Network Monitoring: Active & Passive

Questions and Answers

Which statement accurately describes network monitoring?

  • Its primary function is to manage user access rights.
  • It involves continuously observing a network for slow or failing components, and notifying administrators. (correct)
  • It is solely concerned with hardware maintenance schedules.
  • It exclusively focuses on resolving network outages.

In what context is 'utilization' used in network performance?

  • Amount of time a LAN spends receiving data.
  • Amount of time a LAN spends successfully transmitting data. (correct)
  • The measure of time a LAN spends attempting to transmit data, regardless of success.
  • Amount of time a LAN spends requesting data.

If delays occur 45% of the time on a network due to increased collisions, what is a reasonable expectation for network utilization?

  • 30% to 35%
  • 40% to 50%
  • 15% to 25% (correct)
  • 5% to 10%

What does monitoring 'peak utilization' help a network administrator determine?

When the highest percentage of the LAN's capacity is in use. (A)

What does the five-minute average utilization metric show about a LAN?

Percentage of LAN capacity used over 10 hours. (C)

In the context of network monitoring, what does 'current utilization' measure?

Moving average utilization calculated over a small time period. (C)

What is the primary concern regarding excessive amounts of broadcast or multicast traffic on a network?

Slowdowns in network performance. (D)

What percentage should broadcasts normally not exceed in network traffic?

5-10% (A)

What is the key characteristic of multicast communication?

Transmission to a select group of devices. (D)

If two network frames are transmitted simultaneously, leading to signal corruption, what is this event known as?

Collision (B)

In Ethernet networks, why can collisions be considered normal?

Due to the nature of CSMA/CD. (A)

What is a primary characteristic of a 'short frame' error in Ethernet?

Is smaller than the minimum legal size of 64 bytes. (D)

What is a defining characteristic of a frame with a 'bad FCS (Frame Check Sequence)'?

Checksum differs from original transmission by at least one bit. (D)

What characterizes a 'long frame' error in network communications?

Larger than maximum legal size of 1518 bytes. (C)

What defines a 'ghost' in the context of Ethernet errors?

Energy (noise) detected appearing as a frame lacking a valid SFD. (C)

Why might a network administrator monitor the number of nodes/users on a network?

To optimize bandwidth allocation. (A)

What is the essential function of the Address Resolution Protocol (ARP) in network communication?

Find the physical address for a given logical address. (D)

What is a common use case for the Internet Control Message Protocol (ICMP)?

Sending error messages. (B)

What distinguishes an application server from a file and print server in terms of request frequency?

Application servers typically have smaller, more frequent requests. (D)

What is the main role of a logon server?

Authenticating domain users. (D)

What is a key feature provided by logon servers for user convenience?

Single Sign-On (SSO). (D)

In server workload characterization, what does the term 'workload' refer to?

Amount of work assigned, or done by, a client. (A)

Which of the following is a critical consideration in determining server workload characterization?

The type of server. (A)

Under what condition does a web server need to fulfill requests from a cache?

To achieve maximum performance. (C)

From the listed options, which is least likely to cause network errors?

Network administrator's password. (C)

What percentage of network errors approximately occur in the first three layers of the OSI model?

65% to 75% (A)

In relation to server issues and performance, which areas are most likely to result in performance degradation?

Disk Subsystem, Memory, CPU, & Network (B)

What is the active process of moving entire processes to disk to reclaim memory called?

Swapping (B)

What is the active process of moving individual pages of a process to the disk to reclaim memory called?

Paging (D)

Why should excessive active network monitoring be avoided?

It can slow down the network. (B)

Which of the following is associated with Disk Subsystem?

Disk Reads/sec (D)

Which of the following is associated with CPU?

Interrupts/sec (C)

Which of the following is associated with memory?

Pages/sec (C)

Which of the following is associated with network card?

Bytes Total/sec (A)

When referring to File and Print servers, the number of accessing users and _____ become the most important when determining metrics.

Amount of resources (C)

True or False: "Physical disk - used for the analysis of the overall disk, despite the partitions that may be on the disk"?

True (A)

True or False: "Logical disk - analyzes information for multiple partitions"?

False (B)

When an FCS error occurs in the network, what can be said about the header?

The header is probably correct. (A)

Flashcards

Network Monitoring

The use of a system that constantly monitors a computer network for slow or failing components, notifying the network administrator of outages.

Active Monitoring

A method of network monitoring that involves actively sending traffic to test network performance and availability.

Passive Monitoring

A method of network monitoring that involves observing existing network traffic without generating additional traffic.

Monitoring Categories

Categories to monitor, including network specifications, network traffic and protocols, and platforms and operating systems.

Ethernet Utilization

A network performance metric that indicates the percentage of time a LAN spends successfully transmitting data.

Peak Utilization

The percentage of the LAN's capacity utilized during periods of highest activity.

Average Utilization

The percentage of the LAN's capacity utilized, calculated over a longer period, providing a broader view of network usage.

Current Utilization

The LAN's capacity utilized, expressed as a moving average calculated over a small time period.

Broadcast

A message that is sent to all devices on a network segment.

Multicast

A message that is sent to a select group of devices on a network.

Collision

Occurs when two frames are transmitted simultaneously, resulting in a garbled signal.

Short Frame

An Ethernet frame that is smaller than the minimum legal size of 64 bytes, but has a good frame check sequence.

Bad FCS

A checksum error, meaning the frame differs from the original transmission by at least one bit.

Long Frame

An Ethernet frame that is larger than the maximum legal size of 1518 bytes.

Ghosts

Energy (noise) detected on the cable that appears to be a frame but is lacking a valid SFD. It must be at least 72 bytes long.

ARP

A core protocol in the Internet Protocol Suite that finds the physical address for a given logical address.

DNS

A core protocol in the Internet Protocol Suite that helps to find the IP address by asking for a given domain name.

ICMP

A protocol from the Internet Protocol Suite used primarily for sending error messages.

LDAP

A protocol used for accessing and maintaining distributed directory information services.

Workload

The amount of work assigned to or done by a client, workgroup, server, or internetwork in a given time period.

Physical Disk

Analyzes the overall disk, regardless of the partitions on it, in NT-based Windows server environments.

Logical Disk

Analyzes information for a single partition in NT-based Windows server environments.

Paging

Moving individual pages of a process to the disk to reclaim memory.

Swapping

Moving an entire process to disk to reclaim memory.

Page Faults/sec

The count of how often a program tries to access data that is not in memory, which slows the program.

% Disk Time

Indicates common hard disk measurements like how long the disk takes to operate.

Avg. Disk Bytes

Measure the average amount of hard disk access as well as access bytes.

% Processor Time

The total processor usage consumed by a process.

Interrupts/sec

The count of how often the CPU is interrupted.

Network Card Measurements

Measures the amount of CPU use for bytes sent, received and their total.

Processor Queue Length

Occurs when the number of requests is larger than what a resource can handle which may lead to a slow computer.

Application Server

Server that handles all application operations between users and an organization's backend business applications or databases.

Logon Server

Used for the purpose of authenticating users to the domain.

Study Notes

  • Covers Network Monitoring
  • Active monitoring
  • Passive monitoring
  • Monitoring categories: network specifications (Ethernet), network traffic and protocols, platforms and operating systems

Network Monitoring Definition

  • Describes the use of a system that constantly monitors a computer network for slow or failing components
  • Sends notifications to the network administrator via email, SMS or other alarms in case of outages
  • It is a subset of the functions involved in network management
  • Also includes monitoring an active communications network to diagnose problems and gather statistics for administration and fine tuning

Types of Network Monitoring

  • Active Monitoring
  • Passive Monitoring

Monitoring Categories

  • Network Specifications
  • Network Traffic and Protocols
  • Platforms and Operating Systems

Establishing an Ethernet Baseline

  • Things to monitor: network utilization, collision rate, errors

Ethernet Utilization

  • A network performance measure that specifies the amount of time a LAN spends successfully transmitting data
  • Performance monitoring tools provide average and peak utilization times, reported as a percentage
  • Delays occur 40% to 50% due to increased collisions
  • Should achieve 15% to 25%

Peak Utilization

  • Means that a certain percentage of the LAN's capacity was utilized
  • Need to look at Protocols, Devices, and Users
  • Determine when peaks occur

Average Utilization

  • Means that, on average (e.g., 10 hours), a certain percentage of the LAN's capacity is used for successfully transmitting data
  • Calculated level over longer time

Additional Resources for Utilization Monitoring

  • PDFs include:
  • Extracted_from_Networking_Explained_Part_1.pdf (2 pages)
  • Extracted_from_Networking_Explained_Part_2.pdf (2 pages)
  • Understanding_the_bits_per_second.pdf (3 pages)

Broadcasts

  • Rate should not exceed 5-10%
  • Excessive amounts of broadcast or multicast traffic are a concern

Multicasts

  • Communication between small groups of devices
  • Same rules as broadcast

Examining Ethernet Errors

  • Collisions
  • Short frames
  • Bad FCS
  • Long frames
  • Ghosts

Collisions

  • If two frames are transmitted simultaneously by two stations, they overlap in time, resulting in a garbled signal
  • Collisions are normal
  • Use CSMA/CD and Jam signal
  • Captured in the output 1790 collisions

Short Frames

  • Are smaller than the minimum legal size of 64 bytes, with a good frame check sequence

Bad FCS (Frame Check Sequence)

  • Also referred to as a checksum or CRC error
  • Differs from the original transmission by at least one bit
  • The header information is probably correct and the frame may also have a valid size
  • The checksum calculated by the receiving station does not match the checksum appended to the end of the frame by the sending station
  • The frame is then discarded

Long Frames

  • Larger than the maximum legal size of 1518 bytes
  • Does not consider whether frame had a valid FCS checksum

Ghosts

  • Classified as energy (noise) detected on the cable that appears to be a frame, but lacks a valid SFD
  • The frame must be at least 72 bytes long, including the preamble
  • Slows network but doesn't increase utilization

Network Traffic

  • Measure the amount and type
  • Need hardware tools

Possible Types to Monitor

  • Number of Nodes/Users
  • Protocols
  • Broadcast/Multicast/Unicast
  • Conversations
  • Errors

Number of Nodes/Users

  • Workstations
  • Servers
  • Peripherals
  • Routers and switches
  • Who is on the network
  • Physical access

Protocols

  • Device-dependent
  • Segment dependent

How Much Traffic Is Overhead Protocols

  • ARP (Address Resolution Protocol): Find the physical address for a given logical address
  • DNS (Domain Name Service): Find the IP address for a given domain name
  • ICMP (Internet Control Message Protocol): Core protocol of the Internet Protocol Suite used primarily for sending error messages
  • LDAP (Lightweight Directory Access Protocol): Access and maintain distributed directory information services
  • RIP, EIGRP, OSPF: Managing network devices

Connections

  • Used to determine who is talking to whom
  • What is the flow of data (how much?)
  • Assess if traffic is from routers or servers
  • Applications - know what is on the network
  • Which protocols are used and by whom

Error Locations

  • 65% to 75% of network errors occur in the first three layers
  • Causes: Duplicate addresses, Host/Station/Network unreachable, Time-To-Live (TTL) exceeded

Server Workload Characterization

  • In a network, workload is the amount of work assigned to or done by a client, workgroup, server, or internetwork in a given time period
  • Workload characterization observes, identifies, and explains phenomena in a way that simplifies understanding the client, workgroup, server, or internetwork's usage
  • Things to consider: Server type, Workload characterization, Isolate components that restrict data flow, and Set expectations

Common Server Problems

  • Disk Subsystem
  • CPU
  • Memory
  • Network Adapters

Common Server Problems: Disk Subsystem

  • Is more than the disk itself
  • Problems can occur with any components in the subsystem
  • In NT-based Windows server environments it has two parts: physical and logical
  • Physical disk for high-level overall analytics
  • Logical disk for individual partition analysis

Common Server Problems: CPU

  • Most server machines support 1-4, 1-8, or up to 1-16 processors
  • Each processor can have up to 18 CPU cores
  • Common problems: Overheating due to incorrect thermal bonding with heat sink, Mismatches between CPU and memory speeds, Different CPUs populated with different numbers and sizes of memory modules

Common Server Problems: Memory

  • Server machines have one or more memory modules per processor
  • Some stations support up to 96 memory modules
  • Common problems include: different module sizes for all CPUs, improperly seated memory modules, modules with different speeds, unsupported memory modules for the particular server model

Common Server Problems: Network Adapters

  • Stations support a large number of NIC ports, up to 16 ports
  • Larger port numbers increase complexity of troubleshooting
  • Common problems include: incorrect firmware for adapters, improper configuration/restrictions on supported combinations

File and Print Servers

  • Manage the storage of data and printers on the network (e.g., Windows Server 2008, Mac OS X Server, Red Hat Linux Server, Ubuntu Server Edition)
  • Key concern is Disk I/O or the number of users attempting to access the server
  • Focus on the number/type of users accessing the server concurrently

Web Servers

  • Allow internet users to attach to your server to view and maintain web pages
  • Primary problem areas to focus - Memory >> Network
  • Must fulfill requests from cache for maximum performance

Application Server

  • Handles all application operations between users and backend business applications or databases, also known as an appserver
  • Features include built-in redundancy, monitoring for high-availability, high-performance distributed application services, and support for complex database access
  • Primary problem areas to focus - Memory >> Other
  • Smaller, more frequent requests than file and print server environments

Logon Server/System Services

  • Authenticates users to the domain
  • Can provide convenient authentication features such as Single Sign-On (SSO). This enables users to access multiple applications/services using the same username and password
  • Primary problem areas to focus - Processor >> Disk
  • Monitor - Activity generated between Servers and user peak activity

Factors Affecting Performance

  • Performance degradation is proportional to the problems
  • Problems occur in areas that affect performance
  • Disk Subsystem
  • Memory
  • CPU
  • Network

Common Hard Disk Measurements

  • Current Disk Queue Length
  • % Disk Time
  • Avg. Disk Queue Length
  • Disk Reads/sec
  • Disk Reads Bytes/sec
  • Avg. Disk Bytes/Transfer
  • Avg. Disk sec/Transfer

Paging

  • Moves individual pages of a process to the disk to reclaim memory. The paging algorithm tracks when each page was last used and tries to keep recently used pages in memory.

Swapping

  • Moves an entire process to disk to reclaim memory
  • When the system runs the process, it must copy it from the disk swap space back into memory

Paging and Swapping

  • Paging moves individual process pages to disk, the paging algorithm tracks used pages in memory
  • Swapping moves the whole process to the disk

Common Memory Measurements

  • Page Faults/sec
  • Pages Input/sec
  • Pages Output/sec
  • Pages/sec
  • Page Reads/sec
  • Page Writes/sec
  • Available Memory
  • Nonpageable memory pool bytes
  • Pageable memory pool bytes
  • Committed Bytes
  • Pool Paged Bytes
  • Pool NonPaged Bytes
  • Working Set
  • Paging File, %pagefile in use

Common Processor (CPU) Measurements

  • % Processor Time
  • Interrupts/sec
  • % Interrupt Time
  • % User Time
  • % Privilege Time
  • % DPC Time
  • Processor Queue Length
  • System Calls/sec
  • % Total Processor Time
  • % Total User Time
  • % Total Privilege Time
  • % Total Interrupt Time

Common Network Card Measurements

  • Bytes Sent/sec
  • Bytes Received/sec
  • Bytes Total/sec
  • % DPC Time
  • DPCs queued/sec
  • % Broadcasts
  • % Multicasts
  • Segments Sent/sec
  • Segments Received/sec
  • Segments/sec
  • Segments Retransmitted/sec
  • Connection Failures
  • Connections Reset
  • Connections Established
  • Server Sessions
  • Output Queue Length
