ntopng and ClickHouse: Lessons Learnt at California Institute of Technology

Posted · Add Comment

Caltech has been experimenting with ntopng on our network for slightly over a year now.  We send a decent amount of traffic to ntopng, bursting up to 20Gbps, utilising Cento to read the wire and forward the data to ntopng via PF_RING ZC.  This configuration has been working pretty well, though we were encountering issues once we reached about 16 – 20 days of data retention, where ntopng would begin to drop data points from that point forward, and I noticed InfluxDB would utilize 60% or more of available memory, even when using TSI indexes, as well as a considerable amount of CPU, and ntopng would also use quite a bit of available memory.  We really wanted to try and obtain no data point drops as well as reduce the amount of memory being used and went as far as looking into different solutions to increase performance, from isolating InfluxDB CPU and memory usage to separate cores and memory banks than ntopng, to using tuned to tweak various server performance settings, to potentially licensing InfluxDB Enterprise.

A few weeks ago I read about the work with ClickHouse and decided to implement the dev version of ntopng so we could give ClickHouse support a try.  This along with the implementation of InfluxDB and ClickHouse data stores on SSD has solved our dropped data points problem.

Implementing ClickHouse and InfluxDB with their data stores located on a mere 6 Gbps Micron SSD has proven more than sufficient so far.  InfluxDB RAM usage now rarely exceeds 7% and InfluxDB CPU bursts rarely rise about 120% for very short periods of time with no effect on 30 days of ntopng data point retention.  ntopng also has reduced RAM usage and I plan to continue to experiment by slowly and incrementally increasing the amount of time that data is retained, 30 days is nice, more is better.  :)

Congratulations to the ntop team for all of their hard work continually increasing the performance and usefulness of ntopng for Information Security purposes on high speed networks.


Greg Grasmehr
Lead Information Security Analyst
California Institute of Technology (Caltech)

This is a report from one of our educational users that uses ntop tools on a large educational network. We encourage other users willing to share their experiences to contact us for sharing information on this blog.