A network packet analyzer breaks down network traffic by IP address, protocol, and connection pair. That gives you a ranked view of who's using bandwidth and how. Two methods cover most environments: header-based packet sniffing, which reads packet headers from a local adapter directly, and flow-based collection, which receives traffic records pushed by routers and switches. Both produce Toplists, trend graphs, and historical records you can pull up whenever you need them. Header-level analysis only, not payload. This is network protocol analysis at the header level, not deep packet inspection or forensic capture.
Paessler PRTG supports both methods in one platform. Supported flow protocols: NetFlow v5/v9, IPFIX, sFlow v5, and jFlow. Packet Sniffer traffic categories include TCP, UDP, ICMP, DHCP, DNS, SNMP, FTP/P2P, SMTP, IMAP, POP3, RDP, SSH, Telnet, VNC, and Citrix-related traffic (port-based classification).
When users report slow response times, the total utilization graph tells you something is happening, but not where. Tracking down network issues manually, device by device, takes time that's usually not there when tickets are already open.
PRTG collects granular traffic breakdowns continuously, so the data exists when you need it. Top Talkers, Top Connections, and Top Protocols rank network traffic in one place: by IP, by connection pair, by protocol. That's typically enough to pinpoint where a bottleneck is coming from without the manual legwork.
PRTG sensors run continuously. That's the practical foundation for everything else in this section: when an intermittent issue surfaces, the traffic data from before the incident already exists. Nobody had to start a capture session first.
Intermittent performance issues are hard to chase precisely because the spike is usually gone by the time someone files a ticket. PRTG stores traffic data and Toplists over time within your configured retention window, so you can go back and see which IPs and protocols were active, with timestamps. The investigation starts from real data, not from memory.

Live graphs, real-time performance data

Network switches monitored across vendors

Ping response and packet loss
A backup job, a misconfigured device, and unauthorized traffic can look identical in an aggregate graph. Total utilization goes up; that's all the number tells you. The breakdown is what you need to act on it.
With PRTG’s traffic sensors (Packet Sniffer and Flow), you can continuously break down traffic by IPs, protocols, and - depending on the sensor and channel definitions - ports. When something appears in the Toplists that doesn't belong, an unfamiliar IP or a protocol that shouldn't be active on that segment, it's visible. Your team defines the alert thresholds; PRTG sends a notification when they're crossed. Also worth noting: the Toplists surface unexpected activity even below alerting thresholds, which is useful during routine traffic checks.
Traffic breakdown by IP, port, and protocol, always visible
Threshold alerts on traffic volume configured by your team
Unexpected endpoints and protocol activity visible in Toplists
Header-level protocol classification across predefined traffic categories
Start monitoring your infrastructure in minutes. No professional services, no complex configuration, no risk.
Most teams run traffic analysis in one tool and infrastructure monitoring in another. That works until something breaks and you need to know whether the problem is the network, the device, or a combination. Troubleshooting under pressure while cross-referencing two systems takes longer than it should.
PRTG puts packet sniffing, flow-based traffic sensors, SNMP device monitoring, server health checks, and availability sensors together. One dashboard, one alert system, one database. When bandwidth spikes, you can check whether the affected device is also showing stress without switching tools. The metrics sit side by side.

Full device list, instant overview

Scheduled reports, always on time

Your entire network, visualized instantly
PRTG uses two methods for network monitoring and packet analysis: header-based packet sniffing and flow protocol collection. Each has specific requirements and trade-offs worth understanding before you decide which fits your environment.
FEATURE | Ad-hoc capture Ad-hoc capture | With PRTG With PRTG |
|---|---|---|
Investigating past incidents | Ad-hoc capture No capture = no data (and someone had to remember to start one) | With PRTG Historical Toplists and traffic graphs within your retention window |
Finding bandwidth hogs | Ad-hoc capture Manual filter and analysis every time. Not practical for daily visibility. | With PRTG Top Talkers by IP, immediately visible |
Infrastructure correlation | Ad-hoc capture Separate from device/server monitoring | With PRTG Same platform as SNMP, server, and availability data |
Ongoing visibility | Ad-hoc capture Requires someone to start a capture | With PRTG Runs unattended, 24/7 |
Choose the PRTG Network Monitor subscription that's best for you.
| License Name | License description | Price | License Details | Get started | Pricing Details | |
|---|---|---|---|---|---|---|
| PRTG 500 | $200 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 50 devices | ||
| PRTG 1000 | $358 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 100 devices | ||
| PRTG 2500 | $742 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 250 devices | ||
| PRTG 5000 | $1,300 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 500 devices | ||
| PRTG 10000 | $1,642 | per month paid annually | Buy nowBuy now | Enough to monitor multiple aspects of 1000 devices |
The core difference is where the data comes from. A packet sniffer reads headers from packets physically crossing a local network adapter, so it only sees what passes that adapter. Flow monitoring works the other way: the network device itself generates flow records for all traffic it handles and pushes them to PRTG. That means flow coverage isn't limited by what the probe can see.
PRTG supports both. Which one makes sense depends on your hardware. Packet sniffing is the right choice when devices don't support flow protocols. Flow is generally the better fit for broader coverage, and if your routers and switches already export NetFlow, IPFIX, sFlow, or jFlow, that's usually the easier path anyway.
No. The packet sniffer reads headers only. Payload content isn't inspected, and protocol classification is port-based, so PRTG identifies traffic by port number, not by what's inside the packet. HTTP on port 80 or 443 is classified correctly. HTTP on a non-standard port won't be classified as HTTP.
If your use case requires full payload inspection or pcap-level analysis, Wireshark or a dedicated DPI tool is the right choice. PRTG is built for continuous traffic visibility and network performance monitoring.
In a switched network: yes. Switches only forward traffic to the addressed port, so the PRTG probe only sees its own traffic unless you configure a monitoring port (SPAN/port mirroring) on the switch, which mirrors traffic to the probe's port. The alternative is to position the PRTG probe as the network gateway so all traffic passes through it. Being on the same subnet isn't sufficient in a switched environment.
If SPAN isn't practical, flow-based monitoring is the workable alternative. NetFlow, IPFIX, sFlow, and jFlow don't require SPAN because the device pushes flow data directly to PRTG.
Wireshark captures and decodes individual packets. That's what it's for: protocol-level debugging, inspecting a specific packet exchange, tracing handshake failures. PRTG doesn't do that, and it's not trying to.
What PRTG does is run continuously in the background, collecting traffic data 24/7, building Toplists, storing trend graphs, firing notifications when thresholds are crossed. Nobody has to start a session. For always-on bandwidth visibility and historical records across your network, that's the tool. For decoding a specific exchange or inspecting payload, use Wireshark. They don't really compete for the same use case, which is probably worth knowing before choosing one over the other.
Yes, with threshold configuration. PRTG doesn't detect anomalies automatically. It sends a notification when a value crosses a threshold your team has set. For unexpected traffic sources, you'd configure an alert on the relevant channel: a total bandwidth threshold, a custom channel for a specific port range, or a protocol category. When traffic crosses that threshold, PRTG sends the notification.
Also useful: the Toplists surface unexpected endpoints and protocol activity visually, even below alerting thresholds. Teams doing regular traffic checks often catch things there first.
Historic sensor data (graphs and channel values) is stored in PRTG's internal database with a default retention of 365 days, configurable up to 9,999 days. Older intervals are progressively averaged over time to keep storage manageable.
Toplist records are stored separately and follow their own retention setting. The default is 30 days for both Flow and Packet Sniffer sensors, configurable in PRTG's system settings. Unlike sensor data, Toplist records aren't averaged. They're kept for the full retention period and then removed. One thing to be aware of in high-traffic environments: Toplist data is also pruned automatically when the database reaches 2 GB, which may happen before the configured retention period is up. For long-term archiving or deeper historical analysis, exporting to an external system is the recommended approach.
Network Monitoring Software – Version 26.1.116.1532 (February 9th, 2026)
Download for Windows and cloud-based version PRTG Hosted Monitor available
English, German, Spanish, French, Portuguese, Dutch, Russian, Japanese, and Simplified Chinese
Network devices, bandwidth, servers, applications, virtual environments, remote systems, IoT, and more
Choose the PRTG Network Monitor subscription that's best for you