The Truth About “Line-Rate” in Network Analysis

They say the truth shall set you free…

There is a common misconception lingering in the networking world. Even though several protocol analysis and troubleshooting solutions claim “line-rate” analysis, the actual network throughput that can be effectively analyzed varies greatly and is highly dependent on a number of factors. One of the most important factors is whether the analysis is expected to be real-time or will be performed entirely post-capture. Real-time analysis is extremely demanding, so much so that “real-time” and “line-rate” should not even be used in the same sentence. The only condition under which line-rate can even be considered is when data is being collected for post-capture analysis, often referred to as forensics analysis. In this scenario all network packets are written directly to disk. The most capable network analysis and troubleshooting solutions available today have a data capture rate of somewhere in the range of 4 – 6 Gbps. Even though these solutions claim 10G “line-rate” captures on fully utilized, half-duplex 10Gigabit links, they begin to lose packets if pushed beyond 4 – 6 Gbps, obviously far short of a fully utilized rate of 10Gbps. A solution that could capture at that high rate and not drop any packets would be beyond the state-of-the-art!

The fact is that today’s networks are actually faster than the available network analysis and troubleshooting solutions, resulting in greatly diminished network visibility. This is significant to network administrators because the 10G technology enterprises are actively deploying can be difficult to troubleshoot, and until now, no vendor has been able to capture at the half-duplex line-rate without packet loss. However, achieving both real-time visibility and historical network traffic storage for post-incident analysis is possible in 10G environments – you just have to add clarity to your analysis by being specific and a bit more selective.

Three tips for being more selective when analyzing 10G Ethernet traffic:

1. Understand the network and the data you need to collect

Do not blindly move forward and perform analysis without knowing what data matters most to your organization. It’s important to know exactly what you want to capture and what information is going to be beneficial for your analysis. Your requirements will likely vary between network segments, and you are likely going to have to capture data at several locations. The key is to use post-capture analysis and only save the data to disk in real-time. Trying to capture and analyze simultaneously, in real-time, on highly utilized network segments puts too much strain on the system.

2. Capture only what you need

There is a great temptation to try to capture and analyze everything because enterprises fear that the source of the problem is not immediately known. When it comes to 10G Ethernet traffic, analyzing every bit of data is nearly impossible due to the volume of data. However, if you know your network well enough, certain conditions can be immediately ruled out. By using these clues to limit the collection and analysis to only what is necessary, you can dramatically improve network analysis performance.

3. Limits are everything

Even after analysis has been streamlined to only essential areas of the network, data capture for network analysis on 10G networks generates a great deal of data quickly, and managing the data becomes a significant challenge. The data is typically stored for subsequent retrieval and post-capture analysis. The two most common formats are standard packet files and databases. In either case, two metrics to manage closely are file size and frequency of disk writes. If the files are too large they will be unworkable on the computer being used for analysis. Smaller files lead to more frequent disk writes, and this can rob the system of resources for performing the actual packet capture. Optimum performance is achieved with a balance of these two demands, and this is different depending on the hardware resources available. After a few captures, you can determine if either of these parameters can be better optimized for your system.
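
An added illustration of tips 2 and 3, not code from the original article or from any capture product: a small Python pcap writer that filters and truncates frames before saving them, rotates files at a size cap, and counts the resulting disk writes. The class name, file naming, filter predicate, and traffic are constructed for the example.

```python
import os
import struct
import tempfile

GLOBAL_HDR = struct.Struct("<IHHiIII")  # magic, version 2.4, tz, sigfigs, snaplen, linktype
RECORD_HDR = struct.Struct("<IIII")     # ts_sec, ts_usec, captured length, original length

class RotatingPcapWriter:
    def __init__(self, directory, keep, snaplen, max_file_bytes, buf_bytes):
        self.directory, self.keep, self.snaplen = directory, keep, snaplen
        self.max_file_bytes, self.buf_bytes = max_file_bytes, buf_bytes
        self.files = self.disk_writes = self.filtered_out = self.file_bytes = 0
        self.fh, self.buf = None, bytearray()

    def flush(self, close=False):
        if self.fh is not None and self.buf:
            self.fh.write(self.buf)          # unbuffered handle: one write per flush
            self.disk_writes += 1
            self.buf.clear()
        if close and self.fh is not None:
            self.fh.close()
            self.fh = None

    def _rotate(self):
        self.flush(close=True)               # finish the previous file, if any
        self.fh = open(os.path.join(self.directory, f"capture-{self.files:05d}.pcap"), "wb", buffering=0)
        self.buf += GLOBAL_HDR.pack(0xA1B2C3D4, 2, 4, 0, 0, self.snaplen, 1)
        self.files, self.file_bytes = self.files + 1, len(self.buf)

    def write(self, ts, frame):
        if not self.keep(frame):             # tip 2: drop what the analysis does not need
            self.filtered_out += 1
            return
        data = frame[: self.snaplen]         # store headers only, not the full payload
        rec = RECORD_HDR.pack(int(ts), int(ts % 1 * 1e6), len(data), len(frame)) + data
        if self.fh is None or self.file_bytes + len(rec) > self.max_file_bytes:
            self._rotate()                   # tip 3: cap the size of each file
        self.buf += rec
        self.file_bytes += len(rec)
        if len(self.buf) >= self.buf_bytes:
            self.flush()

def run(max_file_bytes, buf_bytes, n=2000):
    with tempfile.TemporaryDirectory() as d:
        w = RotatingPcapWriter(d, lambda f: f[0] == 0, 96, max_file_bytes, buf_bytes)
        for i in range(n):  # constructed traffic: 1000-byte frames, byte 0 is a class tag
            w.write(i * 1e-6, bytes([i % 4]) + bytes(999))
        w.flush(close=True)
        return w.files, w.disk_writes, w.filtered_out, sum(e.stat().st_size for e in os.scandir(d))
```

On the same constructed traffic, `run(32768, 8192)` produces 2 files with 7 disk writes, while `run(2048, 8192)` produces 28 files with 28 disk writes. In both cases, filtering and truncation reduce 2,000 frames of 1,000 bytes each to roughly 56 KB on disk.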

Until a solution is developed that doesn’t just claim “line-rate” analysis but actually allows packets to be written to disk without data loss, these tips are helpful for keeping an organization up to speed with 10G traffic. In the end, paying careful attention to detail when configuring network management systems will reward you with the analysis and troubleshooting results you desire.
