NetFlow and SNMP: Differences and Best Tools to Use

It seems like networks often suffer from congestion and a handful of other problems linked to insufficient bandwidth or over-utilization. This is a fact of life when you’re a network administrator. At the same time, applications are handling more and more data and need to move it through the network. This puts an additional toll on network bandwidth, an already limited resource.

To avoid trouble, you need to keep a constant watch on the network and on how its utilization evolves. One of the best ways of doing that is to use a bandwidth monitoring tool. Two technologies are very common when it comes to monitoring network usage: NetFlow and SNMP. Today, we’re having a look at these two technologies and how they differ.

We’ll begin by discussing network monitoring in general. We’ll briefly explain what it is and the different types of monitoring that are typically available. Next, we’ll have a deeper look at the two main monitoring technologies available: the Simple Network Management Protocol (SNMP) and NetFlow. Without going into too many details, we’ll try to cover what’s important to know about each technology, how it works, and how it can be used to measure or calculate network bandwidth utilization. Once we’re all on the same page, we’ll first review some of the best SNMP monitoring tools available and follow with our top NetFlow collectors and analyzers.

About Network Monitoring

For a network administrator, congestion is the number one enemy. If you compare a network to a highway where traffic is the network’s data, network congestion is similar to traffic jams. But unlike automobile traffic—where congestion can easily be spotted by simply looking at the road—network traffic happens within cables, switches, and routers where it’s invisible. Furthermore, it all happens at blazing speeds. Even if it was visible, it would happen too fast for us to see it. This is why network monitoring tools are so important. They provide network administrators with the visibility they need to ensure things are running smoothly. They can identify congestion or other issues, allowing administrators to take the necessary measures to address the situation.

Another important benefit of network bandwidth monitoring tools is capacity planning. There is no way around the fact that network usage always grows over time. Just like disk space, the more you have, the more you need. While the current bandwidth of your network might be sufficient now, it will eventually need to be increased. By monitoring bandwidth usage, you’ll be able to plan the bandwidth upgrade before over-utilization becomes a problem.

Different Ways Of Monitoring Networks

There are several ways that network utilization can be monitored. One way, if your networking equipment supports it, is to have it send out flow data to a flow analyzer that will report on which users, which devices, and/or which applications are using the network. Alternatively, and this is often the preferred way of doing it, SNMP can be used. Its main advantage is that it’s built right into almost every networking device. SNMP is different from NetFlow as it works by polling devices rather than having them send out traffic information. Let’s briefly examine how each type of monitoring works.

SNMP

The Simple Network Management Protocol (SNMP) is a rather complex technology—despite its somewhat misleading name—which can be used to remotely monitor, configure and control different types of networking equipment. The best thing about SNMP, though, is that you don’t have to know everything about it to use it to monitor a network’s bandwidth utilization. For now, let’s just state that SNMP is used by monitoring tools to read interface traffic counters of networking devices and use that data to compute the bandwidth usage and graph its evolution over time.

It may sound complicated but it’s actually quite simple. After all, the “Simple” in SNMP might be there for a reason. Each network interface has a pair of counters (bytes in and bytes out) which are incremented as traffic enters or exits it. The SNMP protocol allows a monitoring tool to read these counters on a regular basis. Every five minutes is a common interval. Then, all the monitoring tool has to do is subtract the previous value of the counter from the current one to get the number of bytes sent or received during the polling interval. That number is then multiplied by 8 as there are 8 bits to a byte and we want the results in bits. Finally, that figure is divided by the number of seconds in the polling interval, giving the number of bits per second (bps).
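The calculation described above, as an added example that is not part of the original article. It goes slightly beyond the text by handling a counter that wraps around or resets between two polls; the `Sample` type, the function names and the `link_bps` parameter are assumptions made for this illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:              # hypothetical container for one SNMP poll result
    timestamp: float       # when the counter was read, in seconds
    octets: int            # value of ifInOctets or ifOutOctets (bytes)

def counter_delta(prev, curr, counter_bits=32):
    """Bytes counted between two reads, allowing for a single counter wrap."""
    if curr >= prev:
        return curr - prev
    return curr + (1 << counter_bits) - prev   # counter rolled over to zero

def bits_per_second(prev, curr, counter_bits=32, link_bps=None):
    """Average rate over the polling interval, or None if the sample is unusable."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    rate = counter_delta(prev.octets, curr.octets, counter_bits) * 8 / interval
    # A decrease that implies more traffic than the link can carry is a counter
    # reset (for example a device reboot), not a wrap: discard it instead of
    # graphing a false spike.
    if link_bps is not None and rate > link_bps:
        return None
    return rate

def max_rate_before_ambiguity(interval_s, counter_bits=32):
    """Above this sustained rate a counter can wrap more than once per poll."""
    return (1 << counter_bits) * 8 / interval_s
```

With five-minute polling, a 32-bit byte counter becomes ambiguous above roughly 114 Mbps, which is why the 64-bit `ifHCInOctets` and `ifHCOutOctets` counters are read on faster links (`counter_bits=64`).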

NetFlow

NetFlow was developed by Cisco Systems and was introduced on their routers to provide the ability to collect IP network traffic as it enters or exits an interface. The collected data is then analyzed to determine the source and destination of traffic, its type, and the eventual causes of congestion. There are three main components to the NetFlow technology:

  • The flow exporter aggregates packets into flows and exports flow records towards one or more flow collectors. This is the component that is running on the monitored devices.
  • The flow collector is responsible for reception, storage and pre-processing of flow data received from a flow exporter.
  • The flow analyzer is an application that is used to analyze received flow data. Analysis can be used for traffic profiling, or for network troubleshooting.

Routers, switches and any other device that supports NetFlow can be configured to output flow data in the form of flow records and send them to a NetFlow collector. A flow is a complete conversation in the IP sense. The device preparing flow records normally sends them to the collector when it determines that the flow is finished either through ageing—there has not been any traffic within a specific timeout—or when it sees a TCP session termination.

The flow record contains a lot of information about the flow. It includes the input and output interfaces, the start and finish timestamps of the flow, the number of bytes and packets it contains, the layer 3 headers, the source and destination IP address and port number, the IP protocol, and the TOS value. Flow records don’t contain the actual data that made up the flow. They only contain information about the flow. This is important from a security standpoint.

Except in huge multi-site environments, the flow collectors where the records are sent are often also the flow analyzers. They use the information contained in flow records to present data about network traffic in a way that is useful to network administrators.
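What a collector and analyzer do with those records, as an added example that is not part of the original article. It assumes NetFlow version 5, whose fixed 48-byte record carries the fields listed above; the function names are assumptions, and the sample datagram is constructed for the illustration.

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    # The record count comes from the sender, so check it against the real length.
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, packets, octets, first, last, sport,
         dport, _pad, tcp_flags, proto, tos) = RECORD.unpack_from(
            datagram, HEADER.size + i * RECORD.size)[:15]
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "in_if": in_if, "out_if": out_if, "packets": packets, "bytes": octets,
            "first_ms": first, "last_ms": last, "tcp_flags": tcp_flags,
        })
    return flows

def top_talkers(flows, n=3):
    """Total bytes per source address, largest first."""
    totals = Counter()
    for flow in flows:
        totals[flow["src"]] += flow["bytes"]
    return totals.most_common(n)

def _record(src, dst, sport, dport, proto, packets, octets):
    """Build one constructed v5 record (interface 1 to 2, 60 seconds long)."""
    return RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, bytes(4),
                       1, 2, packets, octets, 1000, 61000, sport, dport,
                       0, 0x1B if proto == 6 else 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram: a header announcing three records, then the records.
SAMPLE = HEADER.pack(5, 3, 3_600_000, 1_700_000_000, 0, 42, 0, 0, 0) + b"".join([
    _record("10.0.0.5", "192.0.2.10", 51000, 443, 6, 120, 150_000),
    _record("10.0.0.5", "192.0.2.20", 51001, 53, 17, 2, 180),
    _record("10.0.0.9", "192.0.2.10", 40000, 443, 6, 40, 52_000),
])

if __name__ == "__main__":
    for address, total in top_talkers(parse_v5(SAMPLE)):
        print(address, total)
```

Every field in the parsed record is metadata about the conversation; nothing in the datagram carries the payload of the traffic itself.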

While originally only available on Cisco devices, NetFlow is now present on devices from most major network equipment manufacturers. There’s even an IETF standard called IPFIX which is nothing more than a standardized version of NetFlow. sFlow, from InMon, is a slightly different technology although it serves a very similar purpose. Many NetFlow collectors and analyzers can also handle sFlow data.

Which One Should I Choose?

If you were hoping that we’d reveal that one is way better than the other, you’re in for a disappointment. Both technologies have merit and each has some advantages and disadvantages. In a nutshell, SNMP is a cruder technology that is very easy to set up and that can provide very useful quantitative information about network utilization.

On the other hand, NetFlow will provide more information. For instance, NetFlow analyzers typically feature reports listing the top talkers and listeners on a network or the top protocols. Contrary to SNMP which will tell you how much data is carried on your network, NetFlow will let you know what data is carried as well as to and from where. While the additional information is certainly useful, it could be overkill. Your best bet when choosing a monitoring technology is to try them both and see which one is the best fit for your needs.

The Best SNMP Monitoring Tools

1. SolarWinds Network Performance Monitor — (FREE TRIAL)

SolarWinds is one of the major players in the network administration tools field. The company has been around for some 20 years and has brought us some of the best network administration tools. It also has a solid reputation for making great free tools that, even though they are sometimes feature-limited, are still excellent tools. SolarWinds’ flagship product is called the Network Performance Monitor, or NPM. It is actually a suite of tools which includes one of the best SNMP network monitoring tools.

The SolarWinds Network Performance Monitor is a Windows application which, as you’d expect, uses SNMP to poll multiple network devices and gets traffic statistics from their interfaces. The results are shown visually on graphs depicting each interface’s usage statistics. You can add a device to the tool by simply specifying its IP address and SNMP community string. The tool will then query the device and list all the parameters that are available and let you decide which you want to include on your graphs. For example, a network switch will expose each interface’s traffic and error counters.

There are many more features to the Network Performance Monitor. One of the main ones is its scalability. The tool will work with small networks but will easily scale up to large networks consisting of tens of thousands of hosts spread out in multiple locations. NPM can also build network maps and display a visual representation of the critical path between two devices or services. For more details, you should visit the product’s page on the SolarWinds website.

One last thing: make use of the fully functional 30-day trial and test-drive the product before you buy.

2. ManageEngine SNMP Bandwidth Monitor

ManageEngine has complete and easy solutions for even the most difficult IT management problems. This bold statement is how the company describes itself, with reason. ManageEngine is known for its high-quality software, including several network monitoring tools.

ManageEngine also has some free tools available. One we particularly like is the SNMP Bandwidth Monitor. It is part of the ManageEngine free OpUtils bundle, which comprises a selection of some 16 network management utilities. The software runs on both Windows and Linux. You can get a free edition which allows monitoring up to 10 devices and their interfaces. ManageEngine also has a paid version with no device limitation, and it offers a free 30-day evaluation version of its full OpUtils software. In fact, the free version is first installed as a 30-day trial which reverts to limited features on the thirty-first day.

As far as configuring the tool goes, you simply specify a subnet to scan as well as the SNMP community string to use. The tool will then auto-discover devices on the specified subnet that are responding to the specified string. Once the devices are discovered, the inventory tab will let you view the status of each device’s interfaces. And of course, you can also display graphs of network bandwidth usage by unit of time.

Reporting is another of the tool’s strong suits. You can, for instance, create reports of bandwidth usage over the past 12 hours to one month. And finally, the tool’s alerting features leave nothing to be desired. You can set thresholds and be notified by email or SMS text messages when they’re exceeded.

3. PRTG Network Monitor

Paessler—another major player in the field of network monitoring tools—offers an excellent SNMP monitoring solution called PRTG Network Monitor. The main selling point of this product is how easy it is to install. According to Paessler, you can set it up in a couple of minutes. This may be an overstatement, though, and our experience reveals that it can take a bit longer than that to get it fully configured. But still, we have to admit that setting the product up was an exceptionally quick and easy experience.

And when it comes to PRTG’s features, they are impressive. First, you can choose between several different user interfaces. There’s a native Windows enterprise console, an Ajax-based web interface as well as mobile apps for Android and iOS. One feature of the mobile apps we particularly loved is the possibility to scan a QR code label that you can print from the software and affix to your devices to be instantly taken to the device’s graphs.

And talking about graphs, this is another area where PRTG shines. PRTG can do more than monitor and graph bandwidth utilization. It can record many more parameters using SNMP, WMI, NetFlow, and sFlow. The tool has some amazing reports which can be run on-demand or be scheduled and then be viewed as HTML or PDF. You can even export them to CSV or XML to be processed externally.

The Paessler website lets you choose between two different versions of PRTG. There’s the free version or the free 30-day trial version. The former will limit your monitoring ability to 100 sensors. Paessler counts each parameter that you want to monitor as one sensor. For example, monitoring bandwidth on each port of a 48-port switch will require 48 sensors. And if you also want to monitor the switch’s CPU and memory loads, you’ll need two more sensors.

The Best NetFlow Collectors And Analyzers

1. SolarWinds NetFlow Traffic Analyzer (Free Trial)

First on our list is another great product from SolarWinds called the SolarWinds NetFlow Traffic Analyzer. The product, which installs on top of the Network Performance Monitor reviewed above, is one of the best NetFlow collectors and analyzers you can find.

Some of the SolarWinds NetFlow Traffic Analyzer’s best features include:

  • Monitoring Bandwidth use by application, by protocol, and by IP address group.
  • Monitoring IPFIX, Cisco NetFlow, Juniper J-Flow, sFlow, and Huawei NetStream flow data allowing it to identify which devices, applications, and protocols are the highest bandwidth consumers.
  • Collecting traffic data, correlating it into a usable format, and presenting it to the user through a web-based interface for monitoring network traffic.
  • Identifying which applications and categories consume the most bandwidth for better network traffic visibility (including Cisco NBAR2 support).

The SolarWinds NetFlow Traffic Analyzer is an add-on to the Network Performance Monitor. You can save by acquiring both at the same time as the SolarWinds Network Bandwidth Analyzer Pack. Prices for the bundle start at $4,910 for monitoring up to 100 elements and vary according to the number of monitored devices. While this may seem a bit expensive, keep in mind that you’re getting not one but two of the best monitoring tools available.

If you’d prefer to try the product before purchasing it, a free 30-day trial can be downloaded from SolarWinds.

2. ManageEngine NetFlow Analyzer

The ManageEngine NetFlow Analyzer gives the network administrator a detailed view of network bandwidth utilization as well as traffic patterns. The product is controlled by a web-based interface and offers an impressive number of different views on your network.

You can, for instance, view traffic by application, by conversation, by protocol, and several more options. You can also set alerts to warn you of potential issues. For example, you can set a traffic threshold on a specific interface and be alerted whenever traffic exceeds it.

But most of the strength of the product comes from its reports and dashboard. The tool comes with several very useful pre-built reports that are specifically tailored for specific purposes such as troubleshooting, capacity planning or billing. But you’re not stuck with built-in reports as the tool also allows administrators to create custom reports to their liking.

As for the tool’s dashboard we mentioned, it is just as impressive as its reports. It includes several pie charts with things such as top applications, top protocols or top conversations. It can also display a heat map with the status of the monitored interfaces. And as you might have guessed, dashboards can be customized to include only the information you find useful. The dashboard is also where alerts are displayed in the form of pop-ups. And for the on-the-go network administrator, there’s a smartphone app that will let you access the dashboard and reports.

The ManageEngine NetFlow Analyzer supports most flow technologies including NetFlow (of course), IPFIX, J-flow, NetStream and a few others. As a bonus, the tool has excellent integration with Cisco devices, with support for adjusting traffic shaping and/or QoS policies right from the tool.

Like many competing products, the ManageEngine NetFlow Analyzer comes in two versions. The free version will be identical to the paid one for the first 30 days but it will then revert to monitoring only two interfaces or flows. While this is not much, it could be all that you need.

If you want the paid version, licenses are available in several sizes from 100 to 2500 interfaces or flows with prices varying from about $600 to over $50K plus annual maintenance fees.

3. Scrutinizer

Scrutinizer from Plixer is another great NetFlow Analyzer. In fact, it’s even more than that and many view it as a full incident response system. With its ability to monitor different flow types such as NetFlow, J-flow, NetStream, and IPFIX, you’re not limited to monitoring only Cisco devices.

With its hierarchical design, Scrutinizer offers streamlined and efficient data collection and allows you to start small and easily scale way up to many million flows per second. The network is often first blamed whenever something goes wrong. With Scrutinizer, you can quickly find the real cause of most network issues. Scrutinizer works in both physical and virtual environments and comes with advanced reporting features.

Scrutinizer comes in four license tiers that go from the basic free version to the full-fledged SCR level which can scale up to over 10 million flows per second. The free version is limited to 10 thousand flows per second and it will only keep raw flow data for 5 hours but it should be more than enough to troubleshoot network issues. You can also try any license tier for 30 days after which it will revert back to the free version. The tool is available as a hardware appliance or as a virtual appliance which can run on a Linux host through KVM.
