As networks grow and corporations rely on them more and more for their day-to-day operations, network monitoring is more important than ever. Network outages and slowdowns can have major impacts on organizations, so network administrators must use the proper tools to monitor their networks and troubleshoot the issues they find. Among all the available tools, several are released under open-source licences and can generally be obtained for free. Today, we’re having a look at some of the best open-source network monitoring tools.
We’ll start our discussion by talking about the need for network monitoring tools and the different types of tools that are available. We’ll see how bandwidth utilization monitors, network analysis systems and packet sniffers work and how they can be used to our benefit. Next, we’ll review the best open source tools in each of the three categories.
About Network Monitoring Tools
Network traffic is very similar to road traffic. Network circuits can be thought of as highways, and the data transported on them is like the vehicles travelling on that highway. But unlike road traffic, where you only have to look to see whether something is wrong and what it is, seeing what’s going on on a network can be tricky. For starters, everything is happening very fast, and data transported on a network is invisible to the naked eye.
Network monitoring tools let you “see” exactly what is going on on your network. With them, you’ll be able to measure each circuit’s utilization, analyze who and what is consuming bandwidth and drill down deep into network “conversations” to verify that everything is operating normally.
Different Types Of Monitoring Tools
There are basically three major types of network monitoring tools. Each one goes a little deeper than the previous and provides more details about the traffic. First, there are bandwidth utilization monitors. These tools will tell you how much data is transported on your network but that’s about it.
For more information, you need another type of tool, network analyzers. Those are tools that can give you some information on what exactly is going on. They won’t just tell you how much traffic is passing by. They can also tell you what type of traffic and between what hosts it is moving.
And for the most detail, you have packet sniffers. They do an in-depth analysis by capturing and decoding traffic. The information they provide will let you see exactly what’s going on and pinpoint issues with the greatest accuracy.
Bandwidth Usage Monitoring Tools
Most bandwidth utilization monitors rely on the Simple Network Management Protocol or SNMP to poll devices and get the amount of traffic on all–or some–of their interfaces. Using that data, they will often build graphs that depict the bandwidth utilization over time. Typically, they’ll allow one to zoom into a narrower time span where graph resolution is high and shows, for instance, 1-minute average traffic or zoom out to a longer time span–often up to a month or even a year–where it shows daily or weekly averages.
SNMP in a Nutshell
The Simple Network Management Protocol, or SNMP, can be used to remotely monitor and configure networking equipment. Despite its name, it is not exactly simple, and implementing it can prove to be a daunting task. SNMP-enabled devices expose a set of managed objects, each identified by an Object Identifier (OID) and described in a MIB. Some are modifiable configuration parameters while others are read-only counters. One caveat before you start polling: SNMPv1 and SNMPv2c authenticate requests with a community string sent in cleartext, so use SNMPv3 with authentication and encryption where your equipment supports it, replace any default community such as “public”, and give the monitoring host read-only access only.
When it comes to bandwidth monitoring, we’re specifically interested in two counters per interface: the input and output octet counters, ifInOctets and ifOutOctets (or their 64-bit counterparts ifHCInOctets and ifHCOutOctets) from the standard IF-MIB. By reading these values at precisely timed intervals, the number of bytes per unit of time, which is exactly what bandwidth is, can be computed. Most networking devices, like switches and routers, have one such pair of counters for each of their interfaces.
Typically, a network bandwidth utilization monitoring system will poll each device at 5-minute intervals. It then subtracts the previous value of the counter from the current one to get the number of bytes transferred in five minutes, multiplies that number by 8 to get the number of bits, and divides it by 300 to get the bandwidth in bits per second. Two details matter here. The counters are cumulative and wrap to zero when they overflow, so the poller must detect a wrap rather than report a negative rate. And a 32-bit octet counter on a saturated 1 Gbit/s link wraps in about 34 seconds, far less than the polling interval, so on fast interfaces you must poll the 64-bit HC counters (or poll far more often).
In addition to the octets in and octets out counters, some bandwidth monitoring systems let you monitor other parameters. For instance, the ifInErrors and ifOutErrors counters can be polled the same way to compute error rates, and ifInDiscards and ifOutDiscards show packets the device dropped.
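The arithmetic described above, as an added example written for this article (it is not code from MRTG, Cacti or any other tool reviewed here). It does not speak SNMP; it takes two successive readings of an interface’s octet counters, as a poller would obtain them, and turns them into a rate while handling the counter wrap that a naive subtraction gets wrong. The sample readings are constructed.

```python
"""Bandwidth from two SNMP counter readings.

Added example for this article, not code from MRTG, Cacti or any other
tool reviewed here. It does not speak SNMP; it shows the arithmetic a
poller applies to successive readings of the IF-MIB octet counters
(ifInOctets/ifOutOctets, 32-bit; ifHCInOctets/ifHCOutOctets, 64-bit),
including the counter wrap a naive subtraction gets wrong.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    """One poll of one interface: time in seconds plus the two raw counters."""
    ts: float
    in_octets: int
    out_octets: int


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Octets transferred between two readings of a cumulative counter.

    A counter that wrapped to zero reads lower than before; assuming at
    most one wrap occurred, the true delta is the distance to 2**bits
    plus the new reading.
    """
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def bits_per_second(prev: Sample, cur: Sample, bits: int = 32) -> tuple[float, float]:
    """(inbound, outbound) rate in bit/s between two polls, as a grapher plots it."""
    interval = cur.ts - prev.ts
    if interval <= 0:
        raise ValueError("samples must be in chronological order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, bits) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets, bits) * 8 / interval
    return in_bps, out_bps


def utilization_percent(bps: float, if_speed_bps: int) -> float:
    """Link utilization relative to ifSpeed (or ifHighSpeed * 1e6)."""
    return 100.0 * bps / if_speed_bps


def seconds_to_wrap(if_speed_bps: int, bits: int = 32) -> float:
    """Shortest time a counter of this width can take to wrap on a saturated link."""
    return (1 << bits) * 8 / if_speed_bps


def safe_to_poll(if_speed_bps: int, interval_s: float, bits: int = 32) -> bool:
    """True when at most one wrap can occur inside one polling interval,
    i.e. when counter_delta's single-wrap assumption holds."""
    return seconds_to_wrap(if_speed_bps, bits) > interval_s


# Constructed readings five minutes apart; the input counter wraps between them.
PREV = Sample(ts=0.0, in_octets=4_294_960_000, out_octets=1_000)
CUR = Sample(ts=300.0, in_octets=30_504, out_octets=37_501_000)
```

With the sample readings, the inbound counter has wrapped: a plain subtraction would give a negative number, while the wrap-aware delta gives 37,800 octets, or 1,008 bit/s. On a 1 Gbit/s link a 32-bit counter can wrap every 34 seconds, so safe_to_poll returns False for a 300-second interval unless the 64-bit counters are used.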
Network Traffic Analysis Tools
If you need to know more than the amount of traffic passing by, you need a more advanced monitoring system: what we refer to as a network analysis system. These systems rely on software built into the networking equipment that sends them detailed usage data. They can typically display top talkers and listeners, usage by source or destination address, usage by protocol or by application, and several other useful details about what is going on.
While some systems use software agents that you must install on target systems, most of them rely instead on standard protocols such as NetFlow, IPFIX, or sFlow. These are usually built into equipment and ready to use as soon as they are configured.
About Flow Analysis
NetFlow was developed by Cisco Systems, originally as a switching optimization: packets belonging to the same flow were matched against access control lists once, as a flow, rather than one by one. Engineers quickly realized that the flow cache this built up could be put to a different use by exporting its contents to a device that can analyze that information.
NetFlow uses a three-component architecture. The exporter which runs on the monitored device aggregates packets into flows and exports flow records to a flow collector. The flow collector handles the reception, storage and pre-processing of the flow data. Finally, the flow analyzer is used to analyze received flow data. Many systems combine the collector and analyzer in one device.
Once exclusive to Cisco devices, NetFlow is now commonly found on equipment from other manufacturers, sometimes under other names such as J-Flow on Juniper equipment. Its latest version, NetFlow v9, served as the basis for an IETF standard called IPFIX. There is also a competing system called sFlow from InMon, present on several brands of networking equipment, which samples packets rather than accounting for every one. And although NetFlow and sFlow are considerably different in the way they operate, many monitoring systems can handle both protocols. Keep in mind that these exports are typically sent over unauthenticated UDP: a collector should accept records only from the exporter addresses it expects, and while flow data carries no payloads, it still reveals who talks to whom and should be protected accordingly.
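The three components described above, as an added example written for this article (not code from nProbe, ntopng or Cisco): an exporter that serializes flow records into a NetFlow v5 datagram, a collector that validates and decodes it, and an analyzer that produces the “top talkers” view. The field layout is Cisco’s v5 format (a 24-byte header followed by 48-byte records); the flows, addresses and uptime values are constructed sample data.

```python
"""Decode NetFlow v5 datagrams and rank top talkers.

Added example for this article, not code from nProbe, ntopng or Cisco.
build_v5 plays the exporter, parse_v5 the collector and top_talkers the
analyzer from the three-component architecture described above. Field
layout is Cisco's NetFlow v5: a 24-byte header followed by up to 30
48-byte flow records. The flows below are constructed sample data.
"""
import struct
from collections import Counter
from ipaddress import IPv4Address

# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
HEADER = struct.Struct("!HHIIIIBBH")
# src, dst, nexthop, input, output, packets, octets, first, last, sport, dport,
# pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad2
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MAX_RECORDS = 30


def build_v5(flows, sys_uptime=120_000, unix_secs=1_700_000_000, sequence=0) -> bytes:
    """Exporter side: serialize (src, dst, proto, sport, dport, packets, octets) tuples."""
    if len(flows) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    header = HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    records = b"".join(
        RECORD.pack(
            IPv4Address(src).packed, IPv4Address(dst).packed, b"\x00" * 4,
            1, 2,                              # input / output ifIndex
            packets, octets,
            sys_uptime - 5_000, sys_uptime,    # first / last packet (ms of uptime)
            sport, dport,
            0, 0x18, proto, 0,                 # pad, TCP flags, protocol, ToS
            0, 0, 24, 24, 0,                   # src/dst AS, prefix lengths, pad
        )
        for src, dst, proto, sport, dport, packets, octets in flows
    )
    return header + records


def parse_v5(datagram: bytes) -> list[dict]:
    """Collector side: validate the datagram and decode its flow records.

    The length check matters because a collector listens on an open UDP
    port: a truncated or padded datagram must be rejected, not misread.
    """
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({
            "src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
            "packets": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    return flows


def top_talkers(flows, n=5):
    """Analyzer side: octets sent per source address, largest first."""
    totals = Counter()
    for flow in flows:
        totals[flow["src"]] += flow["octets"]
    return totals.most_common(n)


# Constructed sample flows: (src, dst, proto, sport, dport, packets, octets).
SAMPLE_FLOWS = [
    ("10.0.0.5", "203.0.113.10", 6, 51000, 443, 1200, 1_500_000),
    ("10.0.0.7", "203.0.113.10", 6, 51001, 443, 10, 8_000),
    ("10.0.0.5", "198.51.100.2", 17, 40000, 53, 3, 300),
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)
```

A real collector would receive SAMPLE_DATAGRAM from a UDP socket, check the sender’s address against its list of known exporters before calling parse_v5, and keep a sequence-number check per exporter to notice lost datagrams. Note that the parser never trusts the record count on its own: the datagram length must agree with it.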
For more information about network analysis systems, read our recent article: Best NetFlow Collectors and Analyzers For Windows: Reviewed in 2018.
How About Packet Sniffing?
If you need even more information about the traffic on your network, packet sniffers offer as much detail as can possibly be gathered. They work by capturing each and every packet and decoding it. They’ll allow you to see every detail of a specific conversation. They can be very helpful to pinpoint the exact source of a network issue.
For example, let’s say that users have been complaining that an application is much slower than usual. Since networks are often plagued with congestion, the users’ first reflex will be to blame the network. You check your bandwidth monitors and network analyzers and find no trace of congestion anywhere. That’s when you get out your packet sniffer and, by examining the traffic at the client, you see that for each request the client sends to the server, the response only comes back 10 seconds later. To rule out a network issue, you repeat the test by capturing at the server’s network interface and see the same behaviour: the request arrives promptly and the reply leaves 10 seconds later. This confirms that it is the server that is slow to respond and that there is nothing wrong with the network. Had the network been at fault, the two captures would disagree: the server-side capture would show a prompt reply that the client-side capture only receives much later.
The Best Open-Source Bandwidth Monitoring Tools
Because they are the most basic network monitoring tools and should be the first ones you deploy, let’s start with a quick review of the top open-source bandwidth monitoring tools. All of them use SNMP to periodically poll your network devices and create bandwidth utilization graphs, giving you some visibility on your network’s usage.
1. MRTG
The Multi Router Traffic Grapher, or MRTG, is kind of the granddaddy of all network bandwidth monitoring systems. It is an open-source project that’s been around since 1995. It is still in widespread use, despite the fact that the latest version is already some five years old. It is available for Linux and Windows. Initial setup and configuration are somewhat more complicated than what you’d experience with other monitoring systems, but excellent documentation is readily available.
Installing MRTG is a multi-step process and you need to carefully follow the setup instructions. Once installed, you configure the software by editing its configuration file. MRTG can be downloaded directly from the developer’s website. It is available as a .zip file for Windows or a tarball for Linux. As of this writing, the latest stable release is 2.17.4.
What MRTG lacks in user-friendliness, it gains in flexibility. Mostly written in Perl, it can easily be modified and adapted to one’s exact needs. And the fact that it was the first such monitoring system and is still around is a testament to its value.
2. Cacti
You may think of Cacti as MRTG on steroids. Flexible and versatile like its distant cousin, it is a more polished product and boasts a web-based user interface that makes configuring it very simple and intuitive. Cacti features a fast poller, advanced graph templates, several acquisition methods, and user management. It can scale up to networks of virtually any size, including multiple sites.
Cacti is actually a front end to RRDtool, an open-source, high-performance data logging and graphing system for time series data. RRDtool was written by the author of MRTG as a reimplementation of its storage and graphing engine. Cacti keeps its configuration (devices, data sources, graph templates and users) in a MySQL database, while the polled time series themselves live in RRDtool’s round-robin files. The web front end is written in PHP, as is the default poller; an optional C poller, Spine, is available for larger installations.
Configuring Cacti is easy. For example, adding a device requires you to enter its IP address or hostname and its SNMP community (or SNMPv3 credentials). The software will then discover the device’s interfaces and let you select which one(s) you want to create usage graphs for.
Visit the Cacti website for more information about this product or to download it. It is completely free for any usage.
3. Zabbix
Zabbix is a free and open-source product which can be used to monitor just about anything. The tool runs on a handful of Linux distributions, including Raspbian, the Raspberry Pi version of Linux, and it will monitor networks, servers, applications and services, and cloud-based environments. It features a highly professional look and feel, much like you’d expect from a commercial product. Good looks are not enough to be on our list, though. Fortunately, this product also boasts a broad feature set, scalability to very large installations, distributed monitoring through proxies, encrypted communication between its components, and high availability. It is a true enterprise-grade product.
Zabbix uses a combination of monitoring technologies. It supports SNMP monitoring as well as the Intelligent Platform Management Interface (IPMI) for server hardware. It can also do agent-based monitoring, with agents available for most platforms. For easy setup, there’s auto-discovery as well as out-of-the-box templates for many devices. The tool’s web-based user interface has several advanced features such as widget-based dashboards, graphs, network maps, slideshows, and drill-down reports.
The product also features a highly customizable alerting system which not only sends out notification messages containing runtime and inventory information but can also tailor them to the recipient’s role. It can also escalate problems according to flexible user-defined service levels. You can even let Zabbix fix some issues automatically by running remote commands in response to a problem.
4. Zenoss Core
Zenoss Core is probably not as popular as some of the other monitoring tools on this list, but it truly deserves its spot, mainly because of its feature set and professional look. The tool can monitor many things such as bandwidth utilization, traffic flows, or services like HTTP and FTP. It has a clean and simple user interface and its alerting system is excellent. One thing we particularly loved about it is its rather unique alert escalation: a second person is alerted if the first one does not respond within a predefined delay.
Not all is perfect though. Zenoss Core is one of the most complicated monitoring systems to install and set up. Installation is an entirely command-line driven process. Today’s network administrators are used to GUI installers, configuration wizards and auto-discovery engines. This could make the product’s installation seem a bit archaic. However, there is ample documentation available and the end result makes it worth the installation efforts.
The Best Open-Source Flow Analysis Tool
While bandwidth monitoring systems will show you how much your network is used, it still leaves you in the dark as to how it is used. For that kind of visibility, you need to deploy the next level of monitoring systems, flow analysis tools. These tools use NetFlow and its variants or sFlow to gather detailed information about what traffic is being transported on your network. Let’s have a look at one of the best open-source flow analysis tools one can find.
nProbe and ntopng
nProbe and ntopng are two related tools from ntop. ntopng is a web-based traffic analysis tool for monitoring networks based on flow data, while nProbe is a NetFlow and IPFIX exporter and collector. Together, they make for a very flexible analysis package. If you’re familiar with the Unix command ntop, ntopng is the next-generation GUI version of this ageless tool.
There’s a free community version of ntopng but you can also purchase the enterprise version. And while it can be expensive, it’s free to educational and non-profit organizations. As for nProbe, you can try it for free but it is limited to a total of 25 000 exported flows. Once you reach that–which can be sooner than you think–you’ll need to purchase a license.
ntopng boasts a web-based user interface which can present data in different ways such as top talkers, flows, hosts, devices, and interfaces. There are charts, tables, and graphs, many featuring drill-down options. The interface is very flexible and allows for a lot of customization.
The Best Open-Source Packet Sniffers
For the most detail on what’s happening on your network, packet sniffers are what you need. They work by capturing all data at a specific point on your network and let you decode each packet and follow the details of each “conversation”. The placement of a packet sniffer is in itself a complicated matter, as it directly determines what you can see; entire books have been written about it. Typically, a packet sniffer is set up to capture a server’s traffic by mirroring that server’s switch port to a free port on the same switch, where the sniffer is connected. Taps also exist that can be inserted between two devices and capture all traffic going by. Remember that a capture contains everything that crossed the wire, including any credentials and data sent in the clear, so limit who may run captures and treat saved capture files as sensitive. Let’s briefly discuss what the best five packet sniffers are.
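The decoding and conversation-following described here, and the slow-server investigation from the “How About Packet Sniffing?” section, as one added example written for this article (not Wireshark’s or any other sniffer’s code). It implements the core of a sniffer’s decoder (Ethernet, then IPv4, then TCP; IPv4 only, checksums not verified), measures how long the server takes to answer each client request, and re-times the same frames as a capture at the server’s own interface would see them. The frames, addresses and timestamps are constructed.

```python
"""Decode captured frames and time request/response pairs per connection.

Added example for this article, not Wireshark's or tcpdump's code. It
implements the core of a packet sniffer's decoder (Ethernet -> IPv4 -> TCP,
IPv4 only, checksums not verified) over constructed frames, measures how
long the server takes to answer each client request, and re-times the
same frames as a capture at the server's own interface would see them.
"""
import struct
from dataclasses import dataclass
from typing import Optional

ETH = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
IPV4 = struct.Struct("!BBHHHBBH4s4s")   # ver/ihl, tos, len, id, flags/frag, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")       # sport, dport, seq, ack, offset, flags, win, csum, urg
ETHERTYPE_IPV4, IPPROTO_TCP = 0x0800, 6


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    flags: int
    payload: bytes


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def decode(frame: bytes) -> Optional[Packet]:
    """Parse one Ethernet frame; None if it is not IPv4 carrying TCP."""
    _dst_mac, _src_mac, ethertype = ETH.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_IPV4:
        return None
    ip_off = ETH.size
    vihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = IPV4.unpack_from(frame, ip_off)
    ihl = (vihl & 0x0F) * 4              # IPv4 header length includes options
    if vihl >> 4 != 4 or ihl < 20 or proto != IPPROTO_TCP:
        return None
    tcp_off = ip_off + ihl
    sport, dport, _seq, _ack, doff, flags, _win, _tcsum, _urg = TCP.unpack_from(frame, tcp_off)
    data_off = (doff >> 4) * 4           # TCP header length, also with options
    payload = frame[tcp_off + data_off: ip_off + total_len]
    return Packet(ip_str(src), ip_str(dst), sport, dport, flags, payload)


def build_frame(src_ip, dst_ip, sport, dport, payload=b"", flags=0x18) -> bytes:
    """Constructed IPv4/TCP frame (zero checksums) for the sample capture."""
    ip_len = IPV4.size + TCP.size + len(payload)
    ip = IPV4.pack(0x45, 0, ip_len, 1, 0x4000, 64, IPPROTO_TCP, 0,
                   bytes(int(o) for o in src_ip.split(".")),
                   bytes(int(o) for o in dst_ip.split(".")))
    tcp = TCP.pack(sport, dport, 1, 1, 0x50, flags, 65535, 0, 0)
    return ETH.pack(b"\x02" * 6, b"\x04" * 6, ETHERTYPE_IPV4) + ip + tcp + payload


def response_delays(capture, server_ip: str, server_port: int) -> list:
    """Seconds between each client payload sent to the server and the server's
    next payload-bearing reply on the same connection; bare ACKs are ignored."""
    pending, delays = {}, []
    for ts, frame in capture:
        pkt = decode(frame)
        if pkt is None or not pkt.payload:
            continue
        if (pkt.dst_ip, pkt.dport) == (server_ip, server_port):
            pending.setdefault((pkt.src_ip, pkt.sport), ts)
        elif (pkt.src_ip, pkt.sport) == (server_ip, server_port):
            started = pending.pop((pkt.dst_ip, pkt.dport), None)
            if started is not None:
                delays.append(round(ts - started, 3))
    return delays


def as_seen_at_server(capture, server_ip: str, one_way_delay: float):
    """Re-time a client-side capture as the server's interface saw it: frames
    toward the server arrive later, frames from it were sent earlier."""
    shifted = []
    for ts, frame in capture:
        pkt = decode(frame)
        toward_server = pkt is not None and pkt.dst_ip == server_ip
        shifted.append((ts + one_way_delay if toward_server else ts - one_way_delay, frame))
    return shifted


CLIENT_IP, SERVER_IP, SERVER_PORT = "10.0.0.5", "203.0.113.10", 80
# Constructed capture from the client's mirrored switch port (timestamps in seconds).
CLIENT_SIDE_CAPTURE = [
    (0.000, build_frame(CLIENT_IP, SERVER_IP, 51000, SERVER_PORT, b"GET / HTTP/1.1\r\n\r\n")),
    (0.001, build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, 51000, flags=0x10)),  # bare ACK
    (10.004, build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, 51000, b"HTTP/1.1 200 OK\r\n")),
    (12.000, build_frame(CLIENT_IP, SERVER_IP, 51000, SERVER_PORT, b"GET /x HTTP/1.1\r\n\r\n")),
    (22.010, build_frame(SERVER_IP, CLIENT_IP, SERVER_PORT, 51000, b"HTTP/1.1 200 OK\r\n")),
]
```

On the constructed capture, response_delays reports roughly 10 seconds per request at the client, and as_seen_at_server shows that with a sub-millisecond one-way delay the server-side view is the same: the time is spent inside the server, not on the wire. A real sniffer feeds decode with frames read from a mirror port or a pcap file; the decoder here stops at IPv4/TCP and does not reassemble streams.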
1. Wireshark
Wireshark has been around for ages. It started in the last century. And today, it is still “the world’s foremost and widely-used network protocol analyzer”. It is the de facto standard for many enterprises, government agencies, and educational institutions.
Among the product’s main features you’ll find the possibility to do live capture and offline analysis. Wireshark also supports the deep inspection of hundreds of protocols, with more being added all the time. It also has the most powerful display filters in the industry. The product will run on Windows, Linux, macOS, Solaris, FreeBSD, NetBSD, and many others.
2. EtherApe
EtherApe is another open-source project, like Wireshark and tcpdump. However, it uses a more graphical representation of traffic and is most useful for pinpointing the source of heavy traffic causing network congestion. Strictly speaking, EtherApe is not really a packet sniffer, in that it won’t decode packets or even list captured packets in a table.
Instead, EtherApe takes a graphical approach. It depicts your network as a circle with each host on its border. Within the circle, there’s a line between any two hosts that are communicating. The lines are colour-coded by type of traffic and their thickness shows the amount of traffic. It is a very different tool to learn and use, but it provides a different way of viewing traffic which has proven useful more than once.