MOME Tools Categories

Packet Capturing

Tools for packet capturing are used to observe data packets on the network, capture the raw packet data (or part thereof, e.g. only headers) and keep this information in memory, dump it to a text console, or store it on local hard disk.

The goal is to record the datagrams which actually passed the network at a specific attachment point in the network. Other tools can then later be used to analyze those traces and compute traffic metrics based on them.

Traffic Flow Measurement

Tools for traffic flow measurement observe packet datagrams passing a measurement point (interface or link) and classify those packets into traffic flows. For IP traffic such classification is usually done based on the source and destination IP address, source and destination port numbers (in case of TCP or UDP over IP), protocol, and class of service, or a subset of these attributes. For each flow specific metrics such as volume and duration can be obtained. Across flows such tools may report number of distinct flows, addresses, or networks which have been observed over a period of time.

Packet Monitoring

Tools for packet monitoring passively collect IP packets on one or more links, recording IP, TCP/UDP or application layer traces in order to obtain fine-grained information about user behaviour. With these tools the applications/services utilizing the network, the users generating the most network traffic, the types of information being transferred in and out of the network, as well as the source and destination of that information can be identified.

On the market: NetEnforcer from Allot Communications; Access Point 450 from Xedia Corporation (now owned by Lucent Technologies); FloodGate-1 from Check Point Technologies; and PacketShaper from Packeteer Inc.

Connection Monitoring

Tools for connection monitoring are used to test the basic end-to-end IP connectivity between two systems, which are either directly connected or reachable via multiple routing hops. Such tools often display some performance indicators as well.

Application Level Monitoring

Tools for application level monitoring analyze traffic up to the application layer and compute results which are specific to a given application protocol (e.g. URLs of web pages observed). For most applications there exist specialized tools which can be used to assess the availability and/or performance of a service or server running that protocol (e.g. HTTP, FTP, SOAP).

There exist three kinds of application level monitoring tools with respect to the point of attachment: server-side, client-side, and in-path. Server-side tools are used to observe the behavior of a service by monitoring the server program or its output (e.g. the Apache log file). Client-side tools emulate a user that accesses the service and record the server's reply and performance data. Tools which measure application level characteristics in-path can be used to reassemble and observe communication if access to neither the client nor the server side is possible.

Service Monitoring

Tools for service monitoring observe the availability of a service or server application. For this purpose they either emulate a client of the observed service or implement a separate communication interface to check the service directly. Such tools are used in combination with signaling and alarming solutions in order to display the service status (e.g. updated regularly on a web page) or to send a notification instantly via e-mail or SMS when an incident happens.

Accounting

Tools for accounting count packets and packet volume at an access router or dedicated link. Those tools can perform traffic classification into traffic flows with a pre-defined granularity and record packet counters and packet volume for each detected flow. Often they also perform flow end (i.e. flow timeout) detection. Many accounting tools support standardized protocols for data export to attached charging and billing solutions.
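The flow classification described under Traffic Flow Measurement and the per-flow counting with idle-timeout detection described under Accounting, as an added example (not code from the original page or from any tool it lists): packets are keyed on the 5-tuple (source/destination address, protocol, source/destination port), each flow accumulates packet and byte counters and a duration, a flow whose idle gap exceeds the timeout is ended and a new one started, and a summary reports the number of distinct flows and addresses. The packet records, the timeout value and the function names are constructed for this example.

```python
# Constructed sample trace: (timestamp_s, src_ip, dst_ip, proto, sport, dport, bytes)
PACKETS = [
    (0.00, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 74),
    (0.01, "192.0.2.10", "10.0.0.5", "tcp", 80, 40001, 74),
    (0.02, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 1500),
    (0.50, "10.0.0.7", "192.0.2.53", "udp", 5353, 53, 60),
    (0.55, "192.0.2.53", "10.0.0.7", "udp", 53, 5353, 120),
    (3.00, "10.0.0.5", "192.0.2.10", "icmp", 0, 0, 84),
    (9.00, "10.0.0.5", "192.0.2.10", "tcp", 40001, 80, 1500),  # idle gap > timeout: new flow
]

IDLE_TIMEOUT = 5.0  # seconds without a packet after which a flow is considered ended (assumed value)


def classify(packets, idle_timeout=IDLE_TIMEOUT):
    """Group packets into unidirectional 5-tuple flows and return all flow records.

    A flow record holds first/last timestamp, packet and byte counters and duration.
    Flows whose idle gap exceeds idle_timeout are ended; a later packet with the
    same key starts a fresh flow, as an accounting tool's flow-timeout logic would.
    """
    active = {}    # key -> flow record currently being accumulated
    finished = []  # flow records that timed out
    for ts, src, dst, proto, sport, dport, size in packets:
        key = (src, dst, proto, sport, dport)
        flow = active.get(key)
        if flow is not None and ts - flow["last"] > idle_timeout:
            finished.append(flow)  # flow end detected: export it
            flow = None
        if flow is None:
            flow = active[key] = {"key": key, "first": ts, "last": ts, "packets": 0, "bytes": 0}
        flow["last"] = ts
        flow["packets"] += 1
        flow["bytes"] += size
    flows = finished + list(active.values())  # flows still open at end of trace are exported too
    for flow in flows:
        flow["duration"] = flow["last"] - flow["first"]
    return flows


def summarize(flows):
    """Cross-flow report: distinct flows, distinct addresses and total volume."""
    addrs = {f["key"][0] for f in flows} | {f["key"][1] for f in flows}
    return {"flows": len(flows), "addresses": len(addrs), "bytes": sum(f["bytes"] for f in flows)}
```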

Intrusion Detection

Tools for intrusion detection allow their users to identify unwanted or even malicious traffic in the network or to assess the level of probability of such events. These tools are often highly specialized and as diverse in their nature as the attacks they assess, such as: SYN flooding, UDP and TCP port scans, DDoS attacks, and connection attempts by worm or virus-like programs.

Sniffing

Tools for sniffing are targeted at obtaining vital information by observing datagrams on the network, for the purpose of finding out available services, open ports at connected hosts, host configuration information, or user information, such as unencrypted passwords. Some of those tools can clearly be misused, but on the positive side they can clearly help find security leaks, e.g. ports opened by backdoor software or users still making use of unsafe telnet logins.

Performance Monitoring

Tools for performance monitoring compute a time series of quality of service (QoS) traffic characteristics on the network level based on the traffic under observation or based on trace files. The most common traffic metrics are: round trip transmission time, one-way delay, one-way jitter, packet loss. Some of those tools are geared especially to the measurement of one metric, while others support a set of metrics.
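The metrics named above computed from a trace file, as an added example (not code from the original page): given constructed probe records with a sequence number, send timestamp and receive timestamp (None for a lost probe), the functions derive one-way delay, packet loss from sequence gaps, inter-packet delay variation between consecutive received probes, and the smoothed interarrival jitter estimator of RFC 3550 section 6.4.1. The record layout and function names are assumptions for this example; the timestamps are assumed to come from synchronized clocks.

```python
# Constructed probe trace: (seq, send_ts_s, recv_ts_s); recv_ts_s is None when the probe was lost
PROBES = [
    (1, 0.000, 0.020),
    (2, 0.100, 0.125),
    (3, 0.200, None),   # lost in transit
    (4, 0.300, 0.318),
    (5, 0.400, 0.430),
]


def one_way_delays(probes):
    """One-way delay per received probe (requires sender/receiver clock synchronization)."""
    return [recv - send for _, send, recv in probes if recv is not None]


def loss_ratio(probes):
    """Fraction of probes lost, from the gap between first and last sequence number."""
    expected = probes[-1][0] - probes[0][0] + 1
    received = sum(1 for _, _, recv in probes if recv is not None)
    return 1.0 - received / expected


def mean_ipdv(probes):
    """Mean absolute delay variation between consecutive received probes (one-way jitter)."""
    delays = one_way_delays(probes)
    diffs = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return sum(diffs) / len(diffs)


def jitter_rfc3550(probes):
    """Interarrival jitter J as defined in RFC 3550: D = (R_j - R_i) - (S_j - S_i), J += (|D| - J)/16.

    Only the difference of timestamp differences enters D, so this estimator does not
    need synchronized clocks, unlike the one-way delay above.
    """
    j = 0.0
    prev = None
    for _, send, recv in probes:
        if recv is None:
            continue  # lost probes contribute nothing to the estimator
        if prev is not None:
            d = (recv - prev[1]) - (send - prev[0])
            j += (abs(d) - j) / 16
        prev = (send, recv)
    return j
```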

Connectivity Checking

See the Connection Monitoring section.

Route Detection

Tools for route detection allow users to find out information about the way datagrams travel from one host to another across the network. This includes data such as the number and location of intermediate routers and often additional metrics, such as loss and/or round trip time.

Topology Detection

Tools for topology detection go one step further than route detection and aggregate information from multiple routes into an overall dataset. This joint information can be used to depict global connectivity, end-to-end transmission parameters, or even to infer routes which have not shown up in point-to-point measured routes.

Traffic Visualization

Tools for traffic visualization generate graphical images from numeric results obtained by other tools. Some of them can be used on any kind of numerical data rows, while other tools implement graph types specialized to network related datasets (e.g. route data). These tools make trends and outliers in the datasets visible and allow interpretation and evaluation of numeric data by a human observer. Often they do inspire the direction for a more detailed numerical analysis.

Traffic Generation

Tools for traffic generation inject traffic into the network in order to measure network characteristics, such as loss, jitter, and delay. Many traffic generation tools provide a sender as well as a receiver part which need to be installed at the two endpoints of the measurement. Often traffic generation tools are also used for stress testing equipment such as routers or firewalls. Configuration of sending schedules and patterns enables users to generate realistic background traffic for laboratory tests of novel algorithms, e.g. for differentiated services in the network or measurement-based admission control.

Bandwidth Measurement

Tools for bandwidth measurement are used to assess the amount of free resources along a link or path in terms of unused or available packets/bytes per second. Bandwidth measurement is performed in an active way, injecting packet streams in bursts, special patterns or simply by flooding the link under observation. Different kinds of available bandwidth can be measured, either assessing the amount of unused link capacity, xxx, or the amount of traffic which a single TCP flow could use on the link or path (bulk transfer capacity, BTC).