Mailing List Archive

ghost network devices
Hi - so, I've run into an issue with ghost networks. I can see the ghost networks. That's fine. My situation is that I am using an OpenVPN-based layer 2 over layer 3 tunnel between security devices.

Devices:
Cameras: 2
Management Laptop: 1
Security Edge Devices: 3
Security Bridge Device: 1 (this device runs ntopng)

Diagram is basically:

Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
<->Sec.Edg.Dev3<->Laptop

Cameras and laptop have device IP addresses in 192.168.x.0/24

Edge devices make a secure tunnel on 172.31.X.0/24
192.168.X.0 is a ghost network.
Ntopng on the bridge device records traffic on the bridge network (for example interface br50), as well as on other interfaces of the bridge device (this is a Debian 9 VM that communicates over a network with the edge devices, which may be geographically dispersed).


The issue is that for anything on the "bridge" interface and a ghost network device, I only see the broadcast and multicast traffic of those devices. I believe the 3.x ntopng and the 4.1 ntopng (before the big change) recorded the unicast traffic of the ghost devices (I've been using ntopng since 2017, and while I no longer have any older code versions running, I believe I was seeing unicast traffic from a camera to a laptop through the bridge).

What happened? What can be done? Am I doing anything wrong? (Traffic flow is from the laptop to the camera, through the bridge device. I should be able to see the http/https traffic between the laptop and the camera, but I do not.)


Christina Phillips
VP of Technology

m: 703.626 0385
e: cphillips@onclave.net
w: www.onclave.net

7950 Jones Branch Drive, Suite 805, McLean, VA 22102
Re: ghost network devices
Hi,

If ntopng only has access to tunneled traffic, there is not much that can be done. OpenVPN traffic is encrypted. But if you have access to the machine running OpenVPN - Sec.Bridge.Dev, I guess - then the traffic can be seen before it enters the tunnel. I believe Sec.Bridge.Dev will have a tunXXX interface. You should try and run ntopng on that interface with -i tunXX.

Simone

> On 9 Mar 2021, at 15:19, Christina Phillips <cphillips@inei.com> wrote:
>
> Hi – so, I’ve run into an issue with ghost networks. I can see the ghost networks. That’s fine. My situation is that I am using an OpenVPN based layer 2 over layer 3 tunnel between security devices.
> _______________________________________________
> Ntop mailing list
> Ntop@listgateway.unipi.it <mailto:Ntop@listgateway.unipi.it>
> http://listgateway.unipi.it/mailman/listinfo/ntop <http://listgateway.unipi.it/mailman/listinfo/ntop>
Re: ghost network devices
Hi. So the secure bridge decrypts the traffic on the br50 interface. Ntopng is running on the bridge and I have the br50 interface in ntopng.conf. It does pick up broadcast and multicast where it is the endpoint. However, traffic going from a laptop to a camera is not picked up. I will double check to see if we are decrypting all traffic when it gets to the bridge.
________________________________
From: ntop-bounces@listgateway.unipi.it <ntop-bounces@listgateway.unipi.it> on behalf of Simone Mainardi <mainardi@ntop.org>
Sent: Wednesday, March 10, 2021 2:19:45 AM
To: ntop@unipi.it <ntop@unipi.it>
Subject: Re: [Ntop] ghost network devices
Re: ghost network devices
Also – with the latest versions – does the hierarchical configuration of ntopng still work the same way with the ZMQ interfaces as was described in 2018?
Re: ghost network devices
I figured a way out of this by using a remote ntopng and shipping via the ZMQ interface – and then defining the subnet of devices protected by the security devices as a “Local” subnet.