ntopng

ntopng is computer software for monitoring network traffic. It is designed to be the successor to ntop (ntopng = ntop Next Generation). There are versions of ntop for virtually every Unix platform, Windows and Mac OS X. It can monitor network traffic and does the following:

  • It allows you to sort traffic by many criteria (for example, IP address, port, and protocol)
  • It allows you to identify top talkers and listeners
  • It provides flow reports
  • It stores persistent traffic statistics
  • It allows you to geolocate hosts and display reports based on host location

It can do all this and more with a simple web frontend, and it is not very resource intensive; its CPU/memory footprint is small. The ntopng package has recently been removed from the pfSense package list because it will not compile. According to the documentation for pfSense 2.3, however, ntopng will soon return to the package list.

To configure ntopng, navigate to Diagnostics | ntopng Settings. The Enable ntopng checkbox must be checked in order for ntopng to work. The Keep Data/Settings checkbox, if checked, will result in settings, graphs and traffic data being retained across package reinstalls and upgrades (if not checked, the settings will be wiped under these circumstances). You can enter an admin password on this page as well.

The Interface list box allows you to select the interfaces on which ntopng will collect information. The DNS Mode drop-down box allows you to select how name resolution is handled. The default is Decode DNS responses and resolve local numeric IPs only, but you can choose to resolve all IPs or no IPs, and you can also choose not to decode DNS responses. You can also get data from GeoIP for location information about IP addresses; to update this data, click on the Update GeoIP Data button.

The Local Networks drop-down box determines how local networks are defined by ntopng. You can select Consider all RFC1918 networks local, so that all IPs within the private address spaces are considered local, Consider selected interface networks local, or Consider only LAN interface local. The Historical Data Storage checkbox, if checked, enables historical data storage, but this consumes a great deal of disk space. The Delete (Historical) Data button allows you to delete this data. Finally, checking the Disable Alerts checkbox disables all alerts generated by ntopng.

Once you have enabled and configured ntopng, you can click on the Access ntopng tab. Clicking on this tab simply redirects you to port 3000 of your pfSense firewall, which allows you to access the ntopng web GUI.

The Active Flows page displays information about current sessions. The information presented includes the application (if known), the layer four protocol (TCP or UDP), the client IP address, the server IP address, and the duration of the connection. The Breakdown column graphically shows how much of the traffic for the session is on the client side and how much is on the server side. Finally, the Bytes column informs you how much data has been transferred during the session.

The Top Flow Talkers page displays both the local and remote IP addresses that generate the most traffic on your network. There is also a graph that displays which application layer protocols are used the most.
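To make the Local Networks setting and the Top Flow Talkers view concrete, here is an added Python example (not ntopng's or pfSense's own code) that classifies hosts as local either by the RFC 1918 ranges or by a supplied list of interface networks, ranks talkers by bytes, and computes the client/server split shown in the Breakdown column. The flow records and IP addresses are constructed sample data, and the mode names are this example's own.

```python
"""Added example: local-host classification, top talkers and session breakdown
over a constructed set of flow records (not code from ntopng or pfSense)."""
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges: the basis of "Consider all RFC1918 networks local".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: (client, server, client_bytes, server_bytes)
FLOWS = [
    ("192.168.1.10", "93.184.216.34", 1_200, 48_000),  # LAN host pulling from a web server
    ("192.168.1.10", "10.0.5.7", 5_000, 5_000),        # LAN host to another private subnet
    ("192.168.1.25", "93.184.216.34", 300, 9_000),
    ("10.0.5.7", "192.168.1.25", 20_000, 800),
]

def is_local(ip, mode="rfc1918", interface_nets=()):
    """mode "rfc1918": any private address is local (first menu choice).
    mode "networks": only addresses inside interface_nets are local, which
    models the "selected interface" and "LAN only" choices (constructed names)."""
    addr = ipaddress.ip_address(ip)
    if mode == "rfc1918":
        return any(addr in net for net in RFC1918)
    return any(addr in ipaddress.ip_network(n) for n in interface_nets)

def top_talkers(flows, mode="rfc1918", interface_nets=(), n=3):
    """Sum bytes per host (both directions) and return the top n local and
    remote talkers as (host, bytes) lists, like the Top Flow Talkers page."""
    totals = defaultdict(int)
    for client, server, cbytes, sbytes in flows:
        totals[client] += cbytes + sbytes
        totals[server] += cbytes + sbytes
    local = {h: b for h, b in totals.items() if is_local(h, mode, interface_nets)}
    remote = {h: b for h, b in totals.items() if h not in local}
    rank = lambda d: sorted(d.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return rank(local), rank(remote)

def breakdown(client_bytes, server_bytes):
    """Percentage of a session's bytes on the client vs server side (Breakdown column)."""
    total = client_bytes + server_bytes
    if total == 0:
        return (0.0, 0.0)
    return (round(100 * client_bytes / total, 1), round(100 * server_bytes / total, 1))

if __name__ == "__main__":
    print(top_talkers(FLOWS))                                   # RFC 1918 mode
    print(top_talkers(FLOWS, "networks", ("192.168.1.0/24",)))  # LAN-only mode
```

Note how 10.0.5.7 is counted as a local talker under the RFC 1918 rule but as a remote one when only the LAN subnet is considered local; that is the practical difference between the menu choices.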

The Local Hosts Matrix field displays which local hosts connect to each other, and how much traffic is generated. Finally, the Hosts page provides a breakdown of each local interface: its IP address, MAC address, and the total traffic sent and received by the interface.
