Who is eating my bandwidth

Who really knows which protocols are in use on the local network? With NetFlow you can usually distinguish traffic by L4 port (80 = HTTP, 443 = HTTPS, ...), but this is no longer sufficient. Some applications use dynamic ports (see NFS, FTP, routed SAP, …), and several applications share the same ports. How can we distinguish them?

Applications grow and change really fast (like everything in the IT world), and it is not easy to keep your NetFlow analysis tool aligned with this evolution.

Ntopng is able to automatically detect the applications that are generating the traffic without having to define and use filters.

How to know if certain applications are eating all your bandwidth?

With ntopng you can have an overview of the application protocols out of the box: just two clicks and you have the top application protocols.


OK, but who is eating the bandwidth? Easy: let ntopng show you the top downloaders and sort them by throughput:


You see, it is quite simple to discover unexpected talkers.

Ntopng provides an overview of several statistics on subnets, autonomous systems, flows matrix, geolocation and many others. If special plugins are enabled, you also see detailed information about protocols like SIP, RTP, HTTP, BGP, DHCP, DNS, IMAP and RADIUS.

Here is an example of an RTP flow for a voice communication. All performance metrics are at hand: jitter, lost packets, max interarrival time, MOS, R-Factor.


How to keep them all under control?

The solution does not only provide a pretty frontend for traffic statistics; it also offers an engine to keep your network constantly under control. Define alarms and get notifications through the NetEye integration.


There are standard thresholds that you can set directly from the GUI (for example, the byte throughput of each single host) to get the corresponding alarms in NetEye.



Define an ntopng host (example: ntopng-host) in NetEye and then a service with a passive check (example: NtopngAlert). Enable alerting in the ntopng alert preferences and set up the Nagios integration (you may follow the steps described in this article).

There are predefined alerts on well-known security issues like SYN floods and connections with blacklisted hosts.


There are never enough default alerts…

Thanks to a Lua API you can define fully customized rules to generate additional alarms, which obviously can be managed and monitored with NetEye.

Let’s consider an example: you want to make sure that some specific applications, such as OneDrive, Dropbox or any others, do not eat too much internet bandwidth. In this case, it is enough to write a Lua callback that reads the statistics on the L7 traffic and generates an alert when the bandwidth consumption exceeds a limit.
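The logic of such a rule, as an added example that is not code from ntopng or NetEye: it turns two snapshots of per-application byte counters into throughput, compares it with per-application limits and formats the result as a Nagios passive check (`PROCESS_SERVICE_CHECK_RESULT`) for the ntopng-host / NtopngAlert service defined above. The function names, the limits and the shape of the counter tables are assumptions; it calls no ntopng API, so reading the counters from ntopng and delivering the line to NetEye are not shown.

```lua
-- Added example. The counters further down are constructed sample data; in
-- ntopng they would be read from the L7 statistics (table shape is assumed).
local LIMITS_BPS = { OneDrive = 2e6, Dropbox = 1e6 }  -- hypothetical limits, bit/s

-- Throughput per application between two counter snapshots taken
-- `interval` seconds apart. Handles new applications and counter resets.
local function l7_throughput(prev, curr, interval)
  assert(interval > 0, "interval must be positive")
  local rates = {}
  for app, bytes in pairs(curr) do
    local delta = bytes - (prev[app] or 0)
    if delta < 0 then delta = bytes end  -- counter was reset: count from zero
    rates[app] = delta * 8 / interval
  end
  return rates
end

-- Returns a Nagios status code (0 = OK, 2 = CRITICAL) and the plugin output.
local function evaluate(rates, limits)
  local offenders = {}
  for app, limit in pairs(limits) do
    local bps = rates[app] or 0
    if bps > limit then
      offenders[#offenders + 1] = string.format(
        "%s %.1f Mbit/s (limit %.1f)", app, bps / 1e6, limit / 1e6)
    end
  end
  table.sort(offenders)  -- stable message regardless of table iteration order
  if #offenders == 0 then
    return 0, "OK - all monitored applications within limits"
  end
  return 2, "CRITICAL - " .. table.concat(offenders, ", ")
end

-- Nagios external command line carrying a passive service check result.
local function passive_result(now, host, service, code, output)
  return string.format("[%d] PROCESS_SERVICE_CHECK_RESULT;%s;%s;%d;%s",
    now, host, service, code, output)
end

-- Constructed snapshots (bytes), taken 60 seconds apart.
local prev = { OneDrive = 10000000, Dropbox = 5000000, HTTP = 900000000 }
local curr = { OneDrive = 40000000, Dropbox = 8000000, HTTP = 950000000 }
local code, output = evaluate(l7_throughput(prev, curr, 60), LIMITS_BPS)
print(passive_result(os.time(), "ntopng-host", "NtopngAlert", code, output))
```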

Our consultants can help you in defining / implementing such Lua rules.


Luca Di Stefano

Solution Architect at Würth Phoenix
Hi everyone, I’m Luca, graduated in electrical engineering from the University of Bologna. I have been employed by Würth Phoenix since its foundation. I worked mainly as enterprise architect and quality assurance engineer. Previously I was involved in systems measurement and embedded systems programming. I have gained experience on Unix (Solaris, HPUX), Windows, and C, C++, Java. I personally contribute to the Open Source community as beta tester and developer. During my spare time I love piloting airplanes over the beautiful Alps. I practice many sports: tennis, broomball, skiing, alpine skiing, volleyball, soccer, mountain biking, middle distance, none have a sample but the competition excites me! I love hiking, tracking and traveling.