Remote Network Monitoring (RMON)

Last Edited




Remote Network Monitoring, or RMON, is an extension of the Simple Network Management Protocol (SNMP) that allows detailed monitoring of network statistics for Ethernet networks. Read the full article to fully understand this concept.

What is RMON (Remote Network Monitoring)?

An extension of the Simple Network Management Protocol (SNMP) that allows detailed monitoring of network statistics for Ethernet networks. Remote Network Monitoring (RMON) is defined in Request for Comments (RFC) 1757.

RMON lets you monitor network traffic on a remote Ethernet segment from a central location on the network to detect problem conditions such as traffic congestion, dropped packets, and excessive collisions. You can use RMON to set network traffic thresholds that trigger alarms so that you can correct network problems before they occur. Embedded RMON support for Ethernet switches lets network administrators monitor switched Ethernet networks that cannot easily be monitored using traditional packet-sniffing network analyzers.

RMON - Remote Network Monitoring
If you want to see the latest products related to network monitoring on Amazon please click here.

How Does It work?

Like SNMP, RMON is implemented as a standard Management Information Base (MIB) on RMON-enabled devices. These RMON-enabled devices include the following:

  • Stand-alone devices called dedicated RMON probes that can be temporarily or permanently installed where desired on the network
  • Existing network devices such as repeaters, bridges, hubs, routers, or Ethernet switches that have an RMON probe embedded into their circuitry

An RMON probe consists of an SNMP agent for collecting information and communicating it to an SNMP management application, and one or more RMON MIBs defining the network objects to be managed. Typically, an SNMP-manageable device such as a hub or router needs additional software installed on it only to provide RMON functionality and turn it into a probe. Other devices called hosted probes are implemented as add-on hardware modules with built-in processing power and memory.

RMON is usually implemented on only one device or interface per TCP/IP subnet. RMON agent software runs on the port of the router or switch, which monitors and collects Ethernet networking statistics for the attached subnet. These statistics relate to the physical layer (layer 1) and the data-link layer (layer 2) of the 7 layer OSI model for networking. An SNMP management console contacts the RMON agent when it wants to collect the statistics in order to analyze them and present them to the network administrator, or network traffic conditions on the device can trigger the agent to notify the management station of an alarm condition using SNMP traps. RMON agents can also collect and store statistics for monitoring trends in network traffic.

The RMON MIB defined in RFC 1757 contains nine groups of manageable objects (RMON monitoring elements) for various aspects of Ethernet traffic monitoring, totaling 204 objects and 2 events. These groups of objects, usually referred to as the RMON1 groups, are as follows:

  • Statistics (1): Records statistics for Ethernet network interfaces (ports), including packets sent and received, bytes sent and received, the number of each type of packet, packets dropped, errors, and collisions 
  • History (2): Specifies the types of data being sampled and the frequency at which data is sampled, and records the sampled data for later analysis 
  • Alarm (3): Lets you set thresholds and sampling periods to trigger alarms when specified network conditions arise 
  • Host (4): Records MAC addresses; the number of packets sent and received for broadcast, unicast, and multicast packets; the number of bytes sent and received; and the number of error packets for all hosts on the subnet 
  • HostTopN (5): Lets you list hosts according to ranking parameters such as amount of traffic generated or number of errors generated 
  • Matrix (6): Records statistics for communication between pairs of hosts, such as their source and destination addresses and the number of bytes and packets sent and received 
  • Filter (7): Controls which kinds of packets the agent should capture, such as all packets larger than a certain size, all packets that match a specific bit mask, or logical combinations of individual expressions 
  • Capture (8): Lets you capture packets for collecting network statistics and configure capture buffer sizes 
  • Events (9): Lets you generate SNMP traps and log entries


RFC 1513 extends the original RMON specification by adding a MIB group to RMON called Token Ring, which extends RMON functionality to Token Ring local area networks (LANs) by allowing sampling and collection of statistics specific to this networking environment.

RMON2, defined by RFC 2021, extends the original RMON specification with nine more MIB groups that specify the collection of statistics at the network layer (layer 3) and application layer (layer 7). Network administrators can remotely collect information about the flow of data in client/server applications in an enterprise environment. For example, with RMON2-enabled routers and switches, you can determine which workstations are accessing a specific client/server application on a specific server from a remote SNMP management console. RMON2 includes the original RMON MIB groups and extends them with an additional 268 manageable objects.

RMON 1 (layer 1 and 2), RMON 2 (Layer 3 to 7)

RMON-enabled devices

Make sure that your RMON-enabled device or probe supports at least groups 1, 2, 3, and 9 from the previous list. Probes that support only these four groups are said to support mini-RMON. Many network hardware vendors provide RMON-enabled devices that support only mini-RMON because these are generally considered the most useful RMON groups.


See also:

External references: