Beyond Network Monitoring – Root-Cause Analysis

Many network monitoring tools are available. All will give you the health of the network, and most will alert you when a problem occurs. However, not all network monitoring products provide enough actionable information to really drill down to the root cause of network bottlenecks – that is, network monitoring and root-cause analysis in the same

The ability to quickly pinpoint the origin of a problem, thus reducing mean-time-to-recovery (MTTR), is an important business benefit for an increasingly mobile workforce. Additionally, by speeding up the identification of rogue wireless devices – whether a rogue access point or a rogue peer (an end-user computer that has bridging and wireless enabled) – root-cause analysis serves to protect confidential data and critical assets. Overall, it simply improves the user experience.

To do root-cause analysis, you first need to choose a network monitoring approach that collects the appropriate data. As WildPackets’ Jay Botelho wrote in October, there are three primary data sources for network monitoring solutions: Simple Network Management Protocol (SNMP), flow records, and the packets themselves. Regardless of which approach you choose, you’re going to have to make compromises. Two metrics that are useful when making those compromises are data granularity and data accuracy. The compromises you make here determine whether or not you’re able to do root-cause analysis.

For example, a help desk may receive a call where a particular
user is having a problem with a particular application. This might go unnoticed
with a flow record-based approach, as the high-level alerts that have been
configured may not flag this for attention. In this circumstance, having the
packets and the payload can be important. As all packets are captured (unlike
flow records, which rely on statistical sampling), packet-based network
monitoring provides information that is 100 percent accurate for each flow. As
Botelho notes in his article, “…speaking, you want to use the appropriate monitoring technology for the appropriate need. If you just need to check the status of a device, then SNMP may be all you need… If you are interested in sampled high-level information about who is talking to whom, approximately how much traffic they are generating or receiving, then flow-based analysis may be fine… Lastly, if you need all the detail about what is happening on the network, as well as possibly being able to go back in time to prove what happened on the network, then a packet-based solution would be best.”
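To make the granularity and accuracy trade-off concrete, here is an added example (not code from the original post or from WildPackets) that builds a constructed packet trace, derives per-flow counters from every packet and from a 1-in-N sampled view as a sampled flow exporter would, and checks which flows a retransmission-ratio test flags. The trace, addresses and thresholds are constructed; sampling is deterministic here for reproducibility, whereas real exporters sample randomly.

```python
from collections import defaultdict

# Constructed packet trace (not real traffic): each packet is
# (src, dst, dst_port, bytes, is_retransmission). The retransmission flag is
# the kind of per-packet fact only packet analysis yields; flow records lack it.
def build_trace():
    trace = []
    for _ in range(400):                 # healthy bulk transfer carrying most bytes
        trace.append(("10.0.0.5", "10.0.1.20", 445, 1400, False))
    for i in range(12):                  # one user's small app session, half retransmits
        trace.append(("10.0.0.77", "10.0.1.30", 443, 120, i % 2 == 1))
    return trace

def flow_stats(packets, sample_rate=1):
    """Per-flow counters. sample_rate=1 models full packet capture; sample_rate=N
    keeps every Nth packet and scales counts by N, which is how a sampled flow
    exporter estimates totals for the flows it happens to observe."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0, "retrans": 0})
    for idx, (src, dst, dport, size, retrans) in enumerate(packets):
        if idx % sample_rate:
            continue                     # this packet never reaches the collector
        s = stats[(src, dst, dport)]
        s["packets"] += sample_rate
        s["bytes"] += size * sample_rate
        s["retrans"] += sample_rate if retrans else 0
    return dict(stats)

def flows_needing_attention(stats, max_retrans_ratio=0.2):
    """Root-cause check: flows whose retransmission ratio exceeds the threshold."""
    return sorted(key for key, s in stats.items()
                  if s["retrans"] / s["packets"] > max_retrans_ratio)

if __name__ == "__main__":
    trace = build_trace()
    user = ("10.0.0.77", "10.0.1.30", 443)
    for rate in (1, 100, 64):
        stats = flow_stats(trace, rate)
        label = "full capture" if rate == 1 else f"1-in-{rate} sampled"
        print(f"{label:16} user flow: {stats.get(user)}  "
              f"flagged: {flows_needing_attention(stats)}")
```

With every packet, the user's flow is flagged; at 1-in-100 it appears with inflated counts and no retransmissions, and at 1-in-64 it is absent altogether, so high-level alerts on the sampled view never fire.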

By planning appropriately and considering issues like data granularity and data accuracy, organizations can move beyond network monitoring and set themselves up for root-cause analysis with an approach and solution that best fits their needs.
