PacketFest '25
Where ntop and Wireshark Communities Meet

Zürich, Switzerland
Pre-Conference May 7th
PacketFest May 8th to 9th




Welcome to PacketFest '25


Listen to PacketFest '25 Conference Presentation

PacketFest is a two-day technical event that convenes the ntop and Wireshark communities to discuss network traffic monitoring, visibility, cybersecurity, and open source technologies. The event's primary objective is to demonstrate how contemporary traffic monitoring challenges can be effectively addressed using preferred tools. Additionally, attendees will gain insights into monitoring challenges and a comprehensive understanding of the latest advancements in ntop and Wireshark.

What to expect from this event:

  • Practical guidance on solving real-world packet-related challenges
  • Discovery of the latest features offered by ntop and Wireshark
  • Opportunities to connect with like-minded individuals
  • Inspiration from industry experts who share their acquired knowledge
  • The chance to contribute to the development of future roadmap items by providing feedback and insights
  • Interaction with developers and instructors
  • Acquisition of novel ideas and techniques that can be directly applied to daily work

 

PacketFest is not a marketing venue or a passive meeting. We actively encourage interaction and the exchange of perspectives among attendees. Sessions will be recorded and shared after the event, but no live streaming will be offered to promote in-person attendance.

 

All talks and sessions will be in English.

 

Registration


PacketFest registration fees (includes lunch and coffee breaks for both days):

  • Until Feb 28th
    125 CHF
  • From March 1st
    150 CHF

The Pre-Conference event is included in the registration fee, but the number of available seats is limited. Sorry, the pre-conference event is sold out.

You can register online, or if you prefer to pay differently (e.g. bank) drop us a mail. A tax invoice is issued with every registration.

Students (University, Hochschule, PhD) and non-profit organizations can participate free of charge (restrictions apply). Please fill in this form to register.

 

Agenda


Day 1: Thursday May 8th

  • 9:00
    Welcome to PacketFest
  • 9:15
    Kelley Misata - OISF
    Beyond the Code: The Expansive Role of Open Source in Building Stronger Communities and Driving Innovation
    Open Source Suricata IDS
    Open source is not just about code—it’s about community, collaboration, and the shared values that drive innovation and problem-solving. This session explores the broader implications of open source, emphasizing why licenses matter, how vibrant communities can achieve far more than technical solutions, and why we need to look beyond basic engagement strategies to realize their full potential. Drawing from years of experience in open-source leadership, including managing Suricata and other community-driven initiatives, this talk provides a holistic view of open source as a strategic force for change.

    Dr. Kelley Misata is a visionary leader and speaker in cybersecurity strategy, open source, and nonprofits. As Founder of Sightline Security, she empowers nonprofits to build robust cybersecurity. As President of OISF for over a decade, she strengthens global network security through Suricata, a premier open-source technology. Renowned for translating complex cybersecurity challenges into actionable solutions, Dr. Misata has transformed her journey as a cyberstalking survivor into advocacy for security, privacy, and open source practices. With a Ph.D. in Information Security from Purdue University and a Business Administration and Marketing degree from Bentley University, she exemplifies the fusion of expertise, passion, and leadership to address real-world threats and drive transformative change so security is accessible to everyone.
  • 10:00
    Pierre Sarda - Nagravision
    Using DPI (Deep Packet Inspection) To Fight Against Content Piracy
    Deep Packet Inspection High-Speed Traffic Analysis
    This talk discusses how to use DPI (Deep Packet Inspection) to fight against content piracy.

    Pierre has been involved for more than 20 years in protecting audio-visual content and fighting piracy, and then, for a few years, in using network information to help in that fight.
  • 10:30
    Coffee Break
  • 11:00
    Adrian Ruoss and Aleksandra Haak - Alabus
    Active response system with ntopng+AbuseIPDB+Alabus
    Cybersecurity ntopng
    After a brief introduction to what alabus is and what it does, the presentation will demonstrate how, as an SME, we were able to achieve a high level of network security based on ntop, despite limited resources (personnel, time, and budget). This was accomplished through the use of the ntop API, external data sources (such as AbuseIPDB and DNS blocklists), smart aggregation of network alerts, and partially automated handling and blocking of attackers.

    Adrian Ruoss began his IT career in 1997 at Telecom PTT. Adrian Ruoss completed his degree as a Dipl. Ing FH in 2006 in Rapperswil and subsequently moved through various roles until he joined alabus ag. He is a member of the extended management team, responsible for development and operations as well as serving as CISO for alabus ag. In addition to his earlier technical certifications in networking (such as CCNA), he is currently furthering his education as an ICT Information Security Manager with a Swiss Federal Diploma.
    Aleksandra Haak has a technical background from her Apple training, solid experience as an insurance broker in consulting and in the development of tailored insurance solutions, and is a paralegal from ZHWA. She brings a unique combination of IT, insurance, and legal expertise. After several years of working directly with clients, she decided to channel her knowledge into joining the software company alabus, specifically focused on the insurance market.
  • 11:20
    Alfredo Cardigliano - ntop
    Squeezing Network Adapters: Tips and Tricks to Offload and Scale Up
    High-Speed Traffic Monitoring PF_RING
    Want to get the most out of your network adapters? This talk is packed with hands-on tips, clever tricks, and lesser-known techniques to push your NICs to the limits. From practical tweaks to advanced configurations, you’ll learn how to leverage features provided by Intel, NVIDIA, and other (including FPGA-based) adapters for different use cases, whether you're chasing higher throughput or better scalability. If you're looking to unlock hidden performance and stretch your NICs further than you thought possible, this session is for you.

    Alfredo Cardigliano is Principal Engineer at ntop, where he leads the development of high-performance device drivers and network monitoring solutions. With 15 years of experience in network technologies and systems optimization, Alfredo specializes in creating scalable tools for real-time visibility and cybersecurity. He is a key contributor to several open-source projects and regularly speaks at industry events about network traffic analysis and efficient packet processing.
  • 12:00
    Fabio Zambrino - CSCS
    400 Gbps Observability
    High-Speed Traffic Monitoring SmartNICs
    Monitoring and securing high-speed networks in High-Performance Computing (HPC) environments is a complex challenge. The massive data volumes and the strict performance requirements leave little room for traditional security tools. In this presentation, we will discuss how ntopng is being deployed to monitor and respond to incidents in a production HPC infrastructure while impacting overall system performance as little as possible.

    Fabio Zambrino is an IT Security Engineer at CSCS, specialising in digital forensics. Passionate about bridging the gap between innovation and security, Fabio focuses on deploying solutions that enhance detection and protection while maintaining the highest possible performance.
  • 12:30
    Lunch Break
  • 13:30
    Andreas Diedrich - Interview Network Solutions
    Sharkmon - monitor your shark data
    Wireshark
    This talk explains how to implement packet monitoring on tshark data using Sharkmon. Sharkmon uses parallel tshark processes to extract metrics from large volumes of pcap files, which are continuously imported from various sources. It supports flexible analysis profiles based on tshark filters, and applies anomaly detection across selected fields and protocols.

    Andreas is the founder of Interview Network Solutions and creator of Sharkmon, a tool designed to close the gap between traditional packet monitoring and deep inspection with Wireshark.
  • 13:50
    Walter Hofstetter - AnyWeb
    Decoding Cyber Threats: Wireshark Tips and Tricks for Analyzing Suspicious Traffic Patterns
    Cybersecurity Wireshark
    Understand common attack patterns through analysis of decoded network traffic. Walter will cover different options for SSL interception, comparing browser-based and proxy-based approaches. Identify and analyze various attack vectors, from scans to full exploits. Explore some plugins, connecting Wireshark with platforms like MISP (Malware Information Sharing Platform).

    Walter is a veteran in network and protocol analysis, having earned his stripes as a "Sniffer University Certified Instructor" from Network General in 1994. Throughout his career, he quickly advanced into the cybersecurity arena, where his expertise in protocols proved invaluable.
  • 14:30
    Thomas Graf - Swisscom
    Transform and Innovate Network Operations with Network Analytics
    Network Anomaly Detection Network Telemetry
    In this presentation you will learn which Network Telemetry metrics we collect, how we automate monitoring with Network Anomaly Detection, what analytical conclusions we draw from network incident postmortems, and what role IETF standardization and industry collaboration play in all of this.

    Thomas is a Distinguished Network Engineer and Network Analytics Architect at Swisscom.
  • 15:00
    Ahmed Elhassany - Swisscom
    NetGauze: the open-source blocks for building resilient and scalable network telemetry platforms
    IPFIX/NetFlow Network Telemetry
    NetGauze is a rapidly maturing project that aims to provide a set of libraries for any network software engineer to build advanced network telemetry platforms. NetGauze is currently used to build the next-generation telemetry collection for NetFlow, IPFIX, BGP Monitoring Protocol (BMP), and YANG-Push. In this talk, we present our motivation for building yet another telemetry platform, the design choices that set NetGauze apart, and our techniques for parsing and dissecting various networking protocols.

    Ahmed is a Tech Lead at Swisscom. He is currently working on advancing the state of network telemetry and visibility. He works across the entire stack, from advancing protocols at the IETF to building scalable data collections in Rust and real-time anomaly detection systems using Apache Flink. Ahmed holds a PhD degree from ETH Zürich on intent-based methods and tools to operate computer networks more efficiently.
  • 15:15
    Marco Graziano - Graziano Labs
    MCP Server Magic: Integrating ntopng with Large Language Models for Smarter Networks
    ntopng Artificial Intelligence
    The presentation explores how integrating network monitoring tools like ntopng with Large Language Models can transform security analysis through multi-agent architectures.

    Marco Graziano is an entrepreneur, engineer, and technologist dedicated to solving meaningful problems. As a tech founder with strong engineering skills and a management background, he has a proven track record of delivering novel products to market, with leadership experience spanning the entire product lifecycle. Marco maintains hands-on development expertise across multiple technologies while building world-class teams and quality products. His technical specialties include Blockchain and Web3, IoT, Cloud Computing, Networking, Security, Computer Vision, Operating Systems, Linux Kernel, and Machine Learning. With experience in startup formation, bootstrapping, and skunk works initiatives, Marco combines core engineering skills with business acumen to drive innovation. He is passionate about Web3, blockchain, alternative proteins, networks, computer vision, biotechnology, energy, automotive technologies, vegan food, and electric vehicles.
  • 15:30
    Coffee Break
  • 16:00
    Walter Hofstetter - AnyWeb, Gabriele Deri - ntop
    How AI Will Improve Network Traffic Analysis?
    Artificial Intelligence
    Walter will discuss and demonstrate practical (and less practical) examples of leveraging AI to support your network and security analysis tasks, highlighting both benefits and limitations. Gabriele provides some insights into the next steps for AI in ntopng.

    Walter is a veteran in network and protocol analysis, having earned his stripes as a "Sniffer University Certified Instructor" from Network General in 1994. Throughout his career, he quickly advanced into the cybersecurity arena, where his expertise in protocols proved invaluable.
     
    Gabriele is a Computer Science Master's student specializing in ICT Solutions Architecture and a Junior Software Developer at ntop. Passionate about new technology, automation, and pattern recognition.

  • 16:45
    Gerald Combs, Wireshark Foundation
    Wiresharchaeology: How it started and where we're headed
    Wireshark
    Wireshark started out as a tool that supported a handful of protocols and two operating systems. Over the years we have adapted our code, infrastructure, and sponsorship model to match the needs of our user and developer communities, and Wireshark is now used by millions of people around the world to keep their networks fast, reliable, and secure. In this talk Gerald Combs, the project's creator and lead developer, will cover the history of Wireshark and lessons learned along the way, and discuss possible future directions.

    Gerald is the creator and lead developer of Wireshark. He works at Sysdig.
  • 17:30
    End of Day 1

Day 2: Friday May 9th

    • 9:00
      Rolf Leutert - Leutert NetServices
      Wireshark, the 7 Senses Packet Detective
      Wireshark TCP/IP
      A brief look back at 40 years of network analysis & management. Introducing new Wireshark features. Filtering, Wireshark's most versatile feature. The TCP Expert, a powerful assistant for isolating network errors (use case).

      In 1984, Rolf began working for Swissair airline. His first task was setting up a broadband network for passenger information at Zurich Airport. In 1988, he took over as head of the LAN group. His team planned and implemented Zurich Airport's local LAN (Token Ring), at the time the largest in Europe. In 1999, his team implemented the first WLAN for aircraft handling personnel. In 1995, Rolf began as the first sniffer trainer in Europe and switched to first Wireshark trainer in 2006.
    • 9:45
      Mischa Diehm - Narrowin
      Building Digital Twins with Containerlab: Using ntop Tools and Wireshark for Advanced Network Traffic Analysis
      ntopng Wireshark
      We will explore how to create fast, sharable and realistic labs of network infrastructures using Containerlab, enabling rapid experimentation and safe validation of new configurations. Attendees will see how to attach ntop tools for traffic analysis and Wireshark for live packet inspection, gaining clear visibility into network behaviors. By replicating production environments in a controlled lab, participants will learn to streamline troubleshooting, optimize configurations, and ultimately strengthen their network’s resilience and scalability.

      After many technical years, among others at a German firewall manufacturer and at the computer center of the University of Basel, Mischa deals with responsible organizations and the sensible, appreciative use of resources. The principle "Focus on purpose over profits" appeals to him very much, and he hopes that together we will manage to make this a general principle.
    • 10:15
      Coffee Break
    • 10:45
      Ivan Nardi - AI2M
      First Packet Classification, Fingerprints and Obfuscated Flows Detection in nDPI
      Traffic Classification nDPI
      Deep Packet Inspection is a complex technology with a lot of technical low-level details, which can be difficult to follow or to fully understand. Therefore in this talk we will focus instead on some practical, real life problems that the latest nDPI versions can easily help you to solve. Particular attention will be paid to First Packet Classification and to detection of obfuscated traffic.

      Ivan is a network and software engineer at AI2M, where they develop data retention and traffic analysis systems. He has been involved in DPI for more than 10 years and he is helping with developing and maintaining nDPI.
    • 11:20
      Martin Scheu - Switch
      Unfold the OT Network Jungle
      OT/SCADA
      OT networks are often thought to be static, but they are more dynamic than they seem. Devices change, new connections appear, and interactions with IT systems increase. On top of that, many OT environments have remote access connections — for support, maintenance, or from system integrators — which adds even more complexity. To stay in control, it’s important to focus on key security aspects: understanding what goes in and out of the OT network, knowing all internet-facing points, and having relevant logs. This presentation will show how monitoring traffic between firewalls and the internet, as well as between IT and OT networks, can help make sense of the network and reduce blind spots.

      Martin Scheu works at Switch CERT, where he supports critical infrastructure operators in the field of OT security. His focus is on helping organizations improve their visibility, understand their networks, and respond to security challenges in industrial environments.
    • 11:50
      Raphael Vallazza - Endian
      Building a Unified Cybersecurity Platform for IT & OT
      OT Cybersecurity
      As IT and OT networks converge, a unified approach to cybersecurity is essential. This talk presents the development of a platform that bridges both worlds, with a focus on how ntop technologies were integrated to enhance traffic visibility and threat detection. Key takeaways include architecture insights, integration challenges, and lessons learned in securing complex, hybrid environments.

      Raphael Vallazza, Co-Founder and CEO of Endian, discovered his passion for technology at age seven with a C64, started coding at twelve, and sold his first software by fourteen. A Linux enthusiast since high school, he combined his interests in networking and cybersecurity to found Endian in 2003 in Appiano, South Tyrol. Beyond tech, Raphael is passionate about music, plays guitar, and has a keen interest in finance.
    • 12:20
      Lunch Break
    • 13:20
      Piotr Kałuża - Sycope
      How to use nProbe DPI and Sycope to improve security in every company
      NetFlow Cybersecurity
      Sycope is a network monitoring tool that uses NetFlow data to provide visibility into network traffic and detect security anomalies and threats. Although Sycope can use different versions of NetFlow, the enhanced NetFlow provided by nProbe can really improve detection and help with in-depth analysis. The presentation will show how the integration of both systems can take traffic observability and threat hunting to a higher level.

      Piotr is a veteran with 15+ Years of experience in IT Security and Network Monitoring.
    • 13:50
      Rolf Leutert - Leutert NetServices, Walter Hofstetter - AnyWeb
      What if Packets are not Enough?
      Stratoshark System Monitoring
      Using Stratoshark, you can capture network activity on your Linux machine - including containerized workloads - and analyze it directly in the familiar Wireshark GUI. Walter and Rolf will present a live demo showing how to simultaneously capture network packets and record system calls, as well as explore additional methods for adding valuable system-level context to your Wireshark traces.

      In 1984, Rolf began working for Swissair airline. His first task was setting up a broadband network for passenger information at Zurich Airport. In 1988, he took over as head of the LAN group. His team planned and implemented Zurich Airport's local LAN (Token Ring), at the time the largest in Europe. In 1999, his team implemented the first WLAN for aircraft handling personnel. In 1995, Rolf began as the first sniffer trainer in Europe and switched to first Wireshark trainer in 2006.
       
      Walter is a veteran in network and protocol analysis, having earned his stripes as a "Sniffer University Certified Instructor" from Network General in 1994. Throughout his career, he quickly advanced into the cybersecurity arena, where his expertise in protocols proved invaluable.
    • 14:20
      Matteo Biscosi - ntop
      Advanced Network Analysis Using ntopng
      ntopng
      This talk introduces the latest features and innovations in the latest ntopng version.

      A graduate of the University of Pisa in Software Engineering, Matteo has been working for 5 years at ntop as a Software Engineer, both as a front-end and back-end developer.
    • 14:50
      Luca Deri - ntop
      25+ Years of Open Source: ntop past and future plans
      Open Source ntop
      In this talk Luca will go through the history of ntop, describing why this project was created and what problem it tackled. He will give an overview of the technology created through the years and how it has been used in the industry and in the open source world. Finally, he will give an overview of the current developments and open challenges.

      Luca is the founder of ntop. Well-known in the open-source and Linux community, he currently shares his time between the ntop project and the University of Pisa where he has been appointed as a lecturer at the CS department.
    • 15:30
      Coffee Break
    • 16:00
      Roundtable/Panel
      Panelists: Criznic Petru Ciprian - Sunrise, Giordano Zambelli - VerXo, Mischa Diehm - Narrowin, Ahmed Elhassany - Swisscom
      Criznic Petru Ciprian has a degree in Electronics and Telecommunications Systems Engineering. He is currently Lead DevNet Engineer at Sunrise, with 12 years of experience specializing in IP Network Visibility and Automation.

      What's Next in Traffic Monitoring and Packet Analysis? Open Issues and Future Opportunities.
      Community Discussion
    • 17:00
      Closing Remarks

Pre-Conference Event


ntop Training: Wednesday May 7th

  • 14:00
    Alfredo Cardigliano - ntop
    Using ntop Tools in Cybersecurity
  • 14:45
    Michael Muenz - m.a.x. Informationstechnologie
    Integrating ntopng in Wazuh SIEM
  • 15:15
    Matteo Biscosi - ntop
    A Deep Dive into ntopng
  • 16:00
    Martin Scheu - Switch
    Open Source OT monitoring
  • 16:45
    Luca Deri - ntop
    How to use nDPI for Network Visibility and Traffic Enforcement
  • 17:15
    ntop Team
    Q&A: All You Wanted to Know About ntop Tools

Location


The meeting venue is walking distance from Zurich Hauptbahnhof (main train station) close to the Zürich city centre.

  • Conference
    PH Zürich, Lagerstrasse 2, 8090 Zürich, Switzerland
  • Pre-Conference
    Switch, Werdstrasse 2, 8004 Zürich, Switzerland

Note that the pre-conference and the conference are held at two different locations (still within walking distance).

Accommodation


Zurich has many accommodations you can find on sites such as Airbnb, Trip or Booking. Below is a selection of accommodations close to the conference and city center.

About PacketFest


PacketFest is organized by ntop with support of Switch, AnyWeb, and Leutert NetServices.