Networks are a tough thing to manage and monitor. That is understandable: network traffic travels inside copper cabling or optical fibers and cannot be seen directly, which makes it hard for any administrator to have a clear and definite picture of what is going on with the networks they manage. This is where network monitoring comes in. Several levels of monitoring are available, each providing more information about the traffic than the last, and deep packet inspection sits at the top, providing the most. To perform deep packet inspection you need proper tools, and today we're reviewing some of the best tools for the job.
Before we start, we'll try to explain deep packet inspection, since everyone seems to have a conflicting idea of what it is and what it should be. The deep packet inspection of interest to us today has to do with network monitoring, another vague term. To shed some light on the subject, we'll discuss monitoring in general and flow analysis in particular, as it constitutes a form of deep packet inspection. And since Cisco's NetFlow technology is the most prevalent, we'll have a deeper look at it. Only then will we be ready to reveal the best tools for deep packet inspection and offer a brief review of each.
Deep Packet Inspection Explained
Deep packet inspection is defined as the act, for a network infrastructure component, of analyzing the content of data packets beyond simply looking at the packet header to gather statistics about network traffic or for filtering, prioritization or intrusion detection purposes. While this definition is relatively accurate, it is a bit generic. Furthermore, what deep packet inspection is can vary based on what you’re trying to accomplish. The deep packet inspection done for statistics gathering purposes, for instance, is different from deep packet inspection done for filtering out some traffic. In the context of this article, what we’re interested in is mostly statistics gathering. The tools we’ll be reviewing momentarily are essentially advanced monitoring tools.
About Monitoring Tools
Network monitoring, just like deep packet inspection, is not a clearly defined term. The most basic form is bandwidth monitoring, typically done with the Simple Network Management Protocol (SNMP): the monitoring system polls each interface's byte counters at regular intervals and derives throughput from the difference between successive readings. This is very useful for getting a clear picture of your network's utilization, but it has limitations. While it gives you the average bandwidth utilization on a given interface, it won't tell you what is using up that bandwidth.
For a clearer picture of what traffic is transported on a network, you need flow analysis. Flow analysis goes much deeper than bandwidth monitoring and can provide detailed information. It relies on the networking devices themselves to send traffic information to monitoring systems called collectors and/or analyzers, which interpret the flow data and present it in meaningful ways. Flow analysis will, for example, let you see how network traffic is distributed among all the sources and destinations, and it will tell you which protocols and which types of traffic are in use.
Flow analysis can be considered a form of deep packet inspection in that it goes beyond counting bytes on an interface to characterize the traffic itself: which hosts talk to which, over which protocols and ports, and, when the exporter adds application recognition (Cisco's NBAR2, for example, which does look into payloads to classify applications), which applications generate the traffic. Strictly speaking, a basic flow record is built from packet header fields only; the payload itself is never exported. The most common of all flow analysis technologies is certainly Cisco's NetFlow. Let's have a deeper look at it.
More About NetFlow
NetFlow was originally developed by Cisco Systems and introduced on its routers to collect information about IP traffic as it enters or exits an interface. Its original intent was to help build better Access Control Lists (ACLs). It has since grown into a full monitoring scheme, and the flow data collected by devices is now exported to dedicated collectors for storage and analysis.
The NetFlow technology has essentially three components. The first is the flow exporter, which aggregates packets into flows and exports flow records towards one or more flow collectors. The next component, the flow collector, is responsible for the reception, storage and pre-processing of the flow data received from the exporter. Finally, the flow analyzer is used to analyze the collected flow data, for traffic profiling or network troubleshooting among other uses. Many modern setups combine the flow collector and analyzer into a single, integrated component.
How NetFlow Works
Any router, switch, firewall or other device that supports NetFlow can be configured to output flow data in the form of flow records and send them to a NetFlow collector. In NetFlow terms, a flow is a unidirectional sequence of packets that share the same key fields: source and destination IP address, source and destination port, IP protocol, ToS byte and input interface. A TCP conversation therefore shows up as two flows, one per direction, and many flows traverse a single interface at any given time. The exporting device keeps flows in a cache and sends a record to the collector once it decides the flow has ended: when it sees a TCP FIN or RST, when no packet has matched the flow for the inactive timeout (15 seconds by default on Cisco devices), when a long-lived flow reaches the active timeout (30 minutes by default), or when the cache fills up.
A typical flow record packs quite a bit of information. A NetFlow v5 record, for instance, carries the input and output interface indexes, the start and end timestamps of the flow, its packet and byte counts, the source and destination IP addresses and port numbers, the IP protocol number, the TOS (Type Of Service) value, the cumulative TCP flags seen, the next-hop address and the source and destination autonomous system numbers. Flow records don't contain the actual data that made up the flow; they only contain information about the flow. This matters from a security standpoint in two ways. On the one hand, collecting flows does not expose payload such as credentials or document contents. On the other hand, flow records are still sensitive metadata (they show exactly who talked to whom, when and how much), and NetFlow exports travel over plain, unauthenticated UDP, so collectors should listen only on a management network and treat incoming records as untrusted input.
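To make the flow record and the flow analysis described above concrete, here is an added example in Python; it is not code from this page or from any of the vendors reviewed below. It serialises a handful of constructed sample flows (not captured traffic) into a NetFlow v5 export datagram following Cisco's published v5 layout, decodes that datagram the way a collector would, and then does the aggregation an analyzer does: bytes per source (top talkers), bytes per protocol, and pairing the two unidirectional flows of an exchange into one conversation. Because exports arrive over unauthenticated UDP, the decoder checks the header's record count against the datagram length instead of trusting it.

```python
"""NetFlow v5 decoding and flow aggregation, as a collector/analyzer would do it."""
import ipaddress
import struct
from collections import Counter

# Wire layout from Cisco's NetFlow v5 specification: 24-byte header, 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_MAX_RECORDS = 30  # a v5 datagram never carries more than 30 records
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample flows (not captured from a real exporter). The second entry
# is the reverse direction of the first: NetFlow flows are unidirectional.
SAMPLE_FLOWS = [
    dict(src="192.168.1.10", dst="10.0.0.5", sport=51234, dport=443, proto=6,
         pkts=40, octets=4_200, first=1_000, last=1_800, flags=0x1b, in_if=1, out_if=2),
    dict(src="10.0.0.5", dst="192.168.1.10", sport=443, dport=51234, proto=6,
         pkts=60, octets=71_000, first=1_010, last=1_800, flags=0x1b, in_if=2, out_if=1),
    dict(src="192.168.1.20", dst="10.0.0.9", sport=40001, dport=53, proto=17,
         pkts=1, octets=78, first=1_200, last=1_200, flags=0, in_if=1, out_if=2),
    dict(src="192.168.1.30", dst="203.0.113.7", sport=50000, dport=80, proto=6,
         pkts=900, octets=1_250_000, first=1_100, last=4_000, flags=0x1b, in_if=1, out_if=3),
]


def build_v5(flows, sys_uptime=5_000, unix_secs=1_700_000_000, sequence=0):
    """Serialise flows into one v5 export datagram, as an exporter would."""
    header = V5_HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            ipaddress.IPv4Address(f["src"]).packed, ipaddress.IPv4Address(f["dst"]).packed,
            b"\x00" * 4, f["in_if"], f["out_if"], f["pkts"], f["octets"], f["first"],
            f["last"], f["sport"], f["dport"], 0, f["flags"], f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + body

def parse_v5(datagram):
    """Decode a v5 datagram into flow-record dicts, rejecting malformed input."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = V5_HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # The count comes from an unauthenticated UDP packet: verify it against the
    # real length instead of using it blindly as a loop bound.
    if count > V5_MAX_RECORDS or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("record count does not match datagram length")
    records = []
    for i in range(count):
        (src, dst, _nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask,
         _pad2) = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        records.append(dict(
            src=str(ipaddress.IPv4Address(src)), dst=str(ipaddress.IPv4Address(dst)),
            sport=sport, dport=dport, proto=proto, tos=tos, flags=flags, pkts=pkts,
            octets=octets, first=first, last=last, in_if=in_if, out_if=out_if))
    return records

def is_well_formed(datagram):
    """True if parse_v5 accepts the datagram; a collector should drop anything else."""
    try:
        parse_v5(datagram)
    except ValueError:
        return False
    return True

def bytes_by_source(records):
    """Top talkers: octets sent per source address."""
    totals = Counter()
    for r in records:
        totals[r["src"]] += r["octets"]
    return totals

def bytes_by_protocol(records):
    """Protocol mix: octets per IP protocol, named where known."""
    totals = Counter()
    for r in records:
        totals[PROTO_NAMES.get(r["proto"], str(r["proto"]))] += r["octets"]
    return totals

def conversations(records):
    """Pair the two unidirectional flows of an exchange; sorting the endpoints makes A->B and B->A share a key."""
    convs = {}
    for r in records:
        ends = sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])])
        key = (r["proto"], ends[0], ends[1])
        c = convs.setdefault(key, {"octets": 0, "pkts": 0, "directions": 0})
        c["octets"] += r["octets"]
        c["pkts"] += r["pkts"]
        c["directions"] += 1
    return convs

if __name__ == "__main__":
    recs = parse_v5(build_v5(SAMPLE_FLOWS))
    print("top sources:", bytes_by_source(recs).most_common(3))
    print("protocol mix:", dict(bytes_by_protocol(recs)))
    for key, c in conversations(recs).items():
        print(key, c)
```

Run as a script, it prints the 192.168.1.30 download as the top talker, TCP dominating the protocol mix, and three conversations, the HTTPS one showing both directions merged. Feeding it a truncated or non-v5 datagram makes `parse_v5` raise rather than read past the buffer, which is the check a real collector needs because nothing in the export itself proves where it came from.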
In most environments, the flow collectors that records are sent to are also the flow analyzers. Only very large, multi-site networks will benefit from having separate collectors distributed throughout the various sites. The collectors and analyzers use the information contained in flow records to present data about network traffic in a way that is useful to network administrators. In fact, the main distinguishing factors between the different tools are how well they can make sense of the data and present it meaningfully.
The Best Tools For Deep Packet Inspection
From a monitoring standpoint, flow analysis is a form of deep packet inspection, so the tools we're reviewing today are, at bottom, NetFlow analyzers. Many of them do more than that, though, and some are part of a complete monitoring solution.
1. SolarWinds NetFlow Traffic Analyzer
SolarWinds, in the improbable case that you've never heard of the company, makes some of the best software for network and system administration. One of its flagship products, the SolarWinds Network Performance Monitor, is considered by many to be one of the best network bandwidth monitoring tools. SolarWinds also makes some excellent free tools, each addressing a specific task of network administrators; two examples are a free advanced subnet calculator and a free syslog server. And when it comes to NetFlow traffic analysis, the SolarWinds NetFlow Traffic Analyzer (NTA) is definitely one of the best NetFlow collectors and analyzers you can find.
Among the product's best features, the SolarWinds NetFlow Traffic Analyzer can monitor bandwidth use by application, protocol, and IP address group. It monitors not only Cisco NetFlow but also Juniper J-Flow, Huawei NetStream, IPFIX (the IETF standard derived from NetFlow v9) and sFlow (a separate, sampling-based standard) to identify which applications and protocols are the top bandwidth consumers. The tool collects traffic data, correlates it into a usable format, and presents it on a web-based dashboard. It also supports Cisco NBAR2 to identify which applications and categories consume the most bandwidth, giving you even better visibility into network traffic.
The SolarWinds NetFlow Traffic Analyzer is an add-on to the Network Performance Monitor (NPM). If you don't already own an NPM license, you'll have to factor in that cost; they start at $2 955 for up to 100 elements. As for the NTA add-on, its license must match the number of nodes of your NPM license, and prices start at $1 915. If you'd rather try the product before committing to a purchase, a free trial is available from SolarWinds.
2. SolarWinds Real-Time NetFlow Analyzer
If you need a smaller-scale solution, the SolarWinds Real-Time NetFlow Analyzer might be just what you need. This is one of SolarWinds' famous free tools and, although not quite as complete as the NetFlow Traffic Analyzer, it gives you some of the same basic functionality.
It can capture and analyze flow data in real time, and it will show you the type of traffic transported on your network, where it is coming from, and where it is going to. You can also use it, to a certain extent, to diagnose traffic spikes and troubleshoot bandwidth issues.
The product will let you identify which users, devices, and applications are consuming the most bandwidth; isolate network traffic by conversation, app, domain, endpoint, and protocol; and view network traffic by type and over specified time periods.
Of course, you can't expect this free software to do everything its big brother does. It has some severe limitations, and its primary focus is the current and very recent state of your network: it will only collect data from one NetFlow interface and will only keep and analyze the last 60 minutes of data.
If you need a quick and dirty view of your bandwidth usage, the SolarWinds free Real-Time NetFlow Analyzer will provide it but not much more.
3. ManageEngine NetFlow Analyzer
ManageEngine is another well-known name in the field of network management tools. Its ManageEngine NetFlow Analyzer gives network administrators a detailed view of network bandwidth utilization as well as traffic patterns. The product is controlled by a web-based interface and offers an impressive number of different views on your network.
For example, the product will let you view traffic by application, by conversation, by protocol, and several more options. You also have the possibility of setting alerts to warn you of potential issues. You could, for instance, set a traffic threshold on a specific interface and be alerted whenever it is exceeded.
But the biggest strengths of this tool are its reports and dashboard. It does come with several very useful pre-built reports that are custom-tailored for specific purposes such as troubleshooting, capacity planning or billing. And as good as its built-in reports are, the tool also allows administrators to create custom reports to their liking.
The product's dashboard is just as impressive as its reports. It includes several pie charts with things such as top applications, top protocols or top conversations. It can also display a sort of heat map with the status of the monitored interfaces. And just like the reports, the dashboard can be customized to include only the information you find useful. The dashboard is also where alerts are displayed in the form of pop-ups. On-the-go network administrators won't feel left out, as a smartphone app is available that gives access to both the dashboard and the reports.
The ManageEngine NetFlow Analyzer supports most flow technologies, including NetFlow, IPFIX, J-Flow, NetStream, and a few others. This tool also boasts excellent integration with Cisco devices, with the possibility of adjusting traffic shaping and/or QoS policies right from within the tool.
The ManageEngine NetFlow Analyzer comes in two versions. There's a free version that is limited to monitoring two interfaces. While this is not much, it could be all that you need. That free version also allows unlimited devices for the first 30 days, giving you a chance to give it a thorough test run. Once the trial is over, licenses are available in several sizes from 100 to 2 500 interfaces or flows, with prices starting at about $600 plus annual maintenance fees.
4. Paessler Router Traffic Grapher (PRTG)
PRTG from Paessler is another well-known, all-in-one solution whose primary purpose is monitoring bandwidth utilization. It’s also used to monitor the availability and health of different network resources. As such, it’s another very useful tool for network administrators. But thanks to a NetFlow sensor that is available for the product, PRTG can also serve as a NetFlow collector and analyzer.
In fact, PRTG is not just a bandwidth monitoring tool or a NetFlow collector and analyzer. It uses several technologies to monitor systems, devices, traffic, and applications. Among them, the product uses SNMP with ready-to-use and custom options, WMI and Windows performance counters, SSH for Linux/Unix and macOS systems, flows (such as NetFlow or sFlow) and packet sniffing, HTTP requests, REST APIs returning XML or JSON, Ping, SQL and many more.
Installing PRTG is easy. You simply run the installer, then the auto-discovery process will discover devices and set up sensors. You are then free to add additional sensors—such as NetFlow collectors—manually. There’s even a detailed video on Paessler’s website that will show you how it’s done.
The server runs on Windows only but its user interface is web-based and can be accessed from any browser. There’s also a mobile client app that you can install on your smartphone. The mobile client app has a unique feature in the form of QR labels that you can print and affix on your devices. Then, a scan of the code from the mobile app will quickly open that device’s sensor data.
Two versions of PRTG are available. There's a free version which is limited to 100 sensors. Be aware that a sensor in PRTG parlance is not a device. It is, instead, the most basic element that can be monitored. For example, monitoring each port of a 48-port switch requires 48 sensors, and NetFlow collection and analysis requires one sensor per flow exporter. At that rate, it's obvious that 100 sensors might not be as many as it first appeared. If you need more than 100 sensors, you'll need to purchase a license. They are available in 500, 1 000, 2 500, or 5 000 sensors, and there's also an unlimited license. Prices vary from around $1 600 to just under $15 000. The free version allows unlimited sensors for the first 30 days so you can give the product a thorough test-drive.
5. Plixer Scrutinizer
Last on our list is Scrutinizer from Plixer, another excellent NetFlow analyzer. It is actually much more than that, and some view it as a full incident response system. The product can monitor different flow types such as NetFlow, J-Flow, NetStream, and IPFIX, so you're not limited to monitoring only Cisco devices.
Scrutinizer boasts a hierarchical design which offers streamlined and efficient data collection and allows you to start small and then scale way up to many millions of flows per second. The network is often the first thing blamed whenever something goes wrong; with this tool, you can quickly find the real cause of almost any network issue. The product works with both physical and virtual environments and comes with advanced reporting features.
Scrutinizer is available in four license tiers. They range from the basic free version to the full-fledged SCR level, which can scale up to over 10 million flows per second. The free version is limited to 10 thousand flows per second and only keeps raw flow data for 5 hours, but it should be more than enough to troubleshoot network issues. You can also try any license tier for 30 days, after which it reverts to the free version.