In this section, the popular tools for network traffic flow monitoring and analysis are described. These tools generate graphs or serve as visualization tools that summarize and classify network flow information. They generally use flow information captured by other flow collectors, for example “FlowScan” (which uses data from “cflowd”) and “PRTG” (which supports all three data acquisition methods). Table 2.3 also lists other free NetFlow-like grapher tools with their main features, operating system compatibility, and input/output. “AutoFocus” and “Fluxoscope” are two other popular tools for network traffic flow monitoring and analysis.
We also list other free network traffic flow monitoring and analysis tools in table 2.4 with their main features, operating system compatibility, input and output, and primary flow collector functionality. Some tools also include report generator features. Since there are many free NetFlow monitoring and analysis tools, a list of available tools with brief descriptions and software links is given in Appendix 7 (Table 7.1).
For commercial network traffic flow monitoring and analysis tools, table 2.5 shows the commercial NetFlow reporting products listed by [Cisco, NetFlow06a]. Most products are used primarily for traffic and security analysis, and all of the companies target enterprise users. “AdventNet” and “Crannog Software” are in the lower price range, and both support only Windows. Only “Cisco NetFlow Collector” and “HP” support both Solaris and Linux. The rest support either Linux or Windows, except “Arbor Networks” (BSD only) and “Micromuse” (Solaris only). One more observation is that if the operating system is Solaris, only NetFlow data can be used.
“FlowScan” [D. Plonka, 2000] is a visualization tool that generates reports in HTML format. It is a package of Perl script modules that binds together a flow collection engine, a high-performance database, and a visualization tool. Instead of cflowd’s “arts++” data aggregation features, “FlowScan” uses RRDtool to store numerical time-series data. The RRDtool and RRGrapher modules are used to create output such as graphs of IP traffic in GIF (Graphics Interchange Format) or PNG (Portable Network Graphics) format.
“FlowScan” uses “cflowd” as its flow collector; the “cflowd” components used by “FlowScan” are the “cflowdmux” and “cflowd” programs. “cflowdmux” receives UDP NetFlow data from routers and passes it to “cflowd”, which writes it to disk. Another module, “flowscan” (not “FlowScan”), does the central processing in the system, such as loading and executing report modules. A report module is a Perl module derived from the “FlowScan” class (FlowScan.pm). A further module, “flowdumper”, is a utility for examining raw flows manually.
“FlowScan” provides an extra feature for buffer management under very high traffic volumes and flood-based DoS attacks. It also supports stateful inspection through the use of heuristics: by analyzing flow information, “FlowScan” can track the state of an application session or a series of sessions. As a result, it can classify stateful traffic such as Napster application traffic or passive-mode FTP file transfers. [D. Plonka, 2000]
Figure 2.2: Screen snapshot of FlowScan [D. Plonka, 2000]
Next, the Paessler Router Traffic Grapher (PRTG) [PRTG06] is a powerful, low-cost tool (starting from $100) for monitoring bandwidth use on Windows. PRTG is available in both a free version (limited to three sensors, for academic and personal use) and commercial versions. This tool supports all three data acquisition methods: NetFlow-like export, SNMP (which can monitor not only bandwidth usage but also CPU usage, disk usage, and temperatures), and packet sniffing (running in promiscuous mode). Administrators can use either the Windows interface or the web interface to configure and monitor the sensors and to create reports.
Figure 2.3: Screen snapshot of PRTG
“AutoFocus” is a traffic analysis and visualization tool. It analyzes traffic patterns and provides both textual reports (measured in bytes, packets and flows) and time-series plots. Its distinctive feature is that it generates reports with traffic cluster aggregation of the traffic mix. The traffic mix is defined by the source and destination IP addresses, source and destination ports, and protocol field. RRDtool is used to produce time-series plots of the traffic mix. “AutoFocus” can produce reports and plots for various time periods, ranging from weeks down to half-hour intervals, and it also supports user-defined filters. It accepts two types of input: packet header traces and NetFlow data. Sampled flows can be used with both inputs, but “AutoFocus” only compensates for sampling in the reports that measure traffic in bytes and packets, not in those that measure traffic in flows. [Cristian Estan et al., 2003]
Figure 2.4: Screen snapshot of Autofocus [http://ial.ucsd.edu/AutoFocus/]
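As an added example (not code from FlowScan, AutoFocus, cflowd or any other tool on this page), the following Python script shows what a minimal collector does with a NetFlow v5 datagram of the kind cflowdmux receives over UDP: it parses the header and flow records, clusters the flows by protocol and destination port, and applies the sampling compensation that AutoFocus applies to byte and packet counts but not to flow counts. The datagram, the addresses and the record-building helper are constructed for this example.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record

def parse_v5(datagram):
    """Parse one NetFlow v5 UDP datagram into (sampling_interval, records)."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, _uptime, _secs, _nsecs, _seq, _engine_type, _engine_id,
     sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    if len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    interval = sampling & 0x3FFF   # low 14 bits; the top 2 bits are the sampling mode
    records = []
    for i in range(count):
        f = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append({"src": str(IPv4Address(f[0])), "dst": str(IPv4Address(f[1])),
                        "packets": f[5], "bytes": f[6], "sport": f[9],
                        "dport": f[10], "proto": f[13]})
    return interval or 1, records   # interval 0 means the exporter did not sample

def aggregate(interval, records):
    """Cluster flows by (protocol, destination port). Bytes and packets are scaled
    by the sampling interval; flow counts are left unscaled, since a sampled flow
    record still represents exactly one observed flow."""
    clusters = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for r in records:
        c = clusters[(r["proto"], r["dport"])]
        c["flows"] += 1
        c["packets"] += r["packets"] * interval
        c["bytes"] += r["bytes"] * interval
    return dict(clusters)

def build_record(src, dst, packets, octets, sport, dport, proto):
    """Helper for the constructed sample below (next hop, AS numbers zeroed)."""
    return V5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
                          1, 2, packets, octets, 1000, 2000, sport, dport,
                          0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample datagram (not a real capture): 1-in-100 packet sampling, three flows.
SAMPLE = (V5_HEADER.pack(5, 3, 123456, 1700000000, 0, 42, 0, 0, (1 << 14) | 100)
          + build_record("10.0.0.1", "10.0.0.2", 10, 5000, 40000, 443, 6)
          + build_record("10.0.0.3", "10.0.0.2", 4, 600, 40001, 443, 6)
          + build_record("10.0.0.1", "10.0.0.9", 2, 300, 5353, 53, 17))
```

Feeding the parsed records into `aggregate` gives per-cluster counts in which the two TCP/443 flows stay two flows while their bytes and packets are scaled up a hundredfold.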
“Fluxoscope” (formerly NetFlow Listener) is aggregation and analysis software written in Common Lisp. Its main features include not only various types of graphical and textual reports and an interactive web-based tool, but also a NetFlow accounting processor with an SNMP agent, which can be used to access statistics on the processing of accounting data. It can support multiple NetFlow accounting streams.
The “Listener” module in “Fluxoscope” collects the accounting data that is sent to it. It applies aggregation functions to all flows, splits them into time slices, and periodically writes the data out to files. Like a general NetFlow collector, the “Listener” is best placed near the routers to reduce load and to avoid data loss. The “Data collection and maintenance module” periodically accesses the files generated by the “Listener” and copies them to central storage. It supports data compression, and data over long periods can be summed up. Finally, the “Data analysis module” analyzes the data from central storage in order to generate several kinds of reports, such as tabular data and graphical representations, for network monitoring and long-term traffic analysis. [S. Leinen, 2000]
Figure 2.5: Screen snapshot of Fluxoscope [S. Leinen, 2000]
Table 2.3: Free NetFlow Grapher tools

| Tool | Software/OS | Requirements | Functions/Features |
|---|---|---|---|
| F.L.A.V.I.O. | UNIX-like | Web/Perl, MySQL | A data grapher for NetFlow data export compatible devices |
| Flow Viewer | N/A | Web/Perl, GD, RRDTool | Web interface to Flow-tools |
| JKFlow (XML based) | Linux/Solaris | Web/RRDTool | WAN traffic monitoring |
| NfSen | BSD-like | Web/PHP, Perl, RRDTool | A graphical web-based front end for the nfdump tools |
| nfstat | UNIX-like | Web/Perl | Weekly human-readable reports from raw NetFlow v5 data |
| Ntop | UNIX-like, Linux, BSD-like, Solaris, MacOS, Windows | Web | Network traffic probe that shows network usage, similar to what the popular Unix top command does. Supports NetFlow v9 |
| ng_NetFlow | Apple Mac OS X, Linux, BSD-like, UNIX-like | N/A | A netgraph kernel module |
| Stager | Unix-like | Web/PostgreSQL | A system for aggregation and presentation of network statistics from the Flow-tools package |
Table 2.4: Free NetFlow monitoring and analysis tools

| Tool | Hardware (H)/Software (S) | Input | Output | Monitor (M)/Capture (C)/Analysis (A) | Real Time (R)/Offline (O) |
|---|---|---|---|---|---|
| Argus | (S) Linux, Solaris, FreeBSD, MAC, OpenBSD, NetBSD | packet capture files, data from a live interface | Text (log files) | M, C, A: report/audit | R, O |
| Autofocus (Cluster) | (S) N/A | packet header traces, NetFlow | GUI (Web*) visualization | A | O |
| Aflow | N/A | NetFlow | GUI (Web*) | M, C, A | R, O |
| AsItHappens | (S) Java | SNMP and NetFlow | GUI | M, C | R |
| CAIDA cflowd | (S) Unix-like, FreeBSD | flow-export data from one or more Cisco routers | Tabular summaries | M, C, A | R |
| CoMo | (S) Linux, FreeBSD | NetFlow and other traffic capture sources | N/A | M, C | R |
| CUFlow | (S) Unix-like, Debian | NetFlow | Text | M, C | R |
| CANINE | (S) Linux, MAC, Solaris, Windows | NetFlow | GUI | M, C | R |
| CoralReef (optical net) | (S) Unix-like, Linux, FreeBSD | ATM traffic, live | GUI | M, C | O |
| Cricket | (S) BSD-like, Linux, FreeBSD, HP-UX | SNMP | GUI (Web*) | A (time-series data) | O |
| dbFlowc | (S) BSD-like, Linux, FreeBSD, Solaris, Unix-like | NetFlow | Text | C (collect flows and store them) | R |
| EHNT | (S) BSD-like, Linux, FreeBSD, UNIX-like | NetFlow | Text | M | R |
| FlowScan | (S) UNIX-like | cflowd-format raw | GUI (Web*) | A: report | O |
| Flow-tools (like cflowd) | (S) Linux | NetFlow | Text | M, C, A: report (scalable) | R, O |
| Fluxoscope | (S) N/A | NetFlow | GUI, 3D visualization | M, C, A | R, O |
| Flamingo | (S) N/A | NetFlow | GUI, 3D visualization | M, C, A | R, O |
| Flowc | (S) Linux, FreeBSD | NetFlow | SQL, GUI (Web) | M, C, A: report | R, O |
| Java NetFlow Collect-Analyzer | (S) Java | NetFlow or nProbe data | Raw, JDBC | M, C, A | R, O |
| JNFA | (S) Java | NetFlow | SQL | M, C, A | R, O |
| NetFlow Monitor | (S) Linux | NetFlow | GUI (Web) | M, C, A | R, O |
| NeTraMet (link is no longer valid) | (S) Unix-like, DOS | NetFlow, SNMP | GUI | M, C, A | R, O |
| Netpy | (S) Linux | NetFlow | GUI (Python) | M, C, A | R, O |

* based on RRDtool files
Table 2.5: Commercial NetFlow Reporting Products [Cisco, NetFlow06b]

| Product Name | Primary Use | Primary User | Operating System | Starting Price Range |
|---|---|---|---|---|
| Cisco NetFlow Collector | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | Medium |
| Cisco CS-Mars | Security Monitoring | Enterprise, SMB | Linux | Medium |
| AdventNet | Traffic Analysis | Enterprise, SMB | Windows | Low |
| Apoapsis | Traffic Analysis | Enterprise | Linux | Medium |
| Arbor Networks | Security/Traffic Analysis | Enterprise, Service Provider | BSD | High |
| Caligare | Traffic/Security Analysis | Enterprise, Service Provider | Linux | Medium |
| Crannog Software | Traffic Analysis | Enterprise, SMB | Windows | Low |
| *CA Software | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| *Evident Software | Traffic Analysis, Billing | Enterprise | Linux | High |
| *HP | Traffic Analysis | Enterprise, Service Provider | Linux, Solaris | High |
| IBM Aurora | Traffic Analysis/Security | Enterprise, Service Provider | Linux | Medium |
| InfoVista (Crannog) | Traffic Analysis | Enterprise, Service Provider | Windows | High |
| IsarNet | Traffic Analysis | Enterprise, Service Provider | Linux | Medium |
| *Micromuse | Traffic Analysis | Enterprise, Service Provider | Solaris | High |
| NetQoS | Traffic/Security Analysis | Enterprise | Windows | High |
| Valencia Systems | Traffic Analysis | Enterprise | Windows | High |
| Wired City | Traffic Analysis | Enterprise | Windows | High |