
Types of Network Monitoring and Their Usage

Beginner’s Corner


UMBOSS Team

May. 8, 2024
8 min. read

The topic of network monitoring types is often a focal point in discussions on ICT management. Various dimensions can be used to categorize monitoring methods. In this post, we'll explore different classifications, outlining their key characteristics, applications, and briefly touching on monitoring for other ICT systems.

What is Network monitoring?

Before we discuss different types of network monitoring, it's essential to understand the fundamental concepts of network monitoring. Since it's challenging to explain what network monitoring is in just a few paragraphs, make sure to check out our previous blog post that serves as an introduction to the topic.

If you're still hungry for more information, we also recommend that you download our ebook: Introduction to Network and IT Monitoring for Rookies.

Types of Network Monitoring

There are various ways or dimensions you can use to define types of monitoring. The following sections analyze possible dimensions and categorizations, acknowledging that new ones can be easily defined.

Categorization based on the quality aspects

Engineers are generally interested in understanding various quality aspects of the network. Therefore, one can determine types of monitoring based on the qualities being observed. In that regard, one can distinguish availability monitoring, fault monitoring, performance monitoring, traffic flow monitoring, configuration monitoring, application performance monitoring, security monitoring, and others.

Categorization based on data acquisition methods

The method by which data is acquired from the network also determines the types of network monitoring. In that regard, one defines active polling monitoring, passive (data reception) monitoring, as well as streaming network telemetry – the method of real-time continuous monitoring from streams of data generated by network devices.

Categorization based on sources of network data

As already mentioned in one of our blog posts, there are multiple network monitoring protocols and data acquisition methods available for network monitoring. In terms of protocols, there are SNMP, Syslog, and Flow monitoring, as well as monitoring based on direct access to log files, specialized software and hardware probes, WMI, and the use of APIs (REST, SOAP, CORBA, etc.), as is the case for many element managers and cloud infrastructure service platforms used today.


Categorization based on network traffic interaction

Yet another categorization is the one that takes into account how the monitoring process interacts with the network traffic itself. In that regard, we can start with passive network monitoring, which is a method that does not actively participate in the network's traffic at all. It is based on passive taps and active elements that deliver network data to the monitoring system using a separate communication network infrastructure. Active network monitoring (with synonyms being proactive and synthetic network monitoring) is the other extreme. This method involves generating synthetic network traffic or sending a few test packets to measure different network characteristics such as delay, packet drop rate, etc. One must understand that there is always an interaction on the network itself, but the level of interaction differs.

Categorization based on network monitoring tools

The last categorization we describe in this post is the one based on tools and their intended purposes. For example, there are tools primarily focused on detecting faults in the network, others focused on performance monitoring, tools utilizing passive or active probes to acquire network monitoring data, flow monitoring tools, packet analyzers, end-to-end performance/experience monitoring tools, application performance management (APM) tools, and umbrella monitoring tools that aim to create a holistic view of network health and performance.

Quality aspect types of network monitoring

In the following section, we delve into each type of network monitoring in greater detail. Given the close relationship between these methods and network monitoring protocols, we suggest reading our blog post on the topic.

Availability monitoring

The fundamental approach to understanding the network's status involves identifying which devices and/or their functions or interfaces are operational and responsive, and which ones are not. This is typically achieved through the use of the Ping method (utilizing ICMP), as well as SNMP polls, syslog, and other protocols and methods. The ultimate objective is to utilize the data to calculate the monthly or annual availability of the device/function/interface, to ascertain whether it has met the predetermined availability goals.
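The availability calculation mentioned above, turned into a small worked example. This is added here for illustration and is not UMBOSS code; the outage events, the May 2024 period and the 99.9 % goal are constructed sample values.

```python
from datetime import datetime

# Constructed sample: state-change events for one interface during May 2024, as an
# availability monitor would record them from ping/SNMP results (ISO timestamps).
EVENTS = [
    ("2024-05-03T10:00:00", "down"),
    ("2024-05-03T10:45:00", "up"),
    ("2024-05-17T02:10:00", "down"),
    ("2024-05-17T03:40:00", "up"),
]
PERIOD_START = datetime(2024, 5, 1)
PERIOD_END = datetime(2024, 6, 1)


def downtime_seconds(events, period_start, period_end, initial_state="up"):
    """Sum the seconds spent in the 'down' state within [period_start, period_end).

    Events outside the period are clamped to its edges, and an outage that is
    still open at period_end is counted up to period_end.
    """
    state, last, total = initial_state, period_start, 0.0
    for ts, new_state in events:
        t = max(min(datetime.fromisoformat(ts), period_end), period_start)
        if state == "down":
            total += (t - last).total_seconds()
        state, last = new_state, t
    if state == "down":
        total += (period_end - last).total_seconds()
    return total


def availability_percent(events, period_start, period_end):
    """Availability = (period - downtime) / period, as a percentage."""
    period = (period_end - period_start).total_seconds()
    return 100.0 * (1 - downtime_seconds(events, period_start, period_end) / period)


def allowed_downtime_minutes(period_start, period_end, goal_percent):
    """The downtime budget that a goal such as 99.9 % leaves for the period."""
    period = (period_end - period_start).total_seconds()
    return (1 - goal_percent / 100.0) * period / 60.0


def meets_goal(events, period_start, period_end, goal_percent):
    return availability_percent(events, period_start, period_end) >= goal_percent


if __name__ == "__main__":
    avail = availability_percent(EVENTS, PERIOD_START, PERIOD_END)
    print(f"downtime: {downtime_seconds(EVENTS, PERIOD_START, PERIOD_END) / 60:.0f} min")
    print(f"availability: {avail:.3f} %")
    print(f"budget for 99.9 %: {allowed_downtime_minutes(PERIOD_START, PERIOD_END, 99.9):.2f} min")
    print("meets 99.9 % goal:", meets_goal(EVENTS, PERIOD_START, PERIOD_END, 99.9))
```

The two outages total 135 minutes, which is about 99.70 % availability for the month; a 99.9 % goal allows only 44.64 minutes, so the goal is missed even though every individual outage was short.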


Network fault monitoring

Network fault monitoring is focused on alerting engineers to faults or faulty conditions within the network. Monitoring systems typically employ a passive monitoring method that revolves around receiving SNMP traps or syslog messages conveying information about faulty conditions from devices. However, in many cases, it is necessary to employ active polling of devices using SNMP. With this method, devices are inspected and tested against criteria that signify a faulty condition, which, if detected, is represented by an alarm.

Network performance monitoring

While availability and network fault monitoring focus on the current health of the network, the purpose of network performance monitoring is to gauge how well the network behaves. Of course, many performance issues can indicate a faulty condition in the network, making performance monitoring a valuable source of alarms for event and fault management. For example, if the temperature of a device exceeds a certain threshold, the device is considered to be in an irregular state and therefore faulty.

Network performance management relies on SNMP active polling, alongside other methods like fetching device logs, retrieving data from NMSs and element management systems, and gathering network traffic flow data. Probes in the network measure metrics like end-to-end delay and jitter, which are collected by the monitoring system. Methods for measuring user experience include monitoring existing traffic or using synthetic traffic.
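How polled SNMP counters become a performance metric and, when a threshold is crossed, an alarm for fault management, as an added example (not UMBOSS code). Interface octet counters are monotonically increasing and wrap at 2^32 or 2^64, so the poller must work with the difference between two polls and handle the wrap; the samples, the 1 Gbit/s link speed and the 75 % threshold are constructed values.

```python
# Constructed poll results for one interface: (poll time in seconds, ifHCInOctets value).
# Polled every 300 s on a 1 Gbit/s link.
SAMPLES = [
    (0, 1_000_000),
    (300, 1_000_000 + 30_000_000_000),                  # 30 GB in 5 min -> 80 % utilisation
    (600, 1_000_000 + 30_000_000_000 + 3_750_000_000),  # 3.75 GB in 5 min -> 10 %
]
IF_SPEED_BPS = 1_000_000_000
THRESHOLD_PCT = 75.0


def counter_delta(prev, curr, bits=64):
    """Increase between two readings of a wrapping counter (32- or 64-bit)."""
    if curr >= prev:
        return curr - prev
    # the counter wrapped around between the two polls
    return (1 << bits) - prev + curr


def utilisation_percent(prev_octets, curr_octets, interval_s, if_speed_bps, bits=64):
    """Average link utilisation over the poll interval, in percent."""
    bits_per_second = counter_delta(prev_octets, curr_octets, bits) * 8 / interval_s
    return 100.0 * bits_per_second / if_speed_bps


def evaluate_samples(samples, if_speed_bps, threshold_pct, bits=64):
    """Return (poll time, utilisation %, alarm?) for every interval between polls.

    The first sample alone yields no rate; a rate needs two readings.
    """
    results = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        util = utilisation_percent(c0, c1, t1 - t0, if_speed_bps, bits)
        results.append((t1, util, util > threshold_pct))
    return results


if __name__ == "__main__":
    for t, util, alarm in evaluate_samples(SAMPLES, IF_SPEED_BPS, THRESHOLD_PCT):
        state = "ALARM" if alarm else "ok"
        print(f"t={t:>4}s utilisation={util:5.1f}% {state}")
```

The same threshold logic applies to any polled value, such as the device temperature example above; what changes is only whether the raw value is a gauge (compare directly) or a counter (compare the delta per interval).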

Configuration monitoring

Configuration monitoring involves overseeing how device configurations (configuration files) change and ensuring they comply with specific requirements.

This network monitoring best practice focuses on identifying what changes were made in the configuration, when they occurred, and who (which engineer or process) initiated the change. It is often used in conjunction with other types of monitoring to pinpoint the root cause of network issues.
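The what/when/who record and the compliance check described above, as an added example rather than UMBOSS code. The two configuration snapshots, the engineer name and the compliance rules (one required line, one forbidden pattern) are constructed; the syntax is Cisco-like but the logic only compares text lines.

```python
import difflib
import hashlib
import re

# Constructed snapshots of a switch configuration, taken before and after a change.
OLD_CONFIG = """hostname core-sw1
service password-encryption
snmp-server community s3cr3t RO
interface Gi0/1
 description uplink
 no shutdown
"""
NEW_CONFIG = """hostname core-sw1
snmp-server community s3cr3t RO
snmp-server community public RW
interface Gi0/1
 description uplink
 no shutdown
"""

# Constructed compliance rules: lines that must be present, patterns that must not appear.
RULES = {
    "required": ["service password-encryption"],
    "forbidden": [r"^snmp-server community public\b"],
}


def fingerprint(config):
    """Hash of the snapshot; a cheap 'did anything change at all?' test."""
    return hashlib.sha256(config.encode()).hexdigest()


def config_changes(old, new):
    """Lines removed from and added to the configuration, in file order."""
    removed, added = [], []
    for line in difflib.ndiff(old.splitlines(), new.splitlines()):
        if line.startswith("- "):
            removed.append(line[2:])
        elif line.startswith("+ "):
            added.append(line[2:])
    return removed, added


def compliance_violations(config, rules=RULES):
    lines = config.splitlines()
    violations = []
    for required in rules["required"]:
        if required not in lines:
            violations.append(f"missing required line: {required}")
    for pattern in rules["forbidden"]:
        for line in lines:
            if re.search(pattern, line):
                violations.append(f"forbidden line present: {line}")
    return violations


def change_record(old, new, changed_by, changed_at):
    """The what/when/who record a configuration monitor keeps for each change."""
    removed, added = config_changes(old, new)
    return {
        "changed": fingerprint(old) != fingerprint(new),
        "who": changed_by,
        "when": changed_at,
        "removed": removed,
        "added": added,
        "violations": compliance_violations(new),
    }


if __name__ == "__main__":
    record = change_record(OLD_CONFIG, NEW_CONFIG, "jdoe", "2024-05-08T09:41:00Z")
    for key, value in record.items():
        print(f"{key}: {value}")
```

In practice "who" and "when" come from the device's own change log or AAA accounting records, while the diff shows exactly which lines the change introduced; correlating the timestamp with alarms from fault monitoring is what makes this useful for root-cause analysis.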


Types of network monitoring based on data acquisition methods

Active polling

Active polling, or active monitoring, is one of the two traditional monitoring types, alongside passive monitoring. It was conceived with the definition of SNMP and is an essential SNMP monitoring method.

Active polling is utilized for availability, fault, and performance management purposes.

Ping is also an active polling method utilized as the fundamental mechanism for availability monitoring.

The purpose of polling is to proactively check the status or fetch values of parameters from target devices, functions, or platforms. Its advantage lies in its ability to detect unavailability and faulty conditions of a device regardless of the device's reported status; it does not rely on the device reporting its faulty condition. However, this advantage comes with an obvious drawback. Each active check (poll) activates the internal processes of the device and increases its load (CPU, memory, etc.). In some cases, this may lead to a situation where the monitoring itself can render a device unresponsive—an outcome engineers aim to avoid.

Passive monitoring

Passive monitoring is a method wherein the monitoring system awaits events using SNMP traps, SNMP informs, and Syslog messages, generating alarms from events representing faulty conditions. Consequently, it stands in contrast to active monitoring and comes with its own set of advantages and disadvantages. One advantage is that it doesn't pose the risk of overloading the device, as in the case of active polling. However, a significant flaw of this monitoring type arises when a device is down—it will never send an SNMP trap/inform or Syslog message to the monitoring system simply because it is "dead."
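The contrast drawn in the two sections above (active polling versus passive reception), as one added example that is not UMBOSS code. It contains a tiny syslog receiver that raises an alarm for messages of severity "err" or worse (the PRI value encodes facility and severity as facility * 8 + severity), and a poller that raises an alarm after a number of consecutive failed polls. The device names, syslog lines and poll results are constructed; note that the "dead" device never appears in the passive alarms at all.

```python
import re
from collections import defaultdict

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
SYSLOG_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$")

# Constructed syslog messages as received from one router; a second router,
# edge-r2, has crashed and therefore sends nothing.
RECEIVED_SYSLOG = [
    "<187>May  8 10:00:01 edge-r1 %LINK-3-UPDOWN: Interface Gi0/1, changed state to down",
    "<189>May  8 10:00:05 edge-r1 %SYS-5-CONFIG_I: Configured from console by admin",
    "<190>May  8 10:00:09 edge-r1 %SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5 -> 10.0.0.9",
]
# Constructed poll results (True = reachable) for three polling rounds.
POLL_ROUNDS = [
    {"edge-r1": True, "edge-r2": False},
    {"edge-r1": True, "edge-r2": False},
    {"edge-r1": True, "edge-r2": False},
]


def parse_syslog(line):
    """Split the PRI field into facility and severity; returns None for non-syslog input."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri // 8, "severity": pri % 8, "message": m.group("rest").strip()}


def passive_alarms(lines, max_severity=3):
    """Alarm for every received message whose severity is 'err' (3) or more urgent."""
    alarms = []
    for line in lines:
        event = parse_syslog(line)
        if event and event["severity"] <= max_severity:
            alarms.append((SEVERITY_NAMES[event["severity"]], event["message"]))
    return alarms


class ActivePoller:
    """Raises an alarm once a device has failed `failure_threshold` polls in a row."""

    def __init__(self, failure_threshold=3):
        self.threshold = failure_threshold
        self.failures = defaultdict(int)
        self.down = set()

    def record(self, device, reachable):
        """Feed one poll result; returns an alarm/clear string, or None."""
        if reachable:
            self.failures[device] = 0
            if device in self.down:
                self.down.discard(device)
                return f"CLEAR {device}: reachable again"
            return None
        self.failures[device] += 1
        if self.failures[device] == self.threshold:
            self.down.add(device)
            return f"ALARM {device}: unreachable after {self.threshold} consecutive failed polls"
        return None


def run_polling(rounds, failure_threshold=3):
    """Run the poller over the rounds and return every alarm/clear it produced."""
    poller = ActivePoller(failure_threshold)
    return [msg for results in rounds for dev, ok in results.items()
            if (msg := poller.record(dev, ok))]


if __name__ == "__main__":
    print("passive:", passive_alarms(RECEIVED_SYSLOG))
    print("active:", run_polling(POLL_ROUNDS))
```

Requiring several consecutive failures before alarming is the usual compromise with active polling: a single lost ICMP packet does not produce a false alarm, and a long poll interval keeps the extra load on the device small.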

Streaming telemetry

Streaming network telemetry is a relatively new form of monitoring, popularized by Cisco in the early 2010s. It entails continuous monitoring, analysis, and collection of network health and performance data in real-time. Streaming telemetry appears to address drawbacks of both active and passive monitoring, as data is continually transmitted to the network monitoring system in real-time, and monitoring data can be displayed with minimal delay. The granularity of data is high, containing much more information than typically obtained with active and passive monitoring.

Telemetry data is sent from devices to the central monitoring system in a structured manner. Its structure is defined by data formats that come from industry projects such as Google Protocol Buffers, Apache Avro, Apache Thrift, and MessagePack, among others. The formatted telemetry data is transmitted using streaming platforms and transports like Apache Kafka and gRPC.

NETCONF (Network Configuration Protocol) and YANG (Yet Another Next Generation), network management standards from the IETF, are also utilized for streaming telemetry, among many other applications.


Types of network monitoring based on data sources

SNMP, Syslog and Flow monitoring

SNMP, Syslog, and Flow monitoring rely on the utilization of network management protocols for both active and passive monitoring. These protocols are well-known in network management, and we encourage you to learn more about them in our blog post titled Understanding Network Monitoring Protocols.

Network monitoring probes

A network monitoring probe encompasses both software and hardware components designed to 'probe' the network, providing insights into its health and performance. Thus, SNMP active monitoring (poller) also falls under the category of a probe. However, when discussing probes, one typically refers to software or hardware systems physically installed closer to the network devices being monitored. These probes conduct deeper inspections than conventional SNMP, Syslog, or flow monitoring methods. Probes can take various forms, such as passively tapped devices within the network, specialized probe software running on a virtual machine, or specialized services running on network devices' software themselves.

Probes typically provide important measurements of key aspects of the network, such as jitter, latency, packet loss and delay.

The data from the probe is collected by the monitoring system and used for generating alarms and performing data analysis. The method of collecting data can be via SNMP or any other method.

Direct access to data

When traditional data acquisition methods are unavailable, monitoring data can be obtained through direct access to a system. There are numerous examples, but one illustrative instance is accessing the Microsoft Windows OS Event log, which contains messages about system, security, and application events. A specific combination of EventID, category, and so on, may indicate a faulty situation, prompting the monitoring system to raise an alarm.

Another example involves using WMI (Windows Management Instrumentation), a built-in component of the Windows OS that facilitates remote management of Windows-based systems. This capability allows administrators to query and manage systems across a network. Additionally, WMI can monitor system events and triggers, enabling responses to specific events. Data is accessed using scripting languages like PowerShell.

Cloud infrastructure monitoring

Hybrid data center scenarios, in which IT services of a company run in both their own private cloud and data center, as well as in public or other private clouds, pose significant challenges in terms of monitoring. Monitoring in such environments requires combining data from the company's own infrastructure with that from cloud providers such as Amazon Elastic Compute Cloud (EC2) and Microsoft Azure Cloud Services.

Cloud providers offer robust APIs or telemetry streams that furnish monitoring data, and this is precisely how central monitoring accesses the data. It is crucial to emphasize the importance of monitoring the network infrastructure required to connect to both external (public) and private clouds. Combining the monitoring data from the cloud infrastructure with the network monitoring data provides a comprehensive insight into the operational status of the cloud infrastructure.


Monitoring of element management systems and service platforms

Element management systems provide valuable standardized and vendor-specific monitoring data. Retrieval methods vary. Some systems send SNMP traps or are polled directly, while others offer APIs like REST, SOAP, or files such as log files. Plug-ins are needed to connect to APIs, often retrieving inventory data as well.

Numerous element managers exist, such as Nokia AMS, Ericsson NetOp, and Huawei iManager U2000. The interaction between monitoring systems and managers varies, requiring specialized pollers.

Similarly, service platforms like VMware vCenter Server and Microsoft Hyper-V require monitoring, each with its own API for accessing fault and performance data.

Types of network monitoring based on interaction with network traffic

Passive monitoring

The purpose of passive monitoring is to completely avoid any interference with the regular traffic flow of the network or network devices and still receive crucial information about the health and performance of the network. Therefore, the crucial challenge is unobstructed traffic capturing (packet capture), which can generally be achieved by:

  • Passive network taps – usually implemented by tapping into optical fibers connecting devices by splitting the optical signal.
  • Use of span or mirror ports – the feature of network devices to duplicate the traffic of one port to another (mirror) port with no significant impact on the device’s operation.

In either case, the traffic is received by a specialized network probe that ingests and analyzes the traffic. The probe can work wonders with it. It can execute deep packet inspection, store the traffic data for historical analysis, categorize traffic data, analyze protocols and application data, measure traffic performance, detect security threats, and many other things.

The central monitoring system needs to receive key data from probes for engineers to utilize. To ensure fully passive monitoring, an isolated monitoring network is necessary for transmitting data from all probes to the central system. This network is typically implemented as a virtually isolated network within the existing infrastructure to avoid high costs. Alternatively, in many cases, using a third-party mobile or fixed network for data transmission can be beneficial, reducing the likelihood of network issues coinciding with those on the primary network.

Active monitoring (Synthetic Network Monitoring)

Active monitoring encompasses two things:

  • classic SNMP, Syslog and NetFlow monitoring, and
  • synthetic network monitoring.

Traditional monitoring involves interacting with network devices, potentially causing minimal interference with regular traffic. While classic monitoring may be considered passive due to its negligible impact, polling devices can significantly affect CPU load, blurring the lines between active and passive monitoring. It resides in a gray area.

Synthetic traffic (i.e., active or proactive) monitoring generates synthetic traffic, like test packets or streams, to intentionally interact with normal network traffic and assess key performance characteristics such as delay, jitter, and packet loss. This synthetic traffic often simulates specific applications and user activities, ranging from basic protocols like Ping/ICMP, traceroute, HTTP/HTTPS, and DNS, to tailored traffic patterns resembling video streams or voice calls.

Specialized probes generate, receive, and measure synthetic traffic. Managed by a dedicated application, these probes initiate tests, gather measurements, and analyze results.
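The measurements a synthetic probe pair produces (delay, jitter and packet loss), computed in an added example that is not UMBOSS code. It assumes a sender that numbers each test packet and a receiver that records when each one arrived, with clocks in microseconds; the ten probes, one lost packet and the voice-style thresholds are constructed values. Jitter is computed here as the mean absolute change in delay between consecutive probes (packet delay variation), one of several definitions in use.

```python
# Constructed probe run: 10 test packets sent 20 ms apart (times in microseconds).
SENT_US = {seq: (seq - 1) * 20_000 for seq in range(1, 11)}
# One-way delay each packet experienced; sequence 4 was lost and never arrives.
DELAY_US = {1: 10_000, 2: 12_000, 3: 10_000, 5: 15_000, 6: 11_000,
            7: 10_000, 8: 30_000, 9: 12_000, 10: 10_000}
RECEIVED_US = [(seq, SENT_US[seq] + delay) for seq, delay in DELAY_US.items()]
# Constructed acceptance thresholds for a voice-like test.
THRESHOLDS = {"loss_pct": 1.0, "jitter_ms": 5.0, "mean_delay_ms": 50.0}


def probe_metrics(sent_us, received_us):
    """Loss, mean/max delay and jitter from sent and received timestamps.

    Packets are matched by sequence number, so out-of-order arrival is handled;
    a received sequence number that was never sent is ignored.
    """
    delays = [t_recv - sent_us[seq]
              for seq, t_recv in sorted(received_us) if seq in sent_us]
    n_sent, n_recv = len(sent_us), len(delays)
    metrics = {"sent": n_sent, "received": n_recv,
               "loss_pct": 100.0 * (n_sent - n_recv) / n_sent}
    if not delays:
        return metrics
    variations = [abs(b - a) for a, b in zip(delays, delays[1:])]
    metrics["mean_delay_ms"] = sum(delays) / n_recv / 1000
    metrics["max_delay_ms"] = max(delays) / 1000
    metrics["jitter_ms"] = (sum(variations) / len(variations) / 1000) if variations else 0.0
    return metrics


def breached(metrics, thresholds):
    """Names of the thresholds the measured values exceed."""
    return [name for name, limit in thresholds.items()
            if name in metrics and metrics[name] > limit]


if __name__ == "__main__":
    m = probe_metrics(SENT_US, RECEIVED_US)
    for name, value in m.items():
        print(f"{name}: {value}")
    print("breached:", breached(m, THRESHOLDS))
```

Here one lost packet out of ten already means 10 % loss, and the single 30 ms outlier lifts the jitter to 6.75 ms; both exceed the constructed voice thresholds while the mean delay stays well within them.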


Types of Network Monitoring Tools

Network fault and performance monitoring

Network fault and performance monitoring fall into this categorization. A brief introduction has already been presented in the chapter on types related to quality aspects (see above).

Network Flow monitoring

Network flow monitoring tools specialize in monitoring network traffic flow and provide means to visualize flows, retrieve traffic flow and performance graphs, and implement a wide set of methods to detect anomalies in traffic flow. These tools aim to identify performance degradation and security risks.

Packet analyzers

Packet analyzers are software or hardware tools that utilize deep packet analysis to detect issues and monitor the performance of network traffic at the packet level. These tools are capable of understanding all network and application protocols and provide the means to analyze traffic at its most essential and granular level.

Probe-based monitoring

Probe-based monitoring is related to monitoring network traffic by utilizing probes deployed in the network. It aims to provide engineers with specific performance parameters, including jitter, latency, packet loss, and others.

Other than network monitoring

There is a whole array of monitoring techniques and tools utilized that are not strictly related to the network itself. An important one is Application Performance Management (APM), which monitors and manages the performance and health of software applications. APM aims to ensure applications meet their users' expectations in terms of responsiveness, processing time, availability, etc. For that purpose, APMs often utilize network monitoring data as well as server and storage monitoring data (such as CPU load and memory usage), as these represent key elements that impact application performance.


Umbrella type of monitoring - UMBOSS

The umbrella approach is a key strategy in network monitoring and management, offering a comprehensive solution that integrates various techniques discussed. Umbrella monitoring consolidates data from multiple tools across the network, providing a unified view of alarms and performance. Read more about the benefits of network monitoring.

UMBOSS is an example of this approach, offering not only umbrella monitoring but also tools for managing alarms and network performance. It includes resource management functions such as network discovery and configuration management, contextualizing network data for efficient issue resolution.

Have any questions? Want to learn more? Get in touch and let us know how we can help. Send us a message or book a demo today.

Interested in discovering more?

You can read all you want about UMBOSS, but the best way is to experience it through a demo.
