What are your daily duties as a network administrator? You must keep the network up and running. You have to answer calls such as “X location is down” or “Y location is too slow.” To fulfill these tasks you must monitor your network as described below.
- You should monitor your network and respond to device and line failures.
- You should analyze data line utilization and errors on the line, and ensure network performance.
- You should know who is talking to whom, and how much bandwidth each application requires.
- And sometimes you need to see the precise data flowing over the network.
If you have all this information, people will think twice before blaming the network for each problem. How can you achieve this?
We need a layered approach to understanding network monitoring. I am not talking about network layers, but network monitoring layers. We need to understand these monitoring layers before deciding what we need from network monitoring software. A simple summary follows.
- Preconditions of network monitoring.
- Up/Down monitoring
- Performance Monitoring / SNMP monitoring
- Who talks with whom / Netflow monitoring
- Data capture / Data sniffing
Preconditions of Network Monitoring
Network documentation is essential for monitoring a network. How can you be sure that your network monitoring is complete without documentation? You may see everything green on the screen while some of the redundant lines are down, and you will sit there unaware, with no alerts.
Documentation comes first.
Suggested tools: PowerPoint/Visio, NetViz
Up/Down monitoring
You have a map with some red and green lights on it. Green means up. Red means down. Simple yet powerful: you notice immediately when something goes down.
This is based on ping. Almost every IP device supports ICMP echo/echo reply, so you can monitor all IP devices on your network with the ping command. To go one step further, you can watch an application on a device instead of the entire device. All network applications use TCP/UDP ports. You can monitor an application by connecting to its TCP port (telnet to the port is the classic check); if the port accepts the connection, the application is listening. UDP ports do not answer a plain connect and need a protocol-specific probe.
Suggested tools: WhatsupGold, nmap
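The up/down layer above, as an added example written for this page (not code from the original post or from the tools it names). It takes the device list from the network documentation, probes each entry with ICMP (via the OS ping binary, when one is present) or with a TCP connect in the spirit of the telnet-to-the-port check, and renders a text red/green map. The inventory, host names and ports are constructed; the demo opens a loopback listener to stand in for a live service and uses a freshly released loopback port as the "down" redundant line, so the tie-in to the documentation precondition (a redundant path failing while the primary still looks green) is visible in the output.

```python
import platform
import socket
import subprocess


def ping(host, timeout_s=1):
    """ICMP echo via the OS ping binary (raw ICMP sockets would need root).
    Returns True/False, or None when no ping binary is available."""
    windows = platform.system().lower() == "windows"
    count_flag, wait_flag = ("-n", "-w") if windows else ("-c", "-W")
    wait = str(timeout_s * 1000) if windows else str(timeout_s)
    try:
        proc = subprocess.run(["ping", count_flag, "1", wait_flag, wait, host],
                              stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except FileNotFoundError:
        return None
    return proc.returncode == 0


def check_tcp(host, port, timeout_s=1.0):
    """The 'telnet to the port' check: True if a TCP connect to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def run_checks(inventory):
    """Probe every documented device; port None means ping only."""
    results = {}
    for item in inventory:
        if item["port"] is None:
            results[item["name"]] = ping(item["host"])
        else:
            results[item["name"]] = check_tcp(item["host"], item["port"])
    return results


def render(inventory, results):
    """Text version of the red/green map. A redundant path that is down is called out
    explicitly, because the primary path keeps the location reachable and hides it."""
    colours = {True: "GREEN", False: "RED", None: "UNKNOWN"}
    lines = []
    for item in inventory:
        state = results[item["name"]]
        target = f"{item['host']}:{item['port'] if item['port'] is not None else 'icmp'}"
        note = "  <- redundant path down, masked by primary" if state is False and item["redundant"] else ""
        lines.append(f"{colours[state]:7} {item['name']} ({target}){note}")
    return "\n".join(lines)


def _free_loopback_port():
    """Bind to port 0, read the allocated port, release it: a port known to be closed."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Constructed inventory: a loopback listener plays the ERP web front end (up),
    a released loopback port plays the backup WAN line (down)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    inventory = [
        {"name": "erp-web",    "host": "127.0.0.1", "port": listener.getsockname()[1], "redundant": False},
        {"name": "backup-wan", "host": "127.0.0.1", "port": _free_loopback_port(),     "redundant": True},
    ]
    try:
        results = run_checks(inventory)
        print(render(inventory, results))
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    demo()
```

The point of keeping `redundant` in the inventory is the one the preconditions section makes: without the documented topology, a monitor cannot tell a harmless red light from a lost redundancy.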
Performance monitoring / SNMP monitoring
The lines are up, the devices are up, but life is not perfect. People complain about the performance of data lines. Are they saturated? Is there packet loss on the lines? Are routers running out of memory? We need SNMP to monitor the network’s heartbeat.
Suggested tools: MRTG, Solarwinds Orion, PRTG
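What an MRTG-style poller does with the SNMP interface counters, as an added example that is not part of the original post. It turns two readings of ifInOctets/ifOutOctets/ifInErrors (IF-MIB, names used as labels only; the sample values are constructed, there is no SNMP polling here) into utilization percentages and an error rate, handles a 32-bit counter wrap between polls, and shows why the poll interval must be shorter than the time a 32-bit counter takes to wrap at line rate.

```python
from dataclasses import dataclass


@dataclass
class IfSample:
    """One SNMP poll of an interface. Timestamp in seconds; counters as read from IF-MIB."""
    t: float
    in_octets: int     # ifInOctets
    out_octets: int    # ifOutOctets
    in_errors: int     # ifInErrors


def counter_delta(prev, cur, bits=32):
    """Difference between two counter readings, allowing for one wrap-around.
    Counter32 wraps at 2^32; use bits=64 for the ifHC* Counter64 objects."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def wrap_time_s(speed_bps, bits=32):
    """Seconds a counter of this width takes to wrap at line rate.
    The poll interval must stay well below this, or a wrap becomes ambiguous."""
    return (1 << bits) / (speed_bps / 8)


def link_stats(prev, cur, speed_bps, bits=32):
    """Utilization (%) per direction and input error rate (errors/s) between two polls."""
    interval = cur.t - prev.t
    if interval <= 0:
        raise ValueError("samples must be in time order")
    in_bps = counter_delta(prev.in_octets, cur.in_octets, bits) * 8 / interval
    out_bps = counter_delta(prev.out_octets, cur.out_octets, bits) * 8 / interval
    return {
        "in_pct": 100.0 * in_bps / speed_bps,
        "out_pct": 100.0 * out_bps / speed_bps,
        "in_err_per_s": counter_delta(prev.in_errors, cur.in_errors, bits) / interval,
    }


def assess(stats, warn_pct=80.0, err_per_s=0.1):
    """Turn the numbers into the complaint-sized facts: saturated? errors on the line?"""
    findings = []
    if stats["in_pct"] >= warn_pct or stats["out_pct"] >= warn_pct:
        findings.append("saturated")
    if stats["in_err_per_s"] >= err_per_s:
        findings.append("input errors")
    return findings or ["ok"]


if __name__ == "__main__":
    # Constructed polls, 60 s apart, on a 10 Mbit/s line: 75 MB in, 7.5 MB out, 12 new input errors.
    prev = IfSample(t=0, in_octets=0, out_octets=0, in_errors=0)
    cur = IfSample(t=60, in_octets=75_000_000, out_octets=7_500_000, in_errors=12)
    stats = link_stats(prev, cur, speed_bps=10_000_000)
    print(stats, assess(stats))
    print("32-bit counter wraps every %.0f s on a 100 Mbit/s line" % wrap_time_s(100_000_000))
```

On a 100 Mbit/s line a Counter32 wraps in under six minutes, and on gigabit in about half a minute; that is why pollers either poll more often or read the 64-bit ifHC counters.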
Who talks with whom / Netflow monitoring
You have found that the line is saturated. Someone, or some application, is creating a heavy traffic load. Who are they? Is the traffic necessary? On Cisco devices, the “ip accounting” command gives an idea of the current traffic sources and destinations. Nevertheless, we need flow monitoring to analyze and optimize traffic: we need the source and destination IP addresses, the TCP/UDP ports, and the number of packets/bytes.
Everyone blames the network for slowness until you publish the network usage report, which shows only 15% of the traffic is ERP traffic, and the rest is Internet access.
Be aware that flow monitoring tools require more server resources because of the large volume of data they collect.
Suggested tools: Fluke NetFlow monitor, Paessler
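The flow layer, as an added example written for this page (not the post's own code and not any vendor's collector). It builds a NetFlow v5 export packet from a few constructed flow records, parses it back with the standard 24-byte header and 48-byte record layout, and produces the usage report the post describes: bytes per application category and the top talkers. The IP addresses and the rule that ERP traffic is TCP port 8000 are assumptions for the example; the sample flows are constructed so that ERP comes out at 15% of the bytes, the figure quoted above.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (network byte order).
V5_HEADER = "!HHIIIIBBH"              # version, count, sys_uptime, unix_secs, unix_nsecs,
                                      # flow_sequence, engine_type, engine_id, sampling_interval
V5_RECORD = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                                        # first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
                                        # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN, RECORD_LEN = struct.calcsize(V5_HEADER), struct.calcsize(V5_RECORD)  # 24, 48

# Constructed flows: one ERP session and two Internet sessions.
SAMPLE_FLOWS = [
    {"src": "10.1.1.10", "dst": "10.0.0.5",    "sport": 51000, "dport": 8000, "proto": 6, "packets": 300,  "bytes": 150_000},
    {"src": "10.1.1.20", "dst": "203.0.113.7", "sport": 51001, "dport": 443,  "proto": 6, "packets": 800,  "bytes": 600_000},
    {"src": "10.1.1.21", "dst": "203.0.113.9", "sport": 51002, "dport": 80,   "proto": 6, "packets": 400,  "bytes": 250_000},
]


def build_v5_packet(flows):
    """Encode flows as one NetFlow v5 datagram (what an exporter would send to the collector)."""
    header = struct.pack(V5_HEADER, 5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    records = b"".join(
        struct.pack(V5_RECORD, socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0" * 4,
                    1, 2, f["packets"], f["bytes"], 0, 0, f["sport"], f["dport"],
                    0, 0x18, f["proto"], 0, 0, 0, 24, 24, 0)
        for f in flows)
    return header + records


def parse_v5(data):
    """Decode a NetFlow v5 datagram into flow dicts (the collector side)."""
    version, count = struct.unpack(V5_HEADER, data[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        start = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(V5_RECORD, data[start:start + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6], "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows


def category(flow):
    """Assumed application mapping: ERP on TCP/8000, web on 80/443, everything else 'other'."""
    if flow["proto"] == 6 and flow["dport"] == 8000:
        return "erp"
    if flow["proto"] == 6 and flow["dport"] in (80, 443):
        return "internet"
    return "other"


def usage_report(flows, top_n=3):
    """Bytes per category as a percentage of all traffic, plus the top sources by bytes."""
    by_cat, by_src = defaultdict(int), defaultdict(int)
    for f in flows:
        by_cat[category(f)] += f["bytes"]
        by_src[f["src"]] += f["bytes"]
    total = sum(by_cat.values()) or 1
    return {
        "by_category_pct": {c: round(100.0 * b / total, 1) for c, b in by_cat.items()},
        "top_talkers": sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:top_n],
    }


if __name__ == "__main__":
    datagram = build_v5_packet(SAMPLE_FLOWS)
    print(usage_report(parse_v5(datagram)))
```

The parser ignores nexthop, interface indexes and AS fields; a real collector keys on them too, and the volume of records it has to store per second is the server-resource cost the post warns about.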
Data capture / RMON – Sniffer tools
Sometimes you need to observe the entire data flow on the line instead of information about it. Let’s look at a sample scenario. After you find out that a web service causes inappropriately high network traffic, the owner of the application can easily say, “No, we are not transferring that much data to the network. We just respond Yes or No in this web service, and it is only 100 bytes.” Here you should sniff the data stream on the line. Maybe you will find that the web service responds yes or no (100 bytes) together with the definition of the web service (6 kilobytes).
Suggested tools: Wireshark, Gigamon
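The capture layer, as an added example that is not part of the original post. It constructs the scenario above as a minimal pcap in memory (Ethernet/IPv4/TCP frames; the addresses, ports and payloads are made up, and the IP/TCP checksums are left at zero because a byte-counting parser does not need them), then reads the pcap back the way a sniffer would and totals frames, bytes on the wire and TCP payload per direction. The client sends a 100-byte request; the server answers with the 100-byte yes/no plus a 6-kilobyte service definition, which is exactly what the counts expose.

```python
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4, PROTO_TCP, LINKTYPE_ETHERNET = 0x0800, 6, 1


def ipv4(addr):
    return bytes(int(x) for x in addr.split("."))


def tcp_frame(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP (PSH/ACK) frame with constructed MACs; checksums left at 0."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, PROTO_TCP, 0, ipv4(src), ipv4(dst))
    eth = bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def pcap_bytes(frames):
    """Serialize frames as a little-endian libpcap file (open it in Wireshark if written to disk)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000, i * 1000, len(frame), len(frame)) + frame
    return out


def conversation_bytes(data):
    """Per direction (src:port -> dst:port): frames, bytes on the wire, TCP payload bytes."""
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        e = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        e = ">"
    else:
        raise ValueError("not a pcap file")
    if struct.unpack(e + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    totals = defaultdict(lambda: {"frames": 0, "wire_bytes": 0, "payload_bytes": 0})
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != PROTO_TCP:
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_offset = (tcp[12] >> 4) * 4
        t = totals[f"{src}:{sport} -> {dst}:{dport}"]
        t["frames"] += 1
        t["wire_bytes"] += orig_len
        t["payload_bytes"] += len(tcp) - data_offset
    return dict(totals)


def demo():
    """Constructed exchange: 100-byte request, 100-byte yes/no answer, 6000-byte WSDL in 5 segments."""
    client, server = ("10.1.1.10", 40001), ("10.0.0.5", 80)
    request = b"POST /ws/check HTTP/1.1\r\nHost: erp\r\n\r\n<check/>".ljust(100, b" ")
    answer = b"HTTP/1.1 200 OK\r\n\r\n<answer>yes</answer>".ljust(100, b" ")
    wsdl = b"<definitions>".ljust(6000, b"x")
    frames = [tcp_frame(*client, *server, 1, request)]
    seq = 1
    for chunk in [answer] + [wsdl[i:i + 1200] for i in range(0, len(wsdl), 1200)]:
        frames.append(tcp_frame(*server, *client, seq, chunk))
        seq += len(chunk)
    report = conversation_bytes(pcap_bytes(frames))
    for direction, t in report.items():
        print(f"{direction}: {t['frames']} frames, {t['wire_bytes']} B on wire, {t['payload_bytes']} B payload")
    return report


if __name__ == "__main__":
    demo()
```

Wireshark's "Follow TCP Stream" and Conversations statistics give the same numbers from a real capture; the value of the capture layer is that the figure comes from the bytes on the line, not from what the application believes it sends.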