Hi - so, I've run into an issue with ghost networks. I can see the ghost networks. That's fine. My situation is that I am using an OpenVPN based layer 2 over layer 3 tunnel between security devices.
Devices:
Cameras: 2
Management Laptop: 1
Security Edge Devices: 3
Security Bridge Device: 1 (this device runs ntopng)
Diagram is basically:
Camera1<>Sec.Edg.Dev1<-> Sec.Bridge.Dev <->Sec.Edg.Dev2<-> Camera2
                                        <->Sec.Edg.Dev3<->Laptop
Cameras and laptop have device IP addresses in 192.168.x.0/24
Edge devices make a secure tunnel on 172.31.X.0/24
192.168.X.0 is a ghost network.
Ntopng on bridge device records traffic on the bridge network (for example interface br50), as well as other interfaces on the bridge device (this is a Debian 9 VM that communicates over a network to the edge devices - which may be geographically dispersed.)
The issue is that anything on the "bridge" interface and a ghost network device - I only see the broadcast and multicast traffic of those devices. I believe the 3.x ntopng and the 4.1 ntopng (before the big change) - recorded the unicast traffic of the ghost devices (I've been using ntopng since 2017 - and while I no longer have any older code versions running - I believe I was seeing unicast traffic from a camera to a laptop (through the bridge)).
What happened? What can be done? Am I doing anything wrong? (traffic flow is from laptop to camera - through the bridge device - I should be able to see the http/https traffic between the laptop and camera - but I do not.)
Christina Phillips
VP of Technology
m: 703.626 0385
e: cphillips@onclave.net
w: www.onclave.net
7950 Jones Branch Drive, Suite 805, McLean, VA 22102