Seven Ways to Improve Network
Using Retrospective Network Analysis and NetQoS® GigaStor™
Often application and network performance
problems go undiagnosed and unresolved as
engineers struggle to recreate intermittent
problems. Reducing or eliminating the time
needed to recreate these problems allows
engineers to solve problems faster, reducing
the mean time to repair.
This paper examines the concept of
Retrospective Network Analysis
(RNA)—capturing and storing significant
network traffic data to be analyzed at a later
date—and illustrates how using GigaStor to
enable RNA can help network engineers
streamline network troubleshooting. It also
details critical issues IT managers should
consider when choosing an RNA solution.
Seven Ways to Improve Network Troubleshooting
Using Retrospective Network Analysis (RNA) and NetQoS GigaStor
Everyone’s heard at some point: “I can’t recreate the problem, let me know if it happens again.” It is a common
problem in today's complex networking environments.
The scenario often goes like this: an end user calls the help desk to complain about application performance. If the help
desk identifies it as a network issue, a trouble ticket is issued to a network engineer who plugs in the packet analyzer
to watch the traffic, waiting until the problem presents itself again—making the engineer a watcher, not a doer.
Still Watching and Waiting for Another Incident?
For several years, network engineers have had analysis tools capture statistics about what is going on in the network at
the packet level. The limitation of using these tools to diagnose problems is that it is a reactive solution, requiring IT
staff to spend time watching and waiting to identify a problem instead of developing the solution. This waiting is
expensive and annoying for everyone.
As network engineers become increasingly accountable for the performance of applications that run over their
networks, they need a better, more proactive approach to troubleshooting. With the growing complexity surrounding
today’s corporate networks, it is more challenging than ever to capture relevant diagnostic information—as the most
important diagnostic information exists at the time leading up to the problem and when the problem occurs, and not
after the fact.
The Alternative to Watching and Waiting—Retrospective Network Analysis
With Retrospective Network Analysis or RNA enabled by the GigaStor packet collection device from NetQoS, it is no
longer necessary to recreate a problem on the network. That’s because GigaStor captures everything traversing the
network at wire-speed. The GigaStor integrated Observer Expert® software then enables back-in-time analysis for fast
identification of the cause of network problems. RNA and NetQoS GigaStor give network engineers at least seven new
ways to speed network troubleshooting.
1. Speed Resolution by Eliminating the Need to Recreate Problems
Instead of collecting packet captures after a performance issue, network engineers can go back in time to replay the
stream for the time leading up to and during the performance issue, and get expert analysis to identify the cause and
resolve the problem faster.
Pg. 2 Copyright 2007 NetQoS, Inc. 877.835.9575
Figure 1. NetQoS GigaStor continuously stores traffic for faster network troubleshooting
By capturing everything to disk, when network engineers become aware of a problem, they can go back in time, replay
the packet stream, and perform typical network analysis after the fact, or “retrospectively.”
RNA allows them to solve problems faster by eliminating problem recreation and reducing the mean time to repair.
This results in a large benefit to IT organizations with already-stretched IT resources. Removing problem recreation
from the troubleshooting process can result in significant productivity improvements and boost IT credibility in the
2. Reduce Risk by Capturing Before and After Snapshots of the Network
With the data captured and stored by the GigaStor, IT can also reduce risk. Complexity in today’s network
infrastructure is at an all-time high. Multi-tiered applications, converged voice and data networks, datacenter
consolidations, and increased requirements for remote and mobile workers make managing the infrastructure for
application performance more challenging because decisions must often be made with limited information.
Network behavior is most likely to be disrupted as soon as changes are made in the network environment. Instead of
waiting for disruption to occur, IT can begin monitoring and keep a catalogue of the network behavior before and after
changes. If problems occur, the GigaStor gives network teams the packet level visibility they need to understand what
was impacted when the change was implemented.
Pg. 3 Copyright 2007 NetQoS, Inc. 877.835.9575
3. See Exactly What Users See
To effectively conduct RNA, network engineers must be able to reconstruct web pages—to see a web page exactly
how the end-user saw it. That way the error is seen directly instead of relying on the end user to provide a useful and
When someone says: “I keep trying to get to our Intranet site and it just isn’t working,” the troubleshooting team can
see exactly what it was that the user experienced by looking at the information captured to disk by the GigaStor. Was
there an error on the page? Was the problem that most of the page downloaded but the images didn’t compress? The
engineers can even view each individual page component, down to individual .gif files and ActiveX controls.
4. Improve Efficiency by Conducting Packet Analysis Locally
Unlike traditional packet capture and analysis products, GigaStor RNA is performed locally without the need to
transfer packet data from the internal disk array across the network to a separate computer. Analysis software that IT
teams would normally use on their laptops and desktops to perform this analysis resides on the GigaStor appliance.
This means that not only much less data is traversing the network at analysis time, but also analysis of large data sets is
faster because there is no data transfer delay.
The GigaStor integrated Observer Expert analysis software can decode traffic like traditional packet analyzers, only
now it can be done both in real time as the traffic is crossing the network and retrospectively.
Figure 2. The GigaStor control panel
Pg. 4 Copyright 2007 NetQoS, Inc. 877.835.9575
Figure 3. Multi-Hop Analysis with Observer Expert
5. Investigating Network Policy Violations
RNA also enables engineers to investigate network policy violations or compliance issues. GigaStor can reassemble
packet streams and recreate e-mails, visits to web sites, instant messaging sessions, and VoIP calls. The appliance
performs real-time Expert processing locally rather than transferring the packet capture over the network to a
6. Comply with Mandates by Archiving Communications
Other benefits of RNA with GigaStor can be beneficial to specific industries. For example, to comply with the Freedom
of Information Act, government entities must archive instant messaging chat sessions, and that is difficult.
Government entities that operate their own instant messaging servers know they can be severe security risks. Using a
GigaStor device, they can create a filter to capture just the instant messaging conversations on that link and write them
to disk, and eventually to tape archive.
7. Recapture Lost Communications with Instant Replay Capabilities
GigaStor also helps keep track of communications. Network professionals can play back lost e-mails, and if a VoIP
system is in place, voice calls can be replayed without tapping into the phone system.
Pg. 5 Copyright 2007 NetQoS, Inc. 877.835.9575
The Key to RNA: Capturing and Storing Network Traffic Data—Lots of It
GigaStor from NetQoS provides complete visibility into the traffic that traverses the network. By storing all of the data,
managers don’t have to guess at what they will need to know tomorrow. They will be able to access the right
information to make the right decision because all of the pertinent information is available to them.
The GigaStor appliance connects to a span port or a tap, and it captures and stores network traffic. Most analyzers can
monitor network traffic and keep statistics for tracking and reporting. Most can also launch a packet capture when
configured. GigaStor continuously stores traffic so that when a network engineer needs to troubleshoot an issue all the
packets are available for inspection. No more waiting to recreate the problem.
Critical Factors in Designing RNA Systems
In designing an RNA system, there are a number of elements to consider including:
» An RNA system must be able to capture data on the wire at line speed even when network traffic is bursty;
otherwise packets are dropped. The GigaStor proprietary Gen2 NIC capture card has 4-8 ports (4 full-duplex links)
and has been optimized to capture and store network packets to disk. It can monitor 4-8 spans or 2-4 full-duplex
links of various link types such as WAN links, Gbps span ports, or fibre channel traffic.
» Disk write speed must be sufficient to keep up with the traffic captured off the wire. Capturing all the packets is of
little value if they are lost before they can be stored. For example, monitoring 8 Gbps span ports averaging 37%
utilization means an RNA product must be able to write to disk at 2.9 Gbps or it will not be able to keep up.
GigaStor is able to do this. RAID disk arrays allow disks to be written to simultaneously. GigaStor includes a
specialized 16 disk RAID array for a throughput of 3.2 Gbps.
» To avoid data loss the capture buffer must be sufficiently large to store packets captured off the wire before they can
be written to disk. While some RNA devices can write faster than your average load, atypical loads—bursts of
» The amount of storage in an RNA device determines how long it can store data. Two storage choices are: internal
disks or a storage area network (SAN). The amount of traffic traversing a network can be massive. A plan that starts
out as, “I’m going to keep months and months of data” often becomes, “I’m going to keep a few days of data and
archive the rest.” GigaStor provides up to 12 TB of local data storage to handle very large data storage
NetQoS GigaStor can also support up to 12GB of RAM as a buffer, the largest in the industry. This makes it possible to
capture bursts in network traffic. Many times, only a few seconds of traffic bursts need be buffered. As traffic bursts can
be a symptom of a problem, capturing that particular traffic is very important.
Pg. 6 Copyright 2007 NetQoS, Inc. 877.835.9575
All these components determine exactly how much retrospective analysis a user can perform.
An RNA system must be fast enough to capture all the data on the wire, write it to disk quickly, have enough storage
space for the data, and have enough buffer memory to handle bursts in traffic. By continuously capturing and storing
large amounts of network traffic data, the GigaStor device and its Observer Expert Retrospective Network Analysis
software enable network engineers to identify and solve problems faster. IT organizations can reduce risk, know what
users experience, analyze data at the packet level, and investigate network policy violations.
Pg. 7 Copyright 2007 NetQoS, Inc. 877.835.9575
GigaStor is a retrospective network analysis (RNA) solution capable of storing terabytes of packet-level traffic to disk
for network analysis on a variety of full-duplex network topologies, including WAN, LAN, Fibre Channel, wireless,
gigabit, and 10 Gigabit (10 GbE). This data can be used to analyze network performance, mission-critical connections,
and intermittent issues with the GigaStor unique time-based navigation utility.
When investigating network performance issues, the GigaStor eliminates the need to recreate a problem on the
network. For investigating network policy violations or compliance issues, the GigaStor reassembles packet streams
and recreates e-mails, visits to web sites, IM sessions, and VoIP calls. The appliance performs real-time Expert
processing at the probe rather than transferring the packet capture over the network to the console. The GigaStor has
a 64-bit core and can capture up to 12 TB, or offload to a SAN.
NetQoS is the fastest growing network performance management products and services provider. NetQoS has
enabled hundreds of the world’s largest organizations to take a Performance First approach to network management—
the new vanguard in ensuring optimal application delivery across the WAN. By focusing on the performance of key
applications running over the network and identifying where there is opportunity for improvement, IT organizations
can make more informed infrastructure investments and resolve problems that impact the business. Today, NetQoS is
the only vendor that can provide global visibility for the world’s largest enterprises into all key metrics necessary to
take a Performance First management approach. More information is available at www.netqos.com.
Pg. 8 Copyright 2007 NetQoS, Inc. 877.835.9575