The

New Generation
of Network
Monitoring
Systems

ATG’s Communications &

Networking Technology
Guide Series

This guide has been sponsored by

 Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Networks are Critical Assets . . . . . . . . . . . . . . . . . 4
Operational Analysis and Monitoring
Management . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Techniques for Network Monitoring. . . . . . . . . . . 9
Users of a Monitoring System . . . . . . . . . . . . . . 11
Monitoring Systems Architecture . . . . . . . . . . . . 15
Development Systems for Analysis and
Monitoring Networks. . . . . . . . . . . . . . . . . . . 17
What needs to be monitored? . . . . . . . . . . . . . . . 19
The True Cost of a Network Monitoring
System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Monitoring System Requirements . . . . . . . . . . . 25
Summary and Conclusions. . . . . . . . . . . . . . . . . 28
Acronyms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Glossary of Terms . . . . . . . . . . . . . . . . . . . . . . . 30
About the Editor…
Gerald P. Ryan is the founder of Connections Telecommunications Inc., a
Massachusetts-based company specializing in consulting, education and soft-
ware tools which address Wide Area Network issues. Mr. Ryan has developed
and taught numerous courses in network analysis and design for carriers, gov-
ernment agencies and private industry. Connections has provided consulting
support in the areas of WAN network design, negotiation with carriers for
contract pricing and services, technology acquisition, customized software
development for network administration, billing and auditing of telecommuni-
cations expenses, project management, and RFP generation. Mr. Ryan is a
member of the Networld+Interop program committee.

This book is the property of The Applied Technologies Group and is made
available upon these terms and conditions. The Applied Technologies
Group reserves all rights herein. Reproduction in whole or in part of this
book is only permitted with the written consent of The Applied Tech-
nologies Group. This report shall be treated at all times as a proprietary
document for internal use only. This book may not be duplicated in any way,
except in the form of brief excerpts or quotations for the purpose of review.
In addition, the information contained herein may not be duplicated in
other books, databases or any other medium. Making copies of this book, or
any portion for any purpose other than your own, is a violation of United
States Copyright Laws. The information contained in this report is believed
to be reliable but cannot be guaranteed to be complete or correct.
Copyright © 1997 by The Applied Technologies Group, One Apple Hill,
Suite 216, Natick, MA 01760, Tel: (508) 651-1155, Fax: (508) 651-1171
E-mail: [email protected] Web Site: http://www.techguide.com
 It is clear that the speed of network change is accelerating.
Networks have become more complex, more interactive, signifi-
cantly more costly and certainly more mission-critical. There is
much more at stake than ever before for network managers, and
almost everyone is experiencing an increased level of tension and
uncertainty as new systems, applications, and services are
deployed. Vendors proposing complex solutions are equally
concerned that their solutions meet the needs of all their
customers. The need to deliver analyses and monitor the functions
of new technologies such as Frame Relay, ATM, Fast Ethernet,
and the Internet has never been greater. There is also a need to
justify deployment costs and to validate assumptions before
systems become operational. Maintaining the value of all
resources throughout the network’s life cycle has also become an
objective. This Technology Guide looks at the changing network
environment in terms of today's greater need to provide precise,
highly-accurate analysis and monitoring of both test-bed and
operational network components and services. The deployment of
fully functional, integrated network analysis and monitoring
systems is shown to be the best solution for examining contempo-
rary networks.
2 • The New Generation of Network Analysis and Monitoring Systems
Introduction
Corporate networks are core assets for almost any
company in the fast-paced, globally-oriented world we
live in today. Data network technologies have evolved
very rapidly; the low-speed circuits of a SNA network
are transforming into multiservice distributed informa-
tion systems. There is even a move towards the conver-
gence of traditionally distinct facilities such as
telephony and data networks. Instant access to high-
quality voice, data, image, and video transport services
is available almost anywhere and yet the ability to
analyze and monitor network operations has not kept
pace with its importance. The desire to keep track of
what is happening on the network and understand how
well it is performing has never been greater.
The components of a modern network are often
provided by more than one supplier and may need to
be installed and maintained anywhere in the world.
Testing the quality and compatibility of these compo-
nents, both before and after purchase, is an important
part of the overall network planning, design, and
deployment life cycle. Providing the tools for analysis
and monitoring of these networks has become critical
to the success of network-dependent businesses.
Furthermore, as new protocols are deployed with
complex interactions with other protocol sets, there is a
need to simulate and test these environments, with load
generation stress testing and real-time monitoring.
This Technical Guide examines the requirements
for network analysis and monitoring that justifies the
overhead of implementing analysis and monitoring
systems, especially for high-speed multi-protocol
networks. We take a fresh look at the growing need for
comprehensive network analysis and monitoring and
how it can be used effectively. We discuss the benefits
of deploying analysis tools and monitoring capabilities
and suggest an architecture for describing what must
Technology Guide • 3
be provided. With the help of this Guide, the network
planner can assess the impact of network analysis and
monitoring systems, define the overall benefits and
make the case for an up-front investment in the tools.
Networks are Critical Assets
Most companies know intuitively that their tele-
phone networks are mission-critical. Many do not yet
realize the significant business cost of data network
outages. Banks, for example, would be severely
restricted if their teller networks were unreliable.
Virtually everyone depends on “the network” in one
form or another, and this dependency means that
networks have become critical corporate assets. They
are expected to be available anytime, to be accessible
anywhere, and to operate flawlessly, and their
managers are expected to know when these expecta-
tions aren’t going to be met.
It is becoming more and more difficult to keep
track of what network elements are installed, what
protocols are operating , how they are interacting with
multiple technologies, and what changes are occurring.
It has been claimed that more than 30% of network
users move every year in a typical corporation – a good
reason alone for continuous analysis and monitoring of
network assets and configuration. The rate of change is
accelerating as the technologies improve and more
users demand both internal and external network
bandwidth and reliable access (e.g., Internet).
Information system technologies are being devel-
oped faster than ever before, resulting in high rates of
change both within the network and around it. Greater
4 • The New Generation of Network Analysis and Monitoring Systems
levels of complexity and interactivity are involved,
much greater speeds are achieved, and immature
protocols are being deployed, such as the various stan-
dards for integrating ATM with legacy protocols (e.g.
Multiple Protocols Over ATM MPOA) all of which
make functional outages and quality degradation much
more likely. Various network technologies are also
being combined in new ways - frame relay overlaid
onto ATM, IP tunneling over the Internet, video over
ATM, and voice and video over an Ethernet LAN are
examples – and these are often incompatible across
vendors. Recently, quality of service has been the
subject of hot debate in the industry, especially as the
business use of the Internet and Intranets expand.
Frame Relay, ATM, very high speed routers and
switches, 100Mbps and pending gigabit LANs,
SONET, and TCP/IP-based intranets are examples of
advanced technologies that all share a common trait –
high speeds with lots of traffic flowing. These, when
combined with legacy networks that range from plain
old telephone service to SNA display terminal
networks, lead to complex integration, interoperability
between applications, and management challenges.
Many of the traditional network providers no longer
provide end-to-end service and support, leaving users
to develop their own monitoring, analysis, diagnostic,
and maintenance capabilities.
A variety of network middleware solutions have
also been developed. Virtual LANs, on-line transaction
processing, message handling, World Wide Web
serving, and client/server computing are a few exam-
ples. These are overlaid onto the physical network,
thereby creating a logical networking environment that
also needs to be monitored and controlled.
Technology Guide • 5
 A highly simplified modern networking environ-
ment is illustrated below.
The
Internet
Wide Area Legacy
Networks Networks
Intranet
(Frame Relay, (SNA, IPX,
ATM) XNS, etc.)
Mission-critical applications are routinely using
these networks, often with little confidence that the
“state of the net” is well known or trustworthy. Since
the network has a direct impact on the achievement of
business goals and contributes to maintaining corpo-
rate profitability, network analysis and monitoring is a
necessity.
The Need for Network Analysis and Monitoring
Network analysis and monitoring can be defined
as the capture, filtering, decoding, and organization of
observations about the functioning of a network
service, the facilities that provide the network services
or any of the components that make up a communica-
tions facility. Monitoring and analysis provides
feedback concerning the “health” of the network and
allows corrective actions to be initiated when and
where necessary.
In a laboratory testing environment, it assumes
new dimensions in which it provides the ability to build
various protocol models and to simulate protocol inter-
actions, while providing real-time monitoring capture
and analysis of data streams.
6 • The New Generation of Network Analysis and Monitoring Systems
Operational Analysis and
Monitoring Management
A network analysis and monitoring system is
successful when it provides the owners and managers
with the information they need to plan, organize,
implement, operate, administer, and control the
network. Today’s networks are challenging to monitor
effectively and even harder to manage, and the degree
of difficulty increases with size and capacity (i.e., the
shear volume of data involved is daunting).
Effective and appropriately placed monitoring of
an operational network can contribute to the solution
of a wide range of network-related problems. The
overall goal is to detect service-threatening conditions
before they become visible to the end user (thereby
avoiding the loss of business productivity). Some
typical uses for an on-line network analysis and moni-
toring system include:
• detecting changes in user accesses, node activities,
topology, status and performance ratings, and
debugging network problems;
• tracking who is using the most bandwidth on the
network and whether they are authorized;
• identifying and alerting management of service
outages, degrading performance and component
faults;
• monitoring of network interfaces for communica-
tion problems;
• maintaining event histories, trends, and loading
statistics; and
• on-line simulation and capture of live traffic
analysis.
Technology Guide • 7
 Analysis and monitoring can also be used in a
laboratory environment for simulation and load gener-
ation testing and in an inoperative network to perform
diagnostics, analysis, and load tests. Some typical off-
line uses for an analysis and monitoring system are:
• providing industry standards, benchmark data
testing for product specifications and service level
agreements;
• developing conformance tests for the multiple
technologies being used;
• simulating traffic profiles and performance tests;
and
• integration and compatibility testing.
Multi-layer Analysis and Monitoring
Although analysis and monitoring is most often
introduced at the network element level (e.g., a hub,
router or switch) it also applies to the end-to-end
service being offered and to the end user’s traffic.
Monitoring of the network, the business applications
and the analysis of system platforms may or may not
be combined. Often it will be found that events are
correlated across the entire distributed system. For
example, failure of an application gateway between an
internal and an external network can disrupt a service
just as thoroughly as would the failure of a carrier’s
data link. By simulating hypothetical network configu-
rations with typical traffic patterns, most network fail-
ures can be isolated prior to mission critical applica-
tions being implemented onto the new network.
Various signaling and control systems are impor-
tant network elements that also need to be analyzed
and monitored. The ability to observe the operation of
the entire network and all of its OSI layers is a funda-
mental prerequisite for any viable Network. The key is
to provide the network manager or field operator with
precise, highly accurate information concerning all the
8 • The New Generation of Network Analysis and Monitoring Systems
relevant network analyses and to do it in a timely
manner.
If a network analysis and monitoring capability
were not embedded into the system, it would be
impractical to do many important network evaluation
tasks. In general, moreover, without monitoring and
analysis, the role of the network manager would at best
be a labor-intensive, reactive process that would seldom
meet user requirements. Traffic capacity planning
would be almost impossible, quality of service could
not be regulated, security breaches might go
undetected, and unplanned service disruptions would
occur.
Techniques for Network
Monitoring
A fundamental division among network
monitoring systems related to whether the monitoring
is done off-line (while only test messages are flowing) or
on-line (while user traffic is on the network), or both.
Techniques for monitoring networks when they are
out of service involve the generation of test sequences
and the monitoring and analysis of the results, to
determine measurable levels of performance and
protocol conformance. Such tests can be in a test
bench environment, manufacturing floor, network
operations center or may be during an outage in an
operational network.
The process of on-line monitoring and analysis
may be performed on a continuous basis, scheduled at
various times of day, or invoked only when
circumstances (such as load changes or quality
concerns) demand a closer scrutiny.
Continuous monitoring (intrusive testing) is the
most costly alternative in terms of resources and time,
Technology Guide • 9
but is also the most beneficial from a user’s viewpoint.
A very large number of access points may be required,
and they would usually be dedicated to the monitoring
system. The amount of data that needs to be collected
and possibly transported to a remote database can also
be very high. The benefit, however, is that proactive
management and dynamic recovery can be a reality.
The key cost-benefit trade-off is completeness: the
number of points of observation, the frequency of
polling, and the degree of summarization performed at
the source.
Scheduled monitoring and filtering reduces the
cost by executing the monitoring functions only at
certain times (e.g., only monitor during peak times) or
at a specific subset of locations at set times. This
reduces the volume of data collected and the
processing required. A variety of scheduling strategies
is possible: random testing, regular polling, and
responding to user requests are three examples. There
is a greater chance of missing an important event,
however, and some uncertainty occurs when the test
points are not event driven. By engaging filtering prior
to monitoring the network, you can selectively trap
events and errors. The filtering technique can be
utilized during test bed stages, implementation turn-up,
and operational maintenance.
Reactive monitoring is performed in reaction to
an outage or performance failure, in which monitoring
is turned on only when a trouble ticket is opened. The
end user most often provides the initial alarm mecha-
nism. The number of simultaneous test points would
be relatively low, but geographic coordination and
correlation of the tests would be more difficult. By
implementing a remote diagnostic monitoring system
such as a protocol analyzer, reactive monitoring can be
activated prior to performance failures . This would
minimize system cost, reduce the expense of people
costs, and would likely decrease the outage times due
10 • The New Generation of Network Analysis and Monitoring Systems
to the added difficulties of problem determination.
This approach could be completely acceptable for
medium to large networks, priority networks, and
would scale up to larger, or shared networks.
Data Collection (Capture and Analysis)
The data collected by the network monitoring
system can be capture directly to hard disk, floppy disk,
or transferred to a central database management
system immediately. It can be filtered, edited, and
chained together for subsequent uploading, or it can be
analyzed at the point of capture and only the results
forwarded to the control center. If the monitoring
function directly controls a dynamic, adaptive network,
much of the data need not be transferred at all since it
is used proactively at the control point. All data
collected must, as a minimum, be uniformly defined
and understood so that correlation of data across
multiple protocols, events or locations, can be achieved.
Users of a Monitoring System
Users of network analysis and monitoring systems
can be divided into four major categories:
a) Original Equipment Manufacturers and
Laboratories: The development of any
network device - a bridge, a router, or a gateway,
for example - involves complex hardware and
software, using network protocols that are existing
or relatively new and untried. A network analysis
and monitoring system serves as a verification tool
by providing a traffic generator, simulating a desti-
nation node or multiple nodes, or detecting and
reporting upon protocol violations. This can
considerably reduce the time it would take to “get
Technology Guide • 11
 it right” in the rush to bring products to market.
Compliance verification also provides a level of
confidence for the buyer.
Monitoring is also essential for performance
testing and benchmarking of network components.
This is helpful both to the supplier who wishes to
sell a product based on superior performance and
also to the purchaser who needs to know what to
expect from the product. Test tools that do not
impose a processing overhead on the node being
tested are most suitable for this type of application.
Monitoring and analysis systems would also be
needed for stress testing under fault conditions
(i.e., create faulty traffic and invalid protocol
sequences) and for life cycle testing to determine
the MTBF ratings of the device.
b) Suppliers and system integrators: A new
network design or a new equipment proposal is
much more credible when the existing network is
clearly understood and when bottlenecks, conges-
tion, or other performance problems are identi-
fied. A portable monitoring and analysis system
would be an important tool for anyone trying to
document an existing network or audit its actual
performance. The ability to see what is
happening in a live environment is essential both
for gathering design data and also for discovering
integration issues. It is also critical when perfor-
mance benchmarks are part of the acceptance
cycle. This is usually done through a process of
monitoring the operation in conjunction with the
customer and capturing protocol errors . Good
monitoring and analysis systems allow both the
customer and supplier to measure acceptance
12 • The New Generation of Network Analysis and Monitoring Systems
goals with efficiency and precision. Isolating
points of congestion, locating sources of transient
faults, and generally proving out a design are
important for long term stability.
c) Carriers and Internet Service Providers:
Carriers, ,network providers, and Internet Service
Providers have very large, complex networks to
implement, operate, and manage. Carrier-based
networks may be shared among thousands of
corporate users whose needs can vary widely.
These same carrier networks usually span wide
geographic areas where reliability and maintain-
ability become a more important issue and are
almost always interconnected with other carrier
networks. Internal monitoring and analysis
systems are essential if a carrier is to provide high
quality services, and these must work with the
user’s own systems if end-to-end service testing is
to be achieved.
In a large carrier’s network, the cost of
OAM&P (operations, administration, maintenance
and provisioning) can escalate very rapidly, making
manual methods of monitoring and control
impractical. The network monitoring and analysis
system must be standardized, scalable, and reliable
if it is to be combined across multiple administra-
tions and interconnected with customer network
management performance tools.
Monitoring of network usage is also a critical
requirement for carrier billing systems. Unless a
facility is dedicated to a single user, the costs of
the resources must be allocated according to their
use. Monitoring must be done at wire-line speeds
when QoS limits are involved or when usage has
Technology Guide • 13
 to be recorded for billing. Automation of the
monitoring function in high-speed networks such
as Frame Relay and ATM is especially important.
d) End Users: Any corporate network has two
types of user: the organization’s typical employee
who simply uses the network as a transparent
utility and who reacts to problems or
performance impairments with complaints, and
the network operator who is responsible for main-
taining the end-to-end service. For the network
operator, network monitoring and analysis
provides the means to become proactive (i.e., to
detect faults prior to receiving a user’s complaint).
It also allows them to manage service level
Monitoring Systems
Architecture
A network monitoring and analysis system can be
structured in a number of ways, depending on the
intended use, with many variations and combinations
also being possible. However, a number of basic func-
tions must be included in any monitoring and analysis
systems architecture, as is illustrated below:
Network Analysis &
Monitoring System
Network Test Points

contracts, to be assured of day-to-day operations Configuration Fast Ethernet

Database ATM, Frame Relay
and to validate system changes. and History Routers, Severs, Switches

The organization’s typical end users and the Triggers

success of the business applications that live on

Graphical User
the network are the ultimate beneficiaries of all Interface
the various network monitoring activities that are Applications
Traffic Load Generation
performed within the network. However, the end Definable Configurations Full Rate Capture and Decode
Simulation & Emulation Automatic Filtering, Statistics
users are least aware of the infrastructure behind Realtime Monitoring
the service. They simply need a quality of service
that meets their business needs and which, by its
very quality and predictability achieves a certain The network monitoring and analysis system is a
invisibility. It is the goal of achieving this “invisi- flexible application in its own right, and shares many of
bility” of consistently good service that makes the requirements of any distributed system. It can be
the added cost of monitoring and analysis tools based on a separate set of processing resources or it
justifiable. may be integrated into the network. The following
functions, however, are common to any approach:
• Network access test points,
• Network capture and filtering processing,

14 • The New Generation of Network Analysis and Monitoring Systems Technology Guide • 15
 • Data repository Histograms and statistical reports
(and consolidation),
• Operator interface (Intuitive user interface for
quick response), and
• Traffic generator (wire-line speed for load
generation).
The architecture of the monitoring and analysis
system can vary considerably, most often depending on
what needs to be monitored, filtered, and captured.
The specific needs of the network operators and of the
associated network management system will dictate the
type of instrumentation that is necessary. One of the
most critical areas for network monitoring and analysis
today is the quality of service (QoS) provided to the
user. This includes testing for utilization, error rates,
delays, etc.
Major architectural decisions to be made during
network planning include:
• Centralized versus distributed processing (network
test points are, by definition, distributed),
• Portable versus embedded applications for
performing monitoring and analysis tasks,
• Continuous versus “connect and look” modes of
data collection,
• Wire-line speed versus “store and process” modes
of operation,
• Larger buffer capacity for report generation,
• Proactive versus reactive management techniques,
• Protocol (wireline) versus component (node hard-
ware and software) monitoring,
• Functional versus performance monitoring,
16 • The New Generation of Network Analysis and Monitoring Systems
• Monitoring of user versus test traffic in live or test
bed situations, and
• Standards-based versus product-specific
monitoring.
Hardware vs. Software
Hardware test tools tend to be reactive. When a
problem occurs, the tool is plugged into a node or a
circuit and monitoring is turned on. This provides
limited access to the network and works best in shared
networks where the basic problems relate to the inter-
ference among users (such as congestion or protocol
errors). Software-based monitoring tools, on the other
hand, can observe a large number of points in the
network either continuously or on command, without
the need for manual intervention. As networks move
towards switched approaches and dedicated LAN
segments, a combination of both hardware and soft-
ware monitoring may be the most effective, allowing
proactive monitoring to be combined with in-depth
diagnosis and testing.
Development Systems for
Analysis and Monitoring
Networks
The use of integrated development systems as part
of a monitoring and analysis software suite is crucial to
validating the operation of new network arrangements.
Often, developers are confronted with the need to work
with and perhaps integrate legacy and new, immature,
protocols.
Technology Guide • 17
 For example, TEKELEC uses integrated develop-
ment capabilities to customize applications; to create
What needs to be monitored?
and test proprietary protocols; and to validate the oper-
ational parameters of various immature protocols. In any layered network architecture the services of
These capabilities are also used to customize user one layer support the needs of the layer above (see the
definable interfaces for multiple applications. The illustration of the OSI seven-layer model below). Each
TEKELEC system includes the Protocol Monitoring layer represents one or more functions and protocols
Development System (PMDS), and Tool Command that are logically, if not also physically, separated from
Language/Tool Kit (tcl/tk). With these flexible devel- the others. A network monitoring and analysis system
opment tools, the network manager can predict traffic must have access to and understand the protocol
patterns, node failures, potential congestion points, and messages at each level. In a multiprotocol environment
bandwidth characteristics throughout the network. this can be an onerous task, especially if proprietary
protocols are included. With PMDS and PASM simu-
lation , monitoring and analysis can be used to validate
Multi-Protocol Support and confirm application connectivity, protocol interac-
One of the fundamental architectural tions, addressing, priorities setting mechanisms,
requirements of analysis and monitoring systems is the throughput, end-to-end delay, network overhead,
ability, at wire-line speeds, to capture and decode routing table exchanges, etc. – literally anything that is
multiple types of protocols at multiple levels of the needed to establish, initiate, operate, and regulate the
network, as is illustrated to the right using the OSI network and its connections.
Reference Model. A system should allow protocols to
be individually designed and implemented for a partic- User Applications Gateways
Application Support Application
ular test sequence, or to support a general implementa- Analysis &
Presentation Distributed Systems Protocols
tion that models the interaction of multiple protocols. Middleware
Monitoring
Systems
Session
TEKELEC’s Protocol Monitoring Development Code Converters
Transport Security and Control
System (PMDS) provides the capability of creating new
Routers Switches
protocols and testing them with capture and analysis Network
Routing Protocols
Bridges Switches
tools. The Protocol Adaptable State Machine (PASM) Data Link
LANs VLANs

has been used successfully by TEKELEC to speed Physical Wiring

Hubs Patch Panels Switches

protocol testing and support. PASM allows users to

develop generic tools for ad-hoc protocol evaluation
and testing thereby allowing the immediate creation of Monitoring can be divided into three categories
new and proprietary protocols. Once the laboratory according to the layers involved:
has created a simulated protocol using PASM, it can
• Monitoring and analysis of the underlying trans-
generate and apply traffic loads to actual or test bed
port network and of the services it provides to its
networks. This can be used in conjunction with test
users;
sequences for any defined protocol-based technologies.
It creates, edits, and views user-defined messages that • Monitoring and analysis of the end-to-end traffic
are protocol compliant. among user and system applications; and

18 • The New Generation of Network Analysis and Monitoring Systems Technology Guide • 19
 • Monitoring and analysis of the hardware
platforms and operating systems that support the
operation and management of the network and its
users.
This translates into different sets of monitoring
and analysis tasks.
a) Protocol testing: Manufacturers of new silicon
with new or proprietary protocols need to test
their products against some known system and
determine performance benchmarks. Compliance
to standards, adherence to functional specifica-
tions , and operating conditions and limits are
other reasons for a priority testing. This implies a
laboratory environment with load generation,
production simulation , monitoring and analysis
to effectively produce quality results.
Analysis and Monitoring is an essential part of
any test environment but the requirements may
be quite different from a “live’ operation where
protecting user data may be paramount. In a
laboratory environment, much of the surrounding
network can be simulated, many more points of
attachment for test points may be available, and
much more powerful testing applications may be
available through flexible test tools such as PASM
or PMDS.
Of particular importance is the assurance that
the protocols can meet speed and quality of
service requirements even when stressed.
b) Operational network monitoring: A moni-
toring and analysis system for an operational
network must collect information about the
network itself (e.g., changes in the network’s
protocols); about the state of the network services
being offered (including both protocol errors and
20 • The New Generation of Network Analysis and Monitoring Systems
changes to the quality of service); about the users
and applications; and about the environment.
Without at least basic monitoring and analysis,
there can be no feedback to a Network Operation
Center (NOC) and no control by managers.
c) Trend monitoring: Network monitoring and
analysis systems can provide more than simply
collection of raw data. Alarms for exception
conditions and faults are also a natural function of
the system. In more advanced systems, thresholds
and limits can be set for trends as well instanta-
neous events.
Hubs as Monitoring Centers
The intelligent wiring hub is a key element from a
monitoring perspective. Hubs provide the “first point of
contact” for an end system attached to a network, and
serve as an observation point at which data flowing to
and from the end user can be examined. Virtually all
hubs can allow monitoring and analysis of both the
functioning of the hub itself and the traffic flowing
through the hub. In a TCP/IP environment, the SNMP
and RMON protocols are used for this purpose.
The current state and port configuration of a hub
provides much information concerning topology and
physical configuration schemes, an indication of the
health of the network and, more importantly, it allows
the capture of traffic arriving from an end user’s node.
Bridges and switches that operate at Layer 2 are
also important network elements. The protocols of
Layer 2 (the Ethernet MAC, the TCP/IP PPP protocol
and so on) are designed for moving frames within a
single network domain. It is this layer that most
network monitors would examine to determine the
quality of operation of a network.
Technology Guide • 21
Routers as Monitoring Points
Another network element of critical importance is
the router, which operates at Layer 3 of the OSI
Model. Routers are used to interconnect logically sepa-
rate networks (forming an internetwork). Monitoring
and analysis of the operation of routers and the
routing process provides considerable information
about the network. By detecting trends and events as
seen by the routers, it is possible to take preventive
actions, to isolate problem components, and to gener-
ally minimize the impact of faults. The Internet IP
protocol, which is the key to internetworking, operates
at this level. New IP switching on Layer 3 will require
protocol analysis to capture performance and quality of
service parameters.
Monitoring at Other Points
Monitoring the operation of applications and plat-
forms is also highly desirable. Gateways provide for the
interconnection of applications that are not directly
compatible and for the conversion between different
protocol suites. Middleware and platform applications
provide services for distribution, for security, and for
identification.
In any of these components there will be a trade-
off between the processing load of the monitoring
functions, the memory required for buffering the obser-
vations, and the amount of data collected. Spot
checking, continuous monitoring, and targeted analysis
change the amount of data collected and therefore the
cost of performing the monitoring. The higher the
speeds involved the more data that will need handling
and the more important it is to operate at least at the
wire-line speeds.
22 • The New Generation of Network Analysis and Monitoring Systems
The True Cost of a Network
Monitoring System
While network monitoring increases the overall
cost of the hardware and software facilities, it signifi-
cantly reduces the total cost of ownership for a distrib-
uted network-based system. Cost of ownership drops
dramatically with remote access on network points that
handle the majority of the traffic. With today’s
networks supporting increasingly mission critical busi-
ness applications, it is imperative that they keep
running with efficiency and resiliency. Justifying up-
front costs in order to get downstream benefits in this
environment is not difficult, since technology is
advancing quickly and more of the corporate asset is
on the network. It is, therefore, important to justify the
initial integration of a network monitoring and analysis
system as new technologies and applications are
deployed, rather than simply adding it after-the-fact in
response to serious network problems or failures.
Every business manager believes a key part of his
or her job is to monitor and control the assets for
which they are responsible. The network
operator/manager is no exception, given that the
ability to monitor the network is a prerequisite to
controlling it. The cost of a monitoring and analysis
system can be balanced against the cost of decreased
availability and increased operator involvement. A
necessary, ideal model in this network milieu is
dynamic operations, high reliability design, and contin-
uous analysis of all parts of the network at all times,
thereby allowing detection and correction of events
prior to an outage occurring.
The relative cost of the monitoring system, the
cost and number of personnel, and the business impact
of the networked applications will determine the actual
Technology Guide • 23
“return on investment” of any investment in • less timely work, greater difficulties in global
monitoring systems. These costs are highly dependent operation,
on the specific circumstances of each network with the • slower products to market
lack of a mission critical network service sometimes
being very costly indeed. • lower quality performance, and
The following chart highlights key costs and bene- • network stability with multiple protocols.
fits related to the deployment of a network monitoring
system. Using a monitoring and analysis system in a devel-
opment environment is almost essential, since few
Costs and Benefits of a Monitoring System customers would buy products whose specifications are
not available.
Costs Benefits
In an operational environment the goal is to estab-
• More hardware and software • Lower people costs due to automation
required lish a balance between investing in monitoring and
• Uses network capacity • Reduces downtime (mean time to analysis systems versus the cost of people and the relia-
repair)
• Development and deployment • Allows proactive management bility needed for the applications served.
required
• Potential compatibility problems • Permits trend analysis
Without some level of monitoring and analysis,
there would be virtually no reasonable way to detect
• Standardization required for • Reduces cost of product
information development
and correct faults, and certainly no way to identify
• Lower testing costs and shorten test trends and directions that could be impacting service.
cycles
• Proactive analysis and monitoring with
multiple test tools
Remote access to multiple technolo-
gies and applications
New products get to market quicker Monitoring System
• Reliability and quality of new products Requirements
• More rigorous data collection

A full-featured network monitoring and analysis

Another way of judging the value of a monitoring system would require most, if not all, of the following:
and analysis system is to examine the impact of
• test points that are either portable or are located
allowing poor quality networking facilities. Some of the
at defined network observation points;
results are:
• common definitions for data elements, events, and
• higher total cost of ownership (more people
actions;
devoted to problem resolution),
• data collection mechanisms that either make use
• reduced productivity of individuals,
of the network or are totally separate;
• poorer collaboration among groups and even
• data management tools for data reduction, organi-
companies,
zation, storage, and analysis;

24 • The New Generation of Network Analysis and Monitoring Systems Technology Guide • 25
 • presentation tools for viewing the consolidated
data; modeling tools to validate protocols and
network performance; and
• a traffic generation facility for testing under simu-
lated loads.
Any monitoring and analysis system may be
portable or rack-mounted. It should be capable of
interfacing with a wide variety of networks and be
scaleable from small to large networks. It must be able
to generate and receive a variety of protocols and be
able to deliver simulation and real-time decodes on all
layers of the protocol suite. The monitoring should be
capable of full-rate data capture to support accurate
performance but must also be able to poll the test
points to allow either sampling or continuous
monitoring on a per access basis.
Ideally, monitoring and analysis systems can
operate with both software and hardware interfaces. A
software interface copies and forwards the data passing
a certain point of observation, which allows observa-
tions at locations that would not normally be accessible
to a test system. Software monitoring, however,
requires suitable features to be built into the device
(filtering) and also consumes resources that might
distort the real situation. Hardware interfaces can be
less intrusive but are limited to physically accessible
points, and typically operate on a per segment basis.
Network monitoring and analysis system require-
ments differ according to the intended purpose of the
system. The three major categories of the system are:
• Network component capability and performance
monitoring that is used during development;
• Event and usage monitoring that is performed
during normal operation of the network; and,
26 • The New Generation of Network Analysis and Monitoring Systems
• Monitoring of longer term trends and changes in
configuration that is usually accomplished in an
off-line mode.
What are the Elements of a Superior Network
Monitoring System
The various operational elements of a good moni-
toring and analysis system are illustrated in the
previous diagram. They include:
• an intuitive graphical user interface,
• automated processes, detection and
measurements,
• comprehensive operations and management
analyses,
• a common and consistent operational command
language,
• simultaneous support for multiple technologies on
a single platform,
• remote access to test points via network connec-
tions,
• customizable user interfaces incorporating
powerful GUI features,
• extensibility to accommodate new technologies
and scalability to large networks,
• open system platform, and
• real-time (wire-line speed) operation for multiple
points of attachment and a wide range of network
speeds.
Technology Guide • 27
Summary and Conclusions Acronyms
The ability to communicate digitally as well as
ATM Asynchronous Transfer Mode
using voice has become critical to business success,
(network)
resulting in greater dependency on complex global
networks and their component suppliers. Management IP Internet Protocol
of the internal corporate network and of the intercon- LAN Local Area Network
nection of multiple corporation’s networks has become
a very visible task, one that would be impossible SONET Synchronous Optical Network
without the tools for monitoring of activities, events, SNA Systems Network Architecture
performance, and usage. There is a highly magnified
need for testing and monitoring systems to support TCP Transport Control Protocol
contemporary applications and technologies. PASM Protocol Adaptable State Machine
Every network involves multiple stages in its devel-
PMDS Protocol Monitoring Development
opment life cycle: component development, carrier
System
service production, integration testing, operational
monitoring, and application usage control. The ability MAN Metropolitan Area Network
to monitor the network is fundamental to success at all
GAN Global Area Network
times from the product test labs to application load
control.
The need for, and benefits of, accurate monitoring
of all the different technologies currently being used is
clear. In the past, the up-front costs needed for imple-
menting and integrating a comprehensive monitoring
and analysis system had occasionally been difficult to
justify. However, with the dramatic increase in business
costs of network failures and the increasing complexi-
ties of the technologies, it has become evident that
automation of the monitoring and management func-
tions has considerable payback for everyone involved:
producers, carriers, integrators, and end users.
Since it is the monitoring capability that provides
the basis for most forms of network management, any
investment in monitoring and analysis tools and tech-
niques is bound to be re-paid many times over.

28 • The New Generation of Network Analysis and Monitoring Systems Technology Guide • 29
Glossary
10BaseT—The IEEE 802.3 specification for ethernet
over unshielded twisted pair (UTP).
100BaseFX—100 (Mbps) Ethernet implementation
over fiber.
100Base-T Fast Ethernet—A 100 Mbps technology
based on the Ethernet/CD network access method.
802.3—CSMA/CD (Ethernet) standards, which apply
at the physical layer and the media access control
(MAC) sublayer.
802.5—Token ring standards.
802.6—MAN standards. IEEE 802 standards become
ANSI standards and are usually accepted as interna-
tional standards. A MAU is referred to as a transceiver
in the Ethernet specification.
Access Rate—The transmission speed, in bits per
second, of the physical access circuit between the end
user and the network.
Add/Drop Multiplexer (ADM)—A multiplexer
capable of extracting or inserting lower-rate signals
from a higher-rate multiplexed signal without
completely demultiplexing the signal.
Advanced Intelligent Network (AIN)—Carrier
offering more than ‘pipes’ to users.
Application Layer—Layer 7 of the OSI Reference
Model; implemented by various network applications
including file transfer, electronic mail, and terminal
emulation.
Asymmetrical Digital Subscriber Line
(ASDL)—A new standard for transmitting at speeds up
to 7 Mbps over a single copper pair.
30 • The New Generation of Network Analysis and Monitoring Systems
Asynchronous Transfer Mode (ATM)—(1) The
CCITT standard for cell relay wherein information for
multiple types of services (voice, video, data) is conveyed
in small, fixed-size cells. ATM is a connection oriented
technology used in both LAN and WAN environments.
(2) A fast-packet switching technology allowing free allo-
cation of capacity to each channel. The-SONET
synchronous payload envelope is a variation of ATM.
(3) ATM is an international ISDN high speed, high-
volume, packet switching transmission protocol
standard. ATM currently accommodates transmission
speeds from 64 Kbps to 622 Mbps.
ATM Adaptation Layer (AAL)—Each AAL consists
of two sublayers: the segmentation and reassembly
(SAR) sublayer and the convergence sublayer. AAL is a
set of four standard protocols that translate user traffic
from higher layers of the protocol stack into a standard
size and format contained in the payload of an ATM
cell and return it to its original form at the destination
node.
AAL 2 is used with time-sensitive, variable bit rate
traffic such as packetized voice.
ATM Data/Channel Service Unit (ATM
DSU/CSU)—Segments ATM-compatible information
into ATM cells and then reassembles them at their
destination.
Available Bit Rate (ABR)—A class of service in
which the ATM network makes its “best effort” to meet
traffic bit rate requirements.
Bandwidth on Demand (BoD)—Dynamic alloca-
tion of line capacity to active users, inherent in
FastComm FRADs.
Bit Stuffing—The insertion of extra bits into a data
stream to avoid the appearance of unintended control
sequences.
Glossary • 31
Bit Synchronous—A way of mapping payload into
virtual tributaries that synchronizes all inputs into the
Vts but does not capture any framing information or
allow access to subrate channels carried in each input.
For example, bit synchronous mapping of a channel-
ized DS1 into a VT1.5 does not provide access to the
DSO channels carried by the DS1.
Bridge/Router—A device that can provide the func-
tions of a bridge, router or both concurrently.
Bridge/router can route one or more protocols, such as
TCP/IP and/or XNS, and bridge all other traffic.
Broadband Inter Carrier Interface (BICI)—
A carrier-to-carrier interface like PNNI (private
network-to-network interface) but lacking some of the
information offered by PNNI. Carriers are not likely to
let their switches share routing information or detailed
network maps with their competition’s equipment. BICI
now supports only permanent virtual circuits between
carriers; the ATM Forum’s is currently addressing
switched virtual circuits.
Broadband Inter-Switching System Interface
(B-ISSI)—Between ATM nodes.
Broadcast and Unknown Server (BUS)—ATM
Forum-defined specifications in support of LAN-to-
LAN connectivity, called LAN emulation. BUS defines
that set of functions implemented in an ATM network
that provide LAN-to-LAN transmission support while a
LAN connection is being established. It also supports
LAN broadcast services.
Byte-Interleaved—Bytes from each STS-1 are
placed in sequence in a multiplexed or concatenated
STS-N signal. For example, for an STS-3, the sequence
of bytes from contributing STS-1s is 1,2,3,1,2,3......
32 • The New Generation of Network Analysis and Monitoring Systems
Campus Area Network (CAN)—A network which
encompasses interconnectivity between floors of a
building and/or buildings in a confined geographic
area such as a campus or industrial park. Such networks
would not require public rights-of-way and operate over
fairly short distances.
Carrier Sense Multiple Access/Collision
Detection (CSMA/CD)—A channel access mecha-
nism wherein devices wishing to transmit first check the
channel for a carrier. If no carrier is sensed for some
period of time, devices can transmit. If two devices
transmit simultaneously, a collision occurs and is
detected by all colliding devices, which subsequently
delays their retransmissions for some random length of
time. CSMA/CD access is used by Ethernet and IEEE
802.3.
Channelization—Division of an E1/T1 signal into
multiple data channels, which may or may not follow
time slot boundaries depending on the application.
Circuit Emulation—A connection over a virtual
circuit-based network providing service to the end users
that is indistinguishable from a real, point-to-point,
fixed-bandwidth circuit.
Circuit Switching—(1) Switching system in which a
dedicated physical circuit path must exist between
sender and receiver for the duration of the “call”. Used
heavily in the phone company network, circuit
switching often is contrasted with contention and token
passing as a channel-access method, and with message
switching and packet switching as a switching
technique. (2) Basic switching process whereby a circuit
between two users is opened on demand and
maintained for their exclusive use for the duration of
the transmission.
Glossary • 33
Classless Inter-Domain Routing (CIDR)—
A method for using the existing 32-bit Internet Address
Space more efficiently.
Code Division Multiple Access (CDMA)—Spread
spectrum; broadcast frequency changes rapidly in
pattern known to receiver.
Coding Violation (CV)—A transmission error
detected by the difference between the transmitted and
the locally calculated bit-interleaved parity.
Committed Information Rate (CIR)—The trans-
port speed the frame relay network will maintain
between service locations.
Common Application Service Elements
(CASE)—Application protocol (MAP).
Common Protocol Convergence Sublayer
(CPCS)—Pads PDU to N x 48 bytes, maps control
bits, adds FCS in preparation for SAR.
Conference on European Posts &
Telecommunications (CEPT)—Conference of
European Postal and Telecommunications administra-
tions, a body that sets policy for services and interfaces
in 26 countries.
Connection Admission Control (CAC)—The
function of an ATM network which determines the
acceptability of a virtual circuit connection request and
determines the route through the network for such
connections.
Connectionless—The model of interconnection in
which communication takes place without first estab-
lishing a connection. Sometimes (imprecisely) called
datagram. Examples: Internet IP and OSI CLNP, UDP,
ordinary postcards.
Connectionless Network Protocol (CLNP)—The
OSI protocol for providing the OSI Connectionless
34 • The New Generation of Network Analysis and Monitoring Systems
Network Service (data gram service). CLNP is the OSI
equivalent to Internet IP, and is sometimes called ISO IP.
Constant Bit Rate (CBR)—Delay intensive applica-
tions such as video and voice, that must be digitized and
represented by a continuous bit stream. CBR traffic
requires guaranteed levels of service and throughput.
Continuation of Message (COM)—Type of
segment between BOM and EOM (ATM, SMDS).
Copper Distributed Data Interface (CDDI)—
FDDI over UTP or STP copper media.
Customer Premises Equipment (CPE)—
(1) Telephone terminal devices, such as handsets and
private branch exchanges (PBXs), located on the
customer’s premises. (2) Terminating equipment, such
as terminals, phones, routers and modems, supplied by
the phone company, installed at customer sites, and
connected to the phone company network.
D Channel—Full duplex 16 Kbps (basic rate) or 64
Kbps (primary rate) ISDN channel.
Data Communicating Equipment (DCE)—In
RS232 communications, a device implementing the
interface and handshaking of a data communications
device (such as a modem).
Data Exchange Interface (DXI)—(1) ATM: A vari-
able-length frame-based ATM interface between a
DTE and a special ATM DSU/CSU. The ATM
DSU/CSU converts between the variable-length DXI
frames and the fixed-length ATM cells. (2) Defines the
format for transmitting information that has gone
through the ATM convergence sublayer.
Data Link Connection Identifier (DLCI)—
A value in frame relay that identifies a logical connection.
Data Link Control (DLC)—The SNA layer respon-
sible for transmission of data between two nodes over a
physical link.
Glossary • 35
Data Terminal Equipment (DTE)—The part of a
data station that serves as a data source, destination, or
both, and that provides for the data communications
control function according to protocol. DTE includes
computers, protocol translators, and multiplexers.
Defense Advanced Research Projects Agency
(DARPA)—Agency of the Department of Defense
responsible for managing research projects and coordi-
nating activities among participating agencies, universi-
ties, research institutions, etc.
DNS Spoofing—Assuming the DNS name of another
system by either corrupting the name service cache of a
victim system, or by compromising a domain name
server for a valid domain.
Domain Name Service or Server (DNS)—The
DNS interprets host names into IP addresses. (Also see
IP Address.)
Dynamic Routing—Routing that adjusts automati-
cally to changes in network topology or traffic.
End System to Intermediate System Protocol
(ES-IS)—The OSI protocol by which end systems such
as networks personal computers announce themselves
to intermediate systems such as hubs.
Enterprise Network—A geographically dispersed
network under the auspices of one organization.
Ethernet—(1) A baseband LAN specification invented
by Xerox Corporation and developed jointly by Xerox,
Intel, and Digital Equipment Corporation. Ethernet
networks operate at 10 Mbps using CSMA/CD to run
over coaxial cable. Ethernet is similar to a series of
standards produced by IEEE referred to as IEEE 802.3.
(2) A very common method of networking computers
in a local area network (LAN). Ethernet will handle
about 10,000,000 bits per second and can be used with
almost any kind of computer.
36 • The New Generation of Network Analysis and Monitoring Systems
Far End Receive Failure (FERF)—A message sent
back upstream that the receiving network element has
received a failure condition or alarm indication.
SONET uses the FERF message at the Line Layer.
Fast LAN—Term given to two emerging standards;
IEEE 802.3u (called Fast Ethernet) for Ethernet oper-
ating at 100 Mbps over Cat-3 or 5 UTP, and IEEE
802.12 (called 100VG-AnyLAN) for Ethernet or Token
Ring operating at 100 Mbps over CAT-3/4/5 UTP,
STP or optic fiber.
File Transfer Protocol (FTP)—(1) An IP applica-
tion protocol for transferring files between network
nodes. (2) An Internet protocol that allows a user on
one host to transfer files to and from another host over
a network.
Filter—Generally, a process, or device that screens
incoming information for certain characteristics,
allowing a subset of that information to pass through.
Fractional E3/T3—Fractional E3/T3 refers to the
leasing of portions of E3/T3 bandwidth (a specific
number of time slots) by carriers. FE3 or FT3 allows for
more economical networking in some applications.
Frame—A logical grouping of information sent as a
link-layer unit over a transmission medium. The terms
packet, datagram, segment, and message are also used
to describe logical information groupings at various
layers of the OSI reference model and in various tech-
nology circles.
Frame Relay Forum—A voluntary organization
composed of Frame Relay vendors, manufacturers,
service providers, research organizations, and users.
Similar in purpose to the ATM Forum.
Full Duplex—LAN Technique for transmitting full
duplex between a LAN station and the wiring hub.
Supports 10 Mbps in each direction (20 Mbps) for
Glossary • 37
Ethernet and 16 Mbps in each direction (32 Mbps for
Token Ring. Only support single stations, not LAN
segments.
Gateway—(1) A set of functions intended to facilitate
electronic access by users to remote services and vice
versa. Gateways are intended to provide a single source
through which users can locate and gain access to a
wide variety of service. Gateways typically offer a direc-
tory of services available through them, and provide
billing for these services. (2) Technically, a gateway is a
hardware and/or software connection that translates
information between two dissimilar protocols. The term
has come to be used, however, to describe any mecha-
nism for providing access from one system to another.
Generic Cell Rate Algorithm (GCRA)—An ATM
Forum-developed traffic shaping algorithm that utilizes
the traffic parameters defined on a given virtual circuit
to smooth wide fluctuations in cell traffic volumes and
to enforce the traffic limits defined in those parameters.
Gigabit—One billion bits.
Half-Duplex Transmission—Data transmitted in
either direction, one direction at a time.
Header—The five bytes in an ATM cell containing
address and control information. It includes payload
type, virtual path identifier, virtual circuit identifier,
generic flow control, and cell-loss priority.
High Definition Television (HDTV)—Television
systems which aim to offer approximately twice the
vertical and horizontal resolution of the existing
receivers and to provide quality approaching that of 35
mm film and audio quality equal to that of compact
discs. See Advanced Television.
High Speed Data Link Control (HDLC)—A
protocol defined by the International Standards
Organization and used in X.25 communications. It
38 • The New Generation of Network Analysis and Monitoring Systems
specifies an encapsulation method for data on synchro-
nous serial data links. Various manufacturers have
proprietary versions of HDLC, including IBM’s SDLC.
High-Speed Peripheral Parallel Interface
(HIPPI)—Computer channel simplex interface clocked
at 25 Mhz; 800 Mbit/s when 32 bits wide, 1.6 Gbit/s
when 64 bits.
High Speed Serial Interface (HSSI)—Standard
for a serial interface at high speeds (64 Kbps and higher
up to 52 Mbps) between DTE and DCE equipment
over very short distances. Used for the physical connec-
tion between a router and a DSU.
High-bit-rate Digital Subscriber Line (HDSL)—
A standard defined by the TlE1.4 standards committee,
designed to be a cost-effective method of delivering
T1/E1 line speeds over unconditioned copper cable.
Hyper Text Markup Language (HTML)—(1) The
language used in the World-Wide Web to create web
pages with links to other documents, rich text enhance-
ments (bold, italic, etc.) and so on. The “source” file for
what you see on a web page is written in HTML. (2)
The language with which World Wide Web documents
are formatted. It defines fonts, graphics, hypertext links,
and other details. HTML is an implementation of
SGML.
Integrated IS-IS—Routing protocol based on the
OSI routing protocol IS-IS, but with support for IP or
other networks. Integrated IS-IS implementations send
only one set of routing updates and are more efficient
than two separate implementations.
Interim Local Management Interface (ILMI)—
Defined for ATM by the ATM Forum in the UNI 3.0
specification.
Interior Gateway Protocol (IGP)—The protocol
used to exchange routing information between collabo-
Glossary • 39
rating routers in the Internet. RIP and OSPF are exam-
ples of IGPs.
International Organization for Standardization
(ISO)—Best know for the 7-layer OSI Reference
Model.
Internet Control Message Protocol (ICMP)—
A network-layer Internet protocol that provides message
packets to report errors and other information relevant
to IP packet processing. Documented in RFC 792.
Internet Engineering Task Force (IETF)—
An organization that provides coordination of
standards and specifications development for TCP/IP
networking.
Internet Gateway Protocol (IGRP)—
A proprietary IGP used by Cisco System’s routers.
Internetworking—General term used to refer to the
industry that has arisen around the problem of
connecting networks together. The term can refer to
products, procedures, and technologies.
IP and ARP over ATM—An adaptation of TCP/IP
and its address resolution protocol (ARP) for ATM
defined by the Internet Engineering Task Force in
Requests for Comment 1483 and 1577. It places IP
packets and ARP requests directly into protocol data
units (PDUs) and converts them into ATM cells.
IP Version Six (IPv6)—Also known as Ipng.
Jabber—An error condition in which a network device
continually transmits garbage onto the network. In
IEEE 802.3, a data packet whose length exceeds that
prescribed in the standard.
Japanese Signaling Level 2 (J2)—Japanese stan-
dard for digital transmission at 36.312 Mbps.
Java—(1) A programming language developed by Sun
Microsystems. Applets written in Java include their own
40 • The New Generation of Network Analysis and Monitoring Systems
software players, so you can download and run them on
any computer. (2 An object-oriented language, devel-
oped by Sun Microsystems, for writing distributed Web
applications.
Jitter—Analogue communication line distortion
caused by a variation of signals from its reference
timing positions. Jitter can also cause data loss, particu-
larly at high speeds.
Joint Photographic Experts Group (JPEG)—
Industry organization developing standards and specifica-
tions for the encoding and transmission of photographic
images over various media and network technologies.
LAN Emulation Configuration Server (LECS)—
ATM Forum-defined specification in support of LAN-
to-LAN connectivity called LAN emulation. LECS
defines that set of functions implemented in an ATM
network that provide LAN DTEs with information
regarding the location of other LAN Emulation services.
LAN Emulation Network-to-Network Interface
(LNNI)—Enables each vendors’ implementation of
LAN emulation to interoperate. This is essential for
building multivendor ATM networks.
LAN Emulation Server (LES)—ATM Forum-
defined specifications in support of LAN-to-LAN
connectivity called LAN emulation. LES defines that set
of functions implemented in an ATM network in
support of LAN-to-LAN connection establishment.
LAN emulation User-Network Interface (L-
UNI)—The definition of how legacy LAN protocols
and applications will coexist within an ATM network.
LAN segmentation—Dividing LAN bandwidth into
multiple independent LANs to improve performance.
Latency—The delay between the time a device
receives a frame and the frame is forwarded out of the
destination port.
Glossary • 41
Layer—A level of the OSI Reference Model. Each
layer performs certain tasks to move the information
from sender to receiver. Protocols within the layers
define the tasks for networks, but not how the software
accomplishes the tasks. Interfaces pass information
between the layers they connect.
Leaky Bucket Algorithm—A form of flow control
that checks an arriving data stream against the traffic-
shaping parameters specified by the sending node. Cells
arriving at an ATM network switch are placed in a
memory buffer (“bucket”), which is allowed to reach its
capacity but not overflow. The bucket is “leaky” in that
it allows cells to flow out to their destinations which ulti-
mately allows more cells to be added to the memory
buffer.
Line Overhead (LOH)—18 bytes of overhead
accessed, generated, and processed by line terminating
equipment. This overhead supports functions such as
locating the SPE in the frame, multiplexing or concate-
nating signals, performance monitoring, automatic
protection switching, and line maintenance.
Local Access and Transport Area (LATA)—
(1) A geographic area established for the provision and
administration of communications service. It encom-
passes one or more designated exchanges, which are
grouped to serve common social, economic and other
purposes. (2) Contiguous local exchange areas that
include every point served by a Bell Operating
Company within an existing community of interest and
that serve as the dividing line for the allocation of assets
and liabilities between AT&T and the Bell Operating
Companies. (3) A telephone company term that defines
a geographic area; sometimes corresponds to an area
code.
Multiprotocol encapsulation over ATM—The
process for enabling an ATM device or application to
add a standard protocol identifier to the LAN data
42 • The New Generation of Network Analysis and Monitoring Systems
which allows higher-layer protocols, such as IP, to be
routed over ATM.
Network Analyser—A hardware/software device
offering various network troubleshooting features,
including protocol-specific packet decodes, specific pre-
programmed troubleshooting tests, packet filtering, and
packet transmission.
Network Basic Input Output System
(NetBIOS)—The standard interface to networks on
IBM and PC compatible systems.
Network Information Center (NIC)—Originally
there was only one, located at SRI International and
tasked to serve the ARPANET (and later DDN)
community. Today, there are many NICs, operated by
local, regional, and national networks all over the
worlds. Such centers provide user assistance, document
service, training, and much more.
Network Operations Center (NOC)—Any center
tasked with the operational aspects of a production
network. These tasks include monitoring and control,
trouble-shooting, user assistance, and so on.
Open Shortest Path First (OSPF)—Routing
protocol for TCP/IP networks.
Open Systems Interconnection (OSI)—A 7-layer
architecture model for communications systems devel-
oped by ISO and used as a reference model for most
network architectures.
Operations, Administration and Maintenance
(OAM)—ATM management cells defined by the ATM
Forum in the UNI 3.0 specification for the management
of ATM devices.
Out of Band Signaling—An exchange access
signaling feature which allows customers to exchange
call control and signaling information over a communi-
cations path which is separate from the message path.
Glossary • 43
Out-of-Frame (OOF)—An Out-of-Frame condition
occurs when a specified proportion of consecutive
framing bits are in error.
Packet Switch—The vehicle of the Local Public Data
Network which performs the switching function. For
Local Public Data Network service, this is a Telephone
Company facility Hub.
Path Overhead (POH)—A 9-octet header in the
payload of a SONET or SDH frame that defines the
structure and content of the payload. (2) Overhead
accessed, generated, and processed by path terminating
equipment. This overhead supports Junctions directly
related to assuring reliable end-to-end transport 6f
services, including performance monitoring, access to
virtual tributaries, and / or access to the service carried.
Path overhead includes nine bytes of STS Path
Overhead and, when the frame is VT structured, five
bytes of VT Path Overhead.
Payload Type Indicator (PTI)—A three-bit field
contained in the ATM cell header. The first bit
indicates which AAL to be used to format the data in
the payload; the second provides Explicit Forward
Congestion Indication (EFCI); the third indicates
whether the cell contains data Operations,
Administration and Maintenance (OAM) information.
Permanent Virtual Circuit (PVC)—A defined
virtual link with fixed end-points that are set-up by the
network manager. A single virtual path may support
multiple PVCs.
Physical Medium Dependent (PMD)—A sub
layer of the physical layer that interfaces directly with
the physical medium and performs the most basic bit
transmission functions of the network.
Pleisiochronous Digital Hierarchy (PDH)—
Present multiplexing scheme from T1 to T-3 and
higher; contrast with SDH.
44 • The New Generation of Network Analysis and Monitoring Systems
Point-to-Point Protocol (PPP)—(1) Successor to
SLIP. Provides router-to-router and host-to-network
connections over both synchronous and asynchronous
circuits. (2) A protocol which allows a computer to use a
modem and a regular telephone line to make a TCP/IP
connection directly to the Internet. PPP is gradually
replacing SLIP for this purpose.
Private Network—A leased, private transmission
network that links multiple locations of a company or
other organization, using voice and/or data communi-
cations lines reserved exclusively for that company’s
traffic.
Private Network-to-Network Interface (P-NNI)—
A routing protocol that allows multiple vendors’ ATM
switches to be integrated. It automatically and dynami-
cally distributes routing information, enabling any switch
to determine a path within the network.
Protocol Data Unit (PDU)—A discrete piece of
information like a frame or a packet in the appropriate
format for encapsulation and segmentation in the
payload of a cell.
Pseudo-Random Binary Signal (PRBS)—
A repeating pattern of 2x-1 bits which simulates “live”
data.
Q.2931—ITU-TSS signaling standard for ATM to
support SVCs. Based on the signaling standard for
ISDN.
Q.933—ITU-TSS signaling standard for Frame Relay
to support SVCs. Based on the signaling standard for
ISDN.
Q.93B—Older name for ITU-TSS signaling standard
for ATM to support SVCs.
Quality Of Service (QOS)—Term for the set of
parameters and their values which determine the
performance of a given virtual circuit.
Glossary • 45
Remote Access—The process of allowing remote
workers to access a corporate LAN over analog or
digital telephone lines.
Remote Access Server—Access equipment at a
central site that connects remote users with corporate
LAN resources.
Remote Monitoring (RMON)—Subset of SNMP
MIB II allows flexible and comprehensible monitoring
and management capabilities by addressing up to ten
different groups of information.
Remote Procedure Call (RPC)—A TCP/IP mech-
anism that provides a standard for initiating and
controlling processes on remote or distributed computer
systems.
Request for Comment (FRC)—(1) The document
series, begun in 1969, which describes the Internet suite
of protocols and related experiments. Not all (in fact
very few) RFCs describe Internet standards, but all
Internet standards are written up as RFCs. (2) The
name of the process—as well as the result—of creating
standards on the Internet. New standards are proposed
and published on line, as RFCs.
RJ-45—Standard 8-wire connectors for IEEE 802.3
1BaseT networks.
Robbed Bit Signaling (for T1)—In voice applica-
tions, the use of the least significant bit in each time slot
in every 6th frame for signaling purposes. “Robbing” of
these bits has no significant effect on the quality of
voice transmission.
Router—(1) An OSI Layer 3 device that can decide
which of several paths network traffic will follow based
on some optimality metric. Also called a gateway
(although this definition of gateway is becoming
increasingly outdated), routers forward packets from
one network to another based on network-layer infor-
46 • The New Generation of Network Analysis and Monitoring Systems
mation. (2) A dedicated computer hardware and/or
software package which manages the connection
between two or more networks.
Routing Information Protocol (RIP)—An IGP
supplied with Berkeley UNIX systems. It is the most
common IGP in the Internet. RIP uses hop count as a
routing metric. The largest allowable hop count for RIP
is 16.
S/T Interface (ISDN BRI)—A four-wire interface
between an NT1 device and a terminal adapter. Outside
North America, the local carrier usually provides the NT1
and the end user has the option to buy or lease a TA.
Segmentation And Reassembly (SAR)
sublayer—Converts PDUs into appropriate lengths
and then formats them to fit an ATM cell format. At
the destination end-station, the SAR extracts payloads
from the cells and converts them back into PDUs to be
ultimately used by applications.
Service Advertising Protocol Identifier (SAPI)—
Address between layers in protocol stack; e.g., subfield
in first octet of LAP-D address.
Simple Network Management Protocol
(SNMP)—The Internet network management
protocol. SNMP provides a means to monitor and set
network configuration and runtime parameters.
Single Attachment Station (SAS)—Also known as
Class B station, a SAS is a device attached to FDDI
media through a single PMD connection. Typically, the
PMD connects to a Class A concentrator.
Single Mode—Used to describe optical fiber that
allows only one mode of light signal transmission.
Single-Attached Concentrator (SAC)—An FDDI
(or CDDI) concentrator that connects to the network by
being cascaded from an M (master) port of another
FDDI (or CDDI) concentrator.
Glossary • 47
Single-mode Fiber—Also called monomode. Single-
mode fiber has a narrow core that allows light to enter
only at a single angle. Such fiber has higher bandwidth
than multimode fiber, but requires a light source with a
narrow spectral width (for example, a LASER).
SMDS Network Interface (SNI)—Generic name
for all layers of the interface between an end use and
the SMDS network.
SNA Network Interconnection (SNI)—A facility
that provides cross-network communication between
two or more independent SNA networks.
SNMPv2—SNMP version 2. The “second generation”
SNMP.
Spanning Tree—An algorithm, the original version of
which was invented by Digital Equipment Corporation,
used to prevent bridging loops by creating a spanning
tree. The algorithm is now documented in the IEEE
802.1d specification, although the Digital algorithm and
the IEEE 802.1d algorithm are not the same, nor are
they compatible.
Static Routing—A system in which routing informa-
tion is manually entered into the routing table.
Station Management (SMT)—FDDI X3T9.5 spec-
ification that defines how ring stations are managed.
Switched Ethernet—Configuration supporting an
Ethernet hub with integrated MAC layer bridging or
switching capability to provide each port with 10 or 100
Mbps of bandwidth. Separate transmissions can occur
simultaneously on each port of the switching hub, and
the switch filters traffic based on the destination MAC
address.
Switched FDDI—A technique of transparently
connecting separate FDDI networks at full 100 Mbps
wire speed.
48 • The New Generation of Network Analysis and Monitoring Systems
Switched Virtual Circuit (SVC)—A virtual link,
with variable end-points, established through an ATM
network. With an SVC, the user defines the end-points
when the call is initiated that are subsequently termi-
nated at the end of the call. With a PVC, the end-
points are predefined by the network manager. A single
virtual path may support multiple SVCs.
Switching Hubs—Hubs that use intelligent Ethernet
switching technology which interconnects multiple
Ethernet LANs and higher speed LANs, such as FDDI.
Synchronous Transport Module 1 (STM-1)—
SDH standard for transmission over OC-3 optical fiber
at 155.52 Mbps.
Synchronous Transport Signal 1 (STS-1)—
(1) SONET standard for transmission over OC-1
optical fiber at 51.84 Mbps. (2) A SONET frame
including overhead and payload capacity. The basic
SONET frame is the STS-1. STS-1s can be
multiplexed or concatenated with no additional over-
head.
Telecommunications—Any transmission, emission,
or reception of signs, signals, writings, images, and
sounds or intelligence of any nature by wire, radio,
optical, or other electromagnetic systems.
Telnet—(1) The virtual terminal protocol in the
Internet suite of protocols. Allows users of one host to
log into a remote host and interact as normal terminal
users of that host. (2) A software service packaged with
most operating systems that allows the user to enter a
system via a network just as if he or she were using a
terminal attached directly to the system.
Terminal Emulation—A very popular network
application in which a computer runs software that
makes it appear to a host across the network as a
directly attached dumb terminal.
Glossary • 49
Transmission Control Protocol (TCP)—A reli-
able, full duplex, connection-oriented end to end trans-
port protocol running on top of IP.
Transmission Control Protocol/Internet
Protocol (TCP/IP)—(1) The common name for the
suite of protocols developed by the U.S. Department of
Defense in the 1970s to support the construction of
world-wide internetworks. TCP and IP are the two
best-known protocols in the suite. TCP corresponds to
Layer 4 (the transport layer) of the OSI reference
model. It provides reliable transmission of data. IP
corresponds to layer 3 (the network layer) of the OSI
reference model and provides connectionless datagram
service. (2) The collection of transport and application
protocols used to communicate on the Internet and
other networks
Tunneling Router—A router or system capable of
routing traffic by encrypting it and encapsulating it for
transmission across an untrusted network, for eventual
de-encapsulation and decryption.
U Interface (ISDN BRI)—The two-wire interface
that connects to the NT1 on a user’s premises. In North
America it can be integrated into the customer premises
equipment. In other countries, it is typically supplied by
the local carrier.
Undefined Bit Rate (UBR)—Traffic class defined by
the ATM Forum.
Universal Test & Operation Physical Interface
for ATM (UTOPIA)—A physical layer specification
for local connectivity between ATM devices.
UNIX—An operating system developed by AT&T that
is widely used by universities. UNIX uses TCP/IP as its
standard communications protocol, which makes
UNIX a natural operating system for accessing the
Internet.
50 • The New Generation of Network Analysis and Monitoring Systems
UNIX to UNIX Copy Program (UUCP)—
A protocol used for communication between consenting
UNIX systems.
Unshielded Twisted Pair (UTP)—Four-pair wire
medium used in the transmission of many different
protocols such as Ethernet, 10BaseT, and CDDI.
User—A person who has access to the Staffware
system via a computer workstation.
User Datagram Protocol (UDP)—A connection-
less transport-layer protocol belonging to the Internet
protocol family.
Virtual Channel Connection (VCC)—Virtual
channels in two or more sequential physical circuits can
be concatenated to create an end-to-end connection,
called a VCC. A VCC is a specific instance of a SVC
or PVC. A VCC may traverse one end-to-end VPC or
several sequential VPCs.
Virtual Channel Identifier (VCI)—The 16-bit
number in an ATM cell header identifying the specific
virtual channel on which the cell is traversing on the
current physical circuit.
Virtual Circuit (VC)—(1) A portion of a virtual path
or a virtual channel used to establish a virtual connec-
tion between two end nodes. (2) Logical channels estab-
lished as a result of the call initiation procedure to a
network address that exists for a period of time.
Virtual LAN—Membership to a Virtual LAN is
defined administratively independent of the physical
network topology. A virtual LAN segment is a unique
broadcast domain.
Virtual Path—A group of virtual channels, which can
support multiple virtual circuits.
Glossary • 51
Virtual Path Connection (VPC)—Virtual paths in NOTES
two or more sequential physical circuits can be concate-
nated to create a logical connection, called a VPC.
VPCs must be pre-configured. All cells traversing VCs
in a VPC are routed the same way.
Web—Web, used as a noun, is shorthand for the World
Wide Web.
Wireless—Communication technology that does not
use wire.
Workgroup—A group of workstations and servers
that commonly exchange data. This term is also used to
describe a group of people who work together.
X.21—Recommendations developed by CCITT that
define a protocol for communication between user
devices and a circuit switched network.
X.25 Packet Mode Protocol—An international
standard developed by Consultative Committee for
International Telephone and Telegraph that provides
the foundation for public switched networks.
X.75 Packet Mode Protocol—An international
standard developed by Consultative Committee for
International Telephone and Telegraph that provides
the foundation for interconnection of individual Packet
Switched Networks.

52 • The New Generation of Network Analysis and Monitoring Systems Notes • 53

 NOTES NOTES

54 • The New Generation of Network Analysis and Monitoring Systems Notes • 55

 Visit ATG’s Web Site
to read, download, and print
all the Technology Guides
in this series.

http://www.techguide.com

“The significant problems we face cannot be solved

by the same level of thinking that created them.”

Albert Einstein
 This Technology Guide is one
of a series of guides, published
by ATG, designed to put complex
communications and networking
technology concepts into practical
and understandable terms.
Each guide provides objective,
non-biased information to assist in
the internal education, evaluation
and decision making process.
This Technology Guide, as well
as the other communications and
networking technology guides
in the series, are available
on ATG‘s Web Site.

http://www.techguide.com

Produced and Published by

0497.5000

One Apple Hill, Suite 216, Natick, MA 01760

Tel: (508) 651-1155 Fax: (508) 651-1171 E-mail: [email protected]