All Blog Posts

nScrub

Introducing nScrub 1.6: Broader Support, More Offloads, Improved Algorithms

We are excited to announce this new release of nScrub, 1.6, packed with new features, expanded hardware support, and key enhancements that strengthen network defense capabilities. This release adds native support for NVIDIA/Mellanox ConnectX adapters, and extends support for Napatech adapters by enabling TX offload, which optimizes packet transmission performance and reduces CPU overhead. We also implemented native support for DPDK, opening nScrub to deployments where users already rely on this SDK. We have also improved the detection and scrubbing algorithms, including additional checks on TCP packet …
Announce

Released nDPI 4.12: Obfuscated/Encrypted/Proxied Traffic and Fingerprints

This is to announce the release of nDPI 4.12, the first version after the 6-month release cycle we announced earlier this year. The main changes of this release include support for encrypted/obfuscated/proxied traffic, in particular for OpenVPN and TLS, as well as support for the network fingerprints presented in November at the Sharkfest conference. For all details see the enclosed changelog. Enjoy!
nDPI 4.12 (Dec 2024)
Major Changes
- Added detection of encrypted/obfuscated OpenVPN flows (#2547, #2560)
- Added detection of encrypted/obfuscated/proxied TLS flows (#2553)
- Implemented nDPI TCP fingerprint (https://github.com/ntop/nDPI/commit/6b6dad4fdb2e60cd2887f7d381bcab2387ba9507)
For further details …
cento

Exporting (Custom) Flows with Avro in nProbe Cento

This summer we introduced nProbe Cento 2.0. Before this release, Cento supported JSON serialization only when exporting flows to Kafka. JSON is straightforward and widely used, but it can be verbose and less efficient for high-throughput or resource-sensitive environments. To address these challenges, some time ago we introduced a binary/TLV format for data serialization when exporting flows to ntopng, implemented in our open-source nDPI library. However, despite this being an open format, it is not widely used. For this reason, in order to improve interoperability with other solutions, we …
ntop

HowTo Monitor Router Interfaces Congestion Using SNMP

Sometimes your router is congested, and you ask yourself “How is it possible?”, “Who is responsible for congesting the network?”, or “Which router/port is congested?”. You could answer the last question simply by using the SNMP/Flow Exporters Usage (see HowTo Monitor SNMP Interfaces Utilisation and Congestion Rate); but what about the other two? Let’s start by looking at SNMP. As explained in the previous post, if SNMP is enabled on the routers/switches, ntopng can be used to figure out whether an interface is congested. On the …
ntop

How nDPI Introduced Behaviour Analysis in Suricata

Last week we attended Suricon 2024, the annual conference about Suricata, and presented our work on how nDPI has been integrated with Suricata. At ntop we like to contribute to other open source projects we use and like, such as Suricata and Wireshark. One of the main limitations of Suricata is its inability to monitor many protocols (currently the engine supports ~20 protocols, compared to the 450+ protocols supported by nDPI), together with the lack of behaviour analysis that would complement Suricata's signature-based analysis very well. These have been the reasons …
Cybersecurity

A Deep Dive Into Traffic Fingerprints

Last week during SharkFest Europe 2024 we presented what network fingerprints are and how they work. During the talk we (Luca and Ivan) described how we extended nDPI with support for network fingerprints, and how this work has also been integrated in Wireshark. We believe that fingerprints are an interesting technology that can help in better understanding the nature of traffic flows, in detecting inconsistencies in crafted traffic (e.g. a Windows box that pretends to be an iOS device), and of course in cybersecurity. In the coming months …
ntopng

Introducing ntopng Hosts Activity Monitor

Many users asked us for a simple way to visualise host activity over time, in essence the ability to answer questions like:
- What hosts were active during the weekend?
- When is a host using most of the network?
- What hosts were active when a certain event happened?
This is what the hosts activity monitor does. In the dev branch, ntopng has been enhanced with a new menu entry under the hosts page that shows the activity of local hosts in a heatmap. From the menubar it is possible to specify an arbitrary …
nProbe

How To Implement Packet and Flow Deduplication

Depending on the network topology and configuration, your monitoring tools can receive the same traffic multiple times. This problem is called data duplication. Duplication can happen at packet or flow level:
- Packet duplication: the same packet is received multiple times (usually twice), either one after the other or within a short amount of time. Note that this has nothing to do with TCP data retransmission, which is a totally different scenario.
- Flow duplication: two or more flow devices observe the same traffic and emit the same flow at the same time. …
Announce

Introducing Centralized License Manager for Dynamic Environments

We continually strive to make software configuration and management more flexible and easier for users. To this end, we are excited to announce the launch of a new way of licensing software features: the centralised License Manager (LM). This tool simplifies software license management by dynamically allocating licenses to the various application instances running within your network. The LM is another option you can use in addition to the “traditional” systemId-based licenses we use today. What is the centralised License Manager? Managing software licenses across multiple instances within …
Cybersecurity

Can ntopng be considered an IDS (Intrusion Detection System) ?

ntopng is not typically classified as an Intrusion Detection System (IDS) in the traditional sense, but it does have some features that overlap with IDS functionalities. Let me explain the differences and how ntopng might serve a similar role: What is ntopng? ntopng is an open-source network traffic monitoring tool that provides visibility into network traffic and performance. It is primarily used for: Network Monitoring: Tracking traffic flows, bandwidth usage, and the behaviour of network devices. Traffic Analysis: Deep Packet Inspection (DPI) based on nDPI to analyse protocols, applications, and …
ntop

Introducing Multilanguage AI/LLM Support (beta)

In order to assist our community with 24/7 support, we have built an AI/LLM-based bot trained on the ntop documentation (all products, including ntopng, nProbe, nDPI…) and on the blog posts on this website. Currently this service is available in beta and it is accessible via Discord on our ntop server (read here how to access it). You can use it by asking questions in plain English/German/Italian/French/Dutch/Spanish…, so we hope that the language barrier will finally be solved. Please send us your comments, and in case there is …
nProbe

HowTo Configure Flow Collection in nProbe and ntopng

In flow (sFlow/NetFlow/IPFIX) collection, nProbe acts as a “flow processor” for ntopng. nProbe is responsible for sending flows to ntopng after they have been processed. This includes:
- Probe mode: nProbe captures network packets, converts them into flows, and exports them to ntopng.
- Collection mode: nProbe collects flows produced by a probe such as a router.
- Flow normalization: the process of converting flows into a format that ntopng can understand. This happens when flow exporter devices (e.g. a router) use custom information elements.
In addition nProbe takes care …