Rollout: Network General's Network Intelligence Suite 4.2

Network General is looking to close the gap between proactive-monitoring and problem-resolution tools with version 4.2 of its Network Intelligence Suite. And for large organizations, the $120,000 price of this integrated product may be justified. Network General says it has listened to customer demands for increased integration of various app and network monitoring and analysis tools. The beta's ease of setup, business-focused reporting and simple drill-down interface left us wishing we could keep the gear.

Much of the suite's base functionality can be found in a collection of tools from other vendors. Implementations with sniffing tools, such as open-source Ethereal; monitoring tools, such as CA's Concord, Dartware's InterMapper or NetScout's nGenius; and large-scale management offerings, such as IBM Tivoli or HP OpenView, would provide similar raw data on the low end and competitive toolsets on the high end. And that's Network General's pitch: It eliminates the need for a raft of other products.Although the Suite is tagged as 4.2, the numbering scheme reflects the maturity of the individual products: Distributed Sniffer, a robust, appliance-like analyzer; NetVigil, the infrastructure monitoring product, and Visualizer, a business-focused reporting tool that provides a single Web interface for monitoring, problem identification and troubleshooting. The minimum price for a NetVigil-only installation is $55,000. At that price and below, InterMapper, Concord and nGenius would do an excellent monitoring job. Springing for the full $120,000 suite provides a unified product for network and application management where most competitors offer solid but "siloed" products that tend not to play as well with others.

Turnkey Setup

For testing, Network General sent us two WinXP and one Windows 2003 machine, running the Distributed Sniffer, NetVigil and Visualizer products. The corporate-branded, 2U cases were close to a turnkey setup;

Application Performance Optimization Immersion Center

NEWS | REVIEWS | BLOGS | FORUMS
TUTORIALS | STRATEGY | MORE

Network General's price tag normally includes on-site setup and integration. We had all three boxes up and running during a 90-minute call with a senior engineer. All gear was connected over Fast Ethernet to a loaded Cisco 6500 core switch. In another hour, we were familiar with the suite's tools. Our Visualizer was set up to support up to 10 Network General devices feeding into the Visualizer; Distributed Sniffers and NetVigil appliances can be installed at remote buildings or WAN sites. In general, a single NetVigil unit can monitor about 800 devices; the Sniffer's gigabit monitoring ports can capture tens of thousands of concurrent sessions and send the results to the Visualizer.

NetVigil easily tracked down devices on our wired and wireless infrastructure. We fed it SNMP community monitor strings and it sniffed network gear, printers, clients, and Windows and Linux servers. We set the tool loose on 10 VLANs, and 30 minutes later, its data-gathering engine discovered all 653 known devices in our hardware inventory. It was easy to group found objects into departments and "containers" based on our own criteria--business function, physical location and type. We set monitoring thresholds with SMTP notifications for alarms to track base CPU loads and bandwidth utilization.Visualizer relies on one or more of Distributed Sniffer's gigabit monitoring interfaces to provide real-time data to develop its reporting trends. Data feeds directly into Visualizer's Microsoft SQL database and gets served from the Apache Tomcat 5.5 Web server on the same box. Reporting response from the SSL Web interface occasionally lagged--two to three seconds under heavy load on our 2-GHz/2-GB Xeon server--but overall performance was satisfactory. We connected one of two monitoring ports from the Distributed Sniffer to a trunk port on a Cisco 3550 switch. Reports from the sniffer correlated with the 10 VLANs we had mapped using NetVigil while also detailing traffic and trends from our remaining, unmapped VLANs and external addresses.

The Visualizer Web console collated all our network's data traffic by app type, source server, client, subnet and/or device. Visualizer automatically categorized all our primary applications: Citrix, Oracle, SQL, mail and Web traffic apps. A quick reports option let us list the 20 heaviest users based on app type, server, client or subnet. All the reporting tools provide granular drill-down within categories. We quickly ascertained that Citrix packets were the third most prevalent traffic type on the switch; two IPs were serving Citrix traffic with a roughly 40/60 load differential, and seven clients were hitting the more heavily utilized port. We also learned two client IPs on different subnets were pulling more than 50 percent of the traffic. Report template creation is straightforward, letting you create canned reports based on user type and audience, with ready export to HTML or PDF.

Outside our test environment, we successfully identified some generic multicast traffic (iTunes sharing and some other peer-to-peer users) as the cause of sporadic dropped mail sessions. A network manager had a hunch that multicast floods were causing the hiccups, but couldn't catch the perpetrators because the problem was so infrequent. Using Visualizer and NetVigil, we set thresholds to watch for lost packets between our e-mail server and clients on specific subnets based on app- specific packet retransmits, while monitoring for unauthorized multicast traffic on the troubled subnets and remote switches. A perfect storm of large-file swaps between users on two remote switches, coupled with high loads on the mail server, caused our mail-app hiccups for users on those switches. Alarms were tripped and offending IPs were identified. Users were notified, instilled with a healthy fear of IT, and the problem was resolved. n

Joe Hernick, PMP, MS, is director of IT for the Loomis Chaffee School in Windsor, Conn. Write to him at [email protected].