What are your daily duties as a network administrator? You have to keep the network up and running. You have to answer calls like “X location is down” or “Y location is so slow”. To do that you should monitor your network as described below.
- You should monitor your network and react to device and line failures.
- You should analyze line utilization and errors on the lines, and be sure about network performance.
- You should know who talks with whom, and how much bandwidth every single application needs.
- And sometimes you need to see the exact data flowing over the network.
If you have all this information, people think twice before blaming the network for every problem. How can you achieve this?
We need a layered approach to understand network monitoring. I am not talking about network layers but about network monitoring layers. We have to understand these layers before deciding what network monitoring software we need. A simple summary looks like this.
- Preconditions of network monitoring.
- Up/Down monitoring
- Performance Monitoring / SNMP monitoring
- Who talks with whom / Netflow monitoring
- Data capture / Data sniffing
Preconditions of Network Monitoring
Network documentation is essential for monitoring a network. Setting up network monitoring tools before the documentation exists is just a waste of time: you will see everything green on the screen while one of the redundant lines is actually down, because nobody told the tool that line exists, and you will sit there without a single alert.
Documentation comes first.
Suggested tools: Powerpoint/Visio, NetViz
Up/Down monitoring
You have a map with red and green lights on it. Green means up, red means down. It is simple but powerful: you immediately become aware when something goes down.
This is based on ping. Almost every IP device supports ICMP echo/echo reply, so you can monitor all IP devices in your network with ping. Keep in mind that a host or firewall that filters ICMP looks down to the tool even when it is fine, so allow the monitoring server through. To go one step further, you can monitor one application on a device instead of the whole device. Network applications listen on TCP or UDP ports. For TCP you can check a port the way telnet does, by completing a connection: if the connection is accepted, something is listening. This tells you the process is up, not that it answers correctly, and it does not work for UDP, which has no handshake; a UDP service needs an application-level probe (for example a real DNS query to a DNS server).
Suggested tools: WhatsupGold, nmap
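A minimal version of this layer, as an added example that is not from the original article: one ping per host and one TCP connect per service, with the ICMP and UDP caveats in the comments. The service names and ports are constructed, and the demo starts its own listener on the loopback address so the check can be run offline.

```python
"""Up/down monitor: ICMP ping per host plus a TCP connect per service.

Added example, not code from the original article. Hosts, service names
and ports are constructed placeholders; replace them with your inventory.
"""
import platform
import socket
import socketserver
import subprocess
import threading


def ping(host: str, timeout_s: int = 1) -> bool:
    """Run the OS ping once. Raw ICMP sockets need root, so shell out.
    A filtered echo does not prove the host is down, only that it did not
    answer; allow the monitoring server through any ICMP filters."""
    if platform.system().lower() == "windows":
        cmd = ["ping", "-n", "1", "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-W", str(timeout_s), host]
    try:
        done = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                              stderr=subprocess.DEVNULL, timeout=timeout_s + 2)
        return done.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def tcp_port_open(host: str, port: int, timeout_s: float = 1.0) -> bool:
    """A completed TCP handshake means something is listening. It does not
    mean the application behind it is healthy, and it cannot be used for
    UDP services, which have no handshake to complete."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def check_hosts(hosts):
    """hosts: list of names/addresses. Returns {host: 'UP'|'DOWN'} by ping."""
    return {h: ("UP" if ping(h) else "DOWN") for h in hosts}


def check_services(services):
    """services: list of (name, host, tcp_port). Returns {name: 'UP'|'DOWN'}."""
    return {name: ("UP" if tcp_port_open(host, port) else "DOWN")
            for name, host, port in services}


def demo():
    """Exercise the check offline: a listener we start ourselves on a free
    loopback port (expected UP) and a port we bound and released (DOWN)."""
    class Quiet(socketserver.BaseRequestHandler):
        def handle(self):
            pass

    srv = socketserver.TCPServer(("127.0.0.1", 0), Quiet)
    open_port = srv.server_address[1]
    threading.Thread(target=srv.serve_forever, daemon=True).start()

    probe = socket.socket()            # grab a second free port, then give it back
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # nothing listens here any more

    try:
        return check_services([
            ("constructed-web-service", "127.0.0.1", open_port),
            ("constructed-dead-service", "127.0.0.1", closed_port),
        ])
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name}: {state}")
```

The real monitor would run `check_hosts` and `check_services` on a timer and alert on transitions from UP to DOWN; the map from the documentation step tells you which entries belong on the list in the first place.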
Performance monitoring / SNMP monitoring
The lines are up, the devices are up, but life is not perfect. People complain about the performance of data lines. Are they saturated? Do we have packet loss on the lines? Are routers running out of memory? We need SNMP to monitor the heartbeat of the network: the poller reads interface counters (octets, packets, errors, discards) and device health (CPU, memory) at a fixed interval and turns the deltas into graphs. Use SNMPv3 with authentication and privacy where the devices support it; SNMPv1 and v2c send the community string in cleartext, and a default community such as “public” hands your whole network inventory to anyone who can reach UDP port 161. Keep the community or user read-only and restrict SNMP access to the monitoring server with an ACL.
Suggested tools: MRTG, Solarwinds Orion, PRTG
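What a poller such as MRTG does with the counters it reads, as an added example that is not from the original article: two SNMP polls of an interface octet counter are turned into bits per second and a utilization fraction, and an error ratio is derived the same way, with the 32-bit counter wrap handled. The counter values are constructed; fetching them is left to your SNMP library.

```python
"""Turn two SNMP polls of interface counters into utilization and error rate.

Added example, not from the original article. The sample counter values are
constructed; a real poller would fetch them with an SNMP GET of ifInOctets
(1.3.6.1.2.1.2.2.1.10, 32-bit) or ifHCInOctets (1.3.6.1.2.1.31.1.1.1.6,
64-bit) at a fixed interval and keep the previous sample.
"""


def counter_delta(prev: int, cur: int, bits: int = 32) -> int:
    """Octet counters only grow, but they wrap at 2**bits. A 32-bit counter on
    a 1 Gbit/s link wraps in about 34 seconds, so a naive cur - prev goes
    negative. Assume at most one wrap between polls; poll often enough for
    that, or use the 64-bit ifHC* counters where the device has them."""
    if cur >= prev:
        return cur - prev
    return (1 << bits) - prev + cur


def utilization(prev_octets: int, cur_octets: int, interval_s: float,
                if_speed_bps: int, bits: int = 32):
    """Return (bits_per_second, utilization_fraction) for one poll interval.
    if_speed_bps comes from ifSpeed (1.3.6.1.2.1.2.2.1.5)."""
    delta = counter_delta(prev_octets, cur_octets, bits)
    bps = delta * 8 / interval_s
    return bps, bps / if_speed_bps


def error_ratio(prev_pkts: int, cur_pkts: int, prev_err: int, cur_err: int,
                bits: int = 32) -> float:
    """Errors per packet over the interval, from ifInUcastPkts and ifInErrors
    style counters; the wrap rule applies to both."""
    pkts = counter_delta(prev_pkts, cur_pkts, bits)
    errs = counter_delta(prev_err, cur_err, bits)
    return errs / pkts if pkts else 0.0


if __name__ == "__main__":
    # Constructed sample: a 100 Mbit/s link polled every 300 s whose
    # ifInOctets wrapped between the two polls.
    prev, cur = 4_293_967_296, 374_000_000
    bps, util = utilization(prev, cur, 300, 100_000_000)
    print(f"{bps/1e6:.1f} Mbit/s, {util:.0%} utilized")
    print(f"error ratio: {error_ratio(1_000_000, 1_500_000, 10, 60):.2e}")
```

The wrap case is the one that produces the famous negative spikes or flat lines in badly written pollers; checking `cur < prev` before subtracting is what keeps the graph honest.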
Who talks with whom / Netflow monitoring
You have realized that the line is full. Someone or some application is generating a high load of traffic. Who are they? Is the traffic necessary? On Cisco devices the “ip accounting” command gives an idea of current traffic sources and destinations. But to analyze and optimize the traffic we need flow monitoring: the router exports a record for every flow it forwards, with the source and destination IP addresses, the TCP/UDP ports, the protocol and the number of packets and bytes, and a collector stores and aggregates these records.
Everyone blames the network for slowness until you publish the network usage report which shows that only 15% of the traffic is ERP traffic and the rest is Internet access.
You should know that flow monitoring tools require more server resources because of the huge amount of data they collect; on busy links the exporter is usually configured to sample packets (one in N) to keep the volume manageable.
Suggested tools: Fluke Netflow monitor, Paessler
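A collector for the records described above, as an added example that is not part of the original article: it parses NetFlow v5 export datagrams, aggregates bytes per conversation and computes the ERP-versus-Internet share from the usage report. The datagram is built here in memory rather than received from a router, and the addresses and the ERP port 8000 are assumptions.

```python
"""Parse NetFlow v5 export datagrams and build a "who talks with whom" table.

Added example, not from the original article. The datagram below is
constructed here, not captured; addresses and the ERP port are placeholders.
A real collector receives these datagrams on UDP (2055 by convention).
"""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header, then up to 30 fixed 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

ERP_PORT = 8000  # assumption: the ERP application server listens here


def parse_v5(datagram: bytes):
    """Yield one dict per flow record with the fields a report needs.
    Records that would run past the end of the datagram are dropped instead
    of trusting the header count blindly: the exporter speaks plain UDP and
    anyone who can spoof its address can feed the collector garbage."""
    if len(datagram) < HEADER.size:
        raise ValueError("short NetFlow header")
    version, count, *_ = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    off = HEADER.size
    for _ in range(count):
        if off + RECORD.size > len(datagram):
            break
        f = RECORD.unpack_from(datagram, off)
        off += RECORD.size
        yield {"src": str(ipaddress.IPv4Address(f[0])),
               "dst": str(ipaddress.IPv4Address(f[1])),
               "packets": f[5], "bytes": f[6],
               "sport": f[9], "dport": f[10], "proto": f[13]}


def top_talkers(flows, n=5):
    """Bytes per (src, dst, dport, proto), largest first."""
    agg = defaultdict(int)
    for f in flows:
        agg[(f["src"], f["dst"], f["dport"], f["proto"])] += f["bytes"]
    return sorted(agg.items(), key=lambda kv: kv[1], reverse=True)[:n]


def share_by_class(flows, classify):
    """Fraction of total bytes per traffic class (the 15% ERP report)."""
    totals = defaultdict(int)
    for f in flows:
        totals[classify(f)] += f["bytes"]
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()} if grand else {}


def classify(f):
    if ERP_PORT in (f["sport"], f["dport"]):
        return "ERP"
    if f["dport"] in (80, 443):
        return "Internet"
    return "other"


def build_datagram(flows):
    """Constructed exporter: (src, dst, sport, dport, proto, packets, bytes)."""
    recs = b"".join(
        RECORD.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                    b"\0\0\0\0", 1, 2, pk, by, 0, 0, sp, dp, 0, 0x18, pr, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, pr, pk, by in flows)
    return HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + recs


# Constructed sample: two ERP sessions, two web sessions, one DNS query.
SAMPLE = build_datagram([
    ("10.1.1.20", "10.0.0.5", 51000, ERP_PORT, 6, 4000, 1_000_000),
    ("10.1.1.21", "10.0.0.5", 51001, ERP_PORT, 6, 2000, 500_000),
    ("10.1.1.20", "203.0.113.10", 51002, 443, 6, 9000, 6_000_000),
    ("10.1.1.22", "203.0.113.11", 51003, 80, 6, 3000, 2_450_000),
    ("10.1.1.23", "10.0.0.53", 51004, 53, 17, 500, 50_000),
])


def report(datagram=SAMPLE):
    flows = list(parse_v5(datagram))
    return top_talkers(flows), share_by_class(flows, classify)


if __name__ == "__main__":
    talkers, shares = report()
    for key, nbytes in talkers:
        print(f"{key[0]} -> {key[1]}:{key[2]} proto {key[3]}: {nbytes} bytes")
    print({k: f"{v:.1%}" for k, v in shares.items()})
```

Classifying by port is only as good as your documentation of which ports each application uses, which is the same documentation the first layer depends on. Sampled exports scale every byte count by the sampling rate before reporting.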
Data capture / RMON – Sniffer tools
Sometimes you need to see the exact data flowing on the line instead of information about it. Look at this sample scenario. After you find out that a web service causes inappropriately high network traffic, the owner of the application may say “No, we are not pushing that much data onto the network. We just respond Yes or No in this web service and it is just 100 bytes”. Here you need to sniff the data flow on the line. Maybe you will find that the web service responds yes or no (100 bytes) together with the definition of the web service (6 kilobytes). Remember that a capture contains the payload itself, including credentials and personal data on unencrypted protocols, so restrict who can take and read captures and capture only what the question requires (a capture filter on the host and port in question).
Suggested tools: Wireshark, Gigamon
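The scenario above, as an added example that is not from the original article: a small pcap reader that sums the payload bytes each side sent on every TCP connection, so the 100-byte answer and the 6-kilobyte service definition show up separately. The capture is constructed in memory with made-up addresses and payloads; in practice you would read a file written by tcpdump or Wireshark.

```python
"""Look at the bytes on the wire, not just counters: parse a pcap and measure
what the server actually sent back on each TCP connection.

Added example, not from the original article. The capture is constructed in
memory (Ethernet/IPv4/TCP frames with fake HTTP payloads, one frame per
message; a real capture would split the 6 KB reply into MSS-sized segments).
"""
import struct
from collections import defaultdict

PCAP_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, tz, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")       # ts_sec, ts_usec, incl_len, orig_len
ETH = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
IPV4 = struct.Struct("!BBHHHBBH4s4s")  # ver/ihl, tos, total_len, id, frag, ttl, proto, csum, src, dst
TCP = struct.Struct("!HHIIBBHHH")      # sport, dport, seq, ack, data offset, flags, win, csum, urg


def frame(src, sport, dst, dport, payload):
    """Build one Ethernet/IPv4/TCP frame carrying payload (constructed, no checksums)."""
    tcp = TCP.pack(sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = IPV4.pack(0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                   bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return ETH.pack(b"\x02" * 6, b"\x02" * 6, 0x0800) + ip


def pcap(frames):
    """Wrap frames in a little-endian, microsecond, LINKTYPE_ETHERNET pcap."""
    out = PCAP_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += REC_HDR.pack(0, 0, len(f), len(f)) + f
    return out


def bytes_per_direction(capture):
    """Return {(src, sport, dst, dport): payload_bytes} for TCP traffic.
    Payload length comes from the IP total length minus both header lengths,
    so Ethernet padding on short frames is not counted as data."""
    if PCAP_HDR.unpack_from(capture, 0)[0] != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap handled here")
    off = PCAP_HDR.size
    totals = defaultdict(int)
    while off + REC_HDR.size <= len(capture):
        _, _, incl, _ = REC_HDR.unpack_from(capture, off)
        off += REC_HDR.size
        pkt = capture[off:off + incl]
        off += incl
        if len(pkt) < ETH.size + IPV4.size or ETH.unpack_from(pkt)[2] != 0x0800:
            continue
        vihl, _, total_len, _, _, _, proto, _, s, d = IPV4.unpack_from(pkt, ETH.size)
        ihl = (vihl & 0x0F) * 4
        if proto != 6 or len(pkt) < ETH.size + ihl + TCP.size:
            continue
        sport, dport, _, _, doff, *_ = TCP.unpack_from(pkt, ETH.size + ihl)
        payload_len = total_len - ihl - (doff >> 4) * 4
        key = (".".join(map(str, s)), sport, ".".join(map(str, d)), dport)
        totals[key] += max(payload_len, 0)
    return dict(totals)


def server_bytes(capture, server, port):
    """Bytes the server sent back, per client connection (keyed by client port)."""
    return {dport: n for (s, sp, d, dport), n in bytes_per_direction(capture).items()
            if s == server and sp == port}


# Constructed sample: one client fetches the service definition, another
# makes the "yes/no" call that the application owner says is 100 bytes.
CLIENT, SERVER = "10.1.1.20", "10.0.0.5"
WSDL = (b"HTTP/1.1 200 OK\r\nContent-Type: text/xml\r\n\r\n<definitions>"
        + b"x" * 6000 + b"</definitions>")
ANSWER = b"HTTP/1.1 200 OK\r\n\r\n<result>yes</result>"
SAMPLE = pcap([
    frame(CLIENT, 50000, SERVER, 80, b"GET /service?wsdl HTTP/1.1\r\n\r\n"),
    frame(SERVER, 80, CLIENT, 50000, WSDL),
    frame(CLIENT, 50001, SERVER, 80, b"POST /service HTTP/1.1\r\n\r\n<q/>"),
    frame(SERVER, 80, CLIENT, 50001, ANSWER),
])

if __name__ == "__main__":
    for client_port, n in server_bytes(SAMPLE, SERVER, 80).items():
        print(f"server -> client port {client_port}: {n} bytes")
```

Wireshark's "Follow TCP Stream" and Conversations windows give the same numbers from a real file; the point of doing it by hand once is to see that a flow record's byte count and the bytes inside the HTTP responses are the same data, only at a different layer.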