NetFlow - Ultimate Guide to NetFlow and NetFlow Analyzers

NetFlow is a network protocol developed by Cisco that notes and reports on all IP conversations passing through an interface. NetFlow is stateful and works in terms of the abstraction called a flow: that is, a sequence of packets that constitutes a conversation between a source and a destination, analogous to a call or connection.

A NetFlow exporter device collects data on the IP traffic entering/exiting the device; it inspects packets and groups them into flows by inspecting particular fields: the source and destination addresses, protocols, ports, etc.

Data on observed flows is rolled up from the packets and cached locally (in the flow cache), then it’s periodically exported to the collector based on active and inactive timeouts. NetFlow thus only handles IP, focusing on OSI model Layers 3 and 4. Its knowledge of the IP protocols enables it to interpret packets and work in terms of flows.

Here’s our list of the best NetFlow analyzers & collectors:

  1. SolarWinds NetFlow Traffic Analyzer EDITOR’S CHOICE The leading network traffic analyzer. Runs on Windows Server. Start a 30-day free trial.
  2. ManageEngine NetFlow Analyzer (FREE TRIAL) A traffic analyzer that installs on Windows Server and Linux and deploys the NetFlow, IPFIX, J-Flow, NetStream standards.
  3. Site24x7 Network Traffic Monitoring (FREE TRIAL) A cloud service that tracks live network traffic data and offers capacity planning support.
  4. Paessler PRTG Network Monitor (FREE TRIAL) NetFlow, sFlow, and J-Flow sensors that form part of a network, server, and application monitor. Installs on Windows Server.
  5. nProbe and ntopng A straightforward network monitoring system in both free and paid versions.
  6. Plixer Scrutinizer A cybersecurity activity monitor that is available for installation, as a cloud-based service, or as an appliance.
  7. Noction Flow Analyzer Watches over live network performance as well as offering network traffic analysis. Runs on Linux.
  8. Nagios XI and Core An extensive network monitoring system in both free (Nagios Core) and paid (Nagios XI) versions.
  9. Kentik Detect A cloud-based service that can analyze your on-premises traffic.
  10. Splunk A well-known and highly respected packet sniffer that can collect data by analysis through more sophisticated tools.
  11. Elastic Stack Log file collection and analysis tools that can be adapted to work with NetFlow.
  12. InfluxData’s TICK Stack Telegraf, InfluxDB, Chronograf, and Kapacitor are network data collection and analysis tools that can use sFlow and SNMP.

The differences between NetFlow and sFlow

Avi Freedman makes an apt analogy to monitoring vehicular traffic: “… while NetFlow can be described as observing traffic patterns (‘How many buses went from here to there?’), with sFlow you’re just taking snapshots of whatever cars or buses happen to be going by at that particular moment”.

Here are the main differences between the two technologies.

Accuracy and scalability

NetFlow’s partisans have long argued that NetFlow can be more accurate than sFlow. NetFlow aggregates data about all packets into flows locally at the device; thus it can’t by happenstance miss a conversation by failing to sample the relevant packets. This granularity of NetFlow is attractive for examining traffic with an individual host. It’s easy to see per-host details, notice localized anomalies, and investigate particular flows. But as traffic volume mushrooms, it becomes less and less feasible to collect every flow. If you’re not doing sampling, scalability becomes an issue.

sFlow is thus more scalable than traditional NetFlow. However, sampling has the downside that there may be gaps in visibility. The packets sampled may not reflect every flow (for instance, short bursts). For detecting and drilling down to investigate security issues, this can be significant.

Device performance at high volumes

As noted above, sFlow does minimal work on the network device, whereas NetFlow uses the device’s CPU and RAM to implement the flow cache. This can become a problem with high-speed devices where many conversations are concentrated onto a link. The additional CPU load on top of the “real work” the device is doing increases with the number of flows per second, and can consume a significant fraction of the CPU, according to a Cisco whitepaper. In contrast, sFlow generally does its packet sampling in the switching/routing ASIC, letting the network device’s CPU concentrate on its core job.

At volumes of hundreds of gigabits per second, such as in edge routing and large data centers, traffic engineering becomes the central concern; the focus is on large-scale patterns and abrupt shifts in volume. Fine-grained visibility into individual hosts becomes less significant. Now sampling starts to become the clear winner. Because of this, NetFlow has added the option of Sampled NetFlow, which makes NetFlow scalable — but loses that accurate high granularity of traditional NetFlow.

Protocol coverage

NetFlow is IP only (with some Layer 2 support added recently). Thus legacy protocols (e.g., AppleTalk, IPX) and other non-Internet protocols do not show up. In contrast, sFlow can cover Layers 2 through 7.


sFlow can have lower latency than NetFlow. A device collecting NetFlow metrics in its flow cache exports them periodically based on active and inactive timeouts. Thus reports on recent and ongoing conversations may be delayed, depending on the timeouts. In contrast, sFlow sends collected packet prefixes and counters in real-time. If sub-minute latency is a concern — and your monitoring/analysis tooling supports it — sFlow may be the better choice.
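The flow cache and its active/inactive timeouts (described at the top of this guide and in the latency paragraph above), together with the sampling gap from the accuracy section, can be reproduced with a small simulation; this is an added example, not code from Cisco or any vendor listed here. The 60-second active and 15-second inactive timeouts, the addresses, and the deterministic 1-in-10 sampling (real Sampled NetFlow selects packets randomly) are assumptions chosen so the result is reproducible.

```python
from dataclasses import dataclass
from typing import NamedTuple


class Packet(NamedTuple):
    ts: float   # arrival time in seconds
    src: str
    dst: str
    proto: int  # IP protocol number (6 = TCP, 17 = UDP)
    sport: int
    dport: int
    size: int   # bytes


@dataclass
class FlowRecord:
    key: tuple
    first: float
    last: float
    packets: int = 0
    octets: int = 0
    exported_at: float = 0.0
    reason: str = ""


class FlowCache:
    """Toy exporter-side flow cache (assumed timeouts: 60 s active, 15 s inactive)."""

    def __init__(self, active_timeout=60.0, inactive_timeout=15.0, sample_every=1):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.sample_every = sample_every  # 1 = account for every packet
        self.cache = {}      # flow key -> FlowRecord still being aggregated
        self.exported = []   # records "sent to the collector", in export order
        self._seen = 0

    def _export(self, key, now, reason):
        rec = self.cache.pop(key)
        rec.exported_at, rec.reason = now, reason
        self.exported.append(rec)

    def _expire(self, now):
        for key, rec in list(self.cache.items()):
            if now - rec.last >= self.inactive_timeout:
                self._export(key, now, "inactive")  # conversation went quiet
            elif now - rec.first >= self.active_timeout:
                self._export(key, now, "active")    # long-lived flow: report so far

    def observe(self, pkt):
        # Simplification: timers are only checked when a packet arrives.
        self._expire(pkt.ts)
        self._seen += 1
        if self._seen % self.sample_every:
            return  # deterministic 1-in-N sampling: this packet is never inspected
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        rec = self.cache.get(key)
        if rec is None:
            rec = self.cache[key] = FlowRecord(key, pkt.ts, pkt.ts)
        rec.last = pkt.ts
        rec.packets += 1
        rec.octets += pkt.size

    def flush(self, now):
        for key in list(self.cache):
            self._export(key, now, "flush")


# Constructed sample traffic (documentation/private addresses, not real hosts).
LONG_KEY = ("10.0.0.5", "10.0.0.9", 6, 51000, 443)
BURST_KEY = ("10.0.0.7", "192.0.2.10", 17, 40000, 53)


def constructed_traffic():
    """A 150-second TCP session (1 packet/s) plus a 3-packet UDP burst at t=20."""
    long_flow = [Packet(float(t), *LONG_KEY, 1000) for t in range(150)]
    burst = [Packet(ts, *BURST_KEY, 80) for ts in (20.1, 20.2, 20.3)]
    return sorted(long_flow + burst)  # NamedTuples sort by timestamp first


def run(sample_every=1):
    """Feed the constructed traffic through the cache and return exported records."""
    cache = FlowCache(sample_every=sample_every)
    for pkt in constructed_traffic():
        cache.observe(pkt)
    cache.flush(now=200.0)
    return cache.exported


if __name__ == "__main__":
    for n in (1, 10):
        print(f"--- sampling 1 in {n} ---")
        for r in run(n):
            print(f"{r.key[0]:>9} -> {r.key[1]:<11} pkts={r.packets:<3} "
                  f"last={r.last:<6} exported={r.exported_at:<6} ({r.reason})")
```

With every packet accounted for, the burst is reported but only once the inactive timeout has passed after its last packet, and the long session appears as several records split by the active timeout. With 1-in-10 sampling the burst produces no record at all.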

NetFlow Types and Extensions

Flexible NetFlow and IPFIX provide the ability to have vendor-extensible templates for tweaking the set of packet fields of interest. NetFlow v9 and IPFIX also add the ability to monitor Layer 2 fields. Random Sampled NetFlow adds the option of doing sampling to NetFlow (sampling is mandatory in sFlow).


The Best NetFlow Analyzers & Collectors

When your network grows to the point that seeing what’s going on has become tricky, tools leveraging NetFlow may be the solution.

Our methodology for selecting NetFlow analyzers and collectors

We reviewed the market for NetFlow analyzers and collectors and analyzed the options based on the following criteria:

  • A system that can sample, capture, or summarize passing packets
  • The ability to communicate with other packet capture systems such as sFlow and J-Flow, not just NetFlow
  • Bandwidth capacity threshold alerting
  • Live statistics reporting with graphical data interpretations
  • Capacity planning and bottleneck investigation tools
  • A free trial for a risk-free assessment or a free tool
  • A good set of utilities that are worth paying for or a free tool that is worth installing

Below, we look at several popular NetFlow-based network monitoring and analysis tools for Windows. All are sophisticated, having a considerable learning curve; so online training and good support are essential.

1. SolarWinds NetFlow Traffic Analyzer (FREE TRIAL)

The SolarWinds NetFlow Traffic Analyzer (NTA) is a bandwidth monitor that handles not just the original Cisco NetFlow but many of its variants from other manufacturers, as well as NetFlow’s primary alternative, sFlow.

Once installed, NTA offers you a wide range of sophisticated facilities for managing multi-vendor networks. It features bandwidth monitoring, traffic analysis, performance analysis, alerts, customizable reports, policy optimization, and more.

Screenshot showing main dashboard of SolarWinds Orion, with the Dashboard menu displayed
The NetFlow Traffic Analyzer’s displays are listed under Dashboards

The NetFlow Traffic Analyzer gathers flow data exported by the flow-enabled devices tracked by the SolarWinds network monitoring software.

Key Features:

  • Bandwidth capacity tracking
  • Traffic pattern monitor
  • NetFlow, IPFIX, J-Flow, sFlow, NetStream, CFlow, and RFlow
  • Quality of Service tracking
  • NBAR protocol analyzer
Screenshot showing the default summary of the NetFlow Traffic Analyzer
NTA default summary

The default NetFlow Traffic Analyzer Summary has multiple sections like Top 5 Applications, Top 5 Endpoints, Top 5 Conversations, Top 10 Sources by % Utilization, etc.

Screenshot of NetFlow Traffic Analyzer graphically showing top applications' traffic over recent hours
Looking at traffic patterns over time

As a flow analyzer, NTA identifies the users, applications, and protocols consuming the most bandwidth. You can sort by ports, source, destination, and protocols, and view traffic patterns over minutes, days, or months.


  • Excellent user interface, easy to navigate, and remains uncluttered even when used on high volume networks
  • Supports multiple networking technologies such as Cisco NetFlow, Juniper Networks J-Flow, and Huawei NetStream, making it a hardware-agnostic solution
  • Pre-built templates allow you to pull insights from packet capture right away
  • Installs on Windows as well as on multiple flavors of Linux
  • Built for the enterprise, offers SLA tracking and monitoring features


  • Built for enterprise companies who process a lot of data, not the best fit for small LANs or home users

If you have a sophisticated network with NetFlow-enabled devices, NTA’s capabilities are worth exploring. For details on NTA, see our SolarWinds NetFlow Traffic Analyzer review. You can also start a 30-day free trial.


SolarWinds NetFlow Traffic Analyzer is our top pick for a NetFlow analyzer and collector because it is also able to collect traffic data with the protocols used by other manufacturers, such as J-Flow from Juniper Networks and NetStream from Huawei. This tool can track the performance of wireless networks and VMware vSphere virtualizations. The facilities within the NTA allow you to implement traffic shaping measures and get the best value out of your existing network resources, without compromising on service quality.


OS: Windows Server

2. ManageEngine NetFlow Analyzer (FREE TRIAL)

The ManageEngine NetFlow Analyzer provides real-time visibility into network bandwidth and traffic patterns. The tool visualizes traffic by applications, conversations, protocols, etc. Alerts can be set based on traffic thresholds. There are a variety of useful predefined reports, ranging from troubleshooting oriented to capacity planning and billing. Custom search reports can be created.

screenshot of the dashboard of ManageEngine's NetFlow Analyzer
ManageEngine NetFlow Analyzer dashboard

The NetFlow Analyzer has a suite of NetFlow-oriented tools for managing complex networks. The web-based user interface has a default dashboard with several real-time pie charts, including a heat map showing the status of monitored interfaces, top applications, top protocols, top conversations, recent alarms, top QoS, and more.

Key Features:

  • Traffic analysis
  • Problem alerts
  • Quality of Service tracking

Hovering over a graphic usually provides an explanatory pop-up, and clicking on any graphic drills down to more details on the selected element. There are specific displays for detecting security issues. Dashboards are customizable.

screenshot of ManageEngine NetFlow Analyzer showing current alerts and security status messages
ManageEngine Alerts and security status

Alerts show up as pop-ups on the user interface. Multi-site traffic can be analyzed; there is a smartphone app for mobile monitoring and alerting.

Flow technologies supported include NetFlow, IPFIX, J-Flow, NetStream, and several others. The tool leverages advanced features of Cisco devices, including support for adjusting the traffic shaping and QoS policies on your network.


  • Supports multiple protocols like NetFlow, great for monitoring Cisco equipment
  • Both tools work well alongside each other to help view traffic patterns and bandwidth usage
  • Easy to use interface automatically highlights bandwidth hogs and other network traffic outliers
  • Scales well, designed for large enterprise networks
  • Can view traffic on a per-hop basis, allowing for granular traffic analysis


  • Built for enterprise use, not designed for small home networks

The ManageEngine NetFlow Analyzer provides a range of capabilities for managing complex networks making heavy use of NetFlow. The free version allows unlimited monitoring for 30 days but then reverts to monitoring only two interfaces. ManageEngine has various related products to expand beyond NetFlow traffic-oriented data analysis into a full network management suite. Download the 30-day free trial.


3. Site24x7 Network Traffic Monitoring (FREE TRIAL)

Site24x7 Network Traffic Monitoring is a cloud-based traffic analyzer that forms part of several system management packages. Site24x7 offers infrastructure monitoring, website management, an application performance monitor, and a system for managed service providers.

This tool provides live network traffic monitoring and also stores data for capacity planning and trend analysis. As a cloud service, the dashboard is accessed through any standard web browser. All of the processing for the service is performed on the Site24x7 servers but there also needs to be an agent installed on site.

Site24x7 NetFlow Monitoring Status

Key Features:

  • Cloud-based service
  • Packaged with other system monitors
  • Alerts for system problems

The monitor communicates with network switches through a number of protocols. These include NetFlow, sFlow, J-Flow, IPFIX, CFlow, NetStream, and AppFlow. The system extracts traffic statistics and it can also sample packet headers. The information taken from traffic enables the traffic monitor to identify traffic per application, per source and destination, and per user account. The system can communicate with the network devices supplied by more than 200 vendors.

As well as spotting traffic hogs, the analyzer shows time-series graphs and can identify peak hours. This information allows network managers to squeeze extra value out of existing resources by moving non-urgent tasks such as batch administration processes to less busy periods of the day.

Site24x7 NetFlow Device Conversion

The information shown by the network monitoring system is able to plot traffic loads link by link and also end to end across the network. It is able to spot bottlenecks and assist in traffic-shaping measures, such as queuing and prioritization.

The monitor imposes performance thresholds that are set at levels that allow time to fix problems. If a threshold gets tripped, the service generates an alert. This is shown on the system console and can also be sent out to key personnel as an email, SMS, or voice call.


  • Has one of the best user interfaces among similar NetFlow analyzers
  • Features a mobile app for both Android and iOS
  • Can measure and detect latency, jitter, and performance over time, making it a viable long-term solution for ping monitoring
  • Can integrate with and monitor devices from up to 200 different vendors
  • Free version can support up to hosts, making it a great introductory option for smaller businesses


  • Site24x7 is a feature dense platform that can take time to fully learn all of its features and customization options

The network traffic monitoring service is included in the Website Monitoring plan, which is offered in four editions with the cheapest starting at $9 per month. It is also included in the Infrastructure package, which also starts at $9 per month. Site24x7 offers an Application Performance Monitor (APM), which includes the network traffic monitor and starts at $35 per month.

An All-in-One package from Site24x7 offers all of the services included with all of its other bundles and that includes the traffic monitoring system. That plan is available in four editions, with the cheapest costing $35 per month. An MSP plan, which is a multi-tenanted version of the All-in-One plan, includes the network traffic monitor and its price starts at $45 per month. All of the plans and editions of Site24x7 are available for 30-day free trials.


4. Paessler PRTG Network Monitor (FREE TRIAL)

The Paessler PRTG Network Monitor is a “batteries included” solution that monitors bandwidth utilization, the availability and health of devices on your network, and more. PRTG can monitor multiple sites, WAN, VPN, and cloud services. The free version provides unlimited sensors for a month, and thereafter is limited to 100 sensors; a sensor is an individual data stream, so each device will typically require several sensors.

Screenshot of PRTG showing device tree and sensors associated with each device
PRTG device tree

In PRTG’s user interface, a primary view is the device tree showing all devices on your network and the sensors monitoring each. Devices include firewalls, routers, access points, servers, workstations, virtual servers, storage, etc. The device tree is supplemented by table views of sensors, logs, and alarms, as well as various charts and graphs for bandwidth, etc. Tables can be sorted and filtered.

Key Features:

  • Customizable monitoring package
  • NetFlow, IPFIX, sFlow, and J-Flow
  • Alerts

Drilling down through the tree view reveals indicators and metrics at every level. Settings, like scan interval, are inherited and can be overridden at lower levels in the device tree. Alerts can similarly be set at every level, so you can arrange to be notified about events and threshold transitions of a particular critical device, or rolled up from an overall aspect of your network. Alerts can be transmitted in multiple ways, including SMTP email and SMS text messaging.

The devices-and-sensors abstraction shapes the dashboards and reports too. Custom dashboards can be created, including interactive maps. There is a range of predefined reports, and facilities for designing custom reports; reports can also be scheduled.

Screenshot of PRTG showing the display for the NetFlow sensor -- top talkers, top connections, etc.
PRTG NetFlow sensor

Traffic analysis facilities include built-in NetFlow support. For flow protocols, PRTG supports NetFlow, sFlow, and J-Flow. Other protocols/mechanisms used include SNMP, WMI, and packet sniffing. Paessler calls these detection systems, such as the NetFlow collector, “sensors.”

Installation is straightforward. There is a setup wizard, as well as a video providing step-by-step guidance. At installation, the core server’s local probe does auto-discovery to identify devices and set up sensors. Additional sensors (including NetFlow collectors) can be added manually; a video provides instructions.

The core server is Windows only. Monitoring of a single site can be done via the web application, but the simultaneous view of multiple core servers requires using the enterprise app on Windows. A mobile app is also provided. One clever addition is that PRTG provides QR codes that can be pasted on particular devices for a quick look-up and status in the mobile app. PRTG supports clustering for fault tolerance: you can set up failover instances of the monitor.


  • Designed to be an infrastructure monitoring tool that supports multiple sensors types such as NetFlow, sFlow, and J-Flow
  • Offers additional monitoring on the same platform, supporting infrastructure, network, and application performance monitoring
  • Captures packet headers only, helps speed up analysis and keep storage costs down for long term collection
  • Uses simple yet intuitive graphing for traffic visualization


  • Very detailed platform – takes time to learn and fully utilize all of the features available

PRTG is an all-in-one product, so you don’t need multiple products and licenses to gain comprehensive monitoring. Even so, a key question to evaluate is how many sensors your network needs, and what the long-term cost of the sensor-based licensing model will be as you grow. To evaluate, you can download a 30-day free trial.



5. nProbe and ntopng

ntopng is an open-source web-based traffic analysis tool that does passive network monitoring based on flow data and statistics extracted from observed traffic. ntopng does the packet capture itself; to receive flow data it depends on nProbe, a NetFlow/IPFIX exporter/collector. Flow protocols include NetFlow v9, IPFIX, and NetFlow-lite.

The community version of ntopng is free. The professional (small business) and enterprise versions require a paid license, but are free to educational and nonprofit organizations. nProbe can be test-driven for free but a fully functioning version requires a paid license. So the use of NetFlow data is limited (unless you qualify for a free license).

Screenshot of ntopng showing list of flows and their characteristics
ntopng flows

Key Features:

  • Free version
  • NetFlow and IPFIX
  • Network mapping

ntopng’s web-based user interface rolls up data into traffic (e.g., top talkers), flows, hosts, devices, and interfaces. Most categories have multiple views, a mix of charts, tables, and graphs; and in each you can drill down to explore in depth and cross-reference. Tables can be sorted – so for instance, selecting the throughput column on the flows table shows the current top bandwidth users.

Screenshot of ntopng showing geolocation of hosts on a map
ntopng host geolocation

The flow display shows application protocols (e.g. Facebook, YouTube). Latencies and TCP statistics (e.g. packet loss) are displayed. Observed hosts/IP addresses can be displayed on a map via geolocation. Alerts can be set on hosts based on many criteria, and will show up as an icon in the user interface.

The professional version can save and display historical application usage statistics, do active monitoring via SNMP, generate custom traffic reports, and several other additional features.

The installation package for both ntopng and nProbe is a zip file containing a standard Windows setup wizard. The installer will install WinPcap (for packet sniffing) if needed.


  • Open-source tool, highly customizable
  • Supports multiple flow protocols
  • Great option for Unix/macOS
  • Free options for education and non-profit organizations


  • Has a steep learning curve, especially for non-technical users
  • Fully functional version is behind a paywall

Since ntopng is open source, there is considerable scope for extending it. Data can be exported to MySQL, Elasticsearch, and Logstash, where it can be merged into the reports stored by your Syslog server.

6. Plixer Scrutinizer

Plixer Scrutinizer is a sophisticated flow-oriented traffic analysis system with particular focus on security forensics (it’s called the “Scrutinizer Incident Response System”). It supports both NetFlow and sFlow.

Scrutinizer can be installed as a dedicated physical appliance, as a virtual machine running on a server, or as a SaaS solution running in the cloud (public or hybrid). It’s a sophisticated system, so even the free trial on a virtual machine demands considerable resources (e.g., a dedicated 16GB of RAM).

Screenshot of Scrutinizer's main dashboard
Scrutinizer dashboard

Key Features:

  • Performance and security monitoring
  • NetFlow and sFlow
  • SaaS or on-site

Scrutinizer is designed for high network performance and scalability from small to very large environments. It provides a rich range of analysis and reporting features.

The trial includes full access for 30 days. After that, the free version has a limit of 10K flows collected per second, five hours of raw flows kept, and one week of historical summaries maintained. The paid version includes notifications, dashboard customization, custom reports, scheduled email reports, and support.


  • Offers multiple deployment options
  • Designed to support large enterprise networks
  • Offers additional security-related traffic analysis features


  • Uses a considerable amount of system resources
  • Must reach out to sales for pricing
  • Steeper learning curve than similar tools on the market

License pricing depends on the platform chosen and the number of flow exporters to be supported.

7. Noction Flow Analyzer

Noction Flow Analyzer offers three main strategies to network managers. These are to monitor and control bandwidth utilization, to implement capacity planning, and to detect and prevent network performance problems.

The system has a striking front-end. You are free to choose between the Light, Dark, or Auto theme options. Here, below, you can see the Data Explorer screen, which provides detailed network traffic stats in both graphs and report forms. “Group by”, “Filters” and “Devices” functions are available to focus or broaden attention to the desired aspects of network traffic or specific network nodes. You can look at network traffic details and filter by protocol, source and destination addresses, ports, VLANs, L2 MAC addresses, TOS, MPLS labels, AS paths, etc. All data queries can be subsequently saved as widgets and placed on dashboards.

Noction Flow Analyzer Dashboard

Multiple dashboards can be set up in NFA. These are collections of graphs that are typically grouped by a specific purpose, e.g., capacity planning, enabling you to see trends and cycles in traffic patterns and giving you the choice over which capacity strategy to adopt.

Noction Flow Analyzer Alerts

Key Features:

  • Monitoring and capacity planning
  • Path analysis
  • Summaries for bandwidth utilization

The network monitoring system lets you see live traffic data with the facility to examine traffic at each node or look at end-to-end traffic between two given points.

You can set up alerts on any of the metrics that the Flow Analyzer collects. These are thresholds that will activate alerts when they are crossed. These alerts can be sent to technicians via email or Slack, so staff does not need to watch the network monitor unless a problem is developing.


  • An attractive, Web-based interface
  • Live traffic monitoring
  • Historical analysis of traffic patterns for capacity planning
  • Data querying utilities
  • Bandwidth tracking


  • Needs to be hosted on your site and isn’t available for Windows

Noction Flow Analyzer is a software package for installation on Ubuntu, CentOS, or RHEL Linux. The system creates a Web server so the screens for the system are accessed through any standard Web browser. Despite hosting the service yourself, you do not buy the software outright. Instead, you pay a subscription, with a rate per month or per year. There is one add-on service, which is to collect Border Gateway Protocol internet routing data from the network gateway. You can try the Noction system on a free trial.

8. Nagios XI and Nagios Core

Nagios XI screenshot

Nagios is an enduring standard in network monitoring. Nagios Core is the open-source free version, and Nagios XI is the commercial for-cost variant with additional features and automated assistance for configuration. Nagios has a reputation for being powerful, reliable, scalable, and extremely customizable – and being complex to configure.

Key Features:

  • Free and paid versions
  • Extensible with free plug-ins
  • Measures traffic through SNMP

The free version has a learning curve but also an active community. It monitors servers, services, and applications, just like the commercial version. It includes reporting by email and SMS, a basic user interface (including the network map), and basic reports.

Nagios Core

Nagios Core lacks auto-discovery, and you must learn to set up and maintain complex configurations. On the plus side, it does give you a lot of flexibility to customize and extend the tool. Community-developed addons can perform discovery and help you get started with configuration.

You can use the free 60-day trial to evaluate the for-cost version. If you elect to go with the free version when the trial is done, you can save the auto-generated config files from /usr/local/nagios/etc before uninstalling your eval copy. You can then use those files as your starting point for your new installation’s configuration.

The commercial version Nagios XI has a richer range of features, including automated support for discovering your devices and hosts, automatically configuring the tool, and commercially-supported addons. It has a much more sophisticated user interface and more advanced reporting that covers trends, capacity planning assistance, etc.

Nagios XI is built to run on Red Hat Linux and CentOS. For Windows, use a VM appliance with Hyper-V or VMware. It includes an auto-discovery tool and a configuration wizard for adding a new device, host, or application.

Screenshot showing the Operations Dashboard, which could be displayed in an operations center
Nagios Operations Dashboard

Once Nagios XI is installed and monitoring, the Operations Screen gives you a high-level view of the current state of the network, and the Operations Center lets you drill down to the items mentioned.

Screenshot showing the Nagios host status screen summarizing statuses of hosts
Nagios host status

The Host Status page shows a summary of metrics for the monitored hosts. You can drill down to an individual host to see details including performance graphs, capacity planning info, alarms, etc.

Screenshot of Nagios showing status of services being monitored
Nagios service status

The Service Status page summarizes the state of the monitored services.


  • Offers a free open source version alongside a paid version
  • Pricing is based on the number of flow exports, making it a flexible option
  • Detailed reports and alerting options


  • Setup can be confusing, less intuitive than other tools
  • The interface can be challenging to work with, especially when first installing the tool

Nagios is a well-regarded solution for network monitoring. As with other tools that offer a fully-free vs commercial version tradeoff, you must decide whether you have (or will develop) the expertise and time to use the free tool, or whether it would be more cost-effective to pay for the automation and support of the commercial version.

9. Kentik Detect

Kentik Detect, in contrast to the traffic analyzer tools above, is a pure Software-as-a-Service (SaaS) system. As such, it offers the scalability of the cloud.

Networks are growing, and off-premises network resources are more vital to success. Thus, traffic data is becoming big data, and cloud-based big data solutions start to make sense.

Kentik aims to capture the details of multiple types of data, provide a unified view of all of it, and provide interfaces for accessing the data and integrating with other systems. Kentik Detect is composed of a custom high-availability time-series datastore (Kentik Data Engine) and a UI (Kentik Portal). Protocols include NetFlow, IPFIX, sFlow, SNMP, and BGP.

Screenshot of a dashboard in Kentik Detect's web-based user interface
A Kentik Detect dashboard

Key Features:

  • SaaS package
  • NetFlow, sFlow, IPFIX, and SNMP
  • Data explorer

Kentik Portal is a web-based interface (of course) and provides a growing range of configurable dashboards.

Screenshot showing a traffic overview dashboard of Kentik Detect
Kentik traffic overview dashboard

The Data Explorer permits ad-hoc exploration of the collected network data. You can quickly drill down and filter on potentially billions of records, obtaining views in the form of tables and graphs.

Screenshot showing the Kentik Detect dashboard to set a policy which can trigger an alert.
Setting policies to configure alerts

Alerting to notify you of unusual conditions can be set up by creating policies that define when an alert will enter the alarm state. Alerts can be sent by various media, including email, Slack, paging, etc.


Pros:

  • Uses a mix of live reporting and simple graphics to display NetFlow metrics
  • Filters are intuitive and allow you to quickly view historical data collected
  • Supports multiple NetFlow protocols

Cons:

  • Only available in SaaS form
  • Kentik Portal user interface could be made easier to use

Roll Your Own

Perhaps none of the above pre-packaged NetFlow analyzers are customizable enough or powerful enough to meet your needs. Maybe you’re sure you can do better, or you just want to experiment with analyzing the data yourself. There are multiple packages for time-series data capture and analytics available that make this quite doable. Several are free open-source software; some are not. Some can be integrated with prepackaged analyzers, such as Plixer and ntopng.

Here are a few possibilities to check out.


Splunk

[Screenshot: Splunk Enterprise 8.0]

Splunk is a for-cost package for searching, monitoring, and analyzing/visualizing big data. Splunk captures real-time data and provides web-based facilities for analysis and visualization. Splunk has an add-on for NetFlow, and one for IPFIX.

Key Features:

  • Flexible data processor
  • NetFlow and IPFIX feeds
  • Build your own analyzer

The ELK / Elastic Stack

The ELK Stack – Elasticsearch, Logstash, and Kibana – is an open-source analytics toolset typically used with data that resembles log messages. Elasticsearch is a popular distributed search and analytics engine. Logstash is a data collection and log-parsing engine. Kibana is a browser-based data visualization dashboard for analytics and search. Logstash includes a codec for processing multiple versions of NetFlow data.

Key Features:

  • Free version
  • A suite of data collectors and analyzers
  • No pre-written searches

Several groups have used the ELK Stack with NetFlow. Cisco has a guide for doing it, and there are several other articles online. People have built systems using the ELK Stack with other popular components, such as the Riemann distributed system monitoring and alerting tool. An alternative to Logstash is Fluentd.

Telegraf, InfluxDB, Chronograf, Kapacitor

InfluxData's TICK Stack – Telegraf, InfluxDB, Chronograf, and Kapacitor – is a set of Go-based open-source tools for capturing, monitoring, and analyzing/visualizing time-series metrics data. Telegraf collects performance metrics; InfluxDB is a time-series database; Chronograf performs real-time visualization of InfluxDB data; and Kapacitor is a streaming/batch data-processing engine that can do monitoring and alerting of views of InfluxDB data. The TICK Stack has been used with network statistics from sFlow and SNMP.

Key Features:

  • Data manager
  • Can search sFlow data
  • Free to use

Another powerful tool, sometimes used with InfluxDB, is Grafana, an open-source package for time-series analytics and visualization. Grafana is analogous to Kibana, but where Kibana is log-message oriented, Grafana is metrics-oriented.

Choosing a NetFlow Analyzer or Collector

The table below shows a summary of each of these options.

Tool | Pricing | Platform | Organization size
1. SolarWinds Real-Time NetFlow Analyzer | Free Download | Windows | SOHO
2. SolarWinds NetFlow Traffic Analyzer | Free Trial | Windows | SMB to large enterprises
3. Paessler PRTG | Free Trial; for-cost tool with free starter edition for small shops | Windows | SMB to large enterprises
4. ManageEngine NetFlow Analyzer | Free Trial; for-cost tool with free starter edition for small shops | Windows, Linux | SMB to large enterprises
5. Nprobe and ntopng | For-cost (unless non-profit) | Windows, Linux | SMB to large enterprises
6. Plixer Scrutinizer | For-cost tool with free starter edition for small shops | Hardware appliance, Windows or Linux VM, SaaS | SMB to large enterprises
7. Nagios XI and Core | Free open-source tool, or for-cost tool with support/enhancements | Linux, or on Windows in a VM appliance | SMB to large enterprises
8. Kentik Detect | For-cost tool | SaaS | SMB to large enterprises
9. WhatsUp Gold | For-cost tool with free starter edition for small shops | Windows | SMB to large enterprises
10. Roll your own | Components, paid or free open source | Varies | SMB to large enterprises

Multiple excellent tools for network monitoring and traffic analysis are available. Small organizations have an array of free choices, and large or growing organizations have many for-cost options.

In recent years, open-source solutions have become widely implemented for many types of networking software and also for business and network security applications. A benefit of open-source projects is that anyone can read the code that drives the software. Through that inspection, you can be sure that there is no malicious code hidden inside the program.

Usually, open-source projects are maintained by volunteers. The benefit of enthusiast-developed software is that it can be given away for free. The downside of this setup is that the free tools aren’t professionally managed and can contain bugs. The lack of income of free software means that the organizations that maintain it don’t have the funds to keep up with security standards or fix problems with the code.

When you consider using open-source software for network monitoring and analysis, check out the packages that interest you and test them thoroughly before you commit the network to them. Consider paying for network analysis tools in order to get guaranteed performance and also support from the commercial organizations that provide that paid software.

Anyone willing to put in the effort to learn has a toolbox of powerful components with which to roll their own solution. Your final choice depends on the size and complexity of your network, the expertise you bring (or want to develop), and how you expect your network to evolve in the future.

NetFlow Collector & Analyzer Tools FAQs

What is the difference between SNMP and NetFlow?

The Simple Network Management Protocol (SNMP) and NetFlow are two standards for querying network equipment.

SNMP is more commonly used to check on the performance of network equipment, while NetFlow enables the gathering of information about the network traffic that passes through the device.

What is the best ntopng alternative?

The free ntopng is a packet capture tool that enables header data to be sorted and grouped in order to gain statistics on network traffic. Wireshark is a good alternative that is free to use and has basic packet sorting and header analysis capabilities in its data viewer.

How do I change the MySQL port in NetFlow Analyzer from 13310?

NetFlow Analyzer is a tool provided by ManageEngine. In order to change the MySQL port used by the tool from 13310 to another port, you need to edit the mysql-ds.xml file, which is found in the /server/default/deploy directory. Look for the line jdbc:mysql://localhost:13310/netflow and change that 13310 to the number of the port that you want to use.