Overview
ntopng (ntop next generation) is a high-speed, web-based network traffic analysis tool that examines network traffic in real time. It provides a rich, intuitive web interface for monitoring network utilization, identifying top talkers, analyzing protocols, detecting anomalies, and generating detailed traffic reports. ntopng performs deep packet inspection (DPI) using the nDPI library to identify thousands of application protocols regardless of port numbers, including encrypted traffic identification via JA3/JA4 fingerprinting.
ntopng supports multiple traffic acquisition methods, including live packet capture from interfaces, NetFlow/sFlow/IPFIX collection (via nProbe), PF_RING for high-speed capture, and pcap file analysis. It can monitor traffic at speeds exceeding 10 Gbps with appropriate hardware and drivers. Features include host behavior analysis, geographic mapping of traffic flows, alerting on security threats and anomalies, SNMP device monitoring, Active Directory integration, and REST API access. ntopng stores historical data in time series databases (InfluxDB or RRD) for long-term trend analysis.
Installation
Ubuntu/Debian
```bash
# Add ntop repository (the .deb path below is for Debian 12 "bookworm";
# packages.ntop.org publishes a matching path for each Ubuntu/Debian release)
sudo apt-get install software-properties-common wget
sudo add-apt-repository universe
wget https://packages.ntop.org/apt-stable/bookworm/all/apt-ntop-stable.deb
sudo dpkg -i apt-ntop-stable.deb
sudo apt-get update
# Install ntopng
sudo apt-get install ntopng ntopng-data
# Install optional nProbe for NetFlow/sFlow/IPFIX collection
sudo apt-get install nprobe
# Start service
sudo systemctl start ntopng
sudo systemctl enable ntopng
```
CentOS/RHEL
```bash
# Add ntop repository (ntop.repo is a yum repository definition, not an RPM)
sudo yum install epel-release
curl https://packages.ntop.org/centos-stable/ntop.repo | sudo tee /etc/yum.repos.d/ntop.repo
sudo yum install ntopng ntopng-data
sudo systemctl start ntopng
sudo systemctl enable ntopng
```
Docker
```bash
# Host networking is required so the container can capture on eth0 directly
docker run -d \
  --name ntopng \
  --net host \
  -v /etc/ntopng:/etc/ntopng \
  -v /var/lib/ntopng:/var/lib/ntopng \
  ntop/ntopng:stable \
  -i eth0
```
Core Commands
```bash
# Start with specific interface
sudo ntopng -i eth0
# Start with multiple interfaces
sudo ntopng -i eth0 -i eth1
# Start on custom HTTP port
sudo ntopng -i eth0 -w 8080
# HTTPS only (0 disables the plaintext HTTP listener)
sudo ntopng -i eth0 -w 0 -W 4443
# Receive flows exported by nProbe over ZMQ (this is how NetFlow/sFlow reach ntopng)
sudo ntopng -i "tcp://127.0.0.1:5556"
# Read from pcap file
sudo ntopng -i /path/to/capture.pcap
# Specify local networks
sudo ntopng -i eth0 -m "192.168.1.0/24,10.0.0.0/8"
# Set DNS mode (-n 0-3; 0 = decode DNS, resolve local IPs only, the default)
sudo ntopng -i eth0 -n 1 # Decode DNS, resolve all numeric IPs
sudo ntopng -i eth0 -n 2 # Decode DNS, no resolution
# Specify data directory
sudo ntopng -i eth0 -d /var/lib/ntopng
# Enable debug logging
sudo ntopng -i eth0 --verbose 6
```
Command-Line Options
| Option | Description |
|---|---|
| -i <interface> | Network interface to monitor |
| -w <port> | HTTP port (0 to disable) |
| -W <port> | HTTPS port |
| -m <networks> | Local networks (CIDR) |
| -n <mode> | DNS resolution mode (0-3) |
| -d <path> | Data directory |
| -r <redis> | Redis connection string (host[:port[:password]]) |
| -G <pid_file> | PID file path |
| -e | Daemonize |
| -S | Do not save packet data |
| --community | Run in community edition mode |
| --disable-login | Disable login (dev only) |
| --verbose <level> | Verbosity (0-6) |
Configuration
Configuration File
```text
# /etc/ntopng/ntopng.conf (one option per line, -opt=value form)
-G=/var/run/ntopng.pid
-i=eth0
-i=eth1
# -m and --local-networks are the same option; keep only one form in a real config
-m=192.168.0.0/16,10.0.0.0/8,172.16.0.0/12
-w=3000
-W=3001
-d=/var/lib/ntopng
-r=localhost:6379
--local-networks="192.168.1.0/24=Office,10.0.0.0/8=VPN"
# Time series backend for historical graphs (--dump-flows is a flow-export
# option for es/mysql/syslog targets, not an InfluxDB setting)
--ts-driver=influxdb
--ts-host=localhost:8086
```
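A small audit of the ntopng.conf format above, as an added example that is not part of ntopng or this page: it parses the one-option-per-line file and flags the exposure settings the page itself warns about (a plaintext HTTP listener, `--disable-login`, a Redis string without a password). The sample config and finding texts are constructed.

```python
"""Audit an ntopng.conf for weak exposure settings (added example, not ntopng code).

Assumes the `-k=value` / `--long-opt=value` format shown above; `--http-port`,
`--https-port` and `--redis` are the long forms of -w, -W and -r.
"""
import re

OPTION_RE = re.compile(r'^(-{1,2}[A-Za-z][\w-]*)(?:\s*=\s*(.*))?$')

# Constructed sample modelled on the ntopng.conf above, with a dev-only setting left in.
SAMPLE_CONF = """\
# ntopng.conf (constructed sample)
-G=/var/run/ntopng.pid
-i=eth0
-w=3000
-W=3001
-r=localhost:6379
--disable-login=1
"""


def parse_conf(text):
    """Return (option, value) pairs in file order; repeated options such as -i are kept."""
    opts = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        m = OPTION_RE.match(stripped)
        if m:
            opts.append((m.group(1), (m.group(2) or '').strip().strip('"')))
    return opts


def _get(opts, *names):
    """First value set for any of the given option spellings, else None."""
    return next((v for k, v in opts if k in names), None)


def audit(text):
    """List human-readable findings for a ntopng.conf body (empty list = nothing flagged)."""
    opts = parse_conf(text)
    findings = []
    http = _get(opts, '-w', '--http-port')
    https = _get(opts, '-W', '--https-port')
    if http is None or http.split(':')[-1] != '0':  # ntopng defaults to HTTP on 3000 when -w is absent
        hint = ' and add -W=<port>' if https is None else ''
        findings.append(f"web UI served over plaintext HTTP on {http or '3000 (default)'}; set -w=0{hint}")
    if _get(opts, '--disable-login') is not None:
        findings.append('--disable-login present: web UI and REST API accept unauthenticated access')
    redis = _get(opts, '-r', '--redis')
    if redis is not None and len(redis.split('@')[0].split(':')) < 3:  # host:port:password expected
        findings.append(f'Redis connection "{redis}" carries no password')
    return findings


if __name__ == '__main__':
    for finding in audit(SAMPLE_CONF):
        print('-', finding)
```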
InfluxDB Time Series
```bash
# Install InfluxDB for historical data
sudo apt-get install influxdb
sudo systemctl start influxdb
# Configure ntopng to use InfluxDB as its time series driver
# Add to ntopng.conf:
--ts-driver=influxdb
--ts-host=localhost:8086
--ts-dbname=ntopng
```
Redis Configuration
```bash
# ntopng requires Redis
sudo apt-get install redis-server
sudo systemctl start redis-server
# Specify Redis connection
sudo ntopng -i eth0 -r localhost:6379
# Use Redis with password (host:port:password)
sudo ntopng -i eth0 -r "localhost:6379:mypassword"
```
Web Interface
Default Access
URL: http://hostname:3000
Username: admin
Password: admin (change on first login)
Key Web Interface Sections
| Section | Description |
|---|---|
| Dashboard | Overview of traffic, top hosts, protocols |
| Flows | Active network flows with DPI |
| Hosts | All discovered hosts with details |
| Interfaces | Per-interface statistics |
| Alerts | Security and performance alerts |
| Historical | Time-series traffic graphs |
| SNMP | SNMP device monitoring |
| Reports | Scheduled traffic reports |
REST API
```bash
# Base URL format
# http://hostname:3000/lua/rest/v2/
# Get interface data
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/interface/data.lua?ifid=0"
# Get active hosts
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/host/active.lua?ifid=0"
# Get host details
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/host/data.lua?ifid=0&host=192.168.1.100"
# Get active flows
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/flow/active.lua?ifid=0"
# Get top talkers
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/host/top_talkers.lua?ifid=0"
# Get alert list
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/alert/list.lua?ifid=0&status=engaged"
# Get interface traffic stats
curl -u admin:admin "http://localhost:3000/lua/rest/v2/get/interface/traffic.lua?ifid=0"
```
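The same REST v2 calls from a script, as an added example that is not ntopng project code: it builds the endpoint URLs listed above, sends basic-auth requests, and unwraps the reply envelope so a non-zero return code is not silently treated as data. It assumes ntopng wraps every reply as `{"rc": <int>, "rc_str": <str>, "rsp": <payload>}` with `rc == 0` on success, and that `admin:admin` is only the out-of-the-box default.

```python
"""Small ntopng REST v2 helper; an added example, not ntopng project code.

Assumptions: reply envelope {"rc": <int>, "rc_str": <str>, "rsp": <payload>},
rc == 0 on success; endpoints are the v2 paths from the cheat sheet above.
"""
import base64
import json
import urllib.parse
import urllib.request

BASE_URL = "http://localhost:3000"  # assumption: default -w port on a lab host


def build_url(base, endpoint, params):
    """Compose <base>/lua/rest/v2/<endpoint>?<query> with proper URL encoding."""
    return f"{base.rstrip('/')}/lua/rest/v2/{endpoint}?{urllib.parse.urlencode(params)}"


def parse_envelope(body):
    """Unwrap the reply envelope; raise on an error code instead of returning its payload."""
    doc = json.loads(body)
    if doc.get("rc", -1) != 0:
        raise RuntimeError(f"ntopng returned rc={doc.get('rc')} ({doc.get('rc_str')})")
    return doc["rsp"]


def fetch(endpoint, params, user="admin", password="admin", base=BASE_URL):
    """Authenticated GET (HTTP basic auth) returning the unwrapped payload; makes a network call."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(build_url(base, endpoint, params))
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_envelope(resp.read())


def count_by(records, field):
    """Histogram of one field over a list of record dicts, e.g. engaged alerts by severity."""
    counts = {}
    for rec in records:
        key = rec.get(field, "unknown")
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Interface 0 summary; the payload's field names depend on the ntopng version.
    print(fetch("get/interface/data.lua", {"ifid": 0}))
```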
NetFlow/sFlow Collection
NetFlow v5/v9/IPFIX
```bash
# ntopng reads flows from nProbe over ZMQ; nProbe is the component that listens for NetFlow
sudo ntopng -i "tcp://127.0.0.1:5556" -m "10.0.0.0/8"
# nProbe as NetFlow/IPFIX collector -> ntopng
# (-i none: no packet capture, -n none: do not re-export, --collector-port: NetFlow listener)
sudo nprobe -i none -n none --zmq "tcp://*:5556" --collector-port 2055
sudo ntopng -i "tcp://127.0.0.1:5556"
# ntopng has no built-in NetFlow listener of its own; the nProbe + ZMQ pair above is the supported path
```
sFlow Collection
```bash
# Collect sFlow: point exporters at nProbe's collector port, ntopng reads the ZMQ feed
sudo nprobe -i none -n none --collector-port 6343 --zmq "tcp://*:5556"
sudo ntopng -i "tcp://127.0.0.1:5556"
# Multiple collectors: one ZMQ endpoint per nProbe instance (e.g. sFlow on 5556, NetFlow on 5557)
sudo ntopng -i "tcp://127.0.0.1:5556" -i "tcp://127.0.0.1:5557"
```
Advanced Usage
PF_RING High-Speed Capture
```bash
# Install PF_RING (userland library plus kernel module)
sudo apt-get install pfring pfring-dkms
# Run ntopng with PF_RING
sudo ntopng -i pfring:eth0
# With DNA (Direct NIC Access) - legacy; current PF_RING releases use ZC (zc:eth0)
sudo ntopng -i dna0
```
Custom Alerts and Scripts
```lua
-- /usr/share/ntopng/scripts/callbacks/interface/alerts/custom_alert.lua
-- Per-interface callback: raise an alert once cumulative interface traffic crosses 1 GB
local alerts = require("alert_utils")

function checkAlert(ifname)
  interface.select(ifname)               -- bind the interface API to the interface being checked
  local info = interface.getStats()
  if info.stats.bytes > 1000000000 then  -- 1 GB in bytes
    alerts.store(ifname, "high_traffic",
                 "Traffic exceeded 1GB threshold")
  end
end
```
Traffic Policies
```text
# Block specific hosts via web UI
# Settings > Traffic Policies > Add Rule
# Define traffic quotas
# Hosts > Host Details > Quota
# Configure traffic shaping (Enterprise)
# Settings > Traffic Shaping
```
Packet Dump
```bash
# -F/--dump-flows exports expired flow records (not raw packets) to a backend
# Dump to Elasticsearch: es;<mapping type>;<index name>;<ES bulk URL>;<http auth>
sudo ntopng -i eth0 -F "es;ntopng;ntopng-%Y.%m.%d;http://localhost:9200/_bulk;"
# Dump flows to MySQL: mysql;<host|socket>;<dbname>;<table>;<user>;<password>
sudo ntopng -i eth0 -F "mysql;localhost;ntopng;flows;ntopng;password"
```
SNMP Monitoring
```text
# Enable SNMP in ntopng.conf
--snmp-community=public
--snmp-port-range=1-1024
# Configure via Web UI:
# Settings > SNMP > Add Device
# Enter IP, community string, version
```
Troubleshooting
| Issue | Solution |
|---|---|
| Web UI not accessible | Check port binding, firewall rules |
| No traffic data | Verify interface with tcpdump, check perms |
| Redis connection failed | Start Redis: systemctl start redis |
| High CPU usage | Reduce monitored hosts, use PF_RING |
| DNS resolution slow | Disable with -n 0 or use local resolver |
| Historical data missing | Configure InfluxDB or RRD backend |
| Alerts not triggering | Check alert thresholds in Settings > Alerts |
| NetFlow not showing | Verify collector port, check exporter config |
Diagnostic Commands
```bash
# Check ntopng status
sudo systemctl status ntopng
# View logs
sudo journalctl -u ntopng -f
tail -f /var/log/ntopng/ntopng.log
# Check Redis data
redis-cli info
redis-cli keys "ntopng.*" | head
# Verify interface capture
sudo tcpdump -i eth0 -c 10
# Check listening ports
sudo ss -tlnp | grep ntopng
# Verify license (Pro/Enterprise)
sudo ntopng --check-license
# Performance tuning options (add to ntopng.conf)
# Increase max hosts
--max-num-hosts=500000
# Increase max flows
--max-num-flows=5000000
# Disable unnecessary features
--disable-alerts
--disable-host-persistency
# Use hardware timestamping
--hw-timestamp-mode=ixia
```