Posts Tagged ‘sniffing’

Green-Running Software

January 15, 2010

Saving money by reducing the number of servers in your infrastructure makes natural sense.

The next step that needs to be considered is green-running software.  This is software that scales incredibly well for any size of organization, and also does not require “big iron” to run.

If you have software that requires a dual-processor environment with 2 gigs of RAM and a large disk array, it will cost you twice as much to operate as one that fulfills the same needs yet only requires one low-powered CPU and a gig of RAM.

This becomes even more important if the software requires remote agents to be deployed across the network, each agent taking a measured amount of resources to operate (CPU, RAM, disk space, air-conditioning).

Strong consideration should be given to the solution that requires less maintenance, less hardware, and less footprint on the earth, as it will save far more than money in the long term: your sanity.


Packet Analysis and VoIP: Useless?

December 23, 2009

Many people think you need to “look inside the packets” with a network analyzer to be able to debug & troubleshoot VoIP problems.  I would argue that this is rarely the case, as network analyzers are useful in a small handful of cases and most involve troubleshooting application configuration problems.

If you look at an overnight courier like UPS, their operating model has a lot of similarities to a large VoIP network.  Clients send & receive hundreds of thousands of packages across their network on a nightly basis.

If you look at how they operate, they don’t tear open packages to try to determine why a shipment went missing or why it is late. They learned a long time ago that they needed to “watch their entire network” and have tracking systems that can ensure:

  1. That the packages make it to their destination (no packages lost)
  2. The packages all reach their destination on time (low transit latency/delay)
  3. The packages reach their destination on time as a regular occurrence (high degree of predictability with their service/low jitter)

When running a VoIP network, it’s rarely beneficial to “look inside the packets” to see the voice contents. What’s needed is the ability to “watch the entire network” so problems can be pinpointed when, where, and why they occur for fast remediation.
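The three tracking measures above (loss, delay variation, predictability) can be computed from RTP header metadata alone, without touching the voice payload. The following is an added example, not code from the original post; the `RtpHeader` record, the 8000 Hz clock and the sample values are assumptions made for illustration, and the jitter formula is the running estimate from RFC 3550.

```python
from dataclasses import dataclass

@dataclass
class RtpHeader:
    seq: int        # 16-bit RTP sequence number
    rtp_ts: int     # 32-bit RTP timestamp, in media clock ticks
    arrival: float  # receiver arrival time, in seconds

def stream_stats(packets, clock_hz=8000):
    """Return (loss_fraction, jitter_ms) from header metadata only."""
    if len(packets) < 2:
        return 0.0, 0.0
    # Loss: extend 16-bit sequence numbers across wrap-around, then compare
    # how many packets the sequence range implies with how many arrived.
    cycles, prev_seq, extended = 0, packets[0].seq, []
    for p in packets:
        if prev_seq - p.seq > 0x8000:   # large backwards jump means a wrap
            cycles += 1 << 16
        extended.append(cycles + p.seq)
        prev_seq = p.seq
    expected = max(extended) - min(extended) + 1
    loss = 1.0 - len(set(extended)) / expected
    # Jitter: RFC 3550 running estimate, J += (|D| - J) / 16, where D is the
    # difference between arrival spacing and sender (timestamp) spacing.
    jitter = 0.0
    for prev, cur in zip(packets, packets[1:]):
        ticks = (cur.rtp_ts - prev.rtp_ts) & 0xFFFFFFFF
        if ticks >= 1 << 31:            # interpret as signed 32-bit difference
            ticks -= 1 << 32
        d = (cur.arrival - prev.arrival) - ticks / clock_hz
        jitter += (abs(d) - jitter) / 16
    return loss, jitter * 1000.0

# Constructed sample: 20 ms G.711-style packets, sequence 1 lost after a
# wrap, and the last packet delivered 10 ms late.
SAMPLE = [
    RtpHeader(65534, 1000, 0.000),
    RtpHeader(65535, 1160, 0.020),
    RtpHeader(0,     1320, 0.040),
    RtpHeader(2,     1640, 0.090),
]

if __name__ == "__main__":
    loss, jitter_ms = stream_stats(SAMPLE)
    print(f"loss={loss:.1%} jitter={jitter_ms:.3f} ms")
```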

Network Instrumentation: Sniffing, Simulating, and Sampling

March 19, 2008

All networks have faults.  It’s part of an operational network.

Knowing which faults will affect your business and when is key to being a network professional.  That’s why network instrumentation is important both from a business level and a technical level.

There are three different methods to instrument a network: Sniffing, Simulating, and Sampling.


Sniffing involves looking at individual packets as they pass through a network analyzer.  This type of instrumentation is valuable for seeing protocol problems or looking at specific fields inside specific packets.

If a computer cannot get a DHCP IP address, it may be beneficial to try sniffing the connection to determine what the problem is.  It will show the transmitted DHCP request, and you can then see if a response is received or not.

Pro: Deep packet level inspection.

Con: Only looks at packets passing through one interface at a time.

Usage: Typically employed ad-hoc.

Training: Must understand how network protocols interoperate.
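The DHCP check described above, as an added example that is not part of the original post: it parses DHCP payloads taken from a capture and lists the transactions where a client asked but no server reply was seen. The `_build` helper, the MAC addresses and the transaction IDs are constructed for illustration.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def parse_dhcp(payload):
    """Return (xid, client_mac, message_type) from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    _op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    mac = payload[28:28 + min(hlen, 16)].hex(":")
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                          # 0 = pad, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):                    # truncated option
            break
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            msg_type = payload[i + 2]                # option 53 = message type
        i += 2 + length
    return xid, mac, TYPES.get(msg_type, "UNKNOWN")

def unanswered(payloads):
    """Map xid -> client MAC for requests that never got a server reply."""
    asked, answered = {}, set()
    for payload in payloads:
        xid, mac, kind = parse_dhcp(payload)
        if kind in ("DISCOVER", "REQUEST"):
            asked.setdefault(xid, mac)
        elif kind in ("OFFER", "ACK", "NAK"):
            answered.add(xid)
    return {xid: mac for xid, mac in asked.items() if xid not in answered}

def _build(op, xid, mac, msg_type):
    """Construct a minimal DHCP payload for the sample capture below."""
    header = struct.pack("!BBBBI", op, 1, 6, 0, xid) + bytes(20)
    return header + mac + bytes(10 + 192) + MAGIC + bytes([53, 1, msg_type, 255])

# Constructed capture: client ...01 completes the exchange, ...02 gets no reply.
MAC_A, MAC_B = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
CAPTURE = [
    _build(1, 0x1111, MAC_A, 1), _build(2, 0x1111, MAC_A, 2),
    _build(1, 0x1111, MAC_A, 3), _build(2, 0x1111, MAC_A, 5),
    _build(1, 0x2222, MAC_B, 1), _build(1, 0x2222, MAC_B, 1),
]
```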


Simulating involves creating a simulation of the event you are trying to debug and watching operational characteristics of the simulation.

If you simulate an HTML transaction from the server’s console (i.e., no network involved) and it responds quickly, but the same HTML transaction responds very slowly from a remote network, that creates proof that the network is causing the slowdown for the HTML page.  No matter what performance improvements are done on the server, it won’t help resolve the problem.

Pro: Typically quick and easy to deploy.

Con: Limited ability to see WHERE the problem lies, or WHAT is causing it to occur.

Usage: Typically employed ad-hoc.

Training: Little or none required.


Sampling involves querying the network for performance characteristics on a regular basis.  This can allow for correlation between a simulation and the root cause of the issue.

In the former example of the slow loading HTML page, if it has been determined that the network is causing the slowdown, it will need to be determined where in the network the slowdown is coming from and what is causing it.

If all of the network links are sampled for performance information on a regular basis, it will be easy to look at the performance of each link utilized in the transaction to determine if errors or over-utilization caused the performance problem.

Pro: Can determine the exact location of problems and specific cause.

Con: Typically requires a great deal of deployment effort.

Usage: Continuously monitors network conditions.

Training: Requires SNMP knowledge as well as specific device MIBs and OIDs.
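As an added example (not from the original post), this is how two regular samples of the standard IF-MIB counters can be turned into per-link utilization and error figures for every link a transaction crosses. The link names, poll values and the 80% utilization threshold are assumptions; fetching the values over SNMP is left out so that the arithmetic, including Counter32 wrap handling, runs offline.

```python
# IF-MIB column OIDs; a real poller appends the interface's ifIndex.
IF_SPEED = "1.3.6.1.2.1.2.2.1.5"       # ifSpeed, bits per second
IF_IN_OCTETS = "1.3.6.1.2.1.2.2.1.10"  # ifInOctets, Counter32
IF_IN_ERRORS = "1.3.6.1.2.1.2.2.1.14"  # ifInErrors, Counter32

def counter_delta(old, new, modulus=2 ** 32):
    """Counter32 difference that survives one wrap between polls."""
    return (new - old) % modulus

def diagnose_path(path, prev, cur, util_limit=0.8):
    """Report utilization, errors and problems for each link on a path."""
    seconds = cur["time"] - prev["time"]
    report = {}
    for link in path:
        old, new = prev["links"][link], cur["links"][link]
        bits = counter_delta(old[IF_IN_OCTETS], new[IF_IN_OCTETS]) * 8
        util = bits / seconds / new[IF_SPEED]
        errors = counter_delta(old[IF_IN_ERRORS], new[IF_IN_ERRORS])
        problems = []
        if util > util_limit:
            problems.append("over-utilized")
        if errors:
            problems.append("errors")
        report[link] = {"util": util, "errors": errors, "problems": problems}
    return report

def _sample(speed, octets, errors):
    return {IF_SPEED: speed, IF_IN_OCTETS: octets, IF_IN_ERRORS: errors}

# Constructed polls taken 60 seconds apart (link names are hypothetical).
POLL_1 = {"time": 0, "links": {
    "core-uplink": _sample(1_000_000_000, 1_000_000, 0),
    "branch-wan": _sample(10_000_000, 4_294_000_000, 12),
    "server-access": _sample(1_000_000_000, 500_000, 5)}}
POLL_2 = {"time": 60, "links": {
    "core-uplink": _sample(1_000_000_000, 76_000_000, 0),
    "branch-wan": _sample(10_000_000, 70_032_704, 12),  # counter wrapped
    "server-access": _sample(1_000_000_000, 3_500_000, 47)}}
PATH = ["server-access", "core-uplink", "branch-wan"]

if __name__ == "__main__":
    for link, row in diagnose_path(PATH, POLL_1, POLL_2).items():
        print(f"{link}: {row['util']:.1%} {row['errors']} errors {row['problems']}")
```

The modulo delta is only correct when a counter wraps at most once between polls, so the polling interval has to be short enough for the fastest link being sampled.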

These three troubleshooting methodologies disclose different types of information about a network’s operation.

Make sure you choose the right tool to solve the problem or you may be stuck looking at the problem from the wrong angle and not be able to get resolution in any reasonable timeframe.