Network monitoring and analysis aren’t limited to servers; home network users should consider them too, including Linux users. And let’s be honest, not all of us enjoy dealing with text-based logs or CLI tools. That’s why an open source network analyzer with a dedicated GUI can be incredibly useful, and that’s where ntopng comes into play.
But before diving into ntopng’s features and installation, you might ask: Why should we, as Linux desktop users, monitor and analyze our networks?
This article is sponsored by TUXEDOComputers, a German company that produces Linux hardware, notebooks, computers, and more. Always and forever, all ideas and opinions on this website are wholly mine, as my values are not for sale. To learn more, read our Code of Ethics.
Why Monitor Your Home Network?
The main reason, as you might guess, is to enhance your devices’ security and protect your privacy. With network monitoring, you can:
- Identify unauthorized access, such as unknown devices connected to your Wi-Fi.
- Detect compromised or infected devices that may be sending your personal data to malicious actors.
- Spot suspicious activity like port scans and brute-force login attempts.
- Identify unwanted outbound connections, such as trackers and telemetry, so you can block them using your firewall (whose efficiency you can also evaluate through network analysis).
Other important reasons include:
- Troubleshooting connectivity issues, like dropped packets.
- Diagnosing Wi-Fi problems such as channel congestion and interference.
- Gaining hands-on experience with cybersecurity tools, understanding network protocols, and analyzing traffic—skills that are valuable in digital forensics.

So, do these benefits convince you to start monitoring your network? If yes, you’re ready to dive into ntopng’s features.
What Are the ntopng Features?
Released under the GPLv3 license, ntopng is free, cross-platform network monitoring software. With “ng” standing for “next generation”, it is designed as a high-performance alternative to the original ntop.
What makes ntopng superior to standard traffic collectors is its ability to not only collect traffic data but also analyze it. That means you can draw meaningful conclusions from network activity, track cybersecurity metrics, and explore real-time and historical traffic information in a sleek, user-friendly interface.

The interface works in any modern HTML5-compatible web browser (hopefully, you’re using an open source one). Even better, ntopng includes both dark and light themes so your eyes won’t hurt when you’re doing your detective work!

In terms of traffic gathering, ntopng is impressively versatile. It can:
- Passively capture network traffic[1] from SPAN/mirror ports or TAP devices using libpcap, or PF_RING on Linux for better performance.
- Collect network flows using NetFlow, sFlow, and IPFIX[2].
- Actively monitor devices using SNMP[3].
- Import data from firewall logs and intrusion detection systems.
Once the traffic information is collected, ntopng can sort it by a wide range of criteria, including IP addresses, ports, Layer-7[4] (L7) application protocols, and Autonomous Systems (ASs)[5].

AS information is particularly valuable because it helps you understand where your data is going—revealing which major internet players your devices are communicating with. If you consistently spot an unfamiliar or suspicious AS, that could be a red flag.

Application protocol insights tell you what people are doing on your network. Are they mostly streaming, browsing, downloading? This can help you manage bandwidth more efficiently, for example, by limiting BitTorrent during work hours. ntopng also allows you to store traffic stats to disk for historical analysis.

Even more impressive: ntopng can geolocate hosts and overlay them on a geographic map, detect GTP/GRE tunnels and perform detunneling[6], and it offers a full-featured REST API for integration with other tools.
Oh, and did I mention protocol support? ntopng handles everything from Ethernet to IPv4/IPv6, TCP/UDP/ICMP, DNS, NetBIOS, DHCP, and 250+ Layer-7 application protocols, thanks to nDPI[7].
How to Install ntopng?
We will focus on installing ntopng on Linux, but it is also available for Windows, macOS, Raspbian, Raspberry Pi OS, and even as a Docker container.
However, installing ntopng on your Linux laptop or desktop alone won’t give you its full potential. That’s because it needs full visibility into all network traffic, and most home routers don’t support NetFlow, sFlow, IPFIX, or port mirroring, which are essential for that level of monitoring.
To overcome this limitation, the best solution in my opinion is to replace your current router with one that supports one of these traffic export or mirroring features. So, is ntopng useless without a special router? Not at all.
Even if your router doesn’t support NetFlow, sFlow, IPFIX, or port mirroring, ntopng can still analyze all network activity on the Linux device it’s installed on. This includes:
- Real-time bandwidth and traffic volume
- Apps and services in use
- Latency, packet loss, TCP retransmissions, RTT
- IPs you’re communicating with, plus geolocation
- IPv4/IPv6 statistics, protocol usage
- Alerts on unusual traffic patterns
This helps you detect suspicious connections and unexpected data usage, allowing you to better understand how your apps use the internet and protect your privacy. Additionally, even without full visibility into other devices’ traffic, ntopng can still:
- Discover active devices on your network
- Show IP addresses, MAC addresses, and hardware vendors
- Provide limited stats for devices that interact with your laptop
This helps you identify unauthorized or unknown devices and monitor your device’s connection status without needing access to your router.
And I believe these benefits are more than enough to convince you to give ntopng a try.
As Linux users, and since our favorite distributions vary, ntopng provides binary packages to avoid the headache of compiling—especially after reading an article like this that already stormed your brain with networking info.
In Ubuntu 24.04, you can install ntopng using the following combined command line:
sudo apt install software-properties-common wget && sudo add-apt-repository universe && wget https://packages.ntop.org/apt-stable/24.04/all/apt-ntop-stable.deb && sudo apt install ./apt-ntop-stable.deb && sudo apt clean all && sudo apt update && sudo apt install -y pfring-dkms ntopng
In Debian 11, you’ll need to add contrib at the end of each line that begins with deb or deb-src in /etc/apt/sources.list. You can do that with:
# Append contrib to every deb/deb-src line that does not already list it; the original file is kept as sources.list.bak
sudo sed -i.bak -E '/^deb(-src)? /{/ contrib( |$)/!s/[[:space:]]*$/ contrib/}' /etc/apt/sources.list
Then install ntopng:
wget https://packages.ntop.org/apt-stable/bullseye/all/apt-ntop-stable.deb && sudo apt install ./apt-ntop-stable.deb -y && sudo apt clean all && sudo apt update && sudo apt install -y pfring-dkms ntopng
There is no official repository for Fedora, but you can run ntopng in Docker (official repos exist for Red Hat and derivatives like Rocky Linux and AlmaLinux).
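- Install Docker and Valkey (the Redis-compatible data store that Fedora ships):
sudo dnf install docker valkey -y && sudo systemctl enable --now docker valkey && sudo usermod -aG docker "$USER"
You must log out and log back in (or reboot) for the group change to take effect. Membership in the docker group is effectively root access on the host, and the run command below already uses sudo, so you can leave out the usermod part if you prefer not to grant it.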
- Create a data folder for ntopng:
mkdir -p "$HOME/ntopng-data"
- Run the ntopng container:
sudo docker run -d --name ntopng --net=host -v "$HOME/ntopng-data:/var/lib/ntopng:Z" ntop/ntopng:latest -i YOUR_INTERFACE --community
Just make sure to replace YOUR_INTERFACE with the actual interface name, such as eth0, enp1s0, or wlan0. To find it, you can use:
ip -brief address
If you use Arch Linux, you can install ntopng from the AUR:
yay -S ntopng
Once ntopng is installed, open your web browser and go to either http://127.0.0.1:3000 or http://localhost:3000.

Log in using admin for both the username and password. After logging in, you’ll be prompted to change the default password. Enter a new one, click Change Password, and voilà—enjoy visualizing your home network traffic.
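Because the interface starts out with the admin/admin login and the Docker command above uses --net=host, it is worth confirming which addresses the web UI on port 3000 is actually bound to. The following is an added example, not part of the original article or of ntop's tooling; the function names and the sample ss lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify how a TCP port (ntopng's web UI, 3000) is bound,
# reading `ss -H -ltn` output on stdin. Function names are hypothetical.

# Print every local address:port pair listening on the given port.
ui_listeners() {
    awk -v port="${1:-3000}" '
        $1 == "LISTEN" {
            n = split($4, part, ":")        # port is the last ":" field
            if (part[n] == port) print $4
        }'
}

# Print one verdict: exposed | loopback-only | not-listening
ui_exposure() {
    ui_listeners "${1:-3000}" | awk '
        {
            addr = $1
            sub(/:[0-9]+$/, "", addr)       # strip ":port"
            sub(/%.*$/, "", addr)           # strip "%iface" scope suffix
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1
            else pub = 1                    # 0.0.0.0, [::], *, LAN addresses
        }
        END {
            if (pub) print "exposed"
            else if (lo) print "loopback-only"
            else print "not-listening"
        }'
}

# Constructed sample (not captured from a real host): UI bound to all
# IPv4 addresses, Valkey and the local DNS stub bound to loopback.
SAMPLE_SS='LISTEN 0 4096        0.0.0.0:3000 0.0.0.0:*
LISTEN 0 128       127.0.0.1:6379 0.0.0.0:*
LISTEN 0 4096  127.0.0.53%lo:53   0.0.0.0:*'

printf '%s\n' "$SAMPLE_SS" | ui_exposure 3000

# On a live system: ss -H -ltn | ui_exposure 3000
```

If the verdict is exposed, every device on the LAN can reach the login page, so limit port 3000 with the host firewall or bind the UI to loopback; ntopng's -w/--http-port option accepts an address in front of the port (for example -w 127.0.0.1:3000).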
💬 Did you identify suspicious activity on your home network using ntopng? Do you use other open source tools to monitor your network? Share your thoughts in the comments.
1. Passive monitoring is like watching traffic from the side of the road: you observe cars (network data) as they pass by without doing anything to affect their movement.
2. These ‘flows’ tell you which devices are communicating, how much data is being sent, and when, without capturing every single packet.
3. It means keeping an eye on your network devices (like routers, switches, and servers) using a standard tool called SNMP (Simple Network Management Protocol).
4. “Layer 7 is the top layer of the data processing that occurs just below the surface or behind the scenes of the software applications that users interact with. The HTTP requests and responses used to load webpages, for example, are layer 7 events,” explains Cloudflare.
5. An autonomous system (AS) is a collection of IP routing prefixes under the control of a single administrative entity that presents a common routing policy to the Internet.
6. ntopng can detect GTP and GRE tunnels (commonly used in mobile and VPN traffic) and break them down to analyze the actual data inside.
7. “nDPI is a ntop-maintained DPI toolkit. Released under the LGPL license, its goal is to extend the original library by adding new protocols that are otherwise available only on the paid version of OpenDPI,” explains ntop.


