Monitoring Basics: How to Check Network Traffic

Published by Mike Payne
Last updated on November 28, 2025

It's always DNS. Unless it's not. Then it's the network. Or perhaps the firewall?

There's a reason that monitoring network traffic is one of the first things you learn as a sysadmin. Well, after provisioning infrastructure and putting stuff in air-gapped slices of course. But network performance monitoring matters because it gives you the ability to actually prove what's wrong (or not wrong), rather than relying on second-hand tech intuition or amateur diagnostics.

Chances are the next time someone skips into your office saying 'it's really slow today,' you won't be able to replicate the exact error message that popped up in Windows. What you will hear is one of the above theories, or perhaps that the X app takes a really long time to load, Teams is wonky, or things are just "slow." Your job is to have the data you need to know whether it's a misconfigured application using up all the bandwidth, a security scan, someone using peer-to-peer file sharing, or Chris in accounting streaming 4K movies all day. To troubleshoot, you need visibility into network activity, and that means knowing how to check network traffic.

In this guide, we'll cover the basics of monitoring network traffic, then dive into how to do it properly. We'll start with simple approaches and tools like Wireshark (don't leave home without it), then work our way up to PRTG sensors that show exactly how much bandwidth is being used, where it's coming from, and other diagnostic data to help you solve real problems.

Getting Started with Network Traffic Monitoring

Network traffic measurement: the basics

First, let's cover what we mean when we say 'check network traffic.' At the most basic level, monitoring network traffic involves capturing and inspecting data packets that travel across your network. This can be done in a number of different ways and at varying levels of detail. When it comes to identifying bandwidth hogs, seeing how many gigabytes are flowing over any given network interface, or which applications are using the most network connections, traffic data is your friend.

There are also different types of network traffic data that are useful in different situations. Flow-based protocols such as NetFlow, sFlow, and IPFIX collect metadata about traffic flows or 'conversations' between IP addresses, ports, and protocols (TCP, UDP, ICMP, etc.). Flow data gives you an overview of who is talking to who and how much bandwidth each conversation is using. Packet sniffing and analysis tools, on the other hand, capture the actual data packets as they pass across a network adapter. You'll typically use flow data for bandwidth analysis or traffic pattern visibility, and packet capture for troubleshooting specific protocol behaviors or investigating potential security threats.
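To make the flow-data side of this concrete, the sketch below is an added example (not from the original article and not PRTG code) that totals bytes per source and per conversation and lists flows leaving the network on unexpected ports. The record layout, the sample flows, the internal range and the allowed egress ports are all assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "src dst proto dst_port octets")

# Constructed sample records (private and documentation address ranges only).
FLOWS = [
    Flow("10.0.1.15", "10.0.0.5", "TCP", 445, 1_200_000),
    Flow("10.0.1.15", "203.0.113.40", "TCP", 443, 9_800_000_000),
    Flow("10.0.1.22", "10.0.0.53", "UDP", 53, 48_000),
    Flow("10.0.1.22", "198.51.100.7", "TCP", 443, 350_000_000),
    Flow("10.0.1.30", "203.0.113.99", "TCP", 8081, 2_000_000),
    Flow("10.0.1.15", "203.0.113.40", "TCP", 443, 1_100_000_000),
]

INTERNAL = ip_network("10.0.0.0/8")   # assumption: internal address space
EXPECTED_EGRESS_PORTS = {80, 443}     # assumption: ports allowed to leave the network

def aggregate(flows, key):
    """Sum bytes per key and return (key, total_bytes) pairs, largest first."""
    totals = defaultdict(int)
    for flow in flows:
        totals[key(flow)] += flow.octets
    return sorted(totals.items(), key=lambda item: item[1], reverse=True)

def top_talkers(flows, n=3):
    """Sources ranked by total bytes sent."""
    return aggregate(flows, lambda f: f.src)[:n]

def top_conversations(flows, n=3):
    """(src, dst, proto, dst_port) conversations ranked by total bytes."""
    return aggregate(flows, lambda f: (f.src, f.dst, f.proto, f.dst_port))[:n]

def unexpected_egress(flows):
    """Flows to a destination outside the internal range on an unexpected port."""
    return [f for f in flows
            if ip_address(f.dst) not in INTERNAL
            and f.dst_port not in EXPECTED_EGRESS_PORTS]

if __name__ == "__main__":
    for src, total in top_talkers(FLOWS):
        print(f"{src:<12} {total / 1e9:8.2f} GB")
    for flow in unexpected_egress(FLOWS):
        print("review:", flow)
```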

Checking Network Traffic: The Three Main Approaches

So now that we know why you want to check network traffic, let's take a look at how. There are a few ways to accomplish network traffic monitoring, from a quick check with basic tools like the command line to deep packet inspection with sniffers. Let's look at the main approaches.

SNMP Traffic Monitoring

SNMP stands for Simple Network Management Protocol and you can use it to retrieve information from most managed devices, including routers, switches, and firewalls, across a network. SNMP queries can be used to poll devices and retrieve interface statistics and device status information. The main way that SNMP is used for network traffic monitoring is to determine what the network utilization is at the time when the SNMP query was run, or across a longer period of time if the data was recorded.

One of the big advantages of SNMP traffic monitoring (over something like WMI, for example) is that it's really lightweight. SNMP is also everywhere, and most network devices support it. The main disadvantage is that it tells you nothing about the application-level data being transmitted. You get the numbers, but not the content, so it's great for a general overview, but if you need more traffic details, you might want to consider…

Flow-Based Traffic Monitoring

Flow data is the next step up from SNMP and provides information about network conversations rather than just how much traffic is flowing on a network interface. This includes source and destination IP addresses, source and destination port numbers, application/protocol used (TCP, UDP, ICMP), and the amount of data sent over each flow. NetFlow, sFlow, and IPFIX are all types of flow data that network engineers use to track and troubleshoot network activity across routers, firewalls, and core switches. Flow analysis can provide the root cause diagnostics you need to really get to the bottom of performance problems, identify which apps are consuming the most bandwidth, spot unusual TCP connections to suspicious IP addresses, and improve your overall network visibility.

Flow data takes a little more processing than SNMP data and there's more data involved, so there's higher overhead on your PRTG core server. BUT, you do get more details and granularity about what is consuming network resources and generating network traffic. PRTG flow sensors work by ingesting flow data from network devices and then breaking down traffic by network protocol, source/destination IPs, data usage per flow, and other fields that your network equipment might use. But what if you want to get more specific, and summon your inner Sherlock? Then you'll want to consider…

Packet Sniffing

Packet sniffing and analysis involves capturing the actual data packets being transmitted across a network adapter and then analyzing the data inside the packets. Network engineers use packet sniffers to perform a wide variety of tasks from detailed diagnostics and troubleshooting of specific network issues to general monitoring and security monitoring.

Wireshark (seriously, don't forget it - this tool has settled more network-finger-pointing arguments than I can remember) is the de facto open-source standard for command line packet analysis tools and is available for FREE for both Linux and Microsoft Windows platforms. There are also sensor options for flow and packet sniffing in Paessler PRTG Network Monitor. The Packet Sniffer sensor is PRTG's native packet capture solution and provides a more approachable and user-friendly interface with widget-based visualization for examining network packets and TCP connections.

Packet sniffing is generally only used in specific troubleshooting scenarios since it can be quite resource-intensive. You want to limit packet capture to just those ports or IP addresses that are relevant to the problem. There's significant load involved with inspecting packets (far more than SNMP or even flow sensors) so packet sniffing is generally limited to lower bandwidth (sub 50Mbit/s) connections and deployments on isolated probe devices or SPAN ports. But if you need that level of diagnostic detail to examine network protocols at the packet level, packet sniffing is the best option.

Monitoring Network Traffic in Real-Time: Getting started with traffic monitoring in PRTG

All three of the above techniques and tools for monitoring network traffic work great when you want to spot-check activity. But what if you need visibility into activity all the time rather than just when you think there's a problem? This is where you want to be using sensors in a real-time network monitoring solution. PRTG has a number of different types of sensors that help you check network traffic using the methods we've covered above.

If you're starting network traffic monitoring from scratch in PRTG, here are some practical steps to get started:

1. List the most critical links. The very first thing you should measure is your most critical network links: your internet connection, the links between major network segments, ethernet uplinks, WiFi controllers, switches, and known bottlenecks. These should be the highest priority targets for network usage monitoring.

2. Use SNMP Traffic sensors to get visibility. Add SNMP Traffic sensors to those high-priority network interfaces. Configure SNMP on your router, firewall and switches, and add the proper authentication (community strings with no special characters - or SNMPv3) to PRTG. SNMP sensors will then contact the target device over the SNMP protocol, retrieve SNMP interface counters, and report and graph the number of bits or packets being transmitted on the network ports that you're monitoring.

3. Add flow sensors for application visibility. Next, add NetFlow, sFlow, jFlow, or IPFIX sensors to your primary router or firewall. This will give you visibility into applications, and you can see the top applications, network protocols (TCP, UDP, ICMP), and flows that are consuming bandwidth. Flow-based monitoring can help you see who the biggest bandwidth hogs are on your network (watch out Chris, we're coming for you!), track down unexpected or suspicious network connections, and proactively find security issues. PRTG can even be configured to automatically notify you if suspicious traffic patterns occur, saving you a whole bunch of time and avoiding stressful network meltdowns.

4. Observe and set baselines. Let your sensors gather data for at least a week before you do any heavy analysis, to get a sense of what's normal (getting a baseline). Then, refer to the bandwidth utilization graphs for various times of day, to determine when your peak periods are.

5. Configure actionable alerts. Set up thresholds for the important network links based on your established baseline, such as when your internet connection goes above 80% or when a specific network connection suddenly jumps. PRTG can automate actions and send alerts by email, push notifications, or even run scripts to automatically react.

6. Consider packet sniffing for troubleshooting. The Packet Sniffer sensor in PRTG is the most detailed way to inspect network traffic. Packet sniffing is different than flow data, as it enables you to capture and inspect individual packet headers and view TCP connections at the packet level. A key difference between PRTG's SNMP and packet sniffing sensors is that the SNMP sensors gather data by querying a device, while the Packet Sniffer sensor monitors traffic directly on the probe device's network card. Packet sniffing will have much more impact on a system than SNMP and flow-based monitoring, so it's generally only used for troubleshooting in low bandwidth connections (<50Mbit/s) or on dedicated monitoring probes. But when you need to see every packet and troubleshoot low-level protocol issues, packet sniffing is the best approach.

7. Download and learn to use Wireshark. OK, that's the last time I'll mention it. Promise.
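
The arithmetic behind steps 2, 4 and 5, as an added example (not PRTG's implementation and not from the original article): it turns two SNMP octet-counter readings into link utilization, copes with counter wrap and device resets, and checks a sample against the 80% limit and a baseline. The link speed, poll interval, readings and the three-sigma jump rule are assumptions.

```python
from statistics import mean, pstdev

def utilization_pct(prev, curr, interval_s, link_bps, counter_bits=64):
    """Link utilization (%) between two octet-counter readings.

    Use counter_bits=32 for ifInOctets/ifOutOctets and 64 for the ifHC* counters.
    Returns None when the result is implausible (for example the device rebooted
    and the counter reset), so a reset is not mistaken for a traffic spike.
    """
    delta = (curr - prev) % (2 ** counter_bits)        # absorbs one counter wrap
    pct = delta * 8 * 100 / (interval_s * link_bps)    # octets -> bits -> percent
    return pct if pct <= 100.0 else None

def build_baseline(history_pct):
    """Mean and standard deviation of utilization over the baseline period."""
    return mean(history_pct), pstdev(history_pct)

def evaluate(pct, base_mean, base_sd, hard_limit=80.0, sigmas=3.0):
    """Return the alert reasons that apply to one utilization sample."""
    reasons = []
    if pct > hard_limit:
        reasons.append("above_limit")
    if pct > base_mean + sigmas * base_sd:
        reasons.append("sudden_jump")
    return reasons

# Constructed readings: octet counter of a 100 Mbit/s link polled every 60 s.
LINK_BPS = 100_000_000
READINGS = [0, 150_000_000, 300_000_000, 465_000_000, 615_000_000, 1_260_000_000]

def run(readings=READINGS):
    """Utilization per interval, plus alerts for the last interval."""
    pcts = [utilization_pct(a, b, 60, LINK_BPS)
            for a, b in zip(readings, readings[1:])]
    base_mean, base_sd = build_baseline(pcts[:4])   # first four intervals as baseline
    return pcts, evaluate(pcts[-1], base_mean, base_sd)

if __name__ == "__main__":
    pcts, alerts = run()
    print([round(p, 1) for p in pcts], alerts)
```

In practice the baseline would cover the full observation week from step 4 rather than four polls.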

Final Words

Monitoring and checking network traffic doesn't have to be a guessing game. When you know how to monitor network traffic and have the right tools, you have the power to stop playing whack-a-mole with network issues and actually find and fix the root cause of network performance issues—even when that root cause turns out to be Chris in accounting's 'critical business application' that's definitely not a crypto mining rig hidden under his desk.

Want to get started? Download a free trial of PRTG and try it for yourself.

Summary

When users say "the network is slow", you want hard data to show what's wrong and stop playing the guessing game. There are three primary methods for monitoring network traffic: SNMP (lightweight bandwidth stats), flow-based monitoring (NetFlow/sFlow) to determine which applications and IPs are eating up bandwidth, and packet sniffing to really get your hands dirty for troubleshooting purposes. PRTG supports all three methods, which means you can start out with SNMP sensors on mission-critical links, incorporate flow monitoring to gain application visibility, and sniff packets if you have to really get down in the mud - or if you just have to show that Chris from accounting definitely has a crypto mining operation running.