In this guide, I review the 5 best tools to monitor application network traffic.
As a network administrator there is nothing more frustrating than a slow network and not having the tools to help you troubleshoot the problem. I’ve been in this situation plenty of times and thankfully management let me purchase a traffic analyzer and life has been so much easier.
Benefits of Application Traffic Analysis
A network traffic analyzer is designed to capture or log traffic as it flows across the network. At a glance this helps with the following:
- Identify what applications/protocols are running on the network
- Identify bandwidth hogs down to a user, application or device level
- Monitor client to server network traffic
- Troubleshoot network & application performance issues
List of the best Application Network Traffic Analyzers
NetFlow Analyzer is a flow-based traffic monitoring and reporting tool. It uses flow technologies such as NetFlow, J-Flow, sFlow, AppFlow, IPFIX, and NetStream to provide real-time visibility into network bandwidth and performance. It is a web-based solution that can identify top talkers and monitor interface traffic in real time.
- Provides detailed visibility into your network traffic and bandwidth usage
- Identify traffic patterns and anomalies
- Set real time threshold alerts
- Helps predict and plan future network growth
SolarWinds NTA allows you to collect NetFlow data and convert it into easy-to-read charts and tables. The visual display of data allows you to quickly understand how the corporate network is being used, by whom, and what applications are running.
- Quickly spot bandwidth hogs
- Flow Based Monitoring and Reporting
- Network Traffic Monitoring and Forensics
- Bandwidth Usage by Application
- Integrates with other SolarWinds products to provide a single console for all network management
SolarWinds NTA can be combined with their Network Performance Monitor to provide comprehensive monitoring and analysis solutions. These two products integrate and provide a single console.
Wireshark is a very popular packet analyzer. It is used for network troubleshooting, analysis, and protocol development. Wireshark is a great tool for capturing traffic on a single interface or system, but it is not designed to handle large volumes of traffic continuously. If you need to troubleshoot a single application or system, it is a great choice. If you want to continuously monitor and capture all network traffic, you need a tool such as SolarWinds NTA.
- Deep packet inspection of the most commonly used protocols
- Live capture and offline analysis
- Works on multiple platforms
- Command-line version (tshark) for scripted or headless captures
- Lots of documentation and tutorials
- Filter packet capture to further analyze the data
PRTG is well known for providing various tools for monitoring the network, and its packet sniffing sensor is another useful tool in the collection. It provides features similar to NetFort and SolarWinds NTA and, in addition, supports several different technologies for collecting traffic data: SNMP, NetFlow, WMI, REST APIs, and packet sniffing.
The PRTG packet sniffer only captures the headers of packets traveling across the network. This helps with speed and storage but limits deep packet analysis.
Microsoft Message Analyzer allows you to capture and analyze data from multiple sources. Its network capture features are similar to Wireshark's, but it lacks the same breadth of protocol support. What makes this tool different from Wireshark is its ability to analyze data from other sources such as log files, PowerShell, and more. Note that Microsoft retired Message Analyzer in November 2019 and no longer offers it for download, so it is only an option where you already have it installed.
Another feature is the ability to identify which processes are generating the traffic.
Like Wireshark, this tool is not designed to capture all network traffic at once. It can capture traffic remotely with the proper configuration in place. It is a handy tool for application and network traffic analysis in Windows environments.
10 Key Features of Application Network Traffic Analyzers
Network Analyzers can perform many functions, here are some of the key features you should be familiar with.
1. Network Traffic Analysis Using Packet Captures
A packet capture logs the traffic that passes over the network. Having a tool that can capture packets gives you every detail of what is going across the wire: you can inspect the values of the individual header fields, analyze the payload, and more. Not all analyzer programs capture the full packet, and depending on your needs you may not require it.
I will discuss NetFlow below, but I find packet capturing far superior to NetFlow in terms of network traffic analysis. I find it more accurate and easier to set up, and it allows for full packet inspection.
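As an added illustration (example code written for this guide, not taken from any of the products above), here is a small Python decoder that walks a classic pcap file the way a packet analyzer does: it pulls the Ethernet, IPv4 and TCP/UDP header fields from each record, labels traffic by well-known port, totals bytes per source address, and looks inside SMB payloads to tell SMBv1 from SMB2, which is exactly the kind of check a flow record cannot make. The port table and the sample capture are constructed for the example.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

# Hypothetical port table used to label traffic; a real analyzer adds payload
# signatures on top of this, but port-based application detection starts here.
WELL_KNOWN_PORTS = {22: "SSH", 23: "Telnet", 25: "SMTP", 53: "DNS", 80: "HTTP",
                    389: "LDAP", 443: "TLS", 445: "SMB", 3389: "RDP"}

# --- minimal frame builders, only used to construct the sample capture below ---
def ethernet(payload, ethertype=0x0800):
    return bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ethertype) + payload

def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      ttl, proto, 0, inet_aton(src), inet_aton(dst))  # checksum left at 0
    return hdr + payload

def tcp(sport, dport, payload, flags=0x18):  # PSH|ACK
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in frames:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

# --- decoder: walks the pcap records and pulls out the fields an analyst looks at ---
def decode_frame(frame):
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None  # only IPv4 over Ethernet in this example
    ip = frame[14:]
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", ip)
    l4 = ip[(ver_ihl & 0x0F) * 4:total_len]
    pkt = {"src": inet_ntoa(src), "dst": inet_ntoa(dst), "ttl": ttl, "proto": proto, "payload": b""}
    if proto == 6 and len(l4) >= 20:
        sport, dport, _, _, off, flags = struct.unpack_from("!HHIIBB", l4)
        pkt.update(sport=sport, dport=dport, flags=flags, payload=l4[(off >> 4) * 4:])
    elif proto == 17 and len(l4) >= 8:
        sport, dport = struct.unpack_from("!HH", l4)
        pkt.update(sport=sport, dport=dport, payload=l4[8:])
    return pkt

def decode_pcap(data):
    if struct.unpack_from("<I", data)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl_len, orig_len = struct.unpack_from("<IIII", data, off)
        pkt = decode_frame(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
        if pkt:
            pkt.update(ts=ts, wire_len=orig_len)
            yield pkt

def identify_protocol(pkt):
    for port in (pkt.get("dport"), pkt.get("sport")):
        if port in WELL_KNOWN_PORTS:
            return WELL_KNOWN_PORTS[port]
    return "other"

def smb_dialect(payload):
    # SMB over TCP/445: 4-byte NetBIOS session header, then the SMB header.
    # 0xFF 'S' 'M' 'B' is the SMB1 (CIFS) header; 0xFE 'S' 'M' 'B' is SMB2/3.
    return {b"\xffSMB": "SMB1", b"\xfeSMB": "SMB2"}.get(payload[4:8])

def summarize(data):
    bytes_by_src, protocols, findings = Counter(), Counter(), []
    for pkt in decode_pcap(data):
        bytes_by_src[pkt["src"]] += pkt["wire_len"]
        app = identify_protocol(pkt)
        protocols[app] += 1
        if app == "SMB" and smb_dialect(pkt["payload"]) == "SMB1":
            findings.append(f"SMBv1 header from {pkt['src']} to {pkt['dst']}")
    return {"top_talkers": bytes_by_src.most_common(), "protocols": dict(protocols), "findings": findings}

# Constructed sample capture (not real traffic): an HTTP request and a DNS query from
# 10.0.0.5, an SMB1 Negotiate (command 0x72) from 10.0.0.7 and an SMB2 packet from 10.0.0.9.
SAMPLE_PCAP = pcap([
    (1700000000, ethernet(ipv4("10.0.0.5", "93.184.216.34", 6, tcp(51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")))),
    (1700000001, ethernet(ipv4("10.0.0.5", "10.0.0.1", 17, udp(53001, 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01")))),
    (1700000002, ethernet(ipv4("10.0.0.7", "10.0.0.20", 6, tcp(52000, 445, b"\x00\x00\x00\x20\xffSMB\x72" + bytes(27))))),
    (1700000003, ethernet(ipv4("10.0.0.9", "10.0.0.20", 6, tcp(52001, 445, b"\x00\x00\x00\x40\xfeSMB" + bytes(60))))),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

On the sample capture this reports 10.0.0.5 as the top talker, two SMB packets, one HTTP and one DNS packet, and a single SMBv1 finding for 10.0.0.7. Point `decode_pcap` at the bytes of a real file saved by Wireshark or tcpdump (`-w`) and the same code runs over it, as long as the link type is Ethernet; pcapng files use a different container format and are not handled here.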
2. Monitoring The Flow of Application Traffic With Netflow
NetFlow is a feature that can be enabled on routers and switches to collect IP traffic statistics. NetFlow is not a packet capture; it is essentially a flow log. When traffic crosses an interface on a router or switch, the device records summary information about each flow (source and destination IP, ports, protocol, and packet and byte counts) that can be exported to a NetFlow analyzer. NetFlow works well for basic statistics such as tracking source IP, destination IP, protocols, and bandwidth, but it does not contain packet payloads.
NetFlow was developed by Cisco. If you want to learn more about this technology, I recommend reading the article Introduction to Cisco IOS NetFlow.
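For comparison with a packet capture, here is an added example (written for this guide, not taken from any of the tools reviewed) of what a NetFlow collector actually receives: a parser for the fixed-layout NetFlow v5 export datagram, plus the two aggregations a NetFlow analyzer builds first, top talkers by source address and bytes per application. The port-to-application map and the export datagram are constructed for the example.

```python
import struct
from collections import Counter
from socket import inet_aton, inet_ntoa

V5_HEADER = "!HHIIIIBBH"               # 24 bytes
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"  # 48 bytes per flow record
# Hypothetical port-to-application map; a commercial analyzer ships a far larger one.
APPS = {53: "DNS", 80: "HTTP", 443: "HTTPS", 445: "SMB", 3389: "RDP"}

def build_v5_datagram(records, sys_uptime_ms=600000, unix_secs=1700000000):
    """Builds the export datagram a router would send; used only for the sample data."""
    hdr = struct.pack(V5_HEADER, 5, len(records), sys_uptime_ms, unix_secs, 0, 0, 0, 0, 0)
    body = b"".join(
        struct.pack(V5_RECORD, inet_aton(r["src"]), inet_aton(r["dst"]), inet_aton("0.0.0.0"),
                    1, 2, r["pkts"], r["octets"], r["first"], r["last"],
                    r["sport"], r["dport"], 0, r.get("tcp_flags", 0), r["proto"], 0,
                    0, 0, 24, 24, 0)
        for r in records)
    return hdr + body

def parse_netflow_v5(datagram):
    """Returns one dict per flow record in a NetFlow v5 export datagram."""
    version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling = struct.unpack_from(V5_HEADER, datagram)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version {version})")
    flows = []
    for i in range(count):
        f = struct.unpack_from(V5_RECORD, datagram, 24 + 48 * i)
        flows.append({
            "src": inet_ntoa(f[0]), "dst": inet_ntoa(f[1]),
            "in_if": f[3], "out_if": f[4], "pkts": f[5], "octets": f[6],
            "duration_ms": f[8] - f[7],          # last - first, in router uptime ms
            "sport": f[9], "dport": f[10], "tcp_flags": f[12], "proto": f[13],
            "export_time": secs,
            "sampling_interval": sampling & 0x3FFF,  # low 14 bits; scale counts when non-zero
        })
    return flows

def application(flow):
    for port in (flow["dport"], flow["sport"]):
        if port in APPS:
            return APPS[port]
    l4 = {6: "tcp", 17: "udp"}.get(flow["proto"], "ip")
    return f"{l4}/{flow['dport']}"

def bytes_by_source(flows):
    """Top talkers: octets sent per source address, largest first."""
    c = Counter()
    for f in flows:
        c[f["src"]] += f["octets"]
    return c.most_common()

def bytes_by_application(flows):
    c = Counter()
    for f in flows:
        c[application(f)] += f["octets"]
    return dict(c)

def flow_bps(flow):
    """Average throughput of one flow in bits per second; a one-packet flow has zero duration."""
    return 0.0 if flow["duration_ms"] == 0 else flow["octets"] * 8 * 1000 / flow["duration_ms"]

# Constructed sample export (not real traffic): an internal file copy over SMB, a web
# download seen in both directions, and a DNS lookup.
SAMPLE_DATAGRAM = build_v5_datagram([
    {"src": "10.0.0.5", "dst": "10.0.0.20", "proto": 6, "sport": 51000, "dport": 445,
     "pkts": 5000, "octets": 7_000_000, "first": 540000, "last": 560000, "tcp_flags": 0x18},
    {"src": "10.0.0.7", "dst": "93.184.216.34", "proto": 6, "sport": 52000, "dport": 443,
     "pkts": 900, "octets": 120_000, "first": 550000, "last": 590000, "tcp_flags": 0x18},
    {"src": "93.184.216.34", "dst": "10.0.0.7", "proto": 6, "sport": 443, "dport": 52000,
     "pkts": 2000, "octets": 2_600_000, "first": 550000, "last": 590000, "tcp_flags": 0x18},
    {"src": "10.0.0.9", "dst": "10.0.0.1", "proto": 17, "sport": 53001, "dport": 53,
     "pkts": 2, "octets": 210, "first": 599000, "last": 599000},
])

if __name__ == "__main__":
    flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(bytes_by_source(flows)[:3])
    print(bytes_by_application(flows))
    print(f"{flow_bps(flows[0]) / 1e6:.1f} Mbps for the SMB copy")
```

Real exporters send these datagrams over UDP, commonly to port 2055, so a collector wraps `parse_netflow_v5` in a receive loop. Two caveats a practitioner should keep in mind: NetFlow v9 and IPFIX are template-based, so this fixed 48-byte record layout does not apply to them, and if the exporter samples packets the octet counts must be multiplied by the sampling interval before they mean anything.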
3. Detect Applications and Protocols in Use
To really know what’s going on in your network you need a tool that can identify applications and protocols in use. HTTP, SMB, RDP, SSL, DNS, SMTP, and LDAP are just a few of the protocols that can be detected by a network analyzer.
Here is a screenshot of Netfort detecting applications in use by the user. You can also see how much network traffic each protocol/user has generated.
4. Track Bandwidth Usage to Find Bandwidth Hogs
This is often the main reason to invest in a network analyzer: to find those bandwidth hogs. Most network monitoring programs will show you real-time network usage but provide no details on what or who is consuming the bandwidth. It is frustrating to see your internet utilization at 99% with no clue what is consuming it all. A network analyzer should help pinpoint those bandwidth hogs. At the very least you should be able to find top bandwidth usage by IP address, user, device, and protocol.
5. Track User Network Activity
You want to integrate Active Directory users with your analyzer tool. This helps with troubleshooting and network forensics. Need to know who is streaming YouTube videos? Need to know who is using an insecure protocol like Telnet? With Active Directory integration you can run those types of reports. Below I did a search for the top users who accessed YouTube.
7. Create Custom Reports
Most tools come with pre-built dashboards and reports. That is great, but every network is different and you need the ability to create highly customized reports. In medium to large networks, capturing all traffic for analysis can be overwhelming. I like to narrow traffic down at times to a single subnet, protocol, location, user, website, IP address, and so on. This really makes troubleshooting easier.
8. Top Talkers (Internal & External)
Being able to quickly spot top talkers on the network is a must have feature. When bandwidth utilization is high or application performance is slow this feature comes in very handy. You should be able to track top talkers by application, IP address, websites, and host name.
9. Baseline Network Traffic
This can be difficult to do on a busy network, but a good analyzer should make it easier. You can baseline traffic on a single system with Wireshark, but to baseline all traffic you need a tool like NetFort or SolarWinds NTA. Over time you should have an idea of what normal bandwidth looks like, which applications and protocols are in use, and which hosts are the top talkers on your network.
10. Network Forensics & Security Monitoring
Advanced security threats are difficult to detect. Monitoring and capturing the flow of traffic across the network is one of the best ways to identify them. Common use cases include:
- Identify ransomware activity on the network
- Detect insecure protocols such as SMBv1 or Telnet
- Monitor unusual outgoing traffic
- Spot users or devices downloading large volumes of data
- Track devices by MAC address
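Here is an added example, written for this guide rather than taken from any product, of how a collector can turn already-parsed flow records into the baseline and the security checks listed above: the median daily outbound bytes per host from a few days of history, then flags for insecure protocols by destination port, hosts sending far more than their baseline, hosts with no baseline at all, and large inbound transfers from outside. The thresholds, port list, RFC 1918 definition of "internal" and the flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Hypothetical policy values: tune them to your own network.
INSECURE_PORTS = {21: "FTP", 23: "Telnet", 69: "TFTP", 512: "rexec", 513: "rlogin"}
EXFIL_MULTIPLIER = 5                   # outbound bytes above 5x a host's normal day
LARGE_DOWNLOAD_BYTES = 1_000_000_000   # 1 GB pulled in by one host from outside
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """Internal means RFC 1918 here; adjust to your address plan."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def daily_outbound(flows):
    """Bytes each internal host sent to the internet in one day's worth of flows."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[f["src"]] += f["octets"]
    return dict(totals)

def build_baseline(days):
    """Per-host median daily outbound bytes over several days of flow history."""
    per_host = defaultdict(list)
    for day in days:
        for host, octets in daily_outbound(day).items():
            per_host[host].append(octets)
    return {host: median(values) for host, values in per_host.items()}

def detect(flows, baseline):
    """Returns (category, host, detail) tuples for one day's flows against the baseline."""
    findings = []
    inbound = defaultdict(int)
    for f in flows:
        service = INSECURE_PORTS.get(f["dport"])
        if service:
            findings.append(("insecure-protocol", f["src"], f"{service} to {f['dst']}:{f['dport']}"))
        if not is_internal(f["src"]) and is_internal(f["dst"]):
            inbound[f["dst"]] += f["octets"]
    for host, octets in daily_outbound(flows).items():
        normal = baseline.get(host)
        if normal is None:
            findings.append(("new-outbound-host", host, f"{octets} bytes, no baseline"))
        elif octets > EXFIL_MULTIPLIER * normal:
            findings.append(("unusual-outbound", host, f"{octets} bytes vs median {int(normal)}"))
    for host, octets in inbound.items():
        if octets > LARGE_DOWNLOAD_BYTES:
            findings.append(("large-download", host, f"{octets} bytes from external hosts"))
    return sorted(findings)

# Constructed flow records, as a collector would store them after parsing an export:
# three quiet days of history, then one day with something to find. Not real traffic.
def flow(src, dst, dport, octets):
    return {"src": src, "dst": dst, "dport": dport, "octets": octets}

HISTORY = [
    [flow("10.0.0.5", "93.184.216.34", 443, 40_000_000), flow("10.0.0.7", "93.184.216.34", 443, 20_000_000)],
    [flow("10.0.0.5", "93.184.216.34", 443, 50_000_000), flow("10.0.0.7", "93.184.216.34", 443, 25_000_000)],
    [flow("10.0.0.5", "93.184.216.34", 443, 45_000_000), flow("10.0.0.7", "93.184.216.34", 443, 22_000_000)],
]
TODAY = [
    flow("10.0.0.5", "93.184.216.34", 443, 48_000_000),       # normal for this host
    flow("10.0.0.7", "203.0.113.10", 443, 400_000_000),        # about 18x this host's median
    flow("10.0.0.9", "10.0.0.40", 23, 2_500),                  # Telnet inside the LAN
    flow("10.0.0.12", "203.0.113.10", 443, 3_000_000),         # host never seen in the baseline
    flow("203.0.113.10", "10.0.0.12", 52000, 1_500_000_000),   # 1.5 GB pulled in from outside
]

if __name__ == "__main__":
    for finding in detect(TODAY, build_baseline(HISTORY)):
        print(*finding)
```

The baseline is deliberately a median rather than a mean so that one unusual day in the history does not drag the threshold up. A flow-based check like this sees ports and byte counts only; telling SMBv1 from SMB2 on port 445, for instance, needs the packet payload, which is why the packet-capture section above matters for the insecure-protocol use case.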
Application Network Traffic Analyzer vs Network Monitoring Tool
Most premium network monitoring tools also provide traffic analysis features. This can be a little confusing, because there is a big difference between the two:
- Network monitoring tools monitor bandwidth, availability, and uptime, and track the resources of network equipment.
- Network traffic analyzer tools analyze the traffic going through the equipment to identify what type of traffic is in use and who is generating it.
It’s pretty common for an enterprise solution to include both of these features but there are many that do not.
Let me walk through an example to help explain the difference.
Matt manages a network of 50 switches and 5 routers. He is using SolarWinds NPM to track the resources on his network equipment.
He noticed in the dashboard that an interface had really high utilization.
This was from a switch in one of the campus buildings. The users start calling helpdesk and complaining that email and the internet are slow.
Matt knows it’s due to high bandwidth utilization but he can’t tell what is consuming all of the bandwidth.
With a tool such as SolarWinds NetFlow Traffic Analyzer (NTA), you can click on an interface and quickly see the top bandwidth users.
You can then see what applications and protocols they are using.
So the network monitoring tool monitors the resources on your network equipment and the traffic analyzer monitors the traffic going through the devices.
As someone who has managed a large network, it can be very frustrating to see high bandwidth usage on your router but have no visibility into what is causing it.
What protocols are used by Application Traffic Analysis Tools?
There are several technologies used by traffic analyzers to monitor network traffic. Over the years various vendors have created their own flow protocols to work with their equipment, which is why analyzer tools support several flow technologies.
List of flow technologies:
- NetFlow – developed by Cisco to collect IP traffic statistics; v5 uses a fixed record format, while v9 is template-based
- sFlow – an industry-standard technology that exports sampled packets and interface counters from a device
- J-Flow – Juniper Networks' flow export technology
- IPFIX – the IETF standard (RFC 7011), derived from NetFlow v9, created to standardize flow export across vendors
- NetStream – Huawei's flow export technology
When evaluating a traffic analysis tool, make sure it supports the flow technology and version (for example NetFlow v5, v9, or IPFIX) used by your equipment, and whether it handles sampled flows correctly.
If you’re looking for an application and network traffic analyzer you can’t go wrong with any on this list. Wireshark and the Microsoft Message Analyzer work well in small networks and specific use cases. Netfort, SolarWinds, and Paessler can all be used for small to large environments.
Personally, I use multiple traffic analyzers. I use Netfort for continuous monitoring and Wireshark for specific issues.
To find what best fits your needs I suggest you download and try them out for yourself.
If you have a suggestion leave a comment below.