ERROR IN NTOPNG


Sardar Sadaqat

May 9, 2019, 4:13:38 AM
to securit...@googlegroups.com
Hi Doug & Wes
I hope you guys are well. I have three interfaces; among them one is monitoring and the two others are sniffing. I tried to install ntopng to monitor these interfaces. I followed the steps and tried to figure out the problem through different sources, but could not.
It gives the following error:
an exception occur during ens32,ens190,ens160 interfaces creation
startup error mising super user privillaged
pf_ring wrong version:kernel is 16 ,libfring was compiled with 17


I also tried to change the local network addresses, but I am still unable to resolve it.
I attached my configuration and related information about ntop here; kindly guide me.

Wes Lambert

May 9, 2019, 7:06:02 AM
to securit...@googlegroups.com
Kevin Branch has an installer script detailed in the docs, however, if you did not use it, you may have run into issues with conflicting pf_ring versions.  Please keep in mind, we don't officially support use of ntopng on Security Onion.

Thanks,
Wes


Kevin Branch

May 9, 2019, 10:50:28 AM
to securit...@googlegroups.com
Hi Sardar,

The issue is that the current ntopng package from ntop.org, which is used by my installer script, now wants a newer version of PF_RING than what Security Onion installs via its own custom package.  That is why you see the "pf_ring wrong version" complaint. That does not actually prevent ntopng from running, just from using PF_RING.  However, ntopng depends on PF_RING to support aggregated interfaces (like --interface=ens32,ens190,ens160), so in this case you need to tell ntopng to use the interfaces separately as below:

In /etc/ntopng/ntopng.conf, change the line
--interface=ens32,ens190,ens160
to separate lines per interface
--interface=ens32
--interface=ens190
--interface=ens160

Then from the ntopng page in your browser, you can click on the Interfaces pull down menu to switch between them.

If you really want ntopng to present the traffic on all three interfaces in an aggregated way, you could create a bonding interface that enslaves all three monitoring interfaces and then point ntopng at the bonding interface.

Are you actually using PF_RING on your SO sensor at this point?  Please temporarily shut down ntopng and then check the output of 
cat /proc/net/pf_ring/info
SO defaults these days to using AFPACKET instead of PF_RING (with Suricata and Bro at least) so very possibly you will see "Total rings: 0" in the above output.

Doug/Wes,

If an SO sensor is already using AFPACKET for both Bro and Suricata, such that PF_RING is not in any actual use, would you foresee any trouble with installing the stock ntop.org packages for pfring and ntopng on SO?  I know we won't support AFPACKET for Snort until 3.0 comes out, but assuming Suricata is in use, maybe in that case there would be no need to use my custom installer script at all to get ntopng installed.

Kevin
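
The two steps described in the reply above, as an added example that is not part of the original thread: expanding an aggregated --interface line into one line per interface, and reading the ring count from a pf_ring info file. The function names and the sample files are constructed for illustration; on a sensor the inputs would be /etc/ntopng/ntopng.conf and /proc/net/pf_ring/info.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# split_interfaces FILE: print FILE with every "--interface=a,b,c" line
# expanded to one "--interface=" line per interface. All other lines
# pass through unchanged. Output goes to stdout; FILE is not modified.
split_interfaces() {
    awk '
        /^[ \t]*--interface=/ {
            sub(/^[ \t]*--interface=/, "")
            n = split($0, nic, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", nic[i])   # trim stray spaces
                if (nic[i] != "") print "--interface=" nic[i]
            }
            next
        }
        { print }
    ' "$1"
}

# total_rings FILE: print the number that follows "Total rings" in a
# pf_ring info file. Prints nothing if the line is absent.
total_rings() {
    sed -n 's/^Total rings[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# Constructed sample input, so the script runs without a sensor.
demo_dir=$(mktemp -d)
printf '%s\n' '--interface=ens32,ens190,ens160' '--http-port=3000' \
    > "$demo_dir/ntopng.conf"
printf '%s\n' 'Total rings: 0' > "$demo_dir/info"

split_interfaces "$demo_dir/ntopng.conf"
echo "rings in use: $(total_rings "$demo_dir/info")"
rm -rf "$demo_dir"
```

Redirect the output of split_interfaces to a new file and review it before replacing the live configuration.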



Sardar Sadaqat

May 10, 2019, 7:13:15 AM
to securit...@googlegroups.com
Thanks sir, it works. I am so grateful.
