News Stay informed about the latest enterprise technology news and product updates.

Best WAN monitoring metric: Flows or packets? Riverbed says both

WAN monitoring tools examine network flows or packets, but rarely both. Riverbed is integrating Wireshark into its Cascade appliance to provide end-to-end visibility.

The red lights and green lights of a WAN monitoring dashboard are sometimes all that a wide area network (WAN)...

manager needs to see. But flow-based WAN monitoring doesn't always provide enough detail to troubleshoot nuanced lower-layer problems. At the same time, slogging through a day's worth of packet analysis to find a few buggy transactions is far from efficient. Some WAN managers might say it's borderline torture.

WAN monitoring vendors have traditionally provided a view into network flows or packets—rarely both. That has left many WAN managers with two options: toggle between multiple monitoring tools or simplify monitoring by sacrificing one view at the expense of the other. 

After acquiring Cace Technologies—the primary sponsor of open source packet analyzer Wireshark—late last year, Riverbed Technology recently announced integration between its flow-based WAN monitoring tool, Cascade, and Wireshark's packet analysis engine. The integration enables WAN managers to use both tools in concert from a single dashboard.

Jason Irby, network administrator at Pacific Dental Services—a dental services organization with 195 affiliate offices throughout the Western and Southwestern regions of the United States—uses both Cascade and Wireshark to engineer changes, manage traffic and troubleshoot problems across the WAN.

Cascade meets most of his day-to-day WAN monitoring needs, but Irby still keeps Wireshark on hand for the occasional problem that can only be identified at the packet level, such as a recent DHCP hiccup with a virtual private network (VPN) appliance.  Irby has not tested or used the new integration, but he is certain that combining both WAN monitoring tools will make troubleshooting easier and faster. 

"It's very easy in Cascade to say, 'Find this [traffic] between this time and this host.' That takes seconds, whereas the process in Wireshark takes quite a bit of time [to sort] through packet capture," Irby said. "I know the process that's failing is captured in [Cascade], so to be able to take that portion, right click on it and send it to Wireshark is phenomenal as far as saving time. It's a phenomenally faster mean time to repair."  

Rick Drescher, director of IT at Studley Inc., a real estate services firm based in New York City, uses various freeware to monitor network health and flow activity. He typically uses Wireshark when troubleshooting something with a vendor's help desk.

"The first thing they ask for is a packet dump, and it's like, 'Hmm, uh, about that...' So, we take a laptop and download Wireshark onto it," Drescher said. "It's a pain in the [neck] when you have to do it ... so as far as the WAN is concerned, we don't do that much packet capture."

Drescher, who uses Riverbed's Steelhead WAN optimizers, has no plans to deploy Cascade but agreed that networking pros need consolidated WAN monitoring tools.

"We're not looking to install any more [WAN monitoring] tools," he said. "We would like to have as few tools as possible to manage the network that will still let us have the visibility we need."

Many vendors pitching consolidated WAN monitoring

Consolidated WAN monitoring is still immature, but Riverbed isn't the only vendor to provide it, according to Jim Frey, research director at Enterprise Management Associates. NetScout, WildPackets, Network Instruments and OpNet also provide multiple layers of visibility, he said. 

We would like to have as few tools as possible to manage the network that will still let us have the visibility we need.

Rick Drescher
Director of IT, Studley Inc.

Jesse Rothstein, CEO and co-founder of ExtraHop Networks, launched his company's first product in 2009, an "application-aware network monitoring" appliance, to meet the need for consolidated and real-time LAN and WAN monitoring. ExtraHop recently announced a partnership with SevOne to integrate its NetFlow- and device-based monitoring into ExtraHop's real-time application monitoring.   

"[These tools] tend to fall into two categories: either telescopes or microscopes. They give you a high-level overview or a packet-level analysis. There's nothing in between," Rothstein said. "These legacy tools are falling further and further behind."

Different levels of WAN monitoring solve different problems

The Riverbed/Wireshark integration is expected to be generally available as part of a software upgrade to Cascade Profiler (version 9.0) and Cascade Pilot (version 3.0, formerly Cace Pilot). The integration will only be available to customers who have deployed the Cascade Profiler, Cascade Gateway, Cascade Sensor and Cascade Shark (formerly Cace Shark) appliances, according to Yoav Eilat, director of product marketing for Cascade at Riverbed.

The progression from application-level to packet-level analysis should be as simple for WAN managers as zooming in on and navigating around Google Maps, he said.

"In a map, you can zoom from the top level to the low level just by clicking. Every time you click or move to the side, the map knows where to take you because all of those different [databases] are linked," Eilat said.  "That's the model we had in mind when we were working on this integration."

On its own, Cascade could tell a WAN manager which server was experiencing problems and the relevant performance metrics, such as the average response time over a given time period, Eilat said. Wireshark can look at an individual transaction and its packets, line by line.

"Let's say you have a Web server that's responding very slowly. Cascade could always tell that the server is responding very slowly, but it couldn't tell you this one JPG ... was causing the problem," Eilat said. "Sometimes, the only way to answer the question of what went wrong is to look at the packets."

That kind of end-to-end view from a single platform will be especially useful for WAN managers monitoring widely distributed environments, Frey said. 

"When you have widely-dispersed, far-flung branches and a complex mix of applications and users, any one of those things could be the source of the problem," he said. "Packet-based viewpoints are really definitive and give you absolutely everything you need to troubleshoot an issue when an issue comes down to being network-specific or how an application behaves ... but it's so much information ... and that's not really [required for] the bulk of the cases."

Most WAN managers typically require packet analysis to troubleshoot the subtler reasons that cause an application to behave poorly over the WAN, such as interoperability issues or retransmission errors, Frey said. Most times, high-level views into bandwidth utilization at a branch or alerts about abnormal traffic patterns suffice, he said.

Let us know what you think about the story; email: Jessica Scarpati, News Writer.

Dig Deeper on Network management and monitoring

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.