.. _UsingNtopngWithCento:

Using ntopng with nProbe Cento
##############################

`nProbe Cento <https://www.ntop.org/products/netflow/nprobe-cento/>`_ is a high-performance flow probe designed to process network traffic at line rate (10/40/100 Gbit and above) using hardware-accelerated capture technologies such as `PF_RING ZC <https://www.ntop.org/guides/pf_ring/zc.html>`_. It decouples the heavy-duty packet processing from the analysis and visualization performed by ntopng, making it the recommended solution for monitoring large or high-speed networks.

.. note::

   An nProbe Cento and PF_RING ZC license is required to operate Cento at line rate on high-speed adapters.

ntopng can collect flows from nProbe Cento in two ways:

  • ZMQ: Cento exports flows over ZMQ to ntopng. This works over the network and supports remote ntopng instances. This is the same mechanism used by nProbe.
  • PF_RING ZC Queue: A local, zero-copy connection between Cento and ntopng running on the same physical host, providing the highest performance.

In addition, Cento can export flows directly to a ClickHouse database, which ntopng can then query for historical flow analysis and visualization. This is described in the `Flow Dump to ClickHouse`_ section.

Collecting Flows via ZMQ
========================

The ZMQ-based integration between Cento and ntopng works in the same way as described in the :ref:`UsingNtopngWithNprobe` section. Cento acts as a ZMQ publisher and ntopng acts as a ZMQ subscriber (or collector).

The following is a minimal working configuration example, assuming both Cento and ntopng run on the same host. If they run on separate machines, replace :code:`127.0.0.1` with the IP address of the machine hosting Cento.

ntopng Configuration

.. code:: bash

   ntopng -i tcp://127.0.0.1:5556c

Cento Configuration

.. code:: bash

   cento -i zc:eth1 --zmq tcp://127.0.0.1:5556

Cento acts as the connection initiator, and the trailing :code:`c` in the ntopng endpoint tells ntopng to listen for incoming connections (collector mode).

Collecting Flows via PF_RING ZC
===============================

When Cento and ntopng run on the same physical host, a PF_RING ZC Socket provides a zero-copy, lower-latency alternative to ZMQ. In this mode Cento passes flows directly to ntopng without any serialization overhead.

Start Cento with the :code:`--monitor|-A` option to enable the ZC socket export. Cento will print the interface name to use in ntopng in its startup log, for example:

.. code:: bash

   ntopng -i zcflow:10@0

.. note::

   The PF_RING ZC queue is a local connection only and supports a single consumer. Use ZMQ if ntopng runs on a different host or if multiple consumers are needed.

For scenarios with multiple capture queues and direct monitoring, Cento can be started as:

.. code:: bash

   cento -i zc:eth1@[0-3] -A --direct-monitor

This eliminates aggregation overhead and enables parallel processing across multiple ntopng interfaces.

Data Encryption
===============

ntopng and Cento support data encryption over ZMQ, based on the native CURVE encryption support in ZMQ (available with ZMQ >= 4.1).

In order to enable encryption, add the :code:`--zmq-encryption` option to the ntopng configuration. A private/public key pair is automatically generated by ntopng and the public key is displayed in the interface status page.

The public key should then be configured in Cento using the :code:`--zmq-encryption-key '<pub key>'` option.

Example:

  • Start ntopng as follows: :code:`ntopng -i tcp://127.0.0.1:5556c --zmq-encryption`
  • Connect to the ntopng web GUI, navigate to the ZMQ interface status page and copy the value of :code:`--zmq-encryption-key '...'`
  • Start Cento as follows: :code:`cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --zmq-encryption-key '<pub key>'`

.. note::

   Unless a private key is provided, ntopng generates a public/private keypair and stores it under :code:`/var/lib/ntopng/key.{pub,priv}`.

.. _Flow Dump to ClickHouse:

Flow Dump to ClickHouse
=======================

nProbe Cento can export flows directly to a ClickHouse database, bypassing the ZMQ channel. ntopng then connects to the same ClickHouse instance in read-only mode for historical flow analysis and visualization.

The architecture follows this pattern:

.. code:: text

   Network Traffic --> nProbe Cento (write) --> ClickHouse <-- ntopng (read-only)

This approach is particularly suited to high-speed environments where storing all flows through ntopng would become a bottleneck.

Cento ClickHouse Options
------------------------

The following Cento options control the ClickHouse export:

  • :code:`--clickhouse <host[:port]>` — ClickHouse server address and native TCP port (default port: :code:`9000`). Append :code:`s` to enable SSL (e.g. :code:`192.168.1.1:9000s`).
  • :code:`--clickhouse-auth <user:password>` — Credentials for the ClickHouse user. Default user is :code:`default`.
  • :code:`--clickhouse-dbname <name>` — Target ClickHouse database name. Defaults to :code:`ntopng`, which matches ntopng's naming convention.
  • :code:`--clickhouse-interface-id <id>` — Associates flows exported by Cento with a specific ntopng interface ID, required to bind flows to the correct ntopng interface. Default value is :code:`0`.
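
The two transport protections documented on this page (:code:`--zmq-encryption-key` for ZMQ and the trailing :code:`s` for ClickHouse) can be checked on a Cento command line before deployment. The following Python linter is an added example, not code from ntopng or Cento; its function names are hypothetical, it handles IPv4 addresses and hostnames only, and it assumes the :code:`s` suffix counts as the SSL marker only when it follows a digit.

```python
import shlex
from urllib.parse import urlsplit

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def cento_options(cmdline):
    """Map each --option to the value after it (None for bare flags)."""
    argv = shlex.split(cmdline)
    opts = {}
    for i, arg in enumerate(argv):
        if arg.startswith("--"):
            nxt = argv[i + 1] if i + 1 < len(argv) else None
            opts[arg] = None if nxt is None or nxt.startswith("-") else nxt
    return opts

def parse_clickhouse(value):
    """Split <host[:port]> plus optional trailing 's' into (host, port, ssl).

    Assumption: the 's' counts as the SSL marker only when it follows a digit,
    so a hostname that merely ends in 's' is not misread.
    """
    ssl = len(value) > 1 and value.endswith("s") and value[-2].isdigit()
    host, _, port = (value[:-1] if ssl else value).partition(":")
    return host, int(port or 9000), ssl  # 9000 is the documented default port

def lint_cento(cmdline):
    """Return findings for exports that leave the host unencrypted."""
    opts, findings = cento_options(cmdline), []
    zmq = opts.get("--zmq")
    if zmq:
        host = urlsplit(zmq).hostname
        if host not in LOOPBACK and "--zmq-encryption-key" not in opts:
            findings.append(f"ZMQ export to {host} lacks --zmq-encryption-key")
    clickhouse = opts.get("--clickhouse")
    if clickhouse:
        host, port, ssl = parse_clickhouse(clickhouse)
        if host not in LOOPBACK and not ssl:
            findings.append(f"ClickHouse export to {host}:{port} lacks the SSL 's' suffix")
    return findings

if __name__ == "__main__":
    # Constructed command lines (192.0.2.0/24 is a documentation range).
    for cmd in (
        "cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --clickhouse 127.0.0.1",
        "cento -i zc:eth1 --zmq tcp://192.0.2.10:5556 --clickhouse 192.0.2.20:9000",
        "cento -i zc:eth1 --zmq tcp://192.0.2.10:5556 --zmq-encryption-key '<pub key>' --clickhouse 192.0.2.20:9000s",
    ):
        print(cmd, "->", lint_cento(cmd) or "ok")
```

Loopback endpoints are accepted without encryption because the traffic never leaves the host; any other destination is reported unless the corresponding option is present.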

Configuration Example
---------------------

Step 1 — Launch nProbe Cento with ClickHouse export:

.. code:: bash

   cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --clickhouse 192.168.1.1 --dpi-level 2

Step 2 — Start ntopng in read-only flow dump mode:

.. code:: bash

   ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump

The :code:`--readonly-flows-dump` option tells ntopng not to write flows to ClickHouse itself, since Cento is the writer in this setup.

For a local all-in-one deployment where Cento, ClickHouse, and ntopng all run on the same host:

.. code:: bash

   cento -i zc:eth1 --clickhouse 127.0.0.1 --clickhouse-interface-id 1
   ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump