
Virtual/Cloud Tap
nTap
Virtual Network Tap for Hosts/Cloud/Containers/VMs
nTap is a virtual software tap designed for deployment in physical, virtual, and cloud environments. It remotely captures network traffic at the monitoring location and securely delivers packets to the observation point.
Secure Remote Packet Capture for In-Depth Network Analysis
Secure Delivery
Monitored traffic is delivered remotely using secure packet transmission with robust encryption, eliminating the need for direct cable connections.
Advanced Packet Filtering
Filters monitored traffic in real-time, offering a level of precision typically available only in more expensive packet brokers.
Cloud, Virtual, and Container Support
Seamlessly integrates into modern environments — including containers, virtual machines, and Kubernetes — where traditional physical taps fall short.
Physical Tap vs. nTap
nTap is a virtual software tap that can be used in physical/virtual/cloud environments to capture traffic remotely (with respect to the monitoring location) and deliver packets to the observation point in a secure way. Packet capture is required whenever flow-based analysis tools such as nProbe/nProbe Cento are not suitable because packet-level analysis is required. The main differences between a physical tap and nTap include:
nTap is able to deliver monitored traffic remotely (a physical tap requires a direct cable connection, forcing you to monitor traffic where it is generated).
nTap delivers packets with end-to-end encryption preventing intruders from watching monitored traffic.
nTap can apply packet filtering on monitored traffic (physical taps are unable to do this: more expensive packet brokers provide this feature).
nTap can be used in containers and virtual machines, as well as in highly dynamic environments such as Kubernetes (a physical tap can be used only on a physical network).
nTap is based on two components:
nTap remote: installed on the remote device whose traffic you need to monitor.
nTap collector: receives encrypted packets sent by nTap remote, decrypts them, and pushes them onto a virtual Ethernet interface where you can attach applications such as Wireshark, tcpdump, Suricata or Snort.
Optionally the nTap collector can also send packets to Open vSwitch for maximum flexibility.
ntop applications such as nProbe (Enterprise M/L) and ntopng (Enterprise L) embed the nTap collector, so you can connect one or more nTap remotes directly to nProbe/ntopng without the need to use the nTap collector.
Security and Performance
Contrary to many other commercial virtual tap applications, nTap delivers packets through encrypted channels over UDP. The communication is always unidirectional, from the tap to the collector/ntopng/nProbe, with no return channel: this is a key requirement for running nTap on a high-security network that does not allow a return channel (note that a TCP connection is bidirectional, as some packets, such as ACKs, need to be sent back).
The end-to-end encryption uses state-of-the-art symmetric encryption that takes advantage (when available) of AVX instructions for maximum performance. nTap adds a micro-layer on top of the original packet that carries some metadata (e.g. packet capture time and length), whereas encryption does not enlarge the original packet size to be transmitted.
Containers, Kubernetes, and Virtual Machines
nTap works seamlessly in containers and virtual machines. Typically, the tap component is deployed on remote hosts or containers that may have dynamic IP addresses, while the collector application must run on a host with a static IP address to reliably receive packets. Best of all, no license is required on the host running the tap application.
License
Licensee’s use of this software is conditioned upon acceptance of the terms specified by ntop.
Operating Systems
Linux, Windows, Mac OS