Why you need to monitor network traffic on your network
As many of our customers say “because packets don’t lie”. Network traffic is an excellent data source if you want to identify security and operational issues. You can find out what users are doing on your network without the need for client or agent software.
- Troubleshoot bandwidth problems
- Get an audit trail of file and folder activity
- See what is happening on your Internet gateways
- Get a real-time and historical record of what is happening on your network
Implementing a solution which can monitor network traffic gives you the insight you need to optimize network performance, enhance security and improve the management of your resources. However, knowing how to monitor network traffic is not enough. You need to select a tool to give you the detail that you require.
For example, flow analysis tools to “monitor” network activity only provide top-level information such as the source and destination of traffic and its volume, and are inefficient at monitoring applications using multiple TCP or UDP ports and conversations with CDNs. Similarly, agent-based software is impractical for networks with multiple sites and organizations providing BYOD or public access wireless networks.
There is a big difference between network traffic measuring and network traffic monitoring – one that can make a crucial difference in the performance, security and management of your network. Traffic measuring applications typically display graphs or gauges which show metrics such as total traffic on a WAN link.
This is why tools for network traffic monitoring should be capable of deep packet analysis – and agent-free – in order to drill down into all a network's traffic and inspect every conversation in depth. If you have a problem, you have the information you need to see what happened.
Network Traffic Monitoring with Deep Packet Inspection
Network traffic monitoring solutions which include deep packet inspection use wire data analytics to capture metadata from network packets and look within the metadata to see what payloads the packets contain. Real-time information is provided about user activity, application activity, web activity, etc., in a format administrators can drill down into in order to monitor all network traffic in phenomenal detail.
The deep packet inspection process effectively provides a continuous health check on network and user activity. Administrators can set up alerts to warn of any suspicious activity or issues on the network, and conduct network forensics via a central management portal – in real time or using historical data – in order to optimize network performance, enhance security and improve resource management.
The difference between packet-based analysis systems and flow-based tools has been likened to a letter going through the mail. Flow analysis tools count the letter, see where it has come from and where it is going. Deep packet inspection opens the letter, reads its content, raises an alert if an anomaly exists, and files a copy of the letter for later reference.
How to Monitor All Network Traffic Agent-Free
Network traffic monitoring tools that use agents require software to be installed on every device that connects to the network. Although this may be an acceptable maintenance overhead for IT teams that support small LANs, it is impractical for large networks and WAN networks with multiple or remote sites. Agent-based tools are also ineffective on BYOD or public access wireless networks because agents cannot be installed on end users' devices and therefore activity by these devices cannot be monitored.
In order to monitor all network activity agent-free, a network traffic monitoring tool connects to the network via the core switch and a SPAN or mirror port. Without interacting with other devices on the network or impacting network performance, the tool captures all network traffic metadata for analysis and viewing on the central management portal. This includes data relating to applications that “port hop”, conversations with CDNs, and activity conducted by users connecting wirelessly to the network.
In order to monitor all WAN network activity at multiple sites, sensors are deployed on the remote physical or virtual platforms. The network traffic metadata is captured by the sensors and sent for analysis at the central location. Administrators have visibility across the organization's entire network, and can monitor all network traffic from a single reference point with the same degree of depth as if the traffic had traversed the local network.
Monitor All Your Network Traffic Free for Thirty Days
LANGuardian is an industry leading network traffic monitoring tool that, unlike other packet capture and deep inspection tools, runs on industry standard hardware and virtualized environments. Quick to download and easy to deploy, LANGuardian generates and stores metadata in rich detail to help administrators improve network performance, security, and management, by providing total visibility across an organization's entire network.
LANGuardian is trusted by users all over the world to monitor – rather than measure – all network traffic and, if you would like the opportunity to evaluate our network traffic monitoring tool in your own environment, we invite you to download the free trial now. With it you can find out what is really happening on your network – with competitive pricing options available if you choose to continue using our service.
If you have any questions about how to monitor traffic on your network using LANGuardian, or would like to know more about how our network traffic monitoring tool can meet your organization's requirements, do not hesitate to contact us and speak with one of our helpful technical support team. Please note that by downloading the free trial of LANGuardian or by contacting us for any other purpose, you are under no obligation to subscribe to our service at any time.
Further reading: 5 Tips if you are looking to monitor network traffic
1. Choose the right data source
Whatever your motive for monitoring network traffic, you have two main data sources to choose from:
- Flow data can be acquired from layer 3 devices like routers
- Packet data can be sourced from SPAN, mirror ports or via TAPs
Flow data is fine if you are looking for traffic volumes and mapping the journey of a network packet from its origin to its destination. This level of information can help detect unauthorized WAN traffic, the utilization of network resources and network performance. However, flow-based tools for monitoring network traffic lack the detailed data to perform true root cause analysis.
Packet data extracted from network packets can help network managers understand how users are using applications, track usage on WAN links, and monitor for suspicious malware or other security incidents. By transforming the raw metadata into a readable format and enabling network managers to drill down to the minutest detail, deep packet inspection tools provide 100% visibility over the network.
2. Pick the correct points on the network to monitor
Naturally with agent-based software, you have to install software on each device you want to monitor. This is not only an expensive way of monitoring network traffic but it creates a significant maintenance overhead for IT teams. Furthermore, if your objective is to monitor activity on a BYOD or publicly-accessible network, agent-based software will not give you the full picture of user activity because it is impractical (and in some states illegal) to monitor activity on users' personal devices.
Even with agent-free software, a common mistake many people make when deploying tools to monitor network traffic is that they try and monitor too many data sources at the start. There is no need to monitor every network point. Instead you need to pick points where data converges. Examples of this would be Internet gateways, Ethernet ports on WAN routers or VLANs associated with critical servers.
If you are new to getting tools in place to monitor network traffic, I would suggest you should start by monitoring your Internet gateway(s). This can be an excellent source of security and operational data. This short video below explains how you can do this with Cisco switches – a similar approach can be applied to other switch vendors.
3. Sometimes real-time data is not enough
The ability to monitor network traffic in real-time is sufficient to achieve many objectives of network traffic monitoring, but sometimes real-time data is not enough. Historical data is just as important if you want to analyze past events, identify trends or compare current network activity to maybe a week previous. For these objectives it is best to use tools for monitoring network traffic with deep packet inspection.
Some tools for monitoring network traffic choose to age data. This means the further back you go historically, the less detail you can get. While this can save on disk space, it is not an ideal solution if you are trying to determine how an intruder managed to overcome your defenses to plant malware on the network. Without accurate and complete data relating to the event, you can be left looking for answers that no longer exist.
It is also a good idea to be aware that some SIEM and network traffic monitoring systems base their pricing on the amount of data you want to store. Keep a watchful eye out for this when you are evaluating solutions. Other appliance-based tools are limited based on the specifications of the system you buy, and an upgrade becomes a replacement appliance which can be expensive. The most flexible options are network traffic monitoring tools that are software-based and allow you to allocate whatever disk space you think is appropriate.
4. Associate the data with usernames
Traditional network traffic monitoring tools usually report on activity using IP or MAC addresses. While this is useful information, it can be problematic in DHCP environments if you are trying to find a problematic device. One piece of information that can bring together network activity and devices is usernames. Username association will let you know who is doing what on the network.
5. Check the flows and packet payloads for suspicious content
Many networks have intrusion detection systems at the network edge but very few networks have this type of technology monitoring traffic inside the network. All it takes is one rogue mobile or IoT device for a network to be compromised. Another issue I often see is firewalls allowing suspicious traffic through where a rule was misconfigured.
The image below shows an example of this: someone created a rule to allow traffic inbound on TCP 5901 (VNC remote desktop sharing), but they did not limit it to one source and destination. The source addresses in this case appear to be registered in China, and connections from this country would not be expected on this network.
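The following script is an added example and is not code from the article or from LANGuardian. It works through tips 4 and 5 on constructed data: a handful of flow records and a constructed IP-to-username table stand in for a SPAN-port capture and a DHCP/authentication log, and the check flags every conversation to the VNC port whose source is outside the internal address range or not on the list of hosts the firewall rule should have been limited to. All addresses, usernames and the allow list are assumptions made up for the example.

```python
import ipaddress
from collections import namedtuple

# Constructed sample flow records (not from the article): src, dst, dst port, bytes.
FLOWS = [
    ("10.0.1.25", "10.0.1.10", 5901, 4200),
    ("203.0.113.77", "10.0.1.10", 5901, 91000),
    ("198.51.100.9", "10.0.1.10", 5901, 380),
    ("10.0.1.30", "10.0.1.11", 443, 1200),
    ("10.0.1.30", "10.0.1.10", 5901, 5600),
]

# Constructed username association table (tip 4): what a DHCP or auth log would give you.
IP_TO_USER = {"10.0.1.25": "alice", "10.0.1.30": "bob"}

# Assumed internal address space and the only source the VNC rule should have allowed.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
VNC_PORT = 5901
ALLOWED_VNC_SOURCES = {ipaddress.ip_address("10.0.1.25")}

Finding = namedtuple("Finding", "src dst port nbytes user reason")


def username_for(ip):
    """Tip 4: replace a bare IP with a username where the association log has one."""
    return IP_TO_USER.get(ip, "unknown")


def check_flows(flows):
    """Tip 5: flag conversations to the VNC port that the firewall rule should have blocked."""
    findings = []
    for src, dst, port, nbytes in flows:
        if port != VNC_PORT:
            continue
        src_ip = ipaddress.ip_address(src)
        if src_ip not in INTERNAL:
            reason = "inbound VNC from external source"
        elif src_ip not in ALLOWED_VNC_SOURCES:
            reason = "internal VNC source not on allow list"
        else:
            continue  # the one source the rule was meant for
        findings.append(Finding(src, dst, port, nbytes, username_for(src), reason))
    return findings


if __name__ == "__main__":
    for f in check_flows(FLOWS):
        print(f"{f.src:>15} -> {f.dst}:{f.port} {f.nbytes}B user={f.user} {f.reason}")
```

Running it reports the two external sources and bob's workstation; the allow-listed source and the HTTPS flow are left alone.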
My 5 tips if you are looking to monitor network traffic are flexible depending on your motives for monitoring network traffic, the depth of visibility you need over the network to achieve your objectives, and the resources you have available to address potentially high maintenance overheads.
Nonetheless they should help you determine the most appropriate tool for network traffic monitoring, and the features it should have in order to monitor network traffic effectively. There is a huge number of solutions available if you want to monitor network traffic. The key is to pick one to match your requirements.
- Choose flow based analysis tools if you want to get traffic volumes and IP addresses associated with WAN or other layer 3 links
- Choose packet analysis tools if you need traffic volumes, IP addresses and more detail to investigate security or operational issues.
There are many good reasons to monitor network traffic. The information obtained by network traffic monitoring tools can be used in multiple security and IT operational use cases to (for example) identify security vulnerabilities, troubleshoot network issues and analyze the impact new applications will have on the network.
However, not all tools for monitoring network traffic are the same. Generally they can be broken down into two types – flow-based tools and deep packet inspection tools. Within these two types you have the choice of tools that use/don't use software agents, tools that store/don't store historical data, and tools with intrusion detection systems that monitor network traffic within the network as well as along the network edge.
If you would like to discuss any of the points raised in this article, do not hesitate to contact us.