Author: admin

Features

Simplifying Packages Installation with ntop-installer

Depending on your Linux distribution, you can install ntop packages using your platform packager (apt on Debian/Ubuntu and yum/dnf on RedHat/RockyLinux). Some users asked us for a simplified installation tool, for networkers not acquainted with packages and installers. For this reason we have created a new tool named ntop-installer that allows ntop packages to be installed/removed using a text-based GUI rather than using apt/dnf. This new tool can be installed as follows: Once that is done, you just need to start ntop-installer and install/remove packages graphically. Below you can find some examples of …
Cybersecurity

When SNIs Cannot be Trusted

SNI (Server Name Indication) is an optional extension in TLS/QUIC that contains the symbolic host name we’re connecting to. For instance, during the TLS handshake, the SNI allows the server to identify the correct TLS certificate of a server hosting multiple websites. nDPI reports SNIs in order to make it possible to detect name-based services deployed on the same server IP address. Below you can see an example of how nDPI reports SNIs in encrypted traffic. Client applications use the SNI to verify that the website they are connecting to matches …
Technologies and Trends

Announcing ntop Professional Training: November 2025

ntop tools range from packet capture to traffic analysis and processing, and sometimes it is not easy to keep up with product updates as well as master all the tools. This has been the driving force for organising ntop professional training. This is to announce that in October we have scheduled the next ntop Professional Training session. It will take place online (Microsoft Teams) on 13th, 18th, 20th, 25th, 27th of November, 2025 at 3.00 PM CET (9.00 AM EDT). Training will be held in English and each session lasts 90 …
ntopng

AS Traffic Observability using ntopng

Since the first version of our tools, we have focused on packets. Having access to packets is a privilege that is not always possible; observing packets provides highly detailed information. At the edge of the Internet, traffic received/sent by hosts can be captured and observed, but in the case of network operators that act as a transit from the customers to the Internet, observing packets is not a good practice. This is because network operators need to make sure the service is available, but without going too deep. For this reason, network operators usually leverage NetFlow/IPFIX, sometimes …
nDPI

Beyond JA3/JA4: Introducing nDPI Traffic Fingerprint

Traffic fingerprinting is a hot topic and we have discussed it several times both in this blog and at conferences. There are various fingerprinting techniques and probably most of you know JA3/JA4. Let me do a short recap on the subject: in nDPI we support several de-facto fingerprints such as JA4 and additional nDPI-native ones such as the OS (Operating System) fingerprint. In our research we have realized that in cybersecurity using a single fingerprint (e.g. JA4) leads to too many false positives making it a “nice to have” rather than …
nProbe

Best Practices for nProbe and ntopng Deployment

We often receive inquiries about the best practices for deploying nProbe and ntopng. This post will try to shed some light on this subject. The first thing to know is how many flows/second in total the nProbe instances will deliver to ntopng. nProbe Flow Collection: Each nProbe instance can collect a high number of flows (in the 50/100k flows/sec range depending on hardware and flow types), but we typically suggest load balancing flows across multiple instances. Ideally, each nProbe instance should handle no more than 25k flows/sec. As ntop licenses are …
ntop

HowTo Monitor+nDPI Traffic on Mikrotik Devices Using TZSP

Mikrotik devices are very popular in the ntop community. The simplest way to monitor traffic of these devices is using flows as described in this blog post. However, sometimes flows might not be the best choice for various reasons including the inability to perform DPI on the captured traffic. For full visibility you can use a different option offered by Mikrotik devices. Under Tools -> Packet Sniffer you can export packets over the TZSP protocol (it is a sort of remote span protocol): just specify the IP of the remote …
ntopng

ntopng and nDPI Technical Webinars

One piece of feedback we collected at the PacketFest conference was to schedule periodic webinars about the popular ntop tools we develop. For this reason, we have decided to start with ntopng and nDPI: Below you can find the video of the webinars that took place on May 27th and June 10th. Enjoy! …
ntop

PacketFest 2025 was an absolute blast!

PacketFest 2025 has been a great success. About 110 people, coming from more than 10 (European and overseas) countries, met in Zürich and attended the conference organized by ntop with support from Switch, AnyWeb, and Leutert NetServices. It was a three-day event where the ntop and Wireshark communities met to discuss network traffic visibility and cybersecurity. It was a great pleasure to have on stage many packet experts including Gerald Combs (Wireshark creator), Kelley Misata (president of OISF), and Thomas Graf (IETF chair), this in addition to the ntop core …
nDPI

Introducing nDPI 4.14: Added QoE (Quality of Experience) and New Protocols, Several Fixes

We’re excited to announce the release of nDPI 4.14, a maintenance release that also includes some cool new protocol dissectors and fixes. As you know, maintaining a DPI library is no easy task, and this release is no exception. We’ve worked hard to enhance existing dissectors, making them more robust and efficient. We’ve also cleaned up some outdated code and improved flow risks. We’ll be sharing more details about the plans for the next nDPI release at PacketFest. This might be the last release of the 4.x series, so we’re …
Cybersecurity

Using Network Fingerprints Beyond Cybersecurity

Last week ntop was invited to give a talk at neacademy in Napoli, Italy. The topic was network fingerprints and nDPI. Network fingerprints such as JA4 have been made popular by cybersecurity, which uses them to spot malware (with limited false positives) and to find traffic pattern similarities. During the talk, we explained that it’s possible to improve fingerprint reliability by combining some of them, in addition to using fingerprints for various other activities beyond cybersecurity including (but not limited to) traffic classification and micro-segmentation. This was …
nProbe

AI-Driven Networks: A ML Solution for 5G Networks based on nProbe

In this contributed post the Universidade de Aveiro, Instituto de Telecomunicações, Portugal, explains how nProbe has been successfully used in 5G networks. Introduction: As networks evolve to meet the demands of modern connectivity, the need for intelligent traffic monitoring and anomaly detection becomes increasingly critical. In the context of 5G networks, where high-speed data transfer and low latency are paramount, Machine Learning (ML)-based solutions provide a robust mechanism for detecting anomalies and ensuring network reliability. Our project leverages nProbe, a high-performance NetFlow/IPFIX probe, to extract a comprehensive set of …