Operating ntopng on large networks¶
ntopng, in its default configuration, works out-of-the-box for most of the users. Home networks and small- to medium-sized corporate networks rarely require changes and optimizations to the ntopng configuration.
However, under some circumstances, a fine-tuning of the configuration could prove to be very helpful. There are some clear indicators that suggest a tuning is required. Those indicators are discussed below.
Sometimes, badges shown in the bottom-right corner of ntopng can turn into red. A red hosts badge indicates ntopng has not enough room to handle all the hosts. Similarly, a red flows badge indicates ntopng has not enough room to handle all the flows.
To increase the maximum number of hosts and flows handled by ntopng,
it is possible to use options
respectively. It is recommended to use values that are much
greater than the actual number of hosts and flows.
For example, assuming that ntopng has, on average, 10000 hosts and
20000 flows, one could safely specify
-X=200000 to make sure there always be enough room.
When ntopng drops packets, it means that it cannot keep up with the rate at which packets are entering the NIC being monitored. In this case, one should consider operating PF_RING Zero Copy (ZC), and even use RSS to let multiple thread handle the incoming traffic. The configuration of PF_RING ZC and RSS fall outside the scope of this guide. Additional information can be found at the following links:
We recommend the user interested in fine-tuning ntopng to refer to this blog post for additional tips and tricks: https://www.ntop.org/ntopng/best-practices-for-running-ntopng/.