ClearSight Distributed CSD - PowerPoint PPT Presentation

Slides: 109
Provided by: clearsi

Transcript and Presenter's Notes

Title: ClearSight Distributed CSD


1
ClearSight Distributed (CSD)
2
CSD System Components
3
The CSD System
  • Viewer
  • Manages the Probes in the CSD system
  • Connects to multiple Probes, opening separate
    ClearSight windows for each connected Probe
  • Provides centralized alarm management
    capabilities in its Central Problem Manager

4
The CSD System
  • Probes
  • Monitor and analyze the local network segment to
    which they are connected, sending the results of
    their analysis as screen updates to a Viewer

5
The CSD System
  • Once connected to a Probe
  • Interaction is just like sitting at its keyboard
    entering commands and analyzing traffic
  • The Viewer receives all of the real-time
    application monitoring and analysis capabilities
    available in the standalone version of ClearSight
    from a remote location

6
Connecting Probes to the Network
  • If the Probe has only one NIC installed
  • The NIC can be used for both management
    (Viewer-Probe communications) and monitoring
  • If the Probe has more than one NIC installed
  • One card can be used for management
  • Subsequent cards can be used for monitoring
  • Some of the benefits to using two or more cards
  • Increased monitoring and analysis performance,
    because additional resources on the card are not
    needed for management
  • Preserves network monitoring abilities during
    times of network problems

7
Installation Options
  • ClearSight Distributed Agent Only
  • No local viewing of monitoring and analysis
  • ClearSight Viewer Only
  • No local monitoring and analysis
  • Can install on CSA
  • ClearSight Viewer and Agent
  • Same local functionality as CSA
  • Setting Up a User List on Each Probe
  • Same as User Configuration on CSA

8
Setting Up a User List on Each Probe
  • Same as User Configuration on CSA
  • Edit Admin's default password
  • Add additional users and their passwords
  • Assign Permissions (rights) to each user
  • Administer User Settings
  • View application content

9
Agents
  • Lists each Probe added to the Viewer

10
Adding Probes
  • Click Add, fill out the fields and click OK
  • Changing the Port number is NOT recommended
  • Username and password must be previously defined
    on the Probe

11
Adding Probes (2)
  • After clicking OK the Viewer attempts to
    connect to the Probe to determine its status.
    This is not a full-fledged connection attempt.
    Instead, the Viewer verifies:
  • The ClearSight service is up and running on the
    Probe
  • Whether any other users are logged into the Probe
    from other Viewers
  • The version of Agent software on the Probe

12
Adding Probes With Two or More Network Adapters
  • Use the IP address of the Probe's management
    adapter
  • When the Open Adapter dialog box appears, select
    the monitoring adapter

13
Connecting to a Probe
  • Double-click its entry in the list or Select the
    Probe and click Connect
  • The Viewer attempts to connect to the IP address
    or hostname specified

14
Connecting to a Probe (2)
  • If the connection is successful, the Viewer
    displays the Open Adapter dialog box
  • NOTE: If a user is already connected to the
    Probe, an option to take over the existing
    session will be displayed. Selecting Yes
    disconnects the other user
  • Select the adapter you want CSD to monitor and
    click OK

15
CSD Window
  • A ClearSight window will open in which you can
    work with the standard ClearSight Analyzer
    functions just as you would with a standalone
    version of the software.

16
Disconnecting a Connected Probe
  • Disconnect a Probe either by closing its window
    or by selecting File > Exit
  • An option to let the Probe continue to monitor
    will be displayed
  • Selecting Yes
  • The Probe will continue monitoring the network,
    updating its counters and statistics.
  • Detected Problems are still reported to the
    Central Problem Manager
  • Reconnecting displays statistics valid from the
    beginning of monitoring, not just from the start
    of this new connection
  • Selecting No
  • The Probe stops monitoring and waits for a new
    connection to be initiated

17
Resetting and Rebooting Probes
  • Restart an Agent's service
  • Reboot the Probe on which an Agent is installed

18
Central Problem Manager
  • A consolidated log of Problems from the Probes
  • Enable problem generation and set problem
    thresholds and severities on each Probe

19
Specify Problem Report Destination
  • Specify a Viewer as a destination for problem
    reports in each Probe
  • Assign the hostname / IP address to which this
    Probe will report Problems
  • Assign the SNMP Community string
  • Assign a segment name label

20
Windows Security Manager Option
  • Make sure that all the Probes are in the same
    Windows Domain
  • Create three User Groups
  • Group 1, ClearSightUsersGroup: these users can
    log into ClearSight
  • Group 2, ClearSightContentViewGroup: these users
    can view application content, equivalent to the
    View Application Content permission in the
    ClearSight User Configuration
  • Group 3, ClearSightAdminGroup: these users can
    perform software updates
  • Assign users to Group 1 if you want to allow them
    to log into ClearSight. Also assign users to
    either or both of the other groups according to
    the permissions you want them to have.

21
Switching Between ClearSight's and Windows User
Security
  • From ClearSight's to Windows user security,
    navigate to your CSD installation directory and
    rename the
  • Windows_ActiveUserSecurityManager.txt file to
  • ActiveUserSecurityManager.txt
  • From Windows back to ClearSight's user security,
    rename
  • ActiveUserSecurityManager.txt back to
    Windows_ActiveUserSecurityManager.txt
  • NOTE: This file renaming procedure must be done
    on both the Viewer and the Probe. Be sure that
    both the Viewer and the Probe are stopped before
    renaming these files

22
Probe Software Update Capability
  • The appropriate files must first be present on
    the Viewer
  • The remote upgrade can then be initiated by
  • Selecting the desired Probe in the Viewer
  • Clicking the Update button (present in the
    updated Agent Manager)

23
Secure Socket Layer (SSL) Option
  • Allows you to use Java RMI over SSL
  • Configuration > Global Settings > Monitor
    Options > RMI Options > select the Use SSL check box

24
Deployment Considerations
25
Question One: Response Time Requirements
  • How long can you wait until you start working on
    a problem?
  • Requires immediate response
  • Permanently deployed analyzer
  • Requires response within hours
  • Draw from building's pool of analyzers
  • Requires response within days
  • Draw from organization's pool of analyzers

26
Question Two: Multiple Problem Requirements
  • How many problems do you expect to handle
    simultaneously?
  • Is waiting until a current problem is solved
    before investigating another acceptable?
  • Is suspending work on the current problem until a
    new problem is solved acceptable?

27
Question Three: Are Intermittent Problems a
Significant Concern?
  • Consider Network Recorder instead of Distributed
    Analyzer
  • Streaming capture spanning hours, days, weeks,
    months allowing you to go back in time
  • Correlates events and alarms to specific traffic

28
Question Four: Are Compliance Audits a
Significant Concern?
  • Security compliance legislation
  • Sarbanes-Oxley, Gramm-Leach-Bliley, 21 CFR Part
    11, HIPAA
  • Consider Network Recorder instead of Distributed
    Analyzer
  • Analyzing security breaches reveals how they could
    have been prevented, making sensitive data more
    secure in the future
  • Auditors can determine if and when sensitive
    information has been misused

29
Important Principle: Analyze Extremities of
Connection
  • One of the primary uses of protocol analysis is
    to prove if a problem is an infrastructure,
    server, or client issue
  • Requires analysis at the extremities of the
    conversation, at the switches that the client and
    server connect to

30
Important Principle: Analyze Extremities of
Connection (2)
[Diagram labels: Infrastructure, Server, Client, Lost / Dropped Packets, Delay]
31
General Recommendation: Elements That Should Have
a Permanently Deployed Analyzer
  • Devices likely to participate in 80% of problems
    or supporting mission critical functions /
    segments
  • Common examples
  • Switches connecting to
  • Servers
  • Edge-Routers
  • Backbone Segments
  • Critical User Segments
  • Routers connecting to
  • Edge
  • Backbone

32
Generalized Recommended Solutions
33
One Closet / Switch
  • One CSD
  • Real-time multi-segment analysis at end-points
  • New Problem: Change port-mirroring (or move
    cable)
  • If it occurs while solving a problem, wait until
    current problem is resolved or suspend working on
    it
  • Response requirement may require additional
    analyzers

34
Few Closets / Switches
  • Two CSDs, one for each end-point
  • Post-capture multi-segment analysis from
    end-points
  • New Problem: Relocate unit(s)
  • If it occurs while investigating a problem, wait
    until current problem is resolved or suspend
    working on current problem
  • Response requirement may require additional
    analyzers

35
Many Closets / Switches
  • Key CSDs
  • Permanently deployed at devices likely to
    participate in 80% of problems or supporting
    mission critical functions / segments
  • New Problem: Change port-mirroring (or move
    cable)

36
Many Closets / Switches (2)
  • Supplemental CSDs
  • Quickly deployed to the other end-point
  • Common user segments currently experiencing
    problems or otherwise being evaluated
  • New Problem: Deploy / relocate unit

37
V6.1.6 New feature
38
New Features
  • Improved Application Support
  • VoIP Enhancements
  • Decode Enhancements
  • Report Enhancements
  • Filter Enhancements
  • Multicast Enhancements
  • Protocol Forcing
  • Tools Menu Expansion

39
Improved Application Support
  • Microsoft Network Messenger (MSN)
  • New HTTP Child Flow Configuration
  • Skype

40
Improved Application Support
Microsoft Network Messenger (MSN)
  • Under Tracefile\ClearSight\Detail\App MSN, select
    the flow.
  • Go to the Conversation tab to see the MSN
    Conversation information.

41
Improved Application Support
Microsoft Network Messenger (MSN)
  • The MSN Message page shows the IM information.

42
Improved Application Support
Microsoft Network Messenger (MSN)
  • Go to Statistics tab, user can find server type,
    Caller Email, Callee Email, Caller Name, Callee
    Name etc.

43
Improved Application Support
Microsoft Network Messenger (MSN)
  • Navigate to Tracefile-Reports and select the MSN
    Overview page. All counters are collected
    here.

44
MSN Alarm
  • Check the Enable decode problem generation option
    on the Configuration-Preferences-Decode-General
    page.

45
MSN Alarm (Cont.)
  • Go to Configuration-Preferences-Problem-Thresholds,
    select MSN, then check all and set all
    thresholds to 1

46
MSN Alarm (Cont.)
  • Open trace file 4.21 MsnLoginErrorWith911.adc

  • Under Tracefiles\Problem, the user can find 3
    problems.

47
MSN - Audio play back
  • Under Tracefile-ClearSight-Detail-MSN, select a
    combined flow and expand it.
  • Select the G.723 audio file and press the Play
    button; the user can hear the conversation, whether
    captured or monitored

48
MSN - Filter
Email
  • Capture a trace while talking to
    yoshiyan1980_at_hotmail.com and view the conversation
  • Go to the Decode page and click the Apply filter icon.

49
MSN - Filter
Email
  • Create an MSN filter named MyFilter1, entering
    yoshiyan1980_at_hotmail.com as the Email
    address.
  • Apply MyFilter1; some frames are filtered out,
    including yoshiyan1980_at_hotmail.com

50
MSN - Filter
Screen Name
  • Use the same method,
  • Also could use screen name to filter.

51
MSN - Filter
NS
  • Go to the user defined filter and select MSN.
  • For example, create a filter with NS checked on
    the MSN filter page.
  • The frames that include Server-NS are filtered
    out.

52
New HTTP Child Flow Configuration
  • Navigate to Configuration-Preferences-Global-Monitor
    Options
  • Check the Show HTTP Child Flow option
  • Restart ClearSight (according to its prompt
    message)
  • Open a trace, or start monitoring or a capture
  • Under Application\Detail, select HTTP
  • The HTTP Child Flow and its content are shown

53
Skype - Filter
  • Open a trace, for example, trace file
    mike_skype_startup.adc
  • Go to Tracefile\ClearSight\Detail, click Skype,
    and go to Skype statistics; the user can find the
    Num Client Requests counter.
  • Select the 1st flow and go to the Conversation tab;
    the user can find Skype Communications.

54
Skype Filter (Cont.)
55
Skype Filter (Cont.)
  • Go to Statistics tab, there are Real IP and Dest
    IP statistics.

56
VoIP Enhancements
  • Support for additional CODECs: H.264, iLBC,
    MPEG2-TS, H.261
  • VoIP Call Log history report VoIP Call Log
    browser
  • T.38 Fax over IP
  • IPTV - ASF
  • New Video QoS statistics MDI counters in RTP
    statistics
  • Video export
  • Binary Megaco support

57
Support for CODEC - H.264
  • Open a trace, for example, h264.cap
  • Navigate to Application\Detail, select RTSP
    application
  • Expand the single RTSP flow in the upper right
    twice
  • RTP with H264 flow is showing

58
Support for CODEC - H.264
59
Support for CODEC - iLBC
  • Open iLBC_codec.adc (in traces directory)
  • Navigate to Application\Detail Page
  • Select SIP application
  • Expand the second RTSP flow in the upper right
    twice Select RTP application.
  • Click to Play Audio.

60
Support for CODEC - MPEG2
  • Open VLC_Generated_mpeg2_Ts.adc (in traces
    directory)
  • Navigate to Application\Detail Page
  • Select RTP application.
  • Select the single flow
  • Click to Play Audio.

61
Support for CODEC MPEG2 - Statistics
  • Example MPEG1_2 stats
  • Open JMF1.enc.
  • Navigate to Application\Detail
  • Select RTP application
  • Select Video flow
  • Select Statistics tab.
  • Scroll to MPEG12 Video caller info stats

62
Support for CODEC - H.261
63
VoIP Call Log History Report
  • Start ClearSight Analyzer
  • Navigate to Configuration\History\Database
    Settings
  • Check VOIP Call Log and Triple Play option and
    set its interval to 1 minute
  • Make some VoIP packets in the network
  • Or generate demo.adc one time

64
VoIP Call Log History Report
  • Wait about 1 minute, then navigate to Reports\History
  • Press the time configuration button above the
    tree on the left
  • Select Today from drop-down combo box and press
    OK
  • Expand VoIP Call Log in tree and click on any
    of the reports, there are reports for VoIP call
    log, see an example of Number of Calls

65
VoIP Call Log History Report (Cont.)
66
VoIP Call Log Browser
  • Start ClearSight Analyzer
  • Navigate to Configuration\History\Database
    Settings
  • Check VOIP Call Log and Triple Play option and
    set Interval to 1 minute.
  • Make some VoIP packets in the network
  • Or generate demo.adc one time

67
VoIP Call Log Browser (Cont.)
  • Wait about 1 minute, then navigate to Reports\Call
    browser
  • Press the Fetch button; CSA will show VoIP call
    related data in the left panel

68
VoIP Call Log Browser (Cont.)
69
T.38 - Fax Over IP
  • Navigate to Application\Detail, select SIP
    application
  • Expand the single SIP flow in the upper right
    twice.

71
IPTV - ASF
72
IPTV ASF (Cont.)
  • Example VBrick video playback. RTP RTP/UDP
    (port 554)
  • Start ClearSight with Ethernet adapter
  • Start a capture with 8MB buffer
  • Use Internet Explorer to load
    http://www.vbrick.com/mpeg4/video/

73
IPTV ASF (Cont.)
  • Select video Shuttle Launch in the pull down
    list.
  • After a while, view capture buffer
  • In the Detail page, user could playback the
    content

74
Video QOS statistic VQ Factor
75
Video QOS statistic VQ Factor (Cont.)
  • Select the parent flow and click on the reports
    tab
  • Select the next page arrow, until you reach the
    3rd page.
  • Note the new report VQ Factor.

76
MDI - Counters
77
MDI - Alarms
  • Configuration/Problem/Thresholds, select RTP and
    check MDI to set the Threshold

78
MDI - Triggers
  • Capture/Trigger/
  • RTP/MDI alarms can be configured as a Trigger

79
Export Video
80
Decode Enhancements
  • Multiple Decode Windows
  • Real-Time Decode Clear Button

81
Multiple Decode Windows
82
Multiple Decode Windows (Cont.)
83
Real-Time Decode Clear Button
84
Report Enhancements
  • Total calls for all VoIP applications
  • Triple Play reports
  • Improved History reports

85
Total calls for all VoIP applications
  • Go to Report/ history page
  • Select any one of VoIP protocol, for example SIP
  • Go to SIP call status report
  • Total calls

86
Triple Play
Real-time reports
87
Triple Play
History reports
88
Triple Play
History reports (Cont.)
89
Improved History reports
Custom settings
  • Select Custom for Report Time and click the calendar;
    dates that have data are shown in a different color
    in the calendar displayed

90
Improved History reports
Database Settings
  • Database Settings - time intervals can be changed
    for an entire layer

91
Improved History reports
Graph types
  • Navigate to Reports\History
  • The graph type can be changed. Types: Line/Line
    3D, Area, Bar/Bar 3D

92
Improved History reports
Title accompanies report table
  • Report titles are now on the same page as the
    associated charts

93
Improved History reports
DLC channels
  • Open ClearSight with Full-duplex adapter
  • Navigate to Reports\History
  • Select DLC
  • DLC statistics are now separated by channels

94
Improved History reports
Export trend to CSV file
95
Filter Enhancements
  • Real-Time Filter Indicator
  • Pattern Filter Hex Support

96
Real-Time Filter Indicator
  • Go to configuration\Preferences\Global\Monitor
    Settings
  • Click set button to create a filter below the
    filter option

97
Real-Time Filter Indicator (Cont.)
  • After applying the filter, a filter icon appears at
    the bottom of CSA

98
Pattern Filter Hex Support
99
Multicast Enhancements
  • Multicast GUI reorganization
  • IGMP support
  • Channel changing support

100
Multicast GUI
  • Reorganized Multicast GUI now supports IGMP

101
IGMP support
102
IGMP (Cont.)
103
Protocol Forcing
  • Decode configuration

104
PF - Decode configuration
Before forcing
105
PF - Decode configuration
Forcing setting
106
PF - Decode configuration
After forcing
107
Tools Menu Expansion
Look and Feel dialog box
  • Look and Feel - lets you choose CS's style
  • ClearSight
  • Metal
  • CDE/Motif
  • Windows
  • Windows Classic

108
Thank you