Configs · May 6, 2026 · 3 min read

ntopng — Web-Based Network Traffic Monitoring and Analysis

A high-speed web-based network traffic monitoring tool that provides real-time flow analysis, deep packet inspection, and security alerts.

Introduction

ntopng is the next-generation version of ntop, a network traffic probe that monitors network usage in real time. It captures packets or ingests NetFlow/sFlow/IPFIX data, analyzes traffic patterns, and presents results through an interactive web dashboard with drill-down capabilities.

What ntopng Does

  • Captures live traffic from network interfaces or mirrors via libpcap
  • Ingests NetFlow v5/v9, sFlow, and IPFIX from routers and switches
  • Classifies applications using nDPI deep packet inspection (300+ protocols)
  • Detects security anomalies like port scans, DDoS, and DNS tunneling
  • Exports alerts to syslog, Elasticsearch, Kafka, or webhook endpoints

Architecture Overview

ntopng is a C++ application that processes packets through the nDPI classification engine. Flow data is stored in a time-series backend (RRD or InfluxDB) for historical charts. The web UI is served by a built-in HTTP server using Lua templates. It supports multi-interface monitoring and can federate data across multiple ntopng instances via ZMQ.

Self-Hosting & Configuration

  • Install from official packages for Debian, Ubuntu, CentOS, or use Docker
  • Run with ntopng -i <interface> for live capture or -i tcp://*:5556 for ZMQ input
  • Configure data retention, alert policies, and SNMP monitoring via the web UI
  • Set up InfluxDB or ClickHouse as the time-series backend for long-term storage
  • Use nProbe as a companion flow collector for distributed deployments

Key Features

  • Real-time top talkers, flow analysis, and application breakdown dashboards
  • nDPI-based application-layer protocol detection without port assumptions
  • Host behavior analysis with reputation scoring and alert correlation
  • SNMP device monitoring with interface traffic graphs
  • REST API and Lua scripting for custom dashboards and automated responses

Comparison with Similar Tools

  • Netdata — System and network metrics monitoring; broader scope but shallower packet analysis
  • Wireshark — Packet-level analysis tool; not designed for continuous monitoring or web dashboards
  • Zeek (Bro) — Network security monitor with script-based analysis; steeper learning curve
  • Elastiflow — NetFlow collector feeding Elasticsearch; requires ELK stack infrastructure
  • LibreNMS — SNMP-focused network monitoring; less emphasis on flow-level traffic analysis

FAQ

Q: Can ntopng monitor encrypted traffic? A: It classifies encrypted flows (TLS, QUIC) by metadata such as SNI, JA3 fingerprints, and certificate info without decrypting payloads.
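What "classification by metadata" means in practice, as an added example that is not ntopng or nDPI code: the Python below parses a TLS ClientHello handshake message, extracts the SNI host name and derives the JA3 string and its MD5 fingerprint from the unencrypted handshake fields alone. The sample message, its host name and its cipher list are constructed values; GREASE filtering follows RFC 8701.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random noise that clients insert; JA3 drops them.
GREASE = {0x0a0a + 0x1010 * i for i in range(16)}
# Constructed sample: a minimal TLS 1.2 ClientHello handshake message (no record header).
SAMPLE_CLIENT_HELLO = (
    b"\x01\x00\x00\x55"                                # handshake type 1 (ClientHello), length 85
    + b"\x03\x03" + bytes(32)                          # legacy version TLS 1.2 (771), client random
    + b"\x00"                                          # session id length 0
    + b"\x00\x08\x0a\x0a\x13\x01\x13\x02\xc0\x2b"      # 4 cipher suites, the first is GREASE
    + b"\x01\x00"                                      # 1 compression method (null)
    + b"\x00\x24"                                      # extensions length 36
    + b"\x00\x00\x00\x10\x00\x0e\x00\x00\x0bexample.com"  # server_name (SNI) extension
    + b"\x00\x0a\x00\x06\x00\x04\x00\x1d\x00\x17"      # supported_groups: x25519, secp256r1
    + b"\x00\x0b\x00\x02\x01\x00"                      # ec_point_formats: uncompressed
)

def parse_client_hello(msg):
    # Returns (sni, ja3_string, ja3_md5) from a raw ClientHello handshake message.
    if msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    pos = 4                                            # skip handshake type and 3-byte length
    version = struct.unpack_from("!H", msg, pos)[0]
    pos += 2 + 32                                      # version, client random
    pos += 1 + msg[pos]                                # session id
    cs_len = struct.unpack_from("!H", msg, pos)[0]
    ciphers = [c for c in struct.unpack(f"!{cs_len // 2}H", msg[pos + 2:pos + 2 + cs_len]) if c not in GREASE]
    pos += 2 + cs_len
    pos += 1 + msg[pos]                                # compression methods
    ext_end = pos + 2 + struct.unpack_from("!H", msg, pos)[0]
    pos += 2
    ext_types, groups, formats, sni = [], [], [], None
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", msg, pos)
        payload = msg[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype in GREASE:
            continue
        ext_types.append(etype)
        if etype == 0:                                 # server_name: host name of the first entry
            name_len = struct.unpack_from("!H", payload, 3)[0]
            sni = payload[5:5 + name_len].decode("ascii")
        elif etype == 10:                              # supported_groups (elliptic curves)
            n = struct.unpack_from("!H", payload)[0]
            groups = [g for g in struct.unpack(f"!{n // 2}H", payload[2:2 + n]) if g not in GREASE]
        elif etype == 11:                              # ec_point_formats
            formats = list(payload[1:1 + payload[0]])
    # JA3 string: version,ciphers,extensions,groups,point_formats with '-' inside each list
    ja3 = ",".join([str(version)] + ["-".join(map(str, xs)) for xs in (ciphers, ext_types, groups, formats)])
    return sni, ja3, hashlib.md5(ja3.encode()).hexdigest()
```

Identical JA3 strings from many hosts to the same SNI is the kind of signal ntopng can alert on without ever seeing the payload.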

Q: What hardware do I need? A: A modern multi-core CPU handles 1 Gbps easily. For 10 Gbps+, use PF_RING ZC or DPDK for kernel-bypass packet capture.

Q: Does ntopng replace a full SIEM? A: No. It focuses on network visibility and alerting. Export alerts to Elasticsearch or a SIEM for correlation with other log sources.

Q: Is there a free vs. paid version? A: The Community edition is free and open source. The Enterprise edition adds features like encrypted traffic analysis, LDAP auth, and extended data retention.
