Best way to identify top talkers

[Craig]

Can someone tell me if there is a good way to identify top talkers within Moloch? I have a large amount of pcap data being captured by netsniff-ng and I'd like to see what the majority of that traffic is based on bytes transmitted and then write a bpf filter for netsniff-ng. Is there a good way to identify this so that I can prune some of this out if possible?

Thanks!!

[Matt C]

You can use Kibana, but it's difficult to interpret because the IPs are stored as integers.  The best way I've found is to query the elasticsearch backend directly with my own queries so I can convert back to dotted quads.  I got good results by reporting on the top ASNs and then dumping the announced blocks for them to use as filters.  I've attached a perl script that runs a few top talker queries and one that fetches the announced blocks for an AS and merges them into the largest aggregates it can.

- Matt

[Andrew W]

I've utilized (installed) ntop in tandem with Moloch which provides this data along with other useful analysis capabilities.  I'm looking forward to the next release (Elastic v5) which will provide integration with other capabilities (logstash, kibana, X-Pack).

-Andrew

[erik clark]

How would you rate ntop community versus ntopng?