Download pdf - Just two clicks away - from monitoring and reporting to root-cause analysis

www.wildpackets.com © WildPackets, Inc.

Jay Botelho

Director of Product Management

WildPackets

[email protected]

Follow me @jaybotelho

Just Two Clicks Away

Monitoring and Recording to Root-Cause

Analysis

Show us your tweets! Use today’s webinar hashtag:

#wp_visibility with any questions, comments, or feedback.

Follow us @wildpackets

© WildPackets, Inc. 2 Just Two Clicks Away – Monitoring and Recording to Root-Cause Analysis

There’s no debate about the need for

centralized network monitoring and

reporting …

HOW?

The question is …


Agenda

• Choices and Compromises

• SNMP

• Flow-based

• Packet-based

• Company Overview

• Product Line Overview


Choices and Comprises

Overhead???

Cost???

Data

Gra

nula

rity

Data Accuracy

SNMP

Flow-based

Packet-based


SNMP


SNMP

• Best used to identify and describe system

configuration

• Monitor network-attached devices for high-level

conditions ‒ Up/Down

‒ Total traffic (bytes, packets)

‒ Number of users

• Typically polling-based – heavy bandwidth impact

• Typically 5 minute granularity

• Trouble-shooting/root cause analysis not possible


Flow-based


"Go With the Flow"

• Flows, or flow records, have become the default element used in centralized network monitoring

• A “flow” is a sequence of packets that has the following seven identical characteristics:

‒ Source IP address

‒ Destination IP address

‒ Source port

‒ Destination port

‒ Layer 3 protocol type

‒ TOS byte

‒ Input logical interface

• By implication, a flow is unidirectional


Basic Flow Analysis

• Packets enter the switch or router

• Packets sampled and flows determined

• Flow records compiled and exported to flow collector

• Flow records stored and subsequently analyzed by flow analysis software

Source: Wikipedia

http://en.wikipedia.org/wiki/File:Netflow_architecture_en.svg


Flows vs. Flow Records

• Flows are a defined element

• Flow Records are analytical results that vary

by overall standard, vendor and

configuration

• The most common standards for flow

records include: ‒ NetFlow

‒ IPFIX

‒ sFlow

‒ JFlow


Focus on NetFlow

• Packets typically 1500 Bytes each

• Packets come in spurts – up to several Mbytes

• 20 – 50 flow records per packet

• Typically 1 minute reporting granularity

• Used for “accounting”

• Overhead (bandwidth usage - # of packets in reporting period) linearly proportional to the # of flows

• Remember the prime directive – a switch MUST perform its primary function – forwarding packets!

• UDP-based: lost reporting packets can seriously impact data reliability


On Your Network …


The Details


Common Flow-based Technologies

Netflow IPFIX sFlow Jflow

•Developed by

Cisco

•Proprietary

•Transit traffic &

terminated traffic

•Detailed info for

each flow

•NO payloads

•Sampling option

not 100%

accurate

• Internet Protocol

Flow Information

eXchange

• IETF standard

•Based on

NetFlow


each flow

•NO payloads

•RFC 3176

•Statistical time-

based sampling

•Higher speed

networks

•Less common

than NetFlow

•NO payloads

•Sampled – not

always 100%

accurate

•Developed by

Juniper

•Proprietary

•Similar to

NetFlow


each flow

•NO payloads

•Sampled per

global rate – not

100% accurate

Limited Troubleshooting/Root-cause Analysis


Packet-based

OmniFlow


Packet-based - OmniFlow

• Developed by WildPackets

• Analysis of every packet AND payload

• Unrivaled info for each flow

• Layer 3 - 7

• 100% accurate

• Minimal network impact – 10’s of Kbps

• Monitor AND troubleshoot


OmniFlow Data


Why Are Payloads Important?


OmniFlow and WatchPoint

• High-level, aggregated view

of all network segments

‒ Monitor per campus, per

region, per country

• Wide range of network data

‒ NetFlow, sFlow, OmniFlow

• Web-based, customizable

network dashboards

• Flexible and detailed

reports


Sample WatchPoint Dashboard


Monitoring AND Detailed Analysis


Not All Flows Are Created Equal

Netflow IPFIX sFlow Jflow OmniFlow

•Developed by

Cisco

•Proprietary

•Transit traffic

& terminated

traffic

•Detailed info

for each flow

•NO payloads

•Sampled

option not

100%

accurate

• Internet

Protocol Flow

Information

eXchange

• IETF standard

•Based on

NetFlow

•Detailed info

for each flow

•NO payloads

•RFC 3176

•Statistical

time-based

sampling

•Higher speed

networks

•Less common

than NetFlow

•NO payloads

•Sampled – not

100%

accurate

•Developed by

Juniper

•Proprietary

•Similar to

NetFlow

•Detailed info

for each flow

•NO payloads

•Sampled per

global rate –

not 100%

accurate

•Developed by

WildPackets

•Proprietary

•Analysis of

every packet

AND payload

•Unrivaled info

for each flow

•Layer 3 - 7

•100%

accurate

•Monitor AND

troubleshoot


Choices and Comprises

Overhead

Cost

Data

Gra

nula

rity

Data Accuracy

SNMP

Flow-based

Packet-based


Summary

• Flow records are NOT created equal

• OmniFlow analyzes packet headers AND payloads

• OmniFlow is NOT statistical - 100% accurate

• OmniFlow provides analysis for all network layers

• WatchPoint aggregates data from multiple OmniFlow data streams

• When OmniFlow data isn’t available, WatchPoint also aggregates both NetFlow and sFlow data for a comprehensive network monitoring solution


Company Overview


Corporate Background

• Experts in network monitoring, analysis, and troubleshooting

‒ Founded: 1990 / Headquarters: Walnut Creek, CA

‒ Offices throughout the US, EMEA, and APAC

• Our customers are leading edge organizations

‒ Mid-market, and enterprise lines of business

‒ Financial, manufacturing, ISPs, major federal agencies,

state and local governments, and universities

‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000

• Award-winning solutions that improve network performance

‒ Internet Telephony, Network Magazine, Network Computing Awards

‒ United States Patent 5,787,253 issued July 28, 1998 • Different approach to maintaining availability of network services


Real-World Deployments

Education

Health Care / Retail

Financial

Telecom

Government

Technology

http://www.fbiband.com/

http://www.dea.gov/


Product Line Overview


OmniPeek/Compass Enterprise Packet Capture, Decode and Analysis

• 10/100/1000 Ethernet, Wireless, WAN, 10G

• Portable capture and OmniEngine console

• VoIP analysis and call playback

Omnipliance / TimeLine Distributed Enterprise Network Forensics

• Packet capture and real-time analysis

• Stream-to-disk for forensics analysis

• Integrated OmniAdapter network analysis cards

WatchPoint Centralized Enterprise Network Monitoring Appliance

• Aggregation and graphical display of network data

• WildPackets OmniEngines

• NetFlow and sFlow

Product Line Overview


OmniPeek Network Analyzer

• OmniEngine Manager

– Connect and configure distributed OmniEngines/Omnipliances

• Comprehensive dashboards present network traffic in real-time

– Vital statistics and graphs display trends on network and application

performance

– Visual peer-map shows conversations and protocols

– Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

– Packet and Payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7

– Easily create filters, triggers, scripting, advanced alarms and alerts


Omnipliance Network Recorders

• Captures and analyzes all network traffic 24x7

– Runs our OmniEngine software probe

– Generates vital statistics on network and application performance

– Intuitive root-cause analysis of performance bottlenecks

• Expert analysis speeds problem resolution

– Fault analysis, statistical analysis, and independent notification

• Multiple Issue Digital Forensics

– Real-time and post capture data mining for compliance and troubleshooting

• Intelligent data transport

– Network data analyzed locally

– Detailed analysis passed to OmniPeek on demand

– Summary statistics sent to WatchPoint for long term trending and reporting

– Efficient use of network bandwidth

• User-Extensible Platform

– Plug-in architecture and SDK


Omnipliance Network Recorders Price/performance solutions for every application

Portable Edge Core

Ruggedized

Troubleshooting

Small Networks

Remote Offices

Datacenter Workhorse

Easily Expandable

Aluminum chassis / 17” LCD 1U rack mountable chassis 3U rack mountable chassis

Quad-Core Xeon 2.5GHz Quad-Core Intel Xeon

X3460 2.80Ghz

Two Quad-Core Intel Xeon

E5530 2.4Ghz

4GB RAM 4GB RAM 6GB RAM

2 PCI-E Slots 2 PCI-E Slots 4 PCI-E Slots

2 Built-in Ethernet Ports 2 Built-in Ethernet Ports 2 Built-in Ethernet Ports

500GB and 2.5TB SATA

storage capacity

1TB SATA storage capacity 2TB SATA storage capacity


TimeLine

• Fastest network recording and real-time statistical

display — simultaneously ‒ 11.7Gbps sustained capture with zero packet loss

‒ Network statistics display in TimeLine visualization format

• Rapid, intuitive forensics search and retrieval ‒ Historical network traffic analysis and quick data rewinding

‒ Several pre-defined forensics search templates making

searches easy and fast

• A natural extension to the WildPackets product line

• Turnkey bundled solution ‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect


TimeLine For the most demanding network analysis tasks

TimeLine

10g Network Forensics

3U rack mountable chassis

Two Quad-Core Intel Xeon 5560 2.8Ghz

18GB RAM

4 PCI-E Slots

2 Built-in Ethernet Ports

8/16/32TB SATA storage capacity


WatchPoint Centralized Monitoring for Distributed Enterprise Networks

• High-level, aggregated

view of all network

segments

– Monitor per campus, per

region, per country

• Wide range of network

data

– NetFlow, sFlow, OmniFlow

• Web-based, customizable

network dashboards

• Flexible detailed reports

• Omnipliances must be

configured for continuous

capture


WildPackets Key Differentiators

• Visual Expert Intelligence with Intuitive Drill-down

– Let computer do the hard work, and return results, real-time

– Packet / Payload Visualizers are faster than packet-per-packet diagnostics

– Experts and analytics can be memorized and automated

• Automated Capture Analytics

– Filters, triggers, scripting and advanced alarming system combine to provide

automated network problem detection 24x7

• Multiple Issue Network Forensics

– Can be tracked by one or more people simultaneously

– Real-time or post capture

• User-Extensible Platform

– Plug-in architecture and SDK

• Aggregated Network Views and Reporting

– NetFlow, sFlow, and OmniFlow


Q&A

Show us your tweets! Use today’s webinar hashtag:

#wp_visibility with any questions, comments, or feedback.

Follow us @wildpackets

Follow us on SlideShare! Check out today’s slides on SlideShare

www.slideshare.net/wildpackets


Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200