How-to – Configuring Ntopng to collect sFlow packets

Maybe you thought the same as I thought when I searched online for good ntopng tutorials: “damn, I’ll have to make my own”. Well, as I will have to install the whole setup myself again, I prefer to write it down here and share it with you.


Just to clarify things before we get our hands dirty: ntopng is a netflow analyzer with a nice web interface that can capture the traffic on its own interface. HOWEVER, it cannot work as a netflow collector too. That means that if you have a couple of network devices on a network and you want to know what kind of flows are going through it, you will have to install a separate tool, which is also developed by the ntopng guys: nProbe. Sadly, this one is not free, and you will need a license to get it working in a production environment, as the default installation has a limit of 20K flows per nprobe thread, after which it stops collecting them.

So to make it short, you will have to:

  • install ntopng and nprobe
  • configure your network devices to send net/sflow packets to ntopng server
  • configure nProbe to collect net/sflow packets and to stream them in JSON to ntopng
  • configure ntopng to listen for nProbe JSON streams


I used Ubuntu 12.04 amd64 with the latest updates for this setup. But I’m pretty sure it works with 14.04; maybe I’ll test it and update this post accordingly.

The easiest way to get these packages installed is to add their sources to APT:

sudo dpkg -i apt-ntop.deb

and update the package list:

apt-get clean all
apt-get update
apt-get install nprobe ntopng

Well, the other way to get these packages installed would be downloading the .deb files and installing them manually (follow the right order because there are some dependencies):


Once you’ve downloaded the files, install them like this:

dpkg -i  pfring_6.0.1-7598_amd64.deb
dpkg -i  nprobe_6.16.140627-4223_amd64.deb
dpkg -i  ntopng_1.2.1-8121_amd64.deb
dpkg -i  ntopng-data_1.1.4-7806_all.deb

N.B.: You could download the Subversion repository and build the packages on your own, but I don’t see the point when you can directly download the built packages. Note that for CentOS, there are pre-built packages too on .


My test server has the IPv4

First, launch ntopng :

ntopng -i tcp:// -d /var/tmp -w 3000 -v >> /dev/null &

Then, launch the nprobe collector:

nprobe --collector-port 6343 --zmq tcp:// >> /dev/null &

I want packet samples from my Brocade router so I configure it:

(config)#sflow enable
(config)#sflow destination 6343
(config)#sflow polling-interval 1
(config)#sflow sample 1024

And then activate sflow forwarding on the ports you want:

(config)#interface ethernet 1/6
 (config-if-e1000-1/6)#sflow forwarding
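
To confirm the router is really exporting before you look at the web interface, this added example (not part of the original post, and not ntop code) decodes the sFlow v5 datagram header and checks that the sampling rate carried in each flow sample matches the "sflow sample 1024" setting above. The function names, the constructed datagram and the agent address 192.0.2.1 are assumptions made for illustration.

```python
import ipaddress
import socket
import struct

EXPECTED_RATE = 1024  # matches "sflow sample 1024" in the router config above

def parse_sflow(data: bytes) -> dict:
    """Decode an sFlow v5 datagram header and each flow sample's sampling rate."""
    if len(data) < 8:
        raise ValueError("truncated datagram")
    version, addr_type = struct.unpack_from("!II", data, 0)
    if version != 5:
        raise ValueError(f"not sFlow v5 (version field = {version})")
    addr_len = {1: 4, 2: 16}.get(addr_type)  # 1 = IPv4 agent, 2 = IPv6 agent
    if addr_len is None or len(data) < 8 + addr_len + 16:
        raise ValueError("bad agent address type or truncated header")
    agent = ipaddress.ip_address(data[8:8 + addr_len])
    _sub_agent, seq, _uptime_ms, n_samples = struct.unpack_from("!4I", data, 8 + addr_len)
    off = 24 + addr_len
    rates = []
    for _ in range(n_samples):
        if len(data) < off + 8:
            raise ValueError("truncated sample header")
        tag, length = struct.unpack_from("!II", data, off)
        body = data[off + 8:off + 8 + length]
        if len(body) != length:
            raise ValueError("sample length overruns datagram")
        if tag == 1 and length >= 12:    # enterprise 0, format 1: flow sample
            rates.append(struct.unpack_from("!I", body, 8)[0])
        elif tag == 3 and length >= 16:  # enterprise 0, format 3: expanded flow sample
            rates.append(struct.unpack_from("!I", body, 12)[0])
        off += 8 + length
    return {"agent": str(agent), "sequence": seq, "flow_rates": rates}

def constructed_datagram(rate: int = EXPECTED_RATE) -> bytes:
    """Constructed sample input: agent 192.0.2.1, one flow sample, no records."""
    flow = struct.pack("!8I", 1, 6, rate, rate, 0, 6, 7, 0)
    header = struct.pack("!II4s4I", 5, 1, bytes([192, 0, 2, 1]), 0, 1, 1000, 1)
    return header + struct.pack("!II", 1, len(flow)) + flow

def rate_mismatches(summary: dict, expected: int = EXPECTED_RATE) -> list:
    return [r for r in summary["flow_rates"] if r != expected]  # empty list = OK

def listen_once(port: int = 6343, timeout: float = 10.0) -> dict:
    """Parse one live datagram from the collector port (nprobe must not hold it)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("0.0.0.0", port))
        s.settimeout(timeout)
        return parse_sflow(s.recvfrom(65535)[0])
```

parse_sflow(constructed_datagram()) runs offline; listen_once() binds UDP 6343 itself, so call it only while nprobe is stopped, and treat a timeout as "the router is not sending to this host and port".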


Go to and log in with admin/admin. Change the password in Settings and wait for traffic to come in.

Congrats! Now you can see a lot of details concerning traffic flows inside your network.


Activating the whole setup for production

The last thing to do to get this working outside your lab, in the real world, is to activate nProbe. For this, you have to purchase a license here (Ntopng itself is free on Unix systems):

Once you have it, just generate the license file on the ntopng website (composed of order ID and system ID). Create the file like this:

 echo 10225F63D0LICENSE5216043489 > /etc/nprobe.license

Just restart nprobe; it should recognize the license and no longer limit the flows to 25k.

PS: be careful with modifications to the server, whether CPU/RAM/HDD-wise or IP-wise: the license could fail from then on because of a mismatching Install ID/System ID, and you’ll have to re-buy support from Nmon to get it activated.


11 thoughts on “How-to – Configuring Ntopng to collect sFlow packets”

  1. You are awesome … been looking for some proper documentation on how to get this to work.

    Just one question, if you don’t mind, about when you are exporting from your router.

    I want packet samples from my Brocade router so I configure it:

    (config)#sflow enable
    (config)#sflow destination 4444
    (config)#sflow polling-interval 1
    (config)#sflow sample 1024

    Why port 4444?

    • Hi Darryn,
      This is an error. If I configure the collector port as 6343 on nprobe, I’ll have to configure it as 6343 on the sFlow-sending device. 6343 is the default for sFlow, 4444 is the port on which nProbe listens for sFlow by default. So, it’s your choice, but it doesn’t matter as long as the ports are the same.

      Thanks for the hint!

  2. Ok Great stuff,

    Thanks a million for this document. It was really difficult to find something on this, but this is exactly what I needed.

  3. Pingback: Using NetFlow with nProbe for ntopng | Blog

    • Now, what you want is for nprobe to collect data and send it to ntopng. To avoid redirecting sflows and JSON everywhere, I would install both on the same server. With nprobe and ntopng being local to a Linux host, you will be taking the sflows with nprobe on the LAN interface, sending them through localhost to ntopng and then binding the webserver to the LAN interface again.

      It’s quite a similar setup to a postfix server with amavis, except there you’re doing a localhost loop, while here you just “pass” the traffic to ntopng. Maybe if something isn’t clear in the tutorial, let me know, I’ll edit.

  4. I tried to send IPv6 records from the device to the collector, but ntop is showing NOIP/ in the GUI and displaying it as IPv4 traffic. Is it a bug or am I missing some configuration?
