Chapter 9: Network Management & Monitoring
Module 3: Advanced Networking

Introduction
Effective network management and monitoring are critical skills for any network professional. This chapter explores essential tools and techniques for maintaining, troubleshooting, and optimizing computer networks.
By the end of this chapter, you will be able to:
- Use Wireshark for packet analysis and troubleshooting
- Employ ping and traceroute to diagnose connectivity issues
- Resolve common network errors using diagnostic commands
- Analyze logs and monitor network health with various tools
- Understand and implement SNMP for device management
- Utilize NetFlow for traffic analysis
- Measure and interpret key network performance metrics
Network Troubleshooting Tools
Wireshark: Packet Analysis
Wireshark is the most widely used network protocol analyzer. It captures packets in real time and displays them in a human-readable format, allowing for detailed network analysis.
Key Wireshark Features:
- Packet Capture: Records all traffic on a network interface
- Protocol Decoding: Supports over 2,000 network protocols
- Filtering: Powerful display filters (e.g., tcp.port == 80, http)
- Statistics: Provides network performance metrics and conversation analysis
Ping: Testing Reachability
Ping uses ICMP (Internet Control Message Protocol) to test reachability and measure round-trip time between hosts.
# Basic ping (Windows/Linux)
ping example.com
# Continuous ping (Windows)
ping -t example.com
# Ping with specific count (Linux/Windows)
ping -n 5 example.com # Windows
ping -c 5 example.com # Linux
# Ping with packet size
ping -l 1500 example.com # Windows
ping -s 1500 example.com # Linux
Traceroute: Path Mapping
Traceroute (tracert on Windows) maps the path packets take to reach a destination, identifying each hop (router) along the way.
# Windows
tracert example.com
# Linux/macOS
traceroute example.com
# Using ICMP instead of UDP (Linux)
traceroute -I example.com
How Traceroute Works:
Traceroute sends probes with incrementally increasing TTL (Time To Live) values, starting at 1. Each router along the path decrements the TTL; the router that decrements it to 0 discards the probe and sends back an ICMP "Time Exceeded" message, revealing its address. When a probe finally survives all the way to the destination, the destination itself replies (an ICMP "Port Unreachable" for the UDP probes Linux sends by default, or an Echo Reply for ICMP probes), which tells traceroute the path is complete.
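The TTL mechanism described above, modelled in code. This is an added illustration, not part of the chapter: the path, the router addresses and the "silent" middle hop are all constructed, and no packets are sent.

```python
# Added illustration (not from the chapter): a model of the TTL mechanism that
# traceroute relies on. The path is constructed; no packets are sent.
from typing import List, Optional, Tuple

# Constructed path: (router address, whether it answers expired probes).
# A router that filters ICMP Time Exceeded shows up as "* * *" in real output.
PATH = [("10.0.0.1", True), ("198.51.100.7", False), ("203.0.113.9", True)]
DESTINATION = "203.0.113.50"

def forward_probe(ttl: int, path, destination: str) -> Optional[str]:
    """Send one probe with the given TTL down the path; return who answers."""
    for address, responds in path:
        ttl -= 1                           # each router decrements the TTL
        if ttl == 0:
            # expired here: ICMP Time Exceeded carries this router's address
            return address if responds else None
    # probe outlived every router: the destination itself replies
    # (ICMP Port Unreachable for UDP probes, Echo Reply for ICMP probes)
    return destination

def traceroute(path, destination: str, max_hops: int = 30,
               probes: int = 3) -> List[Tuple[int, Optional[str]]]:
    """Increase TTL one hop at a time until the destination answers."""
    hops = []
    for ttl in range(1, max_hops + 1):
        replies = [forward_probe(ttl, path, destination) for _ in range(probes)]
        answered = next((r for r in replies if r is not None), None)
        hops.append((ttl, answered))
        if answered == destination:
            break
    return hops

if __name__ == "__main__":
    for ttl, addr in traceroute(PATH, DESTINATION):
        print(f"{ttl:2d}  {addr or '* * *'}")
```

Hop 2 answers nothing, which is exactly what a real trace shows when a router filters ICMP: the path continues past it, so asterisks alone are not evidence of an outage.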
Common Errors & Fixes
1. Connectivity Loss
Symptoms: Cannot reach any network resources
Solutions:
- Check physical connections
- Verify IP configuration with ipconfig/ifconfig
- Test with ping to gateway and external hosts
2. DNS Resolution Failures
Symptoms: Can ping by IP but not by hostname
Solutions:
- Flush DNS cache:
ipconfig /flushdns
- Verify DNS server settings
- Test with nslookup or dig
3. Duplicate IP Addresses
Symptoms: Intermittent connectivity, IP conflict warnings
Solutions:
- Check ARP tables:
arp -a
- Use DHCP properly or implement IPAM
- Implement DHCP snooping on switches
4. High Latency/Packet Loss
Symptoms: Slow response times, choppy VoIP/video
Solutions:
- Use ping and traceroute to identify problematic hops
- Check for bandwidth saturation
- Inspect QoS configurations
Diagnostic Commands
ipconfig/ifconfig
Displays and manages network interface configuration.
# Windows: Display all configuration
ipconfig /all
# Windows: Release and renew DHCP lease
ipconfig /release
ipconfig /renew
# Linux/macOS: Display interface info
ifconfig -a
# Modern alternative on Linux (iproute2)
ip addr show
netstat
Displays network connections, routing tables, and interface statistics.
# Show all active connections
netstat -an
# Show routing table
netstat -r
# Show listening ports
netstat -ln
# Show statistics by protocol
netstat -s
Log Analysis and Monitoring Tools
Syslog and Router Logs
Syslog is a standard for message logging that allows separation of the software generating messages from the system storing them.
Common Syslog Facilities:
- kern: Kernel messages
- user: User-level messages
- mail: Mail system
- auth: Security/authentication messages
- local0-7: Locally defined messages
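The facility is not written as a name in the message itself: every syslog line starts with a PRI field, <N>, where N = facility * 8 + severity. The following parser is an added example, not material from the chapter; the four log lines are constructed, and the rule that flags auth messages at warning or worse is an illustrative choice.

```python
# Added example (not from the chapter): decode the <PRI> field of syslog
# messages into facility and severity, then flag auth messages worth a look.
import re
from collections import Counter

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# PRI = facility * 8 + severity (RFC 3164 / RFC 5424); max is 23*8+7 = 191
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)

def parse_pri(line: str) -> dict:
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("no <PRI> prefix: " + line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity],
            "message": m.group(2).strip()}

# Constructed sample lines in BSD syslog style (not real device output)
SAMPLE = """<36>Oct 11 22:14:15 fw01 sshd[812]: Failed password for invalid user admin from 203.0.113.5
<6>Oct 11 22:14:16 fw01 kernel: eth0: link is up
<189>Oct 11 22:14:17 core-rtr %LINEPROTO-5-UPDOWN: Line protocol on Gi0/1 changed state to down
<38>Oct 11 22:14:18 fw01 sshd[815]: Accepted publickey for ops from 10.0.0.9"""

def summarize(text: str):
    """Count messages per facility; collect auth/authpriv lines at warning or worse."""
    counts = Counter()
    flagged = []
    for line in text.splitlines():
        rec = parse_pri(line)
        counts[rec["facility"]] += 1
        if rec["facility"] in ("auth", "authpriv") and SEVERITIES.index(rec["severity"]) <= 4:
            flagged.append(rec["message"])
    return counts, flagged
```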
Monitoring Tools
SolarWinds
Comprehensive network monitoring with performance analysis, alerting, and reporting.
Nagios
Open-source monitoring system for network services, host resources, and more.
PRTG
Easy-to-use monitoring solution with sensors for various network aspects.
SNMP (Simple Network Management Protocol)
SNMP is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks.
SNMP Components
- Manager: The monitoring system
- Agent: Software running on managed devices
- MIB (Management Information Base): Database of managed objects
- OID (Object Identifier): Unique identifier for each managed object
SNMP Versions
- SNMPv1: Original version; the community string is the only credential and is sent in cleartext (not secure)
- SNMPv2c: Improved performance (bulk retrieval, 64-bit counters) but still relies on cleartext community strings
- SNMPv3: Adds user-based authentication and encryption
# Basic SNMP walk command (Linux)
# The community string ("public" here) is the only credential and travels in cleartext
snmpwalk -v 2c -c public 192.168.1.1
# Secure SNMPv3 query (authPriv: authenticated with SHA, encrypted with AES)
snmpget -v 3 -u myuser -l authPriv -a SHA -A myauthpass -x AES -X myprivpass 192.168.1.1 sysName.0
NetFlow Analysis
NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic.
NetFlow Components:
- Exporter: Device that generates NetFlow records (usually a router)
- Collector: Receives and stores flow records
- Analyzer: Processes and presents the data
NetFlow Use Cases
- Bandwidth monitoring and capacity planning
- Network anomaly detection
- Application performance monitoring
- Security analysis and intrusion detection
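What a collector actually receives from an exporter is a binary export packet. The following parser for the NetFlow version 5 layout (a fixed 24-byte header followed by 48-byte flow records) is an added example, not code from the chapter or from any vendor; the export packet it parses is constructed in the block itself, and the "top talkers" ranking is the kind of bandwidth view the use cases above describe.

```python
# Added example (not from the chapter): parse NetFlow v5 export packets and
# rank sources by bytes sent. The packet below is constructed in-line.
import struct
import socket
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")                # 24-byte v5 header
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte v5 flow record

def build_record(src, dst, sport, dport, proto, pkts, octets) -> bytes:
    """Construct one v5 record (used only to fabricate sample data)."""
    return REC.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                    1, 2, pkts, octets, 1000, 2000, sport, dport,
                    0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def build_packet(records) -> bytes:
    return HDR.pack(5, len(records), 123456, 1700000000, 0, 1, 0, 0, 0) + b"".join(records)

def parse_v5(data: bytes):
    """Return one dict per flow record; reject other versions and short packets."""
    version, count, *_ = HDR.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(data) < HDR.size + count * REC.size:
        raise ValueError("truncated export packet")
    flows = []
    for i in range(count):
        f = REC.unpack_from(data, HDR.size + i * REC.size)
        flows.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                      "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
                      "proto": f[13]})
    return flows

def top_talkers(flows):
    """Bytes per source address, largest first (a basic bandwidth-monitoring view)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)

# Constructed export packet with three flows (addresses from documentation ranges)
SAMPLE = build_packet([
    build_record("10.0.0.5", "203.0.113.20", 51000, 443, 6, 400, 520_000),
    build_record("10.0.0.7", "198.51.100.3", 53122, 53, 17, 2, 180),
    build_record("10.0.0.5", "203.0.113.21", 51001, 443, 6, 120, 90_000),
])
```

Real collectors read these packets from a UDP socket; the length check matters there because a truncated or malformed datagram from the network must not crash the collector.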
Network Performance Metrics
Latency
Time taken for a packet to travel from source to destination. Measured in milliseconds (ms).
Typical values: <100ms (good), 100-300ms (fair), >300ms (poor)
Jitter
Variation in packet delay. Critical for real-time applications like VoIP.
Acceptable: <30ms for VoIP
Packet Loss
Percentage of packets that fail to reach their destination.
Acceptable: <1% for most applications, <0.1% for VoIP
Throughput
Actual rate of successful message delivery over a channel.
Measurement: bits per second (bps), packets per second (pps)
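Computing these four metrics from a run of ping-style samples and rating them against the thresholds given above. This is an added example, not part of the chapter; the RTT samples are constructed, and the jitter definition used (mean absolute difference between consecutive delivered probes) is one common choice, not the only one.

```python
# Added example (not from the chapter): derive latency, jitter, loss and
# throughput from ping-style samples and rate them against the chapter's thresholds.
from statistics import mean

# Constructed RTT samples in ms; None marks a probe that received no reply
RTT_SAMPLES = [21.4, 22.0, 21.8, None, 23.1, 22.5, 21.9, 22.2, 22.8, 21.7]

def latency_ms(samples) -> float:
    return mean(s for s in samples if s is not None)

def jitter_ms(samples) -> float:
    """Mean absolute difference between consecutive delivered probes
    (same idea as the RFC 3550 interarrival jitter, without its smoothing)."""
    got = [s for s in samples if s is not None]
    diffs = [abs(b - a) for a, b in zip(got, got[1:])]
    return mean(diffs) if diffs else 0.0

def packet_loss_pct(samples) -> float:
    return 100.0 * sum(s is None for s in samples) / len(samples)

def throughput_bps(bytes_delivered: int, seconds: float) -> float:
    """Successful delivery rate in bits per second."""
    return bytes_delivered * 8 / seconds

def rate_latency(ms: float) -> str:
    # chapter thresholds: <100 good, 100-300 fair, >300 poor
    return "good" if ms < 100 else "fair" if ms <= 300 else "poor"

def voip_verdict(samples) -> dict:
    """Rate a sample run against the chapter's VoIP thresholds."""
    lat, jit, loss = latency_ms(samples), jitter_ms(samples), packet_loss_pct(samples)
    return {"latency_ms": round(lat, 1), "latency": rate_latency(lat),
            "jitter_ms": round(jit, 2), "jitter_ok": jit < 30,
            "loss_pct": loss, "loss_ok_voip": loss < 0.1, "loss_ok_general": loss < 1}
```

Note how a single lost probe in ten makes the run fail both loss thresholds even though latency and jitter look excellent: the metrics have to be read together.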
Practical Example: Wireshark Packet Capture
Follow these steps to capture and analyze HTTP traffic with Wireshark:
Step-by-Step Guide:
- Launch Wireshark and select the appropriate network interface
- Start capturing packets by clicking the shark fin icon
- In the filter bar, enter http to only show HTTP traffic
- Open a web browser and visit any HTTP (not HTTPS) website
- Stop the capture after loading the page
- Examine the HTTP request/response packets:
- Look for GET requests and 200 OK responses
- Examine headers in the packet details pane
- Right-click a packet and select "Follow TCP Stream" to see the complete conversation
Troubleshooting Tip:
If you're not seeing any HTTP traffic, ensure you're using HTTP (not HTTPS) websites: Wireshark cannot decrypt HTTPS traffic unless it is given the session keys (for example via a TLS key log file) or, for older non-forward-secret cipher suites, the server's private key.
Visualizing Traceroute with HTML Canvas
This interactive diagram shows how traceroute works, with packets traveling through multiple hops to reach a destination:
Diagram Description:
The visualization shows a source computer on the left sending packets through three routers (hops) to reach a destination server on the right. Each hop is represented by a router icon with its IP address. The animation demonstrates how packets with increasing TTL values reach further into the network, with each router responding when the TTL expires.
Summary
In this chapter, we've explored essential network management and monitoring techniques:
- Mastered packet analysis with Wireshark and basic troubleshooting with ping and traceroute
- Learned to diagnose and resolve common network issues
- Utilized key diagnostic commands like ipconfig and netstat
- Explored log analysis and monitoring tools for network health
- Implemented SNMP for device management and NetFlow for traffic analysis
- Measured and interpreted critical network performance metrics
These skills form the foundation for effective network administration and troubleshooting in professional environments.
Further Reading
- Kurose, J. F., & Ross, K. W. (2021). Computer Networking: A Top-Down Approach. Pearson.
- Wireshark User Guide: https://www.wireshark.org/docs/
- RFC 3411 - Architecture for SNMP Frameworks
- RFC 3954 - Cisco Systems NetFlow Services Export Version 9
- Cisco Networking Academy: https://www.netacad.com/