Looking for a Free Open Source NetFlow Analyzers for Windows, Linux or Unix?
Look no further, we've compiled the ultimate list of Open Source tools to help with your network monitoring tasks.
As many of you already know, NetFlow is a protocol/standard developed by Cisco for collecting/transferring/analyzing network data using software packages to get a better understanding of what is happening on your network, along with further analysis of bandwidth usage, etc.
Netflow allows administrators to take the processing of network data away from switches and routers and send the flow packets and information to a collector that further analyzes that data to free up resources on the network device itself.
Here is our list of the 13 best free NetFlow analyzers and collectors for Windows and Linux.
- NTop – EDITOR’S CHOICE Famed for its key product, called ntopng (Next Generation), this open source project has produced a list of free tools that are all centered on traffic analysis. This toolset uses an impressive range of networking protocols to extract traffic data and device status information. Runs on Linux, Unix, macOS, and Windows.
- Flow-tools A package of tools to collect NetFlow data and generate analysis reports. Installs on Linux.
- FlowScan This neat package analyzes NetFlow data collected by other tools, such as Flow-tools or cflowd. Runs on Linux and Unix.
- EHNT Extreme Happy Netflow Tools is a free interpreter for NetFlow data but can’t go past NetFlow version 5. Runs on Linux and Unix.
- BPFT Berkekey Packet Filter Traffic uses libpcap procedures to capture traffic packets. Runs on Unix.
- Maji This tool extracts IPFIX data from a network and that is Cisco’s newer re-write of NetFlow. Runs on Linux.
- cflowd A much-liked free NetFlow data extraction tool that has gone out of productions so you should use Flow-tools instead. Runs on Linux.
- AnonTool An open-source anonymization tool that can be used on NetFlow data but the code is no longer maintained. Runs on Linux and Unix.
- Panoptis A DDoS blocker that collects and analyzes NetFlow data, looking for indicators of attack. No longer maintained but still works and runs on Linux.
- Pmgraph A network traffic graphing tool that extracts flow information from a network through NetFlow and sFlow. Will run on Windows, Linux, macOS, or Unix.
- InMon sFlow Toolkit This sFlow analyzer relies on other systems for data collection and can also work with NetFlow data. Available for Windows and Linux.
- NDSAD Traffic Collector This service only works with NetFlow v5 but it will interpret data to show network activity. Available for Windows, Linux, and Unix.
- NFsen/NFDump Netflow Sensor interprets data collected by NFDump to create graphical displays of traffic flows. Runs on Linux, Unix, and macOS.
There are many commercial Netflow (or sflow, jflow, rflow, cflow, or netstream) that are Available for Free Download and use that we've recently detailed in this post that are also Free of charge too.
These Software packages are great if you are just getting into network analysis using Netflow, as they are designed to be Very user friendly and can be setup in relatively little time.
Check them out HERE if you want to see what they're all about.
On the other hand, if your looking for an Open-Source alternative, you're in luck – We've put together a large list of Free Open Source Netflow Analyzers/Collectors to help you collect, analyze and scrutinize traffic and bandwidth to help you keep track of whats going on in your network.
Using a open source network analyzer/collector allows you the flexibility of customizing the software packages and reports as you wish if necessary.
These software packages can be used on a wide variety of operating systems including Windows and Linux/Unix.
Open Source Netflow Tools/Analyzers
NTop (or Ntopng)
Probably the most well-known open source traffic analyzers, Ntop, is a web-based tool that runs on Ubuntu x64 versions, CentOS/Redhat x64 Linux flavors, Windows x64 Operating systems, BeagleBoard ARM, Ubiquity networks EdgeRouter and even Mac OSX per their github site. nTopng also includes suuport for sFlow and IPFIX (through nProbe add-on), as its becoming a new standard that many manufacturers are using for flow analysis. RRD is used for databases and storing of data on a per-host level.
- Open-source project with full transparency
- Free version available alongside the enterprise version
- Special licensing options for nonprofits and educational institutions
- User interface is easy to use, but could be improved upon
Ntop is our first choice for a free NetFlow analyzer and collector because of the project’s star product ntopng. This widely-used workhorse has been around for a long time, so its extensive use has allowed all the major defects in the code to be spotted and fixed. This service will run on any operating system and also on Docker. Its use of a very long list of network protocols to extract network data makes it more than just a collector, it can fulfill the functions of a free network monitor.
Official Site: https://www.ntop.org/get-started/download/
OS: Windows, Linux, Unix, macOS
Flow-tools is a toolset that can be used to Collect, Send, Process and generate Reports for Netflow data flows and provides an API for developing custom features and applications. Flow Tools is hosted at http://flow-tools.googlecode.com.
- A complete toolset for Netflow data collection and processing
- Allows users to create custom reports based on collected data
- The project maintains a small but active team around it
- Steeper learning curve than similar tools
Flowscan is more of a visualization tool that analyzes and reports Netflow data and can produce visual graphs that are in “near” real-time to see whats going on in your network. Flowscan can be deployed on a GNU/Linux or BSD system and uses some of the following packages in order to correctly collect and process flows: “cflowd” to as the flow collector, “flowscan” which is a perl script that makes up the software package itself (“FlowScan”) and is responsible for loading and executing reports and the last major component is “RRDtool” which is used to store all flow information in its database.
- Provides detailed visualization options for Netflow data
- Users can build reports from collected data
- Supports live monitoring
- Outdated when compared to similar tools available
- Not as easy to use as competing tools
- Live monitoring is delayed
EHNT (which is pronounced “ent”) is an acronym for Extreme Happy NetFlow Tool. This is a commandline tool that supports Netflow Version 5 only and provides reports for intervals between 1 min to 24 hrs and provides information about Ip Protocols, TCP/UDP ports and more.
- Syntax is easy to learn
- Can provide scheduled reports as often as every 60 seconds
- Is easier to use than other command line Netflow analyzers
- Solely a command-line tool, no GUI available
- Only supports Netflow 5
(which stands for Berlekey Packet Filter Traffic collector) is a built on top of the BPF “pseudo-device” and libpcap for capturing IP traffic, including Source/Destination IP's & Ports, number of transmitted/received bytes which are all stored in one compact form binary file.
- Tested specifically for Free/Open BSD
- Supports saving backups to local disk
- Detailed tool, logs and stores all network information by default
- Only runs on Unix systems
Maji is an implementation of an IPFIX meter which is based on libtrace, a packet capturing and processing library. Maji seems to have an array of information per their website and the latest release was from 07/2011. One of the major benefits to maji is the custom templates you can develop with as many elements included into them as you want, and can be exported via Network over SCTP/TCP/UDP, SQLite database or the terminal.
- Supports custom templates with over 50 IPFIX data elements
- Collects data through libtrace, PCAP, or DAG capture cards
- Supports numerous data export options, including SQLite database
- Rarely updated, latest version was released in 2011
cflowd is a tool that is made for analyzing Netflow enabled devices and includes modules for collecting, storing and analyzing netflow data. Apparently cflowd is no longer being supported per their website, and is directing users to use flow-tools with FlowScan in order to take advantage of cflowd and its modules.
- Features tools to aid in capacity planning and trend analysis
- Simple install requirements
- Leverages flow dump for faster data filtering
- Is considered abandonware – no longer supported as of 2004
AnonTool is more of an anonymization tool for netflow v5 & v9 traces.
According to the sourceforge page, this project is no longer being developed or supported and was an open-source project that used NetFlow data to help detect and stop (Distributed) Denial of Service attacks. It is no longer support or being updated, so use at your own risk. Check out their Sourceforge page for more information and a download link.
- Leverages Netflow data to detect and prevent DDoS attacks
- Built to provide data for Network Intrusion Detection Systems (NIDS)
- Well documented, easy to deploy
- Is no longer being supported – the last update was in 2014
pmGraph is a great open source tool for graphing and monitoring bandwidth using pmacct, which is a network monitoring and auditing tool. pmacct collects and monitors traffic using Netflow or Sflow on network devices (including firewalls, routers and switches) into a database and allows for analysis of that data using pmGraph. The software was developed by Aptivate staff and volunteers and looks to still be active.
- Ideal for tracking bandwidth usage through Netflow and Sflow
- Supports native graphic displays
- Maintains a small but active group of developers
- Cannot classify hosts into groups
- Database will grow indefinitely unless pruned
- Proxy servers skew network monitoring data
sFlow toolkit is an open source software package the is used for analyzing sFlow data and can be used with other utilities including tcpdump, ntop and Snort for further analysis. “sflowtool” is the main component of the sFlow toolkit software and is a command-line utility that gives you the ability to view network traffic devices in real-time and interface with other software packages for mapping out graphical images of IP flow. sflowtool is also available for windows as well per their website.
- Offers a freemium version, great for small businesses
- Easy to configure threshold-based alerts
- Visuals are customizable and easy to read, good for NOC environments
- Reporting is fairly limited
- Would like to see more alert integrations into other messaging platforms
NDSAD, which stands for NetUP's Data Stream Accounting Daemon, was developed by NetUP as a tool to capture packets and generate Netflow v5 data streams and was specifically used for ISP billing purposes. The software still seems to be supported as well.
- Designed for ISP billing – MSPs may find this useful
- Is still maintained and updated periodically
- Supports up to Netflow v5
- Documentation is limited
NFsen, which is short for Netflow Sensor, is a web-based front-end tool for nfdump to present the user a nice graphical image of all the data nfdump pumps out. You have the ability to generate reports of your netflow data with information including Flows, Packets and bytes using RRD database tool, as well as setup alerts and view historical data. nfsen project is still very active and can be downloaded from its Sourceforge page here and runs on any Unix/Linux systems. You'll need PHP, PERL (along with Perl Mail::Header and Mail::Internet modules), RRD Tools module and Nfdump tools installed on your system in order to use it correctly.
- Web-based GUI tool – better suited for beginners
- Supports data collection and historical data search
- Users can set up alerts based on thresholds or conditions
- Requires PHP and PERL to run
- Only available for Unix and Linux
If your not convinced that you've found any Open Source Netflow Analyzers that will suite your needs, due to either your skill level or understanding of Unix/Linux systems, you can always try one of these Free netflow software packages that we've recently reviewed that will work for Windows systems.
Most, if not all those downloads are free and can be setup and used very quickly – some of them also offer pro versions of the software that can be had for very little investment. Check them out and let us know what you think.