Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

What Is Network Analytics?

Network analytics is any process where network data is collected and analyzed to improve the performance, reliability, visibility, or security of the network.

Today, network analytics processes can be automated, so IT staff no longer need to manually look for and troubleshoot problems or perform other, increasingly complex tasks.

A renewed focus on business resilience

Our world is facing an acceleration in the frequency, diversity, and impact of disruptions. Planning your network to help your organization respond to the unexpected is now more important than ever.

How does network analytics work?

In network analytics, a software engine analyzes and extracts intelligence from data collected from various sources, such as network devices (switches, routers, and wireless), servers (syslog, DHCP, AAA, configuration database, etc.), and traffic-flow details (wireless congestion, data speeds, latency, etc.).

Network analytics processes are automated and so are more wide-ranging than what can be achieved by manual analysis. Network analysis can scale to many devices, clients, users, and applications, while improving overall user experience and not substantially increasing operating costs.

How can I benefit from network analytics?

  • The intelligence gathered by network analytics can be used for several tasks, such as spotting bottlenecks, evaluating health of devices, issue remediation, identifying connected endpoints, and probing for potential security lapses.
  • For improving operations, network analytics compares incoming data with preprogrammed models and makes appropriate decisions. The data is fed into a model of ideal network performance. When a data source detects less-than-ideal performance, the analytics engine recommends adjustments that can enhance performance.
  • Network analytics may recommend corrective actions for identified issues in the network. These actions can involve guided remediation, where the engine specifies steps for a network administrator to perform, or closed-loop remediation, where it sends instructions to the automation portion of the network controller for changes to be made automatically.
  • For identifying an endpoint, network analytics peers inside the traffic to and from the endpoint, recognizes protocols, correlates it with data from other sources, and builds a profile for the endpoint.
  • For detecting potential security issues, network analytics monitors endpoint behavior and traffic (even encrypted) to detect anomalies that might indicate that the endpoint may be compromised, such as by a malware infection.

How does network analytics collect data?

Network analytics collects data from a variety of sources, including from servers such as DHCP, Active Directory, RADIUS, DNS, and syslog, and from network traffic such as NetFlow, traceroute, and SNMP. It does so by using techniques such as telemetry and deep packet inspection (DPI) to build a rich database from which contextual information can be derived.

Deep packet inspection (DPI)

DPI of select traffic flows is a rich data source for network analytics. An analysis of such traffic using techniques such as Network Based Application Recognition (NBAR) and Software-Defined Application Visibility and Control (SD-AVC) can discern the communication protocols being used.

Analytics engines can use this information in a variety of ways, such as setting of quality-of-service (QoS) parameters automatically or profiling endpoints.

Streaming telemetry

Streaming telemetry reduces delays in data collection. Telemetry provides information on anything from simple packet-flow numbers to complex, application-specific performance parameters. Systems that can stream more telemetry, from more sources and about more network variables, give the analytics engine better context in which to make decisions.


Another important factor an analytics engine considers is context. The context is the specific circumstances in which a network anomaly occurs. The same anomaly in different conditions can require very different remediation, so the analytics engine must be programmed with the many variables for contexts, such as network type, service, and application.

Other contexts can include wireless interference, network congestion, service duplication, and device limitations.

How does network analytics scrutinize collected data?

Network analytics derives intelligence and insights from data it aggregates from the network, hosts, and devices. Data from many sources allows network analytics to correlate and view issues from many different angles and contexts and to form a complete, accurate picture of the state of the network itself and endpoints in the network.

Analytics engine

The analytics engine, the software program that analyzes data and makes decisions, collects data from around the network and performs the desired analysis. This analysis may compare the current state with a model of optimal performance. Whenever the program identifies a deviation from optimal, it may suggest remediations or present its findings to a higher-level program or to the IT staff.

The analytics engine may also scrutinize endpoint traffic to help identify the endpoint itself or traffic behavior that may signal malware infection.

Cloud versus local analytics

Networking engineers often debate whether network analytics should be performed remotely, in the cloud, or locally, at the customer premises.

Placing the analytics engine in the cloud offers access to much more processing power, scale, and communication with other networks. Cloud-hosted analytics also benefits from up-to-the-minute algorithms and crowdsourced data. Placing the analytics engine on-premises offers better insights and remediation performance, and it reduces the amount of data required to backhaul to the cloud. Both of those advantages are particularly important in larger enterprise networks.

Should you use cloud or local analytics? The answer is, both. Machine learning (ML) and machine reasoning (MR) modules can be placed in the cloud to benefit from larger computing resources. But having the analytics engine on site can offer large gains in performance and save big on WAN costs.


The analytics engine considers the relationship among variables in the network before offering insights or remediation. The correlation among devices, applications, and services can mean that correcting one problem can lead to problems elsewhere. While correlation greatly increases the number of variables in the decision tree and adds complexity to the system, it's essential so that all variables can be evaluated for accurate decisions.

Decision trees

Most analytics engines offer guidance on performance improvement through decision trees. When an analytics engine receives network data indicating subpar performance, the decision tree calculates the best network-device adjustment or reconfiguration to improve performance of that parameter.

The decision tree grows based on the number of sources for streaming telemetry and the number of options for optimizing performance in each point. Because of the complexity of processing these very large data sets in real time, analytics was previously performed only on supercomputers.


The analytics engine spots network anomalies, faults, and performance degradations by comparing the incoming streaming telemetry with a model of optimal network performance for each data source. That process produces insights into ways network performance and user experience can be improved.

How does network analytics benefit from AI/ML techniques?

Network analytics uses a combination of local and cloud-based AI-driven analytics engines to make sense of all collected data. Using AI and ML, network analytics customizes the network baseline for alerts, reducing noise and false positives while enabling IT teams to identify issues, trends, anomalies, and root causes accurately. AI/ML techniques along with crowdsourced data are also used to reduce unknowns and improve the level of certainty in decision making.

Artificial intelligence (AI)

Artificial intelligence simulates intelligent decision making in computers. Many sources confuse artificial intelligence with machine learning (ML); machine learning is a subset of the many types of applications that result from the field of artificial intelligence.

Get details

Machine learning (ML)

Use of ML can improve analytics engines. With ML, the parameters in the decision tree can be improved based on experience (cognitive learning), peer comparison (prescriptive learning), or complex mathematical regressions (baselining).

ML offers large increases in the accuracy of insights and remediation, because with it the decision trees are modified to meet the specific conditions of a network's configuration, its installed hardware and software, and its services and applications.

In cases when an analytics engine may not have enough information to unequivocally identify endpoints, it may use ML to group together endpoints with similar characteristics. These clustering algorithms consider the distance between cluster members, density areas of the data space, and other factors when clustering objects, much like a human would. In many cases, the algorithms cluster more consistently and across many more dimensions than would be feasible for a human. Such clusters may be used by administrators to remove ambiguity and profile endpoints accurately.

ML is a subset of AI, since it gives analytics engines the ability to automatically learn and improve from experience without being explicitly programmed.

Blog: Beyond the Buzzword

Machine reasoning (MR)

When analytics engines are programmed to reason through logical steps, MR is achieved. This capability can enable an analytics engine to navigate through a number of complex decisions to solve a problem or a complex query.

With MR, analytics can compare multiple possible outcomes and solve for an optimal result, using the same process that a human would. This is an important complement to ML.