ntopng in Docker

Running ntopng in a container keeps your traffic analyzer off the firewall and on a host you can actually size for it — more RAM, real disk for historical timeseries, and clean upgrades by pulling a new image. This guide deploys the official ntop/ntopng image with Docker Compose alongside its required Redis backing store, covers the one networking trick that makes or breaks packet capture in a container, and persists data across restarts so you don't lose your history.

Stack: ntopng · redis  ·  Image: ntop/ntopng  ·  UI: web on port 3000  ·  OS: Linux
01 — Prerequisites & the Capture Problem
RequirementNotes
Docker + ComposeDocker Engine and the Compose v2 plugin on a Linux host
A host that sees the trafficntopng can only analyze packets it can capture — see the note below
Disk for historyntopng writes timeseries to /var/lib/ntopng; give it real storage, not a ramdisk
⚠  The core constraint: a container on a normal bridge network sees only its own virtual interface — almost no useful traffic. To analyze the host's real interfaces, ntop's own guidance is to run the container with network_mode: host. Even then, a normal NIC only sees traffic to and from the host itself unless it's in promiscuous mode fed by a SPAN/mirror port. To watch an entire LAN, feed ntopng from a switch mirror port or from flow data (section 06).
02 — Identify the Interface to Monitor

ntopng captures on a named interface, so you need the real device name on the host (not a Docker veth). List them first.

Find your interface name
ip -brief link # e.g. eth0, ens33, enp3s0, enxa0cec8...

Note the interface that carries the traffic you care about — typically the host's primary NIC, or a second NIC connected to a switch mirror port. You'll pass this name to ntopng with -i.

ℹ  Predictable names like ens33 or enp3s0 are common on modern systemd distros; USB NICs show up as long enx<mac> names. Copy the exact string — ntopng will silently capture nothing if the interface name is wrong.
03 — The Compose File

Two services: Redis (required state store) and ntopng. Both use host networking so ntopng can reach the real interface and Redis is reachable on localhost. Data directories are bind-mounted so nothing is lost on restart.

docker-compose.yml
services: redis: image: redis:alpine container_name: ntopng-redis command: ["redis-server", "--save", "900", "1"] network_mode: "host" volumes: - "./data/redis:/data" restart: unless-stopped ntopng: image: ntop/ntopng:stable container_name: ntopng command: > --community -i eth0 -r 127.0.0.1:6379 -w 0.0.0.0:3000 -d /var/lib/ntopng -m "192.168.1.0/24" network_mode: "host" volumes: - "./data/ntopng:/var/lib/ntopng" depends_on: - redis restart: unless-stopped
What the ntopng flags mean
FlagMeaning
--communityRun the free Community edition (no license needed)
-i eth0Interface to capture on — replace with your real device name
-r 127.0.0.1:6379Redis host:port (localhost works because of host networking)
-w 0.0.0.0:3000Bind the web UI to all addresses on port 3000
-d /var/lib/ntopngData directory (mapped to a persistent volume)
-m "192.168.1.0/24"Your local networks, so ntopng knows local vs remote hosts
⚠  Edit three things before deploying: the -i interface name, the -m local-network CIDR(s) to match your LAN, and the volume paths if you want them somewhere other than ./data. Leaving -i eth0 on a host whose NIC is ens33 is the most common reason nothing shows up.
04 — Create Volumes & Start

Make the persistent directories first (ntopng runs as a non-root user inside the container and needs to write to them), then bring the stack up.

Prepare data dirs & launch
mkdir -p data/ntopng data/redis chmod -R 777 data # simplest fix for the container user's write access docker compose up -d
Verify both containers are up
docker compose ps NAME IMAGE STATUS ntopng ntop/ntopng:stable Up ntopng-redis redis:alpine Up
Watch the logs if ntopng restarts
docker compose logs -f ntopng
ℹ  The official image can also expose NTOP_UID / NTOP_GID environment variables to match the container user to your host directory ownership — a tidier alternative to chmod 777 if you'd rather not loosen permissions.
05 — First Login

Open the web UI in a browser, pointing at the host running the container:

Web interface
http://your-docker-host-ip:3000
✓  Default credentials on a fresh install are admin / admin. ntopng forces a password change on first login — set a strong one immediately.

After logging in you'll land on the dashboard. If the interface you specified is capturing, live flows and top talkers begin populating within seconds. If it's empty, jump to the troubleshooting table in section 08 — it's almost always the interface name or the capture-visibility problem from section 01.

⚠  Port 3000 is also the default for several other popular tools (Grafana, some dev servers). With host networking there's no port remapping — if 3000 is taken, change the ntopng web port with -w 0.0.0.0:3001 and free up or relocate the conflicting service.
06 — Monitoring a Whole LAN: Flow Collection

A container on one host only sees that host's traffic. To analyze an entire network without a switch mirror port, use the ntop pattern from the firewall guide: run a lightweight nProbe exporter where the traffic is (e.g. on pfSense/OPNsense), and have the containerised ntopng collect those flows over ZMQ.

ntopng service — collect flows instead of sniffing
ntopng: image: ntop/ntopng:stable command: > --community -i tcp://0.0.0.0:5556 -r 127.0.0.1:6379 -w 0.0.0.0:3000 -m "192.168.1.0/24" network_mode: "host" # ... volumes / depends_on as before
On the firewall / sensor, nProbe exports to it
nprobe -i eth0 -n none --zmq-probe-mode \ --zmq tcp://your-ntopng-host:5556

Here ntopng's -i tcp://... turns the interface into a ZMQ flow collector rather than a packet sniffer. nProbe does the capture at the edge and ships compact flow records, so the ntopng box can sit anywhere on the LAN and be sized for analysis and retention.

ℹ  This is the recommended architecture for any non-trivial network: capture stays at the edge where the traffic is, heavy analysis and on-disk history live on a roomy container host. nProbe is a separately-licensed ntop tool, though it runs in demo mode for evaluation.
07 — Persistence, Upgrades & Licensing
ConcernHandling
ntopng dataPersisted via the /var/lib/ntopng volume — timeseries and settings survive restarts
Redis statentopng keeps configuration in Redis, so persist /data too (the --save directive writes snapshots)
Upgradesdocker compose pull && docker compose up -d — volumes carry your data forward
Community vs licensed--community = free edition. For Pro/Enterprise, mount the license read-only: -v /etc/ntopng.license:/etc/ntopng.license:ro
ℹ  One license covers all containers on a host — map the same license file into each ntop tool you run. For the free edition you don't mount anything; just keep the --community flag.
08 — Troubleshooting
SymptomCheck
Dashboard empty, no flowsWrong -i interface name? Container not on network_mode: host?
Only host's own traffic seenNormal for a non-mirrored NIC — need a SPAN/mirror port or flow collection (section 06)
ntopng exits / restartsRedis not reachable? Confirm the redis container is up and -r points to it
Permission errors on startData dirs not writable by the container user — chmod 777 data or set NTOP_UID/NTOP_GID
[PF_RING] Wrong RING versionHost kernel PF_RING module differs from the image's — ignore for plain capture, or align versions
Can't reach UIPort 3000 in use by another service? Firewall blocking it? Try a different -w port
Confirm the interface from inside the container
docker compose exec ntopng ntopng -h | head -40 # shows usage & options
09 — Reference
ItemValue
Official imagentop/ntopng (Docker Hub) — tags include stable
Required dependencyRedis (persist its /data)
Web UI port3000 (set with -w)
Data directory/var/lib/ntopng (persist this)
Networkingnetwork_mode: host to see real interfaces
Free edition flag--community
Default loginadmin / admin (change on first login)
Whole-LAN captureSPAN/mirror port, or nProbe → ntopng ZMQ collector