In essence we want to empower system administrators and let them know what is happening on their systems, also from the security point of view. You can finally know the name of the process that sent the packet-of-death, so that you can find it on the system and neutralise it. As we have been playing with network flows for more than a decade, we believe the same principle can be applied to system processes, by modelling them in the same way as flows.

In order to achieve this we have extended our flow probe nProbe with sysdig, by developing a new process-monitoring plugin that implements new information elements which can be exported via NetFlow/IPFIX or JSON to ntopng and other applications. The big challenge has been to monitor the system while keeping CPU utilisation low, as busy systems can produce a lot of system events. For this reason we have implemented event filters so that nProbe analyses only those events that are necessary to carry out the job, while the others are discarded inside the kernel (i.e. they are not sent by sysdig to the user-space application at all).

The new information elements include:

%SRC_PROC_PID Src process PID
%SRC_PROC_USER_NAME Src process user name
%SRC_FATHER_PROC_PID Src father process PID
%SRC_FATHER_PROC_NAME Src father process name
%SRC_PROC_ACTUAL_MEMORY Src process actual memory (bytes)
%SRC_PROC_PEAK_MEMORY Src process peak memory (bytes)
%SRC_PROC_AVERAGE_CPU_LOAD Src process avg load (% * 100)
%SRC_PROC_NUM_PAGE_FAULTS Src process num pagefaults
%SRC_PROC_PCTG_IOWAIT Src process iowait time % (% * 100)
%DST_PROC_USER_NAME Dst process user name
%DST_FATHER_PROC_PID Dst father process PID
%DST_FATHER_PROC_NAME Dst father process name
%DST_PROC_ACTUAL_MEMORY Dst process actual memory (bytes)
%DST_PROC_PEAK_MEMORY Dst process peak memory (bytes)
%DST_PROC_AVERAGE_CPU_LOAD Dst process avg load (% * 100)
%DST_PROC_NUM_PAGE_FAULTS Dst process num pagefaults
%DST_PROC_PCTG_IOWAIT Dst process iowait time % (% * 100)

Note that the percentage elements are exported as integers scaled by 100 (a value of 1250 means 12.50 %); collectors must divide by 100 before displaying them.

Thanks to this new plugin it is possible to know, for each flow peer, the name, PID, father PID, memory, I/O and CPU of the process behind the traffic, measured over the duration of the flow. As this information is exported in a standard format, every flow collector on the market can use nProbe-generated flows to enhance its monitoring. However, we have decided to do something special in ntopng to make system information a first-class citizen.

You can find binary, ready-to-use packages at …, which you can install via apt-get or yum depending on your platform: you need to install nprobe, pf_ring and ntopng. Also remember that the sysdig kernel module must be loaded before you start the probe (i.e. …).

In order to activate system+network monitoring, start nProbe v7 (the flow probe) as follows:

nprobe -T "%IPV4_SRC_ADDR %L4_SRC_PORT %IPV4_DST_ADDR %L4_DST_PORT %IN_PKTS %IN_BYTES %FIRST_SWITCHED %LAST_SWITCHED %TCP_FLAGS %PROTOCOL %L7_PROTO" -zmq "tcp://*:1234"

The -T template selects which elements are exported: add the %SRC_PROC_* and %DST_PROC_* elements listed above to it, otherwise the process information is not included in the exported flows.

Then start ntopng (the flow collector; you need to use 1.2.1 or the code currently in SVN) as follows. Note that you can attach several probes to the same ntopng interface, so that process information coming from various hosts is automatically merged:

ntopng -i tcp://:1234,tcp://:1234 …

At this point ntopng is ready to combine system and network activities, as shown below.
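The flows nProbe exports over JSON can be consumed by tools other than ntopng. The following Python consumer is an added example, not code from ntop or from this post: it decodes the process elements attached to each flow peer (including the "(% * 100)" scaling), answers the "which process sent this?" question for a given destination, aggregates bytes per (host, user, process) and flags an illustrative parent/child policy. It assumes that the JSON export uses the information element names without the leading "%" as keys, that the process name and the destination PID are exported as SRC_PROC_NAME, DST_PROC_NAME and DST_PROC_PID alongside the elements listed above, and that records arrive one JSON object per line; the sample records are constructed, not captured from a probe, and the unexpected_children policy is an example check, not something the plugin provides.

```python
"""Consumer for nProbe JSON flow records carrying the sysdig process elements.

Added example, not code from ntop or from the post. Assumptions: nProbe's JSON
export keys records by the element names without the leading '%'; process
names and the destination PID are exported as SRC_PROC_NAME / DST_PROC_NAME /
DST_PROC_PID; one JSON object per line. Sample records are constructed.
"""
import json
from collections import defaultdict

SAMPLE_FLOW_LINES = [  # constructed sample input, not a real capture
    json.dumps({
        "IPV4_SRC_ADDR": "10.0.0.5", "L4_SRC_PORT": 51234,
        "IPV4_DST_ADDR": "203.0.113.9", "L4_DST_PORT": 4444,
        "PROTOCOL": 6, "IN_PKTS": 12, "IN_BYTES": 1800,
        "SRC_PROC_PID": 4242, "SRC_PROC_NAME": "python", "SRC_PROC_USER_NAME": "www-data",
        "SRC_FATHER_PROC_PID": 1337, "SRC_FATHER_PROC_NAME": "apache2",
        "SRC_PROC_ACTUAL_MEMORY": 52428800, "SRC_PROC_PEAK_MEMORY": 62914560,
        "SRC_PROC_AVERAGE_CPU_LOAD": 1250, "SRC_PROC_PCTG_IOWAIT": 75,
    }),
    json.dumps({
        "IPV4_SRC_ADDR": "10.0.0.5", "L4_SRC_PORT": 51240,
        "IPV4_DST_ADDR": "10.0.0.20", "L4_DST_PORT": 5432,
        "PROTOCOL": 6, "IN_PKTS": 300, "IN_BYTES": 240000,
        "SRC_PROC_PID": 1337, "SRC_PROC_NAME": "apache2", "SRC_PROC_USER_NAME": "www-data",
        "SRC_FATHER_PROC_PID": 1, "SRC_FATHER_PROC_NAME": "init",
        "SRC_PROC_AVERAGE_CPU_LOAD": 340, "SRC_PROC_PCTG_IOWAIT": 0,
        "DST_PROC_PID": 900, "DST_PROC_NAME": "postgres", "DST_PROC_USER_NAME": "postgres",
        "DST_FATHER_PROC_PID": 1, "DST_FATHER_PROC_NAME": "init",
    }),
    json.dumps({  # flow seen only on the wire: no process information at all
        "IPV4_SRC_ADDR": "192.0.2.7", "L4_SRC_PORT": 40000,
        "IPV4_DST_ADDR": "10.0.0.5", "L4_DST_PORT": 80,
        "PROTOCOL": 6, "IN_PKTS": 4, "IN_BYTES": 320,
    }),
]

# Per-peer process fields, without the SRC_/DST_ prefix.
PROC_FIELDS = ("PROC_PID", "PROC_NAME", "PROC_USER_NAME", "FATHER_PROC_PID",
               "FATHER_PROC_NAME", "PROC_ACTUAL_MEMORY", "PROC_PEAK_MEMORY",
               "PROC_AVERAGE_CPU_LOAD", "PROC_NUM_PAGE_FAULTS", "PROC_PCTG_IOWAIT")
# Documented as "(% * 100)": exported as integers, so 1250 means 12.50 %.
SCALED_BY_100 = ("PROC_AVERAGE_CPU_LOAD", "PROC_PCTG_IOWAIT")


def process_info(rec, side):
    """Process attached to one flow peer ('SRC' or 'DST'), or None when the
    probe exported no process for that peer."""
    if f"{side}_PROC_PID" not in rec:
        return None
    info = {}
    for field in PROC_FIELDS:
        key = f"{side}_{field}"
        if key in rec:
            info[field] = rec[key] / 100.0 if field in SCALED_BY_100 else rec[key]
    return info


def parse_flows(lines):
    """Parse one JSON record per line into flows with decoded peer processes."""
    flows = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            flows.append({"rec": rec, "src_proc": process_info(rec, "SRC"),
                          "dst_proc": process_info(rec, "DST")})
    return flows


def _label(p, name_key, pid_key):
    """'name[pid]' for a decoded process, or None when there is no process."""
    return None if p is None else f"{p.get(name_key)}[{p.get(pid_key)}]"


def find_sender(flows, dst_addr, dst_port):
    """'Which process sent this?': map a destination back to the sending
    host, process, parent process and user."""
    hits = []
    for f in flows:
        r, p = f["rec"], f["src_proc"]
        if r.get("IPV4_DST_ADDR") == dst_addr and r.get("L4_DST_PORT") == dst_port:
            hits.append({"host": r["IPV4_SRC_ADDR"],
                         "process": _label(p, "PROC_NAME", "PROC_PID"),
                         "parent": _label(p, "FATHER_PROC_NAME", "FATHER_PROC_PID"),
                         "user": None if p is None else p.get("PROC_USER_NAME")})
    return hits


def bytes_per_process(flows):
    """Model processes like flows: aggregate IN_BYTES by (host, user, process)."""
    totals = defaultdict(int)
    for f in flows:
        r, p = f["rec"], f["src_proc"]
        user = None if p is None else p.get("PROC_USER_NAME")
        name = None if p is None else p.get("PROC_NAME")
        totals[(r["IPV4_SRC_ADDR"], user, name)] += r.get("IN_BYTES", 0)
    return dict(totals)


def unexpected_children(flows, parent_name, allowed_children):
    """Illustrative policy (an assumption, not a plugin feature): report flows
    sent by a child of `parent_name` whose name is not in `allowed_children`,
    e.g. a web server spawning an interpreter that opens connections."""
    return [(f["rec"]["IPV4_SRC_ADDR"], _label(f["src_proc"], "PROC_NAME", "PROC_PID"),
             _label(f["src_proc"], "FATHER_PROC_NAME", "FATHER_PROC_PID"))
            for f in flows if f["src_proc"] is not None
            and f["src_proc"].get("FATHER_PROC_NAME") == parent_name
            and f["src_proc"].get("PROC_NAME") not in allowed_children]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LINES)
    print(find_sender(flows, "203.0.113.9", 4444))
    print(bytes_per_process(flows))
    print(unexpected_children(flows, "apache2", {"apache2"}))
```

Feeding real records is a matter of replacing SAMPLE_FLOW_LINES with lines read from a ZMQ subscriber or a file; flows without process elements (traffic the probe only saw on the wire) are kept, with their process set to None, so the aggregation and lookups still account for them.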