Technologies and Trends

  • Home
  • Technologies and Trends
nDPI

nDPI 5.0: Enhanced Traffic Fingerprinting and FPC, Many new Protocols
We are proud to announce the release of nDPI 5.0, the latest major update to our open-source Deep Packet Inspection (DPI) toolkit. This release introduces a powerful new fingerprinting system, unlimited protocol support, and enhanced detection capabilities that go beyond traditional methods. Major Highlights A Unified nDPI Fingerprint With nDPI 5.0, we are introducing a new fingerprinting mechanism that combines multiple layers of flow metadata into a single, robust fingerprint. This unified fingerprint integrates: This new approach allows nDPI to identify and correlate encrypted or obfuscated traffic more accurately than ever before.You can read more about the …
cento

HowTo Measure the Status and Performance of Network Flows
NetFlow has been originally designed to monitor network traffic using simple bytes/packets metrics. For TCP, it is also possible to know what TCP flags (that indicate the connection state) have been used on a flow, as NetFlow/IPFIX exports them as a cumulative OR of all TCP flags of the flow. This allows you to know if a SYN flag has been observed on a flow but not the number of SYN flags that have been reported for a flow. No other information elements have been implemented to report detailed TCP flow …
Features

Simplifying Packages Installation with ntop-installer
Depending on your Linux distribution, you can install ntop packages using your platform packager (apt on Debian/Ubuntu and yum/dnf on RedHat/RockyLinux). Some users asked us a simplified installation tool, for networkers not acquainted with packages and installers. For this reason we have created a new tool named ntop-installer that allows ntop packages to be installer/removed using a text-based GUI rather than using apt/dnf. This new tool can be installed as follows: One that you just need to start ntop-installer and install/remove packages graphically. Below you can find some examples of …
Cybersecurity

When SNIs Cannot be Trusted
SNI (Server Name Indication) is an optional extension in TLS/QUIC that contains the symbolic host name we’re connecting to. For instance, during the TLS handshake, the SNI allows the server to identify the correct TLS certificate of a server hosting multiple websites. nDPI reports SNIs in order to make it possible to detect name-based services deployed on the same server IP address. Below you can see an example of how nDPI reports SNIs in encrypted traffic. Client applications use the SNI to verify that the website it is connecting to matches …
Technologies and Trends

Announcing ntop Professional Training: November 2025
ntop tools range from packet capture, traffic analysis and processing, and sometimes it is not easy to keep up on product updates as well master all the tools. This has been the driving force for organising ntop professional training. This is to announce that in October we have scheduled the next ntop Professional Training session. It will take place online (Microsoft Teams) on 13th, 18th, 20th, 25th, 27th of November, 2025 at 3.00 PM CET (9.00 AM EDT). Training will be held in English language and each session lasts 90 …
cento

Handling High Flow Rates: Cento and ntopng at Scale
Cento is a high-speed NetFlow probe designed to analyse traffic from high-speed links (100+ Gbit/s) and export flows toward ntopng, third party collectors or big-data systems. When exporting data to ntopng, Cento uses ZeroMQ (ZMQ) as its primary mechanism for exporting flows in JSON or binary (TLV) format. In short, Cento acts as a ZMQ publisher, sending flow records over a TCP socket. ntopng subscribes to this socket as a ZMQ collector, receiving and processing the flows in real-time. This design allows flexible network deployment, with Cento running on the …
ntopng

AS Traffic Observability using ntopng
Since the first version of our tools, we have focused on packets. Having access to packets is a privilege that is not always possible; observing packets provides high-detailed information. At the edge of the Internet, traffic received/sent by hosts can be captured and observed, but in the case of network operators that act as a transit from the customers to the Internet, observing packets is not a good practice. This is because network operators need to make sure the service is available, but without going too deep. For this reason, network operators usually leverage NetFlow/IPFIX, sometimes …
Technologies and Trends

Breaking Free from Packet Brokers: How to Use nTap/PF_RING ZC for Traffic Aggregation
nTap is a lightweight software-based network tap designed by ntop to simplify remote traffic collection and analysis. Unlike traditional hardware-based packet brokers, nTap lets you capture, forward, and aggregate traffic using pure software—reducing complexity and cost. In this blog post, we’ll walk through: nTap fundamentals (FAQ highlights) Step-by-step configurations for popular use cases Integration with n2disk, nProbe, and ntopng Scaling from low (1 Gbps) to very high-speed (40/100 Gbps) deployments Best practices for performance optimization nTap FAQ Highlights Q: What is the network overhead introduced by nTap?Each captured packet incurs …
ntopng

Introducing ntopng Alerts Graph: Visualize Security Events Like Never Before
Network security analysts often struggle to understand how alerts are connected across different hosts. Traditionally, ntopng displayed flow alerts in a table format, perfect for listing issues, but limited when it comes to spotting patterns or identifying which host is the real problem or victim. Additionally, tabular visualization does not let security analysts or network managers quickly determine which problem to tackle first, causes alert fatigue what are the main network issues, such as brute force attempts, obsolete TLS or SSH version connections, periodic flows etc. These issues are now …
nDPI

Beyond JA3/JA4: Introducing nDPI Traffic Fingerprint
Traffic fingerprinting is a hot topic and we have discussed it several times both in this blog and at conferences. There are various fingerprints techniques and probably most of you know JA3/JA4. Let me do a short recap on the subject in nDPI we support several de-facto fingerprint such a JA4 and additional nDPI-native such as the OS (Operating System) fingerprint. In our research we have realized that in cybersecurity using a single fingerprint (e.g. JA4) leads to too many false positives making it a “nice to have” rather than …
Data Privacy

Export and Archive ClickHouse Flows in ntopng for Regulatory Compliance
Most ntopng users make extensive use of ClickHouse support for storing historical flow data and running analysis on it. ClickHouse is highly optimized and offers a high compression rate (estimated at an average of 60 bytes per flow), allowing for long data retention even with limited storage. However, to comply with regulations such as GDPR, SOX, HIPAA, and PCI DSS, it is often necessary to retain data for extended periods. This is manageable when flow rates are low to moderate, but can require significant disk space when flow rates are …

High-performance network traffic monitoring and analysis tools.

Explore
Newsletter
Subscribe