Security Basics mailing list archives

Re: Any good method to check network overload?

From: Sean Knox <sean.knox () sbcglobal net>
Date: Thu, 06 Mar 2003 17:24:08 -0800

Maybe I'm missing something, but what's wrong with using MRTG?

http://people.ee.ethz.ch/~oetiker/webtools/mrtg/

I mean, why reinvent the wheel?

The problem is that MRTG is too limited in its scope to be an effectivemeasurement tool

Mark Reardon post summed up the problems of network load testing. I'dlike to add a couple points.

1. What element of network traffic do you want to measure? In regards toTCP, jitter, rtt, and latency are just some of a dozen or so metrics tomeasure. Couple that with varying packet sizes, port numbers, etc., andyou have a good deal of testing ahead of you. Just because you measureone element (ICMP ping for example) doesn't mean that is indicative ofother types of traffic. As Mark mentioned, on a congested network, Imight be able to download a linux distribution at a good rate, butinteractive traffic via SSH or some other means will lag or time out.

2. ICMP Ping, and in turn MRTG, rrdtool, etc, is a poor assessment ofnetwork load. It's basically a 10,000-foot view of a problem. Whenyou're pings start timing out and/or latency increases, you know thereis a problem, but nothing beyond that. All you're actually measuring isyour 64-byte ICMP pings-- not web traffic, smtp, or anything else. Isuppose it's like driving a Volvo to see how fast your mustang runs.What is really needed is the ability to test specific aspects of thenetwork- be it TCP, IP, UDP or otherwise. Some vendors do make such aproduct, hardware and software. Cisco and Brix are a couple I know of.

3. Additional monitoring software on a host adds further delay, as nowthe host has to process monitoring data as well as normal routedtraffic. The best way around this problem I've seen is to establish avector of some kind between two monitoring hosts on different ends of alink. i.e.


Monitor A -----> router ------> Monitor B

Specialized hardware is best suited for this task, although I haven'tused any of the software packages, so I can't say. Also, as is obvioushere, it's difficult to test the load on a server (as opposed to arouter) because you run into problem #3.

Network metric testing is a complicated subject with no clear-cutsolution yet.


-Sean

Current thread:

RE: Any good method to check network overload?, (continued)
- RE: Any good method to check network overload? David Gillett (Mar 04)
- RE: Any good method to check network overload? swin (Mar 05)
  - RE: Any good method to check network overload? David Gillett (Mar 05)
- RE: Any good method to check network overload? Mark Reardon (Mar 06)
  - Re: Any good method to check network overload? stefmit (Mar 07)
- RE: Any good method to check network overload? Trevor Cushen (Mar 06)
- RE: Any good method to check network overload? Chris Berry (Mar 06)
  - RE: Any good method to check network overload? David Gillett (Mar 07)
    - RE: Any good method to check network overload? Mike Dresser (Mar 07)
    - Re: Any good method to check network overload? gene yoo (Mar 07)
  - Re: Any good method to check network overload? Sean Knox (Mar 07)
  - Re: Any good method to check network overload? Nuzman (Mar 07)
- RE: Any good method to check network overload? swin (Mar 08)
  - RE: Any good method to check network overload? Burton M. Strauss III (Mar 10)
- RE: Any good method to check network overload? Chris Berry (Mar 08)
- RE: Any good method to check network overload? Trevor Cushen (Mar 11)
- Re: RE: Any good method to check network overload? Mark Reardon (Mar 11)
- RE: Any good method to check network overload? crawford charles (Mar 12)
- RE: Any good method to check network overload? JAVIER OTERO (Mar 12)