Back to Blog

Gathering, Understanding, and Using Traffic Telemetry for Network Observability

Phil Gervasi
Phil GervasiDirector of Tech Evangelism
Streaming Telemetry
featured-telemetry-observation-deck
Table of Contents
How to gather traffic telemetryNetwork tapsPort mirroringSoftware probesTools for analyzing and understanding traffic telemetryHow to leverage traffic telemetry for network observabilityIdentifying bottlenecksDetecting malware and DDoS attacksCapacity planningIdentifying devices using a lot of network resourcesConclusion

Summary

Traffic telemetry is the foundation of network observability. Learn from Phil Gervasi on how to gather, analyze, and understand the data that is key to your organization’s success.

Traffic telemetry is the data collected from network devices and used for analysis. With traffic telemetry, engineers can gain real-time visibility into traffic patterns, correlate events, and make predictions of future traffic patterns. As a critical input to a network observability platform, this data can help monitor and optimize network performance, troubleshoot issues, and detect security threats.

However, traffic telemetry can be difficult to understand. While some enterprises might gather the data, many don’t know what to do with it—or they don’t have the tools to make the most of it.

In this article, we’ll look at:

  • How to effectively gather traffic telemetry
  • Tools for analyzing and understanding the collected data
  • How to leverage traffic telemetry for network observability

Let’s start by looking at data collection.

How to gather traffic telemetry

Gathering traffic telemetry involves monitoring and collecting data on the flow of network traffic. This can be done through a variety of techniques, such as using network taps, port mirroring, or software probes.

Network taps

One common method of gathering traffic telemetry is by using a network tap. A network tap is a hardware device that enables the passive monitoring of network traffic by copying all data passing through a network connection. This data can then be analyzed and used to monitor network performance, detect issues, and troubleshoot problems.

Port mirroring

Another method for gathering traffic telemetry is port mirroring, which replicates (mirrors) the network traffic on a switch or router to a monitoring device. With port mirroring, an engineer can monitor the traffic on specific ports or VLANs, which is especially useful for identifying issues with specific devices or applications.

Software probes

Software probes are programs that can be installed on servers or network devices to collect data on network traffic. They can provide detailed information on traffic patterns and usage. Envoy is a popular network proxy used by many service meshes that can also operate as a software probe.

Many cloud providers already have capabilities in place for collecting traffic telemetry. Azure has the Azure Network Watcher, AWS has CloudWatch, and GCP has Cloud Monitoring.

Monitoring network traffic can be expensive. It’s easy to fall into the trap of capturing every bit that goes through your network, then storing it forever. This may give you perfect knowledge, but unless this amount of information is required for compliance and regulatory reasons, this approach is undoubtedly overkill. You should think carefully about how much traffic telemetry you collect, balancing the value you derive from the data against the cost of capturing and storing it.

Tools for analyzing and understanding traffic telemetry

The raw data of traffic telemetry is too massive and low-level to understand directly and utilize. You’ll need to process this data, normalizing and aggregating it. Then, you’ll correlate it with other data sources. Finally, you can start the analysis after storing the processed data to identify trends and patterns.

Popular open-source projects for storage and visualization of traffic telemetry data (and other types of data) include:

  • Prometheus and Grafana: This is a powerful combination of the Prometheus time series database (that focuses on metrics collection) and the Grafana dashboarding-and-alerting platform.
  • Elasticsearch and Kibana: Geared primarily towards log data, this combination is often used along with Logstash or Fluentd to form the ELK (Elasticsearch + Logstash + Kibana) or EFK (Elasticsearch + Fluentd + Kibana) stacks.

Kentik has several open-source projects in the area of network observability. Check out Kentik Labs for more information.

In the commercial space, Kentik’s network observability platform offers a streamlined, turnkey solution that can integrate with your existing infrastructure and open-source observability solutions.

How to leverage traffic telemetry for network observability

Gathering and analyzing data might be fun, but at the end of the day, the goal is to leverage your data and gain value from it. Let’s consider simple use cases for leveraging traffic telemetry to troubleshoot network issues and improve performance.

Identifying bottlenecks

You can identify bottlenecks by looking for high utilization on specific network segments, large numbers of dropped packets, or retransmissions.

Detecting malware and DDoS attacks

You can detect malware and DDoS attacks by looking for unusual traffic volumes, unexpected traffic destinations or sources, or abnormal protocol usage. Correlate the data with other information, such as firewall logs, threat intelligence feeds, and endpoint security data.

DDoS defense in the Kentik platform

Your network observability solution can help you detect security incidents or malicious threats by analyzing network telemetry for unusual traffic spikes or patterns.

Capacity planning

Traffic telemetry can assist you with capacity planning as you look for daily and weekly traffic patterns, seasonal variations, and traffic spikes. With these insights in hand, you can use statistical techniques such as trend analysis, time series analysis, or forecasting algorithms to predict future traffic patterns. The forecast will allow you to determine future resource needs.

Identifying devices using a lot of network resources

Look for patterns such as high utilization on specific network segments, large numbers of packets sent or received, or high numbers of retransmissions. Then, correlate that data with information such as IP addresses, MAC addresses, and device names. In doing so, you’ll identify specific devices that are using a lot of network resources.

Kentik dashboard with network telemetry data
Dashboards from Kentik’s Network Observability Platform provide visualizations to help you make sense of your network telemetry data.

As you take concrete action on your traffic telemetry, consider these best practices:

  • Regularly review network configurations to identify and correct misconfigurations.
  • Regularly update and patch servers and devices for security and performance.
  • Identify and isolate malicious traffic and attackers.
  • Detect and alert on non-encrypted traffic.
  • Implement continuous monitoring over time.

Conclusion

Traffic telemetry is the foundation of your network observability, providing several benefits that include improved visibility, faster troubleshooting, network optimization, better security, tighter compliance, and response automation. However, putting in place a full-fledged network observability solution is not for the faint of heart. You’ll need good tools and a robust network observability platform. To learn more about Kentik, sign up for a demo.

Explore more from Kentik

Telemetry Now
Podcast
The Network Also Needs to be Observable, Part 2: Network Telemetry Sources
Blog Post
Best Practices for Enriching Network Telemetry to Support Network Observability
Blog Post
Kentik is the network observability company.
Get a Demo
844-356-3278

Platform

Solutions

Technology

New and Notable

Learn

Company

Copyright © 2024 Kentik. All rights reserved.
View in Prod
We use cookies to deliver our services.
By using our website, you agree to the use of cookies as described in our Privacy Policy.