NetFlow vs sFlow: Which One is Better For Traffic Analysis?
Cisco’s NetFlow and inMon’s sFlow are two similar yet different monitoring technologies that can provide you with a qualitative view of your network’s traffic. While bandwidth monitoring tools only tell you how much traffic passes by a specific point, flow analysis tools will tell you what that data is, where it’s coming from and going to, and a few other useful bits of information. Today, we’ll be comparing the two technologies and we’ll have a look at some of the best tools available for each. We’ll review some of the best NetFlow and sFlow analyzers and collectors we could find.
We’ll start off by describing NetFlow. We’ll do our best to explain what it is and how it works while keeping our discussion as non-technical as possible. We’ll then do the same exercise with sFlow and do our best to explain the technology. After that, we’ll have a look at how the two technologies differ. Just like before, we’ll stay away from the hard-core technical details. Next, we’ll try to answer the burning question: Which one should I use? As you’ll see there isn’t a clear and definitive answer. Finally, we’ll review some of the best flow analysis tools we could find.
NetFlow – The Original Flow Analysis Technology
Developed by Cisco Systems, the NetFlow technology was introduced on their routers to provide the ability to collect data about network traffic as it enters or exits an interface. This data can be analyzed by specialized applications to extract the source and destination of the traffic, its class of service, and, by extension, the causes of congestion.
A typical NetFlow monitoring setup consists of three main components:
- The flow exporter aggregates packets into flows and exports flow records towards one or more flow collectors.
- The flow collector is responsible for reception, storage and pre-processing of flow data received from a flow exporter.
- The flow analyzer, or flow analysis application, is used to analyze received flow data. Analysis can be used for traffic profiling, or for network troubleshooting.
How NetFlow Works
Networking devices that support NetFlow generate flow records and send them to a NetFlow collector. A flow, in this context, is a complete conversation in the IP sense. The device preparing flow records normally sends them to the collector when it determines that the flow is finished, either through aging (when there has not been any traffic within a specific timeout) or when it sees a TCP session termination.
A flow record contains information about the flow such as the input and output interfaces, the start and finish time stamps of the flow, the number of bytes and packets it contains, the layer 3 headers, the source and destination IP addresses and port numbers, the IP protocol, and the TOS value. Flow records don’t contain the actual data that made up the flow; they only contain information about the flow. This is an important security feature of this technology.
Except in huge multi-site environments, the flow collectors where the records are sent are also the flow analyzers. They use the information contained in flow records to present data about network traffic in a way that is useful to network administrators. Different NetFlow collectors and analyzers will have different ways of presenting data.
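To make the exporter’s job concrete, here is a small Python model of the aggregation and export rules described above. It is an added illustration, not Cisco’s code: the flow key and record fields follow the list in the text, while the inactive timeout, the interface numbers and the packets themselves are constructed values. Note that the Packet type carries header fields only; the exporter never needs payload, which is why the records it produces contain no content.

```python
"""Toy NetFlow-style exporter: packets -> flow records -> export.

Added illustration, not Cisco's implementation. Flow keys and record
fields follow the text; timeout and sample traffic are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

TCP = 6
TCP_FIN = 0x01
TCP_RST = 0x04
INACTIVE_TIMEOUT = 15.0  # seconds without traffic before a flow ages out (assumed)


@dataclass
class Packet:
    # Only header fields are kept: the exporter never needs the payload.
    ts: float
    in_if: int
    out_if: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tos: int
    length: int
    tcp_flags: int = 0


@dataclass
class FlowRecord:
    key: tuple          # (in_if, out_if, src, dst, proto, sport, dport, tos)
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    tcp_flags: int = 0  # OR of all TCP flags seen in the flow


class FlowExporter:
    """Aggregates packets into flows and exports finished flows."""

    def __init__(self, inactive_timeout: float = INACTIVE_TIMEOUT):
        self.inactive_timeout = inactive_timeout
        self.active: Dict[tuple, FlowRecord] = {}
        self.exported: List[FlowRecord] = []  # stands in for records sent to the collector

    @staticmethod
    def flow_key(p: Packet) -> tuple:
        # One flow per direction; reply packets form their own flow.
        return (p.in_if, p.out_if, p.src, p.dst, p.proto, p.sport, p.dport, p.tos)

    def _expire_idle(self, now: float) -> None:
        # Aging: export any flow with no packet inside the inactive timeout.
        for key, flow in list(self.active.items()):
            if now - flow.last_seen > self.inactive_timeout:
                self.exported.append(self.active.pop(key))

    def observe(self, p: Packet) -> None:
        self._expire_idle(p.ts)
        key = self.flow_key(p)
        flow = self.active.get(key)
        if flow is None:
            flow = FlowRecord(key, first_seen=p.ts, last_seen=p.ts)
            self.active[key] = flow
        flow.last_seen = p.ts
        flow.packets += 1
        flow.bytes += p.length
        flow.tcp_flags |= p.tcp_flags
        # TCP session termination: a FIN or RST ends the flow immediately.
        if p.proto == TCP and p.tcp_flags & (TCP_FIN | TCP_RST):
            self.exported.append(self.active.pop(key))

    def flush(self) -> None:
        # Export whatever is still active, e.g. when the exporter is stopped.
        for key in list(self.active):
            self.exported.append(self.active.pop(key))


def demo() -> List[FlowRecord]:
    """Constructed traffic: a TCP session closed by FIN and a DNS query that ages out."""
    ex = FlowExporter()
    pkts = [
        Packet(0.0, 1, 2, "10.0.0.5", "203.0.113.10", TCP, 40000, 443, 0, 60, tcp_flags=0x02),
        Packet(0.5, 1, 2, "10.0.0.5", "10.0.0.1", 17, 5353, 53, 0, 80),
        Packet(1.0, 1, 2, "10.0.0.5", "203.0.113.10", TCP, 40000, 443, 0, 1400, tcp_flags=0x10),
        Packet(1.2, 1, 2, "10.0.0.5", "203.0.113.10", TCP, 40000, 443, 0, 52, tcp_flags=0x11),
        Packet(30.0, 1, 2, "10.0.0.7", "203.0.113.10", TCP, 41000, 443, 0, 60, tcp_flags=0x02),
    ]
    for p in pkts:
        ex.observe(p)
    ex.flush()
    return ex.exported


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Running the demo exports three records: the HTTPS session (3 packets, 1512 bytes) as soon as the FIN is seen, the DNS query once the 15-second inactive timeout has passed, and the last session when the exporter is flushed. The collector only ever learns who talked to whom, when, and how much, which is the point the text makes about flow records carrying no packet content.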
sFlow – A Distant Relative
The “s” in sFlow stands for “sampling”. This is crucial to its operation and it is where it differs from other flow analysis systems. Just like NetFlow, this technology only works with sFlow-enabled devices. Fortunately, these devices are quite common among the major networking equipment manufacturers.
The sFlow standard is maintained by the sFlow.org consortium but it is the brainchild of inMon corporation who still exercises almost absolute control over its evolution and development. Major equipment manufacturers such as Alcatel-Lucent, Aruba, Brocade, Cisco, Dell, Hewlett Packard, IBM, and many more—over 300—include sFlow support in many of their products.
sFlow is a stateless packet sampling protocol. The “Flow” part of the protocol’s name might be misleading as sFlow actually has no notion of aggregating data packets into high-level flows as NetFlow does. It only works in terms of packets.
sFlow’s general packet sampling spans the network layers up through layer 7. Running within the networking device, the sFlow exporter collects prefixes from a subset of all the packets passing through the monitored interface. Administrators can choose to sample one packet every N packets, but the exporter also picks random packets and includes them in its record. The exporter then assembles the initial bytes of each sampled packet together with device counters and sends it out to the sFlow collector. The device does not cache any of the data or sampled packets, reducing resource usage and making it easy to scale up to high-speed networks.
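The following Python model shows both halves of that process: a stateless sampler that keeps only interface counters and the first bytes of each sampled packet, and the collector-side arithmetic that scales samples back up to an estimate of the full traffic. It is an added illustration, not inMon’s code; the 1-in-100 rate, the 128-byte header prefix, the sample dictionary layout and the traffic mix are all constructed for the example. It also goes one step beyond the text by contrasting randomized sampling with strict every-Nth sampling on periodic traffic.

```python
"""Toy sFlow-style packet sampler and collector-side scaling.

Added illustration, not inMon's implementation. Sampling rate, header
length and the traffic mix are constructed values.
"""
import random
import struct
from typing import Dict, List, Optional

SAMPLING_RATE = 100  # 1 in 100 packets on average (assumed)
HEADER_BYTES = 128   # prefix of each sampled packet that is exported (assumed)


def make_frame(src_ip: str, dst_ip: str, payload_len: int, proto: int = 17) -> bytes:
    """Minimal Ethernet + IPv4 frame used as constructed sample traffic."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + b"\x00" * payload_len


def parse_ips(header: bytes):
    """Source and destination IPv4 addresses from a sampled header prefix."""
    src = ".".join(str(b) for b in header[26:30])
    dst = ".".join(str(b) for b in header[30:34])
    return src, dst


class SFlowSampler:
    """Stateless 1-in-N sampler: no per-flow table, only interface counters."""

    def __init__(self, rate: int = SAMPLING_RATE, header_bytes: int = HEADER_BYTES,
                 randomize: bool = True, seed: Optional[int] = None):
        self.rate = rate
        self.header_bytes = header_bytes
        self.randomize = randomize
        self.rng = random.Random(seed)
        self.counters = {"if_in_pkts": 0, "if_in_octets": 0}
        self.datagrams: List[Dict] = []  # stands in for datagrams sent to the collector
        self.skip = self._next_skip()

    def _next_skip(self) -> int:
        if not self.randomize:
            return self.rate - 1  # strict every-Nth packet
        # Random skip with mean rate-1: still 1 in `rate` on average, but
        # with no fixed period for periodic traffic to line up with.
        return self.rng.randint(0, 2 * self.rate - 2)

    def observe(self, frame: bytes) -> Optional[Dict]:
        self.counters["if_in_pkts"] += 1
        self.counters["if_in_octets"] += len(frame)
        if self.skip:
            self.skip -= 1
            return None  # not sampled; nothing about this packet is kept
        self.skip = self._next_skip()
        sample = {
            "sampling_rate": self.rate,
            "sample_pool": self.counters["if_in_pkts"],  # packets seen so far
            "frame_length": len(frame),
            "header": frame[: self.header_bytes],
            "counters": dict(self.counters),
        }
        self.datagrams.append(sample)
        return sample


def estimate_bytes_by_dst(datagrams: List[Dict]) -> Dict[str, int]:
    """Collector side: each sample stands for `sampling_rate` packets like it."""
    est: Dict[str, int] = {}
    for s in datagrams:
        _, dst = parse_ips(s["header"])
        est[dst] = est.get(dst, 0) + s["frame_length"] * s["sampling_rate"]
    return est


def demo(seed: int = 1, randomize: bool = True):
    """Constructed mix: 9 of every 10 packets are 1400-byte frames to 10.0.0.10;
    every 10th packet is a 200-byte frame to 10.0.0.20."""
    sampler = SFlowSampler(randomize=randomize, seed=seed)
    true_bytes: Dict[str, int] = {}
    for i in range(10_000):
        dst, size = ("10.0.0.10", 1400) if i % 10 else ("10.0.0.20", 200)
        frame = make_frame("10.0.0.5", dst, size)
        true_bytes[dst] = true_bytes.get(dst, 0) + len(frame)
        sampler.observe(frame)
    return sampler, estimate_bytes_by_dst(sampler.datagrams), true_bytes


if __name__ == "__main__":
    sampler, est, truth = demo()
    print(len(sampler.datagrams), "samples; estimated", est, "actual", truth)
```

With randomized skips the collector sees roughly a hundred samples and its scaled-up estimate for the dominant destination lands near the true byte count, while the interface counters remain exact because they are incremented for every packet. With strict every-100th sampling on this traffic, the 10.0.0.20 frames (every 10th packet) are never sampled at all, which is why the exporter mixes random picks into its schedule.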
NetFlow And sFlow – What’s The Difference?
Despite having similar names, purposes and goals, NetFlow and sFlow are actually quite different, particularly in the way each accomplishes its task.
Avi Freedman, co-founder and CEO of Kentik, summarizes the difference between NetFlow and sFlow with an analogy: “… while NetFlow can be described as observing traffic patterns (‘How many buses went from here to there?’), with sFlow you’re just taking snapshots of whatever cars or buses happen to be going by at that particular moment.” Don’t let this simplistic analogy blindly lead you into believing that NetFlow provides more information than sFlow and is, therefore, a better technology.
Although you probably get more information from NetFlow than from sFlow, it doesn’t necessarily make it a better protocol. For instance, NetFlow’s resource usage is much higher than sFlow’s. This would tend to make sFlow a more interesting option for lower-end devices. And while NetFlow might collect more information, do you really need it and is your analyzer even capable of using it?
Which One Should I Use?
Most collectors and analyzers will handle both NetFlow and sFlow information and many networking devices also support both. The main deciding factor should probably be what your equipment supports. If some of your equipment supports one but not the other, this is the one you should choose. If you mostly have Cisco equipment, why not go with NetFlow as it is Cisco’s own protocol?
You don’t have to pick sides, though. Both NetFlow and sFlow are excellent technologies. Why not use both with a collector and analyzer that can support either? You’ll be able to get flow data from your sFlow-enabled as well as your NetFlow-enabled devices.
Some of the Best NetFlow Monitoring Tools
Here are some of the best NetFlow collector and analyzer tools that we could find. We’ve included a mix of tools to give you a better idea of the variety of tools available. They all support NetFlow monitoring and all its variants such as J-flow or IPFIX, just to name a few.
1- SolarWinds NetFlow Traffic Analyzer (Free Trial)
SolarWinds is one of the best-known makers of network and system administration tools. Its flagship product, called the Network Performance Monitor, is viewed by many as the best network bandwidth monitoring tool. Likewise, the SolarWinds NetFlow Traffic Analyzer—which installs on top of the Network Performance Monitor—is one of the best IPFIX collectors and analyzers you can find.
Some of the SolarWinds NetFlow Traffic Analyzer’s best features include:
- Monitoring Bandwidth use by application, by protocol, and by IP address group.
- Monitoring IPFIX, Cisco NetFlow, Juniper J-Flow, sFlow, and Huawei NetStream flow data allowing it to identify which devices, applications, and protocols are the highest bandwidth consumers.
- Collecting traffic data, correlating it into a usable format, and presenting it to the user through a web-based interface for monitoring network traffic.
- Identifying which applications and categories consume the most bandwidth for better network traffic visibility (including Cisco NBAR2 support).
The SolarWinds NetFlow Traffic Analyzer is an add-on to the Network Bandwidth monitor. You can save by acquiring both at the same time as the SolarWinds Network Bandwidth Analyzer Pack. Prices for the bundle start at $4 910 for monitoring up to 100 elements and vary according to the number of monitored devices. While this may seem a bit expensive, keep in mind that you’re getting not one but two of the best monitoring tools available. If you’d prefer to try the product before purchasing it, a free 30-day trial can be downloaded from SolarWinds.
2- PRTG Network Monitor
The PRTG Network Monitor from Paessler AG is an all-in-one solution whose primary purpose is monitoring bandwidth utilization. It’s also used to monitor the availability and health of different network resources. These features make it a useful tool for network administrators. The tool can monitor devices over multiple sites and it can monitor LAN, WAN, VPN and Cloud Services.
Installing this product is quick and easy. After running the installer, the auto-discovery process discovers devices and sets up sensors. Paessler claims you could start monitoring within two minutes of starting the installation. While this might be a slight overstatement, we were impressed by the ease and speed of installation. Although the server runs on Windows only, the user interface is web-based and can be accessed from any browser. In addition, there’s a mobile app that you can install on your smartphone or tablet.
The PRTG Network Monitor can monitor pretty much anything, thanks to its sensor-based architecture. You can think of sensors as add-ons that are built right into the product, each having a specific purpose. There are sensors for HTTP and SMTP/POP3 (e-mail). There are also hardware-specific sensors for switches, routers, and servers. In all, the tool has over 200 different predefined sensors.
The PRTG Network Monitor offers a selection of user interfaces. You have the choice of an Ajax-based web interface or a Windows enterprise console as well as mobile apps for Android and iOS. A nice feature of the mobile apps is that they can get alerts through push notification. Standard SMS or email notifications are also available.
The PRTG Network Monitor is offered in two versions. There’s a free version which is full-featured but will limit your monitoring ability to 100 sensors with each monitored parameter counting as one sensor. For example, to monitor each port of a 48-port switch, you’ll need 48 sensors. For more than 100 sensors, you need to purchase a license. They start at $1 600 for 500 sensors. You can also get a free, sensor-unlimited and full-featured 30-day trial version.
3- Scrutinizer
Scrutinizer from Plixer is another great NetFlow Analyzer. In fact, it’s even more than that and many view it as a full incident response system. With its ability to monitor different flow types such as NetFlow, J-flow, NetStream, sFlow, and IPFIX, you’re not limited to monitoring only Cisco devices.
With its hierarchical design, Scrutinizer offers streamlined and efficient data collection and allows you to start small and easily scale way up to many million flows per second. The network is often the first thing blamed whenever something goes wrong. With Scrutinizer, you can quickly find the real cause of almost any network issue. Scrutinizer works in both physical and virtual environments and comes with advanced reporting features.
Scrutinizer comes in four license tiers that go from the basic free version to the full-fledged SCR level which can scale up to over 10 million flows per second. The free version is limited to 10 thousand flows per second and it will only keep raw flow data for 5 hours but it should be more than enough to troubleshoot network issues. You can also try any license tier for 30 days after which it will revert back to the free version.
4- ManageEngine NetFlow Analyzer
The ManageEngine NetFlow Analyzer gives the network administrator a detailed view of network bandwidth utilization as well as traffic patterns. The product is controlled by a web-based interface and offers an impressive number of different views on your network.
You can, for instance, view traffic by application, by conversation, by protocol, and several more options. You can also set alerts to warn you of potential issues. For example, you can set a traffic threshold on a specific interface and be alerted whenever traffic exceeds it.
But most of the strength of the product comes from its reports and dashboard. The tool comes with several very useful pre-built reports that are specifically tailored for specific purposes such as troubleshooting, capacity planning or billing. But you’re not stuck with built-in reports as the tool also allows administrators to create custom reports to their liking.
As for the tool’s dashboard we mentioned, it is just as impressive as its reports. It includes several pie charts with things such as top applications, top protocols or top conversations. It can also display a heat map with the status of the monitored interfaces. And as you might have guessed, dashboards can be customized to include only the information you find useful. The dashboard is also where alerts are displayed in the form of pop-ups. And for the on-the-go network administrator, there’s a smartphone app that will let you access the dashboard and reports.
The ManageEngine NetFlow Analyzer supports most flow technologies including NetFlow (of course), IPFIX, J-flow, NetStream and a few others. As a bonus, the tool has excellent integration with Cisco devices, with support for adjusting traffic shaping and/or QoS policies right from the tool.
Like many competing products, the ManageEngine NetFlow Analyzer comes in two versions. The free version will be identical to the paid one for the first 30 days but it will then revert to monitoring only two interfaces of flows. While this is not much, it could be all that you need. If you want the paid version, licenses are available in several sizes from 100 to 2500 interfaces or flows with prices varying between about $600 to over $50K plus annual maintenance fees.
How About sFlow Monitoring Tools?
All the products we just reviewed will collect and analyze sFlow data in addition to NetFlow. For hybrid environments, they would all be great picks. But if you only have sFlow equipment, perhaps you’d rather opt for a tool that only supports that technology.
5- inMon sFlowTrend
sFlowTrend is a free monitoring tool from inMon, the company behind the sFlow technology. This free version of the software lets you gather data from up to five sFlow-enabled devices and will only keep history data in RAM for up to an hour. And if you want to step things up, you can upgrade to the pro version–at a cost, of course–which removes the number of devices limit and stores unlimited history data to disk.
The sFlowTrend Dashboard provides a quick view of the current state of the monitored devices and networks; it includes top-level thresholds and interfaces with potential errors. When one clicks the Network tab, sFlowTrend reveals summarized performance statistics and detailed traffic at the network or device level. Alerting thresholds can be defined, letting you receive alerts when higher-than-usual bandwidth usage or network errors happen. There’s even a root cause tab where you can drill down on the cause of an issue such as a threshold violation.
The Hosts tab is where you’ll find more detailed information about each device. It provides performance data on network, CPU, disk, etc., for sFlow-enabled servers, including virtual ones. Under the Services tab, you’ll find performance data for applications (including various web servers) that export sFlow data. On the Events tab, you’ll find a log of events like exceeded thresholds or detected errors. And finally, the Reports tab provides several predefined reports but it also supports creating custom reports. This is where you’ll go to run reports and then view their results.
sFlowTrend is written in Java and comes with both a Java-based and a web-based user interface. It is available for Windows, Macintosh, and Linux. There’s also online help available to assist you in configuring and using the tool. It is a great tool, especially for smaller organizations with sFlow-enabled equipment. And the upgrade path to the pro version makes it an equally valid choice for larger networks.