How To Install Ntopng on CentOS Stream 10
Network traffic monitoring has become essential for maintaining secure and efficient IT infrastructure. Ntopng stands out as one of the most powerful open-source network monitoring tools available today, offering real-time visibility into bandwidth usage, protocol distribution, and potential security threats. This comprehensive guide walks you through installing Ntopng on CentOS Stream 10, enabling you to monitor your network traffic with precision and efficiency.
CentOS Stream 10 represents the cutting edge of RHEL-based distributions, offering a rolling-release model that keeps your system current with the latest features and security patches. Installing Ntopng on this platform provides network administrators with a robust solution for traffic analysis, anomaly detection, and performance optimization. Whether managing a small office network or an enterprise infrastructure, this tutorial delivers the knowledge needed to deploy Ntopng successfully.
By the end of this guide, you’ll have a fully functional Ntopng installation monitoring your network interfaces, displaying real-time statistics through an intuitive web interface, and providing actionable insights into network behavior. The installation process requires approximately 30 minutes and basic Linux command-line knowledge.
What is Ntopng?
Ntopng represents the next generation of the original ntop network traffic probe, rebuilt from the ground up to deliver superior performance and modern web-based functionality. This open-source network monitoring solution captures and analyzes network packets in real-time, providing administrators with comprehensive visibility into network usage patterns, bandwidth consumption, and security threats.
The application leverages nDPI (Deep Packet Inspection) technology to identify over 200 application protocols automatically, including encrypted traffic patterns. This capability allows administrators to see exactly which applications consume bandwidth, from streaming services to business-critical applications. Ntopng supports both IPv4 and IPv6 networks, making it future-proof for modern network environments.
Key features include flow-based traffic analysis, which tracks individual network sessions from initiation to termination. The geolocation functionality maps IP addresses to physical locations worldwide, helping identify the geographical origin of network traffic. Historical data retention enables trend analysis over days, weeks, or months, revealing usage patterns that inform capacity planning decisions.
Unlike its predecessor, Ntopng utilizes Redis as an in-memory data structure store, significantly improving data retrieval performance and enabling more complex queries. The web-based dashboard provides intuitive navigation through hosts, flows, interfaces, and protocols. Real-time graphs update continuously, displaying current network conditions at a glance.
Released under the GPLv3 license, Ntopng remains free for community use, with professional and enterprise editions available for organizations requiring advanced features like NetFlow collection, SNMP monitoring, and extended historical data storage. The active development community ensures regular updates and security patches.
Prerequisites and System Requirements
Before beginning the installation process, ensure your system meets the necessary requirements. CentOS Stream 10 must be installed and fully functional on your server or virtual machine. Root privileges or sudo access is mandatory for installing packages and configuring system services.
A stable internet connection is required to download packages from official repositories. The system should have at least 2GB of RAM, though 4GB or more is recommended for monitoring busy networks. Disk space requirements vary based on historical data retention settings, but allocate at least 10GB for the application and its data storage.
Your server needs at least one network interface card (NIC) to monitor traffic. For comprehensive monitoring, identify all interfaces that require monitoring beforehand. Port 3000 must be available for the web interface, though this can be customized in the configuration. Basic familiarity with Linux command-line operations, including text editing and service management, will facilitate a smoother installation experience.
Understanding CentOS Stream 10 Compatibility
CentOS Stream 10 functions as a continuously delivered distribution that tracks just ahead of Red Hat Enterprise Linux 10. This rolling-release model means the system receives updates regularly, maintaining current software versions and security patches. Understanding this architecture helps explain why package management differs slightly from traditional point-release distributions.
The DNF package manager serves as the primary tool for software installation and updates on CentOS Stream 10. DNF offers improved dependency resolution and performance compared to older YUM implementations, though the commands remain largely compatible. This modern package management system ensures smooth installation of Ntopng and its dependencies.
CentOS Stream 10 maintains excellent compatibility with RHEL-based software repositories, including the official Ntop repository. The platform supports both the stable and development Ntop package streams. Kernel versions in CentOS Stream receive regular updates, which benefits PF_RING module functionality by incorporating the latest networking enhancements and performance optimizations.
Step 1: Update Your System
Begin by updating all system packages to their latest versions. This critical first step ensures compatibility with new software and patches known security vulnerabilities. Open your terminal and execute the following command:
sudo dnf update -y
The DNF package manager will check all configured repositories for updated packages, download them, and install the updates automatically. The -y flag automatically confirms installation prompts, streamlining the process. This operation may take several minutes depending on the number of available updates and your internet connection speed.
After the update completes, review the output for any errors or warnings. Pay particular attention to kernel updates, as these require a system reboot to take effect. If a new kernel was installed, reboot your system:
sudo reboot
Once the system restarts, verify the current kernel version to confirm the update succeeded:
uname -r
System updates provide a stable foundation for installing Ntopng and reduce potential conflicts between outdated system libraries and new software requirements.
Step 2: Install Required Dependencies
Ntopng requires several dependency packages to function correctly. The EPEL (Extra Packages for Enterprise Linux) repository provides many essential packages not included in the default CentOS repositories. Install EPEL first:
sudo dnf install epel-release -y
Next, enable the CodeReady Builder (CRB) repository, which contains additional development packages and libraries required by Ntopng:
sudo dnf config-manager --set-enabled crb
Redis serves as the data storage backend for Ntopng, storing flow data and statistics in memory for rapid retrieval. Install Redis and its development libraries:
sudo dnf install redis hiredis -y
These commands install the Redis server along with the Hiredis C client library, which Ntopng uses to communicate with Redis. The installation process automatically resolves and installs any additional dependencies these packages require.
Verify the installation completed successfully by checking the installed package versions:
rpm -qa | grep redis
This command lists all installed packages containing “redis” in their name, confirming successful installation.
Step 3: Add the Official Ntop Repository
The official Ntop repository provides the latest stable builds of Ntopng optimized for RHEL-based distributions. Adding this repository enables access to all Ntop packages through the standard package manager. Execute the following command to download and install the repository configuration:
sudo curl -fsSL -o /etc/yum.repos.d/ntop.repo https://packages.ntop.org/centos-stable/ntop.repo
This command uses curl to download the repository configuration file and places it in the system’s repository directory. The centos-stable path ensures you receive stable, production-ready builds rather than experimental development versions.
Verify the repository file was created correctly by displaying its contents:
cat /etc/yum.repos.d/ntop.repo
The output should show repository configuration details including the base URL, GPG key location, and enabled status. The repository file tells DNF where to find Ntop packages and how to verify their authenticity using GPG signatures.
Repository configurations include both stable and development channels. The stable repository provides tested releases suitable for production environments, while development repositories offer cutting-edge features with potential stability trade-offs.
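An added example (not part of the original guide or the Ntop project): a shell function that audits a .repo file for the settings Step 3 relies on, flagging enabled sections where GPG checking is switched off or a URL uses plain HTTP. The sample repository content, the repo.example.invalid host and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a DNF .repo file for weak package-verification settings.
# Reads the file named as the first argument, or stdin when no argument is given.
# Prints one finding per line and nothing when every enabled section is clean.
audit_repo() {
    awk '
    function report() {
        # Disabled sections are never used by DNF, so they are skipped.
        if (section == "" || enabled ~ /^(0|no|false)$/) return
        if (gpgcheck ~ /^(0|no|false)$/) print section ": gpgcheck is disabled"
        else if (gpgcheck == "")         print section ": gpgcheck not set, inherits [main] from dnf.conf"
        if (gpgkey == "")                print section ": no gpgkey configured"
        if (baseurl ~ /^http:/)          print section ": baseurl uses plain http"
        if (gpgkey ~ /^http:/)           print section ": gpgkey is fetched over plain http"
    }
    /^[ \t]*[#;]/ { next }                      # comment lines
    /^[ \t]*\[/ {                               # start of a new [section]
        report()
        section = $0
        sub(/^[ \t]*\[/, "", section)
        sub(/\].*$/, "", section)
        enabled = "1"; gpgcheck = ""; gpgkey = ""; baseurl = ""
        next
    }
    /=/ {                                       # key=value line
        key = $0; sub(/=.*$/, "", key); gsub(/[ \t]/, "", key)
        val = $0; sub(/^[^=]*=/, "", val); gsub(/^[ \t]+|[ \t]+$/, "", val)
        val = tolower(val)
        if (key == "enabled")  enabled  = val
        if (key == "gpgcheck") gpgcheck = val
        if (key == "gpgkey")   gpgkey   = val
        if (key == "baseurl")  baseurl  = val
    }
    END { report() }
    ' "$@"
}

# Constructed sample input, not the contents of the real ntop.repo file.
sample_repo() {
    cat <<'EOF'
[example-stable]
name=Example stable packages
baseurl=https://repo.example.invalid/stable/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example

[example-devel]
name=Example development packages
baseurl=http://repo.example.invalid/devel/$releasever/$basearch/
enabled=1
gpgcheck=0
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example

[example-old]
name=Disabled section, ignored by the audit
baseurl=http://repo.example.invalid/old/
enabled=0
gpgcheck=0
EOF
}

# Demonstration on the constructed sample.
sample_repo | audit_repo

# On the server: audit_repo /etc/yum.repos.d/ntop.repo
```

No output for the real file means every enabled section keeps signature checking on and uses HTTPS URLs.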
Step 4: Clean Package Cache and Update Repository Metadata
Before installing Ntopng, clean the DNF package cache to ensure fresh metadata downloads. This step prevents potential issues caused by stale repository information:
sudo dnf clean all
This command removes all cached package files, metadata, and temporary data from the DNF cache directory. Following the cache cleanup, update the repository metadata to include the newly added Ntop repository:
sudo dnf update -y
The update command refreshes package lists from all configured repositories, including the Ntop repository just added. This process downloads current package information, enabling DNF to locate and install Ntopng and its associated packages.
If you encounter errors during the metadata update, verify your internet connection and confirm the repository URL remains accessible. Repository mirrors occasionally experience temporary outages, so retrying after a few minutes often resolves such issues.
Step 5: Install Ntopng and Related Packages
With repositories configured and updated, install Ntopng along with its companion packages. The complete installation includes several components that work together to provide comprehensive network monitoring:
sudo dnf install pfring-dkms n2disk nprobe ntopng cento ntap -y
This command installs multiple packages simultaneously. The pfring-dkms package provides the PF_RING kernel module, which enables high-speed packet capture with minimal CPU overhead. The n2disk application records packets to disk for forensic analysis and compliance requirements.
Nprobe functions as a NetFlow and IPFIX probe, collecting flow data from network devices and forwarding it to Ntopng for analysis. The cento and ntap packages provide additional utilities for network monitoring and tap functionality. The installation automatically resolves dependencies and downloads all required files.
For enhanced performance in high-throughput environments, optionally install the PF_RING ZC (Zero Copy) drivers:
sudo dnf install pfring-drivers-zc-dkms -y
Zero Copy drivers eliminate memory copy operations during packet capture, significantly reducing CPU utilization in networks exceeding 1 Gbps throughput. These drivers require compatible network interface cards and specific licensing for production use.
Monitor the installation output for any errors or warnings. Successful installation concludes with a completion message and returns you to the command prompt. Verify the installation by checking the ntopng version:
ntopng --version
Step 6: Configure Redis Service
Redis must be running before starting Ntopng, as the application relies on Redis for data storage. Start the Redis service with the following command:
sudo systemctl start redis
Enable Redis to start automatically when the system boots:
sudo systemctl enable redis
Verify Redis is running correctly and listening for connections:
sudo systemctl status redis
The status output should display “active (running)” in green text, indicating Redis started successfully. The service listens on port 6379 by default, which Ntopng uses for communication.
Redis configuration resides in /etc/redis.conf or /etc/redis/redis.conf depending on the installation. The default configuration works well for most Ntopng deployments, but large networks may require memory allocation adjustments. Edit the configuration file to modify the maximum memory limit:
sudo nano /etc/redis/redis.conf
Locate the maxmemory directive and set an appropriate value based on available system memory. For systems with 8GB RAM, allocating 2-4GB to Redis provides good performance without impacting other services. After configuration changes, restart Redis:
sudo systemctl restart redis
Step 7: Configure Ntopng
Ntopng configuration determines which network interfaces to monitor, where to store data, and how to present information through the web interface. Create the configuration directory if it doesn’t exist:
sudo mkdir -p /etc/ntopng
Create the main configuration file:
sudo nano /etc/ntopng/ntopng.conf
Add the following configuration parameters, adjusting for your specific environment:
--interface=eth0
--local-networks="192.168.1.0/24"
--data-dir=/var/lib/ntopng
--pid-file=/var/run/ntopng.pid
--http-port=3000
--user=ntopng
--daemon
The --interface parameter specifies which network interface to monitor. Replace eth0 with your actual interface name. List all available interfaces with:
ip addr show
The --local-networks parameter defines your internal network ranges. Ntopng uses this information to distinguish local traffic from external traffic, improving accuracy of traffic analysis. Multiple networks can be specified separated by commas.
The --data-dir parameter sets where Ntopng stores historical data and statistics. Ensure this directory has sufficient space for your data retention requirements. The --http-port parameter defines the web interface port, defaulting to 3000 but customizable to avoid conflicts.
Save the configuration file and create the data directory with appropriate permissions:
sudo mkdir -p /var/lib/ntopng
sudo chown ntopng:ntopng /var/lib/ntopng
For monitoring multiple interfaces, separate them with commas in the interface parameter or use multiple --interface directives.
Step 8: Configure Firewall Rules
CentOS Stream 10 uses firewalld for firewall management. The firewall must allow incoming connections on port 3000 to access the Ntopng web interface. First, verify firewalld is running:
sudo systemctl status firewalld
If firewalld isn’t running, start and enable it:
sudo systemctl start firewalld
sudo systemctl enable firewalld
Open port 3000 for TCP traffic permanently:
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
The --permanent flag ensures the rule persists across reboots. Reload the firewall to apply the changes immediately:
sudo firewall-cmd --reload
Verify the rule was added successfully:
sudo firewall-cmd --list-all
The output displays all active firewall rules, including the newly added port 3000. If Redis requires remote access from other systems, also open port 6379, though this is typically unnecessary for local Ntopng installations.
For enhanced security in production environments, restrict access to specific IP addresses or subnets:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="3000" accept' --permanent
sudo firewall-cmd --reload
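This rule allows access only from the 192.168.1.0/24 subnet. It blocks other sources only when the zone-wide port 3000 opening added earlier in this step is no longer present, because firewalld admits a connection that matches either rule.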
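An added example, not from the original guide: a shell function that reads the output of firewall-cmd --list-all and reports, for each port of interest (here the web interface and the Redis port mentioned above), whether it is open to every source, limited by a rich rule, or not opened. The sample listings and the function names are constructed for illustration, and services listed in the zone are not expanded into ports.

```shell
#!/bin/sh
# Added example: classify port exposure from `firewall-cmd --list-all` output.

# Constructed listing: both the --add-port command and the rich rule were applied.
sample_both_rules() {
    cat <<'EOF'
public (active)
  target: default
  interfaces: eth0
  services: cockpit dhcpv6-client ssh
  ports: 3000/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.0/24" port port="3000" protocol="tcp" accept
EOF
}

# Constructed listing: the zone-wide port opening has been removed again.
sample_rich_only() {
    sample_both_rules | sed 's|^  ports: 3000/tcp$|  ports: |'
}

# stdin: listing text; arguments: port/protocol pairs such as 3000/tcp
check_exposure() {
    listing=$(cat)
    zone_ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
    for want in "$@"; do
        port=${want%/*}
        proto=${want#*/}

        # Source addresses of accept rich rules naming this port and protocol.
        # A matching rule without a source address is reported as ANY.
        rich=$(printf '%s\n' "$listing" | awk -v port="$port" -v proto="$proto" '
            /rule / && / accept/ && index($0, "port=\"" port "\"") && index($0, "protocol=\"" proto "\"") {
                if (match($0, /source address="[^"]*"/))
                    printf "%s ", substr($0, RSTART + 16, RLENGTH - 17)
                else
                    printf "ANY "
            }')

        # Zone-wide entries may be single ports or ranges such as 2990-3010/tcp.
        wide=no
        for entry in $zone_ports; do
            range=${entry%/*}
            lo=${range%-*}
            hi=${range#*-}
            if [ "${entry#*/}" = "$proto" ] && [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
                wide=yes
            fi
        done
        case "$rich" in *ANY*) wide=yes ;; esac

        if [ "$wide" = yes ]; then
            verdict="open to every source in the zone"
        elif [ -n "$rich" ]; then
            verdict="limited to ${rich% }"
        else
            verdict="not opened by ports or rich rules"
        fi
        printf '%s: %s\n' "$want" "$verdict"
    done
}

# Demonstration on the constructed listings.
sample_both_rules | check_exposure 3000/tcp 6379/tcp
sample_rich_only  | check_exposure 3000/tcp

# On the server:
#   sudo firewall-cmd --zone=public --list-all | check_exposure 3000/tcp 6379/tcp
# To drop a zone-wide opening so only the rich rule applies:
#   sudo firewall-cmd --zone=public --remove-port=3000/tcp --permanent
#   sudo firewall-cmd --reload
```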
Step 9: Start and Enable Ntopng Service
With configuration complete and firewall rules in place, start the Ntopng service:
sudo systemctl start ntopng
Enable Ntopng to start automatically on system boot:
sudo systemctl enable ntopng
Check the service status to confirm it started successfully:
sudo systemctl status ntopng
A successful start displays “active (running)” status. The output also shows the process ID and recent log entries. If the service fails to start, examine the log file for error messages:
sudo journalctl -u ntopng -n 50
This command displays the last 50 log entries for the ntopng service, helping identify configuration errors or missing dependencies. Common startup issues include incorrect interface names, permission problems on data directories, or Redis connection failures.
After resolving any issues, restart the service:
sudo systemctl restart ntopng
Ntopng typically takes 10-30 seconds to fully initialize, load network interfaces, and begin capturing traffic.
Step 10: Access Ntopng Web Interface
Open a web browser and navigate to your server’s IP address on port 3000. The URL format is:
http://your-server-ip:3000
To find your server’s IP address, execute:
hostname -I
The first IP address displayed is typically the primary network interface. The Ntopng login page appears, requesting credentials. Default login credentials are:
- Username: admin
- Password: admin
Upon first login, Ntopng immediately prompts you to change the default password. Choose a strong password containing uppercase and lowercase letters, numbers, and special characters. This security measure protects your network monitoring data from unauthorized access.
After setting a new password, the main dashboard loads, displaying real-time network statistics. The dashboard shows current bandwidth utilization, active hosts, top talkers, and protocol distribution in colorful, interactive graphs. Navigation menus provide access to hosts, flows, interfaces, settings, and advanced features.
The interface updates continuously as new traffic flows through monitored interfaces. Click on individual hosts to view detailed statistics including historical bandwidth usage, protocol breakdown, and active connections. Flows show individual network sessions with source, destination, protocol, and data transfer amounts.
Understanding Ntopng Dashboard and Features
The Ntopng dashboard provides comprehensive network visibility through multiple views and analysis tools. The Hosts section lists all devices detected on your network, showing IP addresses, MAC addresses, manufacturers, and current traffic volumes. Click any host to drill down into detailed statistics including application usage, contacted servers, and traffic timelines.
Flow analysis tracks individual network connections from establishment to termination. This granular view reveals which applications and services communicate across your network, helping identify unauthorized activity or bandwidth-intensive applications. Flows display source and destination IP addresses, ports, protocols, and data transfer volumes.
Protocol distribution charts visualize traffic composition by protocol. Common protocols like HTTP, HTTPS, DNS, and SSH appear with percentage breakdowns and byte counts. This information helps understand network usage patterns and identify unusual protocol activity that might indicate security issues.
Application traffic identification leverages nDPI to recognize over 200 application protocols automatically. The dashboard shows which applications consume bandwidth, from video streaming services to business applications. This visibility enables informed decisions about bandwidth allocation and quality of service policies.
Geolocation features map IP addresses to physical locations worldwide, displaying traffic flows on an interactive world map. This visualization quickly identifies the geographical distribution of network traffic, useful for detecting unauthorized access attempts from unexpected locations.
Top talkers identify devices consuming the most bandwidth in real-time and historically. Sort by sent data, received data, or total traffic to find bandwidth hogs. This feature helps troubleshoot network congestion and enforce usage policies.
Historical data analysis reveals traffic trends over hours, days, weeks, or months. Trend graphs help capacity planning by showing growth patterns and peak usage periods. Export functionality generates reports for management or compliance purposes.
The alert system monitors for suspicious activity including port scans, unusual traffic patterns, and potential security threats. Configure custom alerts based on bandwidth thresholds, protocol usage, or connection patterns. Alerts can trigger notifications via email or syslog.
Troubleshooting Common Issues
Service Won’t Start: If Ntopng fails to start, examine log files for specific error messages. The systemd journal provides detailed startup information:
sudo journalctl -u ntopng -xe
Common causes include incorrect interface names in the configuration file, insufficient permissions on data directories, or Redis connection failures. Verify Redis is running and accessible before troubleshooting further.
Cannot Access Web Interface: If the browser cannot connect to port 3000, verify the firewall allows incoming connections. Check that Ntopng is actually listening on the expected port:
sudo netstat -tulpn | grep 3000
If no output appears, Ntopng isn’t listening on port 3000. Review the configuration file for the correct --http-port parameter. SELinux policies might also block network access; check SELinux status with:
sudo sestatus
Permission Denied Errors: Ntopng requires appropriate permissions to read network interfaces and write to data directories. Ensure the ntopng user has necessary capabilities:
sudo setcap cap_net_raw,cap_net_admin=eip /usr/bin/ntopng
This command grants Ntopng the capabilities to capture network traffic without running as root.
Redis Connection Failures: Verify Redis is running and Ntopng can connect to it. Test Redis connectivity:
redis-cli ping
A “PONG” response confirms Redis is operational. If connection fails, check Redis configuration and ensure it’s listening on the expected port.
No Network Traffic Visible: If the dashboard shows no traffic, verify the correct network interface is specified in the configuration. Test interface capturing with tcpdump:
sudo tcpdump -i eth0 -c 10
Replace eth0 with your interface name. If tcpdump shows packets but Ntopng doesn’t, the PF_RING module might not have loaded correctly. Check kernel module status:
lsmod | grep pf_ring
Port Already in Use: If another application uses port 3000, Ntopng won’t start. Identify the conflicting process:
sudo lsof -i :3000
Either stop the conflicting service or change Ntopng’s port in the configuration file.
Security Best Practices
Immediately change the default admin password after installation. Default credentials pose significant security risks as attackers commonly target default configurations. Use a password manager to generate and store complex passwords securely.
Enable HTTPS encryption for the web interface to protect credentials and monitoring data during transmission. Generate SSL certificates using Let’s Encrypt or your organization’s certificate authority. Configure Ntopng to use SSL with the --https-port parameter in the configuration file.
Restrict web interface access to trusted IP addresses using firewall rules. Create specific firewall rules allowing only administrator workstations or management subnets to access port 3000. This prevents unauthorized access attempts from untrusted networks.
Create additional user accounts with limited privileges for team members who need monitoring access but shouldn’t modify configurations. Ntopng supports multiple user roles with granular permissions. Avoid sharing the admin account among multiple people.
Maintain current software versions by regularly checking for updates and applying security patches. Subscribe to the Ntop mailing list or monitor the GitHub repository for security announcements:
sudo dnf update ntopng -y
Review Ntopng access logs periodically to detect unauthorized login attempts or suspicious activity. Configure log retention policies that balance security monitoring needs with disk space constraints.
Data privacy requires careful consideration when monitoring network traffic. Establish clear policies regarding what data is collected, how long it’s retained, and who can access it. Ensure compliance with organizational policies and relevant regulations regarding network monitoring and data privacy.
Backup configuration files regularly to facilitate disaster recovery. Store backups securely and test restoration procedures periodically:
sudo cp /etc/ntopng/ntopng.conf /backup/ntopng.conf.backup
Advanced Configuration Options
Ntopng supports NetFlow and sFlow collection from network devices including routers, switches, and firewalls. Configure your network devices to send flow data to the Ntopng server, then configure Ntopng to listen for incoming flows. This capability extends monitoring beyond directly connected networks to remote sites and network segments.
Start nprobe as a flow collector to receive NetFlow v5/v9 or IPFIX flows:
nprobe --zmq "tcp://127.0.0.1:5556" -i none -n none --collector-port 2055
Then configure Ntopng to receive flows from nprobe by adding the ZMQ endpoint as an interface in the configuration file:
--interface=tcp://127.0.0.1:5556
Multiple interface monitoring enables comprehensive visibility across complex network architectures. Specify multiple interfaces in the configuration using comma separation:
--interface=eth0,eth1,eth2
Each interface appears separately in the dashboard with individual statistics and flows.
SNMP integration allows Ntopng to query network devices for additional metrics including interface statistics, CPU utilization, and device health. Configure SNMP polling by adding device information to Ntopng through the web interface under Settings → SNMP.
API access enables automation and integration with external systems. The Ntopng REST API provides programmatic access to statistics, configurations, and administrative functions. Enable API access and generate authentication tokens through the web interface for secure API calls.
Community, Professional, and Enterprise editions offer different feature sets. The Community edition provides core network monitoring functionality free of charge. Professional and Enterprise editions add features like NetFlow collection, SNMP monitoring, extended historical data retention, and priority support.
Performance Optimization Tips
Adjust data retention periods based on storage capacity and monitoring requirements. Shorter retention periods reduce disk space consumption and improve query performance. Configure retention in the web interface under Settings → Preferences:
- Flow data: 7-30 days typical
- Host statistics: 30-90 days typical
- Interface statistics: 90-365 days typical
Optimize Redis memory allocation for your network size. Networks with thousands of active hosts require more Redis memory than small networks. Monitor Redis memory usage with:
redis-cli info memory
Adjust the maxmemory parameter in /etc/redis/redis.conf based on actual usage patterns.
PF_RING ZC drivers provide dramatic performance improvements for networks exceeding 1 Gbps throughput. These drivers eliminate memory copy operations and reduce CPU utilization significantly. Install ZC drivers on supported hardware for optimal performance:
sudo dnf install pfring-drivers-zc-dkms -y
Disable unnecessary features to reduce resource consumption. If geolocation isn’t required, disable it to save memory and CPU cycles. Similarly, disable flow collection if only host statistics are needed.
Regular database maintenance prevents performance degradation over time. Ntopng automatically manages its database, but periodic optimization improves query speed:
sudo systemctl stop ntopng
sudo ntopng --data-dir /var/lib/ntopng --optimize
sudo systemctl start ntopng
Hardware selection significantly impacts monitoring capacity. High-throughput environments benefit from multi-core processors, fast SSDs for data storage, and abundant RAM. Allocate at least 4GB RAM for monitoring networks with 500+ active hosts.
Updating and Maintaining Ntopng
Maintain current Ntopng versions to benefit from security patches, bug fixes, and new features. Check for available updates regularly:
sudo dnf check-update ntopng
Apply updates when available:
sudo dnf update ntopng -y
Before updating, backup the configuration directory to preserve custom settings:
sudo tar -czf ntopng-config-backup-$(date +%Y%m%d).tar.gz /etc/ntopng/
Read release notes before applying updates to understand changes and potential impacts. Major version updates sometimes introduce breaking changes requiring configuration adjustments. The Ntop blog and GitHub repository provide detailed release information.
Test updates in non-production environments when possible. Virtual machines or test servers allow verification that updates don’t disrupt monitoring operations. This practice prevents unexpected downtime in production environments.
Rollback procedures provide recovery options if updates cause issues. DNF maintains package history, enabling downgrades to previous versions:
sudo dnf history list ntopng
sudo dnf history undo <transaction_id>
Subscribe to the Ntop community mailing list for announcements about new releases, security advisories, and important updates. The mailing list archives provide valuable troubleshooting resources and best practice discussions.
Congratulations! You have successfully installed Ntopng. Thanks for using this tutorial for installing Ntopng server monitoring on CentOS Stream 10 systems. For additional help or useful information, we recommend checking the official Ntopng website.