Here’s the scenario: The development guys have just deployed the new version of your CRM application, and the infrastructure
group has finally upgraded the backbone to Gigabit Ethernet. So why are the users still complaining about poor performance?
Where’s the bottleneck?

Network Physics NetSensory NP-500
Network Physics, networkphysics.com
Overall score: Excellent, 9.1

| Criteria | Score | Weight |
|---|---|---|
| Protocol analysis | 10 | 30% |
| Reporting | 9 | 25% |
| Ease-of-use | 8 | 20% |
| Scalability | 9 | 15% |
| Value | 9 | 10% |

Cost: NP-500: $17,495; NP-2000: $29,995
Platforms: Any TCP-based network with at least one managed Ethernet switch with span, or mirror, port
Bottom Line: The NetSensory NP-500 is a tremendous forensics tool for digging deep into exactly what is going on inside the network. It
captures, inspects, and analyzes specific metrics to gauge application response time as well as other useful statistics such
as retransmission rate, latency, and details about TCP conversations. The reporting and analysis tools are excellent and help
provide useful views into the collected data.

You could spend hours doing trial-and-error troubleshooting. Or you could quickly get to the root of the problem using a network
forensics tool such as the NetSensory NP-500 from Network Physics.
This 1U appliance may be small in stature, but it is big on performance. The NP-500 captures, collates, and analyzes enterprise
network traffic at speeds of up to 20MBps. From there, it equips IT staff, from network designers to help-desk personnel,
with the tools to drill down into captured data and efficiently identify problems such as slow servers, congested links, worm
outbreaks, or bandwidth hogs.
Installation of the NP-500 requires connecting the appliance’s capture port to the span, or mirror, port of a managed workgroup
switch. The NP-500 comes with two monitor ports so you can monitor two different sources at once. Choosing the proper location
in the network infrastructure is important: Make sure that the traffic flows you will be monitoring pass through the switch
and that the traffic is mirrored to the NP-500. Notably, the NP-500 only has copper interfaces; its big brother, the NP-2000,
has copper and fiber interfaces, and can monitor traffic at speeds of more than 750MBps.
Initial setup is accomplished via a browser-based UI, but all day-to-day management is done through a Java-based UI. The NP
Management Console is a typical Java app: a little sluggish, but well organized overall and neatly laid out. I was able to
navigate it without too much trouble.
Part of the configuration of the appliance involves defining business groups. These groups are nothing more than logical containers
of network resources based on their IP addresses. For my tests, I had one business group that had my Windows Small Business
Server 2003 as its only member, while other business groups included my local and remote LAN clients.
It is important to define the groups correctly from the start. While the NP-500 looks at all of the traffic sent to it, it
only stores detailed information based on the business groups. I found that even though the appliance had been capturing traffic
for weeks, I couldn’t analyze any traffic prior to a new business group’s creation. This is by design; because the data captured
can grow so large, only the information specifically associated with a business group is kept for ongoing analysis.
Sniff, Sniff
The NP-500 does more than simply sniff packets on the network. It measures app response time and network performance, and
helps track down traffic anomalies such as worm outbreaks. It does this by analyzing each packet of data, both TCP and UDP
(User Datagram Protocol), and by measuring various aspects of an IP conversation. Some of the metrics collected include server-response
time, data-transfer time, time to first byte, initial application-response time, and round-trip time.
Many applications use persistent TCP connections to reduce the number of TCP sessions between client and server, thus improving
network performance. Network Physics uses the concept of a “turn” when describing application response instead of simply counting
new TCP connections. A turn is a single request-response interaction between client and server. The NP-500 can “see” inside
of the nailed-up TCP connection (one that is open for an extended period of time and is reused by the same application) and
count the number of turns for a specific period of time.
While a turn doesn’t always indicate a single transaction, it is a good indicator of an application’s overall performance.
So, if over a period of time the total number of turns is slowly decreasing, it is safe to say that overall application performance
is decreasing, too.
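
To make the "turn" idea concrete, the following added example (not Network Physics code) counts turns per TCP connection from a constructed packet trace and records a simple server-response time for each one. The addresses, ports, the `SERVER_GROUP` business group, and the definition of response time as the gap between the last request segment and the first response byte are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed "business group" holding the servers (addresses are constructed).
SERVER_GROUP = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed trace: (time_s, src_ip, src_port, dst_ip, dst_port, payload_bytes)
C, S = "10.0.1.20", "10.0.0.5"
PACKETS = [
    (0.000, C, 50312, S, 445, 0),     # handshake, no payload
    (0.001, S, 445, C, 50312, 0),
    (0.010, C, 50312, S, 445, 1460),  # request 1, first segment
    (0.011, C, 50312, S, 445, 120),   # request 1, last segment
    (0.050, S, 445, C, 50312, 1460),  # response 1, first byte
    (0.051, S, 445, C, 50312, 800),   # response 1 continues
    (0.052, C, 50312, S, 445, 0),     # bare ACK, ignored
    (2.000, C, 50312, S, 445, 90),    # request 2 on the same connection
    (2.300, S, 445, C, 50312, 400),   # response 2
    (3.000, C, 50313, S, 445, 60),    # second connection, one turn
    (3.020, S, 445, C, 50313, 200),
]

def in_group(ip, group):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)

def count_turns(packets, server_group):
    """Return {connection: {"turns": n, "response_times": [seconds, ...]}}."""
    stats = defaultdict(lambda: {"turns": 0, "response_times": []})
    pending = {}  # connection -> time of the latest unanswered request segment
    for t, src, sport, dst, dport, size in sorted(packets):
        if size == 0:
            continue  # handshakes and bare ACKs carry no application data
        if in_group(dst, server_group):        # client -> server: request data
            pending[(src, sport, dst, dport)] = t
        elif in_group(src, server_group):      # server -> client: response data
            conn = (dst, dport, src, sport)
            if conn in pending:                # first response byte ends the turn
                stats[conn]["turns"] += 1
                delay = round(t - pending.pop(conn), 3)
                stats[conn]["response_times"].append(delay)
    return dict(stats)

if __name__ == "__main__":
    for conn, s in count_turns(PACKETS, SERVER_GROUP).items():
        print(conn, s)
```

The trace holds two TCP connections but three turns, which is the distinction the turn metric captures on persistent connections.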
This is where the detailed forensics available in the NP-500 comes into play. By drilling into a specific business group,
administrators can generate graphs and reports and look for trends based on a wide range of metrics. Graphs can be created
based on all members of the business group, by the applications in use by the group, by specific TCP conversations, or even
by a specific port.
It is easy to get lost in the myriad choices for inspecting the collected data. Network Physics helps speed the analysis by
including predefined templates called NetSensory Insights. The Insights are available for auditing network usage, monitoring
baseline usage, troubleshooting, security, and optimization. Channel partners can create custom Insights based on specific
customer needs, and new ones can be downloaded from Network Physics as they become available.
A Picture Is Worth…
The graphical capabilities built into the NP-500 are first-rate. One of the most useful graphs is the Response Time Composition
Chart. This one graph displays server response time, connection setup time, network inbound and outbound round-trip time,
as well as data transfer time and retransmission delay. By choosing a wide date range, it is easy to see any trends in overall
network health. I spent 90 percent of my time using this chart against various aspects of my network.
The NP-500 is truly one of the coolest tools I’ve looked at in quite some time. I love that I can peer deep into the inner
workings of my LAN with just a few simple mouse clicks. The amount of data collected is impressive, but far more interesting
are the nearly limitless ways that data can be sliced and displayed. The reporting is excellent; IT will have all the information
it needs to troubleshoot and understand the network.