sFlow is a stateless packet sampling protocol that’s aimed at monitoring high-speed networks. The “s” in the name is significant: sampling. However, the “Flow” part may be misleading: sFlow works in terms of packets only, it has no notion of aggregating packets into higher-level “flows”.
The sFlow standard was created by InMon Corporation and was made public in 2001 through the publication of RFC 3176. InMon handed over management of the standard to an industry consortium, sFlow.org, in 2003. Today, many vendors support sFlow in their devices. sFlow provides general-purpose packet sampling, spanning Layers 2 through 7, and is designed to be built into any network device. An sFlow exporter simply collects the prefixes of a subset of the packets passing through the device. The exporter samples one out of every n packets, where “n” is the chosen sampling rate; it also selects some random packets to include. It gathers the initial bytes of all sampled packets into sFlow datagrams, along with device counters, and sends the resulting UDP datagrams to the collector. There is thus no flow cache at the device. A key characteristic of sFlow is that this sampling strategy scales to high-speed networks; more on that below.
Using sFlow for network traffic monitoring
When your organization’s network is behaving strangely, how do you know what’s going on inside it? If you have just a few segments connected by a handful of switches or routers – like a simple small-office/home-office (SOHO) network – you might be fine with basic network monitoring tools, such as the simpler ones from our lists of the best packet sniffers and network analyzers and the best free bandwidth monitoring software. When your organization relies on and develops a complex high-performance network, you need more powerful help.
How is sFlow different to NetFlow?
The sFlow network messaging standard is managed and developed by an independent not-for-profit organization that is overseen by a number of network equipment and software producers. The ethos behind this administration aims to break the dominance of one network equipment supplier and create a universal standard — NetFlow is owned by Cisco Systems. The sFlow messaging system is similar to NetFlow in that it creates a format for notifications that are generated by networking equipment and can be picked up by monitoring software.
Why use an sFlow tool?
When you’re responsible for keeping the network up and performing well, it can’t be a black box to you. You need visibility. If your network is growing larger or more complex, you may need network monitoring and traffic analysis tools. Monitoring and analysis tools assist you with diagnosing and troubleshooting problems. They give you early warnings of problems and provide the visibility and historical insight you need for network planning. Business-grade network devices, as well as many host operating systems, have built-in network monitoring facilities that gather key metrics for you and forward them to analysis tools. The most common protocols for this are NetFlow and sFlow. We look at the best free NetFlow analyzers and collectors in another post. In this post, we will look at the best free sFlow collectors and analyzers.
What does an sFlow analyzer do?
The monitoring component of sFlow focuses on sampling network packets rather than collecting all passing traffic for a period. The logic behind this strategy is that any traffic that makes up a large share of the total will be just as visible in a regular sample as it is in a continuous copy of network traffic. The administrator selects the sampling frequency. If one application is generating 50 percent of all network traffic, that proportion can still be derived if you only pick up every tenth or every hundredth packet. The data collected by sFlow takes up less storage, uses less memory, and is quicker to sort through than the much larger data sets that NetFlow produces. The sFlow technique is therefore preferable for high-speed networks. As well as copying truncated versions of packets travelling on the network, an sFlow analyzer collects counters and statistical data generated by network equipment.
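To make the exporter description in the introduction and the scaling argument above concrete, here is a small decoder written for this article (it is not code from sFlow.org or from any of the tools reviewed below): it walks the sFlow v5 datagram header, the standard flow sample with its sampling rate, sample pool and drop count, and a raw packet header record, then scales the sampled frame back up by the 1-in-N rate. It assumes the commonly documented sFlow v5 field layout, handles only the standard (non-expanded) flow sample, and runs on a datagram constructed inline rather than captured from a device.

```python
import struct

def _u32(buf, off):
    # One big-endian unsigned 32-bit field; returns (value, next offset).
    return struct.unpack_from("!I", buf, off)[0], off + 4

def parse_sflow_v5(buf):
    """Decode the datagram header and every standard flow sample it carries."""
    version, off = _u32(buf, 0)
    if version != 5:
        raise ValueError("only sFlow v5 datagrams are handled here")
    addr_type, off = _u32(buf, off)          # 1 = IPv4 agent address, 2 = IPv6
    addr_len = 4 if addr_type == 1 else 16
    agent, off = buf[off:off + addr_len], off + addr_len
    sub_agent, seq, uptime_ms, n_samples = struct.unpack_from("!4I", buf, off)
    off += 16
    samples = []
    for _ in range(n_samples):
        sample_type, off = _u32(buf, off)    # enterprise << 12 | format; 1 = flow sample
        length, off = _u32(buf, off)
        body, off = buf[off:off + length], off + length
        if sample_type == 1:                 # counter samples (2) and expanded formats are skipped
            samples.append(parse_flow_sample(body))
    return {"agent": agent, "sub_agent": sub_agent, "seq": seq, "uptime_ms": uptime_ms}, samples

def parse_flow_sample(body):
    """Decode a flow sample: sampling parameters plus any raw packet header records."""
    seq, source_id, rate, pool, drops, in_if, out_if, n_records = struct.unpack_from("!8I", body, 0)
    off, records = 32, []
    for _ in range(n_records):
        fmt, off = _u32(body, off)
        length, off = _u32(body, off)
        data, off = body[off:off + length], off + length
        if fmt == 1:                         # raw packet header record: protocol, frame length, stripped, header length, bytes
            proto, frame_len, stripped, hdr_len = struct.unpack_from("!4I", data, 0)
            records.append({"protocol": proto, "frame_len": frame_len, "header": data[16:16 + hdr_len]})
    return {"sampling_rate": rate, "sample_pool": pool, "drops": drops, "in_if": in_if, "out_if": out_if, "records": records}

def estimate_bytes(sample):
    """Scale each sampled frame by the 1-in-N rate to estimate the bytes it stands for."""
    return sum(r["frame_len"] * sample["sampling_rate"] for r in sample["records"])

# Constructed datagram (not a capture): IPv4 agent 192.0.2.1, one 1-in-256 flow sample from ifIndex 3 to 5 with a 14-byte Ethernet header.
ETH_HEADER = bytes.fromhex("ffffffffffff0011223344550800")
_raw = struct.pack("!4I", 1, 1514, 4, 14) + ETH_HEADER + b"\x00\x00"   # header protocol 1 = Ethernet, padded to 4 bytes
_flow = struct.pack("!8I", 1, 3, 256, 256000, 0, 3, 5, 1) + struct.pack("!2I", 1, len(_raw)) + _raw
SAMPLE_DATAGRAM = (struct.pack("!2I", 5, 1) + bytes([192, 0, 2, 1])
                   + struct.pack("!4I", 0, 7, 123456, 1)
                   + struct.pack("!2I", 1, len(_flow)) + _flow)
```

The drop counter is worth watching in practice: a non-zero value means the agent could not export every sample it took, so scaled estimates from that datagram undercount the real traffic.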
sFlow Types and Extensions
sFlow v5 adds the ability to export host and application related data along with the packet prefixes and counters. All extensions depend on having hardware that supports them, the correct system software, and analyzer consoles that will work with them.
Here’s our list of the best sFlow collectors and analyzers:
- SolarWinds sFlow Collector and Analyzer (FREE TRIAL)
- Paessler PRTG Network Monitor (FREE TRIAL)
- InMon sFlowTrend
- ManageEngine NetFlow Analyzer
- ntopng and nProbe
- Plixer Scrutinizer
1. SolarWinds sFlow Collector and Analyzer
SolarWinds produces a suite of products for comprehensive network monitoring and management. For NetFlow they offer a free tool, the Real-Time NetFlow Traffic Analyzer, which we looked at as part of Best free NetFlow analyzers. SolarWinds does not offer a parallel free sFlow tool. The SolarWinds sFlow Collector and Analyzer is a feature of the NetFlow Traffic Analyzer (NTA), which is a module in the Network Performance Monitor (NPM). NTA and NPM are not free, but both are available in a 30-day fully-functional trial. Once installed, NPM and NTA offer you a wide range of sophisticated facilities for managing multi-vendor networks: bandwidth monitoring, network traffic analysis, performance analysis, alerts, customizable reports, policy optimization, etc. The NetFlow Traffic Analyzer’s displays are listed under Dashboards. Despite the name, the NetFlow Traffic Analyzer can handle both NetFlow and sFlow. As an sFlow collector, it gathers flow data exported by the sFlow-enabled devices tracked by the SolarWinds network monitoring software.
The default NetFlow Traffic Analyzer Summary has multiple sections like Top 5 Applications, Top 5 Endpoints, Top 5 Conversations, Top 10 Sources by % Utilization, etc.
As an sFlow analyzer, NTA identifies the users, applications, and protocols consuming the most bandwidth. You can sort by ports, source, destination, and protocols, and view network traffic patterns over minutes, days, or months. NTA and NPM are enterprise-grade packages, so even the free trial will consume considerable resources on your system. If you have a sophisticated network with sFlow-enabled devices, NTA’s sFlow capabilities are worth exploring.
2. Paessler PRTG Network Monitor
The Paessler PRTG Network Monitor is a “batteries included” solution that monitors network traffic, bandwidth utilization, the availability and health of devices on your network, and more. The free version provides unlimited sensors for a month, and thereafter is limited to 100 sensors; a sensor is an individual data stream, so each device on your network will typically require several sensors.
In PRTG’s user interface, a primary view is the device tree showing all devices and the sensors monitoring each. Devices include firewalls, routers, access points, servers, workstations, virtual servers, storage, etc. The device tree is supplemented by table views of sensors, logs, and alarms, as well as various charts and graphs for bandwidth, etc. Tables can be sorted and filtered. Drilling down through the tree view reveals indicators and metrics at every level. Alerts can be set at every level, so you can arrange to be notified about events and threshold transitions of a particular critical device, or rolled up from an overall aspect of your network. Alerts can be transmitted in multiple ways, including SMTP email and SMS text messaging. Traffic analysis facilities include built-in NetFlow support. For flow protocols, PRTG supports NetFlow, sFlow, and J-Flow. Other protocols/mechanisms used include SNMP, WMI, and packet sniffing.
The devices-and-sensors abstraction shapes the dashboards and reports too. Custom dashboards can be created, including interactive maps. There is a range of predefined reports, and facilities for designing custom reports; reports can also be scheduled. Installation is straightforward. There is a setup wizard, as well as a video providing step-by-step guidance. At installation, the core server’s local probe does auto-discovery to identify devices and set up sensors. Though PRTG is all-in-one so you don’t need multiple products and licenses to gain comprehensive monitoring, a key question to evaluate is how many sensors your network needs, and what will be the long-term cost of the sensor-based licensing model as you grow.
3. InMon sFlowTrend
sFlowTrend is a basic but capable network and server monitoring tool from InMon, the originators of sFlow. The free version of sFlowTrend accepts sFlow data from up to five switches/routers or hosts and maintains only one hour of history in RAM. The pro version does not limit the number of hosts and switches monitored, and stores history to disk. The tool is implemented in Java and provides a Java-based or web-based user interface. Online help gives you step-by-step instructions for configuring the tool.
The Dashboard tab gives an overview of the current state of the monitored network and hosts, including top-level thresholds and interfaces with potential errors. On the Network tab, sFlowTrend shows performance statistics as summaries and details of traffic at the network or device level. You can define Thresholds to receive alerts when abnormal levels of network traffic or errors occur. On the Network > Root cause tab you can explore the cause of a traffic anomaly such as a threshold violation. The Hosts tab provides tabular and graphical performance data on network, CPU, disk, etc., for servers – including virtual servers – that are exporting sFlow data. The Services tab provides performance metrics for applications (including various web servers) that export sFlow data.
The Events tab provides a log of events such as thresholds crossed or errors detected. The Reports tab provides access to canned reports, supports defining custom reports, and lets you run reports and view the results. sFlowTrend is a straightforward tool that offers a lot to smaller organizations whose network devices, hosts, and services are sFlow enabled.
4. ManageEngine NetFlow Analyzer
We’ve looked in detail at the features of ManageEngine’s NetFlow Analyzer before. NetFlow Analyzer gives you visibility into network traffic and bandwidth by application, conversation, protocol, etc; it lets you set alerts based on network traffic thresholds; and it has a variety of useful canned reports, ranging from troubleshooting support to capacity planning and billing, as well as facilities for creating custom reports. The ManageEngine NetFlow Analyzer can also handle sFlow. You can enable sFlow on the interfaces of sFlow-enabled devices and the NetFlow Analyzer will collect and analyze sFlow information. The web-based default dashboard includes a heat map showing the status of monitored interfaces and several real-time pie charts summarizing top applications, top protocols, top conversations, recent alarms, top QoS, and more. There are specific displays of security anomalies detected.
The free version allows unlimited monitoring for 30 days but then reverts to monitoring only two interfaces. You can graduate to a variety of related products to expand beyond traffic analysis into a full network management suite.
5. ntopng and nProbe
The open-source network traffic analysis tool ntopng does passive network monitoring based on flow data and packet capture; it uses nProbe for collecting flow data from devices and hosts that export it. We’ve examined the capabilities of ntopng and nProbe for NetFlow monitoring and analysis before. They can also handle sFlow. ntopng’s web-based user interface rolls up data into network traffic (e.g., top talkers), flows, hosts, devices, and interfaces. The flow display shows application protocols (e.g., Facebook, YouTube), and can list latencies and TCP statistics (e.g., packet loss). You can set alerts based on many criteria.
nProbe can be test-driven for free but is limited to 25,000 exported flows. You can get the less-restricted versions of ntopng and nProbe by buying licenses. Educational and nonprofit organizations can qualify for free licenses.
6. Plixer Scrutinizer
Plixer Scrutinizer® is a sophisticated flow-oriented network traffic analysis system with a particular focus on security forensics (it’s called the “Scrutinizer Incident Response System”). It supports both NetFlow and sFlow. Scrutinizer can be installed as a dedicated physical appliance, as a virtual machine running on a server, or as a SaaS solution running in the cloud (public or hybrid). It’s a sophisticated system, so even the free trial on a virtual machine demands considerable resources (e.g., a dedicated 16GB of RAM).
Scrutinizer is designed for high performance and scalability from small to very large environments. It provides a rich range of analysis and reporting features. The trial includes full access for 30 days. After that, the free version has a limit of 10K flows collected per second, five hours of raw flows kept, and one week of historical summaries maintained. The paid version includes notifications, dashboard customization, custom reports, scheduled email reports, and support. License pricing depends on the platform chosen and the number of flow exporters to be supported.
If your installed devices primarily support sFlow, there are multiple excellent tools for network monitoring and traffic analysis, including free options. As usual, your final choice depends on the size and complexity of your network, and how you expect it to evolve in the future.