Network monitoring and analysis

or who's buggered it up now!

While the concepts of networking are simple, working out why a network is not behaving as you expect can be very frustrating, as can trying to document how the network has been configured.

Network Mapping

One of the most useful places to start is with a set of well drawn network diagrams and a record of the kit used.

Except for the simplest networks, trying to diagram the entire network in one drawing usually results in an unintelligible mess. It is a big advantage if diagrams can be layered and linked.

The following list makes a reasonable starting point when deciding what diagrams are wanted. Where VPNs are in use there is the additional question of whether to diagram the virtual network, the physical network, or both.

  • Workgroup diagram, showing say all devices run off a single hub or patch panel.
  • Local network view, showing all the hubs/switches linking workgroups.
  • Router view, showing how networks are linked together.
  • WAN views, showing links between sites/countries.
  • Client views, showing how the network looks from a particular client.

In addition to being able to create and maintain diagrams, it is an advantage if a package can:

  • Discover network devices automatically
  • Map network routers from SNMP
  • Export diagrams to web servers
  • Import network data from other collection tools
  • Provide comprehensive reporting
  • Provide ODBC or SQL access to the data acquired


  • Clicknet

Network services

While the majority of devices attached to the network run mainly as clients, often with similar traffic patterns, most networks also include a number of server machines that provide specific services to the network. How these are distributed around the network can have a big impact on overall network performance.

A package with the ability to produce traffic flow webs, showing requesters and servers, greatly simplifies the process of identifying servers that have been located in the wrong place, or clients that are not configured to use the closest server!
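The requester/server "web" described above, worked through as an added example in Python. This is not code from LANDecoder32, RMONster32 or LANTracer: the flow records, the two sites (London and Leeds), their subnets and the server addresses are all constructed for the example, standing in for what an RMON probe or a switch/router flow export would supply.

```python
"""Build a requester->server traffic web from flow records and flag
clients that cross a site boundary for a service that is also served
at their own site.  Added example; the site map and flow records below
are constructed, not output of any tool named on the page."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Which subnet belongs to which site (constructed).
SITES = {
    ip_network("10.1.0.0/16"): "London",
    ip_network("10.2.0.0/16"): "Leeds",
}

# Constructed flow records: (client, server, server port, bytes).
FLOWS = [
    ("10.1.5.20", "10.1.0.10", 445, 120_000_000),   # London client -> London file server
    ("10.1.5.21", "10.1.0.10", 445,  90_000_000),
    ("10.1.5.22", "10.2.0.10", 445, 150_000_000),   # London client -> Leeds file server (wrong)
    ("10.2.7.30", "10.2.0.10", 445,  80_000_000),   # Leeds client -> Leeds file server
    ("10.2.7.31", "10.1.0.53",  53,      40_000),   # Leeds client -> London DNS (no Leeds DNS)
    ("10.1.5.20", "10.1.0.53",  53,      30_000),
]

def site_of(addr):
    """Map an address to its site name, or 'unknown' if it is in no known subnet."""
    ip = ip_address(addr)
    for net, name in SITES.items():
        if ip in net:
            return name
    return "unknown"

def build_web(flows):
    """Return {server_port: {server: {client: bytes}}}: who requests which
    service from which server, and how much traffic that generates."""
    web = defaultdict(lambda: defaultdict(dict))
    for client, server, port, nbytes in flows:
        web[port][server][client] = web[port][server].get(client, 0) + nbytes
    return web

def misplaced_clients(flows):
    """(client, server, port, bytes) for every client that talks to a server
    at another site even though the same service exists at its own site.
    A client whose only server for a service is remote is not flagged:
    that is a server-placement question, not a client-configuration one."""
    web = build_web(flows)
    findings = []
    for port, servers in web.items():
        sites_with_server = {site_of(s) for s in servers}
        for server, clients in servers.items():
            for client, nbytes in clients.items():
                csite, ssite = site_of(client), site_of(server)
                if csite != ssite and csite in sites_with_server:
                    findings.append((client, server, port, nbytes))
    return sorted(findings)

def bytes_by_site_pair(flows):
    """Total bytes per (client site, server site); the off-diagonal cells
    are the traffic that has to cross the WAN links."""
    totals = defaultdict(int)
    for client, server, _port, nbytes in flows:
        totals[(site_of(client), site_of(server))] += nbytes
    return dict(totals)

if __name__ == "__main__":
    for client, server, port, nbytes in misplaced_clients(FLOWS):
        print("client %s uses %s:%d at another site (%d bytes)" % (client, server, port, nbytes))
    for pair, total in sorted(bytes_by_site_pair(FLOWS).items()):
        print(pair, total)
```

The London client that has been pointed at the Leeds file server shows up as the only misplaced client; the Leeds client using London DNS does not, because Leeds has no DNS server of its own in this data, which is the "server in the wrong place" case rather than the "client not using the closest server" case.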


  • LANDecoder32
  • RMONster32
  • LANTracer

Traffic monitoring

Traffic monitoring at its simplest consists of counting the amount of data transferred across a network segment, so that you can build up a historical record of how busy a segment has been in proportion to its available bandwidth.

This sort of record can be used either to estimate growth and future requirements or to detect unusual events.

The sort of data required is available via SNMP/RMON from most routers and network switches. Note that routers generally report data received from a network segment and data transmitted to a network segment.

Switches within a network often record three values per port: data transmitted on the port, data received on the port, and data that was received and forwarded.
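Turning the raw SNMP counters into the "busy in proportion to bandwidth" record described above, as an added example in Python (not code from MRTG or any device). It assumes the standard MIB-II interface counters, ifInOctets and ifOutOctets, which are 32-bit Counter32 objects and therefore wrap; at 10 Mbit/s a 32-bit octet counter wraps roughly every hour, at 100 Mbit/s every few minutes, so the wrap has to be handled or the graph shows a huge negative spike. The counter samples and the baseline history are constructed for the example.

```python
"""Turn interface octet counters (ifInOctets/ifOutOctets as polled via
SNMP) into per-interval utilisation, and flag intervals that are unusual
against a historical baseline.  Added example; the samples and baseline
below are constructed, not output of MRTG or any device."""
from statistics import mean, pstdev

COUNTER32_MAX = 2**32     # ifInOctets / ifOutOctets are Counter32
COUNTER64_MAX = 2**64     # ifHCInOctets / ifHCOutOctets are Counter64

LINK_SPEED_BPS = 10_000_000   # a 10 Mbit/s segment (assumed)

# Constructed poll results: (seconds since start, ifInOctets, ifOutOctets).
# The inbound counter wraps between the first and second poll.
SAMPLES = [
    (0,   4_294_000_000, 1_000_000),
    (300,    29_032_704, 2_500_000),
    (600,    59_032_704, 4_000_000),
]

# Constructed baseline: utilisation seen at this hour on previous days.
HISTORY = [0.05, 0.06, 0.05, 0.07, 0.06, 0.05]

def counter_delta(prev, cur, width=COUNTER32_MAX):
    """Octets counted between two polls, allowing for one counter wrap.
    Two wraps in one interval cannot be detected: poll more often or use
    the 64-bit HC counters on fast links."""
    if cur >= prev:
        return cur - prev
    return (width - prev) + cur

def utilisation(prev_octets, cur_octets, interval_s, if_speed_bps):
    """Fraction of link capacity used in one direction over the interval."""
    bits = counter_delta(prev_octets, cur_octets) * 8
    return bits / (interval_s * if_speed_bps)

def sample_utilisation(samples, if_speed_bps):
    """From a list of (t, ifInOctets, ifOutOctets) polls return a list of
    (t, in_utilisation, out_utilisation), one per interval."""
    result = []
    for (t0, in0, out0), (t1, in1, out1) in zip(samples, samples[1:]):
        dt = t1 - t0
        result.append((t1,
                       utilisation(in0, in1, dt, if_speed_bps),
                       utilisation(out0, out1, dt, if_speed_bps)))
    return result

def unusual(values, history, sigmas=3.0):
    """Indices of values more than `sigmas` standard deviations above the
    mean of the baseline, i.e. candidates for an 'unusual event'."""
    mu, sd = mean(history), pstdev(history)
    return [i for i, v in enumerate(values) if v > mu + sigmas * sd]

if __name__ == "__main__":
    for t, u_in, u_out in sample_utilisation(SAMPLES, LINK_SPEED_BPS):
        print("t=%4ds in=%5.1f%% out=%5.1f%%" % (t, u_in * 100, u_out * 100))
    print("unusual intervals:", unusual([0.30, 0.06, 0.05], HISTORY))
```

With the wrap handled, both intervals come out at 8% inbound and 0.4% outbound; without it the first interval would be reported as a large negative number. The baseline check is the simplest form of "detecting unusual events": compare each interval with the same interface at the same time of day on previous days, not with the whole history.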

  • MRTG

ISDN/PSTN call monitoring

Where links are paid for per call or per usage, such as Frame Relay over ISDN circuits, it can be especially useful to monitor items such as call duration, telephone number blacklists and the number of calls.

An added bonus is being able to set alarm thresholds based on calls per hour, or minutes of uptime per hour or per day.
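The thresholds just listed, applied to a dial-on-demand router's call log, as an added example in Python. It is not code from any product named on this page; the log line format ("start time, number dialled, duration in seconds"), the blacklist and the threshold values are all assumptions made for the example. A router that dials every quarter of an hour is a flapping link costing money; a call to a number not on the expected list is the classic sign of a misconfigured dial map or toll fraud.

```python
"""Check a dial-on-demand router's call log against alarm thresholds:
calls per hour, minutes connected per hour and per day, and a blacklist
of telephone numbers.  Added example; the log, its line format, the
blacklist and the thresholds are constructed/assumed."""
from collections import defaultdict
from datetime import datetime

# Constructed log: "<ISO start time> <number dialled> <duration in seconds>"
CALL_LOG = """\
1999-03-02T09:02:11 01234567890 185
1999-03-02T09:17:40 01234567890 60
1999-03-02T09:31:05 01234567890 62
1999-03-02T09:44:50 01234567890 59
1999-03-02T09:58:02 01234567890 61
1999-03-02T14:10:00 01234567890 5400
1999-03-02T23:41:13 00990012345 840
"""

BLACKLIST = {"00990012345"}    # numbers the router should never dial (assumed)
MAX_CALLS_PER_HOUR = 4         # more than this suggests a flapping link
MAX_MINUTES_PER_HOUR = 45
MAX_MINUTES_PER_DAY = 100

def parse_log(text):
    """List of (start datetime, number, seconds) from the constructed format."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, number, secs = line.split()
        calls.append((datetime.fromisoformat(start), number, int(secs)))
    return calls

def check_calls(calls):
    """Return a sorted list of (when, alarm text).  A call is charged to the
    hour and day in which it started; a call spanning midnight is not
    split across days, which is a simplification."""
    per_hour_calls = defaultdict(int)
    per_hour_mins = defaultdict(float)
    per_day_mins = defaultdict(float)
    alarms = set()
    for start, number, secs in calls:
        hour = start.strftime("%Y-%m-%d %H:00")
        day = start.strftime("%Y-%m-%d")
        per_hour_calls[hour] += 1
        per_hour_mins[hour] += secs / 60
        per_day_mins[day] += secs / 60
        if number in BLACKLIST:
            alarms.add((start.isoformat(), "blacklisted number %s dialled" % number))
    for hour, n in per_hour_calls.items():
        if n > MAX_CALLS_PER_HOUR:
            alarms.add((hour, "%d calls in one hour" % n))
    for hour, mins in per_hour_mins.items():
        if mins > MAX_MINUTES_PER_HOUR:
            alarms.add((hour, "%.0f minutes up in one hour" % mins))
    for day, mins in per_day_mins.items():
        if mins > MAX_MINUTES_PER_DAY:
            alarms.add((day, "%.0f minutes up in one day" % mins))
    return sorted(alarms)

if __name__ == "__main__":
    for when, text in check_calls(parse_log(CALL_LOG)):
        print(when, text)
```

On the constructed log this raises four alarms: five calls in the 09:00 hour (the flapping link), 90 minutes up in the 14:00 hour, 111 minutes up for the day, and the late-night call to the blacklisted number.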

Packet Capture and analysis

Where network performance seems to be a problem, or problems are encountered with an application, it may be necessary to capture the packets transmitted and analyse them in order to establish the cause of the problem.

There are a number of programs and custom diagnostic instruments that can capture packets. These vary greatly both in their flexibility as to which packets they capture and in whether they can analyse them to determine the application that created them and what it was doing.
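What a capture-and-analyse tool does at its core, as an added example in Python (not code from tcpdump, tcptrace or iptrace): read the standard tcpdump/libpcap file format, pick out the TCP/IPv4 frames, and time each connection's three-way handshake from the SYN to the SYN/ACK. The timing is the point: a handshake RTT of a few milliseconds is only visible because libpcap records microseconds, which is exactly what a tool that timestamps to the nearest second cannot show. The capture is built in-line from constructed frames rather than read from a file; only the little-endian 0xa1b2c3d4 magic and Ethernet link type are handled, other variants are rejected.

```python
"""Minimal reader for tcpdump/libpcap capture files that times the TCP
three-way handshake per connection to microsecond precision.  Added
example, not code from tcpdump or tcptrace; the capture is constructed
in-line (addresses, ports and timestamps are made up for the example)."""
import struct
from ipaddress import ip_address

PCAP_MAGIC = 0xA1B2C3D4      # little-endian, microsecond timestamps
LINKTYPE_ETHERNET = 1
TCP_SYN, TCP_ACK = 0x02, 0x10

def build_tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0):
    """Ethernet + IPv4 + TCP header with no payload.  Checksums are left
    zero: fine for feeding a parser, not for sending on a wire."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp

def build_pcap(records):
    """records: iterable of (seconds, microseconds, frame bytes)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (timestamp, src, dst, sport, dport, tcp_flags) for every
    TCP/IPv4 frame in a little-endian, Ethernet libpcap file."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header (byte order or link type)")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 14 + 20 + 20 or frame[12:14] != b"\x08\x00":
            continue                        # not IPv4, or truncated
        ihl = (frame[14] & 0x0F) * 4
        if frame[14 + 9] != 6:
            continue                        # not TCP
        src = str(ip_address(frame[14 + 12:14 + 16]))
        dst = str(ip_address(frame[14 + 16:14 + 20]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield (sec + usec / 1e6, src, dst, sport, dport, tcp[13])

def handshake_rtts(packets):
    """Map (client, server, client port, server port) -> seconds from the
    SYN to the matching SYN/ACK.  A SYN that is never answered maps to None,
    which is itself a useful finding (filtered port, dead server)."""
    pending, rtts = {}, {}
    for ts, src, dst, sport, dport, flags in packets:
        if flags & TCP_SYN and not flags & TCP_ACK:
            pending[(src, dst, sport, dport)] = ts
            rtts[(src, dst, sport, dport)] = None
        elif flags & TCP_SYN and flags & TCP_ACK:
            key = (dst, src, dport, sport)      # the reverse direction
            if key in pending:
                rtts[key] = ts - pending.pop(key)
    return rtts

# Constructed capture: one complete handshake and one unanswered SYN.
CAPTURE = build_pcap([
    (920000000, 0,      build_tcp_frame("10.1.5.20", "10.1.0.10", 40000, 445, TCP_SYN, seq=1)),
    (920000000, 12500,  build_tcp_frame("10.1.0.10", "10.1.5.20", 445, 40000, TCP_SYN | TCP_ACK, seq=900, ack=2)),
    (920000000, 12800,  build_tcp_frame("10.1.5.20", "10.1.0.10", 40000, 445, TCP_ACK, seq=2, ack=901)),
    (920000001, 500000, build_tcp_frame("10.1.5.21", "10.2.0.10", 40001, 445, TCP_SYN, seq=1)),
])

if __name__ == "__main__":
    for conn, rtt in handshake_rtts(parse_pcap(CAPTURE)).items():
        print(conn, "no SYN/ACK seen" if rtt is None else "%.1f ms" % (rtt * 1000))
```

Real captures add complications this reader ignores on purpose (VLAN tags, IP options beyond the header length, retransmitted SYNs, big-endian and nanosecond file variants), but the 24-byte global header, 16-byte per-record header and microsecond timestamp are the format tcptrace and similar tools read.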



Network administrator's toolkit, runs on Windows 95, Windows 98 and Windows NT. Provides tools for diagramming and documenting an office network. Also includes a servlet that may be loaded on PCs on the network to return additional information to the administrator's PC.

Diagrams may be exported as HTML, GIF or JPG files for a web server, or as PostScript files.

The data collected is made available to other programs via an ODBC interface.


  • PC with Win95/98 or NT


iptrace

AIX system program giving basic packet capture.


ipreport

AIX system program that produces a report from the packets captured by iptrace. The report is adequate for identifying what packets are being sent, but is not up to tracing performance problems, as packets are only timed to the nearest second.


Commercial network analysis program from Triticom.

LANdecoder SNMP Manager

Commercial SNMP network management program from Triticom. Integrates with LANDecoder32.


MRTG (Multi Router Traffic Grapher)

Tool for collecting router traffic data via SNMP and producing HTML files containing summary traffic data, with the traffic graphs as GIF files.

It is very good at watching the traffic on devices such as switches with a fixed number of interfaces. However it is not so good at watching ISDN-based routers such as the Bay Networks Nautica range, where what you really want to track is the data/phone calls to a remote site, not how much each ISDN interface was used!

Used for baseline monitoring it gives a very good picture of the traffic flow around the network, in a very easily distributed format.


  • Web server
  • Perl
  • gd
  • zlib


Remote RMON probe from Triticom.


This is an extension module for Tcl/Tk to facilitate the writing of network management applications. It can:

  • send and receive ICMP packets
  • query the Domain Name System (DNS)
  • access UDP sockets from Tcl
  • probe and use some selected SUN RPCs
  • retrieve and serve documents via HTTP
  • send and receive SNMP messages (SNMPv1, SNMPv2USEC, SNMPv2C)
  • write special purpose SNMP agents in Tcl
  • parse and access SNMP MIB definitions
  • schedule jobs that are to be done regularly
and for some OSI folks there is some optional code to
  • parse and access GDMO MIB definitions
  • invoke CMIP operations based on the osimis/isode toolkit



  • tk
  • tcl
  • GNU flex



  • Kernel support for bpf
  • ncurses


AIX 4.x comes with a copy of tcpdump. The resulting log file describes itself in its header as version 2.2, record format 6, but the current public domain version of tcptrace does not support this format.

Shipped as part of



tcptrace is a TCP connection analysis tool. It can tell you detailed information about TCP connections by sifting through dump files. The dump file formats supported are:

  • Sun's snoop format
  • Standard tcpdump format (you need pcap library)
  • Macintosh Etherpeek format
  • HP/NetMetrix protocol analysis format



  • xplot (required for graphical output)
  • pcap library (required for tcpdump format)
  • GNU bison
  • GNU flex


A network diagram editor.

Shipped as part of the Scotty distribution.


  • Mailing list


  • Scotty
  • tk
  • tcl


See also...

  • Tcl/Tk Mirror sites
  • Network Associates Sniffer TNV White paper Library