
1.3 Active and Passive Monitoring

Describe active and passive monitoring (RFC 7276 and RFC 7799)

This section covers the principles of active and passive monitoring techniques as defined in RFC 7276 and RFC 7799.

Active Monitoring

Active monitoring involves injecting test traffic into the network to measure performance metrics.

RFC 7276 defines several key terms related to active network monitoring:

  • Active Measurement - A form of measurement that relies on packets or sequences of packets that are transmitted across a network to permit a measurement to be performed.

  • Active Metric - A metric calculated from an active measurement performed across the path between two points, using probe packets.

  • Active Measurement System - A system that performs active measurements.

  • Probe Packet - A packet transmitted across a network to permit an active measurement to be performed.

  • Synthetic Traffic - Traffic generated by an active measurement system and transmitted into a network to perform measurements.

Active Monitoring Characteristics

Active monitoring relies on injecting dedicated measurement packet streams into the network solely for measurement purposes. This approach generates additional test traffic on the network. Active monitoring allows for the measurement of end-to-end or partial path performance and provides the capability to test specific protocols or services by generating appropriate test packets. It offers greater control over the sampling time and frequency of measurements. Some examples of active monitoring protocols include ping, traceroute, OWAMP, and TWAMP.
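To make the active side concrete, here is an added example (not from the page or either RFC) of a two-way measurement in the spirit of TWAMP: a sender injects sequence-numbered, timestamped UDP probes, a constructed in-process reflector on localhost echoes them back, and the sender derives the loss, delay and jitter metrics listed in the comparison. The probe wire format, the ephemeral port and the jitter definition (mean absolute RTT change between consecutive probes) are assumptions, not TWAMP's own.

```python
import socket, struct, threading, time

PROBE = struct.Struct("!IQ")  # probe packet: sequence number, sender timestamp (ns)

def reflector(sock, expected):
    """Stand-in for a TWAMP-like Session-Reflector: echo each probe back to its sender."""
    for _ in range(expected):
        try:
            data, addr = sock.recvfrom(PROBE.size)
        except socket.timeout:
            return
        sock.sendto(data, addr)

def compute_metrics(sent, rtts_ms):
    """Active metrics for one probe stream: loss, mean RTT and jitter (mean absolute
    difference between consecutive received probes' RTTs). rtts_ms: seq -> RTT in ms."""
    received = sorted(rtts_ms)
    lost = sent - len(received)
    if not received:  # every probe lost: nothing to average
        return {"sent": sent, "received": 0, "loss_pct": 100.0, "rtt_ms": None, "jitter_ms": None}
    rtt_avg = sum(rtts_ms.values()) / len(received)
    deltas = [abs(rtts_ms[b] - rtts_ms[a]) for a, b in zip(received, received[1:])]
    jitter = sum(deltas) / len(deltas) if deltas else 0.0
    return {"sent": sent, "received": len(received), "loss_pct": 100.0 * lost / sent,
            "rtt_ms": round(rtt_avg, 3), "jitter_ms": round(jitter, 3)}

def measure(probes=20, timeout=0.5):
    """Session-Sender role: inject timestamped probes one at a time and collect RTTs.
    The reflector here is a constructed thread on localhost, not a real TWAMP peer."""
    refl = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    refl.bind(("127.0.0.1", 0))  # ephemeral port; assumption: loopback is available
    refl.settimeout(timeout)
    threading.Thread(target=reflector, args=(refl, probes), daemon=True).start()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.settimeout(timeout)
    rtts = {}
    for seq in range(probes):
        sender.sendto(PROBE.pack(seq, time.monotonic_ns()), refl.getsockname())
        try:
            data, _ = sender.recvfrom(PROBE.size)
        except socket.timeout:
            continue  # no reply within the timeout: counted as loss
        rseq, sent_ns = PROBE.unpack(data)
        rtts[rseq] = (time.monotonic_ns() - sent_ns) / 1e6  # ms
    return compute_metrics(probes, rtts)

if __name__ == "__main__":
    print(measure())
```

Because the probes are synthetic, the sender controls how many are sent and how often, which is exactly the sampling control the text attributes to active methods.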

Passive Monitoring

Passive monitoring relies on observing existing traffic as it passes through the network, without injecting any test packets.

RFC 7799 defines several key terms related to passive network monitoring:

  • Passive Measurement - A form of measurement that does not depend on packets or sequences of packets injected into the network being measured.

  • Observation Point - A location in the network where packets can be observed for passive measurement purposes.

  • Observation Domain - The set of all observation points within a network at which passive measurements are made.

  • Flow - A sequence of packets that have some set of packet header values in common.

  • Flow Record - A data record containing information about a specific flow that was constituted and observed at an observation point.

  • Flow Key - A specific combination of packet header values used to define a flow.

Passive Monitoring Characteristics

Passive monitoring relies on observing existing packet streams as they naturally occur in the network, serving measurement purposes without the need for injected test traffic. This approach monitors real user traffic and behavior, providing insights without disrupting network operations. It allows for the measurement of various metrics such as traffic volume and the mix of applications and protocols in use. However, it requires sufficient levels of real traffic to be effective and cannot test specific protocols on demand. Deployment typically involves tapping into network links or configuring span ports on switches. Passive monitoring can encompass all traffic or use sampling techniques to reduce overhead. Examples of protocols used for passive monitoring include IPFIX, sFlow, and PSAMP.
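The passive side, as an added example that is not from the page or any RFC implementation: packets seen at one observation point (a constructed sample) are grouped by a 5-tuple flow key into flow records, optionally with 1-in-N packet sampling, and the records are then summarized into a traffic mix by service. The tuple layout and the lower-port service heuristic are assumptions, not the IPFIX or sFlow encodings.

```python
from dataclasses import dataclass

# Constructed sample of packets seen at one observation point (a tap or SPAN port):
# (timestamp_s, src_ip, dst_ip, proto, src_port, dst_port, octets)
OBSERVED = [
    (0.00, "10.0.0.5", "198.51.100.10", "tcp", 51234, 443, 74),
    (0.01, "198.51.100.10", "10.0.0.5", "tcp", 443, 51234, 74),
    (0.02, "10.0.0.5", "198.51.100.10", "tcp", 51234, 443, 1500),
    (0.03, "10.0.0.5", "192.0.2.53", "udp", 40000, 53, 64),
    (0.04, "192.0.2.53", "10.0.0.5", "udp", 53, 40000, 120),
    (0.05, "10.0.0.5", "198.51.100.10", "tcp", 51234, 443, 1500),
    (0.06, "10.0.0.9", "198.51.100.10", "tcp", 40001, 443, 74),
    (0.07, "10.0.0.5", "198.51.100.10", "tcp", 51234, 443, 1500),
]

@dataclass
class FlowRecord:
    """What an exporter would report per flow: counters plus first/last observation times."""
    key: tuple
    packets: int = 0
    octets: int = 0
    first_seen: float = 0.0
    last_seen: float = 0.0

def constitute_flows(packets, sample_rate=1):
    """Group observed packets into flow records keyed by the unidirectional 5-tuple.
    sample_rate=N keeps 1-in-N packets (count-based sampling as in sFlow/PSAMP)."""
    flows = {}
    for i, pkt in enumerate(packets):
        if i % sample_rate:
            continue  # packet not selected by the sampler
        ts, octets = pkt[0], pkt[6]
        key = pkt[1:6]  # flow key: src_ip, dst_ip, proto, src_port, dst_port
        rec = flows.get(key)
        if rec is None:
            rec = flows[key] = FlowRecord(key, first_seen=ts)
        rec.packets += 1
        rec.octets += octets
        rec.last_seen = ts
    return flows

def traffic_mix(flows, sample_rate=1):
    """Octets per service (proto, lower port), scaling sampled counts back up by N.
    Taking the lower port as the service port is a heuristic, not an RFC rule."""
    mix = {}
    for (_src, _dst, proto, sport, dport), rec in flows.items():
        service = (proto, min(sport, dport))
        mix[service] = mix.get(service, 0) + rec.octets * sample_rate
    return mix
```

Running it with sample_rate=2 on the same packets shows the trade-off the text describes: fewer records and less overhead, but short flows can vanish entirely from the sampled view.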

Hybrid Methods

Instead of being completely separate approaches, active and passive monitoring techniques can be combined as hybrid methods. For example, you could add measurement fields to an existing data stream, or attach measurement traffic onto already existing data streams.

Comparison

This table summarizes the key differences between active and passive monitoring:

| Feature | Active Monitoring | Passive Monitoring |
| --- | --- | --- |
| Test traffic | Sends out simulated traffic | Observes real user traffic |
| Network impact | Adds extra work for the network | No impact on existing traffic |
| Metrics measured | Delay, data loss, jitter, reachability | Traffic volume, traffic types, network usage |
| Sampling control | Controlled testing frequency | Depends on actual traffic levels |
| Setup requirements | Needs dedicated testing endpoints | Needs a network tap or span port |
| Troubleshooting | Can test specific problems on demand | Provides a broad view but needs enough traffic |
| Standards | RFC 4656 (OWAMP), RFC 5357 (TWAMP) | RFC 7011 (IPFIX), RFC 3176 (sFlow) |

To get a complete picture of network performance and stability, it's best to use both active and passive monitoring.

Resources

Sample Questions

1.3 Question 1

Which of the following is an example of active monitoring in network performance management?

  • A) Analyzing SNMP data to observe interface utilization on a router
  • B) Capturing packets on a network segment to identify the top talkers
  • C) Sending a continuous ping from one office to another to measure latency
  • D) Collecting NetFlow records to analyze traffic patterns over time

1.3 Question 2

What is a primary advantage of passive monitoring over active monitoring?

  • A) Passive monitoring can measure the network's performance under synthetic conditions.
  • B) Passive monitoring can provide real-time data on network performance without adding traffic to the network.
  • C) Passive monitoring allows for the generation of test traffic to simulate user behavior.
  • D) Passive monitoring can directly measure the performance of specific network services or protocols.