In all types of monitoring, and communication network monitoring is no exception, a tradeoff exists between the monitoring cost in money, time, memory or other resources, and the effectiveness of the collected data, e.g., how accurate or useful the collected data is. A higher sampling rate, sampling more information or the like generally provides for more accurate estimation and more useful data, but requires additional resources.
In particular, in networks, monitoring at the interface and/or switch-port level is typically statistical in nature and may thus be very resource efficient, but is not fully accurate. On the other hand, software packet-level capturing solutions are highly informative but very demanding and create significant system overhead.
Overheads are generally of three types: CPU, storage, and networking. CPU overhead relates to the amount of CPU required to operate the monitoring system. Storage overhead relates to the amount of storage required to retain the collected information until it is analyzed and deleted. Networking overhead is the amount of network traffic used for the monitoring itself. The overheads themselves may affect the communication flow within the network, by reducing the effective bandwidth and/or increasing latency. As a result, the monitored network behaves differently when it is being monitored as opposed to its normal operation. So, the monitored data may not provide insight into the operation of the network in a non-monitored state.
Monitoring each packet is expensive in CPU resources, storage resources and networking resources. Thus, it is impractical without assistance from hardware resources. Statistical monitoring, however, is less informative and may not be accurate enough; therefore it is also of limited practicality for purposes such as network level troubleshooting.