High-Speed Web-based Traffic Analysis and Flow Collection.
ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.
ntopng users can use a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. The use of:
- a web interface.
- limited configuration and administration via the web interface.
- reduced CPU and memory usage (they vary according to network size and traffic).
What can ntopng do for me?
- Sort network traffic according to many protocols.
- Show network traffic and IPv4/v6 active hosts.
- Store on disk persistent traffic statistics in RRD format.
- Geolocate hosts.
- Discover application protocols by leveraging nDPI, ntop’s DPI framework.
- Characterise HTTP traffic by leveraging characterisation services provided by Google and HTTP Blacklist.
- Show IP traffic distribution among the various protocols.
- Analyse IP traffic and sort it according to the source/destination.
- Display IP Traffic Subnet matrix (who’s talking to who?)
- Report IP protocol usage sorted by protocol type.
- Produce HTML5/AJAX network traffic statistics.
|Feature|Description|
|---|---|
|Web GUI|A modern HTML5 browser is needed to visualise ntopng traffic statistics.|
|Extensibility|The ntopng engine is scripted using the LuaJIT language. Users can extend the web interface as well as modify it in real time without having to code in the ntopng C++ engine.|
ntopng Pro vs. Community, Embedded vs. Standard
Since v2, ntopng comes in two versions. The standard version is the one you can run on a “full-fledged PC” such as an x86 machine, whereas the embedded version is designed for small ARM and MIPS devices with limited memory and CPU speed, where specific functionalities are limited (for instance the number of hosts/flows that can be monitored simultaneously).
Regardless of the version, ntopng comes in two editions. The community edition is the one whose code can be found on GitHub. The professional edition, available for a small fee, has additional features with respect to the community edition, including:
- Ability to generate advanced HTML reports that can be exported in PDF.
- Per-hour/day top activities monitoring such as top talkers, top ASes, top layer-7 protocols etc., computed without installing a database (by leveraging ntopng’s own capabilities) and with limited disk space being used.
- Ability to operate in inline mode for dropping unwanted traffic and enforcing network policies (both in terms of layer-7 protocols and traffic shaping).
- Support of SNMP for querying SNMP agents.
Using ntopng as Flow Collector
In ntopng we have decided to collect flows through nProbe, which can act as probe/proxy. This is because we wanted to keep the ntopng engine simple and clean from flow-based application needs. The communication between nProbe and ntopng happens through ZeroMQ, which decouples ntopng from nProbe. You can collect flows as follows:
- Start nProbe that will act as a probe for ntopng
nprobe --zmq "tcp://*:5556" -i .....
- Start ntopng that will act as a collector (it listens on local port 5556)
ntopng -i "tcp://127.0.0.1:5556"
Flows exchanged between nProbe and ntopng are formatted in JSON and not in the standard sFlow/NetFlow format.
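To illustrate what a collector does with those JSON flow records once they arrive, here is an added example (not ntopng's or nProbe's own code) that ingests a constructed batch of records and builds three of the summaries listed above: top talkers, layer-7 protocol distribution and a subnet-to-subnet matrix. The field names (IPV4_SRC_ADDR, IN_BYTES, L7_PROTO_NAME, ...) are assumed to follow NetFlow element naming and the local subnets are an assumption; a malformed record is included to show that it is skipped rather than aborting collection.

```python
import json
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of JSON flow records (field names assumed, modelled on
# NetFlow element names; this is not captured nProbe output).
SAMPLE_FLOWS = [
    '{"IPV4_SRC_ADDR":"192.168.1.10","IPV4_DST_ADDR":"10.0.0.5","PROTOCOL":6,'
    '"L4_DST_PORT":443,"IN_BYTES":1200,"OUT_BYTES":34000,"L7_PROTO_NAME":"HTTPS"}',
    '{"IPV4_SRC_ADDR":"192.168.1.11","IPV4_DST_ADDR":"10.0.0.5","PROTOCOL":6,'
    '"L4_DST_PORT":80,"IN_BYTES":800,"OUT_BYTES":5000,"L7_PROTO_NAME":"HTTP"}',
    '{"IPV4_SRC_ADDR":"192.168.1.10","IPV4_DST_ADDR":"8.8.8.8","PROTOCOL":17,'
    '"L4_DST_PORT":53,"IN_BYTES":120,"OUT_BYTES":240,"L7_PROTO_NAME":"DNS"}',
    '{"IPV4_SRC_ADDR":"10.0.0.7","IPV4_DST_ADDR":"192.168.1.11","PROTOCOL":6,'
    '"L4_DST_PORT":22,"IN_BYTES":9000,"OUT_BYTES":3000,"L7_PROTO_NAME":"SSH"}',
    'this is not a JSON record',  # constructed malformed line, must be skipped
]

# Assumed local address ranges used for the "who's talking to whom" matrix.
LOCAL_NETS = [ip_network("192.168.1.0/24"), ip_network("10.0.0.0/24")]

def subnet_of(addr):
    """Map an address to the first matching local subnet, or 'external'."""
    ip = ip_address(addr)
    for net in LOCAL_NETS:
        if ip in net:
            return str(net)
    return "external"

def aggregate(lines):
    """Collect JSON flow records and build per-host, per-L7 and subnet summaries."""
    host_bytes = Counter()      # top talkers: bytes seen per host, either direction
    l7_bytes = Counter()        # layer-7 protocol distribution
    matrix = defaultdict(int)   # (src subnet, dst subnet) -> bytes
    for line in lines:
        try:
            f = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad record must not take the collector down
        total = int(f.get("IN_BYTES", 0)) + int(f.get("OUT_BYTES", 0))
        src, dst = f["IPV4_SRC_ADDR"], f["IPV4_DST_ADDR"]
        host_bytes[src] += total
        host_bytes[dst] += total
        l7_bytes[f.get("L7_PROTO_NAME", "Unknown")] += total
        matrix[(subnet_of(src), subnet_of(dst))] += total
    return host_bytes, l7_bytes, dict(matrix)

def top_talkers(host_bytes, n=3):
    """Return the n hosts with the most traffic, highest first."""
    return host_bytes.most_common(n)
```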
ntopng is distributed under the GNU GPLv3 license and available in source code format.
Have a look at the download page.