
How Network Monitoring System measure Network Traffic

I'm going to develop a network monitoring system for my final year project in college. Before the development, I've gone through some research about how a network monitoring system works. From my understanding, a network monitoring system uses ICMP packets (ping) to make sure the devices are "alive" in the network. Here are the problems I have:

  1. If a network monitoring system needs to ping each and every device in the network, then the network traffic will become heavy. Is it a good approach to use this method? Or is there any other possible alternative?

  2. A network monitoring system provides a set of data about the network traffic. Is it possible for the network monitoring system to get the traffic level for all the connections? Assume there are 3 PCs: PC X, PC Y, and PC Z. PC X is connected to PC Y, and PC Y is connected to both of the PCs. PC X is used to monitor the network. When PC Y is sending packets to PC Z, is it possible for PC X to get the information that PC Y is sending packets to PC Z?

Thanks

  1. The network traffic load of monitoring is negligible compared to normal network traffic. Typically, you would poll devices every minute or every 5 minutes, with a single packet getting a single packet in return.

  2. Network traffic monitoring is typically done using SNMP to poll the ifInOctets and ifOutOctets counters for each interface. This will allow you to calculate total traffic and transmission rate (bandwidth utilisation) on a per-interface basis. However, it does not allow you to break this down by traffic type or destination.

I would suggest you take a look at software such as MRTG, which does this sort of monitoring very neatly.

If you are wanting to monitor the health of the entire network, not just traffic on links, you may want to look into catching SNMP traps from devices to hear about problems, and also monitoring other things such as reachability (via ping packets), routes (to detect flapping routes), and even check services on hosts (such as DNS, HTTP, SMTP and so on). To do this, you might like to investigate the Nagios software and its check plugins that do the various tests.
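The per-interface calculation this answer describes, as an added example that is not part of the original answer: it turns two polls of ifInOctets/ifOutOctets into bits per second and utilisation, allowing for a 32-bit counter wrap and discarding intervals where sysUpTime went backwards. The `Sample`, `counter_delta` and `interface_rates` names and all sample values are constructed for illustration, and the link speed stands in for the interface's ifSpeed.

```python
from dataclasses import dataclass
from typing import Optional

COUNTER32_MOD = 2 ** 32  # ifInOctets/ifOutOctets are 32-bit counters that wrap to 0


@dataclass
class Sample:
    """One SNMP poll of an interface (hypothetical container, constructed values)."""
    t: float          # poll time in seconds
    sys_uptime: int   # sysUpTime, in hundredths of a second
    in_octets: int    # ifInOctets
    out_octets: int   # ifOutOctets


def counter_delta(prev: int, cur: int, modulus: int = COUNTER32_MOD) -> int:
    """Octets counted between two polls, allowing for a single counter wrap."""
    return (cur - prev) % modulus


def interface_rates(prev: Sample, cur: Sample, if_speed_bps: int) -> Optional[dict]:
    """Return rates and utilisation, or None when the interval cannot be trusted."""
    dt = cur.t - prev.t
    if dt <= 0 or cur.sys_uptime < prev.sys_uptime:
        # sysUpTime going backwards means the agent restarted and its counters reset.
        return None
    in_bps = counter_delta(prev.in_octets, cur.in_octets) * 8 / dt
    out_bps = counter_delta(prev.out_octets, cur.out_octets) * 8 / dt
    if max(in_bps, out_bps) > if_speed_bps:
        # Faster than line speed: more than one wrap, or a reset that was missed.
        return None
    return {
        "in_bps": in_bps,
        "out_bps": out_bps,
        "in_util_pct": 100 * in_bps / if_speed_bps,
        "out_util_pct": 100 * out_bps / if_speed_bps,
    }


# Constructed polls of a 100 Mbit/s link, 300 s apart. ifInOctets wraps between
# s1 and s2; the device restarts between s2 and s3.
LINK_SPEED = 100_000_000
s1 = Sample(t=0, sys_uptime=1_000_000, in_octets=4_294_000_000, out_octets=10_000_000)
s2 = Sample(t=300, sys_uptime=1_030_000, in_octets=374_032_704, out_octets=85_000_000)
s3 = Sample(t=600, sys_uptime=5_000, in_octets=1_200, out_octets=900)

if __name__ == "__main__":
    print(interface_rates(s1, s2, LINK_SPEED))
    print(interface_rates(s2, s3, LINK_SPEED))
```

On fast links a 32-bit counter can wrap more than once within a polling interval, which is why the 64-bit ifHCInOctets/ifHCOutOctets counters are polled instead where the device supports them.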

  1. No, the network traffic will not become heavy. You seem to have greatly underestimated the network capacity, or greatly overestimated the amount of traffic caused by ping (or both). Increase in network load caused by periodic pings from the network monitoring server to all hosts in the network will be minuscule unless your network is some sort of a slow ancient half duplex network. I would be more worried about the required CPU usage on the network monitoring server to be able to process all the pings and do useful stuff with them.

  2. It is only possible if you are running specialized software on the PCs to be able to grab and send this data off to the network monitoring server. sflow is a good example. Do you have any control over what can be configured on the PCs? If so, the sky is your limit. If we treat the PCs as a black box, there really isn't that much that you can do other than pinging and possibly port scanning.

  3. Monitoring individual hosts is only part of the picture. It is also very important for the network monitoring system to monitor the routers and switches that form the network. The amount of information that you can gather will depend hugely on what this network equipment supports and whether you have the access to configure it. If SNMP is enabled, that would be a great start.
