You cannot fix what you cannot see. Monitoring is your network's nervous system.
Users report "the network is slow" at 10 AM every Monday. Without monitoring, you start guessing.
With SNMP, syslog, NetFlow, and a SIEM, you pull up the data and see a backup job saturating the WAN link at exactly 10 AM.
You reschedule the backup. Problem solved in five minutes.
SNMP (Simple Network Management Protocol): the standard for querying device health, interface stats, and configuration data.
How It Works
An SNMP manager (monitoring server) sends GET requests to agents running on network devices. Agents respond with data from their MIB (Management Information Base) -- a structured database of device metrics.
SNMP Traps (Port 162)
Instead of waiting to be polled, the device proactively sends an alert to the manager. Used for critical events: interface down, high CPU, fan failure. Faster than polling intervals.
MIB (Management Information Base)
Hierarchical tree of OIDs (Object Identifiers). Each OID maps to a specific metric. Example: 1.3.6.1.2.1.1.5.0 = sysName. Vendors extend the MIB tree with proprietary branches.
SNMPv2c -- Insecure
Uses community strings (like passwords) sent in plaintext. Default strings: "public" (read-only), "private" (read-write). Anyone sniffing the network captures the string. Do not use on untrusted networks.
SNMPv3 -- Secure
Adds authentication (SHA/MD5), encryption (AES/DES), and message integrity. No more community strings. Three security levels: noAuthNoPriv, authNoPriv, authPriv. Always use v3 when possible.
SNMP uses UDP port 161 for queries and UDP port 162 for traps. Both are in the well-known range and commonly tested.
Slide 3 of 8
Syslog: Centralized Logging
Every device generates logs. Syslog collects them in one place for analysis.
How It Works
Devices send log messages over UDP port 514 to a central syslog server. The server timestamps, categorizes, and stores every message. Without centralized logging, you must SSH into each device individually to read logs.
Why Centralize?
Correlation: see events across devices in a single timeline. Retention: logs persist even if a device is compromised or wiped. Compliance: many regulations require centralized log retention (PCI-DSS, HIPAA).
Syslog Severity Levels (0-7)
Level | Keyword       | Description              | Example
0     | Emergency     | System is unusable       | Kernel panic, total hardware failure
1     | Alert         | Immediate action needed  | Database corruption detected
2     | Critical      | Critical conditions      | Disk failure in RAID array
3     | Error         | Error conditions         | Interface CRC errors
4     | Warning       | Warning conditions       | CPU temperature high
5     | Notice        | Normal but significant   | Interface up/down transition
6     | Informational | Informational messages   | User login successful
7     | Debug         | Debug-level messages     | Packet trace output
Exam tip: Lower number = more severe. "Every Alley Cat Eats Watery Noodle In Darkness" or just remember 0 = Emergency, 7 = Debug.
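The severity level is not sent as a word; it is packed with the facility into the PRI field at the front of every syslog message (PRI = facility * 8 + severity). This added example, not part of the slide deck, parses classic BSD-style lines and decodes PRI into the table's keywords; the sample lines and host names are constructed.

```python
import re

# Severity keywords in the order of the table above (0 = Emergency ... 7 = Debug).
SEVERITIES = ["Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug"]
# Facility codes as numbered in RFC 3164 (0-23); only the common ones are named.
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth",
              5: "syslog", 10: "authpriv", 16: "local0", 23: "local7"}

# Classic BSD-style line: <PRI>Mmm dd hh:mm:ss host tag: message
LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")

def parse_syslog(line):
    """Split one syslog line into its parts and decode the PRI field.

    PRI = facility * 8 + severity, so severity is PRI mod 8 and facility
    is PRI div 8. Returns None for malformed lines or an out-of-range PRI."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:          # 23 * 8 + 7 is the largest legal PRI value
        return None
    facility, severity = divmod(pri, 8)
    return {
        "facility": FACILITIES.get(facility, f"facility{facility}"),
        "severity": severity,
        "keyword": SEVERITIES[severity],
        "timestamp": m.group(2),
        "host": m.group(3),
        "message": m.group(4),
    }

def at_or_above(lines, max_level):
    """Keep messages at severity max_level or more severe (lower number wins)."""
    parsed = (parse_syslog(line) for line in lines)
    return [p for p in parsed if p and p["severity"] <= max_level]

# Constructed sample lines (not real device output).
SAMPLE = [
    "<0>Mar  9 10:01:12 core-rtr kernel: panic - not syncing",       # kern.emerg
    "<27>Mar  9 10:01:15 core-rtr ifmgr: Gi0/1 CRC errors detected",  # daemon.err
    "<190>Mar  9 10:01:20 fw-edge sshd: user alice logged in",        # local7.info
]
```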
Slide 4 of 8
SIEM: Security Information & Event Management
Syslog collects logs. A SIEM makes them actionable.
Log Aggregation
Ingests logs from syslog servers, firewalls, IDS/IPS, endpoints, cloud services, and applications into a single searchable platform.
Correlation & Rules
Connects related events across systems. Example: 50 failed logins on the firewall + successful login + privilege escalation = possible compromise. A single log source would miss the pattern.
Alerting & Response
Triggers alerts based on rules or anomaly detection. Integrates with ticketing, email, Slack, or automated response playbooks (SOAR). Reduces mean time to detect (MTTD).
Common SIEM products: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM. The exam does not test specific products, but you should know what a SIEM does and why it matters.
Without a SIEM, your firewall logs show 50 failed logins. Your AD logs show a successful login. Your endpoint logs show a new admin account. Three separate consoles, three separate analysts, three separate tickets. The SIEM correlates all three into one alert: "Account takeover in progress."
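The correlation rule described above, as an added example that is not part of the slide deck: normalized events from three sources are grouped per user and the alert fires only when the chain failures, then success, then privilege escalation appears in order inside a time window. The event records, thresholds and source names are constructed for illustration.

```python
from collections import defaultdict

# Constructed, normalized events as a SIEM holds them after ingestion:
# (timestamp in seconds, source system, event type, username).
EVENTS = (
    [(1000 + i, "firewall", "login_failed", "alice") for i in range(50)]
    + [(1060, "firewall", "login_failed", "bob")]
    + [(1120, "ad", "login_success", "alice"),
       (1300, "endpoint", "admin_account_created", "alice"),
       (1400, "ad", "login_success", "bob")]
)

def correlate_takeover(events, min_failures=50, window=900):
    """Return one alert per user whose events match the chain
    login_failed (x min_failures) -> login_success -> admin_account_created
    with the whole chain inside `window` seconds.

    Each log source alone sees only its own step; the rule fires only when
    all three appear, in order, for the same user."""
    by_user = defaultdict(list)
    for ts, source, kind, user in sorted(events):
        by_user[user].append((ts, source, kind))

    alerts = []
    for user, evs in by_user.items():
        failures = [ts for ts, _, k in evs if k == "login_failed"]
        if len(failures) < min_failures:
            continue
        # The success must come after the burst of failures ...
        success = next((ts for ts, _, k in evs
                        if k == "login_success" and ts > failures[-1]), None)
        if success is None:
            continue
        # ... and the escalation after the success, all within the window.
        escalation = next((ts for ts, _, k in evs
                           if k == "admin_account_created" and ts > success), None)
        if escalation is None or escalation - failures[0] > window:
            continue
        alerts.append({"user": user,
                       "sources": sorted({s for _, s, _ in evs}),
                       "summary": "Account takeover in progress",
                       "span_seconds": escalation - failures[0]})
    return alerts
```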
Slide 5 of 8
Flow Data: NetFlow, sFlow, IPFIX
See WHO is talking to WHOM, on WHAT ports, and HOW MUCH data is moving.
NetFlow (Cisco)
Exports flow records from routers and switches. A flow = unique combination of source IP, destination IP, source port, destination port, protocol. Shows traffic patterns without capturing full packets.
sFlow (Sampling)
Samples 1-in-N packets rather than tracking every flow. Lower overhead, works at very high speeds. Multi-vendor. Good for high-level traffic analysis but less detail than NetFlow.
IPFIX (Standard)
IETF standard based on NetFlow v9. Vendor-neutral. Flexible templates allow custom fields. The "official" version of NetFlow for non-Cisco environments.
Flow vs Packet Capture
Flow data tells you metadata: who talked, when, how much, what ports. Like a phone bill -- you see the calls but not the conversation.
Packet capture records the actual content. Like wiretapping -- full payload. Far more storage, far more detail.
Monday 10 AM slowness? NetFlow shows 800 Mbps from the backup server to the cloud storage endpoint. That is your answer. No packet capture needed -- flow data identified the culprit in seconds.
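To make the flow definition concrete, this added example (not from the slide deck) aggregates per-packet summaries into flow records keyed by the 5-tuple and ranks them by bytes and average rate, which is how a collector surfaces the backup server in the scenario above. The packet summaries, addresses and ports are constructed; no payload is present, which is exactly what flow data omits.

```python
# Constructed packet summaries as a flow collector would see them:
# (timestamp sec, src ip, dst ip, src port, dst port, proto, bytes).
PACKETS = (
    # the "backup server": a long burst of full-size packets to cloud storage
    [(600.0 + i * 0.001, "10.1.1.20", "203.0.113.10", 51000, 443, "tcp", 1500)
     for i in range(2000)]
    # ordinary web browsing and a few DNS lookups
    + [(600.0 + i * 0.1, "10.1.1.30", "198.51.100.5", 52000, 443, "tcp", 600)
       for i in range(20)]
    + [(601.0 + i, "10.1.1.50", "10.1.1.1", 40000, 53, "udp", 80) for i in range(3)]
)

def build_flows(packets):
    """Aggregate packets into flow records keyed by
    (src ip, dst ip, src port, dst port, protocol)."""
    flows = {}
    for ts, src, dst, sport, dport, proto, size in packets:
        key = (src, dst, sport, dport, proto)
        f = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
    return flows

def top_talkers(flows, n=3):
    """Rank flows by bytes; return (key, bytes, average Mbps) for the top n."""
    ranked = sorted(flows.items(), key=lambda kv: kv[1]["bytes"], reverse=True)
    out = []
    for key, f in ranked[:n]:
        duration = max(f["last"] - f["first"], 1e-3)   # avoid a zero-length flow
        mbps = f["bytes"] * 8 / duration / 1e6
        out.append((key, f["bytes"], round(mbps, 1)))
    return out
```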
Slide 6 of 8
Packet Capture & Port Mirroring
When flow data is not enough, you go deeper.
Packet Capture
Captures full packet payloads using tools like Wireshark or tcpdump. Provides complete visibility into what is being transmitted. Essential for troubleshooting application-layer issues, malware analysis, and forensics.
Port Mirroring (SPAN)
Switch copies all traffic from one or more source ports to a destination port where your capture tool is connected. No inline device needed. Cisco calls it SPAN (Switched Port Analyzer). Other vendors use "mirror port."
Network TAP
Physical device inserted inline on a cable. Passively copies all traffic to a monitoring port. Does not affect the network -- even if the TAP loses power, traffic still flows. More reliable than SPAN for high-throughput capture.
Capture Considerations
Storage grows fast -- a 1 Gbps link generates ~450 GB/hour of raw capture. Encrypted traffic (TLS) is opaque without the decryption keys. Legal and privacy policies may restrict what you can capture.
Exam tip: Port mirroring = copies traffic to an analyzer. Network TAP = physical inline copy device. Both feed packet capture tools. Know the difference.
Slide 7 of 8
Baselines, Anomalies, & API Integration
Know what "normal" looks like so you can spot what is not.
Baseline Metrics
Document normal performance: bandwidth utilization, latency, error rates, CPU/memory on network devices. Measure over time (weeks) to account for daily and weekly patterns. Without a baseline, every alert is guesswork.
Anomaly Detection
Compare current metrics against the baseline. Deviations trigger alerts. Example: if WAN utilization is normally 30% at 2 PM and suddenly spikes to 95%, that is an anomaly worth investigating -- even if no device is technically "down."
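The baseline-and-deviation logic from the two items above, as an added example that is not part of the slide deck: a per-weekday-and-hour baseline is built from several weeks of utilization samples, and a new reading is flagged when it sits more than a chosen number of standard deviations from that slot's mean. The history, threshold and the minimum-stdev floor are constructed assumptions.

```python
import statistics
from collections import defaultdict

def build_baseline(samples):
    """Per (weekday, hour) mean and standard deviation of utilization (%).

    samples: iterable of (weekday 0-6, hour 0-23, utilization_percent).
    Several weeks of data are needed so daily and weekly patterns are captured."""
    buckets = defaultdict(list)
    for weekday, hour, util in samples:
        buckets[(weekday, hour)].append(util)
    baseline = {}
    for key, vals in buckets.items():
        mean = statistics.fmean(vals)
        stdev = statistics.pstdev(vals) if len(vals) > 1 else 0.0
        baseline[key] = (mean, stdev)
    return baseline

def is_anomaly(baseline, weekday, hour, util, z_threshold=3.0, min_stdev=2.0):
    """Return (flagged, z_score) for one reading against its baseline slot.

    min_stdev stops a nearly flat baseline from alerting on tiny wobbles;
    a slot with no history is never flagged, since there is no 'normal' yet."""
    if (weekday, hour) not in baseline:
        return False, 0.0
    mean, stdev = baseline[(weekday, hour)]
    z = (util - mean) / max(stdev, min_stdev)
    return abs(z) > z_threshold, round(z, 2)

# Constructed four-week history: ~30% at 14:00 on weekdays, ~5% at 02:00.
HISTORY = []
for week in range(4):
    for weekday in range(5):
        HISTORY.append((weekday, 14, 30 + (week + weekday) % 3))   # 30-32%
        HISTORY.append((weekday, 2, 5 + week % 2))                # 5-6%
```

A 95% reading at 2 PM is flagged against that history while 33% is not, and a 2 AM reading of 7% stays inside the band.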
API Integration
Modern monitoring tools expose REST APIs. Automate device provisioning, pull metrics into dashboards, trigger remediation scripts. Cloud-managed networks (Meraki, Mist) are API-first -- the dashboard is just a client.
Exam tip: Establishing a baseline is a prerequisite for anomaly-based monitoring. You must know what normal is before you can define abnormal.
Slide 8 of 8 | N10-009 Obj 3.1
Network Monitoring -- Key Takeaways
Monday 10 AM slowness hits again. You open NetFlow -- backup job saturating the WAN. You check SNMP -- router CPU at 94%. Syslog shows interface flapping. The SIEM correlates it: the backup job triggers congestion, which causes packet loss, which causes retransmissions, which spikes CPU. You reschedule the backup to 2 AM. Five minutes of diagnosis, permanent fix.
5 Facts to Carry Out of This Presentation
1. SNMP polls devices (UDP 161) and receives traps (UDP 162). v2c uses plaintext community strings. v3 adds encryption and authentication.
2. Syslog (UDP 514) centralizes logs. Severity 0 (Emergency) to 7 (Debug). Lower number = more severe.
3. A SIEM aggregates, correlates, and alerts on data from multiple sources. It turns raw logs into actionable intelligence.
4. NetFlow/sFlow/IPFIX = traffic metadata (who, what, when, how much). Packet capture = full payload. Port mirroring (SPAN) or a TAP feeds capture tools.
5. Baselines define normal. Anomaly detection flags deviations. Without a baseline, you cannot distinguish a problem from a pattern.