SNMP vs. Streaming Telemetry: How They Work, How They Differ, and When to Use Each
Reviewed for technical accuracy by: Eric Hian-Cheong, Senior Product Marketing Manager at Kentik, specializing in network monitoring, AI-assisted operations, and flow analytics.
SNMP and streaming telemetry are the two principal methods for collecting metrics from network devices, and they represent two different philosophies. SNMP is pull-based: a monitoring system polls each device on an interval and receives the current value of each requested counter. Streaming telemetry is push-based: devices export structured metrics continuously, at high frequency, to any system that subscribes. The practical differences — granularity, device impact, data structure, timestamp accuracy, and vendor support — determine which method fits which job, and why most production networks need both.
This guide explains how each protocol actually works, where they genuinely differ, the normalization problem nobody warns you about, and how to adopt streaming telemetry without abandoning the SNMP estate you already have.
SNMP vs. Streaming Telemetry at a Glance
- SNMP (Simple Network Management Protocol, 1988) is poll-based: collectors request metric values identified by OIDs organized in MIBs, typically every 30–300 seconds; SNMP traps add event notifications.
- Streaming telemetry is push-based: devices export metrics continuously over gRPC (most commonly via gNMI), structured by YANG models, at intervals measured in seconds — with timestamps applied at the source.
- The core trade-off: SNMP runs on virtually everything but can’t see between polls; streaming telemetry delivers the granularity modern operations require but is supported unevenly across vendors and platforms.
- The hidden cost: SNMP MIBs and streaming telemetry models name and structure the same metrics differently, with no out-of-the-box unification — normalization is where real engineering effort goes.
- The realistic strategy: run both. Stream from the platforms that support it (data center fabrics, modern routers); poll everything else; normalize into one data model so dashboards and alerts don’t care how a metric arrived.
How SNMP works
SNMP has been the backbone of device monitoring since 1988, and its mechanics are worth understanding precisely because they explain both its universality and its limits.
Every monitorable element on a device — CPU utilization, an interface’s byte counter, a fan’s status — is assigned a numeric object identifier (OID), organized hierarchically in a Management Information Base (MIB). An SNMP agent runs on the device, tracking current values for each OID. Collection happens two ways: a monitoring system sends a GET request to poll a value on demand (typically on a fixed schedule), or the device proactively sends a trap to a configured destination when a threshold is crossed. Three protocol versions matter in practice: SNMPv1 and v2c authenticate with plaintext community strings (v2c adding bulk retrieval), while SNMPv3 adds real authentication, encryption, and access control at the cost of meaningfully more complex configuration.
Two mechanical details shape what SNMP data means. First, most SNMP values are counters, not rates — the device reports total bytes since the counter started, and the monitoring system computes bits per second by differencing two polls over the time between them. Older 32-bit counters can roll over to zero mid-interval at modern traffic rates, producing nonsense rates unless the collector handles rollover (or uses the 64-bit high-capacity counters). Second, SNMP data is not timestamped at the source: the collector stamps values on receipt, and variable polling and transit delay means the timestamps are approximations — a subtle source of artifacts in SNMP-derived graphs.
SNMP’s defining strength is reach. Essentially every network device made in the last three decades speaks it — the brand-new data center chassis and the twenty-year-old branch router alike — which is why no realistic monitoring strategy can simply drop it.
Kentik in brief: Kentik is the network intelligence platform that treats SNMP and streaming telemetry as one problem rather than two. Kentik NMS supports gNMI streaming telemetry alongside traditional SNMP polling for supported platforms (Cisco, Juniper, Arista), with default streaming collection at 30-second intervals, CPU metrics at 2-second resolution, and custom intervals configurable per Monitoring Template where vendor support allows. Critically, all device telemetry is normalized into an OpenConfig-aligned schema, so dashboards, queries, and alerts work identically whether a metric arrived by poll or by stream — and device metrics correlate directly with the flow, routing, and synthetic telemetry in the same platform.
Learn everything you need to know about network telemetry in this new O'Reilly guide.
How streaming telemetry works
Streaming telemetry inverts the model. Instead of a collector repeatedly asking every device the same questions, the device publishes answers continuously to whoever subscribes. Most modern implementations ride on gRPC, with gNMI (gRPC Network Management Interface) as the dominant standard interface, though vendor-specific transports persist. The data itself is structured by YANG models — formal schemas describing what each metric is and how it’s organized — with the OpenConfig project providing vendor-neutral models intended to make a Cisco interface counter and a Juniper interface counter look the same on the wire.
Three design choices distinguish streaming telemetry operationally:
- Subscription direction: in dial-in telemetry the collector initiates the connection to the device and subscribes; in dial-out, the device initiates the connection to a configured collector — a distinction that matters enormously for firewall policy and which side holds configuration.
- Export mode: cadence-based subscriptions deliver values at a fixed interval (every few seconds, or faster for select metrics), while event-driven subscriptions export only when something happens — a value crosses a threshold, a link state changes — keeping volume proportional to interest rather than to time.
- Where the work happens: telemetry export is engineered to be cheap for the device, often handled close to the forwarding hardware, with one export stream serving many consumers — versus SNMP’s model of every monitoring tool independently polling every device for the same values.
The result is data that’s higher-frequency, source-timestamped, consistently structured, and lighter on device CPUs. The cost is maturity: support varies widely by vendor and platform, implementations differ in transport and model coverage, and configuring subscriptions demands skills that classic SNMP shops haven’t needed before.
SNMP vs. streaming telemetry: the key differences
| Dimension | SNMP | Streaming telemetry |
|---|---|---|
| Collection model | Pull (collector polls) + traps for events | Push (device exports to subscribers) |
| Typical granularity | 30 seconds to 5 minutes per poll | Seconds; select metrics faster |
| Timestamps | Applied at the collector on receipt | Applied at the source device |
| Data structure | MIBs/OIDs; vendor-inconsistent | YANG models; OpenConfig where adopted |
| Device impact | Grows with pollers × interfaces × metrics × frequency | Designed for low overhead; one stream, many consumers |
| Event handling | Traps (threshold-based, MIB-defined) | Event-driven subscriptions |
| Transport security | Plaintext in v1/v2c; encrypted in v3 only | gRPC over TLS |
| Vendor support | Effectively universal, decades deep | Modern platforms from major vendors; uneven elsewhere |
| Operational maturity | Thoroughly understood; vast tooling | Newer; per-vendor differences; steeper learning curve |
The single most consequential row is granularity. A device polled every minute reports averages that smooth away everything shorter — which is precisely why sub-second events like microbursts are invisible to SNMP in any practical sense, and why streaming telemetry has become a hard requirement for data center fabrics, AI infrastructure, and anywhere short-lived congestion has long-lived consequences.
The second most consequential is structure. SNMP’s vendor inconsistency is legendary — the same metric exposed differently across vendors, across device models, sometimes across interfaces on the same device. YANG models and OpenConfig were created to fix exactly this, and where they’re adopted, they largely do. But that fix creates a new problem the next section covers.
For a complementary practitioner’s take framed around the strengths and weaknesses of each protocol, see our blog post The Benefits and Drawbacks of SNMP and Streaming Telemetry.
The unification problem nobody warns you about
Here is the operational reality that surprises teams mid-migration: SNMP MIBs and streaming telemetry models describe the same device, but there is no out-of-the-box mapping between them. The interface byte counter you’ve graphed from an SNMP MIB for a decade arrives from gNMI under a different name, in a different structure, governed by a different model — and nothing in either standard reconciles them.
This matters because no real network migrates all at once. For years, a fleet will contain devices that only speak SNMP, devices streaming via gNMI, and devices doing both — and the same dashboard needs to show interface utilization across all of them. Without a normalization layer that maps MIB-sourced and model-sourced metrics into one schema, teams end up with parallel dashboards, parallel alerts, and the operational fiction that one network is two. (This is a specific instance of the broader normalization challenge covered in our network telemetry pipelines guide.)
The practical test for any monitoring platform claiming to support both protocols is therefore not “can you ingest gNMI?” but “when a device migrates from polling to streaming, do my dashboards, baselines, and alerts keep working unchanged?” Normalization into a common schema — not protocol support — is the feature that determines the answer.
Should I use SNMP, streaming telemetry, or both?
The honest answer for nearly every production network in 2026 is both, and the interesting question is where to draw the line.
Streaming telemetry earns its setup cost wherever granularity changes outcomes: data center and AI fabric switches where queue behavior at second-scale matters, core and aggregation routers whose counters move fast enough that minute-averages mislead, and any device feeding alerting where detection speed is the point. It also wins wherever device CPU is precious and many tools want the same data — one export stream replaces a crowd of pollers.
SNMP remains the right tool for the long tail: the access switches, branch routers, power systems, and legacy gear that will never stream, the platforms where vendor streaming support is partial or proprietary, and the environments where simplicity and staff familiarity outweigh granularity. SNMP traps also remain a perfectly serviceable event channel where event-driven streaming isn’t available.
A sensible adoption sequence for streaming telemetry vs SNMP
Inventory which platforms in your fleet support gNMI and which models they expose. Enable streaming first on the devices where sub-minute visibility has operational value. Keep SNMP running in parallel during transition and validate that streamed and polled values agree. And insist on a collection layer that normalizes both into one schema, so the migration is invisible to everyone downstream. Running streaming telemetry and SNMP simultaneously is common during such transitions.
How Kentik unifies SNMP and streaming telemetry
Kentik NMS was designed for today’s dual-protocol reality rather than treating it as a migration phase. It polls SNMP and ingests gNMI streaming telemetry side by side — for supported platforms from Cisco, Juniper, and Arista — with default streaming collection at 30-second intervals, CPU metrics at 2-second resolution visible as live updates, and per-template control of collection methods and intervals where vendor support allows. Everything is normalized into an OpenConfig-aligned schema on ingest, which is the property that makes the rest work: one dashboard, one query language, one alert policy, regardless of how each device’s metrics arrived.
Because NMS is part of the broader Kentik platform, device metrics from either protocol correlate directly with flow telemetry, BGP routing data, and synthetic tests in the Kentik Data Engine — so an interface anomaly caught by a 2-second stream can be attributed to the traffic that caused it in the same workflow. And Kentik AI Advisor investigates across all of it with natural-language questions, regardless of which protocol produced the underlying metric.
Related Reading on SNMP and Streaming Telemetry
- The Benefits and Drawbacks of SNMP and Streaming Telemetry — Phil Gervasi’s practitioner take on the strengths and weaknesses of each approach.
- No, You Haven’t Missed the Streaming Telemetry Bandwagon — why it’s not too late to start with streaming telemetry.
- Network Device Monitoring — the full device-monitoring picture both protocols serve.
- What Is Network Telemetry? Types, Sources, and How to Use It — where device metrics fit among all the telemetry types.
- Network Telemetry Pipelines — the normalization and enrichment layer that makes dual-protocol collection coherent.
- Microburst Detection — the canonical example of why telemetry granularity matters.
- Practical Guide to Modern Networking Telemetry (O’Reilly ebook) — the free book-length guide covering both protocols in the context of full telemetry strategy.
FAQs about SNMP and Streaming Telemetry
What is the difference between SNMP and streaming telemetry?
SNMP is pull-based: a monitoring system polls devices on an interval — typically 30 seconds to 5 minutes — for counter values organized in MIBs, with timestamps applied at the collector. Streaming telemetry is push-based: devices continuously export metrics structured by YANG models over gRPC (most commonly gNMI), at second-scale intervals, with timestamps applied at the source. The practical differences are granularity, device overhead, data structure consistency, and vendor support — SNMP runs on virtually everything, while streaming telemetry delivers far finer resolution on the platforms that support it.
Is SNMP obsolete?
No. SNMP remains supported by essentially every network device in production, and for the long tail of access switches, branch gear, and legacy platforms, it is often the only option — which means it will be operationally relevant for years to come. What has changed is that SNMP alone is no longer sufficient: modern operations needs like sub-minute visibility, source-accurate timestamps, and low-overhead collection at scale require streaming telemetry where it’s available. The realistic posture is both protocols, normalized into one view.
Does streaming telemetry replace SNMP?
Not in practice, and not for years. Streaming telemetry support remains uneven across vendors and platforms, many devices will never receive it, and SNMP’s universality makes it irreplaceable for fleet-wide baseline coverage. The migration pattern that works is additive: stream from the platforms where granularity matters and support exists, keep polling everything else, and rely on a collection layer that normalizes both so the difference is invisible to dashboards and alerts.
What is gNMI?
gNMI (gRPC Network Management Interface) is the dominant standard interface for streaming telemetry: a specification built on gRPC that lets a collector subscribe to structured metric streams from network devices, as well as retrieve and set configuration. Subscriptions can be cadence-based (values delivered on a fixed interval) or event-driven (delivered on change or threshold), and the data is organized by YANG models — ideally the vendor-neutral OpenConfig models — so that metrics are consistently structured across platforms that implement them.
What are YANG and OpenConfig?
YANG is a data modeling language that formally defines the structure and meaning of configuration and operational data on network devices — the streaming-telemetry-era answer to what MIBs did for SNMP. OpenConfig is an industry project that publishes vendor-neutral YANG models, so that the same metric (an interface counter, a BGP session state) is named and structured identically across vendors that implement the models. Adoption is meaningful but incomplete, which is why normalization layers remain necessary in mixed fleets.
What is the difference between dial-in and dial-out streaming telemetry?
The terms describe who initiates the connection. In dial-in telemetry, the collector connects to the device and subscribes to the metrics it wants — subscription control lives at the collector, and the device must be reachable. In dial-out, the device initiates the connection to one or more configured collectors and pushes its subscribed data — friendlier to firewall policy (outbound-only from the device) but requiring per-device configuration of destinations. Vendor support differs by platform, and the choice has real consequences for network security policy and configuration management.
What is the difference between cadence-based and event-driven telemetry?
Cadence-based telemetry exports metric values at a fixed, configured interval — every few seconds, for example — providing a continuous record regardless of whether anything changed. Event-driven telemetry exports only when a defined condition occurs: a value crosses a threshold, an interface changes state, a queue exceeds a watermark. Cadence provides the baseline and trend data; event-driven keeps volume proportional to interesting activity and captures the precise moments that matter. Mature deployments use both, often on the same device.
Why does SNMP miss short-lived events like microbursts?
Because polling averages. A counter polled every 60 seconds yields one rate for the whole minute, so a traffic spike lasting 50 milliseconds — even one that saturated a queue and dropped packets — contributes a rounding error to the average and vanishes. SNMP also timestamps at the collector rather than the source, adding uncertainty about exactly when values were true. Catching sub-second events requires streaming telemetry at second-scale cadence plus hardware queue metrics from the switch itself; see our microburst detection guide for the full workflow.
How do you migrate from SNMP to streaming telemetry?
Treat it as an addition, not a cutover. Inventory which platforms support gNMI and which YANG/OpenConfig models they expose; enable streaming first where granularity has operational value (data center fabrics, core routers, alert-critical devices); run SNMP in parallel and validate that streamed and polled values agree before retiring polls; and require normalization into a single schema so dashboards, baselines, and alerts survive the transition unchanged. Plan for dual-protocol operation as a steady state measured in years, not a brief transition. Kentik NMS supports this directly, collecting both protocols per device via Monitoring Templates and normalizing everything into one OpenConfig-aligned schema.
Which network devices support streaming telemetry?
Modern platforms from major vendors — including Cisco, Juniper, and Arista — support gNMI-based streaming telemetry on many current operating systems and hardware lines, though coverage varies by platform, OS version, and which models are implemented. Older hardware, much of the access layer, and many specialty devices do not support it and realistically never will. The practical first step is an inventory: check vendor documentation for gNMI support and model coverage per platform in your fleet, and assume SNMP remains necessary for whatever falls outside it.
Kentik gives one view of every device, however it reports
Kentik NMS collects SNMP and gNMI streaming telemetry side by side and normalizes both into one schema — so your dashboards and alerts don’t care how the metric arrived.
- Request a demo — see SNMP and streaming telemetry unified, and correlated with flow and synthetic data.
- Start a free trial — point your devices at Kentik NMS and compare poll against stream yourself.
- Explore Kentik NMS — the modern network monitoring system built for the dual-protocol reality.
- Get the O’Reilly ebook — the free Practical Guide to Modern Networking Telemetry, by Kentik co-founder Avi Freedman and Leon Adato.
