network time machine - it-administrator · network monitoring solutions that provide connectivity...


Upload: ngothuan

Post on 04-Jun-2018


Technical Data

High-performance network traffic recorders for critical link analysis, network forensics and back-in-time troubleshooting

Network Time Machine™

Fastest all-in-one appliance for back-in-time network and application analysis

Application infrastructure, like the network, has become distributed and diverse. Traditional network monitoring solutions that provide connectivity and resource availability metrics are no longer sufficient to fully understand the factors that affect consistent application performance to users. When application performance degrades, network engineers need tools that can be quickly and economically deployed to provide full visibility into all events at key aggregation point(s), so that they can assess where the impact was felt and quickly isolate the fault domain: server, network or client. Furthermore, network engineers need to support application developers and system administrators by providing the evidence to resolve the problem. The Network Time Machine answers these needs by providing instant high-level visibility of which applications and users are affected, plus detailed flow and packet level analysis.

The Network Time Machine is available as either a portable or a rackmount unit. Portable NTMs are ideal for filling gaps in forensic visibility when troubleshooting or assessing network problems. The rackmount NTM, with its higher performance and larger storage capacity, is designed to monitor critical links for long-term forensic needs. Both the portable and rackmount platforms support 1/10G interfaces.

Network Time Machine is a high-performance stream-to-disk appliance designed to continuously monitor and capture traffic on critical network links to facilitate back-in-time, deep packet analysis of traffic.

Applications include:

• Traffic monitoring and troubleshooting at private or public cloud edges
• Analyze traffic across multiple network segments
• Forensic troubleshooting of poor application performance
• Setup or QoS analysis of Voice/Video over IP
• Troubleshooting of tunneled traffic in Service Provider’s core

Unique Features:

• Capture traffic on multiple 10/100 Mbps, 1 Gbps and 10 Gbps Ethernet interfaces at rates in excess of 10 Gbps
• Plug-and-play operation automatically identifies applications, collects, and displays relevant statistics in user-configurable dashboards
• Innovative Performance Bottleneck Analysis (PBA) visually identifies whether problems are in the server or the network
• Provides QoS metrics, statistics and trending charts of application and flow levels for buffered and historical data.
• Best-in-class, real-time Video/Voice over IP metrics and troubleshooting
• Portable and rack mount versions with RAID options and multiple terabytes of storage.
• Application-centric analysis automatically shows application flows with intuitive drill down to identify root cause
• Multi-segment analysis function built-in for quick network latency analysis

Network Time Machine™ is an all-in-one appliance that supports real-time monitoring and back-in-time analysis

Application performance analysis

• Capture cards with high-performance multiport interfaces for 1G and 10G line rate allow traffic recording, including physical errors and jumbo frames.
• Real-time application monitoring alerts you to performance problems in network and application health.
• Performance Bottleneck Analysis with back-in-time metrics graphically guides the user to the problem domain across applications, sites and servers
• Onboard application centric analysis engine provides in-depth analysis of SQL, Oracle, MS Networking (SMB), VoIP, DNS, FTP, HTTP, POP3, Telnet, SMTP, SNMP, MS Exchange and Citrix from recorded packets.
• Built-in Wireshark™ decodes provide support of dozens of additional protocols used in telecom and enterprise environments.

Multi-segment network analysis

• Merges and analyzes flows captured from different locations and generates a multi-segment bounce chart. Quickly visualize and isolate the root cause of network problems, such as packet drop or abnormal network latency.
• Auto-sync function compensates for the variation between system clocks of capturing devices in network segments, facilitating analysis even if the capturing device is out-of-sync
• Supports clock synchronization from external sources: GPS or NTP

VoIP performance analysis

• Real time QoS, call type and codec analysis classification
• See call setup problems (e.g. can’t connect, busy) without needing to see packet decodes.
• Drill-down to see which users (by phone number) are affected by poor quality or call setup issues
• Seamless extraction of packets from call setup to RTP and RTCP stream.
• Playback voice and video simultaneously for problem verification, including out-of-sync video and audio tracks

Network Time Machine’s stream-to-disk technology efficiently records and indexes network traffic for quick identification and analysis on the built-in ClearSight Analyzer

1. Ethernet traffic is captured from multiple ports at full line rates by FPGA-based capture card (hardware filters supported)
2. Entire frames are sent to the PacketStore (disk array) for storage and post analysis
3. Entire frames are also sent to the various analytical and real-time monitoring engines that process, classify and index data – this information is stored in the metadata database
4. The Atlas software interface provides access to the network metadata information to quickly identify the application flow in question
5. For troubleshooting and in-depth network analysis, the ClearSight Analyzer provides packet view, which facilitates fundamental protocol, multi-segment flow analysis and content playback

Compliance/security forensics

• See when a suspect host exhibits activities and who it talked with.
• Pattern matching with free offset, and application/flow based filtering to quickly extract relevant flow in the captured traffic.
• Bounce charts to show detailed transactions between suspect and target.
• FTP, messaging, email, voice or video can be played back to quickly gather the evidence required for action.


[Figure: Data Center TCP Flow to 30 sites (5 subnet ranges each), shown as Site A, Site B and Site C; labels: Server Time, Client Time, Flow Time.]

Fluke Networks’ Performance Bottleneck Analysis (PBA) is based on a patent-pending algorithm in which the analyzer isolates the time that a flow spends with the server, network and client. The algorithm requires one measurement point in the network near the end-point, such as the server or client. This speeds troubleshooting time as it does not require measurements at two locations to determine change in network latency.

Key Features:

Intuitive Application Performance Bottleneck Analysis reduces time to setup and fault domain isolation

The Network Time Machine (NTM) automatically discovers applications and reports performance trending metrics by server, network and client site. The unique Performance Bottleneck Analysis (PBA) displays server, network and client site time for each TCP flow. PBA metrics show where application time is spent, immediately identifying the root cause of application performance complaints. In addition, the NTM also shows how related performance metrics change over time, allowing identification of the fault domain to a specific server, or network. The packet extraction process is integrated with the UI so that the set of flows exhibiting the problem can be quickly analyzed. Once the relevant packets are extracted, the NTM guides users from application to flow to transaction views using an intuitive drill down process. Bounce charts give a clear indication of how transactions traverse over time and indicate problem packets without going into decode view. The result is increased operational efficiencies through a reduced learning curve, shorter time to domain isolation and quicker root cause resolution.

Enhanced reporting and analysis of key performance indicators (KPIs)

With minimal configuration, the Network Time Machine trends KPIs over time for servers, applications and sites.

These indicators include:

• Data volume
• Retransmissions
• Connections
• Throughput
• TCP resets
• Excessive retransmissions by site or server
• Zero window events

Users can go back in time to review performance metrics even when the underlying packet has been aged and replaced with more recent traffic.

Many performance report templates are available, and can be further customized. Reports can be scheduled daily, or created on demand for a specified time range. Some report templates include:

• KPI status or trending report by application, server and site
• Problem status or trending reports by application, server and site
• H.323, RTP and SIP MOS distribution
• Network KPI trends overview
• Application/IP protocol distribution


Figure 1: The Performance Bottleneck Analysis function of the NTM V8.0 shows the average time application flows (for example, SMTP and HTTP) spent on the server and network. The bottom graph area indicates a sudden increase and return to normal in server time during the analysis period.

Figure 2: Drilling into the PBA results from figure 1 shows how quickly NTM can get to root cause. In the upper graph, we note that the server time has increased. The middle graph shows that this happened when the server reduced the number of connections it managed and transmitted a large number of TCP resets to the client (bottom graph).

Realtime Voice and Video Analysis

The Network Time Machine provides realtime metrics on voice and video performance - without additional agents or polling to the Call Manager. Even without visibility of the setup traffic, the NTM can reassemble the caller/callee information from the RTP stream in realtime to generate quality assessment for the video/voice stream. Its high performance capture and analysis architecture makes it the ideal quick-to-deploy analysis solution for VoIP in carrier grade operation.

Extract packets for a call with just a click of a button. Call setup and RTP/RTCP streams are extracted together, correlated and shown on a bounce chart for easy visualization and playback.

Automatic Tunneled Traffic Analysis in multi-tenant networks

Tunneling protocols encapsulate traffic, much like VLANs in LANs, to segment and prioritize traffic. The Network Time Machine automatically analyzes and decodes tunneled traffic, allowing network engineers of Telecom Service Providers and Large Enterprises to conduct application performance analysis and troubleshoot applications in each tunnel quickly. A large variety of tunneling protocols are supported, including IP in IP, L2TP, PPPoE, GRE, MPLS, QinQ, PBB/PBT, and GTPU. Customized tunnel protocol support can be easily defined and added. In addition, filtering conditions can easily be configured based on tunneling protocol and bit-pattern for quick extraction of relevant packets.

Onboard Application and Packet Analysis

The NTM integrates the powerful application-centric analysis engine based on the award-winning ClearSight™ Analyzer (CSA) which provides automatic application analysis. For each application flow, the CSA automatically constructs bounce charts and notes with highlighted text and color codes to indicate application impairments, such as slow TCP server response and error status. The unique PBA metrics for each flow are displayed as a pie-chart, providing quick comparison of time spent with the server or the network.

Multi-Segment Analysis

The NTM supports multi-segment analysis so you can quickly analyze flows that are captured across multiple tiers of servers or network segments. Captures may be imported from other NTMs, the ClearSight Analyzer software or even Wireshark. This powerful capability visually identifies problems in timing, command/response and TCP level impairments such as lost packets or out-of-order sequence. It also supports Wireshark decodes, providing visibility into a huge range of application issues.


Figure 5. Performance Bottleneck Analysis of a connection between an individual server and client shows the time spent on the server, network, and client. This analysis can be done without the need of installing an NTM at both ends of the link.

Figure 3. Display overall and individual call quality statistics.

Figure 4. Support for a wide variety of tunneling protocols is provided, or define your own.

Figure 6. Multi-segment bounce chart shows timing of packets as they traverse two network segments.

Secure Remote Control

Each NTM unit can be accessed remotely using the NTM Remote Agent Manager (RAM) or Remote Agent Viewer. A Remote Agent Manager can configure and control the NTM. Up to 20 Remote Agent Viewers can monitor an NTM simultaneously but cannot configure the NTM. User accounts can be set up through the RAM to limit each user’s right to extract packets captured in the NTM. Communication between NTM and Remote Agent Manager or Viewer is encrypted using SSL (RFC 1428).

The Remote Agent Manager and viewer software come with unlimited licenses and can be freely installed in any PC running Windows® XP/Vista®/7 to access any NTM on the network. Problems detected by NTM’s real-time monitoring are consolidated to a central problem manager within the Remote Agent Manager software.

Taps simplify access to a wide variety of network link types

Fluke Networks’ tap solutions support 10/100/1000 Mbps and 10 Gbps links and are available in many configurations:

- Inline Taps
- Inline aggregation Taps
- SPAN aggregation Taps
- Inline switch Taps
- SPAN aggregation switch Taps
- Any-to-any port switch Taps


Figure 8. Simultaneously monitor up to four 1 Gbps [diagram labels: Network Switch, Network Time Machine]

Figure 9. Simultaneously monitor up to four network segments [diagram labels: Network Time Machine, two Network Switches, each with a SPAN Port]

Figure 10. Simultaneously monitor two 1 Gbps full duplex links via inline tap [diagram labels: two Network Switches, Network Time Machine, Inline TAP]

Figure 7. Up to 20 Remote Viewers can remotely connect to an NTM [diagram labels: up to 20 Remote Agent Viewers, 1 Remote Agent Manager]

Product selection guide:

| Model Number | Express | Standard | Standard EA | Premium | Portable 1A | Portable 2 |
| --- | --- | --- | --- | --- | --- | --- |
| Model Number | CSN/NTM-EX3 | CSN/NTM-ST3-4TB, CSN/NTM-ST3-8TB | CSN/NTM-ST3-EA, CSN/NTM-ST3-EA3 | CSN/NTM-PR3-S5 | CSN/NTM-PO1A | CSN/NTM-PO2-1G, CSN/NTM-PO2-10G |
| Interface rate (Gbps) [7] | 1 | 1 | 1 | 10 | 1 | 1 or 10 |
| Number and type of interfaces | 4 SFP | 4 SFP | 4 SFP | 2 XFP | 4 SFP | 4 SFP or 2 XFP |
| Type of media supported | 10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX | 10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX | 10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX | 10GBASE-SR, 10GBASE-LR | 10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX | 10/100/1000BASE-T, 1000BASE-SX, 1000BASE-LX or 10GBASE-SR, 10GBASE-LR |
| Stream-to-disk throughput (Gbps) [1] | 2 | 4 | 4 | 10 | 2 | 3 |
| RAID configuration | 0 | 5 | 5 | 5 | 0 | 5 |
| Raw capacity (TB) [2] | 2 | 12 | 12+24/36 | 3.6+7.2 | 1.9 | 3.3 |
| PacketStore capacity (TB) [4] | 1 | 4/8 | 20/30 | 6.1 | 1.4 | 1.7 |
| Max. capacity with external storage array | N/A | N/A | Up to 216 TB with 5 additional external storage arrays | 18.3 TB with 2 additional external storage arrays | N/A | N/A |

Note:

1. Stream-to-disk throughput is the maximum traffic rate at which NTM can store data to disk with no packet loss. The traffic was all 64 byte packets and the test was run no less than 3 hours.
2. Raw capacity is total raw hard disk storage available. It will be consumed by OS, NTM system programs, PacketStore and other temporary program buffers.
3. OS+Metadata capacity is disk space reserved for OS, NTM System Software and the Metadata database where packet indexing data is kept.
4. PacketStore is the database where packets captured are stored. Amount specified is disk space reserved for storage.
5. Premium3 can support both 1 and 10 Gbps interfaces in the same appliance.
6. No SFP transceivers are included with NTM. Please order separately CSN/ACC-90XX.
7. Field upgrade to add 10 Gbps interface available for Standard, and field upgrade to add 1 Gbps interface available for Premium.


[Product images: Portable NTM; NTM Express; NTM Standard; NTM Standard EA or Premium]

Technical Specifications:

| Model Number | Express | Standard | Standard EA | Premium | Portable 1A | Portable 2 |
| --- | --- | --- | --- | --- | --- | --- |
| Model Number | CSN/NTM-EX3 | CSN/NTM-ST3-4TB, CSN/NTM-ST3-8TB | CSN/NTM-ST3-EA, CSN/NTM-ST3-EA3 | CSN/NTM-PR3-S5 | CSN/NTM-PO1A | CSN/NTM-PO2-1G, CSN/NTM-PO2-10G |
| CPU | Quad Core Intel Xeon X3430 Processor, 2.4 GHz | Two Quad Core Xeon E5620 | Two Quad Core Xeon E5620 | Two Quad Core Xeon E5620 | Intel Quad Core i7 Processor, 2.67 GHz | L5420 Quad Core, 2.5 GHz |
| OS | Windows Server 2008 | Windows Server 2008 | Windows Server 2008 | Windows Server 2008 | Windows 7 | Windows Server 2008 |
| Memory | 4 GB | 4 GB | 4 GB | 4 GB | 4 GB | 4 GB |
| Power supply | One non-redundant 350 W | High output, two hot-plug 870 W | High output, two hot-plug 870 W | High output, two hot-plug 870 W | 460 W auto switching | 460 W auto switching |
| Dimensions | Height: 4.24 cm (1.67”); Width: 43.4 cm (17.1”); Depth: 61 cm (24”) | Height: 8.64 cm (3.40”); Width: 44.31 cm (17.44”); Depth: 68.07 cm (26.80”) | Mainframe Height: 8.64 cm (3.40”); Width: 44.31 cm (17.44”); Depth: 68.07 cm (26.80”); 1 external storage included* | Mainframe Height: 8.64 cm (3.40”); Width: 44.31 cm (17.44”); Depth: 68.07 cm (26.80”); 1 external storage included* | Height: 29 cm (11.44”); Width: 42.7 cm (16.8”); Depth: 14.5 cm (5.69”) | Height: 29 cm (11.44”); Width: 42.7 cm (16.8”); Depth: 14.5 cm (5.69”) |
| Weight | 9.1 kg (20 lb) | 26.1 kg (57.54 lb) | 26.1 kg (57.54 lb) | 26.1 kg (57.54 lb) | 10.2 kg (22.5 lb) | 10.2 kg (22.5 lb) |

* The external storage array unit included with NTM Standard EA and Premium has the same dimensions – Height: 8.68 cm (3.4”), Width: 22.6 cm (17.6”), Depth: 56.1 cm (22.1”), Weight: 28.39 kg (62.6 lb) (max config).

The minimum system requirements for the NTM Distributed Agent Manager and Remote Viewer are shown below.

| Item | Minimum requirement |
| --- | --- |
| Computer | Industry standard computer (laptop or desktop), with a CD/DVD-ROM drive for software installation |
| Processor | Pentium 4 (or equivalent) running at 1 GHz minimum (2 GHz recommended) |
| RAM | 512 MB minimum (1 GB recommended). 2 GB minimum if running Windows Vista or Windows 7 |
| Hard disk space | 250 MB. In addition, you should have space to store saved trace files. Individual trace files can be as large as 1 GB, but it is not recommended to open a trace file larger than 256 MB. 2 GB minimum if running Windows Vista or Windows 7 |
| Operating systems | Microsoft Windows XP Home Edition with SP3 (disable the firewall); Microsoft Windows XP Professional with SP3 (disable the firewall); Microsoft Vista (32 bit) with SP1 or SP2; Microsoft Windows 7 (32 bit) |
| Monitor | VGA color monitor with 1024 x 768 resolution and 256 colors |
| Network adapter | Standard Ethernet network interface card |


Fluke Networks
P.O. Box 777, Everett, WA USA 98206-0777

Fluke Networks operates in more than 50 countries worldwide. To find your local office contact details, go to www.flukenetworks.com/contact.

©2011 Fluke Corporation. All rights reserved. Printed in U.S.A. 12/2011 3780540H

Gold Support Services

Gold Support allows you to make the most of your investment while ensuring a higher return on your investment. Minimize your downtime, receive faster troubleshooting resolution and have total access to all support resources.

With Gold Support, you’ll receive:

• Software and firmware upgrades free of charge.
• Members-only training and webcasts
• Immediate 24x7 live technical support and consulting
• Complete access to our valuable knowledge base
• Members-only promotions

All NTM appliances come with 1 year standard factory warranty. Gold Maintenance Support for NTM Portables is available in the form of 1 year extended factory repair warranty. On-site hardware service is available for NTM Premium, Standard and Express appliances (sold after July 2010) under the Gold Support Service (Network Interface Card not included).

For models, options and accessories, visit: www.flukenetworks.com/ntm
