Easy Steps to Analyze Behavior of Network Users with Compass Live

Latency is one of the most common network performance problems, and user activity is a frequent cause. At WildPackets, we created Compass Live, which gives you a top-level view of the network, to help you determine whether a user or group of users is causing the network pain.

If you are using Compass Live or interested in giving it a test run, check out our quick tips below on how to determine latency through user behavior.

Determining Latency with Top Talker View
With the growing popularity of voice and video over IP, latency is a common network issue that can be difficult to diagnose. Finding the right information can be daunting without the right tools, but Compass Live lets you interactively drill down into the network users’ activities to find out when and where the issue occurred. If your network is consistently experiencing high instances of latency, finding out which users were accessing the network at those times and what they were doing may give you the insight needed to solve the problem.

From the Compass Live dashboard you can see a high-level view of the top users on your network in real time and capture the data in Bits, Bytes, Mbits, Gbits, Packets, or signal strength. To drill down into a particular user, select an entry from the “Top Nodes” graph to see its unique statistics. Choose the filter option to see the specific protocols in real time or for a particular period in network history.

Is the User's Behavior the Problem?
Compass Live offers the option to graph and report on users' behavior, showing what was happening on your wired and wireless networks at any period of time. Users rely on the network for business-critical tasks, but their behavior can impact the overall performance as well. A user who is complaining about slow network response may also be the same user who is downloading a large file via BitTorrent, which creates lots of peer-to-peer connections and has historically caused slow network response by overwhelming the upstream bandwidth. Compass Live can help you focus on these users to see what they’re doing.

After you have opened a packet capture file, use the Top Nodes or Top Protocols window to select the basis for your filter. In the example of a user complaining about slow network response, select just that user. Next, at the bottom of the page, click the binoculars icon to apply that filter. If you have only selected a single user, the view excludes all other traffic, showing only what that user has been doing. Now you can find out if your users are causing their own problems, and problems for other users too!

From here, there are additional options to help you track down what’s happening. If the information from the filter shows that the users aren’t to blame, simply right-click the main graph and select “Undo Last Filter” to return to the previous view. However, if there’s significant traffic, or lots of protocols, you can select additional nodes or protocols and apply those filters for iterative drill-down. If you find the “smoking gun” proving that the user's behavior has been causing problems, you can save the filtered packets to an OmniPeek packet file by clicking the blue floppy disk icon on the top bar. Additionally, you can demonstrate the problem to others by clicking the “Save Report” icon, which will create an HTML report of your visualization, suitable for inclusion in a document or slide for the post-mortem meeting.
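The drill-down described above can be reproduced on exported packet summaries. The following Python sketch is an added example, not Compass Live code: the record layout, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed packet summaries: (source, destination, protocol, bytes).
# None of these values come from a real capture.
PACKETS = [
    ("10.0.0.21", "203.0.113.10", "BitTorrent", 9000),
    ("10.0.0.21", "203.0.113.11", "BitTorrent", 8000),
    ("203.0.113.12", "10.0.0.21", "BitTorrent", 3000),
    ("10.0.0.21", "203.0.113.13", "BitTorrent", 7000),
    ("10.0.0.21", "198.51.100.7", "HTTP", 600),
    ("198.51.100.7", "10.0.0.21", "HTTP", 1400),
    ("10.0.0.34", "198.51.100.7", "HTTP", 500),
    ("198.51.100.7", "10.0.0.34", "HTTP", 2500),
    ("10.0.0.34", "10.0.0.1", "DNS", 80),
]

def top_nodes(packets, n=3):
    """Rank nodes by total bytes sent plus received (the Top Nodes view)."""
    totals = Counter()
    for src, dst, _proto, size in packets:
        totals[src] += size
        totals[dst] += size
    return totals.most_common(n)

def apply_filter(packets, node=None, protocol=None):
    """Keep only packets involving `node` and/or using `protocol`."""
    return [p for p in packets
            if (node is None or node in (p[0], p[1]))
            and (protocol is None or p[2] == protocol)]

def profile(packets, node):
    """Per-protocol bytes, upstream bytes and distinct peers for one node."""
    stats = defaultdict(lambda: {"bytes": 0, "upstream_bytes": 0, "peers": set()})
    for src, dst, proto, size in apply_filter(packets, node=node):
        entry = stats[proto]
        entry["bytes"] += size
        if src == node:
            entry["upstream_bytes"] += size
        entry["peers"].add(dst if src == node else src)
    return {p: {**e, "peers": len(e["peers"])} for p, e in stats.items()}

if __name__ == "__main__":
    print(top_nodes(PACKETS))
    for proto, row in profile(PACKETS, "10.0.0.21").items():
        print(proto, row)
```

A protocol with many distinct peers and a high upstream share, as BitTorrent shows for 10.0.0.21 in the sample data, is the pattern the text attributes to peer-to-peer downloads.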

Finding a Noisy Application
Any large enough organization will have internally-developed applications, which are often created by developers using high-level frameworks and toolkits for rapid development and deployment. While these applications help the business, they are occasionally deployed in ways the development team never intended. Compass Live is a great tool to debug how the application should be retuned for the new environment.

A few months ago, one of our customers received reports from a remote office that a core in-house application was slow. Using Compass Live, they were able to observe that a significant amount of the traffic across the WAN link was to/from the application server. That insight let the network analysts focus on those connections, and they discovered that the application was sending large amounts of data to each client for each transaction. The developers had found during testing that client-side filtering made the server run faster: if the server didn’t have to filter the data, it ran faster, and the application responded faster to users on a high-speed local LAN. However, the developers didn’t have a WAN link in their lab, so didn’t have a test case to show that client-side filtering would flood the slow link. Changing the application to server-side filtering slowed responses slightly for local LAN users, but greatly reduced the amount of data across the WAN, resulting in much faster response times for the remote office.

Compass Live is designed to be easy to use, focusing on intuitive visualizations for packet-level analysis. The differential visualizations make it quick to determine what nodes and protocols are causing congestion, greatly speeding the time it takes to figure out how to speed up the network.

How to Solve Mobile Users' Latency Issues
Compass Live is also able to assess performance issues faced by mobile users when capturing with a Wi-Fi adapter compatible with the WildPackets driver. With a single adapter, Compass Live allows for traditional walk-around troubleshooting: carry the laptop while capturing with Compass Live to get a real-time view of signal strength. If the signal goes down at a particular location, you now know that there are problems of either interference or signal strength. For additional troubleshooting detail, save the packets by clicking the blue floppy disk Save icon, and open the file with OmniPeek.

Enterprise-class Wi-Fi troubleshooting ranges from analyzing and aggregating files from multiple wireless channels to comparing signal strengths across APs. Compass Live can capture from multiple adapters at the same time, so insert 3 Wi-Fi adapters, set them to different channels, and perform true multi-channel aggregation. If a node abruptly changes signal strength, that generally correlates with wireless roaming between APs with the same ESSID. Given that nodes only roam between APs when they detect a problem, large amounts of wireless roaming are also a clear indication of a source of external noise or something similar causing Wi-Fi problems. More granular analysis (including roaming latency) is available in OmniPeek by saving the packets, but even on its own, Compass Live is an excellent and inexpensive tool for this kind of information gathering and portable diagnosis.
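The roaming heuristic above, applied to per-node signal samples, is sketched below as an added Python example that is not part of Compass Live or OmniPeek. The sample layout, the dBm units and both thresholds are assumptions, and the BSSID cross-check goes beyond the signal-only rule in the text.

```python
from collections import defaultdict

JUMP_DB = 15    # assumption: change between consecutive samples treated as abrupt
ROAM_LIMIT = 3  # assumption: roams per capture treated as "large amounts"

# Constructed samples: (seconds, node, BSSID seen in the frame, signal in dBm).
SAMPLES = [
    (0, "laptop-a", "ap-1", -48), (10, "laptop-a", "ap-1", -50),
    (20, "laptop-a", "ap-2", -71), (30, "laptop-a", "ap-2", -69),
    (0, "phone-b", "ap-1", -60), (10, "phone-b", "ap-2", -78),
    (20, "phone-b", "ap-1", -58), (30, "phone-b", "ap-2", -80),
    (40, "phone-b", "ap-2", -79),
    (0, "printer-c", "ap-1", -55), (10, "printer-c", "ap-1", -75),
]

def abrupt_changes(samples, jump_db=JUMP_DB):
    """Return {node: [(time, delta_db, old_bssid, new_bssid), ...]}."""
    series = defaultdict(list)
    for t, node, bssid, dbm in sorted(samples):
        series[node].append((t, bssid, dbm))
    events = defaultdict(list)
    for node, points in series.items():
        # Compare each sample with the one before it for the same node.
        for (_, b0, s0), (t1, b1, s1) in zip(points, points[1:]):
            if abs(s1 - s0) >= jump_db:
                events[node].append((t1, s1 - s0, b0, b1))
    return dict(events)

def classify(samples, roam_limit=ROAM_LIMIT):
    """Label every node seen in the capture by its roaming behaviour."""
    events = abrupt_changes(samples)
    verdicts = {}
    for node in {s[1] for s in samples}:
        jumps = events.get(node, [])
        roams = [e for e in jumps if e[2] != e[3]]  # jump plus a new BSSID
        if len(roams) >= roam_limit:
            verdicts[node] = "excessive roaming"
        elif roams:
            verdicts[node] = "roamed"
        elif jumps:
            verdicts[node] = "signal change, same AP"
        else:
            verdicts[node] = "stable"
    return verdicts

if __name__ == "__main__":
    for node, verdict in sorted(classify(SAMPLES).items()):
        print(node, verdict)
```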

Getting More Visibility Across the Network
Compass Live can perform aggregation on wired interfaces, just as it can with wireless. To get increased visibility across the network, install multiple NICs into a server running Compass Live, with each NIC on a different VLAN or segment. Compass Live gathers its information in a completely passive manner, so it’s even possible to connect it to multiple span or mirrored ports and monitor critical and core traffic.

As a network administrator, it is necessary to be able to see network activity at a high-level view before diving into the specifics. Compass Live provides the ability to aggregate traffic from multiple segments, both wired and wireless, for real-time latency troubleshooting to help you find where the problems are stemming from, whether latency, application, or user.
