By Boris Rogier

How to make better use of your network sniffer for NPM/APM

We see more and more network teams investing in NAPM (Network and Application Performance Management) solutions, even though they already have network sniffers / packet analyzers in place and are perfectly literate when it comes to reading network packets.

Whatever the protocol decoder (open source or paid license) and whatever the vendor (Wireshark, Savvius, Clearsight, Network Observer, …), they see their packet analyzer and their real-time stream analysis solution as complementary.

  • What are the reasons for that?
  • What difficulties do they face?
  • How to overcome them?
Network sniffer screen

What limits are they facing while using their sniffers to troubleshoot performance issues?

If you read the testimonial of Police Headquarters in Paris on their use of SkyLIGHT PVX, you will understand the issues they were facing using packet decoders such as Wireshark and Clearsight. Here is the context:

  • they run the infrastructure operations for approximately 30 000 users, spread over 300 remote sites
  • they face regular complaints of application slowdown

Until 2011, they relied on protocol decoders to conduct their troubleshooting, using either Wireshark or a Clearsight product. They went on site with these tools and tried to capture traffic that corresponded to a performance degradation. They report that they were rarely able to diagnose anything.

“Most of the time, we were unable to conduct an analysis at the time of the degradation and our efforts remained fruitless. 

For diagnostics, PerformanceVision outperforms our previous sniffer solutions and Netflow collectors!”

— Stéphane DEWEZ, Network Manager at Paris Police Headquarters

What makes it so difficult to troubleshoot a performance degradation with a network sniffer?

  • User performance is subjective: if your sniffer does not produce a comprehensive set of performance indicators, you will have a hard time telling when users are experiencing good or bad performance.
  • User feedback does not help you locate where and when there is a degradation; usually, administrators do not get information precise enough to know which clients were impacted, when, for what transaction and towards which server.
  • Network sniffers are useless unless you know precisely what you are looking for; otherwise, you sit in front of too much data and cannot make efficient use of the sniffer's powerful detailed-analysis capabilities.
  • Performance degradations are very often intermittent… if you have not stored that traffic, you can only hope to be in the right place at the right time for the next occurrence. In reality, what you need is a history of your network & application performance.

What an APM/NPM solution can bring that your protocol decoder will never provide:

  • A historical view of performance, which helps you understand when and where there was a degradation (and what the “normal” behaviour of your application is).
  • Drill-down from a graphical view of response times to specific conversations, so that you can restrict your detailed analysis to the conversations (and possibly to the transactions) that correspond to a degradation.
  • Automated processing of packet data, from the network layer up to the application transactions.
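
The drill-down described in the list above, sketched as an added example (not Accedian's code or product logic): it derives server response times from packet records, compares them to the service's median as a stand-in for the “normal” behaviour, and emits a Wireshark display filter limited to the degraded conversations. The packet records, the 3x-median threshold and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: (epoch s, client, server, server port, direction, payload bytes)
PACKETS = [
    (1000.00, "10.1.1.10", "10.9.0.5", 443, "c2s", 310),
    (1000.04, "10.1.1.10", "10.9.0.5", 443, "s2c", 1400),
    (1010.00, "10.1.2.20", "10.9.0.5", 443, "c2s", 280),
    (1010.05, "10.1.2.20", "10.9.0.5", 443, "s2c", 900),
    (1030.00, "10.1.1.10", "10.9.0.5", 443, "c2s", 305),
    (1030.01, "10.1.1.10", "10.9.0.5", 443, "s2c", 0),     # bare ACK
    (1030.04, "10.1.1.10", "10.9.0.5", 443, "s2c", 1400),
    (1075.00, "10.1.2.20", "10.9.0.5", 443, "c2s", 290),
    (1077.50, "10.1.2.20", "10.9.0.5", 443, "s2c", 950),   # slow answer
    (1090.00, "10.1.1.10", "10.9.0.5", 443, "c2s", 300),
    (1090.06, "10.1.1.10", "10.9.0.5", 443, "s2c", 1400),
]

def response_times(packets):
    """Yield (request_ts, conversation, server response time) per transaction."""
    pending = {}  # conversation -> timestamp of the last request packet
    for ts, client, server, port, direction, size in sorted(packets):
        if size == 0:
            continue  # pure ACKs carry no application data
        conv = (client, server, port)
        if direction == "c2s":
            pending[conv] = ts
        elif conv in pending:  # first response packet closes the transaction
            yield pending[conv], conv, ts - pending.pop(conv)

def degraded(packets, factor=3.0, bucket=60):
    """Map (bucket_start, conversation) -> worst response time above factor x median."""
    samples = list(response_times(packets))
    by_service = defaultdict(list)
    for _, (_, server, port), srt in samples:
        by_service[(server, port)].append(srt)
    baseline = {svc: median(vals) for svc, vals in by_service.items()}
    hits = {}
    for ts, conv, srt in samples:
        if srt > factor * baseline[conv[1:]]:
            key = (int(ts // bucket) * bucket, conv)
            hits[key] = max(hits.get(key, 0.0), srt)
    return hits

def display_filter(hits):
    """Build a Wireshark display filter covering only the degraded conversations."""
    convs = sorted({conv for _, conv in hits})
    return " || ".join(f"(ip.addr=={c} && ip.addr=={s} && tcp.port=={p})"
                       for c, s, p in convs)
```
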

Once you are there (thanks to an NPM/APM solution), you can make clever use of a packet decoder

To understand how you can solve performance degradations faster, download our 4-step guide to troubleshooting performance degradations.