This week I set up a pfSense box with an ntopng instance enabled to get some insight into traffic captured via a SPAN port. As expected, it works great! pfSense and the installable ntopng package do a great job :-)
As I saw a significant amount of traffic marked as „UNKNOWN“, I asked myself if there is a way to get this traffic „labeled“ as well, let’s say as „backup“ or something like that…
And indeed there is a way: with the steps below one can create a file in which custom rules can be placed.
Credits go to „RedieRoBo“, as he posted the steps in the thread Custom Applications in pfsesne ntopng : PFSENSE (reddit.com).
So, all these commands can be run at „Diagnostics“ => „Command Prompt“ in a „copy-paste“ style:
- mkdir /var/lib/ntopng
- touch /var/lib/ntopng/protos.txt
- chown -R ntopng:ntopng /var/lib/ntopng
The following additional parameter has to be added with „Diagnostics“ => „Edit File“.
- Add ‚-p /var/lib/ntopng/protos.txt‘ to the parameter list in /usr/local/etc/rc.d/ntopng.sh
My modified „ntopng.sh“ looks like this:

Afterwards you have to restart the ntopng service – do it with „Status“ => „Services“:

(!) Bear in mind that the additional parameter in „ntopng.sh“ gets deleted when you modify the ntopng settings under „Diagnostics“ => „ntopng Settings“. (!)
A good starting point for writing new custom protocol definitions is nDPI/protos.txt at dev · ntop/nDPI · GitHub.
One can edit the „protos.txt“ file via „File Editor“ or one can add new protocols directly via the ntopng GUI.
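Because the „-p“ parameter silently disappears after a settings change, a quick check before trusting the labels helps. The following POSIX sh script is an added example, not part of the original post or of the pfSense package: it writes a few constructed sample rules in the port, host and IP forms used by nDPI's protos.txt, and verifies that the rc script still passes the file and that the file has the expected owner. The function names and the „Backup“ sample values are assumptions.

```shell
#!/bin/sh
# Added example: checks for the custom-protocol setup. Function names are
# hypothetical; try them on copies of the files first.

# Write constructed sample rules (port, host name and IP forms, all labelled
# "Backup"). Refuses to touch a file that already has content.
write_sample_rules() {  # $1 = protos file
    if [ -s "$1" ]; then return 1; fi
    cat > "$1" <<'EOF'
# Constructed sample values, replace with your own backup traffic
tcp:9102@Backup
host:"backup.example.net"@Backup
ip:192.0.2.10@Backup
EOF
}

# Succeeds if a non-comment line of the rc script passes "-p <protos file>".
has_protos_flag() {  # $1 = rc script, $2 = protos file
    grep -v '^[[:space:]]*#' "$1" | grep -q -e "-p[[:space:]]*$2"
}

# Print the owner of a file (third column of ls -l, same on BSD and Linux).
file_owner() { ls -ld "$1" | awk '{print $3}'; }

# Print how many rule lines (tcp:/udp:/host:/ip: ... @Label) the file holds.
count_rules() { grep -c -E '^(tcp|udp|host|ip):.+@.+' "$1" || true; }

# Report every problem found; return non-zero if the setup needs repair.
check_setup() {  # $1 = rc script, $2 = protos file, $3 = expected owner
    bad=0
    has_protos_flag "$1" "$2" || { echo "MISSING: -p $2 in $1"; bad=1; }
    if [ ! -r "$2" ]; then
        echo "MISSING: $2"; bad=1
    else
        [ "$(file_owner "$2")" = "$3" ] || { echo "OWNER: $2 is not owned by $3"; bad=1; }
        [ "$(count_rules "$2")" -gt 0 ] || echo "NOTE: $2 contains no rules yet"
    fi
    return "$bad"
}

# Usage: sh check_ntopng.sh /usr/local/etc/rc.d/ntopng.sh /var/lib/ntopng/protos.txt ntopng
if [ "$#" -eq 3 ]; then check_setup "$@"; fi
```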