ntopng → Cisco Stealthwatch
ntopng ↔ Cisco Stealthwatch: integration to migration path.
ntopng deploys alongside Cisco Stealthwatch first — every exporter tee'd to both collectors, sampling rate frozen, Stealthwatch still owning every production detection. Only once ntopng has proven flow and detection parity in shadow does it take over the plane in phases. No flag day, no flow-exporter re-config that breaks an in-flight detection, and every step rolls back in minutes.
The honest end state is partial retirement: ETA, Cognitive Threat Analytics and Talos have no OSS parity and stay on Cisco as named, narrow controls. We say so up front — the rest only matters if you can trust it.
The idea
Tee every flow to both collectors first.
The trick that makes this zero-downtime is the router-side flow tee: each exporter (Catalyst, ASR, Nexus, Arista, Juniper) is given a second flow-exporter destination, so Stealthwatch's FlowCollector keeps its existing target while ntopng receives the exact same records. Sampling rate, template cadence and exporter CPU are untouched. From day one you get a side-by-side compare on identical input — ntopng classifies with nDPI and scores independently while Stealthwatch keeps owning dedup, ETA, CTA and Talos until you choose to move each detection.
The phases
Seven steps. Each one reversible.
Phase 0: Baseline & inventory
Read-only audit of every exporter: protocol version, sampling rate, template timeout, target collector, and CPU headroom. We enumerate every Stealthwatch Host Group, Custom Security Event, and which detections lean on ETA, CTA or Talos.
Phase 1: ntopng live behind a canary
ntopng stands up in HA with a ClickHouse cluster, and one canary site's exporters are tee'd to both Stealthwatch and ntopng. Stealthwatch stays the only production detection plane. We confirm ntopng reads the same flows-per-second within ±2%.
Phase 2: Estate-wide tee, dual dashboards
Every exporter is wave-pushed to tee to both collectors, sampling rate frozen throughout. ntopng and Grafana dashboards ship to the NOC and SecOps so analyst muscle memory builds on ntopng — without ever leaving Stealthwatch.
Phase 3: Detection parity in shadow
Every non-ETA/CTA/Talos Stealthwatch detection gets an ntopng equivalent — nDPI Score thresholds, Lua scripts, Suricata signatures, Zeek scripts. ntopng alerts fire to a shadow channel only; Stealthwatch still pages on-call.
Phase 4: ntopng becomes primary
Paging targets reverse: ntopng pages on-call, Stealthwatch's non-ETA/CTA detections demote to a shadow channel for a fortnight to catch any coverage gap. ETA, CTA and Talos detections stay Stealthwatch-only and untouched.
Phase 5: Narrow Cisco to ETA + CTA + Talos
Non-ETA-capable exporters are untee'd from Stealthwatch entirely and feed ntopng alone. Stealthwatch is resized to encrypted-egress ETA classification, CTA's cloud-ML feed, and Talos enrichment — a narrow control, not the primary platform. This is the final state.
Phase 6: Full retirement (not in scope)
Phase 5 is the recommended end state. Only if ETA's encrypted-C2 catch rate is judged below threshold — or Cisco bundling forces the question — would a full retirement be sequenced as a separate decision with its own risk register. This brief does not recommend it.
Feature parity
Where ntopng matches Cisco — and where it doesn't.
| Capability | ntopng | Cisco Stealthwatch | Parity |
|---|---|---|---|
| Flow ingest (NetFlow / IPFIX / sFlow) | Interfaces: NetFlow v5/v9, IPFIX, sFlow, jFlow, ZMQ from nProbe, PF_RING ZC | FlowCollector (NetFlow v9, IPFIX, sFlow, NSEL) | At parity |
| L7 / DPI classification | nDPI ~330 protocol IDs, ~30 categories, ID-level granularity | NBAR2 exporter-side / ETA inference; coarser categories | Partial |
| SPAN / TAP synthetic flow | Zeek/Suricata sensor or nProbe on span | FlowSensor (synthetic NetFlow from SPAN/TAP) | At parity |
| Risk / behavioural scoring | Score 0–1000 from the ndpi_risk flag set | Concern Index / Host Concern Index (vendor-curated) | Partial |
| Encrypted-traffic analytics | None (JA3/JA4 + flow-size histogram via Zeek is partial) | Encrypted Traffic Analytics (ETA): SPLT + byte distribution + ClientHello | SaaS only |
| Behavioural / ML detection | DIY (Lua scripts + Suricata + your own ML) | Cognitive Threat Analytics (CTA), cloud-side ML | SaaS only |
| Threat-intel enrichment | ET Open / OTX / MISP (partial) | Talos reputation enrichment | SaaS only |
| Per-flow custom detection | Lua user scripts (scripts/callbacks/interface/) | Custom Security Events (declarative, not scripted) | Partial |
| Cross-tool join key | Native Community ID (ntopng/Zeek/Suricata/Arkime) | Stealthwatch does not natively emit Community ID | OSS only |
| Dashboards / query | ntopng native UI + Grafana over ClickHouse | SMC web UI + API export | Partial |
| Long-term flow store | ClickHouse columnar, ZSTD, TTL ladder | Stealthwatch Data Store / cloud retention, SKU-capped | Partial |
| Multi-tenancy | Per-interface / IPFIX VRF IE 234/235 + ClickHouse row-policy | Stealthwatch 7.x Tenants feature | At parity |
| Cost model | CE free; Pro/Enterprise per-host/interface | Per-FPS / per-FlowCollector + ETA/CTA add-ons | Partial |
| Compliance boundary | Self-hosted; you own SOC 2 / PCI evidence | Vendor SOC 2 report + Cisco TAC/SOC backstop | SaaS only |
What we're honest about
The caveats most vendors leave out.
Encrypted Traffic Analytics has no OSS parity
ETA's encrypted-C2 detection rests on SPLT, byte-distribution histograms and ClientHello features captured on the Cisco exporter, scored by Cisco's labelled-flow ML model. JA3/JA4 plus flow-size histogramming via Zeek is partial substitution, not parity. We keep Stealthwatch + ETA as a named, narrow control on encrypted egress — we never pretend OSS replaces it.
Cognitive Threat Analytics and Talos stay on Cisco
CTA is cloud-side ML over web-proxy and flow — a vendor data-network-effect feature you cannot self-host. Talos is vendor-curated reputation enrichment. OSS substitutes (ET Open, OTX, MISP) are partial. Where these are load-bearing, they remain a Cisco SaaS feed into your SIEM, named honestly.
You own uptime, ops and the SOC backstop
Three new operational surfaces — Zeek, Suricata and ntopng/ClickHouse — replace one Cisco bill, and Cisco TAC is no longer your L2 backstop for non-ETA detections. We run it as HA across nodes and zones with a tested DR runbook, and budget a senior NDR analyst for the ramp. Managed, not just installed.
Detection coverage is not a 1:1 port
Stealthwatch's host-group behavioural rules and undocumented Custom Security Events must be rewritten as Zeek scripts, Suricata rules and ntopng Lua, then proven. Phase 3's gate is per-detection — 95% true-positive overlap on the same flow set for 30 days — not an aggregate hand-wave. Un-inventoried CSEs are the classic migration-killer, so Phase 0 captures every one.
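The Phase 3 per-detection gate, joined on the Community ID key from the parity table, as an added example that is not the page's or ntopng's own tooling: Stealthwatch rows are assumed to arrive as a 5-tuple plus an analyst verdict, ntopng rows with the Community ID it emits natively, and all alert records are constructed sample data.

```python
import base64
import hashlib
import socket
import struct
from collections import defaultdict

GATE = 0.95  # Phase 3 gate: per-detection true-positive overlap over the 30-day shadow window


def community_id(saddr, daddr, sport, dport, proto, seed=0):
    """Community ID v1 for a TCP/UDP 5-tuple (IPv4 or IPv6), the key ntopng/Zeek/Suricata share."""
    fam = socket.AF_INET6 if ":" in saddr else socket.AF_INET
    sb, db = socket.inet_pton(fam, saddr), socket.inet_pton(fam, daddr)
    if sb > db or (sb == db and sport > dport):  # canonical order so both directions hash alike
        sb, db, sport, dport = db, sb, dport, sport
    raw = struct.pack("!H", seed) + sb + db + struct.pack("!BBHH", proto, 0, sport, dport)
    return "1:" + base64.b64encode(hashlib.sha1(raw).digest()).decode()


def parity_report(ntopng_alerts, sw_alerts, gate=GATE):
    """Per detection: share of analyst-confirmed Stealthwatch TPs that ntopng raised on the same flow.
    Stealthwatch does not emit Community ID, so the join key is derived from its 5-tuple."""
    seen = defaultdict(set)
    for name, cid in ntopng_alerts:
        seen[name].add(cid)
    total, hit = defaultdict(int), defaultdict(int)
    for name, src, dst, sport, dport, proto, true_positive in sw_alerts:
        if not true_positive:  # false positives do not count toward the gate
            continue
        total[name] += 1
        hit[name] += community_id(src, dst, sport, dport, proto) in seen[name]
    return {n: (round(hit[n] / total[n], 3), hit[n] / total[n] >= gate) for n in total}


# Constructed sample data, not real alerts. Stealthwatch side: name, 5-tuple, analyst verdict.
SW_ALERTS = [
    ("dns_tunnel", "10.1.2.3", "10.9.9.9", 51000, 53, 17, True),
    ("dns_tunnel", "10.1.2.4", "10.9.9.9", 51001, 53, 17, True),
    ("dns_tunnel", "10.1.2.5", "10.9.9.9", 51002, 53, 17, True),
    ("dns_tunnel", "10.1.2.6", "10.9.9.9", 51003, 53, 17, False),
    ("data_hoarding", "10.1.5.7", "10.3.0.10", 40001, 445, 6, True),
    ("data_hoarding", "10.1.5.8", "10.3.0.10", 40002, 445, 6, True),
    ("data_hoarding", "10.1.5.9", "10.3.0.10", 40003, 445, 6, True),
]
# ntopng shadow channel: name plus its native Community ID (computed here only to build the sample).
NTOPNG_ALERTS = [
    ("dns_tunnel", community_id("10.1.2.3", "10.9.9.9", 51000, 53, 17)),
    ("dns_tunnel", community_id("10.9.9.9", "10.1.2.4", 53, 51001, 17)),  # seen server-side: same key
    ("dns_tunnel", community_id("10.1.2.5", "10.9.9.9", 51002, 53, 17)),
    ("data_hoarding", community_id("10.1.5.7", "10.3.0.10", 40001, 445, 6)),
    ("data_hoarding", community_id("10.1.5.8", "10.3.0.10", 40002, 445, 6)),
]
```

With this data `dns_tunnel` clears the gate at 100% while `data_hoarding` sits at 66.7% and stays in shadow; run the report daily over the window and promote only detections that hold the gate for all 30 days.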
Why this beats a flag day
Reversible per phase, gated before any cut.
Every phase rolls back in under 15 minutes while the parallel tee is live — Phase 1 in under 5, the Phase 5 de-tee in under 30 per wave — because nothing is cut until its replacement is proven. No detection moves to primary until it has held 30 consecutive days in shadow at 95% true-positive overlap on the same flow set, and Stealthwatch stays the primary plane through a soak window well beyond 30 days before its footprint is narrowed. You are never betting the network on one big cutover.
See whether your flow estate migrates cleanly.
A 30-minute call with a senior network-detection engineer. We inventory your exporters by protocol and sampling rate, find the ETA / CTA / Talos detections that should stay on Cisco, and tell you honestly what the path off Stealthwatch licensing looks like for your environment.