ntopng: actually seeing what is on your network
You plug something into your network and assume it is doing what you think it is doing. For a long time that assumption is probably right. Then one day you notice your internet feels sluggish, or you spot an unfamiliar device in your DHCP lease table, or you realize you have never actually looked at how much traffic your media server pushes at 2am. The assumption starts to feel thin.
Network traffic monitoring is the answer to “what is actually happening on my network?” — not the curated version your router hands you in a status page, but the full picture: which hosts are talking to which, what protocols they are using, how much bandwidth each device consumes, and whether anything is calling home to a destination you did not expect.
ntopng is how Sun does that in this homelab. This post explains what it is, why it earns its keep, and whether it belongs in yours.
What ntopng is, in plain language
ntopng is a network traffic analysis tool developed by ntop. The name is a nod to the classic Unix top command — just as top shows you what processes are consuming CPU, ntopng shows you what flows are consuming your network. The “ng” stands for “next generation,” distinguishing it from the original ntop project.
At its core, ntopng does three things:
- Deep packet inspection (DPI) — it looks inside the traffic (not at content, but at the conversation metadata) to identify the application layer: this is HTTP, that is BitTorrent, this other one is Netflix.
- Flow analysis — it tracks conversations between hosts over time, so you can see not just instantaneous throughput but historical patterns: who talked to whom, for how long, how much data changed hands.
- NetFlow and sFlow aggregation — rather than capturing raw packets itself, ntopng can also receive pre-summarized flow records exported by routers and firewalls. This is useful when you want to monitor traffic at the edge of your network without deploying a tap on every segment.
The community edition — which is free and open source — covers all three of those capabilities plus geo-IP enrichment (mapping external IPs to countries and autonomous systems). The commercial Pro edition adds longer historical retention, additional alert integrations, and plugin support.
The problem it actually solves
Consumer routers give you a traffic graph. Maybe it shows megabits per second in and out. That is useful for knowing whether you are saturating your uplink, but it tells you nothing about who is responsible.
More capable routers and firewalls — OPNsense, pfSense, Unifi — can show you per-device bandwidth, which is a meaningful step up. But they still tend to be fairly coarse: you see totals, not conversations. You see that a device used 40GB last week, not which servers it was talking to or what it was doing at 3am.
ntopng fills that gap. When you need to answer questions like:
- “Why is my upload saturated right now?”
- “Which device is making the most DNS queries?”
- “Is anything on my network talking to a cloud service I don’t recognize?”
- “What is my NAS actually doing at 2am?”
…ntopng gives you answers, in real time and historically.
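To make the flow-analysis idea concrete, here is a small added example (not ntopng's code) that answers the four questions above over a handful of constructed NetFlow-style records. The LAN range, the allowlist of expected external services, and the flow records themselves are assumptions invented for the example; ntopng does the same bookkeeping at scale, against real flows.

```python
# Added example, not part of ntopng: a toy flow analyzer over constructed
# NetFlow-style records, answering the four questions from the post.
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")      # assumption: the homelab LAN
KNOWN_EXTERNAL = {                       # assumption: destinations we expect
    "203.0.113.10": "backup provider",
    "198.51.100.7": "update mirror",
}

# Constructed flow records: (src, dst, dst_port, proto, bytes, hour_of_day)
FLOWS = [
    ("192.168.1.20", "203.0.113.10", 443, "tcp", 900_000_000, 2),  # NAS -> backup
    ("192.168.1.20", "203.0.113.10", 443, "tcp", 700_000_000, 2),
    ("192.168.1.30", "192.168.1.1",   53, "udp", 4_000, 14),       # IoT plug DNS
    ("192.168.1.30", "192.168.1.1",   53, "udp", 4_000, 14),
    ("192.168.1.30", "192.168.1.1",   53, "udp", 4_000, 15),
    ("192.168.1.30", "192.0.2.55",  8883, "tcp", 50_000, 15),      # IoT plug -> ?
    ("192.168.1.40", "192.168.1.1",   53, "udp", 2_000, 9),        # laptop DNS
    ("192.168.1.40", "198.51.100.7", 443, "tcp", 120_000_000, 9),  # laptop updates
]

def is_lan(ip: str) -> bool:
    return ip_address(ip) in LAN

def top_uploaders(flows, n=3):
    """'Why is my upload saturated?' -> LAN hosts ranked by bytes sent off-LAN."""
    out = Counter()
    for src, dst, _, _, nbytes, _ in flows:
        if is_lan(src) and not is_lan(dst):
            out[src] += nbytes
    return out.most_common(n)

def dns_queries_per_host(flows):
    """'Which device makes the most DNS queries?' -> UDP/53 flows per source."""
    out = Counter(src for src, _, port, proto, _, _ in flows
                  if proto == "udp" and port == 53)
    return out.most_common()

def unexpected_destinations(flows):
    """'Is anything talking somewhere I don't recognize?' -> off-LAN, not allowlisted."""
    seen = defaultdict(set)
    for src, dst, port, _, _, _ in flows:
        if not is_lan(dst) and dst not in KNOWN_EXTERNAL:
            seen[src].add((dst, port))
    return {src: sorted(d) for src, d in seen.items()}

def activity_at_hour(flows, host, hour):
    """'What is my NAS doing at 2am?' -> (dst, port, bytes) for that host and hour."""
    return [(dst, port, b) for src, dst, port, _, b, h in flows
            if src == host and h == hour]
```

Run against the constructed records, the NAS tops the upload ranking, the IoT plug makes the most DNS queries, and the plug's MQTT-port conversation with 192.0.2.55 is the only destination nobody expected.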
For a homelab with a growing number of devices — IoT gadgets, media servers, infrastructure VMs, family laptops — this visibility matters more as the network grows, not less. The bigger your homelab gets, the less you can afford to just assume.
What the commercial world uses instead
Enterprise network monitoring is a substantial industry, and the tools reflect that.
NetScout / NIKSUN / Cisco Stealthwatch sit at the high end — purpose-built appliances and software suites designed for SOC teams and large-scale data centers. They do everything ntopng does and more, with SIEM integration, behavioral baselining, and compliance reporting baked in. They also cost more per year than most homelabs cost to build.
Darktrace is the AI-native answer to this space. It builds a behavioral model of your network and alerts on deviations — not just “this IP is talking to a known bad actor” but “this device is doing something it has never done before.” Impressive technology, enterprise price tag.
Splunk and similar SIEM platforms can do network analysis when fed the right data, but they are a log aggregation layer on top of something else doing the actual capture. They are more of an analytics tier than a monitoring tool in themselves.
⚠️ Unverified: Specific pricing for any of these commercial tools — license costs vary significantly by deployment size and negotiation. Treat all commercial comparisons as qualitative only.
The common thread: enterprise tools in this space assume enterprise budgets. They also assume an IT team to operate them. For a homelab, the overhead is not justified.
The self-hosted landscape
When you start looking at open-source network monitoring, a few names come up regularly.
Zeek (formerly Bro) is a powerful network analysis framework that has been a staple of academic and security research for decades. It does not have a built-in web UI — it produces detailed log files that you parse downstream, typically with something like Elasticsearch or Splunk. Zeek is extremely capable and extremely flexible, but it requires more operational investment than most homelabs want to put into a monitoring tool. If you are building a home SOC and want to write your own detection logic, Zeek is worth studying. If you want a dashboard you can open in a browser and immediately understand, it is not the right starting point.
Suricata is primarily an intrusion detection and prevention system (IDS/IPS). It can do flow-level logging and has some overlap with what ntopng offers, but its core strength is signature-based threat detection, not traffic visualization. Many homelabs run both — ntopng for visibility, Suricata for alerting on known-bad patterns.
ntopng occupies a sweet spot: it has a usable web UI out of the box, covers DPI and flow analysis without requiring you to build a logging pipeline, runs comfortably on modest hardware, and the community edition is genuinely useful without the license. The trade-off is that long-term historical data and some of the more sophisticated alerting features require the Pro edition.
Built-in firewall tools — OPNsense and pfSense both have traffic reporting and can run plugins that add flow visibility. For many homelabs that is sufficient. The case for a dedicated ntopng instance is that it gives you more depth, does not add load to your firewall, and separates the monitoring concern from the policy enforcement concern. Running them together means a misconfigured monitoring job can affect your firewall — not a risk worth taking.
How it runs in this homelab
The setup here is straightforward: ntopng runs in Docker, on a dedicated VM provisioned via Ansible. It uses host networking — this is not optional, it is how ntopng gets access to the network interfaces it needs to see traffic. Redis runs alongside it as the data store for flow state.
The VM is modest: four virtual CPUs and four gigabytes of RAM. For a homelab-scale network that is more than enough. ntopng is not a particularly hungry service under normal conditions; the community edition holds a rolling window of flow data in memory and Redis, not an unbounded historical archive.
NetFlow export from the firewall feeds ntopng with edge-level traffic summaries, which means it can see conversations that are entirely within the LAN (between two local devices) as well as anything crossing the internet uplink.
Authentication uses LDAP, which plugs ntopng into the same SSO stack as everything else in the homelab. This is one of those quality-of-life details that matters when you have a dozen dashboards to manage — one set of credentials, enforced centrally.
The web UI is what you would expect: a live dashboard showing active flows, a host map, top talkers by volume, protocol breakdowns, and geo-IP lookups for external addresses. There is enough depth to investigate a problem and enough at-a-glance clarity to know whether anything looks wrong on a daily check.
Who should bother
ntopng is worth running if:
- You have more than a handful of devices. A handful of devices on a simple network does not generate enough interesting traffic to justify the overhead. Once you have IoT devices, servers, VMs, and family traffic all coexisting, the visibility becomes genuinely useful.
- You want to understand your network, not just manage it. If you are the type who looks at DHCP leases, reads firewall logs occasionally, and wants to know why your link is saturated — ntopng rewards that curiosity.
- You are already running a homelab with spare capacity. The VM resource requirements are modest. If you have the infrastructure, the marginal cost is low.
- You care about catching unexpected behavior. IoT devices are notorious for phoning home. Knowing what is actually leaving your network is different from assuming it is only what you intended.
You probably do not need it yet if:
- You are just starting out. Get your core services stable first. Monitoring is most valuable when there is something worth monitoring.
- Your router’s built-in tools are enough for your use case. If you only want to know whether your internet connection is healthy, a simple uptime monitor covers that.
- You are not comfortable with Docker or basic Linux administration. The deployment itself is not complicated, but troubleshooting host networking in Docker has some wrinkles. If you are not yet comfortable there, a few other projects first will build that foundation.
The honest trade-off
The community edition of ntopng is genuinely useful without paying anything. The limits are mostly around retention — community edition keeps a rolling window of data, not a deep historical archive. If you want to ask “what was my network doing three weeks ago,” you will hit the ceiling.
The Pro tier addresses this. Whether it is worth the license cost depends on how seriously you take network monitoring and whether you are also building out a broader observability stack. If you are shipping flows into Prometheus and Grafana already, the retention gap matters less because you have other data sources covering the long term.
For a homelab that wants deep, real-time traffic visibility without building a full SOC pipeline, community ntopng does the job. It is the kind of service that runs quietly in the background, earns its keep every time something unexpected happens on the network, and makes you wonder how you operated without it.
The assumption that your devices are doing what you think they are doing is comfortable. ntopng is the tool that lets you trade comfort for certainty.