
pfSense – ntopNG – Custom application

This week I set up a pfSense box with an ntopng instance enabled to get some insights on some traffic captured via a SPAN port. As expected – works great! pfSense and the installable ntopng package do a great job :-)

As I saw a significant amount of traffic marked as “UNKNOWN”, I asked myself if there is a way to get this traffic “labeled” as well – let’s say as “backup” or something like that…

And indeed there is a way – with the steps below one can create a file in which custom rules can be placed.

Credits go to “RedieRoBo”, as he posted the steps in the thread Custom Applications in pfsesne ntopng : PFSENSE (reddit.com).

So, all these commands can be run at “Diagnostics” => “Command Prompt” in a “copy-paste” style:

  • mkdir /var/lib/ntopng
  • touch /var/lib/ntopng/protos.txt
  • chown -R ntopng:ntopng /var/lib/ntopng

The following additional parameter has to be added with “Diagnostics” => “Edit File”.

  • Add ‘-p /var/lib/ntopng/protos.txt’ to the parameter list in /usr/local/etc/rc.d/ntopng.sh

My modified “ntopng.sh” looks like this:

Added parameter

Afterwards you have to restart the ntopng service – do it with “Status” => “Services”:

(!) Bear in mind that the additional parameter in “ntopng.sh” gets deleted when you modify the ntopng settings under “Diagnostics” => “ntopng Settings”. (!)

A good starting point for writing new custom protocol definitions is nDPI/protos.txt at dev · ntop/nDPI · GitHub.

One can edit the “protos.txt” file via “File Editor” or one can add new protocols directly via the ntopng GUI.
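
A pre-restart check for the two things that can silently break this setup, as an added example that is not from the original post or the Reddit thread: a malformed line in “protos.txt”, and an “ntopng.sh” that has lost its ‘-p’ parameter after a settings change. The accepted rule forms are an assumed subset (tcp/udp ports, host, IPv4 ip) based on nDPI's example protos.txt; the function names, the “Backup” label and all sample data are constructed.

```shell
#!/bin/sh
# Added example: pre-restart checks for the custom protocol file.
# The accepted rule forms are a subset taken from nDPI's example protos.txt;
# other rule kinds your nDPI version supports will be reported as malformed.
PORT='(tcp|udp):[0-9]+(-[0-9]+)?'
HOST='host:"[^"]+"'
IP='ip:[0-9]+(\.[0-9]+){3}(/[0-9]+)?(:[0-9]+)?'
MATCH="($PORT|$HOST|$IP)"
RULE="^$MATCH(,$MATCH)*@[A-Za-z0-9_.-]+\$"

# lint_protos FILE: report lines that are neither comments, blank, nor valid
# rules. Returns 0 when the file is clean, 1 otherwise.
lint_protos() {
    bad=$(grep -v -E '^[[:space:]]*(#.*)?$' "$1" | grep -v -E "$RULE" || true)
    [ -z "$bad" ] && return 0
    echo "$bad" | sed 's/^/malformed rule: /' >&2
    return 1
}

# has_protos_param RCFILE PROTOS: true while the rc script still passes
# "-p PROTOS" (the parameter is lost when the ntopng settings are saved).
has_protos_param() {
    grep -q -F -e "-p $2" "$1"
}

# Constructed sample data in a scratch directory (nothing on the box is touched).
DEMO=$(mktemp -d)
cat > "$DEMO/protos.txt" <<'EOF'
# constructed rules: label a backup server's traffic as "Backup"
tcp:10000,udp:10000@Backup
ip:192.0.2.10:443@Backup
host:"backup.example.com"@Backup
EOF
cat > "$DEMO/bad.txt" <<'EOF'
tcp:10000 @Backup
host:backup.example.com@Backup
EOF
# Constructed stand-ins for the rc script, with and without the parameter.
echo 'ntopng -p /var/lib/ntopng/protos.txt' > "$DEMO/rc_ok.sh"
echo 'ntopng' > "$DEMO/rc_reset.sh"

lint_protos "$DEMO/protos.txt" && echo "protos.txt: ok"
has_protos_param "$DEMO/rc_reset.sh" /var/lib/ntopng/protos.txt ||
    echo "rc script lost -p, re-add it before restarting ntopng"
```

On the pfSense box, point the two functions at /var/lib/ntopng/protos.txt and /usr/local/etc/rc.d/ntopng.sh instead of the scratch files.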
