Best Free NetFlow Collector

Michael Patterson : Advanced NetFlow Traffic Analysis
Michael Patterson
Founder and Product manager for Plixer's Scrutinizer NetFlow and sFlow Analyzer as well as Flow Analytics.

I thought it was high time for me to write a post on how to go about selecting the best free NetFlow collector for your environment.  Before you make a decision, it is important to list out the features your team is going to need from the solutions you evaluate. Some of the features and functions might seem very obvious, but I'm sure I can list at least a few that you may not have considered.

  1. Easy-to-use interface: this doesn't just mean an intuitive interface.  The focus here is on speed to incident response. How quickly can you drill down and add filters?  Is it drag and drop, or move your mouse and type?
  2. Can you filter on anything exported in the flows? Some solutions are limited to certain fields like IP address, port, protocol, subnet, etc.  Truly flexible solutions allow users to filter on anything that is exported in the NetFlow/IPFIX template.  Examples include DNS lookup, URL, URI, latency threshold, TCP window size, VoIP caller ID, excessive packet loss, etc.  Often people don't realize that these values are exported by many flow-exporting vendors.
  3. Indexes: indexes can move the searching process from minutes to seconds.  Often we start the investigative process with an IP address. When the system is receiving flows from 1000+ routers, switches and servers, NetFlow can turn into big data.  How fast can the free NetFlow collector find an IP address and tell you which routers or switches it has been seen on?  Figuring out where to look at the very beginning of the process saves you lots of time.
  4. 3rd-party integration: this is an important feature because flow collection is often filling a void in the overall larger network incident response system.  The ability to pivot from one application to another is very important because it allows us to shave minutes off of each incident response effort.  When dozens of incidents are being investigated every day, this can add up to hours every week.  The faster it is to work with a solution to thoroughly investigate an event, the more likely the investigator will follow through with the exercise of drilling down to a definitive reason for a given event.  An example of a pivot is jumping from flows to Splunk logs by passing an IP address and timestamps in a URL, or to a script that makes use of an API.
  5. Support for all flow technologies: don't be limited to NetFlow, sFlow or IPFIX.  Many vendors such as Juniper call their export NetFlow when it is actually a modified version called J-Flow.  NetStream, Cascade flow, nvzFlow, AppFlow, zFlow and many others are slight variations of NetFlow or IPFIX.  Not all collectors can handle these unique exports.  Make sure you test.
  6. Licensing: several vendors offer a free version of their commercial NetFlow collector.  Make sure you know what the limitations are.  Ideally, a feature matrix is available which outlines what is and isn't free compared to the commercial solutions.
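Items 3 and 4 above are the two places where a collector's design directly affects how fast an analyst gets to an answer: an index that answers "which exporters has this IP been seen on?" without scanning every stored flow, and a pivot that hands the IP and time window to a log platform. The following Python is an added example written for this post, not code from Plixer, Scrutinizer or any collector mentioned above. The flow records are constructed sample data, and the Splunk search URL shape (a `q` parameter plus `earliest`/`latest` epoch bounds on the search app) is assumed; adjust `base_url` and field names (`src_ip`, `dest_ip`) to your own deployment.

```python
from collections import defaultdict
from urllib.parse import urlencode

# Constructed sample flows (not captured data): each is one decoded
# NetFlow/IPFIX record tagged with the exporter (router/switch) that sent it.
# Timestamps are epoch seconds of the flow start.
SAMPLE_FLOWS = [
    {"exporter": "10.0.0.1", "src": "192.168.1.10", "dst": "203.0.113.5",  "dport": 443, "start": 1700000000},
    {"exporter": "10.0.0.2", "src": "203.0.113.5",  "dst": "192.168.1.10", "dport": 5120, "start": 1700000060},
    {"exporter": "10.0.0.2", "src": "192.168.1.22", "dst": "198.51.100.7", "dport": 53,  "start": 1700000120},
    {"exporter": "10.0.0.3", "src": "192.168.1.10", "dst": "198.51.100.7", "dport": 80,  "start": 1700000400},
]


def build_ip_index(flows):
    """Inverted index: IP address -> set of exporters that reported a flow
    with that IP as source or destination.  Built once as flows arrive, it
    turns 'where has this IP been seen?' into a single dictionary lookup
    instead of a scan over every stored record (item 3 above)."""
    index = defaultdict(set)
    for flow in flows:
        index[flow["src"]].add(flow["exporter"])
        index[flow["dst"]].add(flow["exporter"])
    return index


def exporters_for_ip(index, ip):
    """Sorted list of exporters on which `ip` appeared; empty if never seen."""
    return sorted(index.get(ip, ()))


def flow_window(flows, ip, padding=300):
    """Earliest and latest flow start involving `ip`, widened by `padding`
    seconds on each side so the log search brackets the flow activity.
    Returns None when the IP is absent."""
    times = [f["start"] for f in flows if ip in (f["src"], f["dst"])]
    if not times:
        return None
    return min(times) - padding, max(times) + padding


def splunk_pivot_url(base_url, ip, earliest, latest):
    """Pivot link from a flow to the log platform (item 4 above): the IP and
    the time bounds travel in the query string.  The parameter names are an
    assumption about the target's search page; urlencode() does the quoting
    so the IP and search text cannot break the URL."""
    params = {
        "q": f'search src_ip="{ip}" OR dest_ip="{ip}"',
        "earliest": int(earliest),
        "latest": int(latest),
    }
    return f"{base_url}?{urlencode(params)}"


def pivot_for_ip(flows, ip, base_url):
    """Tie the pieces together: which exporters saw the IP, and a ready-made
    log-search link for the matching time window."""
    index = build_ip_index(flows)
    window = flow_window(flows, ip)
    if window is None:
        return {"exporters": [], "url": None}
    return {
        "exporters": exporters_for_ip(index, ip),
        "url": splunk_pivot_url(base_url, ip, *window),
    }


if __name__ == "__main__":
    # Hypothetical Splunk host; replace with your own search endpoint.
    result = pivot_for_ip(SAMPLE_FLOWS, "192.168.1.10",
                          "https://splunk.example.net/en-US/app/search/search")
    print("seen on exporters:", result["exporters"])
    print("pivot:", result["url"])
```

The index is the part worth measuring when you evaluate a collector: with a few records the scan in `flow_window` and the lookup in `exporters_for_ip` are indistinguishable, but at the 1000+ exporter scale the post describes, only the indexed path stays at seconds. The pivot URL is deliberately built with `urlencode` rather than string concatenation so that whatever value the analyst clicked on is passed through intact.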

Need more information? Visit the Free NetFlow web site to learn more about what to expect from the best free NetFlow collector.  
