ntopng is a network traffic probe designed to provide comprehensive network visibility. It gathers traffic information from various sources, including traffic mirrors, NetFlow exporters, SNMP devices, firewall logs, and intrusion detection systems. Written for portability, ntopng runs on Unix platforms like Linux, FreeBSD (including pfSense and OPNsense), MacOS, and Windows. It captures traffic from SPAN/mirror ports or TAP devices using libpcap or PF_RING (on Linux) for enhanced performance. It can also integrate with nProbe to collect NetFlow/sFlow data from routers and switches, or with nProbe Cento to analyze 100 Gbit links at full rate. The software features an intuitive, encrypted web user interface for exploring real-time and historical traffic data. It focuses on traffic visibility and cybersecurity, offering behavioral traffic analyses such as lateral movements and periodic traffic detection. A REST API facilitates integration with third-party applications, and native nTap support enables traffic collection from cloud environments, VMs, containers, and physical hosts.

Features & Benefits

• Traffic Sorting
  • Sorts network traffic based on criteria like IP address, port, Layer-7 application protocols, and Autonomous Systems (ASs).
• Real-time Monitoring
  • Displays real-time network traffic and active hosts.
• Long-term Reporting
  • Generates long-term reports for network metrics, including throughput and L7 application protocols.
• Top Talkers Identification
  • Identifies top talkers (senders/receivers), top ASs, and top L7 application protocols.
• Performance Monitoring
  • Monitors live throughput, network and application latencies, Round Trip Time (RTT), TCP statistics (retransmissions, out of order packets, packet lost), and bytes and packets transmitted.
• Persistent Statistics
  • Stores traffic statistics for future explorations and post-mortem analyses.
• Geographic Visualization
  • Geolocates and overlays hosts on a geographical map.
• Layer-7 Application Discovery
  • Discovers Layer-7 application protocols (e.g., Facebook, YouTube, BitTorrent) using nDPI technology.
• IP Traffic Analysis
  • Analyzes IP traffic and sorts it by source/destination.
• Protocol Usage Reporting
  • Reports IP protocol usage sorted by protocol type.
• HTML5/AJAX Statistics
  • Produces HTML5/AJAX network traffic statistics.
• IPv4 and IPv6 Support
  • Offers full support for IPv4 and IPv6.
• Layer-2 Support
  • Provides full Layer-2 support, including ARP statistics.
• GTP/GRE Detunnelling
  • Supports GTP/GRE detunnelling.
• Data Export
  • Supports ClickHouse, MySQL, and ElasticSearch for exporting monitored data.
• Historical Data Exploration
  • Enables interactive historical exploration of monitored data exported to ClickHouse.
• Alert Handling
  • Offers flexible alerts handling.
• SNMP Monitoring
  • Supports SNMP v1/v2c/v3 and continuous monitoring of SNMP devices.
• Identity Management
  • Includes identity management, correlating VPN users to traffic.
• Behavioral Traffic Analysis
  • Provides behavioral traffic analyses, such as lateral movements and periodic traffic detection.
• REST API
  • Offers a REST API to ease integrations with third-parties.
• Native nTap Support
  • Includes native nTap support for collecting traffic from cloud, VMs, containers, and physical hosts.