Which activities a network administrator needs to monitor depends on the goal of the monitoring. If one is trying to analyze performance problems or triage an outage, then Kurose and Ross's (2004) example of reactive control applies. However, if one is attempting to plan new capacity, predict hardware failures before they occur or implement changes in an error-free fashion, then their (Ibid.) examples of proactive management apply. But as exhaustive and all-encompassing as these tactics may appear, they are not. A network manager could also be asked to participate in a forensic analysis, in the creation and monitoring of honeynets or honeypot systems, or in password security analysis, for example. The limits of what can and should be monitored may first be defined by the smooth functioning and growth of the network, but they may extend far beyond that depending on the capabilities of a system and the necessities of a situation.
Network monitoring is an extensive and still-growing field. From RMON to SNMP, from NOCs to lights-out data centers, administrators might be called upon to perform hundreds of different types of analyses in hundreds of significantly different environments. With the reporting and polling available from remote network equipment, it may be possible to repair or enhance the performance of almost any location on-net from almost any other location, short of an actual outage. This might be referred to as either proactive or reactive management.
As the resident experts in a network's topology and, potentially, its security, network administrators may be crucial parts of any forensic investigation that involves their equipment. Because they probably have the best idea of where any interesting traffic flowed and likely possess the necessary passwords and reporting/logging systems, their contributions in such a situation would likely be invaluable (Casey et al., 2004).
A somewhat similar activity in which one might become involved is the design, implementation and/or monitoring of honeypot systems or networks. Whether one has a specific perpetrator in mind for investigation or just wants to research the possible methodologies of intruders, the expertise of a network admin will be important both for choosing a safe yet appealing location for such systems and for interpreting the monitored reports and alerts well enough to differentiate between normal usage and the activities of interest.
Intrusive security analysis is one of the more dangerous activities in which a network administrator might become involved (Chan et al., 2003). It is important that the organization makes a clear commitment to such an investigator and that the investigator is perfectly clear with the organization as to limits and procedures. But, taking password analysis as an example, the admin is well qualified and quite possibly necessary because of their knowledge of which systems are reachable from which, and of how important the security of authentication and authorization would be to specific equipment. While it might be argued that this sort of activity isn't monitoring, I would say that while it is more than monitoring, monitoring is still a significant part of it.
Network administrators can perform any sort of monitoring we can imagine. The bulk of it will probably be along the lines of Kurose and Ross's reactive and proactive paradigms, but there are as many other possibilities as we can envision, design and implement.
Casey, E., Dunne, R., Ferraro, M., Larson, T., McGrath, M., Palmer, G., Robinson, T. & Turvey, B. (2004) Chapter 15, 'Applying Forensic Science to Networks', Digital Evidence and Computer Crime – Forensic Science, Computers and the Internet, 2nd ed. Tokyo, Elsevier.
Chan, N., Coronelo, S. & Ong, Y. (2003) The Threat of the Cybercrime Act 2001 to Australian IT Professionals [Online]. Available from: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.4.3391&rep=rep1&type=pdf (Accessed: 28 November, 2010)
Kurose, J. & Ross, K. Computer Networking – A Top Down Approach Featuring the Internet, 4th ed. Pearson Education.