HowTo Automate & Manage NST Geolocation Results

From NST Wiki
Revision as of 14:18, 25 October 2010 by Rwh (talk | contribs)
***Note: Page Under Construction***


Overview - nstgeolocate Session Manager

The nstgeolocate Session Manager page was designed to help manage and automate the generation of certain geolocation types. The results presented on the page are mostly produced by the NST script nstgeolocate. Currently, auto-generated "ntop Host" geolocation sessions can be created, monitored and managed. Also, all previously generated "IPv4 Address Conversation" geolocation sessions can be viewed or managed. Using the NST menu, one can navigate to the nstgeolocate Session Manager page as shown in the screen shot below.

NST WUI nstgeolocate Session Manager Menu Selection

Collapse / Expand Session Sections

The amount of information presented on the nstgeolocate Session Manager page can be large depending on the number of ntop Host sessions configured and/or the number of IPv4 Address Conversations archived. To help focus, save time and limit the amount of information presented on the page, use a combination of either the "Collapse All Sessions" button or the "Expand All Sessions" button with one or more "Hide / Show" session section folder icons to display your desired page view.

Manage & Monitor ntop Host Sessions

There are 2 sections that display configured ntop Host sessions: one for auto-generating ntop Host Geolocations on one or more Mercator World Map projections, and the other for auto-generating one or more ntop Host Geolocations KML documents that can be rendered on Google Earth. ntop Host sessions are created and configured in section: Create / Update / Import nstgeolocate Host Session. A running ntop session can be local (i.e., running on your NST probe) or remote (i.e., running on a system other than your local NST probe).

ntop Host Session - Table Column Descriptions

Each configured ntop Host session type is presented in a table layout format. The following describes each column header associated with the tables.

  • World Map nstgeolocate Host Session Directory:
Click on a link in this column to use the NST Directory/File Browser to view supporting files associated with generating the ntop World Map Host bit image. Depending on how long you have set the "Map Pruning Interval" value for each session, one can also view historical generated maps in the associated directory.
  • KML Document nstgeolocate Host Session Directory:
Click on a link in this column to use the NST Directory/File Browser to view supporting files associated with generating the ntop KML Document. Depending on how long you have set the "Map Pruning Interval" value for each session, one can also view historical generated KML Documents in the associated directory.
  • C (Cron Control Status):
This column indicates if the configured ntop Host session is under cron control. A green circle icon indicates that it is and a red stop sign icon indicates that it is not. Use an associated "D" action button to disable cron control for the session.
  • Active 'ntop' Session:
This column is used for linkage back to either the configured NST WUI probe ntop management interface or the ntop session user interface.
  • ntop Mgt (HTTP):
Use this button to enter the NST WUI ntop web-based management interface (HTTP access) for the ntop session.
  • ntop Mgt (HTTPS):
Use this button to enter the NST WUI ntop web-based management interface (HTTPS access) for the ntop session.
  • HTTP Access:
Use this link to enter the ntop User web-based management interface (HTTP access) for the ntop session (Default port: 3000).
  • HTTPS Access:
Use this link to enter the ntop User web-based management interface (HTTPS access) for the ntop session (Default port: 3001).
  • Description:
The description for each ntop session includes the "Session Annotation", participating "Network Capture Interfaces" and the current "ntop Session Uptime".
  • Action (Buttons):
      • U (Update ntop Session Settings):
This action button will pre-fill all values associated with the ntop session into the "Create / Update / Import nstgeolocate Host Session" form. Use this action when making changes to an existing ntop session.
      • R (Remove ntop Host Session):
This action button will remove an entire ntop session including supporting files and all previously generated maps or KML documents. Make backups accordingly prior to using this action.
Note: Use either the "Remove All nstgeolocate Host World Map Sessions" button or the "Remove All nstgeolocate Host KML Doc Sessions" button to completely remove all host sessions for the associated geolocation rendered type. Remember to make any backups prior to performing the removal of all sessions.
      • D (Disable Cron Control):
This action button is used to disable cron control for the session. The ntop session will still exist but auto-generation of maps or KML documents will not occur. To re-enable cron control, use a combination of the "U" action button and the "Create / Update nstgeolocate Session" button located in the "Create / Update / Import nstgeolocate Host Session" section.
      • M (Monitor Auto-Generated Maps or KML Documents):
This action is used to monitor each auto-generated ntop Hosts session. See section: "Monitor ntop Hosts Mercator World Map" or section: "Monitor ntop Hosts KML Document (Google Earth)" for further details associated with each geolocation rendered type.


nstgeolocate Session Manager: Configured ntop Host Sessions

Monitor ntop Mercator World Map Hosts

The "ntop World Map Hosts" page allows one to monitor geolocated hosts from an ntop session in pseudo-realtime within your web browser using AJAX with image caching disabled. By enabling a full screen map view (Kiosk mode), you could display the "ntop World Map Hosts" presentation in a NOC setting providing continual geolocated host updates.

The photo below demonstrates the Full Screen Map View of an "ntop World Map Host" session displayed on a 27" iMac using the Google Chrome web browser.

ntop World Map Host: Displayed on a 27" iMac using Google Chrome in a Full Screen Map View
Note: An NST menu shortcut can be used to view the default "ntop World Map Hosts" page by using: "Network" => "Monitors" => "ntop World Map Hosts".

Every 10 seconds a request is made from your web browser back to the NST probe to check for any new map updates and status information changes. The "Map Update Interval" for generating a new "ntop World Map Hosts" image can be configured in section: Create / Update / Import nstgeolocate Host Session.

ntop Hosts World Map
ntop Hosts World Map - with Information Tool Tip
ntop Hosts World Map - with ntop Tool Tip

One can hover the mouse pointer over the "Information" icon to reveal a tool tip providing the Map Description, ntop World Map Hosts Geolocation Update Information and Image Control Button Grid Usage. There are two status "Circle" icons depicting the state of the ntop session and the combination of running the NST script: nstgeolocate under cron control. Normally the status "Circle" icons will appear in the color green. A "Warning" or "Stopped" condition may occur and will appear in the color orange or red. Hover the mouse pointer over each status "Circle" icon to show the current state information and the associated color status definition. The ntop "Circle" icon tool tip will also show "ntop System" and "ntop Session" information similar to what is displayed in the "ntop Hosts World Map - with ntop Tool Tip" screen shot above.

Monitor ntop Hosts KML Document (Google Earth)

Auto-generated ntop Hosts KML documents can be monitored and analyzed on a KML Earth Browser such as Google Earth (See: HowTo Setup Your Client System To View Geolocation Data). These documents will be updated each "Map Update Interval" which can be configured in section: Create / Update / Import nstgeolocate Host Session.

Note: Generating an ntop Hosts KML document can use significant CPU resources and time depending on the number of hosts to geolocate from an ntop session. Be cautious of this fact, especially on an NST probe configured with a slower CPU. One may need to choose a less frequent "Map Update Interval" or limit the number of hosts to geolocate to reduce the system resources necessary in the production of these types of KML documents.

Each host that was geolocated appears as a host marker and contains a 'Host Description' balloon depicting selective ntop network traffic statistics information. Click on a host marker to reveal the 'Host Description' balloon. Hyperlinks are also provided to the ntop (Host Collector) user interface and to one or more NST WUI 'IP Tools' pages for additional network processing using the host's IP Address.

ntop Hosts KML Document
ntop Hosts KML Document - with Description Balloon
ntop Hosts KML Document - with Host Balloon

When using Google Earth, one can also view the 'Document Description' balloon by clicking on the generated KML ntop Hosts place found under Temporary Places within the sidebar on the left-hand side. You can also expand the ntop Hosts place to explore all geolocated hosts and associated network statistics.

Manage & View IPv4 Address Conversation Sessions

Each time IPv4 Address Conversations are geolocated using the decode section from either the Single or the Multi-Tap Network Packet Capture page, they will be cataloged here in this section. There are 2 sections for completed geolocated IPv4 Address Conversations, one for each geolocation rendered type (i.e., Mercator World Map or KML Document). Each section is Web Browser session aware. The sections are grouped by which browser generated the IPv4 Address Conversation geolocations (i.e., your browser and all other browsers), sorted by date/time in descending order (i.e., more recent geolocations are listed first) and displayed in a table layout format.

The geolocate file naming convention used includes the geolocation render type (i.e., "wm" - Mercator World Map or "kml" - KML Document), the network entity to geolocate (i.e., "conv" - IPv4 Address Conversation) and the generated date/time stamp (i.e., "YYMMDD-hhmmss" - YY - Year, MM - Month, DD - Day, hh - Hour, mm - Minute and ss - Second).
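The naming convention above can be checked and used for sorting or age-based selection with a short script. This is an added example, not code from NST: the "-" or "_" separator between fields, the optional file extension, the 2000-based century and the sample names are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Tokens and field order come from the convention above. The "-"/"_" separator,
# the optional file extension and the 2000-based century are assumptions.
NAME_RE = re.compile(r"(wm|kml)[-_](conv)[-_](\d{6})-(\d{6})(?:\.\w+)?")
RENDER_TYPES = {"wm": "Mercator World Map", "kml": "KML Document"}


def parse_name(name):
    """Return (render label, entity, datetime), or None for a non-conforming name."""
    m = NAME_RE.fullmatch(name)
    if not m:
        return None
    render, entity, date, time = m.groups()
    parts = [int(s[i:i + 2]) for s in (date, time) for i in (0, 2, 4)]
    try:
        when = datetime(2000 + parts[0], *parts[1:])
    except ValueError:  # digits that are not a real date/time, e.g. month 13
        return None
    return RENDER_TYPES[render], entity, when


def catalog(names):
    """Group conforming names by render type, newest first; collect the rest."""
    groups = {label: [] for label in RENDER_TYPES.values()}
    rejected = []
    for name in names:
        parsed = parse_name(name)
        if parsed is None:
            rejected.append(name)
        else:
            groups[parsed[0]].append((parsed[2], name))
    for entries in groups.values():
        entries.sort(reverse=True)
    return groups, rejected


def older_than(names, now, max_age):
    """Conforming names whose embedded timestamp is more than max_age before now."""
    parsed = ((n, parse_name(n)) for n in names)
    return [n for n, p in parsed if p and now - p[2] > max_age]


# Constructed sample names, not taken from a real NST probe.
SAMPLE = ["wm-conv-101025-141800", "kml-conv-101024-235959", "wm-conv-101026-090000",
          "wm-conv-101325-141800", "../kml-conv-101024-235959", "wm-host-101025-141800"]

if __name__ == "__main__":
    print(catalog(SAMPLE))
    print(older_than(SAMPLE, datetime(2010, 10, 26, 12, 0, 0), timedelta(days=1)))
```

Names that do not match the convention, including ones carrying path components, are returned in the rejected list rather than acted on.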

IPv4 Address Conversation - Table Column Descriptions

The rendered types of archived IPv4 Address Conversation sessions are presented in a table layout format. Each table is grouped by which browser generated the IPv4 Address Conversation geolocations. The following describes each column header associated with the tables.

  • World Map IPv4 Address Conversation:
Click on a link in this column to use the NST Directory/File Browser to view supporting files associated with generating the ntop World Map Host bit image. Depending on how long you have set the "Map Pruning Interval" value for each session, one can also view historical generated maps in the associated directory.
nstgeolocate Session Manager: Archived IPv4 Address Conversation Geolocations

Create / Update / Import ntop Host Sessions

nstgeolocate Session Manager: Create, Update and Import ntop Host Sessions