Using ntopng with nProbe Cento

nProbe Cento is a high-performance flow probe designed to process network traffic at line rate (10/40/100 Gbit and above) using hardware-accelerated capture technologies such as PF_RING ZC. It decouples the heavy-duty packet processing from the analysis and visualization performed by ntopng, making it the recommended solution for monitoring large or high-speed networks.

Note

An nProbe Cento and PF_RING ZC license is required to operate Cento at line rate on high-speed adapters.

ntopng can collect flows from nProbe Cento in two ways:

  • ZMQ: Cento exports flows over ZMQ to ntopng. This works over the network and supports remote ntopng instances. This is the same mechanism used by nProbe.

  • PF_RING ZC Queue: A local, zero-copy connection between Cento and ntopng running on the same physical host, providing the highest performance.

In addition, Cento can export flows directly to a ClickHouse database, which ntopng can then query for historical flow analysis and visualization. This is described in the Flow Dump to ClickHouse section.

Collecting Flows via ZMQ

The ZMQ-based integration between Cento and ntopng works in the same way as described in the Using ntopng with nProbe section. Cento acts as a ZMQ publisher and ntopng acts as a ZMQ subscriber (or collector).

Following is a minimum working configuration example assuming both Cento and ntopng run on the same host. In case they run on separate machines, replace 127.0.0.1 with the IP address of the machine hosting Cento.

ntopng Configuration

ntopng -i tcp://127.0.0.1:5556c

Cento Configuration

cento -i zc:eth1 --zmq tcp://127.0.0.1:5556

Cento acts as the connection initiator, and the trailing c in the ntopng endpoint tells ntopng to listen for incoming connection (collector mode).

Collecting Flows via PF_RING ZC

When Cento and ntopng run on the same physical host, a PF_RING ZC Socket provides a zero-copy, lower-latency alternative to ZMQ. In this mode Cento passes flows directly to ntopng without any serialization overhead.

Start Cento with the --monitor|-A option to enable the ZC socket export. Cento will print the interface name to use in ntopng in its startup log, for example:

ntopng -i zcflow:10@0

Note

The PF_RING ZC queue is a local connection only and supports a single consumer. Use ZMQ if ntopng runs on a different host or if multiple consumers are needed.

For scenarios with multiple capture queues and direct monitoring, Cento can be started as:

cento -i zc:eth1@[0-3] -A --direct-monitor

This eliminates aggregation overhead and enables parallel processing across multiple ntopng interafaces.

Data Encryption

ntopng and Cento support data encryption over ZMQ, based on the native CURVE encryption support in ZMQ (available with ZMQ >= 4.1).

In order to enable encryption, add the --zmq-encryption option to the ntopng configuration. A private/public key pair is automatically generated by ntopng and the public key is displayed in the interface status page.

The public key should then be configured in Cento using the --zmq-encryption-key '<pub key>' option.

Example:

  • Start ntopng as follows: ntopng -i tcp://127.0.0.1:5556c --zmq-encryption

  • Connect to the ntopng web GUI, navigate to the ZMQ interface status page and copy the value of --zmq-encryption-key '...'

  • Start Cento as follows: cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --zmq-encryption-key '<pub key>'

Note

Unless a private key is provided, ntopng generates a public/private keypair and stores it under /var/lib/ntopng/key.{pub,priv}.

Flow Dump to ClickHouse

nProbe Cento can export flows directly to a ClickHouse database, bypassing the ZMQ channel. ntopng then connects to the same ClickHouse instance in read-only mode for historical flow analysis and visualization.

The architecture follows this pattern:

Network Traffic --> nProbe Cento (write) --> ClickHouse <-- ntopng (read-only)

This approach is particularly suited to high-speed environments where storing all flows through ntopng would become a bottleneck.

Cento ClickHouse Options

The following Cento options control the ClickHouse export:

  • --clickhouse <host[:port]> — ClickHouse server address and native TCP port (default port: 9000). Append s to enable SSL (e.g. 192.168.1.1:9000s).

  • --clickhouse-auth <user:password> — Credentials for the ClickHouse user. Default user is default.

  • --clickhouse-dbname <name> — Target ClickHouse database name. Defaults to ntopng, which matches ntopng’s naming convention.

  • --clickhouse-interface-id <id> — Associates flows exported by Cento with a specific ntopng interface ID, required to bind flows to the correct ntopng interface. Default value is 0.

Configuration Example

Step 1 — Launch nProbe Cento with ClickHouse export:

cento -i zc:eth1 --zmq tcp://127.0.0.1:5556 --clickhouse 192.168.1.1 --dpi-level 2

Step 2 — Start ntopng in read-only flow dump mode:

ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump

The --readonly-flows-dump option tells ntopng not to write flows to ClickHouse itself, since Cento is the writer in this setup.

For a local all-in-one deployment where Cento, ClickHouse, and ntopng all run on the same host:

cento -i zc:eth1 --clickhouse 127.0.0.1 --clickhouse-interface-id 1
ntopng -i tcp://*:5556c -F clickhouse --readonly-flows-dump