Packet Capture in High-Speed and Data Center Networks
DESCRIPTION
Watch the full on-demand webcast here: http://bit.ly/15slKEH
High-speed networking (10G, 40G, and up to 100G) is growing in core networks and data centers. The business needs driving this speed are also leading to changing traffic patterns, like East-West traffic among servers, or simultaneous use of redundant links. However, the uptime requirements mean that visibility is as important as ever. This webinar will look at effective monitoring through packet capture in high-speed networks, and how to position capture points to see inside areas that may be neglected by previous monitoring methods.
TRANSCRIPT
www.wildpackets.com © WildPackets, Inc.
Full Speed Ahead: Packet Capture in High-Speed and Data Center Networks
Show us your tweets! Use today’s webinar hashtag:
#wp_highspeed with any questions, comments, or feedback.
Follow us @wildpackets
Jay Botelho
Director of Product Management
WildPackets
Follow me @jaybotelho
© WildPackets, Inc. #wp_highspeed
Administrivia
• All callers are on mute
‒ If you have problems, please let us know via the Chat window
• There will be Q&A at the end
‒ Feel free to type a question at any time
• Slides and recording will be available:
‒ Via a follow-up email
Agenda
• Trends in High-Speed Networking
• The New Role of Overlay Networks
• Changing Role of Packet-Based Network Analysis
• Key Monitoring Points for Network Visibility
• About WildPackets
Trends in High-Speed Networking
10G – Dispelling the Myth
• According to The Register (http://www.theregister.co.uk/2013/01/03/2013_not_year_of_10gbe/):
‒ 2013 will NOT be the year for widespread adoption of 10G
‒ Technology is solid – it’s a cost issue
‒ Businesses just don't need 10x the bandwidth and aren't willing to pay 3x the cost.
• Server migration to 10G underwhelms during 3Q12 (http://www.delloro.com/news/server-migration-to-10-gbps-network-connections-underwhelms-during-3q12):
‒ The 10G controller and adapter market results were almost flat sequentially during the third quarter of 2012
‒ “The price premium for 10G is too wide of a gap” - Sameh Boujelbene, Senior Analyst, Dell’Oro Group
Optimistic Predictions from Vendors
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-696667.html
How is 10G Being Utilized?
• Major traffic driver: backup
• Current challenge: 2x and 4x 1G EtherChannel on backup servers is saturating
• New architecture spec for 10x 1G EtherChannel
• What’s coming: virtualized server clusters growing – one has 360 VMs
• Focus now on large, flat 10G data center fabrics
• Fabric Path/TRILL “standard”
• Nexus 7000 with 32 ports of 10G
• Driving need: constant demand for 1G aggregation
Example 1: Heavy Mfg Example 2: Network OEM
Migration to 40/100G
http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11-696667.html
New Architectures - New Traffic Patterns
• Standalone VM Host (Virtual Server)
• Coordinated VM Hosts
• Cloud
The New Role of Overlay Networks
Standalone VM Networking
• Multiple guests, single host
‒ One or more vNICs per guest
‒ One or more physical NICs on host
• Switch interfaces
‒ Guest vNICs
‒ Host physical NICs (pNICs)
‒ Possible network separation via multiple L2 vSwitches
• Logically behaves like a TOR or workgroup switch
‒ No transit traffic, leaf network
‒ Usually no L3 (Routing) between VLANs/vSwitches
Standalone VM Networking
North/South vs East/West
Coordinated VM Networking
• Single switch among multiple VM hosts
‒ Each vSwitch per host like a blade switch
‒ Physical network like a backplane, but usually no L3
• Maintains single forwarding table
‒ Inter-VM traffic between hosts sent encapsulated to target host
‒ No need to “learn” VM MAC addresses
• Port profiles per guest
‒ If VM moves, profile moves too
‒ vSwitch forwarding tables automatically updated
‒ Physical switches must learn new host for VM
Coordinated VM Networking
Distributed vSwitch (shared across VM hosts)
Overlay vs. Underlay
Distributed vSwitch (shared across VM hosts)
Cloud
• Software-allocated networking
‒ Network configuration de-coupled from networking hardware
‒ A basic form of SDN
• Focus on connectivity
‒ Get servers up and running
‒ Keep traffic hidden between customers
• Self-service paradox
‒ Cloud allows customers to provision and monitor VMs
‒ Security requires traffic to be hidden between customers
‒ Therefore customers can’t monitor the network
Cloud Network
Changing Roles of Packet-based Network Analysis
Strategy for Monitoring 10G Ethernet
Which of the following apply to your strategy for monitoring 10G segments? (Select all that apply)
• Other: 4.1%
• All set - our mirroring sol'n converts 10G to 1G: 14.4%
• All set - tools already support 10G: 21.9%
• Can't afford upgrading tools to 10G: 21.9%
• Want to keep 1G tools as long as possible: 32.9%
• Our tools don't support 10G: 41.1%
SOURCE: Benchmarking Network and Security Operations: Tools, Processes, and Enabling Technologies Study, 2009, Enterprise Management Associates. n=124
10G Compromises
• 10G to 1G taps
• Apply pre-capture filters or triggered captures to selectively stream to disk
• 10G NIC upgrades in architectures designed for multi-port 1G deployments
Typical Network Analysis Workflow
Flowchart steps: Let It Roll! · Alerts/Alarms · User Complaints · Problem? (NO/YES) · Connect the Analyzer · Start a Trace · Reproduce if Necessary
1Gig Is Easy - Now
• Use almost any NIC
• Use almost any computer
• Capture and analyze all in real-time
• Little or no special hardware needed (taps, etc.)
• Little to no impact on existing network traffic
• “Analysis on the fly” still feasible
10Gig Network Analysis Workflow
Flowchart steps: Identify Key Analysis Pts · Deploy 24x7 Monitoring · Alarms/Alerts · Problem? (NO/YES) · Rewind Data · Analyze · Tune if Necessary
10G Provides Unique Challenges
• Traditional NICs not up to the task
• Processing power is a limiting factor
• Storage capacity is a limiting factor
• I/O bus and disk write speeds are a limiting factor
• 10G forces clarity in analysis
• At 10G, it truly is looking for a needle in a haystack
• “Line rate” – be wary of that claim!
Importance: Packet-based PM tools remain only truly effective approach to definitive monitoring and definitive troubleshooting – Jim Frey, Enterprise Management Associates, Inc., July 2010
10G Network Data Storage
• 1Gbps steady-state traffic assuming no storage overhead:
‒ 7.68 GB/min
‒ 460 GB/hr
‒ 11 TB/day
‒ 2.9 days in a 32TB appliance
• 10Gbps:
‒ 76.8 GB/min
‒ 4.6 TB/hr
‒ 110 TB/day
‒ 7.0 hours in a 32TB appliance
10G Network Data Capture
10G Network Analysis
• Analyze the essentials
• Be specific when possible
• Know your network – baselines are critical
• Know your limits
• Real-time vs. forensics
• Filter and slice (whenever possible)
• Anticipate hardware resource needs
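An added sizing sketch (not from the original slides) for the "Filter and slice" and "Anticipate hardware resource needs" points, extending the storage figures above to sliced captures. It assumes decimal units, a 16-byte per-packet record header as in the classic pcap file format, and a constructed traffic mix; the function names are illustrative.

```python
"""Capture-to-disk retention estimate with packet slicing (added example)."""

PCAP_RECORD_HEADER = 16  # bytes per packet record in the classic pcap format


def stored_bytes_per_sec(link_gbps, utilization, size_mix, snaplen=None,
                         record_overhead=PCAP_RECORD_HEADER):
    """Bytes written to disk per second for a given traffic profile.

    link_gbps * utilization is treated as the byte rate of captured frames,
    as the storage slide does; preamble and inter-frame gap are ignored
    (assumption). size_mix maps frame size in bytes -> fraction of packets.
    snaplen is the slice length in bytes; None keeps whole packets.
    """
    if not 0 < utilization <= 1:
        raise ValueError("utilization must be in (0, 1]")
    if abs(sum(size_mix.values()) - 1.0) > 1e-9:
        raise ValueError("size_mix fractions must sum to 1")
    wire_rate = link_gbps * 1e9 / 8 * utilization  # bytes/s of frames
    mean_frame = sum(size * frac for size, frac in size_mix.items())
    packets_per_sec = wire_rate / mean_frame
    # Each stored packet costs its (possibly sliced) length plus the header.
    mean_stored = sum(
        ((size if snaplen is None else min(size, snaplen)) + record_overhead)
        * frac
        for size, frac in size_mix.items()
    )
    return packets_per_sec * mean_stored


def retention_hours(disk_tb, **profile):
    """Hours of traffic that fit in disk_tb (decimal terabytes)."""
    return disk_tb * 1e12 / stored_bytes_per_sec(**profile) / 3600


# Constructed traffic mix: half minimum-size frames, half full-size frames.
MIX = {64: 0.5, 1518: 0.5}

if __name__ == "__main__":
    cases = {
        "full packets, no file overhead": dict(record_overhead=0),
        "full packets, pcap records": dict(),
        "sliced to 128 bytes": dict(snaplen=128),
        "sliced to 128 bytes, 30% load": dict(snaplen=128, utilization=0.3),
    }
    for label, opts in cases.items():
        profile = dict(link_gbps=10, utilization=1.0, size_mix=MIX)
        profile.update(opts)
        print(f"{label:32s} {retention_hours(32, **profile):7.1f} h")
```

For this mix, a 32 TB store holds about 7 hours of unsliced 10 Gbps traffic and about 50 hours once packets are sliced to 128 bytes; the gain shrinks as the share of small packets grows, because the per-packet record header is paid regardless of slice length.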
Key Monitoring Points for Network Visibility
Where to Capture
• On the Network
• On the vSwitch
• On a Virtual Tap
• On the VM Guest
On the Network
• Classical switch SPAN port or tap
‒ View traffic in/out of a Host
• The Good:
‒ Familiar configuration and process
‒ “Easy” if you control the network
• The Bad:
‒ Misses intra-host traffic
On the Network
On the vSwitch
• Span port from virtual switch / hypervisor
‒ Dedicated VM guest to receive packets
‒ Potentially external capture
  • Use pNIC as target for SPAN
  • Also RSPAN/ERSPAN
• The Good:
‒ Visibility of intra-host traffic
‒ Built-in to infrastructure
• The Bad:
‒ Capturing on local VM increases IO of net & disk
‒ Still have to know which host for specific VM guest
‒ May violate separation of customer traffic
vSwitch Span Port
With a Virtual Tap
• Tap to manage SPAN on distributed vSwitches
• Integrates with VM control system
‒ Reads orchestration info to find which host for VM guest
‒ Auto-configures capture source
• The Good:
‒ Reduced effort, increased visibility
‒ Should auto-filter for customer traffic separation
• The Bad:
‒ May be VM vendor specific, e.g. only VMware
• Examples: NetOptics, Gigamon, BigSwitch
Virtual Tap Infrastructure
Distributed vSwitch (shared across VM hosts)
Virtual Tap
Capturing Packets in Cloud
• Private Cloud (In-house)
‒ Under your control
  • Functionally similar to distributed VM
‒ If you control the network, you can sniff “anywhere”
  • Legal concerns for customer-owned guest VMs
• Public Cloud / Private Cloud (3rd Party)
‒ Unlikely that you can negotiate net sniffing rights
‒ IaaS VMs can likely sniff their own traffic
  • Non-promiscuous sniffing
  • Restore visibility on per-VM basis
  • You’ll have to re-aggregate traffic among VMs
Capturing on VM Guest
Summary
• 10G technology is ready – needs to make business sense
• Data center architectures are evolving quickly – analysis systems need to keep up
• Plan for 40G, but it’s years away for most
• Faster networking technology and new virtualization and cloud schemes are challenging conventional network monitoring and troubleshooting
• Plan ahead for network infrastructure monitoring and troubleshooting as new solutions are deployed
Q&A
Follow us on SlideShare! Check out today’s slides on SlideShare
www.slideshare.net/wildpackets
WildPackets Corporate Overview
Optimizing Network and Application Performance
Corporate Background
• Experts in network monitoring, analysis, and troubleshooting
‒ Founded: 1990 / Headquarters: Walnut Creek, CA
‒ Offices throughout the US, EMEA, and APAC
• Customers spanning leading edge organizations
‒ Mid-market and enterprise lines of business
‒ Financial, manufacturing, ISPs, major federal agencies, state and local governments, universities
‒ Over 7,000 customers / 60+ countries / 80% of Fortune 1,000
• Award-winning solutions that improve network performance
‒ Internet Telephony, Network Magazine, Network Computing awards
‒ United States Patent 5,787,253 issued July 28, 1998
  • “Apparatus and Method of Analyzing Internet Activity”
Why Our Customers Need Us
• VoIP, video, cloud, virtualization, and key business applications are saturating critical network services
• Evolving network technologies create discontinuities
‒ 1 Gig 10 Gig 40 Gig 100 Gig networks
‒ Wireless, BYOD initiatives
• Users and business can not tolerate network problems for mission critical services
Increasing demand for better real-time network visibility, network analytics, network forensics, and DPI
How We Create Value
We provide innovative, industry-leading, real-time network performance management solutions
‒ Easy-to-use, easy-to-learn user interface
‒ Uniquely extensible solutions
‒ Wireless network leadership
‒ Detailed analytics related to network applications
‒ Fastest network traffic capture appliance in its class
‒ Technical superiority at competitive price point
WildPackets has continually advanced its solution to meet the needs of its customers
Unprecedented Network Visibility
ROOT-CAUSE ANALYSIS
OmniPeek network analyzer performs deep packet inspection and can reconstruct all network activity, including e-mail and IM, as well as analyze VoIP and video traffic quality.
PINPOINT NETWORK ISSUES ANYWHERE
Omnipliance Portable can rapidly identify and troubleshoot issues before they become major problems—wired or wireless—down the hall or across the globe.
UNDERSTAND END-USER PERFORMANCE
TimeLine and Omnipliance network recorders monitor and analyze performance across critical network segments, virtual environments, and remote sites.
NETWORK HEALTH
WatchPoint can manage and report on key device performance and availability across the entire network, from anywhere on the network.
Diagram labels: GLOBAL · DISTRIBUTED · PORTABLE · DPI
A History of Innovation
2001
• First 802.11 wireless analyzer
• First network analyzer with automated expert analysis
2003
• Distributed real-time troubleshooting
2005
• Combined distributed network and VoIP network analysis
2008
• Enterprise-wide Monitoring and Reporting
2009
• Innovative dashboard with drill-down for VoIP and video
2010
• First to achieve 11 Gbps sustained capture-to-disk
2011
• Total visibility with zero packet loss
• First wireless network analyzer to support capture and analysis of 802.11n 3-stream wireless
2012
• Capture, record, and analyze from 40G network segments
• First wireless network analyzer to support 802.11ac, k, r, u, v, w
Product Line Overview
Omni Distributed Analysis Platform
OmniPeek
Enterprise Packet Capture, Decode and Analysis
• Ethernet, 1/10 Gigabit, 802.11, and voice and video over IP
• Portable capture and OmniEngine console
• Aggregate analysis data across multiple capture points
Omnipliance / TimeLine
Distributed Enterprise Network Forensics
• High-performance packet capture and real-time analysis
• Stream-to-disk for forensics analysis
• Integrated OmniAdapter network analysis cards up to 40G
WatchPoint
Centralized Enterprise Network Monitoring Appliance
• Aggregation and graphical display of network data
• WildPackets OmniEngines
• NetFlow and sFlow
Omni Distributed Analysis Platform Software and Turnkey Solutions
• Enterprise monitoring and reporting
‒ WatchPoint Server
‒ OmniFlow, NetFlow, and sFlow Collectors
• Software probes and network recorders
‒ Omnipliance network recorders – Edge, Core
‒ TimeLine network recorders
‒ OmniAdapter analysis cards
• Distributed analysis software
‒ OmniPeek – Enterprise, Professional, Basic, Connect
‒ OmniEngine – Enterprise, Desktop, OmniVirtual
• Portable solutions
‒ OmniPeek network analyzer
‒ Omnipliance Portable
Key New Features in v7
• 40G network support
• Analyze issues from end to end: Multi-Segment Analysis (MSA)
• Collect data from non-technical end users: OmniPeek Remote Assistant (ORA)
• Single, interactive dashboard for utilization, top talkers, top protocols, latency, Experts, flows, and wireless signal strength
• New wireless specifications
‒ 802.11ac, 802.11k
‒ 802.11r, 802.11u
‒ 802.11v, 802.11w
OmniPeek Network Analyzer
• Distributed analysis manager
– Connect to and configure distributed OmniEngines, Omnipliances, and TimeLines
• Comprehensive dashboards present network traffic in real-time
– Vital statistics and graphs display trends on network and application performance
– Visual peer-map shows conversations and protocols
– Intuitive drill-down for root-cause analysis of performance bottlenecks
• Visual Expert diagnosis speeds problem resolution
– Packet and payload visualizers provide business-centric views
• Automated analytics and problem detection 24/7
– Easily create filters, triggers, scripting, advanced alarms, and alerts
Omnipliance Network Recorders
• Captures and analyzes all network traffic 24x7
– Runs WildPackets OmniEngine software probe
– Generates vital statistics on network and application performance
– Intuitive root-cause analysis of performance bottlenecks
• Expert analysis speeds problem resolution
– Fault analysis, statistical analysis, and independent notification
• Multiple issue digital forensics
– Real-time and post capture data mining for compliance and troubleshooting
• Intelligent data transport
– Network data analyzed locally
– Detailed analysis passed to OmniPeek on demand
– Summary statistics sent to WatchPoint for long term trending and reporting
– Efficient use of network bandwidth
• User-extensible platform
– Plug-in architecture and SDK
TimeLine Network Recorder
• Continuous network recording and comprehensive real-time statistical display — simultaneously
‒ 12Gbps sustained capture with zero packet loss
‒ Network statistics display in TimeLine visualization format
• Rapid, intuitive forensics search and retrieval
‒ Historical network traffic analysis and quick data rewinding
‒ Several pre-defined forensics search templates making searches easy and fast
• A natural extension to the WildPackets product line
• Turnkey bundled solution
‒ Appliance + OmniEngine, OmniAdapter, OmniPeek Connect
WildPackets Network Recorders Price/Performance Solutions for Every Application
Portable (Ruggedized, Troubleshooting)
‒ Aluminum chassis / 17” LCD
‒ Dual 2.13 GHz Quad-Core Intel Xeon L5630 "Westmere"
‒ 24GB RAM
‒ 2 PCI-E Slots
‒ 2 Built-in Ethernet Ports
‒ 6TB SATA storage capacity
‒ 4.5Gbps CTD
Edge (Small Networks, Remote Offices)
‒ 1U rack mountable chassis
‒ Quad-Core Intel Xeon X3460 2.80Ghz
‒ 4GB RAM
‒ 2 PCI-E Slots
‒ 2 Built-in Ethernet Ports
‒ 1TB SATA storage capacity
‒ 1.1Gbps CTD
Core (Datacenter Workhorse, Easily Expandable)
‒ 3U rack mountable chassis
‒ Dual Intel Xeon Quad Core E5530 2.4GHz
‒ 6GB RAM
‒ 4 PCI-E Slots
‒ 2 Built-in Ethernet Ports
‒ 8/16TB SATA storage capacity
‒ 3Gbps CTD
TimeLine (Enterprise, Highly-Utilized Networks)
‒ 3U rack mountable chassis
‒ Dual Intel Xeon Quad Core X5560 2.8GHz
‒ 18GB RAM
‒ 4 PCI-E Slots
‒ 2 Built-in Ethernet Ports
‒ 8/16/32/48TB SATA storage capacity
‒ 12Gbps CTD
WatchPoint Centralized Monitoring for Distributed Enterprise Networks
• High-level, aggregated view of all network segments
– Monitor per campus, per region, per country
• Wide range of network data
– NetFlow, sFlow, OmniFlow
• Web-based, customizable network dashboards
• Flexible detailed reports
• Direct link to detailed, packet-based analysis
Comprehensive Support and Services
Standard Support
Maintenance and upgrades
Telephone and email contacts
Knowledgebase
MyPeek Portal
Premier Support
24 x 7 x 365
Dedicated escalation manager
2 customer contacts per site
Plug-in reconfiguration assistance
WildPackets Training Academy
Public, web-based, and on-site classes
Complete curriculum: technology and product focused
Practical applications and labs covering network analysis, wireless, VoIP monitoring and advanced troubleshooting
Consulting and Custom Development Services
Deployment, configuration, and assessment engagement
Systems integration and testing
Application integration, driver, decode, interface development
WildPackets Key Differentiators
• Visual Expert intelligence with intuitive drill-down
– Let computer do the hard work, and return results, real-time
– Packet/payload visualization is faster than packet-per-packet diagnostics
– Experts and analytics can be memorized and automated
• Automated capture analytics
– Filters, triggers, scripting, and advanced alarming system combine to provide automated network problem detection 24x7
• Multiple issue network forensics
– Can be tracked by one or more people simultaneously
– Real-time or post capture
• User-extensible platform
– Plug-in architecture and SDK
• Aggregated network views and reporting
– NetFlow, sFlow, and OmniFlow
24x7 Network Monitoring, Analysis, and Troubleshooting
Thank You!
WildPackets, Inc.
1340 Treat Boulevard, Suite 500
Walnut Creek, CA 94597
(925) 937-3200