Recently in Network Analysis Category

Top 10 OmniPeek Plug-ins

By WildPackets on March 9, 2010 3:40 PM | No Comments | No TrackBacks

The OmniPeek Plug-ins are flying off the shelves.  And they should, since they are free to customers with maintenance.   There are over 40+ plug-ins available on MyPeek.   Some are more popular than others.   To help you decide which ones to try first, we have taken a look at the stats, and have come up with the top 10 most downloaded plug-ins.


top_10_omnipeek_plugins-1.png

Google Map Plug-in!

The Google Map Plug-in displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets. This feature is a great way to monitor your Web site at a high level and to see in real time where in the world those hits are coming from.

 

Read more...



top_10_omnipeek_plugins-2.png

The Instant Messenger Plugin

This plugin displays conversations for the AIM, MSN, and Yahoo protocols in real-time, showing the screen names of the people chatting as well as the actual text.   Individual screen names can be selected, showing only the conversations for that screen name.

 

Read more...



top_10_omnipeek_plugins-3.png

Remote TCPDump Adapter

The Remote TCPDump Adapter for OmniPeek is a revolutionary new way to monitor network traffic remotely. With OmniPeek and the Remote TCPDump Adapter you can dramatically extend the reach of your network monitoring capabilities by turning virtually every Linux and Unix based machine on your network into a network probe, and you can do this without installing any new software on those remote machines.

 

Read more...




top_10_omnipeek_plugins-4.png

 SQLFilter Plug-in

The SQLFilter plug-in brings simple, powerful data mining to WildPackets' flagship network analyzers. The plug-in lets you perform Structured Query Language (SQL) searches across very large, user-defined sets of packet files from within OmniPeek.

 

Read more...


top_10_omnipeek_plugins-5.png

NetFlow Analyzer Plug-ins

The NetFlow Analyzer Plug-ins for the OmniPeek Console and OmniEngine collect NetFlow traffic and display NetFlow statistics in OmniPeek.

 

Read more...









top_10_omnipeek_plugins-6.png

Wireless Channel Aggregator

The WildPackets' Wireless Channel Aggregator captures wireless packets from multiple channels simultaneously (without scanning), measures vital statistics on each channel separately, and calculates the latency of devices roaming between access points.

Read more...


top_10_omnipeek_plugins-7.png

Regular Expression Filter Plug-in

The FilterMe Plug-in allows the user to create and maintain a list of regular expressions that can be used as filters during real-time capture and file windows.

 

Read more...


top_10_omnipeek_plugins-8.png

WatchMe Plug-in

The WatchMe and Browser Plug-ins displays web pages.   The WatchMe Plug-in follows links in real-time that network users are surfing to, while the Browser Plug-in reassembles packets back into web pages.

 

Read more...



top_10_omnipeek_plugins-9.png

FindMe Plug-in

The FindMe Plug-in adds a tab to the capture window that contains a list of text strings that are searched for each packet. As packets are being processed, the plug-in searches for each instance of each text entry in each packet and makes log entries when the text is found.

Read more...



top_10_omnipeek_plugins-10.png

Latency Monitor

The Latency Monitor measures network and application latency.   These are graphed together and can be easily compared to determine which one is the culprit.   Alarms can also be set to inform you if latency thresholds are exceeded.

 

Read more...

10 Cool Things You Can Do With OmniPeek

By WildPackets on February 10, 2010 10:12 AM | No Comments | No TrackBacks

By Joe Habib, WildPackets Director of Global Services


OmniPeek is the first protocol analyzer to offer both expert diagnostics and frame decoding in real time, during capture. WildPackets' OmniPeek has been carefully designed to help IT Professionals analyze and diagnose increasingly diverse volumes of network data, providing precise, contemporary analysis of the problems facing today's networks.

 


Here are ten cool things you can do today with OmniPeek!


10_cool_things_OmniPeek-1.png

Main window of OmniPeek, showing the Expert view


1. Capture and view packets


Though you can see global network statistics without capturing packets, for most analysis sessions you'll want to capture packets. One of OmniPeek's many strengths is in its flexibility. This is immediately apparent in the packet list display, where you can easily customize the display.

 

10_cool_things_OmniPeek-2.png

1.    Click the New Capture button on the Start Page, or pull down File...New from the menu bar. Click OK in the Capture Options Dialog, then click the Start Capture button.


2.    OmniPeek provides several ways to customize your view of traffic with a single click.


a. The auto scroll option (Ctrl-K) allows you to see packets as they come in, which is useful if you're looking for particular information in the Summary or Expert columns.

b. The Show Packet List, Show Decode View, and Show Hex View buttons allow you to pick the content you want to see in real-time. Most other analyzers show all three (and not usually in real time) and do not allow you to toggle between the different views.

10_cool_things_OmniPeek-3.png

c. Right-click on one of the columns in the packet list to customize the column display.


2. Capture filtering the easy way


OmniPeek ships with a set of common, pre-defined filters, but its real power is in the ease with which you can create your own filters.

 

1.    As packets are coming in, choose something you might want to filter on, such as a protocol or source IP address. Right click on that packet (stop the scrolling, if necessary, by keying Ctrl-K).


10_cool_things_OmniPeek-4.png


2.    Click on Make Filter - notice that the information on the packet you chose is already set up in the Edit Filter dialog for you.

10_cool_things_OmniPeek-5.png

3.    3.  Name the filter and make modifications. You may wish to restrict the data to only one attribute, for example, source IP address or protocol.

 

4.    4.  Click OK to save the filter.

 

5.    5.  Click on the Filters tab and find your new filter in the list. Check the box next to the filter. You will now be capturing only packets that meet the criteria of that filter. (Alternatively, you can reject only those packets matching the filter criteria by clicking on the Reject Matching button.)


10_cool_things_OmniPeek-6.png


6.   6. Go back to the packet list in the Packets view. You should only be seeing packets that meet your filter criteria. Notice the packet counts differ in the upper left corner (Packets Received vs. Packets Filtered)


3. Advanced filtering

 

      OmniPeek's advanced filtering is easier to use than most analyzers' simple filtering. Filtering on specific protocol decode fields, for example, can be accomplished in just a couple of mouse clicks. Suppose you wanted to view all packets with a Time To Live (TTL) of under 128. A packet with a TTL of less than 128 indicates the packet has most likely traversed a router. When dealing with network slowdowns, it's interesting to understand where the packet came from and where it's going. TTL helps us understand the packet's path. Here's how to build the filter:

 

1.    Click on the Packet List Tab.

 

2.    Choose any IP packet and double-click to open the decode view.

 

3.    Right click on the TTL field under the IP Header section and select k.

 

4.    An advanced filter is already made for you!

 

5.    Double click on the Value box.

 

6.    Change the Operator to '<' (other LAN analyzers do not have this capability).

10_cool_things_OmniPeek-7.png

7.    Name the filter and click OK.

 

8.    Go to the Filters Tab and click on the filter you just created. Packets will then be filtered on the fly!

 

9.    The same filter can be used for post capture analysis, too. OmniPeek doesn't force you to define filters in multiple places.


4. Who are the Top Talkers?

 

Top Talkers is a common troubleshooting statistic. The network is slow, for example, and you may want to see which stations are using the most bandwidth.

 

1.    Click on the Nodes Tab. By default, the View Type is Hierarchical, where logical addresses and symbolic names are nested beneath their physical addresses along with their transmit and receive statistics. However, you can easily change the default view to one showing the Top Talkers.

 

2.    Pull down IP from the View Type, then click on a column to sort on Bytes or Packets sent or received. Right click on the columns to customize the display.

 

3.    To view a subset of the talkers, choose a value in the Display Top drop down.


10_cool_things_OmniPeek-8.png


4.    Note that you can see the top 5 or 10 or 100, etc. Double click on a host to view its protocols in Detail Statistics.


10_cool_things_OmniPeek-9.png


Make a filter, build an alarm, or construct a graph for any of these hosts with just a click of the mouse. OmniPeek provides you with an amazing amount of flexibility. Other analyzers decide for you what statistics will be displayed.


5. What protocols are on your network?

 

Perhaps, instead of wanting to know what users are using the most bandwidth, you want to know what applications are using up bandwidth. Are any protocol ratios too high? Are there any protocols that shouldn't be on the wire?

 


1.    To see which applications are on your network, click on the Protocols Tab.


10_cool_things_OmniPeek-10.png



2.    Double click on a protocol to see the % of usage by each host.


10_cool_things_OmniPeek-11.png


3.    Return to the Protocols Tab, right click on a protocol, and Select Related Packets. This is a two-click method of choosing all the packets in the packet list that are talking this protocol. Select Related is available throughout the program: the nodes stats, expert problems, Peer Map, etc.


6. Make multiple graphs

 

OmniPeek's extensive graphing ability enables you to correlate useful statistics. For example, are broadcast packets a significant portion of your utilization?

 

1.    Click on the Summary Tab.

 

2.    Right click on Total Broadcast, and choose Graph... Name the graph in the Graph Data Options dialog and click OK.


10_cool_things_OmniPeek-12.png


3.    Right click on Average Utilization and choose Graph... Name the graph in the Graph

Data Options dialog and click OK.

 


4. Minimize the capture window and then choose Window...Tile Horizontally. (OmniPeek is one of the few analyzers that complies with MS Windows conventions, which is certainly helpful here!)


10_cool_things_OmniPeek-13.png


7. Find problem packets through "Select Related"

 

OmniPeek Expert Tab is by far the easiest to use and most up-to-date on the market. Problems are arranged by conversation, rather than by OSI model level. ProblemFinder tests and settings are just one right click away, as are problem descriptions and possible remedies. Other analyzers force you to hunt and peck for the information you need. OmniPeek delivers this information to you automatically. It pinpoints the packets related to a network communications issue, tells you why it's probably happening, and suggests ways to fix the problem.

 

1.    Click on the Expert Tab.

 

2.    Right click on the first host, and choose Expand All.


10_cool_things_OmniPeek-14.png


3.    Scroll down until you find a particular problem you'd like to look at.

 

4.    Right click and choose Select Related Packets by Source and Destination or by

Conversation.

 

5.    Alternatively, you can go straight to the Problem Summary Log and select all packets related to a particular problem. Note how the conversations having this issue are highlighted when you return to the Packets view.


8. Determine Application Response Time

 

Application Response Time is available via the Expert Tab, where detailed round trip analysis of command-response packets is available, showing you the best, worst, and average delay. In a similar fashion, throughput is also analyzed.

 

1.    Click on the Expert Tab

 

2.    Click on the Node Details tab.


10_cool_things_OmniPeek-15.png


3.    Right click on the first host in the conversation tree, and choose Expand All.

 

4.    Walk down the tree until you see an interesting analysis in the Delay and Throughput

Analysis display in the lower right.


9. Visualize your network with expert mapping

 

The Peer Map is a great way to get a visual perspective of your network. Not only can you select related packets from hosts on the map, but you can easily create ad hoc filters or look at Top Talkers.


1.    Click on the Peer Map.

 

   Con the Peer Map


10_cool_things_OmniPeek-16.png


2.    Choose IP Map from the Map Type pull down in the upper right hand corner.

 

3.    In the Node Visibility Criteria area just below, you can choose Top Talkers via absolute number or, say, top 10%.

 

The amount of traffic through a node is represented by the size of a dot. If there is one host, such as a mail server or a web server that is skewing the results you are looking for, you can drag that node into the Hidden Node field.


10. Find that slow web server fast

 

With OmniPeeks' Expert System, you can easily spot slow servers. Here's an example of how to troubleshoot a slow web server.

 

1.    Start a new capture.

 

2.    OmniPeek ships with many standard filters, including HTTP. Click on the Filters Tab

and check the HTTP filter to immediately activate it.

 

3.    Go back to the Packets view. Enable Scrolling (Ctrl-K) so you can see incoming packets. Verify that they are HTTP packets.


10_cool_things_OmniPeek-17.png


4.  You may see HTTP access from web traffic not associated with your web server, so you will need to add a new filter. Open a browser and go to your web server. You should see your web server in the packet list display. Create a filter by right-clicking on that packet and choosing Make Filter.

 

5.    Go to the Filters Tab and enable the filter you just created.

 

6.    Now go to the Expert Tab. Click the Problem Summary pane and check for TCP Resets

or HTTP Slow Response time diagnoses.


10_cool_things_OmniPeek-18.png


7.  The Problem Log pane provides more detail, including actual time delay between specific packets (e.g. 13 seconds from Packet 908).

 


8.    Right click and select related packets by See Packet.


10_cool_things_OmniPeek-19.png


9.    Go to the Packets view and your problem packet is highlighted!

 

10. From there, try and figure out what sort of packet it is. Does it say Data in the Summary Column? What is this packet in response to? Click through the packets that preceded the bad packet.

 

Unlike other analyzers, OmniPeek's expert system ignores the ACKs when determining the HTTP Slow Response diagnosis. Look to see if the ACK was received right away. If so, and it was the data packet that triggered the diagnosis, you know it was the web server that was slow and not the network.


---------------------

Joe Habib

Director of Global Services

 

I like to follow the KISS principal (KEEP IT SIMPLE STUPID) and welcome problems as they provide me with daily challenges.

$200 Million Says Plenty about the Network Monitoring and Performance Market

By WildPackets on September 17, 2009 7:00 AM | No Comments | No TrackBacks
If anyone had doubts about the strength of the network monitoring/reporting/troubleshooting market, this week's news should put those doubts to rest. Of course we're referring to the announced purchase of NetQoS by CA for $200M in cash. This is a multiplier of approximately 4 over the reported 2008 annual revenue of $56M from NetQoS. Not a bad deal indeed for the current economic climate.
 
Though not sexy, and often considered commoditized, the network monitoring/reporting/troubleshooting market may be just the opposite. At the core of this market is packets. Yes, I said packets. Geeky, techie, call it what you want but we're back to basics on this one. Accumulating statistics on the basis of packets, whether through direct, deep packet inspection or through the use of flow-based technology available in most contemporary routers and switches, is proving to be a highly valuable capability, especially as networks grow and IT staffs shrink.
 
For years it seems the industry tried to steer clear of packets, looking to higher-level solutions like SNMP, but in the end it's becoming clear that packets never lie, and to obtain reliable network data one must start with network packets.
 
Now, I think we're going to come full circle on this one. Even the solution from NetQoS - which relies on flow-based information from routers and switches - can't provide the level of detail compared to complete packet inspection.  And this technique provides no capability of unequivocally determining a root-cause for reported problems. It merely shows network trends and alerts when thresholds are exceeded - it does not allow for detailed analysis as the offending data has already passed through the network. That's why NetQoS partnered with Network Instruments and OEM'd their Gigastor solution. With that partnership, NetQoS could provide the full monty - network reporting, monitoring, and troubleshooting. Or, as I see it, coming full circle back to packet capture and deep packet inspection -- the only way to truly identify network issues.
 
The purchase of NetQoS by CA provides validation that the network monitoring/reporting/troubleshooting market is not only alive and well, it is thriving. The traditional, "full-featured" network management solutions (like CA) are realizing that quality network monitoring, reporting, and troubleshooting are key features, and that they need capabilities like flow-based monitoring and deep packet inspection to continue to claim that their solutions are complete. The value of these types of solutions continues to rise, and the "big boys" have only two options, start developing fast or acquire. And with the head start many of us have with our network monitoring/reporting/troubleshooting solutions acquisition is by far the better alternative.

The difference between packet analysis and protocol analysis

By WildPackets on August 27, 2009 8:10 AM | No Comments | No TrackBacks

Packet analysis, protocol analysis, six of one, half a dozen of another, right? You might think so. Just do a web search on either term and you'll find them used interchangeably by just about everyone out there, including the "experts." But packet analysis is quite different from protocol analysis, and far more complete. Let me explain.


Protocol analysis is a subset of packet analysis. Protocol analyzers interrogate packet headers to first of all determine which protocol is being used for communication, like HTTP (always a well-understood example), and then to ensure that the rules of the protocol are being adhered to. Valuable, and somewhat complicated, analysis for sure, but this is strictly at the communication layer.


But what about when the protocol is absolutely correct, yet users are still raging about poor network performance? That's when we need to get to deeper layers of analysis, or true packet analysis. Packet headers, which contain the information about the protocol, aren't the only sources of information for network analysis. Packet payloads also contain critical information regarding the workings of your network, and when you include payload analysis with protocol analysis you get packet analysis - the complete solution. Packet analyzers can now address more complex network issues, like is it the network or a specific application that is causing a problem.


The answers lie in the packet payloads, and in packet, not just protocol, analysis.

Network Forensics Use Cases Beyond Security Attacks

By WildPackets on August 20, 2009 9:08 AM | No Comments | No TrackBacks

Network forensics is the capture, recording, and analysis of network events. Typically, network forensics' tools employ simple and complex filters to mine stored data to reveal anomalies (what caused them and what the results were on a network performance). The common perception is that network forensics is used to discover the source of security attacks. The recent denial-of-service attacks on Twitter is a recent headline example where network forensics was used to help identify the perpetrator. So while security attacks get the most attention, network forensics can be used for other problem incidents. Even beyond problem incidents, network forensics can even be used for things like business analysis. Below are three network forensics use cases, not including security attacks, for consideration.

 

1) Monitoring User Activity  

 

Social networking sites like Facebook and Twitter have been shown to sap productivity in the workplace. As a result, many organizations have user policies that prohibit, or at least curtail such activities. Recently,  the U.S. Marine Corp. banned marines from using Twitter for a year, as well as Facebook. Additionally, policies prohibiting non-work related "bandwidth sucking" download activities (music, videos, games, etc) are common. Lastly, users may not be going though a proxy server opening up the network to various malware. Network forensics allows all these "rogue" activities to be monitored revealing details as to who broke policy, what policy infraction was committed, and at what time it occurred.

 

2) Business transaction analysis

 

For transactions that take place in clear text like SQL, http request, FTP, or telnet, network forensics allows the network administrator to create the ultimate audit trail for business transactions. Not just server activity, but the business transactions enacted by clients and servers. Additionally, network forensics can serve to troubleshoot the transaction problems that server logs miss.

 

3) Pinpointing the source of intermittent performance issues 

 

On a practical level, here's where network forensics' tools really come in handy - the capturing and handling intermittent network problems, especially those problems that occurred hours or days ago. Traditional "reactive" ad hoc troubleshooting can miss patterns that indicate network problems, so network forensics can be used to catch things that were originally missed.

 

As the SANS Institute notes, "Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable...."

 

Network forensics can be a powerful tool to unlock mysteries found within the network. Make sure you have a network forensics tool best suited for your organization's particular needs.

Building and Monitoring the Department of Energy 100 gig network

By WildPackets on August 13, 2009 2:35 PM | No Comments | No TrackBacks
100 gig networks are on the way.  The Department of Energy (DoE) has just awarded $62 million to build one.  

Just like any other network, visibility into the network, and the ability to monitor and troubleshoot it must also be taken into consideration.   Even with 1 gig and 10 gig networks, special hardware and software is often needed to capture and analyze all of the traffic.  And even that is not sufficient when these networks are fully saturated, or experience large spikes, small packets, and other anomalies.  

In some ways, the network monitoring industry is still working to catch up with 10 gig networks, so yes, developing new technologies and tools for 100 gig is going to be expensive and not ready for prime-time for a good while.  But this forthcoming innovation is good for everybody downstream as it will push the envelope, and drive the next generation of networking tools and corporate revenues.  

The types and number of issues surrounding the development and deployment of a 100 gig Ethernet network will depend on how deep into the network the 100 gig needs to go.  Currently, there are a few options for 100 gig core routers, but beyond that available commercial hardware stops at around 10 gigs.   A quick search on network cards greater than 10 gig came up empty.  And even if you found the cards, current twisted pair cable only goes up to 20 gigs.   To go higher than 20 gigs means re-cabling with fiber.

If the 100 gig network is just a big pipe between the major carriers, and everything in between is 1 gig and less, then the scope of the problem is pretty well defined.   The cost then is a matter of rolling out 100 gig fiber if necessary, but maybe not if multiple existing smaller capacity lines can be aggregated.  

If the project is more ambitious, and is attempting to go end to end, then there are a lot of problems and expense right out of the shoot.  Namely, everything has to be replaced in between the core router and the PC's.  Even the network card in the PC has to be upgraded to 100 gig, which has not been invented yet.  

Finally, this still leaves the challenge of monitoring a 100 gig network.  Currently, there is no single network analyzer that can capture at 100 gigs.  One way to achieve this is with a series of load balancing taps that break the traffic down into smaller 10 gig lines, which then feed into separate analyzers working in parallel.   Interesting idea, but I don't think anyone has invented it yet.   

Perhaps we need some town hall meetings to discuss?
Continue reading Building and Monitoring the Department of Energy 100 gig network.

Six Tips for Analyzing 10G Ethernet Traffic

By WildPackets on July 30, 2009 9:42 AM | No Comments | No TrackBacks

Enterprises and data centers can now easily and cost-effectively upgrade their network infrastructure to 10GigE. If you have plans to make the switch, or perhaps you have already done so, below are six tips for successful 10G network analysis.

 

1.       Match network analysis requirements with the appropriate network analysis techniques

 

Before commencing any network analysis task, it is important to understand what you hope to accomplish. This is a great time for making and archiving some baseline measurements, whether on specific network traffic like HTTP or key business applications, or the network as a whole. Filtering and periodic statistics recording are the best techniques for isolating data for baselines. Is the network slow? Are you receiving alerts? This is the time to start troubleshooting. Running multiple captures with different focuses and turning on key Expert analysis modules (if you didn't already have them enabled) are excellent techniques to use in troubleshooting.  

 

2.       Ensure you're collecting and analyzing the data you expect

 

Networks are busy places, and the higher up the stack you analyze the more data you need to sift through. Before diving into detailed analysis, step back and make sure you're collecting the data you need. Start with high-level views, like node, protocol and statistics summaries. Compare these to established baseline data to make sure nothing has changed, either in your environment or with your data collection settings. Only after convincing yourself that the basic data is in place and being collected and analyzed should you embark on detailed analysis and drill-down of the data.  

 

3.       Learn to work within the hardware limitations of network analysis probes

 

Networks are getting faster. 10 Gigabit deployments are becoming more and more common, and this will put a strain on any network analysis software or network appliance. The key here is the analysis. The packets can obviously be moved and possibly even stored at line rate, but to analyze means to interrogate every packet as well, creating competition for precious processor and memory-buffering resources. If you need to analyze in real-time, embrace the fact the in-depth, real-time analysis at 10Gbps is just not feasible with current hardware solutions. Take advantage of solutions on the market today that receive 10Gbps line-rate traffic and separate the data into more manageable streams for analysis, typically 1Gbps data streams. Then you can comfortably and confidently accomplish the real-time analysis you require.

 

4.       Optimize data collection settings to meet the demands of your network and your analysis solution

 

Network analysis, is a compromise. In most cases, your most significant compromise in network analysis is depth of analysis versus the throughput of data you hope to analyze. The greater the analysis load, the lower the throughput that can be analyzed without dropping packets. Fortunately you are not typically analyzing everything simultaneously. For example, if you're monitoring a heavily used gig interface, you don't need any wireless analysis, so why not turn the wireless analysis module off and benefit from the increased performance? Not running VoIP or video on that interface, or there's no problem with VoIP or video right now? Turn off VoIP and video analysis modules, again improving the performance of what you do wish to analyze that much more. Only interested in post-capture analysis? Then turn off all analysis modules. You can always turn them back on when you go back to analyze the data. That's why there's the option to enable and disable the functions.  

 

5.       Use advanced settings like hardware filtering and time stamping to your advantage

 

Certain functions that are critical in performing network analysis, like establishing the time each packet is captured from the network or filtering certain categories of network traffic, can be accomplished within some network interface cards themselves. This means the functions are performed in hardware, making them much faster, and relieving the network analysis software of some of the processing burden. Taking advantage of advanced features available in hardware should always be seriously considered when purchasing network interface cards for use in network analysis.  

 

6.       Determine the proper placement of network analysis probes to ensure network management and troubleshooting success

 

Collecting network data for analysis at multiple locations is always best. You'll get the most accurate results, and more collection points implies greater granularity in analyzing conditions like network response time. The same holds true for VoIP analysis. Collecting data at both ends of the call, at least for your internal phone traffic, can help you identify the source of VoIP deficiencies much more quickly. But increased collection means more appliances and more cost. Each network is different, and your analysis needs undoubtedly have unique elements. Only you can make the trade-off between collection points and cost. At a minimum, capturing data for analysis at core routers and WAN connections is essential. From there, it becomes a cost-benefit analysis to determine how deep and how wide into the network you go.

 

WildPackets is in the business of providing network analysis software, so if you have any questions about 10G, wireless, 1G, etc - get in touch, we'd love to help out.

Good news: The Cisco AP Capture Adapter just got better

By WildPackets on July 21, 2009 9:03 AM | No Comments | No TrackBacks
The Cisco AP Capture Adapter is a feature in the OmniPeek Console that can capture and aggregate wireless packets from multiple Cisco Access Points.    This feature is especially useful to companies with large numbers of Access Points (APs) that are spread throughout offices, stores, and warehouses.    It allows any one or more of the APs to be temporarily used as probes to capture traffic, and then switched back to AP mode, all remotely through software.    Being able to multi-purpose the APs in this way increases the ROI of both OmniPeek and the Cisco AP.

So the Cisco AP Capture Adapter, as a solution, is very good.   Of course, as the developer of the Cisco Remote Adapter, I am going to say that, right?    But seriously, we have been pleasantly surprised by the  popularity of this feature, and the growing number of customers who are using it.  

However, it has its drawbacks.    Because it runs on the OmniPeek Console, the captured packets have to be streamed over the network from the APs to OmniPeek, wherever it may be.    This could be on a different segment, in a different building, or in a different country.    The stream is also not encrypted.    Furthermore, if the IP address of the OmniPeek Console machine changes, which is likely, the AP configuration has to be changed to reflect that.

The point here is that the distance the packets must travel could be long, possibly over the internet, it is not secure, and it changes locations.    These are not ideal characteristics of an enterprise solution, which is why the Cisco AP Capture Adapter is used mostly for local troubleshooting.    This is too bad, since the potential is so much greater.

Now for the good news.  (Imagine a drum roll in the background.)  Ladies and gentlemen ... we have just ported the Cisco AP Capture Adapter to the OmniEngine.   (Now imagine roaring applause.)  Yes, this is good news indeed.   

By running the Cisco AP Capture Adapter on the OmniEngine, and placing the OmniEngine on the same segment or subnet as the Cisco AP wireless mesh, all of the packets from any one of the Cisco APs can be streamed and aggregated directly into the OmniEngine.   The OmniPeek Console is then used to connect to the OmniEngine and view the results of the analysis.  

By inserting the OmniEngine into the equation, a new tier is added, providing better performance, less overhead, and security.    The performance is better because the packets only have to be streamed to the OmniEngine, not all the way back to the OmniPeek Console.    This also provides a permanent capture environment, so that your AP configurations do not have to change.   

The overhead to the network is also less, since the packets have to travel  a shorter distance, through fewer routers and switches.   Security is also much better, because the OmniPeek Console interaction with the OmniEngine is through a secure and compressed connection.

But that's not all.   There are many advantages of using a distributed OmniEngine, and now users of the Cisco AP Capture Adapter will be able to take advantage of them.   Yes, this is good news indeed.    The Cisco AP Capture Adapter  for the OmniEngine is in test now, and will be available to maintenance members soon.    I am sure it will be a big hit.

-SpacePacket


Automation for Efficient Network Monitoring and Performance Analysis

By WildPackets on June 2, 2009 5:30 PM | No Comments | No TrackBacks
OmniPeek is a tool, like a hammer, but not just any hammer.   It is like Thor's hammer, and when you wield the OmniPeek hammer, you are like Thor, the God of Thunder.    You save mortal men every day.  You monitor and troubleshoot their networks, you solve their problems.   You make life better for everyone.  Yes, with OmniPeek, you are a superhero.

And if you are like me, you probably use OmniPeek in some form or another every day for network monitoring, VoIP analysis, network performance analysis, network security, or any of the other capabilities of this analyzer.   And before that, you used EtherPeek, and probably AiroPeek as well.   These products have always been easy to use, provided you with powerful analysis capabilities, and of course the UI looks great.    But as a superhero, you have a lot to do these days.   You either have to many products to test, or more than one network to monitor at the same time.

As a result, you may find yourself performing the same functions over and over again.   And you may ask yourself, how do I work this?   And you may ask yourself, where is that large automobile?   ;-)  Ok, maybe not, but although you may have the test or monitoring process down to an exact science, and a precise number of clicks, you are still not making the best use of your time.   

Sometimes it can be difficult to recognize this, or admit that it is true.  But that is ok, and that is why we are here.   We want to help you help yourself, by introducing you to the amazing world of automation.   Through automation, you can save lots of time and money.   'Nuff said, it is worth it.    To take advantage of automation, you do not have to be a programmer either.   It can definitely help, but we have developed some command line utilities that do the scripting for you. 

But, there is a catch.   In order to get the most out of automation, you first need to upgrade your OmniPeek Console to an OmniEngine, if you have not already.    That is the ante, and you will be pleasantly surprised by how little it costs to upgrade.    Yes, you can automate the OmniPeek Console, and if that is your only option, I would highly recommend it.   There are lots of benefits.

However, if you can upgrade to an OmniEngine, then do it.   Do it for all of the right reasons.   Do it for your girlfriend, or wife and children, who would like to see more of you.   Do it for your boss, who would like to save money.   But mostly, do it for yourself because you are not just a button pusher.   You are smart enough to know that if you put in a little time and effort up front, you can have a better life because of it.   And finally, do it because you can.   The fact is that the OmniEngine is the best platform for automating network monitoring and analysis processes.   

The OmniEngine is extensible in a number of ways, and that is why we call it a platform.  But today, we are focusing on automation.    At a high level, automating an OmniEngine consists of creating a capture, and analyzing the results.   But wow, talk about making a long story short.  Captures have lots of settings, and filters, and adapters, and statistics, and on and on.   And then there are the results; fast vs. slow, up vs. down, pass vs. fail, and all of the analysis required to come to that conclusion.    But for for the processes you perform over and over again, you probably know the exact set of steps required to create the capture, configure the capture, how long to run the capture, and what analysis is required to determine the result.    With OmniScript and the OmniEngine command line utilities, you can automate most, if not at all, of these steps.

So what is OmniScript?   OmniScript is the remote API used by the OmniEngine Command Line Utilities.   With OmniScript you can write scripts that control the OmniEngine, and  can virtually anything that the OmniPeek Console can do.    But with OmniScript, you can write these scripts in such a way that they can run by themselves from start to finish.    What we do here at WildPackets, is write command line utilities that can automate the OmniEngine in different ways, so you don't have to.   You just configure the utilities with all the right parameters, and integrate them right into your work flow.  

The most important thing to understand about automation, is that it is not all or nothing .   Automation is something that you can add a little bit at a time, and every time you add some, your life gets better.   So go ahead, take the next step.   It's easy, just read more about automation, in our Automation Primer on MyPeek.   And then, when you are ready to take the red pill, download OmniScript and the OmniEngine Command Line.

---

spacepacket_chris_bloom.pngMy name is Chris Bloom (aka spacepacket), and I do wild and crazy things with OmniPeek.   If you have any questions about automation, or any other questions about the extensibility of WildPackets products in general, please email me at bloom@wildpackets.com

 

 



Network Traffic Management and Analysis Survey Results from Interop

By WildPackets on May 28, 2009 1:00 AM | No Comments | No TrackBacks
At Interop 09 this past week in Las Vegas, WildPackets asked attendees of our mini-courses three questions:

  1. What types of networks do you manage?
  2. What is your average network throughput?
  3. What are your primary usages for network traffic analysis software?
Results
NOTE: With the exception of question 2, respondents could select more than one answer. For question 1 and 3, percentages will not add up to 100%.
  • Types of Networks Managed by Respondents:
    View image
  • Average Network Throughput Reported by Respondents:
    View image
  • Respondents' Primary Usages of Network Analysis Software:
    View image
Findings
Some of the findings mirrored trends that journalists and analysts have reported on. For example,
  • Over 59% of the respondents managed a Gigabit Ethernet network. 35% of the respondents who reported managing a Gigabit Ethernet network managed a 10 Gigabit Ethernet network as well.
  • Over 61% of the respondents who managed VoIP/Video in their network, managed either a Gigabit Ethernet network or both a Gigabit and 10 Gigabit Ethernet network.
  • Over 34% of the respondents do not manage 10/100 Ethernet networks.
  • 7% of the respondents manage only a Wireless network. Likewise 7% of the respondents managed only a 10/100 Ethernet network.
One trend we were surprised to find was that very few respondents (7%) use network traffic analysis software for post-capture (forensic) analysis. The majority of respondents continue to use the software for either local (55%) or distributed (41%) real-time troubleshooting and analysis.

Participate
The mini-course session attendees are not a broad sample of North American network professionals. Many of the respondents were from California, Arizona, or Nevada. To get a better representation of the networks managed today by network professionals, we're opening up the survey online from Thursday May 28 through Friday June 19th.

As a thank you for participating in our survey, we'll enter your name into a drawing for the latest iPod Touch. Your personal information will not be associated with your answers. If you prefer, you can also participate in the survey anonymously. We'll publish the results in the July Peeks newsletter, as well as announce who won the drawing.
« Cyber Security | Main Index | Archives | network forensics »