Author: admin

nDPI

Observing nDPI from the Inside: Introducing USDT Tracepoints

by Ivan Nardi One of the recurring challenges when embedding the nDPI library into a production application is answering a deceptively simple question: what is nDPI actually doing right now? You know packets are coming in, flows are being classified, and risks are being flagged — but at what rate? With what latency? Are some protocols taking longer to classify than usual? Is that CPU spike caused by a wave of TLS flows, a flood of DNS queries, or something else entirely? Your application or monitoring backend probably already exports …
ntopng

HowTo Enable Multi-Factor Authentication (MFA) in ntopng

Multi-Factor Authentication (MFA) is a security system that requires users to provide two or more verification factors to gain access to a resource such as an application, online account, or VPN. Using MFA to protect sensitive information such as network traffic is a key feature, in particular for ntopng admin users. In the current dev branch (and soon stable) of ntopng we have introduced MFA. Once you have created a user, you need to click on the MFA tab and click on the blue button for enabling it. Using …
Artificial Intelligence

HowTo Use (Local) LLMs with ntopng: Part I

A Large Language Model (LLM) is a type of artificial intelligence system that uses deep learning to understand, generate, and manipulate human language. Examples include Anthropic Claude, OpenAI GPT, Meta Llama and Google Gemini. They can be used to answer questions and explain concepts, write and edit code, perform logical reasoning and summarize documents. At ntop we are experimenting with Artificial Intelligence (AI) and LLMs, and we’ll introduce new features in the coming months. For the time being we want to start introducing our community to the use of …
nProbe

Network Telemetry Demystified: Microscope vs Telescope

As an ntopng developer, I often hear from users who are confused about the building blocks of network monitoring. Today, I’ll explain three fundamental concepts that will help you understand what your monitoring tools are actually showing you. Introduction If you’ve ever looked at ntopng’s flow reports and wondered “What exactly am I looking at?” or “Why does this tool show me different information than my packet capture?”, you’re not alone. Network monitoring gives us two primary ways to observe traffic, each with its own strengths. Think of it like …
nProbe

Capacity Planning for IT Teams: A Practical Guide Using ntop Tools

Transform network data into actionable infrastructure decisions with ntopng Introduction Every IT team faces the same challenge: how much network capacity is enough? Too little, and applications grind to a halt during peak hours. Too much, and you’re wasting budget on infrastructure you don’t need. Capacity planning doesn’t have to be guesswork. With the right tools and methodology, you can predict growth, identify bottlenecks before they cause outages, and make data-driven decisions about infrastructure investments. ntopng—the high-performance network traffic analyzer—gives you the visibility needed for effective capacity planning. Whether you’re managing a …
Cybersecurity

Security Investigation for Beginners (using ntopng)

Introduction When I first started investigating network security incidents, I felt overwhelmed by the complexity. Packets flying everywhere, mysterious connections, alerts I didn’t understand—sound familiar? Whether you’re an IT professional new to security, a small business owner wearing multiple hats, or simply someone who wants to understand what’s really happening on your network, this guide is for you. ntopng is more than just a network monitoring tool—it’s your window into the invisible world of network traffic. And the best part? You don’t need to be a security veteran to start using …
Cybersecurity

Slow DoS Detection and Prevention

A slow DoS (Denial of Service) attack is a type of cyberattack designed to overwhelm a server or web application by exploiting protocol weaknesses—not through high-volume traffic, but by sending requests very slowly or keeping connections open as long as possible. This consumes server resources (like concurrent connection limits, memory, or threads) with minimal bandwidth usage by the attacker. Instead of flooding the target with huge amounts of data, the attacker sends legitimate-looking requests at an extremely slow pace, or sends partial requests and delays completing them. The server keeps these connections open, waiting for …
ntopng

How Flow Deduplication Works in nProbe and ntopng

Flow deduplication is the process of identifying and removing duplicate flow records that appear in NetFlow/IPFIX data when the same traffic is monitored and exported by multiple observation points (typically network devices) in the network. Without deduplication, various issues can arise, including: Common flow duplication scenarios include: Given that flow duplication needs to be avoided, ntopng (Enterprise XL and superior) and nProbe (Enterprise L and superior) implement flow deduplication. In ntopng it is enabled automatically, and it works only with flow collection (i.e. ZMQ) and not with …
nDPI

Is JA4 Now Obsolete?

JA4 is a modern network fingerprinting standard used to identify and profile clients initiating encrypted TLS (Transport Layer Security) connections. JA4 is the successor to the widely used but now deprecated JA3 standard. JA3 is considered obsolete because it cannot provide a stable identifier for modern browsers and is easily bypassed by attackers. Its reliance on the specific sequence of fields in the TLS ClientHello message makes it highly fragile in today’s networking environment. One (but not the only one) of JA3’s main limitations is its sensitivity to …
Webinar

ntop Winter Webinar: ntopng 6.6 and New ntop Software Releases

Last week, we released new versions of the ntop tools: ntopng 6.6, nProbe 11.0, nDPI 5.0, Cento 2.4, PF_RING 9.2, and nScrub 1.8. As we have implemented many new features, including a brand-new ntopng component designed for monitoring large networks, we would like to introduce all this with a webinar. The goal of this event is to go through the new features and show them live, followed by a Q&A at the end of the event. For those who missed the event, please find enclosed below the presentation slides …
Technologies and Trends

ntop License Sizing Guide

A popular question we receive from users is which type of ntop license should be used in a project. Below we try to answer this question to ease your choice. Packet Processing For use cases where you need to capture raw packets and analyze them. Note that up to 1 Gbit you can use PF_RING (no ZC), whereas above that speed PF_RING ZC is required. Network Speed ntopng (Standalone) ntopng + nProbe ntopng + nProbe Cento < 1 Gbit ✓ ✓ < 5 Gbit ✓ ✓ ✓ < 10 Gbit …
nProbe

HowTo Dump Collected Flows and nTap Packets with nProbe

When nProbe collects data (both sFlow/NetFlow/IPFIX and nTap), it immediately discards the collected data after processing. However, sometimes it is useful to dump such data. Typical use cases include: nProbe can dump collected data to a virtual network interface on top of which applications such as n2disk or tcpdump can be enabled. This can be enabled with --dump-collected-pkts <interface> for dumping collected data onto the specified network interface. In the case of nTap, raw collected packets are dumped “as is” to the interface, whereas collected flows are dumped with a dummy Ethernet/IP/UDP header. You …