Monitor Linux Networks with ntopng: No More ‘Looking for a Needle in a Haystack’ During Lag

Network tutorial - IT technology blog

Network Slowness and Sleepless Nights ‘Searching for a Needle in a Haystack’

Recently, my team encountered a pretty tough case. The dashboard showed latency spiking from 20ms to 500ms, and users began complaining about slow application responses. I jumped in to check the server—CPU and RAM were perfectly fine (‘green’), and Disk I/O showed nothing unusual. At this point, the prime suspect could only be the network.

The most helpless feeling for a DevOps engineer is seeing network congestion without being able to ‘point a finger’ at exactly what is consuming the bandwidth. You could use iftop or nload for a general overview. However, if you want to know exactly which IP is connecting where, what protocol they are using (Netflix, YouTube, or a DDoS attack), those simple command-line tools start to fall short.

Why Manual Network Debugging Often Hits a Dead End

We often have the habit of typing netstat or ss to view active connections during an incident. This approach has three fatal flaws:

  • Loss of historical traces: You only see what is happening the moment you run the command. If a traffic spike lasts only 10 seconds and then stops, you will definitely miss it.
  • Information overload: Looking at thousands of text lines jumping continuously on a terminal is dizzying. It is almost impossible to recognize patterns or spot suspicious IPs blending in.
  • Difficult application classification: tcpdump returns raw data. It takes significant effort to analyze whether it is normal web traffic or a background port-scanning script.

The problem is that we lack a visual, real-time statistical perspective.

Which Tool Should You Choose for Effective Traffic Inspection?

Before finding the ‘key’ with ntopng, I went through various tools. The Prometheus + Grafana combo is extremely powerful but time-consuming to set up—not ideal for quick ‘firefighting.’ Configuring SNMP on Linux can be cumbersome, and the returned data is often just raw bytes in/out, failing to reach Layer 7 depth.

After several ‘stumbles,’ I realized ntopng is the most balanced choice. It is easy to install, has an intuitive Web UI, and analyzes user behavior rather than just displaying raw bandwidth.

Installing ntopng on Ubuntu/Debian

I usually install it from the official ntop repository to get the latest version. Run these commands:

# Update system
sudo apt update && sudo apt upgrade -y

# Install supporting packages
sudo apt install wget gnupg software-properties-common -y

# Add ntop repo (Example for Ubuntu 22.04 - Jammy)
wget https://packages.ntop.org/apt/22.04/all/apt-ntop.deb
sudo dpkg -i apt-ntop.deb

# Update and install
sudo apt update
sudo apt install ntopng nprobe n2disk -y

Configure to Run in 1 Minute

After installation, you need to tell ntopng which network interface to ‘listen’ to. Open the configuration file with:

sudo nano /etc/ntopng/ntopng.conf

Add or edit these lines:

-i=eth0
-w=3000
--community

Note: -i=eth0 is the network interface name (use ip addr to check). -w=3000 is the port for the web interface. --community starts ntopng in the free Community edition. Then restart the service:

sudo systemctl restart ntopng
sudo systemctl enable ntopng

Real-world Experience: Inspecting Network Traffic to the Core

Now, open your browser and type http://Server-IP:3000. The default User/Pass is admin/admin. The system will force you to change the password on your first login—set a strong one for security.

A little tip for you: When monitoring large IP ranges, quickly identifying the subnet of each department is crucial. To calculate subnets quickly for ntopng filtering, I often use toolcraft.app/en/tools/developer/ip-subnet-calculator. Entering the CIDR gives you the network range and host count immediately, helping map ntopng data to your infrastructure very fast.
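As an added example (not from the post, and not the toolcraft site's code), here is the same subnet calculation in Python using only the standard ipaddress module, extended to do the next step the tip is about: mapping host IPs from an ntopng Hosts view onto department subnets by longest-prefix match and summing bytes per department. The department names, CIDRs and host rows are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed department subnet table (example values, not from the post).
# DBA is a smaller block inside Servers, so longest-prefix matching matters.
DEPARTMENTS = {
    "Engineering": "10.10.0.0/22",
    "Finance": "10.10.4.0/24",
    "Servers": "10.20.0.0/24",
    "DBA": "10.20.0.0/28",
}

# Constructed rows in the shape of an ntopng Hosts export: (ip, total bytes).
HOST_ROWS = [
    ("10.10.1.25", 850_000_000),
    ("10.10.4.7", 120_000_000),
    ("10.20.0.5", 2_400_000_000),
    ("10.20.0.200", 400_000_000),
    ("10.10.2.9", 300_000_000),
    ("192.168.99.1", 50_000_000),
]


def subnet_summary(cidr):
    """Network range and usable host count for a CIDR (IPv4 semantics)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version == 4 and net.prefixlen <= 30:
        # Exclude the network and broadcast addresses.
        first, last = net.network_address + 1, net.broadcast_address - 1
        usable = net.num_addresses - 2
    else:
        # /31 and /32 (and IPv6) have no reserved broadcast address.
        first, last = net.network_address, net.broadcast_address
        usable = net.num_addresses
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "usable_hosts": usable,
    }


def department_of(ip, departments=DEPARTMENTS):
    """Longest-prefix match of an address against the department table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, cidr in departments.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (name, net)
    return best[0] if best else "unknown"


def bytes_per_department(rows, departments=DEPARTMENTS):
    """Aggregate per-host byte counts into per-department totals, largest first."""
    totals = defaultdict(int)
    for ip, nbytes in rows:
        totals[department_of(ip, departments)] += nbytes
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for key, value in subnet_summary("10.10.0.0/22").items():
        print(f"{key:12} {value}")
    for dept, nbytes in bytes_per_department(HOST_ROWS).items():
        print(f"{dept:12} {nbytes / 1e6:10.1f} MB")
```

Hosts that match no department land in "unknown", which is itself a useful list: anything talking on your LAN that is not in your address plan deserves a look.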

Features I’m Most ‘Addicted’ to When Troubleshooting:

  1. Flows: Where every connection is ‘exposed.’ You will see source IPs, destination IPs, and the “Application” column showing SSL/TLS, HTTP, or BitTorrent. If a database server starts showing Netflix traffic, you know exactly who to deal with.
  2. Hosts: This tab ranks the top bandwidth consumers (Top Talkers). Extremely useful for finding machines infected with malware and sending spam continuously.
  3. Alerts: ntopng will show bright red alerts on the homepage if it detects unknown IPs scanning your system ports.
  4. GeoIP Map: If your system only serves users in Vietnam but you see a flood of international traffic, you are definitely being ‘visited.’
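The Flows, Hosts and Alerts tabs above are different views of the same flow table. As an added example (not code from the post or from ntopng), the following Python script runs three of those checks over constructed flow records laid out like the Flows tab columns: a Top Talkers ranking, a database server initiating a streaming application it has no business using, and a single outside client touching many ports on one server. The IPs, application labels and the per-server allow-list are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed flow records modelled on the columns of the ntopng Flows tab:
# (client, server, server port, application label, bytes). All values are
# made up for this example.
FLOWS = [
    ("10.10.1.25", "142.250.74.68", 443, "TLS", 12_000_000),
    ("10.20.0.5", "10.10.1.25", 5432, "PostgreSQL", 80_000_000),
    ("10.20.0.5", "52.94.12.1", 443, "Netflix", 950_000_000),
    ("10.10.2.9", "10.10.1.25", 6881, "BitTorrent", 300_000_000),
] + [
    # One tiny flow per port from a single outside client: a scan-like pattern.
    ("198.51.100.17", "10.20.0.5", port, "Unknown", 60)
    for port in (21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 3389, 8080)
]

# Hypothetical role policy: the applications a given server is expected to
# initiate. Anything else is the "database server showing Netflix" case.
SERVER_ALLOWED = {
    "10.20.0.5": {"PostgreSQL", "SSH"},
}


def top_talkers(flows, n=3):
    """Rank hosts by total bytes on every flow they take part in (sent + received)."""
    totals = Counter()
    for client, server, _port, _app, nbytes in flows:
        totals[client] += nbytes
        totals[server] += nbytes
    return totals.most_common(n)


def policy_violations(flows, allowed=SERVER_ALLOWED):
    """Flows initiated by a policed server whose application is outside its allow-list."""
    hits = []
    for client, server, _port, app, _nbytes in flows:
        if client in allowed and app not in allowed[client]:
            hits.append((client, app, server))
    return hits


def port_scan_suspects(flows, min_ports=10):
    """Client/server pairs where one client touched at least min_ports distinct ports."""
    ports = defaultdict(set)
    for client, server, port, _app, _nbytes in flows:
        ports[(client, server)].add(port)
    return {pair: len(seen) for pair, seen in ports.items() if len(seen) >= min_ports}


if __name__ == "__main__":
    for host, nbytes in top_talkers(FLOWS):
        print(f"top talker  {host:16} {nbytes / 1e6:10.1f} MB")
    for client, app, server in policy_violations(FLOWS):
        print(f"policy      {client} initiated {app} traffic to {server}")
    for (client, server), count in port_scan_suspects(FLOWS).items():
        print(f"scan-like   {client} touched {count} ports on {server}")
```

The scan heuristic only counts distinct server ports per client/server pair, so a busy legitimate client with many flows to one port is not flagged; tune min_ports to your environment, since a monitoring host that probes many services on purpose will otherwise show up every time.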

Notes on Performance and Security

ntopng captures packets in promiscuous mode, which consumes CPU if traffic reaches several Gbps. For low-spec servers, you should limit historical storage time to avoid running out of RAM or disk space.

Regarding security, if running behind a Firewall, remember to only open port 3000 for your specific IP. Absolutely do not open this port to the entire internet (0.0.0.0/0), as it exposes sensitive internal network topology information.

Hopefully, this tool will help you avoid those sleepless nights investigating network lag. With ntopng, you will have solid evidence to deal with your ISP or ‘remind’ those colleagues downloading torrents during work hours.
