NetScout Network Time Machine™ Series
High-performance network traffic recorders for critical link analysis, network forensics and back-in-time troubleshooting.
Application infrastructure, like the network, is distributed and diverse. Traditional network monitoring solutions that provide connectivity and resource availability metrics are no longer sufficient to fully understand the factors that affect consistent application performance to users. When application performance degrades, network engineers need tools that can be quickly and economically deployed to provide full visibility into all events at key aggregation points, so that they can assess where the impact was felt and quickly isolate the fault domain: server, network or client. Furthermore, network engineers need to support application developers and system administrators by providing the evidence to resolve the problem. The Network Time Machine answers these needs by providing instant high-level visibility of which applications and users are affected, plus detailed flow and packet level analysis.
The Network Time Machine is available as either a portable or a rackmount unit. Portable NTMs are ideal for filling gaps in forensic visibility when troubleshooting or assessing network problems. The rackmount NTM, with its higher performance and larger storage capacity, is designed to monitor critical links for long-term forensic needs. Both the portable and rackmount platforms support 1/10G interfaces.
Network Time Machine is an all-in-one appliance that supports real-time monitoring and back-in-time analysis
Application performance analysis
- Capture cards with high performance 1 and 10 Gbps interfaces allow accurate traffic recording, including physical errors and jumbo frames
- Real-time application monitoring alerts you to performance problems in network and application health
- Performance Bottleneck Analysis with back-in-time metrics graphically guides the user to the problem domain across applications, sites and servers
- Onboard application-centric analysis engine provides in-depth analysis of SQL, Oracle, LTE, MS Networking (SMB), VoIP, DNS, FTP, HTTP, POP3, Telnet, SMTP, SNMP, MS Exchange and Citrix from recorded packets
- Built-in Wireshark™ decodes provide support of dozens of additional protocols used in telecom and enterprise environments
Multi-segment network analysis
- Merges and analyzes flows captured from different locations and generates a multi-segment bounce chart. Quickly visualize and isolate the root cause of network problems, such as packet drop or abnormal network latency
- Auto-sync function compensates for the variation between system clocks of capturing devices in network segments facilitating analysis even if the capturing device is out-of-sync
- Supports clock synchronization from external sources: GPS or NTP
Network Time Machine’s stream-to-disk technology efficiently records and indexes network traffic for quick identification and analysis on the built-in ClearSight Analyzer
- Ethernet traffic is captured from multiple ports at full line rates by FPGA-based capture card (hardware filters supported)
- Entire frames are sent to the PacketStore (disk array) for storage and post analysis
- Entire frames are also sent to the various analytical and real-time monitoring engines that process, classify and index data – this information is stored in the metadata database
- The Atlas software interface provides access to the network metadata information to quickly identify the application flow in question
- For troubleshooting and in-depth network analysis, the ClearSight Analyzer provides packet view, which facilitates fundamental protocol, multi-segment flow analysis and content playback
VoIP performance analysis
- Realtime QoS, call type and codec analysis classification
- See call setup problems (e.g. can’t connect, busy) without needing to see packet decodes
- Drill-down to see which users (by phone number) are affected by poor quality or call setup issues
- Seamless extraction of packets from SIP or H.323 call setup to RTP and RTCP stream
- Playback voice and video simultaneously for problem verification including out-of-sync video and audio tracks
Compliance/security forensics
- See when a suspect host exhibits activities and who it talked with
- Pattern matching with free offset, and application/flow based filtering to quickly extract relevant flow in the captured traffic
- Bounce charts to show detailed transactions between suspect and target
- FTP, messaging, email, voice or video can be played back to quickly gather the evidence required for action
Key Features
Intuitive Application Performance Bottleneck Analysis reduces time to setup and fault domain isolation
The Network Time Machine (NTM) automatically discovers applications and reports performance trending metrics by server, network and client site. The unique Performance Bottleneck Analysis (PBA) displays server, network and client site time for each TCP flow. PBA metrics show where application time is spent, immediately identifying the root cause of application performance complaints. In addition, the NTM also shows how related performance metrics change over time, allowing identification of the fault domain to a specific server or network. The packet extraction process is integrated with the UI so that the set of flows exhibiting the problem can be quickly analyzed. Once the relevant packets are extracted, the NTM guides users from application to flow to transaction views using an intuitive drill-down process. Bounce charts give a clear indication of how transactions traverse over time and indicate problem packets without going into decode view. The result is increased operational efficiency through a reduced learning curve, shorter time to domain isolation and quicker root cause resolution.
NetScout's Performance Bottleneck Analysis (PBA) is based on a patent-pending algorithm in which the analyzer isolates the time that a flow spends with the server, network and client. The algorithm requires one measurement point in the network near the end-point, such as the server or client. This speeds troubleshooting time as it does not require measurements at two locations to determine change in network latency.
Enhanced reporting and analysis of key performance indicators (KPIs)
With minimal configuration, the Network Time Machine trends KPIs over time for servers, applications and sites. These indicators include:
- Data volume
- Retransmissions
- Connections
- Throughput
- TCP resets
- Excessive retransmissions by site or server
- Zero window events
The Performance Bottleneck Analysis function of the NTM V8.0 shows the average time application flows (for example, SMTP and HTTP) spent on the server and network. The bottom graph area indicates a sudden increase and return to normal in server time during the analysis period.
Users can go back in time to review performance metrics even when the underlying packets have been aged out and replaced with more recent traffic.
Many performance report templates are available, and can be further customized. Reports can be scheduled daily, or created on demand for a specified time range. Some report templates include:
- KPI status or trending report by application, server and site
- Problem status or trending reports by application, server and site
- H.323, RTP and SIP MOS distribution
- Network KPI trends overview
- Application/IP protocol distribution
Drilling into the PBA results from figure 1 shows how quickly NTM can get to root cause. In the upper graph, we note that the server time has increased. The middle graph shows that this happened when the server reduced the number of connections it managed and transmitted a large number of TCP resets to the client (bottom graph).
Realtime Voice and Video Analysis
The Network Time Machine provides realtime metrics on voice and video performance, without additional agents or polling to the Call Manager. Even without visibility of the setup traffic, the NTM can reassemble the caller/callee information from the RTP stream in realtime to generate quality assessment for the video/voice stream. Its high performance capture and analysis architecture makes it the ideal quick-to-deploy analysis solution for VoIP in carrier grade operation.
Extract packets for a call with just a click of a button. Call setup and RTP/RTCP streams are extracted together, correlated and shown on a bounce chart for easy visualization and playback.
Automatic Tunneled Traffic Analysis in multi-tenant networks
Tunneling protocols encapsulate traffic, much like VLANs in LANs, to segment and prioritize traffic. The Network Time Machine automatically analyzes and decodes tunneled traffic, allowing network engineers of Telecom Service Providers and Large Enterprises to conduct application performance analysis and troubleshoot applications in each tunnel quickly. A large variety of tunneling protocols are supported, including IPinIP, L2TP, PPPoE, GRE, MPLS, QinQ, PBB/PBT, and GTPU. Customized tunnel protocol support can be easily defined and added. In addition, filtering conditions can easily be configured based on tunneling protocol and bit-pattern for quick extraction of relevant packets.
Onboard Application and Packet Analysis
The NTM integrates the powerful application-centric analysis engine based on the award-winning ClearSight™ Analyzer (CSA) which provides automatic application analysis. For each application flow, the CSA automatically constructs bounce charts and notes with highlighted text and color codes to indicate application impairments, such as slow TCP server response and error status. The unique PBA metrics for each flow are displayed as a pie chart, providing quick comparison of time spent with the server or the network.
Performance Bottleneck Analysis of a connection between an individual server and client shows the time spent on the server, network, and client. This analysis can be done without the need of installing an NTM at both ends of the link.
Multi-Segment Analysis
The NTM supports multi-segment analysis so you can quickly analyze flows that are captured across multiple tiers of servers or network segments. Captures may be imported from OptiView XG, other NTMs, the ClearSight Analyzer software or even Wireshark. This powerful capability visually identifies problems in timing, command/response and TCP level impairments such as lost packets or out-of-order sequence. It also supports Wireshark decodes, providing visibility into a huge range of application issues.
Secure Remote Control
Each NTM unit can be accessed remotely using the NTM Remote Agent Manager (RAM) or Remote Agent Viewer. A Remote Agent Manager can configure and control the NTM. Up to 20 Remote Agent Viewers can monitor an NTM simultaneously but cannot configure the NTM. User accounts can be set up through the RAM to limit each user's right to extract packets captured in the NTM. Communication between NTM and Remote Agent Manager or Viewer is encrypted using SSL (RFC 1428).
The Remote Agent Manager and Viewer software come with unlimited licenses and can be freely installed on any PC running Windows® XP/Vista®/7 to access any NTM on the network. Problems detected by NTM's real-time monitoring are consolidated to a central problem manager within the Remote Agent Manager software.
Taps simplify access to a wide variety of network link types
NetScout's tap solutions support 10/100/1000Mbps and 10Gbps links and are available in many configurations:
- Inline Taps
- Inline aggregation Taps
- SPAN aggregation Taps
- Inline switch Taps
- SPAN aggregation switch Taps
- Any-to-any port switch Taps