How Historical Flows Replay Works


ntop users who have enabled ClickHouse know that they can search, aggregate and export historical flows and create customized reports. However, in the past months some of our users were uncomfortable with this approach, as they preferred to seamlessly analyze historical data as if it were live data, with the full power of ntopng.

In the latest ntopng version we have added a new “play” button shown in the picture below.

In order to use this new feature, you need to:

  • Select the time span you are interested in (e.g. the last hour)
  • Optionally you can set a filter (e.g. only traffic of host X)
  • Click on the play button.

Once you have clicked on the button the following message is reported. Note that:

  • In order to avoid exhausting all the available memory when there are too many flows to extract, ntopng limits their number (currently to 2 million).
  • As data extraction can take a few seconds, please be patient (the speed depends on the ClickHouse extraction speed).

The extracted flows are used to populate a new interface named “Database”.

Once you select this interface, you can navigate all the pages as you do with live traffic. Note that in the menubar there is a blue icon (see the above picture) that shows whether flow loading is still in progress or the database extraction has already been completed. You can run a new historical flow extraction at any time; in that case the data previously present in the Database interface is overwritten.

Enjoy !