Page 426 - Handbook of Modern Telecommunications
Network Management and Administration 3-217
3.8.7.3.2 Software versus Hardware Probes
This holds in general, not only in this case: software is more flexible but carries some overhead, while
hardware is faster and carries none. If software is the choice, the consequences are:
• Easier to reconfigure and to add new capabilities, such as:
  • Extraction of content intercept information
  • Decoding of tunnels
  • New protocol metadata
• Potential for recycling
If hardware is preferred, the consequences are:
• Can the probe scale much more cost effectively?
• Has a very limited upgrade path
• Potential for better availability/reliability
• The only viable solution for active probes
Service MONitoring (SMON) is just a simple way of standardizing the controlling of port-mirroring
sessions in a switched environment. In the hub environment, port-mirroring is not necessary because
every LAN connection receives all the data. In a switched environment, however, switch vendors have
been implementing port-mirroring, which allows the switch to copy all the data from specific ports
to a monitoring device in addition to forwarding to the real targeted destination. The way to control
port-mirroring is mostly vendor specific. SMON allows a standard, SNMP-based method for setting up
and clearing port-mirroring sessions. While this has been implemented by various vendors to support
SNMP-based port-mirroring on the switch and SMON-based port-mirroring control from the management
station, the generic monitoring market did not change significantly.
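One defensive use of that standard interface, as an added example that is not from the handbook: auditing a switch's SMON port-copy table for active mirror sessions that nobody approved. The OID is portCopyTable from the SMON MIB (RFC 2613); the walk output and the allowlist are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# portCopyEntry in the SMON MIB (RFC 2613): rows are indexed by
# <source ifIndex>.<destination ifIndex>.
PORT_COPY_ENTRY = ".1.3.6.1.2.1.16.22.1.3.1.1"
COLUMNS = {4: "direction", 5: "status"}      # portCopyDirection, portCopyStatus
DIRECTION = {1: "rx", 2: "tx", 3: "both"}    # copyRxOnly, copyTxOnly, copyBoth
ROW_ACTIVE = 1                               # RowStatus active(1)

# Accepts both "INTEGER: 3" and "INTEGER: copyBoth(3)" value forms.
LINE = re.compile(
    re.escape(PORT_COPY_ENTRY)
    + r"\.(\d+)\.(\d+)\.(\d+) = INTEGER: (?:\w+\()?(\d+)\)?")

def parse_port_copy(walk_text):
    """Return {(src_ifindex, dst_ifindex): {"direction": n, "status": n}}."""
    rows = defaultdict(dict)
    for line in walk_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # not a portCopyTable row
        col, src, dst, val = map(int, m.groups())
        if col in COLUMNS:
            rows[(src, dst)][COLUMNS[col]] = val
    return dict(rows)

def unapproved_sessions(walk_text, approved):
    """Active mirror sessions whose (source, destination) pair is not approved."""
    findings = []
    for (src, dst), row in sorted(parse_port_copy(walk_text).items()):
        if row.get("status") == ROW_ACTIVE and (src, dst) not in approved:
            findings.append((src, dst, DIRECTION.get(row.get("direction"), "unknown")))
    return findings

# Constructed sample: numeric-OID walk output in net-snmp style (snmpwalk -On).
SAMPLE_WALK = """\
.1.3.6.1.2.1.16.22.1.3.1.1.4.12.48 = INTEGER: 3
.1.3.6.1.2.1.16.22.1.3.1.1.5.12.48 = INTEGER: 1
.1.3.6.1.2.1.16.22.1.3.1.1.4.7.31 = INTEGER: 1
.1.3.6.1.2.1.16.22.1.3.1.1.5.7.31 = INTEGER: 1
.1.3.6.1.2.1.16.22.1.3.1.1.4.9.48 = INTEGER: 2
.1.3.6.1.2.1.16.22.1.3.1.1.5.9.48 = INTEGER: 2
"""
APPROVED = {(12, 48)}  # hypothetical allowlist: port 12 mirrored to the probe on port 48

if __name__ == "__main__":
    for src, dst, direction in unapproved_sessions(SAMPLE_WALK, APPROVED):
        print(f"unapproved mirror: ifIndex {src} -> ifIndex {dst} ({direction})")
```

The session from ifIndex 9 is skipped because its row status is notInService(2); only active rows copy traffic.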
3.8.7.3.3 Dedicated versus Shared Probes
Dedicated probes with single functionality are great performers. They will definitely fulfill the lawful
intercept job, but cost justification remains very problematic.
When shared among multiple functionalities toward a “mediation” probe, the consequences are:
• Investment can be leveraged
• High risk of impact across application boundary
• Security risk
But ISS requires sharing up to a certain extent. The priorities must be set by telecommunications
service providers.
3.8.7.3.4 Flow-Based Analysis Probes
Flow-based analysis is a rather interesting alternative or complementary solution to probe-based network
analysis. While typically flow-based analysis lacks the granularity of the potential deep packet
analysis in probe-based solutions, it can cover a much larger infrastructure at a lower cost.
One would argue that in a highly meshed networking environment, probe-based traffic analysis is
very expensive, and flow-based analysis can scale much better at reasonable costs. Networking hardware
vendors can present the statistics in any way they prefer, while the probe vendor can offer vendor-
independent traffic statistics.
Probe vendors try to integrate flow-based solutions into their products to provide a combined solution
instead of being forced out of the monitoring market. Some vendors go as far as claiming that a large number
of probes are necessary to be able to efficiently process a large amount of traffic flow information.
It is proven that flow-based statistics result in large amounts of data—approximately 20 gigabytes per
month on a 100,000-port network—which is still less than the amount of data that NetFlow generates for
the same environment. The ratio is expected to be 50 to 1. Collection of flow statistics for large networking
infrastructures may require a distributed management architecture. Non-probe vendors have proved