Bandwidth monitoring is a critical skill for network engineers and a frequent topic on the N10-009 exam. This chapter covers the tools and protocols used to measure and analyze network traffic utilization, including SNMP, NetFlow/sFlow, packet sniffers, and bandwidth testers. Expect 5-7% of exam questions to touch on monitoring concepts, tool selection, and interpretation of metrics. You will learn the differences between polling-based and flow-based monitoring, how to interpret key performance indicators, and how to choose the right tool for specific scenarios.
Imagine a large office building's water system. The building has a main water pipe (the internet connection) that supplies all floors. Bandwidth monitoring tools are like installing flow meters on the main pipe and on each floor's branch pipes. A Simple Network Management Protocol (SNMP) poller is like a building manager who reads the meters every 5 minutes. NetFlow/sFlow is like a detailed log of every time a faucet is turned on, recording which floor, how long, and how much water flowed. A packet sniffer (like Wireshark) is like looking at individual water droplets—overwhelming for daily management but crucial for leak detection. Just as the manager uses flow data to identify a floor using excessive water (bandwidth hog) or a dripping faucet (malicious traffic), a network engineer uses these tools to find congestion sources, plan upgrades, and detect anomalies. The key is that no single tool gives the full picture; flow meters (SNMP) show total usage, logs (NetFlow) show conversations, and droplet inspection (packet capture) shows content.
What is Bandwidth Monitoring?
Bandwidth monitoring is the process of measuring the amount of data transmitted over a network interface over a given period. It answers the fundamental question: 'How much of our capacity is being used, and by what?' On the N10-009 exam, you must understand the tools and protocols that enable this monitoring, not just the concept. The exam tests your ability to select the appropriate tool for a given scenario, interpret output, and understand the underlying mechanisms.
Why Bandwidth Monitoring Exists
Networks have finite capacity. Without monitoring, you cannot:
- Identify congestion points before users complain.
- Plan capacity upgrades based on data, not guesses.
- Detect bandwidth abuse (e.g., peer-to-peer, video streaming).
- Troubleshoot performance issues (e.g., is it the link or the server?).
- Validate SLAs with providers.
The Core Monitoring Protocols and Tools
#### SNMP (Simple Network Management Protocol)
SNMP is the grandfather of network monitoring. Defined in RFC 1157, it uses a manager-agent model. The SNMP manager (monitoring server) polls SNMP agents (routers, switches, firewalls) for data stored in a Management Information Base (MIB). For bandwidth monitoring, the key MIB objects are:
- ifInOctets (OID 1.3.6.1.2.1.2.2.1.10): Total bytes received on an interface.
- ifOutOctets (OID 1.3.6.1.2.1.2.2.1.16): Total bytes transmitted.
- ifInErrors, ifOutErrors: Error counts.
To calculate bandwidth utilization, a monitoring system polls these counters at regular intervals (e.g., every 5 minutes), subtracts the previous value, and divides by the time interval. The formula:
Utilization (%) = ( (CurrentOctets - PreviousOctets) * 8 * 100 ) / (TimeInterval * InterfaceSpeed)
For example, if a 100 Mbps interface receives 50,000,000 bytes in 300 seconds, utilization = (50,000,000 * 8 * 100) / (300 * 100,000,000) = 13.33%.
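The following Python is a worked version of that formula, added to this chapter as an illustration (it is not part of the original text or of any vendor's poller). It also handles the counter-wrap edge case behind the advice, later in the chapter, to read ifHCInOctets on fast links: ifInOctets is a 32-bit counter that rolls over at 2^32 bytes. Run on the chapter's own figures (50,000,000 bytes in 300 s on 100 Mbps) the function returns 1.33 %, since 400 Mbit in 300 s is 1.33 Mbit/s against a 100 Mbit/s interface. The poll values are constructed; the `Poll` class and function names are this example's own.

```python
"""Interface utilization from two SNMP counter polls (added example, not from the chapter)."""
from dataclasses import dataclass

COUNTER_MAX = {32: 2 ** 32, 64: 2 ** 64}  # ifInOctets is Counter32, ifHCInOctets is Counter64


@dataclass(frozen=True)
class Poll:
    """One SNMP GET result: when it was taken and the raw counter value."""
    timestamp: float  # seconds
    octets: int


def octet_delta(prev: Poll, cur: Poll, counter_bits: int = 32) -> int:
    """Bytes moved between two polls, correcting a single counter wrap.

    A negative difference means the counter passed its maximum (or the device
    rebooted; a real poller checks sysUpTime to tell the two apart, omitted here).
    """
    delta = cur.octets - prev.octets
    if delta < 0:
        delta += COUNTER_MAX[counter_bits]
    return delta


def utilization_percent(prev: Poll, cur: Poll, speed_bps: int, counter_bits: int = 32) -> float:
    """The chapter's formula: (delta octets * 8 * 100) / (interval * interface speed)."""
    interval = cur.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("polls must be in increasing time order")
    return octet_delta(prev, cur, counter_bits) * 8 * 100 / (interval * speed_bps)


def wrap_interval_seconds(speed_bps: int, counter_bits: int = 32) -> float:
    """Shortest time a saturated link needs to wrap the counter once.

    If this is shorter than the polling interval, a 32-bit counter can wrap
    more than once between polls and the delta becomes meaningless, which is
    why the chapter says to read ifHCInOctets above 100 Mbps.
    """
    return COUNTER_MAX[counter_bits] * 8 / speed_bps


if __name__ == "__main__":
    # Constructed polls: the chapter's figures, 50,000,000 bytes in 300 s on 100 Mbps.
    a, b = Poll(0, 0), Poll(300, 50_000_000)
    print(f"utilization = {utilization_percent(a, b, 100_000_000):.2f} %")
    # Constructed wrap: counter was 1000 below 2^32 at the first poll, reads 1000 at the second.
    c, d = Poll(600, 2 ** 32 - 1000), Poll(900, 1000)
    print("bytes across the wrap:", octet_delta(c, d))
    for speed in (100_000_000, 1_000_000_000, 10_000_000_000):
        print(f"{speed // 1_000_000} Mbps: 32-bit counter wraps every "
              f"{wrap_interval_seconds(speed):.1f} s at line rate")
```

At line rate a 32-bit octet counter wraps every 343.6 s on 100 Mbps (just outside a 5-minute poll), every 34.4 s on 1 Gbps and every 3.4 s on 10 Gbps, which is the whole argument for the 64-bit ifHCInOctets/ifHCOutOctets counters.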
SNMP Versions:
- SNMPv1: Community strings in plaintext. No authentication. Rarely used today.
- SNMPv2c: Enhanced error handling, but still plaintext community strings.
- SNMPv3: Authentication and encryption. Required for secure monitoring.
Default SNMP Ports:
- UDP 161: Polling (manager to agent).
- UDP 162: Traps (agent to manager).
Trap vs. Poll:
- Poll: Manager requests data. Provides regular, consistent snapshots.
- Trap: Agent sends unsolicited alerts (e.g., interface down). More immediate, but unreliable if the manager is down.
Common SNMP Tools:
- snmpwalk: Retrieves entire MIB tree.
- snmpget: Gets a single OID.
- MRTG (Multi Router Traffic Grapher): Classic tool that uses SNMP to generate graphs.
- Cacti, PRTG, SolarWinds: Modern pollers.
Exam Trap: The exam often tests that SNMP polls are pull-based (manager initiates) and traps are push-based (agent initiates). Candidates confuse the direction. Also, remember SNMP uses UDP, not TCP.
#### NetFlow and sFlow
NetFlow and sFlow are flow-based monitoring protocols that provide granular data about traffic flows — not just interface counters. They are essential for identifying who is using bandwidth and for what application.
NetFlow (Cisco proprietary, now IETF IPFIX): NetFlow records conversations. A flow is defined by:
- Source IP address
- Destination IP address
- Source port
- Destination port
- Layer 3 protocol type
- Type of Service (ToS)
- Input interface
When a router or switch sees packets matching these parameters, it aggregates them into a flow record. Once the flow ends (e.g., TCP FIN/RST, or the default 15-second inactive timeout expires), the device exports the record to a NetFlow collector.
NetFlow Export Format:
- Version 5: Fixed format, widely supported.
- Version 9: Template-based, allows flexible fields.
- IPFIX (Version 10): Standardized version (RFC 7011-7015).
Default NetFlow Timers:
- Active flow timeout: 30 minutes (Cisco default). A flow that lasts longer is exported anyway.
- Inactive flow timeout: 15 seconds. If no packets are seen for 15 seconds, the flow is considered ended.
- Sampling rate: Often 1 in N packets (e.g., 1:1000) to reduce CPU load.
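To make the flow-record idea concrete, here is an added example (not part of the chapter, and not any collector's code) that builds a NetFlow v5 datagram of the kind a router sends to UDP 2055, parses it back with the fixed v5 layout, and then does what a collector dashboard does: ranks sources by bytes and flags one that dominates the link, the situation in the bandwidth-hog scenario later in the chapter. The four flows are constructed sample data; the 50 % share threshold and all function names are this example's own.

```python
"""Parse a NetFlow v5 export datagram and rank the sources in it (added example)."""
import socket
import struct
from collections import defaultdict

# Wire layout of NetFlow v5 (network byte order): a 24-byte header, then 48-byte records.
HEADER_FMT = "!HHIIIIBBH"  # version, count, sysUptime, unix_secs, unix_nsecs, flow_sequence,
#                            engine_type, engine_id, sampling_interval
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, input, output, dPkts,
#                                          dOctets, first, last, srcport, dstport, pad1,
#                                          tcp_flags, prot, tos, src_as, dst_as, src_mask,
#                                          dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

# Constructed sample flows: (src, dst, sport, dport, proto, octets, packets).
SAMPLE_FLOWS = [
    ("10.1.1.25", "203.0.113.10", 51234, 443, 6, 60_000_000, 45_000),
    ("10.1.1.40", "10.1.1.5", 49152, 445, 6, 8_000_000, 9_000),
    ("10.1.1.7", "198.51.100.53", 53001, 53, 17, 2_000, 20),
    ("10.1.1.25", "203.0.113.11", 51240, 443, 6, 30_000_000, 22_000),
]


def build_v5_datagram(flows):
    """Assemble an export datagram the way an exporter would (constructed, for the demo)."""
    header = struct.pack(HEADER_FMT, 5, len(flows), 100_000, 1_700_000_000, 0, 1, 0, 0, 0)
    body = b""
    for src, dst, sport, dport, proto, octets, packets in flows:
        body += struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst),
                            socket.inet_aton("0.0.0.0"), 1, 2, packets, octets,
                            90_000, 99_000, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)
    return header + body


def parse_v5(datagram: bytes) -> list:
    """Decode a v5 datagram into dicts with the flow-key fields the chapter lists."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("short datagram")
    version, count, *_ = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("truncated: header promises more records than are present")
    records = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        records.append({"src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
                        "in_if": f[3], "packets": f[5], "octets": f[6],
                        "sport": f[9], "dport": f[10], "proto": f[13], "tos": f[14]})
    return records


def bytes_by_source(records) -> dict:
    totals = defaultdict(int)
    for r in records:
        totals[r["src"]] += r["octets"]
    return dict(totals)


def top_talkers(records, n: int = 3) -> list:
    """Sources sorted by bytes sent, highest first: the collector's 'top talkers' view."""
    return sorted(bytes_by_source(records).items(), key=lambda kv: kv[1], reverse=True)[:n]


def bandwidth_hogs(records, share_threshold: float = 0.5) -> list:
    """Sources responsible for more than share_threshold of all bytes in the export."""
    total = sum(r["octets"] for r in records)
    if total == 0:
        return []
    return [src for src, b in bytes_by_source(records).items() if b / total > share_threshold]


if __name__ == "__main__":
    recs = parse_v5(build_v5_datagram(SAMPLE_FLOWS))
    for r in recs:
        print(f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} proto {r['proto']} {r['octets']} B")
    print("top talkers:", top_talkers(recs))
    print("hogs (>50 % of bytes):", bandwidth_hogs(recs))
```

The length check matters in practice: a collector that trusts the header's record count without comparing it to the datagram length will read past the end of a truncated or malformed export.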
sFlow (IETF RFC 3176): sFlow is a sampling technology. It uses a sampling rate (e.g., 1 in 10,000 packets) to capture a subset of packets and export their headers to a collector. sFlow does not maintain flow state on the device; it sends packet samples immediately. This makes it very lightweight but less accurate for low-rate flows.
NetFlow vs. sFlow:
- NetFlow: Stateful, tracks every flow (or sampled), provides exact byte/packet counts for each flow. Higher CPU/memory overhead.
- sFlow: Stateless, samples packets, provides a statistical representation. Lower overhead, but not exact.
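The "less accurate for low-rate flows" point can be put in numbers. The added Python below (this example's own, not from the chapter or any sFlow implementation) scales packet samples back up the way a collector does and computes how noisy that estimate is at the chapter's 1:1000 sampling rate; the relative error formula assumes each packet is sampled independently with probability 1/rate, which is the sFlow model. Flow sizes and packet size are constructed.

```python
"""How the sampling rate limits sFlow accuracy for small flows (added example)."""
import math
import random


def scale_to_estimate(sampled_bytes: int, sampling_rate: int) -> int:
    """Collector-side scaling: every sampled byte stands for `sampling_rate` bytes."""
    return sampled_bytes * sampling_rate


def expected_samples(packets: int, sampling_rate: int) -> float:
    return packets / sampling_rate


def relative_std_error(packets: int, sampling_rate: int) -> float:
    """Standard error of the scaled estimate relative to the true count.

    Each packet is sampled independently with p = 1/rate, so the number of
    samples is binomial(N, p) and the scaled estimate has a relative standard
    deviation of sqrt((1 - p) / (N p)), roughly 1/sqrt(expected samples).
    """
    p = 1.0 / sampling_rate
    return math.sqrt((1 - p) / (packets * p))


def simulate_estimate(packets: int, sampling_rate: int, packet_bytes: int = 1000, seed: int = 7) -> int:
    """Monte Carlo of one flow through a 1:rate sampler; returns the scaled byte estimate."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    sampled_packets = sum(1 for _ in range(packets) if rng.random() < 1.0 / sampling_rate)
    return scale_to_estimate(sampled_packets * packet_bytes, sampling_rate)


if __name__ == "__main__":
    RATE = 1000  # the chapter's example sampling rate, 1:1000
    for packets in (1_000_000, 10_000, 500):  # constructed flow sizes, 1000-byte packets
        true_bytes = packets * 1000
        est = simulate_estimate(packets, RATE)
        print(f"{packets:>9} packets: expected samples {expected_samples(packets, RATE):>6.1f}, "
              f"relative error ~{100 * relative_std_error(packets, RATE):.0f} %, "
              f"true {true_bytes:>10} B, one estimate {est:>10} B")
```

A million-packet flow yields about 1,000 samples and a roughly 3 % error, which is fine for capacity questions; a 500-packet flow yields half a sample on average, so its estimate is usually 0 or a multiple of 1,000,000 bytes. That is why sFlow suits high-speed aggregate views and NetFlow is the tool for exact per-flow accounting.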
Exam Focus: The exam expects you to know that NetFlow is used for detailed traffic analysis (who, what, when) and sFlow for high-speed environments where CPU is limited. Both export to a collector using UDP (default port 2055 for NetFlow, 6343 for sFlow).
#### Packet Sniffers (Wireshark, tcpdump)
Packet sniffers capture and decode individual packets. They are not primarily bandwidth monitoring tools (they don't give you utilization graphs), but they are essential for deep-dive troubleshooting when you need to see the actual data.
How Packet Capture Works:
- The network interface is placed in promiscuous mode to capture all frames, not just those destined to its MAC address.
- On switched networks, you need either a port mirror (SPAN) on the switch or a network TAP (Test Access Point) to see traffic between other devices.
Key Metrics from Packet Capture:
- Throughput: Total bytes per second.
- Packet rate: Packets per second (pps).
- Conversation pairs: Top talkers.
- Application breakdown: Protocol distribution.
Common Packet Sniffers:
- Wireshark: GUI-based, powerful filters, protocol dissectors.
- tcpdump: Command-line, lightweight, scriptable.
- TShark: Command-line version of Wireshark.
Exam Tip: The exam may ask when to use a packet sniffer vs. NetFlow. Answer: Use a sniffer when you need to see the actual payload (e.g., malware analysis, decrypting SSL, verifying application behavior). Use NetFlow for ongoing traffic accounting and trend analysis.
#### Bandwidth Speed Testers (iPerf, iPerf3)
iPerf is a tool that generates traffic to test the maximum achievable bandwidth between two hosts. It is not a monitoring tool per se, but it is used to verify that the network can deliver the expected throughput.
How iPerf Works:
- One host runs in server mode (-s), the other in client mode (-c <server IP>).
- The client sends TCP or UDP data to the server.
- The server reports the received throughput.
- Common options: -t (duration), -P (parallel streams), -i (interval reporting).
Example:
```
iperf3 -c 10.0.0.1 -t 30 -P 4 -i 5
```
This sends 4 parallel TCP streams for 30 seconds, reporting every 5 seconds.
Exam Focus: iPerf is used for active testing (generates traffic), whereas SNMP and NetFlow are passive (observe existing traffic). The exam may ask which tool to use to 'verify bandwidth capacity' — answer: iPerf.
How These Tools Interact
In a typical enterprise, you use all of them:
- SNMP for long-term interface utilization graphs (e.g., MRTG/Cacti).
- NetFlow for top talkers, application breakdown, and security analysis.
- Packet sniffers for specific troubleshooting.
- iPerf for baseline testing and SLA validation.
Key Metrics to Understand
- Bandwidth: Maximum data rate of an interface (e.g., 1 Gbps).
- Throughput: Actual data transferred over time (e.g., 500 Mbps).
- Goodput: Application-level data rate (excluding headers and retransmissions).
- Utilization: Percentage of bandwidth used.
- Packet loss: Percentage of packets not delivered.
- Jitter: Variation in latency (critical for VoIP).
- Latency: Round-trip time (RTT).
Configuration Examples
SNMP on a Cisco device:
```
! 'public' and 'private' are the well-known defaults the pitfalls section warns about;
! in production use unique strings, or SNMPv3 users instead of community strings.
snmp-server community public RO
snmp-server community private RW
snmp-server location "Data Center"
snmp-server contact "admin@example.com"
```
NetFlow on a Cisco device:
```
interface GigabitEthernet0/1
 ip flow ingress
 ip flow egress
!
ip flow-export source Loopback0
ip flow-export version 9
ip flow-export destination 10.0.0.100 2055
```
sFlow on a switch:
```
sflow agent-ip 10.0.0.2
sflow collector 10.0.0.100 6343
sflow polling-interval 30
sflow sample-rate 10000
```
How It Interacts with Other Technologies
- QoS: Monitoring tools verify whether QoS policies are working (e.g., per-traffic-class utilization).
- SNMP traps can trigger automated actions (e.g., increase bandwidth, alert an admin).
- NetFlow data can be fed into security information and event management (SIEM) systems for anomaly detection.
Identify monitoring objectives
Before deploying tools, define what you need to monitor. For capacity planning, you need long-term SNMP utilization graphs. For troubleshooting a slow application, you need NetFlow to identify the top talker or packet capture to see retransmissions. The N10-009 exam tests your ability to match the tool to the scenario. For example, if the question says 'determine which user is consuming the most bandwidth,' the answer is NetFlow (not SNMP, because SNMP only shows interface totals, not per-user data).
Deploy SNMP polling infrastructure
Set up an SNMP manager (e.g., PRTG, SolarWinds, or open-source like LibreNMS). Configure SNMP agents on all routers, switches, firewalls, and servers. Use SNMPv3 for security. Define polling intervals: 5 minutes for utilization graphs, 1 minute for critical interfaces. The manager polls ifInOctets and ifOutOctets (or ifHCInOctets for interfaces > 100 Mbps) and calculates utilization. Store data in a round-robin database (RRD) to archive trends. Verify that SNMP community strings match between manager and agent.
Enable flow export on network devices
For NetFlow or sFlow, configure export on devices. On Cisco routers, enable ip flow ingress/egress on interfaces. Set up a flow collector (e.g., ntopng, SolarWinds NetFlow Traffic Analyzer). Choose export version (v9 or IPFIX). Set appropriate timers: active timeout 30 minutes, inactive timeout 15 seconds. For sFlow, configure sampling rate (e.g., 1:1000) and polling interval (e.g., 30 seconds). Ensure firewall rules allow UDP traffic to the collector (port 2055 for NetFlow, 6343 for sFlow).
Analyze collected data
Once data flows, use the collector's dashboards to identify top talkers, application usage, and bandwidth hogs. For SNMP, look at utilization graphs to spot congestion patterns (e.g., daily peak at 10 AM). For NetFlow, sort by bytes to find the heaviest conversation. Use filters to isolate traffic to a specific server or protocol. Export reports for management. Common metrics: average utilization, 95th percentile (used for billing), and peak utilization.
Perform active testing with iPerf
To validate bandwidth capacity, use iPerf3 between two endpoints. Run a TCP test for 30 seconds with 4 parallel streams to saturate the link. Observe the reported throughput. If it is significantly lower than the interface speed, investigate: check duplex mismatches, CPU utilization on routers, or QoS policies. For UDP tests, measure jitter and packet loss. This step confirms that the network can deliver the expected performance.
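The last step, judging an iperf3 run, is easy to script once iperf3 is told to report JSON (its `-J` option). The Python below is an added example for this chapter, not part of iperf3 or the original text: it reads two constructed excerpts of iperf3 JSON output and applies the checks described above, comparing TCP throughput with the nominal link speed and comparing a UDP run with the voice targets used in Scenario 3. The JSON key paths follow iperf3's reporting (end.sum_sent and end.sum_received for TCP, end.sum for UDP); the 80 % "investigate" floor and the function names are assumptions of this example.

```python
"""Judge an iperf3 result against the link it was meant to saturate (added example)."""
import json

# Constructed excerpts of `iperf3 -c <server> -t 30 -P 4 -J` (TCP) and `-u -J` (UDP) output.
TCP_RUN = """{"end": {"sum_sent": {"bits_per_second": 941200000.0, "retransmits": 12},
                      "sum_received": {"bits_per_second": 939800000.0}}}"""
UDP_RUN = """{"end": {"sum": {"bits_per_second": 9990000.0, "jitter_ms": 0.42,
                             "lost_packets": 3, "packets": 9000, "lost_percent": 0.033}}}"""


def tcp_verdict(result_json: str, link_bps: float, floor: float = 0.8) -> dict:
    """Compare received throughput with the nominal link speed.

    `floor` (an assumption of this example, not an iperf3 setting) is the fraction
    of line rate below which the chapter says to start investigating duplex
    mismatches, router CPU, or QoS policing.
    """
    end = json.loads(result_json)["end"]
    received = end["sum_received"]["bits_per_second"]
    fraction = received / link_bps
    return {
        "mbps": round(received / 1e6, 1),
        "fraction_of_link": round(fraction, 3),
        "retransmits": end["sum_sent"].get("retransmits", 0),
        "verdict": "ok" if fraction >= floor else "investigate",
    }


def udp_verdict(result_json: str, max_jitter_ms: float = 30.0, max_loss_pct: float = 1.0) -> dict:
    """Check a UDP run against voice-grade targets (the chapter's < 30 ms jitter, < 1 % loss)."""
    s = json.loads(result_json)["end"]["sum"]
    failed = [name for name, value, limit in (("jitter", s["jitter_ms"], max_jitter_ms),
                                               ("loss", s["lost_percent"], max_loss_pct))
              if value > limit]
    return {"jitter_ms": s["jitter_ms"], "loss_pct": s["lost_percent"], "failed": failed}


if __name__ == "__main__":
    print(tcp_verdict(TCP_RUN, link_bps=1e9))   # the same run judged against a 1 Gbps link
    print(tcp_verdict(TCP_RUN, link_bps=10e9))  # and against a 10 Gbps link
    print(udp_verdict(UDP_RUN))
```

The same 940 Mbps result is "ok" for a 1 Gbps link and "investigate" for a 10 Gbps one, which is the point of step one above: the test is only meaningful against a stated expectation for the path under test.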
Scenario 1: Capacity Planning at a University
A university with 10,000 students and staff experiences slow internet during peak hours (8-10 AM). The network team deploys SNMP polling on the border router using LibreNMS. They poll every 5 minutes and graph utilization over months. They discover the 95th percentile utilization is 800 Mbps on a 1 Gbps link. The peak is 950 Mbps. Based on this data, they upgrade to a 10 Gbps link. Without SNMP, they would have guessed the link was fine. The key lesson: SNMP provides hard data for budget justifications.
Scenario 2: Identifying a Bandwidth Hog in an Enterprise
A company's WAN link is saturated. The IT manager suspects an employee is streaming video. They enable NetFlow on the branch router and send exports to a SolarWinds collector. Within minutes, they see a single IP address generating 50% of the traffic to a streaming service. They block the service at the firewall. Without NetFlow, they would have had to manually check each user's PC. The key lesson: NetFlow identifies the 'who' and 'what' of bandwidth usage.
Scenario 3: Troubleshooting VoIP Quality
A call center reports choppy voice calls. The network team uses a packet sniffer (Wireshark) on a SPAN port of the voice VLAN. They capture RTP streams and analyze jitter (target < 30 ms) and packet loss (target < 1%). They find jitter spikes coinciding with large file transfers. They implement QoS to prioritize voice traffic. Without packet capture, they would not have pinpointed the cause. The key lesson: packet sniffers are essential for real-time protocol analysis.
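What Wireshark's RTP analysis computes in Scenario 3 is small enough to show in full. The Python below is an added example (not part of the chapter, Wireshark, or any capture tool) that takes a list of captured RTP packets as (sequence number, send time, arrival time) in milliseconds, computes the RFC 3550 interarrival jitter and the sequence-number loss, and judges them against the scenario's 30 ms and 1 % targets. Both captures are constructed: a clean stream with one lost frame, and one where a queue builds up during a file transfer and drains again. The 16-bit sequence-number wrap is ignored for these short samples, and the function names are this example's own.

```python
"""RTP jitter and loss from a voice capture, as a sniffer's RTP analysis computes them (added example)."""


def rtp_jitter_series(packets):
    """RFC 3550 interarrival jitter over packets listed in arrival order.

    D is the change in transit time between consecutive packets; the estimator
    is the running average J = J + (|D| - J) / 16. Times here are milliseconds
    (a sniffer converts RTP timestamp units using the codec clock rate).
    """
    jitter, series, prev = 0.0, [], None
    for seq, send_ms, arrival_ms in packets:
        if prev is not None:
            d = (arrival_ms - prev[2]) - (send_ms - prev[1])
            jitter += (abs(d) - jitter) / 16
        series.append(jitter)
        prev = (seq, send_ms, arrival_ms)
    return series


def packet_loss_percent(packets) -> float:
    """Loss from gaps in the RTP sequence numbers (16-bit wrap ignored here)."""
    seqs = {p[0] for p in packets}
    expected = max(seqs) - min(seqs) + 1
    return 100.0 * (expected - len(seqs)) / expected


def analyze_stream(packets, max_jitter_ms: float = 30.0, max_loss_pct: float = 1.0) -> dict:
    """Summarize one RTP stream against the scenario's voice-quality targets."""
    worst = max(rtp_jitter_series(packets))
    loss = packet_loss_percent(packets)
    return {"max_jitter_ms": round(worst, 2), "loss_pct": round(loss, 2),
            "ok": worst <= max_jitter_ms and loss <= max_loss_pct}


def make_capture(count, extra_delay_ms, dropped=(), ptime_ms=20, base_seq=1000):
    """Constructed capture: 20 ms audio frames, 5 ms base transit, plus a per-frame queueing delay."""
    pkts = []
    for i in range(count):
        seq = base_seq + i
        if seq in dropped:
            continue  # lost in the network, never captured
        send = i * ptime_ms
        pkts.append((seq, send, send + 5 + extra_delay_ms(i)))
    return pkts


def queue_burst(i: int) -> int:
    """Queueing delay during a file-transfer burst: builds 60 ms per frame, drains 15 ms per frame."""
    if 60 <= i < 75:
        return 60 * (i - 59)          # 60 .. 900 ms
    if 75 <= i < 135:
        return 900 - 15 * (i - 74)    # 885 .. 0 ms, slow enough that no frame is reordered
    return 0


CLEAN = make_capture(200, lambda i: 0, dropped={1100})
CONGESTED = make_capture(200, queue_burst, dropped={1100, 1130, 1131})

if __name__ == "__main__":
    print("clean     :", analyze_stream(CLEAN))
    print("congested :", analyze_stream(CONGESTED))
```

In the congested capture the jitter estimator climbs above 30 ms while the queue builds (fifteen frames each arriving 60 ms later than the previous one), exactly the "jitter spikes coinciding with large file transfers" the team saw, and the loss of 1.5 % independently fails the 1 % target.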
Common Pitfalls:
- Using SNMPv1/v2c with the default community 'public' — a security risk.
- Setting the SNMP polling interval too high (e.g., 30 minutes) — you miss short bursts.
- Not sampling NetFlow in high-speed environments — CPU overload on routers.
- Forgetting to allow the UDP ports in firewalls — no data reaches the collector.
- Confusing SNMP traps with polling — traps are unsolicited, polling is request-response.
The N10-009 exam tests bandwidth monitoring tools under Objective 3.3: 'Given a scenario, use appropriate network monitoring tools.' The exam expects you to:
- Distinguish between SNMP, NetFlow, sFlow, packet sniffers, and bandwidth testers.
- Know the default ports: SNMP 161/162 UDP, NetFlow 2055 UDP, sFlow 6343 UDP.
- Understand that SNMP is for interface utilization, NetFlow for flow analysis, sFlow for sampled flow data, packet sniffers for deep packet inspection, and iPerf for active throughput testing.
Common Wrong Answers:
1. 'Use SNMP to find which user is using the most bandwidth.' Wrong — SNMP only gives interface totals, not per-user data. Correct: NetFlow.
2. 'Use a packet sniffer to monitor long-term bandwidth trends.' Wrong — packet captures are too large and not aggregated. Correct: SNMP or NetFlow.
3. 'NetFlow uses TCP port 2055.' Wrong — it uses UDP. TCP would add overhead and is not used.
4. 'sFlow provides exact byte counts.' Wrong — sFlow is sampling; it provides statistical estimates, not exact counts.
Numbers to Memorize:
- SNMP: UDP 161 (poll), UDP 162 (trap).
- NetFlow: UDP 2055 (common), but configurable.
- sFlow: UDP 6343.
- Default NetFlow active timeout: 30 minutes.
- Default NetFlow inactive timeout: 15 seconds.
Edge Cases:
- For interfaces > 100 Mbps, SNMP uses ifHCInOctets (64-bit counter) instead of ifInOctets (32-bit) to avoid counter wrap.
- NetFlow version 5 is fixed; version 9 is template-based; IPFIX is version 10.
- sFlow samples both packets and counters; it can provide interface statistics without polling.
Elimination Strategy:
- If the scenario requires historical trends of interface usage → SNMP.
- If it requires identifying top talkers or applications → NetFlow or sFlow.
- If it requires real-time packet content → packet sniffer.
- If it requires testing maximum throughput → iPerf.
Remember: The exam loves to ask 'which tool would you use to...' and give two plausible options. Always match the tool's strength to the need.
- SNMP uses UDP ports 161 (poll) and 162 (trap); poll is pull-based, trap is push-based.
- NetFlow exports flow records to a collector; default active timeout 30 min, inactive 15 sec.
- sFlow is stateless sampling; uses UDP 6343; lower overhead than NetFlow.
- Packet sniffers (Wireshark, tcpdump) capture full packets; require a SPAN port or TAP.
- iPerf3 is an active bandwidth testing tool; use -t for duration, -P for parallel streams.
- For interface utilization, use SNMP; for top talkers, use NetFlow or sFlow.
- Always use SNMPv3 for secure monitoring; avoid default community strings.
These come up on the exam all the time. Here's how to tell them apart.
SNMP
- Polls counters (pull-based) using UDP 161.
- Provides interface utilization (bytes in/out).
- Does not identify individual flows or applications.
- Low overhead on devices; suitable for all devices.
- Best for long-term capacity planning graphs.
NetFlow
- Exports flow records (push-based) using UDP 2055.
- Provides per-flow data: source/dest IP, ports, protocol.
- Identifies top talkers and application usage.
- Higher overhead; may require sampling on high-speed links.
- Best for traffic analysis and security investigations.
Mistake: SNMP provides real-time monitoring with sub-second granularity.
Correct: SNMP polling is typically done every 5 minutes. Sub-second polling would overwhelm the device and network. For real-time visibility, use packet sniffers or flow exports with short timeouts.
Mistake: NetFlow and sFlow are interchangeable; both provide the same data.
Correct: NetFlow tracks every flow (or every sampled flow) and provides exact byte/packet counts. sFlow samples packets and provides statistical estimates. sFlow has lower overhead but less accuracy, especially for low-rate flows.
Mistake: A packet sniffer can be used to monitor bandwidth utilization on a 10 Gbps link.
Correct: Capturing all packets on a 10 Gbps link requires massive storage and processing. Packet sniffers are used for targeted troubleshooting, not continuous monitoring. Use SNMP or NetFlow for utilization.
Mistake: iPerf measures the actual bandwidth being used on the network.
Correct: iPerf generates its own traffic to test the maximum throughput. It does not measure existing traffic. Use SNMP or NetFlow for actual usage.
Mistake: SNMP traps are the same as polling.
Correct: Traps are unsolicited messages from agent to manager (push). Polling is the manager requesting data (pull). They serve different purposes: traps for alerts, polling for regular data collection.
SNMP polls interface counters (bytes in/out) to calculate utilization. It tells you how much bandwidth is used but not by whom. NetFlow exports flow records that include source/destination IP, ports, and protocol, allowing you to identify which applications and users are consuming bandwidth. Use SNMP for capacity planning and NetFlow for traffic analysis.
NetFlow typically uses UDP port 2055 for export. However, this is configurable. Some vendors use other ports (e.g., 9995 for Cisco NBAR). The exam expects 2055 as the default. sFlow uses UDP 6343.
Technically yes, but it is impractical for continuous monitoring. Wireshark captures every packet and requires significant storage. It is better suited for short-term deep-dive troubleshooting. For ongoing bandwidth monitoring, use SNMP or NetFlow.
NetFlow v5 has a fixed format with predefined fields. NetFlow v9 is template-based, allowing flexible field definitions and support for new technologies like MPLS and IPv6. v9 is more extensible but requires the collector to understand templates. IPFIX (v10) is the standard version.
Utilization = ((CurrentOctets - PreviousOctets) * 8 * 100) / (TimeInterval * InterfaceSpeed). For example, if you poll ifInOctets every 300 seconds on a 100 Mbps interface, and the difference is 50,000,000 bytes, utilization = (50,000,000 * 8 * 100) / (300 * 100,000,000) = 13.33%.
SNMPv2c uses community strings in plaintext for authentication. SNMPv3 adds user-based authentication (MD5/SHA) and encryption (DES/AES). For security, always use SNMPv3. The exam may test that v2c is insecure.
Use sFlow on very high-speed links (e.g., 10 Gbps and above) where maintaining flow state would be too CPU-intensive. sFlow samples packets and provides statistical data with lower overhead. However, it is less accurate for low-rate flows. NetFlow is better for detailed per-flow analysis on lower-speed links.