I noticed one of my servers had significantly higher outbound bandwidth than usual one month. netstat told me there were active connections, but not much about what kind of traffic it was or where it was going.
ntopng gave me the answer in a few minutes: one container was making constant API calls to an external service that I'd forgotten to rate-limit. Nothing malicious, but the kind of thing that shows up as an unexpected bandwidth bill. With ntopng I can see per-host traffic, protocol breakdown, top connections, and historical bandwidth — enough to debug most traffic anomalies quickly.
This guide covers installation on Ubuntu 22.04 and the configuration to make ntopng actually useful for VPS traffic analysis.
This guide installs ntopng on Ubuntu 22.04 with Nginx and HTTPS, secured with authentication.
I run ntopng on Tencent Cloud Lighthouse to monitor traffic patterns and catch unusual connections. The Lighthouse control panel also shows basic bandwidth usage metrics, which I use alongside ntopng's detailed per-connection data — the two views complement each other. When ntopng shows unusual outbound traffic, I can cross-reference with the Lighthouse console's bandwidth graph to see when it started. This kind of network visibility is one reason I prefer self-managed servers for projects where I want to understand exactly what's happening.
- Key Takeaways
| View | What you see |
|---|---|
| Dashboard | Real-time traffic rate, top hosts, top protocols |
| Hosts | All IP addresses communicating with/through your server |
| Flows | Active connections: src IP, dst IP, protocol, bytes, duration |
| Interfaces | Traffic breakdown by network interface |
| Protocols | Traffic by application protocol (HTTP, DNS, TLS, etc.) |
| Alerts | Anomalies, port scans, suspicious traffic |
| Reports | Historical bandwidth, top talkers over time |
| Requirement | Notes |
|---|---|
| Cloud server | Tencent Cloud Lighthouse Ubuntu 22.04 |
| 2 GB+ RAM | ntopng is memory-intensive |
| Nginx | For reverse proxy |
ssh ubuntu@YOUR_SERVER_IP
sudo apt update && sudo apt upgrade -y
# Add ntopng repository
sudo apt install -y wget gnupg
wget -qO - https://packages.ntop.org/APT-STABLE/ntop.key | sudo apt-key add -
echo "deb https://packages.ntop.org/apt-stable/22.04/ x86_64/" | \
sudo tee /etc/apt/sources.list.d/ntop-stable.list
sudo apt update
# Install ntopng and nDPI (deep packet inspection library)
sudo apt install -y ntopng
# Verify installation
ntopng --version
sudo nano /etc/ntopng/ntopng.conf
# Network interface to monitor
-i=eth0
# Listen port for web UI
-w=3000
# Data directory
-d=/var/lib/ntopng
# Enable community edition features
--community
# Disable geolocation (reduces startup time)
# --disable-autologout
# Log to file
-l=/var/log/ntopng/ntopng.log
# Admin password (change this!)
# Set via the web UI first login
Find your network interface name:
ip link show
# Look for the main interface: eth0, ens3, ens4, etc.
sudo systemctl enable ntopng
sudo systemctl start ntopng
sudo systemctl status ntopng
sudo apt install -y nginx
sudo nano /etc/nginx/sites-available/ntopng
server {
listen 80;
server_name monitor.yourdomain.com;
# Restrict to your IP (recommended for security)
allow YOUR_HOME_IP;
deny all;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection 'upgrade';
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
sudo ln -s /etc/nginx/sites-available/ntopng /etc/nginx/sites-enabled/
sudo ufw allow ssh
sudo ufw allow 'Nginx Full'
sudo ufw enable
sudo nginx -t && sudo systemctl reload nginx
sudo apt install -y certbot python3-certbot-nginx
sudo certbot --nginx -d monitor.yourdomain.com
Visit https://monitor.yourdomain.com.
Default credentials: admin / admin — change the password immediately (admin → Settings → Change Password).
Dashboard — The overview shows:
Hosts → All Hosts
Flows → Active Flows
Protocols
Interfaces → [interface name]
ntopng Community Edition includes basic alerting:
Admin → Alerts → Alert Endpoints
Supported endpoints:
Alert categories:
Configure email alerts:
ntopng stores traffic statistics that you can query historically:
Reports → Traffic Report
Reports → Interface Reports
For longer retention, ntopng Community stores a limited amount of historical data. The Pro version supports longer retention and more detailed history.
ntopng stores network flow state in memory. On servers with heavy traffic (many concurrent connections), memory usage grows significantly.
Symptoms: server becomes unresponsive, ntopng OOMs (Out of Memory).
Mitigation:
sudo nano /etc/ntopng/ntopng.conf
Add memory limits:
# Limit maximum number of hosts tracked
--max-num-hosts=2048
# Limit maximum number of flows tracked
--max-num-flows=8192
# Reduce flow idle timeout (removes stale flows sooner)
--flow-table-time=300
Also consider adding swap if your server doesn't have much:
sudo fallocate -l 2G /swapfile
sudo chmod 600 /swapfile
sudo mkswap /swapfile
sudo swapon /swapfile
echo '/swapfile none swap sw 0 0' | sudo tee -a /etc/fstab
| Metric | What to look for |
|---|---|
| Total traffic | Sudden spikes may indicate attack or misconfiguration |
| Top hosts | Your server should be the most active host; unexpected IPs are suspicious |
| Outbound flows | Unexpected outbound connections (e.g., to known malware C2 servers) |
| DNS queries | Excessive DNS queries to unknown servers |
| Protocol breakdown | Unexpected protocols (BitTorrent, IRC) on a web server |
| Flow duration | Very long-lived flows may be persistent backdoors |
| Blacklisted IPs | ntopng flags connections to known bad IPs |
| Issue | Likely Cause | Fix |
|---|---|---|
| Connection refused | Service not running or wrong port | Check systemctl status SERVICE and verify firewall rules |
| Permission denied | Wrong file ownership or permissions | Check file ownership with ls -la and use chown/chmod to fix |
| 502 Bad Gateway | Backend service not running | Restart the backend service; check logs with journalctl -u SERVICE |
| SSL certificate error | Certificate expired or domain mismatch | Run sudo certbot renew and verify domain DNS points to server IP |
| Service not starting | Config error or missing dependency | Check logs with journalctl -u SERVICE -n 50 for specific error |
| Out of disk space | Logs or data accumulation | Run df -h to identify usage; clean logs or attach CBS storage |
| High memory usage | Too many processes or memory leak | Check with htop; consider upgrading instance plan if consistently high |
| Firewall blocking traffic | Port not open in UFW or Lighthouse console | Open port in Lighthouse console firewall AND sudo ufw allow PORT |
How much resource does ntopng use on the server?
ntopng is designed to be lightweight. It typically uses minimal CPU and 50–200 MB RAM. Run it on the same server as your applications without significant impact.
How do I get alerts when a service goes down?
Configure ntopng's notification integrations — most support email, Telegram, Slack, Discord, and webhook. Set appropriate check intervals (every 60 seconds is typical) and recovery thresholds to avoid alert fatigue from brief glitches.
Can I monitor multiple servers with one ntopng instance?
Yes. Add the server IPs or domains as separate monitors. For agent-based monitoring, install the agent on each server you want to track.
How do I monitor SSL certificate expiry?
Add a certificate check to your monitoring. Most monitoring tools including ntopng support HTTPS checks that alert when certificates are within a configurable days-to-expiry threshold.
Monitor your server traffic today:
👉 Tencent Cloud Lighthouse — Ubuntu VPS for network monitoring
👉 View current pricing and promotions
👉 Explore all active deals and offers