Recently, we’ve encountered users with high monitoring requirements. Some users need to monitor 1,000 routers and want to know who the top talkers or top protocols are. Others have a network with 200 branches, each with a NetFlow-enabled router. They need to know from a central location who the top bandwidth users and ports are on selected branches.
Essentially, these users don’t need fine-grained network traffic monitoring. They just need a rough idea of who the top network users are (IPs and ports). Often, the users who ask us these questions are familiar with SNMP bytes/packets charts and need some insight into the traffic, especially when a peak occurs. In essence, they want to complement SNMP-based analysis with a limited amount of context about the monitored traffic.
However, collecting traffic flows, storing them in a database, and analyzing them is challenging (or expensive) because the number of monitored devices is often large. This is because in flow-based analysis, the number of flows is influenced by both the traffic rate (more traffic does not always mean more flows) and the traffic distribution (the number of distinct 5-tuples found in your traffic patterns). This means that a small router can emit a large number of flows per second (from hundreds to thousands) depending on traffic conditions, putting a lot of pressure on the monitoring, collection, and flow storage infrastructure just to compute top talkers.
To position these requirements, it’s essential to clarify their purposes, capabilities, and use cases.
1. ntop Toolkit (ntopng and nProbe)
- Purpose: Deep network traffic analysis, real-time monitoring, and security insights.
- Strengths:
  - Flow Analysis: Supports sFlow, NetFlow, IPFIX, and deep packet inspection (DPI).
  - Security: Detects anomalies, DDoS attacks, malware traffic, and suspicious behavior.
  - Granularity: Per-protocol, per-IP, per-application visibility.
  - Scalability: Handles large enterprise networks efficiently.
  - Open-Source & Pro Versions: Flexible deployment options.
- Limitations:
  - Requires storage and processing power to analyze network traffic.
- Best For: IT security teams, ISPs, and enterprises needing detailed traffic insights.
2. SNMP+ Toolkits
- Purpose: Basic flow-based bandwidth monitoring (NetFlow, sFlow, IPFIX).
- Strengths:
  - Ease of Use: Simple GUI, quick setup.
  - Integration: Works with a basic monitoring suite (SNMP, Ping, etc.), as it can show limited context at every polling cycle (e.g., top X every 5 minutes).
  - Alerts: Basic threshold-based notifications.
- Limitations:
  - Lacks deep packet inspection (DPI).
  - Limited security analysis compared to ntopng.
  - Reduced visibility (only top-X analysis).
- Best For: Small to medium businesses needing very basic traffic visibility.
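The two points above, that flow count follows the number of distinct 5-tuples rather than the byte rate, and that a "top X every 5 minutes" view keeps only a coarse summary per polling cycle, can be shown with a small reduction over flow records. This is an added example written for this post, not ntopng or nProbe code; the flow records are constructed sample data, and the field layout and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample of exported flow records (values are made up):
# (start_seconds, src_ip, dst_ip, proto, src_port, dst_port, bytes)
FLOWS = [
    (0,   "10.0.0.5", "93.184.216.34", 6,  51000, 443, 1_200_000),
    (30,  "10.0.0.5", "93.184.216.34", 6,  51001, 443,   800_000),
    (60,  "10.0.0.7", "10.0.0.53",     17, 40001,  53,       120),
    (61,  "10.0.0.7", "10.0.0.53",     17, 40002,  53,       118),
    (62,  "10.0.0.7", "10.0.0.53",     17, 40003,  53,       121),
    (90,  "10.0.0.9", "198.51.100.2",  6,  52000,  22,    45_000),
    (310, "10.0.0.5", "93.184.216.34", 6,  51002, 443, 2_000_000),
    (320, "10.0.0.7", "10.0.0.53",     17, 40004,  53,       119),
]

INTERVAL = 300  # seconds: one 5-minute polling cycle, as in SNMP charts

def bucket_flows(flows, interval=INTERVAL):
    """Group flow records by the polling interval they started in."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f[0] // interval].append(f)
    return buckets

def interval_summary(flows, top_n=3):
    """Reduce one interval to totals, distinct 5-tuple count, top talkers
    (bytes per source IP) and top server ports. No per-flow data is kept."""
    tuples = {(f[1], f[2], f[3], f[4], f[5]) for f in flows}
    by_ip, by_port = Counter(), Counter()
    for _, src, _dst, proto, _sport, dport, nbytes in flows:
        by_ip[src] += nbytes
        by_port[(proto, dport)] += nbytes
    return {
        "bytes": sum(f[6] for f in flows),
        "flows": len(tuples),          # driven by distinct 5-tuples, not bytes
        "top_talkers": by_ip.most_common(top_n),
        "top_ports": by_port.most_common(top_n),
    }

def top_x_per_interval(flows, top_n=3):
    """Return {interval_index: summary} for every polling interval seen."""
    return {k: interval_summary(v, top_n)
            for k, v in sorted(bucket_flows(flows).items())}

if __name__ == "__main__":
    for k, s in top_x_per_interval(FLOWS).items():
        print(f"interval {k}: {s['flows']} flows, {s['bytes']} bytes, "
              f"talkers {s['top_talkers']}, ports {s['top_ports']}")
```

In the first interval the DNS client 10.0.0.7 accounts for half of the flows but only a few hundred bytes, which is why a collector sized by byte rate alone is easily overrun.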
Comparison Table
Feature | ntop Toolkit | SNMP+ |
---|---|---|
Traffic Analysis | Deep (DPI, flows, L7) | Basic (NetFlow/sFlow) Top Talkers/Protocols |
Network Metrics | Delay, QoE, Retransmissions, etc. | None |
Security Focus | High (IDS-like) | Low (Basic alerts) |
Scalability | Enterprise-grade | Small Business Friendly |
Encrypted Traffic Analysis | Yes via nDPI | None |
Use Case | Security, ISPs, large networks | Basic bandwidth monitoring |
Conclusion
Our network observability tools have been designed to provide you with rich monitoring capabilities built on an open-source foundation. These tools are efficient on small devices and scale up to enterprise networks. We believe in providing you with the best network observability platform, but we also acknowledge that for some users, the extensive features of our tools might be overwhelming if their primary need is simply bandwidth monitoring. Therefore, we are considering creating a “reduced” version of our tools that can answer basic monitoring needs with limited resources.
We would love to hear your thoughts on this idea. Please let us know if you think it’s a good idea!