Sunday, July 19, 2009

Comparison to other monitoring technologies

Various monitoring approaches can be used, depending on the network technology and the monitoring objective:

The simplest type of monitoring is logging in to an interesting device and running programs or commands that show performance statistics and other data. This is the cheapest way to monitor a network, and is highly appropriate for small networks. However, it does not scale well to large networks. It can also impact the network being monitored; see observer effect.

Another way to monitor devices is to use a remote management protocol such as SNMP to ask devices about their performance. This scales well, but is not necessarily appropriate for all types of monitoring. The inherent problem with SNMP is the polling effect. Many vendors have alleviated this by using intelligent polling schedulers, but polling may still affect the performance of the device being monitored. It also opens up a host of potential security problems.

Network intrusion detection systems require a lot of host resources, so it is desirable to run such software on centralized monitoring systems rather than on individual hosts. Also, politically, sometimes one group runs the network and another group runs the computers, so the group that runs the network wants to have monitoring capabilities independent of the group that runs the computers.

Another method to monitor networks is to enable promiscuous mode on the monitoring host and connect it to a shared segment. This works well with older LAN technologies such as 10BASE-T Ethernet networks and FDDI networks. On such networks, any host can automatically see what all other hosts are doing by enabling promiscuous mode. However, modern switched network technologies such as those used on modern Ethernets provide, in effect, point-to-point links between pairs of devices, so it is hard for other devices to see traffic.
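Because any host can switch an interface into promiscuous mode, it is worth auditing which interfaces actually have it enabled. The following is an added example, not part of the original text: it assumes a Linux host that exposes each interface's flags word in /sys/class/net/<iface>/flags and the IFF_PROMISC value 0x100 from <linux/if.h>; the function names and the interface names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: list interfaces in promiscuous mode and flag any that are
# not on an allow-list of sanctioned capture interfaces.

IFF_PROMISC=256   # 0x100, promiscuous bit in the interface flags word

# is_promisc FLAGS
# Succeeds if the hex flags word (e.g. 0x1103) has IFF_PROMISC set.
# Returns 2 for input that is not a 0x-prefixed hex number.
is_promisc() {
    case $1 in
        0x|0x*[!0-9a-fA-F]*) return 2 ;;
        0x*) ;;
        *) return 2 ;;
    esac
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# promisc_ifaces [DIR]
# Prints the name of every interface under DIR (default /sys/class/net)
# whose flags file has the promiscuous bit set.
promisc_ifaces() {
    dir=${1:-/sys/class/net}
    for f in "$dir"/*/flags; do
        [ -r "$f" ] || continue
        read -r flags < "$f" || continue
        if is_promisc "$flags"; then
            basename "$(dirname "$f")"
        fi
    done
}

# unexpected_promisc DIR [ALLOWED_IFACE...]
# Prints promiscuous interfaces that are NOT on the allow-list. On a
# dedicated monitoring host the capture interface is expected; on any
# other host the allow-list is normally empty.
unexpected_promisc() {
    dir=$1; shift
    for ifc in $(promisc_ifaces "$dir"); do
        ok=no
        for a in "$@"; do [ "$a" = "$ifc" ] && ok=yes; done
        [ "$ok" = yes ] || echo "$ifc"
    done
}

# Usage on a sensor whose capture port is eth1 (hypothetical name):
#   unexpected_promisc /sys/class/net eth1
```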

Another method to monitor networks is to use port mirroring (called "SPAN", for Switched Port Analyzer, by Cisco, and given other names by some other vendors) on routers and switches. This is a low-cost alternative to network TAPs, and solves many of the same problems. However, not all routers and switches support port mirroring and, on those that do, using port mirroring can affect the performance of the router or switch. These technologies may also be subject to the problem with full-duplex described elsewhere in this article, and there are often limits for the router or switch on how many pass-through sessions can be monitored, or how many monitor ports (generally two) can monitor a given session.
