Network traffic analysis serves many purposes. It’s used for general network monitoring, for security, and for debugging network issues. It can be helpful not only to network administrators but also to application developers. In this post, you’ll learn what network traffic analysis tools actually are and which five you should know about.
What Is a Network Traffic Analysis Tool?
It may sound obvious what a network traffic analysis tool is, but let’s dive into that a bit deeper. Traffic analysis can be done in multiple different ways. You can do it actively or passively, for example. You can monitor network traffic across your whole company or narrow it down to a specific connection. Network packets can be analyzed including the actual payload, or you can focus only on metadata. In general, the concept of traffic analysis is pretty straightforward, but there are significant differences in implementation and specific use cases. Therefore, one network traffic analysis tool can work completely differently from another.
Why Do You Need an NTA Tool?
Since NTA tools differ so much from each other, there is no single answer for why you would want an NTA tool. But there are many different reasons.
One of the main reasons is security. By analyzing traffic you can detect suspicious activity and react in time. Advanced NTA tools offer features like anomaly detection. Modern malware is hard for traditional antivirus software to detect. Firewalls are good, but there are ways to bypass them. An NTA tool is your last resort: even if a hacker manages to break through your other defenses, good traffic analysis will let you detect them.
Another common reason for a network traffic analysis tool is to find bottlenecks in your network. A general network monitoring tool may tell you that something is wrong, but you’ll need an NTA tool to understand what the problem is. Advanced NTA tools can tell you not only which device is consuming a lot of network bandwidth but even which exact application or user is doing that. With NTA, you can also spot faulty devices easily. When network devices start to fail, they sometimes won’t just stop working but will behave unexpectedly. With an NTA tool, you’ll be able to see that a particular device is starting to drop packets, for example.
Monitoring and Observability
For basic network monitoring, you don’t need NTA—a general network monitoring tool will do the job. But NTA can take that monitoring to the next level. If you need more than just a simple “network is OK” type of monitoring, you should go for an NTA. By analyzing all the packets flowing through the network, you can get a lot of insights and really understand what’s going on. You’ll be able to see which parts of your network consume most of your bandwidth, which protocols are used the most, what type of traffic usually fails, etc. On top of that, you’ll be able to see exactly which applications are consuming too much traffic, and you’ll be able to use anomaly detection to spot anything that’s odd.
Key Features of a Modern NTA
Now that you know why you would want a network traffic analysis tool, let’s talk about some features you should look out for. As mentioned previously, picking an NTA tool is usually very specific to your use case, but there are some generic features that are useful in most cases. Some of these features were already mentioned in the previous section, but you should know that not all NTA tools have them.
Portability and Ease of Use
It’s not true that advanced and feature-rich NTA tools need to be difficult to install and get started with. How easy the installation is and how hard the tool is to learn are important factors. Especially in the modern world, where infrastructure is becoming more and more complicated, you don’t want a tool that is complicated on its own. The easier the tool, the quicker you’ll be able to react to infrastructure changes.
Anomaly Detection
Anomaly detection was already mentioned before, but not many NTA tools actually come with it. It is, however, an extremely useful feature to have. Nowadays there is a lot of network traffic flowing even on networks without that many servers. Manual traffic analysis is really time-consuming. With anomaly detection built in, you drastically decrease the time it takes to get the information you are after.
Reporting and Statistics
As with anomaly detection, rich reporting capabilities are a huge time saver. Basic NTA tools will let you analyze the traffic, but you’ll end up with a lot of data that you’ll have to export to some reporting tool yourself. You’ll then need to build formulas and graphs to get all the data into a nice and understandable form. Good NTA tools will have rich reporting and statistics built in.
Advanced Traceability
Traditionally, working with an NTA tool means recording a lot of raw data and then spending hours, if not days, on analysis. Advanced traceability is another feature that helps you save some time. What this means is that the NTA tool will do most of the job for you when it comes to answering common questions, such as which exact application on which device is consuming more than X amount of bandwidth, or even which user was using specific protocols.
5 Top Network Traffic Analysis Tools
So, what are the five network traffic analysis tools you should know about?
Wireshark
First on our list is the most well-known tool—Wireshark. It’s open-source and very advanced. Wireshark can be used for any type of traffic and any interface. It’s a real powerhouse when it comes to traffic analysis. It can show all the traffic in real time, but you can also apply filters if you know what you are looking for. It also offers offline analysis from previously saved capture files and comes with a few options for generating interesting statistics about the traffic. Wireshark can run on Windows, Linux, and macOS systems. Disadvantages? It’s quite complicated, so you need to spend some time learning it. It’s a great tool for ad-hoc analysis, but not one you would deploy company-wide.
Ettercap
The next tool on our list, Ettercap, shares a few similarities with Wireshark. It’s also open-source and can run on Windows, Linux, and macOS. However, while Wireshark works passively, Ettercap can not only analyze traffic but also manipulate it. Overall, Ettercap is more advanced than Wireshark. It’s often used as a testing tool, but it has advanced network traffic capabilities too. It can identify malicious users and record their actions or block them from the network. Disadvantages? Similar to Wireshark, it requires quite some learning to understand all of its capabilities. Also, it’s a command-line-only tool.
Kismet
Yet another popular traffic analysis tool is Kismet. For this one, let’s start with its disadvantages. The biggest one is the fact that it can only work with WiFi networks, so you won’t be able to use it on wired networks. This is quite a limitation, but if WiFi traffic analysis is what you need the most, it could be a good option for you. By default, Kismet captures only packet metadata, which is not a disadvantage on its own but something you should be aware of. It can, however, be switched to full-packet data capture.
SolarWinds NetFlow Traffic Analyzer
One commonly used non-open-source NTA tool is the SolarWinds NetFlow Traffic Analyzer. It comes with many features, like identifying which endpoints generate heavy traffic on the network, generating reports, and alerting. Unlike the previous tools listed, the NetFlow Traffic Analyzer comes with a web interface so it can be installed once and used by the whole team.
Netreo Traffic Monitor
Last but definitely not least is Netreo Traffic Monitor, one of the most complete NTA solutions. It can gather data from many different devices, as it supports the NetFlow, sFlow, and IPFIX protocols. It can handle over a million connections per second, so it’s a real powerhouse when it comes to traffic analysis. Yet, at the same time, it’s really easy to install and get started with. Configuration and maintenance are minimal.
For that reason, Netreo’s Traffic Monitor is a really good option for a company of pretty much any size. It can automatically detect and instantly visualize new devices found on the network. So, unlike other tools, it doesn’t require you to spend days or weeks crafting special filters and configuring alerts to get the visibility you need. Moreover, Netreo’s NTA is suitable for modern environments. It gives you a unified analysis of all your networks, no matter if they are on-prem or in the cloud—something that’s really important these days.
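To make the flow-based reports described above concrete (which device or application is consuming more than X bandwidth, bytes per protocol), here is an added example, not code from this post or from any of the tools named: a decoder for the NetFlow v5 export datagrams that flow collectors consume, with top-talker and rate-threshold reports run over a constructed three-record sample. The header and record layout follow the published v5 format; the IP addresses, ports, and byte counts are made up for illustration.

```python
import socket
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                 # 24-byte NetFlow v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48-byte NetFlow v5 flow record
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}

def build_record(src, dst, sport, dport, proto, octets, pkts, first_ms, last_ms):
    # Pack one constructed flow record in exporter (network) byte order.
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    1, 2, pkts, octets, first_ms, last_ms, sport, dport,
                    0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def parse_netflow_v5(datagram):
    """Decode header and records; reject anything that is not a well-formed v5 export."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version {version})")
    if len(datagram) != HDR.size + count * REC.size:
        raise ValueError("datagram length does not match the record count")
    flows = []
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "pkts": f[5], "octets": f[6], "first": f[7], "last": f[8],
                      "sport": f[9], "dport": f[10], "proto": PROTO.get(f[13], str(f[13]))})
    return flows

def top_talkers(flows, key="src"):
    """Total bytes per source host (or per protocol/destination via key), busiest first."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["octets"]
    return sorted(totals.items(), key=lambda kv: -kv[1])

def over_threshold(flows, mbit_per_s):
    """Flows whose average rate exceeded the limit: the 'more than X bandwidth' report."""
    hits = []
    for f in flows:
        secs = max(f["last"] - f["first"], 1) / 1000.0   # first/last are ms of router uptime
        if f["octets"] * 8 / secs / 1e6 > mbit_per_s:
            hits.append((f["src"], f["sport"], f["dst"], f["dport"], f["proto"]))
    return hits

# Constructed export datagram: one header announcing three records (sample data, not a capture).
SAMPLE = HDR.pack(5, 3, 1_000_000, 1_700_000_000, 0, 42, 0, 0, 0) + b"".join([
    build_record("10.0.0.5", "10.0.1.20", 51234, 443, 6, 120_000_000, 90_000, 1000, 11_000),
    build_record("10.0.0.7", "10.0.1.20", 40000, 443, 6, 5_000_000, 4_000, 1000, 11_000),
    build_record("10.0.0.5", "10.0.0.1", 0, 0, 1, 600, 6, 1000, 2000),
])
```

Running `over_threshold(parse_netflow_v5(SAMPLE), 50)` flags only the first flow, a 96 Mbit/s TCP session from 10.0.0.5, which is exactly the kind of finding an NTA tool surfaces without manual packet inspection.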
Network traffic analysis can’t be easily summarized in one sentence because it’s a broad topic. It can mean very different things. Therefore, picking the right NTA tool is also not so easy, because some of them are specialized for specific use cases. So you need to know exactly what you need from such a tool to pick the right one.
Alternatively, you can try to find a tool that covers as many use cases as possible and does the job well no matter what kind of network traffic you want to analyze. But if you think such a tool would be extremely complicated and heavy, you’d be wrong. Take a look at Netreo Traffic Monitor, which checks almost all boxes for a perfect NTA tool but is also easy to install and requires little configuration. And if you want to learn more about network management, take a look at this blog post.
Dawid Ziolkowski is the author of this post. Dawid has 10 years of experience: first as a Network/System Engineer, then in DevOps, and most recently as a Cloud Native Engineer. He’s worked for an IT outsourcing company, a research institute, a telco, a hosting company, and a consultancy company, so he’s gathered a lot of knowledge from different perspectives. Nowadays he’s helping companies move to the cloud and/or redesign their infrastructure for a more Cloud Native approach.