Troubleshooting network slowdowns

When the latest release of Network Instruments LLC's Observer network troubleshooting software arrived at our office, we had a real-life problem with one of our production Web applications. Users at several locations were experiencing slowdowns during certain times of the day while using the Web site. So we decided to put the product to the test.

We loaded Observer on a desktop at our central location, hoping to troubleshoot the problem without having to travel to the site, which was 200 miles away. We then deployed one of the new Observer network probes to an existing Microsoft Corp. Windows XP desktop system at one of the locations experiencing slowdowns. The Observer probe was easily installed via a remote desktop Web connection that is included with Windows XP. After we installed the probe and rebooted, the remote machine began collecting network traffic for us on the remote network.

What we liked

We encountered many features that we liked in Observer 9 in our attempts to find the causes of the network slowdown. We appreciated the suite's integration. In the past, we had been solving network problems using separate tools for Simple Network Management Protocol monitoring and for packet analysis. Observer conveniently contains these tools and more in a single suite.

We also liked Observer's ability to create point-and-click network filters. These filters sift through the flood of packets on the network to show only the traffic you want to see. We are accustomed to obtaining network addresses to filter by investigating users' workstations or by examining packet headers on passing network traffic. Observer allows us to simply right-click on a network packet and then create a filter on the fly using either the Media Access Control or IP address of the workstations.

In some older protocol analyzers, users had to stop the trace to view the packets. We liked that Observer could show us the network traffic almost in real time. With the new high-capacity 4G data buffer, we could take as much time as necessary to view the packets.

Observer contains several breakdowns of traffic conversations. The most useful views were Expert Analysis, Top Talkers and Internet Observer. The Expert Analysis function breaks down the entire trace file by TCP, UDP, IPX and wireless protocols. The TCP Events summary is useful as well. Totals for transmitted and received packets and bytes are all listed, along with a green/yellow/red warning system for latency and other problems.

And Observer makes it easy to find information. Abnormalities in response time become readily apparent when you sort columns.

We also found Observer to be capable of handling data generated by other protocol analyzers, such as the freeware Ethereal (www.ethereal.com) and Network Associates Technology Inc. Sniffer (www.sniffer.com). We applaud Network Instruments for building this compatibility into their product.

What we didn't like

Observer never crashed on us. Nonetheless, the application runs best on capable hardware. Although we performed much of our testing using an older

500 MHz Dell Inc. Latitude laptop, the program will run best on a 1 GHz or faster system with 512M to 1G of RAM. We would have preferred more speed, but the program was functional on our dated laptop.

We did encounter some mislabeled data in the graphing utility, which Network Instruments technical support staff confirmed. We were assured the issue was already being addressed and would be fixed in a subsequent release. When using a sophisticated network-troubleshooting tool, however, we feel there is no room for even minor errors. After all, if a mistake is made with something as simple as a label, what are the chances of a mistake in the complex algorithms for collecting and reporting the actual data?

More importantly, in the Application Analysis function, the server response time and the total transactions were incorrectly reported. When we spoke with Network Instruments tech support, they again informed us that they were aware of the problem, which will be corrected in a subsequent release. They assured us that the data was reported backward but was still usable. For us to account for this mistake by manipulating the date was too much trouble. In the end, we could not use output from this otherwise extremely useful feature to help prove the case for our analysis of the network slowdown.

Results and wishes

The bottom line is that Observer identified the cause, or the three causes, for our slowdown. The Summary View for TCP events immediately identified two worm-infected PCs that were consuming bandwidth by constantly scanning the network. Next, it showed that some employees were slowing down the system by using streaming media. Finally, it showed that we had too many people connected to the network segment.

Although Observer met our needs well, we do have a wish list for additions to the product. First, although the Connection Dynamics facility, which displays the network conversation on a vertical timeline, is a useful tool, we would like to see some correlation to absolute time. As it is, we struggled to determine when events occurred on the timeline.

Second, we did not like the fact that Observer could not save trace files from the Observer workstation to any place other than the data directory in the main program install location, which by default is C:\observer\data. This is hard-coded into the program and cannot be configured. Normally, we prefer to install executables on the primary drive and place data on secondary or mapped drives.

The bottom line

Although the product will help even novice administrators a great deal, it is essentially an advanced tool for solving complex network problems. Only experienced network wizards can wield it to defeat the most nefarious network demons.

Although we are fans of the Observer product, a program designed to catch mistakes in other products should not contain errors. We recommend holding off purchase of Version 9 until a corrected revision is available.

Greer is a network analyst at a large Texas state agency. Bishop operates PeoplesInformation.com, an Internet consulting firm. They can be reached at egreer@thecourageequation.com.