a confluence of flows: keeping your head above water

www.wildpackets.com© WildPackets, Inc.

Jay Botelho

Director of Product Management

WildPackets

[email protected]

Follow me @jaybotelho

Show us your tweets!Use today’s webinar hashtag:

#wp_omniflowwith any questions, comments, or feedback.

Follow us @wildpackets

A Confluence of Flows

Keeping Your Head Above Water

© WildPackets, Inc. 2A Confluence of Flows

There’s no debate about the need for centralized

network monitoring

HOW?

The question is


Choices and Comprises

Overhead???

Cost???

Data

Gra

nu

lari

ty

Data Accuracy

SNMP

Flow-based

Packet-based


SNMP


SNMP

• Best used to identify and describe system configuration

• Monitor network-attached devices for high-level conditions

‒ Up/Down

‒ Total traffic (bytes, packets)

‒ Number of users

• Typically polling-based – heavy bandwidth impact

• Typically 5 second granularity

• Trouble-shooting/root cause analysis not possible


Flow-based


"Go With the Flow"

• Flows, or flow records, have become the default element used in centralized network monitoring

• A ―flow‖ is a sequence of packets that has the following seven identical characteristics:

‒ Source IP address

‒ Destination IP address

‒ Source port

‒ Destination port

‒ Layer 3 protocol type

‒ TOS byte

‒ Input logical interface

• By implication, a flow is unidirectional


Basic Flow Analysis

• Packets enter the switch or router

• Packets sampled and flows determined

• Flow records compiled and exported to flow collector

• Flow records stored and subsequently analyzed by flow analysis software

Source: Wikipedia

http://en.wikipedia.org/wiki/File:Netflow_architecture_en.svg


Flows vs. Flow Records

• Flows are a defined element

• Flow Records are analytical results that vary

by overall standard, vendor and

configuration

• The most common standards for flow

records include:‒ NetFlow

‒ IPFIX

‒ sFlow

‒ JFlow


Focus on NetFlow

• Packets typically 1500 Bytes each

• Packets come in spurts – up to several Mbytes

• 20 – 50 flow records per reporting interval

• Typically 1 minute reporting granularity

• Typically ―1 out of k‖ static sampling

• Overhead (bandwidth usage - # of packets in reporting period) linearly proportional to the # of flows

• Remember the prime directive – a switch MUST perform its primary function – forwarding packets!

• Lost reporting packets can seriously impact data reliability

• A higher number of smaller flows creates greater inaccuracies


On Your Network …


The Details


Common Flow-based Technologies

Netflow IPFIX sFlow Jflow

•Developed by

Cisco

•Proprietary

•Transit traffic &

terminated traffic

•Detailed info for

each flow

•NO payloads

•Sampling option

not 100%

accurate

• Internet Protocol

Flow Information

eXchange

•Emerging IETF

standard

•Based on

NetFlow


each flow

•NO payloads

•RFC 3176

•Statistical time-

based sampling

•Higher speed

networks

•Much less

common than

NetFlow

•NO payloads

•Sampled – not

100% accurate

•Developed by

Juniper

•Proprietary

•Similar to

NetFlow


each flow

•NO payloads

•Sampled per

global rate – not

100% accurate

Limited Troubleshooting/Root-cause Analysis


Packet-based

OmniFlow


Packet-based - OmniFlow

• Developed by WildPackets

• Analysis of every packet AND payload

• Unrivaled info for each flow

• Layer 3 - 7

• 100% accurate

• Minimal network impact – 10’s of Kbps

• Monitor AND troubleshoot


OmniFlow Data


Why Are Payloads Important?


OmniFlow and WatchPoint

• High-level, aggregated view

of all network segments

‒ Monitor per campus, per

region, per country

• Wide range of network data

‒ NetFlow, sFlow, OmniFlow

• Web-based, customizable

network dashboards

• Flexible and detailed reports


Sample WatchPoint Dashboard


Monitoring AND Detailed Analysis


Not All Flows Are Created Equal

Netflow IPFIX sFlow Jflow OmniFlow

•Developed by

Cisco

•Proprietary

•Transit traffic

& terminated

traffic

•Detailed info

for each flow

•NO payloads

•Sampled

option not

100%

accurate

• Internet

Protocol Flow

Information

eXchange

•Emerging

IETF standard

•Based on

NetFlow

•Detailed info

for each flow

•NO payloads

•RFC 3176

•Statistical

time-based

sampling

•Higher speed

networks

•Much less

common than

NetFlow

•NO payloads

•Sampled – not

100%

accurate

•Developed by

Juniper

•Proprietary

•Similar to

NetFlow

•Detailed info

for each flow

•NO payloads

•Sampled per

global rate –

not 100%

accurate

•Developed by

WildPackets

•Proprietary

•Analysis of

every packet

AND payload

•Unrivaled info

for each flow

•Layer 3 - 7

•100%

accurate

•Monitor AND

troubleshoot


Choices and Comprises

Overhead

Cost

Data

Gra

nu

lari

ty

Data Accuracy

SNMP

Flow-based

Packet-based


Summary

• Flow records are NOT created equal

• OmniFlow analyzes packet headers AND payloads

• OmniFlow is NOT statistical - 100% accurate

• OmniFlow provides analysis for all network layers

• WatchPoint aggregates data from multiple OmniFlow data streams

• When OmniFlow data isn’t available, WatchPoint also aggregates both NetFlow and sFlow data for a comprehensive network monitoring solution


Company Overview


Corporate Background

• Experts in network monitoring, analysis, and troubleshooting

‒ Founded: 1990 / Headquarters: Walnut Creek, CA

‒ Offices throughout the US, EMEA, and APAC

• Our customers are leading edge organizations

‒ Mid-market, and enterprise lines of business

‒ Financial, manufacturing, ISPs, major federal agencies,

state and local governments, and universities

‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000

• Award-winning solutions that improve network performance

‒ Internet Telephony, Network Magazine, Network Computing Awards

‒ United States Patent 5,787,253 issued July 28, 1998• Different approach to maintaining availability of network services


What We Do

• Provide network visibility and intelligence …‒ WatchPoint, OmniPeek, OmniEngines

• Expert systems – we find the problems for you

• Superior drill-down capability – trouble-shoot from anywhere

• Flexible, customizable, extensible – leverage your investment

‒ Professional services, training, best practices

• For all network segments …‒ Data center to desktop to remote office

‒ LAN, WAN, Wireless …

‒ HTTP, Email, Database, VoIP, Video …

• To …‒ Network engineers; IT Management; Developers


Real-World Deployments

Education

Health Care / Retail

Financial

Telecom

Government

Technology

http://www.fbiband.com/

http://www.dea.gov/


Product Line Overview


Product OfferingsSoftware and Turnkey Appliances

• Enterprise Monitoring and Reporting‒ WatchPoint Server

‒ OmniFlow, NetFlow, and sFlow Collectors

• Network Probes & Recorders‒ Omnipliance Network Recorders – Edge, Core

‒ TimeLine Network Recorder

‒ OmniAdapter Analysis Cards

• Distributed Analysis Software‒ OmniPeek – Enterprise, Professional, Basic, Connect

‒ OmniEngine – Enterprise, Desktop, OmniVirtual

• Portable Solutions‒ OmniPeek software

‒ Omnipliance Portable


WatchPointCentralized Monitoring for Distributed Enterprise Networks

• High-level, aggregated view

of all network segments

‒ Monitor per campus, per

region, per country

• Wide range of network data

‒ NetFlow, sFlow, OmniFlow,

SNMP

• Web-based, customizable

network dashboards

• Flexible and detailed

reports


Omnipliance Network Recorders

• Captures and analyzes all network traffic at the source 24x7

‒ Runs our OmniEngine intelligent probe software

‒ Generates vital statistics on network and application performance

‒ Intuitive root-cause analysis of performance bottlenecks

• Intelligent data transport

‒ Network data analyzed locally

‒ Detailed analysis passed to OmniPeek on demand

‒ Summary statistics sent to WatchPoint for long term trending and

reporting

‒ Efficient use of network bandwidth

• Expert analysis speeds problem resolution

‒ Fault analysis, statistical analysis, and independent notification

• Multiple Issue Digital Forensics

‒ Real-time and post capture data mining for compliance and

troubleshooting


TimeLine Network Recorder11.7Gbps Sustained Capture

• Fastest network recording and real-time statistical

display — simultaneously‒ Network statistics display in TimeLine visualization format

• Rapid, intuitive forensics search and retrieval‒ Historical network traffic analysis and quick data rewinding

‒ Several pre-defined forensics search templates making

searches easy and fast

• A natural extension to the WildPackets product line

• Turnkey bundled solution


Omnipliance Network RecordersPrice/performance solutions for every application

Portable Edge Core TimeLineRuggedized

Troubleshooting

Small Networks /

Remote Offices

Regional Offices /

Small Datacenter

Datacenter

Workhorse

Chassis 1U 3U 3U

Memory 2 GB / 8 GB 4 GB / 8 GB 6 GB / 24 GB 18 GB / 24 GB

Expansion 1 PCI-E / 2 PCI-X 1 PCI-E or 1 PCI-X 4 PCI-E 4 PCI-E

Storage 500 GB / 2.5 TB 1 TB 8 TB 8 TB / 16 TB / 32 TB


OmniPeek Network Analyzer

• OmniEngine Manager

‒ Connect and configure distributed OmniEngines/Omnipliances

• Comprehensive dashboards present network traffic in real-time

‒ Vital statistics and graphs display trends on network and application

performance

‒ Visual peer-map shows conversations and protocols

‒ Intuitive drill-down for root-cause analysis of performance bottlenecks

• Visual Expert diagnosis speeds problem resolution

‒ Packet and Payload visualization provide business-centric views

• Automated analytics and problem detection 24/7

‒ Easily create filters, triggers, scripting, advanced alarms and alerts


Key Differentiators

• High-level network monitoring to root-cause analysis

• Single solution for today’s converged networks‒ Wired, Wireless, 1GB, 10GB, VoIP, Video, TelePresence, IPTV

• Reduce and even eliminate network downtime‒ Automated monitoring 24x7

‒ Speedy resolution of network bottlenecks

• Improve network and application performance

• Uniquely Extensible Platform – tailored to your needs‒ Plug-ins and APIs for integration and customization


Q&A

Show us your tweets!Use today’s webinar hashtag:

#wp_omniflowwith any questions, comments, or feedback.

Follow us @wildpackets

Follow us on SlideShare!Check out today’s slides on SlideShare

www.slideshare.net/wildpackets


Thank You!

WildPackets, Inc.

1340 Treat Boulevard, Suite 500

Walnut Creek, CA 94597

(925) 937-3200

a confluence of flows: keeping your head above water

Technology

wildpackets wildpackets

flow flows

flowbased wildpackets

flow records flows

wildpackets analysis

snmp wildpackets

flow source

basic flow analysis