Recently in Network Managment Category

Top 10 OmniPeek Plug-ins

By WildPackets on March 9, 2010 3:40 PM | No Comments | No TrackBacks

The OmniPeek Plug-ins are flying off the shelves.  And they should, since they are free to customers with maintenance.   There are over 40+ plug-ins available on MyPeek.   Some are more popular than others.   To help you decide which ones to try first, we have taken a look at the stats, and have come up with the top 10 most downloaded plug-ins.


top_10_omnipeek_plugins-1.png

Google Map Plug-in!

The Google Map Plug-in displays a Google Map in the OmniPeek capture window showing the locations of all the public IP addresses of captured packets. This feature is a great way to monitor your Web site at a high level and to see in real time where in the world those hits are coming from.

 

Read more...



top_10_omnipeek_plugins-2.png

The Instant Messenger Plugin

This plugin displays conversations for the AIM, MSN, and Yahoo protocols in real-time, showing the screen names of the people chatting as well as the actual text.   Individual screen names can be selected, showing only the conversations for that screen name.

 

Read more...



top_10_omnipeek_plugins-3.png

Remote TCPDump Adapter

The Remote TCPDump Adapter for OmniPeek is a revolutionary new way to monitor network traffic remotely. With OmniPeek and the Remote TCPDump Adapter you can dramatically extend the reach of your network monitoring capabilities by turning virtually every Linux and Unix based machine on your network into a network probe, and you can do this without installing any new software on those remote machines.

 

Read more...




top_10_omnipeek_plugins-4.png

 SQLFilter Plug-in

The SQLFilter plug-in brings simple, powerful data mining to WildPackets' flagship network analyzers. The plug-in lets you perform Structured Query Language (SQL) searches across very large, user-defined sets of packet files from within OmniPeek.

 

Read more...


top_10_omnipeek_plugins-5.png

NetFlow Analyzer Plug-ins

The NetFlow Analyzer Plug-ins for the OmniPeek Console and OmniEngine collect NetFlow traffic and display NetFlow statistics in OmniPeek.

 

Read more...









top_10_omnipeek_plugins-6.png

Wireless Channel Aggregator

The WildPackets' Wireless Channel Aggregator captures wireless packets from multiple channels simultaneously (without scanning), measures vital statistics on each channel separately, and calculates the latency of devices roaming between access points.

Read more...


top_10_omnipeek_plugins-7.png

Regular Expression Filter Plug-in

The FilterMe Plug-in allows the user to create and maintain a list of regular expressions that can be used as filters during real-time capture and file windows.

 

Read more...


top_10_omnipeek_plugins-8.png

WatchMe Plug-in

The WatchMe and Browser Plug-ins displays web pages.   The WatchMe Plug-in follows links in real-time that network users are surfing to, while the Browser Plug-in reassembles packets back into web pages.

 

Read more...



top_10_omnipeek_plugins-9.png

FindMe Plug-in

The FindMe Plug-in adds a tab to the capture window that contains a list of text strings that are searched for each packet. As packets are being processed, the plug-in searches for each instance of each text entry in each packet and makes log entries when the text is found.

Read more...



top_10_omnipeek_plugins-10.png

Latency Monitor

The Latency Monitor measures network and application latency.   These are graphed together and can be easily compared to determine which one is the culprit.   Alarms can also be set to inform you if latency thresholds are exceeded.

 

Read more...

Three tips for determining whether latency is caused by the network or application

By WildPackets on February 18, 2010 8:00 AM | No Comments | No TrackBacks


Networks typically run various applications, from single-tier, locally-hosted applications like e-mail, to multi-tier web-based applications, or even time-sensitive, multi-hop applications like VoIP. While application traffic typically resides within the data center, SaaS and cloud computing are rapidly growing trends that are driving application traffic outside of the traditional enterprise network, making network latency even more of an issue. Pinpointing and correcting slowdowns is therefore a necessity, and can be a real challenge. So what is responsible for the latency creating poor application performance- the network or the application itself?

 

First, we must distinguish between the two basic types of latency - network and application latency. Network latency is the amount of time it takes for an application to make a request and the server to respond with an acknowledgement (a packet message used in the transmission control protocol to acknowledge receipt of a packet). Application latency is the amount of time needed for the application to process the request and send a response containing real data.

 

Most network-monitoring products provide some sort of latency-monitoring features, typically either one or the other, not both. Here are three tips to determine whether latency is be caused by the network or the applications (or both) in your environment.

 

1)       Clearly determine network versus application latency

 

Every application issue is blamed on the network until proven otherwise - "guilty until proven innocent." Clearly measuring network latency vs. application latency is the proof the network engineer needs for acquittal. Packet-level monitoring is ideal for accumulating evidence. By visually inspecting a packet-level conversation between a client and a poor performing application, one can see whether the network (or a network device) is the source of the delay, or if the application is the bottleneck. This is done by comparing the responsiveness of the TCP ACK to a client request versus the application response, which includes actionable payload data. Quite often the network acknowledges the client request quickly (within milliseconds) while the application may take tenths of seconds or even seconds to respond with payload data. When you see this, you know it's the application causing the problem.

 

2)       Periodically test and monitor key applications and network connections

 

Periodic, active monitoring can also provide insight into network performance on key interfaces, and can alert you when conditions begin to degrade. While this technique only addresses network latency (not application latency), it can still provide important data when determining whether the issue is network or application related. For example, let's say the organization's CRM application is via a web-hosted service. Running periodic traffic in the background (even just pings) to the CRM application host can provide an ongoing baseline of the performance of the network between users and the host. If the baseline increases, alarms are used to notify that the network latency is becoming an issue. User complaints about CRM performance without a marked change in the network latency baseline almost always indicate the application host or the application itself is at fault.

 

3) Graphing latency over time

 

Graphing latency over time helps to identify patterns and anomalies that deserve closer attention. Latency monitoring can help correlate areas of latency with other relevant statistics, as well as the actual network traffic occurring at that time. This type of high-resolution forensic analysis can help to detect latency problems at the highest level and drill down quickly for closer inspection.

 

Ideally, network latency and application latency measurements can be graphed together over time, making clear whether the problem lies with the network or the application. Comparing the measurements of the two types of latency over time and seeing the differences can provide information that might have otherwise been overlooked.

 

Latency monitors can include a feature that sets thresholds on latency, so alarms will go off when normal conditions are exceeded. The administrator can be made aware of excessive latency before application performance becomes a widespread issue, allowing him or her to make necessary adjustments to the network proactively. This type of proactive latency monitoring allows the administrator to detect and correct problems in the network and applications before users even notice a slowdown.

10 Cool Things You Can Do With OmniPeek

By WildPackets on February 10, 2010 10:12 AM | No Comments | No TrackBacks

By Joe Habib, WildPackets Director of Global Services


OmniPeek is the first protocol analyzer to offer both expert diagnostics and frame decoding in real time, during capture. WildPackets' OmniPeek has been carefully designed to help IT Professionals analyze and diagnose increasingly diverse volumes of network data, providing precise, contemporary analysis of the problems facing today's networks.

 


Here are ten cool things you can do today with OmniPeek!


10_cool_things_OmniPeek-1.png

Main window of OmniPeek, showing the Expert view


1. Capture and view packets


Though you can see global network statistics without capturing packets, for most analysis sessions you'll want to capture packets. One of OmniPeek's many strengths is in its flexibility. This is immediately apparent in the packet list display, where you can easily customize the display.

 

10_cool_things_OmniPeek-2.png

1.    Click the New Capture button on the Start Page, or pull down File...New from the menu bar. Click OK in the Capture Options Dialog, then click the Start Capture button.


2.    OmniPeek provides several ways to customize your view of traffic with a single click.


a. The auto scroll option (Ctrl-K) allows you to see packets as they come in, which is useful if you're looking for particular information in the Summary or Expert columns.

b. The Show Packet List, Show Decode View, and Show Hex View buttons allow you to pick the content you want to see in real-time. Most other analyzers show all three (and not usually in real time) and do not allow you to toggle between the different views.

10_cool_things_OmniPeek-3.png

c. Right-click on one of the columns in the packet list to customize the column display.


2. Capture filtering the easy way


OmniPeek ships with a set of common, pre-defined filters, but its real power is in the ease with which you can create your own filters.

 

1.    As packets are coming in, choose something you might want to filter on, such as a protocol or source IP address. Right click on that packet (stop the scrolling, if necessary, by keying Ctrl-K).


10_cool_things_OmniPeek-4.png


2.    Click on Make Filter - notice that the information on the packet you chose is already set up in the Edit Filter dialog for you.

10_cool_things_OmniPeek-5.png

3.    3.  Name the filter and make modifications. You may wish to restrict the data to only one attribute, for example, source IP address or protocol.

 

4.    4.  Click OK to save the filter.

 

5.    5.  Click on the Filters tab and find your new filter in the list. Check the box next to the filter. You will now be capturing only packets that meet the criteria of that filter. (Alternatively, you can reject only those packets matching the filter criteria by clicking on the Reject Matching button.)


10_cool_things_OmniPeek-6.png


6.   6. Go back to the packet list in the Packets view. You should only be seeing packets that meet your filter criteria. Notice the packet counts differ in the upper left corner (Packets Received vs. Packets Filtered)


3. Advanced filtering

 

      OmniPeek's advanced filtering is easier to use than most analyzers' simple filtering. Filtering on specific protocol decode fields, for example, can be accomplished in just a couple of mouse clicks. Suppose you wanted to view all packets with a Time To Live (TTL) of under 128. A packet with a TTL of less than 128 indicates the packet has most likely traversed a router. When dealing with network slowdowns, it's interesting to understand where the packet came from and where it's going. TTL helps us understand the packet's path. Here's how to build the filter:

 

1.    Click on the Packet List Tab.

 

2.    Choose any IP packet and double-click to open the decode view.

 

3.    Right click on the TTL field under the IP Header section and select k.

 

4.    An advanced filter is already made for you!

 

5.    Double click on the Value box.

 

6.    Change the Operator to '<' (other LAN analyzers do not have this capability).

10_cool_things_OmniPeek-7.png

7.    Name the filter and click OK.

 

8.    Go to the Filters Tab and click on the filter you just created. Packets will then be filtered on the fly!

 

9.    The same filter can be used for post capture analysis, too. OmniPeek doesn't force you to define filters in multiple places.


4. Who are the Top Talkers?

 

Top Talkers is a common troubleshooting statistic. The network is slow, for example, and you may want to see which stations are using the most bandwidth.

 

1.    Click on the Nodes Tab. By default, the View Type is Hierarchical, where logical addresses and symbolic names are nested beneath their physical addresses along with their transmit and receive statistics. However, you can easily change the default view to one showing the Top Talkers.

 

2.    Pull down IP from the View Type, then click on a column to sort on Bytes or Packets sent or received. Right click on the columns to customize the display.

 

3.    To view a subset of the talkers, choose a value in the Display Top drop down.


10_cool_things_OmniPeek-8.png


4.    Note that you can see the top 5 or 10 or 100, etc. Double click on a host to view its protocols in Detail Statistics.


10_cool_things_OmniPeek-9.png


Make a filter, build an alarm, or construct a graph for any of these hosts with just a click of the mouse. OmniPeek provides you with an amazing amount of flexibility. Other analyzers decide for you what statistics will be displayed.


5. What protocols are on your network?

 

Perhaps, instead of wanting to know what users are using the most bandwidth, you want to know what applications are using up bandwidth. Are any protocol ratios too high? Are there any protocols that shouldn't be on the wire?

 


1.    To see which applications are on your network, click on the Protocols Tab.


10_cool_things_OmniPeek-10.png



2.    Double click on a protocol to see the % of usage by each host.


10_cool_things_OmniPeek-11.png


3.    Return to the Protocols Tab, right click on a protocol, and Select Related Packets. This is a two-click method of choosing all the packets in the packet list that are talking this protocol. Select Related is available throughout the program: the nodes stats, expert problems, Peer Map, etc.


6. Make multiple graphs

 

OmniPeek's extensive graphing ability enables you to correlate useful statistics. For example, are broadcast packets a significant portion of your utilization?

 

1.    Click on the Summary Tab.

 

2.    Right click on Total Broadcast, and choose Graph... Name the graph in the Graph Data Options dialog and click OK.


10_cool_things_OmniPeek-12.png


3.    Right click on Average Utilization and choose Graph... Name the graph in the Graph

Data Options dialog and click OK.

 


4. Minimize the capture window and then choose Window...Tile Horizontally. (OmniPeek is one of the few analyzers that complies with MS Windows conventions, which is certainly helpful here!)


10_cool_things_OmniPeek-13.png


7. Find problem packets through "Select Related"

 

OmniPeek Expert Tab is by far the easiest to use and most up-to-date on the market. Problems are arranged by conversation, rather than by OSI model level. ProblemFinder tests and settings are just one right click away, as are problem descriptions and possible remedies. Other analyzers force you to hunt and peck for the information you need. OmniPeek delivers this information to you automatically. It pinpoints the packets related to a network communications issue, tells you why it's probably happening, and suggests ways to fix the problem.

 

1.    Click on the Expert Tab.

 

2.    Right click on the first host, and choose Expand All.


10_cool_things_OmniPeek-14.png


3.    Scroll down until you find a particular problem you'd like to look at.

 

4.    Right click and choose Select Related Packets by Source and Destination or by

Conversation.

 

5.    Alternatively, you can go straight to the Problem Summary Log and select all packets related to a particular problem. Note how the conversations having this issue are highlighted when you return to the Packets view.


8. Determine Application Response Time

 

Application Response Time is available via the Expert Tab, where detailed round trip analysis of command-response packets is available, showing you the best, worst, and average delay. In a similar fashion, throughput is also analyzed.

 

1.    Click on the Expert Tab

 

2.    Click on the Node Details tab.


10_cool_things_OmniPeek-15.png


3.    Right click on the first host in the conversation tree, and choose Expand All.

 

4.    Walk down the tree until you see an interesting analysis in the Delay and Throughput

Analysis display in the lower right.


9. Visualize your network with expert mapping

 

The Peer Map is a great way to get a visual perspective of your network. Not only can you select related packets from hosts on the map, but you can easily create ad hoc filters or look at Top Talkers.


1.    Click on the Peer Map.

 

   Con the Peer Map


10_cool_things_OmniPeek-16.png


2.    Choose IP Map from the Map Type pull down in the upper right hand corner.

 

3.    In the Node Visibility Criteria area just below, you can choose Top Talkers via absolute number or, say, top 10%.

 

The amount of traffic through a node is represented by the size of a dot. If there is one host, such as a mail server or a web server that is skewing the results you are looking for, you can drag that node into the Hidden Node field.


10. Find that slow web server fast

 

With OmniPeeks' Expert System, you can easily spot slow servers. Here's an example of how to troubleshoot a slow web server.

 

1.    Start a new capture.

 

2.    OmniPeek ships with many standard filters, including HTTP. Click on the Filters Tab

and check the HTTP filter to immediately activate it.

 

3.    Go back to the Packets view. Enable Scrolling (Ctrl-K) so you can see incoming packets. Verify that they are HTTP packets.


10_cool_things_OmniPeek-17.png


4.  You may see HTTP access from web traffic not associated with your web server, so you will need to add a new filter. Open a browser and go to your web server. You should see your web server in the packet list display. Create a filter by right-clicking on that packet and choosing Make Filter.

 

5.    Go to the Filters Tab and enable the filter you just created.

 

6.    Now go to the Expert Tab. Click the Problem Summary pane and check for TCP Resets

or HTTP Slow Response time diagnoses.


10_cool_things_OmniPeek-18.png


7.  The Problem Log pane provides more detail, including actual time delay between specific packets (e.g. 13 seconds from Packet 908).

 


8.    Right click and select related packets by See Packet.


10_cool_things_OmniPeek-19.png


9.    Go to the Packets view and your problem packet is highlighted!

 

10. From there, try and figure out what sort of packet it is. Does it say Data in the Summary Column? What is this packet in response to? Click through the packets that preceded the bad packet.

 

Unlike other analyzers, OmniPeek's expert system ignores the ACKs when determining the HTTP Slow Response diagnosis. Look to see if the ACK was received right away. If so, and it was the data packet that triggered the diagnosis, you know it was the web server that was slow and not the network.


---------------------

Joe Habib

Director of Global Services

 

I like to follow the KISS principal (KEEP IT SIMPLE STUPID) and welcome problems as they provide me with daily challenges.

802.11n Ratification - Enterprises, Time to Get Wet!

By WildPackets on September 11, 2009 8:39 AM | No Comments | No TrackBacks

As Joanie Wexler points out in her recent Network World article "Prepping for (finally!) a standard 11n world," the imminent ratification of the 802.11n standard will push enterprises to be more serious about investing in 802.11n. Though some early-adopters have already jumped in, either just to test the waters or because their wireless application plans demanded increased performance, most enterprises have been holding off for the final ratification. For those enterprises entering the 11n water for the first time, the Network World article offers some good preparation tips, whether your entry is from the 3m board or a slow stroll in from the shore.

 

In addition to the tips already offered, several other important points come to mind as you prepare your entry. And you guessed it, our tips center around network management.

 

First, the benefits you'll realize as you move towards 11n will likely have you rethinking the way you use wireless, so what better time to also rethink how you  manage wireless. It goes without saying that your wireless management infrastructure will need to be upgraded to include 11n. Some management applications are just getting there, while others, like OmniPeek, have been there for many years already with a substantial amount of real-world testing, not to mention the use of OmniPeek as part of the Wi-Fi Alliance 802.11n interoperability testing. A move to 11n will most certainly include a move to WPA2 for security, if you haven't already made that move, increasing the need for a network management solution that handles both wireless and wired traffic simultaneously so you can monitor your 802.1x authentication all the way back to the wired sources. And with the increased bandwidth of 802.11n, you'll likely be considering applications like voice-over-wireless, which will require additional measurement techniques like wireless roaming to ensure proper operation of your network and ensure wireless call quality. Basically the message is this: plan for wireless management up front as you make the transition to 11n and make sure your wireless management solutions meet the demands of the new applications you intend to deploy.

 

Second, this is an excellent time to consider HOW you plan to monitor the wireless network, either for troubleshooting or 24x7 observation. Wireless networks are becoming much, much larger, and the days of walking around with a laptop running wireless analysis software to do troubleshooting are drawing to a close. However, wireless networks still require a "point of presence" to do adequate monitoring and certainly any troubleshooting, meaning data must be collected near the source of the reported problem. "Overlay" networks have been the standard solution for the past several years, but this is expensive solution requiring duplicative hardware and network resources (network drops, router ports, etc.). This can be mitigated during your 11n planning by designing in just a bit more density in your AP deployment and then relying on wireless management solutions that can leverage deployed APs and turn them sensors when monitoring or troubleshooting is required. This solution is highly cost-effective since the additional density typically only results in about a 10% increase in the number of APs, much less than the number of dedicated sensors you would need to deploy, and every AP can be put to use in the network resulting in even better network performance when not in use as sensors. This is an extremely important consideration as you roll out a new 802.11n deployment and the cost savings over a traditional "overlay" solution can be substantial.

 

So, whether you're diving in head first or just putting in your little toe, this is the time to reconsider not just network upgrades and the new applications you wish to introduce, but the new management challenges for the network as well. The increased throughput, increased mobility and increasing integration between your wireless and wired network put new demands on your wireless network management solutions. Make sure your solution has already proven that it can meet these demands. OmniPeek has been doing this for years.

Surveys Reveal New Chasm - Hype vs. Reality

By WildPackets on July 20, 2009 9:00 AM | No Comments | No TrackBacks
WildPackets recently conducted a network-related survey at Interop Las Vegas, Cisco Live!, and online. In total, over 250 responses came in (not an enormous sample, but statistically relevant). It should be noted that approximately 75% of the participants use products other than WildPackets for network analysis - the survey was as objective as possible.

From this experience (and others), we've concluded that surveys are good at revealing "chasms" between what is being written about in the tech trades today and what is actually being adopted by businesses.

While tech trades provide ample coverage about 10 Gigabit Ethernet and its "onslaught" of adoption, only 28% of survey respondents have these fat pipes in production. An overwhelming majority, around 65%, work with Gigabit Ethernet, 10/100 Ethernet, WAN and / or wireless.

Conversely, surveys can reveal or validate themes and perceptions in the marketplace. For example, this particular survey supported one of the 2009 themes - the increase in distributed operations - that Craig Mathias recently pointed out in his recent webcast, "Wireless LAN Operations: 5 Key Challenges that Stifle Productivity." Survey results indicated that 81% of organizations primarily use network traffic analysis software for either distributed 24x7 monitoring or distributed real-time troubleshooting and analysis.

Perhaps a statistical anomaly, but we were surprised at how few (2%) of the respondents use Aruba network equipment compared to Cisco (the highest at 36%), HP, Dell, Juniper and Foundry. NOTE: this particular survey question was not asked at the Cisco Live! event.

Below is a detailed look into the survey results (with graphs!).

Results

NOTE: Survey respondents could select more than one answer for most questions; percentages will not add up to 100%.

  • Types of Networks Managed by Respondents:

networks_managed_all.jpg
  • Average Network Throughput Reported by Respondents:

average_throughput_all.jpg
  • Respondents' Primary Usages of Network Analysis Software:

primary_usages_all.jpg
Findings

Surprisingly, most of the findings from our website survey supported the findings from our Interop survey. There were a few striking differences.

  • 66% of the Interop respondents, compared to 72% of the website respondents, manage a 10/100 Ethernet network either solely or with other types of networks. Only 59% of the Cisco Live! respondents manage a 10/100 Ethernet network either solely or with other types of networks.
  • 35% of the Interop respondents, compared to 29% of the website respondents, who reported managing a Gigabit Ethernet network managed a 10 Gigabit Ethernet network as well. 60% of Cisco Live! respondents managed both a Gigabit Ethernet network and 10 Gigabit Ethernet network.
  • 61% of the Interop respondents, compared to 86% of the website respondents, who managed VoIP/Video in their network, managed either a Gigabit or 10 Gigabit Ethernet network. 100% of the Cisco Live! respondents who managed VoIP/Video managed either a Gigabit or 10 Gigabit Ethernet network.
  • Also, 3% of the Interop respondents (5% of the website respondents) reported managing only a Gigabit or 10 Gigabit Ethernet network, compared to 13% of Cisco Live! respondents.

Additionally, website respondents as well as Cisco Live! respondents were more likely than Interop respondents to use network analysis software for distributed data collection for post-capture (forensic) analysis: 26% of the website respondents and 27% of the Cisco Live! respondents, compared to 7% of the Interop respondents. Cisco Live! survey respondents were also less likely to use network traffic analysis software for local real-time troubleshooting (27% versus 49% average for all survey respondents) and more likely to use it for distributed 24x7 monitoring (50% versus 39% average for all survey respondents).




« network forensics | Main Index | Archives | Network Monitoring »