Welcome to ntopng 3.8 with continuous drill down: packets, flows, activities

Posted · Add Comment

We are happy to announce ntopng stable 3.8. The is the core of the next 4.0 release as it integrates new features that will be consolidated in the next release scheduled for spring.

The main features include:

  • SQL database-free high-speed traffic indexing based on a new home-grown technology. As explained in this post, we managed to store compressed flow information on disk combined with high-speed retrieval. Just add “-F nindex” to ntopng to start using this new feature, currently available in the ntopng enterprise edition. You can read more here.
  • Continuous drill-down that allows you do start from activities, down to flows and packets. All using the ntopng user interface, all with a few clicks. This allows to finally merge pieces that ntop has developed for years as separate components hat are finally available from a single place. Read more about continuous recording in ntopng.
  • Remote assistance for connecting to your ntopng instances, regardless of IP addresses, NAT, and firewalls. This thanks to ntop’s open source n2n peer-to-peer VPN.
  • Initial work towards traffic analysis with the implementation of statistical traffic indicators that will be exploited in the next major release to implement network behaviour analysis.

Enjoy !


New features


  • Alerts
    • Scan-detection for remote hosts
    • Configurable alerts for long-lived and elephant flows
    • InfluxDB export failed alerts
    • Remote-to-remote host alerts
    • Optional JSON alerts export to Syslog
  • Improved InfluxDB support
    • Handles slow and aborted queries
    • Uses authentication
  • Adds RADIUS and HTTP authenticators
  • Lua 5.3 support
    • Improved performance
    • Better memory management
    • Native support for 64-bit integers
    • Native support for bitwise operations
  • Adds the new libmaxminddb geolocation library
  • Storage utilization indicators
    • Global storage indicator to show the disk used by each interface
    • Per-interface storage indicator to show the disk used to store timeseries and flows
  • Support for Sonicwall PEN field names
  • Option to disable LDAP referrals
  • Requests and configures Keepalive support for ZMQ sockets
  • Three-way-handshake detection
  • Adds SNMP mac addresses to the search function


  • Implement nEdge policies test page
  • Implement device presets
  • DNS
    • Add more DNS servers
    • Remove deprecated DNS


  • Fixes missing flows dump on shutdown
  • HTTP dissection fixes
  • SNMP
    • Fix SNMP step when high resolution timeseries are enabled
    • Fixes SNMP devices permissions to prevent non-admins to delete or add devices
  • Properly handles endianness over ZMQ
  • Fixes early expiration of some TCP flows
  • Fixes non-deterministic expiration of flows