Going With The Flow

As businesses use their data networks to deliver more applications and services, monitoring and managing the network for problems and ensuring high performance can become a challenge. A shift to flow-based network monitoring is proving fruitful for some.

In the past, network monitoring usually involved checking to see that network devices were working properly and that data packets were moving from one location to another in a timely fashion. But metrics such as packet round-trip time, packet loss, and packet delay weren't all that relevant to users who were more interested in how well applications and services were delivered to their desktops.

Network managers now are spending more time looking at application performance and bandwidth utilization using a variety of tools from networking vendors such as Apparent Networks, Cisco Systems, Compuware, Coradiant, NetQoS, NetScout, Network General, Network Physics, and Visual Networks. Those tools monitor "flows" of like data, usually tied to a specific application, and make use of information from Cisco switches and routers, called NetFlow information, to provide what's generically known as flow-based network monitoring.

Real-Time Analysis
Jeff Duke, senior network engineer at the Indiana Department of Technology, uses 30 Sniffer systems from Network General to oversee a Gigabit Ethernet network used by tens of thousands of state officials and employees. Earlier network-monitoring systems sent activity reports for later analysis. "I couldn't see data, packets, or flows in real time," he says. "It wasn't even near real time. I was looking at a week ago."

With the Sniffer systems installed throughout the network at key locations such as firewalls and other access points, Duke says he gets "all the stats on a flow or set of flows, and I can troubleshoot any problem that comes up." The state will migrate to a 10-Gigabit Ethernet network, and good network-monitoring tools are crucial, Duke says. "As the network gets bigger, application troubleshooting gets bigger," he says.

John Schnelle, manager of network architecture and network management systems at Black & Decker Corp., says monitoring a network that reaches 300 sites in 50 countries can be difficult. Until the company installed NetQoS ReporterAnalyzer, which uses NetFlow data to monitor traffic running through some 800 interfaces, the toolmaker had little visibility into the type of applications running on the network.

"It's a simple, distributed, scalable way to do network engineering," Schnelle says. The system identified several applications that were consuming more bandwidth than they should have. After fixing those, "we gave administrators in the field read-access, which saves us a lot of trouble calls." Schnelle plans to expand the flow-based network-monitoring capabilities to identify and shut down malicious traffic when it appears on the network.

Flow-based monitoring also is useful for watching how Web sites deliver information to visitors. Major League Baseball has more than 70 Web servers, some of which serve up stats, while others deliver images or streaming media. The league uses seven load-balancing switches to distribute the traffic but had a problem monitoring and managing the sites.

Analyzing Web logs wasn't useful, says Ryan Nelson, director of operations at MLB Advanced Media, a division of MLB. "To debug problems, we had to dig through a 10-Gbyte log stream each day. And I only have a small team of six administrators."

To compound the problem, MLB keeps adding features and functions to the site, "creating more bugs that have to be debugged," Nelson says. He turned to TrueSight, a Web-monitoring appliance from Coradiant that analyzes the flow of traffic and the Web logs to pinpoint problems. "It used to be that finding a bug would take so much effort to track and resolve. Now when we see something weird happening, we go to Coradiant. It's always there collecting information and it tells us what the issue is," he says.Focus On Users
Flow-based monitoring will become more important as businesses extend applications to partners and suppliers, and to ensure that customers have a good experience when using the applications, says Jon Oltsik, an analyst with the Enterprise Strategy Group. That's especially true for delay-sensitive applications like voice over IP and other real-time apps. "Many of these kinds of applications won't work unless the user experience is up to par," he says.

Keeping track of data packets is no longer enough. As more services are added to the network, the user experience is what matters most. That's why more network administrators are likely to add flow-based monitoring to their network management tool chest.

-- with Paul Travis