Download pdf - Monitoring and Managing Network Application Performance

www.wildpackets.com © WildPackets, Inc.

The Importance of

Protocol Analyzers

in Today's Networks

Jim Thor – WP Professional Services

WildPackets, Inc.

www.WildPackets.com

(925) 937-3200

© WildPackets, Inc. The Importance of Protocol Analysis

• We used to use Protocol Analyzers for Break/Fix ‒ Meaning we would try to fix the problem every other way before

getting the protocol analyzer out of the cabinet and trying to

figure out how to use it.

• Protocol Analyzers were mostly text based decoders ‒ Good for bit level analysis, but very hard to use when looking for

the needle in the haystack.

• You had to physically be where you wanted to

capture the packets ‒ No such thing back then as remote or distributed analysis

The Early Days of Protocol Analysis

2


Times Have Changed!

• Those shortcomings of early analyzers are gone ‒ Many of today’s analyzers are Graphical, Distributed and Historical

• Networks are larger and faster than ever before ‒ Getting to 40Gbps now and soon to 100Gbps

• Systems are faster and integrated into daily life ‒ There was a day when a computer was a ‘nice to have’.

‒ Most everyone now has a computer in their pocket, and uses it for

daily tasks and communications.

• Today’s networks are the life blood of businesses ‒ Without a well run network, your business may die!

3


Is There a Doctor in the House?

© WildPackets, Inc.

How’s Your Network's Health?

The Importance of Protocol Analysis

• We have doctors to keep us healthy ‒ Businesses have Network Administrators and Engineers

• But a doctor has to have tools ‒ He has his 5 senses and he is very well educated!

‒ His knowledge alone does not make for a good doctor! He has

to be smart and have experience as well.

• You better hope your doctor has the right tools ‒ Simple tools he could have stethoscope, a thermometer, a reflex

hammer, etc

‒ These would be akin to network tools like ping, traceroute,

and logs

5


It’s All in the Details!


• Flow based reporting is nice… ‒ Flow information is a good start, but generally not good for

understanding the details. It’s way too generic and high level.

• Sometimes, you have to have the details, Period. ‒ But not always. There are a lot of available tools. The right tool

depends on the question.

• What is the question you are trying to answer? ‒ ‘Proof is in the Details’. With the details, you can answer

almost ANY question.

‒ Generally, every question from overall utilization to what bit is

set in a packet, can all be answered with a protocol analyzer.

6


The Right Tools Matter!


• The tool should not impact the Network!

• Simple tools are helpful and useful even today ‒ Simple tools like ping, tracert, etc., are still necessary and helpful

• More advanced tools are necessary ‒ Netflow, S-Flow, and SNMP are helpful, but often leave too

many questions unanswered

• With the right tools, there is NO need to guess! ‒ Detail oriented tools (packet analysis) give the answers down to

the bit level

‒ These tools can also answer questions ‘back in time’ using

Network Forensics features 7


Network Forensics


• Knowing what is happening on the network now ‒ Real time information is always important on any network

• Often, it is important to go ‘Back in Time’ ‒ Security breaches happen before you know about them

‒ Replicating an issue is often not possible

‒ Why wait for an intermittent issue? Go ‘Back’ and see it!

• Network Forensics features allow you to go back and

find the packets from the past ‒ It may be that a server was hacked. Who did it, when, and what

else did they do or what systems did they access!

‒ Also allows for Comparative Analysis, which makes the task of

protocol analysis much easier and more accurate

8


The Important Features

of a Good Protocol Analyzer


The Necessary Features

Depend on Your Needs!


• Most important is Ease of Use! ‒ Protocol Analysis can be hard. Having an analyzer that is hard to

use adds unnecessary burden and time to the analysts tasks

• Distributed and Local Capture capabilities

‒ Protocol Analysis is only accurate where you are capturing, so

you usually want to capture at multiple locations to understand

what is happening across the network at various locations

• Software and Hardware Solutions

‒ Since you want to have as many capture points as possible,

having a cost effective solution for deploying at the distribution

and access switches is extremely important

10


• Speeds and Feeds. ‒ Also make sure the devices are capable of captures on multiple

interfaces simultaneously, and aggregating if necessary

• Forensics ‒ Do you need the ability to ‘Go Back in Time?” Most people do.

• Wireless ‒ Do you have any 802.11 networks? If so, make sure the analyzer you

choose supports WLAN captures.

• VoIP ‒ If you have a VoIP environment, or are planning on having one soon,

make sure to choose an analyzer that supports those needs.

Additional Items to Consider

11


How We Have Helped


• Saved lives! ‒ Yes, the results and analysis of 802.11 Wi-Fi traffic in a hospital found

the source of interference that was causing device outages

• Stopped hackers! ‒ The ongoing long term capture in a software company found the source

of the attach, and exactly which systems were compromised

• Made networks faster! ‒ Many examples of fixing network issues that were causing poor

performance. Fixing the issues made the networks much faster.

• Proved it wasn’t the network! ‒ Application vs. Network, we prove constantly who the true culprit is!

• Made the network users more productive! ‒ By fixing network, application and systems issues, all users are more

productive, including network, system, and application administrators!

12


The Feature Presentation


Focusing Blame or Fixing the Issue?


• Now that we know more about protocol analyzers, let’s look at a

common problem

‒ Who is to blame?

• The performance is bad, so…


• The Users are complaining…


• More importantly, where do we focus to find the issue, and fix it!

‒ Stop the Blame Game!

Let’s then now focus on solving this issue and

not focusing the blame!

14

www.wildpackets.com © WildPackets, Inc. © WildPackets, Inc.


The Weigh In Create a baseline…

• Not just, “How much bandwidth am I consuming on

my network or segment?”

• Also, “How much is the X Application consuming?” ‒ What users connect to it?

‒ What outbound connections does the app do?

‒ With what ports? With what nodes? What times? How often?

• It’s impossible to predict the winner if you don’t

know your network and applications…

… and understand their behaviors.

The Importance of Protocol Analysis 16


Scoring the FIGHT What to look for…

• Primary events are anything related to “Slow” ‒ Depending on what events we see, we will know who is at fault

• Application events: ‒ HTTP slow response time

‒ Oracle slow response time

‒ Inefficient client

• Network events: ‒ TCP SLOW segment recovery

‒ Slow retransmissions

‒ Slow acknowledgements

‒ Low throughput


Let the Expert Analysis help be the referee


Did Someone Say, "TKO"? Get Proof…


Network may be at fault

System or Application is at fault


Who Won? The Network?

This shows that there are some slow acknowledgements that could be

network related… but keep in mind factors like distance


Let’s keep looking…


Or is it the System or Application?

This shows slow responses that are system or application related

Let’s go round by round…



Follow Events to See Who is Involved Use the JAB

right-click option and ‘Select Related Packets’ on the event



Get the Flows, Not Just Those Packets


Here we would click on ‘Close’, keeping our 113 packets highlighted!


Do the Winning Combo… ‘Select Related’ We can UPPERCUT (right-click)

on any highlighted packet and do a ‘Select Related’, then ‘By Flow’



All the Packets – All the Flows

We have selected every packet, in every flow, with the expert event of interest



Tale of the Tape "Scoring the Fight"

When we select

‘Slow Server

Response Time’,

two sessions to the

same server are

highlighted.

This looks like a

system or

application issue –

not the network.

But we need proof!



Visual Expert is the Proof! Here is the proof we were looking for!

Two requests for data, two quick TCP Acks, but then a long delay

before the server sent us the data we requested.


Payload

Length = 0

Payload

Length = 1260

Requests

and Acks

Then the Data

gets returned

much later


A Closer Look Looking more granular at the timing, we see that the ACK came

back in 70ms, but the data didn’t get sent back for another 854ms!


ACK fast =

Network fast

Data slow =

System slow


Tune the Expert for your network


Make these times relevant

for your network or the

task at hand!

And use the Import

and Export features

to quickly switch

when necessary


And the winner is…

You!

What we covered…

• Determining whether the application, system, or

network is at fault using TCP

• Tapping the power of ‘Select Related’ using flows to

troubleshoot root causes

• Eliminating false positives by tuning Expert Events



What’s in your network?

• Manage proactively or by exception

‒ Determine top talkers, nodes, and protocols

‒ Receive early warnings of performance problems anywhere in the network and

then quickly drill down for expert analysis

‒ No need to reproduce issues, simply “replay the tape” (network forensics)

• Monitor the entire network

‒ Identify issues and optimize VoIP and Video quality of service

‒ Measure quality of services applications are delivering to end users

‒ Evaluate network utilization for capacity planning and upgrades

• Optimize and secure your Wireless infrastructure

‒ Identify and fill security holes such has weak encryption or rogue access points

‒ Determine gaps in service across access points

• Extend the capabilities for custom applications

‒ Develop plug-ins to integrate with proprietary equipment

‒ Build decodes for proprietary protocols



About WildPackets


Corporate Overview

• Our Company

‒ Founded: 1990

‒ Headquarters: Walnut Creek, CA

‒ Offices throughout US, EMEA, APAC

• Our Customers

‒ Thousands of active mid-market and enterprise customers

‒ 60+ countries / 80% of Fortune 1,000

‒ Financial, government, education, health care, telecom

• Our Products

‒ Patented, awarding-winning hardware and software solutions

that optimize network performance and eliminate downtime


Pioneer and global leader in network and application

performance monitoring, management, and analysis.


Real-World Deployments

Education

Health Care / Retail

Financial

Telecom

Government

Technology


http://www.fbiband.com/

http://www.dea.gov/


OmniPeek Network Analyzer

• Standalone Analysis and Remote Analysis UI

‒ Can be used as a portable analyzer, or standalone

‒ Can also connect and configure distributed OmniEngines/Omnipliances

• Comprehensive dashboards present network traffic in real-time

‒ Vital statistics and graphs display trends on network and application

performance

‒ Visual peer-map shows conversations and protocols

‒ Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

‒ Packet and Payload visualizers provide business-centric views

• Automated analytics and problem detection 24/7

‒ Easily create filters, triggers, scripting, advanced alarms and alerts


© WildPackets, Inc. The Importance of Protocol Analysis 35


Omnipliance Network Recorders

• Captures and analyzes all network traffic at the source 24x7

‒ Runs our OmniEngine intelligent probe software

‒ Generates vital statistics on network and application performance

‒ Intuitive root-cause analysis of performance bottlenecks

• Intelligent data transport

‒ Network data analyzed locally

‒ Detailed analysis passed to OmniPeek on demand

‒ Summary statistics sent to WatchPoint for long term trending and reporting

‒ Efficient use of network bandwidth

• Expert analysis speeds problem resolution

‒ Fault analysis, statistical analysis, and independent notification

• Multiple Issue Digital Forensics

‒ Real-time and post capture data mining for compliance and troubleshooting



Unprecedented Network Visibility

ROOT-CAUSE ANALYSIS

OmniPeek network analyzer performs deep packet inspection

and can reconstruct all network activity, including e-mail and

IM, as well as analyze VoIP and video traffic quality.

PINPOINT NETWORK ISSUES ANYWHERE

Omnipliance Portable can rapidly identify and troubleshoot

issues before they become major problems—wired or

wireless—down the hall or across the globe.

UNDERSTAND END-USER PERFORMANCE TimeLine and Omnipliance network recorders monitor

and analyze performance across critical network

segments, virtual environments, and remote sites.

NETWORK HEALTH

WatchPoint can manage and report on key

devices’ performance and availability across

the entire network, from anywhere on the network.

GLOBAL

DISTRIBUTED

PORTABLE

DPI



WildPackets Product Lines

Software and Hardware Solutions for

Portable and Distributed

Network Monitoring and Analysis


Product Offerings Software and Turnkey Appliances

• Enterprise Monitoring and Reporting

‒ WatchPoint Server

‒ OmniFlow, NetFlow, SNMP, and sFlow Collectors

• Network Probes & Recorders

‒ Omnipliance Network Recorders – Edge, Core

‒ TimeLine Network Recorder

‒ OmniAdapter Analysis Cards

• Portable Hardware Solutions

‒ Omnipliance Portable

• Windows based Software Solutions

‒ OmniPeek software – Enterprise, Professional, Basic, Connect

‒ OmniEngine software – Enterprise, Desktop, OmniVirtual



Omnipliance Network Recorders Price/performance solutions for every application

Portable Edge Core TimeLine Ruggedized

Troubleshooting

Small Networks /

Remote Offices

Regional Offices /

Small Datacenter

Datacenter

Workhorse

Chassis 1U 3U 3U

Memory 24GB 4 GB 6 GB 18 GB

Expansion 2 PCI-E 2 PCI-E 4 PCI-E 4 PCI-E

Storage 6 TB 1 TB 8 TB / 16 TB 8 TB / 16 TB / 32 TB

Max. CTD 4.5Gbps 1Gbps 3.8Gbps 11+Gbps



Comprehensive Support and Services

Standard Support

Maintenance and upgrades

Telephone and email contacts

Knowledgebase

MyPeek Portal

Premier Support

24 x 7 x 365

Dedicated escalation manager

2 customer contacts per site

Plug-in reconfiguration assistance

WildPackets Training Academy

Public, web-based, and on-site classes

Complete curriculum: Technology and product focused

Practical applications and labs covering network analysis,

wireless, VoIP monitoring and advanced troubleshooting

Consulting and Custom Development Services

Deployment, configuration, and assessment engagement

Systems integration and testing

Application integration, driver, decode, interface development



Key Differentiators

• High-level network monitoring to root-cause analysis

• Single solution for today’s converged networks ‒ Wired, Wireless, 1GB, 10GB, VoIP, Video, TelePresence, IPTV

• Reduce and even eliminate network downtime ‒ Automated monitoring 24x7

‒ Speedy resolution of network bottlenecks

• Improve network and application performance

• Uniquely extensible platform – tailored to your needs ‒ Plug-ins and APIs for integration and customization

• Fastest capture to disk performance in the industry



Thank You!

& Questions…

WildPackets, Inc.

www.WildPackets.com

(925) 937-3200

Check out MyPeek! @ mypeek.wildpackets.com

Follow us on SlideShare! Check out today’s slides on SlideShare

www.slideshare.net/wildpackets