What’s your network doing right now? Where is traffic flowing to, and where’s it coming from? Are there bottlenecks you don’t know about? Where’s the next problem going to be?
Network traffic pattern analysis answers these questions and more. It’s a way for you to examine how your clients use your networks. You may think you know how heavily your clients utilize each segment and VLAN and where the weak points are. But do you? Traffic analysis shows you what’s really happening with real data.
Let’s talk about the process of network traffic pattern analysis. We’ll discuss how to collect traffic information and how you can use it to analyze your infrastructure. As a result, you’ll know how to improve network performance and customer satisfaction.
Network Traffic Pattern Analysis
Network traffic analysis goes beyond monitoring network hardware for utilization and errors. It consists of collecting data and identifying patterns that help you recognize abnormal usage, sense issues before they become errors, and track changes in utilization. Understanding your network’s underlying traffic patterns is critical to keeping it running, planning its capacity, and protecting it from attacks.
So, network traffic pattern analysis aids in:
- Highlighting and troubleshooting bandwidth issues: New usage patterns, such as increased use of existing applications or the addition of a new one, can change traffic patterns and cause further problems.
- Detecting security problems faster: Network traffic pattern analysis finds problems in real time, so unusual patterns like attacks or breaches surface quickly.
- Improving device visibility: Traffic pattern analysis helps you look at the entire network and improves how you see each endpoint and device.
Before you can gather insights from your network traffic, you need to collect the data. This entails identifying your network gear and where the best collection points are. It also includes ensuring you don’t overwhelm your monitoring system—and yourself—with duplicate data.
Improve Network Visibility
You can’t analyze your network if you don’t know what’s out there. So you need to be sure all of your devices are under management.
First, identify your gear. An automated network management tool can help you with the heavy lifting by scanning and mapping your systems for you. You need to know about all of the systems on your network, what state they’re in, and how they’re connected to each other.
Then, you can follow up with a physical inventory of on-premises gear and an inventory of cloud systems using your cloud provider’s tools.
Keeping a complete inventory and accurate map of your networks is an ongoing process. Performing a periodic inventory is a good idea. But, you should have a process in place for updating your network documentation when you add new gear.
Better network visibility is critical to accurate analysis. If it’s not managed, it’s not analyzed. But better analysis isn’t the only advantage to complete visibility. You may discover systems you don’t have access to or systems that are running out-of-date software. You may even find some systems that are no longer needed.
NetFlow and sFlow
Now that you have a handle on what your network looks like, you can start to think about capturing network traffic data for analysis.
NetFlow, sFlow, and their relatives like RFlow and AppFlow will comprise the bulk of your network traffic data.
With NetFlow, you can collect data about traffic as it enters or exits an interface. It exports data to a configured collection point so you can analyze where data is flowing to and from, where congestion occurs, and what classes of service you are supporting well. Cisco originally introduced NetFlow as a feature on their equipment, but it has since morphed into IPFIX, an industry standard for network data export.
sFlow (“sampled flow”) is another industry standard for packet export. It exports truncated packets and data about interfaces, like counters, rather than complete network traffic flows. It’s suitable for high-speed networks because of the way it samples data. Trying to export complete traffic information from gigabit networks doesn’t always scale.
These traffic data standards export information where packets enter and exit your devices. So, you need to be careful about how you set up your collections. It’s easy to inadvertently grab the same packets twice. NetFlow, sFlow, and their brethren are not intended to catch physical errors, so there’s no need to capture the same packet as it leaves one device and enters another.
Network monitoring via agents, logs, and SNMP doesn’t collect network traffic. It accumulates and observes information about load, performance, transactions, and events. But, it does add color and depth to your analysis. You can use the information to correlate system events and status with network traffic levels.
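The double-counting problem described above, as an added example that is not from the original post or any vendor's code. The `Flow` record, the exporter names, and the 5-second matching window are assumptions made for illustration; real collectors use their own record formats and matching rules.

```python
from collections import namedtuple

# Constructed sample records in a simplified layout (not a NetFlow/sFlow wire format).
Flow = namedtuple("Flow", "exporter src dst sport dport proto start bytes")

SAMPLE_FLOWS = [
    # One conversation reported twice: leaving the access switch, entering the core router.
    Flow("access-sw1", "10.0.1.15", "10.0.9.20", 51514, 443, 6, 1000, 48_000),
    Flow("core-rtr1", "10.0.1.15", "10.0.9.20", 51514, 443, 6, 1001, 48_000),
    # Reported by a single exporter only.
    Flow("core-rtr1", "10.0.2.33", "10.0.9.21", 40022, 53, 17, 1002, 300),
    # Same 5-tuple much later from the same exporter: a new flow, not a duplicate.
    Flow("access-sw1", "10.0.1.15", "10.0.9.20", 51514, 443, 6, 1900, 12_000),
]


def dedupe(flows, window=5):
    """Keep one record per conversation when several exporters report it.

    Two records count as the same flow if they share the 5-tuple, come from
    different exporters, and start within `window` seconds of each other.
    The earliest report is the one kept.
    """
    kept = []
    last_kept = {}  # 5-tuple -> (exporter, start) of the record already kept
    for f in sorted(flows, key=lambda r: r.start):
        key = (f.src, f.dst, f.sport, f.dport, f.proto)
        prev = last_kept.get(key)
        if prev and prev[0] != f.exporter and f.start - prev[1] <= window:
            continue  # second view of a flow that is already counted
        last_kept[key] = (f.exporter, f.start)
        kept.append(f)
    return kept


def total_bytes(flows):
    """Sum the byte counters of a list of flow records."""
    return sum(f.bytes for f in flows)


if __name__ == "__main__":
    unique = dedupe(SAMPLE_FLOWS)
    print("raw bytes:    ", total_bytes(SAMPLE_FLOWS))
    print("deduped bytes:", total_bytes(unique))
```

Without the deduplication step, the HTTPS conversation would be counted twice and the reported volume would be inflated by the duplicate's byte count.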
Once you’ve established network visibility and collected traffic data and other network information, it’s time to start your analysis.
Real-time Network Traffic
Not all network traffic is created equal.
Real-time traffic carries time-sensitive application data, such as voice, video, market data, and critical transactions. There’s no formal definition regarding what’s real-time and what isn’t—that’s up to your organization and its needs.
Non-real-time, or best-effort, traffic is network activity that is deemed less important than real-time. Like real-time, it’s up to you to decide what falls under this umbrella. It may be logging traffic, batch data transfers, and desktop web browsing. Or, web browsing may be important enough that you treat it as a critical activity and classify it as real-time.
Regardless of how you organize your application data streams, network traffic analysis gives you a way to view your network with an eye toward how well your real-time traffic is doing.
One of the most valuable insights you’ll get from network traffic analysis is finding your bottlenecks. Few things are more valuable than the ability to see the choke points in your infrastructure.
Traffic analysis gives you:
- Visibility into endpoints that are consuming the most bandwidth.
- Alerts when bandwidth rises too quickly.
- Insight into changing bandwidth trends.
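A sketch of the first two items in that list, added here as an example and not taken from the original post or from any product: it ranks sources by bytes sent and flags a source whose per-minute volume jumps well above its own moving baseline. The sample data is constructed, and the smoothing factor, the 3x threshold, and the warm-up length are assumptions you would tune to your own traffic.

```python
from collections import defaultdict

# Constructed data: (minute, source address, bytes sent in that minute),
# as it might look after aggregating flow records per source.
_HOST_B = [500_000, 520_000, 480_000, 510_000, 4_000_000, 4_200_000]
SAMPLE = (
    [(m, "10.0.1.15", 2_000_000) for m in range(6)]   # steady heavy sender
    + [(m, "10.0.2.33", b) for m, b in enumerate(_HOST_B)]  # sudden jump at minute 4
    + [(m, "10.0.3.7", 100_000) for m in range(6)]    # steady light sender
)


def top_talkers(records, n=2):
    """Return the n sources with the highest total bytes, largest first."""
    totals = defaultdict(int)
    for _, src, nbytes in records:
        totals[src] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def rise_alerts(records, alpha=0.3, factor=3.0, warmup=3):
    """Flag minutes where a source sends more than `factor` times its baseline.

    The baseline is an exponentially weighted moving average per source.
    It keeps updating after an alert, so a sustained new level becomes the
    new normal (a trend change) instead of alerting every minute.
    """
    baseline, seen, alerts = {}, defaultdict(int), []
    for minute, src, nbytes in sorted(records):
        if src not in baseline:
            baseline[src] = float(nbytes)
        else:
            if seen[src] >= warmup and nbytes > factor * baseline[src]:
                alerts.append((minute, src, nbytes, round(baseline[src])))
            baseline[src] = alpha * nbytes + (1 - alpha) * baseline[src]
        seen[src] += 1
    return alerts


if __name__ == "__main__":
    print("top talkers:", top_talkers(SAMPLE))
    for minute, src, nbytes, base in rise_alerts(SAMPLE):
        print(f"minute {minute}: {src} sent {nbytes} bytes (baseline {base})")
```

The steady heavy sender tops the ranking but never alerts, while the source that jumps eightfold alerts once and then settles into a higher baseline, which is the difference between a top talker, a spike, and a trend.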
Dashboards and Reports
Most of the applications we’ve discussed involve using your network traffic analysis data to build reports. These reports can tell you how well your network manages real-time and best-effort traffic or which systems consume the most bandwidth or slow things down. By generating these reports regularly, you’ll be able to track important trends, establish baselines, and improve your capacity planning.
But your traffic analysis can take the form of monitoring via dashboards, too. An effective network traffic analysis system will graph and chart your network traffic. It’ll give you tools to set alerts and let you watch traffic alongside the rest of your system metrics. It should also use network traffic analysis for root cause analysis.
Get Started With Network Traffic Insights
In this post, we looked at how you can gather insights with network traffic pattern analysis. We started by defining network traffic pattern analysis and discussed why it’s a key responsibility for infrastructure managers. Then we saw how to get started collecting the data you need to perform your analysis. Finally, we got to work on finding insights. Network traffic pattern analysis can be done with reports and real-time monitoring via dashboards. Make sure you use both.
Setting up network traffic pattern analysis with the right tool can make the process faster and easier for you. Netreo is one of those tools. It manages NetFlow and sFlow traffic data and has robust network and system management tools. Take a look today!
This post was written by Eric Goebelbecker. Eric has worked in the financial markets in New York City for 25 years, developing infrastructure for market data and financial information exchange (FIX) protocol networks. He loves to talk about what makes teams effective (or not so effective!).