Two views of network monitoring
- By Earl Greer, Vincil Bishop
- Sep 16, 2002
One of the toughest jobs in a network analyst's life is monitoring what's going on inside the wires, the optical fiber and now the radio waves that make up a network. The stakes are significant: If traffic is becoming too heavy within a segment, then that part of the network will soon become sluggish. And if unusual traffic is taking place, it may indicate a security problem.
Here we look at two products with radically different solutions to network monitoring. VisualProfile, developed by Turlock, Calif.-based Visualware Inc., is a Java-based network performance monitor that runs on Microsoft Corp. Windows, Linux, Sun Microsystems Inc. Solaris and FreeBSD. It relies on the Internet and Simple Network Management Protocol (SNMP) to reach the furthest ends of the network. VisualProfile's most obvious strong points are platform- independence and extensibility.
Observer, developed by Network Instruments LLC of Minneapolis, is a Windows-based protocol analyzer that has taken the next logical step on the ladder of evolution and included substantial performance-monitoring capabilities. It, too, uses SNMP as well as RMON, the remote monitoring standard, to view traffic data sent from probes that reach beyond the routers and switches to monitor parts of the network that are normally dark to the keen eyes of a protocol analyzer.
VisualProfile and Observer are both enabled and limited by the standards they have chosen. For example, VisualProfile has no packet capture and no RMON support. For its part, Observer cannot decode data on the fly from its probes because this is not possible with the RMON standard.
When used to monitor large, complex enterprise networks, VisualProfile will take fewer staff hours to set up and administer, because the product's developers made no assumptions about the design of customers' networks or the devices they might wish to monitor.
If your networks are geographically dispersed or include multiple platforms, VisualProfile is your only choice for performance monitoring, and it is a good one. We recommend that you also purchase Observer as a protocol analyzer.
Observer's low cost and good features make it our first choice as a performance monitor in small organizations running Windows-based networks. The fact that it is a first-class protocol analyzer is a bonus. Although Observer can be deployed in larger organizations with a few thousand workstations, administrative costs can quickly add up.
VisualProfile consists of a server module and at least one client module. We installed the server module as a Java process on a nondedicated Windows 2000 workstation. The main job of the server is to collect data from monitored devices on the network. The server also runs a Web service to provide access to the data from other computers.
We installed the client module on another Windows 2000 workstation and launched Microsoft's Internet Explorer to access the data from the server. The job of the client, another Java application, is to receive a live data feed from the VisualProfile server via HTTP. This thoughtful design enables administrators to run reports, monitor network performance or check thresholds from any computer without the headache of installing and maintaining a client that is linked to a specific operating system. Instead, it is possible to get reports from any PC using a Web browser, even when the VisualProfile client is not installed on that machine.
From the Web browser, we had to manually enter the devices to be monitored. For our tests, we chose a stack of six Cisco Systems Inc. switches and two routers. VisualProfile has no network discovery component, but a "bulk edit" feature makes it easier to enter large lists of devices. In minutes, we were monitoring our network.
Once monitoring has begun, the server retrieves and stores data in its database. VisualProfile uses Java plug-in agents on the server to collect data for each type of device. One of the plug-ins on the client workstation can consolidate other server databases into a central database for master data gathering, which means that VisualProfile can span thousands of devices without eating all of your network's bandwidth.
Nonetheless, there is a performance cost to running Java, and the VisualProfile server engine is a resource hog. We do not recommend loading it on a machine with less than 128M of RAM and a processor slower than 400 MHz. We also found VisualProfile's Java interface a bit cumbersome, and this was compounded significantly when we moved our client PC just two router hops away from the server, but still in the same building.
However, the VisualProfile reports are highly useful and do a good job of color-coding data to highlight information needing immediate attention.
On the whole, it was much easier to create custom reports with VisualProfile than with Observer. And VisualProfile can report on all of its data, while there are some limitations in Observer. For example, VisualProfile can generate a report detailing how often a particular group of devices reaches a certain alarm threshold, but Observer cannot do that.
Overall, we found VisualProfile to be very easy to use. Most network analysts should be able to install it and begin generating usable reports in one day, with no special training.
Observer Suite 8.1
If you are primarily dealing with Windows-based networks, Network Instruments' Observer Suite offers a low-cost but powerful solution for monitoring performance.
Although Observer uses SNMP, just as VisualProfile does, it also has the ability to gather data from probes installed on remote segments of the network. These are nothing more than small programs run in silent mode on nondedicated workstations. We placed one of these probes on a remote segment and began capturing packets for later analysis on the workstation running Observer.
Say goodbye to laptop protocol analyzers and off-site firefighting. In times of trouble, a tool such as Novell Inc.'s Zenworks or Microsoft's Systems Management Server can easily place a probe on a remote workstation to collect data packets. We were especially impressed by the ability of Observer to view such packets as they came across the local network segment.
Because protocol analysis is Observer's primary function, we were eager to test its features. When we installed Observer on a laptop, we were pleased to find that Network Instruments' proprietary drivers for wireless Network Interface Cards made it possible to operate in normal mode or promiscuous mode, which allows a device to intercept and read any network packet, without uninstalling and reinstalling the drives. That meant that we could use the laptop for normal office activities without bothering to change the drivers.
Then we installed Observer on a Windows 2000 workstation and began using it as a performance monitor. Configuring SNMP devices was quick and easy. However, unlike VisualProfile, Observer does not include a bulk input feature for listing SNMP devices. Typing in the list can be inconvenient if you monitor hundreds of devices.
Our advice for configuring SNMP monitoring with either product is to start with a detailed and accurate inventory of the devices you want to monitor. VisualProfile requires only that you have a vendor name, such as "Cisco switch," to go with an IP address. But Observer needs a fairly specific device description, such as "Cisco 24-port switch."
Observer does not have classifications for devices, such as routers and switches. Although this is not important for a small network, administrators of large networks will appreciate VisualProfile's ability to group devices.
Monitoring our SNMP test bed of six switches and two routers was a snap with Observer. The only trouble was an overabundance of information. It was difficult even with our small network to construct useful statistics. The software's canned reports are suitable only for the technical staff. However, Observer can output raw data in Extensible Markup Language and comma-delimited formats that can be used by other programs to construct reports.
The Observer Suite version comes with a built-in Web server. Out of the box, this Web-reporting tool doesn't report on information from SNMP devices, but with technical support from Network Instruments, we were able to make it work. In order to view the SNMP information online, you must configure Observer device by device to include the data you want to report via the Web.
Bear in mind that to get real-time expert analysis and SNMP functionality you have to purchase Observer and Observer Expert. So for performance monitoring, you must get the Observer Suite, which is the version we tested.
Bishop and Greer are network analysts at a large state agency. They can be reached at email@example.com.
* Simple Network Management Protocol (SNMP) facilitates the exchange of management information, such as network error rates, between network devices.
* Remote Monitoring (RMON) extensions enhance SNMP to provide comprehensive network-monitoring capabilities. Unlike standard SNMP, RMON is proactive and can send alarms on a variety of traffic conditions, including specific types of errors.