Affordable IT: Network Monitoring Systems
We tested nine SNMP monitors that cost less than a grand. Our top pick lit up our world with its Layer 2 mapping and advanced toolset.
September 27, 2004
When we decided to review network-monitoring applications for our first regular Affordable IT feature, we were nervous. These network-management bad boys can be expensive, and we weren't at all sure whether the products that met our $1,000 price cap would be worthy. We dared to dream but kept our hopes in check, so we wouldn't be crushed if we found limited availability and products that offer response monitoring for just a few devices.
Silly us. We were blown away by the quantity and quality of the responses. We expected these tools to perform simple monitoring using ping and traceroute, and we got that for less than $100. We also found advanced features for less than $500.
We began with 10 entries: AdRem Software's NetCruch 3, Breakout Technologies' MonitorIT 6.0, Castle Rock Computing's SNMPc, ipMonitor Corp.'s eponymous product, Ipswitch's WhatsUp Small Business 2004, Neon Software's CyberGauge 6.0 and LANsurveyor 8.5, Nessoft's MultiPing 1.0 and PingPlotter 2.5 bundle, Quest Software's Big Brother and SolarWinds.Net's Engineer's Edition Toolset 7. But at the last minute, Castle Rock had to withdraw SNMPc when it raised the product's price to just above our $1,000 cap.
Our monitoring plan was simple: Track the uptime and response time of a few switches, routers, servers and maybe some IP services. We didn't expect the products to perform application or systems management, or deep SNMP tracking. After putting these products through their paces in our Syracuse University Real-World Labs (see "How We Tested Network Monitors,"), we found simple-to-configure, slam-bam, monitor it ma'am from the MultiPing 1.0 and PingPlotter 2.5 bundle, WhatsUp Small Business and CyberGauge, all of which cost from a few dollars to a few hundred dollars. But the product that really tickles our cheapskate bone is Quest's Big Brother, priced at the grand total of free!
If you need automatic discovery, ipMonitor and MonitorIT have it. Need help with managing adds, removes and changes in the network? NetCrunch and LANsurveyor provide periodic, schedulable network rediscovery, like much more expensive suites. All the products we tested have the expected status mechanisms, including notifications through e-mail, color statuses, triggered executables and audio cues. MonitorIT and ipMonitor did the best job keeping us informed.
To help organize large networks, some entries, including MonitorIT and Big Brother, let us group devices by service, geography and type. Engineer's Toolset, ipMonitor and LANsurveyor provide even more advanced features, such as grouping monitored devices dynamically based on a parameter (IP address, for instance).
Features Click to Enlarge |
Incredibly, LANsurveyor also performs Layer 2 mapping and IDS scanning. This helped it earn our Editor's Choice award. Coming in a close second was SolarWinds.Net's SolarWinds Engineer's Edition Toolset: It monitors, it configures, it calculates IP address, it does TFTP ... if we asked, it probably would have mowed the lawn. Honorable mention goes to ipMonitor, which provides extensive systems management from a logically designed, snappy Web interface. Our analysis of our nine entries follows. Note that all pricing is MSRP.
Neon got a good score for pricing (see Report Card) due in part to its included support and upgrades, and because at just less than $800, LANsurveyor's systems agents support software distribution and IDS scanning. If you don't need IDS scanning--a $295 option--you can get LANsurveyor for less than $500, with 20 systems agents included. Great value.
During setup, LANsurveyor took us for a stroll through the discovery process. You'll need to know your SNMP community strings and the network to which they apply, but in return you'll get quick discovery of local subnets. Discovery options include using Active Directory as well as the usual subnet ranges. LANsurveyor gave us some status feedback during discovery, showing the number of nodes, routers and switches found, for example. This information is helpful when discovery is taking longer than expected, and it's a useful diagnostic tool if you're getting oddball results.
LANsurveyor made a valiant attempt to map our Layer 2 port numbers for devices attached to SNMP-managed devices. It worked satisfactorily, but because SNMP MIBs aren't perfect, LANsurveyor, like any management product attempting Layer 2 mapping, isn't perfect either. Still, this is a worthwhile feature that can help document the network and diagnose problems. Just expect to spend time auditing results. LANsurveyor does provide a report listing the MAC addresses seen on managed devices; this was helpful for unraveling some mismapped devices we encountered.
Part of the LANsurveyor's discovery process looks for "Neon Responders," proprietary performance agents for Windows and Mac boxes. When none was found, the process asked us to install them. So we did. The responders gather system-management information, such as the memory, CPUs and applications on our desktops and servers. Managing these systems is limited to getting inventory information passively, though you could remotely shut down, reboot, change passwords, launch applications and take control of those systems using Timbuktu or VNC (neither is included with the product).
The process to install the responders selected, by default, every device discovered. We said sure and let it run. Our bad--we wanted to remove the agents after testing, and removal isn't automated. Neon says automation to uninstall agents will be in the next release.
LANsurveyor let us create various polling configurations, thus mitigating polling traffic, which eats bandwidth, and more important, spending our management server cycles wisely. Each configuration can have unique targets culled from the discovered inventory, and different alerts specified for failed and recovered devices. Each poll configuration displayed a list that showed our minimum/maximum/average response times. This let us poll critical devices more aggressively.
LANsurveyor 8.5, $495 plus $249 for continuous-scan IDS option; support and upgrades included. Neon Software, (800) 334-6366. www.neon.com
This network-management extravaganza made us feel like kids in a candy store. It has oodles of tools to design IP addresses, hack security, diagnose connectivity, break down SNMP MIBs, block e-mail and manage Cisco configurations. But we passed on all these treats and headed straight for the network discovery, monitoring and performance goodies that most closely fed this review's management craving.
The Engineer's Toolset is, as its name implies, a handy collection of applications. However, the collection doesn't include or create a common database with inventories of all the devices in a network. We had to specify the IP addresses for each of the tools. For this reason, our features chart (page 88) indicates no automated discovery. But don't take that to mean that there's no discovery, period. In fact, the Toolset's discovery options are extensive. Beginning with ping scans, progressing to a DNS audit, jumping to a deep SNMP sweep, and finishing with a MAC address and Layer 2 switch port mapper, this product has the most varied and deep network and system discovery of all those we tested.
And discovery is fast. All the devices on our subnet were found in less than 30 seconds. The results screen popped response time, DNS name and system MIB information in a flash.
The product's network monitoring and performance tools don't limit the number of watched devices. After adding our chosen devices, we selected which interfaces to monitor. Instead of showing us a MIB table with an option to choose ifInOctets or inOutOctets, our choices were to see traffic or errors. Although somewhat limited, this setup gets to the heart of what most will monitor.
After specifying interfaces, drives and CPU metrics for systems, routers and switches, we were off and monitoring. The data displays are too numerous to list, but minimum/maximum/average for utilization and availability across network, disk and CPU are preconfigured.
It was easy to set up alerting thanks to sensible descriptions of categories, like: "Page me when a node goes down." We also liked the single check-box selection needed to get alerts going. By default, 10 canned alerts can be cloned and edited if the specifics aren't quite right.
The Engineer's Toolset includes data-management capabilities, such as database backup and compression, and a host of other administrative controls. Its report customization, publishing and administration of the data store, for example, are on par with a standalone performance-management application, so it wasn't a surprise that the included performance-management tool is similar to SolarWinds.Net's Orion performance-management app, with the exception that the former is limited to the server on which the Toolkit is installed.
SolarWinds Engineer's Edition Toolset 7, $995. SolarWinds.Net, (918) 307-8100. www.solarwinds.net
The capital "M" for monitoring is well-placed in this excellent product. From the snappy response of its Web console to the incredible array of built-in monitors, ipMonitor belongs on our shortlist. In addition to monitoring common TCP/IP services, ipMonitor monitors enterprise applications, including Active Directory, RADIUS and Lotus Notes.
When we set out to check for service availability, ipMonitor's QA Monitor agents ran transaction checking for expected results. We set up an HTTP QA Monitor to check for static content on a Web page so we'd know not only that the server could respond to the HTML request but also that the Web site (or at least part of it) was running. The list of QA Monitors includes Active Directory, DNS, FTP, IMAP4, POP3, RADIUS, SNMP, SNPP (Simple Network Paging Protocol), telnet and whois. As long and strong as this roster is, we'd like to see SQL added (some people are never satisfied).
Alerting in ipMonitor is strong as well, with 15 types of flexible alerts combined with good alert management. In addition, we liked how it can restart Windows services and mail a recent report, which provides some context of what was going on prior to the alert. We could combine alert notifications and applicable time schedules, then apply them to any number of events generated when ipMonitor recognized a violated threshold or log entry.
Getting started with ipMonitor was a breeze; its setup is well-documented, and the configuration program guided us along. The Web console stressed, politely, that the first thing new users should do is open the to-do list. We obeyed and found that each page has good contextual help, understandable descriptions and examples. Although ipMonitor doesn't give a graphic map, it groups devices at Layer 3, which is practical for day-to-day use.
ipMonitor 7.1, starts at $995 for 500 monitors; annual service included. ipMonitor Corp., (819) 772-4772. www.ipmonitor.com
AdRem Software NetCrunch 3
Standard Granular monitoring is all well and good, but not for newbies to the world of network and systems management. SNMP variables, for example, are widely available to monitor for long-term trends, such as bytes or errors in and out, but we were lucky we knew where to look and understood why MIB instances don't yield results, because NetCrunch let us make as many mistakes as we cared to.
Autodiscovery is tied to starting up the product, after which we went on a wizard walk targeting specific networks. Adding new networks is simple--just a right click away. Like ipMonitor, NetCrunch let us set dependencies between devices for suppression of secondary events.
NetCrunch also includes advanced threshold mechanisms to delay and reset controls. Setting a delay means that the thresholds we set had to persist for a certain, settable amount of time to violate the threshold. However, the measurement (in minutes) is longer than we would like. The reset control let us clear the violation condition once the reset value occurred.
We liked the product's step-by-step instructions for monitoring small or large networks. Also included with NetCrunch is a handy guide that provides an overview of network monitoring, including what metrics can be monitored and general info about monitoring techniques. A must-read for those with little or no experience.
NetCrunch 3 Standard, $795; annual service included. AdRem Software, (212) 319-4114. www.adremsoft.com
It's unusual for an enterprise-management vendor to give anything good away, but Quest Software does. Quest bought the venerable and free Big Brother network-monitoring application and now offers an enterprise version of Big Brother that adds support and advanced features.
Statistics collection in Big Brother is good, and we felt like we didn't even scratch the surface of all the available scripts. We could monitor availability and utilization of CPUs, memory, disks, logs, systems processes, services and, of course, SNMP MIB variables. SNMP integration can leverage MRTG (Multiroute Traffic Grapher).
Configuration files control which processes the server runs, what devices are monitored and e-mail notification for alerts. We created static groups of network and system devices. Server processes include polling, displaying status and notification of alerts.
The product's HTML interface is snappy about loading current device and IP service status. The well-organized display uses the typical red for bad, green for good, yellow for banana or warning, so understanding what's going on didn't take much gray matter.
Creating reports is simple and quick, with two views showing all the devices and services or a condensed view of just the aggregate status. Help files are also brief and to the point, and there are plenty of active user forums.
Big Brother 1.9e (Unix), 2.30 (Windows Server), 1.08d (Windows Client), free. Quest Software, (949) 754-8000. www.quest.com Neon Software CyberGauge 6.0 Basic, useful and requiring almost zero work to get going, CyberGauge is a good little monitoring application. One area where it differs from rivals is its presentation, which is direct, showing, initially, a single device from which interfaces are chosen and then monitored using line graphs. The usual map of devices populated from most autodiscovery processes is dispensed with in favor of straightforward "Here's your network device, and the utilized bandwidth on interfaces X, Y and Z are right there on the screen."
Of course, this means that after we pulled up a dozen or so monitored interfaces, our screen was full. CyberGauge handles this by exporting a JPEG snapshot of each monitored interface on a user-defined schedule. Time stamps let us sort out multiple images. Not something we'd want to do every five minutes, but as an hourly task it gave us something to peruse over coffee.
CyberGauge supports CSV file imports, and setting up a bandwidth threshold is easy thanks to the product's intelligent design. We chose an interface, then set up values, colors and even specifics about the duplex (half or full) of the particular interface. When we saved our configuration changes, CyberGauge asked if we'd like to have the changes applied to our other interfaces, with the exception of bandwidth and duplicity specifics.
Just because the product is simple to use doesn't mean you'll sacrifice alerts. Its notification is basic but sufficient, including e-mail, network broadcast, pager and SNMP traps.
CyberGauge 6.0, starts at $295 for five-device version; upgrades and support included. Neon Software, (800) 334-6366. http://www.neon.com/
Simplicity is the theme here. We didn't need much knob turning to start tracking availability, and WhatsUp has a good blend of ease of use, low price and basic monitoring. It sat there happily in our system tray, monitoring our network.
Although WhatsUp isn't big on drawing complex Layer 2 maps, its straightforward display of our monitored systems made it easy for us to see device status. Instead of lots of custom views, WhatsUp streamlines device-status reporting with network, health, availability and performance views.
WhatsUp is intentionally limited to 10 monitored devices. This makes autodiscovery less important, but the process was easy to understand and launch anyway. Although many more than 10 devices can be discovered, we had to choose the lucky 10 we wanted to monitor. We did so and were up and tracking in less than five minutes.
A couple of limitations go along with this ease of use, however. For example, we had to delete a device prior to running a new autodiscovery whenever we wanted to add new devices to our group. This is an issue only on subsequent discoveries and when the number of possible devices is more than 10, but still, we wish we'd had the option to select from the original results list.
Once we'd settled on the devices to monitor, we went looking for some SNMP communities (noticeably absent as a parameter during autodiscovery) and poll frequency tweaks. Alas, WhatsUp doesn't support SNMP, and polling is predefined at five-minute intervals. Well, this does keep it simple--two fewer knobs to turn.
The alert wizard made it simple to specify notifications; options include playing a tune, sending an e-mail and popping up a notification window. A status icon lives in the system tray and automatically pops up the worst-case device, providing quick insight into problems.
Reports are straightforward as well. The health report shows all the services being monitored for a device; availability pegs the time in which a device or service is up; and the performance report shows a graph indicating if a service or device is moving slow or fast. All the reports are easy to understand, and because they are predefined, work without any setup.
WhatsUp Small Business 2004, $295; annual service included. Ipswitch, (781) 676-5700. www.ipswitch.com
MonitorIT's welcome screen gave us a 15-minute quick-start guide, including a useful summary of steps. This would have had us up and running in 15 minutes ... except that it took about an hour to discover a single class-C subnet, rather than the five to 15 minutes most rivals needed for this task. The disconnect was likely because of MonitorIT running through every discovery for every address in the range; in contrast, other products normally look for SNMP, for example, only if an address responds to ping.
MonitorIT let us select IP-range checking for SNMP and ping, and we could define whether to look for well-known TCP and UDP ports as well as user-defined services. We could target Windows servers using NT and AD domain queries. The process went through each device in the range, displaying success and failure when looking for the selected monitors. This provided an easy audit of devices and services we expected--and didn't expect.
Once our devices were selected for monitoring, the process flowed directly into choosing what and how to monitor. MonitorIT has a proprietary agent for Windows as one monitoring option, so we went ahead and installed it on a couple of machines. We were disappointed, however, that device grouping was static. We did push the proprietary agent out to other Windows machines from the central console, defining access and authentication credentials.
MonitorIT throws up unnecessary barriers when defining rate thresholds, like the monitoring of SNMP interfaces. The process expands the MIB object to display the devices for which a known SNMP device is available in the products inventory. This solves the issue of setting up threshold monitoring for devices that don't support the specifically chosen MIB object; however, MonitorIT limits threshold watches to like MIB objects.
A variety of reports can be distributed on a preset basis. Creating new reports wasn't as difficult as setting them up to run on schedule, however. Interactive reports displayed real-time statistics in graph and table form, and MonitorIT provides a wizard for formatting displays of the graphs.
We didn't think much of MonitorIT's help files. For example, we tried to figure out how to add devices to groups. The context help file about groups explains how to create a group, a completely obvious task, but doesn't link to related topics about how groups are populated.
MonitorIT 6.0, price based on number of monitored devices: starts at $125 for one; 90 days support & updates included; annual service extra. Breakout Technologies, (908) 561-5210. www.breakoutsoft.com
The MultiPing app tracks--you guessed it--device responses to ping. This is a real-time display of traffic, not designed for historical performance plotting. Thresholds are set to measure packet loss, error rates and response times, and minimum/maximum/average and current values are presented in a compact display showing a configurable number of samples over time.
We changed the rate of pinging as well as the size of the ping packet. Alerting is based on simple response times and packet loss percentages. Warning (yellow) and critical (red) graphed responses notified us of threshold violations, corresponding to user-defined thresholds for each. We could run multiple instances of MultiPing to monitor different sets of devices, and we could save monitoring attributes, which was handy.
PingPlotter, a companion product, can be contextually launched from MultiPing or run separately. Also simple in design, PingPlotter runs a traceroute to a target, plotting the minimum/maximum/average results over a configurable number of samples at a user-selected rate. Additional knobs let us save results over time in incremented files, so historical trends can be captured. We could set multiple alerts to be sent by e-mail, system tray icon change, logging and executable notifications.
MultiPing 1.0 and PingPlotter 2.5 bundle, $44.90 per single user license. Nessoft, (888) 810-1255.
Bruce Boardman, executive editor of Network Computing, tests and writes about network management and systems. He has 12 years' experience managing networks and distributed computing for a financial service provider.
You May Also Like