Application Aware Network Performance Monitoring (NPM) and Network Packet Broker (NPB) research

By Jonah Kowall | April 21, 2012 | 21 Comments

NPM, Monitoring, IT Operations

Vendor Landscape for Application-Aware Network Performance Monitoring and Network Packet Brokers

Deb Curtis and I have recently published a note, which I started several months ago, to highlight some of the innovative solutions and players in the Network Performance Monitoring (NPM) market that fit a specific set of criteria. We needed to put an artificial boundary on this market definition in order to avoid having to write about each of the 100+ players in the NPM market who handle polling-, flow-, and packet-based data analysis. We still managed to cover 18 vendors in this market who met the criteria we outlined:

Application-Aware NPM

These solutions allow passive packet capture of network traffic and must include the following features, in addition to packet capture technology:

  • Receive and process one or more of these flow-based data sources: NetFlow, sFlow and Internet Protocol Flow Information Export (IPFIX).
  • Provide roll-ups and dashboards of collected data into business-relevant views, consisting of application-centric performance displays.
  • Monitor performance in an always-on state, and generate alarms based on manual or automatically generated thresholds.
  • Offer protocol analysis capabilities to decode and understand multiple applications, including voice, video, HTTP and database protocols. The tool must provide end-user experience information for these applications.
  • Have the ability to decrypt encrypted traffic if the proper keys are provided to the solution.

Optionally, the features of market leaders include:

  • High-capacity storage of captured packet data. This is not required as a core feature, although it can be useful from a diagnostic perspective. Products that do not store the data must provide on-demand packet capture that is reported in real time.
  • Operation in WAN-optimized and virtualized environments through support for popular WAN optimization controllers (WOCs; e.g., Riverbed, Cisco and F5), as well as virtual network tagging, such as Cisco’s virtual network tag (VNTag), VMware’s ESX and Citrix’s Xen.

These products are what we would call AA-NPM because they not only meet the needs of network engineers who have to debug and diagnose issues, but also elevate that data into business-relevant application views. Many Gartner clients speak to me asking for APM products, but when confronted with the task of agent deployments they often find themselves wanting AA-NPM functionality rather than APM functionality. Depending on the maturity, complexity, and overall design of the applications, different product types will be the best fit to allow visibility and troubleshooting of problems.

Additionally, I am excited that we have started really covering the Network Packet Broker (NPB) market, which consists of devices that give monitoring and security technologies access to the traffic those solutions need to see in order to work more effectively. They could be called “monitoring switches,” “matrix switches,” or other terms, but we felt this term best fit what they do and what they do not do. These products are often required once you start dealing with more complex networks. Here are the criteria we used for these products:


  • Many-to-many port mapping, with a configuration interface (graphical user interface [GUI] or command line interface [CLI]) for real-time adjustments of packet flow, including port mapping and paths.
  • Filtering of packet data based on the characteristics found in the packet headers, allowing filtering of Open Systems Interconnection (OSI) Layers 2 through 4.
  • Packet slicing and deduplication, which allows a subset of the full packet data to be passed to the monitoring device, thus allowing monitoring tools to scale more efficiently.
  • Aggregating multiple packet stream inputs into one larger stream, for example five 1Gb links into a single 10Gb link. Alternately, the reverse also will work, where a single 10Gb link would be fed into multiple 1Gb connections. The destination would be a monitoring tool with the proper interface.
  • Distributing traffic load per device by sending it to different probes or appliances in order to scale the monitoring, or to provide redundancy in the monitoring technology.
  • Insertion of hardware-based time stamps that can be used by the monitoring tools to provide more accurate measurements. These hardware-based features can change the accuracy of the packet time stamp from milliseconds to microseconds, enabling more granular time measurement.

Optionally, the features of market leaders include:

  • Deep packet inspection, allowing for the filtering and routing of packets based on data characteristics in the header or payload, and support for filtering on OSI Layers 2 through 7.
  • The ability to capture ingress port identification data, enabling unique identification of traffic from multiple ingress ports.
  • The capability to mask specific data in the packets, which can be applied in compliance use cases where the packets contain confidential regular-format fields (e.g., Social Security numbers or credit card numbers).
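
As an added illustration (not taken from the research note or from any vendor's product), the sketch below applies three of the functions listed above, deduplication, data masking and packet slicing, to constructed frames. The fixed 54-byte header length, the whole-frame SHA-256 duplicate test and the Luhn-validated card-number pattern are assumptions of the sketch.

```python
import hashlib
import re
from collections import OrderedDict

HDR_LEN = 54  # assumption: Ethernet(14) + IPv4(20) + TCP(20), no options
PAN_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")  # candidate card numbers

def luhn_ok(digits: bytes) -> bool:
    """Luhn checksum, so arbitrary digit runs (order ids etc.) are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_payload(frame: bytes) -> bytes:
    """Overwrite all but the last four digits of Luhn-valid numbers; length is kept."""
    def repl(m):
        pan = m.group(0)
        return b"X" * (len(pan) - 4) + pan[-4:] if luhn_ok(pan) else pan
    return frame[:HDR_LEN] + PAN_RE.sub(repl, frame[HDR_LEN:])

class Broker:
    def __init__(self, snap_len=96, dedup_window=1024):
        self.snap_len = snap_len
        self.window = dedup_window
        self.seen = OrderedDict()  # digests of recent frames, oldest first

    def forward(self, frame: bytes):
        """Return the bytes handed to the tool port, or None for a duplicate."""
        digest = hashlib.sha256(frame).digest()
        if digest in self.seen:
            return None  # same frame already seen, e.g. on a second tap
        self.seen[digest] = None
        if len(self.seen) > self.window:
            self.seen.popitem(last=False)
        # Mask before slicing: a number cut in half by the slice would no
        # longer match the pattern and its leading digits would pass through.
        return mask_payload(frame)[: self.snap_len]

def demo():
    hdr = bytes(HDR_LEN)  # constructed placeholder headers
    frames = [
        hdr + b"POST /pay card=4111111111111111&amt=10",  # constructed test number
        hdr + b"POST /pay card=4111111111111111&amt=10",  # duplicate of the first
        hdr + b"GET /order?id=1234567890123456",           # 16 digits, fails Luhn
    ]
    broker = Broker(snap_len=HDR_LEN + 32)
    return [broker.forward(f) for f in frames]
```
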

We included 9 NPB vendors in the research. I realize it’s been almost 2 months since my last post; I will try not to let that happen again.

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

  • Mark Weiner says:

    Am personally glad to see this several year — but now growing rapidly — market has formally been defined by Gartner.

    Customers can now define their market requirements with a common label, and evaluate vendors under the same umbrella. Looking forward to seeing customer awareness, and mutual benefit, grow in the coming years!

  • Kirk OConnor says:

    Riddle me this, Batman… Where do the application-aware NPM solutions offered as managed services sit?

    XO has a managed service offer called APM. Level 3 also has a managed service offer called APM. Verizon offers AAS as a managed service. AT&T offers Enhanced Reporting.

    All these are available as a monthly recurring charge as an operations cost that can be rolled into a 3 year WAN MPLS RFP.

    Why would an enterprise go spend capital dollars when they can get aaNPM from a managed service? This allows the enterprise WAN management team to concentrate on migration to the cloud, BYOD, VoIP, and Video, and data center consolidation without having to own the infrastructure of an aaNPM solution.

  • Jonah Kowall says:

    The delivery of solutions doesn’t change the segment, only the delivery model. There are several service offerings on the market.

    Most service providers tie the NPM to the network services, hence you cannot see within your environment. Other VARs and SIs will do fully managed offerings, which can sit anywhere.

    The delivery models vary, but NPM is far behind APM in terms of true SaaS, which is the way of the future for management technologies.

  • Kirk OConnor says:

    So the segmentation is really about technology…Pinging/Polling (NPM) versus NetFlow (aaNPM).

    Fair enough, as mentioned the 100+ players that know how to ping and poll in NPM are not really helpful in identifying aaNPM issues. If NPM is defined as pinging/polling for up/down and utilization then that is typically given away or a very cheap offer. It definitely is not always on. But it is a good start in isolating an event, but the assumption is that the device is up and on. (The cloud is always “available.”) Yes, I would not want to write about 100+ pinging/polling solutions or 100+ NetFlow solutions…

    So, the delivery of future management technologies as a true SaaS has some issues with the actual “technical delivery” of the features listed for this market segment for both NPM and APM.

    For example:
    • NetFlow must be encrypted, or a VPN tunnel created, to send data into the cloud. No enterprise is going to send their IP addresses into a collector in the cloud if it is not encrypted.
    • If NetFlow stops transmitting, then the always on scenario falls apart. If the collector needs to be upgraded, then the NetFlow data will not be collected. A lot of inbound and outbound streaming data is blocked by firewalls.
    • Active testing/pinging and polling does not allow for the always on scenario, but active testing can simulate end user response time measurements, when testing is enabled. (From where? Which location? How often?) How is NetFlow going to provide end user experience? Oh, right… Through IPFIX once the enterprise buys more routers and upgrades the IOS…
    • An APM solution requires proximity to the data, but the “cloud” scatters data to the wind and different service arenas. Back to active testing or agents.
    • Flow based technology that does not support port hopping protocols requires NBAR to be turned on in order to decode applications, otherwise application traffic is identified as a single port for every flow…Does the collector save every flow or just top N?

    The services offered have removed the network as the issue and are concentrating on the applications. They are the premier US service providers who have a service titled “APM” which has similarities in SaaS: web access, reduction of IT support costs, expert support of the service offered, monthly recurring charge, etc. The delivery of these aaNPM solutions is available now and not far behind… They provide real time and historical network, application, VoIP (with MoS scores) all time synchronized with Layer 1 visibility, SLAs, on demand packet capture, server connect and server response time and summarized dashboards all offered and available on the next WAN RFP and in some cases even tomorrow.

  • I have to add that agent based APM mostly, not all, but definitely the leaders in Gartner’s M Quadrant are human resource intensive to the extreme. This goes seriously against the need to reduce costs in the MSP space. MSPs are looking for solutions that are the simplest to install and simplest to maintain.

    Note that more & more APM is being offered through MSPs. Yes it is just another “delivery model” but the needs of these entities are substantially different to the standard enterprise. A glaring point is the typical lack of multi-tenancy.

    My opinion is that essentially APM needs to be divided into:
    1. Agent based APM split into synthetic & real transaction analysis
    2. Passive probe based APM which can include transactional analysis, I think you are lumping this under aaNPM.
    3. Simple polling based APM which under no circumstance you can confuse with (2).

    After these are defined then Gartner’s 5 criteria for APM apply but still ease of installation and ease of maintaining the solution should be carefully considered as some of the leaders can put a tick next to every feature but they need just as many support engineers to run the solution. Not ideal for MSPs!

  • Jonah Kowall says:

    Not surprising considering you guys are a network VAR, but honestly you cannot pinpoint an issue with an application without an agent. Network approaches are valid and can be of great help with much less time to turn up, but the agents have become much more intelligent and self configuring. You should have a look at some of the full SaaS capable APM products, they are all very simple to get up and running.

    Network approaches can handle 3 of the 5 dimensions of APM, hence they are limited. We are working on a slew of new research around AA-NPM and NPM shortly.

    “Polling” is another topic we will be publishing research on, specifically the synthetic transactions often used to try to determine end user experience.

  • Do me a favor. Please apply this simple filter from an MSP perspective to your MQ. Find which vendors don’t have a working multi-tenancy solution and remove them. Also take careful note that some of your vendors have partial product matches through their offerings so a portion of their solution is not multi-tenanted.

    Then the MSP I speak to is not allowed to add any agents onto customer servers. So please remove all vendors using agent based APM, also take into account which ones have a partial match. Your MQ will now look very different. How can this ever apply to an MSP?

    Delivery model is very important and the type of APM; agent based, passive or polling is just as important to define correctly. Your definition is flawed in that it is leaving out a big chunk of the market (MSP).

    The intelligence of agent based vs passive monitoring was not part of the debate. Trust me I know a lot more can be achieved with agent based APM. I will be marketing them soon. However you are not considering the MSP environment where clients flat refuse to accept the use of agent based APM.

    Sorry, I don’t see the APM market the way you do.

  • pradeep says:

    Great Article, as mentioned there are lot of players in the market but when it comes to Application Aware Network Performance Monitoring as a cloud based SaaS offering there are none. At APPanalyz we offer real time packet analysis as a service (SaaS) to provide complete visibility into how the network and applications are performing.
