High-Speed Web-based Traffic Analysis and Flow Collection.
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Win32 as well.
ntopng users can use a a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. The use of:
- a web interface.
- limited configuration and administration via the web interface.
- reduced CPU and memory usage (they vary according to network size and traffic).
What ntopng can do for me?
- Sort network traffic according to many protocols
- Show network traffic and IPv4/v6 active hosts
- Store on disk persistent traffic statistics in RRD format
- Geolocate hosts
- Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
- Characterise HTTP traffic by leveraging on characterisation services provided by block.si. ntopng comes with a demo characterisation key, but if you need a permanent one, please mail email@example.com.
- Show IP traffic distribution among the various protocols
- Analyse IP traffic and sort it according to the source/destination
- Display IP Traffic Subnet matrix (who’s talking to who?)
- Report IP protocol usage sorted by protocol type
- Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks) when used together with nProbe.
- Produce HTML5/AJAX network traffic statistics
|Web GUI||A modern HTML 5 browser is needed to visualise ntopng traffic statistics.|
|Extensibility||ntopng engine is scripted using the LuaJIT language. Users can extend the web interface as well modify it in realtime without having to code into the ntopng C++ engine.|
Using ntopng as Flow Collector
In ntopng we have decided to collect flows through nProbe that can act as probe/proxy. This is because we wanted to keep the ntopng engine simple and clean from flow-based application needs. The communication between nProbe and ntopng happens though ZeroMQ that decouples ntopng from nProbe. You can collect flows as follows:
- Start nProbe that will act as a probe for ntopng
nprobe --zmq "tcp://*:5556" -i .....
- Start ntopng that will act as a collector (it listens on local port 5556)
ntopng -i "tcp://127.0.0.1:5556"
Flows exchanged between nProbe and ntopng are formatted in JSON and not on standard sFlow/NetFlow format.
ntopng is distributed under the GNU GPLv3 license and available in source code format.
Have a look at the download page.