Here’s our list of the best sFlow collectors and analyzers:
- SolarWinds sFlow Collector and Analyzer EDITOR’S CHOICE This sFlow analysis package is part of the SolarWinds NetFlow Traffic Analyzer, which also offers NetFlow, IPFIX, J-Flow, and NetStream collectors to extra data from any brand of network device. Runs on Windows Server. Get a 30-day free trial.
- Site24x7 sFlow Traffic Monitoring (FREE TRIAL) Cloud-based system monitoring tool that includes sFlow communication capabilities.
- Paessler PRTG Network Monitor (FREE TRIAL) A traffic analysis tool that is part of a much wider network monitoring system. Runs on Windows Server.
- Noction Flow Analyzer This is an on-premises package that implements network monitoring both for device performance and for bandwidth utilization. The system uses sFlow in its traffic monitoring processes. Runs on Linux.
- inMon sFlowTrend – In free and paid versions, this network monitoring tools is produced by the creators of the sFlow standard.
- ManageEngine NetFlow Analyzer A traffic monitoring system that covers NetFlow and IPFIX standards. Runs on Windows Server and Linux.
- ntopng and nProbe Two network traffic analysis tools that use both NetFlow and sFlow standards.
- Plixer Scrutinizer A traffic flow analyzer that focuses on security issues. Available for online access or on-premises installation.
The sFlow standard was created by InMon Corporation and was made public in 2001 through the publication of RFC 3176. InMon handed over the management of the standard to an industry consortium, called sFlow.org in 2003. Today, many vendors support sFlow in their devices. sFlow provides general-purpose packet sampling, spanning Layers 2 through 7, and is designed to be built into any network device. An sFlow exporter simply collects the prefixes of a subset of the packets passing through the device. The exporter samples one out of every n packets, where “n” is the chosen sampling rate; it also selects some random packets to include. It gathers the initial bytes of all sampled packet into sFlow datagrams, along with device counters, and sends the resulting UDP datagrams to the collector. There is thus no flow cache at the device. A key characteristic of sFlow is that the strategy of sampling is scalable to high-speed networks; more on that below.
Using sFlow for network traffic monitoring
When your organization’s network is behaving strangely, how do you know what’s going on inside it? If you have just a few segments connected by a handful of switches or routers – like a simple small-office/home-office (SOHO) network – you might be fine with basic network monitoring tools, such as the simpler ones from among our lists of the best packet sniffers and network analyzers and best free bandwidth monitoring software. When your organization relies on and develops a complex high-performance network, you need more powerful help.
How is sFlow different to NetFlow?
The sFlow network messaging standard is managed and developed by an independent not-for-profit organization that is overseen by a number of network equipment and software producers. The ethos behind this administration aims to break the dominance of one network equipment supplier and create a universal standard — NetFlow is owned by Cisco Systems. The sFlow messaging system is similar to NetFlow in that it creates a format for notifications that are generated by networking equipment and can be picked up by monitoring software.
Why use an sFlow tool?
What does an sFlow analyzer do?
The monitoring component of sFlow focuses on sampling network packets rather than collecting all passing traffic for a period. The logic behind this strategy is that any excessive traffic will be just as visible at regular intervals as it is in a continuous copy of network traffic. The administrator selects the sampling frequency. If one application is generating 50 percent of all network traffic, that statistic will still be derived if you only pick up every tenth or every hundredth packet. The data collected by sFlow takes up less storage, uses less memory, and is quicker to sort through than the data dumps used for NetFlow. The sFlow technique is preferable for high-speed networks. As well as copying truncated versions of packets traveling on the network, an sFlow analyzer collects counters and statistical data generated by network equipment.
sFlow Types and Extensions
sFlow v5 adds the ability to export host and application related data along with the packet prefixes and counters. All extensions depend on having hardware that supports them, the correct system software, and analyzer consoles that will work with them.
The best sFlow collectors and analyzers
1. SolarWinds sFlow Collector and Analyzer (FREE TRIAL)
SolarWinds produces a suite of products for comprehensive network monitoring and management. The SolarWinds sFlow Collector and Analyzer is a feature of the NetFlow Traffic Analyzer (NTA) which is a separate purchase that needs to be added on to the Network Performance Monitor (NPM). NTA and NPM are not free, but both are available in a 30-day fully-functional trial.
Our methodology for selecting sFlow analyzers
We reviewed the market for sFlow collectors that analyze network traffic and assessed the options based on the following criteria:
- An sFlow collector that is easy to set up
- Options to change the sampling rate
- A setting to specify the data retention period
- Interpretation of sFlow data by attributes, such as IP address or protocol
- A data analyzer for manual searches and sorting
- A free trial or a demo version that provides an opportunity to try before you buy
- Value for money from an sFlow analyzer that is packaged in with traffic shaping systems so that you can address the problems that analysis discovers
Key Features:
- Collects sFlow records for analysis
- Can also collect NetFlow, IPFIX, J-Flow, and NetStream
- Instant categorization of data
- Option for manual analysis
- Support to implement traffic shaping
LINK: SOLARWINDS NETWORK PERFORMANCE MONITOR FREE TRIAL
Once installed, NPM and NTA offer you a wide range of sophisticated facilities for managing multi-vendor networks: bandwidth monitoring, network traffic analysis, performance analysis, alerts, customizable reports, policy optimization, etc. The NetFlow Traffic Analyzer’s displays are listed under Dashboards. Despite the name, the NetFlow Traffic Analyzer can handle both NetFlow and sFlow. As an sFlow collector, it gathers flow data exported by the sFlow-enabled devices tracked by the SolarWinds network monitoring software.
The default NetFlow Traffic Analyzer Summary has multiple sections like Top 5 Applications, Top 5 Endpoints, Top 5 Conversations, Top 10 Sources by % Utilization, etc.
As sFlow analyzer, NTA identifies the users, applications, and protocols consuming the most bandwidth. You can sort by ports, source, destination, and protocols, and view network traffic patterns over minutes, days or months. NTA and NPM are enterprise-grade packages, so even the free trial will consume considerable resources on your system. If you have a sophisticated network with sFlow-enabled devices, NTA’s sFlow capabilities are worth exploring.
Pros:
- Supports multiple protocols like NetFlow, great for monitoring Cisco equipment
- Both tools work well alongside each other to help view traffic patterns and bandwidth usage
- Easy-to-use interface automatically highlights bandwidth hogs and other network traffic outliers
- Scales well, designed for large enterprise networks
- Can view traffic on a per-hop basis, allowing for granular traffic analysis
Cons:
- Built for enterprise use, not designed for small home networks
MORE INFORMATION ON THE OFFICIAL SOLARWINDS SITE: www.solarwinds.com/netflow-traffic-analyzer/
2. Site24x7 sFlow Traffic Monitoring (FREE TRIAL)
Site24x7 is a system monitoring service that is based in the cloud. Although this is a SaaS system, it is not limited to monitoring cloud resources. With the installation of an agent, the Site24x7 system can monitor any network anywhere.
EDITOR’S CHOICE
The SolarWinds sFlow Collector and Analyzer is our top pick for an sFlow Analyzer because it is part of a suite of network monitoring and management systems that are provided by the NetFlow Traffic Analyzer and the Network Performance Analyzer. This package enables you to identify traffic hogs and unusual traffic patterns, while also identifying traffic bottlenecks. Using other tools in the package you can identify whether that overwhelmed device is experiencing status issues or whether it needs to be replaced with a device of larger capacity. Save money by implementing queuing or adding on multiple paths if you don’t have the budget for a new switch or router.
Download: Get a 30-day free trial
Official Site: https://www.solarwinds.com/netflow-traffic-analyzer/registration
OS: Windows Server
- Automated sFlow analysis
- Also NetFlow, J-Flow, IPFIX, NetStream, AppFlow, and CFlow
- Spots bottlenecks
- Full stack monitoring
One of the tools that is included in all of the Site24x7 packages is its sFlow Traffic Monitoring service. The monitor samples traffic data from network switches and shows the information that it reaps live in the dashboard for the service.
The sFlow system is an independent protocol and is not proprietary to any manufacturer of network devices. The network traffic monitoring service in Site24x7 is able to communicate with the devices produced by more than 200 vendors. As well as using sFlow, the Site24x7 system can communicate with NetFlow, J-Flow, IPFIX, NetStream, AppFlow, and CFlow. It is capable of handling multi-vendor sites and can also integrate the monitoring of multiple sites in one location. The tool can blend the monitoring of on-premises and cloud resources as well.
The traffic monitor presents overall traffic statistics for a network and is able to examine each link’s throughput. It can segment traffic data by application and by source and destination. It also has the ability to isolate a conversation, detailing all of the communications that occur between two devices by address.
Time-series traffic graphs show peaks and troughs in network demand and highlight periods of each day where the network regularly comes under strain.
The system allows network managers to set performance thresholds. When these levels are crossed, the service will generate alerts. These warnings can also be sent out to technicians as emails, SMS texts, or voice calls. That mechanism allows the operation team to leave regular monitoring to Site24x7 because they can be sure that they will be drawn back to the system console if problems arise.
Site24x7 offers monitoring packages and all of them include sFlow monitoring. Those plans are Website Monitoring, Infrastructure, the Application Performance Monitor, and an All-in-One plan. There is also a multi-tenanted version for managed service providers, called MSP. You can get any of these bundles on a 30-day free trial.
Has one of the best user interfaces among similar NetFlow analyzers
Features a mobile app for both Android and iOS
Can measure can detect latency, jitter, and performance over time, making it a viable long-term solution for ping monitoring
Can integrate and monitor up to 200 different vendor devices
The free version can support up to hosts, making it a great introductory option for smaller businesses
Site24x7 is a feature dense platform that can take time to fully learn all of its features and customization options
Site24x7 sFlow Monitoring Start 30-day FREE Trial
3. Paessler PRTG Network Monitor (FREE TRIAL)
The Paessler PRTG Network Monitor is a “batteries included” solution that monitors network traffic, bandwidth utilization, the availability and health of devices on your network, and more. The free version provides unlimited sensors for a month, and thereafter is limited to 100 sensors; a sensor is an individual data stream, so each device on your network will typically require several sensors.
- Automated and manual sFlow analysis utilities
- Can also collect NetFlow, IPFIX, and J-Flow
- Support customized graph creation
In PRTG’s user interface, a primary view is the device tree showing all devices and the sensors monitoring each. Devices include firewalls, routers, access points, servers, workstations, virtual servers, storage, etc. The device tree is supplemented by table views of sensors, logs, and alarms, as well as various charts and graphs for bandwidth, etc. Tables can be sorted and filtered. Drilling down through the tree view reveals indicators and metrics at every level. Alerts can be set at every level, so you can arrange to be notified about events and threshold transitions of a particular critical device, or rolled up from an overall aspect of your network. Alerts can be transmitted in multiple ways, including SMTP email and SMS text messaging. sFlow sensorTraffic analysis facilities include built-in NetFlow support. For flow protocols, PRTG supports NetFlow, sFlow, and J-Flow. Other protocols/mechanisms used include SNMP, WMI, and packet sniffing.
The devices-and-sensors abstraction shapes the dashboards and reports too. Custom dashboards can be created, including interactive maps. There is a range of predefined reports, and facilities for designing custom reports; reports can also be scheduled. Installation is straightforward. There is a setup wizard, as well as a video providing step-by-step guidance.
At installation, the core server’s local probe does auto-discovery to identify devices and set up sensors. Though PRTG is all-in-one so you don’t need multiple products and licenses to gain comprehensive monitoring, a key question to evaluate is how many sensors your network needs, and what will be the long-term cost of the sensor-based licensing model as you grow. You can download 30-day free trial.
Designed to be an infrastructure monitoring tool that supports multiple sensors types such as NetFlow, sFlow, and J-Flow
Offers additional monitoring on the same platform, supporting infrastructure, network, and application performance monitoring
Captures packet headers only, helps speed up analysis and keep storage costs down for long term collection
Uses simple yet intuitive graphing for traffic visualization
Very detailed platform, takes time to learn and fully utilize all of the features available
Paessler’s PRTG Network Monitor Download FREE 30-day Trial at Paessler.com
4. Noction Flow Analyzer
Noction Flow Analyzer is a network traffic monitoring and planning package that is delivered as software for installation on premises.
- Analyzes sFlow records for capacity planning
- Can also collect NetFlow, IPFIX, J-Flow, and NetStream
- Traffic stress alerts
The system extracts traffic information from switches and routers through the use of the sFlow, IPFIX, NetFlow, J-Flow, and NetStream protocols. The package consolidates data drawn through these different protocols, converting records into a common format. The live monitoring system shows those records in text and graphical formats in the dashboard for the Flow Analyzer.
The traffic monitor also stores the data that it assembles and that information can be read back into the dashboard section of the console. This service allows for data periods to be selected and there are data query facilities, which allows analysis to be performed. This enables the user to project the future bandwidth capacity requirements of the network.
There is an alert system in NFA, which can notify you when the preset conditions are detected in your network traffic data. You can configure alerts based on different parameters of your network traffic: volume changes, frequency, specific traffic type existence, duration, baseline or a combination of such characteristics.
Alerts are shown in the dashboard and they are also forwarded to technicians by email or SMS.
The dashboard for the system is implemented as a website for the company intranet. The screens in the package can be customized by association presentation widgets with data stores. So, the layouts shown here are not the definitive system that you could be using – you can change it.
Noction Flow Analyzer can be installed on three distros of Linux: Ubuntu, CentOS, and RHEL. The system is charged for by subscription with a rate per month or per year. You can get a free trial of the monitoring system.
The system provides live network traffic monitoring
A module in the package provides performance monitoring for network devices
The service includes a network capacity planning module
The system can communicate with sFlow, NetFlow, IPFIX, NetStream, and J-Flow
The dashboard is delivered as a website and can be customized
There is no version for Windows Server
5. inMon sFlowTrend
sFlowTrend is a basic but capable network and server monitoring tool from inMon, the originators of sFlow. The free version of sFlowTrend accepts sFlow data from up to five switches/routers or hosts and maintains only one hour of history in RAM. The pro version does not limit the number of hosts and switches monitored, and stores history to disk. The tool is implemented in Java and provides a Java-based or web-based user interface. Online help gives you step-by-step instructions for configuring the tool.
- sFlow summaries and detail
- Customized alert thresholds
- Free version available
The Dashboard tab gives an overview of the current state of the monitored network and hosts, including top-level thresholds and interfaces with potential errors. On the Network tab, sflowTrend shows performance statistics as summaries and details of traffic at the network or device level. You can define Thresholds to receive alerts when abnormal levels of network traffic or errors occur. On the Network > Root cause tab you can explore the cause of a traffic anomaly such as a threshold violation. The Hosts tab provides tabular and graphical performance data on network, CPU, disk, etc, for servers – including virtual servers – that are exporting sFlow data. The Services tab provides performance metrics for applications (including various webservers) that export sFlow data.
The Events tab provides a log of events such as thresholds crossed or errors detected. The Reports tab provides access to canned reports, supports defining custom reports, and lets you run reports and view the results. sFlowTrend is a straightforward tool that offers a lot to smaller organizations whose network devices, hosts, and services are sFlow enabled.
6. ManageEngine NetFlow Analyzer
We’ve looked in detail at the features of ManageEngine’s NetFlow Analyzer before. NetFlow Analyzer gives you visibility into network traffic and bandwidth by application, conversation, protocol, etc; it lets you set alerts based on network traffic thresholds; and it has a variety of useful canned reports, ranging from troubleshooting support to capacity planning and billing, as well as facilities for creating custom reports. The ManageEngine NetFlow Analyzer can also handle sFlow. You can enable sFlow on the interfaces of sFlow-enabled devices and the NetFlow Analyzer will collect and analyze sFlow information. The web-based default dashboard includes a heat map showing the status of monitored interfaces and several real-time pie charts summarizing top applications, top protocols, top conversations, recent alarms, top QoS, and more. There are specific displays of security anomalies detected.
Offers a freemium version, great for small businesses
Easy to configure threshold-based alerts
Visuals are customizable and easy to read, good for NOC environments
Reporting is fairly limited
Would like to see more alert integrations into other messaging platforms
On-premises package
Can also collect NetFlow, IPFIX, J-Flow, NetStream, and AppFlow
Traffic shaping measures
The free version allows unlimited monitoring for 30 days but then reverts to monitoring only two interfaces. You can graduate to a variety of related products to expand beyond traffic analysis into a full network management suite.
- Supports multiple protocols like NetFlow, great for monitoring Cisco equipment
- Both tools work well alongside each other to help view traffic patterns and bandwidth usage
- Easy-to-use interface automatically highlights bandwidth hogs and other network traffic outliers
- Scale well, designed for large enterprise networks
- Can view traffic on a per-hop basis, allowing for granular traffic analysis
7. ntopng and nProbe
The open-source network traffic analysis tool ntopng does passive network monitoring based on flow data and packet capture; it uses nProbe for collecting flow data from devices and hosts that export it. We’ve examined the capabilities of ntopng and nProbe for NetFlow monitoring and analysis before. They can also handle sFlow. ntopng’s web-based user interface rolls up data into network traffic (eg, top talkers), flows, hosts, devices, and interfaces. The flow display shows application protocols (eg Facebook, YouTube), and can list latencies and TCP statistics (eg packet loss). You can set alerts based on many criteria.
- Packet sniffer
- Post-collection NetFlow and sFlow analysis
- Technician tool
nProbe can be test-driven for free but is limited to 25000 exported flows. You can get the less-restricted versions of ntopng and nProbe by buying licenses. Educational and nonprofit organizations can qualify for free licenses.
Open-source tool, highly customizable
Supports multiple flow protocols
A great option for Unix and MacOS
Free options for education and non-profit organizations
Has a steep learning curve, especially for non-technical users
Fully functional version is behind a paywall
8. Plixer Scrutinizer
Plixer Scrutinizer(R) is a sophisticated flow-oriented network traffic analysis system with a particular focus on security forensics (it’s called the “Scrutinizer Incident Response System”). It supports both NetFlow and sFlow. Scrutinizer can be installed as a dedicated physical appliance, as a virtual machine running on a server, or as a SaaS solution running in the cloud (public or hybrid). It’s a sophisticated system, so even the free trial on a virtual machine demands considerable resources (eg, a dedicated 16GB of RAM).
- Network security analyzer
- Uses NetFlow and sFlow
- Physical or virtual appliance
Scrutinizer is designed for high performance and scalability from small to very large environments. It provides a rich range of analysis and reporting features. The trial includes full access for 30 days. After that, the free version has a limit of 10K flows collected per second, five hours of raw flows kept, and one week of historical summaries maintained. The paid version includes notifications, dashboard customization, custom reports, scheduled email reports, and support. License pricing depends on the platform chosen and the number of flow exporters to be supported.
Offers multiple deployment options
Designed to support large enterprise networks
Offers additional security-related traffic analysis features
Uses a considerable amount of system resources
Must reach out to sales for pricing
Steeper learning curve than similar tools on the market
Conclusion
If your installed devices primarily support sFlow, there are multiple excellent tools for network monitoring and traffic analysis, including free options. As usual, your final choice depends on the size and complexity of your network, and how you expect it to evolve in the future.