Traffic counter useful thing. Especially if you have limited access to the network by time or by the volume of used megabytes. Not everyone has unlimited, right? Many people have unlimited at home, and for a laptop they use a 3G connection or Mobile Internet out of the house, like me, for example. And this kind of communication is usually limited. It is necessary to monitor the consumption of traffic, so as not to get money when overspending.

I propose to use NetWorx free program to account for Internet traffic and monitor the speed of an Internet connection. This small, necessary program will help you monitor the speed (traffic cops don't sleep!) of moving around the network, and will also show how many kilograms of Internet have been downloaded in a certain time.

By using NetWorx You can set a time or megabyte limit. And when this threshold is reached, a notification will appear on the screen that your song has been sung and it's time to turn off. And you can set automatic shutdown from the network or start certain programs. Convenient, helpful, easy.

Download and install NetWorx: 1.7Mb



When you press Right button mouse on the tray icon - this menu will appear ...

Any administrator sooner or later receives an instruction from the management: "calculate who goes to the network and how much he downloads." For providers, it is supplemented by the tasks of "letting anyone in, taking payment, restricting access." What to count? How? Where? There is a lot of fragmentary information, they are not structured. We will save the novice administrator from tedious searches by providing him with general knowledge, and useful links for materiel.
In this article I will try to describe the principles of organizing the collection, accounting and control of traffic on the network. We will consider the problematics of the issue, and list possible ways retrieval of information from network devices.

This is the first theoretical article in a series of articles dedicated to the collection, accounting, management and billing of traffic and IT resources.

Internet access structure

In general, the network access structure looks like this:
  • External resources - the Internet, with all sites, servers, addresses and other things that do not belong to a network that you control.
  • An access device is a router (hardware or PC-based), switch, VPN server or hub.
  • Internal resources - a set of computers, subnets, subscribers, whose work in the network must be taken into account or controlled.
  • Management or accounting server - a device on which a specialized software. It can be functionally combined with a software router.
In this structure, network traffic flows from external resources to internal, and vice versa, through the access device. It sends traffic information to the management server. The control server processes this information, stores it in the database, displays it, issues lock commands. However, not all combinations of access devices (methods) and collection and management methods are compatible. The various options will be discussed below.

Network traffic

To begin with, it is necessary to define what is meant by "network traffic" and what useful statistical information can be extracted from the user data stream.
IP version 4 remains the dominant internetworking protocol so far. The IP protocol corresponds to the 3rd layer of the OSI model (L3). The information (data) between the sender and the recipient is packed into packets - having a header and a "payload". The header defines where the packet comes from and where (sender and destination IP addresses), packet size, payload type. The bulk of network traffic is made up of packets with UDP and TCP payloads - these are Layer 4 (L4) protocols. In addition to addresses, the header of these two protocols contains port numbers that determine the type of service (application) that transmits data.

To transmit an IP packet over wires (or radio), network devices are forced to “wrap” (encapsulate) it into a Layer 2 (L2) protocol packet. The most common protocol of this type is Ethernet. The actual transfer "to the wire" is at the 1st level. Usually, the access device (router) does not analyze packet headers at a level higher than 4th (an exception is intelligent firewalls).
Information from the fields of addresses, ports, protocols and length counters from the L3 and L4 headers of data packets and makes up that " raw material”, which is used for accounting and traffic management. The actual amount of information to be transferred is in the Length field of the IP header (including the length of the header itself). By the way, due to packet fragmentation due to the MTU mechanism, the total amount of data transmitted is always greater than the payload size.

The total length of the IP and TCP/UDP fields of the packet that are of interest to us in this context is 2...10% of the total packet length. If you process and store all this information batch by batch, there will not be enough resources. Fortunately, the vast majority of traffic is structured in such a way that it consists of a set of "dialogues" between external and internal network devices, the so-called "flows". For example, within a single e-mail forwarding operation (SMTP protocol), a TCP session is opened between the client and the server. It is characterized by a constant set of parameters (Source IP address, Source TCP port, Destination IP address Destination TCP port). Instead of processing and storing information per packet, it is much more convenient to store flow parameters (addresses and ports), as well as Additional information– number and sum of lengths of transmitted packets in each direction, optional session duration, router interface indices, ToS field value, etc. This approach is beneficial for connection-oriented protocols (TCP), where it is possible to explicitly intercept the moment the session ends. However, even for non-session-oriented protocols, it is possible to aggregate and logically complete a stream record by, for example, a timeout. Below is an excerpt from the SQL database of our own billing system that logs information about traffic flows:

It should be noted the case when the access device performs address translation (NAT, masquerading) to organize access to the Internet of computers local network using a single, external, public IP address. In this case, a special mechanism performs the substitution of IP addresses and TCP / UDP ports of traffic packets, replacing internal (not routable on the Internet) addresses according to its dynamic translation table. In this configuration, it must be remembered that in order to correctly record data on internal network hosts, statistics must be collected in a way and in the place where the translation result does not yet “anonymize” internal addresses.

Methods for collecting information about traffic / statistics

You can capture and process information about passing traffic directly on the access device itself (PC router, VPN server), transferring it from this device to separate server(NetFlow, SNMP), or "off the wire" (tap, SPAN). Let's analyze all the options in order.
PC router
Consider simplest case– access device (router) based on PC with OS Linux.

How to set up such a server, address translation and routing, much has been written. We are interested in the next logical step - information on how to obtain information about the traffic passing through such a server. There are three common ways:

  • interception (copying) of packets passing through the server network card using the libpcap library
  • capturing packets passing through the built-in firewall
  • use of third-party tools for converting per-packet statistics (obtained by one of the two previous methods) into a stream of aggregated information netflow
libpcap


In the first case, a copy of the packet passing through the interface, after passing the filter (man pcap-filter) can be requested client program on a server written using this library. The packet arrives with a Layer 2 (Ethernet) header. It is possible to limit the length of the captured information (if we are only interested in the information from its header). Examples of such programs are tcpdump and Wireshark. There is a Windows implementation of libpcap. In the case of using address translation on a PC router, such interception can only be performed on its internal interface connected to local users. On the external interface, after translation, IP packets do not contain information about the internal hosts of the network. However, with this method, it is impossible to take into account the traffic generated by the server itself on the Internet (which is important if it runs web or Post service).

The operation of libpcap requires support from the operating system, which currently comes down to installing a single library. In this case, the application (user) program that collects packages must:

  • open required interface
  • specify the filter through which to pass received packets, the size of the captured part (snaplen), the size of the buffer,
  • set the promisc parameter, which puts the network interface into capture mode for all packets passing by in general, and not just those addressed to the MAC address of this interface
  • set a function (callback) to be called on each received packet.

When transmitting a packet through the selected interface, after passing the filter, this function receives a buffer containing Ethernet, (VLAN), IP, etc. headers, total size up to snaplen. Since the libcap library copies packages, it is not possible to block their passage with it. In this case, the traffic collection and processing program will have to use alternative methods, for example, calling a script to place the specified IP address in the traffic blocking rule.

Firewall


Capturing data passing through the firewall allows you to take into account both the traffic of the server itself and the traffic of network users, even when address translation is running. The main thing in this case is to correctly formulate the capture rule, and put it in Right place. This rule activates the transmission of the packet towards the system library, from where the traffic accounting and management application can receive it. For Linux OS, iptables is used as a firewall, and interception tools are ipq, netfliter_queue or ulog . For OC FreeBSD - ipfw with rules like tee or divert . In any case, the firewall mechanism is supplemented by the ability to work with the user program in the following way:
  • A user program - a traffic handler registers itself in the system using a system call, or a library.
  • The user program or an external script sets a rule in the firewall, "wrapping" the selected traffic (according to the rule) inside the handler.
  • For each passing packet, the handler receives its contents in the form of a memory buffer (with IP headers, etc. After processing (accounting), the program must also tell the operating system kernel what to do next with such a packet - discard or pass on. Alternatively, it is possible pass the modified packet to the kernel.

Since the IP packet is not copied, but sent to the analysis software, it becomes possible to "eject" it, and therefore, completely or partially restrict traffic of a certain type (for example, to the selected local network subscriber). However, if the application stops responding to the kernel about its decision (hangs, for example), traffic through the server is simply blocked.
It should be noted that the described mechanisms, with significant amounts of transmitted traffic, create an excessive load on the server, which is associated with constant copying of data from the kernel to the user program. The method of collecting statistics at the level of the OS kernel does not have this drawback, with the issuance of aggregated statistics to the application program using the NetFlow protocol.

Netflow
This protocol was developed by Cisco Systems to export traffic information from routers for the purpose of traffic accounting and analysis. The most popular now version 5 provides the recipient with a structured data stream in the form of UDP packets containing information about the past traffic in the form of so-called flow records:

The volume of information about traffic is several orders of magnitude smaller than the traffic itself, which is especially important in large and distributed networks. Of course, it is impossible to block the transfer of information when collecting statistics on netflow (if you do not use additional mechanisms).
Currently, the further development of this protocol is becoming popular - version 9, based on the flow record template structure, an implementation for devices from other manufacturers (sFlow). Recently, the IPFIX standard has been adopted, which allows statistics to be transmitted over protocols of deeper levels (for example, by application type).
The implementation of netflow sources (agents, probes) is available for PC routers, both in the form of utilities working according to the mechanisms described above (flowprobe, softflowd), and directly built into the OS kernel (FreeBSD: ng_netgraph , Linux: ). For software routers, the netflow statistics stream can be received and processed locally on the router itself, or sent over the network (transmission protocol - over UDP) to the receiving device (collector).


The collector program can collect information from many sources at once, being able to distinguish between their traffic even with overlapping address spaces. With the help of additional tools, such as nprobe, it is also possible to carry out additional data aggregation, stream bifurcation or protocol conversion, which is important when managing a large and distributed network with dozens of routers.

The netflow export functions support routers from Cisco Systems, Mikrotik, and some others. Similar functionality (with other export protocols) is supported by all major network equipment manufacturers.

libpcap "outside"
Let's complicate the task a little. What if your access device is a third party hardware router? For example, D-Link, ASUS, Trendnet, etc. On it, most likely, it is impossible to put an additional software tool data capture. Alternatively, you have an intelligent access device, but it is not possible to configure it (no rights, or it is controlled by your provider). In this case, it is possible to collect information about traffic directly at the junction point of the access device with the internal network, using the "hardware" means of copying packets. In this case, you will certainly need a separate server with a dedicated network card to receive copies of Ethernet packets.
The server must use the packet collection mechanism according to the libpcap method described above, and our task is to submit a data stream identical to the output from the access server to the input of the network card allocated for this. For this you can use:
  • Ethernet hub: A device that simply forwards packets between all of its ports indiscriminately. In modern realities, it can be found somewhere in a dusty warehouse, and this method is not recommended: it is unreliable, low speed(there are no hubs at a speed of 1 Gbps)
  • Ethernet - a switch with the ability to mirror (mirroring, SPAN ports. Modern intelligent (and expensive) switches allow you to copy all traffic (incoming, outgoing, both) to the specified port of another physical interface, VLAN, including remote (RSPAN)
  • A hardware splitter that may require installation to collect two network cards instead of one - and this is in addition to the main, systemic one.


Naturally, you can configure the SPAN port on the access device itself (router), if it allows it - Cisco Catalyst 6500, Cisco ASA. Here is an example of such a configuration for a Cisco switch:
monitor session 1 source vlan 100 ! where do we get packages from
monitor session 1 destination interface Gi6/3! where do we ship packages?

SNMP
What if there is no router under our control, there is no desire to contact netflow, we are not interested in the details of the traffic of our users. They are simply connected to the network through a managed switch, and we just need to roughly estimate the amount of traffic that falls on each of its ports. As you know, network devices with the ability remote control support, and can display counters of packets (bytes) passing through network interfaces. To poll them, it would be correct to use the standardized SNMP remote management protocol. Using it, you can quite simply get not only the values ​​of the specified counters, but also other parameters, such as the name and description of the interface, MAC addresses visible through it, and other useful information. This is done as utilities command line(snmpwalk), graphical SNMP browsers, and more sophisticated network monitoring programs (rrdtools , cacti , zabbix , whats up gold, etc.). However, this method has two significant drawbacks:
  • traffic blocking can only be done by completely disabling the interface, using the same SNMP
  • traffic counters taken via SNMP refer to the sum of the lengths of Ethernet packets (with unicast, broadcast and multicast separately), while the rest of the tools described earlier give values ​​relative to IP packets. This creates a noticeable discrepancy (especially on short packets) due to the overhead caused by the length of the Ethernet header (however, this can be approximately dealt with: L3_bytes = L2_bytes - L2_packets*38).
VPN
Separately, it is worth considering the case of user access to the network by explicitly establishing a connection to the access server. A classic example is the good old dial-up, whose analogue in modern world are VPN remote access services (PPTP, PPPoE, L2TP, OpenVPN, IPSEC)


The access device not only routes user IP traffic, but also acts as a specialized VPN server and terminates logical tunnels (often encrypted) within which user traffic is transmitted.
To account for such traffic, you can use both all the tools described above (and they are well suited for in-depth analysis by ports / protocols), as well as additional mechanisms that provide VPN access control tools. First of all, we will talk about the RADIUS protocol. His work is a rather complex topic. We will briefly mention that the control (authorization) of access to the VPN server (RADIUS client) is controlled by special application(RADIUS server) that has a base behind it ( text file, SQL, Active Directory) allowed users with their attributes (connection speed limits, assigned IP addresses). In addition to the authorization process, the client periodically sends accounting messages to the server, information about the status of each currently running VPN session, including counters of transmitted bytes and packets.

Conclusion

Let's summarize all the methods of collecting traffic information described above together:

Let's sum up a little. In practice, there are a large number of methods for connecting the network you manage (with clients or office subscribers) to an external network infrastructure using a number of access tools - software and hardware routers, switches, VPN servers. However, in almost any case, you can come up with a scheme when information about the traffic transmitted over the network can be directed to a software or hardware tool for its analysis and control. It is also possible that this tool will allow feedback with the access device, applying intelligent access restriction algorithms for individual clients, protocols, and more.
This concludes the analysis of materiel. Of the unresolved topics remained:

  • how and where the collected traffic data goes
  • traffic accounting software
  • what is the difference between billing and a simple “counter”
  • how to limit traffic
  • recording and limiting visited websites

Tags: Add tags

There are a lot of programs for accounting traffic in the local network: both paid and free, which differ greatly in functionality. One of the most popular Open Source programs is SAMS. It runs on the Linux platform in conjunction with Squid.

SAMS requires PHP5, we will use Ubuntu Server 14.04. We will need Squid, Apache2, PHP5 packages with modules.

Internet traffic accounting in linux local network

Let's try to figure out how it works.

Squid distributes the Internet, accepting requests on port 3128. At the same time, it writes a detailed access.log. All management is done through the squid.conf file. Squid has a wide range of Internet access control capabilities: access control by addresses, bandwidth control for specific addresses, groups of addresses and networks.

SAMS works by analyzing the logs of the Squid proxy server. The traffic accounting system in the local network monitors the statistics of the proxy server and, in accordance with the specified policies, makes a decision to block, unblock or limit the speed for the Squid client.

SAMS Installation

Installing packages.

apt-get install apache2 php5 php5-mysql mysql-server php5-gd squid3

Download and install SAMS

wget https://github.com/inhab-magnus/sams2-deb/archive/master.zip

unzip master.zip

cd sams2-deb-master/

dpkg -i sams2_2.0.0-1.1_amd64.deb

Installing the web interface

dpkg -i apache2/sams2-web_2.0.0-1.1_all.deb

We make changes to the /etc/sams2.conf file.

DB_PASSWORD=/MySql password/

Launch SAMS

service sams2 start

Setting up Squid

Making changes to the /etc/squid3/squid.conf file

http_port 192.168.0.110:3128
cache_dir ufs /var/spool/squid3 2048 16 256

We enable logging and rotation of logs with storage for 31 days.

access_log daemon:/var/log/squid3/access.log squid

logfile_rotate 31

Stop Squid, create cache.

service squid3 stop

service squid3 start

For the purity of the experiment, we configure one of the browsers to work with the proxy 192.168.0.110 through port 3128. Having tried to connect, we get a connection failure - Squid does not have permissions to access the proxy.

SAMS initial setup

In another browser, open the address (192.168.0.110 - server address).

http://192.168.0.110/sams2

He will tell us that he cannot connect to the database and will offer to install.

Specify the database server (127.0.0.1), login and password from MySql.

The initial configuration of the traffic accounting system is completed. It remains only to configure the program.

Monitoring traffic in the local network

Log in to the system as an administrator (admin/qwerty).

It is worth saying right away about user authorization.

In the Squid branch, open the proxy server and click the "Proxy server settings" button below.

The most important thing here is to specify your IP address in the addresses of folders and files, where necessary, otherwise the proxy server will not start.

The essence of all changes in the SAMS settings is that they are written to squid.conf. sams2deamon runs in the background, which monitors changes in settings that require configuration file(you can also set the tracking interval there).

Fill in the "User" and "IP address" fields. As a username, take the same IP (IP of the computer, not the server!). In the "Allowed traffic" field, enter "0", that is, without restrictions. All other fields are omitted.

A new acl will be added for this IP address and permission to work through Squid. If the config was not changed automatically, go to the proxy branch and click the "Reconfigure Squid" button. Changes to the config will be made manually.

We try to open any URL in the browser. We check the access.log and see the requests processed by the proxy. To check the operation of SAMS, open the "Users" page, click the "Recalculate user traffic" button below.

Using the buttons below to manage statistics, you can get detailed information on the statistics of user visits to pages.

Computers are interconnected using external or internal networks. Thanks to this, users can share information with each other, even when they are on different continents.

Office traffic control software

With the help of ICS, you can easily control traffic accounting and its distribution among users, influence the ability to connect to Internet resources at your discretion, and ensure the security of your internal network.

School traffic control software

ICS is a universal Internet gateway with tools for protecting the educational network, traffic accounting, access control and deploying a mail, proxy and file server.

Program to control traffic at home

X Lite is free Internet a gateway that provides all the needs of working with the Internet at home. X Lite is a full-featured version of Internet Control Server, which includes a license for 8 users.


Types of networks

  • Home - combine computers in one apartment or house.
  • Corporate - connect the working machines of the enterprise.
  • Local networks - often have a closed infrastructure.
  • Global - connect entire regions and may include local networks.

The benefits of such a connection are enormous: it saves time for specialists, reduces bills for phone calls. And all these benefits can be reduced to zero if security is not taken care of in time.

Firms that are not familiar with the concept of “traffic control” suffer huge losses or completely restrict access to information. There is an easier way to save safely - a program to control traffic on the local network.

Traffic Tracking

It is important for the manager to know what the company's funds are spent on. Therefore, the system administrator is also involved in controlling network traffic in the office. Statistics are collected not only by volume, but also by the content of the transmitted information.

Why do you need control over the local network? Although the answer to this question is obvious, many system administrators cannot reasonably substantiate the need to control the consumption of Internet traffic.

Benefits for the manager

Traffic Control Program:

  • optimizes the work of the network - by saving the working time of specialists, labor productivity increases;
  • shows the distribution of traffic by users - makes it possible to find out who needs Internet resources;
  • shows for what purposes the traffic was spent - excludes inappropriate access.

Benefits for the system administrator

Monitoring of traffic in the local network allows you to:

  • restrict user access to unwanted information;
  • promptly receive data on the volume of traffic - exclusion of network congestion;
  • prevent viruses from entering the network and detect security violators.

Options for implementing control

Internet traffic control in corporate network can be organized in several ways:

  1. Buy a firewall with the ability to differentiate traffic.
  2. Configure proxy servers with NAT drivers with traffic accounting functions.
  3. Use different kinds add-ons.

Provide the same maximum protection can only be a complex solution. Internet Control Server provides full traffic control and offers all the necessary functionality. ICS is a FreeBSD-based router with a built-in proxy server.

Advantages of ICS

  1. Statistical studies have revealed that employees spend 1/3 of their working time on accessing the Internet for personal purposes. A special Internet gateway ICS will help prevent inappropriate access.
  2. The traffic flow control system keeps records on any operating systems ah users.
  3. ICS offers flexible settings.
  4. Prepares detailed reports in a convenient form.

Free download!

Start right now - download the demo version of the program for monitoring Internet traffic from our website. You will be able to use all the features of our solution without restrictions for 35 days! After the end of the trial period, you just need to purchase full version by placing an order or contacting our managers.

Organization type

Select the type of organization Educational institution Budgetary institution Commercial organization

Prices DO NOT APPLY to private non-state institutions and institutions of postgraduate professional education

Editions of ICS

Not required ICS Standard ICS FSTEC

To calculate the cost of FSTEC, contact the sales department

Delivery type

ICS ICS + SkyDNS ICS + Kaspersky Web Filtering

License type

New license Upgrade license

Premium Upgrade License License Extension

Number of users

License Extension

C before users

05/23/16 45.3K

Many network administrators often face problems that network traffic analysis can help solve. And here we are faced with such a concept as a traffic analyzer. So what is it?


NetFlow analyzers and collectors are tools that help you monitor and analyze network traffic data. Network process analyzers allow you to pinpoint devices that are reducing bandwidth. They know how to find problem areas in your system, and improve the overall efficiency of the network.

The term " NetFlow" refers to a Cisco protocol designed to collect information about traffic over IP and monitor network traffic. NetFlow has been adopted as the standard protocol for streaming technologies.

NetFlow software collects and analyzes flow data generated by routers and presents it in a user-friendly format.

Several other network equipment vendors have their own monitoring and data collection protocols. For example, Juniper, another highly respected network device vendor, calls its protocol " j-flow". HP and Fortinet use the term " s-Flow". Although the protocols are named differently, they all work in a similar way. In this article, we'll take a look at 10 free network traffic analyzers and NetFlow collectors for Windows.

SolarWinds Real-Time NetFlow Traffic Analyzer


Free NetFlow Traffic Analyzer is one of the more popular tools available for free download. It gives you the ability to sort, label and display data different ways. This allows you to conveniently visualize and analyze network traffic. The tool is great for monitoring network traffic by type and time period. As well as running tests to determine how much traffic different applications are consuming.

This free tool limited to one NetFlow monitoring interface and only stores 60 minutes of data. This Netflow Analyzer is a powerful tool that is well worth using.

Colasoft Capsa Free


This free LAN traffic analyzer allows you to identify and monitor over 300 network protocols and allows you to create customizable reports. It includes monitoring Email and sequence diagrams TCP sync, all collected in one customizable panel.

Other features include network security analysis. For example, tracking DoS / DDoS attacks, worm activity and detection of ARP attacks. As well as packet decoding and information display, statistics about each host on the network, packet exchange control and stream reconstruction. Capsa Free supports all 32-bit and 64-bit Windows versions xp.

Minimum system requirements for installation: 2 GB random access memory and a 2.8 GHz processor. You must also have an ethernet connection to the internet ( compatible with NDIS 3 or higher), Fast Ethernet, or Gigabit with a mixed mode driver. It allows you to passively capture all packets transmitted over an Ethernet cable.

Angry IP Scanner


This is a Windows traffic analyzer with an open source code, fast and easy to apply. It does not require installation and can be used on Linux , Windows and Mac OSX . This tool works through a simple ping of each IP address and can determine MAC addresses, scan ports, provide NetBIOS information, determine the authorized user in Windows systems, discover web servers, and more. Its capabilities are extended with Java plugins. Scan data can be saved in CSV, TXT, XML format files.

ManageEngine NetFlow Analyzer Professional


A fully functional version of NetFlow software from ManageEngines. This is a powerful software full set functions for analysis and data collection: monitoring bandwidth channel in real time and alerts when thresholds are reached, which allows you to quickly administer processes. In addition, it provides the output of summary data on the use of resources, monitoring applications and protocols, and much more.

Free version Linux Traffic Analyzer allows unlimited use of the product for 30 days, after which only two interfaces can be monitored. System requirements for NetFlow Analyzer ManageEngine depend on the flow rate. Recommended requirements for a minimum flow rate of 0 to 3000 threads per second: 2.4 GHz dual-core processor, 2 GB of RAM and 250 GB of free hard disk space. As the flow rate to be monitored increases, the requirements also increase.

The Dude


This application is a popular network monitor developed by MikroTik. It automatically scans all devices and recreates the network map. The Dude controls the servers running on various devices, and alerts you if problems occur. Other features include automatic discovery and display of new devices, the ability to create custom maps, access to remote device management tools, and more. It runs on Windows, Linux Wine and MacOS Darwine.

JDSU Network Analyzer Fast Ethernet


This traffic analyzer program allows you to quickly collect and view data over the network. The tool provides the ability to view registered users, determine the level of network bandwidth usage by individual devices, and quickly find and fix errors. As well as capture real-time data and analyze it.

The application supports the creation of highly detailed graphs and tables that allow administrators to monitor traffic anomalies, filter data to sift through large amounts of data, and more. This tool is for professionals entry level, as well as for experienced administrators, allows you to completely take control of the network.

Plixer Scrutinizer


This network traffic analyzer allows you to collect and comprehensively analyze network traffic, and quickly find and fix errors. With Scrutinizer, you can sort data in a variety of ways, including timeslots, hosts, applications, protocols, and more. The free version allows you to control an unlimited number of interfaces and store data for 24 hours of activity.

Wireshark


Wireshark is a powerful network analyzer that can run on Linux, Windows, MacOS X, Solaris and other platforms. Wireshark allows you to view the captured data using GUI, or use the TTY-mode TShark utilities. Its features include VoIP traffic collection and analysis, real-time display of Ethernet data, IEEE 802.11, Bluetooth, USB, Frame Relay, data output to XML, PostScript, CSV, decryption support, and more.

System requirements: Windows XP and above, any modern 64/32-bit processor, 400 Mb of RAM and 300 Mb of free disk space. Wireshark NetFlow Analyzer is a powerful tool that can greatly simplify the work of any network administrator.

Paessler PRTG


This traffic analyzer provides users with many useful functions: support for monitoring LAN, WAN, VPN, applications, virtual server, QoS and environments. Multi-site monitoring is also supported. PRTG uses SNMP , WMI , NetFlow , SFlow , JFlow and packet sniffing as well as uptime/downtime monitoring and IPv6 support.

The free version allows you to use an unlimited number of sensors for 30 days, after which you can only use up to 100 for free.

nProbe


It is a full featured open source NetFlow tracking and analysis application.

nProbe supports IPv4 and IPv6, Cisco NetFlow v9 / IPFIX, NetFlow-Lite, VoIP traffic analysis, stream and packet sampling, logging, MySQL/Oracle and DNS activity, and much more. The application is free if you download and compile the traffic analyzer on Linux or Windows. The setup executable limits the amount of capture to 2000 packages. nProbe is completely free for educational institutions, as well as non-profit and scientific organizations. This tool will work on 64-bit operating systems. Linux systems and Windows.

This list of 10 free NetFlow traffic analyzers and collectors will help you get started monitoring and troubleshooting a small office network or a large multi-site corporate WAN.

Each application presented in this article makes it possible to monitor and analyze network traffic, detect minor failures, identify bandwidth anomalies that may indicate security threats. As well as visualize information about the network, traffic, and more. Network administrators should definitely have such tools in their arsenal.

This publication is a translation of the article " Top 10 Best Free Netflow Analyzers and Collectors for Windows » prepared by a friendly project team

Good bad