Don't Just Go with the Flow: When Traditional Flow-Based Monitoring Is Not Enough
Enterprise network monitoring presents many complex challenges, with widely varying requirements based on the unique network architecture of each individual enterprise. Fortunately, there are a variety of tools and methods to meet almost any need. Flow-based monitoring solutions are by far the most popular, with at least 30-40 different vendors offering flow-based network monitoring products. These solutions can collect a relatively detailed set of network performance data and provide a long-term record of network behavior, all based on data already available from the network infrastructure itself.
However, the data presented may not always be 100% accurate. Some flow-based technologies rely on sampling, and even those that typically don’t can revert to a sampling mode when networks get busy. After all, you’re relying on your network infrastructure (switches and routers) as the data source, so when the network gets busy and a switch or router becomes taxed, it will prioritize providing network services at the expense of supplying flow-based data. This could mean simply reverting to a sampling mode, which is inherently not 100% accurate, or it could mean entire lapses in flow-based reporting, right when you need it most!
Flow-based reporting also utilizes a less reliable network protocol to transport data from the source to the flow-based data collector. Most network communication is done using TCP, which includes mechanisms for confirming receipt of information, and resending information when that confirmation is not received. Flow-based technologies use UDP, which just sends the data stream once, come what may. Though typically not a big issue, this can result in packets being dropped in the flow-based data stream, adversely affecting the quality of the resulting network monitoring data.
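As an added example (not part of the original article and not a WildPackets tool), the following Python audits a stream of NetFlow v5 export datagrams for the three accuracy problems just described: records lost in transit (sequence gaps), exports produced in sampling mode, and lapses in reporting. It assumes the published v5 header layout; the "sampled" test (nonzero mode or interval above 1) and the two-interval lapse threshold are my own choices, and the datagrams are constructed headers without flow records.

```python
import struct

# NetFlow v5 export header (24 bytes, network order): version, count, sys_uptime,
# unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling_interval.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_MAX_RECORDS = 30  # a v5 datagram carries at most 30 flow records


def parse_header(datagram: bytes) -> dict:
    """Decode the v5 header into the fields the audit needs; reject malformed input."""
    if len(datagram) < NF5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    ver, count, _up, secs, _ns, seq, _et, _eid, samp = NF5_HEADER.unpack_from(datagram)
    if ver != 5 or count > NF5_MAX_RECORDS:
        raise ValueError(f"not a plausible v5 header (version {ver}, count {count})")
    # sampling_interval field: top 2 bits = sampling mode, low 14 bits = 1-in-N interval
    return {"count": count, "secs": secs, "seq": seq,
            "samp_mode": samp >> 14, "samp_interval": samp & 0x3FFF}


def build_header(count: int, seq: int, secs: int, interval: int = 0, mode: int = 0) -> bytes:
    """Constructed header-only datagram for offline testing (flow records omitted)."""
    return NF5_HEADER.pack(5, count, 0, secs, 0, seq, 0, 0, (mode << 14) | interval)


def audit_export_stream(datagrams, export_interval_s: int = 60) -> dict:
    """Walk datagrams in arrival order and count lost records, sampled exports and
    reporting lapses (exporter silent for more than two export periods)."""
    expected_seq = last_secs = None
    lost = sampled = lapses = 0
    for d in datagrams:
        h = parse_header(d)
        if expected_seq is not None:
            # flow_sequence counts records, not datagrams, so a dropped UDP datagram
            # shows up as a gap equal to the records it carried (modulo 32-bit wrap)
            lost += (h["seq"] - expected_seq) % (1 << 32)
        expected_seq = (h["seq"] + h["count"]) % (1 << 32)
        if h["samp_mode"] != 0 or h["samp_interval"] > 1:
            sampled += 1  # counters in this datagram are estimates, not exact totals
        if last_secs is not None and h["secs"] - last_secs > 2 * export_interval_s:
            lapses += 1
        last_secs = h["secs"]
    return {"datagrams": len(datagrams), "lost_records": lost,
            "sampled": sampled, "lapses": lapses}
```

Running the audit on the collector side turns "UDP may drop exports" from a vague caveat into a measured count of records the reports are missing.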
In addition to issues with data accuracy, high-level monitoring with just flow-based technologies like NetFlow or sFlow provides insufficient data for rapidly pinpointing and troubleshooting network issues that may arise. Flow-based technologies show what is going on, but not why it is happening. And without the “why,” you cannot achieve root cause analysis for problems on the network.
To achieve the granularity of data analysis needed to properly manage and troubleshoot an enterprise network, it’s necessary to utilize solutions that analyze all of the network data, completely, to provide not only the picture of what is going on now, but why it’s happening.
Enter OmniFlow. OmniFlow leverages packet-based analytics from WildPackets network probes and recorders, providing a detailed, 100% accurate view of all network activity. Combine that with NetFlow and sFlow reporting and you have a single solution that spans network monitoring to detailed network troubleshooting. Below we will discuss how you can use this integrated system to better manage all key network functionality.
What is OmniFlow?
OmniFlow is a rich set of network-based statistics unlike that from any other flow-based technology. OmniFlow leverages the analytical power of WildPackets network probes and network recorders, providing not just traditional flow-based information on utilization, ports, and nodes, but adding detailed fault analysis (Expert analysis) and VoIP reporting based on real-time, packet-based network analysis. Because OmniFlow analyzes both the header and the payload for each and every packet, it provides a much deeper set of network statistics. WildPackets Experts automatically identify network anomalies as they happen, at whatever layer of the OSI model, and correlate this information with the network flows exhibiting the anomalous condition. WildPackets VoIP analysis provides a complete set of VoIP statistics for all of the calls on your network, with drill down into each and every call, all while continuing to monitor the network for traditional data network anomalies. With OmniFlow data you'll see not only the spike in your utilization, but the causes of the anomaly as well, all from the same network monitoring dashboard.
Performing real-time analysis
The basis of OmniFlow data is packet-based analysis, which is substantially different from flow-based statistics. With flow-based statistics, a network device like a switch or router carves out some cycles to perform analysis on packet headers as they traverse the device. Each packet is categorized into flows based on things like source and destination IP, source and destination port, etc. The network device then carves out some memory to keep track of each flow that it detects, and periodically, typically every minute, sends the results of the flow analysis to a dedicated collector which stores and further processes the data. The weakness here is that the data available for analysis is limited to the metadata developed from the packet headers as analyzed by the network device. Additionally, since neither the packets nor the headers were saved by the network device, there is no data available for further analysis. In other words, what you see is what you get.
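To make the flow-cache model described above concrete, here is an added Python sketch (my own simplified model, not WildPackets or any vendor's code) of a per-device flow cache with deterministic 1-in-N sampling. The traffic is constructed; the example shows that only 5-tuple counters survive into the exported records, and how sampling can distort or lose a flow entirely.

```python
from collections import defaultdict
from typing import NamedTuple


class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    length: int
    payload: bytes  # never reaches the cache; included only to make the loss explicit


class FlowCache:
    """Simplified per-device flow cache: a 5-tuple key maps to packet/byte counters."""
    def __init__(self, sample_rate: int = 1):
        self.sample_rate = sample_rate  # 1 = every packet; N = deterministic 1-in-N
        self.seen = 0
        self.flows = defaultdict(lambda: {"packets": 0, "bytes": 0})

    def observe(self, pkt: Packet) -> None:
        self.seen += 1
        if self.seen % self.sample_rate:
            return  # not selected by sampling: nothing about this packet survives
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        self.flows[key]["packets"] += 1
        self.flows[key]["bytes"] += pkt.length

    def export(self) -> dict:
        """Periodic export: scale sampled counters back up, then clear the cache."""
        records = {k: {"packets": v["packets"] * self.sample_rate,
                       "bytes": v["bytes"] * self.sample_rate} for k, v in self.flows.items()}
        self.flows.clear()
        return records


def constructed_traffic() -> list:
    """13 packets: a 10-packet bulk transfer (A) interleaved with 3 small DNS queries (B)."""
    a = Packet("10.0.0.5", "10.0.0.9", 51000, 443, 6, 1500, b"<tls record>")
    b = Packet("10.0.0.5", "10.0.0.53", 40000, 53, 17, 60, b"<dns query>")
    return [a, a, a, b] * 3 + [a]


def export_with_sampling(packets, sample_rate: int) -> dict:
    cache = FlowCache(sample_rate)
    for p in packets:
        cache.observe(p)
    return cache.export()
```

With 1-in-4 sampling the constructed traffic exports only the DNS flow, scaled to 720 bytes, while the 15000-byte bulk transfer never appears, which is the kind of error the text warns about.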
Since OmniFlow is based on detailed packet-based analysis, of both the full header and the payload, from an appliance dedicated to the task, detailed data is available both for initial network monitoring and detailed network analysis when the need arises.
Detailed Network Analysis and Troubleshooting
At first glance, the network monitoring data reported by OmniFlow looks exactly like that available from flow-based systems. This is by design. OmniFlow data may not always be available, so it’s important to be able to combine OmniFlow data with flow-based data for aggregated reporting across all network segments. The system is able to display overall utilization for each and every network segment, in any combination and over any time range. It quickly analyzes top talkers and top applications, again over any combination of network segments and time range. It can drill into any available data, allowing more and more detailed reporting. But OmniFlow data is required when it comes to detailed network analysis and troubleshooting. The OmniFlow sources allow additional dashboards, like VoIP and Expert event reporting, that provide much more detailed information about the network. And when you see a spike in utilization, or a top talker that needs additional analysis, you can link directly back to the source of the packets, and, if still available, the packets themselves to perform extremely detailed analysis on the event in question.
Flow-based reporting is an extremely convenient method for performing overall network monitoring. But what happens when the resulting reports indicate potential problems? How do you access the detailed information necessary for true root-cause analysis? OmniFlow answers the question by providing the same level of statistical reporting available in traditional flow-based systems, while also providing detailed fault analysis and VoIP data. And when the source of the data is a network recorder, direct access to the packets that generated the network problem is just a few clicks away. Why invest in two systems, one for network monitoring and one for troubleshooting, when a single system, based on OmniFlow, can handle it all?
Author Profile - Jay Botelho is the Director of Product Management at WildPackets, Inc., a leading network analysis solutions provider for networks of all sizes and topologies. Jay holds an MSEE, and is an industry veteran with over 25 years of experience in product management, product marketing, program management and complex analysis. From the first mobile computers developed by GRiD Systems to modern day network infrastructure systems, Jay has been instrumental in setting corporate direction, specifying requirements for industry-leading hardware and software products, and growing product sales through targeted product marketing.