ntopng

Introducing ntopng 6.6: IXP/Telco Traffic Observability, Faster Flow Collection
We’re excited to announce the release of ntopng 6.6, available today! This release focuses on Autonomous Systems (AS) analytics, a major rework of the flow collection engine to provide better correlations and improve performance, and a native ClickHouse Cloud integration. But, as usual, there are many other improvements. Key Breakthroughs Autonomous Systems Intelligence ntopng 6.6 introduces brand new Autonomous Systems dashboards, Sankey visualizations, and comprehensive AS statistics.You can now easily understand traffic relationships between transit and origin ASes, track top contributors, and visualize AS-level traffic flows in real time. The release also brings: These …
nProbe

nProbe 11.0: Smarter Flow Analysis, Deeper Protocol Visibility, Enhanced GTP Traffic Correlation
We’re excited to announce the release of nProbe 11.0. This release incorporates several improvements and brings major improvements in flow analysis, tunnel handling, and TCP statistics, along with new features that make nProbe even more flexible and robust for complex network monitoring environments. Key Highlights Advanced TCP Flags Analysis nProbe 11.0 introduces enhanced TCP flag analysis, enabling more precise insights into TCP session behavior and improving visibility into flow state transitions. Enhanced GTP-C/GTP-U Traffic Correlation With this new release we have enhanced our GTP traffic processing and correlation (GTP-C with GTP-U) architecture. …
cento

Cento 2.4: Flexible Export, Improved Telco Support
This is to announce the release of cento 2.4, a major update focused on boosting export flexibility, improving telco-grade encapsulation support, and strengthening performance and reliability across the entire data pipeline.This release brings architectural enhancements, new features for ntopng users, and improved compatibility with modern hardware and Linux distributions. Below is an overview of what’s new. Key Features Template-based serialization (JSON/TLV) Cento 2.4 introduces support for template-driven serialization also when exporting data using JSON and TLV (used by ntopng). Users can now define exactly which fields to export, reducing overhead and …
nDPI

nDPI 5.0: Enhanced Traffic Fingerprinting and FPC, Many new Protocols
We are proud to announce the release of nDPI 5.0, the latest major update to our open-source Deep Packet Inspection (DPI) toolkit. This release introduces a powerful new fingerprinting system, unlimited protocol support, and enhanced detection capabilities that go beyond traditional methods. Major Highlights A Unified nDPI Fingerprint With nDPI 5.0, we are introducing a new fingerprinting mechanism that combines multiple layers of flow metadata into a single, robust fingerprint. This unified fingerprint integrates: This new approach allows nDPI to identify and correlate encrypted or obfuscated traffic more accurately than ever before.You can read more about the …
nProbe

HowTo Dump Collected Flows and nTap Packets with nProbe
When nProbe collects data (both sFlow/NetFlow/IPFIX and nTap), it immediately discards collected data after processing. However sometimes it is useful to dump such data. A typical use-case include: Probe can dump collected data to a virtual network interface on top of which applications such as n2disk or tcpdump can be enabled. This can be enabled with --dump-collected-pkts <interface> for dumping collected data onto the specified network interface. In case of nTap raw collectd packets are dumped “as is” to the interface, whereas collected flows are dumped with a dummy ethernet/IP/UDP header. You …
cento

HowTo Measure the Status and Performance of Network Flows
NetFlow has been originally designed to monitor network traffic using simple bytes/packets metrics. For TCP, it is also possible to know what TCP flags (that indicate the connection state) have been used on a flow, as NetFlow/IPFIX exports them as a cumulative OR of all TCP flags of the flow. This allows you to know if a SYN flag has been observed on a flow but not the number of SYN flags that have been reported for a flow. No other information elements have been implemented to report detailed TCP flow …
cento

How ntop Accelerated Network Telescope at Georgia Tech
If you are wondering what is a network telescope and how ntop tools have been used in research, we’re pleased to publish a guest post from Prof. A. Dainotti that describes the project. Enjoy ! At the Internet Intelligence Lab at Georgia Institute of Technology’s College of Computing, we have been using nProbe Cento and PF_RING ZC to help us build, monitor, and validate the output of an innovative research infrastructure — a dynamic network telescope — funded by the US National Science Foundation.   A network telescope uses a large …
ntopng

Flow Direction Swapping Explained
A flow is a set of traffic packets sharing the same tuple (IP src, IP dst, port src, port dst, protocol, VLAN, …). When a flow is observed from the beginning, the first packet is sent by the client towards the server. Unfortunately, sometimes the flow was already in place when monitoring tools (e.g. ntopng or nProbe) started, and thus there is a chance that the flow direction is wrong simply because the first observed packet was from server to client. In this case, the flow is reported as if …
Features

Simplifying Packages Installation with ntop-installer
Depending on your Linux distribution, you can install ntop packages using your platform packager (apt on Debian/Ubuntu and yum/dnf on RedHat/RockyLinux). Some users asked us a simplified installation tool, for networkers not acquainted with packages and installers. For this reason we have created a new tool named ntop-installer that allows ntop packages to be installer/removed using a text-based GUI rather than using apt/dnf. This new tool can be installed as follows: One that you just need to start ntop-installer and install/remove packages graphically. Below you can find some examples of …
Cybersecurity

When SNIs Cannot be Trusted
SNI (Server Name Indication) is an optional extension in TLS/QUIC that contains the symbolic host name we’re connecting to. For instance, during the TLS handshake, the SNI allows the server to identify the correct TLS certificate of a server hosting multiple websites. nDPI reports SNIs in order to make it possible to detect name-based services deployed on the same server IP address. Below you can see an example of how nDPI reports SNIs in encrypted traffic. Client applications use the SNI to verify that the website it is connecting to matches …
Technologies and Trends

Announcing ntop Professional Training: November 2025
ntop tools range from packet capture, traffic analysis and processing, and sometimes it is not easy to keep up on product updates as well master all the tools. This has been the driving force for organising ntop professional training. This is to announce that in October we have scheduled the next ntop Professional Training session. It will take place online (Microsoft Teams) on 13th, 18th, 20th, 25th, 27th of November, 2025 at 3.00 PM CET (9.00 AM EDT). Training will be held in English language and each session lasts 90 …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe