Network monitoring provides ongoing visibility into network health, performance, and security. CompTIA Network+ N10-009 tests monitoring protocols (SNMP, NetFlow, sFlow), monitoring tools (PRTG, Nagios, Zabbix), and proactive vs reactive monitoring approaches. Understanding how monitoring integrates with alerting, log management, and performance baselines is essential for the Network Operations domain.
SNMP (Simple Network Management Protocol) is the most widely used network device monitoring protocol. SNMP manager: the monitoring server (NMS — Network Management System). SNMP agent: software running on network devices (routers, switches, servers). MIB (Management Information Base): a database of variables (OIDs) that can be queried or set on a device — CPU usage, interface counters, error rates.
SNMP versions: v1 and v2c use community strings (plain-text shared secret) — no encryption. v2c adds bulk transfers and 64-bit counters. v3 adds user authentication (MD5/SHA) and encryption (DES/AES) — the only secure version. Always use SNMPv3 on production networks.
SNMP polling: the NMS periodically queries (GET) devices for metrics. SNMP traps: devices proactively send alerts to the NMS when significant events occur (interface down, high CPU, authentication failure) — uses UDP 162. Informs: like traps but with acknowledgment — the NMS acknowledges receipt. Traps are fire-and-forget; informs are reliable.
NetFlow (Cisco) / IPFIX (open standard) / sFlow: capture summary information about traffic flows rather than full packet content. A flow is the set of packets sharing the same source IP, destination IP, source port, destination port, and protocol (the 5-tuple). Flow data shows: who is talking to whom, how much traffic, which applications. Used for bandwidth analysis, capacity planning, and security (detecting anomalous traffic patterns).
NetFlow collector: receives and stores flow records from routers/switches. Flow analyzer: processes records for reports and alerts. sFlow is a sampling-based technology (samples 1 in N packets) — lower overhead than NetFlow on high-speed links. IPFIX is the IETF standard based on NetFlow v9.
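As an added example (not part of the original study notes), the following Python script decodes a NetFlow v5 export datagram the way a collector would, then aggregates bytes per 5-tuple and per source host the way a flow analyzer builds a top-talkers report. It assumes only the published NetFlow v5 wire layout (24-byte header, 48-byte records); the flow records and addresses are constructed sample data, not a real capture.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 wire format (big-endian): a 24-byte header followed by 48-byte flow records.
HEADER_FMT = "!HHIIIIBBH"            # version, count, sys_uptime, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"  # srcaddr, dstaddr, nexthop, in_if, out_if, pkts, bytes, first, last, sport, dport, pad, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

def parse_netflow_v5(datagram):
    """Decode one NetFlow v5 export datagram into a list of flow dicts (what a collector stores)."""
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        r = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "pkts": r[5], "bytes": r[6], "sport": r[9], "dport": r[10], "proto": r[13]})
    return flows

def summarize(flows):
    """Aggregate bytes per 5-tuple and per source host, as a flow analyzer does for top-talker reports."""
    per_tuple, per_src = defaultdict(int), defaultdict(int)
    for f in flows:
        per_tuple[(f["src"], f["dst"], f["sport"], f["dport"], f["proto"])] += f["bytes"]
        per_src[f["src"]] += f["bytes"]
    top_talkers = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
    return dict(per_tuple), top_talkers

def build_record(src, dst, sport, dport, proto, pkts, nbytes):
    """Pack one 48-byte v5 record; next-hop, timestamps and AS fields are zeroed for the sample."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, pkts, nbytes, 0, 0, sport, dport, 0, 0x18, proto, 0, 0, 0, 24, 24, 0)

def build_datagram(records):
    """Prepend a v5 header (version 5, record count, fixed sample uptime/time, zeroed sequence)."""
    header = struct.pack(HEADER_FMT, 5, len(records), 1000, 1700000000, 0, 0, 0, 0, 0)
    return header + b"".join(build_record(*r) for r in records)

# Constructed sample export (not a real capture): two records for the same HTTPS 5-tuple, one SSH flow, one DNS flow.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 51000, 443, 6, 120, 90000),
    ("10.0.0.5", "10.0.0.20", 51000, 443, 6, 30, 20000),
    ("10.0.0.7", "203.0.113.9", 40022, 22, 6, 10, 1500),
    ("10.0.0.9", "10.0.0.20", 5353, 53, 17, 2, 200),
]
SAMPLE_DATAGRAM = build_datagram(SAMPLE_FLOWS)
```

Feeding SAMPLE_DATAGRAM through parse_netflow_v5 and then summarize merges the two HTTPS records into one 110000-byte 5-tuple, so 10.0.0.5 appears as the top talker even though no payload was ever captured.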
Common monitoring platforms: PRTG Network Monitor (Windows, GUI-driven, sensor-based), Nagios (Linux/Windows, open source, highly extensible), Zabbix (open source, enterprise features), SolarWinds NPM (enterprise, expensive), Datadog (cloud-based SaaS), Grafana + Prometheus (open source metrics stack).
Alerting thresholds: configure alerts when metrics exceed normal ranges. Examples: CPU > 80% for 5 minutes, interface utilization > 90%, ping RTT > 100 ms. Alerts should be actionable — too many false positives lead to alert fatigue, where real problems are ignored. Base thresholds on established baselines.
Misconception: SNMPv2c is secure because it uses community strings.
Correction: SNMP community strings are transmitted in plaintext and easily intercepted. v1 and v2c have no encryption — use SNMPv3 with authentication and encryption for all production monitoring.
Misconception: NetFlow captures full packet content.
Correction: NetFlow captures only flow metadata (source/destination IP, ports, byte count, packet count, protocol) — not the actual packet payload. For full packet capture, use Wireshark or a packet broker/tap.
These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.
A network administrator wants routers to proactively alert the monitoring server when an interface goes down, without waiting for the next polling cycle. Which SNMP feature provides this?
Explanation: SNMP traps are unsolicited messages sent proactively from a network device to the SNMP manager when a significant event occurs (interface down, temperature threshold, authentication failure). This eliminates the wait until the next polling cycle. SNMP GET is a manager-initiated query. SNMP SET changes a device configuration value. MIB walk queries all OIDs.
SNMP polling (GET): the NMS periodically queries each device for metric values — typically every 5 minutes. Detection of a problem is delayed until the next poll. SNMP traps: the device immediately notifies the NMS when an event occurs — interface down, CPU spike, config change. Traps provide real-time alerting; polling provides ongoing metric collection. Both are used together in comprehensive monitoring.