ClearSight Networks' Analyzer 5.0

Delve into real-time traffic at the physical and network layers for a complete view of app performance.

April 22, 2005


Good

• Creates and monitors SLAs by application flow and protocol

• Merges trace files for analysis
• Supports WEP

Bad

• Distributed mode and multisegment capture and analysis require ClearSight NICs

• Unlike the competition, it's not free

ClearSight Analyzer 5.0 and ClearSight Distributed Analyzer, $7,995. ClearSight Networks, (800) 825-7563, (510) 824-6000. www.ClearSightnet.com

I put the agent and viewer on the same PC in standalone mode. Alternatively, I could have installed them separately in a distributed mode (see "Insight Into ClearSight," for more on this setup).

The Syracuse labs have plenty of enterprise resources to keep the analyzer busy, including DHCP, DNS, Microsoft Exchange, Microsoft SQL and Web servers. For a view of the production traffic, I connected my laptop to a monitoring port on a Hewlett-Packard 2650 switch (J8165A). I added an Asterisk 1.0 PBX to test how well ClearSight can view and analyze VoIP (voice over IP) traffic using SIP (Session Initiation Protocol).

Our Asterisk runs on a dual-processor 1,400-MHz Pentium III server with 1,024 MB of RAM and the Red Hat Linux 7.3 (Valhalla) operating system. I used a ZyXel Wi-Fi/VoIP phone and Xten Networks' X-Lite SIP softphone installed on a wireless laptop to communicate with each other and with the Asterisk PBX over three Cisco 1020 Lightweight Access Points managed by a Cisco 4024 Wireless LAN Controller. I mirrored the AP-connected switch ports to a monitoring port on the 4024, then connected my ThinkPad to the same port.

I Can See Clearly Now

Once ClearSight had a network view on the switches under test, it updated the viewer immediately with real-time statistics on the physical and network layers and on application flows between endpoints.

By default, ClearSight monitors a number of application flows and packs a summary into an intuitive user interface (see the screenshot below), which indicates when communication channels between endpoints are clear (green), partially obstructed (yellow) or completely clogged (red).

For each application flow, one right-click of the mouse started a packet capture for further analysis. Right-clicking on one of the endpoints in the flow also provided a one-click SLA (service-level agreement) monitor by response time for the respective resource.

You also can view packet analysis by problems identified in discrete packets. A "decode" window for either ClearSight's 2.0 packet decoder or the Ethereal decoder provided a detailed analysis of the packet and its content, even when WEP (Wired Equivalent Privacy) was enabled.

Few Obstacles in the Way

Things got interesting when I started monitoring the SIP traffic on the Cisco LAN Controller. ClearSight's viewer automatically siphoned off SIP traffic for review. A detailed view of the protocol traffic provided a window into the essential elements of SIP signaling. It also provided an RTP (Real-time Transport Protocol) window that let me listen in on and analyze the real-time voice traffic.

During a SIP packet-capture session, I detailed the time it took to roam between different APs (access points) associated with the Cisco LAN Controller in a trace file. I also could combine that file with a second trace file for further analysis. Roaming between the Cisco APs resulted in a communication loss of less than one second. Although I noticed the impact during an active call while roaming, other asynchronous traffic like e-mail and SMB (polled mode) was unaffected.

In addition, I could right-click on an RTP channel to bring up an E-Model Calculator and get statistics on the VoIP call, including MOS (mean opinion score). The viewer generated a VoIP QoS (quality of service) report with the MOS in plain view, as well as network statistics like delay and jitter to round out the QoS analysis. You can even detail your VoIP protocols in real time.

ClearSight isn't free like Ethereal's analyzer, but you get what you pay for: a clear view into application performance and problems at the physical and network layers.

Sean Doherty is a senior technology editor and lawyer based at our Syracuse University Real-World Labs®.

In distributed mode, ClearSight Analyzer 5.0 lets you use a PC to monitor and analyze network data captured by agents on remote PCs. It also enables multiple-segment packet capture and analysis, but you'll need to buy a dual-port NIC and drivers from the vendor.

ClearSight easily monitors and analyzes application flows between endpoints in real time. An application flow is a set of packets performing a discrete function. Such packets may include Get/Post volleys between a Web server and a browser, e-mail messages between an e-mail client and a server, and conversations between a ZyXel phone and an X-Lite softphone.

A number of application flows are defined out of the box, such as DNS, Exchange, HTTP and SMTP. Others can be easily configured by TCP port number.

ClearSight's analysis even extends to WEP traffic. A GUI configuration window allows up to four WEP key settings in 64- or 128-bit configurations.

Once set, ClearSight fully analyzed WEP traffic on our test bed. But without WEP keys, it could only provide summary information on packet source and destination.
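The following sketch is an added example, not code from the review or from ClearSight. It shows why an analyzer without the WEP keys can still report source and destination: the 802.11 MAC header and the 4-byte IV/key-ID field travel in the clear, and the 2-bit key-ID field is what gives four key slots. The function names and the sample frame are constructed for illustration.

```python
# Constructed sample: a WEP-protected 802.11 data frame (To-DS), dummy ciphertext.
SAMPLE = bytes.fromhex(
    "0841" "0000"            # frame control (data, To-DS, Protected), duration
    "001122334455"           # addr1 = BSSID (constructed)
    "020000000001"           # addr2 = source station (constructed)
    "020000000002"           # addr3 = destination (constructed)
    "1000"                   # sequence control
    "aabbcc" "40"            # 24-bit IV, key octet: slot 1, ExtIV clear
) + bytes(16) + bytes(4)     # placeholder ciphertext + encrypted ICV

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def summarize(frame: bytes) -> dict:
    """Fields readable from an 802.11 data frame without any WEP key."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte 802.11 MAC header")
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    if to_ds and from_ds:
        raise ValueError("four-address (WDS) frames are not handled here")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:                                  # station -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds:                              # AP -> station
        dst, bssid, src = a1, a2, a3
    else:                                      # ad hoc
        dst, src, bssid = a1, a2, a3
    hdr_len = 26 if (fc0 >> 4) & 0x8 else 24   # QoS data adds 2 bytes
    body = frame[hdr_len:]
    info = {"src": mac(src), "dst": mac(dst), "bssid": mac(bssid),
            "protected": bool(fc1 & 0x40)}
    if not info["protected"]:
        info["payload_len"] = len(body)
        return info
    if len(body) < 8:
        raise ValueError("protected frame too short for IV and ICV")
    info["iv"] = body[:3].hex()                # sent in the clear
    info["key_slot"] = body[3] >> 6            # 2 bits: one of four keys
    info["ext_iv"] = bool(body[3] & 0x20)      # clear for WEP, set for TKIP/CCMP
    if not info["ext_iv"]:
        info["ciphertext_len"] = len(body) - 8 # minus IV/key-ID and ICV
    return info

if __name__ == "__main__":
    for k, v in summarize(SAMPLE).items():
        print(f"{k:15} {v}")
```

Everything after the key-ID octet, including the IP and TCP headers that identify the application flow, is ciphertext until the matching key slot is configured.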
