Reverse Network Analysis: Simple Solutions for Complex Networks

Troubleshooting network problems is easier thanks to retrospective network analysis, tools that let you go back in time to reconstruct failures.

by Charles Thompson

While network complexity and bandwidth demands continue to increase, applications such as VoIP carry larger performance requirements. Now more than ever, network administrators require versatile monitoring and analysis tools to quickly troubleshoot business-critical operations and monitor security and compliance. Retrospective network analysis (RNA) tools that let you go “back in time” to reconstruct failures or attacks offer distinct advantages over real-time-only analysis tools.

RNA allows IT professionals to quickly browse backwards through massive amounts of network traffic. It also allows network engineers to view breaches and anomalies exactly as they occurred, within the context of other activities on the network, thus sidestepping the labor-intensive step of trying to re-create problems to troubleshoot them. This requires that all network traffic is efficiently captured and stored, in much the same way a convenience store uses a video security system.

The transformation of enterprise networks into complex webs comprising multiple technologies and topologies, with users from hourly employees to CEOs demanding flawless, department-specific functionality, makes the job of network managers increasingly difficult.

Improved hardware reliability has made the network engineer’s job more complex. Instead of finding and replacing hardware that has clearly failed, network engineers need to solve an increasing number of intermittent problems, often at the application transaction level.

Still, IT professionals continue to waste valuable time, energy, and resources gathering information in an attempt to replicate intermittent problems or enforce security and compliance regulations.

Growing IT demands bring new concerns. According to a recent Network Instruments survey, nearly 70 percent of IT administrators are concerned about increased network complexity. Nearly the same percent expressed concern about an increasing volume of network traffic, and over half said their most common problem is a lack of information about network problems and their causes.

Appliances are capable of storing terabytes of packet-level traffic collected from a variety of full-duplex network topologies, including WAN, LAN, Fibre Channel, wireless, gigabit, and 10 Gigabit (10 GbE). Select appliances perform real-time processing and analytics at the probe rather than transferring packet captures over the network to the console.

Some vendors charge extra for functionality that others include. Those in the market for an RNA solution should look for products that include features such as VoIP analysis and call scoring, real-time analysis on the probe, stream or application reconstruction, and the option to offload to SANs.

RNA acts like a TiVo for the network, changing the way administrators conduct analysis. Traditional real-time packet capture and analysis gives network administrators insight into their networks via packet-level protocol decode and analysis. While these tools are useful when managing any mid- to enterprise-level network, using them to provide enough information to solve subtle or sporadic problems is an arduous task. What’s more, the ability to witness a compliance violation or security breach is limited to those lucky enough to be watching when it happens. RNA acts like a 24/7 surveillance camera—it is far easier to find the culprit using a stored video of the crime than just a photograph.

There is more to RNA than just capturing and storing the traffic. To truly be useful, a tool should make it easy to find the relevant connection or time period. RNA for the enterprise should also provide IT staff with the drill-down detail necessary for isolating problems to particular protocols, applications, servers, and stations. They should be flexible enough to monitor any topology and, for true network forensic analyze using Snort-style rules.

The benefits of employing an RNA solution are numerous and tangible:

  • Higher network availability
  • Improved ability to conduct business efficiently and effectively
  • Satisfied customers and employees
  • Ability to validate and provide evidence for compliance and security issues streamlines enforcement process

RNA can also be used for planning, rollout, and performance-management stages for new applications such as VoIP, by taking advantage of monitoring and trend data to determine exactly how applications affect the network. Preliminary testing can save an enterprise the costs and headaches associated with a problematic application rollout.

Finally, the comprehensive functionality of RNA lets IT staff spend less time attempting to recreate problems and spend more time on proactive planning. In short, reduced downtime plus faster problem resolution equals a rapid return on investment. Many organizations currently use RNA technology to provide better service and improved security to customers and employees in a way that saves time and money.

Traditional protocol analyzers have evolved over time, adding features and capabilities in a natural progression. RNA is a different type of innovation: it is a true paradigm shift in network monitoring, security, and analysis technology.

- - -

Charles Thompson is senior systems engineer for Network Instruments, LLC where he provides technical expertise and in-depth product information to enterprise accounts. Charles can be reached at .