Executive Summary:

We drill down into the basics and look at what matters most in a network-monitoring tool, covering data-monitoring products, or packet sniffers, which examine the contents of individual packets, giving you the power to monitor the data traversing your network at a protocol level, and statistical monitoring products, which examine the way data flows through the network. The best network-monitoring tactic combines both approaches. More than fifteen network-monitoring products are laid out in the accompanying table offering a quick overview of features offered and prices.

Perhaps your network performance has become rather sluggish, or maybe you’ve just realized that you have no idea what kind of data is actually traveling through your network. Either way, you need a tool that’ll not only let you peek at network traffic and data but also let you perform analysis and troubleshooting.

In a previous buyer’s guide, we provided a unique approach to the topic by focusing on both network-traffic monitoring and service monitoring (see “Network-Monitoring Tools,” December 2006, Instant- Doc ID 93841). We found that many tools in this space were monitoring email databases, Active Directory (AD), WANs, and even the environment. Now, let’s look at what matters most in a network-monitoring tool: After all, what you really want is to be able to study the content and characteristics of your network traffic, and you need to know which products will best help you achieve that goal.

Packet vs. Flow
Network-monitoring products split into two approaches: data monitoring and statistical monitoring. Data-monitoring products, or packet sniffers, examine the contents of individual packets, giving you the power to monitor the data traversing your network at a protocol level. For example, you can keep an eye on FTP, HTTP, and SNMP packets to reveal inappropriate usage involving those particular protocols. When you’re shopping for a packet sniffer, check out the granularity of the tool’s reach and get a feel for the types of information the tool can discern from the captured data.

Statistical monitoring, by contrast, examines the way data flows through the network. Patterns of network usage can not only show you traffic trends (e.g., peak usage, bottlenecks) and general network functionality but can also expose vulnerabilities and even ongoing attacks. Using statistical monitoring, you might see many packets bombarding your network at once, indicating some kind of internal misconfiguration or even a malicious attack. A packet sniffer might be blind to that kind of problem. With a traffic-flow monitoring solution, you can also identify the source and destination of network traffic. If you have Cisco components in your network, you’re going to need a product that supports Netflow. Watch for the inclusion of other popular embedded technologies, such as sFlow (an industry-standard mechanism for capturing traffic from switches and routers) and SNMP (an application-layer protocol for monitoring network-attached devices).

Perhaps you’ve considered dropping traditional packet capture and network analysis and going instead with a statistical monitoring infrastructure. After all, statistical-monitoring tools offer excellent visibility and perspective. However, they won’t replace the essential ability to capture and analyze the data flowing through your network.

Think of Netflow, sFlow, and SNMP as reporting technologies— not as troubleshooting technologies. Embedded in your monitoring infrastructure, these technologies are best used to get an idea of traffic flow, usage patterns, and highly used applications in the environment. But they don’t let you look at the data itself and perform serious troubleshooting. The best network-monitoring tactic uses both packet sniffing and statistical monitoring approaches.

Other Considerations
Most network-monitoring products offer some kind of network topology map, though some maps are more dynamic or granular than others. You might also require VoIP support (e.g., call quality, call drops) and Multi-Protocol Label Switching (MPLS) support, so that you can see data as it traverses the MPLS mesh and determine whether it’s running correctly and whether your provider is offering what it claims to be offering.

You’ll see increasing support for 10GbE bandwidth. Maybe you don’t need it today, but making the investment in that future 10GbE visibility is worth considering. Finally, retrospective analysis is gaining popularity in the market, letting you funnel data to a disk array and perform retrospective troubleshooting—a new mainstay of the industry.

Tool Evolution
Many problems affect network performance—hardware breakdowns, incorrect network configurations, viruses, users taking advantage of your resources inappropriately—and the monitoring tools that unearth those problems take various approaches. Tools in this space continue to evolve and incorporate existing and changing methodologies so that you can tackle as many causes as possible.

See associated table