NetFlow is a protocol developed by Cisco for collecting information about IP traffic passing through devices on a network. Rather than record every packet, a NetFlow device groups packets into flows; packets belong to the same flow when they share all of the following fields:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol
- Type of Service (ToS) byte, often referred to as Class of Service
- Ingress Interface
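To make the seven key fields concrete, here is an added Python illustration (not code from Cisco or from any product in this article) of the exporter-side flow cache: packets are bucketed by the seven-field key, counters and TCP flags are accumulated per flow, and flows are expired on FIN/RST or after inactive and active timeouts. The timeout values and the packet trace are assumptions constructed for the example; note that flows are unidirectional, so a single TCP connection produces two flows, and two DNS queries that differ only in the ToS byte land in different flows.

```python
"""Exporter-side flow cache keyed on the seven NetFlow key fields.

Added illustration in Python, not code from Cisco or any vendor listed here.
Packets below are constructed records, not captured traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# (src IP, dst IP, src port, dst port, L3 protocol, ToS byte, ingress ifIndex)
FlowKey = Tuple[str, str, int, int, int, int, int]
TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    ingress_if: int
    length: int
    tcp_flags: int = 0


@dataclass
class Flow:
    key: FlowKey
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    tcp_flags: int = 0  # OR of every flag seen, as NetFlow v5 reports it


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.tos, p.ingress_if)


class FlowCache:
    """Groups packets into unidirectional flows and expires them the way an
    exporter does: on FIN/RST, after an inactive timeout, or after an active
    timeout. The timeout defaults here are assumptions, not Cisco's values."""

    def __init__(self, active_timeout: float = 1800.0, inactive_timeout: float = 15.0):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.cache: Dict[FlowKey, Flow] = {}
        self.expired: List[Flow] = []

    def add(self, p: Packet) -> None:
        self._expire(p.ts)
        key = flow_key(p)
        flow = self.cache.get(key)
        if flow is None:
            flow = Flow(key=key, first=p.ts, last=p.ts)
            self.cache[key] = flow
        flow.last = p.ts
        flow.packets += 1
        flow.octets += p.length
        flow.tcp_flags |= p.tcp_flags
        if p.proto == TCP and p.tcp_flags & (FIN | RST):
            self.expired.append(self.cache.pop(key))  # teardown ends the flow

    def _expire(self, now: float) -> None:
        for key, flow in list(self.cache.items()):
            if now - flow.last > self.inactive_timeout or now - flow.first > self.active_timeout:
                self.expired.append(self.cache.pop(key))

    def flush(self) -> List[Flow]:
        """Export everything, including flows still active (e.g. at shutdown)."""
        self.expired.extend(self.cache.values())
        self.cache.clear()
        out, self.expired = self.expired, []
        return out


def build_flows(packets: List[Packet]) -> List[Flow]:
    cache = FlowCache()
    for p in sorted(packets, key=lambda p: p.ts):
        cache.add(p)
    return cache.flush()


# Constructed trace: one short HTTP exchange, then two DNS queries differing only in ToS.
SAMPLE_PACKETS = [
    Packet(0.0, "10.0.0.5", "192.0.2.10", 51000, 80, TCP, 0, 1, 60, SYN),
    Packet(0.1, "192.0.2.10", "10.0.0.5", 80, 51000, TCP, 0, 2, 60, SYN | ACK),
    Packet(0.2, "10.0.0.5", "192.0.2.10", 51000, 80, TCP, 0, 1, 500, PSH | ACK),
    Packet(0.3, "192.0.2.10", "10.0.0.5", 80, 51000, TCP, 0, 2, 1400, PSH | ACK),
    Packet(0.4, "10.0.0.5", "192.0.2.10", 51000, 80, TCP, 0, 1, 52, FIN | ACK),
    Packet(5.0, "10.0.0.5", "192.0.2.53", 53123, 53, UDP, 0x00, 1, 78),
    Packet(5.0, "10.0.0.5", "192.0.2.53", 53123, 53, UDP, 0x10, 1, 78),
]

if __name__ == "__main__":
    for f in build_flows(SAMPLE_PACKETS):
        print(f.key, f.packets, "pkts", f.octets, "octets", hex(f.tcp_flags))
```

Running it yields four flows from seven packets: the client and server halves of the HTTP connection are separate flows (the server half only leaves the cache at flush time because nothing ever expired it), and the two DNS queries are kept apart by the ToS byte even though their five-tuple is identical.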
By collecting these flow records (each of which is unidirectional, so one TCP conversation produces a record per direction) and analyzing them, a great deal of insight can be gained about the network and put to several uses, including bandwidth monitoring, network performance troubleshooting and anomaly detection.
When NetFlow is implemented on a network, there are two major components: the Flow Exporter and the Flow Collector. The Flow Exporter, usually a router or a switch, tracks flows in a cache and sends expired flow records to a collector; a network may have several exporters covering different traffic. Export is normally over UDP (port 2055 is the conventional choice, though it is configurable), which means records can be dropped under load and the collector has no way to authenticate the sending device, so keep the export path on a management network and restrict the collector to the exporter addresses you expect. The Flow Collector, in turn, receives the flow records from the exporters, stores and processes them, and can analyze the information for presentation to users in a sensible form.
Note: In some instances, the Flow Collector does not do the actual analysis of the flow records. Instead, the Flow Collector just receives the flow records and another application does this analysis.
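The collector side of this arrangement, together with the bandwidth-monitoring and anomaly-detection uses mentioned above, is illustrated by the following added Python example. It is not code from any product in this article; it decodes a NetFlow v5 export datagram (24-byte header followed by fixed 48-byte records, at most 30 per datagram), then runs two analyses over the decoded records: top talkers by bytes sent, and a simple port-scan heuristic that flags sources producing many tiny SYN-only flows to distinct targets. Because NetFlow arrives over unauthenticated UDP, the parser treats the record count and datagram length as untrusted input and rejects anything inconsistent. The sample datagram, the IP addresses and the scan threshold are constructed for the example.

```python
"""NetFlow v5 datagram decoder and two collector-side analyses.

Added example in Python; not code from any product in this article. The
sample datagram is constructed in-process, not captured from a router."""
import socket
import struct
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple

V5_HEADER = struct.Struct("!HHIIIIBBH")                # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
V5_MAX_RECORDS = 30
SYN, ACK = 0x02, 0x10


class FlowRecord(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    tos: int
    input_if: int
    packets: int
    octets: int
    tcp_flags: int


def parse_v5(datagram: bytes) -> List[FlowRecord]:
    """Decode one NetFlow v5 export datagram (header + up to 30 fixed records).

    The datagram came in over unauthenticated UDP, so the record count is
    checked against the bytes actually received before any record is read."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        (srcaddr, dstaddr, _nexthop, input_if, _output_if, d_pkts, d_octets,
         _first, _last, sport, dport, _pad1, tcp_flags, prot, tos,
         _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = V5_RECORD.unpack_from(
            datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(FlowRecord(socket.inet_ntoa(srcaddr), socket.inet_ntoa(dstaddr),
                                  sport, dport, prot, tos, input_if, d_pkts, d_octets, tcp_flags))
    return records


def is_valid_v5(datagram: bytes) -> bool:
    try:
        parse_v5(datagram)
        return True
    except ValueError:
        return False


def top_talkers(records: List[FlowRecord], n: int = 3) -> List[Tuple[str, int]]:
    """Source addresses ranked by bytes sent (bandwidth monitoring)."""
    octets: Counter = Counter()
    for r in records:
        octets[r.src] += r.octets
    return octets.most_common(n)


def port_scan_suspects(records: List[FlowRecord], threshold: int = 20) -> Dict[str, int]:
    """Sources with many tiny SYN-only TCP flows to distinct (host, port) targets.

    A completed connection ORs ACK into the exporter's flag field; a SYN scan
    never does, which separates it from a busy but legitimate client."""
    targets = defaultdict(set)
    for r in records:
        if r.proto == 6 and r.packets <= 2 and r.tcp_flags & SYN and not r.tcp_flags & ACK:
            targets[r.src].add((r.dst, r.dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def build_v5(records: List[FlowRecord]) -> bytes:
    """Encode records as a v5 datagram (used only to construct the sample below)."""
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(r.src), socket.inet_aton(r.dst), b"\x00" * 4,
                       r.input_if, 0, r.packets, r.octets, 0, 0, r.sport, r.dport,
                       0, r.tcp_flags, r.proto, r.tos, 0, 0, 24, 24, 0)
        for r in records)
    return V5_HEADER.pack(5, len(records), 0, 1_700_000_000, 0, 0, 0, 0, 0) + body


# Constructed sample: three ordinary flows plus a SYN scan of 25 ports on one host.
SAMPLE_RECORDS = [
    FlowRecord("10.0.0.5", "192.0.2.10", 51000, 443, 6, 0, 1, 40, 48000, 0x1B),
    FlowRecord("10.0.0.7", "192.0.2.20", 51001, 80, 6, 0, 1, 12, 9000, 0x1B),
    FlowRecord("10.0.0.7", "192.0.2.53", 53000, 53, 17, 0, 1, 1, 78, 0),
] + [FlowRecord("10.0.0.99", "192.0.2.10", 40000 + p, p, 6, 0, 1, 1, 44, SYN)
     for p in range(1, 26)]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    recs = parse_v5(SAMPLE_DATAGRAM)
    print("top talkers:", top_talkers(recs))
    print("scan suspects:", port_scan_suspects(recs))
```

The scan heuristic deliberately keys on the exporter's OR-ed TCP flags rather than on packet counts alone: a host running many short legitimate connections still accumulates ACK in every flow, whereas a scanner's flows carry only SYN. A truncated datagram, or one whose header claims a different version, is rejected rather than partially decoded, which is the behaviour you want from anything listening on an open UDP port.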
NetFlow and Counterparts
It is important to point out at this point that even though NetFlow was developed by Cisco, it is supported by other vendors. At the same time, other vendors also have their own versions of NetFlow, including J-Flow for Juniper and NetStream for Huawei. Moreover, there is also an IETF standard for transmitting IP flow information across a network, IP Flow Information Export (IPFIX, RFC 7011), which is based on Cisco's NetFlow version 9; unlike plain NetFlow over UDP, IPFIX also specifies SCTP as a transport and TLS/DTLS for protecting the export path.
Note: There are several versions of NetFlow (from version 1 to 9), some of which are now obsolete. Version 5 (a fixed record format, IPv4 only) and version 9 (template-based, adding IPv6 and MPLS fields among others) are the commonly used versions; version 7 is specific to certain Cisco Catalyst switches.
Here’s a list of the top NetFlow Analyzers and Collectors:
- Solarwinds NetFlow Traffic Analyzer
- PRTG Network Monitor
- Scrutinizer
- ManageEngine NetFlow Analyzer
- nProbe and ntopng
As we mentioned earlier in this article, there are Flow Collectors that receive flow records from exporters and analyze these records to produce sensible information. We will be highlighting some of these below in more detail.
Solarwinds NetFlow Traffic Analyzer
The Solarwinds NetFlow Traffic Analyzer (NTA) is a network traffic analysis and bandwidth monitoring tool that supports various flow technologies including NetFlow, J-Flow, IPFIX and NetStream.
Solarwinds NTA can provide insight into bandwidth usage on a network, such as which IP address or application is consuming the most bandwidth at a given time. It can also analyse traffic patterns over a period of time, which supports network traffic forensics.
Solarwinds NTA starts at $1,875 for monitoring 100 elements although a 30-day free trial is available. Another thing to keep in mind is that Solarwinds NTA integrates with Solarwinds Network Performance Monitor (NPM) to perform its function.
This means that you must account for the cost (and requirements) of Solarwinds NPM along with the cost of Solarwinds NTA. Solarwinds NPM is also available for a 30-day free trial and license cost starts at $2,895 for monitoring 100 elements.
PRTG Network Monitor
PRTG Network Monitor is an all-in-one network monitoring solution which includes performance monitoring, bandwidth monitoring, server and application monitoring and so on. The benefit of this is that NetFlow monitoring is part of the base product, with no add-on or upgrade required. PRTG Network Monitor can analyze NetFlow v5 and v9, the IETF standard IPFIX, and other flow-based technologies such as sFlow and J-Flow.
One of the uses of the NetFlow monitoring available from PRTG Network Monitor is analysis of bandwidth usage. For example, you can determine the amount of bandwidth being used by different hosts, protocols and applications. This can be very helpful in network performance troubleshooting.
In the PRTG NetFlow setup, the flow collector is separate from the analysis software. The flow collector is any computer that has a PRTG probe installed and receives flow records from the exporters. The analysis software is PRTG Network Monitor itself: a NetFlow sensor is set up on that probe, and the exporters are configured to send their flow records to the probe's address and port.
PRTG Network Monitor is available in two editions: Freeware and Commercial. The Freeware edition is a fully functional PRTG Network Monitor that allows you to monitor up to 100 sensors. If you would like to monitor more than 100 sensors, you will need a Commercial license that starts at $1,600 for monitoring 500 sensors.
Official Website: https://www.paessler.com/prtg
Scrutinizer
Rather than being just a NetFlow analyzer, Scrutinizer is positioned as a full incident response system that can be used to analyze network traffic and report on security incidents. It can collect and analyze data from different flow types including NetFlow, J-Flow, NetStream and IPFIX, so it works with Cisco networking devices as well as equipment from other vendors.
Scrutinizer can provide visibility into both physical and virtual environments. It also has fast and advanced reporting features, supports multi-tenancy and is very scalable because of its distributed architecture.
There are three deployment options for Scrutinizer: hardware appliance, virtual machine and Software as a Service (SaaS). You can try Scrutinizer for free for 30 days, after which the product downgrades to the free version, which allows you to collect up to 5 hours of data from an unlimited number of devices before resetting; that is, you lose the historical data and start afresh.
ManageEngine NetFlow Analyzer
ManageEngine has a similar offering of a NetFlow collector and analyzer as the other solutions we have previously discussed. Their NetFlow Analyzer also supports multiple flow technologies such as NetFlow, J-Flow and NetStream and is targeted at network traffic analysis and bandwidth monitoring.
ManageEngine NetFlow Analyzer packs some interesting features such as customizable dashboards, an iPhone app for anytime, anywhere monitoring and the ability to report on Cisco Medianet and Cisco WAAS.
ManageEngine offers an online demo of their NetFlow Analyzer which is good because you can try it out before deciding whether to download or buy. The NetFlow Analyzer comes in two editions: Essential and Distributed. Both editions can be tried for free for 30 days. The minimum license price is $495 for monitoring 10 interfaces on the Essential edition. There is also a free edition that can be used to monitor 2 interfaces without the need for any license.
Official Website: https://www.manageengine.com/products/netflow/
nProbe and ntopng
ntopng is an open-source tool for monitoring network traffic. It works by capturing packets off an interface and analysing them to give useful information such as the top X talkers, the hosts and applications consuming the most bandwidth.
ntopng can connect to nProbe which is a NetFlow/IPFIX collector. In this way, nProbe serves as the flow collector which receives flow records from flow exporters and sends this information to ntopng which analyses the information and presents it in a usable format.
While ntopng has a free version (the community edition), you require a license to use nProbe (unless you are an NGO or an educational institution). nProbe comes in two editions: Standard and Pro with Plugins. The Standard version costs 149.95 Euros while the Pro with Plugins version costs 299.95 Euros.
In this article, we have discussed NetFlow and other flow-related technologies. We mentioned that the wealth of information provided by these flow technologies can help in several ways including network traffic analysis, performance troubleshooting and bandwidth monitoring.
We then went on to highlight five tools that can be used for collecting and analysing NetFlow records: Solarwinds NetFlow Traffic Analyzer, PRTG Network Monitor, Scrutinizer, ManageEngine NetFlow Analyzer and ntopng/nProbe. There are other free and open-source tools that we have not mentioned, such as NFDUMP and EHNT. We left them out because they are narrower in focus than the products above, which combine multi-vendor flow support (NetFlow, J-Flow, NetStream and so on) with reporting and dashboards.
To conclude, if you are looking for a dedicated flow collection and analysis product that scales across platforms and flow protocols, then we highly recommend Solarwinds NetFlow Traffic Analyzer (with Network Performance Monitor).
If you are more interested in NetFlow analysis as an add-on to a network monitoring solution, then try PRTG Network Monitor or ManageEngine NetFlow Analyzer. If you are interested in scalability and security analysis, then Scrutinizer may be another option for you. Finally, if you want an inexpensive solution built on open-source components, check out ntopng/nProbe.