Network Security Management Software
  • ManageEngine Network Defender Plus
Network Defender Plus is a free security management tool powered by NetFlow Analyzer. NetFlow Analyzer is flow-based bandwidth monitoring software that includes all the features provided by NDP. If you wish to use the full-fledged features, download NetFlow Analyzer.

What is Network Defender Plus?

Several businesses fall victim to hackers in spite of deploying firewalls and intrusion detection systems (IDS). This is because both of these systems read packet headers and do signature matching, and are oblivious to advanced security attacks such as DDoS and zero-day attacks. Today, businesses need advanced security analysis and protection measures that help them safeguard their network and data centers against such sophisticated attacks.

Network Defender Plus is flow-based network behavior anomaly detection (NBAD) software that analyzes the packet flows to detect malicious traffic hitting the network. The flow technologies supported by NDP are Cisco NetFlow version 5, version 7 & version 9 exports, sFlow, cFlow, J-Flow, IPFIX and NetStream. This exported flow data is collected & analyzed to identify intrusions or attacks by applying advanced rules and patterns on the malicious traffic.

Network Defender Plus helps you:

  • Monitor network security in real-time
  • Monitor internal and external threats
  • Classify threats into Bad Src-Dst, DDoS, Scan/Probe, and Suspect Flows problem classes
  • Find anonymous traffic hitting your network
  • Carry out detailed forensic investigation
  • Send alert notification via Email or SMS


How It Works
Step 1
Download and install the Network Defender Plus EXE file on a dedicated server.
Step 2
Enable flow export on all interfaces, following the configuration steps for the supported flow technologies listed above.
Step 3
Connect to the web client to view the dashboard and graphs.



Entire security snapshot of your network

Identify advanced attacks in real-time

Network Defender Plus continuously analyzes the packet flow using its Continuous Stream Mining Engine to find malicious traffic hitting your network. It performs pattern matching to find attacks and classifies them under the appropriate problem classes, namely DDoS, Bad Src-Dst, Scan/Probes, and Suspect Flows.

View event details in-depth & carry out forensics

The event details view gives a thorough description of the problem. The details include problem name, offender IPs, target IPs, unique connections, port, protocol and much more. Clicking on the router name gives details with the mapped destination-source IP and the application, port, protocol, etc. Dials provide information on Source & Destination Occupancy as well as Span, to trace patterns based on how endpoints are distributed (dense) and the nature of the scan (host/port).


At-a-glance view on all events

The Event List dashboard gives a list of all the events along with details such as problem name, offenders, target, hits, severity, and time of the attack. From this view, you can ignore certain events by specifying criteria. You can also discard trusted flows as harmless; they will then not be taken into account.

Filter events and generate Reports

Generate reports for a specific time period, as required, to view suspicious flows. Set criteria to view the path of a flow and trace the exact location of the fault. Advanced reports save time by making the generated data easy to analyze.


Send alert notification via Email or SMS

Configure alert profiles to create email and SMS notifications for attacks. Add an alert configuration from the settings to generate alerts for events that satisfy the defined criteria, notifying users about attacks in real time. You can then take suitable action against the attack and save your datacenter from an outage.

Problem Class



DDoS

DDoS is an attack that disrupts the services delivered by an enterprise by flooding it with junk traffic from multiple sources simultaneously. The most common method of this attack involves sending multiple communication requests to the router (target device) so that it fails to respond to legitimate requests. Network Defender Plus identifies such junk traffic hitting the network from unwanted sources and raises it as a DDoS event.

Bad Src-Dst

Some attacks are caused by bad source or destination IP addresses. Some examples of Bad Src-Dst are an invalid source or destination IP, excess multicast flows for a source IP, excess broadcast traffic sent to a destination IP, and much more. Network Defender Plus keeps tabs on all such malicious activities happening at the source and destination IPs and pinpoints such problems for immediate action.


Suspect Flows

In a flow, if any field other than source and destination looks suspicious, the flow is called a suspect flow. In this attack, either the packet size is abnormal (below the legitimate size of IP or TCP packets) or the wrong priority is set. Malformed IP and TCP packets and invalid ToS flows are some examples of suspect flows. Malformed IP and TCP packets do not have the legitimate packet size (IP - 20 bytes and TCP - 40 bytes). Invalid ToS flows have invalid ToS values (other than 0-255). Network Defender Plus identifies such suspicious flows and raises an event.
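The following is an added example, not ManageEngine's code or detection logic: a minimal NetFlow v5 parser that applies the Bad Src-Dst and Suspect Flows checks described above to a constructed export datagram. The specific Bad Src-Dst conditions (multicast, loopback, unspecified or self-addressed source) and the use of octets divided by packets as the packet size are assumptions; the 20- and 40-byte floors come from the text.

```python
import ipaddress
import struct

# NetFlow v5 wire layout: 24-byte header, then 48-byte flow records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
MIN_IP, MIN_TCP = 20, 40  # size floors quoted in the text above

def parse_v5(datagram):
    """Return one dict per flow record in a NetFlow v5 export datagram."""
    if len(datagram) < HEADER.size:
        raise ValueError("truncated NetFlow header")
    version, count = HEADER.unpack_from(datagram)[:2]
    if version != 5 or len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": ipaddress.IPv4Address(f[0]), "dst": ipaddress.IPv4Address(f[1]),
                      "packets": f[5], "octets": f[6], "proto": f[13]})
    return flows

def classify(flow):
    """Return the problem classes a flow matches (assumed rules, see lead-in)."""
    classes = set()
    src = flow["src"]
    # Bad Src-Dst (assumed conditions): a source that cannot be a real sender.
    if src.is_multicast or src.is_loopback or src.is_unspecified or src == flow["dst"]:
        classes.add("Bad Src-Dst")
    # Suspect Flows: average bytes per packet below the minimum header size.
    if flow["packets"]:
        floor = MIN_TCP if flow["proto"] == 6 else MIN_IP
        if flow["octets"] / flow["packets"] < floor:
            classes.add("Suspect Flows")
    return classes

def build_sample():
    """Constructed datagram: normal flow, undersized TCP flow, multicast source."""
    def rec(src, dst, pkts, octets, proto):
        return RECORD.pack(ipaddress.IPv4Address(src).packed,
                           ipaddress.IPv4Address(dst).packed, b"\0" * 4, 1, 2,
                           pkts, octets, 0, 0, 40000, 443, 0, 0, proto, 0, 0, 0, 24, 24, 0)
    recs = [rec("192.0.2.10", "198.51.100.5", 10, 5200, 6),
            rec("192.0.2.11", "198.51.100.5", 50, 1500, 6),  # 30 bytes/packet
            rec("224.0.0.9", "198.51.100.5", 4, 400, 17)]
    return HEADER.pack(5, len(recs), 0, 0, 0, 0, 0, 0, 0) + b"".join(recs)

for flow in parse_v5(build_sample()):
    print(flow["src"], "->", flow["dst"], sorted(classify(flow)) or "clean")
```

NetFlow v5 carries ToS as a single byte, so a parsed value is always within 0-255 and an out-of-range ToS check cannot fire at this layer.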


Scan/Probe

A scan or probe is a technique attackers use to scan a network and identify vulnerable systems so that they can get into the network and cause major problems. Attackers scan the network for systems running remote desktop services, open ports, network mapping, etc. They carry out such actions by sending ICMP sweeps, executing DNS commands, spoofing IP addresses, and many more techniques. Network Defender Plus detects such scanning and probing activities and brings them to the notice of admins in real time.

