
Tag Archives: network troubleshooting

The Key to Rapidly Troubleshooting Network Performance Issues

Today’s networks are becoming faster and faster to accommodate the increasing demands of service and application growth, making network and application performance monitoring and troubleshooting essential, yet very challenging. Not only are organizations struggling to keep pace, but they are finding that visibility into the traffic traversing the networks is steadily decreasing.

To address this lack of visibility, organizations must implement network monitoring and analysis solutions with detailed troubleshooting that are compatible with high-speed networks. Oftentimes, the statistical data used to compile monitoring dashboards and reports common in today’s flow-based monitoring solutions are insufficient for performing detailed root cause analysis, driving network engineers to use multiple products from multiple vendors to perform different levels of analysis. This significantly increases the cost for IT departments to do business, in a time when budgets are already razor thin.

However, organizations can meet this challenge by implementing tools that scale to 10G+ networks and are built with more powerful analytical platforms capable of handling the massive increases in transactions and data traversing the network. In addition, these tools must be able to provide real-time feedback on overall network performance, so the data is always available for detailed, packet-based analysis.

WildPackets’ Omnipliance family of network analysis and recording devices includes each of these features, and can provide the necessary visibility on all network segments at 10G, 40G and even 100G. Join us on Wednesday, April 16, 2014 at 8:30am PT for a webinar that will discuss how to increase visibility into higher-speed networks.

5 Cool Things You Can Do with Compass Live

What is the one 2012 prediction all network engineers agree on? Network traffic is increasing and will continue to increase for years to come. And because of that there is a high demand for good tools to monitor and analyze large amounts of data.

To address this, WildPackets launched a beta version of Compass Live last summer: a real-time interactive dashboard for analyzing wired and wireless networks. Compass Live has a series of interactive graphs that provide visualization into everything from overall utilization of the network to top protocols and nodes, working with both .pkt (from WildPackets) and .pcap (from Wireshark) trace files.

Throughout our beta program, which will continue through June 2012, we’ve received a lot of great responses from our users. Below are a few of their favorite features as well as some of our own.

Here are five cool things you can do with Compass!

1. Capture and aggregate network traffic.
In Compass Live it is very easy to capture and aggregate traffic from multiple wired and wireless adapters. Simply enable the adapters you wish to monitor, and click the play button. Wired and wireless traffic can even be mixed together.

2. Troubleshoot wireless roaming problems.
For wireless networks, Compass Live offers a unique signal strength graph. To activate this, simply change the graph to “Signal,” and you will see the average signal strength of your network over time. Like all the graphs in this dashboard, you have the ability to dissect signal strength, and view it from a protocol or particular node viewpoint, making it easy to troubleshoot signal strength problems for specific users or access points.

A very useful application of the wireless signal strength feature is analyzing wireless roaming. Let’s assume we’re using the aggregation feature within Compass and simultaneously monitoring channels 1, 6, and 11 in the 2.4 GHz b/g band, these being the active channels in our WLAN. Because we can track the signal strength of a specific node, we can easily determine if a user is mobile and, if so, when they roam, or move from one AP to another. If the signal strength is changing steadily in one direction (either increasing or decreasing), that node is most probably mobile; a stationary node’s signal jitters around a fairly constant level. And if the signal strength is going down, at some point we should see it spike back up, indicating that the node has roamed to another AP on a different channel. This provides an entire history of the “roam,” letting us know how much the signal strength degraded before the wireless client decided it was time to roam and how long it took the data to begin flowing again once the user was associated with the new AP. This information is critical in assessing the overall health of your network for handling time-sensitive applications, like voice over Wi-Fi (VoFi).
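The roaming analysis just described can be automated once you have per-frame signal-strength samples. The script below is an added example and is not Compass Live code; it runs over a small constructed capture (made-up MAC addresses, timestamps in milliseconds) aggregated across channels 1, 6 and 11. It estimates whether a client is mobile from the RSSI trend on a channel, and for each channel change reports how low the signal got before the roam and how long the client’s data stalled until the first data frame on the new channel.

```python
# Added example (not Compass Live code): detecting Wi-Fi roams and
# estimating client mobility from per-frame signal-strength samples, the
# analysis the text describes doing by eye on the Signal graph.
# Every sample below is constructed; the MAC addresses are made up.
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    t_ms: int        # capture timestamp in milliseconds
    client: str      # client MAC address
    channel: int     # channel the frame was captured on (1, 6 or 11 here)
    rssi: int        # signal strength in dBm
    is_data: bool    # True for data frames, False for management/control


# Constructed capture aggregated over channels 1, 6 and 11.
# Client ...01 walks away from its AP on channel 6, associates with a new
# AP on channel 11 at t=4300 and sends data again at t=4900.
# Client ...02 is stationary on channel 1.
SAMPLES = [
    Sample(0,    "aa:bb:cc:00:00:01", 6,  -55, True),
    Sample(1000, "aa:bb:cc:00:00:01", 6,  -60, True),
    Sample(2000, "aa:bb:cc:00:00:01", 6,  -68, True),
    Sample(3000, "aa:bb:cc:00:00:01", 6,  -75, True),
    Sample(4000, "aa:bb:cc:00:00:01", 6,  -80, True),
    Sample(4300, "aa:bb:cc:00:00:01", 11, -48, False),   # association on new AP
    Sample(4900, "aa:bb:cc:00:00:01", 11, -50, True),    # data flows again
    Sample(5900, "aa:bb:cc:00:00:01", 11, -51, True),
    Sample(0,    "aa:bb:cc:00:00:02", 1,  -50, True),
    Sample(1000, "aa:bb:cc:00:00:02", 1,  -52, True),
    Sample(2000, "aa:bb:cc:00:00:02", 1,  -49, True),
    Sample(3000, "aa:bb:cc:00:00:02", 1,  -51, True),
    Sample(4000, "aa:bb:cc:00:00:02", 1,  -50, True),
]


def rssi_slope(samples, client, channel):
    """Least-squares slope of RSSI over time, in dB per second, for one
    client on one channel. Integer sums keep the result exact."""
    pts = [(s.t_ms, s.rssi) for s in samples
           if s.client == client and s.channel == channel]
    n = len(pts)
    if n < 2:
        return 0.0
    sx = sum(x for x, _ in pts)
    sy = sum(y for _, y in pts)
    sxy = sum(x * y for x, y in pts)
    sxx = sum(x * x for x, _ in pts)
    den = n * sxx - sx * sx
    if den == 0:
        return 0.0
    return 1000 * (n * sxy - sx * sy) / den   # dB per ms -> dB per s


def is_mobile(samples, client, channel, threshold_db_per_s=1.0):
    """A steadily rising or falling signal means the node is moving; a
    stationary node's RSSI jitters around a mean with near-zero slope.
    The 1 dB/s threshold is an assumed value, tune it for your site."""
    return abs(rssi_slope(samples, client, channel)) >= threshold_db_per_s


def detect_roams(samples):
    """One event per channel change for each client: how low the signal got
    on the old channel before the roam, and how long until the first data
    frame on the new channel (the gap in which the user's traffic stalled)."""
    by_client = {}
    for s in sorted(samples, key=lambda s: (s.client, s.t_ms)):
        by_client.setdefault(s.client, []).append(s)
    events = []
    for client, seq in by_client.items():
        for i in range(1, len(seq)):
            prev, cur = seq[i - 1], seq[i]
            if cur.channel == prev.channel:
                continue
            # Contiguous run of frames on the old channel ending at prev.
            j = i - 1
            while j > 0 and seq[j - 1].channel == prev.channel:
                j -= 1
            on_old = [s.rssi for s in seq[j:i]]
            first_data = next((s for s in seq[i:]
                               if s.channel == cur.channel and s.is_data), None)
            events.append({
                "client": client,
                "t_ms": cur.t_ms,
                "from_channel": prev.channel,
                "to_channel": cur.channel,
                "rssi_before_roam": min(on_old),
                "data_gap_ms": None if first_data is None
                               else first_data.t_ms - prev.t_ms,
            })
    return events


if __name__ == "__main__":
    for ev in detect_roams(SAMPLES):
        print(ev)
```

On the constructed capture the mobile client’s RSSI falls at 6.5 dB/s on channel 6, it roams once (channel 6 to 11) after the signal has dropped to -80 dBm, and its data resumes 900 ms after the last frame on the old channel; the stationary client shows a slope of about 0.1 dB/s and no roam. Feeding real captures through this requires the per-frame RSSI and channel that a multi-channel aggregating capture provides, which is exactly why the aggregation feature matters for roaming analysis.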

3. See both sides of traffic with Transmit and Receive statistics.
For the more detail-oriented protocol analysts, there’s the transmit/receive option on Compass Live. With a single click, you can change the view to show the network traffic going in and out of your total network, or out of individual nodes or groups of nodes. Understanding this characteristic is critical when performing baseline assessments of your network.

4. Zoom in and out of conversations.
Compass Live can provide you with both a holistic picture of your network activity as well as the details. For example, if you are interested in seeing a larger view of what has just happened on your network, you can easily open a Compass project. A Compass project opens up all the files you captured simultaneously, and then graphs the activity that occurred on your network during this time period — traditionally, you would have to open each file individually for analysis. This ability provides you with an easily understandable view of how your network functioned or did not function for a select period of time.

Now, if you want a more detailed view, zoom in on a few seconds of data, and click the millisecond button. This will expand the view from one second granularity to millisecond granularity, allowing you to view in detail the specific conversations that created the network spike. Seeing these specific details will help you determine if there is a need for more detailed packet analysis. The screenshots below show how you can go from the seconds view to milliseconds view, and then from the milliseconds view how you can zoom into just the few milliseconds you are interested in. Talk about finding the needle in the haystack!

5. Generate HTML reports.
The HTML reporting function in Compass Live generates a one-page, dashboard-style HTML report consisting of the timeline graph with the selected nodes and protocols. Because the report reflects whatever is currently selected, you can adjust the interactive dashboard until it shows exactly the data you need, generate the report, and then publish it for others.

If you are interested in testing Compass Live please join our Beta program. We’ll be updating this application more in 2012, and we always appreciate feedback from our users. To learn more about Compass Live, check out this free OnDemand webcast.

Top Trends in Cyber Security and Attacks

IT security experts have labeled 2011 as the “Year of the Hack,” and appropriately so. Last year saw a diverse group of breaches that were financially and politically motivated. While each attack has its own unique fingerprint, some common elements are emerging – the quiet, persistent and sophisticated nature of today’s attacks.

If you compare a hack like the Microsoft MSBlaster worm of 2003 to Sony PlayStation’s data breach of April 2011, the motivation, sophistication, and direct cost are in stark contrast. MSBlaster was a fairly rudimentary worm that spread by exploiting a Windows RPC flaw and carried a simple Distributed Denial of Service payload aimed at Microsoft’s update site, and the motivation behind it was hacker glorification, i.e. penetrating a system just to boast about it over beer. It caused mostly embarrassment to the affected companies, and more annoyance than actual monetary losses (though in some cases significant costs were incurred to wipe out the infections). On the other side, the attack on Sony was financially motivated and garnered credit card numbers, passwords, and other very personal information of some 70M users, directly costing Sony $170 million and an estimated 10 to 100x that much in indirect costs.

As Distributed Denial of Service (DDoS) attacks and viruses, which are oftentimes associated with the idea of hacking for hacking’s sake, have steadily gone down in recent years, Advanced Persistent Threats (APTs) have gone up. APTs typically have political and financial motivation, and often include an element of revenge. According to a study by Bit9, of the 765 IT executives interviewed for their Endpoint Survey, 60% said that APTs are the biggest fear they have with security breaches and 28% feared that theft and disclosure was coming from insiders. APTs can often be an insider job, or at least aided by risky behavior from within the enterprise network.

Advanced Persistent Threats are what the name implies: a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists. However, that just skims the surface of understanding what APTs are and how they can affect you, so let’s take a look at each of the words that define Advanced Persistent Threat.

Advanced
Hacking techniques have been continually evolving, becoming more advanced at every turn, and in APTs hackers often combine multiple targeting methods. Since the perpetrators of APTs have strong financial backing and serious motivation, they often take time to focus on operational security, something rarely done in more opportunistic, less advanced threats. But the methods need not always be advanced. Consider the Citigroup breach of 2011. Though the target and the purpose certainly categorize this attack as an APT, the method turned out to be incredibly simple. The perpetrators identified a security flaw in the web-based banking application, an authorization bug of the kind now called an insecure direct object reference: once logged in with a known good account, they could simply change the account number in the URL string and immediately gain access to another account, because the application checked that the user was logged in but never checked that the requested account belonged to that user. It was then a simple task of writing scripts to first guess account numbers and, whenever a good one was found, to scrape the user information from the compromised account. Though perhaps not “advanced” in this case, the method was highly effective, resulting in more than 200,000 compromised customer accounts.
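To make the Citigroup flaw concrete, here is an added example (not code from Citigroup or from WildPackets) in Python: a request handler with the authorization gap described above, the same handler with the ownership check in place, the kind of enumeration script the attackers wrote, and a simple log check that would have flagged it. The sessions, account numbers and access log are all constructed for the example; the structure mirrors the article’s description, not any real banking application.

```python
# Added example: insecure direct object reference (IDOR) of the kind
# described for the Citigroup breach, beside the fixed handler, the
# attacker's enumeration loop, and a detection check over an access log.
# All sessions, accounts and log lines here are constructed.
from collections import defaultdict

# Constructed data: session token -> customer; account number -> record.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {
    "1000001": {"owner": "alice", "balance": 120.50},
    "1000002": {"owner": "bob",   "balance": 9800.00},
    "1000003": {"owner": "carol", "balance": 42.00},
}


def view_account_vulnerable(session, account_no):
    """Handler for something like /account?no=1000002. It checks that the
    caller is logged in but never that the account belongs to the caller,
    so any customer can read any account by editing the number in the URL."""
    if session not in SESSIONS:
        return {"error": "not authenticated"}
    acct = ACCOUNTS.get(account_no)
    if acct is None:
        return {"error": "no such account"}
    return {"account": account_no, "balance": acct["balance"]}


def view_account_fixed(session, account_no):
    """Same lookup, but the record is returned only if it is owned by the
    authenticated user. Unknown and foreign accounts get the same answer,
    so the response does not confirm which account numbers exist."""
    user = SESSIONS.get(session)
    if user is None:
        return {"error": "not authenticated"}
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct["owner"] != user:
        return {"error": "not found"}
    return {"account": account_no, "balance": acct["balance"]}


def enumerate_accounts(view, session, start, count):
    """What the attackers' script did: walk candidate account numbers with
    one valid login and keep every number that came back with data."""
    found = []
    for n in range(start, start + count):
        if "balance" in view(session, str(n)):
            found.append(str(n))
    return found


# Constructed access log as (session, account_no) pairs: alice's session
# walks ten consecutive numbers, bob's session reads its own account twice.
ACCESS_LOG = [("sess-alice", str(n)) for n in range(1000000, 1000010)] + [
    ("sess-bob", "1000002"),
    ("sess-bob", "1000002"),
]


def flag_enumeration(log, max_distinct=3):
    """Detection: one session asking for more distinct account numbers than
    a real customer plausibly owns. The threshold of 3 is an assumed value."""
    seen = defaultdict(set)
    for session, account_no in log:
        seen[session].add(account_no)
    return sorted(s for s, accts in seen.items() if len(accts) > max_distinct)


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(view_account_vulnerable, "sess-alice", 1000000, 10))
    print("fixed:     ", enumerate_accounts(view_account_fixed, "sess-alice", 1000000, 10))
    print("flagged:   ", flag_enumeration(ACCESS_LOG))
```

Against the vulnerable handler, alice’s single login harvests all three accounts; against the fixed handler she gets only her own, and the log check flags her session for touching ten distinct account numbers. Two points a practitioner should take from it: the attack was fully authenticated, so login hardening alone would not have stopped it, and the ownership check has to sit at the object level on every request, with the same “not found” answer for foreign and nonexistent accounts so the enumeration loop cannot even learn which numbers are live.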

Persistent
As stated earlier, and as evidenced by the Sony and Citigroup attacks, APTs are not opportunistic, simply seeking an easy way in for boasting rights. These are “low and slow” attacks, meaning they are relatively unnoticeable and steal information over a longer period of time, and the perpetrators will maintain long-term access to the target. Should access be broken along the way, every attempt will be made to regain it and continue with the attack, not unlike what Peter Gibbons was attempting to do in the movie Office Space.

Threat
APTs are typically backed by powerful, well-funded organizations (think organized crime or rogue governments), with the intent and the capability to achieve their goals. A key element is coordination and execution by human action rather than automation, at least until a stealthy, automated process can be implemented that has limited risk of being identified; to stay under the radar, an APT will often remain largely manual and incorporate only minimal automation.

As APTs begin to grow and DDoS attacks and viruses become less of a threat, it is important to ensure that you have security policies in place to protect your network. Even though 28% of IT executives fear theft and disclosure will come from within, 60% of these firms are either using the “honor system” or have no internal security policy whatsoever. In addition, a recent survey by Ponemon Institute reported that although 90% of respondents had at least one breach in 2011, 40% of those surveyed had no clue where the breach stemmed from, and 33% could only identify the source of some attacks. Without a clear understanding of the source, how can you possibly protect yourself from another occurrence?

In addition to the active security systems in place today, you need a security “insurance policy,” since it’s clear that today’s state-of-the-art security systems don’t do a complete job – after all, 90% of survey respondents had at least one breach in 2011, and 70% had two or more! This insurance policy takes the form of a network recorder, which passively records each and every packet traversing your network. When an attack happens, and statistics indicate it will, you’ll have a complete recording of the incident, allowing you to identify how the attack happened, what information was compromised and how to tune your existing network security tools to prevent future breaches. One caveat follows directly from the “low and slow” nature of APTs: the recorder’s retention window has to cover the attacker’s dwell time, or the packets from the initial compromise will have aged out before anyone goes looking for them.

To learn more about the trends and how to protect your network, check out our webcast “Cyber Security – IDS/IPS is Not Enough.”