ntopng Installation

Some time ago I published a post introducing ntopng as an out-of-the-box network monitoring tool. I am running it on a Knoppix live Linux notebook with two network cards. However, I have a few customers that wanted a persistent installation of ntopng in their  environment. So this is a step-by-step tutorial on how to install ntopng on a Ubuntu server with at least two NICs.

I already pointed to the many great features of ntopng in the previous post. If you are searching for an open source real-time network analyzer, ntopng is the choice.

Network Setup

This is a rough view of the network. On a switch in the network, a monitor port is configured to send all traffic from a certain port/vlan/routing-domain to the network analyzer. (There are different names for this scenario: mirror and monitor ports, SPAN ports, source and destination ports, etc.) The eth1 port on the Linux machine is used in promiscuous mode to process everything that comes in.

The other port, eth0, must be configured with a static IP address on the network. Through this port, the ntopng GUI (IP-address with default port 3000) appears.

ntopng Installation

Plan the place and bandwidth of the mirroring carefully! Before or after a firewall/router with NAT? Does the overall bandwidth exceed the physical link of the monitor port?

Installation of ntopng

I am using a fresh Ubuntu Server 14.04 LTS edition (64-bit <- which is required for ntopng). As always I am installing a few basic software packages before starting with the actual service. The packages for ntopng can be found here. Select either the “nightly” or “stable” builds. For more reliable versions, you should choose the stable one. Execute the following two commands on the server to add the repository of ntopng:

Have a look at “/etc/apt/sources.list.d/”. There is now a “ntop-stable.list” file which has two lines. Now you can install ntopng with:

This will install a bunch of packages, incuding ntopng, ntopng-data, pfring, redis-server, redis-tools.

Before you can start ntopng, you need to create a configuration file: sudo nano /etc/ntopng/ntopng.conf  . Read the documentation ( man ntopng ) for more details. The following template can be used as a starting point:

(There can be more than one “–interface=ethX” lines in this config file if several interfaces are used in parallel.)

Furthermore, you need a file called “ntopng.start”, which can be empty but must exist in the folder: sudo touch /etc/ntopng/ntopng.start

Now you can start ntopng with:

It will also be started automatically after a reboot.

Promiscuous Interfaces

What’s still missing is the configuration of the eth1 interface to be in promisc mode. Furthermore, it should not get an IPv4 or IPv6 via DHCPv4 or SLAAC. Therefore, the following configuration steps are required.

Disable IPv6 on the interface: Open the following file:

and add the following line:

Start the eth1 interface in promiscuous mode: Open the following file:

and add these lines:

Note: If there are already some lines that reference to eth1, delete them or comment them out. For example, there should be no “iface eth1 inet dhcp” line anymore!

Reboot the server: sudo reboot .

Now, after each reboot of the server, the eth1 interface card will be in promiscuous mode and ntopng will be started automatically.

To verify that ntopng is running, have a look at netstat, which should display the running process and the open TCP port 3000:


Fine-Tuning ntopng

For further options to fine-tune ntopng, refer to this best practices guide from ntopng itself.

Featured image: “escargot / snail” by Olivier Bacquet is licensed under CC BY 2.0.

31 thoughts on “ntopng Installation

  1. Dude…. I LOVE you. this walk through has been EXCELLENT. Thank you so much!


  2. Thanks for an awesome tutorial.
    Do I need nProbe, I have a mikrotik sending netflow data to my ntopng host, and I have data in ntopng?

  3. Thanks for the good tutorial. I have a question. When logged in to ntop interface i am not able to see my other subnet machines and IPs. Using ddwrt based router and 2 local networks. The second one created for guests and i want to be able to monitor internet activity on that particular network specifically. Can you help to figure out why Ntop doesn’t show local subnet and its hosts?
    Thank you!

    1. Hey Al,
      I am not quite sure what you’re meaning. Is your ntopng installation on the same machine as ddwrt? If so you can specify more than one interface in the ntopng config:

      Or is your ntopng instance running with monitoring ports? Then you need an own monitor port for each subnet/vlan.


  4. Hi thanks for your great post,I have a mikrotik router ,the scenario is to collect users connection and refer them as I need in future to track their connections. Is it possible with ntopng to do that? Do I need nprobe with license or not?

    1. Hey Sali,
      please have a look at the MySQL & ElasticSearch options for ntopng to export the data. (I have not yet worked with these features, sorry.)
      If you simply want to log everything, you can also use Syslog messages for that. However, it is difficult to parse them. (Have a look at my syslog-ng blogpost.) Or you can use Splunk. Google for it.

  5. Hi,
    Firstly i would like to extend my gratitude to you for giving a tutorial on ntopng.
    I have a few question,

    1) I have a router with an ip and port for netflow.
    2) can i use my router ip and port to monitor it with ntopng?
    3) if can how can i do it?

    thank you, and btw i’m new with networking

  6. Hi,
    I’m doing research that is monitoring dual stack network using ntopng.
    On my ntopng, only ipv4 is detect, ipv6 does not show up at all. but I also have added ipv6 network on the ntopng.conf file like the steps on your website above.

    Do you have a solution?

    1. Hey RR.
      The IPv6 networks in the ntopng.conf file are only for displaying them as “local networks”. This has nothing to do with the actual sniffing of traffic.

      If you don’t see any IPv6 traffic then you’re probably not monitoring correctly. ;) Can you verify with tcpdump that IPv6 traffic is coming into your monitoring port?

      1. Hi.
        Thanks for your response.
        When ntopng with mikrotik, ipv6 detected on ntopng web page.
        But when mikrotik is replaced with cisco router, ipv6 is not detected at all. Only ipv4 is detected. The configuration in ntopng remains the same, nothing has changed.
        How to handle it?

          1. Yes, I am sure. Because my client already can ipv6 from cisco router that I setting. But no one ipv6 is detected in my ntopng. So how?

  7. I Folllow up this process a couple times and I stuck aert tryint to start ntopng
    * Starting ntopng * Unable to start ntopng

    What is missing here. Thanks.

    I used th same ubuntu version as you recommend.

    1. More information:
      Installed: 3.2.180214-4091
      Candidate: 3.2.180214-4091
      Version table:
      *** 3.2.180214-4091 0
      500 http://packages.ntop.org/apt-stable/14.04/ x64/ Packages
      100 /var/lib/dpkg/status


      22/Feb/2018 10:14:19 [Ntop.cpp:1422] Parent process is exiting (this is normal)
      22/Feb/2018 10:14:53 [Ntop.cpp:1485] Setting local networks to,,2001:db8::/48
      22/Feb/2018 10:14:53 [Redis.cpp:111] Successfully connected to redis
      22/Feb/2018 10:14:53 [Redis.cpp:111] Successfully connected to redis
      22/Feb/2018 10:14:53 [Ntop.cpp:1422] Parent process is exiting (this is normal)

      1. I fixed the issues, For some reason ntong does not recognize values below and I jsut commented both.


          1. Johannes,

            How can I change the listening IP address from localhost to something else?

            tcp6 0 0 :::3000 :::* LISTEN 8543/ntopng

            The above netstat output shows ntopng will only accept access to the web interface locally (http://localhost:3000/). I want to be able to able access the web interface remotely (like

            Thank you in advance.

  8. When I tried to specified:
    1. -w OR
    2. -w:3000

    I got the following error message:

    ERROR: Unable to start HTTP server (IPv4) on ports;3000: No such file or directory

    1. Hey ed,

      by default the ntopng process IS listening on everything with this config line:
      My output shows:
      tcp6 0 0 :::3000 :::* LISTEN 8543/ntopng
      -> Note that it might be confusing since this statement shows the IPv6 address while it also listens on IPv4. Note the “::” which is the same as “” in IPv4 followed by another colon with the port, in our case 3000. However, for some processes this single IPv6-looking line also reveals that IPv4 is listening as well.

      If ntopng is ONLY listening on the localhost, the “Local Address” from netstat would show something like “”, which is not the case in my example.

      Following my guide here you should be able to access ntopng from every IP address. Of course you must type in something like for that. (However, I have no up-to-date ntopng installation at the moment so I can’t test something for you.)

      What is your “sudo netstat -tulpen | ntopng” listing?

  9. Here is my ntopng version:

    # ntopng –version
    v.2.3.160415 [Community Edition]
    GIT rev: :2.3.160415

Leave a Reply

Your email address will not be published. Required fields are marked *