By Nathan Bragaw
Everyone’s heard from IT at some point: “I can’t recreate the problem, let me know if it happens again.”
Network engineers have always had tools like packet sniffers, so they could go and put devices on the network, and begin capturing statistics about what’s going on in the network.
But one of the main problems with using these tools to diagnose problems is that you spend a lot of time waiting instead of working. The end user typically calls the help desk, and if they validate it as a network issue, the network engineers take the sniffer out, plug it in and start to watch the traffic, waiting until the problem presents itself again.
That’s not only extremely annoying for end users, it’s also extremely expensive for IT organizations. You don’t spend your time in analysis and optimization or error correction; instead you spend it just waiting for the error to repeat itself.
NetQoS launched the GigaStor product at the end of last year. It is an appliance that can capture and store network traffic. The key is the ‘and store’. Most protocol analyzers will monitor network traffic and keep statistics for tracking and reporting. Most also include the ability to launch a packet capture when told to do so. With GigaStor, the traffic is continuously stored so that when a network engineer needs to troubleshoot an issue the packets are there for inspection. No more waiting to recreate the problem.
This type of analysis is often referred to as “Retrospective Network Analysis” (RNA for short). By capturing everything to disk, when network engineers hear about the problem, they can essentially go back in time and replay the packet stream from that time and perform normal network analysis but do it after the fact – or “retrospectively.”
RNA allows you to solve problems faster by eliminating problem recreation and reducing the mean time to repair. From talking to our customers, removing problem recreation from the troubleshooting process is huge.
It also reduces risk. In IT, as soon as you start making changes in your network environment – whatever kind of changes they are - that’s when the network is most likely to get disrupted. So, instead of waiting for disruption to occur, you can begin monitoring and keep a catalogue of what the network was like before and after the change. If problems present themselves you will have the ability to see changes at the packet level from when the change was implemented.
And there are other side benefits to RNA with GigaStor – sometimes minor things but still very important in industry specific areas. For example, in order to comply with the Freedom of Information Act, government entities have to archive IM chats, and it’s very difficult to do that. If you operate your own IM server, suddenly you’ve got a ton of security risks. However, with a device like GigaStor, you could write a filter, and if the traffic goes through that link, you can capture the IM conversations – and only the IM conversations – and write that to disk and eventually to tape archive.
GigaStor allows you to do web page reconstruction – network engineers and analysts see a web page exactly how the end user saw it, looking at the error directly instead of relying on the end user to provide a useful and accurate translation.
It also helps with keeping track of communications. You can “play back” lost e-mails, and if you have VoIP, voice calls can be replayed without tapping into the phone system.
In designing an RNA system, there are a number of elements to consider.
First, you’ve got to capture the data coming off the wire, and you have to be able to do it at line speed even when network traffic is bursting, otherwise you end up dropping packets. GigaStor allows you to monitor up to 8 ports (4 full duplex links). The flexibility of the solution means that you can monitor WAN links, Gbps span ports, or fibre channel traffic all with the same appliance.
Second, your disk write speed must be able to keep up with the traffic you are capturing off of the wire. Being able to capture the traffic doesn’t help if you lose the packets before you get them written to disk. Monitoring 8 Gbps span ports that each average 37% utilization means that you have to be able to write at 370 MB/sec or you will not be able to keep up. With GigaStor, you would be able to do this.
Third, the amount of storage you have determines how long you can keep data. You’re either using internal disks or you’re writing it to a SAN someplace. And the amount of traffic that goes through a network is just massive. What starts out as “I’m going to keep months and months of data” often becomes: “I’m going to keep a few days of data and archive the rest.”
And finally, there’s the capture buffer – if you start capturing off the wire faster than you can write to disk (think burstiness), your choices are to buffer the data, or to drop packets. And while you’re likely to be able to write faster than your average load – it’s the atypical loads – bursts of traffic – that present problems. In a high speed environment, that may only be a few seconds, but many times with traffic bursts, a few seconds may be all you need to buffer for. Besides, when traffic bursts, that’s usually a sign that something went wrong and for that reason, capturing that particular traffic is very important.
All these components determine exactly how retrospective you can be in your analysis.
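The four elements above can be put into numbers before buying hardware. The sketch below is an added example, not NetQoS code: it reproduces the 370 MB/sec figure (reading "8 Gbps span ports" as eight 1 Gbps ports), derives retention from storage size, and replays a per-second traffic profile to show when a burst overflows the capture buffer. The disk rate, storage size, buffer sizes and burst profile are constructed values, and units are decimal (1 MB = 10^6 bytes).

```python
from dataclasses import dataclass

@dataclass
class CaptureSizing:
    ports: int               # monitored ports
    port_gbps: float         # line rate per port, Gbit/s
    avg_utilization: float   # average utilization per port, 0..1
    disk_write_mbps: float   # sustained disk write rate, MB/s (assumed)
    storage_tb: float        # capture store size, TB (assumed)
    buffer_mb: float         # capture buffer size, MB (assumed)

    def avg_ingest_mbps(self) -> float:
        # Gbit/s -> MB/s is a factor of 1000 / 8
        return self.ports * self.port_gbps * self.avg_utilization * 1000 / 8

    def retention_hours(self) -> float:
        # How far back the store reaches at the average ingest rate
        seconds = self.storage_tb * 1_000_000 / self.avg_ingest_mbps()
        return seconds / 3600

    def simulate(self, ingest_per_sec):
        """Replay a per-second ingest profile (MB/s).

        Returns (peak_buffer_mb, dropped_mb): the buffer fills whenever
        ingest exceeds the disk write rate, and anything beyond its
        capacity is lost packets.
        """
        level = peak = dropped = 0.0
        for ingest in ingest_per_sec:
            level = max(level + ingest - self.disk_write_mbps, 0.0)
            if level > self.buffer_mb:
                dropped += level - self.buffer_mb
                level = self.buffer_mb
            peak = max(peak, level)
        return peak, dropped

# Constructed profile: steady 370 MB/s with a 5-second burst at full line
# rate on all eight ports (8 x 1 Gbit/s = 1000 MB/s).
PROFILE = [370.0] * 10 + [1000.0] * 5 + [370.0] * 10

if __name__ == "__main__":
    for buf in (2000.0, 4000.0):
        s = CaptureSizing(8, 1.0, 0.37, 500.0, 16.0, buf)
        peak, dropped = s.simulate(PROFILE)
        print(f"buffer={buf:.0f} MB ingest={s.avg_ingest_mbps():.0f} MB/s "
              f"retention={s.retention_hours():.1f} h "
              f"peak={peak:.0f} MB dropped={dropped:.0f} MB")
```

With these constructed figures the disk comfortably outruns the average load, yet the smaller buffer still loses 500 MB during the burst, which is the traffic an analyst is most likely to need.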
GigaStor customers have told us that they selected the product because they discovered the importance of all four of these RNA elements – it doesn’t matter how much disk space you have if you can’t read it off the wire fast enough, or if you have too small a buffer to handle peak loads resulting in loss of critical data for analysis.
Nathan Bragaw is a Business Development Manager at NetQoS
