1. Home
  2. Network Admin

The 5 Best NetFlow Collectors For Linux in 2019

Managing networks require the use of specialized tools that give you the necessary visibility to ensure all in running smoothly at all times. Unlike road traffic where slowdowns and obstructions can easily be pinpointed, network traffic is not something that’s easy to see. This is why tools like NetFlow can help. The NetFlow technology can give you some insight on what traffic is traversing your network instead of just how much traffic there is. Read on as we review some of the best NetFlow collectors and analyzers for Linux.

We’ll begin our journey by discussing the different methods network administrators can use to monitor their network and locate–and fix–issues before they become real problems. Then, we’ll explain what NetFlow is How it works and what’s needed to exploit it. And while we’re there, we’ll also discuss some NetFlow alternatives that might be of interest. We will then dive into the core of the matter and review some of the best NetFlow collectors and analyzers available for the Linux platform. In accordance with the open-source philosophy of Linux, some of them are available for free while others require a purchase or a subscription.

Monitoring Networks

As a network administrator, one of your responsibilities is to make sure that everything is running smoothly, that there are no slowdowns and that all network traffic gets to its destination within an acceptable time. Unfortunately, what happens on a network happens inside cables, routers, switches and other equipment where it is typically very hard to see what’s going on. This is where the concept of network monitoring comes from. using different tools, administrators can gain some visibility on what’s going on inside the network.

Command-line Utilities

There are several tools admins can use to monitor their network. The most basic tools are command-line diagnostic tools. You probably know them and are using them constantly. Ping, for instance, allows you to validate that a given IP address can be reached and provide some statistics on round-trip delays and packet loss. Tracert–or traceroute, depending on your OS–will trace the complete network path between two devices. Nmap will list all the devices that are present on a specific subnet.

Packet Capture And Analysis Tools

Next, are network monitoring tools that will let you capture traffic passing through a specific location and that will let you decode the packets and analyze them. They can be very useful when trying to solve application layer issues but they often won’t give you much information on the actual performance of your network. One such tool that has become very common is called Wireshark. Tcpdump is another similar tool that uses a command-line interface rather than a GUI.

Flow Analysis Software

For the most precise view of what’s going on, flow analysis what you need. It relies on networking devices to send traffic information so systems called collectors and/or analyzers which can, in turn, interpret flow data and present it in meaningful ways. The protocol that permits this is called NetFlow. It was created by Cisco Systems several years ago but it is now commonly used in one form or another on networking equipment from most major manufacturers.

What Is NetFlow?

NetFlow was developed by Cisco Systems and was introduced on their routers to provide the ability to collect IP network traffic as it enters or exits an interface. The collected data is then analyzed by network administrators to help determine the source and destination of traffic, the class of service, and the causes of congestion.

The flow exporter aggregates packets into flows and exports flow records towards one or more flow collectors. This is the component that is running on the monitored devices.

The flow collector is responsible for reception, storage and pre-processing of flow data received from a flow exporter.

Finally, the flow analyzer is an application that is used to analyze received flow data. Analysis can be used for traffic profiling, or for network troubleshooting.

How NetFlow Works

Routers, switches and any other device that supports NetFlow can be configured to output flow data in the form of flow records and send them to a NetFlow collector. A flow is a complete conversation in the IP sense. The device preparing flow records normally sends them to the collector when it determines that the flow is finished either through aging–there has not been any traffic within a specific timeout–or when it sees a TCP session termination.

NetFlow Architecture

The flow record contains a lot of information about the flow. It includes the input and output interfaces, the start and finish time stamps of the flow, the number of bytes and packets it contains, the layer 3 headers, the source and destination IP address and port number, the IP protocol, and the TOS value. Flow records don’t contain the actual data that made up the flow. The only contain information about the flow. This is important from a security standpoint.

Except in huge multi-site environments, the flow collectors where the records are sent are often also the flow analyzers. They use the information contained in flow records to present data about network traffic in a way that is useful to network administrators. Different NetFlow collectors and analyzers will have different ways of presenting data. This is where our list of the best NetFlow collectors and analyzers will come in handy.

Some Alternatives To NetFlow

As we’ve already hinted, NetFlow exists by several different names. But there are also alternatives to NetFlow, the two best-known are sFlow and IPFIX. The latter is heavily based on the latest version of NetFlow except that it is an IETF standard. We’re free to think that Cisco might even eventually replace NetFlow with IPFIX.

As for sFlow, it is a different, competing system. Its goal and general principles of operation are similar but different. Some NetFlow analyzers will also work with sFlow but, generally speaking, users of one don’t use the other.

The Best NetFlow Collectors For Linux

We’ve searched the market for the best NetFlow Collectors and analyzers for Linux. What we’ve got for you are five of the best products we could find, in order of preference with our favourite at the top of the list. Let’s review each one and explore their main features with the goal of helping you choose the package that best matches your needs.

1. ManageEngine NetFlow Analyzer

The ManageEngine NetFlow Analyzer gives the network administrator a detailed view of network bandwidth utilization as well as traffic patterns. The product is controlled by a web-based interface and offers an impressive number of different views on your network.

You can, for instance, view traffic by application, by conversation, by protocol, and several more options. You can also set alerts to warn you of potential issues. For example, you can set a traffic threshold on a specific interface and be alerted whenever traffic exceeds it.

ManageEngine Netflow Analyzer

But most of the strength of the product comes from its reports and dashboard. The tool comes with several very useful pre-built reports that are specifically tailored for specific purposes such as troubleshooting, capacity planning or billing. But you’re not stuck with built-in reports as the tool also allows administrators to create custom reports to their liking.

As for the tool’s dashboard we mentioned, it is just as impressive as its reports. It includes several pie charts with things such as top applications, top protocols or top conversations. It can also display a heat map with the status of the monitored interfaces. And as you might have guessed, dashboards can be customized to include only the information you find useful. The dashboard is also where alerts are displayed in the form of pop-ups. And for the on-the-go network administrator, there’s a smartphone app that will let you access the dashboard and reports.

The ManageEngine NetFlow Analyzer supports most flow technologies including NetFlow (of course), IPFIX, J-flow, NetStream and a few others. As a bonus, the too has excellent integration with Cisco devices, with support for adjusting traffic shaping and/or QoS policies right from the tool.

Like many competing products, the ManageEngine NetFlow Analyzer comes in two versions. The free version will be identical to the paid one for the first 30 days but it will then revert to monitoring only two interfaces of flows. While this is not much, it could be all that you need.

If you want the paid version, licenses are available in several sizes from 100 to 2500 interfaces or flows with prices varying between about $600 to over $50K plus annual maintenance fees.

2. Scrutinizer

Scrutinizer from Plixer is another great NetFlow Analyzer. In fact, it’s even more than that and many view it as a full incident response system. With its ability to monitor different flow types such as NetFlow, J-flow, NetStream, and IPFIX, you’re not limited to monitoring only Cisco devices.

Scrutinizer Architecture

With its hierarchical design, Scrutinizer offers streamlined and efficient data collection and allows you to start small and easily scale way up to many million flows per second. The network is often first blamed whenever something goes wrong, With Scrutinizer, you can quickly find the real cause of most any network issues. Scrutinizer works in both physical and virtual environments and comes with advanced reporting features.

Scrutinizer comes in four license tiers that go from the basic free version to the full-fledged SCR level which can scale up to over 10 million flows per second. The free version is limited to 10 thousand flows per second and it will only keep raw flow data for 5 hours but it should be more than enough to troubleshoot network issues. You can also try any license tier for 30 days after which it will revert back to the free version. The tool is available as a hardware appliance or as a virtual appliance which can run on a Linux host through KVM

3. nProbe and ntopng

nProbe and ntopng are somewhat more advanced–and more complicated–open-source tools. Ntopng is a web-based traffic analysis tool for monitoring networks based on flow data while nProbe is a NetFlow and IPFIX exporter and collector. Together, they make for a very flexible analysis package. If you’ve administered Linux networks before, you might be familiar with ntop. ntopng is the next-generation GUI version of this ageless tool.

NtopNG Screenshot

There’s a free community version of ntopng and you can also purchase enterprise versions. They can be expensive but they are free to educational and non-profit organizations. As for nProbe, you can try it for free but it is limited to a total of 25 000 exported flows. To go beyond that, you’ll need to purchase a license.

Like most modern network analysis tools, ntopng features a web-based user interface which can present data by traffic-such as top talkers, flows, hosts, devices, and interfaces. It has a mix of charts, tables, and graphs. most featuring drill-down options that let you explore in greater depth. The interface is quite flexible and allows for a lot of customization.

4. FlowScan

FlowScan is sort of a visualization tool that you can use to analyze Netflow data and report on it. It can produce visual graphs that are in near-real-time that show you what’s happening on your network. FlowScan can be deployed on a GNU/Linux or a BSD system. It uses several other packages in order to correctly collect and process flows. For instance, Cflowd is used as the flow collector. FlowScan is actually a Perl script that makes up the bulk of the software package. This component is responsible for loading and executing reports. One last major component is RRDtool, a popular tool for storing data in round-robin databases and plotting that data on graphs, which is used to store flow information and produce useful graphs.

Sample FlowScan Graph

Network administrators often find that they have either collected too little or too much data. Flow profiling as provided by FlowScan offers a pragmatic compromise between such extremes in data collection. Because flows aggregate data collected as packets travel across a given port or interface, they can be used as sort of an abbreviation for series of packets travelling between endpoints of interest. But this feature alone is insufficient for reliable continuous use: additional software tools are needed to define, parse, and analyze these flows. Those additional tools are included with FlowScan.

5. inMon sFlowTrend (Special Mention)

Although not a NetFlow collector and analyzer but rather one that handles sFlow, we felt that sFlowTrend deserved to be on this list. It can run on Linux and if your network’s components use sFlow rather than NetFlow, it is one of the best tool available. The tool is from inMon, the company behind sFlow. It is a basic and somewhat limited but very capable tool. The free version of the software lets you gather data from up to five sFlow-enabled switches, routers, or hosts and will only keep history data in RAM for up to an hour. It should be enough to troubleshoot most networking issues. And if you want to step thing up, you can upgrade to the pro version–at a cost, of course–which removes the number of devices limit and stores history data to disk.

sFlowTrend Screenshot

The sFlowTrend Dashboard tab provides a quick view of the current state of the monitored devices and networks, it includes top-level thresholds and interfaces with potential errors. When one clicks the Network tab, sflowTrend reveals summarized performance statistics and detailed traffic at the network or device level. Alerting thresholds can be defined. It lets you receive alerts when higher-than-usual bandwidth usage or network error happen. There’s even a root cause tab where you can drill down on the cause of an issue such as a threshold violation.

The Hosts tab is where you’ll find more detailed information about each device. It provides performance data on network, CPU, disk, etc, for sFlow-enabled servers–including virtual ones. Under the Services tab, you’ll find performance data for applications (including various web servers) that export sFlow data. On the Events tab, you’ll find a log of events like exceeded thresholds or detected errors. And finally, the Reports tab provides several predefined reports but it also supports creating custom reports. This is where you’ll go to run reports and then view their results.

sFlowTrend is written in Java and comes with both a Java-based or web-based user interface. It is available for Linux, Windows, and Mac. There’s also online help that’s available to assist you in configuring and using the tool. It is a great tool, especially for smaller organizations with sFlow-enabled equipment. And the upgrade path to the pro version makes it an equally valid choice for larger networks.

Wrapping Up

Although some of the very best NetFlow collectors and analyzers such as the SolarWinds NetFlow Traffic Analyzer will only run on Windows machines, there are still plenty of options available if your monitoring tool platform of choice is Linux. Between commercial products such as the ManageEngine NetFlow Analyzer or Plixer’s Scrutinizer and open source tools, there’s got to be one that will fit your needs perfectly.

All the products we’ve just reviewed are great options. Some may not be as full-featured or they may require a bit more work to set them up but any of them will do its job and do it well. And since they all offer some form of free trial—or are completely free, there’s no reason not to try a few of them and see for yourself which one is for you.

Leave a comment