Introducing Endace Packets - EndaceVision™ with Protocol Decodes
•Télécharger en tant que PPTX, PDF•
0 j'aime•1,280 vues
This document discusses the challenges network analysts face in investigating issues at 10GbE network speeds. It outlines how traditional tools like Wireshark struggle with the volume of data at high speeds. The document then introduces EndaceVision and Endace Packets as a solution, which leverages purpose-built hardware for 100% accurate network recording at 10GbE speeds and faster protocol decoding. It argues these tools allow analysts to more effectively search, filter, and drill down into precise packets of interest when troubleshooting complex network issues.
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Introducing Endace Packets - EndaceVision™ with Protocol Decodes
Similaire à Introducing Endace Packets - EndaceVision™ with Protocol Decodes (20)
Plus de Emulex Corporation
Plus de Emulex Corporation (20)
Dernier
Dernier (20)
Introducing Endace Packets - EndaceVision™ with Protocol Decodes
- 1. Emulex Confidential - © 2013 Emulex Corporation EndaceVision with Packet Decodes An Introduction to Endace Packets Jim MacLeod – Senior Product Manager, Emulex
- 2. 2 Emulex Confidential - © 2013 Emulex Corporation Introduction Jim MacLeod – Senior Product Manager, Emulex – 15 years experience in monitoring – Product Manager for EndaceVision Endace – Emulex product line – World leader in network recording – 10 years selling network visibility
- 3. 3 Emulex Confidential - © 2013 Emulex Corporation Changing Nature of Networks Rapid shift to 10GbE – 40 and 100GbE adoption coming Increasing complexity – Consolidation – Virtualization Greater reliance on network – Virtual Desktop – Unified Communications More compliance & regulation – Business and customer data – Scope of data at rest Lower tolerance to downtime… – Cost measured in millions of dollars
- 4. 4 Emulex Confidential - © 2013 Emulex Corporation Who’d Want To Be An Analyst? Insane pressure to resolve complex issues fast More events than time – ‘Triage’ strategy Lack of immediate data – Still living in ‘HHA’ mode Tool paralysis – Too many – Too complex – Too slow #Fail.
- 5. 5 Emulex Confidential - © 2013 Emulex Corporation Sharkbites - the Problem with Wireshark… Wireshark remains the go-to tool for most analysts and security engineers Tool fails under 10GbE load – 14,000,000 pps on loaded 10GbE link Faster network, slower analysis – 5 minutes to open 5GB file on Core i5 – 5 minutes for each filter Troubleshooting requires accurate data – Recording at 10Gbps is challenging – Trace files need to be moved around Real compliance / security concerns
- 6. 6 Emulex Confidential - © 2013 Emulex Corporation 10GbE Troubleshooting Best Practice Pervasive network recording – 100% accurate capture to disk Effective traffic search – Trace file consolidation Event driven trace extraction High-level trace visualization – Layer 7 awareness is vital Effective drill-in to precise packets of interest On-appliance protocol decoder – Filters in seconds, not minutes Easy trace file export for deep- dive in Wireshark
- 7. 7 Emulex Confidential - © 2013 Emulex Corporation
- 8. 8 Emulex Confidential - © 2013 Emulex Corporation
- 9. 9 Emulex Confidential - © 2013 Emulex Corporation
- 10. 10 Emulex Confidential - © 2013 Emulex Corporation
- 11. 11 Emulex Confidential - © 2013 Emulex Corporation
- 12. 12 Emulex Confidential - © 2013 Emulex Corporation
- 13. 13 Emulex Confidential - © 2013 Emulex Corporation
- 14. 14 Emulex Confidential - © 2013 Emulex Corporation
- 15. 15 Emulex Confidential - © 2013 Emulex Corporation
- 16. 16 Emulex Confidential - © 2013 Emulex Corporation
- 17. 17 Emulex Confidential - © 2013 Emulex Corporation
- 18. 18 Emulex Confidential - © 2013 Emulex Corporation
- 19. 19 Emulex Confidential - © 2013 Emulex Corporation
- 20. 20 Emulex Confidential - © 2013 Emulex Corporation
- 21. 21 Emulex Confidential - © 2013 Emulex Corporation
- 22. 22 Emulex Confidential - © 2013 Emulex Corporation
- 23. 23 Emulex Confidential - © 2013 Emulex Corporation
- 24. 24 Emulex Confidential - © 2013 Emulex Corporation
- 25. 25 Emulex Confidential - © 2013 Emulex Corporation
- 26. 26 Emulex Confidential - © 2013 Emulex Corporation
- 27. 27 Emulex Confidential - © 2013 Emulex Corporation
- 28. 28 Emulex Confidential - © 2013 Emulex Corporation
- 29. 29 Emulex Confidential - © 2013 Emulex Corporation
- 30. 30 Emulex Confidential - © 2013 Emulex Corporation
- 31. 31 Emulex Confidential - © 2013 Emulex Corporation A New Recording Paradigm EndaceProbe next generation sniffer 100% accurate traffic recording – Real 10 Gbps performance Up to 64 TB of local storage – Extensible via sledding or SAN Full flow-based traffic indexing – Including application classification Open and flexible – Endace Application Dock – Programmable RESTful API EndaceVision / Endace Packets
- 32. 32 Emulex Confidential - © 2013 Emulex Corporation Total Datacentre Visibility
- 33. 33 Emulex Confidential - © 2013 Emulex Corporation Conclusion Troubleshooting in a 10GbE world requires 10GbE capable tools Wireshark needs support to remain relevant in high-speed environment EndaceVision & Endace Packets solve the scalability challenge 100% accurate recording is mandatory input – Dedicated purpose built hardware Long live Wireshark!
- 34. 34 Emulex Confidential - © 2013 Emulex Corporation Thank you. jim.macleod@emulex.com www.emulex.com
Notes de l'éditeur
- To assure you that there’s no waving of hands, here’s a 60-second view of the traffic we’re using for the demo. This is a live capture in our demo lab of replayed previously captured data, so, while it’s got spikes in the small scale, you won’t see the daily variations you would on your own network. You can see from the timestamps on the screen that this data was taken yesterday, and that there are sustained traffic spikes above 6Gbps.
- Here’s what it looks like when viewing 10 minutes.
- Here’s 1 hour
- And just for fun, here’s 2 days.The trend you’re seeing is that, as we zoom out, the line flattens. There just aren’t enough pixels to show all of the spikes, so we’re having to do the same thing as all of the other tools out there: average the samples. But as network analysts, we like those spikes. We know that there are bursts and microbursts. So here’s what we at Endace have done.
- I turned on the Bursts display, which tracks the maximum bandwidth value for each display point, with a sample size of 1ms.
- Now I’m going to zoom back to 1 hour.
- Here’s 10 minutes.
- And back down to 1 minute.
- Now I’m going to pivot my view to Traffic Breakdown over Time, with a breakdown on Applications. This lets me see what’s going on at Layer 7. For this capture, we’ve got mostly RTP traffic out there – that’s VoIP. I can also see that someone is using a lot of iTunes, plus some http video, Amazon.com, etc. While RTP is probably business traffic, iTunes and Amazon almost definitely aren’t.
- I’m going to filter in on iTunes to see who’s using it.
- Here’s the filter applied. I’m going to pivot my view to see who’s sending this traffic.
- I’m still looking at the same data, but I pivoted to show the top talkers, with the iTunes filter. I also zoomed my timescale out to show the last 24 hours.There’s 1 internal host who’s really pulling the majority of traffic. You can see it on the left. The vast majority of its traffic is colored blue, to indicate that it’s receiving that data. Similarly, the 2 primary external servers are colored green.Just a reminder, this is our demo lab, doing a live capture of traffic that’s being replayed. I doubt iTunes in reality is capable of feeding 10T to a single client in 24 hours.
- I can also change the filter to remove the iTunes and see who else the node is talking to.
- Next question is what else this node is doing. It looks like, apart from iTunes, there’s not much else – some Facebook, a little generic http.
- We can uncover some of that generic http with the Conversations view.
- What I really want is to know who this node is. Yes, I probably have other tools to find out – dynamic DNS might tell me. But I’m a packet geek, and I trust what the packets tell me. So I’m going to download the mdns packets and see the advertisements from the node itself.I’m going to download the packets to the probe. It keeps them off my laptop to keep it from potentially going into PCI scope. It also means I don’t tie up my laptop in the download if it’s a large file, and my teammates can also access it if they need to.
- Here’s where we look at the download – there’s a progress indicator, time remaining, etc, but the cool part is that I don’t have to wait for the download to complete, so I clicked on Packets.Notice that you can also download these directly as either PCAP or ERF. ERF is the Endace format for packet capture.
- Endace Packets looks like Wireshark, because it’s the tool that our customers said they use most often.There’s a lot of mdns out there, let me filter it down to something tighter.
- I filtered for DNS responses of type PTR, mapping the IP or IPv6 address to the hostname, then used the “contains” filter to narrow down the search to mdns .local names. I’ll dig a little more into the first packet now.
- And there’s the culprit. The device identifies itself as “Neil L’s iPhone”. Now I can go have a chat with Neil about proper use of the local resources.
- Just to be thorough, I also did a local download – on the probe – for some of that unidentified http traffic. Here I’ve got a filter applied to focus only on the packets which have a http request URI, which will tell me what domains the iPhone is connecting to.
- Since EndacePackets does name resolution, it also does name de-resolution, which is useful for cases like this, where everything is going either to the Amazon cloud or to cloudfront. Just hover over a name and the address will pop up.
- And there’s the real URI for the request. You can also see the User-Agent. CFNetwork is a sockets API in IOS, so it looks like this is an app, probably pulling down an advertisement.
- I’ll scroll to the right and you can see the list of relative URIs – this BYOD stuff gets pretty chatty, but that’s a different vendor.