Note: This post was originally written for the Netreo blog. You can check out the original here.
Network traffic analysis is the method of collecting, storing, and analyzing traffic across your network. Traffic data is collected in or near real time so you can have up-to-the-second information about what’s happening. This allows you to take action immediately if a problem arises. You can also store this data for historical analysis.
Why Network Traffic Analysis Is Valuable
Analyzing network traffic is a valuable part of network monitoring. You can’t manage a network without knowing what’s going across it and what it’s doing.
Uptime and Availability
A network is useless if it’s not available to its users. You need network traffic analysis so that you know your network’s uptime and availability. If network interfaces are down and user traffic can’t pass, uptime is zero. If HTTP requests to certain application services get dropped because their subnet is unreachable, availability is zero. Monitoring and analyzing network traffic can help you quickly identify these types of problems so that you can start troubleshooting and reduce impacts to the user experience.
Visibility
You also need to know what’s out there. Visibility into the various network components is key to resolving problems. You need to know which devices belong to which network sites and locations before you can properly troubleshoot. Network traffic analysis helps you discover these devices and their locations. It also helps you build topology diagrams that give you the network visibility you need to prevent silos and avoid blind spots.
Performance
You need to know how well your network is performing. If traffic is moving slowly, nobody will care that it has great uptime. From a user’s point of view, it might as well be down. And a slow network is an SLA killer. Network traffic analysis feeds capacity planning by showing you which links are saturated and need upgrading, and it lets you find performance bottlenecks. It can also identify network resources that carry little or no traffic and can be decommissioned, which helps cut IT costs. And making IT less of a cost center is always welcome.
Security
It seems that every day there’s a story about another ransomware attack. IT managers and engineers can seem to be at a complete disadvantage, but network traffic analysis gives you a fighting chance. With real-time network traffic collection, you can detect anomalies: a host suddenly sending far more data out than it normally does, or internal machines talking to each other on ports they never used before. Yes, you already have firewalls in place, but they’re not foolproof. Attackers can mask their traffic to get past firewall rules, for example by tunneling it over a port the rules already allow. If you’re monitoring your firewalls and all the network traffic inside and outside, you have a much better shot at identifying a security threat. Maybe someone fat-fingered a rule and opened a port that should have stayed closed. Collecting all that network traffic will help you catch that sort of thing before unscrupulous users take advantage of it.
Implementing Network Traffic Analysis
To take advantage of network traffic analysis, you obviously need to implement it. Here are some ways you can do that.
Network traffic data was originally collected and analyzed using the Simple Network Management Protocol (SNMP). This was useful when networks were much less complex and more centralized. While SNMP is still very much in use today, it’s not a standalone solution for proper network traffic analysis. It polls device counters, such as bytes, packets, and errors per interface, so it can tell you how busy a link is but not who is using it: it doesn’t collect the detail today’s complex networks require, such as source and destination addresses, TCP/UDP ports, and higher-level protocol data. But because of its ubiquitous vendor device support, it’s relatively easy to implement. This makes SNMP an easy choice to start with.
Since SNMP doesn’t collect higher-level protocol details, packet data is often used to supplement it. You can collect packet data with network probes and packet sniffers, typically fed from a TAP or a switch SPAN (mirror) port. The full packet tells you not only the IP conversations but also the TCP/UDP ports in use and, where the traffic isn’t encrypted, the application-layer content. Collecting this much detail has its own drawbacks, however: the volume makes analysis overwhelming, and capturing everything on a busy link is often not even practical. You can use monitoring tools to help, but they’re usually on the expensive side due to the storage requirements. So there goes your opportunity to make IT less of a cost center.
You can also collect network traffic data by using a flow collector. A network device with a flow protocol enabled exports summaries of the traffic it forwards, and the collector stores and analyzes them. This data is much more than what SNMP can provide but not as much as what packet data provides, so flow collection can be a good middle ground. Flow-based protocols include Cisco NetFlow, its IETF standard equivalent, IP Flow Information Export (IPFIX), and others such as Juniper J-Flow and Cflow. A flow record summarizes one conversation: source and destination IP addresses (with the masks that identify their subnets), protocol, TCP/UDP ports, interfaces, and packet and byte counts, but no payload. So you see who talked to whom, over which ports, and how much, without collecting so much packet detail that it bloats your storage space.
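To make the contents of a flow record concrete, here is an added example (not code from the original post or from Netreo) that parses a NetFlow v5 export datagram into per-flow records and builds a top-talkers list from them. The header and record layout follow the fixed NetFlow v5 wire format; the datagram itself is constructed in the block with struct.pack rather than captured from a router, and every address, interface index, port and byte count in it is made up.

```python
"""Parse a NetFlow v5 export datagram into per-flow records (added example)."""
import ipaddress
import struct

# Fixed NetFlow v5 wire layout, big-endian.
HEADER_FMT = "!HHIIIIBBH"                # version, count, sys_uptime, unix_secs, unix_nsecs,
                                         # flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts,
                                         # dOctets, first, last, srcport, dstport, pad1,
                                         # tcp_flags, prot, tos, src_as, dst_as, masks, pad2
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 24 bytes
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 48 bytes
MAX_RECORDS = 30                             # a v5 datagram carries at most 30 records


def parse_netflow_v5(datagram):
    """Return a list of flow dicts; raise ValueError on a malformed datagram."""
    if len(datagram) < HEADER_SIZE:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, _uptime, unix_secs, _nsecs, seq,
     _engine_type, _engine_id, sampling) = struct.unpack(HEADER_FMT, datagram[:HEADER_SIZE])
    if version != 5:
        raise ValueError("not NetFlow v5 (version %d)" % version)
    # The collector listens on UDP, so 'count' is untrusted input: check it against
    # the real datagram length instead of slicing on faith.
    if count > MAX_RECORDS or len(datagram) != HEADER_SIZE + count * RECORD_SIZE:
        raise ValueError("record count %d does not match datagram length" % count)
    sample_rate = sampling & 0x3FFF or 1   # low 14 bits; the top 2 bits are the mode
    flows = []
    for i in range(count):
        off = HEADER_SIZE + i * RECORD_SIZE
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_SIZE])
        flows.append({
            "src": str(ipaddress.IPv4Address(r[0])),
            "dst": str(ipaddress.IPv4Address(r[1])),
            "in_if": r[3], "out_if": r[4],        # SNMP ifIndex of the interfaces
            "packets": r[5], "bytes": r[6],
            "duration_ms": r[8] - r[7],           # sysUptime of last minus first packet
            "sport": r[9], "dport": r[10],
            "tcp_flags": r[12], "proto": r[13],
            "export_time": unix_secs, "sequence": seq,
            "sample_rate": sample_rate,
        })
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first, scaled by the sampling rate."""
    totals = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["bytes"] * f["sample_rate"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


# --- constructed sample datagram (made-up addresses and values) ---
def _record(src, dst, proto, sport, dport, pkts, octets, first, last, flags=0):
    return struct.pack(RECORD_FMT,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed,
                       b"\x00" * 4,            # next hop
                       1, 2,                   # input / output ifIndex
                       pkts, octets, first, last,
                       sport, dport,
                       0, flags, proto, 0,     # pad1, tcp_flags, protocol, tos
                       0, 0, 24, 24, 0)        # src_as, dst_as, src_mask, dst_mask, pad2


SAMPLE_DATAGRAM = struct.pack(HEADER_FMT, 5, 3, 90_000, 1_700_000_000, 0, 42, 0, 0, 0) + b"".join([
    _record("10.1.1.25", "10.1.1.5", 17, 51423, 53, 2, 180, 85_000, 85_010),                 # DNS lookup
    _record("10.1.1.25", "203.0.113.9", 6, 49201, 443, 320, 410_000, 85_100, 89_900, 0x1B),  # HTTPS session
    _record("10.1.1.77", "10.1.1.10", 6, 40022, 23, 3, 180, 89_500, 89_520, 0x02),           # telnet SYNs, unanswered
])

if __name__ == "__main__":
    for flow in parse_netflow_v5(SAMPLE_DATAGRAM):
        print("%(src)s:%(sport)d -> %(dst)s:%(dport)d proto=%(proto)d bytes=%(bytes)d" % flow)
    print("top talkers:", top_talkers(parse_netflow_v5(SAMPLE_DATAGRAM)))
```

Note the length check before the record loop: anyone who can reach the collector's UDP port can send it a datagram, so the record count in the header is untrusted and a collector that trusts it reads past the buffer. The third constructed flow also shows why flow data is enough to spot a port that shouldn't be open: three SYN-only packets to port 23 stand out even though no payload was captured.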
Whatever method you choose, the key is collecting and monitoring in or near real time with historical data. You need to know what’s happening now if the impact is due to a security breach, for example. But you also need to be able to go back in time to identify how past performance can affect future performance. Anything less is useless, and it isn’t network traffic analysis.
Network Traffic Analysis Best Practices
Collecting the data you need to properly analyze your network traffic can be daunting because you need to store so much of it, but there are some best practices you can follow to make it a little bit easier.
- Know what’s yours. Make sure you know what devices you expect to see on your network. If you’re a Cisco and Microsoft shop, expect to see Cisco routers, access points, and firewalls and Microsoft desktops and servers. Make sure you have some sort of naming convention in place for them. Anything showing up in a different format should be a red flag. When things change, if you know what’s yours, you’ll know if you need to remove something.
- Know the norm. Make sure you understand how your network normally operates and performs. What’s a typical latency between two office locations? What does network capacity usually look like? The tools can help, but they need time to collect enough data for you to know what’s typical and what isn’t so you can quickly identify any anomalies.
- Always be evaluating. Complex networks are constantly changing. In the early days, SNMP was enough for on-premises infrastructure. But SNMP, packet data, or flow alone aren’t enough for today’s hybrid cloud infrastructure. You should always evaluate what will work best. That includes looking at new network traffic analysis methods and tools. If current methods and tools aren’t getting you the data you need to provide a good user experience, you need to reevaluate your solutions.
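The first two practices above, knowing what's yours and knowing the norm, plus the "someone opened an insecure port" case from the security discussion, come down to comparing what the collector sees against an inventory, a baseline and a port policy. The following added example (not code from the original post or from Netreo) does that over daily flow summaries. The inventory, the allowed-port set, the seven days of history and today's flows are all constructed for the example; the hosts, names and byte counts are hypothetical.

```python
"""Baseline-and-deviation checks over flow summaries (added example)."""
import ipaddress
import statistics
from collections import defaultdict

# What's yours: a constructed inventory of expected hosts (hypothetical names and addresses).
INTERNAL = ipaddress.ip_network("10.1.1.0/24")
INVENTORY = {
    "10.1.1.1": "core-rtr-01",
    "10.1.1.5": "dns-01",
    "10.1.1.10": "file-srv-01",
    "10.1.1.25": "ws-finance-07",
    "10.1.1.30": "ws-eng-12",
}
# Server ports internal clients are expected to use (hypothetical policy).
ALLOWED_DPORTS = {53, 80, 443, 445, 3389}

# The norm: constructed daily egress bytes per host for the previous 7 days.
HISTORY = {
    "10.1.1.25": [2.0e9, 2.1e9, 1.9e9, 2.2e9, 2.0e9, 1.8e9, 2.1e9],
    "10.1.1.30": [5.0e8, 5.2e8, 4.8e8, 5.1e8, 4.9e8, 5.0e8, 5.3e8],
}

# Constructed flow summaries for today, as a collector would aggregate them.
TODAY = [
    {"src": "10.1.1.25", "dst": "203.0.113.9", "dport": 443, "bytes": 3.95e10},  # 39.5 GB out, not normal
    {"src": "10.1.1.25", "dst": "10.1.1.5",    "dport": 53,  "bytes": 2.0e5},
    {"src": "10.1.1.30", "dst": "10.1.1.10",   "dport": 445, "bytes": 5.1e8},
    {"src": "10.1.1.199", "dst": "10.1.1.10",  "dport": 23,  "bytes": 1.8e3},     # unknown host, telnet
]


def egress_per_host(flows):
    totals = defaultdict(float)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return dict(totals)


def baseline(samples):
    """Mean and a floored standard deviation of a host's history.

    The floor (5% of the mean) stops a host with a perfectly flat history from
    being flagged on a byte's worth of change, and avoids division by zero."""
    mean = statistics.fmean(samples)
    sd = statistics.stdev(samples) if len(samples) > 1 else 0.0
    return mean, max(sd, 0.05 * mean)


def egress_anomalies(history, flows, threshold=3.0):
    """Hosts whose egress today is more than `threshold` deviations above their norm.

    Returns (flagged, no_baseline): hosts without history need time to collect
    one, so they are reported separately rather than silently ignored."""
    flagged, no_baseline = [], []
    for host, today in egress_per_host(flows).items():
        if host not in history:
            no_baseline.append(host)
            continue
        mean, sd = baseline(history[host])
        z = (today - mean) / sd
        if z > threshold:
            flagged.append((host, today, round(z, 1)))
    return flagged, no_baseline


def unknown_hosts(flows, inventory, internal=INTERNAL):
    """Internal addresses seen in flows that are not in the inventory."""
    seen = {f["src"] for f in flows} | {f["dst"] for f in flows}
    return sorted(ip for ip in seen
                  if ipaddress.ip_address(ip) in internal and ip not in inventory)


def unexpected_services(flows, allowed=ALLOWED_DPORTS):
    """Flows to destination ports outside the allowed set (e.g. someone opened telnet)."""
    return [f for f in flows if f["dport"] not in allowed]


if __name__ == "__main__":
    print("egress anomalies, no baseline:", egress_anomalies(HISTORY, TODAY))
    print("unknown internal hosts:", unknown_hosts(TODAY, INVENTORY))
    print("unexpected services:", unexpected_services(TODAY))
```

On the constructed data the finance workstation is flagged for sending roughly twenty times its daily norm, the new 10.1.1.199 shows up both as not in the inventory and as a host with no baseline yet, and its telnet flow is reported against the port policy. A real deployment would key the baseline by hour of day and day of week as well, since a payroll server's normal Friday looks nothing like its normal Tuesday.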
Stay In the Know
As you’ve seen, network traffic analysis can help you know what’s happening on your network. And knowing is the key to properly managing it.
So stay in the know. And a monitoring solution from Netreo can help you get there by knowing what you need on your network. The platform is an option to consider if you need a new monitoring tool. Its ability to collect network traffic from flow-based and other protocols like SNMP will make your job easier. You can use it to configure the collection, storage, and analysis of your network traffic without deploying probes everywhere. It can also help you and your team make the right decisions. You can request a demo and see for yourself.