How can Savvius help your organization?
© Savvius, Inc | www.savvius.com
Santisook L.
Director
26 March 2016
© Savvius, Inc | The NP Forensics
The Implications of Doing Nothing
64% of organizations reported that managing network performance has become more complex over the last 12 months
Organizations are losing on average $72,000 per minute of unplanned network downtime
48% of organizations reported that, on average, they spend more than 60 minutes on repairing performance issues - per incident
Complex Network
http://www.macdesign.net/academic/ts5325/ts5325-Submitted/u03a1-network_hierarchy.html
Traditional Network Troubleshooting Challenge
• Slow-network issues (increasing bandwidth or changing hardware will not solve the problem)
• Network or application performance problems.
• No flexibility to monitor the entire network, including network segments at remote offices.
• Multiple programs are used to troubleshoot different network issues (Wi-Fi, VoIP, wired)
• Engineers know there’s a problem but don’t know where it is happening (in which packet? Flow? From where to where?).
• Too much information is provided, with no filtering feature to narrow down the problem for easy troubleshooting.
• Traditional troubleshooting tools were very reactive in nature, lacking the historical visibility required to research past incidents.
WildPackets Overview | PROPRIETARY AND CONFIDENTIAL
Network Problems $#%@
We have the Solution
Network Analysis Solving Problems of
• Isolate Network, Server, Application Problem
- Evidence required to find the root cause faster.
• Troubleshooting Cases
- Case 1 : Network Utilization Breakdown
- Case 2 : Slow Server or Slow Client
- Case 3 : Can’t Connect Server
• Others
- Measure Network & Application Delay, Multi-hop Analysis
- Poor VoIP Quality
- Network & Security Forensics
• Long Term Monitoring & Baseline
Application vs Network
“Boxing” Match
• Companies always have difficulty identifying whether it is a Network or an Application problem
• The Network department will point the problem to the Application team and vice versa
• And problems are not resolved because no one takes ownership, with no solution in sight
• So, it is like a Boxing match
• And we have the Solution!
The Weigh-In, like in a Boxing match
Create a baseline…
• Not just, “How much bandwidth am I consuming on my network or segment?”
• Also, “How much is the X Application consuming?”
- What users connect to it? What outbound connections does the app make? With what ports? With what nodes? At what times? How often?
• It’s impossible to predict the winner if you don’t know your network and applications and understand their behaviors.
- You won’t be able to be proactive about problems and quickly react to change!
MY NETWORK IS SLOW!!!!!!
Scoring the FIGHT
What to look for…
• Primary events are anything related to “Slow”
- Depending on what events you see, you will know who is at fault
• Application events:
- HTTP slow response time
- Oracle slow response time
- Inefficient client
• Network events:
- TCP SLOW segment recovery
- Slow retransmissions
- Slow acknowledgements
- Low throughput
Let the Expert Analysis be the referee
Network & Application Delay
Did Someone Say, "TKO"?
Get Proof…
Is the Application at fault?
Or is the Network at fault?
Follow Events to See Who is Involved
Use the ‘right-click’ option and ‘Select Related Packets’ on the event
Do the ‘Select Related’
We ‘right-click’ on any highlighted packet and do a ‘Select Related’, then ‘By Flow’
"Scoring the Fight"
When we select the ‘Slow Server Response Time’ event, two sessions to the same server are highlighted. This looks to be a system or application issue – not the network. But we need proof!
Visual Expert is the Proof!
Here is the proof we were looking for! Two requests for data, two quick TCP Acks, but then a long delay before the server sent us the data we requested
[Figure callouts: Payload Length = 0; Payload Length = 1260; Requests and Acks; Then the Data gets returned much later]
Take A Closer Look
Looking more granularly at the timing, we see that the ACK came back in 70ms, but the data didn’t get sent back for another 854ms!
Ack fast = Network fast
Data slow = Application slow
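The ACK-versus-data timing test above, as an added Python example that is not part of the original slides or of OmniPeek. The `Pkt` record, the `score_flow` function, the thresholds and the sample packets are assumptions constructed for illustration.

```python
from collections import namedtuple

# One captured TCP segment: time in seconds, sender, seq/ack numbers, payload bytes.
Pkt = namedtuple("Pkt", "ts src seq ack plen")

def score_flow(pkts, client, server, net_slow_ms=200, app_slow_ms=500):
    """Split each client request's wait into ACK delay and data delay.

    ack_ms  = request -> first server segment acknowledging it (network + TCP stack)
    data_ms = that ACK -> first server segment carrying payload (application)
    Thresholds are assumed defaults; tune them for the network being analysed.
    Sequence-number wraparound is not handled.
    """
    results = []
    for i, req in enumerate(pkts):
        if req.src != client or req.plen == 0:
            continue                      # only client segments that carry a request
        need = req.seq + req.plen         # ack number that covers this request
        ack_ts = data_ts = None
        for p in pkts[i + 1:]:
            if p.src != server or p.ack < need:
                continue
            if ack_ts is None:
                ack_ts = p.ts             # pure ACK, or ACK piggybacked on data
            if p.plen > 0:
                data_ts = p.ts
                break
        if ack_ts is None:
            results.append({"req_ts": req.ts, "verdict": "no ACK seen"})
            continue
        ack_ms = round((ack_ts - req.ts) * 1000)
        data_ms = None if data_ts is None else round((data_ts - ack_ts) * 1000)
        if ack_ms > net_slow_ms:
            verdict = "network slow"
        elif data_ms is None:
            verdict = "no response data"
        elif data_ms > app_slow_ms:
            verdict = "application slow"
        else:
            verdict = "ok"
        results.append({"req_ts": req.ts, "ack_ms": ack_ms,
                        "data_ms": data_ms, "verdict": verdict})
    return results

# Constructed sample mirroring the slide: ACK after 70 ms, 1260-byte payload 854 ms later.
SAMPLE = [
    Pkt(0.000, "client", 1000, 5000, 120),   # request
    Pkt(0.070, "server", 5000, 1120, 0),     # pure ACK, payload length 0
    Pkt(0.924, "server", 5000, 1120, 1260),  # data finally returned
    Pkt(0.930, "client", 1120, 6260, 0),     # client ACK
]
```

The ACK delay includes the server's delayed-ACK timer and depends on where the capture was taken, so compare it against a baseline from the same capture point before blaming the network.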
Tune the Expert for your network
Make these times relevant for your network or the task at hand!
"And the winner is"
You!
• Determining whether the application, system, or network
is at fault using TCP
• Tapping the power of Select Related using flows to
troubleshoot root causes
• Eliminating false positives by tuning Expert Events
Case Study
Case Study 1: Network Utilization Breakdown
• PROBLEM: The customer reported that their network runs slow in the afternoon. Their Network Management System (NMS) shows that they had very high utilization at that particular time. The NMS does not show what is causing the high utilization.
• SOLUTION: OmniPeek has the ability to drill down further to millisecond intervals to identify the specific issue and understand what happened on their network.
• OmniPeek can quickly identify what, when and who was using the network to cause the high spike in network utilization.
Slow Network Help
If utilization was the issue, we would know immediately
Bad network behavior would be noticed immediately
Visualizations show oddities immediately
In millisecond view
Select the required time to check
Who is the talker
Further communication breakdown
Case Study 2: Slow server or Client
• PROBLEM: The customer complained that the response time of a simple SQL command is very slow. They would like to know if there are any issues arising from the server or the client. Their NMS showed that network utilization and latency were low during that time.
• SOLUTION: OmniPeek can quickly identify whether the slowness derives from the server or the client side. In this case, it was identified to be from the server, as it took a long time to execute an SQL command.
• This saved the company many man-hours, as it had been a tussle between the application and network teams. It was quickly resolved by the application team identifying some programming bugs.
Check Network response times
Validate Applications response times
Check for generic system issues
The Packet contain
Case Study 3: Can't connect to server
• PROBLEM: The customer's Network Management System could not identify the problem. Clients from this company were not able to communicate with the application server. The NMS does not show any abnormalities on the server or the connection.
• SOLUTION: OmniPeek quickly detected a massive amount of ICMP destination port unreachable packets through the Expert Analysis.
• We advised the customer to re-enable one of the connection ports on Server A: the server port had been disabled and remained closed. Server B had reached the maximum allowable number of users and was therefore dropping connections from any new users.
Check to see if anyone else is connecting
Validate traffic is flowing to final destination
Detect refused connections or ICMP messages
Others
Multi-hops Analysis
Multi-hops Analysis - Compare Packet Drop
Network & Application Delay
Poor VoIP Quality Help
Our high level information of our VoIP environment in a single view
Signaling and media bounce diagrams give detailed specifics
Here we can focus on any call, and even listen to them with a right-click
Forensic Search
Go back in time to find what happened last week
Forensic searches can find anything in packets, down to a single bit or as high level as a baseline over a specified period of time.
Web Page Reconstruction
May 6th, 2009 Assuring Network and Application Performance
Long Term Monitoring & Base Line
Savvius Use Case Study
Julie: Splunk Administrator
In this scenario: Julie creates Splunk dashboards for internal clients throughout the organization.
A phone call from Bill.
“Hi Julie, Pete says it’s my network that’s causing the ERP issues. Can you give me a dashboard on apps vs. network?”
Julie responds.
“Sure. I just got a new little box that delivers amazing network stats into Splunk. I’ll have something tomorrow.”
Julie brings up the Savvius for Splunk dashboards and copies the appropriate code into her “App Stats” dashboard.
Savvius Use Case Study
Julie: Splunk Administrator
Julie leaves a message for Bill
“Bill, I think I got what you need. I’ve got application latency at a network level plus network traffic and the app reports.”
Bill responds after lunch.
“Julie, that is fantastic. I could see exactly what’s going on. Showed Pete and he has changed his tune. The ERP vendor says they already have a solution.”
Useful network information available in a Splunk server means less time wasted on solving the wrong problem. Allocating responsibility accurately keeps everyone working together productively.
Alert on virtually anything!
Alerting, Alarming, and Notifications
It’s Mobile!
Savvius Core Value Proposition
• Application vs Network Analysis
• Distributed VoIP Analysis
• Wireless Analysis
• High Speed capture and Data recording
• Network Forensic Analysis
• Customizable decodes and protocols
Thank you