If your company provides vital information, services, and products over public or private networks, it is crucial that you ensure traffic traveling via systems you control is safe and flowing at acceptable speeds. Lapses in network connectivity, slow speeds, and potential exposure to threats can all translate to real-world costs for companies of all kinds.
Network traffic analysis is perfect for discovering malicious activity and refining congestion alleviation strategies. By leveraging the right analysis tools, you can quickly determine whether or not bottlenecks exist and where they are happening in your network. This makes diagnosing problems at specific endpoints significantly easier and eliminates the need for guesswork when it comes time to plan network improvements.
There are many different tools for network traffic analysis, and network administrators have to choose the best options for their organizations' unique needs. Selecting the right combination of passive and active analysis tools can be tricky, requiring careful consideration of the network's underlying hardware as well as its intended capacity.
In this article, we'll go over types of analysis techniques, individual analysis tools worth considering, and best practices for those looking to perfect their network traffic analysis processes.
What is Network Traffic Analysis?
Network traffic analysis is an activity that leverages various tools and techniques to measure network communication, making improvements to network security, speed, and reliability possible.
Here, we'll address the differences between analysis techniques and tools that are available. We’ll also go over a few of the drawbacks each technique presents.
Network Traffic Analysis Techniques
Network traffic analysis techniques come in two general forms. The first is router-based: the measurement is built into the routers and switches themselves, either as dedicated hardware or as hard-coded software. These techniques are not especially flexible, but they make real-time monitoring possible even when full analysis requires additional processing later.
Non-router-based techniques use either passive or active processes to monitor network activity. They are normally more flexible than their router-based counterparts, since they are not tied to specific devices on the network, but their effectiveness may drop at times of high network load. They may also force portions of the analysis to be handled offline, which does not suit every use case.
Simple Network Management Protocol (SNMP)
The Simple Network Management Protocol (SNMP) makes it possible to manage your network's performance by collecting traffic statistics from passive sensors (SNMP agents) embedded in network devices, from routers to end hosts. This monitoring takes place at the application layer of the network.
Devices that can be integrated into this network management protocol include switches, PCs, and printers, each containing an SNMP agent that collects information for a network management system (NMS).
Network management systems act as the main interface through which administrators interact with and monitor the entire network under this traffic analysis paradigm. Unfortunately, the first major version of this protocol lacks proper security features and effectively allows unauthenticated access. Version 3 rectifies this with measures that guard against packet modification, network eavesdropping, and more.
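To make the version distinction concrete, here is an added example (not code from the original article) that decodes the BER structure of an SNMP message as a monitoring sensor would see it on UDP/161 and flags v1 and v2c messages, whose community string travels in cleartext, while letting v3 traffic pass. The two sample payloads are constructed: an SNMPv1 GetRequest for sysDescr.0 with community `public`, and the leading version field of a v3 message.

```python
"""Inspect raw SNMP payloads and flag the versions that carry a cleartext community.

Added example: a minimal BER reader, not the article's or any vendor's code.
The sample payloads at the bottom are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

SNMP_VERSIONS = {0: "v1", 1: "v2c", 3: "v3"}
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap", 0xA5: "GetBulkRequest", 0xA8: "Report"}


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one BER tag-length-value at buf[pos:]; return (tag, value, next_pos).
    Lengths come from the wire, so each is bounds-checked and bad input raises
    ValueError instead of slicing past the end of the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of message")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value: bytes) -> str:
    """Turn a BER OBJECT IDENTIFIER payload into dotted notation."""
    if not value:
        raise ValueError("empty OID")
    arcs = [value[0] // 40, value[0] % 40]
    acc, pending = 0, False
    for b in value[1:]:  # base-128 arcs; high bit set on all but the last octet
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


@dataclass
class SnmpSummary:
    version: str
    community: str | None          # only v1 and v2c carry a community string
    pdu_type: str | None
    oids: list[str] = field(default_factory=list)
    insecure: bool = False         # True when the credential is a cleartext community


def extract_oids(pdu: bytes) -> list[str]:
    """v1/v2c PDU: request-id, error-status, error-index, then a VarBindList
    (SEQUENCE of SEQUENCE { OID, value })."""
    pos = 0
    for _ in range(3):
        tag, _, pos = read_tlv(pdu, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER in PDU header")
    tag, varbinds, _ = read_tlv(pdu, pos)
    if tag != 0x30:
        raise ValueError("expected VarBindList SEQUENCE")
    oids, pos = [], 0
    while pos < len(varbinds):
        tag, vb, pos = read_tlv(varbinds, pos)
        otag, oid, _ = read_tlv(vb, 0)
        if tag != 0x30 or otag != 0x06:
            raise ValueError("malformed VarBind")
        oids.append(decode_oid(oid))
    return oids


def inspect_snmp(payload: bytes) -> SnmpSummary:
    """Outer message for v1/v2c is SEQUENCE { INTEGER version, OCTET STRING community, PDU }.
    v3 replaces the community with msgGlobalData and security parameters."""
    tag, body, _ = read_tlv(payload, 0)
    if tag != 0x30:
        raise ValueError("SNMP message must start with a SEQUENCE")
    tag, ver, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER version")
    version = SNMP_VERSIONS.get(int.from_bytes(ver, "big"), "unknown")
    if version not in ("v1", "v2c"):
        return SnmpSummary(version, None, None)
    tag, community, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("expected OCTET STRING community")
    pdu_tag, pdu, _ = read_tlv(body, pos)
    return SnmpSummary(version, community.decode("ascii", "replace"),
                       PDU_TYPES.get(pdu_tag, hex(pdu_tag)), extract_oids(pdu), True)


def audit(payloads: list[bytes]) -> list[str]:
    """One finding per insecure or malformed payload; v3 traffic produces none."""
    findings = []
    for i, payload in enumerate(payloads):
        try:
            s = inspect_snmp(payload)
        except ValueError as exc:
            findings.append(f"#{i}: malformed SNMP ({exc})")
            continue
        if s.insecure:
            findings.append(f"#{i}: SNMP{s.version} {s.pdu_type} with cleartext "
                            f"community {s.community!r} for {', '.join(s.oids)}")
    return findings


# Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0), community "public".
SAMPLE_V1_GET = bytes.fromhex(
    "3026"                      # SEQUENCE, 38 bytes
    "020100"                    # INTEGER 0 -> SNMPv1
    "04067075626c6963"          # OCTET STRING "public"
    "a019"                      # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"  # request-id 1, error-status 0, error-index 0
    "300e" "300c" "06082b06010201010100" "0500"  # VarBindList: { sysDescr.0, NULL }
)
# Constructed v3 message fragment: only the version field matters for this check.
SAMPLE_V3_HEAD = bytes.fromhex("3003020103")
```

Running `audit([SAMPLE_V1_GET, SAMPLE_V3_HEAD, SAMPLE_V1_GET[:10]])` reports the v1 request with its cleartext community and the truncated third payload as malformed, and stays silent on the v3 fragment. In a deployment the payload list would come from a sensor capturing UDP/161 and 162; the bounds checks in `read_tlv` matter there because a collector that trusts wire lengths is itself an easy thing to crash.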
Netflow (RFC 3954)
Netflow was implemented by Cisco on its routers as a means of collecting network data automatically and analyzing it as it comes in. This approach places Netflow firmly within the realm of router-based traffic analysis tools.
Netflow differentiates itself from SNMP by leveraging three unique components:
- Flow Cache - The mechanism by which traffic is grouped into flows and the resulting flow records are held until they are exported for further analysis.
- Flow Collector - This tool collects and then filters data, eliminating whatever has been deemed unnecessary in order to reduce the amount of data needed for analysis.
- Data Analyzer - Here, data is actually analyzed to discover useful insights into network performance. This is also the main differentiator between Netflow and SNMP as there are many different data analyzers to choose from, each capable of contributing a unique perspective to an admin's overall understanding of their network's status.
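As an added example (not from the article or from Cisco), the following decoder walks through an RFC 3954 export packet the way a flow collector and data analyzer would: a Template FlowSet (ID 0) describes the record layout, the Data FlowSet carrying the matching template ID is decoded against it, and two small analyses then run over the records, one for the congestion view (top talkers by bytes) and one for the security view (a source touching many destination ports on one host). The export packet and the flow values in it are constructed inside the block; the header layout and field type numbers (1, 2, 4, 7, 8, 11, 12) are the ones RFC 3954 defines.

```python
"""Decode a NetFlow v9 (RFC 3954) export packet and analyze the flows.

Added example, not the article's or Cisco's code. The export packet and the
flow values in it are constructed below; field type numbers follow RFC 3954.
"""
from __future__ import annotations

import ipaddress
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unix_secs, sequence, source_id
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}


def decode_netflow_v9(packet: bytes, templates: dict | None = None) -> list[dict]:
    """Decode one export packet. Template FlowSets (ID 0) are stored in `templates`;
    Data FlowSets are decoded only once their template is known, which is also what a
    real collector must do: records arriving before their template are dropped."""
    templates = {} if templates is None else templates
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than the 20-byte header")
    version = HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not NetFlow v9 (version={version})")
    records, pos = [], HEADER.size
    while pos + 4 <= len(packet):
        fs_id, fs_len = struct.unpack_from("!HH", packet, pos)
        if fs_len < 4 or pos + fs_len > len(packet):
            raise ValueError("FlowSet length runs past end of packet")
        body = packet[pos + 4:pos + fs_len]
        if fs_id == 0:
            parse_templates(body, templates)
        elif fs_id >= 256 and fs_id in templates:
            records.extend(parse_data(body, templates[fs_id]))
        # ID 1 (options templates) and 2-255 (reserved) are skipped here
        pos += fs_len
    return records


def parse_templates(body: bytes, templates: dict) -> None:
    """Template FlowSet body: repeated { template ID, field count, (type, length)* }."""
    pos = 0
    while pos + 4 <= len(body):
        tid, nfields = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + 4 * nfields > len(body):
            raise ValueError("truncated template record")
        templates[tid] = [struct.unpack_from("!HH", body, pos + 4 * i) for i in range(nfields)]
        pos += 4 * nfields


def parse_data(body: bytes, fields: list) -> list[dict]:
    """Data FlowSet body: fixed-size records laid out per the template, then padding."""
    rec_len = sum(flen for _, flen in fields)
    if rec_len == 0:
        return []
    records, pos = [], 0
    while pos + rec_len <= len(body):  # leftover bytes shorter than a record are padding
        rec = {}
        for ftype, flen in fields:
            raw, pos = body[pos:pos + flen], pos + flen
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = str(ipaddress.IPv4Address(raw)) if ftype in (8, 12) and flen == 4 \
                else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def top_talkers(records: list[dict], n: int = 3) -> list[tuple[str, int]]:
    """Bytes sent per source address, largest first: the congestion view."""
    by_src = defaultdict(int)
    for r in records:
        by_src[r["src_addr"]] += r.get("in_bytes", 0)
    return sorted(by_src.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def fan_out_alerts(records: list[dict], max_ports: int = 3) -> dict[str, int]:
    """Source/destination pairs touching more than max_ports distinct destination
    ports: the security view, a cheap first indicator worth an analyst's look."""
    ports = defaultdict(set)
    for r in records:
        ports[(r["src_addr"], r["dst_addr"])].add(r["dst_port"])
    return {f"{s}->{d}": len(p) for (s, d), p in sorted(ports.items()) if len(p) > max_ports}


def build_sample_packet() -> bytes:
    """Constructed export packet: template 256 followed by one Data FlowSet."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    flows = [  # src, dst, sport, dport, proto, bytes, pkts (constructed, documentation ranges)
        ("192.0.2.10", "198.51.100.5", 51000, 443, 6, 120_000, 90),
        ("192.0.2.10", "198.51.100.5", 51001, 443, 6, 80_000, 60),
        ("192.0.2.77", "198.51.100.9", 40000, 22, 6, 1_200, 4),
        ("192.0.2.77", "198.51.100.9", 40001, 23, 6, 600, 2),
        ("192.0.2.77", "198.51.100.9", 40002, 80, 6, 600, 2),
        ("192.0.2.77", "198.51.100.9", 40003, 445, 6, 600, 2),
        ("192.0.2.33", "198.51.100.5", 53000, 53, 17, 5_000, 40),
    ]
    data = b"".join(ipaddress.IPv4Address(s).packed + ipaddress.IPv4Address(d).packed
                    + struct.pack("!HHBII", sp, dp, pr, by, pk) for s, d, sp, dp, pr, by, pk in flows)
    data += b"\x00" * (-len(data) % 4)  # pad the FlowSet to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(data)) + data
    header = HEADER.pack(9, 1 + len(flows), 123_456, 1_700_000_000, 1, 42)
    return header + tmpl_fs + data_fs
```

`decode_netflow_v9(build_sample_packet())` yields seven records; `top_talkers` puts 192.0.2.10 first with 200,000 bytes, and `fan_out_alerts` flags 192.0.2.77, which touched four distinct ports on 198.51.100.9. Feeding the same packet without its Template FlowSet returns no records at all, the same template-before-data dependency that makes real collectors keep per-exporter template state across packets.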
Active Monitoring
This traffic analysis technique relies on probes sent over the network between endpoints to assess factors like throughput and packet loss. As a non-router-based form of network analysis, there is no direct use of embedded router technology to grab relevant connection data. The downside to this approach is that the probes that are used (like traceroute and ping operations) can disrupt typical traffic, skewing assessments. The probes themselves can also be treated differently by network hardware, leading to less reliable results.
Passive Monitoring
Where active monitoring can change network traffic enough to invalidate analytics, passive monitoring has no such issues. No additional traffic is created through this approach, and packet sniffing is typically the preferred means of gathering network traffic intel. The main issue with this technique is simply that the data gathered must be processed offline instead of in real time.
Network traffic analysis makes it possible to maintain network security and performance without risking major downtime or leaking critical information. Choosing the appropriate approach to engaging in this form of network analysis should always come down to picking what works best for your own network's unique constraints.