Orchestrating Network Intelligence Through ntopng and Grafana Integration

The convergence of deep packet inspection and advanced telemetry visualization represents the pinnacle of modern network observability. At the center of this convergence lies the synergy between ntopng, a high-performance network traffic monitoring tool, and Grafana, the industry-standard open-source platform for metrics monitoring and alerting. This integration facilitates a transition from reactive troubleshooting to proactive, data-driven network intelligence. By leveraging the granular metrics captured by ntopng—ranging from interface throughput in bits per second (bps) and packets per second (pps) to complex Layer-7 application protocol identification—administrators can construct interactive, actionable dashboards. This ecosystem allows for the monitoring of specific network entities, such as Facebook or YouTube traffic patterns, by mapping raw packet data to high-level business logic.

The architectural beauty of Grafana lies in its storage-agnostic design, which allows it to function as a single pane of glass over disparate data silos. It does not merely display data; it interacts with various storage backends through specialized datasource plugins. In the context of ntopng, this means an engineer can simultaneously query real-time interface metrics via a direct ntopng plugin, historical flow data stored in ClickHouse, or long-term aggregated trends residing in InfluxDB. This multi-dimensional view is essential for modern DevOps and NetOps professionals who must correlate transient network spikes with long-term capacity planning.

The Evolution of ntopng Data Architecture and Plugin Availability

The methodology for connecting ntopng to Grafana has undergone significant architectural shifts, moving from direct plugin-based polling to more robust, time-series-centric approaches. Understanding this evolution is critical for engineers designing new monitoring stacks or maintaining legacy infrastructures.

The original integration relied heavily on a dedicated ntopng datasource plugin. This plugin allowed Grafana to query the ntopng web interface directly. While this provided immediate access to real-time metrics, the industry has seen a strategic pivot toward more scalable time-series databases. Specifically, ntopng has redirected its development focus toward native support for InfluxDB, which has been a core feature since version 3.8. Consequently, the development and support for the older, direct-connection plugin have been discontinued in favor of the InfluxDB Grafana datasource plugin.

The current landscape is divided into two primary methodologies:

  1. Direct ntopng Datasource Plugin
    This method is utilized for real-time, live-streamed metrics directly from the ntopng instance. It is particularly useful for monitoring active interface throughput and immediate protocol shifts.

  2. Time-Series Backend Integration (ClickHouse and InfluxDB)
    This method utilizes external databases to store historical flows and alerts. This architecture is significantly more scalable and allows for complex, long-term analytical queries that would be too resource-intensive for a live ntopng instance to handle alone.

Feature          | Direct Plugin Approach               | InfluxDB/ClickHouse Approach
-----------------+--------------------------------------+------------------------------------------
Primary Use Case | Real-time monitoring/Live metrics    | Historical analysis/Long-term trends
Data Source      | ntopng HTTP Endpoint                 | InfluxDB or ClickHouse Database
Scalability      | Limited by ntopng instance resources | Highly scalable via distributed databases
Metric Latency   | Near-zero (Real-time)                | Dependent on ingestion/polling intervals
Complexity       | Low (Simple plugin installation)     | Higher (Requires database configuration)

Implementing the ntopng Datasource Plugin

For environments requiring real-time visibility, installing the ntop-ntopng-datasource plugin remains a viable path for accessing the current state of the network. The installation process is standardized via the Grafana command-line interface.

The installation procedure is as follows:

  1. Open the terminal on the host machine where Grafana is installed.
  2. Execute the plugin installation command:
    grafana-cli plugins install ntop-ntopng-datasource
  3. Monitor the terminal output for a confirmation message. A successful installation will display a message similar to:
    installing ntop-ntopng-datasource @ x.y.z from url: https://grafana.com/api/plugins/ntop-ntopng-datasource/versions/x.y.z/download
    Installed ntop-ntopng-datasource successfully
  4. Restart the Grafana service to ensure the new plugin is loaded into the runtime environment.

Once the plugin is active, the administrator must configure the connection within the Grafana web interface. This is achieved by navigating to the Plugins page, where ntopng will now be listed under the available datasources tab. A significant advantage of this plugin is the ability to create multiple ntopng datasources. This allows a single Grafana instance to monitor several running ntopng instances distributed across different physical or virtual machines, providing a centralized view of a fragmented network topology.

Configuration Parameters for Direct ntopng Connections

Configuring a new datasource requires precise input of connection strings and authentication credentials. Errors in these parameters will prevent Grafana from communicating with the ntopng endpoint.

The configuration process follows these rigorous steps:

  1. Navigate to the Grafana ‘Data Sources’ page.
  2. Click the ‘+ Add datasource’ button.
  3. Select ntopng as the Datasource Type.
  4. Assign a mnemonic Name to the datasource. This name serves as a unique identifier within Grafana and should clearly indicate which ntopng instance it represents (e.g., Core_Switch_London).
  5. Configure the HTTP URL. The URL must point specifically to the ntopng endpoint designed for Grafana integration. The required path is /lua/modules/grafana. An example for an instance running on localhost at port 3001 would be:
    http://localhost:3001/lua/modules/grafana
  6. Set the Access method to Direct.
  7. Configure Authentication:
    • If the ntopng instance has authentication enabled, you must check the Basic Auth checkbox.
    • Enter the User and Password credentials. These credentials must correspond to a valid, existing user within the ntopng system.
    • If the ntopng instance was started with the --disable-login flag (meaning no authentication is required), leave the Basic Auth checkbox unticked.
  8. Finalize the configuration by clicking Save and Test. If the configuration is correct, Grafana will return a success message verifying the connection.
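
The parameters from steps 5 to 7 can be checked before clicking Save and Test. The following is an added example, not code from ntopng or Grafana: a small linter that flags a wrong endpoint path, an authentication setting that does not match how ntopng was started, and Basic Auth credentials sent over plain http. The dictionary keys, the login_disabled parameter and the sample hosts and credentials are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

GRAFANA_ENDPOINT = "/lua/modules/grafana"  # path required in step 5

def _is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a DNS name, not an IP literal
        return False

def lint_datasource(ds, login_disabled=False):
    """Return findings for one datasource definition (hypothetical keys:
    url, access, basic_auth, user, password). Set login_disabled=True when
    that ntopng instance was started with --disable-login."""
    findings = []
    parts = urlsplit(ds.get("url", ""))
    host = parts.hostname or ""
    basic = bool(ds.get("basic_auth"))
    if parts.scheme not in ("http", "https") or not host:
        findings.append("url: not an absolute http(s) URL")
    if parts.path.rstrip("/") != GRAFANA_ENDPOINT:
        findings.append("url: path must be " + GRAFANA_ENDPOINT)
    if parts.username or parts.password:
        findings.append("url: credentials in the URL; use the Basic Auth fields")
    if ds.get("access", "").lower() != "direct":
        findings.append("access: step 6 sets the Access method to Direct")
    if basic and not (ds.get("user") and ds.get("password")):
        findings.append("auth: Basic Auth ticked but User or Password is empty")
    if basic and login_disabled:
        findings.append("auth: ntopng runs with --disable-login; untick Basic Auth")
    if not basic and not login_disabled:
        findings.append("auth: ntopng requires login; tick Basic Auth")
    if basic and parts.scheme == "http" and not _is_loopback(host):
        findings.append("transport: Basic Auth over plain http is readable on the wire")
    if login_disabled and host and not _is_loopback(host):
        findings.append("exposure: unauthenticated ntopng addressed over the network")
    return findings

# Constructed sample definitions, not taken from the page.
LOCAL = {"url": "http://localhost:3001/lua/modules/grafana", "access": "direct",
         "basic_auth": True, "user": "grafana_ro", "password": "example-only"}
REMOTE = dict(LOCAL, url="http://ntopng.example.internal:3001/lua/modules/grafana")
BAD_PATH = dict(LOCAL, url="https://ntopng.example.internal:3001/", basic_auth=False)
```

An empty list means the definition is consistent with the steps above; lint_datasource(REMOTE) returns only the transport finding, which is the case to resolve by fronting that ntopng instance with TLS.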

Architecting High-Performance Analytics with ClickHouse

When the requirement shifts from real-time monitoring to deep, historical forensic analysis, the ClickHouse integration becomes the preferred architecture. ClickHouse serves as a powerful, high-performance time-series backend capable of handling the massive volume of flows generated by ntopng.

The architectural workflow for ClickHouse-based visualization consists of three distinct layers:

  1. Data Generation: ntopng generates rich, high-frequency network metrics and historical flows.
  2. Efficient Storage: ClickHouse receives these flows and stores them using columnar storage technology, which enables extremely fast analytical queries over large datasets.
  3. Visualization: Grafana queries ClickHouse to transform raw rows of data into custom, interactive, and actionable dashboards.

To implement this, the grafana-clickhouse-datasource plugin must be installed in Grafana. The setup requires pointing the ClickHouse datasource in Grafana to the exact same server and database instance that ntopng is utilizing for its storage. Once the connection is established, administrators can import pre-defined JSON dashboard templates. These templates are essential because they are pre-configured to understand the specific schema and table structures used by ntopng within ClickHouse. For advanced configuration templates and additional dashboard examples, the official ntopng Grafana repository on GitHub serves as the authoritative resource.

Deploying the InfluxDB Pipeline for Scalable Telemetry

For organizations already invested in the InfluxDB ecosystem, ntopng provides native support for exporting time-series data to InfluxDB. This is particularly useful for long-term metric aggregation and integration with broader IoT or infrastructure monitoring stacks.

The deployment of an InfluxDB-based monitoring pipeline involves a three-stage configuration process:

  1. ntopng Export Configuration:
    The administrator must configure ntopng to act as a data producer. This is done by visiting the ntopng Timeseries preferences page. Within this menu, the driver must be set to InfluxDB. Following this selection, the specific InfluxDB connection parameters (such as host, port, and database name) must be entered. Once these preferences are saved, ntopng will immediately begin the process of exporting time-series data to the specified InfluxDB instance.

  2. Grafana InfluxDB Datasource Configuration:
    Grafana must be configured as a data consumer. This involves creating a new datasource of type InfluxDB within the Grafana configuration menu. The connection parameters used in the ntopng configuration (host, port, etc.) must be mirrored exactly in the Grafana datasource setup to ensure the paths align.

  3. Dashboard Construction:
    With the data flowing from ntopng to InfluxDB and finally to Grafana, the final step is the creation of panels. These panels use the InfluxDB datasource to extract and visualize the time-series data.
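
Both the InfluxDB steps above and the ClickHouse setup described earlier depend on Grafana reading from the same server and database that ntopng writes to. The following is an added example, not part of ntopng or Grafana: it compares the two sides field by field while ignoring cosmetic differences such as letter case in the host name or a trailing slash. The url and database keys and all sample values are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def endpoint(url):
    """Normalise a URL to (scheme, host, port) so cosmetic differences do not count."""
    p = urlsplit(url if "://" in url else "http://" + url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)

def mirror_mismatches(producer, consumer):
    """Compare what ntopng exports to with what the Grafana datasource reads from.

    Both arguments are dicts with the hypothetical keys `url` and `database`.
    Returns {field: (ntopng_value, grafana_value)} for every field that differs.
    """
    diffs = {}
    fields = ("scheme", "host", "port")
    for field, a, b in zip(fields, endpoint(producer["url"]), endpoint(consumer["url"])):
        if a != b:
            diffs[field] = (a, b)
    # Database names are compared as written, apart from surrounding whitespace.
    db_a, db_b = producer["database"].strip(), consumer["database"].strip()
    if db_a != db_b:
        diffs["database"] = (db_a, db_b)
    return diffs

# Constructed sample settings, not taken from the page.
NTOPNG_EXPORT = {"url": "http://influx.example.internal:8086", "database": "ntopng"}
GRAFANA_OK = {"url": "HTTP://Influx.Example.Internal:8086/", "database": "ntopng"}
GRAFANA_BAD = {"url": "http://influx.example.internal:8087", "database": "telegraf"}

if __name__ == "__main__":
    print(mirror_mismatches(NTOPNG_EXPORT, GRAFANA_OK))   # {}
    print(mirror_mismatches(NTOPNG_EXPORT, GRAFANA_BAD))
```

A host difference is a prompt to verify rather than proof of an error: ntopng may legitimately address the database as localhost while Grafana on another machine uses its network name.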

Metric Identification and Data Granularity

A critical component of building effective dashboards is the ability to distinguish between different types of monitored entities. ntopng organizes its exported metrics using a standardized naming convention, which allows for programmatic querying and precise dashboarding.

Every metric in ntopng is identifiable by a unique, self-explanatory string. This nomenclature is structured to reflect the scope of the data:

  • Interface Metrics: Any metric pertaining to a physical or virtual network interface is prefixed with interface_. This includes data such as interface_rx_bytes or interface_tx_packets.
  • Host Metrics: Any metric pertaining to a specific IP address or host on the network is prefixed with host_. This includes metrics like host_throughput or host_protocol_distribution.

This systematic approach to metric naming allows engineers to use wildcards in Grafana queries (e.g., interface_*) to create dynamic dashboards that automatically update when new interfaces are added to the ntopng configuration.

Comprehensive Analysis of Integration Architectures

The choice between the direct ntopng plugin, ClickHouse, and InfluxDB is not merely a matter of preference, but a strategic decision based on the operational requirements of the network infrastructure.

The direct ntopng plugin approach is optimal for "Live Ops" scenarios. It provides the lowest possible latency between a network event and its visual representation in Grafana. However, its utility is constrained by the computational overhead placed on the ntopng process itself. As the volume of monitored interfaces and hosts increases, the overhead of responding to HTTP queries from Grafana can degrade the performance of the primary packet inspection engine. Therefore, this method should be reserved for targeted, real-time monitoring of critical segments.

The ClickHouse architecture represents the "Forensic and Analytical" tier. This is the most robust solution for large-scale enterprises. By offloading the heavy lifting of data storage and complex querying to ClickHouse, ntopng is freed to focus on high-speed packet inspection. ClickHouse's ability to process billions of rows with sub-second latency makes it the only viable option for deep-dive investigations into historical network anomalies, such as analyzing a DDoS attack that occurred three days prior. The trade-off is increased architectural complexity, requiring the management of a separate, high-performance database cluster.

The InfluxDB integration represents the "Integrated Ecosystem" tier. This approach is most effective for organizations that have already standardized on InfluxDB for their broader infrastructure monitoring. It allows for the seamless correlation of network performance metrics with server health metrics (CPU, RAM, Disk I/O) within a single Grafana dashboard. While it requires careful configuration of the export driver within ntopng, it provides a unified, longitudinal view of the entire IT estate.

Ultimately, the successful integration of ntopng and Grafana transforms raw, chaotic network traffic into a structured, visual narrative. Whether through the real-time precision of the direct plugin, the analytical power of ClickHouse, or the ecosystem-wide visibility of InfluxDB, this integration provides the technical foundation required for modern, data-driven network management.
