ntopngntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage.
ntopng provides an intuitive and encrypted web user interface for the exploration of traffic information in real time and the hisyory of it. It was born as a traffic analysis tool and over time it has “evolved” to become an application filter.

What is NtopNG
ntopng is a traffic analysis networking tool that offers unprecedented visibility on packets traveling on the network.
One of the most interesting features of the latest version of ntopng is undoubtedly that of application filter, thanks to which we can control more than 250 applications including Facebook, Youtube, WhatsApp, Skype and Tor, blocking or limiting the bandwidth of requests client and preventing, in fact, their uncontrolled use. Now let’s look at some functions and discover their potential.

Overview of features
ntopng is released in three different versions: Community, Professional and Enterprise. The various features are shown in the following comparative table.

[adrotate banner="3"]
Feature Community Professional Enterprise
Monitoring of active flows and hosts of the network †
Identification of application protocols (Facebook, Youtube, BitTorrent, etc) in traffic
Recording and display of the use of application protocols for each host over time
Grouping of hosts for VLAN, Operating System, Country, and Autonomous Systems
Geographical map of network communications made by each host
Identification of the top talker hosts (senders and receivers) with resolution per minute
View the most requested HTTP sites from each host
Export of communications on MySQL and ElasticSearch
Generation of alarms based on time / traffic thresholds or suspicious behavior such as visiting a malicious site
Alarms and warnings such as Slack messages
Display of traffic for each VLAN
Data collecting from nProbe to process the remote interfaces monitored by nProbe and flow export devices (eg routers and switches) as if they were local
Displaying data collected by nProbe
Grouping hosts into logical sets of IP and MAC addresses known as hosts pools ††
Real-time view of the top talkers and application protocols and comparison with daily activities
Browsing the registered MySQL data to identify the cause of network problems
Generation of graphical reports with the top hosts, application protocols, countries, networks and autonomous systems in configurable time periods
Traffic history based on profiles created using BPF (Berkeley Packet Filter) syntax ‡
Limiting/blocking host traffic with custom policies for each protocol *
Integration with LDAP authentication servers
Query SNMP devices for data such as port status, traffic and MAC address information
Integration with Nagios *
MySQL insertions to get writes to the fastest 5x database
Data aggregation in MySQL for faster historical explorations
Generate traffic and total activity reports for any host, network or interface
Detection of attackers and victims through real-time alerts
Exploration and filtering of alarms
Viewing and storing traffic by SNMP port
Viewing and storing NetFlow/sFlow device data
Captive Portal for Internet browsing *
Daily traffic quotas that are applied to clients *
Parental control with the DNS integration of SafeSearch *

* Feature not available with Windows
† The Enterprise version allows simultaneous monitoring of up to 128 different network interfaces. Professional and Community versions allow monitoring of up to 32 different interfaces.
†† The Enterprise version allows simultaneous monitoring of up to 128 different host pools. Professional and Community versions allow simultaneous monitoring of up to 3 different host pools.
‡ The Enterprise version allows simultaneous monitoring of up to 128 different traffic profiles. The Professional version allows the creation of 16 traffic profiles.

Supported platforms**

  • Unix (including Linux, * BSD, and MacOSX)
  • Windows x64 (including the latest Windows 10)
  • ARM


  • Available via HTML5-ready/li web browser
  • SSL / HTTPS support


  • Memory usage Depends on the ntop configuration, the number of hosts, and the number of active TCP sessions. Generally it varies from a few MB (small LAN) to 100 MB for a WAN.
  • Use of CPUD depends on the ntop configuration and traffic conditions. On a modern PC and on a large LAN, it is less than 10% of the total CPU load.


  • Ethernet
  • IPv4/IPv6
  • GRE
  • 250+ applications with Layer-7 protocol supported with nDPI
  • …many others.


  • Compatibility with scripts in LUA
  • Web interface extensions without having to change the Ntopng C ++ engine.

Additional features

  • sFlow, NetFlow (including v5 and v9) and IPFIX supported via nProbe (collection from multiple nProbes is supported).
  • Statistic for: Internet Domain, AS (Autonomous Systems), VLAN (Virtual LAN).
  • Decoding protocol for all application protocols supported by nDPI.

**NtopNg is also available for Ubiquiti EdgeRouter (Lite or X).