There are many different ways to monitor network flows and devices. In this video, you’ll learn about port scanning, interface monitoring, NetFlow analysis, and SNMP monitoring.
Network administrators have many different ways that they can find out what’s happening on their networks and in this video, we’ll look at some of the most popular network monitoring tools.
A port scanner allows you to gather information from a device over the network without you needing any particular username, password, or any other type of authentication to that device. You simply send it some well-crafted queries and by examining the responses you can find out a lot of information about that device.
At its most basic level, a port scanner can tell you if a device is responding to you over the network. It’ll send a ping or an Address Resolution Protocol query to see whether that device is really alive.
And if it is, it can check whether there are any open ports on that device. Does that device have services running on it that allow someone to connect over particular port numbers? What are those port numbers? Which ones are open and closed on that particular device?
You can also find out a lot about the operating system running on that device, even without connecting to that device or querying the operating system directly. You can send some very specific queries and depending on what’s returned, you can determine what type of operating system– and in some cases, the exact version of the operating system– that’s running on that device.
To get even more details, you could scan the open ports to find out how do they respond to queries? And depending on the response, you can determine what services might be running and what version of what services might be running on that device.
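The basic probe described above, the TCP handshake that needs no credentials, is also how a defender verifies that a host exposes only the services it is supposed to. The following is an added example, not code from the video, showing a connect()-based port check against a constructed baseline of approved ports; the host, port list and baseline values are assumptions for illustration.

```python
import socket
from typing import Dict, Iterable, List, Tuple


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connection to host:port completes, i.e. something is listening.

    No username or password is involved: the only thing exchanged is the TCP
    handshake. connect_ex() returns 0 on success and an errno (such as
    ECONNREFUSED) when nothing is listening on that port.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            return sock.connect_ex((host, port)) == 0
        except OSError:
            return False


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, bool]:
    """Probe each port once and map port number -> open/closed."""
    return {port: tcp_port_open(host, port, timeout) for port in ports}


def unexpected_open_ports(scan: Dict[int, bool], allowed: Iterable[int]) -> List[int]:
    """Ports found listening that are not on the approved baseline (the finding a defender cares about)."""
    allowed_set = set(allowed)
    return sorted(p for p, is_open in scan.items() if is_open and p not in allowed_set)


def self_check() -> Tuple[bool, bool, bool]:
    """Run the scanner against a throwaway local listener so the logic can be verified offline.

    Returns (open port detected, closed port detected, open port flagged as unexpected).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # OS picks a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                             # nothing listens here any more
    try:
        scan = scan_ports("127.0.0.1", [open_port, closed_port])
        unexpected = unexpected_open_ports(scan, allowed=set())  # empty baseline: anything open is a finding
        return scan[open_port], not scan[closed_port], unexpected == [open_port]
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed baseline: the only services this host is supposed to expose (assumption).
    baseline = {22, 443}
    result = scan_ports("127.0.0.1", range(1, 1025), timeout=0.2)
    print("open:", sorted(p for p, is_open in result.items() if is_open))
    print("unexpected:", unexpected_open_ports(result, baseline))
```

Run it against your own hosts and compare the result with your inventory; a port that is open but missing from the baseline is either an undocumented service or a change that nobody approved. A full connect() is slower and noisier than the techniques dedicated scanners use, but it works with no privileges and is easy to reason about.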
If you’re managing a network– really, of any size– there’s going to be a need to monitor the devices connected to your network. And an easy way to do that is through interface monitoring. We want to know, at a basic level, is that device alive or is it not alive? Is it on the network, or is it dropped off of the network?
We want to get some lights that tell us is everything green, or is a section of the network gone red? And an interface monitor can provide you with that information.
It can also provide you with alerting of that information. You obviously can’t look at the monitoring screen for 24 hours a day, seven days a week, so we’ll have the software monitor these interfaces. And if the interface turns from green to red, it can send you an email or send you a text message.
Interface monitoring software can often not only give you that short term view of what’s happening, but it can collect information over a longer time frame so you can see how available a particular interface has been.
If you need more detail than just is the device up or is the device down, you may want to look into other monitoring technologies like SNMP. They can give you information about interface utilization, errors, and much more.
It’s often useful to get an understanding of exactly what’s running over the network and there are a number of packet flow monitoring technologies that can do exactly that. A very popular way to do this is with a technology called NetFlow. NetFlow version 5 and NetFlow version 9 are the most common ones that you’ll see, and it’s designed to look at these traffic flows across the network and provide you with detailed metrics about exactly what’s running over your network links.
You’ll generally use two different components to make NetFlow work.
The first component is a probe. You’re going to put a probe on the network at every place where you want to collect data. The probe is going to watch the raw traffic going by, and it’s going to create these summary records. And it’s going to send those summary records back to a single collector. That way you can have multiple probes on the network but all of the summary information is being sent to one central point, and that is the NetFlow Collector.
It’s at this collector where we’re generally going to be able to run a number of reports, because all of the data is contained on that collector. There’s usually a separate application you would run that queries the collector, looks through all of the summary records, and provides you with information about what’s flowing over the network.
Looking at this view of NetFlow statistics, you can see this summary of metadata can actually provide you with a lot of details. Here’s the top 10 nodes by response time. You can see these top three are having loss, and so they’re having some very long response times.
You can see the exact nodes that are having the packet loss. Here’s the devices– the top 10 that are having high utilization, so you can concentrate on trying to find out why those devices see so much traffic going by.
And of course there’s other reporting mechanisms. Here’s a report that shows the top 20 applications. There’s worldwide web, HTTP, SQL Server, Oracle SQL, domain name server. So you can really get a lot of detail about exactly what’s happening, and it’s very common to be able to run the short and long term reports so that you can start doing some troubleshooting of your network flows.
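The summary records a probe sends to the collector are small fixed-format structures, and the reports above are just aggregations over them. The following is an added example, not code from the video: it parses a NetFlow version 5 export datagram (24-byte header, 48-byte records, network byte order) and produces a top-talkers style report. The flow records in the datagram are constructed for illustration; no real traffic is involved.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 fixed 48-byte records.
HEADER_FMT = "!HHIIIIBBH"             # version, count, sys_uptime, unix_secs, unix_nsecs,
                                      # flow_sequence, engine_type, engine_id, sampling_interval
RECORD_FMT = "!IIIHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets,
                                      # first, last, srcport, dstport, pad1, tcp_flags, prot, tos,
                                      # src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48


def parse_netflow_v5(datagram: bytes) -> List[Dict[str, object]]:
    """Decode one NetFlow v5 datagram into a list of flow dicts, rejecting malformed input."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    version, count, *_ = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram truncated: header count exceeds payload")
    flows = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, _first, _last,
         sport, dport, _pad, tcp_flags, proto, _tos, *_rest) = fields
        flows.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "src_port": sport, "dst_port": dport, "proto": proto,
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
        })
    return flows


def bytes_by(flows: List[Dict[str, object]], field: str) -> List[Tuple[object, int]]:
    """Aggregate bytes by one field (e.g. 'src' or 'dst_port'), largest first: a top-N report."""
    totals: Dict[object, int] = defaultdict(int)
    for flow in flows:
        totals[flow[field]] += int(flow["bytes"])
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def _record(src: str, dst: str, sport: int, dport: int, proto: int, pkts: int, octets: int) -> bytes:
    """Pack one constructed flow record (input/output ifindex, timestamps, masks are filler)."""
    return struct.pack(RECORD_FMT, int(IPv4Address(src)), int(IPv4Address(dst)), 0, 1, 2,
                       pkts, octets, 1000, 2000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)


def build_sample_datagram() -> bytes:
    """Constructed datagram with four flows, as a probe would export it to the collector."""
    records = [
        _record("10.0.0.5", "10.0.1.10", 51000, 443, 6, 120, 150000),   # HTTPS
        _record("10.0.0.7", "10.0.1.10", 51001, 443, 6, 80, 90000),     # HTTPS
        _record("10.0.0.5", "10.0.1.20", 51002, 1433, 6, 40, 30000),    # SQL Server
        _record("10.0.0.9", "10.0.1.30", 40000, 53, 17, 10, 1200),      # DNS
    ]
    header = struct.pack(HEADER_FMT, 5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0)
    return header + b"".join(records)


if __name__ == "__main__":
    flows = parse_netflow_v5(build_sample_datagram())
    print("top destination ports by bytes:", bytes_by(flows, "dst_port"))
    print("top sources by bytes:", bytes_by(flows, "src"))
```

A real collector receives these datagrams over UDP (port 2055 is a common choice, but it is whatever the probe was configured to send to) and stores the records; the reporting application then runs exactly this kind of aggregation over much larger windows. Note that the record carries only metadata, such as addresses, ports, protocol and byte counts, not packet payloads.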
Another technology you can use to gather detailed metrics from your infrastructure devices is SNMP. SNMP stands for Simple Network Management Protocol, and it uses a very standardized database and structure called a MIB– a management information base– to be able to use a standard query and get a standard response from your devices.
As you start working with SNMP software and with SNMP configurations in your infrastructure devices, there may be different versions that are referenced. There’s three major SNMP versions you’ll run into.
SNMP version one was the original. A management station on the network would make a request– for instance, how many bytes have gone into a particular interface– and the device would respond back with a number. That’s a very basic SNMP query. It’s all done in the clear. There’s no encryption or special security, and it’s done one query at a time.
SNMP version two was an upgrade to version one. It added some additional data enhancements, and it provided for bulk data transfer, so we could ask for 10 different pieces of information and get a single response with all 10 of those answers. This made for a much more efficient way to query our devices, but it was still in-the-clear data. If you had a packet analyzer, you’d be able to see all of this SNMP information.
So we created SNMP version three. This is really the latest standard for SNMP, and it provides message integrity, authentication, and encryption to verify that the information going across the network is going to be secure.
Whenever you’re querying infrastructure devices, you’re gathering metrics and details that other people could use against you. So it’s important to keep this data as safe as possible. If you are using SNMP, you want to use SNMP version three if at all possible. If it’s not possible, you want to have all of that data contained on a private network.
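The “in-the-clear” point above is easy to verify on a capture: an SNMP v1 or v2c message is a BER SEQUENCE whose first two fields are the version number and the community string, so anyone who can read the packet can read the credential. The following is an added example, not code from the video: a minimal BER reader that classifies a captured SNMP message by version and, for v1/v2c, returns the community string so an audit script can flag cleartext management traffic. The sample messages are constructed in the code (the v3 one is truncated after its global header, since the credentials in v3 sit inside the security parameters and the scoped PDU).

```python
from typing import Optional, Tuple

SNMP_VERSION_NAMES = {0: "v1", 1: "v2c", 3: "v3"}   # values of the leading INTEGER field


def _ber(tag: int, payload: bytes) -> bytes:
    """Encode one BER TLV using short-form length (sufficient for these small messages)."""
    if len(payload) >= 128:
        raise ValueError("short-form BER length only supports payloads < 128 bytes")
    return bytes([tag, len(payload)]) + payload


def _ber_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode the TLV starting at pos; returns (tag, value bytes, position after the element)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def snmp_version_and_community(message: bytes) -> Tuple[str, Optional[str]]:
    """Return (version name, community) for a raw SNMP message; community is None for v3."""
    tag, body, _ = _ber_read(message, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message: outer SEQUENCE missing")
    tag, ver, pos = _ber_read(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version field")
    version = int.from_bytes(ver, "big")
    name = SNMP_VERSION_NAMES.get(version, f"unknown({version})")
    if version in (0, 1):                  # v1 / v2c: community string follows in cleartext
        tag, community, _ = _ber_read(body, pos)
        if tag != 0x04:
            raise ValueError("expected OCTET STRING community field")
        return name, community.decode("ascii", errors="replace")
    return name, None


def build_v2c_get_sysdescr(community: bytes) -> bytes:
    """Constructed SNMPv2c GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), request-id 1."""
    oid = _ber(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbind = _ber(0x30, oid + _ber(0x05, b""))                 # OID + NULL value
    pdu = _ber(0xA0, _ber(0x02, b"\x01") + _ber(0x02, b"\x00")  # request-id, error-status
               + _ber(0x02, b"\x00") + _ber(0x30, varbind))     # error-index, varbind list
    return _ber(0x30, _ber(0x02, b"\x01") + _ber(0x04, community) + pdu)


def build_v3_header_only() -> bytes:
    """Constructed, truncated SNMPv3 message: version 3 plus msgGlobalData, nothing readable after it."""
    global_data = _ber(0x30, _ber(0x02, b"\x01")        # msgID
                       + _ber(0x02, b"\x7f\xff")         # msgMaxSize
                       + _ber(0x04, b"\x03")             # msgFlags: auth + priv
                       + _ber(0x02, b"\x03"))            # msgSecurityModel: USM
    return _ber(0x30, _ber(0x02, b"\x03") + global_data)


if __name__ == "__main__":
    for captured in (build_v2c_get_sysdescr(b"public"), build_v3_header_only()):
        version, community = snmp_version_and_community(captured)
        status = "CLEARTEXT community exposed" if community is not None else "no cleartext credential"
        print(f"{version}: {status} {community!r}")
```

Pointed at the SNMP packets from a capture, this is enough to list every device still being polled with v1 or v2c and which community strings are travelling over the wire, which is the inventory you need before migrating those devices to v3 or confining that traffic to a dedicated management network.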
SNMP can give you a lot of detail about what’s happening on your network. Here’s a query of one of my switches, and you can see every second I’m getting an update of utilization and traffic throughput that’s going through my particular switch.
You can take this and not only get a short term view of what’s happening, you can also expand this out and get a much longer term view so that you can get an idea of how your network is performing throughout the day, the week, or even the month.
Here’s another SNMP tool you might use. This one is not quite as graphical, but it can provide you with a lot of details about what’s happening inside of a device. This is a MIB browser, or MIB walker: it uses the management information base, that standard structure for gathering details from these devices.
You can see the MIBs are here on the left side. There’s a standard interface MIB– we call this MIB-2– and I can see things like the interfaces on this device. This particular software allows me to walk through the MIB to gather details.
I’m going to choose an interface entry here, and I’m simply going to tell my device I would like to perform an SNMP MIB walk. And now it goes through in a very specific format and gathers all of the details from every interface on this particular switch.
And then I can, of course, through SNMP even modify configuration details if I have the rights and permissions on that device. That’s why we mentioned SNMP as being such a powerful management tool, because you’re able to see and modify any of the infrastructure devices on your network.