ntopng

High-Speed Web-based Traffic Analysis and Flow Collection

ntopng is the next-generation version of the original ntop, a network traffic probe that monitors network usage. ntopng is based on libpcap and has been written in a portable way so that it runs on virtually every Unix platform, on macOS and on Windows.

ntopng – yes, it’s all lowercase – provides an intuitive, encrypted (HTTPS) web user interface for the exploration of realtime and historical traffic information.

Main Features

Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, Autonomous Systems (ASs)

Show realtime network traffic and active hosts

Produce long-term reports for several network metrics including throughput and application protocols

Top talkers (senders/receivers), top ASs, top L7 applications

Monitor and report live throughput, network and application latencies, Round Trip Time (RTT), TCP statistics (retransmissions, out-of-order packets, packet loss), and bytes and packets transmitted

Store on disk persistent traffic statistics to allow future explorations and post-mortem analyses

Geolocate and overlay hosts in a geographical map

Discover application protocols (Facebook, YouTube, BitTorrent, etc.) by leveraging nDPI, ntop’s Deep Packet Inspection (DPI) technology

Characterise HTTP traffic by leveraging characterisation services provided by Google and HTTP Blacklist.

Analyse IP traffic and sort it according to the source/destination.

Report IP protocol usage sorted by protocol type

Produce HTML5/AJAX network traffic statistics.

Full support for IPv4 and IPv6

Full Layer-2 support (including ARP statistics)

GTP/GRE detunnelling

Support for MySQL, ElasticSearch and LogStash export of monitored data

Interactive historical exploration of monitored data exported to MySQL

Alerts engine to capture anomalous and suspicious hosts

SNMP v1/v2c support and continuous monitoring of SNMP devices

Identity Management, including correlation of VPN users to traffic

Tech Specs

Platforms
Unix (including Linux, *BSD, and macOS)
Windows x64 (including the latest Windows 10)
ARM

Web GUI
Available through any HTML5-ready web browser
SSL/HTTPS support

Requirements
Memory usage: depends on the ntopng configuration, the number of hosts, and the number of active TCP sessions. In general it ranges from a few MB (small LAN) to 100 MB for a WAN.
CPU usage: depends on the ntopng configuration and on traffic conditions. On a modern PC monitoring a large LAN, it is less than 10% of overall CPU load.

Protocols
Ethernet
IPv4/IPv6
TCP/UDP/ICMP
GRE
DHCP/BOOTP/NetBIOS/DNS…
250+ Layer-7 application protocols supported by nDPI
…and many more

Extensibility
Lua scriptability
Web interface extensions without having to change the ntopng C++ engine.

Additional Features
sFlow, NetFlow (including v5 and v9) and IPFIX support through nProbe (collection from multiple nProbes is supported)
Internet Domain, AS (Autonomous System), VLAN (Virtual LAN) statistics.
Protocol decoders for all application protocols supported by nDPI.

Available Versions

ntopng comes in four versions: Community, Professional, Enterprise M and Enterprise L. The Community version is free to use and open source (the code can be found on GitHub). The Professional and Enterprise versions offer extra features that are particularly useful for SMEs and larger organizations. Features are highlighted in the following table.

Feature | Community | Pro | Enterprise M | Enterprise L
Monitor the active flows and hosts of your network † | ✓ | ✓ | ✓ | ✓
Identify application protocols (Facebook, YouTube, BitTorrent, etc.) in the network | ✓ | ✓ | ✓ | ✓
Record and visualize hosts’ historical application protocol usage | ✓ | ✓ | ✓ | ✓
Group hosts by VLAN, operating system, country, and Autonomous System | ✓ | ✓ | ✓ | ✓
Get a geographic map of your network communications with the rest of the world | ✓ | ✓ | ✓ | ✓
Identify top talker hosts (senders and receivers) with minute resolution | ✓ | ✓ | ✓ | ✓
Visualize the top HTTP sites contacted by a host | ✓ | ✓ | ✓ | ✓
Export expired flow information to MySQL, possibly augmented with nProbe data | ✓ | ✓ | ✓ | ✓
Generate alerts when hosts cross configurable time/traffic thresholds or behave suspiciously | ✓ | ✓ | ✓ | ✓
Get alert notifications as Slack messages | ✓ | ✓ | ✓ | ✓
Split, merge, and visualize VLAN-based traffic | ✓ | ✓ | ✓ | ✓
Collect data from nProbe to treat remote nProbe-monitored interfaces and flow exporter devices (for example routers and switches) as if they were local | ✓ | ✓ | ✓ | ✓
Split, merge, and visualize data collected from nProbe | ✓ | ✓ | ✓ | ✓
Group local hosts into logical sets of IP and MAC addresses known as host pools †† | ✓ | ✓ | ✓ | ✓
Get a realtime view of top talkers and application protocols and compare them with daily activities | ✗ | ✓ | ✓ | ✓
Explore recorded MySQL data to identify the cause of network problems | ✗ | ✓ | ✓ | ✓
Generate graphical reports with top hosts, application protocols, countries, networks, and autonomous systems within any configurable time frame | ✗ | ✓ | ✓ | ✓
Mark and historicise traffic with user-defined traffic profiles that match hosts, ports and applications using BPF syntax ‡ | ✗ | ✓ | ✓ | ✓
Limit or block your hosts’ traffic with customized per-protocol policies * | ✗ | ✓ | ✓ | ✓
Integrate ntopng login with LDAP authentication servers * | ✗ | ✓ | ✓ | ✓
Send ntopng-generated alerts to Nagios * | ✗ | ✓ | ✓ | ✓
Query SNMP device data, such as port status, traffic and MAC address information | ✗ | ✗ | ✓ | ✓
Advanced MySQL insertions yielding 5x faster database writes | ✗ | ✗ | ✓ | ✓
Optimized MySQL aggregations for faster historical flow data exploration | ✗ | ✗ | ✓ | ✓
Get total traffic and activity reports for any given host, network, or interface | ✗ | ✗ | ✓ | ✓
Identify attackers and victims through an alerts dashboard, in realtime and in the past | ✗ | ✗ | ✓ | ✓
Visualize host pools’ historical application protocol usage | ✗ | ✗ | ✓ | ✓
Explore and filter past flow alerts | ✗ | ✗ | ✓ | ✓
Visualize and historicise SNMP per-device-port traffic | ✗ | ✗ | ✓ | ✓
Visualize and historicise NetFlow/sFlow device data | ✗ | ✗ | ✓ | ✓
Apply per-protocol daily traffic and time quotas to your clients * | ✗ | ✗ | ✓ | ✓
High Performance Embedded Flow Index * ††† | ✗ | ✓ | ✓ | ✓
Continuous Traffic Recording * | ✗ | ✗ | ✓ | ✓
Custom Interface Disaggregation | ✗ | ✗ | ✓ | ✓
Identity Management | ✗ | ✗ | ✗ | ✓
Continuous Recording license included (n2disk 1 Gbit) | ✗ | ✗ | ✗ | ✓
Flow Collection license included (nProbe Pro) | ✗ | ✗ | ✗ | ✓

* Feature not available on Windows

† The Enterprise version allows the simultaneous monitoring of up to 128 different network interfaces. The Professional and Community versions allow the monitoring of up to 32 different interfaces.

†† The Enterprise version allows the creation of up to 128 different host pools with an unlimited number of pool members. Professional and Community versions allow the creation of up to 3 different host pools with a maximum of 8 members per pool.

‡ The Enterprise version allows the creation of up to 128 different traffic profiles. The Professional version allows the creation of up to 16 traffic profiles.

††† Max 3 days retention on Pro, unlimited retention on Enterprise

All versions are meant to be used on a “full-fledged PC” such as an x86 machine. Users who plan to install ntopng on embedded devices should consider using the embedded packages available for ARM.

Use Cases

Monitor a Physical Interface

A physical NIC can be monitored simply by specifying its interface name:

ntopng -i eth0

Flow Collection

Flow collection requires ntopng to be used in conjunction with nProbe, which can act as a probe or as a proxy for flow exporters. nProbe and ntopng communicate over ZeroMQ in publish-subscribe fashion: nProbe publishes the flows it monitors and ntopng subscribes to them. Unless ZeroMQ encryption has been configured, those flow records cross the network in clear text, so the ZeroMQ endpoint should be reachable only from the ntopng host. An environment where a remote nProbe monitors a NIC and sends the resulting flows to ntopng can be deployed as

nprobe -i eth1 --zmq tcp://192.168.1.1:5556 -T @NTOPNG@

ntopng -i tcp://192.168.1.1:5556

In this configuration ntopng can process more than 100,000 flows/second on an Intel Xeon E3-1230 v3 3GHz (note: ntopng and nProbe run on different hosts; running both on the same host can degrade performance).
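The two-host deployment above, wrapped in a small POSIX sh script as an added example (this is not code from the ntop project). It builds both command lines from a single endpoint variable so the probe and collector cannot drift apart, validates the endpoint syntax, and prints iptables rules that restrict the ZeroMQ port to the collector. The addresses (nProbe on 192.168.1.1 capturing eth1, ntopng on 192.168.1.2), the use of iptables as the host firewall, and the function names are assumptions for illustration; none of them appear on the original page.

```shell
#!/bin/sh
# Added example, not code from the ntop project: wraps the nProbe -> ntopng
# flow collection setup in a script with the checks a practitioner wants.
# Assumptions not on the original page: nProbe runs on 192.168.1.1 and
# captures eth1, ntopng runs on 192.168.1.2, iptables is the host firewall.

ZMQ_ENDPOINT="tcp://192.168.1.1:5556"   # nProbe publishes flows here, ntopng subscribes
NTOPNG_HOST="192.168.1.2"               # assumed address of the ntopng collector
PROBE_IFACE="eth1"                      # NIC that nProbe captures from

# zmq_host ENDPOINT: print the host part of a tcp://host:port endpoint
zmq_host() {
    h="${1#tcp://}"
    printf '%s\n' "${h%:*}"
}

# zmq_port ENDPOINT: print the port part; fail if it is not a number
zmq_port() {
    p="${1##*:}"
    case "$p" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$p"
}

# valid_zmq_endpoint ENDPOINT: succeed only for tcp://host:port with a numeric port
valid_zmq_endpoint() {
    case "$1" in
        tcp://*:*) zmq_port "$1" >/dev/null ;;
        *)         return 1 ;;
    esac
}

# firewall_rules ENDPOINT COLLECTOR: print iptables rules that let only the
# ntopng collector reach the ZeroMQ publisher. ZeroMQ carries the flow records
# in clear text unless encryption is configured, so the port must not be
# reachable from untrusted networks.
firewall_rules() {
    port=$(zmq_port "$1") || return 1
    printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$2"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# probe_cmd / collector_cmd ENDPOINT: the two command lines from the page,
# derived from one variable so a typo cannot desynchronise them.
probe_cmd() {
    printf 'nprobe -i %s --zmq %s -T @NTOPNG@\n' "$PROBE_IFACE" "$1"
}

collector_cmd() {
    printf 'ntopng -i %s\n' "$1"
}

main() {
    valid_zmq_endpoint "$ZMQ_ENDPOINT" || { echo "bad ZeroMQ endpoint: $ZMQ_ENDPOINT" >&2; return 1; }
    echo "# on the nProbe host ($(zmq_host "$ZMQ_ENDPOINT")):"
    firewall_rules "$ZMQ_ENDPOINT" "$NTOPNG_HOST"
    probe_cmd "$ZMQ_ENDPOINT"
    echo "# on the ntopng host ($NTOPNG_HOST):"
    collector_cmd "$ZMQ_ENDPOINT"
}

main "$@"
```

The script only prints the commands; paste the firewall rules and the nprobe line on the probe host and the ntopng line on the collector. The DROP rule is deliberately scoped to the ZeroMQ port so it does not interfere with other services on the probe host, and any other firewall (nftables, a cloud security group) can express the same two-rule policy.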

License

ntopng Community is distributed under the GNU GPLv3 license. Professional and Enterprise versions are subject to the EULA terms as well.

Enterprise L version already includes n2disk 1 Gbit (Continuous Recording) and nProbe Pro (Flow Collection) licenses.

Get It

Have a look at the download page for installation instructions and at the shop if you are considering a license. As with all other ntop products, a licensed ntopng includes installation support.
