Network Monitoring: SNMP, NetFlow, sFlow, gNMI, Streaming Telemetry and Observability Stack
Network monitoring is the foundation of all network operations. SNMP is the standard protocol for polling device metrics, NetFlow/sFlow analyze traffic patterns, gNMI is the modern protocol for streaming telemetry, streaming telemetry pushes data in real time instead of waiting to be polled, and an observability stack brings metrics, logs, and traces together for full visibility.
Most organizations still poll SNMP every 5 minutes, which leaves blind spots: a traffic spike that lasts 30 seconds will not show up in a 5-minute SNMP poll. Streaming telemetry sends data every 1-10 seconds, so every anomaly is visible, but it generates a very high data volume, so a proper observability stack is needed to ingest, store, and visualize it.
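
The blind spot described above, worked through as an added example (not code from the original article): the same 30-second spike is measured once by a 5-minute counter poll and once by 10-second samples. The 100 Mbit/s link, the 10%/95% load levels and the 32-bit counter that wraps at most once per interval are assumptions chosen for the illustration.

```python
COUNTER32_MAX = 2**32  # a 32-bit octet counter (e.g. ifInOctets) wraps here

def build_counter(link_bps=100_000_000, base_pct=10, spike_pct=95,
                  spike_start=120, spike_len=30, duration=300,
                  start=4_290_000_000):
    """Constructed per-second counter readings across one 5-minute window."""
    readings, value = [start], start
    for t in range(duration):
        pct = spike_pct if spike_start <= t < spike_start + spike_len else base_pct
        value = (value + link_bps * pct // 100 // 8) % COUNTER32_MAX
        readings.append(value)
    return readings

def utilization(readings, interval, link_bps=100_000_000):
    """Percent utilization per interval from counter deltas (wrap-aware)."""
    result = []
    for i in range(interval, len(readings), interval):
        # Modulo arithmetic recovers the delta across a single counter wrap.
        delta = (readings[i] - readings[i - interval]) % COUNTER32_MAX
        result.append(delta * 800 / (interval * link_bps))
    return result

def compare(readings):
    """What a 5-minute poll reports versus a 10-second telemetry stream."""
    polled = utilization(readings, 300)
    streamed = utilization(readings, 10)
    return {"poll_300s": polled, "stream_peak": max(streamed),
            "stream_samples_over_90": sum(1 for u in streamed if u > 90)}

if __name__ == "__main__":
    print(compare(build_counter()))
```

The 5-minute poll averages the burst into a value that looks unremarkable, while the 10-second stream shows the link close to saturation for three consecutive samples.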
Monitoring Evolution
| Generation | Technology | Model | Resolution |
|---|---|---|---|
| Gen 1 (1990s) | SNMP v1/v2c | Poll (pull) | 5-15 minutes |
| Gen 2 (2000s) | SNMP v3 + NetFlow v5/v9 | Poll + flow export | 1-5 minutes |
| Gen 3 (2010s) | sFlow + IPFIX + REST APIs | Sampling + API | Seconds to minutes |
| Gen 4 (2020s) | gNMI + Streaming Telemetry | Push (subscribe) | Sub-second to seconds |
SNMP (Simple Network Management Protocol)
| Feature | Details |
|---|---|
| What it is | Protocol for monitoring and managing network devices; polls OIDs from the MIB |
| Versions | v1 (community string, no encryption), v2c (bulk operations), v3 (auth + encryption) |
| Operations | GET (read single OID), GETNEXT (walk), GETBULK (efficient bulk), SET (write), TRAP (async alert) |
| MIB | Management Information Base: the tree of OIDs that a device exposes |
| Polling | NMS polls the device every 1-5 minutes → collects interface counters, CPU, memory |
| Limitations | Pull model (blind between polls), text-based MIBs (hard to parse), CPU overhead on devices |
| Still Used | Legacy devices, simple monitoring, broad device support (everything supports SNMP) |
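
The version differences in the table (community strings without encryption in v1/v2c, auth + encryption in v3) can be checked on an agent's configuration. This is an added example, not part of the original article; it assumes a Net-SNMP style `snmpd.conf`, and the sample file and finding texts are constructed for the illustration.

```python
COMMUNITY = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}
V3_USER = {"rouser", "rwuser"}
LEVELS = {"noauth", "auth", "priv"}

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONF = """\
# constructed snmpd.conf for the example
rocommunity public
rwcommunity netops 10.0.0.5
createUser nms SHA "constructed-auth-pass" AES "constructed-priv-pass"
rouser nms auth
rouser collector priv
"""

def audit_snmpd(conf_text):
    """Return (line_number, finding) pairs for weak SNMP access settings."""
    findings = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()
        if not tokens:
            continue
        directive, args = tokens[0].lower(), tokens[1:]
        if directive in COMMUNITY and args:
            findings.append((lineno, "v1/v2c community access (no encryption)"))
            if args[0].lower() in ("public", "private"):
                findings.append((lineno, "default community string"))
            if len(args) < 2 or args[1] == "default":
                findings.append((lineno, "no source address restriction"))
            if directive.startswith("rw"):
                findings.append((lineno, "SET allowed with a community string"))
        elif directive in V3_USER and args:
            if args[0] == "-s":  # optional "-s SECMODEL" prefix
                args = args[2:]
            if not args:
                continue
            # When no level is given, the agent requires auth but not privacy.
            level = args[1].lower() if len(args) > 1 and args[1].lower() in LEVELS else "auth"
            if level != "priv":
                findings.append((lineno, f"v3 user '{args[0]}' not required to use encryption"))
    return findings

if __name__ == "__main__":
    for lineno, finding in audit_snmpd(SAMPLE_CONF):
        print(f"line {lineno}: {finding}")
```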
NetFlow / IPFIX
| Feature | NetFlow | IPFIX |
|---|---|---|
| What it is | Cisco proprietary flow export | IETF standard (based on NetFlow v9) |
| How | Router/switch tracks flows (5-tuple) → export flow records to collector | Same concept, open standard |
| Versions | v5 (fixed format), v9 (templates, flexible) | IPFIX (v10, variable length, enterprise fields) |
| Flow Key | Src IP, Dst IP, Src Port, Dst Port, Protocol | Same + extensible templates |
| Data | Bytes, packets, timestamps, TCP flags, ToS | Same + any field via templates |
| Use Case | Traffic analysis, capacity planning, security (DDoS detection, anomaly) | Same + compliance, billing |
| Collectors | ntopng, Elastiflow, SolarWinds NTA, PRTG | Same tools (most support both) |
sFlow
| Feature | Details |
|---|---|
| What it is | Sampling-based flow technology — sample 1 in N packets → export to collector |
| vs NetFlow | sFlow: packet sampling (stateless, low CPU); NetFlow: flow tracking (stateful, more CPU) |
| Sampling Rate | 1:1000 to 1:10000 (configurable) — trade accuracy for performance |
| Multi-Vendor | Open standard — supported by most vendors (not just Cisco) |
| Real-Time | Samples are sent immediately (no waiting for a flow to expire) → more real-time than NetFlow |
| L2 Support | Sample at L2 → see MAC addresses, VLANs (NetFlow typically L3+) |
| Collectors | sFlow-RT (real-time), ntopng, InMon, Elasticsearch |
gNMI and Streaming Telemetry
| Feature | Details |
|---|---|
| gNMI | gRPC Network Management Interface — modern protocol for config + telemetry |
| gRPC | High-performance RPC framework (HTTP/2, protobuf) — efficient binary encoding |
| YANG Models | Data models define what can be monitored/configured (OpenConfig, vendor-specific) |
| Subscribe | Client subscribes to paths → device pushes updates (on-change or sample interval) |
| On-Change | Device sends data only when value changes → efficient for config, interface state |
| Sample | Device sends data at fixed interval (e.g., every 10 seconds) → counters, utilization |
| Advantage | Push model (no blind spots), efficient encoding, structured data (YANG), sub-second resolution |
Observability Stack
| Component | Purpose | Tools |
|---|---|---|
| Collection | Ingest telemetry data from devices | Telegraf, gNMIc, Prometheus exporters, Logstash |
| Message Bus | Buffer and distribute data streams | Apache Kafka, NATS, RabbitMQ |
| Time-Series DB | Store metrics with timestamps | InfluxDB, Prometheus, TimescaleDB, VictoriaMetrics |
| Log Storage | Store and search logs | Elasticsearch, Loki, Splunk |
| Visualization | Dashboards and graphs | Grafana, Kibana, Datadog |
| Alerting | Detect anomalies and trigger notifications | Grafana Alerts, PagerDuty, Prometheus Alertmanager |
SNMP vs gNMI Comparison
| Feature | SNMP | gNMI |
|---|---|---|
| Model | Pull (poll) | Push (subscribe) |
| Encoding | ASN.1/BER (text-heavy) | Protobuf (binary, efficient) |
| Transport | UDP (unreliable) | gRPC/HTTP2 (reliable, TLS) |
| Data Model | MIB (flat, vendor-specific) | YANG (structured, OpenConfig) |
| Resolution | Minutes | Sub-second to seconds |
| CPU Impact | High (device processes each poll) | Low (push on-change, efficient encoding) |
| Adoption | Universal (everything supports it) | Growing (modern devices, NOS) |
Closing thoughts: Network Monitoring = From Polling to Streaming
Network Monitoring:
- SNMP: poll-based (GET/SET/TRAP), MIB/OIDs, v2c (common) / v3 (secure), 1-5 min resolution
- NetFlow/IPFIX: flow-based (5-tuple), traffic analysis, capacity planning, DDoS detection
- sFlow: sampling-based (stateless, low CPU), multi-vendor, real-time samples, L2 support
- gNMI: push-based (subscribe), gRPC/protobuf, YANG models, sub-second resolution, on-change
- Observability: collection (Telegraf/gNMIc) → bus (Kafka) → TSDB (InfluxDB/Prometheus) → viz (Grafana)
- Migration: SNMP (legacy, universal) → gNMI (modern, efficient) → both coexist in transition
- Key: streaming telemetry gives real-time visibility — combine with flow data and logs for complete observability