Introducing EndaceVision™
EndaceVision is a web-based application that helps IT teams investigate and resolve a wide range of network-related problems. It enables network engineers and security analysts to search, visualize and interrogate historical network traffic recorded by EndaceProbes deployed inside data centers.
Background
Network engineers and security analysts working for large organizations are typically inundated with high-priority alarms from a range of systems (IDS, APM, SIM, SIEM, NPM tools). For many organizations, today’s challenge is not about detecting more problems, but figuring out how to triage, respond and establish the root cause of known problems, so that more issues can be resolved.
Of course not all system-generated alarms are serious. In fact, many of the day-to-day issues that consume operational resources are non-critical intermittent problems that are simply difficult to diagnose. EndaceVision is uniquely designed to not only provide critical information when the network is on fire, but also speed up the resolution of time-consuming intermittent issues.
Visualizations
Working out what happened in the event of an outage or suspected breach is typically a process of discovery, iteration and elimination. To facilitate this process EndaceVision allows users to visualize traffic in a number of different ways. Users can move between views seamlessly, add new filters and zoom in or out to help find the cause of a problem.
IP Bandwidth-over-time breakdown and burst analysis
Bandwidth over time is typically the starting point for many investigations and allows the user to see bandwidth utilization at different resolutions, from days or months down to 1000 µs, where the real microbursts can be seen. The bandwidth view quickly highlights unusual traffic spikes that often explain application performance issues.
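The reason resolution matters is that a burst lasting well under a millisecond is averaged away in a one-second bin but stands out at 1000 µs. The following added example (not EndaceVision code) builds a constructed packet timeline with a steady 1 Mbit/s background and one 800 µs burst, then bins it at two resolutions. Timestamps are integer microseconds so the binning is exact.

```python
"""Bandwidth-over-time at two bin widths, showing a microburst that only
appears at fine resolution. Added example; the packet data is constructed."""
from collections import defaultdict


def build_sample_packets():
    """Constructed (timestamp_us, bytes) records: 5 s of background traffic
    at 1 Mbit/s plus a 40-packet burst confined to 800 µs at t = 2.5 s."""
    packets = []
    for i in range(500):                       # one 1250-byte packet every 10 ms
        packets.append((i * 10_000, 1250))     # 1250 * 8 bits / 0.01 s = 1 Mbit/s
    for i in range(40):                        # 40 x 1500 bytes within 800 µs
        packets.append((2_500_000 + i * 20, 1500))
    return sorted(packets)


def bandwidth_over_time(packets, bin_us):
    """Return {bin_start_us: bits_per_second} for the chosen bin width in µs."""
    bits_per_bin = defaultdict(int)
    for ts_us, nbytes in packets:
        bin_start = (ts_us // bin_us) * bin_us
        bits_per_bin[bin_start] += nbytes * 8
    # bits / (bin_us / 1e6 s)  ==  bits * 1e6 / bin_us
    return {start: bits * 1_000_000 / bin_us for start, bits in bits_per_bin.items()}


def peak_rate(series):
    """Highest bit rate seen in any bin of a bandwidth series."""
    return max(series.values())


def find_bursts(series, threshold_bps):
    """Bin start times (µs) whose rate exceeds the threshold, in time order."""
    return sorted(start for start, rate in series.items() if rate > threshold_bps)


if __name__ == "__main__":
    pkts = build_sample_packets()
    coarse = bandwidth_over_time(pkts, 1_000_000)   # 1 s bins
    fine = bandwidth_over_time(pkts, 1_000)         # 1000 µs bins
    print("peak at 1 s bins:      %.2f Mbit/s" % (peak_rate(coarse) / 1e6))
    print("peak at 1000 µs bins:  %.2f Mbit/s" % (peak_rate(fine) / 1e6))
    print("bursts > 100 Mbit/s at 1 s bins:     ", find_bursts(coarse, 100_000_000))
    print("bursts > 100 Mbit/s at 1000 µs bins: ", find_bursts(fine, 100_000_000))
```

At one-second bins the burst raises the 2 s bin from 1.0 to 1.48 Mbit/s and looks like nothing; at 1000 µs bins the same 40 packets show as a 490 Mbit/s spike, which is the kind of event that fills a switch buffer and causes the packet loss behind an application performance complaint.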
Traffic breakdown and analysis
Traffic breakdown allows a user to see which applications are present in a particular traffic segment. This view can be used at a macro-level to show all the applications in use on a network, or at a micro-level to show all of the applications being used by a particular host (and everything in between).
TCP/IP Conversations
The TCP/IP conversations table allows users to identify and isolate specific conversations at the MAC, IP or transport layers. It is typically used in conjunction with Top Talkers to examine the behavior of a given host. Conversations can be sorted by total bits, packets, sessions and bit rate.
Traffic over time
Traffic over time offers a blend of IP bandwidth over time and traffic breakdown, allowing users to visualize how much bandwidth a specific application, IP protocol, VLAN, MPLS label, port, IP address or MAC address consumed over any given time period. This view helps to identify bandwidth hogs and diagnose performance issues in the network.
Top Talkers
Top Talkers graphically shows the ‘chattiest’ hosts in any given traffic segment. The visualization allows traffic to be ranked by both bit count and packet count. Top Talkers helps to isolate hosts that may not be configured properly or are causing congestion in the network.
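The conversations table and Top Talkers are two aggregations over the same flow metadata: one keyed on the unordered pair of endpoints, the other on the individual host. The following added example (not EndaceVision code; the flow records and the 10-second window are constructed) builds both from a handful of IP-layer flow records and shows the drill-down the text describes, from a top talker to the conversations it is part of. A session here is assumed to be a bidirectional 5-tuple, so a request flow and its reply count once.

```python
"""Conversation table and Top Talkers over constructed flow metadata.
Added example; the flows below are made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    bytes: int


# Constructed unidirectional flow records covering one 10 s window.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.20", 51000, 443, "tcp", 10, 15_000),
    Flow("10.0.0.5", "10.0.0.20", 51001, 443, "tcp", 5, 2_000),
    Flow("10.0.0.20", "10.0.0.5", 443, 51000, "tcp", 8, 90_000),   # reply leg of the first flow
    Flow("10.0.0.7", "10.0.0.20", 52000, 443, "tcp", 100, 120_000),
    Flow("10.0.0.7", "10.0.0.9", 53000, 53, "udp", 2, 300),
]
WINDOW_SECONDS = 10


def conversation_key(flow):
    """IP-layer conversation: the unordered pair of hosts."""
    return tuple(sorted((flow.src, flow.dst)))


def session_key(flow):
    """Bidirectional 5-tuple, so both directions of one TCP connection match."""
    return (flow.proto, frozenset({(flow.src, flow.sport), (flow.dst, flow.dport)}))


def conversations(flows, window_seconds, sort_by="bits"):
    """Rows of {hosts, bits, packets, sessions, bit_rate}, sorted by one column."""
    agg = defaultdict(lambda: {"bits": 0, "packets": 0, "sessions": set()})
    for f in flows:
        entry = agg[conversation_key(f)]
        entry["bits"] += f.bytes * 8
        entry["packets"] += f.packets
        entry["sessions"].add(session_key(f))
    rows = [
        {
            "hosts": hosts,
            "bits": e["bits"],
            "packets": e["packets"],
            "sessions": len(e["sessions"]),
            "bit_rate": e["bits"] / window_seconds,
        }
        for hosts, e in agg.items()
    ]
    return sorted(rows, key=lambda r: r[sort_by], reverse=True)


def top_talkers(flows, metric="bits", limit=5):
    """Hosts ranked by total bits or packets sent plus received."""
    totals = defaultdict(lambda: {"bits": 0, "packets": 0})
    for f in flows:
        for host in {f.src, f.dst}:          # a set, so src == dst is not counted twice
            totals[host]["bits"] += f.bytes * 8
            totals[host]["packets"] += f.packets
    ranked = sorted(totals.items(), key=lambda kv: kv[1][metric], reverse=True)
    return [(host, t[metric]) for host, t in ranked[:limit]]


def host_conversations(flows, host, window_seconds):
    """Drill-down step: only the conversations that involve one host."""
    return conversations([f for f in flows if host in (f.src, f.dst)], window_seconds)


if __name__ == "__main__":
    for host, bits in top_talkers(SAMPLE_FLOWS):
        print(f"{host:<12} {bits:>10} bits")
    busiest = top_talkers(SAMPLE_FLOWS)[0][0]
    for row in host_conversations(SAMPLE_FLOWS, busiest, WINDOW_SECONDS):
        print(row["hosts"], row["bits"], row["packets"], row["sessions"], row["bit_rate"])
```

Ranking by packets rather than bits reorders hosts that send many small packets (DNS, keepalives, scans) above hosts that move bulk data, which is why the page offers both metrics.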
Protocol decoding – Endace Packets
In certain situations engineers and analysts need to access raw packet data in order to establish the root cause of a problem. The tool of choice for most engineers in this situation is Wireshark; however, this can cause compliance problems, particularly for financial institutions.
Organizations have a legal responsibility to minimize the risk of information loss, which means ensuring that raw packet data never leaves the capture system or data center confines. For analysts that need to use Wireshark on their laptop this is a challenge that is quietly overlooked by many organizations today. EndaceVision solves this challenge by supporting a Wireshark-like protocol decode tool called Packets. This capability means that traffic of interest can be decoded ‘in the cloud’ without the packets ever leaving the EndaceProbe. This feature significantly increases data security and also has the added benefit of reducing network load as no user data needs to transit the network for analysis.
EndaceVision Architecture
EndaceVision uses metadata generated from network traffic recorded by EndaceProbes deployed throughout the network to create traffic visualizations. EndaceProbes can be configured to record traffic metadata and the associated packets, or just the traffic metadata, depending on the organization’s retention policies.
EndaceVision is uniquely architected to allow analysts to search historical network traffic on a segment-by-segment and/or on a global, network-wide basis. The ability to concurrently query all of the EndaceProbes in a monitoring fabric has the effect of dramatically reducing the time to visibility on critical issues and avoiding the need to do repetitive sequential searches of different systems.
Users can search recorded traffic based on a wide range of parameters, including link name, application classification, IP address, MAC address, port number and timestamp.
To learn more about application classification and the different applications that EndaceVision recognizes visit the DPI page.
Workflow
EndaceVision is designed around a workflow that reflects the sequence of activities that engineers typically go through when faced with a networking problem or issue. The primary goal is to connect the user to the information they need to make an accurate diagnosis in the shortest possible timeframe.
Network analysts live and breathe network packets; however, at 10Gbps and beyond there are a LOT of packets to wade through, so EndaceVision has been designed to help users isolate the packets they need quickly and efficiently. More often than not, the process of isolating the traffic of interest actually gives the user the answer to their query and negates the need to go down to raw packet level, which is why some customers choose not to record full packets and record just the traffic metadata.
A unique feature of the workflow enables analysts and engineers to collaborate, sharing visualizations and knowledge in real time. The collaboration capability assists with knowledge sharing and is proven to reduce time to resolution as experienced users can be involved in investigations wherever they may be physically located.
Reporting
For trending and managerial reasons operational teams often need to be able to generate reports in a standard format that can be shared with a non-expert audience. EndaceVision allows operational teams to set up and generate standard reports in .pdf format quickly and easily with minimal configuration or overhead. Reports are easy to understand and quick to change, easily satisfying the reporting requirements of most large organizations.
Wrap up
For organizations that rely on their network for business continuity, EndaceVision is an essential best-practice element of any network management and network incident solution set. The ability to isolate the exact packets that caused a problem in very short order is proven to improve response times, improve network uptime and drive down operational costs, which are important drivers for large organizations today.
EndaceVision in action
EndaceVision creates immediate value for both NetOps and SecOps teams by connecting them to the exact packets that they need to respond correctly and establish the true root cause of network problems.
Check out our YouTube channel to see EndaceVision being used in anger to investigate a range of network performance problems on high-speed network segments.