EBOOK 915-6946-01 Rev. A, January 2014 www.ixiacom.com Seeing a New Forest Through the Trees


Table of Contents

Take the Path of True Application-Awareness for Greater Business Intelligence (page 4)
The New APM: Delivering Ultra-Intelligence to the Network (page 4)
The Foundation of APM: Flows, Applications, Sessions and DPI (page 4)
Fundamental Flow Monitoring (page 5)
A Brief TCP/IP Primer (page 5)
The Importance of Basic Packet Structure to the Flow (page 6)
Monitoring the Flow (page 6)
Achieving Superior Monitoring and Analysis (page 7)
A Familiar Example: Web Browsing (page 7)
Spyke: Moving Beyond Complexity to All-In-One Simplicity (page 9)
Spyke Brings Together Two Discrete Technologies—APM and Intelligent Access—To Yield an Exciting New Approach (page 10)
Visibility—the Make-or-Break Issue (page 10)
The New Face of Application Performance Monitoring (page 10)
An Unrivaled Set of Problem-solving Resources (page 11)
Limitations of Performance Tools (page 11)
Mastering the Challenges of Volume Data (page 11)
Summary (page 12)


Take the Path of True Application-Awareness for Greater Business Intelligence

Higher speeds. Increasing data volumes. Multiplying applications. There’s no question that we’re at the frontier of a new, challenging and opportunity-rich networking landscape. More than ever before, it’s critical to have a robust architecture with the flexibility, visibility, and scalability to deliver deep intelligence about your network to you from any web-based device. This is Application Performance Monitoring (APM) driven to a whole new level by the demands of soaring data growth. Right now, the need is critical for the power to perform Deep Packet Inspection (DPI) with total reliability on massive data flows that are only going to keep rising.

Today’s needs call for a revolutionary APM architecture that goes well beyond traditional performance monitoring to provide a richer set of data than ever before; one that touches on security, policy management and even lawful interception. This is the new APM.

The ability to extract application-specific metrics tailored to the needs of each application is absolutely critical in achieving true APM functionality. Yet, this very feature seems lacking in so many offerings. This eBook explores a new route to those very capabilities needed to support a wide range of applications—a full “tree” so to speak. That route leads to true business intelligence and brings amazing new security, reliability and flexibility resources to the new landscape.

The New APM: Delivering Ultra-Intelligence to the Network

APM holds the key to enabling confident growth in the cloud because it makes possible the application visibility, optimization, and control to support today’s volume and complexity.

APM delivers the intelligence and application-awareness to dramatically raise the performance, availability, and security of cloud-based services. And APM holds the key to visibility—that all-encompassing ability to discover applications running on the network, analyze their performance, and gain a deep understanding of how the network is being used. Visibility is not only vital to security, it is also necessary for prioritizing critical applications. The good news is that there is now an APM solution that supports business intelligence by delivering end-to-end visibility of the network and applications; taking the industry beyond point solutions and infrastructure silos.

The Foundation of APM: Flows, Applications, Sessions and DPI

Today, there is a lot of confusion around the idea of flow monitoring, application monitoring, session analysis and the place of Deep Packet Inspection. Vendors use these terms prolifically to describe their own product sets, but unfortunately they mean different things to different people. So for the purposes of this discussion, let’s define some of the terms.


Fundamental Flow Monitoring

Let’s start with flow monitoring as the basic building block of the APM structure. For obvious reasons, many flow monitoring vendors today are claiming to be application performance vendors—and to some extent it could be argued that they are, as there is no generally accepted definition of APM.

To truly clarify the value and power of APM, let’s look at flow monitoring in terms of its technology—the packets and IP protocol itself. These fundamental concepts are actually quite simple.

As most are aware, information is transmitted across modern networks as discrete units of information called “packets” by means of a common protocol known as Transmission Control Protocol / Internet Protocol (TCP/IP). Networking used to be a wilderness of literally dozens of protocols, but TCP/IP has emerged as all-powerful.

The term itself is less important than the fact that TCP/IP is actually two different protocols cobbled together. Each packet on the network has an IP portion and TCP portion (there are others, but for the sake of this discussion, we will consider only TCP/IP).

As shown below, each packet is broken into basic parts: an IP header, a TCP header and a payload. The IP header contains the addressing information—where to send the packet. This IP header is analogous to the recipient address and return address on a letter, letting the routers and switches know where to direct the packet. The TCP header describes what type of packet it is, using “Port Numbers” to define different types of packets; for example, Port 80 typically defines a packet to or from a web server.

Figure 1: Packet Contents (IP Header = Layer 3, TCP Header = Layer 4, Payload = Layer 7)

The payload contains the data itself; in the web context, it might hold the URL string or the actual data from the web page itself.

One more item before we define flow monitoring:

A Brief TCP/IP Primer

Vendors often refer to Layer 3 or Layer 4—or even to the ubiquitous Layer 7. These layers originate from a theoretical model of networking called the OSI model. This model defined seven layers for networking: Layer 1 is the physical medium, such as the actual copper or fiber; Layer 7 is the application itself. Although these layers have fallen into common parlance, many people do not actually understand the origins of the OSI model.


TCP/IP does not strictly conform to the OSI model, but rather merges some layers together. Again for simplicity, with respect to the layers, the TCP/IP packet looks as shown above.

There are effectively only three layers in TCP/IP, Layers 3, 4 and 7. Layer 3 corresponds to the IP header, Layer 4 to the TCP header and Layer 7 to the payload itself.

The Importance of Basic Packet Structure to the Flow

Understanding basic packet structure is critical, as is the concept of flow monitoring. Many vendors claim APM functionality but actually offer only flow monitoring, whereas Net Optics’ Spyke™ family of APM solutions carries out true application identification and analysis—setting it apart and substantially increasing the value it brings to customers.

So now that we have described TCP/IP, let’s consider flow monitoring itself. The good news is that both TCP and IP are protocols; that is, they are well defined and documented in Internet documents called Requests for Comments (RFCs), which are openly available for anyone to implement. Protocols themselves are very strict; for example, we know that at a particular byte offset we will see the source or sender’s address; at another we will see the destination or recipient’s address; and at yet another, the TCP port number. In fact, the protocols define many fields, each at a specific and well-known location.

This arrangement makes reading IP and TCP headers and extracting information very simple, since byte count offsets are well defined and known. For this reason, many vendors rely on extracting information from the headers for statistical details about each packet (one of the header fields is packet-length so we can even use the header to determine bandwidth usage).

Monitoring the Flow

Deriving statistical information from packet headers is easy, but packets do not exist in isolation; most applications rely on many packets to transfer data. The mechanism that groups together multiple packets associated with an application is commonly referred to as a “flow.”

Each unique flow may be identified by fields contained in the IP and TCP header. Five fields are commonly used to identify a flow (referred to as a 5-tuple identification). Grouping multiple packets into flows further reduces the processing and storage overhead on monitoring systems, as we need collect statistical information only for each flow rather than for each packet.

Think of a flow as a telephone conversation: Each telephone call typically has two parties, each of whom can communicate at the same time. In the same way that a phone call is bidirectional, an IP flow is typically made up of two unidirectional flows. Many (but, importantly, not all) monitoring tools perform “flow stitching” to put the two unidirectional flows back together and form a single bidirectional flow (similar to a phone call).

Products that rely on extracting header information to identify IP flows are called flow monitoring tools. Cisco NetFlow is the best-known candidate in this space. Flow monitoring is easy to perform, as every IP packet conforms to the TCP/IP protocol irrespective of the underlying application.
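As an added example (not code from the eBook or from Net Optics/Ixia), the following Python builds a few raw IPv4/TCP packets, reads the 5-tuple (source and destination address, source and destination port, protocol) from the fixed byte offsets described above, and stitches the two unidirectional flows of one conversation into a single bidirectional record. Addresses, ports and payloads are constructed sample values.

```python
"""Flow monitoring from fixed-offset IP/TCP header fields (added example)."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address

IPPROTO_TCP = 6


def build_packet(src, dst, sport, dport, payload):
    """Construct a minimal IPv4 + TCP packet (no options, checksums zeroed)."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0, 0, 64, IPPROTO_TCP, 0,
                         IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_headers(pkt):
    """Read the fields the text says sit 'at a well-known byte offset'."""
    ihl = (pkt[0] & 0x0F) * 4               # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    proto = pkt[9]
    src = str(IPv4Address(pkt[12:16]))
    dst = str(IPv4Address(pkt[16:20]))
    if proto != IPPROTO_TCP:
        return None                         # this example only handles TCP
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    thl = (pkt[ihl + 12] >> 4) * 4          # TCP data offset in bytes
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": proto, "length": total_len,
            "payload": pkt[ihl + thl:total_len]}


def flow_key(h):
    """Canonical 5-tuple: order the endpoints so both directions map to one key."""
    a = (h["src"], h["sport"])
    b = (h["dst"], h["dport"])
    return (h["proto"],) + (a + b if a <= b else b + a)


def stitch_flows(packets):
    """Group packets into bidirectional flows with per-direction byte counts."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0,
                                 "fwd_bytes": 0, "rev_bytes": 0})
    for pkt in packets:
        h = parse_headers(pkt)
        if h is None:
            continue
        key = flow_key(h)
        rec = flows[key]
        rec["packets"] += 1
        rec["bytes"] += h["length"]          # header field gives bandwidth use
        # "Forward" is the direction of the first endpoint in the canonical key.
        if (h["src"], h["sport"]) == key[1:3]:
            rec["fwd_bytes"] += h["length"]
        else:
            rec["rev_bytes"] += h["length"]
    return dict(flows)


# Constructed sample traffic: one web conversation in both directions plus an unrelated flow.
SAMPLE = [
    build_packet("10.0.0.5", "93.184.216.34", 51234, 80,
                 b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    build_packet("93.184.216.34", "10.0.0.5", 80, 51234,
                 b"HTTP/1.1 200 OK\r\n\r\n<html>"),
    build_packet("10.0.0.5", "93.184.216.34", 51234, 80, b""),
    build_packet("10.0.0.7", "10.0.0.9", 40000, 22, b"SSH-2.0"),
]

if __name__ == "__main__":
    for key, rec in stitch_flows(SAMPLE).items():
        print(key, rec)
```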


Achieving Superior Monitoring and Analysis

Flow monitoring occurs at layer 4; it provides reasonable information about network traffic and can be carried out simply and at high speed. Why then do we need to go any further? Historically it has been sufficient to examine network traffic at layer 4, as most applications used a distinct TCP port number (contained in the TCP header). This meant that we could usually identify applications based on information contained in the TCP header alone.

However, there are two main problems with this approach: First, many applications use the same, or common, TCP port number—for example, many web applications use TCP Port 80, making it impossible to differentiate applications based on port number alone. Secondly—and perhaps more importantly—the statistical information needed to characterize performance for one application may be different from that used for another, causing confusion and inaccuracy.

The only way to really examine application-specific performance is to look beyond the IP and TCP header into the payload; that is, to examine the packet at ‘Layer 7’ using deep packet inspection (DPI).

After inspecting the header, one would think it is easy to assess the payload as well, but this simplicity is deceptive. Examining the payload is actually very difficult. For one, no standards determine how applications store data in the payload, so every application takes a different approach, often proprietary. This makes the task of identifying individual applications within the payload very difficult indeed. It becomes even more challenging to employ DPI and application identification at speed.

The upside is that if we can inspect and interpret within the payload, this information is a far richer source of performance data. The challenge is large—but the rewards are great.

A Familiar Example: Web Browsing

To diverge for a moment, let’s consider a common and relatively well-understood application: web browsing. The diagram below shows a normal web browsing session as a TCP/IP flow using TCP port 80.

However the payload is where it becomes interesting: The payload contains the URL of the website along with a wealth of other statistical data such as web server type, client browser type, server response code, page download time and much more.

Now let’s take another completely different application—this time a web-based email programme such as Yahoo Mail. Looking at the diagram again we see that Yahoo Mail shares commonality with web browsing up to and including Layer 4 and even uses the same transport protocol, HTTP. Traditional flow-based tools cannot differentiate between web browsing and Yahoo Mail as they look identical up to layer 4.

However, these are clearly different applications; one is browsing, and the other is email. Whilst we might be interested in URL, page download and browser type for web browsing, these metrics are meaningless for Yahoo Mail. Email metrics are more likely to be the “to” and “from” addresses, attachment name, subject and so on. More similarities and differences appear on the diagram below.


Note that there are many flow-type attributes in common between Web browsing and Yahoo Mail that are of interest, including source and destination address, bytes transferred, latency and so on. There are also many more application-specific attributes or metrics.

The ability to use DPI to look inside a payload and identify application-specific metrics is a cornerstone of Net Optics Spyke solutions, and is not currently well addressed by other vendors.
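An added example, not part of the eBook or of any Net Optics/Ixia product: the Python below puts a port-only classifier beside a minimal layer-7 HTTP parser over constructed port-80 payloads, recovering URL, browser type, server type and response code, and separating plain browsing from a webmail application by its Host header. The "mail."/"webmail." hostname rule and all sample payloads are assumptions made for illustration.

```python
"""Port-based vs payload-based (DPI) classification of port-80 traffic (added example)."""
import re

# Constructed heuristic: treat hosts named mail.* or webmail.* as a webmail application.
WEBMAIL_HOSTS = re.compile(r"^(mail|webmail)\.", re.IGNORECASE)


def classify_by_port(dport):
    """Layer-4 view: everything on port 80 looks the same."""
    return "http" if dport == 80 else "other"


def parse_http(payload):
    """Split an HTTP request or response into start line, header map and body."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def inspect_request(payload):
    """Layer-7 view of a client request: URL, browser and application class."""
    start, headers, _ = parse_http(payload)
    parts = start.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None                          # not an HTTP request despite port 80
    method, path, _ = parts
    host = headers.get("host", "")
    app = "webmail" if WEBMAIL_HOSTS.match(host) else "web-browsing"
    return {"method": method, "url": f"http://{host}{path}",
            "browser": headers.get("user-agent", "unknown"), "application": app}


def inspect_response(payload):
    """Layer-7 view of a server response: status code and server type."""
    start, headers, _ = parse_http(payload)
    parts = start.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return None
    return {"status": int(parts[1]), "server": headers.get("server", "unknown")}


# Constructed sample payloads, all carried on TCP port 80.
SAMPLES = [
    (80, b"GET /news HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Firefox/120\r\n\r\n"),
    (80, b"GET /inbox?folder=Inbox HTTP/1.1\r\nHost: mail.example.net\r\nUser-Agent: Chrome/118\r\n\r\n"),
    (80, b"HTTP/1.1 404 Not Found\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n"),
    (80, b"\x16\x03\x01\x00\xa5\x01"),    # same port, but not HTTP at all
]


def compare_views(samples):
    """Return (port_label, dpi_result) per sample to show what each layer sees."""
    out = []
    for dport, payload in samples:
        dpi = inspect_request(payload) or inspect_response(payload)
        out.append((classify_by_port(dport), dpi))
    return out


if __name__ == "__main__":
    for port_label, dpi in compare_views(SAMPLES):
        print(port_label, dpi)
```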

Figure 2: Web Browsing vs Yahoo email. Common trunk: IP Information, TCP Information, HTTP (Port 80). Web browsing leaves: URL, Search Strings, Page Download Time. Yahoo email leaves: Attachment Name, To/From Address, Subject line.

The concept extends well beyond web browsing and Yahoo Mail, of course. There are literally thousands of applications that need consideration, making the tree diagram very complex indeed.

The current Spyke architecture can support—identify—well over 1000 applications within the payload, represented as a tree with 1000 branches in the diagram above (from the IP/TCP trunk, as opposed to application-specific metrics, which would be represented as leaves numbering in the tens of thousands). This means that although Spyke does not actually support those thousands of applications today, the architecture is in place to do so.

The salient point here is that while many vendors support only a single application above layer 4, they nevertheless claim “full application awareness” or even layer 7 support (shown as the red branch above). Most of these vendors will support some deep packet inspection to inspect web browsing only; although they support only a single specific application, they market themselves as APM tools!

Spyke: Moving Beyond Complexity to All-In-One Simplicity

The Spyke approach to APM is engineered to reflect the most advanced state of the art—far beyond conventional performance monitoring or flow monitoring—to provide a far deeper and richer set of data. The advantage of such pinpoint accuracy and granularity cannot be overstated—particularly when it comes to security, policy management and lawful intercept. Spyke has demonstrated that it represents a truly innovative approach to APM and leverages the value of this technology far beyond others currently on the market.

Figure 3: Application Awareness. Trunk: IP Information (Layer 3), TCP Information (Layer 4), HTTP (Port 80). Layer 7 branches: Web Browsing, Yahoo email, VoIP, Citrix, SMB.


Spyke Brings Together Two Discrete Technologies—APM and Intelligent Access—To Yield an Exciting New Approach

Spyke’s deep and enriched APM capabilities complete a truly comprehensive network access and monitoring solution. It builds on Net Optics’ proven knowledge and experience in the access and network space, forging ahead into the network’s Application Layer. Spyke is a true APM solution—a leap forward compared to vendors who offer merely flow monitoring or very limited APM functions and yet market themselves as “application-aware.”

Economical and intuitive, Spyke incorporates a multitude of solutions into one appliance—alleviating the need to invest in multiple analysis tools. Only Spyke is able to deliver total network visibility, so essential to monitoring. At this point, it is safe to say that, “Without Spyke’s visibility, you cannot actually monitor your applications.” The value of this granular monitoring is that network issues become capable of detection far earlier, guaranteeing superior service for your customers and streamlined, cost-efficient business operations for you.

Visibility—the Make-or-Break Issue

Companies may state that visibility is the major enabler of network monitoring—yet they are still unable to deploy that visibility and monitor where it counts. They continue relying on end users to report problems—and by the time they hear of these issues, network performance has already been affected.

Now Spyke removes the guesswork, providing the ability to identify problems proactively and spur quick response. Spyke’s superior application-awareness lets it deliver alerts based on thresholds—both instantly and as trend analysis, showing you where the problems lie so you can take action and minimize their impact.

The New Face of Application Performance Monitoring

Spyke is proof that at the leading edge of APM, things become simpler rather than more complex. In fact, a single-source solution reduces complexity, deploys quickly and easily, and reduces cost of ownership.

Customarily, businesses had to deploy multiple components to comprise a network monitoring system. Components include network ACCESS—in the form of a span port or tap device, SOFTWARE that can capture network traffic and analyze it, and lastly a piece of HARDWARE on which to run the software, such as a PC or laptop. Uniting these components can be complex and costly.

However, Spyke encompasses all three components in a purpose-built solution: Tap, software and hardware. A convenient graphical interface displays reports instantly on computers, smart phones, tablets or any web-based device—eliminating the need for a dedicated machine.


An Unrivaled Set of Problem-solving Resources

Spyke incorporates the essential tools to detect, diagnose and solve issues—all in a single, integrated solution. So customers enjoy total network visibility for a single, simple and scalable investment. With substantially lower complexity, they gain the granular levels of detail they need for a healthy, smoothly running network.

One of APM’s deepest values is the ability to report on the time it takes between hitting “Enter” and seeing a response on a user’s own device. Spyke is architected to ensure optimal service delivery while making it easy for the user.

Simple to deploy and operate, with a familiar web-based interface, Spyke enables nearly anyone to drill down from a high-level view to unrivaled granularity—even to monitor every conversation on the wire! This user-friendliness cuts training and operations costs substantially and allows companies to track application usage across the network—delivering a superior end-user experience while saving money.

Limitations of Performance Tools

One persistent source of frustration is tackling end user experience from a network perspective; a piecemeal attempt that yields only part of the information. Traditional tools can quantify network congestion or measure throughput, but lack insight into true application performance.

Spyke’s granularity and specificity now allow for inspecting the payload of packets that may be converging onto similar port numbers. Applications using Port 80, for example, can be identified as web, VoIP or video and so forth, for correct categorization and pinpointing of end user issues.

Traditional flow monitoring, which relies on packet headers for information such as port number, is no longer enough of a solution. Deep inspection of the payload is now the gold standard: DPI.

Spyke’s hardware-based, robust engineering for massive network traffic and ultra-heavy data payloads allows it to carry out DPI at blazing speeds—nearly impossible to perform with a software-based solution running off a dedicated PC. Now users can easily visualize network and application performance.

Mastering the Challenges of Volume Data

Spyke’s architecture combines tapping (or access), software and custom-designed hardware to enable high speed amid rising data volumes. Spyke breaks out amazingly granular information—round trip time, page download, data on jitter and MOS for voice, and other application-specific metrics for a clear, accurate view of the end user experience. This rich data set enables issue diagnosis and goes beyond generic metrics to the precise tailoring of metrics to suit an application—meaningful metrics.

Spyke’s ability to retain a statistical record for every single IP conversation across the entire network—both flow-specific and application-specific metrics—results in very large data sets with hundreds of millions of flow records. These must be examined and retained each day. Spyke’s unique, sophisticated database technology lets network operators query these enormous data sets to identify the few conversations causing issues: a rare and valuable ability to find the “needle in the haystack” quickly and cost-effectively.


Summary

Spyke’s ability to support and analyze a wide range of applications—a “full tree”—differentiates it profoundly from other offerings. Extracting application-specific metrics tailored to the needs of each application is critical to true APM—yet many offerings are severely deficient by comparison in this essential capability. Customers must make extremely sure that they are investing in a true APM-capable solution in order to derive full benefit from the leading edge of this exciting and productive technology.

Figure 4: How Spyke Fits into OSI Network Layers. OSI layers 7 to 1: Application, Presentation, Session, Transport, Network, Data Link, Physical. Spyke functions shown alongside: Application Aware DPI, Port Number ID, Conversation Matrix, Volume Summary.

About the Author

David Britt, Director of APM Technology, brings to Net Optics over 20 years’ experience in networking—building solutions for network performance monitoring, security and lawful interception. Dave is the lead developer behind Net Optics’ application performance monitoring solutions.

Previously, Dave was the co-founder of Triplelayer Networks, which Net Optics acquired in January of 2012 after an eight-year history of successful joint deployments for some of the world’s largest telecommunications providers, financial services firms and enterprises across the Asia-Pacific region.

Dave has helped companies extend network visibility to remote sites and branch offices with the creation of the appTap™. This important network and application performance monitoring tool provides packet capture, flow analysis and Deep Packet Inspection (DPI) in traditional network blind spots. appTap is ideally suited to working within an entire network topology such as a remote branch or satellite office.


Ixia Worldwide Headquarters
26601 Agoura Rd.
Calabasas, CA 91302
Toll Free North America: 1.877.367.4942
Outside North America: +1.818.871.1800
Fax: 818.871.1805
www.ixiacom.com

Ixia European Headquarters
Ixia Technologies Europe Ltd
Clarion House, Norreys Drive
Maidenhead SL6 4FL
United Kingdom
Sales: +44 1628 408750
Fax: +44 1628 639916

Ixia Asia Pacific Headquarters
21 Serangoon North Avenue 5
#04-01
Singapore 554864
Sales: +65.6332.0125
Fax: +65.6332.0127