Network Monitoring: A Reference Guide

Whether you’re looking to monitor an enterprise infrastructure or reduce troubleshooting time, this article will equip you with the knowledge needed to make informed decisions about network monitoring tools. In this article, we’ll review the importance of network monitoring, the different types of tools, and what are the benefits of network monitoring. We will also provide a brief overview of NetBeez, an active network performance monitoring tool we developed to help network teams be proactive and cut troubleshooting time.

Table of Contents

What is network monitoring?

Network monitoring is the process of verifying the availability and performance of a computer’s network. This task involves the periodic check of the operational status of network equipment like routers and switches, along with the functionality of services and applications. The goals of network monitoring are to ensure that a network infrastructure functions as designed, reduce troubleshooting efforts, and minimize service downtime. Ultimately, by detecting problems as soon as they occur, network monitoring tools enables organizations to reduce the time to detect and resolve network incidents and performance degradation issues.

Why is network monitoring important?

Network monitoring has several advantages for organizations that operate and support a network infrastructure:

Fault Detection: Network monitoring tools detect and alert administrators about network faults, anomalies, or outages as soon as they happen. This proactive approach allows quick troubleshooting and minimizes downtime. For instance, NetBeez is a network monitoring tool that helps developing an historical baseline that can be used to detect changes in the network performance.
Network troubleshooting: Network monitoring tools provide the necessary performance and diagnostic data required to identify the root cause of network issues. NetBeez for example provides information about how many remote network locations are experiencing an outage, helping isolate the root cause.
Performance Optimization: Network performance monitoring helps identify bottlenecks, congestion, and other issues that can degrade the end-user experience. By tracking network traffic and resource utilization, administrators can optimize network configurations to maximize uptime and performance.
Resource Planning: Network monitoring assists in resource planning by providing insights into current usage trends. This information helps organizations forecast when the network and its systems require upgrades, how to manage capacity, and when to replace the hardware.
Security Enforcement: Monitoring tools are vital to detect unusual network activity or security breaches. By tracking network traffic, network monitoring tools log and report unauthorized access attempts. Security teams can respond promptly to potential threats and vulnerabilities.
Compliance and Reporting: Many industries and organizations have specific regulatory requirements for network security and data protection such as PCI and HIPAA. Network monitoring tools generate reports and logs that can be used to demonstrate compliance with these standards.
Quality of Service (QoS) Management: Most organizations support real-time communication services such as VoIP or video conferencing. Network monitoring helps ensure that the network has low latency, jitter, and packet loss.

Types of network monitoring tools

There are three main types of network monitoring tools:

SNMP-based tools
Passive network monitoring
Active network monitoring

Each type has a specific function, set of functionalities, and vendors. Some vendors offer solutions that incorporate all three types of network monitoring, while some vendors specialize in one specific type. Small companies that have simple requirements tend to select all-in-one solutions, as they may reduce Total Cost of Ownership and reduce complexity. Medium to large organizations tend to have more complex requirements thus generally select specialized solutions for each cateotory. The following table lists the main function and limitations of each type of network monitoring solution.

Type	Function	Limits
SNMP	Report the status and performance of network devices.	Doesn’t capture the end-user experience, but only the status and performance of network devices.
Passive	Capture traffic to identify network activity, application performance, and security incidents.	Reactive network performance monitoring as it relies on real network traffic.
Active	Continuous synthetic monitoring to measure end-to-end performance and proactive alert of network issues.	Requires installation of a dedicated hardware or software monitoring agent.

SNMP-based tools

The Simple Network Management Protocol (SNMP) is an Internet standard used to request information from a device like a router, switch, or server, about the status of its resources, such as CPU, memory, and network interfaces. This class of tools is the first one to be developed and introduced in the 1980s. As a result, SNMP tools tend to be the common denominator of network monitoring for most network infrastructures. SNMP is mostly used for IT infrastructure monitoring.

The following diagram represents the different SNMP components of a typical installation.

SNMP components

Managed devices – Any network device that needs to be monitored for availability and performance or managed by pusing configuration requests. Managed devices can be routers, switches, servers, and any appliance that can run an SNMP agent.

SNMP agents – This is the client software that runs on the managed devices to reports the status and perforamnce data to the SNMP manager. By default, SNMP agents use port UDP 161 to receive requests from SNMP managers. Agents can also send traps to SNMP managers when a certain event happens, such as a failure or a resource crosses a certain threshold. Traps are sent, by default, to port UDP 162 to the SNMP maanger.

SNMP managers – These are the servers that manage and periodically query the SNMP agents running on managed devices. They request data from SNMP agents, process it, and can send commands to alter device settings.

SNMP MIB and protocol

SNMP MIB – A MIB (Management Information Base) describes the data, and defines its structure, that can be queried to an SNMP agent. MIBs organize in a heriarchical way object identifiers (OIDs). Vendors publish their MIBs so that network administrators can import them the SNMP manager so they can integrate it with a specific device. Most vendors typically supports a set of standard MIBs for its nodes. Each vendor can also develop custom MIBs for specific, proprietary functionality. The SNMP MIB provides a method for registering a company’s OID that is inserted into the master MIB tree. For instance, NetBeez’s root OID is 1.3.6.1.4.1.44523.

SNMP protocol – The SNMP protocol has a set of well defined queries that can be exchanged between SNMP agents and managers. For instance, the function snmpget is used to request information on a network entity with one or more OIDs that may be given as arguments to the command. The function snmpset is used to set a parameter on a network entity.

snmpget

The following image shows an SNMP poller (synonym for manager) that executes an snmpget against an SNMP agent to request the managed device’s hostname, which is returned as a string (gonzo). In this case, the MIB named SNMPv2-MIB translates the OID 1.3.6.1.2.1.1.5 with the resource sysName.0 so human can understand what’s the resource queried (this is quite similar to the DNS resolution system).

snmptrap

On this image, we see a different functionality of SNMP. Here, an SNMP agent generates an trap to an SNMP manager (in this case also called receiver) to alert about a failure. The OID of the trap is 1.3.6.1.4.1.44523.1.12.3 which is associated with the NetBeez BeezKeeper MIB. As mentioned before, SNMP traps enable network devices to report that something is wrong to an SNMP server, so it can alert the network administrator. In this case the SNMP agent is the NetBeez server reporting an alert.

Passive network monitoring

Passive network monitoring is a technique that relies on intercepting network traffic to identify network activity, links utilization, and application performance. By doing so, a passive monitoring tool can reveal what users, applications, and protocols are generating network traffic. This methodology has also application in security and forensics analysis, as it provides a method to incerpt traffic. There are three ways to passively monitor a network: network TAP, SPAN port, and flow-based protocols. Let’s briefly introduce each one of them.

Passive network monitoring components

Passive network monitoring tools generally have two main components:

One or more devices that capture the network traffic or generate flow statistics. As we’ll see in the next section, there are three main types of capture devices: Network tap, SPAN ports, and flow protocols.
A collector server that stores the data for historical analysis and runs the management and reporting dashboard. In the case of large deployments, collectors may scale into multiple hosts with hyerarchical architecture where a master node orchestrate one or more child nodes.

There are three main types of devices that collect passive monitoring data:

Network TAPs are dedicated devices that are installed in-line where the traffic has to be analyzed. A network TAP replicates the entire content of the frames (layer 2) flowing across. For this reason, network TAPs are generally preferred for deep packet inspection. Many SIEM (Security Information and Event Management) tools adopt this technology to proactively identify and mitigate potential security breaches or attacks.

SPAN (Switch Port for ANalysis) ports, which are created on a switch by instructing it to send a copy of the traffic from a specific port or VLAN to another port on the switch itself or on another switch that has been connected to a network collector. SPAN ports are able to copy the entire packet, including its payload.

Network devices that generate flow data and analysis. Flow data is generated by sampling network traffic and extracting certain information from it. This type of passive analysis doesn’t capture the full content of a packet, but just its header, so it’s mostly appropriate for protocol and traffic statistics.

The following picture represents the three different types of passive monitoring implementations just explained: Network tap (top), SPAN port (middle), and flow protocol (bottom).

Common flow protocols

The first version of a flow protocol was released by Cisco in 1996 with NetFlow. Since then, several proprietary and open protocols have been developed. The most important ones are:

NetFlow – This proprietary protocol by Cisco is currently on version 9. Netflow provides different statistics about the traffic captured, mostly at the network (layer 3) and transport (layer 4) level. By default, NetFlow records are sent to a collector via UDP port 2055.
SFlow – This industry standard protocol stands for “sampled Flow” and allows network routers to send flow statistics from the data link (layer 2) to the application (layer 7) level. For this reason, SFlow has applications in MPLS and other “layer 2.5” networks. SFlow is supported by many networking vendors, such as Alcatel-Lucent, Arista, Brocade, Cisco, Dell, Extreme Networks, etc.
IPFIX – IPFIX, which stands for “IP Flow Information Export”, is a standard-based protocol (RFC 3917) that was created to export IP flow data from network devices like routers and probes. IPFIX integrates with accounting and billing systems as well ass network management systems.
Jflow – Proprietary protocol developed by Juniper Networks.
CflowD – Proprietary protocol developed by Nokia.

Active network monitoring

Active network monitoring is a technique that works by generating synthetic traffic and applications transactions to verify the correct functioning of a computers’ network, including its services and applications. Unlike passive monitoring, which captures network traffic as it flows, active monitoring continuously injects test traffic in the network to assess its performance. For this reason, by continuously testing the network, its services, and applications, this method provides quick detection. In many situations, active network monitoring helps identify potential issues before they impact users or services.

Active network monitoring architecture

Active network monitoring tools are composed by a set of distributed agents managed by a central server. The central server hosts the database and the dashboard. The remote agents runs the performance tests, collect the tests’ results, and send the data to the central server. The central server analyzes the metrics, computes baselines, generates alerts, visualizations, and notifications. Differently from SNMP tools, in which monitoring is performed by the server, active tools monitor the network, its services and applications, from the several locations where the agents are installed. For this reason, active network monitoring is a type of distributed network monitoring as it relies on several vantage points.

Active network testing

As we mentioned, real-time network testing is performed by software agents or hardware sensors installed in key strategic points of the network, including users’ laptops and desktops. Active tests report real-time data such as end-to-end connection, packet loss, jitter, bandwidth, DNS and HTTP response time. Specialized wireless sensors retrieve even more data about enterprise WLANs, such as WiFi connection timing, association, and authentication failures. The following table reports some of the performance tests run by NetBeez, an active network monitoring solution.

Test Name	Performance metrics
Ping	Round-trip time, packet loss, jitter, MOS
DNS	Resolution time, failure rate
HTTP	HTTP response time, failure rate
Traceroute	Per hop: Round-trip time, MTU
Path Analysis	Per hop: Round-trip time, ASN, geolocation
Iperf	Bandwidth, packet loss, jitter
Network speed	Download, upload, and latency
VoIP	MOS, packet loss, jitter, latency

Benefits of network monitoring tools

SNMP benefits

Benefits of SNMP-based tools include:

Simplicity: SNMP has a simple client-server architecture that is easy to understand and straightforward to implement. That doesn’t necessarily mean that all SNMP tools are easy. Considering the ease of setup should be evaluated during the trial phase.
Device Monitoring: SNMP provides visibility into network device status and performance, enabling quick alerting upon failure or performance issues.
Scalability: In general, SNMP can scale to accommodate networks of varying sizes, from small local networks to large enterprise infrastructures. Scalability may also be a function of the number of servers required to monitor an infrastructure (horizontal scaling).
Interoperability: SNMP is vendor-agnostic, allowing it to work with a wide range of network devices and manufacturers.

Passive monitoring benefits

The benefits of passive monitoring are:

Diagnostics: Since passive monitoring captures real network traffic, it can be used as a microscope to diagnosign network issues. In fact, network administrators can capture any packet that flows through a link, and that gives full visibility. This makes it very helpfup to troubleshoot problems with applications’ transactions, wireless drivers, and specialized hardware that has a network interface and custom TCP/IP stack. To conclude, we consider this network troubleshooting method more a reactive one than a proactive one.
Capacity Planning: Passive monitoring tools analyze traffic patterns over time, allowing to identify the top traffic originators in terms of hosts, network locations, and applications or protocols. This information helps organizations plan for future network capacity needs. By understanding current usage trends, administrators can make informed decisions about scaling the network infrastructure to accommodate growing demands.
Threats detections: By observing normal network behavior, passive monitoring can easily detect anomalies or deviations from the baseline. Unusual patterns in traffic, unexpected data flows, or irregular protocol usage can indicate security threats, such as Distributed Denial-of-Service (DDoS). This visibility enables timely responses to potential breaches. In the event of a security incident, passive monitoring data can also serve as a valuable resource for forensic analysis.

Active network monitoring benefits

Benefits of active network monitoring include:

Quick detection of network problems – By constantly running tests that verify network availability and applications performance, active network monitoring is able to detect problems as soon as they occur. This monitoring technique is highly complementary to SNMP monitoring and passive analysis, as it provides the first way to get alerted about network outages that are not necessarily caused by device failures or bandwidth saturation.
Continuous performance measurement – Since active network monitoring keeps generating network traffic, it continuously computes network performance metrics such as bandwidth available, response time, and packet loss. Differently from passive analsys, which only measures performance when there’s actual user traffic, active network monitoring provides a better baselineas as the measurements are 24x7x365.
Service assurance – Active monitoring helps organizations track and meet SLA (Service Level Agreements) commitments by continuously assessing network performance against agreed-upon benchmarks. Deviations are detected in real-time, allowing for swift corrective actions.
Monitoring of third party networks and services – This is a key benefit of active network monitoring. SNMP and passive tools can only monitor internal networks because they either require access to the network devices or the installation of a physical probe. Differently from those tools, active ones can also monitor third-party networks and services. Take the example of measurements like traceroute or path analysis.
Digital experience monitoring – Active tools provide a way to analyze the end-user experience with digital services, SaaS applications, websites, and other online assets. By monitoring various metrics such as page load times, transaction success rates, and error rates, organizations can optimize their digital services, enhance user satisfaction, and troubleshoot user complaints.

Network monitoring tools best practices

The network monitoring tools market is one of the most competitive in IT. The Stanford Linear Accelerator estimates that exist more than 700 network monitoring tools. For this reason, when shopping for a tool, it’s important to have a good idea on what are the requirements that needs to be prioritized. The following functionalities are some things to consider when evaluating a network monitoring tool.

Polling frequency

Polling frequency determines how often the data is fed into the network monitoring server for alert processing and real-time visualization. The shorter the polling interval and the faster the detection of incidents or potential network issues.

Data Granularity

This determines how fine grained is the availability and performance data that is available on the monitoring dashboard. When troubleshooting performance anomalies, raw data is better suited than sampled data as it provides better visibility into performance changes. Granularity helps cutting troubleshooting time.

Data retention

Data retention is another important factor for historical performance analysis. Generally, data retention is a function of the type of data that needs to be stored and the amount of storage available. For instance, SNMP data and performance metrics obtained with active network monitoring require less space per data point than a full packet capture. As a result, passive tools typically have a shorter data retention span due to the amount of data collected. Another factor to consider is whether the tool is hosted by the vendor (e.g. SaaS) or self hosted. In SaaS tools, there’s less flexibility in the configuration of the data retention period because it’s hosted by the provider. For this reason, it’s important to pay attention to what’s included in a plan.

Alerting profiles

It’s important to consider what type of failures are detected by the alert profiles. Most of tools can customize alert rules and send notifications about certain problems occurring within the network, applications, or services monitored. The alerts can be displayed in the dashboard or propagated via email or other mean to the appropriate recipients or systems.

Scalability

For medium and large network environments, scalability is a mandatory requirement. If a tool doesn’t scale, it will cause issues from the get go or down the line. For example, when evaluating an SNMP tool, it’s very important to factor what’s the maximum number of devices that can be monitored. In the case of a passive network monitoring solution, it should be evaluated what’s the data rate that the collector can ingest. Lastly, for active network monitoring tools, review the number of agents that can be managed, as well as the number of tests results that can be processed every second.

Interoperability and integrations

A monitoring tool is an essential network management component that is integrated with other systems and applications to exchange or correlate relevant data. This include ticketing systems, other types of monitoring tools, logs processors, accounting tools, etc. For this reason, tools should not only support standard protocols such as SMTP, SNMP, and syslog, but also integrations with third-party tools.

Deployment options

Some network monitoring tools can be hosted on-premises, others are purely SaaS based, others support either on-prem or SaaS. When thinking about where a monitoring tool should be hosted, it’s important to consider the price, ease of management, security, and regulatory requirements (in the case some of some industries where data location is enforced).

Complexity

Usability and amount of training required will impact the effectiveness of the tool. Adopting a solution that requires long extensive training and that few users have the ability to manage and use, will diminish the value of this tool. When other features are equal, pick the tool that has the simplest and easiest interface.

Other factors left out in this analysis include the technical support model, the licensing terms, and the platforms supported.

Network performance monitoring with Netbeez

NetBeez is a network performance monitoring and performance testing solution designed to help organizations ensure the reliability and efficiency of their computer networks. It provides real-time insights into network performance by actively monitoring the network from the end-users’ perspective. This is done by deploying distributed agents that run end-to-end continuous tests to other hosts, NetBeez agents, or applications. Setting up monitoring with NetBeez requires few simple steps.

If you don’t have a dashboard, go to the NetBeez homepage and request a demo or free trial. Once you get your dashboard, follow the onboarding process.

Deploy network monitoring sensors

Install the NetBeez agents at the network locations and on the end-user devices you want to monitor. Follow the installation instructions from the online documentation. NetBeez provides two types of complimentary monitoring options:

Network agents are hardware, virtual or software appliances that get installed on-premise at remote branch offices, public clouds, and data centers. The data collected by these units will help you understand what is the overall zoom performance globally or locally speaking. For instance, if all the agents find a performance issue with Zoom, that means it’s a problem within the Zoom cloud and network. On the other hand, if only one or a subset of these agents report issues, then it’s more a localized problem within the network where these agents are deployed.
Remote worker agents are software clients for Windows or Mac operating systems. The data collected by these units will help you understand what is the Zoom experience of the user where the agent runs. Complementing this data with that from network agents will help you compare the end-user performance, and identify the root cause of end-user experience issues. Bottom line, these agents are vital to monitor the network of work from home and remote employees.

Select what targets to monitor

Go to the Targets tab and create targets. NetBeez provides three types of targets to monitor:

SaaS, which is a third-party hosted application such as MS Office, Zoom, or Salesforce.
Target template, such as a website, a VPN connection, a local gateway, and a DNS service.
Custom target, where the user select the destination host, the tests to run, and the alert profiles.

Setup alerts, emails, and notifications

Check on the Anomaly Detection section what type of alerts you want to enable. Configure the alert settings, such as the threshold and notification method. By default, NetBeez generates alerts when a target is not reachable or when there’s a performance degradation. Notifications enable network administrators and support teams to get an email or a page when this happens.

NetBeez supports sending notifications via SMTP, SNMP, Syslog, webhooks as well as integrations with third-party systems such as ServiceNow, MS Teams, Slack, and PagerDuty.

Key features

Active Monitoring: NetBeez actively tests network connectivity, application performance, and end-user experience by simulating user interactions with applications and services.
Distributed Agents: NetBeez uses distributed agents placed strategically within a network. These agents continuously monitor network performance from different locations, providing a comprehensive view of the network’s health.
Real-Time Alerts: The platform generates real-time alerts when it detects network problems, allowing IT teams to respond quickly to minimize downtime and user disruptions. The user can define alert profiles based on up-down detection, performance baseline, or threshold based.
Historical Reporting: NetBeez offers historical reporting and analytics, with data retention up to 2 years. As a result, the extended data retention enables IT administrators to analyze network performance trends over time. This data helps in making informed decisions for network optimization and capacity planning.
Multi-Platform Support: NetBeez supports various platforms and devices, allowing businesses to monitor network performance across different environments and operating systems. The network monitoring agents can be Ethernet, Wi-Fi, virtual, and Docker-based appliances or Windows, Mac, and Linux software clients. The server can run on-prem or hosted in the cloud.
User Experience Monitoring: NetBeez focuses on monitoring user experience, providing insights into how end-users are experiencing network services and applications. This user-centric approach helps in identifying and addressing issues that directly impact users.

Use cases

Digital Experience Monitoring: Analyze the performance of digital systems and services by tracking the digital experience from the end-user perspective.
Network Performance Monitoring: Run continuous, end-to-end tests to ensure the network infrastructure well performs, proactively identifying and resolving issues.
Remote Worker Network Monitoring: Extend network performance monitoring to the home office with Windows and Mac endpoints.
WiFi Monitoring and Assurance: Monitor Wi-Fi from the client perspective to deliver reliable and secure wireless connectivity to mobile users.
Hybrid Cloud Network Monitoring: Ensure connectivity, performance, and reliability of your private and public cloud networks.
SaaS and Application Performance: Verify the end-user experience and performance of SaaS and hosted applications.

Conclusion

Network monitoring is a vast topic that requires proper attention and consideration. As mentioned, it has many benefits, but different ways to achieve them. Network administrators responsible for operating and supporting an infrastructure needs to understand all the facets of network monitoring. NetBeez is a network monitoring tool that offers a simple way to verify performance and availability of enterprise networks, including corporate WLANs, cloud networks, and work-from-home users. Sign-up for a free trial, or request a demo.