Passive vs Active

From GEANT2-JRA1 Wiki

The reason we do network monitoring in the first place is to find answers to questions about what is happening with user data in the network and what shape the network is in. Examples of such questions follow (feel free to add more questions that you have stumbled upon in your network):

  • How long does it take to transport user data?
  • How many packets get lost?
  • What is the available bandwidth and how does it fluctuate?
  • Why is my TCP connection slow on this fast network?
  • What applications are people using most? (Is our academic network loaded by movie sharing?)
  • What is the performance of the DNS system?
  • Are there viruses or worms being spread in the network?
  • Is somebody carrying out an attack on the network?

There are two general approaches to network monitoring:

  • active monitoring - we send test packets into the network and observe what happens to them
  • passive monitoring - we observe existing user traffic

In principle, active monitoring is a probe into the network, whereas passive monitoring is a watch on the network. The problem with the probe is that we only know what is happening to our probe; we do not know what is happening to user traffic, which in most cases has a completely different volume and dynamics than our probe. Moreover, we do not know what user traffic is out there. Nevertheless, a probe is an efficient and precise method for measuring certain properties of the network, such as one-way or round-trip delay. However, if we go over the list of questions above, we can see that many of them can only be answered by observing user traffic. Therefore, we need to use both approaches to get a complete view of what is happening in our network.
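The contrast above, as an added example that is not part of the wiki page: an active probe answers the delay and loss questions for its own test packets, while a passive pass over user traffic answers the application-mix question and shows that user flows can suffer a loss the probe never sees. Both record sets are constructed, and the port-to-application table is a deliberately simplified assumption.

```python
"""Active probe vs passive observation on constructed records."""
from collections import Counter
from statistics import mean

# Constructed active-probe log: (seq, send_ts, recv_ts) in seconds;
# recv_ts is None when the test packet never came back.
PROBES = [(1, 0.000, 0.012), (2, 1.000, 1.011), (3, 2.000, None),
          (4, 3.000, 3.013), (5, 4.000, 4.012)]

# Constructed passive records of user packets: (proto, dst_port, bytes,
# retransmitted).  The retransmitted flag stands in for what a passive
# TCP analyser would infer from sequence numbers.
PACKETS = [("tcp", 443, 1400, False), ("tcp", 443, 1400, True),
           ("tcp", 443, 1400, False), ("udp", 53, 80, False),
           ("udp", 53, 80, False), ("tcp", 6881, 1400, False),
           ("tcp", 6881, 1400, True), ("tcp", 6881, 1400, False),
           ("tcp", 6881, 1400, False), ("tcp", 80, 600, False)]

# Simplified assumption: one well-known port per application.
PORT_TO_APP = {443: "https", 80: "http", 53: "dns", 6881: "bittorrent"}


def active_stats(probes):
    """Loss and mean one-way delay as seen by the test packets only."""
    delays = [recv - sent for _, sent, recv in probes if recv is not None]
    lost = sum(1 for _, _, recv in probes if recv is None)
    return {"loss_pct": 100.0 * lost / len(probes),
            "mean_delay_ms": round(1000.0 * mean(delays), 1)}


def passive_stats(packets):
    """Application byte share and TCP retransmission rate in user traffic."""
    bytes_by_app = Counter()
    tcp_total = tcp_retx = 0
    for proto, port, size, retx in packets:
        bytes_by_app[PORT_TO_APP.get(port, f"{proto}/{port}")] += size
        if proto == "tcp":
            tcp_total += 1
            tcp_retx += int(retx)
    total = sum(bytes_by_app.values())
    share = {app: round(100.0 * b / total, 1)
             for app, b in bytes_by_app.most_common()}
    return {"app_share_pct": share,
            "tcp_retx_pct": round(100.0 * tcp_retx / tcp_total, 1)}


if __name__ == "__main__":
    print("active probe :", active_stats(PROBES))
    print("passive watch:", passive_stats(PACKETS))
```

The probe reports its own loss and delay, but only the passive pass reveals which application dominates the link and that user TCP flows retransmit at a different rate than the probe lost packets.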
