ntopng is the next generation version of the original ntop, a network traffic probe that monitors network usage.
ntopng provides an intuitive and encrypted web user interface for exploring traffic information both in real time and historically. It was born as a traffic analysis tool and over time it has “evolved” to become an application filter.
What is NtopNG
ntopng is a traffic analysis networking tool that offers unprecedented visibility on packets traveling on the network.
One of the most interesting features of the latest version of ntopng is undoubtedly the application filter, with which we can control more than 250 applications including Facebook, Youtube, WhatsApp, Skype and Tor, blocking or limiting the bandwidth of client requests and, in effect, preventing their uncontrolled use. Now let’s look at some functions and discover their potential.
Overview of features
ntopng is released in three different versions: Community, Professional and Enterprise. The various features are shown in the following comparative table.
Feature | Community | Professional | Enterprise |
---|---|---|---|
Monitoring of active flows and hosts of the network † | ✓ | ✓ | ✓ |
Identification of application protocols (Facebook, Youtube, BitTorrent, etc) in traffic | ✓ | ✓ | ✓ |
Recording and display of the use of application protocols for each host over time | ✓ | ✓ | ✓ |
Grouping of hosts for VLAN, Operating System, Country, and Autonomous Systems | ✓ | ✓ | ✓ |
Geographical map of network communications made by each host | ✓ | ✓ | ✓ |
Identification of the top talker hosts (senders and receivers) with resolution per minute | ✓ | ✓ | ✓ |
View the most requested HTTP sites from each host | ✓ | ✓ | ✓ |
Export of communications on MySQL and ElasticSearch | ✓ | ✓ | ✓ |
Generation of alarms based on time / traffic thresholds or suspicious behavior such as visiting a malicious site | ✓ | ✓ | ✓ |
Alarms and warnings such as Slack messages | ✓ | ✓ | ✓ |
Display of traffic for each VLAN | ✓ | ✓ | ✓ |
Data collection from nProbe to process the remote interfaces monitored by nProbe and flow export devices (e.g. routers and switches) as if they were local | ✓ | ✓ | ✓ |
Displaying data collected by nProbe | ✓ | ✓ | ✓ |
Grouping hosts into logical sets of IP and MAC addresses known as hosts pools †† | ✓ | ✓ | ✓ |
Real-time view of the top talkers and application protocols and comparison with daily activities | ✗ | ✓ | ✓ |
Browsing the registered MySQL data to identify the cause of network problems | ✗ | ✓ | ✓ |
Generation of graphical reports with the top hosts, application protocols, countries, networks and autonomous systems in configurable time periods | ✗ | ✓ | ✓ |
Traffic history based on profiles created using BPF (Berkeley Packet Filter) syntax ‡ | ✗ | ✓ | ✓ |
Limiting/blocking host traffic with custom policies for each protocol * | ✗ | ✓ | ✓ |
Integration with LDAP authentication servers | ✗ | ✓ | ✓ |
Query SNMP devices for data such as port status, traffic and MAC address information | ✗ | ✓ | ✓ |
Integration with Nagios * | ✗ | ✓ | ✓ |
MySQL insertions for 5x faster database writes | ✗ | ✗ | ✓ |
Data aggregation in MySQL for faster historical explorations | ✗ | ✗ | ✓ |
Generate traffic and total activity reports for any host, network or interface | ✗ | ✗ | ✓ |
Detection of attackers and victims through real-time alerts | ✗ | ✗ | ✓ |
Exploration and filtering of alarms | ✗ | ✗ | ✓ |
Viewing and storing traffic by SNMP port | ✗ | ✗ | ✓ |
Viewing and storing NetFlow/sFlow device data | ✗ | ✗ | ✓ |
Captive Portal for Internet browsing * | ✗ | ✗ | ✓ |
Daily traffic quotas that are applied to clients * | ✗ | ✗ | ✓ |
Parental control with the DNS integration of SafeSearch * | ✗ | ✗ | ✓ |
* Feature not available with Windows
† The Enterprise version allows simultaneous monitoring of up to 128 different network interfaces. Professional and Community versions allow monitoring of up to 32 different interfaces.
†† The Enterprise version allows simultaneous monitoring of up to 128 different host pools. Professional and Community versions allow simultaneous monitoring of up to 3 different host pools.
‡ The Enterprise version allows simultaneous monitoring of up to 128 different traffic profiles. The Professional version allows the creation of 16 traffic profiles.
Supported platforms**
- Unix (including Linux, *BSD, and MacOSX)
- Windows x64 (including the latest Windows 10)
- ARM
Web GUI
- Available via HTML5-ready web browser
- SSL / HTTPS support
Requirements
- Memory usage depends on the ntop configuration, the number of hosts, and the number of active TCP sessions. Generally it varies from a few MB (small LAN) to 100 MB for a WAN.
- CPU usage depends on the ntop configuration and traffic conditions. On a modern PC and on a large LAN, it is less than 10% of the total CPU load.
Protocols
- Ethernet
- IPv4/IPv6
- TCP/UDP/ICMP
- GRE
- DHCP/BOOTP/NetBIOS/DNS…
- 250+ Layer-7 application protocols supported via nDPI
- …many others.
Extensibility
- Compatibility with scripts in Lua
- Web interface extensions without having to change the ntopng C++ engine.
Additional features
- sFlow, NetFlow (including v5 and v9) and IPFIX supported via nProbe (collection from multiple nProbes is supported).
- Statistics for: Internet Domain, AS (Autonomous Systems), VLAN (Virtual LAN).
- Protocol decoding for all application protocols supported by nDPI.
** ntopng is also available for Ubiquiti EdgeRouter (Lite or X).