How to Monitor Network Traffic: 7 Tips and Tricks for Network Admins and Analysts
All network pros know that monitoring network traffic is essential to keep your network running efficiently and securely. With the right network management system, you should have a network traffic monitoring tool that will allow you to troubleshoot network issues, analyze the impact of applications, and potentially identify security vulnerabilities.
While monitoring network traffic should involve as much automation as possible where appropriate, it still isn’t as simple as “setting and forgetting.” Especially as technology changes, network admins and analysts alike should be armed with the best tips and tricks for keeping an eye on network traffic. We asked our best and brightest network traffic whizzes for their thoughts on what to keep in mind when you set out to improve resource management, optimize network performance, and enhance security.
Tip #1: Know what’s on your network and when it changes.
“Visibility into all components of devices, ports and traffic circuits that are actually transporting data is paramount. You can monitor your water heater, but that doesn’t tell you how well your sink is clogged.” – John Diamond, Senior Solutions Architect, Park Place Technologies
Always consider the ever-changing nature of networks when monitoring your network traffic. It’s imperative to know what you’ve got and whether it’s different from yesterday to today. In other words, visibility is critical. Consequently, the monitoring system you’re using must reflect an accurate, current picture of the network and include the necessary automation functions to keep it up to date.
Traffic visibility comes down to connected devices. If you don’t know which devices and ports are carrying traffic on your network and how they’re configured, including aspects such as line speeds (which can all change), you can’t build a traffic model with a firm foundation.
Tip #2: People are always the weakest link. Choose your network traffic monitoring tool accordingly.
Use a reliable network management platform that updates automatically. The reality is that we mere mortals just aren’t that great at keeping things up to date when we’re left to our own devices, which eventually results in a blind spot…followed by a problem. Therefore, your network management system should eliminate the need for manual maintenance. Changes such as adding a new line card to a multi-slot switch shouldn’t require manual intervention to add it to the management system, as that will likely be overlooked, leaving the new ports unmonitored.
Basically, there must be an automatically updated foundation upon which functions like traffic monitoring and analysis can be built. Without a strong foundation, you’re pretty much building on sand, which means unreliable results.
Tip #3: Recognize “Murphy’s First Law of Network Monitoring”: inevitably, the problem will be in the component you’re not monitoring.
Don’t cherry-pick what to monitor based on your own preconceived notion of what matters and what doesn’t. Monitoring only a few ports on a switch, for example, builds blind spots into your approach to management. Monitor everything you can. Choose a tool that’s capable of monitoring all the ports on your devices, will keep itself up to date automatically, and won’t break the bank in the process.
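The check that Tips #1 through #3 describe can be sketched as follows. This is an added example, not code from the original article or from any particular product; the snapshot layout, the device and port names, and the `inventory_drift` function are all assumptions made for illustration.

```python
# Constructed snapshots keyed by (device, port). Today a line card has been
# added in slot 2 and one existing port has renegotiated to a lower speed.
YESTERDAY = {
    ("sw1", "Gi1/0/1"): {"speed_mbps": 1000, "oper": "up"},
    ("sw1", "Gi1/0/2"): {"speed_mbps": 1000, "oper": "up"},
}
TODAY = {
    ("sw1", "Gi1/0/1"): {"speed_mbps": 100, "oper": "up"},
    ("sw1", "Gi1/0/2"): {"speed_mbps": 1000, "oper": "up"},
    ("sw1", "Gi2/0/1"): {"speed_mbps": 1000, "oper": "up"},
    ("sw1", "Gi2/0/2"): {"speed_mbps": 1000, "oper": "down"},
}
# Ports the monitoring system is actually polling (never updated by hand).
MONITORED = {("sw1", "Gi1/0/1"), ("sw1", "Gi1/0/2")}

def inventory_drift(yesterday, today, monitored):
    """Compare two discovery snapshots and the monitored set.

    Returns ports that appeared, ports that disappeared, per-port attribute
    changes as (old, new) pairs, and discovered ports nobody is polling.
    """
    added = sorted(today.keys() - yesterday.keys())
    removed = sorted(yesterday.keys() - today.keys())
    changed = {}
    for key in today.keys() & yesterday.keys():
        old, new = yesterday[key], today[key]
        diffs = {attr: (old.get(attr), new.get(attr))
                 for attr in old.keys() | new.keys()
                 if old.get(attr) != new.get(attr)}
        if diffs:
            changed[key] = diffs
    # Tip #3: every discovered port counts, not only the ones deemed important.
    blind_spots = sorted(key for key in today if key not in monitored)
    return {"added": added, "removed": removed,
            "changed": changed, "blind_spots": blind_spots}

if __name__ == "__main__":
    for name, value in inventory_drift(YESTERDAY, TODAY, MONITORED).items():
        print(name, value)
```

On the constructed data, both ports of the new line card appear as added and as blind spots, and the speed change on `Gi1/0/1` is reported even though the port itself never left the inventory.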
Tip #4: Apply both the elemental approach to monitoring traffic and flow reporting simultaneously. One method on its own won’t tell you everything you need to know.
“Traffic is ‘how many cars are in the lane?’ Flow is ‘how many red cars versus blue cars and bicycles?’” – Pete Bartz, Senior Solutions Architect, Park Place Technologies
There’s more than one approach to monitoring traffic. The two approaches that are most relevant are:
- Elemental approach – the elemental approach focuses on looking at individual ports on individual devices to determine the traffic level, traffic volume, and bandwidth utilization percentage on those ports. While it provides a great deal of insight, it’s not comprehensive. For example, it will tell you a port is busy, but busy doesn’t tell you anything about the nature of the traffic except whether there’s room for more.
- Flow reporting (NetFlow, sFlow, etc.) – flow reporting and monitoring uncover the nature of traffic passing through, which nodes and systems are talking to each other over that circuit and at what volume, and approximately what general class of application they’re using. Also, if your monitoring system allows for it, don’t overlook the value of monitoring via Cisco’s NBAR technology, which can be significantly easier in terms of instrumentation overhead than flow monitoring.
You might think “Well, from that you could work out how busy the port is, so we could just use flow on its own. Why do we need the elemental type of management?” Because flow only tells you about traffic that has successfully traveled on that circuit. It tells you nothing about the failures, corrupt packets, or bad traffic because only good traffic is instrumented. If a circuit has problems and the traffic itself has been corrupted, flow won’t tell you so. A combination of flow and elemental management is necessary for a complete picture of network issues.
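The two views can be put side by side for a single port. This is an added example, not code from the original article: the counter names are the standard IF-MIB objects, while the sample polls, the flow records, and the function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed samples: two polls of one 1 Gb/s port, 300 s apart, plus the
# flow records exported for the same interval. All values are illustrative.
PREV = {"ifHCInOctets": 1_000_000_000_000, "ifHCInUcastPkts": 8_000_000,
        "ifInErrors": 4_294_967_290, "ifHighSpeed": 1000}
CURR = {"ifHCInOctets": 1_022_500_000_000, "ifHCInUcastPkts": 8_049_500,
        "ifInErrors": 494, "ifHighSpeed": 1000}   # error counter wrapped
FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "bytes": 9_000_000_000},
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 443, "bytes": 6_000_000_000},
    {"src": "192.0.2.22", "dst": "198.51.100.9", "dport": 445, "bytes": 5_000_000_000},
    {"src": "192.0.2.31", "dst": "198.51.100.7", "dport": 53, "bytes": 1_000_000},
]

def delta(new, old, bits):
    """Counter difference that tolerates one wrap between polls."""
    return (new - old) % (1 << bits)

def elemental_view(prev, curr, interval_s):
    """Utilization and input error ratio for one port from two counter polls."""
    octets = delta(curr["ifHCInOctets"], prev["ifHCInOctets"], 64)
    pkts = delta(curr["ifHCInUcastPkts"], prev["ifHCInUcastPkts"], 64)
    errs = delta(curr["ifInErrors"], prev["ifInErrors"], 32)  # Counter32
    speed_bps = curr["ifHighSpeed"] * 1_000_000               # reported in Mb/s
    util_pct = 100.0 * octets * 8 / (interval_s * speed_bps)
    total = pkts + errs
    return {"util_pct": round(util_pct, 2), "errors": errs,
            "err_ratio": round(errs / total, 4) if total else 0.0}

def flow_view(flows, top_n=2):
    """Top conversations by bytes; flow export covers forwarded traffic only."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src"], f["dst"], f["dport"])] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:top_n]

if __name__ == "__main__":
    print(elemental_view(PREV, CURR, 300))  # how busy, and how damaged
    print(flow_view(FLOWS))                 # who is talking, and how much
```

On the constructed data, the counters report 60% utilization with 500 errored frames, while the flow records name the top talkers and contain no trace of those errors.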
Tip #5: Monitor the right things.
Traffic monitoring allows you to understand the network elements and traffic profiles, assuming that administrators are monitoring the right things and doing so in an automated fashion.
Identify the conditions that are important in the environment, particularly where there might be congestion. You need to know about the level of performance and traffic volume, as well as things like errors occurring across circuits.
Tip #6: Never equate the level of circuit utilization with the happiness of users.
Performance isn’t as simple as circuit utilization. You can easily have a nearly full circuit running high utilization with happy users and another circuit of the same specification running low utilization with unhappy users submitting tickets galore. Unpredictability and slow responses have a diverse range of root causes, and the utilization rate isn’t necessarily the key. When it comes to evaluating network performance, remember the following pearls of wisdom:
- Each network route has its own timing implications.
- Most connections involve many hops through different equipment and connections. The problem could be way downstream.
- Understanding network dependencies and topology is key to avoiding blind spots and failure.
- Your connection to the Internet alone, no matter how busy, is not an indicator of root cause. Awareness of the complete traffic path, and not just one part of it, is necessary.
Tip #7: Don’t ignore the complexity of network topology.
Often, something of a “big fluffy cloud of connectivity” misconception arises when thinking about the network, usually among those focused on the care and feeding of servers and applications. The problem is that if the network is considered an amorphous contrivance that connects all compute hosts, the complexity of topology (interconnection, circuitry, bottlenecks) is ignored.
When it comes to traffic analysis, understanding network topology helps identify where paths might be busier and why. The reality is that the network is always subject to weaknesses and limitations, no matter how up-to-date and well configured. When those weaknesses and limitations are overlooked, technological peril ensues.
“Whenever there’s a problem, it’s the network’s fault until admins or analysts can prove otherwise. What they should strive for is to reduce the mean time to innocence.” – John Diamond, Senior Solutions Architect, Entuity