2 traffic monitoring, 1 dashboard, 2 flows – NEXCOM IFA 1610 User Manual

Copyright © 2014 NEXCOM International Co., Ltd. All Rights Reserved.

IFA 3610/IFA 2610/IFA 1610 User Manual

Chapter 8: The Logs and Reports Menu

78

8.2 Traffic Monitoring

The ntopng software is the successor of the ntop network traffic analyser, which adds a more intuitive interface and
more graphical representations of the traffic that flows through the appliance.

The management interface of ntopng provides now more usability and can be accessed easily accessed from any browser,
and therefore has been integrated more tightly with the appliance interface than in previous versions.

In few words, the abilities of ntopng can be summarised as follows:

▪ Real time monitoring of every network interface of the appliance.

▪ Web-accessible management interface.

▪ Less resource needed compared to ntop.

▪ Integration of nDPI (Application firewall).

▪ Traffic analysis according to different parameters (protocol, source/destination).

▪ Export of reports in JSON format

▪ Storage of traffic statistics on disk.

The ntopng GUI is organised into four tabs: Dashboard, Flows, Hosts, and Interfaces. Moreover, there is also a search box
to quickly display information about a given host.

In the footer of each tab, a couple of information are shown: Besides a copyright notice and a link to the ntop home
page, there is a chart showing the network traffic over the last 20 seconds, updated in real time, and some numerical
data about the current bandwidth used, the number of hosts and flows and the appliance‘s uptime.

8.2.1 Dashboard

The dashboard shows all connections that interest the appliance, that is, all established Flows in which the appliance is
involved.

The page is divided into several diagrams, with the first one -a so-called Sankey diagram showing all flows moving on
the appliance, updated in real time. The horizontal flows show the traffic between two hosts, while the vertical width
of each flows is proportional to the bandwidth used by that flows, i.e., to the amount of data flowing. The connections
-and therefore the direction of the data sent- are shown left to right: Hosts on the left hand-side of the diagram send
data to hosts on the right-hand side and are identified by either their IP address or hostname. A click on one host leads
to the Overview page in the Hosts tab, which shows several information about that host.

Below the Sankey diagram, four informative-only pie charts show in percentage the items that that generate the most
traffic, divided into: Total by host (top left); application protocols (top right), ASNs (bottom left), and live flow senders
(bottom right).

8.2.2 Flows

The active flows tab contains a big table with a number of information about the active flows:

▪ Info. A click on the icon opens a new page in which more detailed information about that flow is shown.

▪ Application. The application causing the flow. nDPI is used to recognise the application, therefore it might be necessary

to wait for a couple of packets to see the correct application displayed: In this case, the (Too Early) message appears
instead of the application name.

▪ L4 Proto. The network protocol used by the flow, which is usually TCP or UDP.

▪ Client. The hostname and port used by the flow on the client side. Clicking on either the hostname or port, more

information will be shown in a new page about the network traffic flowing that host or port.

▪ Server. The hostname and port used by the flow on the server side. Like for the Client above, more information is

shown when clicking on the hostname or port.

Hint: By clicking on the hostname or port, the table shows detailed information about it, opening a sub-tab in the Hosts tab.

▪ Duration. The length of the connection.

▪ Breakdown. The percentage of traffic generated by the client and by the server.

▪ Throughput. The amount of data currently exchanged between the client (on the left, in black) and server (on the

right, in green).

▪ Total Bytes. The total data exchanged since the connection was first established