LMTV LIVE | How to Improve Network Performance (with Keith Bromley and Jim Sullivan)

Keith Bromley from Keysight Technologies (formerly Ixia) and Jim Sullivan from ExtraHop will be talking about how to use network visibility to improve network performance. In short, network visibility is what enables you to quickly isolate and resolve performance issues; ultimately ensuring the best possible end-user experience.


Since tactical data loses 70% of its value after 30 minutes, the speed and accuracy of data analysis is critical. A proper visibility architecture addresses the strategic end-to-end monitoring goals of the network, whether they are physical, virtual, out-of-band, or inline security visibility.

Some key thoughts we will discuss during the event:

  • A Visibility Architecture is an end-to-end infrastructure which enables physical and virtual network, application, and security visibility
  • There are four keys areas of a visibility architecture:
    • Proper access to the data you need using taps, virtual taps, and bypass switches.
    • Filtering capability to maximize the flow of relevant information to your monitoring tools. NPBs are enable:  data aggregation, filtering, deduplication, and load balancing of Layer 2 through 4 (of the OSI model) packet data.
    • Application intelligence functionality allows additional filtering and analysis at the application layer, i.e. Layer 7 of the OSI stack. These capabilities give you quick access to information about your network and help to maximize the efficiency of your tools.
    • The final layer is made up of your security and monitoring tools. These devices are typically special purpose tools (e.g., sniffer, NPM, APM, etc.) that are designed to analyze specific data. The output from these tools is typically used by network engineers to make their decisions
  • APM tools can provide real-time data analytics to help you manage your network. This lets you see problems before your users do.
  • Anomaly driven data flows allow you to quickly isolate potential problems
  • A visibility architecture typically yields immediate benefits such as the following:  eliminating blind spots, reducing costs while maximizing ROI, and simplifying data control

Join us for the first of several discussions to learn how to unleash the power of network visibility.

If you can’t make it to the event, watch the podcast on-demand or check out some of these free resources.

Guest Host

Picture of Paul OffordHost Profile - Paul Offord is the CTO at performance and stability specialists, Advance7.  He has had a 40-year career in the IT industry that includes roles in hardware engineering, software engineering and network management. Prior to founding Advance7, he worked for IBM, National Semiconductor and Hitachi Data Systems.

Paul is currently leading the TribeLab project to explore new ways to help IT support people troubleshoot performance and stability problems.

[Analysis] Full Duplex Capture in SCADA and Industrial Control Networks (by Thomas Tannhäuser and Alexander Pirogov)

Why SPAN Ports Should Not be Used in Security Solutions


The convergence of IT and OT (Operational  Networks) in the context of Industry 4.0 has led to a crowded market of security solutions targeting the shop floor on different levels. While the security of the legacy IT systems was part of the initial planning of those systems, the industry now faces the challenge to integrate security solutions in legacy OT systems.

Image-1Figure 1: Layers of a typical automation system using Profinet

At least for the lower levels of the Industry 4.0 infrastructure, (control and device level) security solution vendors tend to use the mirror/span ports offered by the network switches to integrate their solutions into the infrastructure.

Here I will explore why those mirror ports shouldn't be used to build security solutions. Based on the hardware commonly used in Industrial Networks, we will specifically look at:

  • How it all works
  • Why a mirror port will drop frames even if a link is not saturated

Saturation Overload

We came across some research data Garland posted from Packet Pioneer that said a mirror port will drop up to 8% of good frames and could be a lot more. Not Good!

I took a deep breath because an 8% loss is a lot, especially if you are going to build security applications on top of the mirrored network traffic from systems using Profinet in different flavors (configuration, real-time and alarm IO).

I continued reading and calmed down, in their research, they used iperf to saturate a link that was mirrored at the same time. Saturation means the system is in an overload condition, so drops are acceptable. And every network engineer will agree, that using more than 80% of the bandwidth of an Ethernet link will result in weird behavior at some point.

But I couldn’t get past these questions, ‘What happens, if only small frames are transmitted?’ The average frame size in industrial networks is ~130 bytes, (calculated from a sampling of shop floor traces containing mostly Profinet) but the aforementioned test was done using 1500 byte frames (iperf usually uses TCP and that will send the data in chunks of MTU size).

‘What if we use more than one link?’ On the process level usually one controller talks to a number of IO-devices via one switch.

Image-2Figure 2: Process level - Profinet master and IO-Devices

In the context of industrial automation systems a test setup using a one-to-one connection running 1500 byte frames does not reflect a common scenario. And regarding automation systems, what if the traffic on those multiple links shows different bandwidth patterns?

Test Setup

Keeping those questions in mind I built a small test setup based on the open source network traffic generator and analyzer Ostinato. This tool offers a nice interface to create well defined streams of Ethernet frames for multiple network interfaces while intercepting traffic at the same time.

This is not a hardware frame generator, but capable of handling multiple 100 Mbps streams with relative low-tech network interface cards. 100 Mbps is absolutely sufficient for running tests against network switches commonly used on the lower levels in a shop floor automation environment, as this is the usual network speed used there.

Want to see the test details and results?

Read Thomas' tech note on Full Duplex Capture in Industrial Networks to learn the best practices for using network TAPs in Industry 4.0 security applications. (https://hubs.ly/H09HqD80)

 Garland’s post: https://www.garlandtechnology.com/blog/full-duplex-capture-in-industrial-networks


Authors - Thomas Tannhäuser and Alexander Pirogov are regular writers for the www.garlandtechnology.com .They are both Technologists and Network Experts.

How TCP Works - MTU vs MSS (by Chris Greer)

Hey packet people! 

There is a big difference between the Maximum Transmission Unit (MTU) on an ethernet connection or IP interface and the Maximum Segment Size in TCP. In this video we will take a look at how and where each is set, how it impacts the encompassed data, and how the network can adjust these settings. 

These core concepts will help when troubleshooting broken or slow connections due to MTU or MSS. 

Hope it helps in troubleshooting with Wireshark! 

Continue reading "How TCP Works - MTU vs MSS (by Chris Greer)" »

How To Improve Network Security and Performance (by Keith Bromley)

How To Improve Network Security and Performance 

As you may have seen, I like to talk a lot about network visibility – what it is and what the benefits are. Therefore, I often get the question, “So, how can I specifically use network visibility to solve my problems?” – sort of a Jerry Maguire “show me the money” type of question. The short answer is that there are lots of use cases available, it simply depends upon what your individual needs are. Let me show you.

Hopefully you have heard of the term “network visibility” by now. It has become commonplace over the last year or so. If not, network visibility is simply the ability to see what your network is doing and how it is performing. You can get a longer narrative of the definition here and free resources on network visibility are available here. While some might think that network visibility is a non-issue these days. It’s actually not. Many networks have had, and continue to have, network problems such as:  downtime, slow running applications, missing data, expensive troubleshooting activities, and security breaches.

The first half of the solution to this problem is straight forward. You should consider implementing a visibility architecture. This approach allows you to integrate your network architecture with your security architecture so that you can capture all of the data that you need. The right data is crucial to minimizing (and even preventing) downtime, repairing the network as fast as possible, meeting and exceeding your internal and external customer SLAs, and maximizing your network security.

The second half of the solution is to implement the right technology and processes to solve your problems. Basically, what can you, and what should you, implement? Let’s look at this subject in further detail.

First, you need to figure out what your specific trouble areas and blind spots are. You may already know about several of your problem areas. At the same time, you probably do not know what you do not know. So, there may be some hidden problems as well. These areas, called blind spots, are where you can’t tell (or don’t know about) that there is an issue. There are numerous sources for blind spots including:  the use of cloud networks, silo IT, rogue IT, mergers and acquisition with different networks and applications, etc. You can get more details on blind spots in this article .

Once you figure out what your problems areas are, take a look at this free resource. This resource examines 6 different categories of solutions that resolve different types of known problem areas and/or blind spots. These areas include:

  • Network security improvements
  • Cost containment capabilities
  • Enhanced troubleshooting efforts and network reliability
  • Removal of network blind spots
  • Optimization of Network Performance
  • Strengthening of regulatory compliance initiatives

In fact, the book contains 68 different examples of what you can do (i.e. use cases), broken down by those six categories. Some examples are:

  • How to expose indicators of compromise
  • How to make inline security tool deployments more reliable by using High Availability
  • How to reduce/eliminate the need for Change Board Approvals and crash carts
  • How to use application intelligence to conduct proactive troubleshooting
  • How to simplify inline SSL decryption by using an NPB with integrated decryption
  • And many others

Once you read the book, you will have a very good of what you should do and how to go about improving network operations. It shows you how to combine taps, bypass switches, network packet brokers, application intelligence, and security and monitoring tools to achieve your security and monitoring goals.

If you want more information on this topic, click here to see a list of resources that also might help you, especially if you want more details of the various use cases described in the book.

KeithAuthor: Keith Bromley is a product marketing manager for Ixia, Inc., with more than 20 years of industry experience in marketing and engineering. Keith is responsible for marketing activities for Ixia’s network monitoring switch solutions. As a spokesperson for the industry, Keith is a subject matter expert on network monitoring, management systems, unified communications, IP telephony, SIP, wireless and wireline infrastructure. Keith joined Ixia in 2013 and has written many industry whitepapers covering topics on network monitoring, network visibility, IP telephony drivers, SIP, unified communications, as well as discussions around ROI and TCO for IP solutions. Prior to Ixia, Keith worked for several national and international Hi-Tech companies including NEC, ShoreTel, DSC, Metro-Optix, Cisco Systems and Ericsson, for whom he was industry liaison to several technical standards bodies. He holds a Bachelor of Science in Electrical Engineering.

Oldcommguy dubs Keith "One Of The Good Guys" in today's technology!

Please note - Keith has many other popular articles on WWW.Lovemytool.com - and on Ixia.com









Wireshark Capture Interface Issue (by Tony Fortunato)

When I first started my website I had a whole section on product ‘issues’ or ‘bugs’.

My intent was to help my clients, subscribers, while reducing the number of emails I get about these issues.  Over the years, I found it to be too much work to maintain since I introduced more tools to my website.

In the past 2 years, I have eliminated almost all vendor specific tool webpages from my site that contained tips, tricks and bugs.

Wireshark is still one of the primary tools I use in the field and still do private training or presentations with it, so I thought I would keep that section on my website.

In this video I explain an issue I ran into recently with the default capture interface setting. The purpose of the video is to document the issue and help anyone who may encounter this issue.

Let me know if you find this helpful and I will create more along with my usual tips and tricks.




Continue reading other LoveMyTool posts by Tony Fortunato »

How TCP Works - Window Scaling

Hello packet-heads! 

In this video we will look at the window scale option in TCP. How does this feature improve performance across high-bandwidth, high-latency connections? How does Wireshark come up with the Calculated Window Size field? How can we set the scale factor if we missed the handshake? 

We'll answer all of these questions and more in this nine minute video. 


Continue reading "How TCP Works - Window Scaling" »