Why aren’t all network monitors categorized as network analyzers?
There are four types of network monitors:
- Performance monitors that use SNMP queries to get statistics from network devices
- Network testing tools, such as Ping and Traceroute
- Packet sniffers that capture packets
- Network analyzers that examine passing packets
Some network monitoring tools include a blend of these tools and some offer a bundle of network monitoring methodologies from which the user can choose.
The advantage of network analyzers is that they derive statistics from passing traffic without needing to store that traffic. Letting packets pass by doesn’t necessarily mean that all chances for historical analysis are lost.
Here is our list of the six best traffic analyzers:
- SolarWinds Network Performance Monitor EDITOR’S CHOICE While the main technique used by this network monitor is based on SNMP, the system also includes a deep packet inspection function. It runs on Windows Server. Start a 30-day free trial.
- ManageEngine Network Topology Tool with OpManager (FREE TRIAL) A network monitoring system that uses Ping sweeps and SNMP processes to watch performance. Available for Windows Server and Linux.
- Paessler PRTG This monitoring package is a bundle of monitors, which are called sensors. One sensor, called a packet sniffer, notes packet header contents but does not capture them. It installs on Windows Server.
- Splunk Stream for Splunk An add-on for a well-known network data processor. Splunk Stream can perform a full packet capture or generate metadata by reading passing packet headers. It runs on Windows, Linux, macOS, FreeBSD, Solaris 11, and AIX.
- Omnipeek A neat network monitor with some great data visualizations that sources data with a network analyzer. It runs on Windows.
- NetSpot An impressive wireless network analyzer with a signal footprint mapper.
By definition, the best network analyzers only work on live data. Once the packets have passed they cannot be recovered. If you want to store and replay packets or load older packets into a viewer for analysis then you really need a packet sniffer.
Why use a network analyzer?
The most common method of network monitoring used today is through the Simple Network Management Protocol (SNMP). This system queries network devices, such as switches and routers, for network traffic information.
Centralizing the data
The reason that SNMP is so popular is that all network device manufacturers include an SNMP agent in the firmware of their equipment. All the system lacks is a central SNMP manager to demand reports from device agents and interpret them. So, the producers of network monitoring tools just need to write that central manager in order to access a rich source of network information. This includes the make and model of each device and how they link together, which immediately creates a network inventory and a network topology map.
Many network monitoring tools include SNMP, testing tools, such as Ping and Traceroute, and a network analyzer. SNMP is a great source of information on device statuses and throughput statistics. However, it doesn’t provide actual information about the packets that pass through the devices.
Reducing packet sniffing waste
Packet sniffers are useful for examining passing traffic because the user can actually read each packet in a viewer and examine it. The problem with packet capture systems is that they can get out of hand very quickly. If the capture function is left on for more than a couple of minutes, the storage file for those packets gets enormous. It isn’t feasible to get a day’s worth of packets to look at traffic patterns around the clock.
Most data payloads nowadays are encrypted for security, so packet sniffers that copy all of every packet just manage to store a large number of undecipherable characters. A more efficient option is to copy the header of each packet and that cuts down a lot of the volume of data that needs to be stored.
Reducing storage and DPI
Even that more efficient strategy of reaping only packet headers is a little wasteful. Very little in a header is of any interest. Rather than storing a header, the packet analyzer just notes down the values of those useful fields, reducing storage to a fraction of that needed for a packet sniffer.
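To make the idea of noting down only the useful header fields concrete, here is an added example (not taken from any of the tools reviewed in this guide) that reads Ethernet/IPv4 frames, keeps a handful of header values, totals bytes per application by destination port, and never stores the payload. The port map, function names, and sample frames are assumptions constructed for illustration.

```python
import socket
import struct
from collections import Counter

# Illustrative port-to-application map (assumption; real analyzers use larger tables).
PORT_APPS = {25: "mail", 53: "dns", 80: "http", 443: "https"}

def parse_frame(frame):
    """Extract only the useful header fields of an Ethernet/IPv4 TCP or UDP frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                              # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 4:
        return None
    total_len, _, frag = struct.unpack("!HHH", ip[2:8])
    proto = ip[9]
    if proto not in (6, 17) or frag & 0x1FFF:             # non-first fragments have no ports
        return None
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "proto": "tcp" if proto == 6 else "udp",
            "sport": sport, "dport": dport, "bytes": total_len}

def analyze(frames):
    """Aggregate bytes per application from header fields; payloads are never kept."""
    per_app, skipped = Counter(), 0
    for frame in frames:
        rec = parse_frame(frame)
        if rec is None:
            skipped += 1
            continue
        per_app[PORT_APPS.get(rec["dport"], "port-%d" % rec["dport"])] += rec["bytes"]
    return dict(per_app), skipped

def make_frame(src, dst, proto, sport, dport, payload_len):
    """Build a constructed sample frame (checksums left zero; the parser ignores them)."""
    l4 = struct.pack("!HH", sport, dport) + bytes(16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + payload_len, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return bytes(12) + b"\x08\x00" + ip + l4 + bytes(payload_len)

SAMPLE = [  # constructed traffic using documentation address ranges
    make_frame("192.0.2.10", "198.51.100.5", 6, 50000, 443, 1000),
    make_frame("192.0.2.10", "198.51.100.5", 6, 50000, 443, 500),
    make_frame("192.0.2.11", "198.51.100.53", 17, 40000, 53, 30),
    bytes(12) + b"\x86\xdd" + bytes(40),   # IPv6 ethertype: skipped by this IPv4-only parser
]
print(analyze(SAMPLE))
```

The sample contains only client-to-server packets; reply traffic carries the service port in the source field, so a production analyzer would check both ports before labelling a flow.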
You might end up using a network analyzer without realizing it. Security software, including firewalls, uses network analyzer techniques. With security systems, the examination of packet headers is called “Deep Packet Inspection” (DPI). While network analyzers note down data from passing packets, firewalls will search for specific identifiers and block packets that match or, in some cases, block packets that don’t match.
The best network analyzers
In this guide, we look at network monitoring tools that only use network analysis techniques such as deep packet inspection. We also look at those that offer packet analysis as an extra function.
Our methodology for selecting a network analyzer
We reviewed the network analyzer market and analyzed tools based on the following criteria:
- The capability to communicate with switches through NetFlow, sFlow, J-Flow, IPFIX, NetStream, and AppFlow
- The option to capture packet streams, just headers, or sample periodic packets
- Alerts on traffic surges
- Network path analysis to spot bottlenecks
- Protocol analysis
- Support to implement traffic shaping measures
- The offer of a free usage period for assessment
- A reasonable price that reflects the quality of the product
There is more detail about each of these network analyzers in the following sections of this guide.
SolarWinds includes a network analyzer tool in its Network Performance Monitor even though the main monitoring mechanism of this service is through SNMP. While SNMP provides constant live network checks, a network analyzer, called Deep Packet Inspection, is provided as Quality of Experience statistics.
- Focuses on quality of experience
- Demonstrates response times
- Drills down to application statistics
- Attractive graphs
- 30-day free trial
The DPI service is what is often called “protocol analysis”. It examines traffic per application, which is information that can be derived by looking at the destination port number written into each packet header. The network analyzer demonstrates response times per application and the user can set delivery time targets and create custom alerts for these goals.
As well as showing the traffic for each individual application, the screens aggregate data by application category. It creates grouped statistics that indicate business or social use. However, it is difficult to work out how accurate that information can be – “social” doesn’t necessarily mean personal use. For example, many businesses use social media for platforms and many business applications can also be used for personal use.
- Deep packet inspection
- Quality of Experience measurements
- Response time monitor
- Usage categorization
- SNMP-based device monitoring
- No SaaS version
The software for the Network Performance Monitor installs on Windows Server. The tool is available on a 30-day free trial.
The SolarWinds Network Performance Monitor is our top choice as a network analyzer because it offers many forms of network examination techniques as well as packet inspection. The availability of SNMP monitoring and network performance testing tools as well as deep packet inspection functions makes the NPM a very powerful tool, enabling network administrators to get a deep understanding of network activity.
Start 30-day Free Trial: solarwinds.com/network-performance-monitor
OS: Windows Server 2016 or later
ManageEngine OpManager uses an autodiscovery feature and network topology mapping to analyze a network in real-time and make all of its elements available for status checks. The system constantly revises its network exploration so any changes to the network get immediately registered in the network inventory and appear as automated alterations to the network topology map.
- Constant status checks
- Live network map
- Virtualization monitoring
- Performance impairment alerts
- Additional server monitoring
The OpManager system uses Ping and the Simple Network Management Protocol (SNMP) to poll all network devices for availability, response times, and status reports. The service is able to detect when traffic surges are overloading network devices and includes reports on CPU, memory, and storage space availability that show the device’s ability to cope with extra load.
All monitored metrics have performance thresholds placed on them and these will trigger alerts if systems face problems. Each device can also report to the OpManager module if it faces status errors. These alerts appear in the dashboard for the service and they can also be sent out as notifications by email or SMS to IT technicians.
- Performance detection with Ping and SNMP
- Self-hosted cloud option
- Autodiscovery and network mapping
- Capacity alerts
- Cloud installation is not a SaaS package
OpManager is implemented as on-premises software that runs on Windows Server or Linux. The package also includes monitoring for virtualizations, servers, and applications, such as VoIP, email, and Web services. You can try out this monitoring system on a 30-day free trial.
Paessler PRTG is a three-in-one system monitor that monitors networks, servers, and applications. The package is a bundle of monitors, each called a sensor. The price of the service depends on how many sensors the user wants to turn on.
- Segments traffic statistics
- Data represented as dials
- Drill-down detail access
- Doesn’t store packets
- 30-day free trial
One of the sensors in PRTG is the Packet Sniffer. A packet sniffer saves packets while a network analyzer just records packet header data. Paessler states that its packet sniffer does not record packets. Therefore, it is actually a network analyzer.
The packet sniffer sensor has its own screens in the PRTG dashboard. This shows statistics about live traffic as dials, with the speed of each category of traffic indicated. Traffic categories include mail, infrastructure, and file transfer activities.
The screens of PRTG are very attractive with colorful graphs and charts and drill-down details accessible by clicking on a feature in an overview screen. The screens for the packet sniffer can be customized and it is even possible to create entirely new screens that contain data panels from different standard screens.
- Traffic analysis protocols
- Packet capture and protocol analysis
- SNMP-based network device monitoring
- No packet viewer
The PRTG system installs on Windows Server and can be experienced on a 30-day free trial which includes unlimited sensors.
Splunk is a very widely-used network monitor. The Splunk methodology involves deriving network performance statistics and then saving them to a file. Those records are then interpreted for view by the user in the system dashboard.
- Records packet header statistics
- Doesn’t store packets
- 60-day free trial
The Splunk system is very flexible and can be expanded by add-ons, which are called apps. One of the apps available for Splunk is called Splunk Stream, which is free. Splunk Stream is a network analyzer that gathers detailed stats about network traffic.
- Interfaces with libpcap and WinPcap for packet capture
- Free add-on to Splunk
- NetFlow, jFlow, sFlow, and IPFIX
- Free Splunk is now only for a trial period
Splunk is available in both free and paid versions. The paid version of the service is called Splunk Enterprise. The software for Splunk can be installed on Windows, Linux, macOS, FreeBSD, Solaris 11, and AIX and there is also a cloud-based SaaS version, called Splunk Cloud. Splunk offers free trials of Splunk Enterprise for 60 days or Splunk Cloud for 15 days.
While the previous three tools on this list offer a network analyzer as an extra feature to their network monitoring system, Omnipeek is a pure network analyzer. The full description of this system is a network protocol analyzer. This is because the main advantage that network analyzers have over SNMP network performance monitors is that they can see the port information in the packet header and port numbers can easily be interpreted into protocols and, therefore, applications.
- Live traffic data
- Analytical tools
- 30-day free trial
Omnipeek is a very impressive network traffic monitor with excellent visualizations of live data and additional analytics screens. Traffic data is presented as an overview with statistics available per application. A live data flow graph also shows traffic response times as they adjust with each packet sample. Each application element in the overview is an active link through to a details screen that shows more statistics for the chosen protocol. The main concern of Omnipeek is response times per protocol and traffic volumes.
The system can be extended by plugins that include topology maps and actual world map views of WANs. The service is available as software or as an appliance. There is also a USB device available for Omnipeek that will scan wireless networks for protocol data.
Remote networks can be monitored centrally with the installation of an agent program. This facility also makes Omnipeek a suitable tool for Managed Service Providers (MSPs). The system also includes a remote control mechanism that gives support center technicians direct access to remote endpoints for troubleshooting – another facility that makes Omnipeek attractive to MSPs.
- A network protocol analyzer
- Live traffic graphs
- Appliance-based option
- No packet viewer
Omnipeek installs on Windows and Windows Server and it is offered on a 30-day free trial.
NetSpot is one of many wireless network analyzers available on the market but it is arguably the most appealing because it is available in free and paid versions and it is suitable for both home and business use.
- Wireless network activity
- Floorplan overlay
- Free version
The console of the service has two main views. One is a table showing all of the nearby wireless devices and the second is a plan view of the property. The plan view is a very attractive feature. However, it needs to be set up. The user needs to get a floorplan of the property into the system that is difficult to match up with the way that NetSpot sees its surroundings. Without a custom floor plan, NetSpot shows a default location layout, which, of course, will have no relation to the actual floorplan of the premises.
NetSpot installs on Windows and macOS. As well as the free version, there are three paid editions, with progressively more expensive versions including more features. There is no free trial offer of the paid versions because potential customers can just download the free edition for that purpose.
- Wireless network analyzer
- Signal footprint maps
- Signal channel details
- Although the plan feature looks good it takes a lot of work to set up
Choosing a Network Analyzer
If the statistics are gathered in a well-indexed way with lots of detail added to each metric, then time segments can be reassembled to create very insightful graphs of traffic. This can occur without having to search through the actual traffic all over again.
Network Analyzer FAQs
What is the best free network analyzer?
Nmap is a widely used free network analyzer. For a great free wireless network analyzer, look at NetSpot on our list.
What benefit does network analysis provide over other types of tools that enhance connectivity?
Network analysis usually involves examining the packet headers of traffic samples. This is a time-consuming task and should only be used as a last resort after the use of automated traffic analysis tools. If standard traffic monitoring doesn’t solve your network’s problems, network analysis can show you where your big traffic generators are.