ntop
Monitor network traffic in real-time
SYNOPSIS
ntopng [options]
Common usage examples:
ntopng -i eth0 -w 3000
ntopng -r capture.pcap
PARAMETERS
-i
Specifies the network interface(s) to monitor (e.g., eth0, bond0) or a PCAP file to read traffic from (e.g., /path/to/capture.pcap). Can be specified multiple times.
-w
Sets the HTTP web server port for accessing the ntopng interface (default: 3000). Use 0 to disable the web server.
-L
Enables logging to syslog instead of standard output.
-d
Specifies the data directory where ntopng stores its internal files and RRD historical data.
-u
Drops privileges and runs ntopng as the specified user after initialization.
-g
Drops privileges and runs ntopng as the specified group after initialization.
-A
Prompts for setting up an administrator password for the web interface, securing access.
-F
Applies a BPF (Berkeley Packet Filter) capture filter to limit the collected traffic.
-q
Enables quiet mode, suppressing output to standard output.
-v
Enables verbose mode, providing more detailed logging output.
-Z
Disables the creation and storage of historical data, reducing disk I/O.
DESCRIPTION
ntop (Network TOP) is a command-line tool that acts as a network probe, providing a web-based interface for monitoring and analyzing network traffic. It is designed to show network usage in a way similar to how the top command shows CPU usage.
While the original ntop has been around for many years, its modern successor, ntopng (ntop Next Generation), is the actively maintained and recommended version. ntopng offers improved performance, scalability, and features, leveraging technologies like Redis for data storage.
It captures network traffic from specified interfaces, organizes it, and presents detailed statistics on network bandwidth utilization, active hosts, top talkers, protocols used, and overall network health. This allows administrators to identify network bottlenecks, detect abnormal behavior, and understand network flow patterns through a user-friendly web browser interface.
CAVEATS
ntopng, the modern successor to ntop, is the recommended version to use. The original ntop is largely deprecated and may not be actively maintained.
Running ntopng typically requires root privileges to capture network traffic from interfaces, though it's recommended to drop privileges using the -u and -g options once initialization is complete.
On high-traffic networks, ntopng can consume significant system resources (CPU, memory, disk I/O) due to extensive data processing and storage. Ensure adequate resources are available.
WEB INTERFACE-CENTRIC OPERATION
Unlike many other Linux network tools that operate directly in the terminal, ntop and ntopng primarily expose their functionality and collected data through a powerful web-based interface. Users interact with the tool and view statistics by navigating to its configured IP address and port in a web browser (e.g., http://localhost:3000).
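Added example (not from the original page or the ntop project): a shell audit for the privilege-drop caveat and the web port described above. It parses `ps` and `ss -ltn` output to flag an ntopng process still running as root and a web port bound to a non-loopback address. Assumptions: the process name `ntopng`, port 3000 taken from the default above, the embedded sample output (constructed), and the policy that any non-loopback bind deserves review.

```shell
#!/bin/sh
# Added example: audit ntopng's run-time posture from ps and ss output.
# The samples below are constructed so the script runs offline.

SAMPLE_PS='root     systemd
root     ntopng
redis    redis-server'                 # as printed by: ps -eo user=,comm=

SAMPLE_SS='LISTEN 0 128 0.0.0.0:3000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::1]:3000 [::]:*'        # as printed by: ss -H -ltn

# Count ntopng processes whose user is still root.
root_ntopng_count() {                  # $1 = ps output
    printf '%s\n' "$1" |
        awk '$2 == "ntopng" && $1 == "root" { n++ } END { print n + 0 }'
}

# Print each non-loopback local address listening on the given TCP port.
exposed_listeners() {                  # $1 = ss output, $2 = port
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 == "LISTEN" {
            n = split($4, part, ":")   # the port is the last ":" piece
            if (part[n] != port) next
            addr = substr($4, 1, length($4) - length(part[n]) - 1)
            if (addr !~ /^127\./ && addr != "[::1]") print addr
        }'
}

# Report findings; return 0 only when there are none.
audit() {                              # $1 = ps, $2 = ss, $3 = web port
    clean=0
    if [ "$(root_ntopng_count "$1")" -gt 0 ]; then
        echo "FINDING: ntopng is running as root (privileges not dropped)"
        clean=1
    fi
    exposed=$(exposed_listeners "$2" "$3")
    if [ -n "$exposed" ]; then
        printf '%s\n' "$exposed" |
            sed "s/^/FINDING: port $3 is bound to non-loopback address /"
        clean=1
    fi
    return "$clean"
}

# Live use: audit "$(ps -eo user=,comm=)" "$(ss -H -ltn)" 3000
audit "$SAMPLE_PS" "$SAMPLE_SS" 3000 || true
```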
RICH DATA & PROTOCOL SUPPORT
ntopng provides extensive information about network traffic, including detailed statistics per host, protocol (e.g., HTTP, DNS, SSL), and application layer. It identifies top talkers, monitors bandwidth usage in real-time, tracks flow information, and offers historical data for trend analysis.
PLUGIN ARCHITECTURE
ntopng features a flexible plugin architecture that allows for extending its capabilities, such as integrating with external services or adding support for new protocols and data sources.
HISTORY
The original ntop project was started by Luca Deri in 1998 at the University of Pisa, aiming to provide a 'top' like view for network traffic. It quickly gained popularity for its ability to offer insights into network usage.
Recognizing the limitations and challenges of the original C-based architecture, especially with increasing network speeds and data volumes, Luca Deri initiated the ntopng (ntop Next Generation) project. Released in 2012, ntopng was a complete rewrite in C++ and Lua, leveraging modern technologies like Redis for persistent data storage and a more scalable design. ntopng superseded the original ntop and is now the actively developed and widely used version.