NetFlow is a protocol developed by Cisco used to collect information about traffic flowing through devices on a network. The type of information collected from IP traffic by NetFlow to determine a flow include:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol
- Class of Service
- Ingress Interface
By collecting this information and analyzing it, a lot of insight can be gained about the network and used for several purposes including bandwidth monitoring, network performance troubleshooting and anomaly detection.
Here is our list of the top NetFlow Analyzers & Collectors:
- SolarWinds NetFlow Traffic Analyzer – FREE TRIAL A bandwidth monitoring and management package that also covers virtual switches. Installs on Windows Server.
- Noction Flow Analyzer – FREE TRIAL This monitoring tool uses NetFlow and other traffic statistics gathering protocols to generate an information pool about network activity and bandwidth usage in a multi-vendor site. Runs on Linux.
- ManageEngine NetFlow Analyzer – FREE TRIAL Tracks traffic volumes live and includes capacity planning tools. Available for Windows Server and Linux.
- Site24x7 Network Traffic Monitoring – FREE TRIAL A network monitoring service that is part of a wider system monitoring service that is delivered from the cloud.
- PRTG Network Monitor – FREE TRIAL A bundle of infrastructure monitoring tool that includes traffic monitoring. Installs on Windows Server.
- Plixer Scrutinizer A traffic analyzer that can be used for security investigations. Installs as a virtual machine or can be taken as a cloud service.
- nProbe and ntopng A traffic analysis combination with a browser-based interface. nProbe runs on Linux and Windows and ntopng is available for Windows, Linux, macOS, RaspbianOS, and FreeBSD.
When NetFlow is implemented on a network, there are usually two major components: Flow Exporter and Flow Collector. The Flow Exporter captures flow information to be sent to a collector. This exporter is usually configured on a device such as a router or a switch and in some cases, there may be multiple exporters for different flows. On the other hand, the Flow Collector receives flow records from the exporter, processes them and can analyze this information to be presented to users in sensible form.
Note: In some instances, the Flow Collector does not do the actual analysis of the flow records. Instead, the Flow Collector just receives the flow records and another application does this analysis.
NetFlow and Counterparts
It is important to point out at this point that even though NetFlow was developed by Cisco, it is supported by other vendors. At the same time, other vendors also have their own versions of NetFlow including J-Flow for Juniper and NetStream for Huawei. Moreover, there is also an IETF protocol for transmitting IP flow information across a network – IP Flow Information Export (IPFIX) – which is based on Cisco’s NetFlow version 9.
Note: There are several versions of NetFlow (from version 1 to 9), some of which have become obsolete. NetFlow version 5, 7 and 9 are the commonly used versions.
The top NetFlow Analyzers & Collectors
As we mentioned earlier in this article, there are Flow Collectors that receive flow records from exporters and analyze these records to produce sensible information. We will be highlighting some of these below in more detail.
The SolarWinds NetFlow Traffic Analyzer (NTA) is a network traffic analysis and bandwidth monitoring tool that supports various flow technologies including NetFlow, J-Flow, IPFIX and NetStream.
SolarWinds NTA can provide insight into bandwidth usage on a network such as which IP address or application is consuming the most bandwidth at a certain time. It can analyse patterns in traffic over a certain period of time, thereby making it able to perform network traffic forensics.
SolarWinds NTA starts at $1,875 for monitoring 100 elements although a 30-day free trial is available. Another thing to keep in mind is that SolarWinds NTA integrates with SolarWinds Network Performance Monitor (NPM) to perform its function.
This means that you must account for the cost (and requirements) of SolarWinds NPM along with the cost of SolarWinds NTA. SolarWinds NPM is also available for a 30-day free trial and license cost starts at $2,895 for monitoring 100 elements.
Free 30 Day Download: https://www.solarwinds.com/netflow-traffic-analyzer/registration
Noction Flow Analyzer is a network traffic analysis tool that performs live traffic monitoring, live network performance monitoring, and capacity planning analysis. The main source of data for this package is the statistics gathered from switches and routers, using communication standards. These are:
The capabilities of the Noction system to use all of these protocols enables it to work with multi-vendor sites and extract data from network equipment provided by various manufacturers, including:
- Juniper Networks
- Cisco Systems
- Hewlett Packard Enterprise
- Extreme Networks
- Huawei, and others
Moreover, NFA offers a great way to visualize the BGP traffic routing criteria along with traffic volume via its BGP Sankey and BGP Report sections. Extensive filtering capabilities can provide you with a clear picture of the paths your traffic is taking, the countries, regions, or cities your traffic originates and terminates in, traffic volume distribution by different paths, the best potential new peering candidates, and more.
The software for Noction Flow Analyzer installs on Linux (Ubuntu, CentOS, and RHEL).
Official Website: https://www.noction.com/flow-analyzer
Download: Get free access to this package for 30 days with a free trial:
ManageEngine has a similar offering of a NetFlow collector and analyzer as the other solutions we have previously discussed. Their NetFlow Analyzer also supports multiple flow technologies such as NetFlow, J-Flow and NetStream and is targeted at network traffic analysis and bandwidth monitoring.
ManageEngine NetFlow Analyzer packs some interesting features such as customizable dashboards, an iPhone app for anytime, anywhere monitoring and the ability to report on Cisco Medianet and Cisco WAAS.
ManageEngine offers an online demo of their NetFlow Analyzer which is good because you can try it out before deciding whether to download or buy. The NetFlow Analyzer comes in two editions: Essential and Distributed. Both editions can be tried for free for 30 days. The minimum license price is $495 for monitoring 10 interfaces on the Essential edition. There is also a free edition that can be used to monitor 2 interfaces without the need for any license.
Official Website: https://www.manageengine.com/products/netflow/
Download: Download this Tool Free & Get Started Right away!
Site24x7 Network Traffic Monitoring is part of a system monitoring service. This cloud-based service is offered in a series of packages that emphasize the supervision of different aspects of IT systems. The packages are designed to focus on websites, infrastructure, and applications. Although each of these packages have specific focus, they all include network monitoring. Site24x7 offers both network performance monitoring and bandwidth monitoring.
Site24x7 network monitoring deploys a range of communication protocols in order to extract data from network switches. The service is able to contact the devices of more than 200 vendors. Many manufacturers, such as Cisco systems and juniper Networks have created their own languages for traffic data querying. The Site24x7 system can communicate with NetFlow, IPFIX, J-Flow, sFlow, NetStream, CFlow, and AppFlow.
This monitoring tool is able to unify the monitoring of networks on different sites, on the cloud, and traveling through switches from different providers, using different communication protocols. This is a very flexible network traffic monitor.
This service shows live traffic volumes on its dashboard, which is hosted in the cloud and accessed through a Web browser. All of the processing power for the monitor is also resident in the cloud. An agent module on the monitored network collects data and uploads it to the Site24x7 server over an encrypted link.
This service also includes the ability to set thresholds, which trigger alerts. Those alerts can be sent out to key personnel as emails, SMS messages, or voice calls.
Site24x7 is a subscription service with a range of editions. You can try any of them on a 30-day free trial.
Official Website: https://www.site24x7.com/network-traffic-monitoring.html
PRTG Network Monitor is an all-in-one network monitoring solution which includes performance monitoring, bandwidth monitoring, server and application monitoring and so on. The benefit of this is that NetFlow monitoring is enabled by default in the tool – there is no add-on or upgrade required. PRTG Network Monitor can analyze various NetFlow versions (v5, v9), the industry standard (Internet Protocol Flow Information Export (IPFIX)), and other flow-based technologies such as sFlow and J-Flow.
One of the uses of the NetFlow monitoring available from PRTG Network Monitor is analysis of bandwidth usage. For example, you can determine the amount of bandwidth being used by different hosts, protocols and applications. This can be very helpful in network performance troubleshooting.
In the PRTG NetFlow setup, the Flow collector is different from the analysis software. The Flow collector is just any computer that receives flow reports from the exporters and has a PRTG probe installed on it. The analysis software is PRTG Network Monitor where the flow collector (the system with the PRTG probe) is setup as a sensor.
PRTG Network Monitor is available in two editions: Freeware and Commercial. The Freeware edition is a fully functional PRTG Network Monitor that allows you to monitor up to 100 sensors. If you would like to monitor more than 100 sensors, you will need a Commercial license that starts at $1600 for monitoring 500 sensors. You can start with either version on a 30-day free trial.
Official Website: https://www.paessler.com/netflow_monitoring
Rather than being just a NetFlow Analyzer, Scrutinizer is a full Incident Response System that can be used to analyze network traffic and report on security incidents. It can collect and analyze data from different flow types including NetFlow, J-Flow, NetStream and IPFIX. This means that Scrutinizer can be used for Cisco Networking devices and other vendors.
Scrutinizer can provide visibility into both physical and virtual environments. It also has fast and advanced reporting features, supports multi-tenancy and is very scalable because of its distributed architecture.
There are three (3) deployment options for Scrutinizer: Hardware, Virtual Machine and Software as a Service (SaaS). You can try Scrutinizer for free for 30 days after which the product downgrades to the free version which allows you to collect up to 5 hours of data from unlimited devices before resetting i.e. you lose the historical data and start afresh.
7. nProbe and ntopng
ntopng is an open-source tool for monitoring network traffic. It works by capturing packets off an interface and analysing it to give useful information such as Top X talkers – hosts and applications consuming the most bandwidth.
ntopng can connect to nProbe which is a NetFlow/IPFIX collector. In this way, nProbe serves as the flow collector which receives flow records from flow exporters and sends this information to ntopng which analyses the information and presents it in a usable format.
While ntopng has a free version (the community edition), you require a license to use nProbe (except you are an NGO or education institution). nProbe comes in two editions: Standard and Pro with Plugins. The Standard version costs 149.95 Euros while the Pro with Plugins costs 299.95 Euros.
In this article, we have discussed NetFlow and other flow-related technologies. We mentioned that the wealth of information provided by these flow technologies can help in several ways including network traffic analysis, performance troubleshooting and bandwidth monitoring.
We then went on to highlight a couple of tools that can be used for collecting and analysing NetFlow records including Scrutinizer, PRTG Network Monitor and ntopng/nProbe. There are other tools that we have not mentioned like NFDUMP and EHNT that are free and open source. The reason we did not discuss these other tools is because they are limited to NetFlow unlike the other tools we discussed that support NetFlow, J-Flow, NetStream and so on.
To conclude, if you are looking for a solution that does strictly NetFlow collection and analysis and has the ability to scale to different platforms and protocols, then we highly recommend SolarWinds NetFlow Traffic Analyzer (with Network Performance Monitor).
If you are more interested in NetFlow analysis as an add-on to a network monitoring solution, then try PRTG Network Monitor or ManageEngine NetFlow Analyzer. If you are interested in scalability and security analysis, then Scrutinizer may be another option for you. Finally, if you want an inexpensive solution with some open-source features, check out ntopng/nProbe.