Question


As a network manager, you are responsible for the operation of a network. You notice heavy traffic in a host that is on a TCP/IP network and want to find out the details. Propose a solution by explaining how you apply necessary network monitoring tool(s) and the related results?

Answer #1

Network monitoring is a difficult and demanding task that is a vital part of a Network Administrator's job. Network Administrators are constantly striving to maintain smooth operation of their networks. If a network were to be down even for a small period of time, productivity within a company would decline, and in the case of public service departments the ability to provide essential services would be compromised. In order to be proactive rather than reactive, administrators need to monitor traffic movement and performance throughout the network and verify that security breaches do not occur within the network.

"Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the network." -Orebaugh, Angela. Two Monitoring Techniques are discussed in the following sections: Router Based and Non-Router Based. Monitoring functionalities that are built into the routers themselves and do not require additional installation of hardware or software are referred to as Router Based techniques. Non-Router Based techniques require additional hardware and software to be installed and provide greater flexibility. Both techniques are further discussed in the following paragraphs.

Router Based Monitoring Techniques

Router Based Monitoring Techniques are hard-coded into the routers and therefore offer little flexibility. A brief explanation of the most commonly used monitoring techniques is given below. Each technique has undergone years of development to become a standardized model.

Simple Network Monitoring Protocol (SNMP) RFC 1157

SNMP [Cisco5606] is an application layer protocol that is part of the TCP/IP protocol suite. It allows Administrators to manage network performance, find and solve network problems, and plan for network growth. It gathers traffic statistics through passive sensors that are implemented from router to end host. While two versions exist, SNMPv1 and SNMPv2, this section deals with SNMPv1. SNMPv2 builds upon SNMPv1 and offers enhancements, such as additional protocol operations. Standardization of yet another version of SNMP, SNMP Version 3 (SNMPv3), is pending.

There are 3 key components to SNMP: Managed Devices, Agents, and Network Management Systems (NMSs).

Remote Monitoring (RMON) RFC 1757

RMON [Cisco5506] enables various network monitors and console systems to exchange network-monitoring data. It is an extension of the SNMP Management Information Database (MIB). Unlike SNMP, which must send out a request for information, RMON is able to set alarms that will monitor the network based on certain criteria. RMON allows Administrators to manage local networks as well as remote sites from one central location. It monitors at the Network Layer and below. RMON has 2 versions, RMON and RMON2; this paper only deals with RMON. RMON2 allows for monitoring of packets on all network layers. It focuses on IP traffic and application level traffic.

While there are 3 key components to the SNMP monitoring environment, there are only 2 in the RMON environment.

Netflow RFC 3954

Netflow [Cisco06] is a feature that was introduced on Cisco routers that gives the ability to collect IP network traffic as it enters an interface. By analyzing the data that is provided by Netflow, a network administrator can determine things such as the source and destination of the traffic, class of service, and the cause of congestion. Netflow consists of three components: flow caching, FlowCollector, and Data Analyzer. Figure 3 shows the Netflow Infrastructure.

The following information can be obtained from Netflow packets: [NetflowAbout06]

  • Source and Destination addresses
  • Input and Output interface numbers
  • Source and Destination port numbers
  • Layer 4 protocol
  • Number of packets in the flow
  • Total Bytes in the flow
  • Time stamp in the flow
  • Source and Destination autonomous system (AS) number
  • TCP_Flag and Type of Service (ToS)

Non-Router Based Techniques

Active Monitoring

Active monitoring [Active06] transmits probes into the network to collect measurements between at least two endpoints in the network. Active measurement systems deal with metrics such as:

  • Availability
  • Routes
  • Packet Delay
  • Packet Reordering
  • Packet Loss
  • Packet Inter-arrival Jitter
  • Bandwidth Measurements (Capacity, Achievable Throughputs)

Commonly used tools such as ping, which measures delay and loss of packets, and traceroute, which helps determine the topology of the network, are examples of basic active measurement tools. They both send ICMP packets (probes) to a designated host and wait for the host to respond back to the sender. Figure 4 is an example of the ping command that uses active measurements by sending an Echo Request from the source host through the network to a specified destination. The destination then sends an Echo Response back to the source it received the request from.

Not only can a person collect the metrics above from active measurements, one can also determine the network topology. Another common example of an active measurement tool is iperf. Iperf is a tool that measures TCP and UDP bandwidth performance. It reports bandwidth, delay jitter, and loss.

The problem that exists with active monitoring is that introducing probes into the network can be an interference to the normal traffic on the network. [UnivPenn02] Oftentimes the active probes are treated differently than normal traffic as well, which causes the validity of the information provided from these probes to be questioned.

As a result of the information detailed above, active monitoring is very rarely implemented as a stand-alone method of monitoring, as a good deal of overhead is introduced. On the other hand, passive monitoring does not introduce much, if any, overhead into the network.

Passive Monitoring

Passive monitoring [Curtis00], unlike active monitoring, does not inject traffic into the network or modify the traffic that is already on the network. Also unlike active monitoring, passive monitoring collects information about only one point in the network that is being measured rather than between two endpoints as active monitoring measures. In the setup of a passive monitoring system, the monitor is placed on a single link between two endpoints and monitors traffic as it passes along the link.

Passive measurements deal with information such as:

  • Traffic and protocol mixes
  • Accurate bit or packet rates
  • Packet timing and inter-arrival timing

Passive monitoring can be achieved with the assistance of any packet sniffing program.

Although passive monitoring does not have the overhead that active monitoring has, it has its own set of downfalls. [UnivPenn02] With passive monitoring, measurements can only be analyzed off-line and not as they are collected. This creates another problem with processing the huge data sets that are collected.

As one can see, passive monitoring may be better than active monitoring in that overhead data is not added into the network, but post-processing can take a large amount of time. This is why a combination of the two monitoring methods seems to be the route to go.
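A worked example of the Netflow part of this answer, added here and not part of the original answer: it decodes a constructed NetFlow export datagram into the fields listed above and totals the bytes the busy host exchanged per peer, protocol and port, which is the "details" the question asks for. The answer names no export version; using the v5 record layout (which carries exactly those fields) and the host addresses are assumptions.

```python
import socket
import struct
from collections import Counter
# NetFlow v5 layouts (network byte order). Assumption: the answer's field list matches v5.
HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte datagram header
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record

def parse_netflow_v5(datagram: bytes) -> list:
    """Decode every flow record in one export datagram into a dict."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than the v5 header")
    version, count = HEADER.unpack_from(datagram, 0)[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        off = HEADER.size + i * RECORD.size
        if off + RECORD.size > len(datagram):  # header count exceeds payload
            raise ValueError("truncated flow record")
        f = RECORD.unpack_from(datagram, off)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "in_if": f[3], "out_if": f[4], "packets": f[5], "bytes": f[6],
                      "first_ms": f[7], "last_ms": f[8], "sport": f[9], "dport": f[10],
                      "tcp_flags": f[12], "proto": f[13], "tos": f[14],
                      "src_as": f[15], "dst_as": f[16]})
    return flows

def top_peers(flows, host, n=3):
    """Bytes moved by `host`, keyed by (peer address, protocol, host-side port)."""
    totals = Counter()
    for f in flows:
        if f["src"] == host:
            totals[(f["dst"], f["proto"], f["sport"])] += f["bytes"]
        elif f["dst"] == host:
            totals[(f["src"], f["proto"], f["dport"])] += f["bytes"]
    return totals.most_common(n)

def _rec(src, dst, sport, dport, proto, pkts, octets, flags=0x18):
    # Pack one constructed record; nexthop, AS numbers and ToS are left zero.
    return RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, octets, 1000, 5000, sport, dport,
                       0, flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed datagram: hypothetical host 10.0.0.5 pulling 1.2 MB over TCP/443.
SAMPLE = HEADER.pack(5, 3, 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join([
    _rec("10.0.0.9", "10.0.0.5", 443, 51000, 6, 900, 1_200_000),
    _rec("10.0.0.5", "10.0.0.9", 51000, 443, 6, 300, 40_000),
    _rec("10.0.0.5", "10.0.0.53", 40000, 53, 17, 2, 150),
])
```

Feeding real collector output to `parse_netflow_v5` and calling `top_peers(flows, "<busy host>")` ranks the conversations that explain the heavy traffic.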
