how can savvius help your organization?

© S A V V I U S , I N C | w w w . s a v v i u s . c o m

How can Savvius help your

organization ?

1

Santisook L.

Director

26 March 2016

© S A V V I U S , I N CThe NP Forensics

The Implications of Doing Nothing64% of organizations reported that managing

network performance has become more complex

over last 12 months

Organizations are losing on average $72,000 per

minute of unplanned network downtime

48% of organizations reported that, on average,

they spend more than 60 minutes on repairing

performance issues - per incident


Complex Network

3http://www.macdesign.net/academic/ts5325/ts5325-Submitted/u03a1-network_hierarchy.html


Traditional Network Troubleshooting Challenge

• Network slow issue (increase bandwidth, changing hardware – will not solve

the problem)

• Network or Application performances problem.

• Do not have the flexibility to monitor the entire networks, including network

segments at remote office.

• Use multiple programs to troubleshoot different network issue (WIFI, VOIP,

WIRE)

• Engineers know there’s a problem but don’t know where it is happen (in

which packet? Flow? From where to where?).

• Too much information provided, no filtering feature to narrow down the

problem for easy troubleshooting.

• Traditional troubleshooting tools were very reactive in nature, lacking the

historical visibility required to research past incidents.

WildPackets OverviewPROPRIETARY AND

CONFIDENTIAL4

© S A V V I U S , I N CThe NP Forensics 5

Network Problems $#%@

We have the Solution


Network Analysis Solving Problems of

• Isolate Network, Server, Application Problem

- Required evidence to faster finding root cause.

• Trobleshooting Cases

- Case 1 : Network Utilization Breakdown

- Case 2 : Slow Server or Slow Client

- Case 3 : Can’t Connect Server

Others

- Measure Network&Applicaion Delay, Multihop Analysis

- Poor VoIP Quality

- Network & Security Forencis

• Long Term Monitoring & Baseline

6


Application vs Network

7


• Companies always have difficulty identifying whether it is

a Network or an Application problem

• The Network department will point the problem to the

Application team and vice versa

• And problems are not resolved because no one took

ownership with no solutions in sight

• So, it is like a Boxing match

• And we have the Solution !

8

“Boxing” Match


The Weigh In is like in a Boxing match

Create a baseline…• Not just, “How much bandwidth am I consuming on my

network or segment?”

• Also, “How much is the X Application consuming?”

- What users connect to it? What outbound connections does the app

do? With what ports? With what nodes? What times? How often?

• It’s impossible to predict the winner if you don’t know your

network and applications and understand their behaviors.

- You won’t be able to be proactive to problems and quickly reactive

to change!

MY NETWORK IS SLOW!!!!!!


Scoring the FIGHT

What to look for

…

• Primary events are anything related to “Slow”

- Depending on what events you see, You will know who is at fault

• Application events:

- HTTP slow response time

- Oracle slow response time

- Inefficient client

• Network events:

- TCP SLOW segment recovery

- Slow retransmissions

- Slow acknowledgements

- Low throughput

Let the Expert Analysis help be the referee


Network & Application Delay

WildPackets OverviewPROPRIETARY AND CONFIDENTIAL

11


Did Someone Say, "TKO"?

Get Proof…

Is Application is at fault ?

Or is Network at fault ?


Follow Events to See Who is InvolvedUse the ‘right-click’ option and ‘Select Related Packets’ on the

event


Do the ‘Select Related’We ‘right-click’ on any highlighted packet and do a ‘Select

Related’, then ‘By Flow’


"Scoring the Fight"

When we select the

‘Slow Server

Response Time’

event, two sessions

to the same server

are highlighted.

This looks to be a

system or

application issue –

not the network.

But we need proof!


Visual Expert is the Proof!Here is the proof we were looking for!

Two requests for data, two quick TCP Acks, but then a long delay

before the server sent us the data we requested

Payload

Length = 0

Payload

Length = 1260

Requests and

Acks

Then the Data

gets returned

much later


Take A Closer LookLooking more granular at the timing, we see that the ACK came

back in 70ms, but the data didn’t get sent back for another 854ms!

Ack fast = Network fast

Data slow = Application

slow


Tune the Expert for your network

Make these times relevant

for your network or the

task at hand!


"And the winner is"

You!

• Determining whether the application, system, or network

is at fault using TCP

• Tapping the power of Select Related using flows to

troubleshoot root causes

• Eliminating false positives by tuning Expert Events


Case Study

20


Case Study 1: Network Utilization

Breakdown

21

• PROBLEM : Customer reported that their network runs slow in the

afternoon. Their Network Management System (NMS) shows that

they had very high utilization at that particular time. NMS does not

show what is causing the high utilization.

• SOLUTION: OmniPeek has the ability to drill down further to

millisecond intervals to identify the specific issue and understand

what happened on their network.

• OmniPeek can quickly identify what, when and who was using

the network to cause the high spoke in network utilization.


Slow Network Help


22

If utilization was the

issue, we would know

immediatelyBad network behavior

would be noticed

immediately

Visualizations show

oddities immediately


WildPackets Overview PROPRIETARY 23

In mini second view

Select the require time to check

Who is the talkerFurther

communication Breakdown


Case Study 2: Slow server or Client

24

• PROBLEM: Customer complaint that the respond time from a

simple SQL command is very slow. They would like to know if there

are any issues arising from the server or the client. Their NMS

system showed that the network utilization and latency is low during

the time.

• SOLUTION: OmniPeek can quickly identify whether the slowness

derives from the server or the client side. In this case, it was

identified to be from the server as it took a long time to execute

an SQL command.

• This saves the company many man hours as it was a tussle between

the application and network teams. This was quickly resolved by

the application team identifying some programming bugs.


Check Network response times

Validate Applications

response times

Check for generic system issues

The Packet contain


Case Study 3: Can't connect to server

26

• PROBLEM: The customer Network Management System could not

identify this customer’s problem. Clients from this company were

not able to communicate with the application server. The NMS

system does not show any abnormalities from the server nor the

connection.

• SOLUTION: Omnipeek quickly detected a massive amount of

ICMP destination port unreachable packets through the Expert

Analysis.

• We provide the solution to the customer to re enable one of the

connection port on Server A. The problem is the server port has

been disable and remain closed. On Server B, it has reached the

maximum allowable number of users and thus dropping connection

to any new users.


Check to see if anyone else is

connecting

Validate traffic is flowing to

final destination

Detected refused connections or

ICMP messages


Others


Multi-hops Analysis


29


Multi-hops Analysis-

Compare Packet Drop


30


Network & Application Delay


31


Poor VoIP Quality Help


32

Our high level information

of our VoIP environment

in a single view

Signaling and media

bounce diagrams give

detailed specifics

Here we can focus on any

call, and even listen to

them with a right-click


Forensic Search


33

Go back in time to find what

happened last week

Forensic searches can

find anything in packets,

down to a single bit or

as high level as a

baseline over a

specified period of time.


Web Page Reconstruction

May 6th, 2009 Assuring Network and Application Performance 34


Long Term Monitoring & Base Line


Savvius Use Case Study

Julie: Splunk

Administrator

In this scenario: Julie

creates Splunk

dashboards for internal

clients throughout the

organization.

A phone call

from Bill.

“Hi Julie, Pete says its my network that’s

causing the ERP issues. Can you give

me a dashboard on apps vs. network?

Julie

responds.“Sure. I just got a new little box that

delivers amazing network stats into

Splunk. I’ll have something tomorrow.”

Julie brings up the Savvius for Splunk dashboards and

copies the appropriate code into her “App Stats”

dashboard.


Savvius Use Case Study

Julie: Splunk

Administrator

Julie leaves a

message for

Bill

“Bill, I think I got what you need. I’ve got

application latency at a network level plus

network traffic and the app reports.”

Bill responds

after lunch.“Julie, that is fantastic. I could see exactly

what’s going on. Showed Pete and he has

changed his tune. The ERP vendor says

they already have a solution.”

Useful network information available in a Splunk server

means less time wasted on solving the wrong problem.

Allocating responsibility accurately keeps everyone working

together productively.


Alert on virtually anything!

Alerting, Alarming, and Notifications


It’s Mobile!


• Application vs Network Analysis

• Distributed VoIP Analysis

• Wireless Analysis

• High Speed capture and Data recording

• Network Forensic Analysis

• Customizable decodes and protocols

40

Savvius Core Value Proposition


Thank you

how can savvius help your organization?

Engineering