There are several types of network monitoring available. One of them, possibly the most common, is SNMP monitoring. It can be used to give administrators a rather clear picture of how much data is carried over the networks they manage. But when they want a more detailed picture—such as learning WHAT the traffic is rather than just HOW MUCH there is—they have to turn to a different technology.
NetFlow, a monitoring technology developed by Cisco and introduced a while back on the manufacturer’s devices has become the de facto standard when it comes to qualitative network monitoring. NetFlow monitoring tools can be expensive and out of the reach of many smaller businesses. Fortunately, several open-source NetFlow software packages are available and we’re about to review them.
We’ll begin our journey by having a look at network monitoring in general. We’ll follow with a discussion on the different types of monitoring, specifically concentrating on bandwidth monitoring and traffic analysis. Next, without going too technical, we’ll have an in-depth look at the NetFlow technology, what it is and how it works.
We’ll discuss some similar technologies that are also available before we get to the core of our subject, the actual open-source NetFlow tools which are available. While some of the tools are relatively limited in terms of what they can accomplish or can be harder to configure than some paid packages, all provide some genuinely interesting functionality.
About Network Monitoring
Network traffic is very similar to road traffic. Just like network circuits can be thought of as highways, data transported on networks are like vehicles travelling on that highway. But as opposed to vehicular traffic where you just have to look to see if and what is wrong, seeing what’s happening on a network can be tricky. For starters, everything is happening very fast and data transported on a network is invisible to the naked eye.
Network monitoring tools let you “see” exactly what is going on in your network. With them, you’ll be able to measure each circuit’s utilization, analyze who and what is consuming bandwidth and drill down deep into network “conversations” to verify that everything is operating normally.
Different Types Of Monitoring Tools
There are basically three major types of network monitoring tools. Each one goes a little deeper than the previous and provides more details about the traffic. First, there are bandwidth utilization monitors. These tools will tell you how much data is transported on your network but that’s about it.
To get more information about the network, you need another type of tool, network analyzers. Those are tools that can give you some information on what exactly is going on. They won’t just tell you how much traffic is passing by. They can also tell you what type of traffic and between what hosts it is moving.
And for the most detail, you have packet sniffers. They do an in-depth analysis by capturing and decoding traffic. The information they provide will let you see exactly what’s going on and pinpoint issues with the greatest accuracy. As useful as they are, they are beyond the scope of this post.
Bandwidth Usage Monitoring Tools
Most bandwidth utilization monitors rely on the Simple Network Management Protocol, or SNMP, to poll devices and get the amount of traffic on all–or some–of their interfaces. Using that data, they will often build graphs that depict the bandwidth utilization over time. Typically, they’ll allow one to zoom into a narrower time span where graph resolution is high and shows, for instance, 1-minute average traffic or zoom out to a longer time span–often up to a month or even a year–where it shows daily or weekly averages.
Network Traffic Analysis Tools
If you need to know more than the amount of traffic passing by, you need a more advanced monitoring system. What you need is what we refer to as a network analysis system. These systems rely on software that’s built into networking equipment to send them detailed usage data. These systems can typically display top talkers and listeners, usage by source or destination address, usage by protocol or by application and several other useful information about what is going on.
While some systems use software agents that you must install on target systems, most of them rely instead on standard protocols such as NetFlow, IPFIX, or sFlow. These are usually built into equipment and ready to use as soon as they are configured.
NetFlow In A Nutshell
NetFlow was developed by Cisco Systems and was introduced on their routers to provide the ability to collect IP network traffic as it enters or exits an interface. The collected data is then analyzed by network administrators to help determine the source and destination of traffic, the class of service, and the causes of congestion. There are three main components to the NetFlow technology:
- The flow exporter aggregates packets into flows and exports flow records towards one or more flow collectors. This is the component that is running on the monitored devices.
- As for the flow collector, it is responsible for reception, storage and pre-processing of flow data received from a flow exporter.
- Last but not least, the flow analyzer is an application that is used to analyze received flow data. Analysis can be used for traffic profiling, or for network troubleshooting.
How It Works
Routers, switches and any other device that supports NetFlow can be configured to output flow data in the form of flow records and send them to a NetFlow collector. A flow is a complete conversation in the IP sense. The device preparing flow records normally sends them to the collector when it determines that the flow is finished either through ageing–there has not been any traffic within a specific timeout–or when it sees a TCP session termination.
The flow record contains a lot of information about the flow. It includes the input and output interfaces, the start and finish timestamps of the flow, the number of bytes and packets it contains, the layer 3 headers, the source and destination IP address and port number, the IP protocol, and the TOS value. Flow records don’t contain the actual data that made up the flow. The only contain information about the flow. This is important from a security standpoint.
Except in huge multi-site environments, the flow collectors where the records are sent are often also the flow analyzers. They use the information contained in flow records to present data about network traffic in a way that is useful to network administrators. Different NetFlow collectors and analyzers will have different ways of presenting data. This is where our list of the best NetFlow collectors and analyzers will come in handy.
Other Similar Technologies
Various versions and adaptations of NetFlow do exist and some are known under a different name. In fact, many of those are used under license from Cisco. There are also true alternatives to NetFlow, the two best-known are sFlow and IPFIX. The latter is heavily based on the latest version of NetFlow except that it is an IETF standard. In fact, there are many reasons to believe that Cisco might even eventually replace NetFlow with IPFIX. As for sFlow, it is a different, competing system. Its goal and general principles of operation are similar but different. Some NetFlow analyzers will also work with sFlow but, generally speaking, users of one don’t use the other.
The Top Open-Source NetFlow Software
SolarWinds is one of the best-known players in the network administration tools field. The company has been around for some 20 years, bringing us some of the best network administration tools. It has also acquired a solid reputation for making great free tools that, even though they are sometimes feature-limited, are still excellent tools. One such tool is the free Real-Time NetFlow Analyzer. Although this is not an open-source tool, it is completely free and is well worth looking into. This tool might not be quite as complete and full-featured as its big brother, the SolarWinds NetFlow Traffic Analyzer, this product gives you the same basic functionality.
- FREE DOWNLOAD: SolarWinds Real-time NetFlow Analyzer
- Official Download Link: https://www.solarwinds.com/free-tools/real-time-netflow-analyzer/registration
The tool can capture and analyze Appflow, NetFlow, JFlow, and sFlow data in real-time. And it will show you exactly the types of traffic on your network, where it’s is coming from, and where it’s going to. You can also use it to diagnose traffic spikes and troubleshoot bandwidth issues.
Here are some of the Real-time NetFlow Analyzer’s primary features:
- Identify which users, devices, and applications are consuming the most bandwidth
- Isolate network traffic by conversation, app, domain, endpoint, and protocol
- View network traffic by type and specified time periods
The tool, like most other SolarWinds tools, installs easily via a standard Windows setup wizard. And once installed, a NetFlow Configurator is included to help you with the configuration of devices that support various NetFlow variants.
This free software has some limitations when compared to its bigger brother, though. For instance, its primary focus is the current and recent state of your network. As such, it can only collect data from one NetFlow interface and will only keep and analyze the last 60 minutes of data.
FlowScan is a sort of visualization tool that you typically use to analyze NetFlow data and report on it. It can produce visual graphs that are generated in near-real-time and that show you the current state of your network. FlowScan can be deployed on most GNU/Linux or BSD systems. It relies on several other packages in order to correctly collect and process flows. For example, Cflowd is used as the flow collector. FlowScan is mainly composed of a Perl script that makes up the bulk of the software package. This component is responsible for loading and executing reports. Another major component of the software is RRDtool, a popular tool used for storing data in round-robin databases and plotting that data on graphs. FlowSanc uses it to store flow information and produce useful graphs.
Network administrators often realize that they have either collected too little or too much data. Flow profiling, as available in FlowScan, offers an interesting compromise between these extremes in data collection. Because flows aggregate data collected as packets travel across a given port or interface, they can be used as a sort of summary for series of packets travelling between endpoints of interest. However, this feature alone is insufficient for reliable continuous use. Additional software tools are needed to define, parse, and analyze these flows. Those additional tools are included with FlowScan.
3. nProbe and ntopng
nProbe and ntopng are somewhat advanced–and therefore somewhat complicated–open-source tools. Ntopng is a web-based traffic analysis tool for monitoring networks based on flow data while nProbe is a NetFlow and IPFIX exporter and collector. Together, they make for a very flexible analysis package. If you’ve administered Linux networks before, you might already be familiar with ntop. In that case, you’ll be glad to know that ntopng is a next-generation GUI version of this ageless tool.
There’s a free community version of ntopng however, you can also purchase an enterprise version of the product. It can be expensive but it is free to educational and non-profit organizations. As for nProbe, you can try it for free but it is limited to a total of 25 000 exported flows. To go beyond that, you’ll need to purchase a license.
Like most modern network analysis tools, ntopng features a web-based user interface which can present data by traffic-such as top talkers, flows, hosts, devices, and interfaces. It has a mix of charts, tables, and graphs, most of them featuring drill-down options that let you explore them in greater depth. The user interface is very flexible and allows for a lot of customization.
Flow-tools is a toolset for working with NetFlow data. More precisely, it is a library combined with a collection of programs used to collect, send, process, and generate reports from NetFlow data. The tools can be used together on a single server or distributed to multiple servers for larger deployments. The Flow-Tools library also provides an API for the development of custom applications for NetFlow export versions 1, 5, 6, and the 14 currently defined version 8 sub-versions.
This project is a fork of the old and mostly defunct OSU flow-tools project. this is not the most active project out there and the latest version dates back to some nine years ago. However, if you’re looking for a simple tool and are willing to put the efforts required to set it up, this may be a great tool to consider.
NFsen, which is short for Netflow Sensor, is a web-based front-end tool for nfdump. It is typically used to display a nice and user-friendly graphical image of the data that nfdump generates, including NetFlow data. You have the ability to generate reports of your NetFlow data with all sorts of information including—but not limited to—flows, packets and bytes using RRD database tool. Furthermore, you can also set up alerts and view historical data.
The NFsen project is still very active and the software can be downloaded from its Sourceforge page. It will run on any Unix/Linux systems. You’ll need to previously set up PHP, PERL (along with Perl Mail::Header and Mail::Internet modules), RRD Tools module and NFDump tools installed on your system in order to use it correctly.
pmGraph is yet another excellent open-source tool for graphing and monitoring bandwidth. It is designed to complement pmacct, a network monitoring and auditing tool. The two tools are supplied together as a Debian package, and instructions for installing pmGraph cover the installation of both tools. pmacct collects and monitors traffic using Netflow or Sflow on networking devices (including firewalls, routers and switches) into a database and allows for analysis of the collected data using pmGraph.
pmGraph was developed by staff and volunteers from Aptivate, the digital agency for international development, to be a flexible and powerful tool for network and systems administrators, with advanced user-friendly graphing capabilities. Here’s a rundown of the product’s primary features:
- User-friendly and simple interface
- Displays information about the connections between remote and local machines, and ports used
- Hostname resolution using DNS and DHCP servers
- Shows usage for a specific IP address or port
- Configurable number of results
pmGraph is a platform-independent software which has been developed in Java and is designed to work in a servlet container such as Tomcat, which is available for all common platforms. pmGraph is very lightweight and requires only 8 MB of disk space. However, it relies on external, bulkier programs. If you don’t already have Tomcat, Java, and MySQL server, you will have to install them as well, taking up to around 300 MB of disk space, still not a lot of space. These components will be installed for you if you use the package installation and you can install pmGraph without learning much about them.