Before I get into what a NetFlow Analyzer is, let's go back and understand a bit of history regarding network traffic analysis. Almost since the inception of LANs and WANs, business managers have wanted to know who was using the network and what the top applications were on the connections. Almost immediately packet analyzers emerged to provide some of the insight needed, but historical detail was lacking, and the cost of maintaining them at every place they were needed on the network was, and still is, prohibitive.


Although SNMP was developed to provide a standardized way to manage network devices, it also provided the historical insight needed to understand high-level trends over time. The problem was, and still is, that it lacks forensic insight. RMON was released to supply the traffic details missing from early versions of SNMP, but it didn't scale, lacked vendor support and was expensive. Along came NetFlow.

What is NetFlow


NetFlow is a push technology. In other words, when it is enabled on a router, switch or server, it sends a steady stream of flow information to a destination, typically one or more NetFlow collectors. In contrast, packet analysis is a passive technology where the device listens on a spanned port and slurps in the packets for real-time capture and observation. SNMP, on the other hand, is a polling technology where the poller asks the devices for information every few minutes or seconds. The efficiency of one technology over another is debatable and not going to be broached in this post. However, the skillset needed to trend and report on the data for network traffic analysis is where we need to focus.

  • Packet capture and analysis at scale requires expert knowledge of how to ingest hundreds of millions of packets per second, save them and make them available for reporting in a timely manner. It is one thing to collect the data, but allowing the user to query it and quickly mine for what they are looking for requires specialization and serious database forethought.
  • SNMP polling and analysis at scale requires expert knowledge of how to query tens of thousands of devices for both similar and unique object identifiers (OIDs). Fast retrieval is generally easier than with packet capture, but managing the sheer volume of devices in a scalable way takes considerable time to engineer.
  • NetFlow collection and analysis at scale requires a very well thought out database architecture which can shard the data across multiple servers, allow for distributed collector queries and provide the stitching and deduplication that is often requested across the entire architecture. Reporting speed for most vendors is a major problem.

A NetFlow Analyzer is a solution that collects flows, monitors them for unwanted traffic patterns and provides fast reporting with very flexible filtering. Ultimately, the customer needs to be made aware of a problem fast and be given the ability to narrow in on the source of the enigma without delay. BUYER BEWARE: most vendors claim these capabilities, and only a good stress test with a heavy, prolonged volume of flows will separate the NetFlow add-on module vendors from the specialists truly dedicated to the flow industry.
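As an added illustration (not Plixer's or Scrutinizer's code), here is a minimal collector-side parser for the NetFlow v5 export format together with the two jobs the paragraph above assigns to an analyzer: a top-talkers report and a check for one unwanted traffic pattern, run against a constructed datagram. The v5 wire layout is the standard one; the sample addresses, the port-fan-out threshold and the function names are assumptions made for this example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

# NetFlow v5 wire layout: 24-byte header, then 48-byte records, big-endian.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

def parse_v5(datagram: bytes):
    """Return (header fields, flow records) for one exported v5 datagram."""
    version, count, _uptime, _secs, _nsecs, seq, _et, _eid, sampling = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    records = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "packets": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13]})
    # Low 14 bits of sampling_interval hold the 1-in-N rate; 0 means unsampled.
    return {"sequence": seq, "sampling": sampling & 0x3FFF}, records

def top_talkers(records, n=3):
    """Octets per source, descending: the classic 'who is using the network' report."""
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["octets"]
    return sorted(totals.items(), key=lambda kv: -kv[1])[:n]

def fan_out(records, threshold=10):
    """(src, dst) pairs whose flows hit many distinct destination ports: an unwanted pattern to alert on."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src"], r["dst"])].add(r["dport"])
    return {k: len(v) for k, v in ports.items() if len(v) >= threshold}

def build_sample() -> bytes:
    """Constructed export: one large HTTPS transfer plus 12 tiny probes from another host (assumed data)."""
    def rec(src, dst, octets, sport, dport):
        return REC.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                        1, 2, 10, octets, 1000, 2000, sport, dport, 0, 0x02, 6, 0, 0, 0, 24, 24, 0)
    recs = [rec("10.1.1.5", "10.2.2.20", 5_000_000, 51000, 443)]
    recs += [rec("10.1.1.9", "10.2.2.20", 60, 40000 + p, p) for p in range(1, 13)]
    return HDR.pack(5, len(recs), 123456, 1_700_000_000, 0, 77, 0, 0, 0) + b"".join(recs)

if __name__ == "__main__":
    header, flows = parse_v5(build_sample())
    print(header, top_talkers(flows), fan_out(flows))
```

A real collector would feed `parse_v5` from a UDP socket and watch the `sequence` field for gaps, which is how dropped export packets show up.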

Comparing NetFlow Analyzers

When comparing systems, it is best to use a UDP forwarder which receives flows from one or more sources and forwards them on to multiple collectors. This is done by replicating the UDP flow packets and changing the destination IP addresses, all while leaving the original source IP address intact as it was received. This ensures that each NetFlow Analyzer being compared receives exactly the same flows. These UDP forwarding systems allow for a side-by-side comparison of features and functions. Download our NetFlow Analyzer and put it to the test.

Michael


Michael is one of the Co-founders and the former product manager for Scrutinizer. He enjoys many outdoor winter sports and often takes videos when he is snowmobiling, ice fishing or sledding with his kids. Cold weather and lots of snow make the best winters as far as he is concerned. Prior to starting Somix and Plixer, Mike worked in technical support at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix which later became Plixer.
