Making Business Sense of Your Network Traffic

by Warren Jones

September 16, 2008

Benefits and Examples

Knowing the characteristics of the network traffic can yield a good indication of its business purpose. Now, extend that thinking to what you might be able to determine based on knowing two or more of these characteristics. Let’s do this by considering some simple examples.

In Figure 1 (at the bottom of the page), you know the application names and remote network addresses. The CICS regions are production regions used for insurance policy processing. Remote addresses are all associated with a remote sub-network in New York City. You can now identify this traffic as a business application called CICS NYC.

In Figure 2 (at the bottom of the page), you know the application name, local ports, and remote network address. The application is FTP, and based on the ports used, it can be identified as non-secured FTP. The remote address is associated with a remote sub-network used by an important business partner. You now can identify this traffic as a business application called FTP Partner X.

Now, let’s assume you can measure network performance in this way. So, where’s the meat? It’s nice to know what business application or services are generating IP network traffic, but how can you use this information to better manage your network and IP infrastructure? Consider what you can do given a better understanding of network utilization:

Real-time performance monitoring based on business application: At any point, you would be able to understand the activity level the business application is generating. In particular, you could examine throughput (bytes in and out, number of active connections, number of total connections over a set sample period). If you had a particularly busy application, you would be able to see at a glance whether it was generating an acceptable amount of activity. For example, you get a call from your colleagues in NYC (referring back to Figure 1) saying they’re experiencing problems with their connections to CICS regions. Under normal circumstances, you would check to see if there are active connections to CICS and that there’s some level of IP activity to the stack and maybe even CICS, but have no real way of easily knowing whether this specific business service is experiencing acceptable performance. Having the granularity of data to see network traffic at a business application level let’s you quickly determine whether a significant issue exists.

Let’s get a bit more proactive in your management. You know this business application typically generates considerable traffic, so why don’t you alert based on a significant deviation from normal? No activity, or minimal activity, for what’s normally a busy business service should be immediately alerted on and investigated. Conversely, an overly high reading for something such as the number of active connections may suggest a problem, such as connections not being successfully closed. If you can determine baseline performance data, this can provide extremely meaningful values to use for your alert thresholds.




More info about the author:

Warren Jones