Network Infrastructure Management

The document discusses network infrastructure management and monitoring tools provided by OpManager. It describes OpManager's capabilities for managing WAN links, routers, switches, and the network in general. Specific features covered include WAN link performance management, router monitoring, switch monitoring, networking tools, and WAN fault management. OpManager provides real-time monitoring of network performance and utilization. It helps network managers optimize bandwidth usage, ensure high availability, identify traffic trends, and plan for future capacity needs.

Uploaded by

Haftamu Hailu
Network Performance Management


Network Management calls for continuous, real-time knowledge of the entire network infrastructure.
Keeping yourself updated on the availability, performance and utilization across the entire breadth of the
network and its various devices, mitigating risks, troubleshooting, and all the while keeping a low TCO can
often prove to be a nightmare. OpManager helps Network Managers by providing capabilities to help
manage the entire network infrastructure:
WAN Links Performance Management
Router Monitoring
Switch Monitoring
Networking Tools
WAN Fault Management

WAN Links Performance Management


OpManager provides precise knowledge of real time performance of each link by drilling into the
availability and utilization across the various network paths and showing the exact hop where failure or
bottleneck has occurred.
Knowledge of exact point of link failure
Utilization on a hop-to-hop basis
Threshold based Round Trip Time monitoring
WAN Service Level Management

Router Monitoring
Balancing throughput and CIR, managing congestion and ensuring optimal network performance could
often drive any figment of romance away from a network manager's life. OpManager makes WAN
management a breeze with its powerful router monitoring capabilities.
Bandwidth Allocation Optimization
Ensuring high network availability
Identifying traffic trends
Capacity Planning for future needs

Switch Monitoring
Even a well maintained WAN environment cannot be optimally utilized if the connecting local network
breaks. Managing switches, the backbone of any LAN, is therefore an important task in network
management. OpManager features a number of intuitive tools for efficient switch management.
http://www.cse.wustl.edu/~jain/cse567-06/ftp/net_monitoring/index.html
Switch Port Availability Management
Logical Mapping into Business Views
Port-wise SLA monitoring
Spanning Tree Protocol Tools

Networking Tools
An unavailable link in the network could mean anything from a harmless downtime that could be fixed in the
morning, to a translation that spells a massive business loss. OpManager offers a number of tools for quick
and effective troubleshooting of network devices.
MIB Browser for SNMP based devices
Switch Port Mapping
Ping, Trace Routes etc.

WAN Fault Management


Managing fault and performance issues in a timely and proactive manner requires a management solution
that brings a higher level of intelligence to the system. OpManager brings multiple levels and methods of
fault and performance monitoring, allowing network managers to rest assured.
Comprehensive Performance Management
Event-Alarm Correlation
Mobile SMS and Email Alerting
Customizable and easy reporting

There are several reasons to monitor network bandwidth, some of which are as follows:

Troubleshoot Network Performance:

Network Bandwidth monitoring can help you identify performance issues on a network like in the
example I gave above. For example, by monitoring network bandwidth, you may find out that a
particular computer on the network is consuming (hogging) so much bandwidth, which may be
an indication of a worm or virus.

In other cases, you'll find that analyzing Wi-Fi Access Points and the connected Clients that are using
them will help you determine who is potentially abusing the network.

Network Capacity Planning:

By monitoring network bandwidth, you are able to plan ahead regarding the bandwidth capacity
that your network requires. For example, when you start out your network, you may have a few
hundred devices and require a hypothetical 100 Mbps of bandwidth. As the network grows in
size, you may find out (through monitoring) that the 100 Mbps is being maxed out at peak
periods and should be upgraded.

Monitoring Agreed-Upon Bandwidth:

When you purchase bandwidth (e.g. Internet) from Internet Service Providers (ISPs), they
guarantee that the speed will be at a certain level (usually expressed in Megabits per second,
Mbps). By monitoring network bandwidth, you can determine if your ISP is really giving you the
bandwidth that was agreed upon or if they are failing on their Service Level Agreement (SLA).

As the Internet evolves and faster and larger handheld devices and tablets become the norm in the
workplace, we strongly believe that knowing who and what devices are consuming the most data and
pipeline in your infrastructure is essential in order to better control it and plan for capacity.

As the name implies, a Network Bandwidth Monitoring tool lets you keep an eye on bandwidth and
traffic usage on the network. These tools will usually be able to report on single nodes (e.g. traffic
usage by a single computer) or on interfaces (e.g. FastEthernet0/0 interface on a router).

Some of these tools will be able to present this information in graphs and also sort devices (or IP
addresses) based on top bandwidth “consumers”.

To get this traffic usage information, several methods can be employed including packet
capturing, Simple Network Management Protocol (SNMP) or NetFlow (or some other flow related
technology).

There are several tools that can be used for Network Bandwidth/Traffic Monitoring and the ones we
will be discussing in this article are as follows:

- Solarwinds Network Traffic Analyzer
- Solarwinds Real-Time Bandwidth Monitor
- PRTG Network Monitor
- ManageEngine
- nTop-Ng
- Cacti
- BandwidthD

Here's a List of the Top Network Bandwidth Monitoring Tools of 2019:

Some of these tools are standalone network bandwidth monitoring tools while others are all-in-one
network monitoring solutions that include bandwidth monitoring amongst other features.

1. Solarwinds Real-Time Bandwidth Monitor

Solarwinds is a company that provides a lot of IT Management tools. In terms of Network Bandwidth
Monitoring, Solarwinds has two solutions:

– The freeware Real-Time Bandwidth Monitor.


– The more robust (and commercial) NetFlow Traffic Analyzer, which we'll get to further down.

Solarwinds provides a free tool to use to monitor, in real-time, the bandwidth usage of the interfaces of
several devices.

It is actually a very simple tool to use: enter the IP address of the device along with the right SNMP
credentials, choose the interface(s) to monitor and that's it – you get a graph showing the bandwidth
usage in real time.

You can even customize how often you want the tool to poll for bandwidth usage.

While this tool may not offer as much granular information as other tools (e.g. bandwidth usage per
application), it is a very good (and free!) tool for troubleshooting performance issues. It even offers the
capability of setting thresholds for bandwidth e.g. give a warning notification when the bandwidth
usage gets to a certain level. You can download this tool for free here.
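The calculation behind a threshold-based bandwidth monitor of this kind, as an added example (constructed data, not SolarWinds code and not from the original article): two SNMP readings of an interface's octet counters are turned into bits per second and a percentage of ifSpeed, a 32-bit counter wrap between polls is handled, and the result is compared with warning and critical thresholds. The counter names in the comments are the standard IF-MIB objects; the poll values and threshold levels are assumptions.

```python
"""Interface utilisation from two SNMP counter polls.

Added example (constructed data, not SolarWinds code): an interface's
ifInOctets/ifOutOctets (IF-MIB Counter32) or ifHCInOctets/ifHCOutOctets
(Counter64) are read twice, the deltas become bits per second and a percent
of ifSpeed, and the result is compared with warning/critical thresholds.
"""
from dataclasses import dataclass

COUNTER32_MAX = 2 ** 32   # Counter32 wraps to 0 after this many octets
COUNTER64_MAX = 2 ** 64   # Counter64 (HC counters) practically never wraps


@dataclass
class Poll:
    """One poll of an interface, as a collector would read it over SNMP."""
    timestamp: float   # seconds (epoch) when the poll completed
    in_octets: int     # ifInOctets or ifHCInOctets
    out_octets: int    # ifOutOctets or ifHCOutOctets
    if_speed_bps: int  # ifSpeed in bits per second


def counter_delta(old: int, new: int, counter_max: int) -> int:
    """Octets transferred between two readings, allowing for one wrap.

    A 32-bit octet counter on a saturated 1 Gbps link wraps roughly every
    34 seconds, so a reading lower than the previous one is normal and must
    not be reported as negative traffic (or silently dropped).
    """
    if new >= old:
        return new - old
    return (counter_max - old) + new


def utilisation(prev: Poll, curr: Poll, high_capacity: bool = False):
    """Return (in_bps, out_bps, in_pct, out_pct) over the polling interval."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("polls must be in chronological order")
    cmax = COUNTER64_MAX if high_capacity else COUNTER32_MAX
    in_bps = counter_delta(prev.in_octets, curr.in_octets, cmax) * 8 / interval
    out_bps = counter_delta(prev.out_octets, curr.out_octets, cmax) * 8 / interval
    in_pct = 100.0 * in_bps / curr.if_speed_bps
    out_pct = 100.0 * out_bps / curr.if_speed_bps
    return in_bps, out_bps, in_pct, out_pct


def evaluate_threshold(in_pct: float, out_pct: float,
                       warn_pct: float = 70.0, crit_pct: float = 90.0) -> str:
    """Alert level for the busier direction: 'ok', 'warning' or 'critical'."""
    worst = max(in_pct, out_pct)
    if worst >= crit_pct:
        return "critical"
    if worst >= warn_pct:
        return "warning"
    return "ok"


# Constructed sample: a 100 Mbps interface polled 60 s apart; the inbound
# Counter32 wraps between the two polls.
SAMPLE_POLLS = [
    Poll(timestamp=1000.0, in_octets=4_000_000_000, out_octets=1_000_000,
         if_speed_bps=100_000_000),
    Poll(timestamp=1060.0, in_octets=305_032_704, out_octets=226_000_000,
         if_speed_bps=100_000_000),
]


def report(polls=SAMPLE_POLLS) -> dict:
    """Utilisation and alert level for the last two polls of an interface."""
    in_bps, out_bps, in_pct, out_pct = utilisation(polls[-2], polls[-1])
    return {"in_bps": in_bps, "out_bps": out_bps, "in_pct": in_pct,
            "out_pct": out_pct, "alert": evaluate_threshold(in_pct, out_pct)}


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:8} {value}")
```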

FREE Real-Time Bandwidth Monitor Download (Direct Download Link):

http://www.solarwinds.com/free-tools/real-time-bandwidth-monitor/registration.aspx?program=1643&campaign=70150000000PDzJ

2. Solarwinds NetFlow Traffic Analyzer

The NetFlow Traffic Analyzer (NTA) integrates with the Solarwinds Network Performance Monitor
(NPM) and provides information about the bandwidth and traffic usage on a network at a very granular
level.

It is able to tell you the amount of bandwidth used by an IP address, application or protocol. It also has
the ability to show the “Top Talkers” on a network which is very helpful for troubleshooting purposes.

The Solarwinds NTA has reporting capabilities and can be used for Network Traffic Forensics (comb
through data over several periods to discover issues).

You can try a fully functional Solarwinds Network Traffic Analyzer for 30 days after which you will
require a license starting at $1875 for 100 elements. Keep in mind that since NTA requires Solarwinds
NPM to function, you must also account for the separate license cost of the NPM.

Get Started Now FREE (Direct Download link):

http://www.solarwinds.com/register/registrationb.aspx?program=815&c=70150000000CgeI

3. PRTG Network Monitor

PRTG Network Monitor is a full blown, all-in-one monitoring solution with a lot of features including
performance monitoring, server and application monitoring, virtual machine monitoring and also
includes bandwidth monitoring.

To provide information about bandwidth and traffic usage, PRTG Network Monitor can use a variety of
methods including SNMP, in-built Packet Sniffing and NetFlow. This information can be displayed in
graphs and also exported in reports. We have written up a thorough and exhaustive PRTG Review and
Setup Guide for those who are interested in a more in-depth look.

PRTG Network Monitor is a Windows-based tool that comes in two editions: Freeware edition (for
monitoring up to 100 sensors) and Commercial Edition (when you want to monitor more than 100
sensors) which starts at $1600 for 500 sensors.

Note: There is also a 30-day free trial that allows you to monitor unlimited sensors after which it falls
back to default 100 sensor limit.

Official Download:

https://www.paessler.com/prtg

4. ManageEngine NetFlow Analyzer

ManageEngine's traffic analysis and monitoring tool for monitoring flow packets, including
NetFlow, sFlow, IPFIX and others, is a great choice for finding and determining the cause of your
bottlenecks. You can analyze bandwidth patterns per interface and drill down into which protocol, IP
address and/or application is causing the issues with your network connection or network overhead.

On top of the basic functionality of traffic analysis and monitoring, you'll have the ability to create
detailed reports, precisely estimate future growth, and bill as necessary if you are providing
SLAs or ISP services.

Official Website: https://www.manageengine.com/products/netflow/

5. ntopng

My first experience with ntopng was with a client where I had to determine why Internet access was
slow at certain times. The client was using pfSense as their edge device and ntopng was installed as a
default package. Using ntopng, I was able to discover that one of the client’s servers had been hacked
and was consuming so much bandwidth (probably being used as a streaming server) that the client
was even maxing out the bandwidth provided by their ISP.

ntopng has a very simple web interface from which you can view network bandwidth/traffic usage
information. ntopng can sort network traffic based on different options such as IP addresses,
protocols, and ports. I especially like the “Top X talkers/listeners” feature provided by ntopng because
it can let you know what device is currently hogging all the bandwidth on the network. ntopng also has
reporting capability for what it monitors.

ntopng can be installed & used to monitor on both Unix and Windows operating systems. It comes in
two editions: the Community edition which is free and the Professional edition which comes at a cost
(149 Euros).

You can find more information about ntopng here.

6. Cacti

Cacti is an open-source network monitoring tool whose greatest strength lies in its graphing capability.
It works by polling devices (mostly through SNMP) and presenting the polled data in graphs displayed
through a web interface. Since it uses SNMP, one of the things you can graph is the network
bandwidth usage on an interface, thereby making Cacti a valuable tool for Network Bandwidth
Monitoring. If it doesn't suit your needs, you can find a Cacti Alternative here.

Cacti can be installed on either Unix or Windows OS and is available to download for free here.

7. BandwidthD

BandwidthD is another open-source solution for monitoring your traffic and network, but be aware, it
has not been updated since 2013. Many admins are still using this software to understand which
protocols and sources are using the highest amount of bandwidth in their networks.

You'll need to understand how to set up some manual configuration, and it also requires some
dependencies, including WinPcap or libpcap (for Linux/Unix users), in order to collect data.

Overall though, it's a free utility and has potential, although you should not expect support of any
kind with this software.

Official Site: http://bandwidthd.sourceforge.net

Conclusion
Being able to monitor bandwidth and traffic usage on a network can be very beneficial because you
can use it to assess network performance issues, plan network capacity and also verify SLAs.

Looking at the tools we have discussed in this article, if you want to quickly set up a bandwidth
monitoring tool, you may want to go for the Solarwinds Real-Time Bandwidth Monitor – It is by far the
easiest and cheapest solution to get you started here and now.

If you are looking for a more robust solution that can give granular information, consider PRTG
Network Monitor or Solarwinds NetFlow Traffic Analyzer (if cost is not a problem). If you are more
interested in graphs, then Cacti may be the best tool to use.

A Summary of Network Traffic Monitoring and Analysis Techniques

1.0 Importance of Network Monitoring and Analysis

Network monitoring is a difficult and demanding task that is a vital part of a Network Administrator's job. Network Administrators
are constantly striving to maintain smooth operation of their networks. If a network were to be down even for a small period of time,
productivity within a company would decline, and in the case of public service departments the ability to provide essential services
would be compromised. In order to be proactive rather than reactive, administrators need to monitor traffic movement and
performance throughout the network and verify that security breaches do not occur within the network.


2.0 Monitoring and Analysis Techniques

"Network analysis is the process of capturing network traffic and inspecting it closely to determine what is happening on the
network." -Orebaugh, Angela. Two Monitoring Techniques are discussed in the following sections: Router Based and Non-Router
Based. Monitoring functionalities that are built into the routers themselves and do not require additional installation of hardware or
software are referred to as Router Based techniques. Non-Router based techniques require additional hardware and software to be
installed and provide greater flexibility. Both techniques are further discussed in the following paragraphs [UnivPenn02].

2.1 Router Based Monitoring Techniques

Router Based Monitoring Techniques are hard-coded into the routers and therefore offer little flexibility. A brief explanation of the
most commonly used monitoring techniques is given below. Each technique has undergone years of development to become a
standardized model.

2.1.1 Simple Network Management Protocol (SNMP) RFC 1157

SNMP [Cisco5606] is an application layer protocol that is part of the TCP/IP protocol suite. It allows Administrators to manage
network performance, find and solve network problems, and plan for network growth. It gathers traffic statistics through passive
sensors that are implemented from router to end host. While two versions exist, SNMPv1 and SNMPv2, this section deals with
SNMPv1. SNMPv2 builds upon SNMPv1 and offers enhancements, such as additional protocol operations. Standardization of yet
another version of SNMP, SNMP Version 3 (SNMPv3), is pending.

There are 3 key components to SNMP: Managed Devices, Agents, and Network Management Systems (NMSs). These are shown
in Figure 1 below.

Figure 1: SNMP Components [Cisco5606]

The Managed Devices contain the SNMP Agent and can consist of routers, switches, hubs, PCs, printers, and items such as these.
They are responsible for collecting information and making it available to the NMSs.

The Agents contain software that has knowledge of management information and translates this information into a form
compatible with SNMP. They are located on a managed device.

The NMSs execute applications that monitor and control the managed devices. Processing and memory resources that are needed
for network management are provided by the NMSs. A minimum of one NMS must exist on any managed network. SNMP can act
solely as an NMS or an agent, or can perform the duties of both. There are four basic commands used by an SNMP NMS to monitor
and control the managed devices: read, write, trap, and traversal operations. The read command examines the variables that are kept
by the managed devices. The write command changes the values of the variables stored by the managed devices. Traversal
operations look to find out what variables a managed device supports and gather information from the supported variable
tables. The trap command is used by the managed devices to report the occurrence of certain events to the NMS.

SNMP uses four protocol operations in order to operate: Get, GetNext, Set, and Trap. The Get command is used when the NMS
issues a request for information to managed devices. The SNMPv1 message (request) that is sent consists of a message header and
a Protocol Data Unit (PDU). The PDU of the message contains the information that is needed to successfully complete a request
that will either retrieve information from the agent or set a value within the agent. The managed devices use the SNMP agents
located on them to retrieve the needed information, and then respond to the NMS with an answer to the request. If the agent does
not have any information in regards to the request, it does not return anything. The GetNext command will then retrieve the value
of the next object instance. It is also possible for the NMS to send a request (Set operation) that sets the values of items within the
agents. When an agent needs to inform the NMS of an event, it will use the Trap operation.

As discussed, SNMP is an Application Layer protocol that uses passive sensors to help administrators monitor network traffic and
performance. Although SNMP can be a helpful tool to Network Administrators it does create a vulnerability to security threats
because it lacks any authentication capabilities. It is unlike Remote Monitoring (RMON) that is discussed in the following section
in that RMON monitors at the Network Layer and below, rather than at the Application Layer.

2.1.2 Remote Monitoring (RMON) RFC 1757

RMON [Cisco5506] enables various network monitors and console systems to exchange network-monitoring data. It is an
extension of the SNMP Management Information Base (MIB). Unlike SNMP, which must send out a request for information,
RMON is able to set alarms that will monitor the network based on certain criteria. RMON allows Administrators to manage local
networks as well as remote sites from one central location. It monitors at the Network Layer and below. RMON has 2 versions,
RMON and RMON2; this paper only deals with RMON. RMON2 allows for monitoring of packets on all network layers. It focuses
on IP traffic and application level traffic.

While there are 3 key components to the SNMP monitoring environment there are only 2 in the RMON environment. They are
shown in Figure 2 below.

Figure 2: RMON Components [Cisco5506]

The 2 components of RMON are the probe, also known as the agent or monitor, and the client, also known as the management station.
Not unlike SNMP, the RMON probe or agent gathers and stores the network information. The probe is embedded software on the
network hardware, such as routers and switches. The probe can also run on a PC. The probes must be put on each different LAN or
WAN segment as they are only able to see traffic that flows through their own link, and are unaware of outside links. The Client is
usually a management station that communicates with the probe using SNMP to obtain and correlate the RMON Data.

RMON [RMON] uses 9 different monitoring groups to obtain information about the network.

Statistics - stats measured by the probe for each monitored interface on this device

History - records periodic statistical samples from a network and stores them for retrieval

Alarm - periodically takes statistic samples and compares them with a set of thresholds for event generation

Host - contains statistics associated with each host discovered on the network

HostTopN - prepares tables that describe top hosts

Filters - enable packets to be matched by a filter equation for capturing events

Packet capture - captures packets after they flow through the channel

Events - controls generation and notification of events from a device

Token ring - supports token ring

As stated above, RMON builds upon the SNMP protocol. Although traffic monitoring can be performed with these techniques,
analysis of the information provided by SNMP and RMON takes a little extra work. Netflow, which is discussed in the next
section, works well with many analysis software packages to help make the job of administrators a little easier.

2.1.3 Netflow RFC 3954

Netflow [Cisco06] is a feature that was introduced on Cisco routers that gives the ability to collect IP network traffic as it enters an
interface. By analyzing the data that is provided by Netflow a network administrator can determine things such as the source and
destination of the traffic, class of service, and the cause of congestion. Netflow consists of three components: flow caching,
FlowCollector, and Data Analyzer. Figure 3 shows the Netflow Infrastructure. Each component shown in the figure is explained in
the following paragraphs.

Figure 3: Netflow Infrastructure [Cisco06]

The flow caching analyzes [NetFlow06] and collects the IP data flows that enter an interface and prepares the data for exportation.

The following information can be obtained from Netflow packets: [NetflowAbout06]

Source and Destination addresses

Input and Output interface numbers

Source and Destination port numbers

Layer 4 protocol

Number of packets in the flow

Total Bytes in the flow

Time stamp in the flow

Source and Destination autonomous system (AS) number

TCP_Flag and Type of Service (ToS)

The first packet of a flow through the standard switching path is processed to create the cache. Packets with similar flow
characteristics are used to create a flow record which is kept in the cache for all active flows. The flow record tracks the packets
and bytes per flow. The cache information is then periodically exported to the Flow Collector.

The Flow Collector [NetFlow06] is responsible for the data collection, filtering, and storage. It contains a history of the flow
information that was switched within the interface. Data volume reduction is also done by the Flow Collector through selective
filtering and aggregation.

Data Analyzer [NetFlow06] is then responsible for presentation of the data. As shown in the figure the data collected can be used
for various purposes other than network monitoring such as network planning and accounting and billing.

The advantage of Netflow over other monitoring methods such as SNMP and RMON is that there are numerous traffic analysis
software packages (data analyzers) that exist to pull the data from Netflow packets and present it in a more user friendly way.

By using a tool such as Netflow Analyzer [NetflowWhitePaper05] (just one tool that is available for analyzing Netflow packets) the
information above can be pulled out of the Netflow packets to create charts and usage graphs that an Administrator can study to
maintain an understanding of their network. The biggest benefit of using Netflow in combination with one of the available Analysis
packages is that numerous different graphs detailing network activity can be created on the spur of the moment.
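The field list in this section is the one carried by a NetFlow version 5 export record, so as an added example (not from the paper or the cited Cisco documents) here is a parser for a v5 export datagram that decodes the 24-byte header and 48-byte flow records and then aggregates bytes per source address and per protocol, the "top talkers" and protocol-mix views an analysis package builds from the same data. The record layout is the published v5 format; the addresses, byte counts and header values are constructed sample data.

```python
"""NetFlow version 5 export parser with a top-talkers summary.

Added example: decodes the 24-byte v5 header and 48-byte flow records that
carry the fields listed in the text (addresses, interfaces, ports, protocol,
packets, bytes, timestamps, AS numbers, TCP flags, ToS) and aggregates bytes
per source address.  The export datagram is constructed in build_sample_export.
"""
import socket
import struct
from collections import defaultdict

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_netflow_v5(data: bytes):
    """Return (header dict, list of flow dicts); rejects non-v5 or short data."""
    if len(data) < V5_HEADER.size:
        raise ValueError("export shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    needed = V5_HEADER.size + count * V5_RECORD.size
    if len(data) < needed:
        # A truncated datagram must not be parsed as fewer, valid flows.
        raise ValueError(f"header announces {count} records, datagram is short")
    header = {"version": version, "count": count, "sys_uptime_ms": sys_uptime,
              "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
              "flow_sequence": flow_sequence, "engine": (engine_type, engine_id),
              "sampling_interval": sampling & 0x3FFF}  # top 2 bits = sampling mode
    flows = []
    for i in range(count):
        f = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "nexthop": socket.inet_ntoa(f[2]),
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "bytes": f[6],
            "first_ms": f[7], "last_ms": f[8],   # sysUptime at first/last packet
            "src_port": f[9], "dst_port": f[10],
            "tcp_flags": f[12], "proto": f[13], "tos": f[14],
            "src_as": f[15], "dst_as": f[16],
        })
    return header, flows


def top_talkers(flows, n=5):
    """Bytes sent per source address, largest first."""
    totals = defaultdict(int)
    for fl in flows:
        totals[fl["src"]] += fl["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def protocol_mix(flows):
    """Bytes per layer-4 protocol name (unknown numbers kept as a string)."""
    totals = defaultdict(int)
    for fl in flows:
        totals[PROTO_NAMES.get(fl["proto"], str(fl["proto"]))] += fl["bytes"]
    return dict(totals)


def _record(src, dst, pkts, octets, sport, dport, proto, flags):
    """Pack one constructed v5 flow record (next hop, interfaces, masks fixed)."""
    return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                          socket.inet_aton("10.0.0.1"), 1, 2, pkts, octets,
                          1000, 5000, sport, dport, 0, flags, proto, 0,
                          0, 0, 24, 24, 0)


def build_sample_export() -> bytes:
    """Constructed v5 datagram with three flows (sample data, not a capture)."""
    records = [
        _record("10.0.0.5", "192.0.2.10", 1200, 1_500_000, 51000, 443, 6, 0x18),
        _record("10.0.0.5", "198.51.100.7", 300, 400_000, 51001, 443, 6, 0x18),
        _record("10.0.0.9", "192.0.2.10", 2000, 250_000, 5353, 53, 17, 0),
    ]
    header = V5_HEADER.pack(5, len(records), 123456, 1_700_000_000, 0, 42, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    hdr, fl = parse_netflow_v5(build_sample_export())
    print(f"v{hdr['version']} export, {hdr['count']} flows, seq {hdr['flow_sequence']}")
    for src, total in top_talkers(fl):
        print(f"{src:15} {total:>10} bytes")
    print(protocol_mix(fl))
```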

2.2 Non-Router Based Techniques

Although non-router based techniques are still limited in their abilities they do offer more flexibility than the router based
techniques. These techniques are classified as either active or passive.

2.2.1 Active Monitoring

Active monitoring [Active06] transmits probes into the network to collect measurements between at least two endpoints in the
network. Active measurement systems deal with metrics such as:

Availability

Routes

Packet Delay

Packet Reordering

Packet Loss

Packet Inter-arrival Jitter

Bandwidth Measurements (Capacity, Achievable Throughputs)

Commonly used tools such as ping, which measures delay and loss of packets, and traceroute which helps determine topology of
the network, are examples of basic active measurement tools. They both send ICMP packets (probes) to a designated host and wait
for the host to respond back to the sender. Figure 4 is an example of the ping command that uses active measurements by sending
an Echo Request from the source host through the network to a specified destination. The destination then sends an Echo Response
back to the source it received the request from.

Figure 4: ICMP ping command (Active Measurement)

Not only can a person collect the metrics above from active measurements, one can also determine the network topology. Another
common example of an active measurement tool is iperf. Iperf is a tool that measures TCP and UDP bandwidth performance. It
reports bandwidth, delay jitter, and loss.
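As an added example (not from the paper), the metrics listed above derived from the results of a set of echo probes: loss, round-trip delay, reordering and inter-arrival jitter. The probe timings are constructed, and the jitter estimator is the RFC 3550 smoothed form that iperf reports, chosen here as an assumption since the paper names no estimator.

```python
"""Active-measurement metrics from echo-probe results.

Added example with constructed data: each probe is (sequence number, send
time, reply time) in milliseconds at the sending host, with None for a lost
reply.  From these the script derives loss, round-trip delay, reordering and
inter-arrival jitter, the metrics an active monitor such as ping or iperf
reports.
"""
from typing import List, Optional, Tuple

Probe = Tuple[int, int, Optional[int]]  # (seq, sent_ms, reply_ms or None)

# Constructed sample: seven probes, one lost (seq 3) and one reply (seq 6)
# that arrives after the reply to the probe sent after it (seq 7).
SAMPLE_PROBES: List[Probe] = [
    (1, 0, 20),
    (2, 500, 522),
    (3, 1000, None),
    (4, 1500, 1530),
    (5, 2000, 2021),
    (6, 2500, 2560),
    (7, 2510, 2529),
]


def rfc3550_jitter(deltas: List[int]) -> float:
    """Smoothed inter-arrival jitter: J += (|D| - J) / 16 per arrival."""
    j = 0.0
    for d in deltas:
        j += (abs(d) - j) / 16
    return j


def summarise(probes: List[Probe]) -> dict:
    """Loss, RTT, reordering and jitter figures for one probe run."""
    sent = len(probes)
    answered = [(seq, s, r) for seq, s, r in probes if r is not None]
    received = len(answered)
    summary = {"sent": sent, "received": received,
               "loss_pct": 100.0 * (sent - received) / sent if sent else 0.0}
    if not answered:
        return summary
    rtts = [r - s for _, s, r in answered]
    summary["rtt_min_ms"] = min(rtts)
    summary["rtt_avg_ms"] = sum(rtts) / len(rtts)
    summary["rtt_max_ms"] = max(rtts)
    # Reordering: walk replies in arrival order; a reply whose sequence number
    # is lower than the highest already seen arrived out of order.
    by_arrival = sorted(answered, key=lambda p: p[2])
    highest, reordered = 0, 0
    for seq, _, _ in by_arrival:
        if seq < highest:
            reordered += 1
        else:
            highest = seq
    summary["reordered"] = reordered
    # Jitter: variation in transit time between consecutive arrivals,
    # D = (R_j - R_i) - (S_j - S_i), smoothed as in RFC 3550.
    deltas = [(r2 - r1) - (s2 - s1)
              for (_, s1, r1), (_, s2, r2) in zip(by_arrival, by_arrival[1:])]
    summary["jitter_ms"] = rfc3550_jitter(deltas)
    return summary


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_PROBES).items():
        print(f"{key:11} {value}")
```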

The problem that exists with active monitoring is that introducing probes into the network can interfere with the normal
traffic on the network [UnivPenn02]. Oftentimes the active probes are treated differently than normal traffic as well, which causes
the validity of the information provided from these probes to be questioned.

As a result of the information detailed above, active monitoring is very rarely implemented as a stand-alone method of monitoring
as a good deal of overhead is introduced. On the other hand passive monitoring does not introduce much if any overhead into the
network.

2.2.2 Passive Monitoring

Passive monitoring [Curtis00], unlike active monitoring, does not inject traffic into the network or modify the traffic that is already
on the network. Also unlike active monitoring, passive monitoring collects information about only one point in the network that is
being measured rather than between two endpoints as active monitoring measures. Figure 5 shows the setup of a passive
monitoring system where the monitor is placed on a single link between two endpoints and monitors traffic as it passes along the
link.

Figure 5: Passive Monitoring Setup

Passive measurements deal with information such as:

Traffic and protocol mixes

Accurate bit or packet rates

Packet timing and inter-arrival timing

Passive monitoring can be achieved with the assistance of any packet sniffing program.

Although passive monitoring does not have the overhead that active monitoring has, it has its own set of downfalls [UnivPenn02].
With passive monitoring, measurements can only be analyzed off-line and not as they are collected. This creates another problem
with processing the huge data sets that are collected.

As one can see, passive monitoring may be better than active monitoring in that overhead data is not added into the network, but
post-processing can take a large amount of time. This is why a combination of the two monitoring methods seems to be the
route to go.

2.2.3 Combinational Monitoring

After reading the sections above one can safely come to the conclusion that a combination of active and passive monitoring is
better than using one or the other. Combinational techniques utilize the best aspects of both passive and active monitoring
environments. Two newly introduced combinational monitoring techniques are described below: Watching Resources from the
Edge of the Network (WREN) and Self-Configuring Network Monitor (SCNM).

2.2.3.1 Watching Resources from the Edge of the Network (WREN)

WREN [LowekampZangrilli04] uses a combination of active and passive monitoring techniques by actively monitoring when
traffic is low and passively monitoring during high traffic times. It monitors traffic at both the source and destination end host
which allows for more accurate measurements. WREN uses packet traces from existing application traffic to measure the available
bandwidth. WREN is split into two levels, the kernel level packet trace facility and the user level trace analyzer.

The kernel level packet trace facility is responsible for capturing the information associated with incoming and outgoing packets.
Figure 6 lists the information that is gathered for each packet. A buffer was added to the Web100 kernel to collect these
characteristics. Access to the buffer is through two system calls. One call starts the trace and provides the information needed to
conduct it, while the other call retrieves the trace from the kernel.

Figure 6: Information collected by WREN kernel level packet trace [LowekampZangrilli04]

The packet trace facility is able to coordinate measurements between the different machines. One machine will trigger the other
machine by setting a flag in the header of outgoing packets to start tracing the same range of packets that it is tracing. The other
machine will in turn trace all packets that it sees with the same header flag set. This coordination ensures that the information about
the same packets is stored at each end of the connection regardless of what happens in between.

The user level trace analyzer is the other level in the WREN environment. It is the component that begins any packet traces and
collects and processes the data returned from the kernel level trace facility. By design, the user-level components are not required to
read the information from the packet trace facility at all times. The data can be analyzed immediately after the trace is completed to make
runtime decisions, or stored for future analysis.

When traffic is low, WREN will actively introduce traffic into the network in order to maintain a continuous flow of measurements.
After numerous studies, it was found that WREN produced the same measurements in congested and uncongested environments.

In the current implementation of WREN users are not constrained to capturing only the traces that were initiated by them. Although
any user is able to trace another user's application traffic, they are restricted in the information that can be obtained from
another user's trace. They are only able to get the sequence and acknowledgement numbers, but not the actual data segments of
the packets.

In summary, WREN is a very useful tool that utilizes the benefits of both active and passive monitoring. Although it is in its
early stages, WREN can provide administrators with a valuable resource for monitoring and analyzing their network. Self
Configuring Network Monitor (SCNM) is another tool that uses both active and passive monitoring techniques.

2.2.3.2 Self Configuring Network Monitor (SCNM)

SCNM [Agarwal03] is a monitoring tool that uses a combination of active and passive measurements to collect information at layer
3 ingress and egress routers and at other significant points within the network being monitored. The SCNM environment
consists of both hardware and software components.

The hardware is installed at critical points in the network. It is responsible for passively collecting the packet headers. The
software runs on the endpoints of the network. Figure 7 below shows the software components of the SCNM environment.

Figure 7: SCNM Software Components [Agarwal03]

The software is responsible for creating and sending the activation packets that are used to start the monitoring of the network.
A user sends an activation packet out into the network containing the details about the packets they want to monitor and
gather. The user does not need to know the location of the SCNM hosts, because all hosts listen for activation packets. Based on
the information within the activation packet, a filter is set up within a data collection daemon that is also running on an
endpoint. The network and transport layer headers of packets that match the filter are collected. The filter will
automatically time out after a specified amount of time unless it receives another activation packet. The packet capture
daemon, which runs on the SCNM host, uses a tcpdump-like packet capture program in order to receive requests and to record
the traffic that corresponds to the requests.
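To make the activation-packet flow concrete, the following is an added Python sketch (example code, not SCNM's own implementation) of a collection daemon that installs a header-only filter when an activation arrives, renews it on a repeat activation, and lets it lapse otherwise. The Packet and Activation fields, the 5-second lifetime and the sample traffic are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                 # constructed packet record, not an SCNM format
    ts: float
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""      # carried on the wire, never stored by the daemon

@dataclass(frozen=True)
class Activation:             # stand-in for an activation packet (None = any)
    src: Optional[str]
    proto: Optional[str]
    dport: Optional[int]
    lifetime: float           # seconds the filter survives without a renewal

def matches(act, pkt):
    pairs = ((act.src, pkt.src), (act.proto, pkt.proto), (act.dport, pkt.dport))
    return all(want is None or want == got for want, got in pairs)

class CollectionDaemon:
    def __init__(self):
        self.filters = {}     # Activation -> expiry timestamp
        self.records = []     # (ts, src, dst, proto, dport): headers only

    def on_activation(self, act, now):
        # The same activation again renews the timeout instead of adding a duplicate.
        self.filters[act] = now + act.lifetime

    def on_packet(self, pkt):
        # Filters whose expiry has passed lapse silently unless renewed.
        self.filters = {a: t for a, t in self.filters.items() if t > pkt.ts}
        if any(matches(a, pkt) for a in self.filters):
            self.records.append((pkt.ts, pkt.src, pkt.dst, pkt.proto, pkt.dport))

def run_demo():
    d = CollectionDaemon()
    act = Activation("10.0.0.5", "tcp", 443, lifetime=5.0)
    d.on_activation(act, now=0.0)
    for p in [Packet(1.0, "10.0.0.5", "192.0.2.10", "tcp", 443, b"hello"),  # match
              Packet(2.0, "10.0.0.9", "192.0.2.10", "tcp", 443, b"x"),      # wrong src
              Packet(4.0, "10.0.0.5", "192.0.2.10", "udp", 443),            # wrong proto
              Packet(6.0, "10.0.0.5", "192.0.2.11", "tcp", 443, b"late")]:  # filter lapsed
        d.on_packet(p)
    d.on_activation(act, now=6.5)   # renewal re-arms the same filter
    d.on_packet(Packet(7.0, "10.0.0.5", "192.0.2.12", "tcp", 443, b"again"))
    return d.records
```

Only the two packets that matched while the filter was live are recorded, and the records carry headers only, with no payload bytes.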

When a problem is detected by the passive monitoring tools, traffic can be generated using the active tools, allowing one to
collect additional data to further study the problem. By having these monitors deployed at every router along the path, we can
study only the section of the network that seems to be having the problem [Tierney04].

SCNM [Agarwal03] is intended to be installed and used mainly by network administrators; however, average users can use a
subset of its functionality. Although average users are capable of using part of the SCNM monitoring environment, they are
only allowed to monitor their own data.

In conclusion, SCNM is another combinational monitoring tool that utilizes both active and passive monitoring to
help administrators monitor and analyze their networks.
