What is network monitoring?

Network monitoring is a complex and vital topic for any company. Knowing its benefits and sub-areas is crucial.

Network monitoring is one of the processes that makes up the larger topic of network management. Network monitoring is a multifaceted endeavor that deals with keeping track of what is happening within a network in order to discover issues, act upon problems, optimize performance, and maintain network efficiency. This is done through a network monitoring software that takes care of collecting metrics, analyzing and presenting them to network administrators so action can be taken, whenever necessary.

What was once a simple task for the limited extensions of networks of old has become staggeringly complex as networks have grown ever larger and more varied. Different network monitoring protocols have been created along with the tools to effectively monitor a network in order to help administrators wade through the numerous hosts and devices in need of monitoring. Network monitoring metrics collected through these protocols and network monitoring services that make use of them are at the core of what is network monitoring.

Network monitoring does not only include monitoring the health and performance of a network. It also includes subtopics like network performance monitoring, network security monitoring and plenty of others. All or most of these are supported by a network monitoring system, that grants the administrator an holistic view of the infrastructure.

A high performance network is at the core of all companies’ IT. It consists of ensuring that the network infrastructure is operating to the best of its capabilities, without bottlenecks, hiccups, or errors. It is of vital importance for the whole company. To offer its products or services, and for its employees to work effectively, an efficient network is crucial. Regardless of the company’s industry, maintaining business operations necessitates a fully functioning network. A slow or unreliable network causes disruptions and loss of millions in image and disgruntled customers.

Network monitoring is there to prevent all this. Or, at the very least, to quickly act when network issues arise. Without any monitoring system at work that can do network performance monitoring and in general monitor the network, it is impossible to identify potential problems in advance. Administrators are left to react after problems have occurred, lacking any way to identify them in time and to effectively know their causes. Even worse, without accurate monitoring it becomes guesswork as to where and why the issue occurred, with no guarantee of prevention.

The benefits of network monitoring are easy to imagine. A network monitoring service can firstly give the administrator a view, hopefully the most comprehensive possible, of the whole network. Knowing where components are, how they are working, and when they are not is a clear benefit that needs no explanation.

A correlated benefit of network monitoring is in creating a topology of your infrastructure. By monitoring all your hosts it is possible to create a map of all the hardware and software present in your network. This, along with monitoring the performance of each component, can tell you where more powerful hardware is necessary, where it is not scaling properly, where there are traffic congestions and so on. This gives you the important benefit of knowing where the infrastructure needs to be updated or upgraded without actively having to check it, piece by piece.

A more subtle benefit of network monitoring is the increased security. By having a complete view of the hardware and software running, it is easy to notice all the changes as they occur. When using a real time monitoring-capable tool these changes can be immediately seen, and measures taken in cases of compliance or security violations. Network monitoring is therefore important not only on a practical level but on a legal and security one.

Monitoring networks is done with the use of various network protocols and a suite of monitoring tools that commonly include at least a couple consisting of a service and a manager. More often, multiple services and managers. The service is also known as an agent, which may be pre-installed on network devices or has to be installed and configured manually. The manager is the software that collects data from across the network and analyzes it, creating reports, dashboards, and handling alerts. This manager is the central monitoring software, usually installed on a network monitoring server. Agents are often present but not anytime, as monitoring through vendor APIs is a recent development of network monitoring that does without the need of an agent.

The job of monitoring the network comprises collecting metrics and sending them to the manager, which takes care of configuring the whole network monitoring system. The data to be analyzed, how to present them, under what conditions to trigger an alert, set up actions to automatically act on events and more is done at configuring time by the network administrators. How to do it all depends on the network monitoring tool of choice.

Not only is monitoring the hosts and relative services possible through a monitoring solution but managing them is usually possible as well. This includes, among other possibilities, configuration capabilities that allow the administrator to remotely set up and modify the configuration of network devices. Managing your network is therefore often done through the use of a monitoring manager.

It is easy to think for too long about what needs to be monitored when setting up a solution. Given that every device has to be set up, usually, for monitoring, and that the more monitored devices, the more collected data, it is understandable to try to skip some devices. Every new set of data is a burden in terms of both computing and human time, and some administrators may find it reasonable to try to minimize the monitoring to only what matters to them most. However this means excluding important pieces of your infrastructure, that can be both the cause and the explanation of future issues.

Therefore the answer to what network components need to be monitored is: all of them. You should always attempt to monitor your entire IT infrastructure – and preferably with an all-in-one approach. Only by taking a holistic approach to network monitoring is it possible to have a complete, and consequently more accurate, view of what is happening on a network. Ignoring part of the infrastructure creates the risk of having tiny, apparently innocuous, blind spots in your monitoring. Yet, as all it is interconnected, these ignored spots will sooner or later be the cause of problems and disruptions, which could have been avoided if they were monitored from the beginning.

Considering specifically what components to monitor, network monitoring is generally about checking devices like routers, switches, access points, firewalls, sensors, UPSs, network printers, etc. These are only the bare minimum though. All hosts, regardless of whether they are running Windows, Linux, Unix or anything else, will have to be included in network monitoring, along with virtual and cloud servers. A modern network monitoring service is naturally capable of monitoring all these types of devices, real or virtual.

The most obvious parameters to monitor are those that directly indicate a not so healthy network: packet drop rates, error rates, bandwidth. Along with these, the state of the ports of your network devices through appropriate port monitoring. These metrics give you the basics of if and how the network itself is working.

In coordination with the above, knowing hardware-specific metrics like CPU temperature and usage, occupied and free RAM, fan speeds, power supply’s voltages are vital for knowing the overall health of network devices. Along with the traffic metrics cited before, these give a mostly complete idea of what is or could cause problems.

Next, more service-related metrics are useful to collect. For firewalls, their general status, the number and type of open ports, and the active connections. In VPN monitoring, be aware of the status of the tunnels, and the level of availability as a minimum. For software in general, their version, their status (running, installed, stopped etc.), and eventual error messages are the first metrics to take into consideration.

Modern infrastructures have both wired and wireless network connections. WLAN monitoring means monitoring the status of all access points, their signal strength, the noise levels, and full list of connected devices. Since a functioning WLAN is highly dependent on external influences, it is essential for a company to include the infrastructure components for the wireless environment in the monitoring.

Network performance monitoring is preoccupied with the actual performances of the network, on how efficiently it operates, and in identifying bottlenecks. It aids network administrators and analysts in gathering network data, allowing them to measure performance variables and identify potential issues or risks. A monitoring tool analyzes the performance metrics, identifying where bottlenecks and congestions are, and helps to increase the throughput of the network once these are fixed.

Network performance monitoring is not only focused on fixing problems, but also on ensuring that the flow of information in your infrastructure is moving the speediest possible, with no interruptions. Otherwise, performance issues can cause anything from minor inconveniences, like intermittent disconnections, up to a network slowing down to a crawl, effectively making it unusable. By implementing performance monitoring in your larger network monitoring efforts it is possible to know where the network is struggling and why, and take action.

Network traffic is the sum of data moving across a network on a given moment. All packets going through a network constitute the overall traffic.

Monitoring the traffic is a key element of both network security and performance monitoring. Performance because knowing the origin and type of the packets will better inform you about the network’s requirements and shortcomings. Security because it is an important indication of possible malware, intrusions, and unauthorized usage of the network.

Network traffic monitoring is often, but not necessarily, network real-time monitoring as well. With a constant visualization of the flow of traffic it is easier to see where traffic originates and where it goes, which is basically what traffic monitoring is all about. While simple packet capturing is sufficient to understand how traffic behaves on a network, network flow monitoring is specifically designed to inform you of this. Specifically designed protocols like NetFlow have been developed to provide a clear and immediate view of network traffic trends. By extracting samples from the overall traffic, these allow you to monitor network traffic more efficiently compared to a general capture of every packet going through all your hosts, a rather expensive effort.

With all the benefits and importance of network monitoring, it is clear that the question should not be why monitoring but how. There are countless network monitoring services, with plenty of different features and focuses. To choose one, it is important to be aware of what they can monitor, what network monitoring protocols are supported, and how they monitor the network. Technical differences, like an agentless or agent-based monitoring solution or using vendor APIs to collect metrics, are to be considered as well before deciding on a particular network monitoring software solution.

These are the fundamental, technical, deciding aspects for getting started with network monitoring. We will discuss them one by one in the following sections.

While the absolute best network monitoring tool is an imaginary concept, a few features have to be present to even consider a monitoring system as the “best” one.

Often network monitoring’s necessities fall into five main parameters. The first, monitoring the health and performance of your network, means having at least SNMP support in your monitoring service. This is a fundamental protocol in monitoring that is specifically designed to check the overall health of network devices, and can also manage them.
The second is monitoring the flow of your network traffic. A tool that supports protocols like NetFlow, IPFIX, and sFlow is optimal here, as these protocols are all about tracking the general directions of network traffic. These protocols are insightful for upgrade planning, performance monitoring, and disruption-prevention.

The third is an active tool that can monitor your network for issues, in as close to real time as possible, and generate alerts on events. This is often one of the most sought after features, and with good reasons. Being able to continuously monitor an infrastructure and be at ease knowing that an alert will be generated when problems are found is a key parameter in network device and service monitoring.

Fourth, a monitoring tool that can present the collected data in an easy-to-read manner is an often underrated feature. Visual dashboards, a network topology map, and only a few clicks to highlight an issue are important aspects of a modern monitoring system that are not always supported. By accessing collected information more rapidly,  it becomes quicker to understand issues and to take a decision on them.

The fifth and last parameter, a network monitoring service that can do IP monitoring and scanning is important to automate the discovery step in monitoring new and existing infrastructure. It is helpful to keep the topology of your network updated, in a semi-automatic way.

The exchange of metrics for network monitoring is done through the use of a network monitoring protocol. There are many of them, not all of which are supported by all network monitoring systems, and some are also not in use anymore.

The major one is still SNMP (Simple Network Management Protocol). It includes not only monitoring capabilities but also the managing of the supported devices. It is a widespread protocol that is already pre-installed on many network routers, switches and more. SNMP monitoring is a vast topic, with its dedicated page.

After SNMP, in order of usage if not importance, are the family of flow-based protocols: NetFlow, sFlow, IPFIX. These are designed to analyze the network traffic “flows” and are thus especially useful in network performance monitoring and security monitoring. When referencing to Network flow monitoring usually one of these protocols has been implemented.

All these protocols are OS-agnostic. They work equally well in Linux network monitoring and Windows network monitoring. A specific protocol for Windows network monitoring protocol is WMI, with capabilities that mimic those of SNMP in addition to adding a few more features. Under Linux, log analysis through an implementation of the Syslog protocol or accessing each device with SSH are very rudimentary methods of monitoring.

For network traffic monitoring, RMON is often implemented as a traffic sniffer and analyzer. Being an extension of SNMP, RMON is found wherever SNMP is too, and comes pre-installed on many network devices.

The Simple Network Management Protocol (SNMP) does make use of agents in its monitoring. It may therefore seem counterintuitive to talk of agentless monitoring with SNMP. The reason is one of semantics. While usually a SNMP agent is pre-installed on many network devices nowadays, it is often configurationless, without required steps to start monitoring with it (other than perhaps activating it). The SNMP manager can poll it effortlessly, without the network administrator having to do anything.

In this specific situation, SNMP monitoring is considered agentless as the agent is transparent to the human by not requiring any tinkering, or pre-configuration. It makes SNMP act like the agent does not exist at all, as with a proper agentless monitoring solution. Thus, while technically being an agent-based monitoring protocol, SNMP may also be considered agentless.

How to monitor a network depends on the specifics of a network and hardly is identical on two different networks. Still, a few best practices for effective network monitoring apply to any situation and company.

Port monitoring consists of checking the status and health of the physical ports on network devices. This means monitoring your router and switch ports, but is not limited to these. Port monitoring adds a further layer of protection against disruptions and intrusions that generic network monitoring cannot offer.

This is because by monitoring your hardware ports it is possible to discover faulty ones, and replace or disconnect them before they cause an interruption on your network traffic. Duplex mismatches and configuration problems can be identified through a port showing a high rate of packet loss and errors. Without port monitoring this would have eluded the attention of any network administrator.

Problems related to cables, like a failing or a poorly connected one, can be detected through port monitoring. Corrupted packets and connection being intermittently up and down can be caused by the cables, not necessarily the port itself. Yet through port monitoring these problems can be inferred.

Security-wise, a rogue user connected to one of your devices can be discovered through accurate port monitoring. Knowing the status of each of your network ports means identifying those that are in use, those that are not, and those that should not be. Security audit may require a port scan, which a network monitoring system that includes port monitoring can comply with. Thus port monitoring is also a component of network security monitoring.

IP monitoring scans IP addresses to identify and include devices to monitor. This means that after installation, the monitoring tool automatically starts a scan of the entire network, or of a specific IP range or subnet, and then automatically integrates the devices found into the monitoring process. In the ideal case, during the scanning process the monitoring software recognizes the type of device and  manufacturer and, based on this knowledge, automatically includes the relevant metrics into the monitoring.

But that is not all. IP monitoring, once the first scan is done, helps in monitoring changes relative to IP addresses in your network. Registered domains that point, or not, to the correct address, can be caught by monitoring software that supports IP monitoring. Any change that regards IP addresses is within the sphere of IP monitoring.

As a consequence of proper IP monitoring, monitoring software can take care of setting meaningful threshold values as standard. Exceeding or falling below these values will trigger an alarm or notification. Rules can be applied to edge cases or specific, perhaps temporary, necessities of a particular host.

IP monitoring helps in many cases but especially in two. For inexperienced administrators, it provides a layer of automation that can greatly ease the burden of monitoring and the worries related to it. By leaving the identification step to the network monitoring system through accurate IP scanning, errors and shadow IT are more easily avoided. When monitoring large networks, with hundreds or thousands of hosts, IP monitoring can set up the monitoring quickly and efficiently, allowing administrators to start monitoring the infrastructure in just a short time.

Large networks have an order of magnitude of complexity that makes them a separate category in the world of network monitoring. Network device monitoring may take a long time on a thousands hosts large network, and an excess of alerts is definitely a common problem. While it may be tempting to skip parts of the infrastructure, foregoing a holistic view of it, it is a poor choice. Ignoring some parts may be convenient initially but it leads to all sorts of future risks that a company is in no position to accept.

For monitoring large and complex networks with different locations and differently connected components, a monitoring software that works with a rule-based configuration is quite suitable. With a few simple steps, administrators can use rules to define a policy, such as monitoring only the error rate of all access ports, for monitoring a large number of similar devices. Using rules it is possible to apply the same setting to a large number of hosts, which immensely reduces the workload in configuring your monitoring setup. Alerts can be more focused, and useful, using rules: for instance, a terminal that is regularly switched off will be set to not trigger an alert, as it is not an exceptional case but routine behavior.

A policy can be applied to a large network with a handful of well-crafted rules. A rule-based monitoring solution then handles the monitored systems based on this policy. Changing the policy can be done anytime, with a few steps, and applied to a large number of devices all at once. Exceptions are also possible at any time and are documented via rules. Automation via rules makes it easier and less error-prone including new hosts in the monitoring.

Rules-based monitoring isn’t strictly necessary when dealing with a moderate amount of hosts. Small companies may operate without such a solution by using a standard network monitoring service instead. But for large infrastructures, rules can be the best solution to monitor the network.

A monitoring software that is able to detect all components in a network or in a specific IP range, and retrieve the data required for the monitored metrics, enables the administrator to obtain a holistic view of even complex network infrastructures. Via IP monitoring a complete view of the network can be presented in an easy to read dashboard, facilitating the identification of errors.

Often the network topology is given as an overview map, showing how the network is connected, virtually and physically. Network managers can navigate this network map, by clicking on the specific host that needs immediate attention. Other network monitoring tools display the network in a tree structure or as a table. The table display has the advantage that several pieces of information in a condensed form can be viewed at a glance.

It is not only the network topology that can be visualized in a holistic view. Some network monitoring tools support viewing performance parameters graphically as well. The current bandwidth, the status of individual ports, abnormal error rates can all be shown in a graphical map, which enables the network administrator to quickly identify patterns, such as expected or unexpected performance peaks.

All this is possible by implementing your network monitoring solution holistically, considering all the hardware and software, without exceptions.