nProbe

Capacity Planning for IT Teams: A Practical Guide Using ntop Tools
Transform network data into actionable infrastructure decisions with ntopng Introduction Every IT team faces the same challenge: how much network capacity is enough? Too little, and applications grind to a halt during peak hours. Too much, and you’re wasting budget on infrastructure you don’t need. Capacity planning doesn’t have to be guesswork. With the right tools and methodology, you can predict growth, identify bottlenecks before they cause outages, and make data-driven decisions about infrastructure investments. ntopng—the high-performance network traffic analyzer—gives you the visibility needed for effective capacity planning . Whether you’re managing a …
Cybersecurity

Security Investigation for Beginners (using ntopng)
Introduction When I first started investigating network security incidents, I felt overwhelmed by the complexity. Packets flying everywhere, mysterious connections, alerts I didn’t understand—sound familiar? Whether you’re an IT professional new to security, a small business owner wearing multiple hats, or simply someone who wants to understand what’s really happening on your network, this guide is for you. ntopng is more than just a network monitoring tool—it’s your window into the invisible world of network traffic. And the best part? You don’t need to be a security veteran to start using …
Cybersecurity

Slow DoS Detection and Prevention
A slow DoS (Denial of Service) attack is a type of cyberattack designed to overwhelm a server or web application by exploiting protocol weaknesses—not through high-volume traffic, but by sending requests very slowly or keeping connections open as long as possible. This consumes server resources (like concurrent connection limits, memory, or threads) with minimal bandwidth usage by the attacker. Instead of flooding the target with huge amounts of data, the attacker sends legitimate-looking requests at an extremely slow pace, or sends partial requests and delays completing them.The server keeps these connections open, waiting for …
cento

nProbe Cento at Scale: Flow Offload Acceleration on Napatech
High-speed networks continue to push the limits of software-based monitoring and security applications. As link speeds grow and traffic patterns become more complex, efficiently analyzing packets while maintaining per-flow state, for updating stats and running Deep Packet Inspection, is increasingly challenging. By leveraging on our long term experience with high-speed packet processing, modern architectures, and state of the art data structures, during the past years we developed nProbe Cento, a high-performance NetFlow probe able to keep up with 100+ Gbit/s on adequate servers. However, this requires quite some resources (mainly …
ntopng

How Flow Deduplication Works in nProbe and ntopng
Flow deduplication is the process of identifying and removing duplicate flow records that appear in NetFlow/IPFIX data when the same traffic is monitored and exported by multiple observation points (typically network devices) in the network. Without deduplication there are various issues that can arise including: Common flows duplication scenarios include: Said that flow duplication needs to be avoided, ntopng (Enterprise XL and superior) and nProbe (Enterprise L and superior) implement flow deduplication. In ntopng you can enable it from preferences and it works only with flow collection (i.e. ZMQ) and …
ntopng

ntopng Direct Dump Mode for High-Speed Flow Collection
When ntopng receives flows from nProbe (NetFlow collector) or nProbe Cento (100 Gbit probe) over ZMQ or Kafka, each flow must go through several processing stages before it is finally stored in the database. These stages include metadata enrichment, classification, analytics, behavioural checks, and additional internal operations. While this processing pipeline is essential for ntopng’s real-time monitoring, it naturally adds latency between the moment a flow arrives and when it becomes queryable in the (ClickHouse) storage backend. In large deployments ingesting thousands or hundreds of thousands of flows per second, …
nDPI

Is JA4 Now Obsolete?
JA4 is a modern network fingerprinting standard used to identify and profile clients initiating encrypted TLS (Transport Layer Security) connections. JA4 it is the successor to the widely used but now deprecated JA3 standard. JA3 is considered obsolete because it cannot provide a stable identifier for modern browsers and is easily bypassed by attackers. Its reliance on the specific sequence of fields in the TLS ClientHello message makes it highly fragile in today’s networking environment. One (but not the only one) of the main limitations is JA3 is sensitivity to …
Webinar

ntop Winter Webinar: ntopng 6.6 and New ntop Software Releases
Last week, we released a new release of the ntop tools: ntopng 6.6, nProbe 11.0, nDPI 5.0, Cento 2.4, PF_RING 9.2, and nScrub 1.8. As we have implemented many new features, including a brand-new ntopng component designed for monitoring large networks, we would like to introduce all this with a webinar. The goal of this event is to go through the new features and show them live, in addition to Q&A at the end of the event. For those who missed the event, please find enclosed below the presentation slides …
Technologies and Trends

ntop License Sizing Guide
A popular question we receive from users is the type of ntop license that should be used in projects. Below we try to answer this question to ease your choice. Packet Processing For use cases where you need to capture raw packets and analyze them. Note that up to 1 Gbit you can use PF_RING (no ZC), however above that speed PF_RING ZC is required. Network Speed ntopng (Standalone) ntopng + nProbe ntopng + nProbe Cento < 1 Gbit ✓ ✓ < 5 Gbit ✓ ✓ ✓ < 10 Gbit …
nScrub

nScrub 1.8: Performance, Flexibility, and Hardware Support
We are excited to announce the release of nScrub 1.8, the latest version of our high-performance DDoS protection and traffic scrubbing solution. This update brings significant improvements to the engine, new configuration options, expanded hardware support, and broader packaging availability. Engine Enhancements The 1.8 release introduces several performance optimizations and functional upgrades across the nScrub engine: New Options API Improvements The REST API has been extended to give administrators finer control over traffic mirroring: Tools and Packaging Updates Miscellaneous Improvements nScrub 1.8 is now available! We recommend all users upgrade to …
Technologies and Trends

PF_RING 9.2: Extended Offloads On Napatech and NVIDIA
We are excited to announce the release of PF_RING 9.2. This release brings numerous improvements across the core library, kernel module, and drivers, with a strong focus on stability, performance, and compatibility with modern Linux kernels and hardware platforms. PF_RING Kernel Module and Library The user-space library has been refined to improve stability and compatibility, with improvements in IPv6 and GRE packet decoding, and compatibility with the latest nDPI library for Layer-7 detection. The kernel module introduces several important enhancements, including improved namespace and container support, enabling smoother operation in virtualized and …
ntopng

ntopng 6.6: IXP/Telco Traffic Observability, Faster Flow Collection
We’re excited to announce the release of ntopng 6.6, available today! This release focuses on Autonomous Systems (AS) analytics, a major rework of the flow collection engine to provide better correlations and improve performance, and a native ClickHouse Cloud integration. But, as usual, there are many other improvements. Key Breakthroughs Autonomous Systems Intelligence ntopng 6.6 introduces brand new Autonomous Systems dashboards, Sankey visualizations, and comprehensive AS statistics.You can now easily understand traffic relationships between transit and origin ASes, track top contributors, and visualize AS-level traffic flows in real time. The release also brings: These …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe