43 posts categorized "Data Visualization"

Give me PACKETS!! (by Mike Canney)


I have been troubleshooting “network” problems for over two decades, from mom and pop small businesses to Fortune 10 companies: literally thousands of companies. As far as tools go, I’ve used just about all of them, from the Network General Sniffer, Novell LanAlyzer, Optimal’s Application Expert/Vantage, Compuware Ecoscope and Cinco NetXray to Wireshark and back.

You would be hard pressed to find something that is somewhat mainstream that analyzes packets that I haven't used to find and solve network and application issues. I have also used the majority of the popular APM/NPM tools on the market for monitoring network and application performance (I won’t list them). The one thing they have in common is that they’ve all been useful in their own right: they give a high-level understanding of what traffic is on the network and an inkling of ‘potential’ application performance issues.



What Do TCP/IP Selective Acknowledgments (SACKs) Look Like? (by Phillip Storey)

Part 1: Investigating Simple Selective Acknowledgements (SACKs)

In this video, the aim is to help improve our understanding of TCP/IP Selective Acknowledgements (SACKs) and how they are different to “Normal” TCP/IP Acknowledgements (ACKs). 

How does Wireshark tell us about them and how should we interpret that information?


(Figure: Wireshark SACKs view)

SACKs are much easier to understand if we have a diagram. I’ll be using charts from a packet analysis application called NetData to help me explain.

This is the first article of a proposed series that I have called:

Understanding Wireshark Outputs with NetData Charts



Metadata - We all need it now! (by Darragh Delaney)


Not so long ago, flow analysis was one of the tools of choice when it came to troubleshooting security or operational problems on networks. Many vendors developed tools which could take these flow records and store them in a database, so that you could get real-time and historical reports.

However, metadata analysis is now seen as the must-have piece of technology for keeping modern networks running both securely and efficiently. Metadata analysis systems typically use network traffic or packets as a data source, which you can source via SPAN or mirror ports or TAPs. The clever part of metadata analysis is data reduction: you take raw network traffic and capture only the interesting pieces of data, like IP addresses, website names or filenames. In some instances you end up with a 4000:1 compression ratio. For example, if I transfer a 4MB file across the network, I may capture 1KB of metadata.

See your network

The screen shot below from our own (NetFort) LANGuardian system is a good example of this data reduction.



How To Combat Monitoring & Security Tool Overload! (by Keith Bromley)


I have a fundamental question for you. Are you managing your security and monitoring tools or are they managing you? We all want to say that WE are in control, correct? Unfortunately, data from two EMA investigations shows that this might not be the case. It is summarized in this infographic – How to Combat Monitoring and Security Tool Overload.

The number of security and monitoring tools that IT personnel use is increasing. According to the EMA Network Management Megatrends 2016 Report, the average number of security and monitoring tools used by an “average” enterprise (1,000 to 4,999 employees) ranges anywhere from 4 to 15 different tools. In 2014, the average enterprise used 3 to 10 different tools (according to EMA). So in two years, there has been an increase of around 25 to 30% in the number of tools being used.

This causes IT several problems like:  

  • Getting the proper access to good quality monitoring data
  • The sheer volume of tools makes it hard for IT to manage them
  • And a mixture of virtual and physical tools is making the situation even more confusing


Cisco ASA Behaviour with Packet Losses and Overtaking - Using NetData visibility (by Bob Brownell)


A question posted to ask.wireshark by wdurand in September asked why reading a file across a WAN from a NetApp file server was slower than the equivalent write operation:


The network path included a Cisco ASA, and an explanation for the slow transfer requires an understanding of ASA behaviour. We present here our analysis of similar ASA behaviour, drawing on a pair of concurrent captures taken from both ends of a network path that traversed an ASA, from an Oracle database server to a client workstation. System behaviour is illustrated with NetData charts.




The Importance of Lossless Visibility! (by Keith Bromley)


Does lossless visibility really matter for monitoring tools? 

They’re supposed to be able to handle lost packets, corrupt packets, data gaps, etc., right?

Well, the answer is kinda, sorta, absolutely NO!

Security and monitoring tools are only as good as the data they see, or don’t see. Some tools have capabilities to help them “tolerate” missing data but that is a flawed theory and here’s why.

Missing data can lead to missed or false positive security threats, longer and more costly troubleshooting efforts, and lower customer satisfaction ratings. According to the 2016 Verizon Data Breach Investigation Report, most victimized companies don’t discover security breaches themselves. Approximately 75% have to be informed by law enforcement and third parties (customers, suppliers, business partners, etc.) that they have been breached—they had no idea the breach had happened. It’s hard enough to defeat modern network security threats; you don’t want to start off with limited network visibility. But that’s exactly what happens if your monitoring solution (which includes your taps, SPANs, and network packet brokers) does not feed your security and monitoring tools the correct data. For instance, check out this report from the Tolly Group about how one network packet broker drops packets and doesn’t even report it.

(Figure: Visibility target)

Other than missing your target reason for network visibility!

The following list shows some examples of why lossless visibility is important:
