ntopng: The Network Traffic Monitor That Refuses to Die (Now Faster Than Ever)
First released in 1998, ntop has been quietly watching network traffic for over two decades. Now it's been rewritten and reborn as ntopng — a modern, web-based network traffic monitor that feels like a time capsule of Unix wisdom wrapped in a clean JavaScript UI.
If you've ever needed to quickly understand "what the heck is using all my bandwidth" or "why is my server talking to that IP in Belarus," ntopng is the tool you probably didn't know you needed. It's like tcpdump went to finishing school and got a web server.
What It Does
ntopng is a network traffic probe that shows you your network usage in real time, right in your browser. It captures traffic from a network interface (or reads a pcap file) and presents it as interactive dashboards, sorted by host, protocol, application, or any dimension you care about.
Think of it as a friendly, web-based version of nload or iftop, but with a decade of feature accumulation. It shows you:
- Who is talking to whom (flows)
- What protocols are being used (HTTP, DNS, SSH, etc.)
- How much bandwidth each host is using
- Geolocation data for remote hosts
- Application-level visibility (like which websites are being visited)
It runs on Linux, macOS, and Windows, and can handle 10 Gbps+ traffic on commodity hardware. The rewrite (from C to C++ with a C core) made it significantly faster and more memory efficient.
Why It's Cool
The rewrite is the hidden gem here. The original ntop was written in C and had grown into a monolith. The ntopng rewrite moved to a modular architecture with a lightweight C core and the rest in C++, making it:
- Blazing fast: Handles millions of flows without breaking a sweat
- Memory efficient: Uses hash tables and bloom filters to keep RAM usage sane
- API-first: Every feature is accessible via REST API, so you can integrate it into monitoring stacks like Prometheus or build custom dashboards
- True real-time: Uses a publish/subscribe model over WebSockets, so your dashboard updates instantly without constant polling
But the killer feature is the historical reporting. ntopng doesn't just show you live traffic — it saves historical data in RRD (Round Robin Database) format, so you can answer questions like "what was our peak bandwidth usage last Tuesday at 3 PM?" It's like having a full traffic historian that doesn't eat your disk space.
Real use case: I once used ntopng to find a rogue DHCP server on a client's network. The traffic flow view showed a host responding to DHCP requests that wasn't the authorized server. Ntopng's DNS and DHCP analysis made it obvious within minutes.
How to Try It
The fastest way to see it in action is with Docker:
docker run -d --network="host" --privileged \
-v /etc/localtime:/etc/localtime:ro \
ntop/ntopng:latest
Then open http://localhost:3000 in your browser. Log in with admin/admin (change that immediately in production).
For a native install on Ubuntu/Debian:
# Add the repository
wget -O /tmp/apt-ntop.sh https://packages.ntop.org/apt-stable/buster/all/apt-ntop.sh
chmod +x /tmp/apt-ntop.sh
sudo /tmp/apt-ntop.sh
# Install
sudo apt-get update
sudo apt-get install ntopng
You'll need to edit /etc/ntopng/ntopng.conf to specify which interface to monitor (e.g., --interface=eth0), then restart the service.
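A way to check the edited ntopng.conf before restarting the service, as an added example that is not part of the original post or the ntopng project. It assumes one key=value option per line (the --interface=eth0 form above) and that an --http-port value given without an address is not restricted to loopback; the function name and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ntopng project code. Assumes one key=value option per
# line, as in --interface=eth0; the sample file at the bottom is constructed.

# audit_ntopng_conf FILE: print one finding per line (capture interface, web UI exposure).
audit_ntopng_conf() {
    iface="" http="" nologin=""
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d '[:space:]')   # drop whitespace
        [ -n "$line" ] || continue
        key=${line%%=*} val=${line#*=}
        [ "$key" = "$line" ] && val=""                    # option given without a value
        case $key in
            -i|--interface)     iface=$val ;;
            -w|--http-port)     http=$val ;;
            -l|--disable-login) nologin=${val:-unspecified} ;;
        esac
    done < "$1"
    if [ -n "$iface" ]; then echo "OK interface=$iface"
    else echo "WARN interface not set"
    fi
    case $http in
        "")                      echo "WARN http-port unset: default port 3000, not limited to loopback" ;;
        127.0.0.1:*|localhost:*) echo "OK web UI on loopback ($http)" ;;
        *:*)                     echo "INFO web UI bound to $http" ;;
        *)                       echo "WARN web UI port $http on all addresses" ;;  # assumption, see lead-in
    esac
    # With login disabled, changing the admin/admin password no longer protects the UI.
    [ -z "$nologin" ] || echo "WARN login disabled (mode $nologin)"
    return 0
}

# Constructed sample in the style of /etc/ntopng/ntopng.conf
sample=$(mktemp)
cat > "$sample" <<'EOF'
# capture interface
--interface=eth0
--http-port=3000
EOF
audit_ntopng_conf "$sample"
rm -f "$sample"
```

To audit the real file, call `audit_ntopng_conf /etc/ntopng/ntopng.conf`.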
Pro tip: Start by reading a pcap file to explore without affecting your network:
ntopng -i /path/to/capture.pcap
Final Thoughts
ntopng is one of those tools that has quietly been solving real problems for network engineers and developers for 25+ years. The fact that it exists, is free (open source GPLv3), and was recently rewritten to be faster and more modern is genuinely impressive.
For developers, it's especially handy when you're debugging network issues in microservices architectures. Spin it up on a node, watch the flow data, and you'll often see patterns that log aggregators miss — like a service calling an external API on every request when it should cache, or a DNS misconfiguration causing 3-second timeouts.
Is it as polished as commercial tools like SolarWinds? No. But it's free, it's fast, and it's been running since 1998 for a reason. Sometimes the boring tools that just work are the most exciting.
Repository: https://github.com/ntop/ntopng