m (Martin.fesser moved page 4- Network burst analysis to Network burst analysis) |
No edit summary |
Line 1: | Line 1: | ||
== | == Problem == | ||
How can you use the | How can you use the Allegro Network Multimeter to quickly and easily detect | ||
network bursts and find out the related sender and receiver? | network bursts and find out the related sender and receiver? | ||
== Burst detection == | |||
== | |||
The Allegro Network Multimeter offers several possibilities to detect bursts. | The Allegro Network Multimeter offers several possibilities to detect bursts. | ||
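Review bot: the old-revision column at the top of this hunk shows a bare `==` against the new `== Problem ==`, and the left-hand `How can you use the` stops exactly where the right-hand side continues with `Allegro Network Multimeter`; a bare `==` is not a valid MediaWiki heading, so either the previous revision was malformed or the removed (highlighted) words were dropped from this rendering. Check the previous revision directly before drawing conclusions from this hunk about which wording was replaced.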
Line 14: | Line 11: | ||
* For a higher resolution of up to 1 ms you can use the "Interface throughput" incidents. They are per interface incidents and will also be generated when a threshold is exceeded. | * For a higher resolution of up to 1 ms you can use the "Interface throughput" incidents. They are per interface incidents and will also be generated when a threshold is exceeded. | ||
== Interface throughput incidents == | |||
== | |||
We will use the "Interface throughput" incidents to detect bursts and find out | We will use the "Interface throughput" incidents to detect bursts and find out | ||
who sent the packets. | who sent the packets. | ||
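Review bot: the bullet kept in this hunk says the "Interface throughput" incidents are generated when a threshold is exceeded, but nothing visible here says where that threshold is configured; since the new `== Interface throughput incidents ==` heading now opens the walkthrough right after this bullet, a sentence pointing to the threshold setting would let readers reproduce the notification described in the next hunk.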
Line 32: | Line 26: | ||
After several minutes we get a notification and go to the overview under | After several minutes we get a notification and go to the overview under | ||
'Generic' -> 'Incidents'. When clicking on the incident we see details about the burst. | 'Generic' -> 'Incidents'. When clicking on the incident we see details about the burst. | ||
{| | {| | ||
| [[File:Ap-mm-burst-analysis-incident.png|600px|thumb|right]] | | [[File:Ap-mm-burst-analysis-incident.png|600px|thumb|right]] | ||
|} | |} | ||
The burst started at 14:42:26.695 and took about 5 measurement cycles (25 ms). | The burst started at 14:42:26.695 and took about 5 measurement cycles (25 ms). | ||
A PCAP link is available and will offer a capture of the time around the burst | A PCAP link is available and will offer a capture of the time around the burst | ||
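Review bot: `took about 5 measurement cycles (25 ms)` implies a 5 ms cycle, while the bullet in the previous hunk advertises a resolution of up to 1 ms; stating the cycle length configured for this incident would reconcile the two figures for the reader.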
Line 40: | Line 36: | ||
The "Use as global time range" button allows for setting the global data range | The "Use as global time range" button allows for setting the global data range | ||
around the time of the burst. By using it, all modules in the | around the time of the burst. By using it, all modules in the Allegro Network | ||
Multimeter | Multimeter will display statistics and provide captures for this time range. As | ||
we want to analyze the burst we click on it. | we want to analyze the burst we click on it. | ||
== Who was responsible for the burst? == | |||
Let's take a look on the dashboard. | |||
{| | {| | ||
| | | | ||
[[File:Ap-mm-burst-analysis-dashboard.png|600px|thumb|right]] | [[File:Ap-mm-burst-analysis-dashboard.png|600px|thumb|right]] | ||
|} | |} | ||
The time resolution of the total throughput graph is too low to display the same | The time resolution of the total throughput graph is too low to display the same | ||
values as in the incident graph. But we get a good overview of the IPs with the | values as in the incident graph. But we get a good overview of the IPs with the | ||
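Review bot: the added line `Let's take a look on the dashboard.` should read `Let's take a look at the dashboard.`; the new `== Who was responsible for the burst? ==` heading itself is a good split, since the paragraph that follows it (`The time resolution of the total throughput graph is too low ...`) begins the attribution step rather than the time-range setup above it.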
Line 73: | Line 68: | ||
with each other. Perhaps we can find some pattern in the traffic related to the | with each other. Perhaps we can find some pattern in the traffic related to the | ||
burst? | burst? | ||
{| | {| | ||
| | | | ||
Line 83: | Line 79: | ||
Now let's analyze the IP address 10.54.0.108 by clicking on it and opening the | Now let's analyze the IP address 10.54.0.108 by clicking on it and opening the | ||
tab "Peers": | tab "Peers": | ||
{| | {| | ||
| | | | ||
[[File:Ap-mm-burst-analysis-ip-peer.png|600px|thumb|right]] | [[File:Ap-mm-burst-analysis-ip-peer.png|600px|thumb|right]] | ||
|} | |} | ||
Both IP addresses communicated with each other. 10.54.0.225 suddenly started | Both IP addresses communicated with each other. 10.54.0.225 suddenly started | ||
sending a unusual high amount of packets to 10.54.0.108. | sending a unusual high amount of packets to 10.54.0.108. | ||
We can now check for more details in the PCAP provided by the throughput incident. | We can now check for more details in the PCAP provided by the throughput incident. | ||
{| | {| | ||
|[[File:Ap-mm-burst-analysis-wireshark.png|600px|thumb|right]] | |[[File:Ap-mm-burst-analysis-wireshark.png|600px|thumb|right]] | ||
|} | |} | ||
Before the time of the incident the traffic was significantly lower. At | Before the time of the incident the traffic was significantly lower. At | ||
14:42:26.69497 IP address 10.54.0.108 sent a packet to 10.54.0.225 and it started | 14:42:26.69497 IP address 10.54.0.108 sent a packet to 10.54.0.225 and it started | ||
the traffic burst. | the traffic burst. |
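Review bot: `it started the traffic burst` at the end of this hunk is ambiguous after the earlier sentence that 10.54.0.225 `suddenly started sending a unusual high amount of packets to 10.54.0.108`; say explicitly whether the packet from 10.54.0.108 at 14:42:26.69497 triggered the burst of traffic from 10.54.0.225, which is what the "Peers" paragraph implies. Also `a unusual high amount` should read `an unusually high amount`, and it is worth pointing out that the packet timestamp 14:42:26.69497 matches the incident start 14:42:26.695 from the Line 32 hunk, which ties the Wireshark view back to the incident.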