Ntopng

ntopng is a web-based network traffic monitoring tool and flow data aggregator. It functions as a network security monitor, an SNMP network management system, and an industrial protocol analyzer for OT and SCADA environments.

The system provides specialized inspection for industrial protocols such as Modbus, DNP3, and IEC 60870. It distinguishes itself through behavioral threat detection, encrypted traffic analysis via handshake fingerprinting, and the ability to identify hardware and operating systems using DHCP and MAC address patterns.

Its broader capabilities include real-time traffic analysis and packet capture, network topology mapping, and the orchestration of tiered collector hierarchies. The platform also manages network access control through captive portals, enforces traffic quotas, and exports flow and alert data to external databases such as ClickHouse, Elasticsearch, and Kafka.

The project supports executing multiple independent monitoring instances on a single host using isolated configurations.

Features

Real-Time Network Monitors - Provides real-time observation of live network traffic and bandwidth usage.

Network Security Analysis - Detects security threats and anomalies through behavioral analysis, encrypted traffic inspection, and security tool integration.

Industrial - Inspects OT and SCADA traffic including Modbus, DNP3, and IEC 60870 for critical infrastructure monitoring.

Flow Data Ingestion - Ingests network flow records from multiple routers and observation points to monitor traffic patterns.

Flow Tracking Engines - Maintains real-time tables of active network connections to correlate IP and non-IP traffic activity.

Network Flow Analyzers - Ingests flow data from remote probes via TCP endpoints to centralize network traffic analysis.

Protocol Dissectors - Uses modular dissectors to parse and extract structured data from diverse industrial and network protocols.

Packet Capture Engines - Captures raw network traffic using BPF filters to extract flow records and protocol-specific metadata.

Traffic Flow Aggregators - Collects and distributes network flow records by grouping individual packets into logical connections.

Behavioral Threat Detection - Identifies attackers and anomalies through behavioral analysis and indicators of compromise scores.

Device Fingerprinting - Identifies hardware and operating systems by matching DHCP options, HTTP headers, and MAC addresses against known patterns.

Network Security Monitors - Detects security threats and anomalies through behavioral analysis and indicators of compromise.

Industrial Protocol Inspectors - Inspects OT, ICS, and SCADA traffic including Modbus, DNP3, and IEC 60870 for infrastructure monitoring.

Industrial IoT Ingestion - Inspects OT and SCADA protocols like Modbus and DNP3 to monitor critical infrastructure and industrial control systems.

Network Traffic Analysis - Reports IP and non-IP traffic generated and received by each host using the network.

Network Traffic Analyzers - Provides a web-based analyzer for monitoring real-time network data packets and host communication patterns.

SNMP Management - Polls network devices using SNMP to map topology and track interface health.

Historical Data Analysis - Retrieves archived network flows and security alerts from historical records for trend analysis.

Data Export - Exports flow and alert data to external systems including ClickHouse, Elasticsearch, Kafka, and InfluxDB.

Elasticsearch Exporters - Sends network flows and security alerts to an external Elasticsearch index for long-term storage and analysis.

Distributed Storage - Distributes network monitoring data across database nodes to ensure high availability and scalable storage.

Multi-Backend Data Export - Serializes network flows and security alerts to external time-series and document databases like ClickHouse and Elasticsearch.

Network Traffic Export - Sends flow records and security alerts to external databases like Elasticsearch, ClickHouse, or Kafka for long-term storage.

Network Statistics APIs - Offers a programmatic interface to retrieve host statistics and active flow time series for performance analysis.

Network Connectivity Mapping - Visualizes network device relationships and interface connectivity using SNMP data and LLDP mappings.

Packet Capture Utilities - Provides tools for recording raw network traffic to pcap files for offline analysis.

Tiered Collector Hierarchies - Organizes remote monitoring instances in a star or tiered topology to forward data to a central collector.

Network Access Control - Implements a captive portal and dynamic blacklists to regulate network traffic flow based on identity.

Active Network Monitors - Tests network health and latency by sending ICMP, HTTP, and HTTPS requests to hosts and services.

Encrypted Traffic Analysis - Inspects TLS and SSH handshakes using fingerprints to identify self-signed certificates and unsafe ciphers.

Monitoring Orchestrators - Links remote monitoring instances to a central collector using star or tiered topologies.

Network Alerting Systems - Triggers security and performance notifications via email, Slack, Discord, and Webhooks.

Performance Metrics APIs - Provides an authenticated REST API to retrieve interface data and network performance metrics for external tools.

Network Traffic Dashboards - Creates custom dashboards and plots from exported flow data to visualize network health and security trends.

System Monitoring - Web-based network traffic and security monitoring.

ntopntopng

Features

Star history