Implement regular network monitoring

Overview

This resource will help you to set up tools and processes to assist with network monitoring within an information technology environment.

In this topic you will learn how to:

  • set up logs and produce a management information base (MIB)
  • set benchmarks as a reference point for network performance
  • identify activity levels
  • conduct regular reviews to assist with network tuning
  • make recommendations for additional network resources to avoid problems

This topic contains:

  • reading notes
  • activities
  • references
  • topic quiz

As you work through the reading notes you will be directed to activities that will help you practise what you are learning. The topic also includes references to aid further learning and a topic quiz to check your understanding.

Reading notes

Introduction

Network monitoring is a requirement of modern and well-managed networks. Network monitoring allows network managers to collect and analyse network activity statistics in order to be better informed so that they can make sound management decisions. Without network monitoring, a network manager lacks critical knowledge of how a network is performing. The readings in this topic will allow you to gain an insight into network monitoring, its importance, sound approaches to monitoring and industry-recognised tools.

The need for network monitoring

Network monitoring is essential to sound network management. Network managers are required to continuously monitor networks in order to have an ongoing view of how network systems, devices and services are performing. Monitoring can include the installation of automated alerts that notify network managers of performance drops and other problems.

Why monitor?

  • Build knowledge – Network managers must build knowledge about their systems, their performance, problems and shortcomings to be in a position to maximise the performance of the network. A network manager who doesn’t know how the network is performing will not be an effective manager. Knowledge will underpin change, problem and configuration management.
  • Proactive management – Proactive management entails taking proactive action (rather than reactive action). A manager who is well-informed and has detailed knowledge of the network will be able to make decisions before problems arise. Clearly, network monitoring will provide managers with valuable hints as to what areas/systems require attention and action, hopefully avoiding downtime.
  • Capacity planning – Capacity planning is one of the main responsibilities of network management. Capacity planning entails estimating the needs of a network in terms of capacity. Capacity generally refers to such things as bandwidth, responsiveness, delays and bottlenecks. Capacity planning is not necessarily simple; it requires skilful managers to interpret network indicators (metrics), user satisfaction, productivity, downtime, etc. Network monitoring will assist managers greatly in planning capacity by analysing current performance trends, identifying bottlenecks and problems, etc.
  • Problem management – Network monitoring is useful for problem management as well. Network monitoring can help discover problems before these problems become evident, avoiding reactive problem management. Even once faults have developed, however, network monitoring can assist in identifying the source or reasons for faults.

Image: Reasons for network monitoring: Build knowledge, Proactive management, capacity planning, and problem management.

Figure 1: Some of the most important reasons for Network Monitoring

In summary, network monitoring is highly desirable if not critical for a high performing network. Network systems without a policy for network monitoring will be forced to react to problems instead of being proactive in the management of problems and the planning of network capacity.

Network monitoring technologies

Network monitoring can be implemented in a variety of ways. This reading focuses on industry standard technologies such as SNMP and RMON. This reading will also explore some of the major proprietary solutions available in the marketplace.

The Simple Network Management Protocol – SNMP

The Simple Network Management Protocol (SNMP) is an industry-accepted protocol for allowing the flow of network management information between network devices on a TCP/IP network. SNMP is part of the TCP/IP protocol suite. SNMP is regarded as an application layer protocol, as it operates in the upper layers of both the OSI and TCP/IP reference models.

Currently, three versions of SNMP exist:

  • SNMP Version 1
  • SNMP Version 2. In general, version 2 offers the same features as version 1, with a number of enhancements.
  • SNMP Version 3. SNMP Version 3 specifications primarily add security and remote configuration capabilities to SNMP.

So why is SNMP so popular? SNMP is very popular because it is a well-developed standard supported by most quality devices that operate on a TCP/IP network. Devices that support SNMP include:

  • Routers
  • Switches / Hubs
  • Network Operating Systems, including Unix, Linux, Windows, Novell, Mac OS X, etc.
  • And most good quality network devices that support TCP/IP.

Additionally, there are a myriad of products - both commercial and non-commercial - that support SNMP.

The SNMP standard is defined by RFC 1157. You can read this RFC (Request for Comment) at the Internet Engineering Task Force website:

Additional information about SNMP can be found online from the Cisco website as part of their online Internetworking Technologies handbook:

An SNMP-managed network consists of three key components:

  • Managed devices: A managed device is a network node that contains an SNMP agent and that resides on a managed network. Managed devices collect and store management information and make this information available to NMSs using SNMP.
  • Agents: An agent is a network-management software module that resides in a managed device. An agent translates information into a form compatible with SNMP.
  • Network Management Systems (NMS): An NMS executes applications that monitor and control managed devices. NMSs provide the bulk of the processing and memory resources required for network management.

The following is an example of devices being managed and monitored using SNMP:

Image: Illustration of SNMP-managed network. Shows main NMS Management Entity computer networked to three Managed Device SNMP Agent devices.

Figure 2: An SNMP monitored network requires Managed Devices, Agents (with MIB) and an NMS

Activity 1

To practise exploring and researching network monitoring techniques, complete Activity 1 – Explore and research network monitoring technologies, located in the Activities section of the Topic menu.

Remote monitoring – RMON

Effectively, RMON is a remote monitoring protocol that extends the capabilities and features of SNMP. RMON contributes 9 additional MIBs (Management Information Bases) for collecting information from remote devices, providing a richer set of data. The nine RMON groups are:

  • Statistics
  • History
  • Alarms
  • Hosts
  • Host Top N
  • Traffic Matrix
  • Filters
  • Packet Capture
  • Events.

Each of these groups provides specific sets of data to meet common network-monitoring requirements. Vendor support is optional for each group.

As with SNMP, devices must be designed to support the standard to be able to take advantage of it. Many new enterprise-grade devices that support SNMP would normally also support RMON.

Cisco Systems provides information on RMON on their online Internetworking Handbook which can be found at

The RMON standard is also defined as a series of RFCs (Request for Comment). RFC 1757 provides an overview of the RMON protocol. You can read this RFC at the Internet FAQ Archive which can be found at

The following readings will explore some tools that feature network management and monitoring.

Network monitoring tools

Network managers and system administrators are blessed with an abundance of network monitoring tools. In general terms, network monitoring software and devices can be categorised into two areas:

  • Network monitoring platforms
  • Network monitoring utilities.

Network monitoring platforms are complete solutions that can incorporate configuration management, monitoring, change management, etc. Utilities generally include specialist software that can perform specific tasks such as protocol analysis (sniffing), connectivity tools (ping, tracert), log analysis and reporting, etc.

Fortunately, there are a great number of platforms and utilities to choose from. Product offerings range from commercial tools to public domain or open source tools (offered free of charge). This reading will introduce some well-known tools, with an emphasis on Windows-based network monitoring.

Network monitoring platforms

Network monitoring platforms are integrated solutions that allow the management, configuration, monitoring and troubleshooting of network devices. These products can be based on open standards such as SNMP, on proprietary standards, or a combination of both. Below are some examples of well-known platforms. You might like to visit the respective web sites to gather further information on these products.

  • OpenView: A commercial platform by Hewlett-Packard. See the website at
  • OpenNMS: An open source network monitoring platform. See the website at
  • IBM – Tivoli NetView: A commercial product from IBM/Tivoli. See the website at
  • CiscoWorks: A suite of products for managing Cisco-based networks, with an emphasis on the management of routing and switching equipment. See the website at

Network Sniffers

Network sniffers are fairly specific tools that allow a technician to collect network traffic for online or offline analysis. Generally, sniffers operate in ‘promiscuous’ mode; this means that the sniffer will listen to (sniff) all ‘conversations’ on the network in order to gather the data passing between nodes.

Network Sniffers are generally used for various reasons, including the following:

  • To collect fault data
  • To learn about the traffic on a given network
  • To aid capacity planning by understanding traffic flows, errors due to bottlenecks, etc.
  • To perform security audits.

Generally, sniffers require a highly skilled technician to interpret the results. Some network sniffers also integrate with sophisticated software that analyses the data and produces simplified reports and charts. The following are examples of protocol analysis software:

  • Wireshark (previously known as Ethereal): A very popular open source protocol analyser, available for most platforms (Windows, Unix, etc.). See the website at

Image: Screenshot of Wireshark / Ethereal operating screen showing results of protocol analysis.

Figure 3: Popular protocol analysis and sniffer tool Wireshark (AKA Ethereal).

  • Network Monitor: A Microsoft product included with most server versions of Windows. See the website at
  • OptiView Protocol Expert: A commercial product by Fluke Networks. It integrates with many Fluke testing tools for analysis, reporting and added troubleshooting capability. See the website at

Windows monitoring tools

In the world of Windows Networking, there are several products that are included with Windows, as well as third party products. This section will look into the default products included with Windows Server. Note that these tools are available in both Windows 2000 and Windows Server 2003.

Performance and System Monitor

Performance and System Monitor is a valuable tool for measuring the performance of network systems over a given period of time. It can measure performance live by taking snapshots of system metrics, or it can be configured to take samples over time (trending). Trending is explored later in this reading in the section on Benchmarking and Baselining. This is a very valuable tool for most network managers with responsibility for Windows systems.

The System Monitor can measure the following:

  • CPU performance
  • Memory
  • Input/Output (I/O)
  • Network I/O
  • Service Performance
  • Etc.

Image: Screenshot of Windows Performance tools with System Monitoring running. Shows data for pages per second, average disk queue length, percentage processor time and total bytes per second.

Figure 4: The Windows Performance tools with System Monitoring running.

Event Log

The Windows Event Log is viewed using the Event Viewer tool in most Windows systems. There are also third-party commercial tools that can read the event log for reporting and charting purposes.

The event log is a great way of finding out what has been happening with the monitored systems over time. Windows keeps at least three different logs:

  • System log – used to record all activity regarded as system, such as services starting/closing, software drivers installed, critical errors, etc.
  • Applications log – used to capture all events generated by software applications
  • Security log – used to store security events as the result of an auditing policy. An example of this would be failed login attempts.

In each of these logs, three types of events are maintained:

  • Information – These items are simply information and do not constitute a problem
  • Warning – Not a critical error, but a warning indicates that this event might warrant investigation
  • Error – This indicates an error that needs action.

Image: Screenshot of the Windows event viewer showing three types of events: information, warnings and errors.

Figure 5: The Windows event viewer showing at least three types of events
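To show how the three logs and three event types above turn into something a network manager can act on, here is an added Python example (not from the reading and not a Windows tool) that reads a constructed tab-separated export of event records, reports activity levels per log and type, lists the Error entries that need action, and picks out accounts with repeated failed logons in the Security log, the example of a security event given above. The export format, the event ids and the user names are all constructed sample data; the Security log's Success Audit and Failure Audit entry types are real Windows types that sit alongside Information, Warning and Error.

```python
"""Summarise an exported Windows event log and flag entries that need action (constructed sample)."""
from __future__ import annotations
from collections import Counter, defaultdict

# Constructed export: log, type, event id, source, user, message (tab-separated).
# Event ids and messages are sample values for illustration only.
SAMPLE_EXPORT = """\
Security\tFailure Audit\t529\tSecurity\tjsmith\tLogon Failure: unknown user name or bad password
Security\tFailure Audit\t529\tSecurity\tjsmith\tLogon Failure: unknown user name or bad password
Security\tFailure Audit\t529\tSecurity\tjsmith\tLogon Failure: unknown user name or bad password
Security\tSuccess Audit\t528\tSecurity\tjsmith\tSuccessful Logon
System\tError\t7031\tService Control Manager\tN/A\tThe Print Spooler service terminated unexpectedly
System\tInformation\t6005\teventlog\tN/A\tThe Event log service was started
Application\tWarning\t1000\tBackupApp\tN/A\tBackup finished with 2 skipped files
"""
FIELDS = ("log", "type", "event_id", "source", "user", "message")

def parse_export(text: str) -> list[dict[str, str]]:
    """One dict per well-formed line; malformed lines are skipped rather than aborting the review."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) == len(FIELDS):
            records.append(dict(zip(FIELDS, parts)))
    return records

def count_by_log_and_type(records) -> dict[str, Counter]:
    """Activity levels: how many entries of each type (Information, Warning, Error, audits) each log holds."""
    counts = defaultdict(Counter)
    for r in records:
        counts[r["log"]][r["type"]] += 1
    return dict(counts)

def needs_action(records) -> list[dict[str, str]]:
    """Error entries need action; Warning entries only warrant investigation."""
    return [r for r in records if r["type"] == "Error"]

def failed_logon_bursts(records, threshold: int = 3) -> dict[str, int]:
    """Accounts with at least `threshold` failure audits in the Security log (assumed threshold)."""
    failures = Counter(r["user"] for r in records
                       if r["log"] == "Security" and r["type"] == "Failure Audit")
    return {user: n for user, n in failures.items() if n >= threshold}

def review(text: str) -> dict:
    records = parse_export(text)
    return {"activity": count_by_log_and_type(records),
            "errors": needs_action(records),
            "logon_failures": failed_logon_bursts(records)}

if __name__ == "__main__":
    print(review(SAMPLE_EXPORT))
```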

SNMP – Simple Network Management Protocol

Windows has supported SNMP since Windows NT. This means that Windows hosts can participate in SNMP-managed networks. The SNMP service can be installed in most versions of Windows and configured as part of SNMP communities.

Image: Screenshot of SNMP Service configuration on a Windows system

Figure 6: SNMP Service configuration on a Windows system

Generally, SNMP information is sent to a nominated SNMP management workstation running an SNMP console. For more detail about SNMP, please see the section in this reading on Network Monitoring Technologies.

WMI – Windows Management Instrumentation

As part of the .Net initiative, Microsoft also introduced WMI or Windows Management Instrumentation. WMI is a proprietary solution that is able to poll and configure most aspects of the Windows operating system. At this stage, full support for WMI only exists in Windows XP and Windows Server 2003; although support exists in Windows 2000, it is limited. It can be expected that there will be a significant number of Microsoft and third-party tools for WMI management and monitoring in the not too distant future.

To learn about WMI, visit the Microsoft website at

Benchmarking and baselining

You have probably heard about benchmarking; in fact, most people in the IT industry have heard about benchmarking in relation to new processors, video cards, etc. The concept of benchmarking is not foreign to networking; in fact, benchmarking is very important for capacity planning.

The idea behind benchmarking is to take a ‘snapshot’ of the performance of a system at a point in time. The result is then compared to a reference system. Depending on the result, action will be taken (such as an upgrade, troubleshooting, etc.). Critical activity levels can also be determined and recorded as part of this process.

Baselining is perhaps a more useful tool to network managers than just the occasional benchmark. Baselining still uses benchmarks, but these are taken on a regular basis. Generally, the process of baselining involves the following:

  1. Take an initial benchmark – this becomes the baseline.
  2. Define a period over which benchmarks will be taken.
  3. Take benchmarks.
  4. Compare benchmarks against baseline and draw conclusions.
  5. Make recommendations. This might include recommendations for immediate action or recommendations for capacity and strategic planning.
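Steps 1 to 5 above carried through in code, as an added example that is not part of the reading or of any Windows tool: the initial benchmark becomes the baseline (its mean and spread), each later benchmark is classified by how far it sits from that baseline, and a least-squares trend over the review period projects when the counter will reach a capacity ceiling so a recommendation can be made. The counter values are constructed link-utilisation percentages; the bands of 2 and 3 standard deviations and the 80% ceiling are assumed thresholds.

```python
"""Baselining and trending over a regularly sampled performance counter (constructed data)."""
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass
class Baseline:
    counter: str
    mean: float
    stdev: float

def take_baseline(counter: str, samples: list[float]) -> Baseline:
    """Step 1: the initial benchmark becomes the baseline."""
    return Baseline(counter, mean(samples), pstdev(samples))

def classify(base: Baseline, value: float) -> str:
    """Step 4: compare one benchmark with the baseline; bands are assumed z-score thresholds."""
    if base.stdev == 0:
        return "normal" if value == base.mean else "critical"
    z = abs(value - base.mean) / base.stdev
    return "critical" if z >= 3 else "warning" if z >= 2 else "normal"

def trend(samples: list[float]) -> tuple[float, float]:
    """Least-squares slope (per sampling interval) and intercept of the samples over their index."""
    n = len(samples)
    x_bar, y_bar = (n - 1) / 2, mean(samples)
    sxy = sum((x - x_bar) * (y - y_bar) for x, y in enumerate(samples))
    sxx = sum((x - x_bar) ** 2 for x in range(n))
    slope = sxy / sxx if sxx else 0.0
    return slope, y_bar - slope * x_bar

def review(base: Baseline, period: list[float], ceiling: float) -> dict:
    """Steps 4 and 5: draw conclusions from a period of benchmarks and recommend action."""
    slope, intercept = trend(period)
    status = classify(base, period[-1])
    # intervals from the last sample until the fitted line reaches the capacity ceiling
    periods_left = None
    if slope > 0 and period[-1] < ceiling:
        periods_left = (ceiling - intercept) / slope - (len(period) - 1)
    if status == "critical" and slope > 0:
        action = "plan additional capacity: sustained upward trend above baseline"
    elif status != "normal":
        action = "investigate: outside the baseline band"
    else:
        action = "no action; keep sampling"
    return {"counter": base.counter, "status": status, "slope": slope,
            "periods_to_ceiling": periods_left, "recommendation": action}

if __name__ == "__main__":
    # Constructed samples: baseline week, then four later benchmarks of the same counter
    base = take_baseline("Network Interface % utilisation", [36, 44, 36, 44])
    print(review(base, [44, 48, 52, 56], ceiling=80.0))
```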

Many tools (both commercial and non-commercial) are available to assist with baselining. Most versions of Windows include the “Performance Logs and Alerts” tool, which extends the capability of the System Monitor by allowing the administrator to create ‘performance traces’. A performance trace is nothing more than the System Monitor scheduled to run at regular intervals, taking snapshots and recording the results, effectively allowing the network manager/administrator to build historical data for trending and capacity planning.

As you can see, baselining can be greatly beneficial to network management. As already indicated, capacity planning is enhanced by baselining; another great beneficiary of baselining is proactive management. Baselining allows a manager to be proactive rather than reactive, and will hopefully allow a manager to anticipate problems and take remedial action before the issues become serious.

The following figure shows a screenshot of the Performance Logs and Alerts tool:

Image: Screenshot from the Windows Performance Logs and Alerts, Counter Log. Shows two counters running

Figure 7: Screenshot from the Windows Performance Logs and Alerts, Counter Log

Activity 2

To practise implementing network baselining and trending, complete Activity 2 – Implement network baselining and trending, located in the Activities section of the Topic menu.

The importance of system logs and log analysis

I am sure that you have seen (or are aware of) TV series where forensic investigators catch criminals by analysing logs for electronic fingerprints (e.g., an IP address), all within a matter of seconds. Although that scenario is not far from reality, generally the process is more complicated and takes considerably longer. This reading will look into the logging of network system activities.

You might not be a forensic investigator, but you still need to know what is going on with the network. System logs and event logging systems are critical to your knowledge of your systems and your ability to manage the network effectively. Windows does logging by running the Event Log system, which keeps at least three logs: system, application and security. (For further information about the Event Log, see the section in this reading on Network Monitoring Tools.) Additionally, Windows servers, such as Domain Controllers and DNS servers, will attach their own logs to the Event Log system.