Introducing nTap: a Virtual Tap for Monitoring and Cybersecurity (including Wireshark, Suricata, Zeek, OpenvSwitch)

Posted · Add Comment

This is to announce a new product named nTap that implements a software tap, to be used in physical and virtual/containerised environments.

Using nTap with ntop applications
nTap with Third Party Applications

nTap allows you to capture and deliver packets using a secure and encrypted communication channel from remote hosts to a collector host where traffic is received and injected on a virtual interface. In essence nTap allows you to create a virtual interface from which you can receive packets originating from remote hosts. Thanks to this design, all applications are compatible with nTap and they do not need to be modified or recompiled.

The main differences between a physical tap and nTap include:

  • nTap is able to deliver monitored traffic remotely (a physical tap requires a direct cable connection forcing to monitor traffic where it is generated).
  • nTap delivers packets with end-to-end encryption preventing intruders from watching monitored traffic.
  • nTap can apply packet filtering on monitored traffic (physical taps are unable to do this: more expensive packet brokers provide this feature).
  • nTap can be used in containers and virtual machines as well highly dynamic environments such as Kubernetes (a physical tap can be used only on a physical network).

For maximum flexibility you can also use nTap to inject packets in Open vSwitch

that you can use to redistribute packets to applications as if they were generated locally and not originating from a remote host.

nTap is based on two components:

  • nTap remote it is installed on the remote device for which need to monitor traffic.
  • nTap collector receives encrypted packets sent by nTap remote, decrypts them, and push them on a virtual ethernet interface where you can attach applications such as Wireshark, tcpdump, Suricata or Snort.

A single nTap collector can receive packets from multiple nTap remote instances, so you can for instance easily create a virtual interface receiving packets from multiple collector devices (e.g. user laptops working from home).


nTap packages (Linux, FreeBSD, additional platforms are planned) are available at The nTap user’s guide is available at this page.


The principle is that nTap does not need a commercial license when used with ntopng and nProbe. This is possible as ntopng Enterprise L and nprobe Enterprise M/L include native code support. In short:

  • The remote tap application never needs a license. This allows you to deploy it in highly dynamic environments such as containers and VMs.
  • The collector application requires a license, and it needs to be used with applications except ntopng Enterprise L and nprobe Enterprise M/L.

You can buy nTap licenses on the ntop shop if you plan to use nTap with non-ntop/multiple applications.

Enjoy !