NETWORK PERFORMANCE
From the July 2006 issue of Communications News
Understand the variables
Analysis tools and gigabit-capture technology are important when gigabit links are deployed.
by Charles Thompson
Organizations are recognizing that gigabit links can improve business functions, increase productivity and enhance customer service. Most of the time, these gigabit links are deployed on the most critical parts of the network. To maximize the advantages of deploying gigabit links, organizations also should invest in reliable analysis tools. At the heart of these tools is gigabit-capture technology, which dictates the speed and accuracy of analysis.
|
|
There are a number of factors that the integrity of gigabit analysis depends on: how analyzers gain access into gigabit links, time-stamping methodology, how data is organized for analysis and the memory buffering technology.
Ensuring complete visibility of network data is the first critical component of analysis. There are three common ways for a monitoring device to access network traffic: using a switch’s SPAN session, a port aggregator or a network test access port (TAP).
In a SPAN session, the switch copies the send and receive data from each port of interest and reconstructs an integrated data stream from the channels. It then routes the integrated signal through the send channel of the SPAN port to a monitoring device.
Because both the send and receive channels are integrated into a single send channel, the SPAN port can only support a maximum of 1,000 Mbps. A full-duplex data stream can reach 2,000 Mbps on a fully saturated link (1,000 Mbps in each direction). Once link utilization crosses 1,000 Mbps, packets destined for the analyzer are instantly dropped. Also, a SPAN session does not reveal physical errors that traverse the network, and hides jitter from the monitoring device.
A port aggregator is essentially a small switch devoted to mirroring a link for analysis. Port aggregators generally cannot handle traffic exceeding 1,000 Mbps. A port aggregator also typically includes an internal memory buffer, most commonly 1 MB to 256 MB. On a fully saturated gigabit line, a 1-MB buffer provides 1/120 of a second protection against packet loss and a 256-MB buffer provides two seconds. Longer capture windows than this are typically required to analyze or solve most network problems.
A TAP is a passive-splitting mechanism installed between a “device of interest” and the network. TAPs transmit both the send and receive data streams simultaneously on dedicated channels, ensuring all data (up to 2,000 Mbps) arrives at the monitoring device in real time. TAPs never drop packets, regardless of speed or bandwidth saturation, and reveal physical layer errors to the monitoring device.
The capture technology within the monitoring device immediately time stamps all the data as it arrives. When processing millions of packets, a dedicated capture card is the best solution. One benefit of a dedicated capture card is its ability to take workload away from the system processor. This frees up resources for critical processes, such as expert analysis.
Another benefit of a dedicated capture card is its ability to time stamp packets in order, ensuring accurate analysis. Analysis is jeopardized when relying on multiple cards to capture and aggregate multiple physical data streams, because if one of those cards gets even slightly out of sync, the analysis device will time stamp data incorrectly. Also, if data shows up at the same time on multiple cards, the analysis device has to guess which card received the data first.
Accurate time stamping is crucial for troubleshooting network problems. Inaccurately time-stamped VoIP packets can look like jitter to an analyzer, even though there is no actual problem with VoIP communications.
To ensure the best performance for all types of real-time analysis, the gigabit capture card should pre-index the gigabit data stream in a format the console can efficiently use to decode and analyze packets. This process allows monitoring devices to keep up with fully saturated links and preserve resources for real-time analysis.
Relying on a capture card that pre-indexes the gigabit data stream in a generic format forces the monitoring device to use additional system CPU resources to organize it in a manner it can effectively use. This process slows overall system performance.
Depending on the product, after getting time stamped, network data either goes directly to the buffer on the card or is streamed to the buffer in physical system memory. Relying on the buffer on the capture card, which is typically 128 MB, is not adequate because this technology only permits a line-rate capture that lasts for half a second. This method is not only limited by time, but also requires a manual transfer of the data to the physical system for analysis.
For real-time analysis, the data needs to be continually streamed to the buffer in the analyzer’s physical system memory. Buffers as large as 4 GB are available for 32-bit Windows operating systems. This permits a 16-second gigabit line-rate capture window, which should be long enough to catch most anomalies. Buffers as large as 124 GB are currently available for 64-bit operating systems, permitting potentially a 512-second line-rate capture window. Using circular buffers can extend this window indefinitely.
Making a complete and accurate analysis of gigabit links is possible, as long as the appropriate gigabit-capture technology is implemented. Incomplete or inaccurate captures can skew data analysis, create false positives and overlook problems that actually do exist.
Charles Thompson is manager of sales engineering at Network Instruments, Minneapolis.
For more information:
www.rsleads.com/607cn-259
|
Market accelerating The worldwide application
acceleration market totaled $344 million in the first quarter of
2006, a 21% increase from the first quarter of 2005, according to
Gartner. The market is on pace to surpass $1.5 billion in 2006, a
23% increase from 2005. |