On the performance line

A new crop of analyzer tools aims to reduce the business impact of network problems

Networks long ago went from being computer geeks' pet projects to serving as the backbone for government officials' daily business. Now, network analysis tools are finally catching up.

It's no longer enough for tools to be protocol analyzers that ensure the esoteric metrics of network performance are captured for analysis by the trained eye. They now must also help administrators make sure that business applications and services running atop those networks are operating smoothly. Additionally, the tools must support historical trend analyses and help information technology workers plan for future capacity needs.

For Jason Rahm, a subject matter specialist at Scott Air Force Base in Illinois, the tools he uses give him a "50,000-foot view" of the network he controls and an ability to zoom down to the system level. The insight is aimed at one purpose.

"I need to know how applications are performing because that's all my users are concerned about," he said. "They need to know they can hit their Web sites whenever they want to."

Traditional analyzers such as the older Sniffer line of tools — now owned by Network General Corp. — are good for solving problems at the data link and other lower levels of the network protocol stack, said Warren Hill, a senior network engineer at the Federal Highway Administration. But they can't indicate if there is a problem with a particular application.

"Newer analyzers allow you to do real-time application analysis," he said. "With [older tools], you could go to the packet level and perhaps deduce if it was [an application layer] problem, but the newer tools let you see the actual application."

For tools developers, that means providing solutions that allow network managers to dissect the data packets and classify them by application and understand how traffic flows affect each application, said Bill Berkman, marketing director at tools vendor ClearSight Networks Inc.

"That gives them a much better idea of the dynamics of the network," Berkman said. "They can then more rapidly identify what the problem is and the users that are affected, and either deal directly with the problem or get the users off the network."

ClearSight's Analyzer, for example, automatically detects faults and other events in application-specific traffic and then allows network managers to drill down through each application to the faulty servers and connections associated with the application. The tool can show the packet flows between clients and servers and the transactions associated with faults, and it also can reproduce application content passing across a particular connection for troubleshooting purposes.

Like other vendors, ClearSight offers different versions of the tool for different networks. Company officials sell solutions for full-duplex Gigabit Ethernet and half-duplex and full-duplex 10/100 Ethernet networks, and they recently started offering a 10G solution. Full-duplex means that data can be transmitted in two directions simultaneously, and half-duplex means that only one party can transmit data at a time. The majority of the company's sales are now for the gigabit tools, Berkman said, which cost $35,000 or more.

Wireless and more

Another growing challenge for network managers is the sheer breadth of topologies they must handle, said Douglas Smith, president and co-founder of tools vendor Network Instruments LLC. It's not only standard Ethernet with a hub anymore, he said, but also various flavors of local- and wide-area networks, speeds and wireless protocols.

Using specific tools for each of those requirements is impractical, Smith said, so users are increasingly looking to a single vendor to produce toolsets with all or most of the functionality, managed through a single console.

Wireless is probably the biggest challenge because the technologies are so different from the collision-detection techniques of wired Ethernet networks, he said. Also, wireless networks have no defined edge.

"It means we'll probably have to develop different ways for using the tools," Smith said. "But once that's taken into account, then, basically, it's still the same network."

Network Instruments' flagship Observer product line comes in various options, though the Observer Suite is the most comprehensive as a single solution. The Gigabit Observer Suite System, for example, is a portable, ruggedized 64-bit system that can capture, view and decode more than 500 protocols in real time, manage various network devices and probes, and produce long-term trend analyses for both LAN/WAN statistics and device diagnostics.

Netcordia Inc. officials take a similar approach to completeness with NetMRI, especially focusing on ease of use. Plug the device into the network, and it automatically discovers the network topology and immediately begins to report problems using an adaptive, rules-based analysis engine, company officials said.

The end result is a system-level view of the network, which is particularly useful for managing things such as virtual LANs (VLANs), said Terry Slattery, Netcordia's chief executive officer.

In instances in which multiple VLAN subnetworks might be running in a larger physical domain, NetMRI can help isolate which host or client systems are responsible for the performance of particular VLANs and what kind of traffic load is on a VLAN, for example, Slattery said.

He said that insight is even more valuable when VLANs interact with wireless domains, in which you have to check that systems on the open, or wireless, side of the VLAN are not affecting an organization's internal network.

NetMRI comes in three models: a campus version, priced at $25,000; an enterprise model that costs $50,000; and a high-end enterprise plus version that sells for a little less than $88,000.

But, no matter what approach officials at tools vendors take, the driving force today for network monitoring and analysis is the business, said Tom Bienkowski, product line manager at Network General Corp., which formed in July after Silver Lake Partners and Texas Pacific Corp. bought the Sniffer Technologies business from McAfee Inc.

"Users do want [our tools] to be more than just protocol analyzers," Bienkowski said. "We also have to be able to integrate with other [management] solutions such as [Hewlett-Packard Co.'s] OpenView, so we have to be open to our probes being queried by other tools."

Network General officials cater to these demands with products that complement the large pool of basic Sniffer systems that are already embedded in the networks of company customers.

Sniffer Distributed, for example, is a solution that adds software modules for monitoring and analysis under an item-by-item licensing mechanism.

Network General's Appera integrates with Sniffer Distributed to monitor critical business applications such as those from SAP AG, PeopleSoft Inc. and Oracle Corp. systems, in addition to in-house, custom-built applications.

The bulk of Network General's sales come from Ethernet products, which cost $8,000 to $26,000 for Gigabit Ethernet solutions, Bienkowski said.

In today's market, bandwidth has become relatively cheap, and networks have fulfilled the predictions that people made in the 1980s, said John Fulmer, senior director for managed network services at DigitalNet Inc., which provides networking services to government agencies.

The network's performance is now more or less taken for granted, he said. So the issue is not the networks anymore, but the performance of applications running on them.

"Smaller organizations with just a few servers will still have [a] need for point tools with more focused capabilities," Fulmer said. "But bigger organizations need tools that provide service-level management and a view of how services are performing down to the router, switch and server" levels.

Robinson is a freelance journalist based in Portland, Ore. He can be reached at hullite@mindspring.com.