When your organization’s network is behaving strangely, how do you know what’s going on inside it?
If you have just a few segments connected by a handful of switches or routers – like a simple small-office/home-office (SOHO) network – you might be fine with basic network monitoring tools, such as the simpler ones from among our lists of the best packet sniffers and network analyzers and best free bandwidth monitoring software.
But when you grow to be a larger organization that relies on a complex high-performance network, you need more powerful help. Monitoring and analysis tools assist you with diagnosing and troubleshooting problems with reliability, performance, and security; they give you early warnings of problems; and they provide the visibility and historical insight you need for network planning.
Happily, business-grade network devices, as well as many host operating systems, have built-in network monitoring facilities that gather key metrics for you and forward them to analysis tools. The most common protocols for this are NetFlow and sFlow. Previously we discussed the Best free NetFlow analyzers and collectors (including an Intro to traffic monitoring and analysis). Now we will look at the best free sFlow collectors and analyzers.
1. SolarWinds sFlow Collector and Analyzer
SolarWinds produces a suite of products for comprehensive network monitoring and management. For NetFlow they offer a free tool, the Real-Time NetFlow Traffic Analyzer, which we looked at as part of Best free NetFlow analyzers. SolarWinds does not offer a parallel free sFlow tool. The SolarWinds sFlow Collector and Analyzer is a feature of the NetFlow Traffic Analyzer (NTA) which is a module in the Network Performance Monitor (NPM). NTA and NPM are not free, but both are available in a 30-day fully-functional trial.
Once installed, NPM and NTA offer you a wide range of sophisticated facilities for managing multi-vendor networks: bandwidth monitoring, traffic analysis, performance analysis, alerts, customizable reports, policy optimization, etc.
Despite the name, the NetFlow Traffic Analyzer can handle both NetFlow and sFlow. As an sFlow collector, it gathers flow data exported by the sFlow-enabled devices tracked by the SolarWinds network monitoring software.
The default NetFlow Traffic Analyzer Summary has multiple sections like Top 5 Applications, Top 5 Endpoints, Top 5 Conversations, Top 10 Sources by % Utilization, etc.
As an sFlow analyzer, NTA identifies the users, applications, and protocols consuming the most bandwidth. You can sort by ports, source, destination, and protocols, and view traffic patterns over minutes, days or months.
NTA and NPM are enterprise-grade packages, so even the free trial will consume considerable resources on your system. If you have a sophisticated network with sFlow-enabled devices, NTA’s sFlow capabilities are worth exploring.
2. inMon sFlowTrend
sFlowTrend is a basic but capable network and server monitoring tool from inMon, the originators of sFlow.
The free version of sFlowTrend accepts sFlow data from up to five switches/routers or hosts and maintains only one hour of history in RAM. The pro version does not limit the number of hosts and switches monitored, and stores history to disk.
The tool is implemented in Java and provides a Java-based or web-based user interface. Online help gives you step-by-step instructions for configuring the tool.
The Dashboard tab gives an overview of the current state of the monitored network and hosts, including top-level thresholds and interfaces with potential errors. On the Network tab, sflowTrend shows performance statistics as summaries and details of traffic at the network or device level. You can define Thresholds to receive alerts when abnormal levels of traffic or errors occur. On the Network > Root cause tab you can explore the cause of a traffic anomaly such as a threshold violation.
The Hosts tab provides tabular and graphical performance data on network, CPU, disk, etc, for servers – including virtual servers – that are exporting sFlow data. The Services tab provides performance metrics for applications (including various webservers) that export sFlow data.
The Events tab provides a log of events such as thresholds crossed or errors detected. The Reports tab provides access to canned reports, supports defining custom reports, and lets you run reports and view the results.
sFlowTrend is a straightforward tool that offers a lot to smaller organizations whose network devices, hosts, and services are sFlow enabled.
3. ManageEngine NetFlow Analyzer
We’ve looked in detail at the features of ManageEngine’s NetFlow Analyzer before. NetFlow Analyzer gives you visibility into traffic and bandwidth by application, conversation, protocol, etc; it lets you set alerts based on traffic thresholds; and it has a variety of useful canned reports, ranging from troubleshooting support to capacity planning and billing, as well as facilities for creating custom reports.
The ManageEngine NetFlow Analyzer can also handle sFlow. You can enable sFlow on the interfaces of sFlow-enabled devices and the NetFlow Analyzer will collect and analyze sFlow information.
The web-based default dashboard includes a heat map showing the status of monitored interfaces and several real-time pie charts summarizing top applications, top protocols, top conversations, recent alarms, top QoS, and more. There are specific displays of security anomalies detected.
The free version allows unlimited monitoring for 30 days but then reverts to monitoring only two interfaces. You can graduate to a variety of related products to expand beyond traffic analysis into a full network management suite.
4. ntopng and nProbe
The open-source traffic analysis tool ntopng does passive network monitoring based on flow data and packet capture; it uses nProbe for collecting flow data from devices and hosts that export it. We’ve examined the capabilities of ntopng and nProbe for NetFlow monitoring and analysis before. They can also handle sFlow.
ntopng’s web-based user interface rolls up data into traffic (eg, top talkers), flows, hosts, devices, and interfaces. The flow display shows application protocols (eg Facebook, YouTube), and can list latencies and TCP statistics (eg packet loss). You can set alerts based on many criteria.
nProbe can be test-driven for free but is limited to 25000 exported flows. You can get the less-restricted versions of ntopng and nProbe by buying licenses. Educational and nonprofit organizations can qualify for free licenses.
5. Plixer Scrutinizer
Plixer Scrutinizer(R) is a sophisticated flow-oriented traffic analysis system with particular focus on security forensics (it’s called the “Scrutinizer Incident Response System”). It supports both NetFlow and sFlow.
Scrutinizer can be installed as a dedicated physical appliance, as a virtual machine running on a server, or as a SaaS solution running in the cloud (public or hybrid). It’s a sophisticated system, so even the free trial on a virtual machine demands considerable resources (eg, a dedicated 16GB of RAM).
Scrutinizer is designed for high performance and scalability from small to very large environments. It provides a rich range of analysis and reporting features.
The trial includes full access for 30 days. After that, the free version has a limit of 10K flows collected per second, five hours of raw flows kept, and one week of historical summaries maintained. The paid version includes notifications, dashboard customization, custom reports, scheduled email reports, and support. License pricing depends on the platform chosen and the number of flow exporters to be supported.
If your installed devices primarily support sFlow, there are multiple excellent tools for network monitoring and traffic analysis, including free options. As usual, your final choice depends on the size and complexity of your network, and how you expect it to evolve in the future.
“Network cobweb” by geralt, licensed under CC0.