High-Speed Web-based Traffic Analysis and Flow Collection.

ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.

ntopng users can use a a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. The use of:

  • a web interface.
  • limited configuration and administration via the web interface.
  • reduced CPU and memory usage (they vary according to network size and traffic).

ntopng Screenshots

This slideshow requires JavaScript.

What ntopng can do for me?

  • Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
  • Show network traffic and IPv4/v6 active hosts.
  • Produce long-term reports about various network metrics such as throughput, application protocols
  • Top X talkers/listeners, top ASs, top L7 applications.
  • For each communication flow report network/application latency/RTT, TCP stats (retransmissions, packets OOO, packet lost), bytes/packets
  • Store on disk persistent traffic statistics in RRD format.
  • Geolocate hosts and display reports according to host location.
  • Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
  • Characterise HTTP traffic by leveraging on characterisation services provided by Google and HTTP Blacklist.
  • Show IP traffic distribution among the various protocols.
  • Analyse IP traffic and sort it according to the source/destination.
  • Display IP Traffic Subnet matrix (who’s talking to who?)
  • Report IP protocol usage sorted by protocol type.
  • Produce HTML5/AJAX network traffic statistics.
  • Unix (including Linux, *BSD, and MacOSX)
  • Windows x64 (including the latest Windows 7/8)
Web GUI       A modern HTML 5 browser is needed to visualise ntopng traffic statistics.
  • Memory Usage
    It depends on the ntop configuration, number of hosts, and number of active TCP sessions. In general it ranges from a few MB (little LAN) to 100 MB for a WAN.
  • CPU Usage
    It depends on the ntop configuration, and traffic conditions. On a modern PC and large LAN, it is less than 10% of overall CPU load.
  • IPv4/IPv6
  • All IP protocols supported by nDPI (~180 and counting)
  • …and many more
Extensibility ntopng engine is scripted using the LuaJIT language. Users can extend the web interface as well modify it in realtime without having to code into the ntopng C++ engine.
Additional Features
  • sFlow, NetFlow (including v5 and v9) and IPFIX support through nProbe. ntop can collect simultaneously from multiple probes.
  • Network Flows
  • Local Traffic Analysis
  • Lua lightweight API for extending ntop via scripts
  • Traffic statistics are saved into RRD databases for long-run traffic analysis.
  • Internet Domain, AS (Autonomous Systems), VLAN (Virtual LAN) Statistics.
  • Protocol decoders for all application protocols supported by nDPI.
  • Advanced HTTP password protection with encrypted passwords
  • RRD support for persistently storing per-host traffic information

ntopng Pro vs. Community, Embedded vs. Standard

Since v2, ntopng comes in two versions. The standard version is the one you can run on a “full-fledged PC” such as an x86 machine, wheres the embedded version is designed for small ARM and MIPS devices with limited memory and CPU speed where specific functionalities are limited (for instance the number of hosts/flows that can be monitored simultaneously).

Regardless of the version, ntopng comes in two editions. The community edition is the one whose code can be found on Github. The professional edition, available for a little fee, has additional features with respect to the community edition including:

  • Ability to generate advanced HTML reports that can be exported in PDF.
  • Per-hour/day top activities monitoring such as top talkers, top ASs, top layer-7 protocols etc. that are computed without installing a database (but leveraging on ntopng’s capabilities) and with limited disk space being used.
  • Ability to operate in inline mode for dropping unwanted traffic and enforcing network policies (both in terms of layer-7 protocols and traffic shaping).
  • Support of SNMP for querying SNMP agents.

Using ntopng as Flow Collector

In ntopng we have decided to collect flows through nProbe that can act as probe/proxy. This is because we wanted to keep the ntopng engine simple and clean from flow-based application needs. The communication between nProbe and ntopng happens though ZeroMQ that decouples ntopng from nProbe. You can collect flows as follows:

  1. Start nProbe that will act as a probe for ntopng
    nprobe --zmq "tcp://*:5556" -i .....
  2. Start ntopng that will act as a collector (it listens on local port 5556)
    ntopng -i "tcp://"

Flows exchanged between nProbe and ntopng are formatted in JSON and not on standard sFlow/NetFlow format.

Operating Systems


ntopng is distributed under the GNU GPLv3 license and available in source code format.

Get It

Have a look at the download page.