
Network monitoring, explained.

Network monitoring is the continuous observation of devices, traffic, and performance across a network so issues are caught early and infrastructure stays reliable. For MSPs and IT teams, it means real-time visibility into routers, switches, firewalls, and access points — paired with alerting and remote access when something breaks. The terms below define the concepts, protocols, and capabilities that come up when teams evaluate, deploy, and operate network monitoring at scale.


Glossary terms

  • Agent vs agentless

    Agent and agentless are two architectures for collecting monitoring data — agent-based installs software on each managed device, while agentless polls devices remotely using standard protocols.

    Agent-based monitoring captures rich telemetry (CPU, memory, process state) but requires deploying and maintaining software on every endpoint. Agentless monitoring uses SNMP, WMI, SSH, and ICMP to gather data from network infrastructure without installing anything on the device — lighter to deploy and run, and the dominant model for network monitoring at scale.

  • AIOps

    AIOps (Artificial Intelligence for IT Operations) is the use of AI and machine learning to analyze IT operations data, correlate alerts, predict failures, and automate routine response.

    AIOps systems ingest telemetry from monitoring tools, logs, and event streams, then use pattern recognition to reduce alert noise, surface root causes, and trigger automated remediation. The more accurate the underlying inventory and telemetry feeding an AIOps system, the more useful its outputs — which is why agent-native operations and clean Layer-2 device data matter for AI-driven workflows.

  • Alert fatigue

    Alert fatigue is the desensitization that happens when monitoring systems generate so many notifications — many of them false positives or low-priority — that operators stop responding to them effectively.

    It's one of the most-cited operational problems in IT, with surveys consistently showing the majority of MSPs hit it monthly. The root cause is usually noisy data: devices that appear and disappear with IP changes, alerts without context, or duplicate notifications. Accurate device identification and well-tuned alert rules are the durable fix.

  • Configuration backup

    Configuration backup is the scheduled capture and versioning of device configuration files — switch, router, firewall, and access-point configs — so a known-good state can be restored after a change, failure, or breach.

    Good practice keeps backups in a central, searchable history with change-detection between versions, so unauthorized or unexpected changes surface quickly. Configuration backup is closely tied to compliance (SOC 2, ISO 27001, PCI) and disaster recovery — without it, restoring a complex device after a failure means rebuilding the config by hand.

  • DHCP

    DHCP (Dynamic Host Configuration Protocol) is the network protocol that automatically assigns IP addresses and related network settings to devices when they join a network.

    Without DHCP, every device would need a manually configured IP. With it, addresses are leased dynamically — but device IPs change over time, which is why network monitoring tools that identify devices by IP rather than MAC address can lose track of devices across DHCP churn or subnet changes.

  • DNS

    DNS (Domain Name System) is the hierarchical naming system that translates human-readable domain names like domotz.com into the IP addresses computers use to communicate.

    DNS resolution is one of the most common failure points in network operations — slow or failed lookups cause symptoms that look like application or connectivity problems but are really name-resolution problems. Network monitoring tools track DNS server availability and response time alongside ICMP and TCP checks so the underlying cause is visible.

  • IP address

    An IP address is a numeric label assigned to every device on a TCP/IP network, used to identify the device and route traffic to and from it.

    IPv4 addresses use the familiar four-number format (192.168.1.1); IPv6 uses a longer hexadecimal form. Addresses can be public (routable on the internet) or private (RFC 1918 ranges used inside networks), and static (manually fixed) or dynamic (DHCP-assigned). Because dynamic IPs change, monitoring tools that anchor identity to IP rather than MAC address generate false positives when leases turn over.

  • Latency

    Latency is the time delay between a network request being sent and a response being received, usually measured in milliseconds.

    Low, consistent latency matters more than peak bandwidth for most real-world workloads — video calls, remote desktop, SaaS applications, and VoIP all degrade noticeably at 100ms+ round-trip. Network monitoring tools measure latency continuously across paths and surface trends, so degradation is caught before users start calling the help desk.

  • Layer-2 discovery

    Layer-2 discovery is the technique of identifying devices on a network using MAC addresses — the hardware identifiers assigned at the OSI data-link layer — rather than IP addresses.

    Because MAC addresses are tied to the physical network interface and stay stable across IP changes, Layer-2 discovery keeps device identity accurate when DHCP leases turn over, devices move subnets, or networks reorganize. This is the foundation of accurate device inventory: without it, a single physical device can appear as multiple "new" devices each time its IP changes.

  • MAC address

    A MAC (Media Access Control) address is a unique hardware identifier assigned to every network interface, typically expressed as six pairs of hexadecimal digits like 00:1A:2B:3C:4D:5E.

    MAC addresses operate at OSI Layer 2 and stay tied to the physical interface across reboots, IP changes, and subnet moves. The first three octets identify the manufacturer (the OUI), which lets discovery tools infer device type — Cisco, HP, Ubiquiti — before any deeper protocol query.

  • MCP server

    An MCP server is a software endpoint that exposes a platform's capabilities to AI agents over the open Model Context Protocol, so agents can query data and take actions through the same governance controls as the web interface.

    MCP is the open standard that lets AI clients — Claude, ChatGPT, Perplexity, others — operate third-party platforms in plain language. A vendor-built MCP server gives operators rich, native tooling with OAuth-scoped consent and full audit logging. Community-built wrappers exist for some platforms, but only vendor-built MCPs ship with proper governance and support.

  • MSP

    An MSP (Managed Service Provider) is a company that delivers IT services — monitoring, support, security, infrastructure — to client businesses on an ongoing contractual basis, typically priced per device, per user, or per site.

    MSPs run multi-tenant operations: one team supporting many client networks, often hundreds of sites. The tools they use have to scale across that footprint — multi-tenant dashboards, role-based access, per-site automation, and predictable per-device economics so deploying monitoring everywhere doesn't break margins.

  • MTTR

    MTTR (Mean Time to Resolution) is the average time it takes to resolve an incident from the moment it's detected to the moment service is restored.

    It's one of the most-tracked operational KPIs in IT and MSP work. Lowering MTTR requires the full chain to be fast: detection (good monitoring), triage (accurate inventory, no false positives), context (topology, dependencies, configuration history), and remediation (remote access, ability to restart or reconfigure without dispatching an engineer).

  • Multi-tenant monitoring

    Multi-tenant monitoring is a network monitoring architecture where one platform serves many separate organizations or sites — each isolated, each with its own users, devices, and access controls — from a single shared dashboard.

    It's the core requirement for MSPs and distributed IT teams: a technician should be able to switch between client A, client B, and client C without logging in three times, while client A still can't see client B's data. Native multi-tenancy is different from running multiple single-tenant installations: there is far less to operate, and central reporting works.

  • Network discovery

    Network discovery is the automated process of identifying every device connected to a network — what it is, how it's reachable, and how it relates to other devices — without manual inventory work.

    Discovery happens through a mix of techniques: ARP table scanning, SNMP queries, LLDP/CDP neighbor checks, ICMP sweeps, and OUI lookups from MAC addresses. The quality of discovery determines the quality of everything downstream — accurate inventory is what makes monitoring, alerting, topology mapping, and AI-driven workflows trustworthy.

  • Network monitoring

    Network monitoring is the continuous observation of devices, traffic, and performance across a network, used to detect problems, measure performance, and maintain reliability.

    It typically combines real-time status checks (is the device up, are the ports healthy), telemetry collection (bandwidth, errors, latency), configuration tracking, and alerting. Modern network monitoring platforms add remote access, topology mapping, and multi-site management so distributed teams can operate networks they don't physically visit.

  • Network topology

    Network topology is the structural map of how devices on a network connect to each other — which switch links to which router, which access point covers which segment.

    Topology can be physical (cabling) or logical (Layer 2 and Layer 3 relationships). Modern monitoring tools build it automatically by combining LLDP/CDP neighbor data, MAC tables, and routing information. A current, accurate topology map is what lets a technician see why a problem on one device is causing symptoms three hops away.

  • Observability

    Observability is the ability to understand a system's internal state by examining the data it emits — metrics, logs, traces, and events — so unknown problems can be diagnosed without changing the system.

    It evolved from monitoring (which answers "is the system up?") to something broader (which answers "why is it behaving the way it is?"). Network observability adds the underlying connectivity layer to application and infrastructure observability — without it, distributed-system incidents often stall when the symptom is in the app but the cause is in the network.

  • RMM

    RMM (Remote Monitoring and Management) is a category of software that monitors and manages endpoints — workstations, laptops, servers — through an agent installed on each device.

    RMM platforms typically include patch management, remote control, scripting, and software deployment to managed endpoints. They're not the same as network monitoring tools: an RMM sees what's on the desktops; network monitoring sees the switches, routers, firewalls, and access points connecting them. Most MSPs run both because each covers what the other doesn't.

  • SNMP

    SNMP (Simple Network Management Protocol) is the widely deployed protocol for collecting metrics and status information from network devices like switches, routers, firewalls, and printers.

    SNMP organizes device data into a hierarchy called the MIB (Management Information Base), addressable by OID: every interface count, error rate, CPU stat, or temperature reading is a queryable OID. Monitoring tools poll devices on intervals (commonly every minute or every five minutes) for current values, then trend the results.

  • Subnet

    A subnet is a logical subdivision of an IP network — a contiguous range of IP addresses sharing the same network prefix — used to organize devices and control routing and traffic flow.

    Subnets are defined in CIDR notation, such as 192.168.1.0/24, where the prefix length determines how many addresses are in the subnet. Larger networks are split into subnets by location, department, function, or VLAN, so traffic stays local where it can and broadcast scope is contained.

  • VLAN

    A VLAN (Virtual Local Area Network) is a logical network segment configured inside a physical switch infrastructure, used to separate broadcast domains and isolate traffic between groups of devices.

    VLANs let one physical switch carry multiple isolated networks — guest WiFi traffic stays separate from corporate traffic on the same hardware, IoT devices stay isolated from servers. They're identified by a numeric VLAN ID (1–4094), tagged on trunk ports per the 802.1Q standard, and used heavily in segmentation for security and performance.
