ntopng Network Traffic Monitor: Identify Bandwidth Consumption and Network Bottlenecks

Published July 27 in Network Tools

ntopng is an open-source network traffic analysis tool accessed through a web-based interface. It goes beyond simple packet counting by providing visibility into bandwidth distribution, flagging security vulnerabilities, and helping administrators resolve issues before they escalate into network failures.

The platform tracks network activity through several methods:

  • Passive Capture: It monitors traffic silently in the background without introducing latency or noise to the network.
  • Flow Collection: It aggregates and processes NetFlow, sFlow, and IPFIX data.
  • Active Monitoring: It probes specific devices to verify their status and availability.
  • SNMP Monitoring: It monitors the core infrastructure of the network, such as switches and routers.

The primary difference between ntopng and a standard flow collector is the level of analysis. While basic collectors generate static spreadsheets of data, ntopng analyzes conversation patterns. It identifies the specific nature of the traffic—distinguishing between video streaming, backup routines, or unauthorized scans—and correlates this data with security metrics to provide a holistic view of network health.

Installing ntopng

The development cycle typically spans six to nine months. For the latest updates, consult the ntop blog or the official GitHub repository.

Linux

Stable and development packages are available at packages.ntop.org. Use the stable version for production environments and the development version if you require the latest experimental features.

macOS

  1. Installation: Download the official package. The installer requires Redis; if it is not present on your system, the installer will attempt to fetch it. Once installed, access the interface at http://127.0.0.1:3000.
  2. Uninstallation: Open the Terminal and execute sudo /usr/local/bin/ntopng-uninstall.sh.
  3. GeoIP Configuration: You must manually place the GeoIP database in /usr/local/share/ntopng/httpdocs/geoip. Restart the ntopng service to enable map-based visualizations.
  4. Configuration: Modify settings by editing /usr/local/etc/ntopng/ntopng.conf.
  5. Service Control: Use launchctl load or unload with the associated plist file to manage the service.
  6. Homebrew Method: Run brew install ntopng redis, then start the services with brew services start redis and sudo ntopng.

Windows

Windows support is currently limited to development builds.

Note: You must install Npcap first. If you already have Wireshark installed, Npcap should be present. Otherwise, install Npcap and ensure you select the option "Install Npcap in WinPcap API-compatible Mode". Skipping this step will result in a "wpcap.dll missing" error.

FreeBSD & Firewalls (OPNsense/pfSense)

Consult the specific integration guides on the ntop website. For pfSense users, it is critical to edit redis.conf. Ensure the dir parameter points to persistent disk storage (e.g., /var/db/pkg/ntopng/) rather than a RAM disk. Failure to do this will result in the loss of all historical data upon reboot. If your hardware has limited resources, consider running nProbe on the firewall and exporting the data to a more powerful host running ntopng.

Containers

Official Docker images are available on Docker Hub. Detailed instructions can be found in the guide titled Using ntop tools with Docker.

Updates

Update status can be verified via the web UI. You can perform manual checks or enable automatic nightly updates under Settings > Preferences > Updates. Because updates require a service restart, automatic updates are disabled by default.

Configuration & Daemon Control

Command-line parameters are managed within the ntopng.conf file. This configuration file is required when running the tool as a system daemon.

Sample Configuration Snippet:

--http-port=:3000
--dns-mode=3
--max-num-flows=200000
--dump-flows=clickhouse

Running as a Daemon (systemd)

  • To start the service: systemctl start ntopng
  • To enable start on boot: systemctl enable ntopng
  • To check service status: systemctl status ntopng

Managing Multiple Instances

If you need to run multiple instances of ntopng, use the @ syntax to differentiate them:

systemctl start ntopng@eno1

This configuration requires a corresponding file named ntopng-eno1.conf in /etc/ntopng. Each instance must be assigned its own unique Redis database (-r), HTTP port (-w), and data directory (-d).
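The uniqueness requirement for -r, -w and -d can be checked before a second instance is started. The following Python script is an added example, not part of ntopng or of the original article; the two instance files are constructed, and --redis and --data-dir are assumed to be the long spellings of -r and -d.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Options the page says must differ per instance, in short and long spelling.
UNIQUE_OPTS = {"-r": "redis", "--redis": "redis",
               "-w": "http-port", "--http-port": "http-port",
               "-d": "data-dir", "--data-dir": "data-dir"}

def parse_conf(path):
    """Return {option: value} for the per-instance options in one conf file."""
    found = {}
    for raw in Path(path).read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Accept both "key=value" and "key value"; flags without a value get "".
        key, value = (re.split(r"[=\s]+", line, maxsplit=1) + [""])[:2]
        if key in UNIQUE_OPTS:
            found[UNIQUE_OPTS[key]] = value
    return found

def find_conflicts(conf_dir):
    """List options that are unset or shared across ntopng-<name>.conf files."""
    seen, problems = defaultdict(list), []
    for conf in sorted(Path(conf_dir).glob("ntopng-*.conf")):
        instance = conf.stem[len("ntopng-"):]
        opts = parse_conf(conf)
        for opt in ("redis", "http-port", "data-dir"):
            if opt in opts:
                seen[(opt, opts[opt])].append(instance)
            else:
                problems.append(f"{instance}: {opt} not set")
    for (opt, value), instances in sorted(seen.items()):
        if len(instances) > 1:
            problems.append(f"{opt}={value} shared by {', '.join(instances)}")
    return problems

def demo():
    """Run the check on two constructed instance files (not real configs)."""
    eno1 = "-i=eno1\n-r=127.0.0.1:6379@1\n-w=3001\n-d=/var/lib/ntopng-eno1\n"
    eno2 = "# copied from eno1\n-i=eno2\n--redis=127.0.0.1:6379@2\n--http-port=3001\n"
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "ntopng-eno1.conf").write_text(eno1)
        Path(tmp, "ntopng-eno2.conf").write_text(eno2)
        return find_conflicts(tmp)

if __name__ == "__main__":
    print("\n".join(demo()) or "no conflicts")
```

Values are compared as written, so two spellings of the same Redis database or the same directory are not detected as a clash. Point find_conflicts at /etc/ntopng to check real instance files.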

Proxy Configuration

If ntopng must download blocklists through a proxy server, you must set the following environment variables:

export HTTP_PROXY=http://127.0.0.1:3128

For systemd services, define these with the DefaultEnvironment setting in /etc/systemd/system.conf or modify the specific service unit file directly.