Passive vs. Active Monitoring
Les Cottrell,
Last Update: March 11, 2001.
There are various approaches to monitoring the network. The two
common approaches are the passive and active approaches.
Both have their value and should be regarded as complementary; in fact,
they can be used in conjunction with one another.
Passive Monitoring
The passive approach uses devices to watch the traffic as it passes by.
These devices can be special purpose devices such as a Sniffer or OCxMon,
or they can be built into other devices such as routers, switches or end
node hosts. Examples of such built-in techniques include Remote Monitoring
(RMON), Simple Network Management Protocol (SNMP) and netflow capable
devices. The passive monitoring devices are polled periodically and
information is collected (in the case of SNMP devices the data is extracted
from Management Information Bases (MIBs)) to assess network performance and
status.
The passive approach does not increase the traffic on the network for
the measurements. It also measures real traffic. However,
the polling required to collect the data
and the traps and alarms all generate network traffic, which can be
substantial. Further, the amount of data gathered can be substantial,
especially if one is doing flow analysis or trying to capture information
on all packets.
The passive approach is extremely valuable in network
trouble-shooting; however, it is limited in its ability to emulate error
scenarios or isolate the exact fault location.
Since the passive approach may require viewing all packets on the network,
there can be privacy or security issues about how to access/protect the
data gathered.
Active Monitoring
The active approach relies on the capability to inject test packets
into the network or send packets to servers and applications, following
them and measuring service obtained from the network. As such it
does create extra traffic, and the traffic or its parameters are artificial.
The volume and other parameters of the introduced traffic are fully
adjustable, and small traffic volumes are enough to obtain meaningful
measurements. See a Comparison of some Internet Active End-to-end
Performance Measurement projects for some active measurement projects.
On the other hand, the active approach provides explicit control on the
generation of packets for measurement scenarios. This includes control on
the nature of traffic generation, the sampling techniques, the timing,
frequency, scheduling, packet sizes and types (to emulate various
applications), statistical quality, the path and function chosen to be
monitored. Being active implies testing what you want, when you need it.
Emulation of scenarios is easy and checking if
Quality of Service (QoS) or Service Level Agreements (SLAs)
are met is relatively straightforward.
Both
Given the complementarity of the two mechanisms, we need to explore ways to
get the best of both worlds. A possibility is for the active measurement
probe to schedule passive measurements of appropriate metrics
at appropriate points along the path, while the active measurements
are being made. When the active measurement is completed, the
appropriate passive measurements can be paused, thus reducing the gathering
of unnecessary data. By comparing and contrasting the active and passive
measurements, the co-validity of the different measurements can be verified,
and much more detailed information on carefully specified/scheduled phenomena
is made available.
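
The scheduling idea above, as an added example that is not part of the original page: an active probe switches a passive counter on only while its test packets are in flight, then the two views are compared. The names PassiveTap, echo_server, active_probe and run_demo are hypothetical, and the monitored end node is a constructed UDP echo service on the loopback interface.

```python
import socket
import threading
import time

class PassiveTap:
    """Passive side: counts real traffic seen at an end host while enabled."""
    def __init__(self):
        self.capturing, self.packets, self.octets = False, 0, 0
    def observe(self, data):
        if self.capturing:
            self.packets += 1
            self.octets += len(data)

def echo_server(sock, tap):
    # Constructed stand-in for a monitored end node: UDP echo on loopback.
    while True:
        data, addr = sock.recvfrom(2048)
        tap.observe(data)  # counted before the echo is sent back
        sock.sendto(data, addr)

def active_probe(client, target, tap, count=5, size=64):
    """Active side: inject `count` test packets and time each round trip."""
    tap.capturing = True  # schedule the passive measurement
    rtts = []
    try:
        for seq in range(count):
            payload = seq.to_bytes(4, "big").ljust(size, b"\0")
            start = time.perf_counter()
            client.sendto(payload, target)
            reply, _ = client.recvfrom(2048)
            if reply == payload:
                rtts.append(time.perf_counter() - start)
    finally:
        tap.capturing = False  # pause it once the active test completes
    return rtts

def run_demo():
    tap = PassiveTap()
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    threading.Thread(target=echo_server, args=(srv, tap), daemon=True).start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli.settimeout(2.0)
    target = srv.getsockname()
    cli.sendto(b"unrelated traffic", target)  # before the window: not counted
    cli.recvfrom(2048)
    rtts = active_probe(cli, target, tap)
    cli.sendto(b"unrelated traffic", target)  # after the window: not counted
    cli.recvfrom(2048)
    return len(rtts), tap.packets, tap.octets
```

run_demo() returns the number of probes answered, then the packets and octets the tap recorded; matching probe and packet counts are the co-validity check, and the unrelated traffic outside the window is the data that was never gathered.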