The Best Free Open Source NetFlow Analyzers for Windows and Linux/Unix

Looking for a Free Open Source NetFlow Analyzer for Windows, Linux, or Unix? Look no further, we've compiled the ultimate list of Open Source tools to help with your network monitoring tasks.

As many of you already know, NetFlow is a protocol/standard developed by Cisco for collecting/transferring/analyzing network data using software packages to get a better understanding of what is happening on your network, along with further analysis of bandwidth usage, etc.

Netflow allows administrators to take the processing of network data away from switches and routers and send the flow packets and information to a collector that further analyzes that data to free up resources on the network device itself.

Here is our list of the best free NetFlow analyzers and collectors for Windows and Linux:

1. NTop – EDITOR’S CHOICE Famed for its key product, called ntopng (Next Generation), this open-source project has produced a list of free tools that are all centered on traffic analysis. This toolset uses an impressive range of networking protocols to extract traffic data and device status information. Runs on Linux, Unix, macOS, and Windows.
2. Flow-tools A package of tools to collect NetFlow data and generate analysis reports. Installs on Linux.
3. FlowScan This neat package analyzes NetFlow data collected by other tools, such as Flow-tools or cflowd. Runs on Linux and Unix.
4. EHNT Extreme Happy Netflow Tools is a free interpreter for NetFlow data but can’t go past NetFlow version 5. Runs on Linux and Unix.
5. BPFT Berkekey Packet Filter Traffic uses libpcap procedures to capture traffic packets. Runs on Unix.
6. Maji This tool extracts IPFIX data from a network and that is Cisco’s newer re-write of NetFlow. Runs on Linux.
7. cflowd A much-liked free NetFlow data extraction tool that has gone out of production so you should use Flow-tools instead. Runs on Linux.
8. AnonTool An open-source anonymization tool that can be used on NetFlow data but the code is no longer maintained. Runs on Linux and Unix.
9. Panoptis A DDoS blocker that collects and analyzes NetFlow data, looking for indicators of attack. No longer maintained but still works and runs on Linux.
10. Pmgraph A network traffic graphing tool that extracts flow information from a network through NetFlow and sFlow. Will run on Windows, Linux, macOS, or Unix.
11. InMon sFlow Toolkit This sFlow analyzer relies on other systems for data collection and can also work with NetFlow data. Available for Windows and Linux.
12. NDSAD Traffic Collector This service only works with NetFlow v5 but it will interpret data to show network activity. Available for Windows, Linux, and Unix.
13. NFsen/NFDump Netflow Sensor interprets data collected by NFDump to create graphical displays of traffic flows. Runs on Linux, Unix, and macOS.

There are many commercial Netflow (or sflow, jflow, rflow, cflow, or netstream) that are Available for Free Download and use that we've recently detailed in this post that are also Free of charge too.

These Software packages are great if you are just getting into network analysis using Netflow, as they are designed to be Very user-friendly and can be set up in relatively little time.

Check them out HERE if you want to see what they're all about.

On the other hand, if you are looking for an Open-Source alternative, you're in luck – We've put together a large list of Free Open Source Netflow Analyzers/Collectors to help you collect, analyze and scrutinize traffic and bandwidth to help you keep track of what's going on in your network.

Using an open-source network analyzer/collector allows you the flexibility of customizing the software packages and reports as you wish if necessary.

These software packages can be used on a wide variety of operating systems including Windows and Linux/Unix.

The Best Open Source Netflow Tools/Analyzers

1. NTop (or Ntopng)

Probably the most well-known open source traffic analyzers, Ntop, is a web-based tool that runs on Ubuntu x64 versions, CentOS/Redhat x64 Linux flavors, Windows x64 Operating systems, BeagleBoard ARM, Ubiquity networks EdgeRouter and even Mac OSX per their github site. nTopng also includes support for sFlow and IPFIX (through nProbe add-on), as its becoming a new standard that many manufacturers are using for flow analysis. RRD is used for databases and storing data on a per-host level.

Why do we recommend it?

We recommend NTop, especially its Next Generation version (nTopng) for its extensive protocol support on traffic data extraction and device status information (via graphical representation). Additionally, this network monitoring tool is pretty versatile; It runs on a variety of platforms (Linux, Unix, macOS, and Windows). It's also pretty powerful, thanks to its ability to utilize sFlow and IPFIX.

Who is it recommended for?

NTop is recommended for network admins and IT pros looking for a robust NetFlow analyzer with powerful traffic analysis capabilities. It's also perfect for people using firewalls like pfSense who need a way to visualize and track bandwidth usage.

2. Flow-tools

Flow-tools is a toolset that can be used to Collect, Send, Process and generate Reports for Netflow data flows and provides an API for developing custom features and applications. Flow Tools is hosted at http://flow-tools.googlecode.com.

Why do we recommend it?

Flow-tools is recommended for its wide range of features, so it would handle just about anything you throw at it. Flow-tools is really versatile when it comes to handling NetFlow data flows. If you're looking for a robust NetFlow data handling tool, Flow-tools is definitely worth checking out.

Who is it recommended for?

Flow-tools is ideal for network administrators and analysts, especially those who manage large networks. It is a perfect tool for anyone who needs to collect, process, and generate reports from NetFlow data.

3. FlowScan

Flowscan is more of a visualization tool that analyzes and reports Netflow data and can produce visual graphs that are in “near” real-time to see whats going on in your network. Flowscan can be deployed on a GNU/Linux or BSD system and uses some of the following packages in order to correctly collect and process flows: “cflowd” to as the flow collector, “flowscan” which is a perl script that makes up the software package itself (“FlowScan”) and is responsible for loading and executing reports and the last major component is “RRDtool” which is used to store all flow information in its database.

Why do we recommend it?

FlowScan is recommended as one of the best open-source NetFlow analyzers because, even though the interface is a bit old-fashioned, the software is simple to use. Plus, the graphical representations are clear and detailed, and the grid formats and extensive graph legends make it easy to interpret the data.

Who is it recommended for?

FlowScan is recommended for those network admins who prefer the command-line interface with a straightforward NetFlow analyzer. It is a tool that focuses on providing essential network activity insights without any bells or whistles. So, if you value functionality over aesthetic design, then FlowScan is totally recommended.

4. EHNT

EHNT (which is pronounced “ent”) is an acronym for Extreme Happy NetFlow Tool. This is a command line tool that supports Netflow Version 5 only and provides reports for intervals between 1 min to 24 hrs and provides information about IP protocols, TCP/UDP ports, and more.

Why do we recommend it?

We recommend EHNT because it is easy to use. It comes with a straightforward terminal interface that makes it quick and easy to process NetFlow version 5 data. In addition, the results are also easy to understand and use.

Who is it recommended for?

EHNT is recommended for network administrators and analysts who prefer a simple terminal-based tool for processing the NetFlow v5 data interface. So, if you care more about getting stuff done than having a pretty interface, then EHNT is totally worth checking out.

5. BPFT

BPFT (which stands for Berlekey Packet Filter Traffic collector) is built on top of the BPF “pseudo-device” and libpcap for capturing IP traffic, including Source/Destination IP's & Ports, number of transmitted/received bytes which are all stored in one compact form binary file.

Why do we recommend it?

We recommend BPFT as one of the best open-source NetFlow analyzers because it excels in capturing and storing detailed network information in a compact binary form (using Berkeley Packet Filter procedures).

Who is it recommended for?

BPFT is an ideal tool for Unix users who need detailed information about IP traffic. It's especially recommended for network administrators who need reliable and extensive data capture.

6. Maji

Maji is an implementation of an IPFIX meter which is based on libtrace, a packet capturing and processing library. Maji seems to have an array of information per their website and the latest release was from 07/2011. One of the major benefits to maji is the custom templates you can develop with as many elements included into them as you want, and can be exported via Network over SCTP/TCP/UDP, SQLite database or the terminal.

Why do we recommend it?

Maji is recommended for its comprehensive open-source implementation of an IPFIX meter (libtrace) which is known for its extensive support for custom templates with over 50 IPFIX data elements. This feature gives users total control over how they collect and export data, making Maji a highly recommended tool for experienced network admins.

Who is it recommended for?

Maji is recommended for network admins and analysts who need a powerful IPFIX meter to get detailed flow-level measurements of network traffic. It's also ideal for users who like the flexibility to create custom measurement templates.

7. cflowd

cflowd is a tool that is made for analyzing Netflow enabled devices and includes modules for collecting, storing and analyzing netflow data. Apparently cflowd is no longer being supported per their website, and is directing users to use flow-tools with FlowScan in order to take advantage of cflowd and its modules.

Why do we recommend it?

Cflowd is recommended for its traffic flow monitoring capabilities, especially for being able to analyze Flexible NetFlow (FNF) traffic data and export flow data to an IPFIX analyzer. It's really good at monitoring traffic flowing through routers, and it provides detailed insights into network activity.

Who is it recommended for?

Cflowd is an ideal open-source NetFlow analyzer for network admins and engineers. It's perfect for anyone who needs to do in-depth traffic sampling and analysis for things like capacity planning, trends analysis, workload characterization, traffic engineering, network planning, and network monitoring.

8. AnonTool

AnonTool is more of an anonymization tool for netflow v5 & v9 traces.

Why do we recommend it?

AnonTool is recommended as a flexible and efficient anonymizer for network data (for NetFlow v5 and v9 traces). It helps keep your network private by hiding your IP addresses and other identifying information. It also has an API so you can integrate it with other tools, and it supports NetFlow and IPFIX, which are two common network monitoring protocols.

Who is it recommended for?

Anontool is a must-have for network analysts, security professionals, and organizations with large networks. It is perfect for those users looking to anonymize network data for sharing, research, and testing.

9. Panoptis

According to the sourceforge page, this project is no longer being developed or supported and was an open-source project that used NetFlow data to help detect and stop (Distributed) Denial of Service attacks. It is no longer support or being updated, so use at your own risk. Check out their Sourceforge page for more information and a download link.

Why do we recommend it?

Panoptis is recommended for its highly effective network security tool (N-IDS), which specializes in detecting and preventing DoS/DDoS attacks. In addition, the tool can process NetFlow data from routers, making it a valuable network security tool.

Who is it recommended for?

Panoptis is recommended for network security pros and administrators who need a tool for detecting and mitigating DoS/DDoS attacks using NetFlow data. It is recommended for advanced users familiar with C++, SNMP access, and Python.

10. pmgraph

pmGraph is a great open-source tool for graphing and monitoring bandwidth using pmacct, which is a network monitoring and auditing tool. pmacct collects and monitors traffic using Netflow or Sflow on network devices (including firewalls, routers and switches) into a database and allows for analysis of that data using pmGraph. The software was developed by Aptivate staff and volunteers and looks to still be active.

Why do we recommend it?

We recommend pmGraph as one of the best free open-source NetFlow analyzers because it is easy to install and configure. This tool is ideal for graphing and monitoring bandwidth usage through NetFlow and sFlow. While it may have some limitations, it provides essential insights into bandwidth usage.

Who is it recommended for?

pmGraph is recommended for network and systems admins who are responsible for monitoring network traffic. It is designed to be user-friendly and to provide graphical representations of traffic flows, so it can be used by anyone, even those without technical background.

11. InMon sFlow Toolkit

sFlow toolkit is an open-source software package the is used for analyzing sFlow data and can be used with other utilities including tcpdump, ntop and Snort for further analysis. “sflowtool” is the main component of the sFlow toolkit software and is a command-line utility that gives you the ability to view network traffic devices in real-time and interface with other software packages for mapping out graphical images of IP flow. sflowtool is also available for windows as well per their website.

Why do we recommend it?

If you are looking for an alternative to Cisco’s NetFlow, then we recommend checking out InMon’s sFlow. The InMon sFlow Toolkit can be used in conjunction with other utilities like tcpdump, ntop, and Snort for further analysis. This toolkit is particularly valuable for businesses looking for a cost-effective solution.

Who is it recommended for?

The InMon sFlow Toolkit is recommended for small businesses and organizations looking for improved network monitoring technology that NetFlow can’t provide. sFlow is more scalable, real-time, and gives you more detail in its reports. This tool is ideal for Network Operations Center (NOC) environments.

12. NDSAD Traffic Collector

NDSAD, which stands for NetUP's Data Stream Accounting Daemon, was developed by NetUP as a tool to capture packets and generate Netflow v5 data streams and was specifically used for ISP billing purposes. The software still seems to be supported as well.

Why do we recommend it?

We recommend NDSAD Traffic Collector because it can translate captured traffic data into the NetFlow v.5 format. This is a really important feature for network administrators and security professionals who need to collect statistics on network traffic for things like security monitoring or usage-based billing.

Who is it recommended for?

The NDSAD Traffic Collector is recommended for Managed Service Providers (MSPs) and ISPs that require a tool for generating NetFlow v5 data streams. It is particularly useful for billing and accounting purposes.

13. NFsen/NFDump

NFsen, which is short for Netflow Sensor, is a web-based front-end tool for nfdump to present the user a nice graphical image of all the data nfdump pumps out. You have the ability to generate reports of your netflow data with information including Flows, Packets and bytes using RRD database tool, as well as setup alerts and view historical data. nfsen project is still very active and can be downloaded from its Sourceforge page here and runs on any Unix/Linux systems. You'll need PHP, PERL (along with Perl Mail::Header and Mail::Internet modules), RRD Tools module and Nfdump tools installed on your system in order to use it correctly.

Why do we recommend it?

NfSen is recommended because it is a comprehensive, user-friendly netflow analyzer with advanced features like alerts and custom plugins. NFsen/NFDump also integrates with nfdump tools for command-line and graphical visualization.

Who is it recommended for?

NfSen is a versatile netflow analyzer for Windows, Linux, and Unix. It's recommended for network admins, security pros, and anyone who needs to monitor network traffic. This tool is suitable for small business network or a large enterprise infrastructure

If you are not convinced that you've found any Open Source Netflow Analyzers that will suit your needs, due to either your skill level or understanding of Unix/Linux systems, you can always try one of these Free netflow software packages that we've recently reviewed that will work for Windows systems.

Most, if not all those downloads are free and can be set up and used very quickly – some of them also offer pro versions of the software that can be had for very little investment. Check them out and let us know what you think.