In this article we are going to take a look at Ntopng. It is a network traffic monitor that evolved from the original program known as Ntop, which was created by the English organization of the same name in 1998. Ntopng is a web-based application for monitoring network traffic, released under the GPLv3. It provides an intuitive, encrypted web user interface for exploring network traffic information both in real time and historically.
This application is designed to be a high-performance, low-resource-consumption replacement for ntop. The name comes from "ntop next generation". Source code versions are available for Unix, GNU/Linux, BSD, Mac OS X and Windows. Binary versions are available for CentOS, Ubuntu and OS X. The ntopng engine is written in C++, while the web interface is written in Lua.
Ntopng is basically a network traffic probe that monitors network usage. It is based on libpcap, a library written as part of a larger program called tcpdump. Ntopng uses the Redis key-value server rather than a traditional database, leverages nDPI for protocol discovery, supports host geolocation, and can display real-time flow analysis for connected hosts.
Ntopng is available in three versions: Community (the free and open source version hosted on GitHub and licensed under the GNU GPLv3), Professional and Enterprise. The Professional and Enterprise versions offer some additional features.
General characteristics of Ntopng
- Packet capture → Packet capture / transmission using commodity hardware with PF_RING. Zero-copy packet distribution across threads, applications and virtual machines. Includes libpcap support for seamless integration with legacy applications.
- Traffic recording → Lossless network traffic recording at 10 Gbit and above with n2disk. Industry-standard PCAP file format. Allows packets to be retrieved quickly using BPF filters. Accurate traffic replay with disk2n.
- Network probe → nProbe, a NetFlow v5 / v9 / IPFIX extensible probe with plug-in support for L7 content inspection.
- Report on IP protocol usage → Even going so far as to classify it by protocol type.
- Traffic analysis → High-speed web-based traffic analysis and flow collection using ntopng. Persistent traffic statistics in RRD format. Layer 7 analysis leveraging nDPI, an open source DPI framework. Traffic can also be classified by source / destination.
- Geolocate and overlay hosts → This is done on a geographic map.
- Alert engine → Lets us capture anomalous and suspicious hosts.
- Produce network traffic statistics → Using HTML5 / AJAX technology.
- Full support for current network protocols → Including IPv4 and IPv6.
These are just some of the features. You can consult all of them on the project website.
Installing ntopng on Ubuntu
To install this tool on Ubuntu 18.04, all you have to do is open a terminal (Ctrl + Alt + T) and type the following command in it:
sudo apt install ntopng
The next thing we have to do is edit the configuration file located at /etc/ntopng.conf and uncomment the line for our network interface, or add it if it is missing:
sudo vim /etc/ntopng.conf
The next step is to edit the /etc/ntopng.start file and add the IP of our server there:
sudo vim /etc/ntopng.start
After installation and configuration, we can restart the ntopng service with this command:
systemctl restart ntopng
At this point we can open the Ntopng interface in a web browser using the following URL:
http://IP-DEL-SERVIDOR:3000
The default username and password for the first login are admin / admin. Right after logging in, it will ask us to change this password.
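As an added example (not part of the original article or of the ntopng project), the following POSIX shell script audits a configuration like the one edited above and applies the two changes described: uncommenting the capture interface and pinning the web UI to the server's IP so port 3000 is not exposed on every address. The -i and -w option names are ntopng's own; the sample config text and the address 192.168.1.10 are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample of /etc/ntopng.conf (one "option=value" per line, '#' comments):
# the interface line is still commented out and the web UI listens on all addresses.
SAMPLE_CONF='# ntopng configuration (constructed sample)
-G=/var/run/ntopng.pid
#-i=eth1
-w=3000
-m=192.168.1.0/24
'

# Print the value of option $1 (e.g. "-i") from config text on stdin, ignoring comments.
conf_get() {
    grep -v '^[[:space:]]*#' | sed -n "s/^[[:space:]]*$1=//p" | head -n1
}

# Audit config text $1: return 0 when a capture interface is set and the web UI
# is bound to a specific address, 1 otherwise; print one finding per check.
audit_conf() {
    conf="$1"; rc=0
    iface=$(printf '%s' "$conf" | conf_get '-i')
    if [ -z "$iface" ]; then
        echo "FAIL: no active -i line; uncomment or add the capture interface"; rc=1
    else
        echo "OK: capturing on $iface"
    fi
    port=$(printf '%s' "$conf" | conf_get '-w')
    case "$port" in
        *:*) echo "OK: web UI bound to $port" ;;
        "")  echo "FAIL: no -w line; web UI port not set"; rc=1 ;;
        *)   echo "WARN: -w=$port listens on every address; prefer -w=<server-ip>:$port"; rc=1 ;;
    esac
    return $rc
}

# Apply the article's two edits to config text $1: enable the commented -i line
# and prefix a bare -w port with the server IP given in $2. Prints the new config.
fix_conf() {
    printf '%s' "$1" | sed -e 's/^#-i=/-i=/' -e "s/^-w=\([0-9]*\)$/-w=$2:\1/"
}

# Before: two findings and exit status 1; after: both checks pass.
audit_conf "$SAMPLE_CONF" || echo "-- sample config needs fixing --"
FIXED=$(fix_conf "$SAMPLE_CONF" 192.168.1.10)
audit_conf "$FIXED"
```

Run it against the real file with `audit_conf "$(cat /etc/ntopng.conf)"` before restarting the service.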
Documentation
If you would like to learn more about how it works or get more information about ntopng, you can consult the User documentation and the API documentation. More information can also be found on the project website.
This is a great free software tool that offers excellent possibilities for network traffic monitoring. Ntopng is a good option to try for those who like to use applications a little more advanced than usual to analyze network traffic.