
Thread: Voice From an IT Consultant – Quick Network Analysis Tool

  1. #1
    Moderator Contributor, Network Analysis Master
    Join Date: May 2014
    Posts: 204

    Voice From an IT Consultant – Quick Network Analysis Tool

    Just happened to find such an interesting blog, named Network Fun!!!
    Here you can hear the voice from an IT consultant – Shane, who said Colasoft Capsa is one of his tools in his tool pouch (his laptop).

    Quick Network Analysis Tool

    One tool that I really like using is called Capsa, by Colasoft. Now please don't think I'm advertising for them. I'm not, but if I'm being honest, it IS one of my tools in my tool pouch (my laptop). It's really helpful for quick troubleshooting.
    So, with that said, I had a customer ask me about a 97% utilization on the remote site MPLS link. I told him that I would go figure it out and be right back.
    10 minutes later, I come back with the source and destination of the troublemaker (not really). We found out that a guy was doing legitimate work traffic, but not the way he was supposed to. Either way, my point is that having the right tools as a network guy can help you troubleshoot problems quickly and effectively. And yes, sometimes it does require spending some money to get those tools.

    Posted by Shane

    4 comments:


    Brad Moore, December 18, 2014 at 12:00 PM
    I could not agree more with you Shane. There are a lot of great open source tools out there, but there are also some great commercial tools which are well worth the price. As for Capsa, I’m curious about what you get from it that you don’t get from Wireshark? I use Wireshark for 95% of my network analysis issues, and for the other 5% I use Sniffer (Netscout). Does Capsa have some cool features above and beyond Wireshark? Thanks!!

    Shane, December 18, 2014 at 12:18 PM
    Not really anything Wireshark can’t do. It’s just faster to go through the info. It will diagnose problems for you, like slowness, retransmission, etc. But I can start a capture and know within a few seconds where the problem is coming from, in some situations. When you consult, time is crucial. But, I don’t think I know everything about Capsa. I’ve just used what I needed in it. But it’s very handy in time crunches.

    Brad Moore, December 18, 2014 at 12:31 PM
    Thanks Shane. I’ll look into Capsa… I’ve become very disappointed in Sniffer over the last several years. Even though it was the original network analyzer (back in the Network General days of long ago), it’s been bought and sold to various companies on a regular basis, and development/improvements seem to have stalled for quite a while now.

    Shane, December 18, 2014 at 12:52 PM
    It's been worth having to me. You know in Wireshark, it just takes some time to go through the captures. Capsa will compile everything together into nice graphs, etc. If you want to see more, you just click into the packet to see the rest of the header, etc. But sometimes, the packet info doesn't matter. You just need to know the problem IP, or that you see a broadcast storm, etc. It has some really nice features that you can “see” without having to thumb through the captures. I know that if I see 80,000 packets per second on a vlan that we probably have a problem on that vlan. Then I go from there. Again, TIME SAVER!

    SOURCE LINK
    Colasoft Capsa is a portable network analyzer for both LAN and WLAN performing real-time packet capturing, network monitoring, advanced protocol analysis, in-depth packet decoding, and automatic expert diagnosis.
    http://www.colasoft.com/

  2. #2
    Another blog post from IT Consultant, Shane. This article shows us how he uses Colasoft Capsa to run packet captures and help others solve networking problems.



    Broadcast Storms And The Havoc (And Headache) They Wreak

    Sometimes, what looks like one problem, can actually be another. I got a call from a school system saying that their network was down for one particular school. No Internet. No server access. Nothing.
    So when I got there, things seemed to be ok. They could get to the Internet, servers, etc. Everything appeared to be ok. Then it went down again. This problem was very inconsistent. You couldn't even ping anything. But then, after some time, it would be fine.
    Well, when I was there, I really couldn't find anything wrong. Except once, when the problem actually happened. It appeared to me, at that moment, like the layer 3 core was acting up. When the problem happened, I couldn't even ping the next hop MPLS router (on the same subnet). This problem showed some really odd symptoms. So, I broke the switch stack (Brocade ICX 6610s) and left the last switch in place to run as the core by itself. The problem seemed to go away. Until the next day, when the problem happened again.
    I showed up and guess what. The problem was gone again. So I sit down and just start looking at configs, spanning tree, interface statistics, cpu utilization, etc. What in the world is going on here. Then it happened right in front of me. CPU shot up to 33% (from 1%). Internet was down and network was hosed again. So I ran a packet capture. Nothing on the first 4 VLANs that I looked at. Then I found it. The 5th VLAN I looked at was flooded with broadcasts.
    6610#sho cpu-utilization
    32 percent busy, from 9 sec ago
    1 sec avg: 32 percent busy
    5 sec avg: 32 percent busy
    60 sec avg: 32 percent busy
    300 sec avg: 32 percent busy

    So, I disconnected the fiber to the closet that VLAN went to, and CPU dropped back down to 1% on the core. Ok, leave that disconnected, and go to that closet.
    I got to that closet and plugged in my packet analysis tool (seen above). Again, flooded when I hit the right VLAN, but no other VLAN. So, what do I do? It's a stack of 2 ICX6450s. I start unplugging one port at a time until I find the flooding settles down. It just so happens the second port I unplugged calmed the network down right away. It was a PC that was connected at the other end. It appears the NIC was flaking out. Intermittent broadcast storms. Not a good situation, but with the right tools, I found the problem as it was happening. Packet captures are your friend!

    Posted by Shane



    7 comments:

    Gera, January 5, 2015 at 10:05 AM
    Couldn't you just configure appropriate port security to protect from broadcast storms like you do on Cisco access stacks?
    Just wondering. I have never configured a brocade network (besides vrouter).



    Shane, January 5, 2015 at 10:34 AM
    Good question. Yes, in Cisco, you can do the "storm-control" command. I have not in the past, but you can do that. In Brocade, yes, you can do the "broadcast limit" command. It serves as the same thing. I logged into my ICX6610 and "question marked" through to see the command:
    Core(config-if-e1000-1/1/4)#broadcast limit
    DECIMAL Multiple of 8192 Kbps for 1G, 65536 Kbps for 10G

    Very good question for sure. I appreciate it. I'll look at implementing and testing this out.


    Anonymous, January 8, 2015 at 3:11 PM
    I'd be interested to know how your testing on this comes out...I'd like to implement some broadcast limits. Perhaps around the 70% range on the e1000 and e10000 ports.

    Thanks and love all the Brocade items on your blog!


    Shane, January 8, 2015 at 3:13 PM
    I'll test and report back to let you know. It will be in the next few weeks.


    Anonymous, January 14, 2015 at 4:26 PM
    Excellent, I look forward to your findings!

    What I'd like to do is implement this to eliminate possible storms, but leave the threshold high enough that it's not unnecessarily shutting down the port.

    There don't seem to be any good reference points for implementing this feature as far as reasonable settings.

    Thanks Shane!



    Anonymous, January 6, 2015 at 4:04 AM
    What tool are you using to analyze packets?

    Shane, January 6, 2015 at 7:32 AM
    I used Capsa by Colasoft. Very handy tool.

    from: http://www.shanekillen.com/2015/01/b...-headache.html
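The per-VLAN check described in the broadcast storm post above (look at each VLAN, find the one flooded with broadcasts, then find the port or NIC behind it) can be scripted over captured frames. This is an added example, not code from the blog or from Capsa; the threshold, MAC addresses, VLAN numbers and sample frames are constructed assumptions.

```python
import struct
from collections import Counter, defaultdict
BROADCAST = b"\xff" * 6

def parse_frame(frame):
    """Return (vlan_id, src_mac, is_broadcast) for a raw Ethernet frame, or None if truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = 0  # 0 means untagged
    if ethertype == 0x8100:  # 802.1Q tag present
        if len(frame) < 18:
            return None
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF  # low 12 bits of the tag carry the VLAN ID
    return vlan, src.hex(":"), dst == BROADCAST

def find_storms(packets, pps_threshold):
    """Return {vlan: (peak_broadcast_pps, top_src_mac)} for VLANs over the threshold."""
    per_second = defaultdict(Counter)  # vlan -> {whole second: broadcast frames}
    talkers = defaultdict(Counter)     # vlan -> {source MAC: broadcast frames}
    for ts, frame in packets:          # packets: (timestamp_seconds, frame_bytes)
        parsed = parse_frame(frame)
        if parsed is None or not parsed[2]:
            continue
        vlan, src, _ = parsed
        per_second[vlan][int(ts)] += 1
        talkers[vlan][src] += 1
    storms = {}
    for vlan, buckets in per_second.items():
        peak = max(buckets.values())
        if peak > pps_threshold:
            storms[vlan] = (peak, talkers[vlan].most_common(1)[0][0])
    return storms

def make_frame(dst, src, vlan):
    """Build a constructed 802.1Q-tagged, ARP-type frame for the sample data."""
    return dst + src + struct.pack("!HHH", 0x8100, vlan, 0x0806) + b"\x00" * 46

# Constructed sample: one NIC floods VLAN 50, VLAN 10 carries normal broadcast levels.
BAD_NIC = bytes.fromhex("020000000050")
HOST = bytes.fromhex("020000000010")
SAMPLE = [(100 + i / 5000, make_frame(BROADCAST, BAD_NIC, 50)) for i in range(5000)]
SAMPLE += [(100 + i / 20, make_frame(BROADCAST, HOST, 10)) for i in range(20)]
SAMPLE += [(100.5, make_frame(HOST, BAD_NIC, 50))]  # unicast frame, not counted

if __name__ == "__main__":
    print(find_storms(SAMPLE, pps_threshold=1000))  # threshold is an assumed value
```

The top source MAC per flagged VLAN is what you would look up in the switch's MAC table to find the port, instead of unplugging ports one at a time.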

  3. #3
    Here's another "success story" for the network engineer using Capsa, still from Shane's blog.

    More Capsa Fun

    I got a call from a customer that was experiencing high latency on the network. So much so that they called me to come over and help with finding out what the issue was. So as I got there, the first thing we did, besides talk about what was going on, was to connect Capsa into the network and try to figure out what was going on.
    We first looked at the port where the firewall was connected and didn't see anything unusual. Then we moved over to a switch uplink port that the customer thought could be the issue. Sure enough, it was where the issue was. When we moved our mirrored port over to monitor that uplink, we saw around 53000 pps on Capsa. And in Capsa, we saw the offending IP address as well. It took us all of a few minutes to find the problem.
    The moral of this story: It's important for the network engineer to have the right tools to do his job. You wouldn't go to the pistol range with a knife, would you? You wouldn't want to vacuum your floors with your hands, would you? Same for network troubleshooting.

    from: http://www.shanekillen.com/2015/02/more-capsa-fun.html
    Last edited by Nancy; 02-27-2015 at 02:51 AM.

  4. #4
    Capsa: What Are Your Users Doing?

    I went to a customer site the other day and they wanted to know what was going on, on their network, as far as traffic was concerned. I told them no worries. I'll figure it out.
    One thing I noticed, using my trusty Capsa, was that the users like watching videos. See below, the screenshot. After showing the IT guy this, he quickly went and blocked watching videos with his content filter.
    I've said it before, Capsa is a great product. If you are a network guy, you need this tool.


    from: http://www.shanekillen.com/2015/03/c...ers-doing.html

  5. #5
    Why Do You Not Have Capsa Yet???

    Another “praise” post in network engineer Shane Killen’s blog, which shows how much he loves Capsa.

    I have said many times in the past. Capsa is literally my best friend as a network troubleshooter. You can interview people all you want to figure out what the problem is, but Capsa saves me so much time in troubleshooting that all I really need from a customer is a “general” description of what the problem is.

    If you are a network consultant and do not have Capsa, do yourself a favor. Save yourself time and money by getting this in your toolkit. It's built specifically for network engineers and troubleshooting purposes. Even if you just do network assessments, this will help you and your customers KNOW what is going on, on the network.

    In my experience, I can tell you it has saved me time and money in troubleshooting networks. Not only that, but it has also given much needed information to my customers, even when I was not troubleshooting anything. I do network assessments regularly when time permits. I want to make sure my customers know what is going on, on their network. Capsa is one way I do this.

    Why do I tell you about Capsa so much? Because I want you to have the ability to be a great network engineer.

    from: http://www.shanekillen.com/2015/05/w...capsa-yet.html