# ntopng — Web-Based Network Traffic Monitoring and Analysis

> A high-speed web-based network traffic monitoring tool that provides real-time flow analysis, deep packet inspection, and security alerts.

## Quick Use

```bash
# Debian/Ubuntu
sudo apt install ntopng
sudo ntopng -i eth0
# Open http://localhost:3000 (admin / admin)
```

The distribution package can lag the builds published on packages.ntop.org. Change the default `admin` password at first login (recent releases prompt for this) and keep the web UI off untrusted networks: it exposes every flow on the monitored segment and, started as above, serves it over plain HTTP on port 3000.

## Introduction

ntopng is the next-generation version of ntop, a network traffic probe that monitors network usage in real time. It captures packets or ingests NetFlow/sFlow/IPFIX data, analyzes traffic patterns, and presents results through an interactive web dashboard with drill-down capabilities.

## What ntopng Does

- Captures live traffic from network interfaces or mirror/SPAN ports via libpcap
- Ingests NetFlow v5/v9, sFlow, and IPFIX from routers and switches
- Classifies applications using nDPI deep packet inspection (300+ protocols)
- Detects security anomalies such as port scans, DDoS, and DNS tunneling
- Exports alerts to syslog, Elasticsearch, Kafka, or webhook endpoints

## Architecture Overview

ntopng is a C++ application that runs captured packets through the nDPI classification engine and aggregates them into flows. Per-interface, per-host, and per-application metrics are written to a time-series backend (RRD or InfluxDB) for historical charts; individual flow records are only kept when a flow database such as ClickHouse is configured. The web UI is served by a built-in HTTP server whose pages and REST endpoints are Lua scripts. It supports multi-interface monitoring and receives flows over ZMQ from nProbe, so one central instance can aggregate traffic exported by several remote probes.
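The "ingests NetFlow v5" and "detects port scans" bullets above describe two halves of a collector's job. The following is an added example, not code from ntopng or ntop: it decodes a NetFlow v5 datagram the way a collector must (validate the 24-byte header, then unpack each 48-byte record) and runs a simple detection rule over the decoded flows. The scan heuristic, its thresholds, and the sample datagram are assumptions constructed here for illustration.

```python
"""Decode NetFlow v5 datagrams and flag a simple port-scan pattern.

Added example, not code from ntopng or ntop. The record layout is the
standard NetFlow v5 export format; the scan heuristic, its thresholds and
the sample datagram are assumptions made for illustration.
"""
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")             # version .. sampling field, 24 bytes
RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # one flow record, 48 bytes
MAX_RECORDS = 30          # a v5 exporter never puts more than 30 records in one datagram
TCP_SYN, TCP_ACK = 0x02, 0x10


def ip2int(ip: str) -> int:
    return int.from_bytes(socket.inet_aton(ip), "big")


def int2ip(n: int) -> str:
    return socket.inet_ntoa(n.to_bytes(4, "big"))


def decode_v5(datagram: bytes) -> dict:
    """Return header fields plus a list of flow dicts; raise ValueError on malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated NetFlow header")
    (version, count, _uptime, unix_secs, _nsecs, sequence,
     _engine_type, _engine_id, sampling) = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if count > MAX_RECORDS:
        raise ValueError(f"bogus record count {count}")
    needed = HEADER.size + count * RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: need {needed} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": int2ip(r[0]), "dst": int2ip(r[1]),
            "pkts": r[5], "bytes": r[6],
            "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13],
        })
    # low 14 bits of the sampling field are the interval, the top 2 bits the mode
    return {"sequence": sequence, "unix_secs": unix_secs,
            "sampling_interval": sampling & 0x3FFF, "flows": flows}


def find_port_scans(flows, min_ports: int = 10) -> dict:
    """Map (src, dst) -> sorted probed ports for pairs that look like a TCP scan.

    Heuristic (an assumption, not ntopng's rule): many distinct destination ports
    from one source to one host, each flow a SYN-only probe of at most two packets.
    """
    probed = defaultdict(set)
    for f in flows:
        syn_only = f["tcp_flags"] & TCP_SYN and not f["tcp_flags"] & TCP_ACK
        if f["proto"] == 6 and syn_only and f["pkts"] <= 2:
            probed[(f["src"], f["dst"])].add(f["dport"])
    return {pair: sorted(p) for pair, p in probed.items() if len(p) >= min_ports}


def build_v5(records, sequence: int = 1) -> bytes:
    """Build a v5 datagram from (src, dst, sport, dport, proto, flags, pkts, bytes) tuples.

    Only used to fabricate sample input; a real collector reads datagrams from UDP.
    """
    header = HEADER.pack(5, len(records), 0, 1_700_000_000, 0, sequence, 0, 0, 0)
    body = b"".join(
        RECORD.pack(ip2int(s), ip2int(d), 0, 1, 2, pkts, nbytes, 0, 0,
                    sp, dp, 0, flags, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, flags, pkts, nbytes in records)
    return header + body


# Constructed sample: eleven SYN-only probes to consecutive ports plus one normal flow.
SAMPLE_RECORDS = [("10.0.0.5", "10.0.0.20", 40000 + p, p, 6, TCP_SYN, 1, 60) for p in range(21, 32)]
SAMPLE_RECORDS.append(("10.0.0.7", "10.0.0.20", 51234, 443, 6, TCP_SYN | TCP_ACK, 42, 31337))
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    decoded = decode_v5(SAMPLE_DATAGRAM)
    print(f"seq={decoded['sequence']} flows={len(decoded['flows'])}")
    for (src, dst), ports in find_port_scans(decoded["flows"]).items():
        print(f"possible scan {src} -> {dst}: {len(ports)} ports ({ports[0]}..{ports[-1]})")
```

The length and record-count checks matter on a collector that listens on UDP: a spoofed datagram with a large `count` field would otherwise read past the buffer or inflate flow statistics, which is the same class of input a real collector must reject before it trusts the data.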
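The nDPI classification mentioned above, and the FAQ answer further down on encrypted traffic, both rest on the same idea: a TLS flow is classified from the ClientHello's metadata (SNI, JA3) and never decrypted. The following is an added example, not ntopng or nDPI code, that pulls exactly that metadata out of a ClientHello and computes the JA3 string and hash, dropping GREASE values the way JA3 requires. The ClientHello it parses is constructed in the block; real input is the first client-to-server segment of the TCP stream.

```python
"""Extract the SNI and a JA3 fingerprint from a TLS ClientHello without decrypting anything.

Added example, not ntopng or nDPI code. JA3 = MD5 of
"client_version,ciphers,extensions,supported_groups,ec_point_formats" with
each list dash-joined in wire order and GREASE values removed. The sample
ClientHello is constructed below; the parser itself follows the TLS wire format.
"""
import hashlib
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_GROUPS, EXT_EC_POINT_FORMATS = 0, 10, 11


def is_grease(v: int) -> bool:
    """RFC 8701 GREASE values (0x0a0a, 0x1a1a, ... 0xfafa) are random and must not enter JA3."""
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def _u16(buf: bytes, off: int) -> int:
    if off + 2 > len(buf):
        raise ValueError("truncated field")
    return int.from_bytes(buf[off:off + 2], "big")


def parse_client_hello(record: bytes) -> dict:
    """Return {'sni', 'ja3', 'ja3_hash'}; raise ValueError unless given a complete ClientHello."""
    if len(record) < 5 or record[0] != 0x16:           # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:                    # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")
    try:
        version = _u16(body, 0)
        pos = 2 + 32                                    # client_version, random
        pos += 1 + body[pos]                            # session_id
        n = _u16(body, pos); pos += 2
        ciphers = [_u16(body, i) for i in range(pos, pos + n, 2)]; pos += n
        pos += 1 + body[pos]                            # compression_methods
        ext_types, groups, formats, sni = [], [], [], None
        if pos + 2 <= len(body):                        # extensions block is optional
            end = pos + 2 + _u16(body, pos); pos += 2
            while pos + 4 <= end:
                etype, elen = _u16(body, pos), _u16(body, pos + 2)
                data = body[pos + 4:pos + 4 + elen]
                if len(data) < elen:
                    raise ValueError("truncated extension")
                pos += 4 + elen
                ext_types.append(etype)
                if etype == EXT_SERVER_NAME and len(data) >= 5:
                    sni = data[5:5 + _u16(data, 3)].decode("ascii", "replace")
                elif etype == EXT_SUPPORTED_GROUPS and len(data) >= 2:
                    groups = [_u16(data, i) for i in range(2, 2 + _u16(data, 0), 2)]
                elif etype == EXT_EC_POINT_FORMATS and len(data) >= 1:
                    formats = list(data[1:1 + data[0]])
    except IndexError as exc:
        raise ValueError("malformed ClientHello") from exc

    def dash(values):
        return "-".join(str(v) for v in values if not is_grease(v))

    ja3 = ",".join([str(version), dash(ciphers), dash(ext_types), dash(groups), dash(formats)])
    return {"sni": sni, "ja3": ja3, "ja3_hash": hashlib.md5(ja3.encode()).hexdigest()}


def build_client_hello(sni, ciphers, groups, formats, extra_exts=()) -> bytes:
    """Construct a TLS 1.2-style ClientHello record (sample input only; this is not a TLS client)."""
    def ext(etype, data):
        return struct.pack("!HH", etype, len(data)) + data
    name = sni.encode()
    exts = (ext(EXT_SERVER_NAME, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)
            + ext(EXT_SUPPORTED_GROUPS, struct.pack("!H", 2 * len(groups))
                  + b"".join(struct.pack("!H", g) for g in groups))
            + ext(EXT_EC_POINT_FORMATS, bytes([len(formats)]) + bytes(formats))
            + b"".join(ext(t, d) for t, d in extra_exts))
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


# Constructed sample: a browser-like hello with GREASE values in the cipher, group and extension lists.
SAMPLE_HELLO = build_client_hello(
    "example.com",
    ciphers=[0x1A1A, 0x1301, 0x1302, 0xC02B],
    groups=[0x2A2A, 29, 23],
    formats=[0],
    extra_exts=[(0x3A3A, b""), (23, b"")],          # GREASE and extended_master_secret
)

if __name__ == "__main__":
    fp = parse_client_hello(SAMPLE_HELLO)
    print(f"SNI={fp['sni']}  JA3={fp['ja3']}  hash={fp['ja3_hash']}")
```

Two properties worth noticing when using such fingerprints for detection: the SNI is not part of JA3, so the same client stack produces the same hash for every destination, and GREASE values must be stripped or the hash changes on every connection. Encrypted ClientHello or a missing SNI leaves only the JA3 side of the classification.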
## Self-Hosting & Configuration

- Install from official packages for Debian, Ubuntu, CentOS, or use Docker
- Run with `ntopng -i eth0` (substitute your capture interface) for live capture or `-i tcp://*:5556` to receive flows over ZMQ
- Configure data retention, alert policies, and SNMP monitoring via the web UI
- Use InfluxDB as the time-series backend for long-term metrics, and ClickHouse (paid editions) as the flow database when you need historical flow records
- Use nProbe as a companion flow collector/exporter for distributed deployments

## Key Features

- Real-time top talkers, flow analysis, and application breakdown dashboards
- nDPI-based application-layer protocol detection without port assumptions
- Host behavior analysis with reputation scoring and alert correlation
- SNMP device monitoring with interface traffic graphs
- REST API and Lua scripting for custom dashboards and automated responses

## Comparison with Similar Tools

- **Netdata** — System and network metrics monitoring; broader scope but shallower packet analysis
- **Wireshark** — Packet-level analysis tool; not designed for continuous monitoring or web dashboards
- **Zeek (Bro)** — Network security monitor with script-based analysis; steeper learning curve
- **Elastiflow** — NetFlow collector feeding Elasticsearch; requires ELK stack infrastructure
- **LibreNMS** — SNMP-focused network monitoring; less emphasis on flow-level traffic analysis

## FAQ

**Q: Can ntopng monitor encrypted traffic?**
A: It classifies encrypted flows (TLS, QUIC) from handshake metadata such as the SNI, JA3 fingerprints, and certificate details, without decrypting payloads. Traffic that hides this metadata (for example Encrypted ClientHello) is classified only from what remains visible.

**Q: What hardware do I need?**
A: A modern multi-core CPU handles 1 Gbps easily. For 10 Gbps and above, use a kernel-bypass capture path such as PF_RING ZC or DPDK.

**Q: Does ntopng replace a full SIEM?**
A: No. It focuses on network visibility and alerting. Export alerts to Elasticsearch or a SIEM for correlation with other log sources.

**Q: Is there a free vs. paid version?**
A: The Community edition is free and open source.
The paid Pro and Enterprise editions add features such as encrypted traffic analysis, LDAP authentication, and extended data retention.

## Sources

- https://github.com/ntop/ntopng
- https://www.ntop.org/products/traffic-analysis/ntop/

---

Source: https://tokrepo.com/en/workflows/asset-cf077644
Author: AI Open Source