EndaceVision

A network traffic search engine that makes your recorded network traffic 100% searchable

The benefits of EndaceVision

For organizations that rely on their network for business continuity, EndaceVision is an essential element of any security and network management solution set.

The ability to quickly isolate and examine the exact packets relating to an incident reduces response times, improves network uptime and security, and drives down operational costs.

EndaceVision provides:

  • 100% packet visibility on network links from 10Mbps to 100Gbps
  • Segment-specific and network-wide intelligence
  • A wide range of visualizations including accurate microburst detection, bandwidth over time and top talkers
  • Application-aware browser-based client that runs on any browser
  • Integrated event resolution workflow

Introducing EndaceVision

EndaceVision™ is a browser-based application that helps IT teams investigate and resolve a wide range of network-related problems. It enables network engineers and security analysts to search, visualize and interrogate historical network traffic recorded by EndaceProbes deployed inside data centers.

Bundled with every EndaceProbe, EndaceVision can provide network-wide visualization, packet search and retrieval across an entire connected fabric of EndaceProbes, delivering detailed network visibility to accurately investigate and remediate security and network performance events identified by security and network monitoring tools (IDS, APM, SIM, SIEM, NPM tools and others).

EndaceVision creates immediate value for both security operations (SecOps) and network operations (NetOps) teams by connecting them to the exact packets they need to establish the true root cause of network problems. This reduces the time needed for incident investigation, increasing accuracy, reducing mean-time-to-resolution (MTTR), lowering costs, and improving the overall productivity of SecOps and NetOps teams.

Background

Network engineers and security analysts working for large organizations are typically inundated with high-priority alarms from a range of systems. For many organizations, the challenge is not about detecting more problems, but figuring out how to triage, respond and establish the root cause of known problems so that more issues can be resolved.

Of course, not all system-generated alarms are serious. Many of the day-to-day issues that consume operational resources are non-critical intermittent problems that are just hard to diagnose without access to detailed information about what actually happened. EndaceVision is designed not only to provide critical information when the network is on fire but also to speed up the resolution of intermittent issues by enabling teams to quickly drill down to packet level detail and see what's really going on.

EndaceVision Architecture

EndaceVision uses metadata generated from network traffic recorded by EndaceProbes deployed throughout the network to create traffic visualizations. It is uniquely architected to allow analysts to search historical network traffic on a segment-by-segment and/or on a global network-wide basis. The ability to concurrently query all of the EndaceProbes in a monitoring fabric reduces the time to visibility on critical issues and avoids the need to do repetitive sequential searches of different systems.

Searching and filtering

Users can search recorded traffic based on a wide range of parameters including link name, application classification, IP address, MAC address, port number, time stamp etc.

Application Awareness through DPI

EndaceProbes provide built-in Deep Packet Inspection (DPI) which classifies captured traffic by application. This makes it easy to filter and search on traffic by application to see what's happening on your network.

Visualizations

Working out what happened in the event of an outage or suspected breach is typically a process of discovery, iteration and elimination. To facilitate this process EndaceVision allows users to visualize traffic in a number of different ways. Users can move between views seamlessly, add new filters and zoom in/zoom out to help find the cause of a problem.

IP Bandwidth-over-time breakdown and burst analysis

Bandwidth over time is typically the starting point for many investigations and allows the user to see bandwidth utilization at different resolutions, from days or months down to 1000μs, where the real microbursts can be seen. The bandwidth view quickly highlights unusual traffic spikes that often explain application performance issues.

Traffic breakdown and analysis

Traffic breakdown allows a user to see which applications are present in a particular traffic segment. This view can be used at a macro-level to show all the applications in use on a network, or at a micro-level to show all of the applications being used by a particular host (and everything in between).

Conversations

The conversations visualization allows users to identify and isolate specific conversations at MAC, IP or transport layers. It is typically used in conjunction with Top Talkers to examine the behavior of a given host. Conversations can be sorted by total bits, packets, sessions and bit rate.

Traffic over time

Traffic over time offers a blend of IP bandwidth over time and traffic breakdown, allowing users to visualize how much bandwidth a specific application, IP protocol, VLAN, MPLS label, port, IP address or MAC address consumed over any given time period. This view helps to identify bandwidth hogs and diagnose performance issues.

Top Talkers

Top Talkers graphically shows the ‘chattiest’ hosts in any given traffic segment. This allows traffic to be visualized by both number of bits and number of packets. Top Talkers helps to identify hosts that may not be configured properly or are causing congestion in the network.

Introducing Microvision - see the detail that matters

Network monitoring historically operated with a 30- to 60-second resolution on 10Mbps networks. As bandwidth increased to 10Gbps and faster, traditional monitoring should have kept pace with a resolution of 30 milliseconds, or 0.03 seconds, but it hasn't, which means it is often not detailed enough to provide insight into network-affecting events that occur in microbursts shorter than the resolution these tools support. Leveraging the nanosecond-resolution time stamps on traffic captured by EndaceProbes, EndaceVision’s MicroVision™ feature enables users to visualize events on a 10-microsecond scale – small enough to investigate the cause of disruptive microburst activity.

Microbursts can disrupt a network in multiple ways. A sudden synchronous burst can flood port buffers on a switch, triggering packet drops that slow transactions. Real-time traffic such as voice or video works best with constant latency values, but microbursts of other traffic can create jitter that disrupts calls. Even network attackers are starting to use microbursts, making quick connections to targets that simply can’t be seen in a 30-second monitored sample.

EndaceVision makes it easy to find the microburst locations with a user-friendly bandwidth visualization that displays both the average and maximum values for every sample point. The sampling window for bandwidth depends on the time source used by the EndaceProbe and is 0.1 second for a standard time source, and 0.01 second for a precision time source such as PTP or PPS. For each point, the maximum value is displayed as a red dot. To zoom in, either click and drag the time range or just click the dot. MicroVision processing starts automatically, with no additional user action required.

Once the microburst pattern emerges as a single or multiple bursts, a user can pivot to any of the other EndaceVision visualizations and use all of the standard tools and filters. It’s easy to see what caused the microburst, whether it’s a single node transmitting information faster than expected, or a widespread reaction to an event from all devices using a particular service, or just random synchronicity. MicroVision gives users the tools to investigate and quickly discover root causes at the micro level.
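To make the average-versus-maximum idea concrete, here is an added Python example (a constructed trace, not Endace code) that bins nanosecond packet timestamps into sample windows and reports, per window, the average rate and the peak rate of the busiest sub-window, then shows the same 1 ms burst disappearing into a 1 s average of the kind legacy monitoring reports.

```python
# Microburst visibility vs. sampling window (constructed data, not Endace code).
from collections import defaultdict

NS = 1_000_000_000  # nanoseconds per second (EndaceProbe timestamps are ns)


def build_trace():
    """Constructed trace of (timestamp_ns, length_bytes) on a 1 Gbps link:
    one 1000-byte packet every 1 ms for 1 s (~8 Mbps background), plus a
    1 ms burst at t=0.50005 s of 100 x 1000-byte packets 10 us apart (~800 Mbps)."""
    pkts = [(ms * 1_000_000, 1000) for ms in range(1000)]
    burst_start = 500_000_000 + 50_000
    pkts += [(burst_start + i * 10_000, 1000) for i in range(100)]
    return sorted(pkts)


def bits_per_window(pkts, window_ns):
    """Total bits in each window: {window_index: bits}."""
    bins = defaultdict(int)
    for ts, length in pkts:
        bins[ts // window_ns] += length * 8
    return bins


def avg_and_peak(pkts, sample_ns, sub_ns):
    """Per sample window, mirror the average/maximum pair the bandwidth view
    plots: (start_ns, avg_bps over the window, peak_bps of the busiest sub_ns
    slice inside it). Integer maths keeps the rates exact."""
    assert sample_ns % sub_ns == 0
    coarse = bits_per_window(pkts, sample_ns)
    fine = bits_per_window(pkts, sub_ns)
    ratio = sample_ns // sub_ns
    rows = []
    for idx in sorted(coarse):
        avg = coarse[idx] * NS // sample_ns
        busiest = max(fine.get(idx * ratio + k, 0) for k in range(ratio))
        rows.append((idx * sample_ns, avg, busiest * NS // sub_ns))
    return rows


def burst_windows(pkts, sample_ns, sub_ns, peak_threshold_bps):
    """Sample windows whose sub-window peak exceeds the threshold: these are
    the 'red dots' worth zooming into; the average alone would hide them."""
    return [r for r in avg_and_peak(pkts, sample_ns, sub_ns) if r[2] > peak_threshold_bps]


if __name__ == "__main__":
    trace = build_trace()
    # 0.1 s sample window (standard time source) with 100 us sub-windows
    for start, avg, peak in avg_and_peak(trace, 100_000_000, 100_000):
        print(f"t={start / NS:.1f}s avg={avg / 1e6:7.1f} Mbps peak={peak / 1e6:7.1f} Mbps")
    # a 1 s average, as legacy monitoring would report it, flattens the burst
    print("1 s average:", avg_and_peak(trace, NS, NS))
```

The 0.5 s window averages only 16 Mbps while its busiest 100 µs slice runs at 800 Mbps, which is the gap between the line and the red dot; at 1 s resolution both collapse to 8.8 Mbps and the burst is invisible.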

Introducing EndacePackets - browser-based packet decoding

Network engineers and analysts often need to access raw packet data in order to establish the root cause of a problem. The tool of choice for most is Wireshark; however, this can cause compliance problems, particularly for financial institutions.

Organizations have a legal responsibility to minimize the risk of information loss. This means ensuring raw packet data never leaves the capture system or the data center confines. For analysts needing to use Wireshark on their laptop, this is a challenge that is quietly overlooked by many organizations.

EndaceVision solves this by providing a browser-based, protocol decode tool, called EndacePackets™, that supports Wireshark filters. This means packets of interest can be decoded without ever leaving the EndaceProbe, and network load is reduced by avoiding the need to transfer large capture files across the network for analysis.

Workflow

EndaceVision is designed around a workflow that reflects the sequence of activities that engineers typically go through when faced with a networking problem or issue. The primary goal is to connect the user to the information that they need to make an accurate diagnosis in the shortest possible timeframe.

Network analysts live and breathe network packets; however, at 10Gbps and beyond there are a lot of packets to wade through, so EndaceVision has been designed to help users isolate the packets they need quickly and efficiently. More often than not, the process of isolating the traffic of interest actually gives the user the answer to their query and negates the need to go down to raw packet level, which is why some customers choose not to record full packets and record only traffic metadata.

EndaceVision's workflow enables analysts and engineers to collaborate, sharing visualizations and knowledge in real time. This assists with knowledge sharing and reduces time to resolution because experienced users can be involved in investigations wherever they may be physically located.