What are your daily duties as the network administrator? You have to keep your network up and running. You have to answer calls about situations like “X location is down” or “Y location is slow”. To handle these tasks you should monitor your network at the levels described below.
- You should monitor your network and take action on situations like device and link failures.
- You should analyze bandwidth utilization and errors on data lines so that you are sure about network performance.
- You should be aware of who talks with whom, and how much bandwidth every single application needs.
- In addition, sometimes you need to see the exact data flowing over the network.
If you have all this information ready, people will think twice before they point fingers at you. How can you achieve this?
We need a layered approach to understand network monitoring. I am not talking about network layers, but network monitoring layers. We have to look closely at these monitoring layers before deciding what network monitoring software we need. A simple summary could look like this:
- Preconditions of network monitoring
- Up/Down monitoring
- Performance Monitoring / SNMP monitoring
- Who talks with whom? / Netflow monitoring
- Data capture / Data sniffing
Preconditions of Network Monitoring
Network documentation is essential to monitor a network. Trying to set up network monitoring tools before going through the documentation would be a complete waste of time. You will see everything green on the screen, but this may be because one of the redundant lines is down. You will sit staring without knowing what is happening. Always remember: the documentation comes first and everything else follows.
Suggested monitoring tools: PowerPoint/Visio, NetViz
Up/Down monitoring
You have a map on which you can see some lights glowing red and green. Green means up and red means down. It is simple yet powerful. You will immediately know that there is a problem if a light glows red.
This is based on ping. Almost every IP device supports echo/echo reply. Therefore, you can monitor all IP devices in your network by using ping. You can go one step further by monitoring a single application on a device instead of the whole device. All network applications use TCP/UDP ports. You can monitor an application by trying to connect to its TCP/UDP port with Telnet. An open port suggests that the application is running.
Suggested monitoring tools: WhatsupGold, nmap
Performance monitoring / SNMP monitoring
The lines are up, the devices are up, but life is not perfect. People complain about the performance of the data lines. Are they saturated? Do we have packet loss on the lines? Are routers running out of memory? We need SNMP to monitor the heartbeat of the network.
Suggested monitoring tools: MRTG, Solarwinds Orion, PRTG
Who talks with whom? / Netflow monitoring
You have realized that the line is full. Some user or some application is increasing the traffic load enormously. Who are they? Is it necessary traffic? On Cisco devices, the “ip accounting” command gives an idea of the current traffic sources and destinations. Nevertheless, to analyze and optimize the traffic we need flow monitoring. We need to know the source and destination IP addresses, the TCP/UDP ports and the number of packets/bytes.
Everyone blames the network speed until you publish the network usage report that clearly shows only 15% of the traffic is ERP traffic and the rest comes from Internet access.
Keep in mind that flow-monitoring tools require more server resources, since they collect an enormous amount of data.
Suggested monitoring tools: Fluke Netflow monitor, Paessler
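To show what a flow collector actually works with, here is an added example (not from the original post or any of the tools named above) that parses a constructed NetFlow v5 export, lists who talks with whom by bytes, and computes the kind of “ERP share” figure the usage report above relies on. The ERP server address and the three flows are constructed sample data.

```python
import socket
import struct
from collections import defaultdict
# NetFlow v5 wire layout (big-endian): 24-byte header followed by 48-byte flow records.
HEADER = struct.Struct(">HHIIIIBBH")
RECORD = struct.Struct(">4s4s4sHHIIIIHHBBBBHHBBH")
ERP_SERVERS = {"10.0.0.5"}  # constructed: address of the in-house ERP server

def parse_netflow_v5(datagram):
    """Return (src_ip, dst_ip, proto, src_port, dst_port, packets, octets) per flow record."""
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    for i in range(count):
        f = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        # f[0]=srcaddr f[1]=dstaddr f[5]=dPkts f[6]=dOctets f[9]=srcport f[10]=dstport f[13]=prot
        flows.append((socket.inet_ntoa(f[0]), socket.inet_ntoa(f[1]), f[13], f[9], f[10], f[5], f[6]))
    return flows

def usage_report(flows):
    """Rank conversations by bytes and compute the share of traffic that touches the ERP server."""
    conversations = defaultdict(int)
    erp_octets = total_octets = 0
    for src, dst, proto, _sport, dport, _pkts, octets in flows:
        conversations[(src, dst, proto, dport)] += octets
        total_octets += octets
        if src in ERP_SERVERS or dst in ERP_SERVERS:
            erp_octets += octets
    ranked = sorted(conversations.items(), key=lambda kv: kv[1], reverse=True)
    return ranked, (100.0 * erp_octets / total_octets if total_octets else 0.0)

def build_record(src, dst, proto, sport, dport, pkts, octets):
    """Pack one constructed v5 record (timestamps, AS numbers and next hop left at zero)."""
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0\0\0\0", 1, 2,
                       pkts, octets, 0, 0, sport, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)

# Constructed export of three flows: one ERP session and two HTTPS sessions to the Internet.
SAMPLE_DATAGRAM = HEADER.pack(5, 3, 0, 0, 0, 0, 0, 0, 0) + b"".join([
    build_record("10.0.1.20", "10.0.0.5", 6, 51000, 1433, 120, 15000),
    build_record("10.0.1.21", "203.0.113.7", 6, 52000, 443, 800, 60000),
    build_record("10.0.1.22", "203.0.113.9", 6, 52001, 443, 300, 25000),
])

if __name__ == "__main__":
    ranked, erp_share = usage_report(parse_netflow_v5(SAMPLE_DATAGRAM))
    print(ranked, f"ERP share of traffic: {erp_share:.1f}%")
```

A real collector would read the datagrams from a UDP socket bound to the exporter's destination port and keep the aggregates over time; the parsing and reporting logic stays the same.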
Data capture / RMON – Sniffer tools
Sometimes you need to observe the exact data flowing on the line and not just information about it. Have a look at this sample scenario. After you find out that a web service causes inappropriately high network traffic, the owner of the application can simply say: “No, we are not pushing this much data to the network. We just respond Yes or No in this web service and it is just 100 bytes”. Therefore, you should sniff the data flow on the line. Maybe you will find that the web service responds yes or no (100 bytes) together with the definition of the web service (6 kilobytes).
Suggested monitoring tools: Wireshark
Have a look at the Network Monitoring Tools page on the Stanford University web site for a great list of network monitoring tools.