Introducing ntopng 1.2


ntopng 1.2 is the result of 10 months of work. We have tried both to introduce new features and to make the product more robust, easy to use, and modern. The result is a simple tool with a refreshed GUI, user preferences, and new reports to display data in new ways.

Peers report

Leveraging the multi-interface support, ntopng (unless a specific interface is specified) listens on all network interfaces, so that you do not have to play with the command line to move from one interface to another.

ntopng menu Interface Pause

All the tables are now dynamic, with all the cells dynamically updating their value with up/down indicators.

Dynamic tables in ntopng

We have significantly improved flow collection (sFlow and NetFlow) as well as overall performance. As with the previous versions, in 1.2 we have built on top of the ntopng API and the JSON data representation. As explained in this post, ntopng is not just a collector: it can also act as a probe, so that you can create arbitrary application hierarchies and mix and match your ntopng instances the way you like best. You can have a central console monitoring various remote ntopng instances, and thanks to JSON+ZMQ you need not worry about slow network communications or temporarily unreachable servers, as ntopng will take care of these issues on your behalf.

We have worked with the various package maintainers to ease the packaging of the tool on the various Linux and BSD platforms, ported ntopng to Windows 64 bit platforms for a better experience, and added homebrew support so that OSX users can enjoy ntopng without being programmers. As 1.2 has just been released, please be patient until the updated packages are included in your favourite distribution. Of course, for all the intrepid who want to play with the development code, the SVN repository is still open.

Below you can find a comprehensive list of things we have changed in 1.2. We’ll now have a short vacation and then start working immediately on the next release. Many of our users have asked us to introduce into ntopng the ability to control traffic and thus act as a transparent monitoring + application traffic policer. Others would like to push ntopng in the cloud, by deploying ntopng on cheap boxes that push data to a personal cloud. Others might have other ideas. In essence, it’s now time for you to tell us what you have in mind for the next ntopng version so that we can list the features that will be part of the roadmap.

Many thanks to our users that helped us to make ntopng better. Enjoy!



  • Fixed some bugs that caused crashes in particular on 32 bit platforms (mostly used on embedded systems).
  • Updated web GUI with the use of Bootstrap 3 and many new reports.
  • Added support for system probe analysis (via nProbe with processPlugin). Interface names are now identified with a symbolic name that can be changed by the user. Network interfaces can be enabled/disabled at runtime.
  • Starting ntopng without -i now causes it to open all the network interfaces present on the system.
  • Added support for hardware timestamped packets produced by IXIA devices (--hw-timestamp-mode).
  • Added code to reconnect to redis automatically in case of redis restart.
  • Added changes for running ntopng on SecurityOnion.
  • Added -W flag to enable the HTTPS server on a specific port.
  • Updated -i flag to aggregate traffic from multiple collectors, and to specify multiple pcap files simultaneously and aggregate their traffic.
  • Added --json-label flag to use labels instead of numbers as keys when saving flows.
  • Added -I flag for exporting flows using the specified ZMQ endpoint in order to create hierarchies of ntopng instances.
  • Added -A flag for data aggregations for clustering information based on homogeneous information.
  • Added -g flag to bind the capture/processing thread to a specific CPU core (Linux only).
  • Added the concept of runtime preferences and added a new menu in the web GUI for handling them.
  • Added -k flag to enable the http:bl service, which can be used to trigger alerts for hosts that have been put on a blacklist based on their bad behaviour.
  • Added alerts system with many customisable thresholds that can be logged on syslog.
  • Extended host reporting information with new reports and enhancements to existing ones.
  • Added the Historical Interface for loading flows saved in SQLite format, specifying a time and date interval.
  • Added VLAN and subnet support.
  • Performance improvements both in nDPI and the ntopng engine.
  • Improved host correlation techniques.
  • Added support for Windows 64 bit (32 bit ntopng support has been discontinued even though ntopng still works on Win32).
  • Added support for *BSD platforms and various Linux versions.

PS: Here at ntop we’re probably more ants than grasshoppers, as we are unable to communicate to our community all the work we do. If somebody wants to join us and help with (both) code development and communications, this is a good time to raise your hand.