- Device-based – review the packet traffic registered at the critical ports of a suspected switch or router, either manually or using a network management system. Determine the coarse-grained flows over the periods of concern and compare them against the rated capacities. Depending on the technology used, it may also be possible to calculate utilization levels based on the packet counts at each device and even project end-to-end utilization on certain paths.
HP's OpenView would be a high-end example and What's Up Gold would be a cheaper but effective alternative.
- Passive – "sniff" packets at a point on a critical path such as a firewall, router or switch. Determine the coarse-grained flows over the periods of concern and compare them against the rated capacities. If the sniffing technology provides performance analysis capabilities, it may also be able to calculate projected utilization levels based on the behaviors of certain flows that it has detected. Certain passive technologies can be very effective at defining utilization relative to a particular point on the network.
Sniffer would be an example of a point traffic measurement technology. It also supports a distributed view that is more end-to-end when multiple sniffer units are implemented.
- Flooding – using a flooding type technology, determine how heavy a flow (i.e. the available bandwidth) can be applied before saturation (loss) takes place. The available bandwidth, compared with the rated bandwidth, indicates the overall utilization.
This has several drawbacks though – it typically "clobbers" the existing traffic. And as a consequence it may give measures that are unrealistic. So it can't be used in most active networks. It really is better at stressing networks to identify weaknesses.
SmartBits or AdTech hardware units represent such a technology. There are also software versions, including the open source iPerf application. A unit is required at both ends of the path to be measured.
- Active probing – use a performance analysis technology that sends non-intrusive sampling probes across critical paths. It measures the effective utilization as perceived by an application based on how the probes are affected by the traffic that is present. Some systems are two-ended (meaning agents are deployed at both ends) and measure one-way; other approaches assume that you don't have access to the far end and/or you can't support the overhead of instrumenting your entire network with agents, and do two-way measures that do not require agents.
This approach measures anything that is congestion-like. That is, effects other than cross-traffic are included in the measure. To the application, this is the effective utilization level, but it is important not to assume that you are only looking at traffic effects. For example, some routers that have been given filtering duties (against virus attacks for instance) introduce traffic-like effects by slowing packets down. If you are just trying to calculate the number of packets on the wire, this may not be helpful – but if you are interested in resolving problems of any sort related to congestion, then this is a good way to go.
Our own AppareNet is an example of the two-way/agentless type of performance analysis approach.
NOTE: I am NOT unbiased – I tend to use AppareNet-style technologies for this kind of problem since I work on them and prefer the end-to-end, application-view approach.
As mentioned, how you approach the problem depends on what you have access to. You usually use what you have on hand. And less sophisticated technologies mean more time spent on the problem.
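For the device-based approach, the comparison against rated capacity can be worked out by hand from two polls of a port's traffic counters. The following is an added example, not part of the original answer or any product named here; it assumes the device exposes cumulative octet counters (such as IF-MIB's ifInOctets/ifHCInOctets), a full-duplex link where each direction is compared to the rated speed, and constructed sample values.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    t: float         # poll time in seconds
    in_octets: int   # cumulative bytes received on the port
    out_octets: int  # cumulative bytes sent on the port

def delta(prev, curr, bits):
    """Counter difference, allowing for a single wrap of a bits-wide counter."""
    return curr - prev if curr >= prev else curr + (1 << bits) - prev

def utilization(a, b, rated_bps, counter_bits=64):
    """Percent of rated capacity used (in, out) between two polls."""
    dt = b.t - a.t
    if dt <= 0:
        raise ValueError("samples must be in time order")
    # A counter can wrap more than once if the poll gap exceeds the time a
    # saturated link needs to fill it; the delta is then meaningless.
    if dt >= (1 << counter_bits) * 8 / rated_bps:
        raise ValueError("poll interval too long for this counter width")
    pct = lambda d: 100.0 * d * 8 / (dt * rated_bps)
    return (pct(delta(a.in_octets, b.in_octets, counter_bits)),
            pct(delta(a.out_octets, b.out_octets, counter_bits)))

def busy_intervals(samples, rated_bps, threshold_pct=80.0, counter_bits=64):
    """Intervals where either direction reaches threshold_pct of capacity."""
    flagged = []
    for a, b in zip(samples, samples[1:]):
        i, o = utilization(a, b, rated_bps, counter_bits)
        if max(i, o) >= threshold_pct:
            flagged.append((a.t, b.t, round(i, 1), round(o, 1)))
    return flagged

# Constructed polls: 100 Mbit/s port, 32-bit counters, 60 s apart.
# The inbound counter wraps between the first two polls.
SAMPLES = [
    Sample(0, 4_294_000_000, 1_000_000),
    Sample(60, 674_032_704, 76_000_000),
    Sample(120, 824_032_704, 113_500_000),
]

if __name__ == "__main__":
    for row in busy_intervals(SAMPLES, 100_000_000, counter_bits=32):
        print(row)
```

A device reboot resets the counters and looks like a wrap to this code, so a poll that spans a restart should be discarded before the calculation.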
Here's a Q&A where I discuss several approaches to identify unexplained bandwidth utilization:
Chief Scientist for Apparent Networks, Loki Jorgenson, PhD, has been active in computation, physics and mathematics, scientific visualization, and simulation for over 18 years. Trained in computational physics at Queen's and McGill universities, he has published in areas as diverse as philosophy, graphics, educational technologies, statistical mechanics, logic and number theory. Also, he acts as Adjunct Professor of Mathematics at Simon Fraser University where he co-founded the Center for Experimental and Constructive Mathematics (CECM). He has headed research in numerous academic projects from high-performance computing to digital publishing, working closely with private sector partners and government. At Apparent Networks Inc., Jorgenson leads network research in high performance, wireless, VoIP and other application performance, typically through practical collaboration with academic organizations and other thought leaders such as BCnet, Texas A&M, CANARIE, and Internet2. www.apparentnetworks.com
This was first published in May 2006