nTap is a lightweight software-based network tap designed by ntop to simplify remote traffic collection and analysis. Unlike traditional hardware-based packet brokers, nTap lets you capture, forward, and aggregate traffic using pure software—reducing complexity and cost.
In this blog post, we’ll walk through:
- nTap fundamentals (FAQ highlights)
- Step-by-step configurations for popular use cases
- Integration with n2disk, nProbe, and ntopng
- Scaling from low (1 Gbps) to very high-speed (40/100 Gbps) deployments
- Best practices for performance optimization
nTap FAQ Highlights
Q: What is the network overhead introduced by nTap?
Each captured packet incurs a 20-byte overhead, added before encapsulating in UDP. Large packets may be fragmented depending on MTU size.
Q: How many remote taps can a collector handle?
There’s no strict limit, but we recommend keeping it to ≤ 64 taps per collector. Typically 1–2 taps per collector are ideal.
Q: Can I capture container traffic?
Yes, install the ntap package inside the container and forward traffic (e.g., eth0) to the collector using ntap_remote. Dynamic IPs in containers aren’t a problem if the collector has a static IP.
Q: Is nTap available for Windows/macOS?
Yes, binaries are available from packages.ntop.org.
Q: How do I disable encryption in nTap?
By default, nTap encrypts traffic using AVX instructions. You can disable encryption with -K on both sender and collector, but only do this in secure networks.
All FAQs can be found on our nTap user guide: https://www.ntop.org/guides/ntap/faq.html
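To make the first FAQ answer concrete, the following added example (not ntop code) computes how many IP packets and bytes the tap link carries for a given mix of captured packets. It assumes the 20-byte overhead is added to the full captured frame, an IPv4 transport without options, and a constructed traffic mix; the function names are this example's own.

```python
import math

NTAP_OVERHEAD = 20  # per-packet overhead stated in the FAQ
UDP_HEADER = 8
IPV4_HEADER = 20    # assumption: IPv4 transport without IP options


def tunnel_cost(captured_len, mtu=1500):
    """Return (fragments, ip_bytes) needed to carry one captured packet."""
    datagram = captured_len + NTAP_OVERHEAD + UDP_HEADER
    if datagram + IPV4_HEADER <= mtu:
        return 1, datagram + IPV4_HEADER
    # Every fragment but the last carries a multiple of 8 payload bytes
    # and repeats the IPv4 header.
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8
    fragments = math.ceil(datagram / per_fragment)
    return fragments, datagram + fragments * IPV4_HEADER


def max_unfragmented(mtu=1500):
    """Largest captured packet that still fits in one IP packet."""
    return mtu - IPV4_HEADER - UDP_HEADER - NTAP_OVERHEAD


def summarize(mix, mtu=1500):
    """mix maps captured packet length -> packet count."""
    captured = sum(size * n for size, n in mix.items())
    packets = wire = fragmented = 0
    for size, n in mix.items():
        frags, ip_bytes = tunnel_cost(size, mtu)
        packets += frags * n
        wire += ip_bytes * n
        fragmented += n if frags > 1 else 0
    return {"captured_bytes": captured, "tunnel_bytes": wire,
            "tunnel_packets": packets, "fragmented": fragmented}


# Constructed traffic mix: full-size Ethernet frames are 1514 bytes.
SAMPLE_MIX = {64: 500, 590: 200, 1514: 300}

if __name__ == "__main__":
    print(max_unfragmented())
    print(summarize(SAMPLE_MIX))
    print(summarize(SAMPLE_MIX, mtu=1600))
```

Under these assumptions every full-size frame is split in two on a 1500-byte path, so a path that drops IP fragments would leave gaps in the collected traffic.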
Core Use Cases
1. Remote Tap → nProbe
On remote host
ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello
On local host
nprobe -3 5678 -n none --ntap hello
2. Remote Tap → ntopng
On remote host
ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello
On local host
ntopng -i ntap:5678:hello
3. Remote Tap → Collector → Local Interface
On remote host
ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello
On local host
ntap_collector -p 5678 -k hello -i ntap0
Use collected interface with tcpdump or Wireshark
tcpdump -i ntap0
4. Remote Tap → Open vSwitch
On remote host
ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello
On local host
ovs-vsctl add-port br0 ntap0 -- set Interface ntap0 type=internal
ifconfig ntap0 up
Collector Setup
Remote → Collector
On remote host
ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello
On local host
ntap_collector -p 5678 -k hello -o 127.0.0.1
Open vSwitch Setup Example
ovs-vsctl add-br br-ovs
ovs-vsctl add-port br-ovs vxlan0 -- set interface vxlan0 type=vxlan options:local_ip=127.0.0.1 options:remote_ip=0.0.0.0
ip link set mtu 1600 dev vxlan_sys_4789
ip link set br-ovs up
ip link set vxlan_sys_4789 up
Encryption Key Guide (-k parameter)
-k hello tells ntap_remote to use “hello” as the encryption key.
The collector (nProbe / ntopng / ntap_collector) must be started with the same key so that packets can be decrypted.
If the keys don’t match, the collector won’t be able to decrypt the traffic.
- By default, encryption is enabled and based on AES with AVX instructions (so it’s very efficient).
- If you’re on a trusted network and want to avoid the CPU overhead of encryption, you can disable it with -K (uppercase K), but this means traffic is sent in clear text.
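The matching rules above (same port, same key, -K on both sides or on neither) can be checked before a tap is deployed. This is an added example, not ntop code: it parses only the command forms shown on this page, and the finding names and the 16-character minimum key length are assumptions of the example, not nTap requirements.

```python
import shlex

MIN_KEY_LEN = 16  # assumed local policy, not an nTap requirement


def parse(cmd):
    """Return (port, key, cleartext) for one command line from this page."""
    argv = shlex.split(cmd)
    opts = {a: argv[i + 1] if i + 1 < len(argv) else None
            for i, a in enumerate(argv) if a.startswith("-")}
    tool = argv[0]
    if tool == "ntap_remote":        # -c <collector_ip>:<port> -k <key>
        port, key = opts["-c"].rsplit(":", 1)[1], opts.get("-k")
    elif tool == "ntap_collector":   # -p <port> -k <key>
        port, key = opts["-p"], opts.get("-k")
    elif tool == "nprobe":           # -3 <port> --ntap <key>
        port, key = opts["-3"], opts.get("--ntap")
    elif tool == "ntopng":           # -i ntap:<port>:<key>
        _, port, key = opts["-i"].split(":", 2)
    else:
        raise ValueError(f"unsupported tool: {tool}")
    return int(port), key, "-K" in opts


def check_pair(remote_cmd, local_cmd):
    """Return finding codes (hypothetical names) for a sender/collector pair."""
    r_port, r_key, r_clear = parse(remote_cmd)
    l_port, l_key, l_clear = parse(local_cmd)
    findings = []
    if r_port != l_port:
        findings.append("PORT_MISMATCH")
    if r_clear != l_clear:
        findings.append("K_ON_ONE_SIDE_ONLY")
    elif r_clear:
        findings.append("CLEARTEXT")      # tap traffic readable on the path
    elif r_key != l_key:
        findings.append("KEY_MISMATCH")   # collector cannot decrypt
    elif not r_key or len(r_key) < MIN_KEY_LEN:
        findings.append("SHORT_KEY")
    return findings


REMOTE = "ntap_remote -i eth0 -c 1.2.3.4:5678 -k hello"  # from this page

if __name__ == "__main__":
    print(check_pair(REMOTE, "ntopng -i ntap:5678:hello"))
    print(check_pair(REMOTE, "nprobe -3 5679 -n none --ntap Hello"))
    print(check_pair(REMOTE + " -K", "ntap_collector -p 5678 -k hello -i ntap0"))
```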
Scaling nTap Deployments
One key advantage of nTap is that you don’t need a physical packet broker—aggregation can be performed in software with ntop tools.
Low-Speed (~1 Gbps)
Configuration 1: Into n2disk first, then forward to nProbe
# n2disk
n2disk -i ntap0 -o /data/captures -p 1G
# nProbe
nprobe -i ntap0 -n collector_ip:2055
Configuration 2: Into nProbe first, then forward to n2disk + ntopng
# nProbe
nprobe -i ntap0 -n none --zmq tcp://127.0.0.1:5556
# n2disk
n2disk -i tcp://127.0.0.1:5556 -o /data/captures
Medium/High-Speed (10+ Gbps)
You need to use PF_RING ZC for zero-copy packet capture, as nTap is designed for low-speed networks. With ZC you can aggregate traffic and load balance it across multiple consumers using Intel/nVidia adapters in addition to FPGA NICs. You can read more about this topic in the PF_RING ZC User’s Guide.
- Adapter acceleration: Intel/nVidia NICs with RSS or FPGA
- CPU & Memory: Scale servers with sufficient NUMA-aware CPU cores and multiple memory banks/channels
Best Practices
- Aggregation in Software: nTap removes the need for external packet brokers.
- Encryption: Keep enabled unless operating in a trusted LAN.
- Performance Tuning: Use PF_RING ZC for >10 Gbps, RSS for load balancing.
- Application Sharing: When multiple apps (ntopng + n2disk + nProbe) need the same feed, use nTap collector + virtual interfaces or ZC clusters.
Deployment Reference Table
Traffic Feed | Low Speed (~1 Gbps) | Medium Speed (~10 Gbps) | High Speed (~40–100 Gbps) |
---|---|---|---|
Into n2disk first → nProbe | n2disk (1G) + nProbe Ent-M>L | n2disk (10G) + nProbe Ent-M>L | n2disk (40G/100G) + nProbe Ent-M>L n2disk (1G) + nProbe Cento S>XL |
Into nProbe first → n2disk + ntopng | nProbe Ent-S>L + n2disk (1G/5G) | nProbe Ent-S>L + n2disk (10G/40G/100G) | nProbe Cento S>XL + n2disk for nProbe Cento |
Directly into ntopng | Supported at all speeds (depending on capture pipeline) | ||
Adapter Accelerator | — | PF_RING ZC Adapter RSS Channels (Intel/nVidia) | PF_RING ZC (Intel/nVidia 1/10/40/100) Adapter RSS Channels FPGA-based NICs |
Ntop SW Server – CPU | 4 cores | 8 cores | 16+ cores |
Ntop SW Server – Memory | 8 GB RAM | 32 GB RAM | 64+ GB RAM |
Conclusion
nTap allows organizations to move beyond NetFlow-only monitoring and embrace full packet visibility without additional hardware. As nTap acts as a remote span, make sure you limit it to 1 Gbit networks as. For 10 Gbit + you need to use other techniques such as ZC that are directly connected to the packet source with a wire without sending traffic over a LAN.
By combining n2disk, nProbe, and ntopng, you can build a powerful pipeline for packet capture, flow analysis, and real-time monitoring—all with software-based aggregation.