In this article we install and configure ntopng on an Ubuntu or Debian Linux system. ntopng is a network traffic probe that provides 360° network visibility. It can ingest traffic information from various sources, such as firewall logs, network traffic monitors, NetFlow exporters, intrusion detection systems, and SNMP devices. It comes with an encrypted and intuitive web user interface for management and analytics.

ntopng can be installed on Linux, Windows, FreeBSD, and macOS. It captures traffic from SPAN/mirror ports or TAP devices using libpcap, or PF_RING (on Linux) for best performance. It can also be used in combination with nProbe to collect NetFlow/sFlow from routers and switches, or with nProbe Cento to analyze 100 Gbit links at full rate.

This article covers installing ntopng on an Ubuntu or Debian Linux machine. To get the latest package, the installation is done from the project’s official upstream repository.

Add ntopng APT repository

Update the APT package index and install the key prerequisites.

sudo apt update && sudo apt install software-properties-common wget

Next we add the repository to the system by executing the following commands.

Ubuntu Linux:

sudo add-apt-repository universe
source /etc/os-release
wget https://packages.ntop.org/apt/$VERSION_ID/all/apt-ntop.deb
sudo apt install ./apt-ntop.deb

Debian Linux:

source /etc/os-release
wget https://packages.ntop.org/apt/$VERSION_CODENAME/all/apt-ntop.deb
sudo apt install ./apt-ntop.deb

This adds the repository and imports the required GPG keys.

Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'apt-ntop' instead of './apt-ntop.deb'
The following NEW packages will be installed:
  apt-ntop
0 upgraded, 1 newly installed, 0 to remove and 45 not upgraded.
Need to get 0 B/3,370 B of archives.
After this operation, 8,192 B of additional disk space will be used.
Get:1 /root/apt-ntop.deb apt-ntop all 2.10-28 [3,370 B]
Selecting previously unselected package apt-ntop.
(Reading database ... 39498 files and directories currently installed.)
Preparing to unpack /root/apt-ntop.deb ...
Unpacking apt-ntop (2.10-28) ...
Setting up apt-ntop (2.10-28) ...
Installing ntop GPG key [no proxy]. Please wait...
gpg: keybox '/usr/share/keyrings/ntop-archive-keyring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3D84C955924F7599: public key "Luca Deri <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
Keys installed successfully
Scanning processes...
Scanning linux images...

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

Install ntopng on Ubuntu / Debian

With the repository added, let’s install the ntopng package.

sudo apt update && sudo apt install ntopng

Agree to the installation prompt.

...
1 upgraded, 126 newly installed, 0 to remove and 44 not upgraded.
Need to get 214 MB of archives.
After this operation, 771 MB of additional disk space will be used.
Do you want to continue? [Y/n] y

Check the service status to confirm it’s running.

$ systemctl status ntopng.service
ntopng.service - ntopng high-speed web-based traffic monitoring and analysis tool
     Loaded: loaded (/etc/systemd/system/ntopng.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2024-02-14 12:29:12 UTC; 2min 1s ago
    Process: 5036 ExecStartPre=/bin/sh -c /usr/bin/ntopng-utils-manage-config -a check-restore  && /usr/bin/ntopng-utils-manage-config -a restore || true (code=exited, status=0/SUCCESS)
    Process: 5051 ExecStartPre=/bin/sh -c /bin/cat /etc/ntopng/ntopng.conf > /run/ntopng.conf.raw (code=exited, status=0/SUCCESS)
    Process: 5053 ExecStartPre=/bin/sh -c /bin/cat /etc/ntopng/ntopng.conf.d/*.conf >> /run/ntopng.conf.raw 2>/dev/null || true (code=exited, status=0/SUCCESS)
    Process: 5056 ExecStartPre=/bin/sh -c /bin/sed "/^[ ]*-e.*$\|^[ ]*-G.*\|^[ ]*--daemon.*\|[ ]*--pid.*/s/^/#/" /run/ntopng.conf.raw > /run/ntopng.conf (code=exited, status=0/SUCCESS)
   Main PID: 5059 (ntopng-main)
      Tasks: 39 (limit: 2244)
     Memory: 221.2M
        CPU: 21.883s
     CGroup: /system.slice/ntopng.service
             └─5059 /usr/bin/ntopng /run/ntopng.conf

Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [PeriodicActivities.cpp:179] Found 10 activities
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NatsBroker.cpp:42] ERROR: NATS Connection to broker [0.0.0.0:4222] failed: (conn.c:1985): No server available for connection
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NatsBroker.cpp:42] ERROR: NATS Connection to broker [0.0.0.0:4222] failed: (conn.c:1985): No server available for connection
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:3776] Started packet polling on interface 'lo' [id: 1]...
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:3776] Started packet polling on interface 'eth0' [id: 2]...
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:2497] Packets exceeding the expected max size have been received [eth0][len: 2906][max len: 1518].
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:2503] WARNING: If TSO/GRO is enabled, please disable it for best accuracy
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:2503] WARNING: If TSO/GRO is enabled, please disable it for best accuracy
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:2507] WARNING: using: sudo ethtool -K eth0 gro off gso off tso off
Feb 14 12:29:22 jammy ntopng[5059]: 14/Feb/2024 12:29:22 [NetworkInterface.cpp:2507] WARNING: using: sudo ethtool -K eth0 gro off gso off tso off

Check the ports used by ntopng.

$ sudo ss -tunelp | grep ntop
udp   UNCONN 0      0                 0.0.0.0:33836      0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=24)) ino:36140 sk:1 cgroup:/system.slice/ntopng.service <->
udp   UNCONN 0      0           49.13.172.139:41405      0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=23)) ino:36138 sk:4 cgroup:/system.slice/ntopng.service <->
tcp   LISTEN 0      4096              0.0.0.0:3000       0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=28)) ino:36192 sk:8 cgroup:/system.slice/ntopng.service <->
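
In the output above the web interface listens on 0.0.0.0:3000, meaning every address on the host. The following is an added example, not part of the original article: a small bash/awk filter that classifies ntopng's TCP listeners by bind scope. The function names are illustrative, and the sample input is the three lines shown above.

```bash
#!/usr/bin/env bash
# Added example: classify ntopng TCP listeners from `ss -tunelp` output.

# Sample input: the three ss lines from the article, embedded for offline use.
sample_ss_output() {
  cat <<'EOF'
udp   UNCONN 0      0                 0.0.0.0:33836      0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=24)) ino:36140 sk:1 cgroup:/system.slice/ntopng.service <->
udp   UNCONN 0      0           49.13.172.139:41405      0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=23)) ino:36138 sk:4 cgroup:/system.slice/ntopng.service <->
tcp   LISTEN 0      4096              0.0.0.0:3000       0.0.0.0:*    users:(("ntopng-main",pid=5059,fd=28)) ino:36192 sk:8 cgroup:/system.slice/ntopng.service <->
EOF
}

# Reads ss output on stdin and prints "proto port scope" per ntopng TCP listener.
# scope: wildcard = all interfaces, loopback = local only, specific = one address.
classify_ntopng_listeners() {
  awk '
    $1 == "tcp" && $2 == "LISTEN" && /"ntopng/ {
      local_addr = $5                                  # Local Address:Port column
      port = local_addr; sub(/^.*:/, "", port)         # text after the last colon
      host = local_addr; sub(/:[^:]*$/, "", host)      # text before the last colon
      gsub(/[][]/, "", host)                           # strip IPv6 brackets
      sub(/%.*$/, "", host)                            # strip %iface suffix
      if (host == "0.0.0.0" || host == "*" || host == "::") scope = "wildcard"
      else if (host ~ /^127\./ || host == "::1") scope = "loopback"
      else scope = "specific"
      print $1, port, scope
    }'
}

# Exit status 0 (and the offending lines printed) if any listener is wildcard-bound.
has_exposed_listener() {
  classify_ntopng_listeners | grep ' wildcard$'
}
```

On a live host, run it as `sudo ss -tunelp | classify_ntopng_listeners`. If the UI should answer on a single address only, ntopng's `-w`/`--http-port` option accepts an `addr:port` value, and a host firewall rule for port 3000 covers the rest.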

Access ntopng web dashboard

Open your browser and enter http://ServerIP:3000/

Use the default login credentials:

  • Username: admin
  • Password: admin

You are prompted to change the admin password. Set a strong password for the user.

Finally, you land on the ntopng web dashboard.

ntopng CLI usage

When the ntopng systemd service is not active, you can run ntopng from the CLI.

List your network interfaces:

# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 96:00:03:04:9d:dc brd ff:ff:ff:ff:ff:ff
    altname enp0s3
    altname ens3

To monitor a physical NIC, specify its interface name when running ntopng.

sudo ntopng -i eth0

Flow Collection

For network flow collection, ntopng needs to be used in conjunction with nProbe, which can act as a probe/proxy. Data is exchanged between nProbe and ntopng through ZeroMQ, which is a publish-subscribe protocol.

nprobe -i eth1 --zmq tcp://192.168.1.1:5556 -T @NTOPNG@
ntopng -i tcp://192.168.1.1:5556
