Lead Image © Natalia Lukiyanova, 123RF.com

Lead Image © Natalia Lukiyanova, 123RF.com

Monitoring network traffic with ntopng

Eyes on the Network

Article from ADMIN 58/2020
By
The open source ntopng tool provides deep insights into network traffic and supports troubleshooting when network problems occur.

Administrators are well advised to monitor the availability and quality of their networks continuously. The open source ntopng tool has been tried and tested for years. In this article, I investigate how to commission the latest Enterprise version and explore its feature set.

Ntopng was originally developed by Luca Deri, a scientist at the University of Pisa, under the name ntop [1], which explains why the business still operates under the name "ntop di Deri Luca." The name ntop is derived from the Unix top program, which lets network administrators view system information related to CPU and memory usage and the currently running processes of a Unix system.

In this vein, ntopng is a network top program that lets admins display all the relevant parameters for the connected networks. Ntopng is a passive network monitoring tool that supports statistical evaluation of traffic data on the connected networks; it does not actively intervene in the network traffic (but see the "Layer 7 Manipulation" box). Ntopng is therefore ideally suited as a tool for administrators wanting to answer, among others, the following questions:

  • What devices are currently on the network?
  • How much traffic do the various devices cause on the network?
  • Which devices are communicating or exchanging data with others (internally and externally)?
  • What kind of bandwidth is used by each device, or which device is currently hogging the Internet connection?
  • What protocols exist on the network, and how is network traffic distributed among them?
  • Is any suspicious data traffic on the network caused by, for example, viruses or Trojans?

Ntopng is ideally suited for monitoring small and medium-sized Class C networks at gigabit speeds but can also be used for monitoring larger networks, given appropriate hardware.

Layer 7 Manipulation

The ntopng Edge (nEdge) [2] version of ntopng actively manipulates network traffic. nEdge lets you analyze network traffic at the protocol level (Layer 7) and block or restrict application protocols for individual or all users (network application control). Therefore, you can block bandwidth-intensive applications such as Torrent and prevent data being uploaded to cloud applications such as Dropbox, Google Drive, and the like.

Open Source Editions

The Community edition already contains ntopng's most important features. Armed with the free version, you can analyze network traffic on up to 32 network interface cards in real time; identify application protocols such as BitTorrent, Facebook, Dropbox, and YouTube; and generate alerts (e.g., if a system is using too much bandwidth).

The commercial editions (see the "Versions and Licensing" box) offer five days of installation support, support for up to 128 network interface cards (Enterprise), and, above all, the possibility of permanently storing analysis data with the additional n2disk module, which is the only way to evaluate historical data. The ability to connect to third-party systems such as Nagios, Icinga, and Suricata or integrate with LDAP (for single sign-on authentication at the web interface) is reserved for the commercial versions. By the way, universities, educational and scientific research institutions, and nonprofit organizations can obtain licenses for all ntop products free of charge. Details of the requirements and registration can be found online [3]; also see the "Versions and Licensing" box.

Versions and Licensing

Community, Professional, and Enterprise versions of ntopng are available. An overview of the functions included in the respective version can be found on the ntop website [4]. The Community edition of ntopng does not require a license; only the basic features are included in this version. Licenses for the Professional and Enterprise editions are available from the online store [5]. Licensing is per server; the license includes five days of installation support and updates for one year.

Prices for the x64 platform at press time were:

  • ntopng Enterprise for Linux/Windows: EUR500 (~$500)
  • ntopng Professional for Linux/Windows: EUR150
  • n2disk for ntopng for Linux: EUR300

Prices for the ARM platform:

  • ntopng Embedded Enterprise for Linux: EUR150
  • ntopng Pro Embedded for Linux: EUR50

Network Architecture

To give ntopng a wide view of network traffic, it makes sense to connect the system to the mirror port on the core switch by way of an (additional) network interface card. Otherwise, ntopng only sees the communication of its own computer and its communication partners.

The recommendation is to install ntopng on a computer with two network interface cards, one of which is used to collect network data and the other to manage the system itself. Usually you will not mirror all the ports of a switch to the mirror port – only the uplink to the Internet – so it is usually fine to monitor only the port to which the firewall is connected.

System Requirements

Ntopng is available for x64 Linux and Windows systems; the 32-bit architecture is no longer supported. An ARM version for the Raspberry Pi and Raspbian operating system is also available. Unfortunately, the Windows version lacks some important features for filtering network traffic, such as time and traffic quotas. More importantly, Windows does not provide for permanent storage of the analysis data with n2disk.

Ntopng focuses on two important Linux distribution branches: Debian/Ubuntu and Red Hat/CentOS. The packages required for ntopng are easily installed after setting up the operating system with the distributions' built-in tools (apt/deb or yum/rpm). A preconfigured distribution or appliance is not available.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs



Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
	</a>

<hr>		    
			</div>
		    		</div>

		<div class=