Every experienced IT professional knows that a comprehensive view of the network is critical. As technology rapidly advances, challenges have arisen in understanding network behavior, particularly in the areas of compliance, network security vulnerabilities, network productivity and the dispersal of resources, and application usage. In 1996, Cisco released NetFlow as a network protocol to offer insight into all these areas within a cohesive operating environment.
Used to collect information about your network IP traffic and to monitor network traffic activity, NetFlow generates insights into application flows. By implementing a high-quality network performance monitor with a NetFlow reporting tool, you can troubleshoot network issues with a high level of specificity. For larger businesses with large IT departments, the information gleaned from NetFlow analysis can be used to facilitate more accurate capacity planning and decisions about how to best allocate network resources.
NetFlow works by interacting with IP flows, or sequences of packets connecting a server with a destination. Each packet that makes it through the router or switch is examined for certain IP packet attributes, which are then used as packet identifiers to determine whether a packet is unique or similar enough to other packets to be grouped with them.
NetFlow gathers all the data pulled from IP traffic leaving the device, inspects every packet, and consolidates packets into flows based on shared attributes. Packets that match on all seven of the key attributes (the criteria above, which include the layer 3 protocol and the router/switch interface) are grouped into the same flow. After their bytes and packets are tallied up, these compartmentalized flows are exported to a NetFlow collector.
Tools for NetFlow analysis incorporate three key components: exporters, collectors, and analyzers. Routers with NetFlow tools enabled create NetFlow reports, which are then processed and exported to a NetFlow collector. The NetFlow collector processes and compresses the data; the analyzer performs the necessary traffic analysis, and then breaks the analysis down into an easily digestible format. These tools can be separate pieces of hardware or they can be software-based, either paid or open-source.
Be careful not to confuse NetFlow with sFlow. While both are concerned with packets and network traffic, NetFlow uses templates, while sFlow is a NetFlow alternative using protocol extensions rather than templates.
sFlow can be retrofitted to snap into any network monitoring device. The sFlow exporter will take stock of all the packets going through a device and pluck out one of every n packets, where n equals the sample rate chosen in the settings. It will supplement those samples with other randomly chosen packets. sFlow takes the bytes from these samplings, transforms them into sFlow datagrams, and sends them off to the sFlow collector.
If we think of network traffic as traffic on a highway, NetFlow is a wide-lens camera capturing all the lanes, whereas sFlow takes pictures of isolated vehicles as they pass. Only NetFlow will give you a clear and all-inclusive view of your data.
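The two collection models described above (NetFlow inspecting every packet and tallying it into a flow keyed on the seven key fields, versus sFlow keeping one packet in every n and letting the collector scale the counters) can be made concrete with a small script. This is an added example, not code from the original article or from Cisco; the packet records are constructed, the seven-field flow key (source/destination IP, source/destination port, layer 3 protocol, ToS, input interface) is the standard NetFlow key, and the sampler is deterministic (every n-th packet) for reproducibility where a real sFlow agent randomises the interval:

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Flow key: the classic NetFlow seven key fields (assumed here; standard for NetFlow):
# src IP, dst IP, src port, dst port, layer-3 protocol, ToS, input ifIndex.
FlowKey = Tuple[str, str, int, int, int, int, int]
# Constructed packet record: (src, dst, sport, dport, proto, tos, ifindex, size_bytes)
Packet = Tuple[str, str, int, int, int, int, int, int]


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0


# Constructed sample traffic (not captured data): three TLS conversations and
# one DNS query, as one router interface would see them.
PACKETS: List[Packet] = [
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 1200),
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 1400),
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 900),
    ("10.0.0.7", "192.0.2.10", 51001, 443, 6, 0, 1, 600),
    ("10.0.0.5", "198.51.100.1", 40000, 53, 17, 0, 1, 80),
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 2, 1400),  # same 5-tuple, different input interface
    ("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 1000),
    ("10.0.0.7", "192.0.2.10", 51001, 443, 6, 0, 1, 500),
]


def aggregate_flows(packets: Iterable[Packet]) -> Dict[FlowKey, Flow]:
    """NetFlow-style: every packet is inspected and tallied into the flow whose
    seven key fields it matches; a key not seen before starts a new flow."""
    flows: Dict[FlowKey, Flow] = defaultdict(Flow)
    for src, dst, sport, dport, proto, tos, ifidx, size in packets:
        key: FlowKey = (src, dst, sport, dport, proto, tos, ifidx)
        flows[key].packets += 1
        flows[key].bytes += size
    return dict(flows)


def true_totals(packets: Iterable[Packet]) -> Tuple[int, int]:
    """Ground truth (packet count, byte count) over all packets."""
    pkts = list(packets)
    return len(pkts), sum(p[7] for p in pkts)


def sampled_estimate(packets: List[Packet], n: int) -> dict:
    """sFlow-style 1-in-n sampling: keep every n-th packet (deterministic here;
    real agents randomise the interval), then scale the sampled counters by n
    to estimate the totals. Flows that never land on a sampled packet are
    invisible to the collector."""
    sampled = [p for i, p in enumerate(packets) if i % n == n - 1]
    seen = aggregate_flows(sampled)
    return {
        "sampled_packets": len(sampled),
        "estimated_packets": len(sampled) * n,
        "estimated_bytes": sum(p[7] for p in sampled) * n,
        "flows_observed": len(seen),
    }


if __name__ == "__main__":
    for key, flow in aggregate_flows(PACKETS).items():
        print(key, flow)
    print("true totals (packets, bytes):", true_totals(PACKETS))
    print("1-in-4 sample:", sampled_estimate(PACKETS, 4))
```

With these eight packets the full aggregation yields four flows (the packet arriving on interface 2 starts its own flow even though its 5-tuple matches another), while the 1-in-4 sample happens to hit only the two packets of one conversation: the byte estimate is 4400 against a true 7080, and three of the four flows never appear at the collector. That is the trade-off behind the highway analogy: sampling is cheap on the exporter but gives an estimate, not an inventory.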
SolarWinds NetFlow Traffic Analyzer (NTA) works by combining flow data and Cisco Class-Based Quality of Service (CBQoS) data with the performance data gleaned from SolarWinds Network Performance Monitor (NPM). NTA then processes and breaks down the data into interactive graphs that offer a comprehensive view of your traffic history.
NTA can manage the original NetFlow program plus any variants and alternatives, including sFlow. My favorite thing about this tool is its ability to give you the information you want right out of the box. NTA breaks down traffic usage into useful categories like top 5 conversations, top 5 applications, and top 10 sources by utilization. You can also sort according to source or destination and examine traffic patterns over different lengths of time, past and present.
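The "top 5 conversations, top 5 applications, top 10 sources by utilization" views that an analyzer produces are straightforward reductions over exported flow records, and seeing how they are computed makes it clear what a "bandwidth hog" report can and cannot tell you. The following is an added example, not SolarWinds code or the article's own; the flow records are constructed, the port-to-application table is a deliberately tiny assumption (real analyzers use large tables plus payload-based recognition), and the conversation grouping is direction-agnostic so that a request flow and its reply count together:

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed flow records as a collector might hand to an analyzer (not real exports):
# src, dst, sport, dport, proto (6 = TCP, 17 = UDP), bytes.
FLOWS: List[dict] = [
    {"src": "10.0.0.5",    "dst": "192.0.2.10",   "sport": 51000, "dport": 443,   "proto": 6,  "bytes": 4500},
    {"src": "192.0.2.10",  "dst": "10.0.0.5",     "sport": 443,   "dport": 51000, "proto": 6,  "bytes": 90000},
    {"src": "10.0.0.7",    "dst": "192.0.2.10",   "sport": 51001, "dport": 443,   "proto": 6,  "bytes": 1100},
    {"src": "10.0.0.5",    "dst": "198.51.100.1", "sport": 40000, "dport": 53,    "proto": 17, "bytes": 80},
    {"src": "10.0.0.9",    "dst": "203.0.113.4",  "sport": 52000, "dport": 22,    "proto": 6,  "bytes": 250000},
    {"src": "203.0.113.4", "dst": "10.0.0.9",     "sport": 22,    "dport": 52000, "proto": 6,  "bytes": 3000},
]

# Minimal (proto, well-known port) -> application table; an assumption for this example.
APP_BY_PORT: Dict[Tuple[int, int], str] = {(6, 443): "HTTPS", (6, 22): "SSH", (17, 53): "DNS"}


def application_of(flow: dict) -> str:
    """Heuristic: the well-known side of a conversation is the lower port number,
    so look up (proto, min(sport, dport)); unknown ports get a generic label."""
    port = min(flow["sport"], flow["dport"])
    return APP_BY_PORT.get((flow["proto"], port), f"{flow['proto']}/{port}")


def top_conversations(flows: List[dict], k: int) -> List[Tuple[Tuple[str, str], int]]:
    """Bytes per endpoint pair regardless of direction, highest first."""
    c: Counter = Counter()
    for f in flows:
        pair = tuple(sorted((f["src"], f["dst"])))
        c[pair] += f["bytes"]
    return c.most_common(k)


def top_applications(flows: List[dict], k: int) -> List[Tuple[str, int]]:
    """Bytes per recognised application, highest first."""
    c: Counter = Counter()
    for f in flows:
        c[application_of(f)] += f["bytes"]
    return c.most_common(k)


def top_sources(flows: List[dict], k: int) -> List[Tuple[str, int]]:
    """Bytes sent per source address, highest first."""
    c: Counter = Counter()
    for f in flows:
        c[f["src"]] += f["bytes"]
    return c.most_common(k)


def utilization_share(flows: List[dict], top: List[Tuple[object, int]]) -> List[Tuple[object, float]]:
    """Express a top-N list as a percentage of all bytes, which is how a
    'by utilization' view is read when looking for a single host dominating a link."""
    total = sum(f["bytes"] for f in flows)
    return [(name, round(100.0 * b / total, 1)) for name, b in top]


if __name__ == "__main__":
    print("top conversations:", top_conversations(FLOWS, 5))
    print("top applications:", top_applications(FLOWS, 5))
    print("top sources by utilization:", utilization_share(FLOWS, top_sources(FLOWS, 10)))
```

On this constructed data one SSH conversation accounts for roughly 72% of all bytes, and the source 10.0.0.9 tops the utilization view; that is the kind of outlier these dashboards surface out of the box, and the next step is always to check whether the volume matches an expected job (backup, sync) before treating it as a problem.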
ManageEngine NetFlow Analyzer provides key visibility into traffic usage and network bandwidth hogs. In addition to NetFlow, it supports alternative technologies like IPFIX, NetStream, and J-Flow. It analyzes and filters traffic according to many of the same metrics as SolarWinds NTA, plus volume and speed, and it comes equipped with tools specifically for managing NetFlow in complex networks. Interactive graphs are available via the default dashboard embedded in the web-based user interface, including the standard pie charts, as well as heat maps to show the status of nearly everything on your network.
I include Paessler PRTG Network Monitor on a lot of my lists because of the comprehensive nature of its network monitoring capabilities. PRTG has several use cases, including NetFlow monitoring, and it supports all the major flow protocols and more. You can only monitor a single site using the web application. If you want to monitor multiple sites or devices, you have to use the enterprise app on Windows.
PRTG lets you monitor the health of your devices and track bandwidth usage across WAN, VPN, and cloud services on a single, unified platform. It automatically finds devices on your network and alerts you to new changes, so you can account for potential issues as soon as they arise.
PRTG is popular for its user-friendly interface. The system is simple to set up and the navigation tree is easy to manage. The device tree shows you all the devices on your network and the sensors being used to monitor each of them. In addition to your standard applications, your device tree can include routers, access points, disk usage, IoT, firewalls, workstations, servers, and more. Digging into the device tree will show you relevant indicators and metrics at every level.
When you combine Kentik Data Engine, a high-performance datastore, with Kentik Portal, a user interface, you get Kentik Detect. This tool gathers details about the different types of data passing through your system and brings them together in one unified view. You can also integrate the data into other systems. The web-based interface is customizable, and the Kentik team continually adds new dashboards, giving you a wide variety of ways to look at your data.
The Kentik Portal includes a function called Data Explorer, which lets you explore your network by breaking traffic data down into tables and graphs. In addition, Kentik helps you make sure your traffic delivery is conforming to service-level agreement standards, which improves the client experience and cuts down on costs.
Before we move on to open-source NetFlow monitoring solutions, a word about open-source tools in general. Open-source software has exploded in popularity in recent years, for various reasons. Some people believe technology resources belong in the hands of the people and not behind a paywall, while others simply feel open-source tools are as good as the paid ones.
Be that as it may, when putting together lists like this one, I try to include open-source tools for those who are tech-savvy and not afraid of a challenge. When dealing with open-source, be sure to put the software through a stress test before you commit.
Nagios Core is the free, open-source version, and Nagios XI is the paid tool. As such, Nagios XI comes with more features and built-in tech support for configuration issues. Nagios Core can be difficult to get a handle on, though an active community of users can help you.
A word of caution about Nagios: their reputation for being a reliable, powerful, and scalable network monitoring option comes with a reputation for being difficult to configure. Furthermore, Nagios Core does not have an auto-discovery function. Its advantage is the ability to customize the tools to suit your organizational needs, which can help you get the most out of the software.
Another open-source NetFlow monitoring tool, ntopng, is a traffic analysis solution that captures packets to monitor flow data. To get the data, it relies on an open-source NetFlow collector called nProbe.
Looking for a Free Open Source NetFlow Analyzer for Windows, Linux, or Unix? Look no further, we've compiled the ultimate list of Open Source tools to help with your network monitoring tasks.
As many of you already know, NetFlow is a protocol/standard developed by Cisco for collecting/transferring/analyzing network data using software packages to get a better understanding of what is happening on your network, along with further analysis of bandwidth usage, etc.
Netflow allows administrators to take the processing of network data away from switches and routers and send the flow packets and information to a collector that further analyzes that data to free up resources on the network device itself.
There are many commercial NetFlow (or sFlow, J-Flow, RFlow, cflow, or NetStream) analyzers available for free download and use, which we've recently detailed in this post.
On the other hand, if you are looking for an Open-Source alternative, you're in luck. We've put together a large list of Free Open Source Netflow Analyzers/Collectors to help you collect, analyze and scrutinize traffic and bandwidth to help you keep track of what's going on in your network.
Probably the most well-known open-source traffic analyzer, ntop, is a web-based tool that runs on Ubuntu x64 versions, CentOS/Red Hat x64 Linux flavors, Windows x64 operating systems, BeagleBoard ARM, Ubiquiti Networks EdgeRouter, and even Mac OS X, per its GitHub site. ntopng also includes support for sFlow and IPFIX (through the nProbe add-on), as IPFIX is becoming a new standard that many manufacturers are using for flow analysis. RRD is used for databases and storing data on a per-host level.
NTop is a pretty unique tool among other open-source Netflow analyzers. It can collect data from a wide range of networking protocols, which makes it more than just a data collector, but also a robust network monitor. Plus, ntopng comes with distinctive features such as geolocation, app recognition, and web-based graphs.
Why do we recommend it? We recommend ntop, especially its next-generation version (ntopng), for its extensive protocol support on traffic data extraction and device status information (via graphical representation). Additionally, this network monitoring tool is pretty versatile; it runs on a variety of platforms (Linux, Unix, macOS, and Windows). It's also pretty powerful, thanks to its ability to utilize sFlow and IPFIX.