NETWORK MONITORING & MAINTENANCE (CIT4035)
LECTURE 2 – NETWORK MONITORING AND MAINTENANCE
There are several benefits to implementing a good monitoring system for your network:
Network budget and resources are justified.
o Good monitoring systems can demonstrate that the network infrastructure (bandwidth, hardware,
and software) is suitable and able to handle the requirements of network users.
Malicious network users can be detected and handled.
o By watching your network traffic, you can detect attackers and prevent access to critical internal
servers and services.
Network malware can be easily detected.
o You can be alerted to the presence of network viruses and take appropriate action before they
consume Internet bandwidth and destabilise your network.
BENEFITS OF NETWORK MONITORING CONT’D
Troubleshooting of network problems can be simplified.
o Rather than attempting "trial and error" to debug network problems, you can be instantly notified
of specific problems. Some kinds of problems can even be repaired automatically.
Network performance can be highly optimised.
o Without effective monitoring, it is impossible to fine-tune your devices and protocols to
achieve the best possible performance.
Capacity planning is much easier.
o With solid historical performance records, you do not have to "guess" how much
bandwidth you will need as your network grows.
Proper network usage can be enforced.
o When bandwidth is a scarce resource, the only way to be fair to all users is to ensure that
the network is being used for its intended purpose.
TYPES OF NETWORK MONITORING
The International Organization for Standardization (ISO) defines five basic network monitoring goals,
abbreviated F-C-A-P-S:
Fault Monitoring
Configuration Monitoring
Accounting Monitoring
Performance Monitoring
Security Monitoring
Fault Monitoring – the efficient management of network faults such as high CPU/memory
utilisation, Quality of Service (QoS) issues and hardware-related issues.
Fault Systems Functions
Check device availability using the ping command
Use SNMP to check device status
Send fault alerts
Display network issues on a graph
Fault Monitoring Tools
HP OpenView
Zenoss
IpMonitor
GOALS OF NETWORK MONITORING CONT’D
CONFIGURATION MONITORING
Configuration Monitoring – Management of network device configuration
and changes.
Configuration System Functions
System configuration monitoring or management can be done locally
or remotely.
Software is used to track changes made to a system, such as updating the
OS of a computer or adding a new hardware device.
Errors and incompatibilities in system configuration can be readily
identified and remedied.
Configuration Management Tools
HP Network Automation
SolarWinds
GOALS OF NETWORK MONITORING CONT’D
ACCOUNTING MONITORING
Accounting Monitoring – managing network resources and utilisation such that
departments and individual users can be charged/billed.
Accounting Monitoring Functions
Monitoring software is used to keep track of the utilisation of network resources
such as disk usage, printing, etc.
The software produces a graph of the utilisation, which can then be analysed to
determine billing information.
Accounting Management Tools
RADIUS – Remote Authentication Dial-In User Service
TACACS – Terminal Access Controller Access Control System
Diameter
GOALS OF NETWORK MONITORING CONT’D
PERFORMANCE MONITORING
Performance Monitoring – management of the efficiency and utilisation of the network,
such as capacity, bandwidth and response time.
Performance Monitoring Functions
Network performance information is usually provided by SNMP, which alerts
administrators to the utilisation status of a resource (e.g. network traffic).
Performance thresholds can be set so that the monitoring system sends a
notification when a critical resource reaches its specified limit.
Performance Monitoring Tools
SolarWinds
SNMP
GOALS OF NETWORK MONITORING CONT’D
SECURITY MONITORING
Security Monitoring – management of the network and its resources by controlling access
using a predefined policy.
Security Monitoring Functions
Protection of company data is often achieved through encryption and
authentication.
Software provides features that facilitate the protection of network data through
access control mechanisms.
Security Monitoring Tools
SolarWinds
GFI LanGuard
GOALS OF NETWORK MONITORING CONT’D
BASELINE CONFIGURATION
Network Performance Baselining
o In the simplest terms, a network performance baseline is a set of metrics used
in network performance monitoring to define the normal working conditions of an
enterprise network infrastructure.
o Engineers use network performance baselines for comparison to catch changes in
traffic that could indicate a problem.
o Because SNMP is a very popular industry monitoring protocol, many vendors
provide recommendations or best practices for monitoring and for defining thresholds
for their products using this protocol.
Example
Cisco recommends not exceeding 60% CPU utilisation on its
routers and has published an SNMP message to monitor that statistic.
BASELINE CONFIGURATION CONT’D
NEED FOR BASELINE CONFIGURATION
Understand healthy network patterns and traffic trends
Evaluate compliance with network management policies
Understand how network resources are allocated
Accelerate troubleshooting of network issues, e.g. a spike in network traffic
Provide data on network and security management to support decision making
Provide historical statistics to support network upgrades
NETWORK BASELINING STEPS
Things to Baseline
CPU / Memory Utilization
Server Utilization
Application Performance
Network Congestion
User Reported Issues
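The threshold notification described under performance monitoring and the baseline idea above can be tied together in code. The following is an added example, not part of the lecture: it builds a baseline (mean, standard deviation, 95th percentile) from constructed CPU utilisation polls, then checks new polls against both a static vendor ceiling (the 60% figure quoted above) and a deviation from the baseline. All sample values are constructed, not real measurements, and the function names are this example's own.

```python
"""Added example: performance baseline plus static/baseline threshold checks.
All sample data below is constructed; nothing here is a real measurement."""
from math import ceil
from statistics import mean, pstdev
from typing import Dict, List

# Constructed sample: CPU utilisation (%) polled every 5 minutes during a normal period
BASELINE_SAMPLES = [22, 25, 24, 28, 31, 30, 27, 26, 24, 23, 29, 33,
                    35, 32, 30, 28, 27, 25, 24, 22, 21, 23, 26, 29]
STATIC_LIMIT = 60.0   # vendor ceiling quoted in the lecture: stay under 60% router CPU


def percentile(samples: List[float], pct: float) -> float:
    """Nearest-rank percentile (no interpolation)."""
    ordered = sorted(samples)
    rank = max(1, ceil(pct / 100 * len(ordered)))
    return ordered[rank - 1]


def build_baseline(samples: List[float]) -> Dict[str, float]:
    """Summarise 'normal' behaviour: mean, population std dev and 95th percentile."""
    return {"mean": mean(samples), "stdev": pstdev(samples), "p95": percentile(samples, 95)}


def evaluate(sample: float, baseline: Dict[str, float],
             static_limit: float = STATIC_LIMIT, sigma: float = 3.0) -> List[str]:
    """Return the alert reasons a single poll triggers (empty list means healthy)."""
    alerts = []
    if sample > static_limit:
        alerts.append(f"static: {sample:.1f}% exceeds vendor limit of {static_limit:.0f}%")
    upper = baseline["mean"] + sigma * baseline["stdev"]   # deviation-from-normal ceiling
    if sample > upper:
        alerts.append(f"baseline: {sample:.1f}% is above mean+{sigma:g}sd ({upper:.1f}%)")
    return alerts


def sustained_breaches(series: List[float], baseline: Dict[str, float],
                       consecutive: int = 3, **kwargs) -> List[int]:
    """Start indices where a breach persists for `consecutive` polls in a row.

    Alerting only on sustained breaches filters out the single-poll spikes that a
    momentary burst of traffic produces, which otherwise flood the operator."""
    hits = [bool(evaluate(s, baseline, **kwargs)) for s in series]
    return [i for i in range(len(hits) - consecutive + 1)
            if all(hits[i:i + consecutive])]


if __name__ == "__main__":
    base = build_baseline(BASELINE_SAMPLES)
    print("baseline:", {k: round(v, 2) for k, v in base.items()})
    for sample in (30, 45, 65):
        print(sample, evaluate(sample, base) or ["ok"])
    # constructed live series: one isolated spike, then a sustained overload
    live = [30, 70, 30, 70, 70, 70, 30]
    print("sustained breaches start at polls:", sustained_breaches(live, base))
```

A poll of 45% is below the vendor ceiling but well outside the baseline, so only the baseline check fires; 65% trips both. Requiring several consecutive breaches before notifying is the usual way to keep a short burst from paging anyone.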
SNMP PROTOCOL
SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)
SNMP Manager:
SNMP MANAGED DEVICES
Managed Devices:
A managed device, or network element, is a part of the network that requires
some form of monitoring and management.
Examples
o Routers
o Switches
o Servers
o Workstations
o Printers
o UPSs
SNMP PROTOCOL
SNMP AGENT
The agent is a program packaged within the network element. Enabling the agent
allows it to collect management information from the device locally and
make it available to the SNMP manager when queried. Agents can be
standard (e.g. Net-SNMP) or vendor-specific (e.g. HP Insight Agent).
SNMP agent’s key functions
Collects management information about its local environment
Stores & retrieves management information as defined in the MIB.
Signals an event to the manager.
Acts as a proxy for some non-SNMP-manageable network node.
SNMP PROTOCOL
MANAGEMENT INFORMATION BASE (MIB)
A MIB is a formatted text file that lists all of the data objects used by a particular piece
of equipment.
How the MIB works in 3 steps (e.g. when a new device is added to the
network):
o The manufacturer of your device will supply you with a MIB file.
o You load the MIB into your SNMP manager.
o Your SNMP manager uses the MIB to interpret the incoming messages from your
new device.
SNMP VERSIONS
SNMP versions
Since its inception, SNMP has gone through significant upgrades. However, SNMP
v1 and v2c are the most widely implemented versions of SNMP. Support for SNMP v3 has
recently started catching up as it is more secure than its older
versions, but it still has not reached a considerable market share.
SNMPv1:
This is the first version of the protocol, defined in RFCs 1155 and 1157.
SNMP PROTOCOL
SNMP VERSIONS CONT’D
SNMPv2c:
This is the revised protocol, which includes enhancements over SNMPv1 in the areas
of protocol packet types, transport mappings and MIB structure elements, but uses the
existing SNMPv1 administration structure ("community-based", hence
SNMPv2c).
SNMPv3:
SNMPv3 defines the secure version of SNMP. SNMPv3 also facilitates remote
configuration of SNMP entities.
SNMP PROTOCOL
SNMP VERSIONS SUMMARY
SNMP PROTOCOL
SNMP TRAPS
SNMP Manager – polls the management information base (MIB) of network devices to obtain performance
statistics.
An SNMP trap allows a network device to notify a network management system of an event by sending a
message, e.g. an error message is sent to alert the administrator.
What are SNMP "Trap" messages?
SNMP Traps are alert messages sent from a remote SNMP-enabled device to a central collector, the "SNMP
manager".
A trap might tell you that a device is overheating, for example. Trap messages are the main form of
communication between an SNMP agent and an SNMP manager. They are used to inform an SNMP manager
when an important event happens at the agent level. A benefit of using traps for reporting alarms is that they
trigger instantaneously, rather than waiting for a status request from the manager.
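To make the manager/agent exchange concrete, here is an added example that is not part of the lecture: a minimal SNMPv2c codec written from the RFC 1157/3416 message layout in pure Python. It BER-encodes the GetRequest a manager sends when polling, and the same decoder reads both the poll and an agent-initiated SNMPv2-Trap (a constructed linkDown trap), since a trap is just another PDU type inside the same message envelope. The community strings and values are constructed samples; the helper names are this example's own. The last function makes the security point behind the versions slide: in v1/v2c the community string travels in clear text.

```python
"""Added example: minimal SNMPv2c BER codec (poll request + trap decode).
Community strings, OIDs and values are constructed samples."""
from dataclasses import dataclass
from typing import Any, List, Tuple

# ASN.1 BER universal tags used by SNMP, plus the SMI application types
TAG_INT, TAG_OCTSTR, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS = 0x41, 0x42, 0x43
# Context-specific PDU tags (RFC 3416)
PDU_GET_REQUEST, PDU_GET_RESPONSE, PDU_TRAP_V2 = 0xA0, 0xA2, 0xA7
PDU_NAMES = {PDU_GET_REQUEST: "GetRequest", PDU_GET_RESPONSE: "GetResponse",
             PDU_TRAP_V2: "SNMPv2-Trap"}
SNMP_V2C = 1                      # version field: v1 is 0, v2c is 1, v3 is 3
SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # well-known MIB-2 objects used below
SYS_UPTIME = "1.3.6.1.2.1.1.3.0"
SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"
LINK_DOWN = "1.3.6.1.6.3.1.1.5.3"


def _tlv(tag: int, body: bytes) -> bytes:
    """Tag-Length-Value with definite-form BER length (short or long form)."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        size = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(size)]) + size
    return bytes([tag]) + length + body


def enc_int(value: int, tag: int = TAG_INT) -> bytes:
    """Minimal two's-complement INTEGER; also used for the unsigned SMI types."""
    return _tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def enc_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])          # first two arcs share one byte
    for arc in arcs[2:]:                               # base-128, high bit = "more follows"
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def build_message(pdu_tag: int, community: str, request_id: int,
                  varbinds: List[Tuple[str, bytes]]) -> bytes:
    """Message ::= SEQUENCE { version, community, PDU }; varbinds = (oid, encoded value)."""
    vb_list = b"".join(_tlv(TAG_SEQ, enc_oid(oid) + value) for oid, value in varbinds)
    pdu = _tlv(pdu_tag, enc_int(request_id) + enc_int(0) + enc_int(0)   # error-status, error-index
               + _tlv(TAG_SEQ, vb_list))
    return _tlv(TAG_SEQ, enc_int(SNMP_V2C) + _tlv(TAG_OCTSTR, community.encode()) + pdu)


def build_get_request(community: str, oids: List[str], request_id: int = 1) -> bytes:
    """The poll a manager sends: each requested OID carries a NULL placeholder value."""
    return build_message(PDU_GET_REQUEST, community, request_id,
                         [(oid, _tlv(TAG_NULL, b"")) for oid in oids])


def _read_tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def dec_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def dec_value(tag: int, body: bytes) -> Any:
    if tag == TAG_INT:
        return int.from_bytes(body, "big", signed=True)
    if tag in (TAG_COUNTER32, TAG_GAUGE32, TAG_TIMETICKS):
        return int.from_bytes(body, "big")
    if tag == TAG_OCTSTR:
        return body.decode("utf-8", "replace")
    if tag == TAG_OID:
        return dec_oid(body)
    if tag == TAG_NULL:
        return None
    raise ValueError(f"unsupported BER tag 0x{tag:02x}")


@dataclass
class SnmpMessage:
    version: int
    community: str
    pdu_type: str
    request_id: int
    varbinds: List[Tuple[str, Any]]


def parse_message(data: bytes) -> SnmpMessage:
    """Decode any v1/v2c message with the common PDU layout (Get*, Response, v2 Trap)."""
    _, msg, _ = _read_tlv(data, 0)
    t, body, pos = _read_tlv(msg, 0)
    version = dec_value(t, body)
    t, body, pos = _read_tlv(msg, pos)
    community = dec_value(t, body)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    t, body, p = _read_tlv(pdu, 0)
    request_id = dec_value(t, body)
    _, _, p = _read_tlv(pdu, p)                        # error-status (not needed here)
    _, _, p = _read_tlv(pdu, p)                        # error-index (not needed here)
    _, vb_list, _ = _read_tlv(pdu, p)
    varbinds, q = [], 0
    while q < len(vb_list):
        _, vb, q = _read_tlv(vb_list, q)
        _, oid_body, r = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, r)
        varbinds.append((dec_oid(oid_body), dec_value(vtag, vbody)))
    return SnmpMessage(version, community, PDU_NAMES.get(pdu_tag, hex(pdu_tag)),
                       request_id, varbinds)


# Constructed samples: a manager poll for sysDescr.0, and the linkDown trap an agent sends unasked
SAMPLE_POLL = build_get_request("public", [SYS_DESCR])
SAMPLE_TRAP = build_message(PDU_TRAP_V2, "public", 42, [
    (SYS_UPTIME, enc_int(123456, TAG_TIMETICKS)),      # hundredths of a second since agent start
    (SNMP_TRAP_OID, enc_oid(LINK_DOWN)),
])


def community_in_clear(packet: bytes, community: str) -> bool:
    """v1/v2c carry the community string unencrypted, so anyone on the path can read it."""
    return community.encode() in packet


if __name__ == "__main__":
    for name, pkt in (("poll", SAMPLE_POLL), ("trap", SAMPLE_TRAP)):
        print(name, pkt.hex(), parse_message(pkt), sep="\n  ")
    print("community visible on the wire:", community_in_clear(SAMPLE_POLL, "public"))
```

Both messages share the SEQUENCE{version, community, PDU} envelope; only the PDU tag tells a poll from a trap. Because the community string is a plain OCTET STRING, a capture of v2c traffic reveals it, which is the practical reason the slide recommends v3 (authentication and privacy) where devices support it.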
SNMP PROTOCOL
NETWORK MONITORING APPLICATIONS
Nagios
Monitors servers, switches, devices, services and anything that has an IP address and/or supports SNMP
NETWORK MONITORING APPLICATIONS CONT’D
WireShark
An open source tool for profiling network traffic and analysing packets
NETWORK MONITORING APPLICATIONS CONT’D
Smokeping
Measures connection quality: ping RTT, latency and jitter
NETWORK MONITORING APPLICATIONS CONT’D
Cacti
Graphs resources, traffic, interfaces, transactions and almost anything accessible via SNMP, e.g.
temperature, power and other sensor data
Monitoring network traffic
WIRESHARK – PROTOCOL ANALYSER
Wireshark is a network packet/protocol analyser and is the main tool used in the
capturing and analysis of network traffic.
The captured packets are displayed in sections of the application in great detail
to assist administrators in the analysis and troubleshooting of their systems.
Wireshark requires WinPcap to be installed on the machine on which it will be used.
[Note: WinPcap is a program that allows Wireshark to capture network traffic on the
communication medium.]
Wireshark is not malware; it does not inject code onto the network.
It is a tool to capture and analyse what is happening on the network.
WIRESHARK DASHBOARD
SHARK ATTACK – WIRESHARK ANALYSIS
Apply Filters
ip.addr == 10.0.0.1 [sets a filter for any packet with 10.0.0.1 as either the source or
destination]
ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the
two defined IP addresses]
http or dns [sets a filter to display all HTTP and DNS packets]
tcp.port==4000 [sets a filter for any TCP packet with 4000 as the source or destination port]
tcp.flags.reset==1 [displays all TCP resets]
http.request [displays all HTTP requests (GET, POST, etc.)]
tcp contains rviews [displays all TCP packets that contain the string ‘rviews’; excellent
when searching for a specific string or user ID]
!(arp or icmp or dns) [masks out ARP, ICMP, DNS, or whatever other protocols may be
background noise, allowing you to focus on the traffic of interest]
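The filters above follow a small grammar (comparisons, bare protocol or field names, `!`/`&&`/`||` with parentheses), and two of them rely on Wireshark's "either direction" fields: `ip.addr` matches source or destination, `tcp.port` matches either port. The following is an added example, not from the lecture and not Wireshark's own code: a tiny evaluator for exactly this filter subset, run over constructed packet records whose keys mirror Wireshark field names, so each filter listed above can be checked against the frames it leaves visible. The records, field set and helper names are this example's own assumptions; real captures have far more fields.

```python
"""Added example: evaluate Wireshark-style display filters over constructed packets.
The packet records are constructed samples, not a real capture."""
import re
from typing import Any, Dict, List, Tuple

Packet = Dict[str, Any]
TOKEN_RE = re.compile(r"\s*(\(|\)|!|&&|\|\||==|[A-Za-z0-9_.:-]+)")
# Fields Wireshark defines as matching either direction
ALIASES = {"ip.addr": ("ip.src", "ip.dst"), "tcp.port": ("tcp.srcport", "tcp.dstport")}


def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Recursive descent with Wireshark precedence: 'or' < 'and' < 'not'/parentheses/atom."""

    def __init__(self, expr: str):
        self.tokens, self.i = tokenize(expr), 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self) -> str:
        tok = self.peek()
        if tok is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return tok

    def parse(self) -> Tuple:
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node

    def or_expr(self) -> Tuple:
        node = self.and_expr()
        while self.peek() in ("||", "or"):
            self.take()
            node = ("or", node, self.and_expr())
        return node

    def and_expr(self) -> Tuple:
        node = self.factor()
        while self.peek() in ("&&", "and"):
            self.take()
            node = ("and", node, self.factor())
        return node

    def factor(self) -> Tuple:
        tok = self.peek()
        if tok in ("!", "not"):
            self.take()
            return ("not", self.factor())
        if tok == "(":
            self.take()
            node = self.or_expr()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return node
        name = self.take()
        if self.peek() in ("==", "contains"):
            op = self.take()
            return (op, name, self.take())
        return ("present", name)      # bare protocol (http) or boolean field (http.request)


def field_values(pkt: Packet, name: str) -> List[str]:
    return [str(pkt[k]) for k in ALIASES.get(name, (name,)) if k in pkt]


def evaluate(node: Tuple, pkt: Packet) -> bool:
    op = node[0]
    if op == "or":
        return evaluate(node[1], pkt) or evaluate(node[2], pkt)
    if op == "and":
        return evaluate(node[1], pkt) and evaluate(node[2], pkt)
    if op == "not":
        return not evaluate(node[1], pkt)
    if op == "present":
        return node[1] in pkt["protocols"] or bool(pkt.get(node[1]))
    if op == "==":
        return node[2] in field_values(pkt, node[1])
    # "<proto> contains <text>": substring search in the payload of packets of that protocol
    return node[1] in pkt["protocols"] and node[2] in pkt.get("payload", "")


def matching(expr: str, packets: List[Packet]) -> List[int]:
    """Frame numbers the filter would leave visible in the packet list."""
    tree = Parser(expr).parse()
    return [pkt["no"] for pkt in packets if evaluate(tree, pkt)]


# Constructed capture: an HTTP exchange, a DNS query, an ARP frame and a TCP reset
PACKETS: List[Packet] = [
    {"no": 1, "protocols": {"ip", "tcp", "http"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.2",
     "tcp.srcport": 51000, "tcp.dstport": 80, "http.request": True,
     "payload": "GET /profile?user=rviews HTTP/1.1"},
    {"no": 2, "protocols": {"ip", "tcp", "http"}, "ip.src": "10.0.0.2", "ip.dst": "10.0.0.1",
     "tcp.srcport": 80, "tcp.dstport": 51000, "http.response": True, "payload": "HTTP/1.1 200 OK"},
    {"no": 3, "protocols": {"ip", "udp", "dns"}, "ip.src": "10.0.0.1", "ip.dst": "10.0.0.53",
     "udp.srcport": 4000, "udp.dstport": 53, "payload": "example.com"},
    {"no": 4, "protocols": {"arp"}, "payload": ""},
    {"no": 5, "protocols": {"ip", "tcp"}, "ip.src": "10.0.0.9", "ip.dst": "10.0.0.2",
     "tcp.srcport": 4000, "tcp.dstport": 22, "tcp.flags.reset": 1, "payload": ""},
]

if __name__ == "__main__":
    for f in ("ip.addr == 10.0.0.1", "ip.addr==10.0.0.1 && ip.addr==10.0.0.2", "http or dns",
              "tcp.port==4000", "tcp.flags.reset==1", "http.request",
              "tcp contains rviews", "!(arp or icmp or dns)"):
        print(f"{f:45} -> frames {matching(f, PACKETS)}")
```

Note that `tcp.port==4000` does not match frame 3 even though its UDP source port is 4000, and that `http.request` selects every HTTP request regardless of method; both are the behaviours a reader should expect from the real filters.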