
Network Monitoring Basics

Why Monitoring Matters

Most home networks operate as black boxes. Traffic flows in and out, devices connect and disconnect, and nobody sees any of it. The router's blinking lights confirm something is happening, but not what. This lack of visibility means that compromised devices, data exfiltration, unauthorized access, and performance problems all go undetected until symptoms become obvious.

Network monitoring changes this. At its simplest, monitoring means collecting data about what is happening on your network and making that data visible. Who is talking to whom, how much data is moving, what protocols are in use, and which devices are active. Once you can see your network, you can defend it.

Flow Monitoring

Flow monitoring tracks conversations between devices without capturing the actual content. Think of it as reading the envelope of every letter without opening it. You see the source address, destination address, how much data was sent, and when - but not the payload.

The two main flow protocols are NetFlow (Cisco's protocol, later standardized by the IETF as IPFIX and supported by many other vendors) and sFlow (a vendor-neutral standard that samples packets rather than counting every one, so its byte counts are estimates). Both produce flow records keyed on source and destination address, protocol and ports, each carrying byte and packet counts and start and end times. A record answers: which internal device talked to which external server, on which port, and how much data was exchanged.

For home networks, flow monitoring is valuable because it reveals patterns. Your smart TV sending 2 GB of data to a server in a country you have never visited is suspicious. A security camera uploading data at 3 AM when nobody is home is suspicious. Flow data exposes these patterns without storing a byte of payload; the same signal is buried in a full packet capture, but at a storage cost you cannot sustain around the clock.
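Here is what that pattern-spotting looks like in code. This is an added example, not code from the original article or from ntopng: it reads a constructed CSV in the rough shape of a flow export (real nfdump or ntopng exports have more columns and different names, so the parser is an assumption to adapt) and applies the three checks above using nothing but the envelope fields. The device inventory, the list of known destinations, the quiet hours and the upload threshold are made-up baselines standing in for ones you would build from a week or two of your own traffic.

```python
"""Triage of exported flow records for the patterns described above.

Added example, not code from the original article or from ntopng. The CSV
is constructed and only loosely resembles a real nfdump/ntopng export, so
parse_flows() is an assumption to adapt. DEVICES, KNOWN_DESTINATIONS,
QUIET_HOURS and BIG_UPLOAD are stand-ins for a baseline of your own.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample export. bytes_out is client->server, bytes_in the reverse.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,proto,dst_port,bytes_out,bytes_in
2024-03-10T20:01:12,192.168.1.20,192.0.2.10,tcp,443,35000,2200000
2024-03-10T20:05:40,192.168.1.30,203.0.113.77,tcp,443,2147483648,120000
2024-03-11T03:02:05,192.168.1.40,198.51.100.9,tcp,8443,180000000,4096
2024-03-11T03:02:06,192.168.1.40,198.51.100.9,tcp,8443,170000000,4096
2024-03-11T09:15:00,192.168.1.20,192.168.1.1,udp,53,120,400
2024-03-11T09:15:01,192.168.1.20,192.0.2.10,tcp,443,5000,90000
"""

DEVICES = {                      # assumed inventory, e.g. built from DHCP leases
    "192.168.1.20": "desktop",
    "192.168.1.30": "smart-tv",
    "192.168.1.40": "ip-camera",
}
# Destinations each device is known to use. A device missing here is not
# baselined yet; an empty set means "should talk to nothing outside".
KNOWN_DESTINATIONS = {
    "smart-tv": {"192.0.2.10"},
    "ip-camera": set(),          # configured for local recording only
}
QUIET_HOURS = range(0, 6)        # 00:00-05:59, nobody is home
BIG_UPLOAD = 100 * 1024 * 1024   # >= 100 MiB out in one flow is unusual here
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(row["start"]),
            "src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
            "proto": row["proto"], "dst_port": int(row["dst_port"]),
            "bytes_out": int(row["bytes_out"]), "bytes_in": int(row["bytes_in"]),
        })
    return rows


def external(flow):
    """True when the destination lies outside RFC 1918 private space."""
    addr = ipaddress.ip_address(flow["dst_ip"])
    return not any(addr in net for net in RFC1918)


def upload_by_device(flows):
    """Bytes each internal device sent to each external host."""
    totals = defaultdict(int)
    for f in filter(external, flows):
        name = DEVICES.get(f["src_ip"], f["src_ip"])
        totals[(name, f["dst_ip"])] += f["bytes_out"]
    return dict(totals)


def flag_flows(flows):
    """Return (reason, device, flow) for every flow matching a pattern.

    The rules are deliberately simple; the point is that each one needs only
    the envelope (addresses, port, bytes, time), never the payload.
    """
    findings = []
    for f in filter(external, flows):
        name = DEVICES.get(f["src_ip"], f["src_ip"])
        known = KNOWN_DESTINATIONS.get(name)
        if known is not None and f["dst_ip"] not in known:
            findings.append(("unexpected destination", name, f))
        if f["bytes_out"] >= BIG_UPLOAD:
            findings.append(("large upload", name, f))
        if f["start"].hour in QUIET_HOURS and f["bytes_out"] > 1024:
            findings.append(("activity during quiet hours", name, f))
    return findings


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (device, dst), nbytes in sorted(upload_by_device(flows).items()):
        print(f"{device:10} -> {dst:15} {nbytes / 1e6:10.1f} MB out")
    for reason, device, f in flag_flows(flows):
        print(f"[{reason}] {device} -> {f['dst_ip']}:{f['dst_port']} at {f['start']:%Y-%m-%d %H:%M}")
```

On the sample the desktop's flows pass every rule, the TV trips the destination and size rules once, and the camera trips all three rules on both of its 3 AM flows. If your exporter is sFlow, remember that byte counts are scaled up from samples, so keep a threshold like BIG_UPLOAD loose enough to absorb sampling error.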

graph TD
    subgraph "Network Devices"
        PC[Desktop PC]
        IOT[Smart TV]
        CAM[IP Camera]
        PHONE[Smartphone]
    end
    subgraph "Router/Switch with Flow Export"
        FLOW_EXP[Flow Exporter]
    end
    subgraph "Flow Collector"
        NTOP[ntopng]
        DB[Flow Database]
        DASH[Dashboard and Alerts]
    end
    PC -->|Traffic| FLOW_EXP
    IOT -->|Traffic| FLOW_EXP
    CAM -->|Traffic| FLOW_EXP
    PHONE -->|Traffic| FLOW_EXP
    FLOW_EXP -->|Flow Records| NTOP
    NTOP --> DB
    DB --> DASH
    DASH -->|Alert: Unusual traffic pattern| DASH

Flow monitoring pipeline - network traffic is summarized into flow records and analyzed for patterns and anomalies

Packet Capture

Packet capture records the full content of network traffic. Where flow monitoring sees envelopes, packet capture reads the letters. This gives you complete visibility but at a cost: storage requirements are enormous, and much modern traffic is encrypted (HTTPS), limiting what you can actually read. Encryption hides payloads, not metadata: addresses, ports, timing and packet sizes stay visible, as does the DNS lookup that preceded a connection and, in most TLS sessions today, the server name in the ClientHello (SNI). That is often enough to tell what a device is talking to, even when you cannot see what it said.

Wireshark is the standard tool for packet analysis. It runs on Windows, macOS, and Linux, captures traffic from your local network interface, and provides protocol-level decoding that shows exactly what is happening in each packet. For home use, you typically capture traffic selectively - during a troubleshooting session or when investigating a specific device - rather than recording everything continuously.

To capture traffic from devices other than your own computer, you need a mirror/SPAN port on your switch (managed switches support this) or a network tap. A switch forwards unicast traffic only to the port where the destination lives, so without one of these your computer sees only its own traffic plus broadcast and multicast packets. Mind the capacity as well: a mirror port that aggregates several busy ports can exceed its own link speed, and the switch silently drops what does not fit, so a quiet capture is not proof of quiet traffic.
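To make the envelope/letter distinction concrete, the following added example (not code from the original article or from Wireshark) builds a tiny capture in memory and then reduces it to flow records the way a collector would. The packets are constructed: a camera at 192.168.1.40 resolves a name, then pushes three TLS-looking segments to port 443. Only classic pcap, Ethernet II, option-free IPv4, UDP/TCP headers and an uncompressed DNS question are decoded, and no third-party library is used.

```python
"""Reduce a packet capture to flow records, keeping only what the envelope shows.

Added example, not from the original article or from Wireshark. It writes a
small pcap in memory from constructed packets and parses it the way a flow
collector would. Decoded: classic pcap, Ethernet II, option-free IPv4,
UDP/TCP headers and an uncompressed DNS question; nothing else.
"""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1

def _addr(dotted):
    return bytes(int(x) for x in dotted.split("."))

def _ipv4(src, dst, proto, payload):
    """IPv4 header with a zero checksum (nothing here validates it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                       64, proto, 0, _addr(src), _addr(dst)) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp(sport, dport, payload):
    # seq/ack 1, data offset 5 words, PSH+ACK, window 65535, checksum and urg 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0) + payload

def _dns_query(name):
    """DNS message with one A question (id 0x1234, recursion desired)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def _frame(ts_sec, ip_packet):
    """pcap record header followed by an Ethernet II frame carrying IPv4."""
    data = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip_packet
    return struct.pack("<IIII", ts_sec, 0, len(data), len(data)) + data

def build_sample_pcap():
    """Constructed capture: a camera resolves a name, then pushes three TLS-looking segments."""
    cam, resolver, cloud = "192.168.1.40", "192.168.1.1", "198.51.100.9"
    frames = [_frame(1710126000, _ipv4(cam, resolver, 17,
                                      _udp(51000, 53, _dns_query("upload.example.net"))))]
    for i in range(3):
        frames.append(_frame(1710126001 + i, _ipv4(cam, cloud, 6,
                             _tcp(44321, 443, b"\x17\x03\x03" + b"\x00" * 1200))))
    # global header: magic, version 2.4, tz offset 0, sigfigs 0, snaplen, link type
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return header + b"".join(frames)

def iter_packets(pcap):
    """Yield (ts_sec, frame_bytes) from a classic pcap of either byte order."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    linktype, = struct.unpack(endian + "I", pcap[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        yield ts_sec, pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def dns_qname(message):
    """First question name of a DNS message (no label compression handled)."""
    labels, i = [], 12
    while message[i]:
        n = message[i]
        labels.append(message[i + 1:i + 1 + n].decode())
        i += 1 + n
    return ".".join(labels)

def flows_from_pcap(pcap):
    """Aggregate packets into 5-tuple flow records; keep DNS names seen on port 53."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None, "dns": []})
    for ts, frame in iter_packets(pcap):
        if frame[12:14] != b"\x08\x00":
            continue                                   # not IPv4
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        if proto not in (6, 17):
            continue
        src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
        l4 = ip[ihl:]
        sport, dport = struct.unpack("!HH", l4[:4])
        rec = flows[(src, dst, proto, sport, dport)]
        rec["packets"] += 1
        rec["bytes"] += len(ip)
        rec["first"] = ts if rec["first"] is None else rec["first"]
        rec["last"] = ts
        if proto == 17 and dport == 53:
            rec["dns"].append(dns_qname(l4[8:]))       # the one payload we can still read
    return dict(flows)

if __name__ == "__main__":
    for key, rec in flows_from_pcap(build_sample_pcap()).items():
        print(key, rec)
```

The DNS question is the only payload the script reads; the three port-443 segments contribute nothing but counts and timing, which is exactly what a flow record would have kept. Against a real capture you would reach for tshark or Wireshark rather than this parser; the point is what the capture contains and how little of it a flow summary needs.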

SNMP and Device Health

Simple Network Management Protocol (SNMP) is how network devices report their health. Switches report port utilization and error counts. Routers report CPU usage, memory, and interface throughput. Access points report connected clients and channel utilization.

SNMP monitoring is more relevant for small business networks than typical homes, because consumer routers and switches rarely support SNMP. But if you run a managed switch (UniFi, TP-Link Omada, Netgear ProSafe) or a pfSense/OPNsense firewall, SNMP gives you metrics like interface utilization over time, packet error rates that indicate cable or hardware problems, and CPU/memory trends that reveal overloaded hardware. Treat SNMP as a credential, not just a metrics feed: versions 1 and 2c send the community string in cleartext and many devices ship with the default "public", so prefer SNMPv3 with authentication and privacy where the device supports it, change the community string where it does not, and allow SNMP queries only from your monitoring host.

Log Aggregation

Every network device generates logs. Your router logs DHCP leases, firewall blocks, and connection events. Your access point logs client associations and disassociations. Your firewall logs every rule match. Individually, each log is hard to search and correlate. Aggregated into a central system, they become powerful.

Syslog is the standard protocol for forwarding logs. Most network devices can send their logs to a syslog server. On the receiving end, tools like Graylog or a simple rsyslog setup on a Linux box collect, index, and let you search logs across all devices. Classic syslog travels over UDP port 514 with no authentication or encryption, which is acceptable on a trusted home LAN but not across the internet; where a device supports it, use syslog over TLS (RFC 5425) instead.

The security value is in correlation. A firewall block from an external IP at 2:14 AM, followed by a new device appearing on your network at 2:15 AM, followed by unusual outbound traffic at 2:16 AM - these individual events look innocuous alone but together form a sequence you should treat as an intrusion until proven otherwise. Correlation depends on every device agreeing about the time, so point them all at the same NTP source before you start comparing timestamps.
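Here is that 2:14/2:15/2:16 chain as a small correlation, as an added example that is not code from the original article or from any syslog tool. The six log lines are constructed in RFC 3164 style from a hypothetical gateway named gw; the message formats of the block, DHCPACK and anomaly lines are assumptions (pfSense's filterlog, for one, writes CSV, so you would swap the regexes), and a year is assumed because RFC 3164 timestamps omit it.

```python
"""Correlating events across aggregated syslog.

Added example, not code from the original article or from any syslog
tool. The lines are constructed to look like RFC 3164 syslog from a home
gateway; real devices format messages differently, so the message regexes
are assumptions to adapt. RFC 3164 timestamps carry no year, so YEAR is
assumed for the sample.
"""
import re
from datetime import datetime, timedelta

SAMPLE_SYSLOG = """\
Mar 11 02:14:07 gw firewall: block in on wan from 203.0.113.45 to 198.51.100.2 port 22 proto tcp
Mar 11 02:15:02 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.77 3c:22:fb:aa:bb:cc
Mar 11 02:16:10 gw flowmon: outbound anomaly 192.168.1.77 -> 203.0.113.45:4444 bytes=48213000
Mar 11 09:00:13 gw dnsmasq-dhcp[812]: DHCPACK(br0) 192.168.1.20 b8:27:eb:11:22:33 desktop
Mar 11 14:00:41 gw firewall: block in on wan from 198.51.100.200 to 198.51.100.2 port 3389 proto tcp
Mar 11 14:20:00 gw flowmon: outbound anomaly 192.168.1.20 -> 192.0.2.10:443 bytes=900000000
"""
YEAR = 2024

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                       r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
BLOCK_RE = re.compile(r"block in on \S+ from (?P<src>[\d.]+) to")
LEASE_RE = re.compile(r"DHCPACK\(\S+\) (?P<ip>[\d.]+) (?P<mac>[0-9a-f:]{17})")
ANOMALY_RE = re.compile(r"outbound anomaly (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)")


def parse_syslog(text):
    """Turn raw lines into typed events; anything unrecognized is dropped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        if blk := BLOCK_RE.search(msg):
            events.append({"ts": ts, "kind": "block", "ext_ip": blk["src"]})
        elif lease := LEASE_RE.search(msg):
            events.append({"ts": ts, "kind": "lease", "ip": lease["ip"], "mac": lease["mac"]})
        elif anom := ANOMALY_RE.search(msg):
            events.append({"ts": ts, "kind": "anomaly", "ip": anom["src"],
                           "ext_ip": anom["dst"], "port": int(anom["port"])})
    return events


def correlate(events, window=timedelta(minutes=5)):
    """Chain block -> new lease -> anomaly, each within `window` of the last.

    A chain is only reported when the anomalous flow goes to the very IP the
    firewall blocked, and comes from the IP the new lease handed out. That is
    what turns three innocuous-looking lines into one story; a block alone,
    or a lease alone, is just a normal day.
    """
    by_kind = {k: [e for e in events if e["kind"] == k] for k in ("block", "lease", "anomaly")}
    chains = []
    for blk in by_kind["block"]:
        for lease in by_kind["lease"]:
            if not blk["ts"] <= lease["ts"] <= blk["ts"] + window:
                continue
            for anom in by_kind["anomaly"]:
                if (lease["ts"] <= anom["ts"] <= lease["ts"] + window
                        and anom["ip"] == lease["ip"] and anom["ext_ip"] == blk["ext_ip"]):
                    chains.append({"blocked_ip": blk["ext_ip"], "new_device": lease["mac"],
                                   "internal_ip": lease["ip"], "start": blk["ts"], "end": anom["ts"]})
    return chains


if __name__ == "__main__":
    for c in correlate(parse_syslog(SAMPLE_SYSLOG)):
        print(f"{c['start']:%H:%M:%S}-{c['end']:%H:%M:%S}: {c['blocked_ip']} probed, "
              f"then {c['new_device']} joined as {c['internal_ip']} and called it back")
```

The afternoon block and the afternoon anomaly never link up: no lease follows the block in time, and the big upload goes somewhere else entirely. That asymmetry is the whole value of joining on shared fields (here the external IP and the leased address) rather than on time alone.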

Tools for Home Users

Enterprise monitoring tools are complex and expensive. Fortunately, several tools are accessible for home users.

ntopng is a flow monitoring tool with a web interface. It runs on Linux (including Raspberry Pi) and shows real-time and historical flow data. You can see which devices are the heaviest users, what external servers they connect to, and what protocols they use. The community edition is free.

Wireshark is the definitive packet analyzer. It handles every protocol you will encounter on a home network and many you will not. The learning curve is moderate - understanding TCP/IP fundamentals helps significantly - but even basic use (filtering by IP, looking at DNS queries) provides valuable insight.

Grafana with Prometheus creates dashboards for SNMP and other metrics; Prometheus's snmp_exporter does the actual polling of switches and firewalls. The setup requires some Linux knowledge, but the result is a visual monitoring dashboard that shows network health over time.

graph LR
    subgraph "Data Sources"
        ROUTER[Router/Firewall Logs]
        SWITCH[Switch SNMP Data]
        FLOWS[NetFlow/sFlow Records]
        WIFI_MON[WiFi Environment Scans]
    end
    subgraph "Collection Layer"
        SYSLOG[Syslog Server]
        FLOW_COL[ntopng]
        SNMP_COL[Prometheus SNMP Exporter]
        NANO[BLEShark Nano]
    end
    subgraph "Visualization"
        GRAFANA[Grafana Dashboards]
        NTOP_UI[ntopng Web Interface]
        NANO_UI[Nano Display]
    end
    ROUTER --> SYSLOG
    SWITCH --> SNMP_COL
    FLOWS --> FLOW_COL
    WIFI_MON --> NANO
    SYSLOG --> GRAFANA
    SNMP_COL --> GRAFANA
    FLOW_COL --> NTOP_UI
    NANO --> NANO_UI

A practical home monitoring stack - combining flow analysis, SNMP metrics, log aggregation, and wireless scanning

What to Watch For

Once your monitoring is running, knowing what matters is the next challenge. Not every anomaly is an attack, and not every normal-looking pattern is safe. Focus on these indicators.

Unexpected outbound connections. Devices connecting to servers they should not need to reach. An IoT camera connecting to servers in unexpected countries. A smart thermostat making connections on non-standard ports. These are potential indicators of compromised devices phoning home to command-and-control infrastructure.

DNS queries to suspicious domains. Malware frequently uses DNS for command-and-control communication. Domain names with random-looking strings of characters, recently registered domains, and domains resolving to known malicious IPs are all red flags. So is a burst of NXDOMAIN answers to one client (a domain generation algorithm tries many unregistered names before it finds the live one), and so is a stream of long, random-looking subdomains under a single parent domain, which is what DNS tunneling looks like. DNS query logging (available in pfSense, Pi-hole, or any local DNS resolver) captures this data.

New devices appearing. Your DHCP server logs reveal every device that joins your network. A device you do not recognize could be a neighbor on your WiFi, an attacker who has compromised your wireless password, or a forgotten IoT device. Investigate unknowns promptly. Expect some noise: recent iPhones and Android phones use a randomized, locally administered MAC address on WiFi by default, so a phone you own can show up under an address you have never seen.

Traffic volume anomalies. A device that normally uses 50 MB per day suddenly pushing 5 GB is worth investigating. Data exfiltration, cryptocurrency mining, and participation in botnets all produce traffic volume changes.
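The DNS indicators above, worked through on a constructed query log. This is an added example, not code from the original article or from Pi-hole; the lines imitate the format of dnsmasq's query log (the one Pi-hole keeps), which is an assumption about that format, and the entropy and length thresholds are starting points you would tune against a week of your own log rather than established values.

```python
"""Triage of a resolver query log for DGA-like names and NXDOMAIN bursts.

Added example, not code from the original article or from Pi-hole. The
lines are constructed in the style of dnsmasq's query log; the regexes are
an assumption about that format. dnsmasq logs the client on the query line
but not on the reply line, so NXDOMAIN answers are joined back to clients
by name here. Thresholds are starting points, not tuned values.
"""
import math
import re
from collections import Counter, defaultdict

SAMPLE_DNS_LOG = """\
Mar 11 02:16:12 dnsmasq[540]: query[A] www.example.com from 192.168.1.20
Mar 11 02:16:12 dnsmasq[540]: reply www.example.com is 192.0.2.1
Mar 11 02:16:20 dnsmasq[540]: query[A] xk9q2vz7hfwp4bml.top from 192.168.1.77
Mar 11 02:16:20 dnsmasq[540]: reply xk9q2vz7hfwp4bml.top is NXDOMAIN
Mar 11 02:16:21 dnsmasq[540]: query[A] q8z3vbn1wk7yplmc.top from 192.168.1.77
Mar 11 02:16:21 dnsmasq[540]: reply q8z3vbn1wk7yplmc.top is NXDOMAIN
Mar 11 02:16:22 dnsmasq[540]: query[A] m2x7kq9zvbw4hpl1.top from 192.168.1.77
Mar 11 02:16:22 dnsmasq[540]: reply m2x7kq9zvbw4hpl1.top is 203.0.113.45
Mar 11 02:16:30 dnsmasq[540]: query[A] ntp.example.net from 192.168.1.31
Mar 11 02:16:31 dnsmasq[540]: query[AAAA] updates.example.org from 192.168.1.20
Mar 11 02:16:40 dnsmasq[540]: query[A] typo-wrong.example from 192.168.1.20
Mar 11 02:16:40 dnsmasq[540]: reply typo-wrong.example is NXDOMAIN
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>[\d.]+)")
NXDOMAIN_RE = re.compile(r"reply (?P<name>\S+) is NXDOMAIN")


def shannon_entropy(s):
    """Bits per character; 16 distinct characters in 16 positions gives 4.0."""
    counts, n = Counter(s), len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name, min_len=12, min_entropy=3.5):
    """True if any label below the TLD is both long and high-entropy.

    Checking every label (not just the registrable one) also catches tunnel
    traffic, where the random part lives in a subdomain of a normal domain.
    Long dictionary-word names stay well under 3.5 bits; expect some CDN
    hostnames to be false positives and allowlist them.
    """
    labels = name.rstrip(".").split(".")[:-1]
    return any(len(l) >= min_len and shannon_entropy(l) >= min_entropy for l in labels)


def parse_log(text):
    """Return (query dicts, names that got NXDOMAIN)."""
    queries, nxdomains = [], []
    for line in text.splitlines():
        if q := QUERY_RE.search(line):
            queries.append(q.groupdict())
        elif x := NXDOMAIN_RE.search(line):
            nxdomains.append(x["name"])
    return queries, nxdomains


def triage(text, nx_threshold=2):
    """Per-client reasons: several DGA-like names, or too many NXDOMAINs."""
    queries, nxdomains = parse_log(text)
    nx_names = set(nxdomains)
    nx_by_client, generated = Counter(), defaultdict(list)
    for q in queries:
        if q["name"] in nx_names:
            nx_by_client[q["client"]] += 1
        if looks_generated(q["name"]):
            generated[q["client"]].append(q["name"])
    flagged = {}
    for client in set(nx_by_client) | set(generated):
        reasons = []
        if len(generated.get(client, [])) >= 2:
            reasons.append("multiple DGA-like names")
        if nx_by_client[client] >= nx_threshold:
            reasons.append(f"{nx_by_client[client]} NXDOMAIN replies")
        if reasons:
            flagged[client] = reasons
    return flagged


if __name__ == "__main__":
    for client, reasons in sorted(triage(SAMPLE_DNS_LOG).items()):
        print(f"{client}: {', '.join(reasons)}")
```

Only 192.168.1.77 is flagged: three sixteen-character names that are pure noise, two of which did not even exist. The desktop's single typo produces one NXDOMAIN and nothing else, which is the kind of benign miss a per-client threshold is there to absorb. The name the third query resolved to is what you would then look for in your flow records.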

Wireless Environment Monitoring

Wired network monitoring tools like ntopng and Wireshark see traffic after it reaches the wired network. They are blind to what happens on the wireless medium itself. Rogue access points, deauthentication attacks (which 802.11w Protected Management Frames blunt, where both the access point and the client support it), and unauthorized wireless clients operate in a space that wired tools cannot observe.

The BLEShark Nano fills this gap. Its WiFi scanner identifies every access point in range, including any that should not be there. On the BLE side, it detects Bluetooth devices in your environment - useful for identifying unknown BLE-enabled devices that might be trackers or surveillance equipment. This wireless-layer visibility complements the wired-layer monitoring from your other tools.

For continuous wireless monitoring, dedicated WIDS (Wireless Intrusion Detection Systems) like Kismet run on Linux with a WiFi adapter that supports monitor mode. For periodic checks and quick surveys, the Nano's portability makes it practical to scan different areas without setting up permanent infrastructure.

Building a Monitoring Stack

Start small. You do not need every tool on day one. A practical progression for home network monitoring goes like this.

Week 1: Enable logging on your router or firewall. Review DHCP leases to build an inventory of devices on your network. Identify anything you do not recognize.

Week 2: Set up DNS query logging (Pi-hole is the easiest path). Review the query log for a few days to understand your network's DNS patterns. Block known malicious domains.

Week 3: Install ntopng or enable flow monitoring on pfSense. Start tracking which devices generate the most traffic and where that traffic goes.

Week 4: Scan your wireless environment with the BLEShark Nano. Document legitimate access points and their BSSIDs. Flag anything unexpected.
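The Week 1 inventory step, and the "new devices appearing" check it feeds, as an added example that is not code from the original article or from dnsmasq. The lease lines are constructed in the format of dnsmasq's leases file (other DHCP servers write other formats) and the inventory dict stands in for the list you keep by hand after your first review.

```python
"""Turn DHCP leases into a device inventory and flag what you do not recognize.

Added example, not code from the original article or from dnsmasq. The
lease lines are constructed in the format of dnsmasq's leases file
(expiry epoch, MAC, IP, hostname or *, client-id); other DHCP servers
write other formats. INVENTORY stands in for a hand-maintained list.
"""
from dataclasses import dataclass

SAMPLE_LEASES = """\
1710122400 b8:27:eb:11:22:33 192.168.1.20 desktop 01:b8:27:eb:11:22:33
1710122460 3c:22:fb:aa:bb:cc 192.168.1.77 * 01:3c:22:fb:aa:bb:cc
1710122520 a4:83:e7:44:55:66 192.168.1.31 Living-Room-TV 01:a4:83:e7:44:55:66
1710122580 d6:41:09:1a:2b:3c 192.168.1.90 iPhone 01:d6:41:09:1a:2b:3c
"""

INVENTORY = {                       # assumed hand-maintained MAC -> name
    "b8:27:eb:11:22:33": "desktop",
    "a4:83:e7:44:55:66": "smart-tv",
}


@dataclass
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """One Lease per line; a hostname of '*' means the client sent none."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def is_locally_administered(mac):
    """Bit 1 of the first octet set means a locally administered address.

    Phones that randomize their WiFi MAC (iOS 14+, Android 10+) use these,
    so such a lease is usually a known phone under a new address rather
    than a stranger; it still deserves a look if no phone should be home.
    """
    return int(mac.split(":")[0], 16) & 0x02 != 0


def classify(leases, inventory):
    """Split leases into (known, unknown, randomized) for review."""
    known, unknown, randomized = [], [], []
    for lease in leases:
        if lease.mac in inventory:
            known.append((inventory[lease.mac], lease))
        elif is_locally_administered(lease.mac):
            randomized.append(lease)
        else:
            unknown.append(lease)
    return known, unknown, randomized


if __name__ == "__main__":
    known, unknown, randomized = classify(parse_leases(SAMPLE_LEASES), INVENTORY)
    for name, lease in known:
        print(f"known      {lease.ip:15} {lease.mac}  {name}")
    for lease in randomized:
        print(f"randomized {lease.ip:15} {lease.mac}  hostname={lease.hostname}")
    for lease in unknown:
        print(f"UNKNOWN    {lease.ip:15} {lease.mac}  hostname={lease.hostname}  <- investigate")
```

The lease at 192.168.1.77 is the one to chase: an unknown MAC that did not even offer a hostname. The iPhone's address has the locally administered bit set, so it lands in the randomized bucket instead of the unknown one; add each phone's per-network address to the inventory as you confirm it. Looking up the first three octets of an unknown MAC in the IEEE OUI registry will often tell you the manufacturer, which narrows the search quickly.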

Each layer adds visibility. After a month, you will understand your network better than most IT professionals understand their corporate networks. That understanding is the foundation of effective defense.
