Many network monitoring tools are available. All will give you the health of the network, and most will alert you when a problem occurs. However, not all network monitoring products provide enough actionable information to drill down to the root cause of network bottlenecks - that is, network monitoring and root-cause analysis in the same product.
To do root-cause analysis, you first need to choose a network monitoring approach that collects the appropriate data. As WildPackets' Jay Botelho wrote in October, there are three primary data sources for network monitoring solutions: Simple Network Management Protocol (SNMP), flow records, and the packets themselves. Regardless of which approach you choose, you're going to have to make compromises. Two metrics that are useful when making those compromises are data granularity and data accuracy. The compromises you make here determine whether or not you're able to do root-cause analysis.
"Generally speaking, you want to use the appropriate monitoring technology for the appropriate need. If you just need to check the status of a device, then SNMP may be all you need... If you are interested in sampled high-level information about who is talking to whom, approximately how much traffic they are generating or receiving, then flow-based analysis may be fine... Lastly, if you need all the detail about what is happening on the network, as well as possibly being able to go back in time to prove what happened on the network, then a packet-based solution would be best."
By planning appropriately and considering issues like data granularity and data accuracy, organizations can move beyond network monitoring and set themselves up for root-cause analysis with an approach and solution that best fits their needs.
