
Network Monitoring for CompTIA Network+ N10-009

Network monitoring provides ongoing visibility into network health, performance, and security. CompTIA Network+ N10-009 tests monitoring protocols (SNMP, NetFlow, sFlow), monitoring tools (PRTG, Nagios, Zabbix), and proactive vs reactive monitoring approaches. Understanding how monitoring integrates with alerting, log management, and performance baselines is essential for the Network Operations domain.


SNMP Monitoring

SNMP (Simple Network Management Protocol) is the most widely used network device monitoring protocol. SNMP manager: the monitoring server (NMS — Network Management System). SNMP agent: software running on network devices (routers, switches, servers). MIB (Management Information Base): a database of variables (OIDs) that can be queried or set on a device — CPU usage, interface counters, error rates.

SNMP versions: v1 and v2c use community strings (plain-text shared secret) — no encryption. v2c adds bulk transfers and 64-bit counters. v3 adds user authentication (MD5/SHA) and encryption (DES/AES) — the only secure version. Always use SNMPv3 on production networks.

SNMP polling: the NMS periodically queries (GET) devices for metrics. SNMP traps: devices proactively send alerts to the NMS when significant events occur (interface down, high CPU, authentication failure) — uses UDP 162. Informs: like traps but with acknowledgment — the NMS acknowledges receipt. Traps are fire-and-forget; informs are reliable.
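The versions paragraph says v1/v2c community strings travel in plain text. The following is an added example, not from the original page or from any SNMP library: a minimal BER encoder for an SNMPv2c GetRequest, so you can see exactly what a packet capture of such a datagram contains (the OID, community string and request-id are constructed values).

```python
# Added example: hand-built SNMPv2c GetRequest to show the community string sits
# verbatim in the datagram. Nothing here sends traffic; it only builds the bytes.

def ber_len(n):
    """BER length: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(content)) + content

def ber_int(value):
    """Minimal big-endian INTEGER; leading 0x00 added when the top bit is set
    (non-negative values only, which is all SNMP headers need)."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big")
    return tlv(0x02, body)

def ber_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return tlv(0x06, bytes(out))

def snmp_get_request(community, oid, request_id):
    """SEQUENCE { version, community OCTET STRING, GetRequest-PDU [0] }.
    Version field 1 means SNMPv2c (0 would be v1)."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))        # OID + NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0)
              + tlv(0x30, varbind))                            # error-status/index = 0
    return tlv(0x30, ber_int(1) + tlv(0x04, community.encode()) + pdu)

def community_in_clear(datagram, community):
    """What anyone capturing the wire sees: the shared secret as literal bytes."""
    return community.encode() in datagram
```

Running `snmp_get_request("public", "1.3.6.1.2.1.1.1.0", 1)` yields 40 bytes in which `public` is readable at offset 8; SNMPv3 with authPriv is what removes that exposure.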

Flow-Based Monitoring

NetFlow (Cisco) / IPFIX (open standard) / sFlow: capture summary information about traffic flows rather than full packet content. A flow = traffic between the same source IP, destination IP, source port, destination port, and protocol. Flow data shows: who is talking to whom, how much traffic, which applications. Used for bandwidth analysis, capacity planning, and security (detecting anomalous traffic patterns).

NetFlow collector: receives and stores flow records from routers/switches. Flow analyzer: processes records for reports and alerts. sFlow is a sampling-based technology (samples 1 in N packets) — lower overhead than NetFlow on high-speed links. IPFIX is the IETF standard based on NetFlow v9.
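To make the flow concept concrete, here is an added example (not from the original page or from any vendor's flow tooling) that aggregates constructed packet observations into 5-tuple flow records, scales counts for sFlow-style 1-in-N sampling, and runs the two reports the section describes: who sends how much, and a metadata-only anomaly check. The IP addresses and ports are invented sample data.

```python
from collections import defaultdict

# Constructed packet observations (src_ip, dst_ip, src_port, dst_port, proto, bytes):
# what a router sees before summarising it into flow records.
PACKETS = [
    ("10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 1500),
    ("10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 1500),
    ("10.0.0.5", "192.0.2.10", 51000, 443, "tcp", 600),
    ("10.0.0.7", "192.0.2.20", 40000, 53, "udp", 80),
    ("192.0.2.20", "10.0.0.7", 53, 40000, "udp", 200),  # reply: its own unidirectional flow
    ("10.0.0.9", "192.0.2.30", 40001, 22, "tcp", 60),
    ("10.0.0.9", "192.0.2.30", 40002, 23, "tcp", 60),
    ("10.0.0.9", "192.0.2.30", 40003, 80, "tcp", 60),
    ("10.0.0.9", "192.0.2.30", 40004, 445, "tcp", 60),
]

def build_flows(packets, sampling_rate=1):
    """Aggregate packets into flow records keyed by the 5-tuple.
    sampling_rate=N models sFlow's 1-in-N sampling: each sampled packet stands
    for N packets, so counts are scaled up to estimate the true volume."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, sport, dport, proto, size in packets:
        rec = flows[(src, dst, sport, dport, proto)]
        rec["packets"] += sampling_rate
        rec["bytes"] += size * sampling_rate
    return dict(flows)

def top_talkers(flows, n=3):
    """Bytes sent per source IP, largest first: the 'who sends how much' report."""
    totals = defaultdict(int)
    for (src, _dst, _sp, _dp, _proto), rec in flows.items():
        totals[src] += rec["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def fan_out_anomalies(flows, max_dst_ports=3):
    """Flag a source that touches many distinct destination ports on one host.
    The pattern is visible from flow metadata alone; no payload is needed."""
    ports = defaultdict(set)
    for (src, dst, _sp, dport, _proto) in flows:
        ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) > max_dst_ports}
```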

Monitoring Tools and Alerting

Common monitoring platforms: PRTG Network Monitor (Windows, GUI-driven, sensor-based), Nagios (Linux/Windows, open source, highly extensible), Zabbix (open source, enterprise features), SolarWinds NPM (enterprise, expensive), Datadog (cloud-based SaaS), Grafana + Prometheus (open source metrics stack).

Alerting thresholds: configure alerts when metrics exceed normal ranges. Examples: CPU > 80% for 5 minutes, interface utilization > 90%, ping RTT > 100ms. Alerts should be actionable — too many false positives lead to alert fatigue, where real problems are ignored. Base thresholds on established baselines.
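The "CPU > 80% for 5 minutes" rule and the baseline advice can both be expressed in a few lines. This is an added example, not code from the original page or from any of the monitoring platforms named above: the CPU samples are constructed (one per minute), and the mean-plus-k-standard-deviations baseline rule is one common choice, not the only one.

```python
import statistics

# Constructed CPU samples (unix seconds, percent), one per minute: normal load near
# 40%, a single one-minute spike, then a sustained period above 80%.
CPU_SAMPLES = list(zip(range(0, 1200, 60), [
    40, 42, 38, 41, 39, 95, 40, 43, 37, 40,
    88, 91, 93, 90, 87, 92, 89, 45, 41, 39,
]))

def baseline_threshold(history, k=3.0, floor=80.0):
    """Threshold derived from a baseline: mean + k standard deviations, but never
    below a static floor (the page's 'CPU > 80%'), so a quiet baseline cannot
    produce a threshold that fires on ordinary load."""
    return max(floor, statistics.fmean(history) + k * statistics.pstdev(history))

def sustained_breaches(samples, threshold, hold_seconds):
    """Return (start, end) timestamps of each period in which the value stays above
    threshold for at least hold_seconds. Shorter excursions are dropped, which is
    what keeps a one-sample spike from becoming a false-positive alert."""
    alerts, start, last = [], None, None
    for ts, value in samples:
        if value > threshold:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            if last - start >= hold_seconds:
                alerts.append((start, last))
            start = last = None
    if start is not None and last - start >= hold_seconds:  # breach still open at end of data
        alerts.append((start, last))
    return alerts
```

With `hold_seconds=0` the sample data produces two alerts (the spike and the sustained period); with the 5-minute hold only the sustained one remains.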

Key exam facts — Network+

  • SNMP: manager polls agents (GET); devices send traps (UDP 162) for events
  • SNMPv3 = authentication + encryption; v1/v2c = community strings only (insecure)
  • MIB = database of OIDs (variables) that SNMP can query on a device
  • NetFlow/IPFIX captures flow summaries — who talks to whom and how much
  • sFlow = sampled flow data, lower overhead than full NetFlow
  • SNMP traps = fire-and-forget; SNMP informs = acknowledged delivery
  • Alert thresholds based on baselines; avoid false positives to prevent alert fatigue

Common exam traps

SNMPv2c is secure because it uses community strings

SNMP community strings are transmitted in plaintext and easily intercepted. v1 and v2c have no encryption — use SNMPv3 with authentication and encryption for all production monitoring.

NetFlow captures full packet content

NetFlow captures only flow metadata (source/destination IP, ports, byte count, packet count, protocol) — not the actual packet payload. For full packet capture, use Wireshark or a packet broker/tap.

Practice questions — Network Monitoring

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. A network administrator wants routers to proactively alert the monitoring server when an interface goes down, without waiting for the next polling cycle. Which SNMP feature provides this?

A. SNMP GET
B. SNMP SET
C. SNMP trap
D. SNMP MIB walk

Explanation: SNMP traps are unsolicited messages sent proactively from a network device to the SNMP manager when a significant event occurs (interface down, temperature threshold, authentication failure). This eliminates the wait until the next polling cycle. SNMP GET is a manager-initiated query. SNMP SET changes a device configuration value. MIB walk queries all OIDs.

Frequently asked questions — Network Monitoring

What is the difference between SNMP polling and SNMP traps?

SNMP polling (GET): the NMS periodically queries each device for metric values — typically every 5 minutes. Detection of a problem is delayed until the next poll. SNMP traps: the device immediately notifies the NMS when an event occurs — interface down, CPU spike, config change. Traps provide real-time alerting; polling provides ongoing metric collection. Both are used together in comprehensive monitoring.
