Network Flow Monitoring with ntopng and NetFlow
You know your homelab network works. You can ping things, services respond, and your monitoring shows green. But do you actually know what's happening on your network? Which host is generating the most traffic? Is that backup job saturating the link to your NAS? What's making DNS queries at 4 AM? Is the IoT VLAN really isolated, or is something chatting across boundaries?
Traditional monitoring tools like Prometheus and Grafana tell you about application metrics. SNMP tells you interface counters -- bytes in, bytes out, error counts. But neither tells you about individual traffic flows: who is talking to whom, on what port, how much data, and for how long. That's what network flow monitoring does.
Understanding Flow Protocols
Network flow monitoring works by having your network equipment (switches, routers, firewalls) summarize traffic into "flow records" and export them to a collector. Each flow record describes a conversation: source IP, destination IP, source port, destination port, protocol, byte count, packet count, and timestamps.
Three protocols dominate this space:
| Protocol | Origin | Sampling | Key Differences |
|---|---|---|---|
| NetFlow v5 | Cisco (1996) | Optional | Fixed format, IPv4 only, widely supported |
| NetFlow v9 | Cisco (2004) | Optional | Template-based, flexible fields, IPv6 support |
| IPFIX | IETF standard | Optional | Based on NetFlow v9, vendor-neutral, extensible |
| sFlow | InMon (2001) | Always (1-in-N) | Samples packets, includes layer 2 info, lower overhead |
NetFlow/IPFIX tracks every flow (or can be configured to sample). The switch/router maintains a flow table and exports completed flows. This gives you accurate byte and packet counts per flow but requires more resources on the network device.
sFlow takes a different approach: it samples 1-in-N packets (commonly 1-in-1000 or 1-in-4096) and sends the sampled packet headers plus interface counters to the collector. The collector uses statistical methods to estimate total traffic. sFlow is simpler to implement, which is why most managed switches from TP-Link, MikroTik, and Ubiquiti support it even on cheaper hardware.
For homelab gear, sFlow is often the only option on affordable managed switches. If you're running OPNsense, pfSense, or a Linux router, you can export NetFlow/IPFIX using softflowd or pmacct.
Deploying ntopng
ntopng is an open-source network traffic monitoring tool that acts as both a flow collector and an analysis engine. It ingests NetFlow, IPFIX, and sFlow records, stores them, and provides a rich web interface for analysis. It also performs deep packet inspection when receiving mirrored traffic.
Docker Compose Setup
# ~/docker/ntopng/docker-compose.yml
services:
ntopng:
image: ntop/ntopng:stable
container_name: ntopng
restart: unless-stopped
network_mode: host # Required for flow collection on standard ports
volumes:
- ntopng-data:/var/lib/ntopng
- ./ntopng.conf:/etc/ntopng/ntopng.conf:ro
environment:
TZ: "America/Los_Angeles"
cap_add:
- NET_ADMIN
- SYS_PTRACE
volumes:
ntopng-data:
Using network_mode: host is important because ntopng needs to receive flow data on UDP ports (2055 for NetFlow, 6343 for sFlow) and optionally capture traffic on the host interface.
ntopng Configuration
Create ~/docker/ntopng/ntopng.conf:
# Network interfaces to monitor
# -i=eth0 # Direct packet capture on interface
-i=tcp://127.0.0.1:5556 # ZMQ interface for nProbe (optional)
# Flow collection interfaces
-i=udp://0.0.0.0:2055 # NetFlow v5/v9 and IPFIX collector
-i=udp://0.0.0.0:6343 # sFlow collector
# Web UI
-w=3000 # HTTP port
# -W=3001 # HTTPS port (uncomment for TLS)
# Data directory
-d=/var/lib/ntopng
# Local networks (for accurate in/out classification)
-m=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
# DNS resolution
-n=1 # 1=resolve IPs, 2=don't resolve
# Community edition (no license needed for basic features)
--community
# Data retention (days)
--data-retention=30
# Disable login for homelab (or set credentials)
# --disable-login # Uncomment to skip auth (not recommended)
Start it:
docker compose up -d
Navigate to http://your-server:3000. Default credentials are admin / admin.
Configuring Flow Export on Your Network Devices
OPNsense / pfSense (NetFlow)
OPNsense has built-in NetFlow export via the Insight plugin:
- Go to Reporting > NetFlow
- Enable the NetFlow exporter
- Set the Listening interfaces (WAN, LAN, VLANs you want to monitor)
- Set Capture version to 9 (or IPFIX)
- Add a Destination: your ntopng server IP, port 2055
- Click Apply
For pfSense, install the softflowd package:
# pfSense shell
pkg install softflowd
softflowd -i em0 -n ntopng-server:2055 -v 9
MikroTik RouterOS (NetFlow/Traffic Flow)
# Enable Traffic Flow
/ip traffic-flow
set enabled=yes interfaces=all
# Add the ntopng collector
/ip traffic-flow target
add dst-address=10.0.0.50 port=2055 version=9
Ubiquiti UniFi Switches (sFlow via CLI)
UniFi switches support sFlow but it's not exposed in the controller UI. SSH into the switch:
# SSH to your UniFi switch
ssh [email protected]
# Configure sFlow
configure
set protocols sflow agent-address 10.0.0.1
set protocols sflow collector-address 10.0.0.50
set protocols sflow collector-port 6343
set protocols sflow sampling-rate 1024
set protocols sflow polling-interval 20
commit
save
Note: UniFi switch sFlow configuration may reset on provisioning. You can make it persistent with a config.gateway.json on the controller.
Linux Hosts (softflowd)
If you want flow data from a Linux server (useful if it acts as a router or gateway):
# Install softflowd
sudo apt install softflowd # Debian/Ubuntu
sudo dnf install softflowd # Fedora
# Start exporting flows from eth0
sudo softflowd -i eth0 -n ntopng-server:2055 -v 9 -t maxlife=300
# Or as a systemd service
sudo systemctl enable --now softflowd
Configure /etc/softflowd/softflowd.conf:
interface eth0
options -n 10.0.0.50:2055 -v 9
Analyzing Traffic in ntopng
Once flows start arriving, ntopng categorizes and visualizes them in several ways.
Dashboard Overview
The main dashboard shows:
- Active flows: Current conversations happening on your network
- Top talkers: Hosts generating the most traffic
- Top protocols: Application protocols by bandwidth (HTTP, DNS, SSH, NFS, etc.)
- Alerts: Anomalies, threshold violations, suspicious activity
Useful Analysis Views
Flows page (/lua/flows_stats.lua): See every active flow with source, destination, protocol, throughput, and duration. Filter by VLAN, subnet, host, or application.
Host details: Click any host to see its traffic profile -- who it's talking to, what protocols, bandwidth over time, and any triggered alerts. This is invaluable for identifying that one IoT device making unexpected connections.
VLAN analysis: If you've segmented your network into VLANs (IoT, trusted, guest, management), ntopng shows traffic per VLAN and, critically, traffic crossing VLAN boundaries. This verifies your firewall rules are actually working.
Application Protocol Detection
ntopng uses nDPI (deep packet inspection) to classify flows by application, not just port number. This means it can tell the difference between HTTPS to Netflix versus HTTPS to your Nextcloud instance, even though both use port 443.
Common categories you'll see in a homelab:
| Category | Examples |
|---|---|
| Web | HTTP, HTTPS, QUIC |
| File Sharing | SMB, NFS, SFTP |
| Media | Plex, Jellyfin (via HTTPS), RTSP |
| Infrastructure | DNS, NTP, SNMP, DHCP |
| Remote Access | SSH, RDP, VNC, WireGuard |
| Database | PostgreSQL, MySQL, Redis |
| Monitoring | Prometheus scrapes, syslog, NetFlow |
Setting Up Alerts
ntopng supports threshold-based and behavior-based alerts.
Threshold Alerts
Configure in the web UI under Settings > Alerts:
- Host bandwidth: Alert when any host exceeds X Mbps
- Flow duration: Alert on flows lasting longer than N minutes (potential exfiltration)
- New devices: Alert when a previously unseen MAC address appears
- Unusual protocols: Alert on protocols that shouldn't be on your network
Alert Recipients
ntopng can deliver alerts via:
# Email notifications
# Configure under Settings > Preferences > Alerts > Email
# SMTP server, port, credentials, recipient list
# Webhook (for integration with Slack, Discord, etc.)
# Settings > Preferences > Alerts > Webhook
# POST to your webhook URL with JSON payload
# Syslog (for forwarding to your log aggregator)
# Settings > Preferences > Alerts > Syslog
Example: Detecting Cross-VLAN Traffic
If your homelab has an IoT VLAN (say, 10.0.30.0/24) that should never talk to your server VLAN (10.0.10.0/24), ntopng's VLAN analysis will show any traffic crossing that boundary. You can set an alert for any flow between these subnets, which would indicate either a firewall misconfiguration or a compromised device.
Long-Term Storage and Reporting
ntopng Community Edition stores data for a configurable retention period (default 30 days). For longer-term analysis, you have options:
InfluxDB Integration
ntopng can export time-series data to InfluxDB for long-term storage and Grafana dashboards:
# Add to ntopng.conf
-F=influxdb;http://influxdb-server:8086;ntopng;ntopng_user;ntopng_pass
This gives you historical traffic data in Grafana, alongside your other monitoring dashboards.
Grafana Dashboard
With InfluxDB as a data source, build dashboards showing:
- Bandwidth by host over time: Spot trends and identify bandwidth hogs
- Protocol distribution over time: See how your network usage patterns change
- Top external destinations: Which internet services your network talks to most
- VLAN traffic matrix: Heat map of inter-VLAN communication
Network Tap vs. Port Mirroring vs. Flow Export
Three ways to get traffic data into ntopng, each with tradeoffs:
| Method | What You Get | Overhead | Equipment Needed |
|---|---|---|---|
| Flow export (NetFlow/sFlow) | Flow summaries (IPs, ports, bytes, packets) | Minimal on network device | Managed switch/router with flow support |
| Port mirroring (SPAN) | Complete packet copies | Significant (doubles traffic on mirror port) | Managed switch with SPAN support |
| Network tap | Complete packet copies, passive | None on network device | Physical tap device ($50-500) |
For most homelabs, flow export is sufficient. You get "who talked to whom, how much, and using what protocol" without the overhead of copying every packet. Port mirroring is useful if you need packet-level inspection (debugging TLS issues, protocol analysis), but for ongoing monitoring, flow data gives you 95% of the insight at 5% of the overhead.
Resource Requirements
| Component | RAM | CPU | Disk |
|---|---|---|---|
| ntopng (Community) | 1-2 GB | 1-2 cores | 5-20 GB (30-day retention) |
| ntopng (Enterprise) | 2-4 GB | 2-4 cores | 10-50 GB |
| InfluxDB (optional) | 512 MB - 1 GB | 1 core | Varies with retention |
| softflowd (on router) | ~20 MB | Negligible | Negligible |
The ntopng memory footprint scales with the number of active flows and hosts. A typical homelab with 50-100 active hosts and a few thousand concurrent flows sits comfortably at 1-2 GB.
Practical Tips
- Start with sFlow or NetFlow only before adding packet capture. Flow data is easier to manage and sufficient for most visibility needs.
- Set accurate local network definitions (
-mflag). This lets ntopng correctly classify traffic as local vs. remote. - Use VLANs for segmentation and then use ntopng to verify the segmentation works. It's common to discover that a firewall rule isn't doing what you thought.
- Check the "Alerts" page daily for the first week. Tune thresholds to avoid alert fatigue, but don't ignore early warnings.
- Export to InfluxDB early. You'll regret not having historical data when you're trying to figure out when a problem started.
Network flow monitoring fills a blind spot that most homelab monitoring stacks ignore. Your Prometheus setup tells you when a service is down. Your flow data tells you why the network is slow, what your devices are doing when you're not watching, and whether your network segmentation is actually working. The combination of ntopng for real-time analysis and Grafana for historical trends gives you the kind of network visibility that network engineers at real companies would recognize.