traffic analysis for non flow-enabled networks with whatsup flow publisher (part 1 of 2)


Upload: ipswitch-whatsup-gold

Post on 19-Jan-2015


DESCRIPTION

Learn how WhatsUp Flow Publisher gives you traffic analysis on your network without requiring flow-enabled hardware.

TRANSCRIPT

Page 1: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Traffic Analysis How To Webinar Series

Traffic Analysis for Non Flow-Enabled Networks

January 12, 2010

Page 2: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Agenda:

Today’s Presenters:
– Kevin Gillis, VP Product Management, Network Management
– Jason Williams, Product Manager & The WhatsUp Guru

Agenda:
– The Need for Traffic Analysis
– Session 1 Recap
– Flow Publisher Overview
– “TAP”ing
– Technical Demonstration
– Q&A
– Next Steps

Page 3: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


The Need for Traffic Analysis

• My network is slow and I do not know why…
– Existing tools don’t give me any or enough visibility…
• Into user and application network bandwidth utilization
• Into network performance issues
• Into locating and troubleshooting issues
• Into applications and their effect on the network
• Into security breaches and unauthorized usage

Tools are either too expensive or complex to deploy

Page 4: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


The Need for Traffic Analysis

• My network is slow and I do not know why…
– Existing hardware does not give me any or enough visibility…
• My network hardware is not NetFlow, sFlow or J-Flow capable
• My network hardware is not NetFlow, sFlow or J-Flow enabled
• My network hardware is flow capable, but enabling it is too expensive: it means taking down the network, adding hardware and upgrading the IOS
• The segment of my network is not 100% flow enabled

• Current solutions
– Require expertise in packet level and protocol level analysis
– Require device or network upgrades/downtime
– Require investment in appliances or probes

Flow enabled hardware is either too expensive or complex to deploy

Page 5: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Application and User Traffic Analysis

• Rapid isolation of server versus network based issues
• Insight into reasons for application traffic
– Traffic loads
– Users
– Peak usage timeframes
• Locate under and over subscribed applications and servers
– Standalone servers
– Virtualized servers
• Traffic to individual virtual machines (VMs)

Why is server based traffic analysis important?

Creates opportunity to optimize server infrastructures based upon actual user and application utilization data

Page 6: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Server Traffic Analysis Deployment

• Flow Publisher Server Agent
– Windows Server
• 32 & 64 bit: Standard and Enterprise Server 2008 and Standard & Enterprise Server 2003 SP2
• Non-virtualized and virtualized servers
• Network interface
– Runs as a Windows service
• Small resource footprint

Application and user traffic analysis at the source

Page 7: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


“TAP”ing

Page 8: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


TAPing…What’s a TAP and how does it work?

– TAP stands for Test Access Point.
– A network tap is a fully passive device.
– Electrically or optically, packets are copied onto the tap ports.

Considerations
– Fidelity: You get a 100% guaranteed view of network traffic, even with larger deployments of 10 Gigabit+. They are completely passive and do not cause any distortion, even on FDX (full-duplex) and full bandwidth networks.
• Nothing is dropped/filtered: short or large frames, bad CRC frames, regardless of bandwidth.
• Nothing is altered, including time relationships (spacing and response times) of frames, which are especially important with VoIP and Triple Play analysis, including FDX analysis.
– Do not groom data nor filter out physical layer errored packets
– Do not introduce any additional jitter or distortion, which is important in VoIP / Video analysis.
• Some taps (e.g. regeneration taps) have multiple output ports to allow more than one device to monitor the network at the tap point.
• A tap has one tap port per direction. To monitor 1 link, you need 2 NICs, one for each direction. You can merge both directions into one single port using a hub.
• Can handle IPv4 and IPv6 traffic.
– Security: Taps are not addressable network devices, so they expose no network interface that could be attacked
– Ease of Use: Taps have no setups or command line issues, so getting all the data is assured and saves users time. They are also fault tolerant.

Page 9: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


TAPing…Summary:

– Taps offer high integrity and fidelity by capturing 100% of packets with no packet or frame alterations.
– As a fully passive device, a tap does not impact the performance or scalability of the switch or router.
– Requires additional hardware to be purchased and installed, potentially leading to downtime.

Page 10: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow Publisher 1.0 Overview

Page 11: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow Publisher v1.0 Summary

• Flow data generated from raw network traffic
– Convert raw traffic into NetFlow v1, v5 and v9 compliant flow records
• Full range of NetFlow information
• Not sampled flow data
• Pinpoint or broad traffic analysis
– Windows servers and any applications (e.g. Oracle, SAP, Exchange)
– Passive using TAPs (Test Access Point)
– Active packet duplication through virtually any network device supporting port mirroring
• High impact: non-invasive and inexpensive to maintain
– Leverages existing network infrastructure
– No device hardware or software upgrades required
– Does not require network or device downtime

Enables flow analysis for non-flow capable devices
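As an added illustration (not from the webinar or from Ipswitch's product), here is a small Python sketch of what "converting raw traffic into NetFlow v5 compliant flow records" involves: packets are aggregated into 5-tuple flows and serialized in the v5 export layout that a collector such as Flow Monitor decodes. The packets, timestamps, system uptime and input interface index are constructed sample values.

```python
import socket
import struct

# NetFlow v5 wire layout: a 24-byte header followed by up to 30 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")  # version, count, uptime, secs, nsecs, seq, eng_type, eng_id, sampling
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport, pad, flags, proto, tos, src_as, dst_as, src_mask, dst_mask, pad

# Constructed sample packets (not captured traffic): src, dst, proto, sport, dport, length, tcp_flags, time_ms
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.20", 6, 51234, 443, 120, 0x02, 1000),   # SYN
    ("10.0.0.20", "10.0.0.5", 6, 443, 51234, 80, 0x12, 1005),    # SYN/ACK: reverse direction is its own flow
    ("10.0.0.5", "10.0.0.20", 6, 51234, 443, 1460, 0x18, 1010),  # PSH/ACK data segment
    ("10.0.0.5", "10.0.0.53", 17, 40000, 53, 64, 0x00, 1020),    # DNS query over UDP
]

def aggregate_flows(packets):
    """Group packets by 5-tuple, the bookkeeping a flow-capable router does in its flow cache."""
    flows = {}
    for src, dst, proto, sport, dport, length, flags, ts in packets:
        f = flows.setdefault((src, dst, proto, sport, dport),
                             {"pkts": 0, "octets": 0, "first": ts, "last": ts, "flags": 0})
        f["pkts"] += 1
        f["octets"] += length
        f["last"] = ts          # flow end is the last packet seen
        f["flags"] |= flags     # v5 carries the OR of all TCP flags seen in the flow
    return flows

def build_v5_datagram(flows, sequence=0, uptime_ms=2000, unix_secs=1263312000, in_if=1):
    """Serialize aggregated flows as one NetFlow v5 export datagram (at most 30 records each)."""
    records = list(flows.items())[:30]
    out = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    for (src, dst, proto, sport, dport), f in records:
        out += V5_RECORD.pack(
            int.from_bytes(socket.inet_aton(src), "big"), int.from_bytes(socket.inet_aton(dst), "big"),
            0, in_if, 0, f["pkts"], f["octets"], f["first"], f["last"],
            sport, dport, 0, f["flags"], proto, 0, 0, 0, 0, 0, 0)
    return out

def parse_v5_datagram(data):
    """Decode a v5 datagram as a collector would; reject one whose length disagrees with its count."""
    hdr = V5_HEADER.unpack_from(data, 0)
    if hdr[0] != 5 or len(data) != V5_HEADER.size + hdr[1] * V5_RECORD.size:
        raise ValueError("malformed NetFlow v5 datagram")
    recs = []
    for i in range(hdr[1]):
        r = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        recs.append({"src": socket.inet_ntoa(r[0].to_bytes(4, "big")), "dst": socket.inet_ntoa(r[1].to_bytes(4, "big")),
                     "pkts": r[5], "octets": r[6], "sport": r[9], "dport": r[10], "flags": r[12], "proto": r[13]})
    return hdr, recs
```

The datagram returned by build_v5_datagram is what an agent would send over UDP to the collector; a real exporter also expires flows on idle/active timeouts and increments the sequence number per export.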

Page 12: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow Publisher v1.0 Features

• Two Components
1. Agent Manager Interface
• Configure and manage a single or multiple agents
2. Flow Publisher Agent
• Processes raw traffic data
• Standalone installation
» Windows computer
– TAP or mirrored interfaces
– Accepts raw traffic from up to 4 individual interfaces
• Hosted installation
– Directly on Windows Servers
» Application monitoring
» User monitoring
» VMware Virtualized Systems

Software only solution

Page 13: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow Publisher v1.0 Features cont’d

• Integrates with v14.x of WhatsUp Gold and v2.0 of Flow Monitor for:
– Real-time traffic monitoring and analysis
– Threshold alerting
– 40+ reports (web and mobile)
• Maps MAC addresses to reported interfaces
• Jumbo and fragmented packet support
• Configurable logging
– 3 levels of detail
• 2 levels of traffic capture
– Normal
– Promiscuous

Page 14: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow Publisher v1.0 Features cont’d

Provides the same information into Flow Monitor for analysis and reporting as other NetFlow sources. This includes the following:

1. Protocol
2. Application (port number)
3. Conversations
4. Sender host
5. Receiver host
6. Sender domain
7. Receiver domain
8. Sender top level domain (TLD)
9. Receiver TLD
10. Top sender country
11. Top receiver country
12. Type of service (ToS)
13. Top Senders with the Most Conversation Partners
14. Top Senders with the Most Failed Connections
15. ICMP Types
16. Top Receivers with the Most Conversation Partners
17. Top Receivers with the Most Failed Connections
18. Packet Size Distribution

Page 15: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flow monitoring on non flow-enabled network

• Rapid isolation of server versus network based issues
• Insight into reasons for network traffic
– Traffic loads
– Users
– Peak usage timeframes
• Establish a performance baseline

Why is network traffic analysis important?

Creates opportunity to generate flow based traffic data without expensive software, hardware or operating system upgrades, and without downtime.

Page 16: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Agent & Collector High-level Interaction

[Diagram: three deployment models feeding the WhatsUp Gold and Flow Monitor collector]
– Server with Flow Publisher agent installed: the server based agent forwards NetFlow records to the Flow Monitor collector
– Switch: the switch forwards mirrored traffic to the Flow Publisher agent on a PC, and the agent forwards NetFlow records to the Flow Monitor collector
– TAP: the TAP forwards bi-directional traffic to the Flow Publisher agent on a PC, and the agent forwards NetFlow records to the Flow Monitor collector

Three flexible deployment models provide unlimited choices

Page 17: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)

Non Flow-Enabled Flow Monitoring: Technical Demonstration

Page 18: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)

Example TAP Deployment

[Diagram labels: Internet; Firewall; "This Switch does not support port mirroring or SPAN"; Netflow Datagram]

Page 19: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Next Steps…

Find out more about Flow Publisher v1.0: http://www.whatsupgold.com/whatsnew

Try – free 30 day evaluation: http://www.whatsupgold.com/download

Buy – (3) ways to purchase: www.whatsupgold.com/buy
1. WhatsUp Gold Representative
2. An Ipswitch Reseller Partner of your choice
3. Online via our ecommerce shop

Increased visibility into single segment, multi-segment, application and user traffic on your network!

Page 20: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Flip over this…1 randomly selected attendee will receive a Flip Mino camcorder

Page 21: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Questions from customers…

• Charles M
– Q: So, if I install publisher on a Windows server, it now becomes a netflow device?
– A: Yes, it reports netflow from the traffic it can "see", probably traffic coming from the server or going to the server.

• Anthony F
– Q: Did I hear and see correctly... This application will allow flow monitoring of non-flow enabled devices? Such as some of Cisco's smaller Catalyst switches.
– A: That is correct. Our other sessions will go into details on how to set that up.

• Sergio N
– Q: Is it possible to forward traffic between two interfaces? I'm thinking like a man-in-the-middle deployment without modifying switches. For a demo deploy, just to monitor a single WAN...
– A: Hi Sergio, yes that would work fine. You could use a TAP or mirroring.

• Lulian R
– Q: How do you monitor the flows on trunk links on a Cisco 6509?
– A: Hello Lulian, you would mirror the trunk ports to the agent.

Perspective from Customers

Creates opportunity to optimize server infrastructures based upon actual user and application utilization data

Page 22: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)

Q & A

Please submit your questions via the Q&A feature in the lower right corner

Additional Questions?

Jason Williams – [email protected]
Kevin Gillis – [email protected]

or http://whatsupgold.com/community – then go to Forums

Page 23: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Traffic Analysis How To Webinar Series

• Session 1 – 11:00 AM EST Tuesday, December 10, 2009
– Traffic Analysis for Non-flow Enabled Networks (Part 1)
• To access and view granular user and application traffic to and from servers
• To understand and troubleshoot issues for both non-virtualized and virtualized systems and applications

• Session 2 – 11:00 AM EST Tuesday, January 12, 2010
– Traffic Analysis for Non Flow-Enabled Networks (Part 1)
• To understand single or multi-segment traffic patterns
• To pinpoint origins of slow network performance in real-time

• Session 3 – 11:00 AM EST Tuesday, January 19, 2010
– Traffic Analysis for Non Flow-Enabled Networks (Part 2)
• To increase defense against internal and external threats
• To provide cost effective traffic analysis without upgrades or downtime

• Session 4 – 11:00 AM EST Tuesday, January 26, 2010
– Traffic Analysis Techniques for Flow and Non-flow Networks
• To optimize the power of flow-based traffic analysis in networks
• To create valuable strategies to ensure future network stability and security

Page 24: Traffic Analysis For Non Flow-Enabled Networks with WhatsUp Flow Publisher (Part 1 of 2)


Thank you!