ntopng (2024)

High-Speed Web-based Traffic Analysis and Flow Collection

ntopng is a network traffic probe that provides 360° Network visibility, with its ability to gather traffic information from traffic mirrors, NetFlow exporters, SNMP devices, Firewall logs, Intrusion Detection systems.

ntopng has been written in a portable way in order to virtually run on every Unix platform, including Linux and FreeBSD, MacOS and on Windows as well.ntopng captures traffic from SPAN/mirror ports or TAP devices usinglibpcap, or PF_RING(on Linux) for best performance. Or you can use it in combination with nProbeto collect NetFlow/sFlow from routers and switches, or nProbe Centoto analyze 100 Gbit links at full rate.

ntopng – yes, it’s all lowercase – provides a intuitive, encrypted web user interface for the exploration of realtime and historical traffic information.

Main Features

Sort network traffic according to many criteria including IP address, port, Layer-7 (L7) application protocols, throughput, Autonomous Systems (ASs)
Show realtime network trafficand active hosts
Produce long-term reports for several network metrics including throughput and L7 application protocols
Top talkers (senders/receivers), top ASs, top L7 application protocols
Monitor and report live throughput, network and application latencies, Round Trip Time (RTT), TCP statistics(retransmissions, out of order packets, packet lost), and bytes and packets transmitted
Store on disk persistent traffic statistics to allow future explorations and post-mortem analyses
Geolocate and overlay hosts in a geographicalmap
Discover Layer-7 application protocols (Facebook, YouTube, BitTorrent, etc) by leveraging on nDPI, ntopDeep Packet Inspection (DPI) technology
Analyze IP traffic and sort it according to the source/destination
Report IP protocol usage sorted by protocol type
Produce HTML5/AJAX network traffic statistics
Full support for IPv4 and IPv6
Full Layer-2 support (including ARP statistics)
GTP/GRE detunnelling
Support for ClickHouse, MySQL, ElasticSearchexport of monitored data
Interactive historical exploration of monitored data exported to ClickHouse (no MySQL or ElasticSearch support)
Flexible alerts handling
SNMP v1/v2c/v3 support and continuous monitoring of SNMP devices
Identity Management, including correlation of VPN users to traffic
Focused on traffic visibility and cybersecurity.
Behavioral traffic analyses such as lateral movements and periodic traffic detection
REST API to ease integrations with third-parties.
Native nTap support for collecting traffic from cloud, VMs, containers and physical hosts.

Tech Specs

Platforms	Linux FreeBSD/OPNsense/pfSense Windows x64 (including the latest Windows 10/11) MacOS RaspbianOS
Web GUI	Available through any HTML5-ready web browser TLS/HTTPS support
Requirements	Hardware Sizing
Protocols	Ethernet IPv4/IPv6 TCP/UDP/ICMP GRE DHCP/BOOTP/NetBIOS/DNS… 250+ Layer-7 application protocols supported by nDPI …and many more
Extensibility	Lua scriptability Web interface extensions without having to change the ntopng C++ engine
Additional Features	sFlow, NetFlow (including v5 and v9) and IPFIX support through nProbe (collection from multiple nProbes is supported) Internet Domain, AS, VLAN (Virtual LAN) Statistics Protocol decoders for all application protocols supported by nDPI

Available Versions

ntopng comes in three versions: Community, Professional, and Enterprise M/L/XL. The Community version is free to use and opensource (code can be found on Github). The Professional and Enterprise offer some extra features that are particularly useful for SMEs orlarger organizations. Features are highlighted in the following table.

Feature	Community	Pro	Enterprise
			M	L	XL
Monitor the active flows and hosts of your network (number of interfaces) †	8	8	16	32	64
Monitor Remote Hosts using active monitoring (ICMP, Continuous ICMP, HTTP/S, Throughput, SpeedTest)	✓	✓	✓	✓	✓
Monitor the system, machine on which ntopng is running, Health (CPU usage, RAM usage, Disk Space used, …)	✓	✓	✓	✓	✓
Identify application protocols (Facebook, Youtube, BitTorrent, etc) in the network	✓	✓	✓	✓	✓
Record and Visualize hosts’ historical application protocols usage (timeseries)	✓	✓	✓	✓	✓
Group hostsby VLAN, Operating System, Country, and Autonomous Systems	✓	✓	✓	✓	✓
Get a geographicmap of your network communications with the rest of the world	✓	✓	✓	✓	✓
Discover the devices connected to your Local Network (Network Discovery)	✓	✓	✓	✓	✓
Identify top talkers (senders and receivers) hosts with minute resolution	✓	✓	✓	✓	✓
Visualise the top HTTP sites contacted by an host	✓	✓	✓	✓	✓
Export expired flows information to database, possibly augmented with nProbe data **	✓	✓	✓	✓	✓
Generate alerts (for Flows, Hosts, Interfaces, …) when certain conditions are detected (Threshold Crossed, Suspicious Behaviour, …)	✓	✓	✓	✓	✓
Navigate through the alerts, from the GUI, generated by ntopng to find the problem	✓	✓	✓	✓	✓
Get alerts notifications as Email, Discord, Telegram, WebHook, Slack, Syslog messages or execute Shell Scripts	✓	✓	✓	✓	✓
Split, merge, and visualize VLAN based traffic	✓	✓	✓	✓	✓
Collect datafrom nProbe totreat remote nProbe-monitored interfaces and flow exporter devices (for example routers and switches) as if they were local	✓	✓	✓	✓	✓
Split, merge, and visualize data collected from nProbe	✓	✓	✓	✓	✓
Group local hosts into logical setsof IP and MAC addresses known ashost pools ††	✓	✓	✓	✓	✓
Add/edit application protocols to ntopng (if a protocol file is configured) and edit protocol categories	✓	✓	✓	✓	✓
Mark and historicize traffic with user-defined traffic profiles to match hosts, ports and applications using the BPF syntax (number of profiles)	✗	16	128	128	128
Limit or block hosts’ traffic with customized per-application policies *	✗	✓	✓	✓	✓
Integrate ntopng login withLDAP authentication servers * **	✗	✓	✓	✓	✓
Send alerts to Elasticsearch, to MS Teams or to Fail2Ban	✗	✓	✓	✓	✓
Have access to other ntopng Checks (Alerts)	✗	✓	✓	✓	✓
Add the possibility to create the Network Matrix timeseries (gives the possibility to check traffic between Local Networks)	✗	✓	✓	✓	✓
Visualize and historicise other ntopng data (Interface Score Anomalies, Top Talkers, …)	✗	✗	✓	✓	✓
Graphical reports with top hosts, application protocols, countries, networks, and autonomous systems within any configurable time frame	✗	✗	✓	✓	✓
Automatic (periodic) graphical reports	✗	✗	✗	✓	✓
Graphical reports editor to build custom report templates/td>	✗	✗	✗	✗	✓
Query SNMP devices data, such as port status, traffic and and MAC address information	✗	✗	✓	✓	✓
Get total traffic and activity reports for any givenhost, network, orinterface	✗	✗	✓	✓	✓
Identify attackers and victims through analerts dashboard in realtime and in the past	✗	✗	✓	✓	✓
Visualize host pools’ historical applications protocols usage	✗	✗	✓	✓	✓
Explore and filter flow alerts in the past	✗	✗	✓	✓	✓
Trigger alerts when SNMP unexpected behavior shows up	✗	✗	✓	✓	✓
Have access to other ntopng Checks (Alerts, such as SNMP Alerts)	✗	✗	✓	✓	✓
Visualize and historicise SNMP per-device-port traffic	✗	✗	✓	✓	✓
Visualize and historicise NetFlow/sFlow devices data	✗	✗	✓	✓	✓
Aggregate and Analyze Long-term flow data	✗	✗	✓	✓	✓
Apply per-protocol daily traffic and time quotas to your clients *	✗	✗	✓	✓	✓
High performance flow export to ClickHouse and explorer (both aggregated data explorer and historical flow explorer) *	✗	✗	✓	✓	✓
Custom Interface Disaggregation †	✗	✗	✓	✓	✓
Monitor other ntopng instances (Infrastructure Monitoring)	✗	✗	✗	✓	✓
Hosts Map (find the hosts outliers)	✗	✗	✓	✓	✓
Netflow exporters and ports monitoring (number of exporters)	✗	✗	256	256	1024
Service / Periodicity Maps	✗	✗	✗	✓	✓
Identity Management with Firewalls and Active Directory	✗	✗	✗	✓	✓
Have access to all Behavioural Checks	✗	✗	✗	✓	✓
Native nTap Support	✗	✗	✗	✓	✓
Kafka Support	✗	✗	✗	✓	✓
OT/SCADA: IEC 60870-5-104 Traffic Analysis	✓	✓	✓	✓	✓
OT/SCADA: ModbusTCP Traffic Analysis	✗	✗	✗	✓	✓
Continuous Recording license Included (n2disk 1Gbit)†††† **	✗	✗	✗	Bundle L	Bundle L
Smart Recording license Included (n2disk 1Gbit)†††† **	✗	✗	✗	✗	Bundle XL
Flow Collection license Included (nProbe Pro)††††	✗	✗	✗	Bundle L	✗
Flow Collection license Included (nProbe Enterprise S)††††	✗	✗	✗	✗	Bundle XL

* Feature not available on Windows
** Feature not available on FreeBSD / OPNsense / pfsense
† On adequate hardware (the actual limit may be lower according to system resources).
†† The Enterprise version allows the creation of up to 128 different host pools with an unlimited number of pool members. Professional and Community versions allow the creation of up to 3 different host pools with a maximum of 8 members per pool.
†††† Here you can read more about the software bundled with the Bundle edition

All versions are meant to be used on a “full-fledged PC” such as an x86 machine. Users who plan to install ntopng on Raspberry devices, should consider using the RaspberryOS packages available for ARM.

Use Cases

Monitor a Physical Interface

A physical NIC card can be monitored simply by specifying itsinterface name as

ntopng -i eth0

Flow Collection

Flow collection requires ntopng to be used in conjunction with nProbe whichcan act as probe/proxy. The communication between nProbe and ntopng takes place overZeroMQ, a publish-subscribe protocol that allowsntopng to communicate withnProbe. An environment where a remote nProbe is physically monitoring from a NIC and sending monitored flows to ntopng can be deployed as

nprobe -i eth1 --zmq tcp://192.168.1.1:5556 -T @NTOPNG@

ntopng -i tcp://192.168.1.1:5556

Performance figures are given here.

Operating Systems

License

ntopng Community is distributed under the GNU GPLv3 license. Professional and Enterprise versions are subject to the EULA terms as well.
Enterprise L version already includes n2disk 1 Gbit (Continuous Recording) and nProbe Pro (Flow Collection) licenses.

Get It

Have a look at the download page for installation instructions and at the shop if you are considering to get a license. As all the other ntop products, a licensed ntopng includes installation support.