Passive Network Monitoring
A passive network monitoring protocol is used to understand how an IP network is used. This is done by collecting statistics about the user traffic that is traversing the switches and routers of the network infrastructure. NetFlow is one of the most well-known passive protocols used to analyze network traffic entering and leaving a router’s interface. The first version of this protocol was developed and released by Cisco in 1996. Along with NetFlow, there are both proprietary alternatives, like J-Flow (developed by Juniper Networks), and open ones, like sFlow.
A traffic flow is a sequence of packets from a source computer to a destination one.
RFC 2722 defines a flow as “an artificial logical equivalent to a call or connection”. Since the architecture of a NetFlow tool is similar to other protocols’, let’s describe a NetFlow packet, and what are the components of a NetFlow solution. For each flow, a NetFlow packet records the ingress interface, the source and destination IP addresses, the IP protocol, the source and destination TCP or UDP ports, and the Type of Service.
This information is collected by a flow exporter, running on a router or switch, which aggregates these packets into flows, and then sends this information to a NetFlow collector. The NetFlow collector then stores and pre-processes this data, which can be analyzed by user applications to report network utilization, consumption, and also detect improper behavior or unauthorized access.
NetFlow (or whichever flow-based protocol your network equipment supports) is a must-have tool for a network administrator. Such a tool give you visibility into your network traffic, and tells you who the “top talkers” (the users that are sending the highest amount of traffic) are and which applications are consuming the most bandwidth. This is something that SNMP, by itself, does not offer. In fact, as I explained in my previous blog post, “SNMP vs NetBeez”, SNMP is solely used to the get the status of network devices and their resources.
The protocol relies on a software agent that runs on each monitored device and replies to queries from a network management server (NMS). The NMS, also called SNMP poller, periodically requests each device utilization values of its resources to get a status update and verify that it’s working properly. If the value of one or more resources reported by the agent exceed a threshold set by the administrator, the server will generate an alert for the network administrator.
An SNMP agent uses port UDP 161 to receive requests from a poller. SNMP can also be used to apply configuration changes to devices and, if needed, to send notifications, called traps, to an SNMP trap receiver when an event that requires administrative attention happens on the device itself. An SNMP trap could be generated if, for example, the network interface of a router goes down or if a BGP neighbor becomes unreachable. By default, SNMP traps are sent via UDP to port 162.
So what’s the difference between NetFlow, or comparable protocols, and NetBeez?
These two tools are complementary, let me explain how:
NetBeez performs continuous tests and measurements on network and application performance, verifying that users have connectivity and good performance to intranet or cloud applications. Should NetBeez detect a performance degradation issue in the network, NetFlow data can be analyzed to verify if this degradation is caused by oversubscription of network bandwidth.
Let’s take for example the case where a PING test in NetBeez is alerting that the round trip time to one target has increased, like in the example below:
The network administrator can immediately inspect the traceroute data associated to that target and see on which segment of the network path between the source (the monitoring sensor) and the destination (the target) the performance degradation is occurring:
Network Traffic Analysis
Once the network administrator has individuated the trace-route data, the hop (router) that is introducing the increased round trip time of the PING test, he or she can then verify if the interfaces of that router are oversubscribed by user traffic. In that case, the network administrator could remedy this situation by implementing Quality of Service to prioritize business sensitive applications or decide to increase the link capacity of that specific network segment.
I hope that this article was helpful in explaining the difference between passive and active network monitoring tools. If you would like to learn more about NetBeez, feel free to request a demo with one representative of our team.