Flow-Based Traffic Analysis

nProbe™

An Extensible NetFlow v5/v9/IPFIX Probe for IPv4/v6

nProbe is a NetFlow v5/v9/IPFIX probe and collector that can be used to generate, collect, translate, enrich, and export NetFlow date to a variety of backend analysis tools, databases (Clickhouse) and SIEMs to include Splunk and Elastic. nProbe data may be exported to nTopNG to depict Real-time (Live) and Historical flow analysis.

Expand Your NetFlow Capabilities

  • Cross-Platform Compatibility & Efficiency

    Supports Linux, FreeBSD (including OPNsense and pfSense), Windows, and embedded environments (ARM, MIPS/MIPSEL). Designed for environments with limited resources, featuring a minimal memory footprint (<2MB) and a compact binary (<100KB).

  • Comprehensive Flow Export & Collection

    Supports NetFlow v5/v9/IPFIX, Cisco NetFlow-Lite, and sFlow collection with seamless translation to NetFlow. Enables flexible flow export to Apache, Syslog, MySQL/MariaDB, Splunk, Kafka, and ElasticSearch. Includes advanced features like Flexible NetFlow, flow sampling, and interface identification based on MAC/IP addresses.

  • Deep Packet & Application Visibility

    Provides Layer-7 visibility for over 250 applications (e.g., Skype, BitTorrent, Citrix) with application propagation in exported flows. Supports protocol analysis for VoIP (SIP, RTP), HTTP, MySQL/Oracle, and DNS, offering detailed logs alongside flow exports.

  • Advanced Traffic Control & IPS Capabilities

    Includes IPS mode for blocking and shaping traffic using nDPI. Supports analysis and export of tunneled traffic (GRE, PPP, VXLAN, GTP) with inner/outer packet visibility. Works with ntopng for real-time traffic visualization and analysis.

  • High-Performance & Scalable Architecture

    Multi-threaded design optimizes multi-core processors for high-speed flow processing. Utilizes PF_RING and PF_RING Zero Copy (ZC) for ultra-fast packet capture. Capable of saving flows for later analysis or integration with monitoring applications.

  • Extensibility & Interoperability

    Plugin-based architecture allows for easy customization with V9/IPFIX tags. Fully compatible with commercial collectors like IsarFlow, Fluke, Cisco, Arbor Networks, Plixer, SolarWinds, and more. Supports native nTap for traffic collection across cloud, VMs, containers, and physical hosts, along with agent mode for enriched metadata on Windows and Linux systems (eBPF-based).

Using nProbe

nProbe Versions

Version Features Pro Enterprise
S M L
nDPI Traffic Inspection
Flow Collection
PF_RING Acceleration
HTTP Plugin
DNS Plugin
DHCP Plugin

Performance

License

Licensee’s use of this software is conditioned upon acceptance of the terms specified by ntop.

Operating Systems

Linux, Windows, MacOS

nProbe Usage

nProbe is distributed in binary format. Once installed, nProbe™ is ready be used and does not require any additional configuration. In order to function properly in probe mode, nProbe™ needs to see/capture the traffic of interest. For this reason, in case of switched networks, it is necessary to either mirror traffic (VLAN or port mirror) or place the probe in a location (e.g. by the border gateway) that is traversed by the most part of the traffic. Under normal operating conditions nProbe™ will collect traffic data and emit NetFlow v5/v9/IPFIX flows towards the specified collector. Any standard NetFlow collector can be used to analyze the flows generated by nProbe™ — although not all the commercial collectors support v9. nProbe™ can also be used in conjunction with ntopng. In the latter case an optimized, optionally compressed and encrypted format will be used for data exchange, leading to a lightweight monitoring architecture that decouples the monitoring part from the visualization and analysis part.

nProbe Plug-ins

nProbe is extensible and includes several plugins which are unlocked based on the license version. For instance nProbe Enterprise S includes HTTP, DNS and a few more. Please refer to the comparison table above to check the compatibility. Below you can find the list of currently available plugins.

  • Decode HTTP traffic and HTTPS certificates. It can generate a comprehensive log of HTTP traffic, including page download and network/server delay.

  • Decode DHCP traffic and export DHCP information in flows or file dump.

  • Export to ElasticSearchPlugin/Kafka that can natively export flow information into ElasticSearch without third party converters such as Logstash.

  • Decodes DNS traffic, and produce a log of main domain name resolution activities. Microcloud friendly. Available only in binary format.

  • Dumps exported flows into a MySQL database. This plugin is part of nProbe Pro and it does not require a license.

  • Email plugins for decoding (unencrypted) email traffic and generate flows and logs of email activities.

  • Plugins for decoding VoIP (Voice over IP) traffic and producing call log, and voice information (jitter and packet loss, pseudo-MOS/R-Factor).

  • Plugin decoding Radius traffic including 3GPP extensions for mobile networks.

  • Plugin decoding Diameter traffic for both wired and mobile networks.

  • Same as GTPv1 plugin, just for v0 protocol version.

  • Plugin for decoding GTPv1-C (2G and 3G networks) signalling and producing comprehensive mobile user and traffic tracking.

  • Same as GTPv1 plugin, just for v2 protocol version used in LTE (Long Term Evolution) mobile networks.

  • Plugin decoding SSDP (Simple Service Discovery Protocol) traffic used on networks to discover network devices and services.

  • Plugin for collecting NetFlow-Lite traffic sent by some Cisco switches.

  • Plugin decoding NetBIOS traffic used in Windows networks.