NetFlow is a protocol developed by Cisco used to collect information about traffic flowing through devices on a network. The type of information collected from IP traffic by NetFlow to determine a flow include:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol
- Class of Service
- Ingress Interface
By collecting this information and analyzing it, a lot of insight can be gained about the network and used for several purposes including bandwidth monitoring, network performance troubleshooting and anomaly detection.
Here is our list of the top NetFlow Analyzers & Collectors:
- Auvik – EDITOR’S CHOICE This SaaS cloud platform provides both network device monitoring and network traffic analysis. Use the network inventory and map in conjunction with flow protocol data to identify bottlenecks and fault devices so that you can keep network performance at its peak. Get a 14-day free trial.
- SolarWinds NetFlow Traffic Analyzer – FREE TRIAL A bandwidth monitoring and management package that also covers virtual switches. Installs on Windows Server. Register for a 30-day free trial.
- ManageEngine NetFlow Analyzer – FREE TRIAL Tracks traffic volumes live and includes capacity planning tools. Available for Windows Server and Linux. Get a 30-day free trial.
- Site24x7 Network Traffic Monitoring – FREE TRIAL A network monitoring service that is part of a wider system monitoring service that is delivered from the cloud. Start a 30-day free trial.
- PRTG Network Monitor – FREE TRIAL A bundle of infrastructure monitoring tool that includes traffic monitoring. Installs on Windows Server. Download a 30-day free trial.
- Noction Flow Analyzer This monitoring tool uses NetFlow and other traffic statistics gathering protocols to generate an information pool about network activity and bandwidth usage in a multi-vendor site. Runs on Linux.
- Plixer Scrutinizer A traffic analyzer that can be used for security investigations. Installs as a virtual machine or can be taken as a cloud service.
- nProbe and ntopng A traffic analysis combination with a browser-based interface. nProbe runs on Linux and Windows and ntopng is available for Windows, Linux, macOS, RaspbianOS, and FreeBSD.
When NetFlow is implemented on a network, there are usually two major components: Flow Exporter and Flow Collector. The Flow Exporter captures flow information to be sent to a collector. This exporter is usually configured on a device such as a router or a switch and in some cases, there may be multiple exporters for different flows. On the other hand, the Flow Collector receives flow records from the exporter, processes them and can analyze this information to be presented to users in sensible form.
Note: In some instances, the Flow Collector does not do the actual analysis of the flow records. Instead, the Flow Collector just receives the flow records and another application does this analysis.
NetFlow and Counterparts
It is important to point out at this point that even though NetFlow was developed by Cisco, it is supported by other vendors. At the same time, other vendors also have their own versions of NetFlow including J-Flow for Juniper and NetStream for Huawei. Moreover, there is also an IETF protocol for transmitting IP flow information across a network – IP Flow Information Export (IPFIX) – which is based on Cisco’s NetFlow version 9.
Note: There are several versions of NetFlow (from version 1 to 9), some of which have become obsolete. NetFlow version 5, 7 and 9 are the commonly used versions.
The top NetFlow Analyzers & Collectors
Our methodology for selecting the NetFlow analyzers and collectors
- Check if it can collect and summarize passing packets
- Does it support communication with sFlow, J-Flow, NetFlow, and other packet capture systems
- Does it send alerts on reaching the bandwidth capacity threshold limit?
- Can you generate live stats reports with illuminating graphs and charts?
- Does it offer tools for capacity planning and bottleneck investigation?
As we mentioned earlier in this article, there are Flow Collectors that receive flow records from exporters and analyze these records to produce sensible information. We will be highlighting some of these below in more detail.
Auvik is a SaaS platform that is based in the cloud but links to your network through the installation of an agent. This tool operates SNMP processes to discover the network and track device statuses. It also uses flow protocols to extract traffic statistics for analysis.
- Network inventory
- Network diagram
- Traffic analysis
- Path tracing
The traffic analysis module on the Auvik platform is called TrafficInsights. It can communicate with switches and routers by using NetFlow v5, NetFlow v9, IPFIX, sFlow, and J-Flow. This gives the tool compatibility with the devices produced by most network system manufacturers in the world and enables it to manage multi-vendor networks.
Auvik is packaged in two editions: Essentials and Performance. Both plans provide network discovery and mapping plus live device status monitoring with SNMP. However, only the higher plan includes the TrafficInsights module.
- NetFlow, IPFIX, sFlow, and J-Flow
- Consolidates the monitoring of multiple networks
- Network configuration management
- Syslog collection and management
- Web-based dashboard
- Doesn’t have NetStream capabilities
You can examine the Auvik system with a 14-day free trial.
Auvik is our top pick for a NetFlow analyzer and collector for monitoring in real time because has the ability to communicate with switches and routing through the NetFlow v5, NetFlow v9, IPFIX, J-Flow, and sFlow protocols. Traffic analysis is available in the higher edition of Auvik, which is called Performance. The system also provides SNMP-based device monitoring and using these two systems together will help you identify which device on your system is causing problems with traffic throughput rates.
Official Site: https://www.auvik.com/lp/network-traffic-analysis/
The SolarWinds NetFlow Traffic Analyzer (NTA) is a network traffic analysis and bandwidth monitoring tool that supports various flow technologies including NetFlow, J-Flow, IPFIX and NetStream.
- For multi-vendor environments
- Path analysis
- VoIP QoS
- Runs on Windows Server
SolarWinds NTA can provide insight into bandwidth usage on a network such as which IP address or application is consuming the most bandwidth at a certain time. It can analyse patterns in traffic over a certain period of time, thereby making it able to perform network traffic forensics.
SolarWinds NTA starts at $1,875 for monitoring 100 elements although a 30-day free trial is available. Another thing to keep in mind is that SolarWinds NTA integrates with SolarWinds Network Performance Monitor (NPM) to perform its function.
This means that you must account for the cost (and requirements) of SolarWinds NPM along with the cost of SolarWinds NTA. SolarWinds NPM is also available for a 30-day free trial and license cost starts at $2,895 for monitoring 100 elements.
- Supports NetFlow, J-Flow, IPFIX, and several other flow technologies
- Generates insights related to a network’s bandwidth utilization
- Analyzes traffic patterns and sends real-time alerts
- Monitors bandwidth, analyzes performance, and manages multi-vendor networks
- Allows tracking performance of the wireless network as well as VMware vSphere
- Not a great option for small LANs or home users as it was designed for enterprises that process large data
You can start a 30-day free trial.
ManageEngine has a similar offering of a NetFlow collector and analyzer as the other solutions we have previously discussed. Their NetFlow Analyzer also supports multiple flow technologies such as NetFlow, J-Flow and NetStream and is targeted at network traffic analysis and bandwidth monitoring.
- Traffic analysis
- Monitors network changes
- Security monitoring
ManageEngine NetFlow Analyzer packs some interesting features such as customizable dashboards, an iPhone app for anytime, anywhere monitoring and the ability to report on Cisco Medianet and Cisco WAAS.
- Offers visibility into network bandwidth performance in real-time
- Analyzes network traffic and its patterns
- Generates one-minute granularity and custom search reports on bandwidth usage, Cisco Medianet, and Cisco WAAS
- Users can set custom alerts depending on traffic thresholds
- The intuitive interface helps identify bandwidth hogs and other abnormal network traffic instantly
- Not a suitable option for small home networks
ManageEngine offers an online demo of their NetFlow Analyzer which is good because you can try it out before deciding whether to download or buy. The NetFlow Analyzer comes in two editions: Essential and Distributed. Both editions can be tried for free for 30 days. The minimum license price is $495 for monitoring 10 interfaces on the Essential edition. There is also a free edition that can be used to monitor 2 interfaces without the need for any license.
Site24x7 Network Traffic Monitoring is part of a system monitoring service. This cloud-based service is offered in a series of packages that emphasize the supervision of different aspects of IT systems. The packages are designed to focus on websites, infrastructure, and applications. Although each of these packages have specific focus, they all include network monitoring. Site24x7 offers both network performance monitoring and bandwidth monitoring.
- Full stack package
- Cloud based
- Suitable for SMBs
Site24x7 network monitoring deploys a range of communication protocols in order to extract data from network switches. The service is able to contact the devices of more than 200 vendors. Many manufacturers, such as Cisco systems and juniper Networks have created their own languages for traffic data querying. The Site24x7 system can communicate with NetFlow, IPFIX, J-Flow, sFlow, NetStream, CFlow, and AppFlow.
This monitoring tool is able to unify the monitoring of networks on different sites, on the cloud, and traveling through switches from different providers, using different communication protocols. This is a very flexible network traffic monitor.
This service shows live traffic volumes on its dashboard, which is hosted in the cloud and accessed through a Web browser. All of the processing power for the monitor is also resident in the cloud. An agent module on the monitored network collects data and uploads it to the Site24x7 server over an encrypted link.
This service also includes the ability to set thresholds, which trigger alerts. Those alerts can be sent out to key personnel as emails, SMS messages, or voice calls.
- Allows watching over bandwidth as well as network traffic
- You can extract information from network switches via different communication methods
- Provides stats on traffic patterns for various devices and apps
- Keep a track of data that is being transmitted over a network
- Check the network’s capacity quality and track if it is allocated properly.
- Site24x7 offers various features and customization options that may take time to fully understand
Site24x7 is a subscription service with a range of editions. You can try any of them on a 30-day free trial.
Paessler PRTG Network Monitor is an all-in-one network monitoring solution which includes performance monitoring, bandwidth monitoring, server and application monitoring and so on. The benefit of this is that NetFlow monitoring is enabled by default in the tool – there is no add-on or upgrade required. PRTG Network Monitor can analyze various NetFlow versions (v5, v9), the industry standard (Internet Protocol Flow Information Export (IPFIX)), and other flow-based technologies such as sFlow and J-Flow.
- Customizable package
- Device and traffic monitoring
- Path analysis
One of the uses of the NetFlow monitoring available from PRTG Network Monitor is analysis of bandwidth usage. For example, you can determine the amount of bandwidth being used by different hosts, protocols and applications. This can be very helpful in network performance troubleshooting.
In the PRTG NetFlow setup, the Flow collector is different from the analysis software. The Flow collector is just any computer that receives flow reports from the exporters and has a PRTG probe installed on it. The analysis software is PRTG Network Monitor where the flow collector (the system with the PRTG probe) is setup as a sensor.
- No upgrade or add-on is necessary as NetFlow monitoring is available by default
- The bandwidth usage of various hosts, protocols, and apps can be ascertained
- Helps troubleshoot network performance
- Users can save and process flows using the PRTG NetFlow Analyzer
- Allows tracking and performing analysis on all vital Flow protocols
- It is a detailed solution, as a result, may take time to fully understand all of its features
PRTG Network Monitor is available in two editions: Freeware and Commercial. The Freeware edition is a fully functional PRTG Network Monitor that allows you to monitor up to 100 sensors. If you would like to monitor more than 100 sensors, you will need a Commercial license that starts at $1600 for monitoring 500 sensors. You can start with either version on a 30-day free trial.
6. Noction Flow Analyzer
Noction Flow Analyzer is a network traffic analysis tool that performs live traffic monitoring, live network performance monitoring, and capacity planning analysis.
- Identifies internal and inbound traffic
- Protocol analysis
- Great graphics
The main source of data for this package is the statistics gathered from switches and routers, using communication standards. These are:
The capabilities of the Noction system to use all of these protocols enables it to work with multi-vendor sites and extract data from network equipment provided by various manufacturers, including:
- Juniper Networks
- Cisco Systems
- Hewlett Packard Enterprise
- Extreme Networks
- Huawei, and others
Moreover, NFA offers a great way to visualize the BGP traffic routing criteria along with traffic volume via its BGP Sankey and BGP Report sections. Extensive filtering capabilities can provide you with a clear picture of the paths your traffic is taking, the countries, regions, or cities your traffic originates and terminates in, traffic volume distribution by different paths, the best potential new peering candidates, and more.
The software for Noction Flow Analyzer installs on Linux (Ubuntu, CentOS, and RHEL).
- Discovers the source of network performance issues and promptly fixes them.
- Works with NetFlow data to analyze traffic patterns within a network
- Uses illuminating graphs and charts to show real-time traffic data
- Users can even perform manual historical analysis
- If traffic congestion is found and efficiency suffers, the Noction system can be configured to issue alerts.
- Not works well with Windows operating system
- Essential to host it on your own site
Official Website: https://www.noction.com/flow-analyzer
Download: Get free access to this package with a free trial: https://nfa.noction.com/register.php
Rather than being just a NetFlow Analyzer, Scrutinizer is a full Incident Response System that can be used to analyze network traffic and report on security incidents. It can collect and analyze data from different flow types including NetFlow, J-Flow, NetStream and IPFIX. This means that Scrutinizer can be used for Cisco Networking devices and other vendors.
- Incident response
- Security monitoring
- Preventative measures
Scrutinizer can provide visibility into both physical and virtual environments. It also has fast and advanced reporting features, supports multi-tenancy and is very scalable because of its distributed architecture.
There are three (3) deployment options for Scrutinizer: Hardware, Virtual Machine and Software as a Service (SaaS). You can try Scrutinizer for free for 30 days after which the product downgrades to the free version which allows you to collect up to 5 hours of data from unlimited devices before resetting i.e. you lose the historical data and start afresh.
- Analyzes network traffic and updates on security breaches in real-time
- Performs analysis on data collected from different flows
- Provides clarity and visibility into physical as well as virtual environments
- Supports multi-tenancy and advanced reporting features
- Supports multiple deployments and is great for large enterprise networks
- The user needs to send request to the sales team for quotes
- Involves the use of a significant amount of the system’s resources
8. nProbe and ntopng
ntopng is an open-source tool for monitoring network traffic. It works by capturing packets off an interface and analysing it to give useful information such as Top X talkers – hosts and applications consuming the most bandwidth.
- Packet sniffer
- Also collects SNMP data
- Open source
ntopng can connect to nProbe which is a NetFlow/IPFIX collector. In this way, nProbe serves as the flow collector which receives flow records from flow exporters and sends this information to ntopng which analyses the information and presents it in a usable format.
While ntopng has a free version (the community edition), you require a license to use nProbe (except you are an NGO or education institution). nProbe comes in two editions: Standard and Pro with Plugins. The Standard version costs 149.95 Euros while the Pro with Plugins costs 299.95 Euros.
- A highly customizable tool that works great for Unix and macOS platforms
- You can even track the health of your devices using the collected SNMP data
- Great for anomaly-based intruder detection
- Uses NetFlow and IPFIX protocols to probe network devices
- Displays stats on latencies and TCP
- Non-technical users may find it difficult to understand the tool in the initial stage
- A paywall prevents access to the fully functional edition
In this article, we have discussed NetFlow and other flow-related technologies. We mentioned that the wealth of information provided by these flow technologies can help in several ways including network traffic analysis, performance troubleshooting and bandwidth monitoring.
We then went on to highlight a couple of tools that can be used for collecting and analysing NetFlow records including Scrutinizer, PRTG Network Monitor and ntopng/nProbe. There are other tools that we have not mentioned like NFDUMP and EHNT that are free and open source. The reason we did not discuss these other tools is because they are limited to NetFlow unlike the other tools we discussed that support NetFlow, J-Flow, NetStream and so on.
To conclude, if you are looking for a solution that does strictly NetFlow collection and analysis and has the ability to scale to different platforms and protocols, then we highly recommend SolarWinds NetFlow Traffic Analyzer (with Network Performance Monitor).
If you are more interested in NetFlow analysis as an add-on to a network monitoring solution, then try PRTG Network Monitor or ManageEngine NetFlow Analyzer. If you are interested in scalability and security analysis, then Scrutinizer may be another option for you. Finally, if you want an inexpensive solution with some open-source features, check out ntopng/nProbe.