Just below the surface of a live network lies a fountain of insights. The average enterprise grade network is packed to the gills with information on service quality. Having the tools to analyze this data can tell you a lot about your network’s performance. You can see everything from which devices are experiencing faults to whether you’ll have enough bandwidth available to support your devices in future.
Conducting NetFlow analysis with a packet sniffer can help you to troubleshoot your network and identify the causes of poor performance. Without a NetFlow analyzer you can't see what is happening under the hood, and without that visibility you are unable to carry out long-term capacity planning. It also has the advantage of making sure that you don't exceed your current usage limits and incur hefty fines from your ISP. In this article we're going to look at what packet sniffers are as well as the best products on the market.
What is a Packet Analyzer or Network Analyzer?
A NetFlow analyzer or packet sniffer is a network monitoring tool that inspects all the data packets being transferred across your network. A packet sniffer will tell you the source port, destination port, destination IP address, and source IP address of a packet travelling across your network. This information reveals a lot about a packet’s purpose and the processes occurring behind the curtain.
A packet sniffer also shows you the quality of the connection you’re experiencing. Many administrators use NetFlow analyzers to find the top talkers on their network. The term top talker is given to devices that consume excessive bandwidth which could indicate a performance issue or fault.
Here is our list of some of the best packet sniffers and NetFlow analyzers available today:
- SolarWinds NetFlow Traffic Analyzer (FREE TRIAL)
- Wireshark
- tcpdump
- ManageEngine NetFlow Analyzer
- The Dude
- Colasoft Capsa
- Angry IP Scanner
- CAIDA FlowScan
- Plixer Scrutinizer
- sFlow Toolkit
- nProbe and ntopng
1. SolarWinds NetFlow Traffic Analyzer (FREE TRIAL)
First up on our list we have SolarWinds NetFlow Traffic Analyzer, which is our top pick on account of its usability and its ability to conduct real-time and historic bandwidth usage monitoring. It supports a variety of protocols such as J-Flow, sFlow, NetStream and NBAR2, giving you a balanced perspective of your network activity.
SolarWinds NetFlow Traffic Analyzer also has a very handy alerts system which notifies you when significant network events occur. These alerts are customisable and allow users to use threshold-based alerts based on their unique requirements. This means that the user doesn’t need to remain vigilant 24/7. If anything significant happens an alert is raised for the user to take action.
Perhaps the best feature offered by SolarWinds NetFlow Traffic Analyzer is the Top Talkers feature. Top Talkers highlights the devices and IP addresses that are consuming the most bandwidth. This is essentially a list of the worst offenders in your network and can help you to come up with a plan to improve the overall quality of your service.
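As an added illustration of what a NetFlow analyzer does with the export records it receives (this is example code written for this article, not code from SolarWinds or any product above), the following Python decodes a NetFlow v5 datagram, ranks source addresses by bytes sent to produce a Top Talkers list, and applies a byte threshold of the kind the alerts feature described above uses. The datagram is constructed inline, and the host addresses and threshold value are assumptions.

```python
import struct
import socket
from collections import Counter

# NetFlow v5 wire layout: a 24-byte header followed by 48-byte flow records,
# all fields big-endian. Only the fields a Top Talkers view needs are kept.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_netflow_v5(packet):
    """Decode one NetFlow v5 export datagram into a list of flow dicts."""
    version, count, *_ = HDR.unpack_from(packet, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 export")
    flows = []
    for i in range(count):
        f = REC.unpack_from(packet, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6],
                      "sport": f[9], "dport": f[10], "proto": f[13]})
    return flows

def top_talkers(flows, n=3):
    """Rank source addresses by bytes sent, as a Top Talkers view does."""
    by_src = Counter()
    for f in flows:
        by_src[f["src"]] += f["bytes"]
    return by_src.most_common(n)

def over_threshold(talkers, limit_bytes):
    """Threshold-based alert: hosts whose byte total exceeds the (assumed) limit."""
    return [host for host, total in talkers if total > limit_bytes]

def build_sample_export(flows):
    """Build a constructed NetFlow v5 datagram for offline testing (not real traffic)."""
    body = b"".join(
        REC.pack(socket.inet_aton(s), socket.inet_aton(d), b"\0\0\0\0", 1, 2,
                 pk, by, 0, 1000, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, pk, by, sp, dp, pr in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: (src, dst, packets, bytes, sport, dport, proto); 10.0.0.0/24 is hypothetical.
SAMPLE = build_sample_export([
    ("10.0.0.5", "10.0.0.1", 800, 1_200_000, 49152, 443, 6),
    ("10.0.0.7", "10.0.0.1", 50, 40_000, 49153, 80, 6),
    ("10.0.0.5", "10.0.0.9", 200, 300_000, 49154, 22, 6),
    ("10.0.0.3", "10.0.0.1", 20, 2_000, 5353, 53, 17),
])

print(top_talkers(parse_netflow_v5(SAMPLE)))
```

The 1 MB alert limit passed to over_threshold in the test is a placeholder; a real deployment would derive it from the link capacity and the baseline of normal traffic.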
We recommend SolarWinds NetFlow Traffic Analyzer for both SMEs and large organizations. The simplicity of the user interface makes it easy to hit the ground running. Likewise features like Top Talkers and alerts drastically reduce the amount of manual monitoring you have to do. This product is available for a free trial and can be downloaded from this link.
2. Wireshark
Next up on our list we have Wireshark, one of the most famous packet analyzers available. Wireshark allows you to monitor your real-time and historic data usage. This platform has the ability to decrypt IPsec, SNMPv3, IEEE 802.11, WEP, SSL/TLS and WPA/WPA2. This gives you a broad range of tools to cover your monitoring.
Wireshark offers the user an interface that’s a hybrid between a Graphical User Interface (GUI) and a Command Line Interface (CLI). This is an interesting combination as the user can run scripts in the CLI while still being able to use the GUI to navigate easily. Wireshark delivers an exceptional balancing act that is welcoming to new users while giving more experienced users the ability to run scripts.
You can use Wireshark to generate graphs of data you’ve captured. This is useful because it allows you to break down your network data to determine significant trends. Once you’ve finished capturing your network data you can then export it into XML, PostScript, CSV, or plain text. Exporting your captured content makes it easy to pass on usage data to other members of your team. This is particularly handy for larger organizations and passing system flaws down the chain of command.
Wireshark has become a favourite tool of many network administrators because it mixes simplicity and diverse monitoring potential. The graphs make it easy to see what is happening on your network and to take action. Wireshark is available for Windows, Mac OS, Linux, Solaris, NetBSD, and FreeBSD. You can download this free tool here.
3. tcpdump
tcpdump is another extremely well-known network packet analyzer. tcpdump is a command-line tool that captures packets transferred across your network. This product is available on Windows, Mac OS, Linux, Solaris, FreeBSD, NetBSD, and OpenBSD.
tcpdump's command-line interface is its biggest asset. This platform is written in the C programming language and lets users run many different scripts to customise their network analysis. It also has the advantage of being reliable. You have complete control over your monitoring when compared to a GUI. Unfortunately, this isn't a good choice for users who are averse to using command line systems.
One area where this is particularly true is tcpdump filters. For example, a proto qualifier restricts matches to a particular protocol. Protocols range from ether, IP and RDP to TCP and UDP. Features like filters make it much easier to monitor your bandwidth usage. This is primarily because you can restrict the data you capture to what is most relevant rather than your entire network data!
Overall tcpdump is worth considering if you're experienced with command line tools. Users with knowledge of CLIs will be able to get much more out of this program than out of a GUI. However, for users who prefer GUIs, there are easier products to use. The best part about tcpdump is that it is free. tcpdump can be downloaded from this link here.
4. ManageEngine NetFlow Analyzer
ManageEngine NetFlow Analyzer is one of the most well-known NetFlow analyzers available today. With ManageEngine NetFlow Analyzer’s live bandwidth monitoring capabilities, this is a platform that is suitable for SMEs and large enterprises alike. When conducting NetFlow analysis you can customize the dashboard as you see fit. Customizing the dashboard allows you to control the larger network monitoring experience.
As a NetFlow analyzer this product really delivers in terms of its alerts system. The alerts system updates you via email or SMS when certain activity occurs. You can configure your settings to send an alert automatically once a predefined parameter has been met. This is very useful because it means you don’t have to monitor your computer 24/7 to catch everything.
The production value of ManageEngine NetFlow Analyzer is its greatest asset. The user interface is very satisfying to use, and could easily monitor an entire enterprise's equipment. As a result, ManageEngine NetFlow Analyzer is a tool we highly recommend. In order to find out the price of ManageEngine NetFlow Analyzer you will have to contact the sales team. However, there is a free trial. The 30-day free trial can be downloaded from this link here.
5. The Dude
When it comes to entry level packet sniffers, The Dude is one of the best on the market. With The Dude you can monitor your network through the use of SNMP, TCP, ICMP, and DNS. While the design looks very outdated it still allows you to conduct NetFlow analysis in line with contemporary requirements. Despite its design, The Dude remains one of the most popular choices for network administrators.
This is partly because it’s free but also because of its autodiscovery abilities. The Dude can scan devices connected to your network and draw a map. With this network map you can view a complete rundown of your connection status without having to manually configure anything.
If you are working within an enterprise environment, The Dude has the strength to handle most monitoring workloads. The Dude can be downloaded for Windows, Mac OS, and Linux (within a Wine environment). The Dude can be downloaded for free from this link here.
6. Colasoft Capsa
Colasoft Capsa is a name that never fails to capture attention. This potent tool is available on Windows 2008, Vista, 7, 8, and 10. With Colasoft Capsa you can launch TCP flow and VoIP analysis alongside over 300 other protocols. This army of protocols provides you with the tools needed to examine your network right down to its core.
One area where Colasoft Capsa performs extremely well is security. This product has a number of very useful security features and it can detect malicious behaviour such as DDoS attacks or TCP port scanning. This is helpful because it allows you to use your monitoring environment proactively and address network threats head on.
As a NetFlow analyzer Colasoft Capsa is a competitive offering. There are three versions of Colasoft Capsa: Capsa Free, Capsa Enterprise and Capsa Standard. The free version is good for providing a taste of the program but times out after four hours. The Standard version is available for $295 (£222) and can be used to monitor for an unlimited amount of time. However if you want to monitor WiFi connections then you will need to purchase the Enterprise version for $995 (£751). Free trials of both paid versions and a download to the freeware version can be found through this link here.
7. Angry IP Scanner
For cross-platform NetFlow analysis, few tools are as convenient and lightweight as Angry IP Scanner. Angry IP Scanner is an open source NetFlow analysis tool that can be used to scan your local network through the use of IP ranges. All you need to do to start monitoring is to enter the IP range at the top of the screen and you will be provided a list of ping results.
The simplicity of this program is its biggest benefit; after all there is a reason it has over 23 million downloads. Once you’ve completed a scan you can save the results as CSV, XML, TXT or IP-Port list files. However this is just the tip of the iceberg as far as Angry IP Scanner is concerned.
Any user who is familiar with Java can use this code to write plugins to add new functions to Angry IP Scanner. This is great because it allows you to customize what the program can do. Angry IP Scanner is available for Windows, Mac, and Linux making it suitable for those working within a cross-OS environment. Angry IP Scanner can be downloaded for free from this link here.
8. CAIDA FlowScan
Of all the tools on this list, CAIDA's (Center for Applied Internet Data Analysis) FlowScan is perhaps the simplest product available on the market. FlowScan takes flow data from routers across your network and uses it to analyse the network's overall performance. Once your network data has been recorded it is displayed in graph format in real-time.
FlowScan is also compatible with cflowd, flow-tools and Ifapd. This is useful if you want to mix and match tools. Even though this tool allows you to conduct effective NetFlow analysis the user interface isn’t particularly satisfying to use. Most potential users would be better off going with a program that is less outdated. However if you want to try it out FlowScan can be downloaded for free here.
9. Plixer Scrutinizer
Scrutinizer is a free network traffic analysis tool that allows you to capture your network traffic for monitoring easily. With Scrutinizer you can conduct NetFlow, IPFIX, and sFlow collection and display your usage data in graph format. The graphs are color coded so that you can easily identify usage trends.
Like Wireshark, Scrutinizer allows you to filter your network analysis however you choose. For example, you can filter by protocol, time frame, host, or application so that you can find what you need. While this isn’t as versatile as Wireshark’s filters it is still useful for limiting the amount of data you’re attempting to monitor.
The free version of Scrutinizer can monitor an unlimited amount of interfaces with 24 hours of data storage. You can also pay for Scrutinizer as a subscription or cloud-hosted SaaS solution. Unfortunately you’ll need to request a quote from the sales team to find out the price. Plixer Scrutinizer can be downloaded for free from this link here.
10. sFlow Toolkit
sFlow Toolkit is an interesting NetFlow analysis tool because it is based around the command line. As such it provides administrators with a range of command options that are unavailable to GUI users. For example, the command sflowtool -t | tcpdump -r - will run a decoded packet trace. You can also use sflowtool scripts to analyze network traffic further.
One particularly useful script is ipTopTalkers. This script allows the user to view all of those network elements that are consuming the most bandwidth. This is a simple way to point to problematic applications and take action. While the command line interface may alienate many users, it makes up for it in terms of its versatile configuration possibilities.
Overall sFlow Toolkit is a product that would fit well within most enterprise environments. Its biggest limitation is the command line interface which doubles as its biggest selling point. sFlow Toolkit can be downloaded from this link here.
11. nProbe and ntopng
Finally we have nProbe and ntopng. These tools come together as one of the most comprehensive open source flow and traffic analysis tools. nProbe can be used to collect NetFlow and IPFIX data, whereas ntopng analyses network traffic. nProbe has developed a name for itself as one of the best NetFlow analysis tools on the market.
One of the best things about ntopng is its excellent GUI. The presentation of the user interface puts most other network analyzers to shame. Your data is displayed in a variety of graphs and charts and there is even a top talkers feature. The top talkers feature allows you to point to the worst offenders in your network and take action.
ntopng is compatible with Windows and Linux. You can purchase ntopng for $582 (£439), nProbe can be purchased for $57 (£43) for the Embedded version and $174 (£131) for the Standard version. A full comparison of features can be seen at this link here.
NetFlow Analysis: A Monitoring Essential
Whether you're working on a single site or multiple large sites, all of the tools on this list have the ability to support NetFlow analysis. NetFlow analysis is one of the core components of network monitoring, troubleshooting and defending against emerging threats. By finding small faults early you can make sure that they don't become big problems in the future.
Our top picks for NetFlow analyzers in this article are Wireshark and SolarWinds Real-Time NetFlow Traffic Analyzer. These platforms have simple user interfaces that make the monitoring process as straightforward as possible. SolarWinds Real-Time NetFlow Traffic Analyzer's graph displays provide you with a clear perspective of your data, and Wireshark has a range of filters that can be applied to customize your troubleshooting.
If you haven’t implemented a NetFlow analyzer in your organization yet, we strongly recommend you do this ASAP. Scanning your network for the signs of poor performance can help you to take action and improve your connectivity. It can also pay dividends when you avert the disaster of a malicious attack or critical hardware failure.