I've talked with hundreds of companies across all business sectors who have deployed, or are thinking of deploying, a network/system monitoring solution of some kind. The majority of the teams I've spoken with have very similar requirements, which typically boil down to one or more of the following:
* A system to monitor specific performance indicators, as well as the ability to be notified when those metrics get out of hand. The most popular request here is bandwidth measurement, but there are thousands of other possibilities here too. Perhaps it's the status of a critical service, or the amount of free space left on a disk drive, or the temperature in a rack enclosure.
* A tool to assist in diagnostics and troubleshooting. Once a specific performance indicator has crossed a threshold, or some other issue arises, administrators need tools to rapidly determine the source of the problem. And time is money: as the scope of a problem grows, so does the cost - sometimes exponentially.
* The ability to create historical reports to analyze performance trends, perform forensic audits, or to comply with regulatory requirements. Once again, specific requirements here vary considerably from business to business. Some companies want to track uptime/downtime, some want to see bandwidth usage trends, and others simply want to comply with specific laws and regulations such as Sarbanes-Oxley (SOX).
The Arsenal at Hand
The vast majority of today's network monitoring and management tools use Simple Network Management Protocol (SNMP) as the primary means of gathering and relaying performance metrics and management information for network-connected devices. And for good reason: SNMP is a very mature, widely adopted standard which is already used by thousands of manufacturers around the world.
In fact, any monitoring solution which doesn't leverage SNMP is probably going to leave administrators with significant gaps in their understanding of the status and health of their critical infrastructure.
Unfortunately, SNMP alone is not a silver bullet that can provide an administrator with all the information he/she needs in a problem situation. First off, SNMP is a device-oriented protocol, which means that the most you'll be able to learn about your network's actual state is entirely dependent on each device's perspective of it. (This is a lot like asking a bunch of individual voters how well the country is running - all you're going to end up with is a set of individual opinions, which may or may not be accurate reflections of reality on a larger scale.)
Worse still, poor SNMP implementations by some manufacturers can report entirely invalid or incorrect data, leaving administrators with conflicting information that can't necessarily be trusted. In problem situations, knowing which information to rely upon is critical in formulating an appropriate response.
Introducing Packet Analysis
There are many situations where it helps to understand what is happening on the network itself, or where you need to examine a particular device's network behaviour. The only way to do either is to analyze the actual traffic moving across (or around) a particular segment. This is done using a packet analyzer.
Packet analyzers go by all sorts of names: sniffers, protocol analyzers, packet capture utilities, etc., but they all work essentially the same way: they capture actual network traffic (or a duplicate copy of it) coming off the wire. The best solutions (like Netmon Professional Edition and Enterprise Edition) are able to visually reconstruct this data in real time to give you a perspective of your network that no single SNMP device can.
How is this accomplished? In order to analyze a packet, you first have to be able to see it. On most modern switched networks, packets travel to and from their various destinations over multiple paths, which means there is no central location where you can see all of them at once.
Fortunately, there are several ways to accomplish this:
PORT MIRRORING - Sometimes called PORT SPANNING, this technique uses a management feature on your core switch which forwards a duplicate copy of network traffic to a designated "monitoring port". Since it tends to scale relatively well, and does not require new hardware to be purchased in most cases, this is the most common method used to analyze network traffic. Most switch manufacturers support this feature.
NETWORK TAP - By far the most robust, fault-tolerant solution for monitoring network activity. TAPs are dedicated hardware devices which sit between two network segments, and copy frames from the wire to a secondary monitoring port. Your monitoring system can plug silently into the secondary interface. A TAP will never interfere with normal traffic flow, and is also virtually undetectable from a security standpoint. Most importantly, TAPs are designed to fail gracefully - in the event of a problem with the TAP itself, traffic still passes through unhindered.
HUB - By placing a hub between two network segments (such as your corporate LAN and the Internet) you can sniff network traffic going between each segment. This is a low cost solution which is best used in small environments where Internet connectivity is not critical. As traffic scales up, hubs can suffer from performance problems such as packet loss.
NetFlow - This Cisco-invented protocol is gaining more support amongst other vendors, and is an excellent way to analyze traffic from remote WAN sites. Your routing or switching devices must support NetFlow in order to use this method, and your monitoring solution must also support NetFlow. (Netmon Professional Edition and Enterprise Edition systems support NetFlow v1, v5 and v7.)
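Unlike the other three methods, NetFlow does not hand your analyzer raw frames: the router exports summary records over UDP, and the collector has to decode them. As an added illustration (not Netmon's code, and not part of the original article), the following decodes a NetFlow v5 export datagram with Python's standard library, validates the header against the datagram length so a truncated or non-v5 packet is rejected rather than misparsed, and rolls the flows up by destination port. The sample datagram is constructed inline for the example; it is not a real capture.

```python
import struct
import socket

HEADER_FMT = "!HHIIIIBBH"                # NetFlow v5 header: 24 bytes
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # NetFlow v5 flow record: 48 bytes
HEADER_LEN = struct.calcsize(HEADER_FMT)
RECORD_LEN = struct.calcsize(RECORD_FMT)

def parse_netflow_v5(datagram: bytes) -> dict:
    """Decode one NetFlow v5 export datagram into a header summary plus a list of flows."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    # A v5 datagram carries 1..30 records; the length must match exactly.
    if not 1 <= count <= 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        f = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6],
            "sport": f[9], "dport": f[10], "proto": f[13],
        })
    # Low 14 bits of the sampling field are the sampling interval (1 = unsampled).
    return {"sequence": flow_seq, "sampling": sampling & 0x3FFF, "flows": flows}

def bytes_by_destination_port(flows) -> dict:
    """Roll up octets per destination port: the 'what is eating the WAN link' view."""
    totals = {}
    for f in flows:
        totals[f["dport"]] = totals.get(f["dport"], 0) + f["bytes"]
    return totals

def build_record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Build one constructed v5 record (used here only to fabricate sample input)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                       b"\0\0\0\0", 1, 2, pkts, octets, 1000, 2000,
                       sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample export: two flows to port 443 and one to port 22 (not a real capture).
SAMPLE = struct.pack(HEADER_FMT, 5, 3, 123456, 1700000000, 0, 42, 0, 0, 0) + \
    build_record("10.0.1.5", "203.0.113.10", 51000, 443, 6, 120, 96000) + \
    build_record("10.0.1.9", "203.0.113.10", 51001, 443, 6, 10, 4000) + \
    build_record("10.0.2.7", "198.51.100.4", 51002, 22, 6, 30, 9000)

if __name__ == "__main__":
    parsed = parse_netflow_v5(SAMPLE)
    print(parsed["sequence"], bytes_by_destination_port(parsed["flows"]))
```

Gaps in the `sequence` counter across successive datagrams tell you the collector is losing exports, which is the NetFlow equivalent of the packet loss noted for hubs above.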
The Analysis-Ready Network
Even if you don't have a packet analysis solution today, you should still ensure that your network is analyzer-ready. Configure mirroring/spanning on your core switch, and pre-designate a monitoring port, or use one of the other methods described above. In the event of an unexpected network issue, network technicians and engineers can use this port. You'll be glad you made these provisions ahead of time.