High-Speed Web-based Traffic Analysis and Flow Collection.

ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Win32 as well.

ntopng users can use a a web browser to navigate through ntop (that acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. The use of:

  • a web interface.
  • limited configuration and administration via the web interface.
  • reduced CPU and memory usage (they vary according to network size and traffic).

ntopng Screenshots

This slideshow requires JavaScript.

What ntopng can do for me?

  • Sort network traffic according to many protocols
  • Show network traffic and IPv4/v6 active hosts
  • Store on disk persistent traffic statistics in RRD format
  • Geolocate hosts
  • Discover application protocols by leveraging on nDPI, ntop’s DPI framework.
  • Characterise HTTP traffic by leveraging on characterisation services provided by block.si. ntopng comes with a demo characterisation key, but if you need a permanent one, please mail info@block.si.
  • Show IP traffic distribution among the various protocols
  • Analyse IP traffic and sort it according to the source/destination
  • Display IP Traffic Subnet matrix (who’s talking to who?)
  • Report IP protocol usage sorted by protocol type
  • Act as a NetFlow/sFlow collector for flows generated by routers (e.g. Cisco and Juniper) or switches (e.g. Foundry Networks) when used together with nProbe.
  • Produce HTML5/AJAX network traffic statistics
  • Unix (including Linux, *BSD, and MacOSX)
  • Win32 (including the latest Windows 7/8)
Web GUI       A modern HTML 5 browser is needed to visualise ntopng traffic statistics.
  • Memory Usage
    It depends on the ntop configuration, number of hosts, and number of active TCP sessions. In general it ranges from a few MB (little LAN) to 100 MB for a WAN.
  • CPU Usage
    It depends on the ntop configuration, and traffic conditions. On a modern PC and large LAN, it is less than 10% of overall CPU load.
  • IPv4/IPv6
  • All IP protocols supported by nDPI (~170 and counting)
  • …and many more
Extensibility ntopng engine is scripted using the LuaJIT language. Users can extend the web interface as well modify it in realtime without having to code into the ntopng C++ engine.
Additional Features
  • sFlow, NetFlow (including v5 and v9) and IPFIX support through nProbe
  • Network Flows
  • Local Traffic Analysis
  • Lua lightweight API for extending ntop via scripts
  • Support of both NetFlow andsFlow as flow collector. ntop can collect simultaneously from multiple probes.
  • Traffic statistics are saved into RRD databases for long-run traffic analysis.
  • Internet Domain, AS (Autonomous Systems), VLAN (Virtual LAN) Statistics.
  • Protocol decoders for all application protocols supported by nDPI.
  • Advanced HTTP password protection with encrypted passwords
  • RRD support for persistently storing per-host traffic information

Using ntopng as Flow Collector

In ntopng we have decided to collect flows through nProbe that can act as probe/proxy. This is because we wanted to keep the ntopng engine simple and clean from flow-based application needs. The communication between nProbe and ntopng happens though ZeroMQ that decouples ntopng from nProbe. You can collect flows as follows:

  1. Start nProbe that will act as a probe for ntopng
    nprobe --zmq "tcp://*:5556" -i .....
  2. Start ntopng that will act as a collector (it listens on local port 5556)
    ntopng -i "tcp://"

Flows exchanged between nProbe and ntopng are formatted in JSON and not on standard sFlow/NetFlow format.

Operating Systems


ntopng is distributed under the GNU GPLv3 license and available in source code format.

Get It

Have a look at the download page.