Free Flowing Network Monitoring Tools

At first glance, nothing beats free. Linux runs on everything from mainframes to mobile phones; Snort is the most widely used Intrusion Detection System (IDS) software, and Open Office is taking a bite out of Microsoft's dominance of the office suite market. There are also numerous free products available for network management. In this article we focus on two that can be used to capture and analyze network traffic data coming from switches and routers - ntop and Scrutinizer - as well as how to get support for both when needed.

Packet Parsing

ntop and Scrutinizer are both tools for accessing and analyzing NetFlow data. NetFlow was developed by Cisco Systems Inc. as a part of the Internetwork Operating System (IOS) that comes with its routers and some of its switches. It helps customers monitor their networks, analyze traffic patterns, track usage and plan for expansion. The most recent release is version 9.

While traditional Simple Network Management Protocol (SNMP) polling shows bandwidth utilization, it doesn't provide insight into exactly what is traveling on the network. Further granularity is needed to apply QoS policies, determine bandwidth hogs and identify the effect of new applications installed on the network. To achieve this, NetFlow examines the packets passing through a network interface with reference to seven attributes: IP source address, IP destination address, source port, destination port, Layer 3 protocol type, Class of Service and router or switch interface. All packets sharing the same seven attributes are considered part of the same flow; the bytes and packets for that flow are tallied, and the data on completed flows is stored in a cache for export.

NetFlow requires two elements: a data generator and a data collector. The data generator is any device that is set up to collect and export NetFlow data. It is a push technology: the device bundles the data from about 30 to 50 flows and sends it off to the collector.
UDP is generally used to transport the data, although other transports are available. On an IOS device the export format is selected with a command such as:

#ip flow-export version 5

The data collector is a workstation or server with a database and analysis software installed; it collects the data exported by the network devices and makes it available for analysis by the network administrators. Once the collector is configured to listen on the correct UDP port (the default is 2055) it starts receiving the NetFlow data. NetFlow traffic is about 2 percent of the current bandwidth utilization, and a 20MB interface generates about 1GB of raw data daily.

NetFlow is a proprietary Cisco format, but the Internet Engineering Task Force (IETF) is developing a standard based on NetFlow v.9 called Internet Protocol Flow Information eXport (IPFIX), which will work with devices using IOS as well as products from many other vendors. For the latest news on IPFIX and drafts of the protocol, go to the working group's website at www.ietf.org/html.charters/ipfix-charter.html.

NetFlow is available on nearly all Cisco network devices except for the 3660 Multiservice Platform and the 2900, 3500 and 3750 switches. In addition to Cisco, commercial vendors providing NetFlow reporting applications include AdventNet, Arbor Networks, Fluke Networks, CA, HP, IBM and NetQoS.

No Cost NetFlow

For those looking for a freeware NetFlow analyzer, one option is ntop (www.ntop.org), an open source network traffic probe developed by Luca Deri at the University of Pisa and released under the GPL. It runs on Unix (including Linux, BSD, Solaris and Mac OSX) and 32-bit Windows platforms. In addition to supporting NetFlow and IPFIX, ntop also supports VoIP and sFlow (a hardware-based flow reporting solution) data. Traffic statistics are stored in Round Robin Databases (RRD) for long-term analysis, and data is presented via a web interface.
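To make the flow model concrete, here is an added example in Python (not code from the article, ntop or Scrutinizer) that parses a NetFlow v5 export datagram of the kind a router pushes to UDP port 2055, keys each record on the seven attributes listed above, and derives the top-talker list and the SMTP fan-out pattern behind the spam-zombie scenario described later in the article. The sample flows and addresses are constructed for the example; the field layout is the standard NetFlow v5 header and record format.

```python
"""Minimal NetFlow v5 collector logic: parse an export datagram and aggregate flows.

Added example, not from the article, ntop or Scrutinizer. The packet layout is the
public NetFlow v5 header/record format; SAMPLE_FLOWS below is constructed test data.
"""
import socket
import struct
from collections import defaultdict

# NetFlow v5 header (24 bytes): version, count, sys_uptime, unix_secs, unix_nsecs,
# flow_sequence, engine_type, engine_id, sampling_interval
HEADER_FMT = "!HHIIIIBBH"
# NetFlow v5 record (48 bytes): srcaddr, dstaddr, nexthop, input, output, dPkts,
# dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as,
# dst_as, src_mask, dst_mask, pad2
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)
MAX_RECORDS = 30      # a v5 exporter packs at most 30 records into one datagram
COLLECTOR_PORT = 2055  # default export port; where a real collector would bind

# Constructed sample: (src, dst, sport, dport, proto, tos, in_ifindex, pkts, octets).
# 10.0.0.5 has one long web download reported across two export records;
# 10.0.0.7 opens TCP/25 to three different hosts, the spam-zombie symptom.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", 51000, 80, 6, 0, 1, 100, 150000),
    ("10.0.0.5", "198.51.100.10", 51000, 80, 6, 0, 1, 50, 75000),
    ("10.0.0.7", "203.0.113.1", 40000, 25, 6, 0, 1, 10, 5000),
    ("10.0.0.7", "203.0.113.2", 40001, 25, 6, 0, 1, 10, 5000),
    ("10.0.0.7", "203.0.113.3", 40002, 25, 6, 0, 1, 10, 5000),
    ("10.0.0.9", "198.51.100.20", 53, 53, 17, 0, 2, 2, 300),
]


def build_v5_packet(flows):
    """Build a NetFlow v5 datagram the way an exporter would (used here to create input)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(src), socket.inet_aton(dst), b"\x00" * 4,
                    ifindex, 0, pkts, octets, 0, 0,
                    sport, dport, 0, 0, proto, tos, 0, 0, 0, 0, 0)
        for src, dst, sport, dport, proto, tos, ifindex, pkts, octets in flows)
    return header + records


def parse_v5(datagram):
    """Decode one datagram into flow dicts; reject anything that is not well-formed v5."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if count > MAX_RECORDS or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "ifindex": f[3], "pkts": f[5], "octets": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14],
        })
    return flows


def flow_key(f):
    """The seven attributes NetFlow uses to decide that packets belong to one flow."""
    return (f["src"], f["dst"], f["sport"], f["dport"], f["proto"], f["tos"], f["ifindex"])


def aggregate(flows):
    """Sum packets and bytes per 7-tuple so records of one long-lived flow merge."""
    totals = {}
    for f in flows:
        pkts, octets = totals.get(flow_key(f), (0, 0))
        totals[flow_key(f)] = (pkts + f["pkts"], octets + f["octets"])
    return totals


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first: the top-talkers view."""
    by_src = defaultdict(int)
    for f in flows:
        by_src[f["src"]] += f["octets"]
    return sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]


def smtp_fanout(flows, min_destinations=3):
    """Sources talking TCP/25 to at least min_destinations distinct hosts,
    the pattern of a workstation that has been turned into a spam relay."""
    dests = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["dport"] == 25:
            dests[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_destinations}


if __name__ == "__main__":
    packet = build_v5_packet(SAMPLE_FLOWS)  # a real collector gets this from recvfrom() on UDP 2055
    flows = parse_v5(packet)
    print("flows:", len(flows), "distinct 7-tuples:", len(aggregate(flows)))
    print("top talkers:", top_talkers(flows))
    print("smtp fan-out:", smtp_fanout(flows))
```

The length check in parse_v5 is the part worth copying: a collector sits on an open UDP port and must treat a bad record count or a truncated datagram as malformed input rather than indexing past the buffer.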
Another free tool for analyzing flow technologies is Scrutinizer (www.plixer.com/products/free-netflow.php) from Plixer International, Inc. of Sanford, Maine. Scrutinizer is a collector of NetFlow data as well as the other flow technologies, sFlow and IPFIX. It also collects VoIP data from Avaya, Cisco, Nortel, Asterisk and other PBXes. Scrutinizer runs on Windows boxes (2000/XP/2003) with a minimum of 2Gb of RAM and 50 Gb of available disk space for trial installations. Production environments have higher recommended hardware specifications. It integrates with a number of other network management products, including Ipswitch Inc.'s What'sUp Gold, SolarWinds' Orion and Numara Software's Track-It, as well as Packeteer appliances.

Like ntop, Scrutinizer uses a browser interface. Data is shown covering intervals from five seconds up to a week. When viewing a graph, administrators can drag the cursor over a section to drill down further into that data. A network admin, for example, when looking at a weekly graph of top talkers on a particular connection, might spot a traffic peak on Wednesday morning at 3 A.M. - a time when the office is empty and traffic should be minimal. Dragging the mouse over that peak drills down into that time period and exposes that a particular machine was acting as a zombie, sending out spam.

Seeking Support

Both ntop and Scrutinizer are good ways of getting a quick look at what is traveling on the network. But, as the old adage goes, there is no such thing as a free Linux. Even though the software comes as a no-cost download, there is still the expense of installing, maintaining and hosting it. Many organizations, therefore, find it cheaper to pay for a supported version: RedHat and SuSE for Linux, Sourcefire for Snort and Sun Microsystems' StarOffice. Similarly, ntop and the free version of Scrutinizer are good up to a point, but they are limited in their usefulness when compared to a commercial product.
Just as many companies prefer to go with a commercial release of Linux, so do they want support for their free flow collection software. Both ntop and Scrutinizer have support available for a fee. For those who need to get more out of ntop, the ntop organization offers fee-based services from the ntop developers. The ntop website also lists companies in seven countries offering on-site ntop support (www.ntop.org/consultancy.html).

With Scrutinizer, one of the main drawbacks of the free software is that it only stores the data for 24 hours. This is still useful for immediate debugging of overloaded connections, but it doesn't give the longer-range view needed for capacity planning, or to spot the source of recurring, intermittent problems. When one needs support and a more robust feature set, several other versions of Scrutinizer are available for purchase.

Holding a master's degree in Computer Information Systems, Michael Patterson has many years of experience as manager of the Network Operations Center at Cabletron Systems in Durham, N.H. He is currently the president of Plixer Inc., a maker of network management software such as Scrutinizer NetFlow and sFlow Analyzer, based in Sanford, Maine. He can be contacted through www.plixer.com.