FloCon 2017

Flow-based network traffic monitoring plays a crucial role when it comes to troubleshoot application problems, investigate security incidents, and comply with industry and government regulations. However, most flow-based probes embedded in network devices are limited to basic counters such as packets and bytes. Alongside of this, probes embedded in security devices often produce 'event-driven' flows based on the firewall status (e.g. when a connection is created/deleted from the firewall table), making measurements complicated without adding any specific security information elements, beside DPI.

For years both research and industry have been focusing on how to overcome the limitations of flow devices. We have decided to focus on the 'augmented' flow generation using both raw packets and other sources of network data (e.g. sFlow- and NetFlow-capable devices), as we believe that rich flow generation is the first step towards the next-generation traffic monitoring. With this belief at the core our our mission, we created the nProbe family of flow-based traffic monitoring software, efficient enough to keep up with the latest 100 Gbit technologies, while being able to enrich flows with hundreds of new information elements.

nProbe is a family of software-based flow collectors and probes able to handle standard and extended flow formats (e.g. those produced by Cisco ASA devices and PaloAlto firewalls). It contextualizes and harmonizes heterogeneous data into 'augmented' flows enriched with information (almost 300 information elements are supported by nProbe) on Layer-7 applications, telemetry data, DNS queries, HTTP URLs, SSL/TLS certificates and more for real traffic troubleshooting and security analyses. Lua scriptability enables custom applications to leverage on the framework to create monitoring solutions directly on the probe, rather than using the classic flow-probe/flow-collector model that is less efficient
and cannot timely execute actions on monitored data. nProbe can also deliver augmented flow data in standard formats to simple text files and syslog, as well as to more sophisticated Apache Kafka clusters, MySQL, ElasticSearch and Splunk. This great flexibility allows companies to quickly, efficiently and seamlessly integrate the software in their existing infrastructures.