Monitoring network traffic with ntopng
Eyes on the Network
Administrators are well advised to monitor the availability and quality of their networks continuously. The open source ntopng tool has been tried and tested for years. In this article, I investigate how to commission the latest Enterprise version and explore its feature set.
Ntopng was originally developed by Luca Deri, a scientist at the University of Pisa, under the name ntop [1], which explains why the business still operates under the name "ntop di Deri Luca." The name ntop is derived from the Unix top program, which lets administrators view system information related to CPU and memory usage and the currently running processes of a Unix system.
In this vein, ntopng is a network top program that lets admins display all the relevant parameters for the connected networks. Ntopng is a passive network monitoring tool that supports statistical evaluation of traffic data on the connected networks; it does not actively intervene in the network traffic (but see the "Layer 7 Manipulation" box). Ntopng is therefore ideally suited as a tool for administrators wanting to answer, among others, the following questions:
- What devices are currently on the network?
- How much traffic do the various devices cause on the network?
- Which devices are communicating or exchanging data with others (internally and externally)?
- What kind of bandwidth is used by each device, or which device is currently hogging the Internet connection?
- What protocols exist on the network, and how is network traffic distributed among them?
- Is any suspicious data traffic on the network caused by, for example, viruses or Trojans?
Ntopng is ideally suited for monitoring small and medium-sized Class C networks at gigabit speeds but can also be used for monitoring larger networks, given appropriate hardware.
Layer 7 Manipulation
The ntopng Edge (nEdge) [2] version of ntopng actively manipulates network traffic. nEdge lets you analyze network traffic at the protocol level (Layer 7) and block or restrict application protocols for individual or all users (network application control). Therefore, you can block bandwidth-intensive applications such as Torrent and prevent data being uploaded to cloud applications such as Dropbox, Google Drive, and the like.
Open Source Editions
The Community edition already contains ntopng's most important features. Armed with the free version, you can analyze network traffic on up to 32 network interface cards in real time; identify application protocols such as BitTorrent, Facebook, Dropbox, and YouTube; and generate alerts (e.g., if a system is using too much bandwidth).
The commercial editions (see the "Versions and Licensing" box) offer five days of installation support, support for up to 128 network interface cards (Enterprise), and, above all, the possibility of permanently storing analysis data with the additional n2disk module, which is the only way to evaluate historical data. The ability to connect to third-party systems such as Nagios, Icinga, and Suricata or integrate with LDAP (for single sign-on authentication at the web interface) is reserved for the commercial versions. By the way, universities, educational and scientific research institutions, and nonprofit organizations can obtain licenses for all ntop products free of charge. Details of the requirements and registration can be found online [3]; also see the "Versions and Licensing" box.
Versions and Licensing
Community, Professional, and Enterprise versions of ntopng are available. An overview of the functions included in the respective version can be found on the ntop website [4]. The Community edition of ntopng does not require a license; only the basic features are included in this version. Licenses for the Professional and Enterprise editions are available from the online store [5]. Licensing is per server; the license includes five days of installation support and updates for one year.
Prices for the x64 platform at press time were:
- ntopng Enterprise for Linux/Windows: EUR500 (~$500)
- ntopng Professional for Linux/Windows: EUR150
- n2disk for ntopng for Linux: EUR300
Prices for the ARM platform:
- ntopng Embedded Enterprise for Linux: EUR150
- ntopng Pro Embedded for Linux: EUR50
Network Architecture
To give ntopng a wide view of network traffic, it makes sense to connect the system to the mirror port on the core switch by way of an (additional) network interface card. Otherwise, ntopng only sees the communication of its own computer and its communication partners.
The recommendation is to install ntopng on a computer with two network interface cards, one of which is used to collect network data and the other to manage the system itself. Usually you will not mirror all the ports of a switch to the mirror port – only the uplink to the Internet – so it is usually fine to monitor only the port to which the firewall is connected.
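As an added example (not from the article or the ntop project), the two-card layout described above written out as an ntopng configuration file: `eth1` is assumed to be the card cabled to the switch's mirror port, `192.0.2.10` the address of the management card, and `/etc/ntopng/ntopng.conf` the file the Linux packages read at start-up; interface names, addresses and network ranges are constructed values.

```ini
# /etc/ntopng/ntopng.conf -- one option per line in key=value form.

# Capture card: the NIC connected to the core switch's mirror port.
# It needs no IP address of its own; ntopng only listens on it.
# (constructed interface name)
-i=eth1

# Web console bound to the management card's address only, so the
# interface is not reachable from the monitored segment.
# (constructed address)
-w=192.0.2.10:3000

# Address ranges considered "local"; anything outside them is shown
# as remote traffic, i.e. the Internet side of the firewall.
# (constructed ranges)
-m=192.0.2.0/24,198.51.100.0/24

# Runtime data directory and PID file (assumed package defaults)
-d=/var/lib/ntopng
-G=/var/run/ntopng.pid
```

Leaving the capture card without an address keeps the monitoring host itself unaddressable over the mirror link, while the management card carries the web console and updates.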
System Requirements
Ntopng is available for x64 Linux and Windows systems; the 32-bit architecture is no longer supported. An ARM version for the Raspberry Pi and Raspbian operating system is also available. Unfortunately, the Windows version lacks some important features for filtering network traffic, such as time and traffic quotas. More importantly, Windows does not provide for permanent storage of the analysis data with n2disk.
Ntopng focuses on two important Linux distribution branches: Debian/Ubuntu and Red Hat/CentOS. The packages required for ntopng are easily installed after setting up the operating system with the distributions' built-in tools (apt/deb or yum/rpm). A preconfigured distribution or appliance is not available.