Flow analysis is the new wave in network monitoring. It gives administrators and managers a clearer view not only of how much traffic is flowing but also of what kind of traffic it is. When debugging bottlenecks, slowdowns or all sorts of networking issues, that kind of visibility is essential. And it’s not just for debugging: clear visibility is also important for capacity planning. Today, we’re having a look at the best free sFlow collectors and analyzers on the market. Similar to Cisco’s NetFlow or its open descendant IPFIX, but at the same time very different, sFlow, an (almost) vendor-independent protocol, can give network admins a detailed view of what’s going on on their networks.
There are several ways you can get some degree of visibility over what’s happening on your network. The Simple Network Management Protocol, or SNMP, can be used to read counters on devices and calculate each interface’s bandwidth utilization. This can be sufficient for smaller networks. Ping, traceroute (or tracert), nmap, and netstat can help with basic troubleshooting but, for the complete picture, nothing beats flow analysis.
In this article, we’ll begin by discussing what sFlow is, how it works and how it can be useful. We’ll also compare it to NetFlow, a distant cousin of sFlow. Although sFlow and NetFlow collectors and analyzers are often one and the same, you’ll see that the two protocols are actually very different. We’ll then proceed with our top five best free sFlow collectors and analyzers.
What Is sFlow?
The “S” in sFlow stands for “sampling”. This is crucial to its operation and, as we shall soon see, is how it differs from other flow analysis systems. Most of the magic of sFlow happens within the monitored devices themselves. This is why it will only work on sFlow-enabled devices. Fortunately, there are many such devices, especially amongst the major networking equipment manufacturers.
Although the sFlow.org consortium now maintains the standard, sFlow is the brainchild of inMon Corporation, which still exercises almost absolute control over the evolution of the system. Major equipment manufacturers such as Alcatel-Lucent, Brocade, Aruba, Cisco, Dell, Hewlett Packard, IBM, and many more include sFlow support in much of their switching equipment. In fact, over 300 manufacturers include sFlow in their products.
sFlow’s primary goal is to monitor high-speed networks. It is a stateless packet sampling protocol. The “Flow” part of the protocol’s name might be misleading, as sFlow actually has no notion of aggregating data packets into higher-level flows. It only works in terms of packets.
At its root, sFlow does general packet sampling that spans the network layers up to layer 7. Running within the networking device, the sFlow exporter collects the leading bytes (the headers) of a subset of all the packets passing through an interface. The sampling rate setting lets managers choose to sample, on average, one packet out of every N; the exporter picks those packets at random rather than strictly every Nth one. The exporter then assembles the initial bytes of each sampled packet together with device counters and sends them out to the sFlow collector as an sFlow datagram over UDP. The device does not cache any of the data or sampled packets, thereby reducing resource usage and making it easy to scale up to high-speed networks.
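To make the datagram format described above concrete, here is an added example (not code from the article, sFlow.org or any of the products reviewed below) that parses an sFlow v5 datagram the way a collector would and then scales each sampled frame by the sampling rate to estimate which conversations are carrying the most bytes. It assumes the public sFlow v5 wire layout (big-endian 32-bit fields, agent address type 1 = IPv4, flow sample format 1 carrying a raw packet header record of format 1; any other sample format is skipped by its declared length). The datagram is constructed in memory to stand in for one received on the collector’s UDP socket, and every length field is bounds-checked because nothing arriving on that unauthenticated socket can be trusted.

```python
"""sFlow v5 datagram parser plus sampling-rate-scaled top-talker estimate.
Added example; assumes the public sFlow v5 layout, input is a constructed datagram."""
import struct
from collections import defaultdict

SFLOW_VERSION = 5
FLOW_SAMPLE = 1            # sample data format: enterprise 0, format 1
RAW_PACKET_HEADER = 1      # flow record format 1
HEADER_PROTO_ETHERNET = 1  # header_protocol value for Ethernet frames


def parse_datagram(data):
    """Return (agent_ip, samples); raise ValueError on any malformed length."""
    off = 0

    def u32():
        nonlocal off
        if off + 4 > len(data):
            raise ValueError("truncated datagram")
        (value,) = struct.unpack_from(">I", data, off)
        off += 4
        return value

    if u32() != SFLOW_VERSION:
        raise ValueError("unsupported sFlow version")
    if u32() != 1:
        raise ValueError("only IPv4 agent addresses handled in this example")
    agent_ip = ".".join(str(b) for b in data[off:off + 4])
    off += 4
    _sub_agent, _seq, _uptime = u32(), u32(), u32()
    samples = []
    for _ in range(u32()):                       # number of samples in datagram
        sample_type, sample_len = u32(), u32()
        end = off + sample_len
        if end > len(data):
            raise ValueError("sample length exceeds datagram")
        if sample_type == FLOW_SAMPLE:
            _seq, _source_id = u32(), u32()
            rate, _pool, _drops, _in_if, _out_if = u32(), u32(), u32(), u32(), u32()
            records = []
            for _ in range(u32()):               # number of flow records
                rec_type, rec_len = u32(), u32()
                if off + rec_len > end:
                    raise ValueError("record length exceeds sample")
                if rec_type == RAW_PACKET_HEADER and rec_len >= 16:
                    proto, frame_len, _stripped, hdr_len = struct.unpack_from(">IIII", data, off)
                    if 16 + hdr_len > rec_len:
                        raise ValueError("header length exceeds record")
                    header = data[off + 16:off + 16 + hdr_len]
                    records.append({"proto": proto, "frame_len": frame_len, "header": header})
                off += rec_len                   # unknown record types are skipped
            samples.append({"type": "flow", "rate": rate, "records": records})
        else:                                    # e.g. counter samples: skipped here
            samples.append({"type": "other", "format": sample_type})
        off = end
    return agent_ip, samples


def ipv4_endpoints(header):
    """(src, dst) from an Ethernet II + IPv4 header, or None if it is not one."""
    if len(header) < 34 or header[12:14] != b"\x08\x00":
        return None
    return (".".join(str(b) for b in header[26:30]), ".".join(str(b) for b in header[30:34]))


def estimate_bytes(samples):
    """A frame sampled at 1-in-N stands for roughly N frames of that conversation."""
    totals = defaultdict(int)
    for s in samples:
        if s["type"] != "flow":
            continue
        for rec in s["records"]:
            ends = ipv4_endpoints(rec["header"])
            if ends:
                totals[ends] += rec["frame_len"] * s["rate"]
    return dict(totals)


def top_talkers(datagram):
    agent, samples = parse_datagram(datagram)
    return agent, sorted(estimate_bytes(samples).items(), key=lambda kv: -kv[1])


# --- constructed datagram (builders only exist to feed the parser) ---------
def _ethernet_ipv4_header(src, dst, ip_total_len):
    ipv4 = (b"\x45\x00" + struct.pack(">H", ip_total_len) + bytes(4) + b"\x40\x06\x00\x00"
            + bytes(int(x) for x in src.split(".")) + bytes(int(x) for x in dst.split(".")))
    return bytes(12) + b"\x08\x00" + ipv4         # zero MACs, EtherType IPv4, 20-byte IPv4


def build_flow_sample(rate, frames):
    """frames: list of (src_ip, dst_ip, frame_len)."""
    recs = b""
    for src, dst, frame_len in frames:
        hdr = _ethernet_ipv4_header(src, dst, frame_len - 14)
        body = struct.pack(">IIII", HEADER_PROTO_ETHERNET, frame_len, 4, len(hdr)) + hdr
        body += bytes(-len(body) % 4)             # XDR pads opaque data to 4 bytes
        recs += struct.pack(">II", RAW_PACKET_HEADER, len(body)) + body
    sample = struct.pack(">IIIIIIII", 1, 3, rate, 8192, 0, 3, 7, len(frames)) + recs
    return struct.pack(">II", FLOW_SAMPLE, len(sample)) + sample


def build_datagram(agent_ip, samples):
    agent = bytes(int(x) for x in agent_ip.split("."))
    return (struct.pack(">II", SFLOW_VERSION, 1) + agent
            + struct.pack(">IIII", 0, 42, 123456, len(samples)) + b"".join(samples))


DEMO_DATAGRAM = build_datagram("192.0.2.1", [
    build_flow_sample(256, [("10.0.0.5", "203.0.113.9", 1514),
                            ("10.0.0.5", "203.0.113.9", 1514),
                            ("192.168.1.2", "10.0.0.5", 64)]),
    struct.pack(">II", 99, 8) + bytes(8),         # unknown sample type, skipped by length
])

if __name__ == "__main__":
    agent, talkers = top_talkers(DEMO_DATAGRAM)
    for (src, dst), est in talkers:
        print(f"{agent}: {src} -> {dst} ~{est} bytes")
```

With a 1-in-256 rate, the two 1514-byte frames between 10.0.0.5 and 203.0.113.9 are scaled to an estimate of 775168 bytes, which is exactly the point of the protocol: the collector never sees every packet, it reconstructs volumes from the sampling rate carried in each flow sample. The unknown sample appended at the end shows why every sample carries its own length; a collector can step over formats it does not understand without losing its place, but only if it checks that length against the buffer first.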
sFlow vs NetFlow: What’s The Difference?
Despite their similar names and despite the fact that many collectors and analyzers can work with both NetFlow and sFlow, the two are actually very different, especially in the way each accomplishes its task.
Avi Freedman, co-founder and CEO of Kentik, makes the following analogy to monitoring road traffic which summarizes quite well the difference between NetFlow and sFlow: “… while NetFlow can be described as observing traffic patterns (‘How many buses went from here to there?’), with sFlow you’re just taking snapshots of whatever cars or buses happen to be going by at that particular moment.” While this is a great analogy, it is also somewhat misleading in that it can lead one to believe that NetFlow provides more information than sFlow and is therefore better.
While it is probably true that you get more information from NetFlow than you get from sFlow, that doesn’t necessarily make it a better protocol. For starters, NetFlow’s resource usage (memory and CPU) is much higher than sFlow’s. This would tend to make sFlow a more interesting option for lower-end devices. There’s also the whole aspect of how much information is too much information. Yes, NetFlow might collect more information, but do you need it? And is your analyzer even capable of using it?
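The resource argument above comes down to state: a flow exporter must keep a record per active conversation until that conversation ends, while a packet sampler decides per packet and forgets it immediately. The following added example (not from the article or any of the products below) runs both models over the same constructed packet stream, one long transfer interleaved with many short two-packet exchanges, and reports the peak number of cache entries each needs. Both models are deliberately simplified (no active timeout, no cache size cap) and the traffic is synthetic.

```python
"""Stateless 1-in-N packet sampling (sFlow's model) versus a 5-tuple flow cache
(NetFlow's model) over one constructed packet stream.  Added example."""
import random


def make_stream(bulk_packets=2000):
    """Constructed traffic: one bulk transfer, plus a short two-packet exchange
    from a fresh client after every second bulk packet."""
    packets, t = [], 0.0
    for i in range(bulk_packets):
        packets.append({"t": t, "src": "10.0.0.5", "dst": "203.0.113.9",
                        "sport": 50000, "dport": 443, "proto": 6, "len": 1514})
        t += 0.001
        if i % 2 == 0:
            k = i // 2
            client = f"192.168.{k // 250}.{k % 250 + 1}"
            for length in (78, 1200):
                packets.append({"t": t, "src": client, "dst": "10.0.0.5",
                                "sport": 40000 + k, "dport": 80, "proto": 6, "len": length})
                t += 0.0005
    return packets


def sflow_sampler(packets, rate, seed=7):
    """Stateless: each packet is kept with probability 1/rate and emitted at
    once.  Returns (emitted_samples, peak_state_entries)."""
    rng = random.Random(seed)
    emitted = [(p["src"], p["dst"], p["len"]) for p in packets if rng.randrange(rate) == 0]
    return emitted, 0  # nothing is remembered between packets


def flow_cache(packets, idle_timeout):
    """Stateful: every packet updates a record keyed by its 5-tuple; the record
    stays in memory until the flow is idle.  Returns (exported_flows, peak_entries)."""
    cache, exported, peak = {}, [], 0
    for p in packets:
        now = p["t"]
        for key in [k for k, v in cache.items() if now - v["last"] > idle_timeout]:
            exported.append(cache.pop(key))
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        rec = cache.setdefault(key, {"key": key, "bytes": 0, "pkts": 0, "first": now, "last": now})
        rec["bytes"] += p["len"]
        rec["pkts"] += 1
        rec["last"] = now
        peak = max(peak, len(cache))
    exported.extend(cache.values())  # flush whatever is still active
    return exported, peak


def compare(rate=32, idle_timeout=0.5):
    packets = make_stream()
    samples, sampler_state = sflow_sampler(packets, rate)
    flows, cache_peak = flow_cache(packets, idle_timeout)
    return {
        "packets": len(packets),
        "true_bytes": sum(p["len"] for p in packets),
        "sflow_samples": len(samples),
        "sflow_estimate": sum(length for _, _, length in samples) * rate,
        "sflow_state": sampler_state,
        "netflow_flows": len(flows),
        "netflow_bytes": sum(f["bytes"] for f in flows),
        "netflow_peak_entries": cache_peak,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>22}: {value}")
```

The flow cache reports byte counts that are exact but has to hold an entry for every conversation alive within the idle timeout, so its memory grows with the number of concurrent flows (the many short client exchanges, not the one big transfer, are what fill it). The sampler holds no state at all and its byte figure is an estimate whose accuracy depends only on how many samples were taken, which is the trade-off the paragraph above describes.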
The Big Question: Should I Use NetFlow or sFlow?
Asking the question is easy but providing a good answer is next to impossible. As we said earlier, many collectors and analyzers will handle both NetFlow and sFlow information. And there’s a good number of networking devices that will also support both protocols, making the selection of one over the other even harder. The main deciding factor should probably be what your equipment supports.
But do you really have to pick sides? Both NetFlow and sFlow are excellent systems. Why not, then, use both with a collector and analyzer that supports both? You’ll be able to have detailed flow data from your sFlow-enabled devices and your NetFlow-enabled devices alike.
What about devices that have both protocols built in? Many Cisco devices, for instance, can use either. In these situations, I’d be tempted to recommend using sFlow, as its resource usage is lower. Unless, of course, you have some use for the extra information that NetFlow can provide.
The Best Free sFlow Collectors And Analyzers
We’ve searched the Internet for the best free sFlow collectors and analyzers. Amongst those we found, a few are truly free packages. Others are commercial software that either offer a free trial or a scaled-down free version. Also, some will only support sFlow while others will work with both sFlow and NetFlow, making them even more versatile. We’ve reviewed each of the top five packages and we’re presenting our findings. Here’s the list of our top 5 packages.
- SolarWinds sFlow Collector and Analyzer
- inMon sFlowTrend
- ManageEngine NetFlow Analyzer
- ntopng and nProbe
- Plixer Scrutinizer
1. SolarWinds sFlow Collector and Analyzer
SolarWinds is a well-known name in the network management arena. The company makes some of the best software for helping net admins get better visibility over what’s happening with their equipment. Their flagship product is called the Network Performance Monitor.
SolarWinds is also known for making a wide range of free and useful products. They range from IP address calculators that help beginners figure out subnets and host addresses to complete, albeit limited, monitoring systems of different kinds. One such product, the SolarWinds Real-Time NetFlow Analyzer, was featured in a previous article. You might want to read it for all the details.
But today’s article is about sFlow rather than NetFlow. And while SolarWinds doesn’t have a free sFlow equivalent to their Real-Time NetFlow Analyzer, it has the sFlow Collector and Analyzer as a feature of its NetFlow Traffic Analyzer, or NTA. The latter is a module of the Network Performance Monitor, or NPM. And while neither NTA nor NPM is a free product, a free 30-day trial version is available. In fact, SolarWinds has a 30-day trial version of most of its products. You can, therefore, try any one of them risk-free.
Download link: https://www.solarwinds.com/netflow-traffic-analyzer
So, despite its somewhat misleading name, the SolarWinds NetFlow Traffic Analyzer will handle both NetFlow and sFlow data. This makes it an ideal choice in a diversified environment where some devices support one protocol whereas others support a different one. And as an sFlow collector, NTA will gather any sFlow data from devices it monitors.
Combined together, NPM and NTA feature an impressive array of functionalities to assist any administrator in managing multi-vendor networks. You get bandwidth monitoring using SNMP, traffic analysis, performance analysis, alerting, reporting, policy optimization and much more.
By default, the NetFlow Traffic Analyzer’s summary page will display several sections such as the top 5 applications, the top 5 endpoints, the top 5 conversations, or the top 10 sources by percentage of bandwidth utilization. And as a flow analyzer, it can identify users, applications, and protocols that consume the most bandwidth, allowing administrators to quickly find the source of any observed congestion. And you can sort the displayed results according to several criteria such as port, source, destination, protocol, etc. It also allows one to view traffic patterns over minutes, days, or months.
Both NTA and NPM are enterprise-grade software, designed to scale up to very large networks with hundreds, if not thousands, of devices. They will, therefore, consume considerable resources on your system and should be installed on dedicated hardware. But if you’re managing such a network with numerous sFlow-enabled devices, NTA’s sFlow collection and analysis are worth trying. Putting it in place takes some effort, but that effort will be well rewarded.
2. inMon sFlowTrend
inMon, the company behind sFlow, has its own free monitoring tool in the form of its sFlowTrend software. It is a basic and somewhat limited but very capable tool. The free version of the software lets you gather data from up to five sFlow-enabled switches, routers, or hosts and will only keep history data in RAM for up to an hour. It should be enough to troubleshoot most networking issues. And if you want to step things up, you can upgrade to the pro version (at a cost, of course), which removes the device limit and stores history data to disk.
The sFlowTrend Dashboard tab provides a quick view of the current state of the monitored devices and networks; it includes top-level thresholds and interfaces with potential errors. When one clicks the Network tab, sFlowTrend reveals summarized performance statistics and detailed traffic at the network or device level. Alerting thresholds can be defined, so you receive alerts when higher-than-usual bandwidth usage or network errors occur. There’s even a root cause tab where you can drill down on the cause of an issue such as a threshold violation.
The Hosts tab is where you’ll find more detailed information about each device. It provides performance data on network, CPU, disk, etc., for sFlow-enabled servers, including virtual ones. Under the Services tab, you’ll find performance data for applications (including various web servers) that export sFlow data. On the Events tab, you’ll find a log of events like exceeded thresholds or detected errors. And finally, the Reports tab provides several predefined reports but also supports creating custom reports. This is where you’ll go to run reports and then view their results.
sFlowTrend is written in Java and comes with either a Java-based or a web-based user interface. It is available for Windows, Macintosh, and Linux. There’s also online help available to assist you in configuring and using the tool. It is a great tool, especially for smaller organizations with sFlow-enabled equipment. And the upgrade path to the pro version makes it an equally valid choice for larger networks.
3. ManageEngine NetFlow Analyzer
While primarily a NetFlow collector and analyzer, the ManageEngine NetFlow Analyzer will also handle sFlow datagrams that your sFlow-enabled devices will throw at it. It is another great piece of software from a company that’s been known to provide high-quality management tools. The tool gives you visibility over traffic and bandwidth by application, conversation, or protocol. You can also set alerts based on traffic thresholds.
The ManageEngine NetFlow Analyzer comes with a great variety of useful predefined reports. Some will help with troubleshooting issues, others with capacity planning, and some can be used for billing purposes, for those organizations that are reselling their infrastructure. And of course, there is also the possibility of creating custom reports.
One unique feature of the web-based dashboard is a heat map that shows at a glance the status of monitored interfaces as well as real-time pie charts that show top applications, protocols, and conversations, recent alarms, and more.
The free version comes with important limitations. For instance, while it will allow unlimited monitoring for 30 days, it will then revert to monitoring only two interfaces. It’s not much but it could be enough for a quick troubleshooting session, provided you know exactly where to look. Of course, you can upgrade to the paid version to remove the two-interface limitation. And ManageEngine also offers several related products that work together to expand basic traffic analysis into a full network management suite.
4. ntopng and nProbe
ntopng is a true open-source traffic analysis tool. It passively monitors networks based on flow data and packet capture. Being just an analyzer, ntopng relies on nProbe, a collector, for collecting flow data from devices and hosts that export it. nProbe supports several different types of flow data, including both NetFlow and sFlow. Together, they form a very potent monitoring and troubleshooting duo.
ntopng comes with a web-based user interface where information is presented in several different ways such as traffic (e.g., top talkers), flows, hosts, devices, and interfaces. The flow display is probably one of the most interesting, as it presents application protocols and can display latency or other TCP statistics such as packet loss. You can also use ntopng to set alerts based on several different thresholds and criteria.
ntopng is available in three versions: Community, Professional, and Enterprise. The Community version is free to use. The Professional and Enterprise versions offer some extra features and are available for purchase.
As for nProbe, it can be used for free but it is limited to 25,000 exported flows. While that may seem like a lot, you’ll quickly reach that number. You can, of course, remove the restriction by buying licenses.
5. Plixer Scrutinizer
Scrutinizer from Plixer is a very sophisticated “Incident Response System”, as stated on Plixer’s web site. Don’t let the fancy name fool you, though. More than anything, Scrutinizer is an excellent network monitoring system. It is very thorough and complete and, of particular interest in the context of this article, it will handle sFlow as well as NetFlow data.
Scrutinizer offers one of the most scalable solutions on the market. It is said to have the fastest reporting and to provide the richest data context available anywhere. It has role-based access to present different teams with only the data they need. It is designed for high performance and scalability, from small to very large environments, and it provides a rich range of analysis and reporting features.
There are several ways Scrutinizer can be set up. You can install it as a dedicated appliance. You may also deploy it as a virtual server. And it can also be run in a software-as-a-service fashion where it runs in the cloud. In that mode, you can opt to use either Plixer’s public cloud or a private one. This is a big system and it is resource hungry. You’ll need to set it up on a beefy server, with, for instance, 16 GB of RAM.
Scrutinizer is available in four different licensing tiers. There is the free version (which is not a trial but a real free version) that will support up to 10 thousand flows per second, keep flow data for 5 hours and historical roll-ups for a week. Then you have three levels of paid versions that vary in the number of flows per second they support and the history they keep. Furthermore, each higher tier adds a few extra features to an already rich feature set.
If your network is primarily made of sFlow-enabled devices, there are some excellent tools available that will give you an invaluable insight into your network’s behavior. And if you have both sFlow- and NetFlow-enabled devices, a few of them will support either protocol. Your final choice will depend, more than anything, on the current size of your network, what protocol your devices support and your network’s expected evolution. These tools take a while to set up and you want to pick the right one right from the start. It could save you from a complicated replacement down the line.