Passive vs. Active Monitoring

Les Cottrell, Last Update: March 11, 2001.

Work partially funded by a DOE/MICS Field Work Grant for Internet End-to-end Performance Monitoring (IEPM).

Introduction

There are various approaches to monitoring the network. The two common approaches are the passive and active approaches. Both have their values and should be regarded as complementary, in fact they can be used in conjunction with one another.

Passive Monitoring

The passive approach uses devices to watch the traffic as it passes by. These devices can be special purpose devices such as a Sniffer, or OCxMon, or they can be built into other devices such as routers, switches or end node hosts. Examples of such built in techniques include Remote Monitoring (RMON), Simple Network Monitoring Protocol (SNMP) and netflow capable devices. The passive monitoring devices are polled periodically and information is collected (in the case of SNMP devices the data is extract from Management Information Bases (MIB)) to assess network performance and status.

The passive approach does not increase the traffic on the network for the measurements. It also measures real traffic. However, the polling required to collect the data and the traps and alarms all generate network traffic, which can be substantial. Further the amount of data gathered can be substantial especially if one is doing flow analysis or trying to capture information on all packets.

The passive approach is extremely valuable in network trouble-shooting, however they are limited in their ability emulate error scenarios or isolating the exact fault location.

Since the passive approach may require viewing all packets on the network, there can be privacy or security issues about how to access/protect the data gathered.

Active Monitoring

The active approach relies on the capability to inject test packets into the network or send packets to servers and applications, following them and measuring service obtained from the network. As such it does create extra traffic, and the traffic or its parameters are artificial. The volume and other parameters of the introduced traffic is fully adjustable and small traffic volumes are enough to obtain meaningful measurements. See a Comparison of some Internet Active End-to-end Performance Measurement projects for some active measurement projects.

On the other hand, the active approach provides explicit control on the generation of packets for measurement scenarios. This includes control on the nature of traffic generation, the sampling techniques, the timing, frequency, scheduling, packet sizes and types (to emulate various applications), statistical quality, the path and function chosen to be monitored. Being active implies testing what you want, when you need it. Emulation of scenarios is easy and checking if Quality of Service (QoS) or Service Level Agreements (SLAs) are met is relatively straightforward.

Both

Given the complementarity of the two mechanisms, we need to explore ways to get the best of both worlds. A possibility is for the active measurement probe to schedule passive measurements of appropriate metrics at appropriate points along the path, while the active measurements are being made. When the active measurement is completed then the appropriate passive measurements can be paused thus reducing the gathering of unnecessary data. By comparing and contrasting the active and passive measurements, the co-validity of the different measurements can be verified, and much more detailed information on carefully specified/scheduled phenomena are made available.