Configuring a network monitoring system

How do you configure your network monitoring system for optimal performance? In this tip, learn how to optimize network performance monitoring settings so that the monitoring system conserves bandwidth and takes into account the optimal performance of the network.

Network monitoring systems can use a lot of bandwidth to accomplish their task of monitoring the network. The more devices you monitor and the more up-to-date you want that monitoring to be, the more bandwidth your monitoring system will eat away from valid traffic on your network. So how do you configure your network monitoring system for optimal performance? Let's find out.

Configuring a network monitoring tool for optimal performance -- the basics

The ping program is the most basic form of a network monitoring system. Most of us are used to typing "ping host1" and getting the results back. You probably don't even think about what ping is doing in the background to tell you whether the host is there or not.

By default, in Windows, ping sends four 32-byte packets to the host you specified and waits for a return after each one. In the end, it calculates the percentage that was lost, the maximum return time, minimum return time, and average return time, like this:

 Z:\> ping corerouter

 Pinging corerouter [] with 32 bytes of data:

 Reply from bytes=32 time=1ms TTL=255
 Reply from bytes=32 time<1ms TTL=255
 Reply from bytes=32 time<1ms TTL=255
 Reply from bytes=32 time<1ms TTL=255

 Ping statistics for
     Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
 Approximate round trip times in milliseconds:
     Minimum = 0ms, Maximum = 1ms, Average = 0ms

 Z:\>

That seems pretty elementary -- and probably even a little boring -- but I am getting to a point here (I promise).

If you want to tweak ping and customise it, you can use some switches. For example:

  • Ping -n {count} -- tells ping how many times to send a ping packet. The default is four.
  • Ping -w {milliseconds} -- tells ping how long to wait, after each packet, for a reply.
  • Ping -l {bytes} -- tells ping how many bytes each ping packet should be.

Thus, I could send a ton of traffic to a host by doing this:

Ping -l65500 -t killtherouter

This would send 65,500-byte packets to this host until someone told ping to stop.

What do network monitoring systems do?

While ping is the most basic type of network monitoring application available, it is similar to all the others in the sense that it has settings that can be optimised so that you get the network information you need without slowing down the network.

Let's now talk about some other network monitoring tools that are available today. Here are some of the more popular ones:

Keep in mind that when people think of "network monitoring" in the strictest sense, they think of pure network node UP/DOWN information. However, most network monitoring systems today monitor not only for node UP/DOWN status but also for node or network performance. All of this data is brought back to a database of some kind so it can be analysed, reported and graphed.

There are many facets to network monitoring. Some network administrators will lump many types of network monitoring into this category, including device status, device inventory, performance monitoring, alerting, trending, and intrusion detection.

All of the tools mentioned above fit the bill of not only network monitoring tools but, more than likely, network performance monitoring tools as well.

What types of things can I tweak on my network monitoring system?

With today's modern network monitoring systems, just about anything can be tweaked. But what is going to get you the best performance for your time spent? Most network monitoring systems today use SNMP to collect more than just "are you there" information. With SNMP, these systems can collect performance information and be alerted when a network interface goes down or up.

In general, in any network monitoring application, you should be able to tweak the following things:

  • What network node is being monitored (for example, your core router or "apps-server")?
  • What interfaces on that network node are being monitored (for example, on a router, it could be the GigE0/0 interface; on a server, it could be CPU 1)?
  • How often is that device being polled (for example, every 10 seconds or every 60 minutes)?
  • How much information is being polled each time that network node is polled by the host system?
  • How is the collected data calculated and stored (or not stored)? For example, will your NMS calculate the average response time over the last five minutes and keep only that number instead of keeping all numbers calculated over the last five minutes? This is a significant improvement.

How do I configure my network monitoring system for optimal performance?

I have used all of the network monitoring and performance monitoring applications listed above (and liked them), but there is one that I keep coming back to and which has, over time, become my favourite. That program is Paessler's PRTG, which is free if you are monitoring only a single network node (say, a single router or a single server) and a single interface on that node (a single interface on a single router). Beyond that, PRTG is pretty inexpensive and easy to use. Yes, there are completely free network monitoring and performance applications (e.g., Nagios and Cacti) but none of them is as simple, easy and comparatively inexpensive as PRTG.

How much bandwidth you choose to use for monitoring your network can be determined by how much bandwidth you have available and how important real-time network updates are to you. Will you configure an application like PRTG to poll your core router every 10 seconds or every 43,200 seconds? If you are monitoring only a single router on the LAN, there is no problem with polling it for connectivity and performance data every 10 seconds. On the other hand, if you are monitoring 10,000 devices and decide to poll them over already busy network links, you are creating a ton of unneeded traffic, probably causing network performance problems, and hurting yourself more than you are helping.

Here is what this looks like in PRTG:

You also want to know enough to tweak the graph averages. As you can see above, the default graph average is five minutes. By changing the graph average from five minutes to 20 seconds, the look of your graph will change significantly.
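The effect of the averaging interval on what a graph can show, as an added example that is not from the original article or from PRTG. The traffic series is constructed: one sample per second for ten minutes, a flat 2 Mbit/s baseline and a single 15-second burst at 95 Mbit/s.

```python
# Added example: constructed data, not output from PRTG or any real device.

def window_averages(samples, window):
    """Average consecutive, non-overlapping runs of `window` samples."""
    chunks = (samples[i:i + window] for i in range(0, len(samples), window))
    return [sum(chunk) / len(chunk) for chunk in chunks]


def build_traffic(duration_s=600, baseline=2.0, burst=95.0,
                  burst_start=310, burst_len=15):
    """One sample per second (Mbit/s): flat baseline plus one short burst."""
    return [burst if burst_start <= t < burst_start + burst_len else baseline
            for t in range(duration_s)]


def summarize(samples, window):
    """Return (points kept in storage, highest value the graph can show)."""
    averaged = window_averages(samples, window)
    return len(averaged), round(max(averaged), 2)


TRAFFIC = build_traffic()

if __name__ == "__main__":
    for label, window in (("raw 1 s", 1), ("20 s avg", 20), ("5 min avg", 300)):
        points, peak = summarize(TRAFFIC, window)
        print(f"{label:>10}: {points:4d} stored points, "
              f"peak shown {peak} Mbit/s")
```

The five-minute average stores 300 times fewer points than the raw samples, but the 95 Mbit/s burst shows up as only 6.65 Mbit/s; the 20-second average still shows it at 48.5 Mbit/s.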

Also, what graphs do you want to see, with what averages of the data? Here are the settings I am looking at:

What I recommend is this:

  • Find a balance between polling your network devices infrequently and frequently, in order to reduce bandwidth demands.
  • Use a network protocol analyser like Wireshark (formerly Ethereal) to understand how much traffic is really being created by your monitoring, and adjust polling accordingly.
  • Devices on the LAN can usually be polled much more frequently than devices on the WAN.
  • Keep in mind that the longer the average of data is set to, the less likely it is that you will see peaks of data that were short enough to fall in between the averages.
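One way to turn the first three recommendations into numbers, as an added example that is not from the original article or from any monitoring product. The bytes-per-poll figure stands in for what you would measure with a protocol analyser; it, the link speeds, the candidate intervals and the 1% budget are all constructed assumptions.

```python
# Added example: every figure below is a constructed assumption.

# Candidate polling intervals in seconds (hypothetical list; the 10 s and
# 43,200 s endpoints are the two values the article mentions).
CANDIDATE_INTERVALS_S = [10, 30, 60, 300, 900, 3600, 43200]


def monitoring_bps(devices, bytes_per_poll, interval_s):
    """Average bits per second generated by polling `devices` nodes."""
    return devices * bytes_per_poll * 8 / interval_s


def shortest_interval(devices, bytes_per_poll, link_bps, budget_fraction):
    """Shortest candidate interval that keeps polling within the budget."""
    allowed_bps = link_bps * budget_fraction
    for interval in CANDIDATE_INTERVALS_S:
        if monitoring_bps(devices, bytes_per_poll, interval) <= allowed_bps:
            return interval
    return None  # even the longest interval exceeds the budget


SITES = [
    # name, devices, bytes per poll cycle per device (request + reply),
    # capacity in bit/s of the link the polls cross
    ("core router on LAN", 1, 4000, 1_000_000_000),
    ("branch over WAN", 200, 4000, 1_544_000),
    ("all devices over WAN", 10_000, 4000, 1_544_000),
]


def plan(budget_fraction=0.01):
    """Map each site to the most frequent polling interval it can afford."""
    return {name: shortest_interval(n, size, link, budget_fraction)
            for name, n, size, link in SITES}


if __name__ == "__main__":
    for site, interval in plan().items():
        print(f"{site:>22}: poll every {interval} s")
```

Replace the 4000-byte figure with the per-device traffic you actually capture for one polling cycle; the resulting intervals change in proportion.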

About the author: David Davis (CCIE #9369, CWNA, VCP, MCSE, CISSP, Linux+, CEH) has been in the IT industry for 15 years. Currently, he manages a group of systems/network administrators for a privately owned retail company and authors IT-related material in his spare time. He has written more than 100 articles, eight practice tests and four video courses and has co-authored one book. His Web site is
