Network Instruments’ Observer family of application performance troubleshooters was updated earlier this year to give enterprises the capability to troubleshoot multi-protocol label switching (MPLS) streams. Other new features in Observer 12 include improved multi-hop analysis, which can check performance issues, such as high router and switch latency, and can be used to lessen excessive jitter on IP telephony deployments, improving call quality.
Observer 12 is available in three versions offering different levels of functionality: Standard, Expert and Suite. The Standard version is designed for run-of-the-mill protocol analysis and troubleshooting. The Expert version includes the multi-hop analysis feature as well as the capability to analyse the performance of large enterprise applications, such as SQL databases, and integrate with HP’s OpenView enterprise management package.
Observer Expert can also process information from NetFlow- and sFlow-enabled switches. NetFlow is a Cisco protocol for collecting IP traffic, while sFlow has been used for similar IP traffic collection on other vendors’ network hardware, including Alcatel, Extreme, Foundry and HP ProCurve.
The full Observer Suite adds Simple Network Management Protocol (SNMP) device management, network trending and reporting, and a web publishing service that can give IT managers and other technical executives network health reports on their firm’s intranets or extranets.
The working install on a fresh Windows XP Professional system was simple, although it required two reboots: one after the program was installed, and another after Observer 12 allocated a user-specifiable amount of system memory as a buffer in which to store network packet data.
A test access point (TAP) was also required to properly take network packets from our test network. A TAP is a piece of hardware that copies traffic from full-duplex network ports and connects to a console to give a real-time display of all the network traffic traversing that link. Network Instruments supplied one of its aggregator TAPs, which can be connected to a PC or operate as a standalone system.
TAPs are taking over from Switched Port Analysers as they are much better at dealing with Gigabit Ethernet and 10 Gigabit Ethernet (10GbE) systems, and Network Instruments can even supply a TAP with optical fibre connections.
Although we could check performance of a local-area network (LAN) with several servers and client systems, firms with large enterprise systems with fast wide-area network (WAN) connections, 10GbE connections and optical fibre-connected storage area networks (SANs) will require extra hardware. Network Instruments can supply gigabit and 10GbE probe appliances, as well as the GigaStor, an appliance that can capture up to 48TB of gigabit-speed network traffic.
After we had set up the system memory buffer, the drivers for our network interface cards (NICs) and wireless PC cards had to be updated. The reason for this is that although the drivers normally shipped with NICs or wireless cards, so-called network driver interface specification (NDIS) drivers, can tell you how many error packets are seen on the network, these error packets are not processed or passed. Observer ships with drivers that can be easily installed to pass these error packets to the main Observer console. Observer 12 supports 802.11a/b/g networks, but not pre-draft 802.11n networks.
Easy troubleshooting
Starting the Observer console up, we could run a SQL query against the Microsoft SQL Server 2005 database we set up on our Windows Server 2003 and check the response times we obtained. As expected, these were normal, but firms using a centralised headquarters database with branch offices downloading large chunks over WAN connections with less than optimal bandwidth and latency should easily be able to see problems.
The Observer 12 graphical user interface (GUI) has evolved gracefully over time and we found it an easy and powerful system with which to record and save packet data and then use the Observer Expert probe to analyse the file retrospectively, if required.
Observer 12 can show standard “top talkers” statistics, the network protocol distribution seen by the system, network packet size distribution, as well as virtual LAN (VLAN) statistics. It can also be used to generate network traffic to test network hardware performance and traffic flow through companies’ network infrastructure.
Observer 12 comes with a full set of alarms and triggers that can alert users to problems in real time or, alternatively, send alerts to admins via a paging service that can use Ethernet or dial-up through an onboard modem. It was easy to set up an alarm for duplicate IP addresses or unknown IP addresses. We also set up an alarm to trigger a pager message if network utilisation averaged 50 per cent over a prescribed interval.
Overall, Observer 12 is suitable for any size of enterprise that is looking for a comprehensive system for monitoring and troubleshooting network-attached hardware and applications. One of the few complaints that can be levelled at it is that a high level of technical expertise is required to set up and run the system properly, but this also applies to all comparable systems on the market.
The systems competing with Observer 12 include WildPackets’ OmniAnalysis platform, NetScout’s nGenius system, and Network General’s Sniffer and NetVigil products. The proposed takeover of Network General by NetScout could provide even tougher competition for Network Instruments, and Fluke Networks’ acquisition of Crannog Software earlier this year will mean further competition in the enterprise performance management arena.
For smaller enterprises, there is also the open source Wireshark package, which, although less polished, offers enough features for experts to perform an excellent job of troubleshooting less complex networks. Wireshark also runs on Linux and Unix systems.








