
How to Monitor Network Traffic for Anomalies

Network monitoring lets you see what is happening on your network in real time. You can detect intruders, identify bandwidth hogs, and troubleshoot connectivity issues before they cause downtime.

Overview

You cannot protect what you cannot see. Network monitoring provides visibility into traffic patterns, device health, and potential security incidents across your entire infrastructure.

Step 1: Choose and Deploy Monitoring Tools

Select the right tools for your network size and budget.

1. Free Monitoring Tools

  • PRTG Free: Up to 100 sensors, excellent web dashboard, email alerts — great starting point
  • Wireshark: Deep packet capture and protocol analysis for troubleshooting specific issues
  • Nagios Core: Open source, extremely powerful but requires Linux and configuration effort
  • ntopng: Real-time network traffic analysis with flow visibility
  • GlassWire: Simple visual firewall and monitor for individual Windows PCs
  • LibreNMS: Full-featured open source monitoring with auto-discovery

2. Set Up Basic Monitoring

  • Install monitoring software on a dedicated PC or virtual machine
  • Add your core devices: router, firewall, switches, servers, access points
  • Configure SNMP v3 (encrypted) on all network devices for data collection
  • Set up ping monitoring for all critical devices and services
  • Configure bandwidth monitoring on WAN link and inter-VLAN connections
  • Monitor CPU, memory, and disk usage on all servers
  • Set up uptime monitoring for critical services: email, file shares, databases

3. Network Flow Analysis

  • Enable NetFlow, sFlow, or IPFIX on your router/firewall
  • Flow data shows WHO is talking to WHOM and HOW MUCH data is transferred
  • Identify top bandwidth consumers by device and application
  • Detect unusual traffic patterns that may indicate compromise
  • Use flow data to plan bandwidth upgrades based on actual usage
  • Free flow analysers: ntopng, Scrutinizer (limited free), PRTG
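The "who is talking to whom and how much" questions above can be answered directly from a flow export, whatever collector produced it. The script below is an added example written for this guide, not code from PRTG, ntopng or any other tool named here; it parses a small constructed CSV export (addresses and byte counts are made up), ranks top talkers, top external destinations and the heaviest individual conversations, and reports what fraction of each device's traffic left the network. The internal address ranges in INTERNAL_NETS are an assumption you would replace with your own.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Address ranges that count as "inside" the network (assumed for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape of a CSV export from a flow collector;
# the addresses and byte counts are made up.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,dst_port,proto,bytes
2024-05-01T09:00:00,192.168.10.21,192.168.10.5,445,tcp,120000000
2024-05-01T09:01:00,192.168.10.21,203.0.113.40,443,tcp,950000000
2024-05-01T09:02:00,192.168.10.33,198.51.100.7,443,tcp,4000000
2024-05-01T09:03:00,192.168.10.33,192.168.10.5,445,tcp,2500000
2024-05-01T09:04:00,192.168.10.50,203.0.113.40,443,tcp,30000000
2024-05-01T09:05:00,192.168.10.21,203.0.113.40,443,tcp,700000000
"""


def parse_flows(text):
    """Read the CSV export into dicts; bytes and port become integers."""
    flows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["bytes"] = int(row["bytes"])
        row["dst_port"] = int(row["dst_port"])
        flows.append(row)
    return flows


def is_external(ip):
    """True if the address falls outside every range in INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _ranked(totals, n):
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_talkers(flows, n=3):
    """Bytes sent per source device: WHO is sending HOW MUCH."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src_ip"]] += f["bytes"]
    return _ranked(totals, n)


def top_external_destinations(flows, n=3):
    """Bytes sent to each address outside the network: WHOM the network talks to."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst_ip"]):
            totals[f["dst_ip"]] += f["bytes"]
    return _ranked(totals, n)


def conversations(flows, n=3):
    """Bytes per (src, dst, port) triple, the finest grain for spotting an odd pairing."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["src_ip"], f["dst_ip"], f["dst_port"])] += f["bytes"]
    return _ranked(totals, n)


def outbound_share(flows, src_ip):
    """Fraction of a device's bytes that left the network (1.0 = everything went out)."""
    total = sum(f["bytes"] for f in flows if f["src_ip"] == src_ip)
    out = sum(f["bytes"] for f in flows if f["src_ip"] == src_ip and is_external(f["dst_ip"]))
    return out / total if total else 0.0


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Top talkers:", top_talkers(flows))
    print("Top external destinations:", top_external_destinations(flows))
    print("Top conversations:", conversations(flows))
    for ip in sorted({f["src_ip"] for f in flows}):
        print(f"{ip}: {outbound_share(flows, ip):.0%} of traffic outbound")
```

On the sample data one workstation accounts for almost all of the bytes and sends over 90% of them to a single outside address, which is exactly the shape of result that should prompt a closer look rather than a bandwidth upgrade. Note that INTERNAL_NETS is deliberately explicit rather than relying on a library notion of "private" addresses: documentation ranges such as 203.0.113.0/24 are treated as non-global by ipaddress, so the sample would otherwise show no external traffic at all.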

Step 2: Configure Alerts and Thresholds

Get notified about problems automatically before users complain.

1. Essential Alerts

  • Bandwidth utilisation exceeding 80% of capacity (approaching saturation)
  • Any monitored device going offline (switch, server, access point)
  • Server CPU above 90% for more than 5 minutes (performance issue)
  • Disk space below 10% free on any server (impending failure)
  • WAN link packet loss above 1% (internet quality degradation)
  • Failed login attempts exceeding threshold (potential brute force)

2. Alert Configuration

  • Set up email notifications for all critical alerts
  • Configure SMS/push notifications for after-hours critical events
  • Use escalation: alert IT admin first, then manager if unresolved in 30 minutes
  • Avoid alert fatigue — only alert on truly actionable conditions
  • Group related alerts to prevent notification storms during outages
  • Create an on-call rotation if you have multiple IT staff
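The thresholds in "Essential Alerts" and the grouping and escalation rules in "Alert Configuration" are simple to express in code, and writing them out makes two details explicit that dashboards often hide: "CPU above 90% for more than 5 minutes" is a sustained condition, not a single sample, and a device that is offline behind an offline switch should not send its own alert. The script below is an added example for this guide, not the alerting logic of PRTG, Nagios or any other tool named here. The thresholds are the guide's; the metric layout, device names, one-minute polling interval and the failed-login threshold of 20 per ten minutes are assumptions.

```python
# Thresholds from the guide; the data layout and device names are this
# example's own. The failed-login threshold (20 per 10 min) is an assumption.
BANDWIDTH_PCT = 80
CPU_PCT = 90
CPU_MINUTES = 5
DISK_FREE_PCT = 10
WAN_LOSS_PCT = 1.0
FAILED_LOGINS_10M = 20
POLL_INTERVAL_MIN = 1   # one CPU sample per minute is assumed


def sustained(samples, threshold, minutes):
    """True if the trailing run of samples above threshold spans more than `minutes`."""
    run = 0
    for value in reversed(samples):
        if value <= threshold:
            break
        run += 1
    return run * POLL_INTERVAL_MIN > minutes


def check_device(name, m):
    """Evaluate one device's latest metrics; returns (severity, kind, message) tuples."""
    if m.get("offline"):
        # One alert only: CPU/disk readings from an unreachable device are stale anyway.
        return [("critical", "offline", f"{name} is not responding to ping")]
    alerts = []
    if m.get("bandwidth_pct", 0) > BANDWIDTH_PCT:
        alerts.append(("warning", "bandwidth", f"{name} link at {m['bandwidth_pct']}% (approaching saturation)"))
    if sustained(m.get("cpu_pct_history", []), CPU_PCT, CPU_MINUTES):
        alerts.append(("warning", "cpu", f"{name} CPU above {CPU_PCT}% for more than {CPU_MINUTES} minutes"))
    if m.get("disk_free_pct", 100) < DISK_FREE_PCT:
        alerts.append(("critical", "disk", f"{name} has {m['disk_free_pct']}% disk free"))
    if m.get("wan_loss_pct", 0) > WAN_LOSS_PCT:
        alerts.append(("warning", "loss", f"{name} WAN packet loss {m['wan_loss_pct']}%"))
    if m.get("failed_logins_10m", 0) > FAILED_LOGINS_10M:
        alerts.append(("critical", "logins", f"{name}: {m['failed_logins_10m']} failed logins in 10 min (possible brute force)"))
    return alerts


def group_alerts(raw, upstream):
    """Collapse an outage: a device that is offline behind an offline upstream
    device is folded into the upstream's alert instead of sending its own."""
    offline = {d for d, alerts in raw.items() if any(k == "offline" for _, k, _ in alerts)}
    grouped = {}
    for device, alerts in raw.items():
        if device in offline and upstream.get(device) in offline:
            continue
        grouped[device] = list(alerts)
    for device in offline:
        children = sorted(c for c, p in upstream.items() if p == device and c in offline)
        if children and device in grouped:
            grouped[device].append(("info", "downstream",
                                    f"{len(children)} downstream devices also unreachable: {', '.join(children)}"))
    return grouped


def recipients(severity, minutes_unresolved, after_hours=False):
    """Who is notified and how: email first, SMS after hours for critical events,
    manager added once a critical alert has been open for 30 minutes."""
    targets = ["email:it-admin"]
    if severity == "critical" and after_hours:
        targets.append("sms:it-admin")
    if severity == "critical" and minutes_unresolved >= 30:
        targets.append("email:it-manager")
    return targets


# Constructed metrics snapshot for six devices and the topology used for grouping.
SAMPLE_METRICS = {
    "router":      {"bandwidth_pct": 85, "wan_loss_pct": 0.3},
    "core-switch": {"offline": True},
    "ap-floor1":   {"offline": True},
    "ap-floor2":   {"offline": True},
    "fileserver":  {"cpu_pct_history": [40, 92, 95, 97, 93, 96, 94], "disk_free_pct": 8},
    "mailserver":  {"cpu_pct_history": [95, 96, 50, 91, 92], "failed_logins_10m": 35},
}
UPSTREAM = {"ap-floor1": "core-switch", "ap-floor2": "core-switch", "core-switch": "router"}


def evaluate(metrics_by_device, upstream):
    """Run every check and then apply outage grouping."""
    return group_alerts({d: check_device(d, m) for d, m in metrics_by_device.items()}, upstream)


if __name__ == "__main__":
    for device, alerts in evaluate(SAMPLE_METRICS, UPSTREAM).items():
        for severity, _, message in alerts:
            print(f"[{severity}] {message}")
```

With the sample snapshot the two access points behind the dead core switch produce no notifications of their own; the switch's alert carries a count of them instead, which is what keeps an outage to one page rather than a storm. The mail server's CPU history crosses 90% but not for six consecutive minutes, so only its failed-login count raises an alert.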

Step 3: Traffic Analysis and Threat Detection

Identify suspicious activity and security threats.

1. What to Look For

  • Unusual data transfers to external IP addresses (potential data exfiltration)
  • Network traffic at unusual hours: 2-5am activity on office workstations
  • Devices communicating with known malicious IP addresses or domains
  • Excessive DNS queries from a single device (may indicate malware beaconing)
  • Large internal data transfers between unexpected devices (lateral movement)
  • New devices appearing on the network that nobody authorised
  • Port scanning activity: sequential connection attempts across many ports

Pro Tip:

Establish a baseline of normal network activity first. Monitor for 2-4 weeks before setting anomaly alerts. Without a baseline, everything looks unusual and you will drown in false positives.
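Four of the indicators listed under "What to Look For", plus the baseline rule from the Pro Tip, can be checked with a few lines each once the data is in hand. The script below is an added example for this guide, not detection logic from any product named on this page. All inputs are constructed: fourteen days of per-device outbound byte totals, a list of connection records, hourly DNS query counts and a device inventory. The thresholds (z-score of 3, 20 distinct ports in 60 seconds, 2,000 DNS queries per hour) are assumptions to be tuned against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# ---- 1. Baseline comparison: 14 days of daily outbound bytes per device (constructed) ----
BASELINE_DAYS = {
    "ws-021": [1.1e9, 0.9e9, 1.3e9, 1.0e9, 1.2e9, 0.8e9, 1.1e9,
               1.0e9, 1.2e9, 0.9e9, 1.1e9, 1.0e9, 1.3e9, 1.0e9],
    "ws-033": [2.0e8, 2.5e8, 1.8e8, 2.2e8, 2.1e8, 1.9e8, 2.3e8,
               2.0e8, 2.2e8, 2.4e8, 1.9e8, 2.1e8, 2.0e8, 2.2e8],
}
TODAY_BYTES = {"ws-021": 1.15e9, "ws-033": 9.0e9}   # ws-033 sent ~40x its usual volume


def baseline_outliers(history, today, z=3.0, min_days=14):
    """Devices whose volume today exceeds mean + z * stdev of their own history.

    Devices with fewer than min_days of history are skipped: without a
    baseline every number looks unusual (the Pro Tip above).
    """
    flagged = {}
    for dev, days in history.items():
        if len(days) < min_days:
            continue
        mean, sd = statistics.mean(days), statistics.stdev(days)
        sd = max(sd, 0.05 * mean)   # floor so a flat baseline does not flag tiny wobbles
        if today.get(dev, 0) > mean + z * sd:
            flagged[dev] = round((today[dev] - mean) / sd, 1)   # how many sigmas above normal
    return flagged


# ---- 2. Port scan: many distinct ports on one host from one source in a short window ----
CONNECTIONS = [  # (timestamp, src, dst, dst_port), constructed
    (f"2024-05-01T03:10:{s:02d}", "192.168.10.77", "192.168.10.5", 20 + s) for s in range(40)
] + [
    ("2024-05-01T10:00:00", "192.168.10.33", "192.168.10.5", 445),
    ("2024-05-01T10:00:05", "192.168.10.33", "192.168.10.5", 445),
    ("2024-05-01T10:01:00", "192.168.10.33", "192.168.10.5", 139),
]


def port_scan_sources(conns, min_ports=20, window_seconds=60):
    """Return {(src, dst): distinct_ports} for pairs where the source touched at
    least min_ports different ports on that destination within window_seconds."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in conns:
        by_pair[(src, dst)].append((datetime.fromisoformat(ts), port))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for pair, events in by_pair.items():
        events.sort()
        best = 0
        for i, (t_end, _) in enumerate(events):
            # distinct ports seen in the window that ends at this event
            ports = {p for t, p in events[: i + 1] if t_end - t <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            hits[pair] = best
    return hits


# ---- 3. Excessive DNS queries per device per hour (constructed counts) ----
DNS_QUERIES_PER_HOUR = {"ws-021": 140, "ws-033": 3900, "dns-resolver": 12000}


def excessive_dns(counts, per_hour=2000, resolvers=("dns-resolver",)):
    """Devices above the query threshold; internal resolvers are excluded
    because forwarding makes their high counts normal."""
    return sorted(d for d, n in counts.items() if n > per_hour and d not in resolvers)


# ---- 4. Unauthorised devices: seen on the LAN but absent from the inventory ----
INVENTORY = {"aa:bb:cc:00:00:21", "aa:bb:cc:00:00:33", "aa:bb:cc:00:00:05"}
SEEN_ON_LAN = {"aa:bb:cc:00:00:21", "aa:bb:cc:00:00:33", "aa:bb:cc:00:00:05", "de:ad:be:ef:12:34"}


def unknown_devices(seen, inventory):
    """MAC addresses observed on the network that nobody recorded as authorised."""
    return sorted(seen - inventory)


if __name__ == "__main__":
    print("Volume outliers (sigmas above baseline):", baseline_outliers(BASELINE_DAYS, TODAY_BYTES))
    print("Port scan sources:", port_scan_sources(CONNECTIONS))
    print("Excessive DNS:", excessive_dns(DNS_QUERIES_PER_HOUR))
    print("Unknown devices:", unknown_devices(SEEN_ON_LAN, INVENTORY))
```

Each check returns data rather than printing it so the results can be fed into the alerting and review steps that follow. Two caveats built into the code are worth keeping in any real implementation: the standard-deviation floor stops a device with a very steady history from being flagged for a trivial increase, and the minimum-history guard enforces the Pro Tip by refusing to judge a device until it has a baseline.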

2. Regular Review Process

  • Review network dashboards daily for anomalies (5-10 minute check)
  • Generate weekly traffic reports comparing to previous weeks
  • Investigate any devices with significantly changed traffic patterns
  • Cross-reference monitoring alerts with security logs
  • Review top external destinations monthly — investigate unfamiliar ones
  • Document all investigated anomalies, even false positives, for pattern tracking

3. Responding to Anomalies

  • Isolate suspicious devices from the network pending investigation
  • Capture packet data (Wireshark) before the evidence disappears
  • Check the device for malware using endpoint protection
  • Review user activity logs on the affected device
  • If compromise is confirmed, follow your incident response plan
  • Report confirmed security incidents to management and document thoroughly

Need Professional Help?

Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.