Technologies and Trends

Breaking Free from Packet Brokers: How to Use nTap/PF_RING ZC for Traffic Aggregation
nTap is a lightweight software-based network tap designed by ntop to simplify remote traffic collection and analysis. Unlike traditional hardware-based packet brokers, nTap lets you capture, forward, and aggregate traffic using pure software—reducing complexity and cost. In this blog post, we’ll walk through: nTap fundamentals (FAQ highlights) Step-by-step configurations for popular use cases Integration with n2disk, nProbe, and ntopng Scaling from low (1 Gbps) to very high-speed (40/100 Gbps) deployments Best practices for performance optimization nTap FAQ Highlights Q: What is the network overhead introduced by nTap?Each captured packet incurs …
ntopng

Introducing ntopng Alerts Graph: Visualize Security Events Like Never Before
Network security analysts often struggle to understand how alerts are connected across different hosts. Traditionally, ntopng displayed flow alerts in a table format, perfect for listing issues, but limited when it comes to spotting patterns or identifying which host is the real problem or victim. Additionally, tabular visualization does not let security analysts or network managers quickly determine which problem to tackle first, causes alert fatigue what are the main network issues, such as brute force attempts, obsolete TLS or SSH version connections, periodic flows etc. These issues are now …
nDPI

Beyond JA3/JA4: Introducing nDPI Traffic Fingerprint
Traffic fingerprinting is a hot topic and we have discussed it several times both in this blog and at conferences. There are various fingerprints techniques and probably most of you know JA3/JA4. Let me do a short recap on the subject in nDPI we support several de-facto fingerprint such a JA4 and additional nDPI-native such as the OS (Operating System) fingerprint. In our research we have realized that in cybersecurity using a single fingerprint (e.g. JA4) leads to too many false positives making it a “nice to have” rather than …
Data Privacy

Export and Archive ClickHouse Flows in ntopng for Regulatory Compliance
Most ntopng users make extensive use of ClickHouse support for storing historical flow data and running analysis on it. ClickHouse is highly optimized and offers a high compression rate (estimated at an average of 60 bytes per flow), allowing for long data retention even with limited storage. However, to comply with regulations such as GDPR, SOX, HIPAA, and PCI DSS, it is often necessary to retain data for extended periods. This is manageable when flow rates are low to moderate, but can require significant disk space when flow rates are …
nProbe

Best Practices for nProbe and ntopng Deployment
We often receive inquiries about the best practices for deploying nProbe and ntopng. This post will try to shed some light on this subject. The first thing to know is how many flows/second in total the nProbe instances will deliver to ntopng.  nProbe Flow CollectionEach nProbe instance can collect a high number of flows (in the 50/100k flows/sec range depending on hardware and flow types), but we typically suggest loading balance flows across multiple instances. Ideally, each nProbe instance should handle no more than 25k flow/sec. As ntop licenses are …
ntop

New, Fast, Scalable ClickHouse Integration for High-Volume Networks
When it comes to monitoring very large networks and the flows’ cardinality reaches into the billions, the performance of historical data storage and query systems becomes a critical bottleneck. Network operators, analysts, and engineers need to access flow records quickly and reliably, whether for traffic analysis, security investigations, or compliance reporting. When faced with massive datasets, even small inefficiencies in the data pipeline can result in slow queries, high CPU and disk usage, and poor responsiveness. At ntop, our mission is to help users gain visibility into their networks with …
ntop

Network Visibility and Observability: ntopng vs SNMP+
Recently, we’ve encountered users with high monitoring requirements. Some users need to monitor 1,000 routers and want to know who are the top talkers or top protocols. Others have a network with 200 branches, each with a NetFlow-enabled router. They need to know from a central location who are the top bandwidth users and ports on selected branches. Essentially, these users don’t need fine-grained network traffic monitoring. They just need a rough idea of who the top network users are (IP and ports). Often, users who ask us these questions …
ntop

HowTo Monitor+nDPI Traffic on Mikrotik Devices Using TZSP
Mikrotik devices are very popular in the ntop community. The simplest way to monitor traffic of these devices is using flows as described in this blog post. However sometimes flows might not be the best choice for various reasons including the inability to perform DPI on the captured traffic.  For full visibility you can use a different option offered by Mikrotik devices. Under Tools -> Packet Sniffer  you can export packets over the TZSP protocol (it is a sort of remote span protocol): just specify the IP of the remote …
ntopng

ntopng and nDPI Technical Webinars
One of the feedbacks we have collected at the PacketFest conference is to schedule periodic webinars about popular ntop tools we develop. For this reason, we have decided to start with ntopng and nDPI: Below you can find the video of the webinars that took plance on May 27th and June 10th.     Enjoy ! …
ntop

PacketFest 2025 was an absolute blast!
PacketFest 2025 has been a great success. About 110 people, coming from more than 10 (European and overseas) countries, met in Zürich and attended the conference organized by ntop with support from Switch, AnyWeb, and Leutert NetServices. It was a three-day event where the ntop and Wireshark communities met to discuss network traffic visibility and cybersecurity. It was a great pleasure to have on stage many packet experts including Gerald Combs (Wireshark creator), Kelley Misata (president of OISF), and Thomas Graf (IETF chair), this in addition to the ntop core …
nEdge

Released ntopng 6.4: More Insightful Than Ever
We’re excited to announce a new ntopng stable release 6.4, a feature-packed update! With a strong focus on assets visibility and QoE monitoring. This version introduces groundbreaking new dashboards, advanced reporting, better alerting, and a lot of improvements to keep your network monitoring efficient and insightful. Breakthroughs Asset Inventory & Digital Twin DashboardVisualize your infrastructure like never before. The new dashboard provides a clear inventory of network assets with their virtual representations. Infrastructure DashboardManage multi-region deployments with a bird’s-eye view of your infrastructure and performance across distributed environments. Autonomous Systems …
Announce

Introducing nProbe 10.8: QoE, AWS/GCP VPC Support, Better GTP Traffic Correlation
We’re excited to announce the new nProbe 10.8 release! This release introduces features that improve visibility, performance, and protocol intelligence, while also addressing many community-requested improvements and fixes. Quality of Experience (QoE) Monitoring Understanding network performance from the user’s perspective is more important than ever. With QoE computation, nProbe now allows you to assess the quality of application flows, enabling proactive troubleshooting and smarter optimization. Improved GTP-C/GTP-U Correlation This release improves GTP traffic correlation for stitching mobile subscribers to their traffic (e.g. you can know the IMSI of the user …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe