Emulex Confidential - © 2013 Emulex Corporation
EndaceVision with Packet Decodes
An Introduction to Endace Packets
Introducing Endace Packets - EndaceVision™ with Protocol Decodes

Join Jim MacLeod, Senior Product Manager at Emulex, for an interactive webinar where you'll learn how the combination of Endace Packets and EndaceVision can help troubleshoot your hardest 10GbE network problems.

Speaker notes for the demo slides:
  • To assure you that there’s no waving of hands, here’s a 60-second view of the traffic we’re using for the demo. This is a live capture in our demo lab of replayed previously captured data, so, while it’s got spikes in the small scale, you won’t see the daily variations you would on your own network. You can see from the timestamps on the screen that this data was taken yesterday, and that there are sustained traffic spikes above 6Gbps.
  • Here’s what it looks like when viewing 10 minutes.
  • Here’s 1 hour
  • And just for fun, here’s 2 days. The trend you’re seeing is that, as we zoom out, the line flattens. There just aren’t enough pixels to show all of the spikes, so we’re having to do the same thing as all of the other tools out there: average the samples. But as network analysts, we like those spikes. We know that there are bursts and microbursts. So here’s what we at Endace have done.
  • I turned on the Bursts display, which tracks the maximum bandwidth value for each display point, with a sample size of 1ms.
  • Now I’m going to zoom back to 1 hour.
  • Here’s 10 minutes.
  • And back down to 1 minute.
  • Now I’m going to pivot my view to Traffic Breakdown over Time, with a breakdown on Applications. This lets me see what’s going on at Layer 7. For this capture, we’ve got mostly RTP traffic out there – that’s VoIP. I can also see that someone is using a lot of iTunes, plus some http video, Amazon.com, etc. While RTP is probably business traffic, iTunes and Amazon almost definitely aren’t.
  • I’m going to filter in on iTunes to see who’s using it.
  • Here’s the filter applied. I’m going to pivot my view to see who’s sending this traffic.
  • I’m still looking at the same data, but I pivoted to show the top talkers, with the iTunes filter. I also zoomed my timescale out to show the last 24 hours. There’s 1 internal host who’s really pulling the majority of traffic. You can see it on the left. The vast majority of its traffic is colored blue, to indicate that it’s receiving that data. Similarly, the 2 primary external servers are colored green. Just a reminder, this is our demo lab, doing a live capture of traffic that’s being replayed. I doubt iTunes in reality is capable of feeding 10T to a single client in 24 hours.
  • I can also change the filter to remove the iTunes and see who else the node is talking to.
  • Next question is what else this node is doing. It looks like, apart from iTunes, there’s not much else – some Facebook, a little generic http.
  • We can uncover some of that generic http with the Conversations view.
  • What I really want is to know who this node is. Yes, I probably have other tools to find out – dynamic DNS might tell me. But I’m a packet geek, and I trust what the packets tell me. So I’m going to download the mDNS packets and see the advertisements from the node itself. I’m going to download the packets to the probe. It keeps them off my laptop to keep it from potentially going into PCI scope. It also means I don’t tie up my laptop in the download if it’s a large file, and my teammates can also access it if they need to.
  • Here’s where we look at the download – there’s a progress indicator, time remaining, etc, but the cool part is that I don’t have to wait for the download to complete, so I clicked on Packets. Notice that you can also download these directly as either PCAP or ERF. ERF is the Endace format for packet capture.
  • Endace Packets looks like Wireshark, because it’s the tool that our customers said they use most often. There’s a lot of mDNS out there, let me filter it down to something tighter.
  • I filtered for DNS responses of type PTR, mapping the IP or IPv6 address to the hostname, then used the “contains” filter to narrow down the search to mDNS .local names. I’ll dig a little more into the first packet now.
  • And there’s the culprit. The device identifies itself as “Neil L’s iPhone”. Now I can go have a chat with Neil about proper use of the local resources.
  • Just to be thorough, I also did a local download – on the probe – for some of that unidentified http traffic. Here I’ve got a filter applied to focus only on the packets which have an http request URI, which will tell me what domains the iPhone is connecting to.
  • Since Endace Packets does name resolution, it also does name de-resolution, which is useful for cases like this, where everything is going either to the Amazon cloud or to cloudfront. Just hover over a name and the address will pop up.
  • And there’s the real URI for the request. You can also see the User-Agent. CFNetwork is a sockets API in iOS, so it looks like this is an app, probably pulling down an advertisement.
  • I’ll scroll to the right and you can see the list of relative URIs – this BYOD stuff gets pretty chatty, but that’s a different vendor.
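The three moves in the notes above (1 ms peak sampling instead of averaging, the top-talker pivot, and reading a host's own mDNS PTR answers to name it) can be reproduced offline without the appliance. The following is an added example written for this page, not Emulex or Endace code, and it runs on a constructed one-second packet list rather than a capture: the addresses, the burst, the `_companion-link._tcp` service name and the reverse PTR record are all invented for the example (the instance name reuses the “Neil L’s iPhone” string from the notes). It shows why a 1 ms peak reveals a microburst that a per-second average hides, and why a DNS name decoder that follows compression pointers needs a hop limit.

```python
"""Constructed packets only (no real capture): (timestamp_us, wire_bytes,
src_ip, dst_ip, udp_payload_or_None). Hosts, addresses and the mDNS
records below are invented for this example."""
import struct
from collections import defaultdict

MDNS_GROUP = "224.0.0.251"


def rate_profile(packets, display_ms=1000, sample_ms=1):
    """Per display bucket -> (average Mbps over the bucket, peak Mbps of any
    sample_ms slice). The average is what a zoomed-out graph plots; the
    peak is what the notes call the Bursts display (1 ms samples)."""
    bits_per_sample = defaultdict(int)
    for ts_us, wire_bytes, *_ in packets:
        bits_per_sample[ts_us // (sample_ms * 1000)] += wire_bytes * 8
    per_display = defaultdict(lambda: [0, 0])   # [total bits, peak sample bits]
    for s_idx, bits in bits_per_sample.items():
        d = per_display[s_idx * sample_ms // display_ms]
        d[0] += bits
        d[1] = max(d[1], bits)
    mbps = lambda bits, ms: bits / ms * 1000 / 1e6
    return {k: (mbps(t, display_ms), mbps(p, sample_ms))
            for k, (t, p) in sorted(per_display.items())}


def top_receiver(packets):
    """Destination that received the most bytes (the top-talker pivot)."""
    rx = defaultdict(int)
    for _, wire_bytes, _, dst, _ in packets:
        rx[dst] += wire_bytes
    return max(rx, key=rx.get)


def read_name(msg, off, max_hops=16):
    """Decode a DNS name at msg[off:], following RFC 1035 compression
    pointers; returns (name, offset just past the name in the stream).
    The hop limit keeps a crafted pointer loop from hanging the decoder."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                          # 2-byte pointer
            end = off + 2 if end is None else end
            hops += 1
            if hops > max_hops:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("utf-8", "replace"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def ptr_answers(payload):
    """(owner, target) for every PTR record in a DNS/mDNS response."""
    if len(payload) < 12:
        return []
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if not flags & 0x8000:                              # QR bit: responses only
        return []
    off, out = 12, []
    for _ in range(qd):                                 # skip the question section
        off = read_name(payload, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(payload, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == 12:                                 # PTR
            out.append((owner, read_name(payload, off)[0]))
        off += rdlen
    return out


def identify(packets, ip):
    """Names a host advertises for itself in its own mDNS PTR answers."""
    return [target for _, _, src, dst, payload in packets
            if src == ip and dst == MDNS_GROUP and payload
            for _, target in ptr_answers(payload)]


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\x00"


def build_demo_mdns():
    """Constructed mDNS response (QR+AA, no questions, two PTR answers); the
    service-instance answer compresses the service name with a pointer."""
    msg = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0))
    rdata = encode_name("Neil-Ls-iPhone.local")
    msg += encode_name("2.0.168.192.in-addr.arpa")
    msg += struct.pack("!HHIH", 12, 0x8001, 120, len(rdata)) + rdata
    svc_off = len(msg)
    msg += encode_name("_companion-link._tcp.local")
    inst = b"Neil L's iPhone"
    rdata = bytes([len(inst)]) + inst + struct.pack("!H", 0xC000 | svc_off)
    msg += struct.pack("!HHIH", 12, 0x8001, 4500, len(rdata)) + rdata
    return bytes(msg)


def demo_packets():
    """One second of constructed traffic: a 1.2 Mbps trickle, 800 full-size
    frames inside millisecond 505 aimed at 192.168.0.2, and that host's
    own mDNS announcement."""
    pkts = [(t * 10_000, 1500, "198.51.100.7", "192.168.0.5", None) for t in range(100)]
    pkts += [(505_000 + i, 1500, "203.0.113.10", "192.168.0.2", None) for i in range(800)]
    pkts.append((700_000, 200, "192.168.0.2", MDNS_GROUP, build_demo_mdns()))
    return pkts


if __name__ == "__main__":
    p = demo_packets()
    print(rate_profile(p), top_receiver(p), identify(p, top_receiver(p)))
```

On the constructed second the average is about 10.8 Mbps while the 1 ms peak is 9.6 Gbps, which is the microburst the notes say an averaged graph cannot show and the one that overruns a monitoring tap or IDS buffer. Two caveats worth keeping in mind: the names `identify` returns are whatever the device chose to announce (mDNS is unauthenticated, so a name like this is a lead to confirm against the switch port, DHCP lease or MDM record, not evidence on its own), and the hop limit in `read_name` matters because a decoder run over arbitrary captured traffic has to survive a crafted pointer loop.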
Slide text:

Slide 1: EndaceVision with Packet Decodes – An Introduction to Endace Packets
Jim MacLeod – Senior Product Manager, Emulex
Emulex Confidential - © 2013 Emulex Corporation

Slide 2: Introduction
Jim MacLeod – Senior Product Manager, Emulex
– 15 years experience in monitoring
– Product Manager for EndaceVision
Endace – Emulex product line
– World leader in network recording
– 10 years selling network visibility

Slide 3: Changing Nature of Networks
Rapid shift to 10GbE
– 40 and 100GbE adoption coming
Increasing complexity
– Consolidation
– Virtualization
Greater reliance on network
– Virtual Desktop
– Unified Communications
More compliance & regulation
– Business and customer data
– Scope of data at rest
Lower tolerance to downtime…
– Cost measured in millions of dollars

Slide 4: Who’d Want To Be An Analyst?
Insane pressure to resolve complex issues fast
More events than time
– ‘Triage’ strategy
Lack of immediate data
– Still living in ‘HHA’ mode
Tool paralysis
– Too many
– Too complex
– Too slow
#Fail.

Slide 5: Sharkbites - the Problem with Wireshark…
Wireshark remains the go-to tool for most analysts and security engineers
Tool fails under 10GbE load
– 14,000,000 pps on a loaded 10GbE link (a 10GbE link saturated with minimum-size 64-byte frames carries about 14.88 million packets per second)
Faster network, slower analysis
– 5 minutes to open a 5GB file on a Core i5
– 5 minutes for each filter
Troubleshooting requires accurate data
– Recording at 10Gbps is challenging
– Trace files need to be moved around
Real compliance / security concerns

Slide 6: 10GbE Troubleshooting Best Practice
Pervasive network recording
– 100% accurate capture to disk
Effective traffic search
– Trace file consolidation
Event driven trace extraction
High-level trace visualization
– Layer 7 awareness is vital
Effective drill-in to precise packets of interest
On-appliance protocol decoder
– Filters in seconds, not minutes
Easy trace file export for deep-dive in Wireshark

Slides 7–30: demo screenshots (no slide text; the walkthrough is in the speaker notes above)

Slide 31: A New Recording Paradigm
EndaceProbe next generation sniffer
100% accurate traffic recording
– Real 10 Gbps performance
Up to 64 TB of local storage
– Extensible via sledding or SAN
Full flow-based traffic indexing
– Including application classification
Open and flexible
– Endace Application Dock
– Programmable RESTful API
EndaceVision / Endace Packets

Slide 32: Total Datacentre Visibility

Slide 33: Conclusion
Troubleshooting in a 10GbE world requires 10GbE capable tools
Wireshark needs support to remain relevant in high-speed environments
EndaceVision & Endace Packets solve the scalability challenge
100% accurate recording is mandatory input
– Dedicated purpose built hardware
Long live Wireshark!

Slide 34: Thank you.
jim.macleod@emulex.com
www.emulex.com