get a list of top downloaders for that whole
>> day. If I hover over the chart, it shows a list which I think is for that
>> minute only. And it lists senders and receivers - how can there be both if
>> my filter only matches external sources and internal destinations?
>>
>> If I choose a week for the chart length, it still ends at the current time,
>> and I think it still shows the top senders and receivers for one minute
>> periods. I can't tell for sure which day I've chosen because it only
>> displays times, not dates. (Could I suggest that dates are also shown, or at
>> least a clear vertical line for each midnight?)
>>
>> Am I looking in the wrong place for the data I want? Or do I need to query
>> the MySQL database myself?
>>
>> Peter Shute

___
Ntop-misc mailing list
Ntop-misc@listgateway.unipi.it
http://listgateway.unipi.it/mailman/listinfo/ntop-misc
Re: [Ntop-misc] Analysing just inbound internet traffic with ntopng
Peter

analysing only one traffic direction will break (most of) nDPI. Please don't do that.

As you’re asking several questions, I suggest you file individual issues on https://github.com/ntop/ntopng/issues so we can answer one by one

Luca

> On 29 Aug 2016, at 23:36, Peter Shute wrote:
>
> I've now got NetFlow data being logged in MySQL via nprobe and ntopng. I'm
> mostly interested in analysing the inbound traffic from the internet to help
> me find out why we're going over our ISP's download quota. For example, I'd
> like to find out which device here downloaded the most from the internet
> yesterday.
>
> I assumed I must use the Historical Data Explorer, but I can't see any way to
> filter out all the other flows - ie internal and outgoing. I think I need to
> look at just the flows where the src ip address is not 192.168.x.y and the
> dst ip address is 192.168.x.y.
>
> I've defined a Traffic Profile called "Incoming only" as "dst net 192.168 and
> not src net 192.168", but the only place I can see to use this is to click on
> Interfaces, then select my interface, then click on the funny little symbol
> that I think is a doctor with a stethoscope, and then on the chart symbol
> beside the "Incoming only" profile name. (Can I suggest tool tips for all
> the symbols so one doesn't have to click on them to find out what they are?)
>
> But then what? I'd like to be able to select a data range that covers, say,
> yesterday from midnight to midnight, and see which address downloaded the
> most data. I can choose a one day range, but it will end at the current time.
> And I can't see how to get a list of top downloaders for that whole day. If I
> hover over the chart, it shows a list which I think is for that minute only.
> And it lists senders and receivers - how can there be both if my filter only
> matches external sources and internal destinations?
>
> If I choose a week for the chart length, it still ends at the current time,
> and I think it still shows the top senders and receivers for one minute
> periods. I can't tell for sure which day I've chosen because it only displays
> times, not dates. (Could I suggest that dates are also shown, or at least a
> clear vertical line for each midnight?)
>
> Am I looking in the wrong place for the data I want? Or do I need to query
> the MySQL database myself?
>
> Peter Shute
[Ntop-misc] Analysing just inbound internet traffic with ntopng
I've now got NetFlow data being logged in MySQL via nprobe and ntopng. I'm mostly interested in analysing the inbound traffic from the internet to help me find out why we're going over our ISP's download quota. For example, I'd like to find out which device here downloaded the most from the internet yesterday.

I assumed I must use the Historical Data Explorer, but I can't see any way to filter out all the other flows - ie internal and outgoing. I think I need to look at just the flows where the src ip address is not 192.168.x.y and the dst ip address is 192.168.x.y.

I've defined a Traffic Profile called "Incoming only" as "dst net 192.168 and not src net 192.168", but the only place I can see to use this is to click on Interfaces, then select my interface, then click on the funny little symbol that I think is a doctor with a stethoscope, and then on the chart symbol beside the "Incoming only" profile name. (Can I suggest tool tips for all the symbols so one doesn't have to click on them to find out what they are?)

But then what? I'd like to be able to select a data range that covers, say, yesterday from midnight to midnight, and see which address downloaded the most data. I can choose a one day range, but it will end at the current time. And I can't see how to get a list of top downloaders for that whole day. If I hover over the chart, it shows a list which I think is for that minute only. And it lists senders and receivers - how can there be both if my filter only matches external sources and internal destinations?

If I choose a week for the chart length, it still ends at the current time, and I think it still shows the top senders and receivers for one minute periods. I can't tell for sure which day I've chosen because it only displays times, not dates. (Could I suggest that dates are also shown, or at least a clear vertical line for each midnight?)

Am I looking in the wrong place for the data I want? Or do I need to query the MySQL database myself?
Peter Shute
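
Added example, not part of the original thread and not ntop's code: the per-day "top downloaders" figure asked about above, computed with the poster's filter (dst net 192.168 and not src net 192.168) over a midnight-to-midnight window. The `flows` table, its column names, the integer address encoding and the sample rows are constructed for illustration and are not ntopng's MySQL schema; sqlite3 stands in for MySQL so the query runs offline.

```python
import ipaddress
import sqlite3
from datetime import date, datetime, time, timedelta, timezone

LAN = ipaddress.ip_network("192.168.0.0/16")  # internal range from the thread
LAN_LO, LAN_HI = int(LAN.network_address), int(LAN.broadcast_address)

def day_window(day, tz=timezone.utc):
    """Epoch seconds [midnight, next midnight) for `day` in timezone `tz`."""
    start = datetime.combine(day, time.min, tzinfo=tz)
    return int(start.timestamp()), int((start + timedelta(days=1)).timestamp())

def top_downloaders(db, day, limit=10, tz=timezone.utc):
    """Rank internal hosts by bytes received from external sources on `day`."""
    start, end = day_window(day, tz)
    rows = db.execute(
        """
        SELECT dst_ip, SUM(bytes) AS total
        FROM flows                            -- hypothetical table, see sample_db
        WHERE dst_ip BETWEEN :lo AND :hi      -- dst net 192.168
          AND src_ip NOT BETWEEN :lo AND :hi  -- and not src net 192.168
          AND first_seen >= :start AND first_seen < :end  -- flow start picks the day
        GROUP BY dst_ip ORDER BY total DESC LIMIT :limit
        """,
        {"lo": LAN_LO, "hi": LAN_HI, "start": start, "end": end, "limit": limit},
    ).fetchall()
    return [(str(ipaddress.ip_address(ip)), total) for ip, total in rows]

def sample_db():
    """In-memory table of constructed flow records (times are UTC)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (src_ip INT, dst_ip INT, bytes INT, first_seen INT)")
    flows = [  # (src, dst, bytes, flow start)
        ("203.0.113.10", "192.168.1.20", 900_000, "2016-08-28 09:15:00"),    # inbound
        ("198.51.100.7", "192.168.1.20", 600_000, "2016-08-28 23:59:59"),    # inbound
        ("203.0.113.10", "192.168.1.35", 700_000, "2016-08-28 00:00:00"),    # inbound
        ("192.168.1.35", "192.168.1.20", 5_000_000, "2016-08-28 10:00:00"),  # internal
        ("192.168.1.20", "203.0.113.10", 4_000_000, "2016-08-28 11:00:00"),  # outbound
        ("203.0.113.10", "192.168.1.35", 9_000_000, "2016-08-29 00:00:00"),  # next day
    ]
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?)", [
        (int(ipaddress.ip_address(s)), int(ipaddress.ip_address(d)), b,
         int(datetime.fromisoformat(t).replace(tzinfo=timezone.utc).timestamp()))
        for s, d, b, t in flows])
    return db

if __name__ == "__main__":
    for host, total in top_downloaders(sample_db(), date(2016, 8, 28)):
        print(f"{host:15} {total:>12,} bytes")
```

Flows are assigned to a day by their start time, so a long transfer that crosses midnight is counted entirely on the day it began.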