traffic analysis for non flow-enabled networks with whatsup flow publisher (part 1 of 2)
DESCRIPTION
Learn how WhatsUp Flow Publisher gives you traffic analysis on your network without requiring flow-enabled hardware.TRANSCRIPT
1
Traffic Analysis How ToWebinar Series
Traffic Analysis for Non Flow-Enabled Networks
January 12, 2010
22
Agenda:
Today’s Presenters:– Kevin Gillis, VP Product Management, Network Management– Jason Williams, Product Manager & The WhatsUp Guru
Agenda:– The Need for Traffic Analysis– Session 1 Recap– Flow Publisher Overview– “TAP”ing– Technical Demonstration– Q&A– Next Steps
3
The Need for Traffic Analysis
• My network is slow and I do not know why…– Existing tools don’t give me any or enough visibility…
• Into user and application network bandwidth utilization• Into network performance issues• Into locating and troubleshooting issues• Into applications and their effect on the network• Into security breaches and unauthorized usage
Tools are either too expensive or complex to deploy
4
The Need for Traffic Analysis• My network is slow and my network does not know why…
– Existing hardware does not give me any or enough visibility…• My network hardware is not NetFlow, sFlow or J-Flow capable• My network hardware is not NetFlow, sFlow or J-Flow enabled• My network hardware is flow capable but it’s too expensive enable by taking
down the network, adding hardware and upgrading the IOS • The segment of my network is not 100% flow enabled
• Current solutions– Require expertise in packet level and protocol level analysis– Require device or network upgrades/downtime– Require investment in appliances or probes
Flow enabled hardware is either too expensive or complex to deploy
5
Application and User Traffic Analysis
• Rapid isolation of server versus network based issues• Insight into reasons for application traffic
– Traffic loads– Users– Peak usage timeframes
• Locate under and over subscribed applications and servers– Standalone servers– Virtualized servers
• Traffic to individual virtual machines (VMs)
Why is server based traffic analysis important?
Creates opportunity to optimize server infrastructures based upon actual user and application utilization data
6
Server Traffic Analysis Deployment
• Flow Publisher Server Agent– Windows Server
• 32 & 64 bit: Standard and Enterprise Server 2008 and Standard & Enterprise Server 2003 SP2
• Non-virtualized and virtualized servers
• Network interface
– Runs as a Windows service• Small resource footprint
Application and user traffic analysis at the source
7
“TAP”ing
8
TAPing…What’s a TAP and how does it work?
– TAP stands for Test Access Point.– A network tap is a fully passive device.– Electrically or optically packets are copied onto the tap ports.
Considerations– Fidelity: You get 100% guaranteed view of network traffic even with larger
deployments of 10 Gigabit+. They are completely passive and do not cause any distortion even on FDX and full bandwidth networks.
• Nothing is dropped/filtered, short or large frames, bad CRD frames, regardless of bandwidth. • Nothing is altered including time relationships (spacing and response times) of frames which
are especially important with VoIP and Triple Play analysis including FDX analysis.– Do not groom data nor filter out physical layer errored packets– Do not introduce any additional jitter or distortion which is important in VoIP / Video analysis.
• Some taps (e.g. regeneration taps) have multiple output ports to allow more than one device to monitor the network at the tap point.
• A tap has one tap port per direction. To monitor 1 link, you need 2 NICs, one for each direction. You can merge both directions into one single port using a hub.
• Can handle IPv4 and IPv6 traffic.– Security: Taps are not addressable network devices & therefore cannot be hacked– Ease of Use: Taps have no setups or command line issues so getting all the data is
assured and saves users time. They are also fault tolerant.
9
TAPing…Summary:
– Taps offers high integrity and fidelity by offering 100% packet capturing with no packet or frame alterations.
– As a fully passive device, it does not impact the performance or scalability of the switch or router unit.
– Requires additional hardware to be purchased and installed potentially leading to downtime.
10
Flow Publisher 1.0 Overview
11
Flow Publisher v1.0 Summary
• Flow data generated from raw network traffic– Convert raw traffic into NetFlow v1, v5 and v9 compliant flow records
• Full range of NetFlow information• Not sampled flow data
• Pinpoint or broad traffic analysis– Windows servers and any applications (e.g. Oracle, SAP, Exchange)– Passive using TAPs (Test Access Point)– Active packet duplication through virtually any network device
supporting port mirroring
• High impact: non-invasive and inexpensive to maintain– Leverages existing network infrastructure– No device hardware or software upgrades required– Does not require network or device downtime
Enables flow analysis for non-flow capable devices
12
Flow Publisher v1.0 Features
• Two Components1. Agent Manager Interface
• Configure and manage a single or multiple agents
2. Flow Publisher Agent• Processes raw traffic data• Standalone installation
» Windows computer
– TAP or mirrored interfaces
– Accepts raw traffic from up to 4 individual interfaces
• Hosted installation– Directly on Windows Servers
» Application monitoring
» User monitoring
» VMware Virtualized Systems
Software only solution
2.
1.
13
Flow Publisher v1.0 Features cont’d
• Integrates with v14.x of WhatsUp Gold and v2.0 of Flow Monitor for:
– Real-time traffic monitoring and analysis
– Threshold alerting
– 40+ reports (web and mobile)
• Maps MAC addresses to reported interfaces • Jumbo and fragmented packet support• Configurable logging
– 3 levels of detail
• 2 levels of traffic capture– Normal
– Promiscuous
14
Flow Publisher v1.0 Features cont’d
Provides the same information into Flow Monitor for analysis and reporting as other NetFlow sources. This includes the following:
1. Protocol 2. Application (port number) 3. Conversations 4. Sender host 5. Receiver host 6. Sender domain 7. Receiver domain 8. Sender top level domain (TLD) 9. Receiver TLD 10. Top sender country 11. Top receiver country 12. Type of service (ToS) 13. Top Senders with the Most Conversation Partners14. Top Senders with the Most Failed Connections15. ICMP Types16. Top Receivers with the Most Conversation Partners17. Top Receivers with the Most Failed Connections18. Packet Size Distribution
15
Flow monitoring on non flow-enabled network
• Rapid isolation of server versus network based issues• Insight into reasons for network traffic
– Traffic loads– Users– Peak usage timeframes
• Establish a performance baseline
Why is network traffic analysis important?
Creates opportunity to generate flow based traffic without expensive software, hardware, operating system upgrades or
sacrificing down-time.
16
Agent & Collector High-level InteractionServer with Flow
Publisher agent Installed
TAP
Switch
Switch forwards mirrored traffic to Flow Publisher agent
Agent forwards NetFlow records to Flow Monitor collector
TAP forwardsbi-directional traffic to Flow Publisher agent
Server based agent forwards NetFlow records to Flow Monitor collector
`
Flow Publisher agent on PC
`
WhatsUp Gold and Flow Monitor
collector
Three flexible deployment models provide unlimited choices
1717
Non Flow-Enabled Flow MonitoringTechnical Demonstration
18
Internet
Firewall
This Switch does not support port mirroring or SPAN
Netflow Datagram
Example TAP Deployment
1919
Next Steps…
Find out more about Flow Publisher v1.0http://www.whatsupgold.com/whatsnew
Try - free 30 day evaluationhttp://www.whatsupgold.com/download
Buy – (3) ways to purchase www.whatsupgold.com/buy
1. WhatsUp Gold Representative2. An Ipswitch Reseller Partner of your choice3. Online via our ecommerce shop
Increased visibility into single segment, multi-segment, application and user traffic on your network!
20
Flip over this…1 randomly selected attendee will receive a Flip Mino camcorder
21
Questions from customers…
• Charles M– Q: So, if I install publisher on a Windows server, it now becomes a netflow device?– A: Yes, it reports netflow from the traffic it can "see", probably traffic coming from the server or going
to the server.
• Anthony F– Q: Did I hear and see correctly...This application will flow monitoring of non-flow enabled devices?
Such as some of Cisco's smaller catalysts switches.– A: That is correct. Our other sessions will go into details on how to set that up.
• Sergio N– Q: Is it possible to forward traffic between two interfaces? I'm thinking like a man-in-the-middle
deployment without modifying switches. For a demo deploy, just to monitor a single wan...– A: Hi Sergio, yes that would work fine. You could use a TAP or mirroring
• Lulian R– Q: How do you monitor the flows on trunk links on a Cisco 6509?– A: Hello Lulian, you would mirror the trunk ports to the agent.
Perspective from Customers
Creates opportunity to optimize server infrastructures based upon actual user and application utilization data
2222
Q & APlease submit your questions
via the Q&A feature in the lower right corner
Additional Questions?
Jason Williams – [email protected] Gillis – [email protected]
orhttp://whatsupgold.com/community – then go to Forums
23
Traffic Analysis How To Webinar Series
• Session 1 – 11:00 AM EST Tuesday, December 10, 2009– Traffic Analysis for Non-flow Enabled Networks (Part 1)
• To access and view granular user and application traffic to and from servers• To understand and troubleshoot issues for both non-virtualized and virtualized
systems and applications• Session 2 – 11:00 AM EST Tuesday, January 12, 2010
– Traffic Analysis for Non Flow-Enabled Networks (Part 1)• To understand single or multi-segment traffic patterns• To pinpoint origins of slow network performance in real-time
• Session 3 – 11:00 AM EST Tuesday, January 19, 2010– Traffic Analysis for Non Flow-Enabled Networks (Part 2)
• To increase defense against internal and external threats • To provide cost effective traffic analysis without upgrades or downtime
• Session 4 – 11:00 AM EST Tuesday, January 26, 2010– Traffic Analysis Techniques for Flow and Non-flow Networks
• To optimize the power of flow-based traffic analysis in networks• To create valuable strategies to ensure future network stability and security
2424
Thank you!