
@Howard-Chang
Last active October 23, 2017 08:11
ntopng_Restful(1)
(1)由Source IP查詢
// Query (1): flows whose source address is one IP, taken from one day's ntopng index,
// whose FIRST_SWITCHED (flow start) falls in a time window. Returns selected flow fields
// and sums the byte/packet counters over every matching flow.
// The request path carries no index: the `_index` match clause below is the only thing
// narrowing the search to ntopng-2017.10.22. NOTE(review): scoping the path instead
// (e.g. GET ntopng-2017.10.22/_search) keeps the request off unrelated indices such as .kibana.
GET _search
{
"_source": { // fields to return: flow start/end time, dst IP, byte/packet counters and L7_PROTO_NAME, e.g. HTTP, Facebook, SSL.Amazon, NTP.Apple ... (may also be "unknown")
"includes": [ "FIRST_SWITCHED", "LAST_SWITCHED","IPV4_DST_ADDR","IPV4_SRC_ADDR","L7_PROTO_NAME","IN_BYTES","IN_PKTS","OUT_BYTES","OUT_PKTS"]
},
"from" : 0, "size" : 1000, // number of hits to return; the author caps it at 1000 here and notes it can be adjusted
"query": {
"bool": {
"must": [
{
"match" : { "_index" : "ntopng-2017.10.22" } // one day's index
},
{
"match":{"IPV4_SRC_ADDR":"120.127.163.189"} // the source IP of interest. NOTE(review): query (3) uses match_phrase on this field; if IPV4_SRC_ADDR is mapped as analyzed text, `match` can also hit other addresses sharing a token — confirm the field mapping (ip/keyword) before relying on this for attribution
},
{
"range" : {
"FIRST_SWITCHED" : {
"gte" : 1508601600, // time window on flow start; epoch seconds, judging by the 10-digit FIRST_SWITCHED values in the responses
"lte" : 1508684400 // NOTE(review): 1508684400 - 1508601600 = 82800 s (23 h); if the full day of the index was intended, the last hour is not covered — confirm
}
}
}
]
}
},
"aggs": { // sums of the byte/packet counters over all matching flows (aggregations run on every match, not only the returned hits)
"IN_PKTS": {
"sum": {
"field": "IN_PKTS"
}
},
"IN_BYTES": {
"sum": {
"field": "IN_BYTES"
}
},
"OUT_BYTES": {
"sum": {
"field": "OUT_BYTES"
}
},
"OUT_PKTS": {
"sum": {
"field": "OUT_PKTS"
}
}
}
}
--------------------------------------------------------------------------------------------------------
回傳結果:
由於資料筆數太多了,所以只擷取部分資料
"took": 49,
"timed_out": false,
"_shards": {
"total": 16,
"successful": 16,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 5703, //回傳了5703筆資料
"max_score": 3,
"hits": [
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BYf7IWkHrd_Wf6KKQ",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 15,
"IN_BYTES": 4538,
"LAST_SWITCHED": 1508630137,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "17.252.157.36",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508629981
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BaSwpWkHrd_Wf6amY",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL.Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 14,
"IN_BYTES": 2458,
"LAST_SWITCHED": 1508630869,
"OUT_PKTS": 11,
"IPV4_DST_ADDR": "17.125.249.10",
"OUT_BYTES": 4370,
"FIRST_SWITCHED": 1508630838
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BbulsWkHrd_Wf6qwd",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP.Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 2488,
"IN_BYTES": 144394,
"LAST_SWITCHED": 1508631243,
"OUT_PKTS": 7291,
"IPV4_DST_ADDR": "17.253.85.202",
"OUT_BYTES": 10891244,
"FIRST_SWITCHED": 1508631234
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BcszXWkHrd_Wf61IL",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 14,
"IN_BYTES": 1795,
"LAST_SWITCHED": 1508631233,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "104.116.17.85",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508631233
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BdrBtWkHrd_Wf6-iq",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL.Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 2,
"IN_BYTES": 110,
"LAST_SWITCHED": 1508631751,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "17.252.236.207",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508631751
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BdocNWkHrd_Wf6-A5",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP.Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 6,
"IN_BYTES": 455,
"LAST_SWITCHED": 1508631745,
"OUT_PKTS": 5,
"IPV4_DST_ADDR": "17.253.85.202",
"OUT_BYTES": 965,
"FIRST_SWITCHED": 1508631745
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9Bd4cXWkHrd_Wf7Amv",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL.Facebook",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 15,
"IN_BYTES": 2586,
"LAST_SWITCHED": 1508631811,
"OUT_PKTS": 11,
"IPV4_DST_ADDR": "31.13.87.52",
"OUT_BYTES": 1835,
"FIRST_SWITCHED": 1508631747
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9Bd4isWkHrd_Wf7Ap8",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 35,
"IN_BYTES": 4240,
"LAST_SWITCHED": 1508631807,
"OUT_PKTS": 31,
"IPV4_DST_ADDR": "104.115.174.181",
"OUT_BYTES": 35169,
"FIRST_SWITCHED": 1508631777
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9BeoRcWkHrd_Wf7JW0",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "NTP.Apple",
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 5,
"IN_BYTES": 380,
"LAST_SWITCHED": 1508631733,
"OUT_PKTS": 1,
"IPV4_DST_ADDR": "17.253.68.125",
"OUT_BYTES": 76,
"FIRST_SWITCHED": 1508631725
}
}
.
.
.
.
.
.
.
.
.
,
"aggregations": { //總封包流量
"IN_BYTES": {
"value": 41521742
},
"IN_PKTS": {
"value": 427370
},
"OUT_PKTS": {
"value": 612876
},
"OUT_BYTES": {
"value": 798088610
}
}
}
-----------------------------------------------------------------------------------------------
(2)由Destination IP反查
// Query (2): reverse lookup — flows whose destination address is one IP, on one day's
// ntopng index, within a FIRST_SWITCHED window. Also returns the L4 ports, sorts hits by
// IN_BYTES descending, and sums the byte/packet counters over every matching flow.
// As in query (1) the path carries no index; see the note on "sort" below for the
// consequence that shows up in the response.
GET _search
{
"_source": {
    "includes": [ "FIRST_SWITCHED","LAST_SWITCHED","L4_SRC_PORT","IPV4_SRC_ADDR","L7_PROTO_NAME","IN_BYTES","IN_PKTS","OUT_BYTES","OUT_PKTS","L4_DST_PORT"]
},
"from" : 0, "size" : 1000, // number of hits to return (same cap as query (1))
"query": {
"bool": {
"must": [
{
"match" : { "_index" : "ntopng-2017.10.22" } // one day's index
},
{
"match":{"IPV4_DST_ADDR":"120.127.163.189"} // the destination IP of interest (same mapping caveat as the `match` on IPV4_SRC_ADDR in query (1))
},
{
"range" : {
"FIRST_SWITCHED" : {
"gte" : 1508601600, // time window on flow start, epoch seconds; same 23 h window as query (1)
"lte" : 1508684400
}
}
}
]
}
},
"sort" :
{
      "IN_BYTES" : {"order" : "desc"}  // return hits ordered by IN_BYTES, largest first. NOTE(review): the response below reports one failed shard — `.kibana` has no IN_BYTES mapping to sort on, because the unscoped GET _search also targets that index; hits still come back from the 20 successful shards, so check _shards.failed before treating the result as complete
    },
"aggs": { // sums of the byte/packet counters over all matching flows
"IN_PKTS": {
"sum": {
"field": "IN_PKTS"
}
},
"IN_BYTES": {
"sum": {
"field": "IN_BYTES"
}
},
"OUT_BYTES": {
"sum": {
"field": "OUT_BYTES"
}
},
"OUT_PKTS": {
"sum": {
"field": "OUT_PKTS"
}
}
}
}
------------------------------------------------------------------------------------------------
回傳結果:
由於資料筆數太多了,所以只擷取部分資料
{
"took": 67,
"timed_out": false,
"_shards": {
"total": 21,
"successful": 20,
"skipped": 0,
"failed": 1,
"failures": [
{
"shard": 0,
"index": ".kibana",
"node": "NLAcXLopQtmUOd43MH8n8w",
"reason": {
"type": "query_shard_exception",
"reason": "No mapping found for [IN_BYTES] in order to sort on",
"index_uuid": "WFNw6F1PRNiFa-4URuM_dg",
"index": ".kibana"
}
}
]
},
"hits": {
"total": 42981,
"max_score": null,
"hits": [
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9DMyAOWkHrd_WfbKZF",
"_score": null,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 9995,
"IPV4_SRC_ADDR": "17.253.85.202",
"IN_PKTS": 358735,
"IN_BYTES": 538077892,
"LAST_SWITCHED": 1508660882,
"L4_SRC_PORT": 80,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "120.127.163.189",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508660652
},
"sort": [
538077892
]
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9DNXAYWkHrd_WfbUm3",
"_score": null,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 9995,
"IPV4_SRC_ADDR": "17.253.85.202",
"IN_PKTS": 353951,
"IN_BYTES": 530916364,
"LAST_SWITCHED": 1508661058,
"L4_SRC_PORT": 80,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "120.127.163.189",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508660650
},
"sort": [
530916364
]
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9DEJPiWkHrd_WfYhlw",
"_score": null,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 55048,
"IPV4_SRC_ADDR": "17.253.85.202",
"IN_PKTS": 240148,
"IN_BYTES": 360193064,
"LAST_SWITCHED": 1508658346,
"L4_SRC_PORT": 80,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "120.127.163.189",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508657510
},
"sort": [
360193064
]
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EP1CjWkHrd_WfvR-N",
"_score": null,
"_source": {
"L7_PROTO_NAME": "SSL",
"L4_DST_PORT": 53767,
"IPV4_SRC_ADDR": "31.13.87.15",
"IN_PKTS": 139706,
"IN_BYTES": 196974748,
"LAST_SWITCHED": 1508678448,
"L4_SRC_PORT": 443,
"OUT_PKTS": 40747,
"IPV4_DST_ADDR": "120.127.163.189",
"OUT_BYTES": 2396830,
"FIRST_SWITCHED": 1508677599
},
"sort": [
196974748
]
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9CP1b2WkHrd_WfJlke",
"_score": null,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 33146,
"IPV4_SRC_ADDR": "163.28.228.11",
"IN_PKTS": 123762,
"IN_BYTES": 184412661,
"LAST_SWITCHED": 1508644633,
"L4_SRC_PORT": 80,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "120.127.163.189",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508644392
},
"sort": [
184412661
]
},
       .
       .
       .
       .
       .
       .
       .
       .
       .
,
"aggregations": {
"IN_BYTES": {
"value": 1315216552
},
"IN_PKTS": {
"value": 978304
},
"OUT_PKTS": {
"value": 141059
},
"OUT_BYTES": {
"value": 24184931
}
}
}
----------------------------------------------------------------------------------------------------------
(3)統計特定時間內，特定 source IP 連往各 destination IP & port 的 TCP 與 UDP session 數
// Query (3): flows from one source IP within a 40-minute window (1508684400 - 1508682000 = 2400 s),
// returning dst IP/port per flow, the summed byte/packet counters, a per-PROTOCOL bucket count
// restricted to TCP and UDP, and a distinct count of source ports in use.
// NOTE(review): there is no terms bucket on IPV4_DST_ADDR / L4_DST_PORT, so the per-destination
// breakdown named in the heading is only visible in the raw hits, not in the aggregations.
GET _search
{
"_source": {
"includes": [ "FIRST_SWITCHED", "LAST_SWITCHED","IPV4_DST_ADDR","L4_DST_PORT","IPV4_SRC_ADDR","L7_PROTO_NAME","IN_BYTES","IN_PKTS","OUT_BYTES","OUT_PKTS"]
},
"from" : 0, "size" : 1000, // number of hits to return
"query": {
"bool": {
"must": [
{
"match" : { "_index" : "ntopng-2017.10.22" } // one day's index (path is still unscoped, as in queries (1) and (2))
},
{
"match_phrase":{"IPV4_SRC_ADDR":"120.127.163.189"} // the source IP of interest; match_phrase here, unlike the plain `match` used in queries (1) and (2)
},
{
"range" : {
"FIRST_SWITCHED" : {
"gte" : 1508682000, // time window on flow start, epoch seconds
"lte" : 1508684400
}
}
}
]
}
},
"aggs": {
"IN_PKTS": {
"sum": {
"field": "IN_PKTS"
}
},
"IN_BYTES": {
"sum": {
"field": "IN_BYTES"
}
},
"OUT_BYTES": {
"sum": {
"field": "OUT_BYTES"
}
},
"OUT_PKTS": {
"sum": {
"field": "OUT_PKTS"
}
},
"protocol" : { // one bucket per PROTOCOL value, i.e. number of flows (sessions) per transport protocol
"terms" : {
"field" : "PROTOCOL",
                "include" : ["17", "6"]       // count UDP and TCP sessions only; PROTOCOL 17 = UDP, 6 = TCP. In the response below hits.total is 1633 while the buckets sum to 1545 + 82 = 1627, so 6 flows with another PROTOCOL value are dropped by this include
              }
},
      "Using_port_count" : {                 // number of distinct source ports in use (cardinality is an approximate distinct count)
          "cardinality" : {
"field" : "L4_SRC_PORT"
}
}
}
}
-------------------------------------------------------------------------------------------------
回傳結果:
{
"took": 76,
"timed_out": false,
"_shards": {
"total": 21,
"successful": 21,
"skipped": 0,
"failed": 0
},
"hits": {
"total": 1633,
"max_score": 3,
"hits": [
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9Eka40WkHrd_Wf2cAS",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 80,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 5,
"IN_BYTES": 523,
"LAST_SWITCHED": 1508683588,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "61.221.181.18",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508683558
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EkdzeWkHrd_Wf2dLD",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 80,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 2,
"IN_BYTES": 110,
"LAST_SWITCHED": 1508683863,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "23.236.104.19",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508683863
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EkmlIWkHrd_Wf2fp3",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "SSL.Apple",
"L4_DST_PORT": 443,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 16,
"IN_BYTES": 2152,
"LAST_SWITCHED": 1508683900,
"OUT_PKTS": 13,
"IPV4_DST_ADDR": "17.132.73.76",
"OUT_BYTES": 6945,
"FIRST_SWITCHED": 1508683899
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EkkPdWkHrd_Wf2fGO",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 80,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 2,
"IN_BYTES": 110,
"LAST_SWITCHED": 1508683891,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "163.28.228.11",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508683891
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EkixJWkHrd_Wf2ejo",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 80,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 2,
"IN_BYTES": 110,
"LAST_SWITCHED": 1508683883,
"OUT_PKTS": 0,
"IPV4_DST_ADDR": "163.28.228.8",
"OUT_BYTES": 0,
"FIRST_SWITCHED": 1508683883
}
},
{
"_index": "ntopng-2017.10.22",
"_type": "ntopng",
"_id": "AV9EkjO0WkHrd_Wf2exl",
"_score": 3,
"_source": {
"L7_PROTO_NAME": "HTTP",
"L4_DST_PORT": 80,
"IPV4_SRC_ADDR": "120.127.163.189",
"IN_PKTS": 4,
"IN_BYTES": 220,
"LAST_SWITCHED": 1508683885,
"OUT_PKTS": 2,
"IPV4_DST_ADDR": "163.28.228.9",
"OUT_BYTES": 112,
"FIRST_SWITCHED": 1508683883
}
},
     .
     .
     .
     .
     .
     .
     .
     .
.
,
"aggregations": {
"protocol": {
"doc_count_error_upper_bound": 0,
"sum_other_doc_count": 0,
"buckets": [
{
"key": 6,
"doc_count": 1545 //TCP session
},
{
"key": 17,
"doc_count": 82 //UDP session
}
]
},
"IN_BYTES": {
"value": 29671809
},
"IN_PKTS": {
"value": 189715
},
  "Using_port_count": {       //Source port被占用的總數量
"value": 1510
},
"OUT_PKTS": {
"value": 165507
},
"OUT_BYTES": {
"value": 199467509
}
}
}