Ntopng High-Speed Web-based Traffic Analysis and Flow Collection installation


ntopng is the next-generation version of the original ntop, a network traffic probe that monitors network usage. ntopng is based on libpcap/PF_RING and is written portably, so it runs on virtually every Unix platform, on macOS and on Windows as well.

ntopng – yes, it's all lowercase – provides an intuitive, encrypted web user interface for exploring realtime and historical traffic information.

Features

  • Sort network traffic according to many criteria including IP address, port, Layer-7 (L7) application protocols, throughput, Autonomous Systems (ASs)
  • Show realtime network traffic and active hosts
  • Produce long-term reports for several network metrics including throughput and L7 application protocols
  • Top talkers (senders/receivers), top ASs, top L7 application protocols
  • Monitor and report live throughput, network and application latencies, Round Trip Time (RTT), TCP statistics (retransmissions, out-of-order packets, packets lost), and bytes and packets transmitted
  • Store on disk persistent traffic statistics to allow future explorations and post-mortem analyses
  • Geolocate and overlay hosts in a geographical map
  • Discover Layer-7 application protocols (Facebook, YouTube, BitTorrent, etc.) by leveraging nDPI, ntop's Deep Packet Inspection (DPI) technology
  • Analyze IP traffic and sort it according to the source/destination
  • Report IP protocol usage sorted by protocol type
  • Produce HTML5/AJAX network traffic statistics
  • Full support for IPv4 and IPv6
  • Full Layer-2 support (including ARP statistics)
  • GTP/GRE detunnelling
  • Support for ClickHouse/MySQL/ElasticSearch export of monitored data
  • Interactive historical exploration of monitored data exported to ClickHouse
  • Flexible alerts handling
  • SNMP v1/v2c/v3 support and continuous monitoring of SNMP devices
  • Identity Management, including correlation of VPN users to traffic
  • Focused on cybersecurity
  • Behavioral traffic analyses such as lateral movements and periodic traffic detection
  • REST API to ease integrations with third-parties

Install Ntopng

You must add the official Ntopng repository to install the latest version of Ntopng. The default Ubuntu repository has older versions.

Add the necessary dependencies.

sudo apt install wget gnupg software-properties-common

Download and install the Ntopng repository package.

wget https://packages.ntop.org/apt/20.04/all/apt-ntop.deb
sudo dpkg -i apt-ntop.deb
sudo apt update

Install Ntopng.

sudo apt install pfring-dkms nprobe ntopng n2disk cento

Configure Ntopng

Find your server’s network interfaces.

ntopng -h

Ntopng lists the available interfaces at the end of the help output.

Available interfaces (-i <interface index>):
    1. lo
    2. enp1s0

Open the Ntopng configuration file.

sudo nano /etc/ntopng/ntopng.conf

Add these lines to the end of the file. The -i=2 parameter instructs Ntopng to use the second interface, enp1s0. Change 2 to the interface you want to monitor. Leave 3000 as the web server port unless you require a different port.

# Network adapter name
-i=2
# HTTP port of the embedded web server.
-w=3000

Restart the ntopng service and set it to run at boot.

sudo systemctl restart ntopng
sudo systemctl enable ntopng

If you use a firewall like ufw, open the web server port.

sudo ufw allow 3000
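
An added example (not from the original article or the ntop project): a shell check that reads ntopng.conf, reports which addresses the -w web listener binds to, and prints a ufw rule limited to one source subnet rather than every source. The [addr:]port forms follow ntopng's --http-port option; the function names, the sample file and the 192.0.2.0/24 subnet are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: classify the web listener set in an ntopng.conf and scope
# the firewall rule to match. ntopng's -w / --http-port takes [addr:]port:
# a bare port listens on every address, ":port" is loopback only, 0 disables.

# http_listener <conf> -> "disabled" | "loopback:<port>" | "all:<port>" | "<addr>:<port>"
http_listener() {
    local value
    # Takes the last uncommented -w / --http-port line; trailing blanks are dropped.
    value=$(sed -n -E \
        's/^[[:space:]]*(-w|--http-port)[=[:space:]]+([^[:space:]#]+).*/\2/p' \
        "$1" | tail -n 1)
    value=${value:-3000}            # ntopng's default port when nothing is set
    case "$value" in
        0)   echo "disabled" ;;
        :*)  echo "loopback:${value#:}" ;;
        *:*) echo "$value" ;;
        *)   echo "all:$value" ;;
    esac
}

# ufw_rule <listener> <cidr> -> ufw command limited to <cidr>, or nothing
# when the listener is not reachable from the network at all.
ufw_rule() {
    local listener=$1 cidr=$2 port=${1##*:}
    case "$listener" in
        disabled|loopback:*) return 0 ;;
        *) echo "sudo ufw allow from $cidr to any port $port proto tcp" ;;
    esac
}

# Constructed sample: the lines this article appends to ntopng.conf.
demo_conf=$(mktemp)
printf '%s\n' '# Network adapter name' '-i=2' \
    '# HTTP port of the embedded web server.' '-w=3000' > "$demo_conf"
listener=$(http_listener "$demo_conf")
echo "web listener: $listener"
# 192.0.2.0/24 is a placeholder for your management subnet (assumption).
ufw_rule "$listener" 192.0.2.0/24
rm -f "$demo_conf"
```

With -w=:3000 in ntopng.conf the listener is loopback only, and the function prints no firewall rule because none is needed.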

Test the app

Navigate to your web interface at port 3000. Substitute your server’s IP address in this example:

http://x.x.x.x:3000

Log in as username admin and password admin.
