.. _UsingNtopngWithCento:

Using ntopng with nProbe Cento
##############################

`nProbe Cento <https://www.ntop.org/products/netflow/nprobe-cento/>`_ is a high-performance
flow probe designed to process network traffic at line rate (10/40/100 Gbit and above) using
hardware-accelerated capture technologies such as `PF_RING ZC <https://www.ntop.org/guides/pf_ring/zc.html>`_.
It decouples the heavy-duty packet processing from the analysis and visualization performed by ntopng,
making it the recommended solution for monitoring large or high-speed networks.

.. note::

   An nProbe Cento and PF_RING ZC license is required to operate Cento at line rate on
   high-speed adapters.

ntopng can collect flows from nProbe Cento in two ways:

- **ZMQ**: Cento exports flows over ZMQ to ntopng. This works over the network and supports
  remote ntopng instances. This is the same mechanism used by nProbe.
- **PF_RING ZC Queue**: A local, zero-copy connection between Cento and ntopng running on
  the same physical host, providing the highest performance.

In addition, Cento can export flows directly to a **ClickHouse** database, which ntopng can
then query for historical flow analysis and visualization. This is described in the
`Flow Dump to ClickHouse`_ section.

Collecting Flows via ZMQ
========================

The ZMQ-based integration between Cento and ntopng works in the same way as described in the
:ref:`UsingNtopngWithNprobe` section. Cento acts as a ZMQ publisher and ntopng acts as a
ZMQ subscriber (or collector).

Following is a minimum working configuration example assuming both Cento and ntopng run on
the same host. In case they run on separate machines, replace :code:`127.0.0.1` with the
IP address of the machine hosting Cento.

*ntopng Configuration*

.. code:: bash

   ntopng -i tcp://127.0.0.1:5556c

*Cento Configuration*

.. code:: bash

   cento -i zc:eth1 --zmq tcp://127.0.0.1:5556

Cento acts as the connection initiator, and the trailing :code:`c` in the ntopng endpoint
tells ntopng to listen for incoming connection  (collector mode).

Collecting Flows via PF_RING ZC
===============================

When Cento and ntopng run on the same physical host, a PF_RING ZC Socket provides a
zero-copy, lower-latency alternative to ZMQ. In this mode Cento passes flows directly
to ntopng without any serialization overhead.

Start Cento with the :code:`--monitor|-A` option to enable the ZC socket export. Cento will print
the interface name to use in ntopng in its startup log, for example:

.. code:: bash

   ntopng -i zcflow:10@0

.. note::

   The PF_RING ZC queue is a local connection only and supports a single consumer.
   Use ZMQ if ntopng runs on a different host or if multiple consumers are needed.

For scenarios with multiple capture queues and direct monitoring, Cento can be started as:

.. code:: bash

   cento -i zc:eth1@[0-3] -A --direct-monitor

This eliminates aggregation overhead and enables parallel processing across multiple
ntopng interafaces.

Data Encryption
===============

ntopng and Cento support data encryption over ZMQ, based on the native CURVE encryption
support in ZMQ (available with ZMQ >= 4.1).

In order to enable encryption, add the :code:`--zmq-encryption` option to the ntopng
configuration. A private/public key pair is automatically generated by ntopng and the
public key is displayed in the interface status page.

The public key should then be configured in Cento using the
:code:`--zmq-encryption-key '<pub key>'` option.

Example:

- Start ntopng as follows: :code:`ntopng -i tcp://127.0.0.1:5556c --zmq-encryption`
- Connect to the ntopng web GUI, navigate to the ZMQ interface status page and copy the
  value of :code:`--zmq-encryption-key '...'`
- Start Cento as follows: :code:`cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --zmq-encryption-key '<pub key>'`

.. note::

   Unless a private key is provided, ntopng generates a public/private keypair and stores
   it under :code:`/var/lib/ntopng/key.{pub,priv}`.

.. _`Flow Dump to ClickHouse`:

Flow Dump to ClickHouse
=======================

nProbe Cento can export flows directly to a **ClickHouse** database, bypassing
the ZMQ channel. ntopng then connects to the same ClickHouse instance in read-only mode for
historical flow analysis and visualization.

The architecture follows this pattern:

.. code:: text

   Network Traffic --> nProbe Cento (write) --> ClickHouse <-- ntopng (read-only)

This approach is particularly suited to high-speed environments where storing all flows
through ntopng would become a bottleneck.

Cento ClickHouse Options
------------------------

The following Cento options control the ClickHouse export:

- :code:`--clickhouse <host[:port]>` — ClickHouse server address and native TCP port
  (default port: :code:`9000`). Append :code:`s` to enable SSL (e.g.
  :code:`192.168.1.1:9000s`).
- :code:`--clickhouse-auth <user:password>` — Credentials for the ClickHouse user.
  Default user is :code:`default`.
- :code:`--clickhouse-dbname <name>` — Target ClickHouse database name. Defaults to
  :code:`ntopng`, which matches ntopng's naming convention.
- :code:`--clickhouse-interface-id <id>` — Associates flows exported by Cento
  with a specific ntopng interface ID, required to bind flows to the correct ntopng
  interface. Default value is :code:`0`.

Configuration Example
---------------------

**Step 1** — Launch nProbe Cento with ClickHouse export:

.. code:: bash

   cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --clickhouse 192.168.1.1 --dpi-level 2

**Step 2** — Start ntopng in read-only flow dump mode:

.. code:: bash

   ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump

The :code:`--readonly-flows-dump` option tells ntopng not to write flows to ClickHouse
itself, since Cento is the writer in this setup.

For a local all-in-one deployment where Cento, ClickHouse, and ntopng all run on the same
host:

.. code:: bash

   cento -i zc:eth1 --clickhouse 127.0.0.1 --clickhouse-interface-id 1
   ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump