In-Depth
How to Get the Best Network Traffic Reports
Probes give you the visibility to effectively monitor the network and boost troubleshooting power to ensure optimal traffic patterns.
Imagine your commute to work. Halfway there, traffic comes to an unexpected halt. You immediately tune into a traffic report. For some reason, the report doesn’t include any information about the road you are on. You listen for the next report, but once again the report doesn’t include any information about your situation. Actually, you notice that it only reports on the same three roads. Now how are you supposed to get out of this jam without knowing what is going on? Before long, minutes turn into hours and it seems like an eternity before you get going again.
That’s exactly what it’s like to monitor a network with insufficient visibility.
The most flexible, economical method of analyzing and monitoring switch-based networks is the distributed analyzer, which consists of any number of probes reporting back to a central console. In this manner, probes provide visibility– -- the traffic reports per se– -- of any segment of the network. Similar to traffic cameras, they observe and collect the data traversing links. The most efficient probes do analysis on site and only send display updates to the console to minimize network overhead. Without probes, you would have to connect a dedicated analyzer to multiple switches, and even then you would have no way of seeing all of the data in a comprehensive view.
Deploying probes across every segment of the network for 100 percent visibility is not practical, and typically not necessary. Imagine having to sit through a report that describes traffic on every single road in the area! Realistically, probes should be deployed on mission-critical links -- in our case, major highways or those roads vulnerable to outside conditions.
Ultimately, where to deploy probes depends on the design of the particular network and where you require visibility. For example, placing probes on the full-duplex links that connect servers or server farms to core switches lets you see all traffic between servers and their clients. Connecting additional probe appliances at the edge of the network will let you focus in on select segments or stations on the network for detailed problem resolution. Deploying a specialized probe on a WAN link makes WAN frames visible in addition to showing all traffic flowing in and out through the link.
The diagram below is an example of probe placement on a “typical” network. Because every network is different, the examples shown may not look like your network, but the concepts demonstrated will be applicable to most situations.
A) Ethernet Probe: An Ethernet probe connected to a switch SPAN or port mirror can show you top network users connected to that switch, help enforce corporate usage policies, and aid in troubleshooting station connections.
B) WAN Probe: A WAN probe deployed via a Test Access Port (TAP) on a WAN link can help to verify service level agreements, monitor for intruders, and aid in troubleshooting branch office connections.
C) Gigabit Trunk Probe: A trunk-aware probe deployed via a TAP on a trunk can show server, link, and application performance as well as aid in tweaking and troubleshooting trunk performance, and troubleshooting station connections.
D) Wireless Probe: A wireless probe helps to detect security threats, detect and shut down rogue access points, and troubleshoot 802.11 connections.
Failure to deploy probes in the right places on the network can result in blind spots, which can lead to inefficient troubleshooting and expensive mistakes. Deploying probes at critical areas on the network should give you sufficient visibility and the confidence that you are getting a comprehensive and accurate picture of the network.
However, even if probes are deployed at the most effective places on a network, they only show your analyzer the data that is visible to those probes. An Ethernet probe, for example, is limited to what a particular switch’s SPAN can deliver. SPAN ports do not report errors and will drop information if bandwidth utilization is high. Using a TAP on designated links will provide all data– -- including errors– -- that traverse that link, even if bandwidth is running at maximum capacity. Therefore, you are less likely to be caught off -guard. So TAPs are essential on critical links (major metropolitan roads) while SPANning may be sufficient on less critical links (smaller, less- traveled county roads).
Nobody likes to sit in traffic. Understanding traffic patterns and conditions could help you quickly get out of a jam or even avoid it in the first place. Deploying probes that are connected to a switch or TAP gives you the visibility to effectively monitor the network and boost troubleshooting power to ensure optimal traffic patterns
About the Author
Charles Thompson, manager of sales engineering for Network Instruments, LLC (http://www.networkinstruments.com), works with the Network Instruments sales organization to provide technical expertise and in-depth product information to enterprise accounts. Network Instruments is a leading developer of user-friendly and affordable network management, analysis, and troubleshooting solutions.