nTap is a virtual software tap that can be used in physical/virtual/cloud environments to remotely capture traffic (with respect to the monitoring location) and delivering packets to the observation point in a secure way. Packet capture is required whenever flow-based analysis tools such as nProbe or nProbe Cento are not suitable as packet-level analysis is required.
Main differences between a physical tap and nTap:
- nTap is able to deliver monitored traffic remotely (a physical tap requires a direct cable connection forcing to monitor traffic where it is generated).
- nTap delivers packets with end-to-end encryption preventing intruders from watching monitored traffic.
- nTap can apply packet filtering on monitored traffic (physical taps are unable to do this: more expensive packet brokers provide this feature).
- nTap can be used in containers and virtual machines as well highly dynamic environments such as Kubernetes (a physical tap can be used only on a physical network).
nTap is based on two components:
- nTap remote it is installed on the remote device for which need to monitor traffic.
- nTap collector receives encrypted packets sent by nTap remote, decrypts them, and deliver them to the traffic analysis software (ntopng, nProbe, or third party like Wireshark or Suricata).

at a glance
Key Features
- Efficiently mirrors remote network traffic with minimal latency and bandwidth overhead
- Filtering capabilities supporting BPF filtering to select and forward only relevant traffic to monitoring tools
- Deliver packets over an encrypted unidirectional channels over UDP, making it suitable in high-secure networks that do not allow a return channel
- End-to-end encryption using state-of-the-art symmetrical encryption and AVX instructions for maximum performance
- Bandwidth optimization to minimize the impacts on the network for transferring mirrored traffic
- Support for delivering traffic to a virtual ethernet interface as well as Open vSwitch
Ideal for Every Environment
Use Cases
Analyse Remote Traffic with ntop Tools
ntop applications such as nProbe (Enterprise M/L) and ntopng (Enterprise L), embed the nTap collector so that you can directly connect (one or more) nTap remote with nProbe/ntopng without the need to use the nTap collector.

Analyse Remote Traffic with Third-Party Tools
nTap collector can receive encrypted packets sent by nTap remote, decrypt them, and push them on a virtual ethernet interface where you can attach applications such as Wireshark, tcpdump, Suricata or Snort.

Deliver Remote Traffic to Open vSwitch
Optionally the nTap collector can also send packets to Open vSwitch for maximum flexibility.

Monitor Containers, Kubernetes and Virtual Machines
nTap can be used inside containers and VMs. Typically the tap component is deployed on remote hosts/containers whose IP address can be dynamic. Instead the collector application needs to be active on a host with a static IP address as it needs to receive packets sent by the tap. No license needs to be installed on the host where the tap application runs.
Specifications
Tech Specs
- Linux
- FreeBSD
- Windows x64 (including Windows 10/11)
- macOS
- RaspbianOS
No special hardware requirements necessary.
- All protocols over ethernet