Network Timeout Network Packet Analysis Tool

Frequently Asked Questions


Overview

What is Network Timeout?
Network Timeout is a community-driven effort that aims to improve access to network- and application-analysis tools and a technical knowledge base. Network Timeout offers free offline analysis of network packet captures and provides a rich array of L2-L7 metrics helpful in troubleshooting both network- and application-level problems. After registering, users can upload packet captures and view results of the analysis in an interactive web interface. Users can share the results of the analysis with other members for input and discussion on the Network Timeout forum. Network Timeout uses an offline version of the real-time commercial network traffic analyzer developed by ExtraHop Networks.
How much does Network Timeout cost?
Network Timeout is available free of charge.
What technology powers Network Timeout?
Network Timeout uses the ExtraHop Application Delivery Assurance system. The ExtraHop system, which is the result of several years of research and development, was purpose built to ensure that business-critical transactions do not fail. The ExtraHop solution improves customer satisfaction, increases revenue, and reduces MTTR through:
  • End-to-end agentless visibility across networks, applications, databases, and storage arrays
  • Simultaneous real-time analysis of all transactions
  • Trend-based alerting and proactive early warning for potential problems
What is ExtraHop?
ExtraHop Networks, Inc. was founded in early 2007 by Jesse Rothstein and Raja Mukerji, engineering veterans from F5 Networks and architects of the BIG-IP v9 product. The company's pioneering Application Delivery Assurance system is the industry's first completely passive network appliance that provides application-level visibility with no agents, configuration, or overhead. The privately held company is headquartered in Seattle, Washington, and funded by Madrona Venture Group and other private investors. ExtraHop's customers span a wide range of industries and include Nintendo, Microsoft, LexisNexis, McAfee, Alaska Airlines, and Continental Airlines, among others.
What is the difference between Network Timeout and ExtraHop Networks?
Network Timeout is a community-driven effort that aims to improve access to network- and application-analysis tools and a technical knowledge base. ExtraHop Networks is a solutions vendor for enterprise network- and application-performance management products. Although Network Timeout is made possible with the support of ExtraHop Networks, the Network Timeout community is a separate effort that focuses on sharing experiences with network and application troubleshooting and broadening the knowledge base available to IT enthusiasts and professionals.

Gathering Packet Captures

Which capture file formats does Network Timeout accept?
  • Pcap Format. Network Timeout supports network packet captures in the pcap format. Open-source freeware tools are available for gathering network packet captures in the pcap format, notably Wireshark and tcpdump. Many common enterprise sniffers, such as NetScout nGenius and Network Instruments Observer, have the option of exporting network packet captures in the pcap format. If you already have network packet captures in formats other than pcap, you can convert many of them to pcap using editcap and tshark (see supported formats for conversion in Q1.13 of the Wireshark FAQ). For example, to convert capture files from Sniffer (.enc) format, use tshark as follows: tshark -r capture.enc -w capture.pcap.
  • L2 Device. Since Network Timeout performs analysis at L2, the packet capture must be taken from an ethernet or 802.11 device. Packet captures taken from L3 devices such as PPP or tun devices will not work. "Linux cooked" captures also will not work.
  • Full-Length Frames. Since Network Timeout performs transaction-level analysis at L7, it requires network packet captures to contain full-length frames, not just headers or truncated payload.
    • When using the graphical version of Wireshark, go to Capture and then Options, and make sure that Limit each packet to N bytes is not checked.
    • When using tcpdump, make sure to specify the snaplen command-line argument with the parameter 0, for example tcpdump -i eth0 -s 0 -w capture.pcap.
    • When using NetScout nGenius, set Slice Size to 0 in the Data Capture Settings.
    • When using Network Instruments, do not select the Save Partial Packets option in the Save Packet Capture dialog.
Are there limitations on the size or time interval of the packet capture?
  • Size. You can upload capture files up to 30MB in size. You can reduce capture file size by filtering by IP address, ports, time, and so forth.
  • Maximum Time Interval. You can upload capture files where the time interval between the first packet and the last packet is up to four hours. You can reduce a capture file's time interval by filtering by time.
  • Minimum Time Interval. For best results, a capture file should contain at least five seconds of traffic.
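
A local pre-upload check for the requirements above, as an added example that is not part of the Network Timeout service or ExtraHop code: it reads the classic pcap file and per-packet headers and reports a non-L2 link type, truncated frames, and size or time-interval violations. The function names, the reading of 30MB as 30 million bytes, and the mapping of "ethernet or 802.11" to pcap link types 1 and 105 are assumptions.

```python
import struct

# Limits taken from this FAQ; link-type numbers are the standard pcap LINKTYPE values.
MAX_BYTES = 30_000_000          # "30MB", read here as 30 million bytes (assumption)
MIN_SPAN, MAX_SPAN = 5, 4 * 3600
L2_OK = {1: "Ethernet", 105: "IEEE 802.11"}   # 113 (Linux cooked) and 9 (PPP) are not L2
MAGICS = {b"\xd4\xc3\xb2\xa1": ("<", 1e-6), b"\xa1\xb2\xc3\xd4": (">", 1e-6),
          b"\x4d\x3c\xb2\xa1": ("<", 1e-9), b"\xa1\xb2\x3c\x4d": (">", 1e-9)}

def check_capture(data: bytes) -> list:
    """Return the FAQ requirements this capture fails (empty list = ready to upload)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        return ["not pcap: convert with tshark/editcap first"]
    endian, tick = MAGICS[data[:4]]               # byte order and timestamp resolution
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    problems = []
    if len(data) > MAX_BYTES:
        problems.append("file larger than 30MB")
    if linktype not in L2_OK:
        problems.append(f"link type {linktype} is not Ethernet or 802.11")
    off, stamps, truncated = 24, [], 0
    while off + 16 <= len(data):                  # walk the per-packet record headers
        sec, frac, incl, orig = struct.unpack(endian + "IIII", data[off:off + 16])
        stamps.append(sec + frac * tick)
        truncated += incl < orig                  # snaplen cut the frame short
        off += 16 + incl
    if truncated:
        problems.append(f"{truncated} of {len(stamps)} frames truncated (capture with -s 0)")
    span = max(stamps) - min(stamps) if stamps else 0
    if span > MAX_SPAN:
        problems.append("time interval exceeds four hours")
    elif span < MIN_SPAN:
        problems.append("less than five seconds of traffic (results may be poor)")
    return problems

def build_pcap(linktype, packets, snaplen=65535):
    """Constructed sample input: packets is a list of (timestamp_s, orig_len)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)
    for ts, orig in packets:
        incl = min(orig, snaplen)                 # bytes actually stored in the file
        out += struct.pack("<IIII", ts, 0, incl, orig) + bytes(incl)
    return out

if __name__ == "__main__":
    good = build_pcap(1, [(1000, 60), (1010, 1514)])                    # Ethernet, full frames
    bad = build_pcap(113, [(1000, 1514), (1002, 1514)], snaplen=96)     # Linux cooked, sliced
    print(check_capture(good))
    for problem in check_capture(bad):
        print("-", problem)
```

To check a real file, pass its contents: `check_capture(open("capture.pcap", "rb").read())`.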
What type of traffic should I capture for best results?
  • No transit links. The ExtraHop solution accounts traffic to L2 devices it detects in the packet trace. For example, traffic captured off a transit link provides limited granularity of reporting. As a result, it is suggested that traces are gathered from VLANs where key servers (such as web, application, database, and storage) appear as L2 entities. In other words, do not capture traffic from a VLAN where a downstream router is located between the sniffer and the key servers.
    • For best visibility into a pool of web servers behind a load balancer, capture traffic off a VLAN that contains those servers behind the load balancer.
    • For best visibility into a three-tier architecture, combine traces from VLANs that contain web, application, and database servers.
  • No one-way TCP traffic. In enterprise datacenters, network traffic might flow asymmetrically through redundant links. In order to perform advanced L4-L7 analysis, the ExtraHop solution needs to see both directions of the TCP conversation. For traffic captured off a link that carries only one side of TCP conversations, such as responses from the web servers, but not the requests, L4-L7 analysis will not be available.
  • Reduce number of packet drops. Network packet capture tools might not be able to record all traffic if the system is not well-provisioned for dedicated network capture. In addition, switch mirror ports often used by enterprise packet capture tools might drop packets when the overall load on the switch is too high. The ExtraHop solution is resilient to a small amount of dropped packets. However, when too much traffic is dropped, the resulting analysis will become increasingly incomplete. Refer to your network packet capture tool documentation for tips on improving the quality and completeness of captured traffic.
I've never captured network traffic before. How can I get started?

Capturing Traffic Using the Graphical Version of Wireshark

  • Open Wireshark, click Capture, and then click Options
  • To ensure that the captured data is not truncated and full-length frames are captured, make sure that Limit each packet to N bytes is NOT checked.
  • To limit capture file size to 30MB, you can select the second option under the Stop Capture... section and specify ...after 30 Megabytes.
  • To limit the packet capture to traffic of interest, you can filter it to only include certain ports or IP addresses. Click on Capture Filter and construct an appropriate filter expression. Capture filters use the pcap filter syntax (the same syntax tcpdump uses), not the Wireshark display filter syntax. For example, to limit traffic to HTTP and DNS only, enter the filter tcp port 80 or udp port 53.
  • To start capturing traffic, click Start.
  • Refer to the Wireshark User Guide for more details.

Capturing Traffic Using the Command-Line Tool tcpdump

  • The following example shows how you can use tcpdump to capture network traffic: tcpdump -i eth0 -s 0 -C 30 -w capture.pcap port 80 or port 53.
  • The -s 0 option specifies to not truncate packets.
  • The -C 30 option limits capture file size to 30MB.
  • The port 80 or port 53 pcap filter expression limits captured traffic to ports 80 and 53.
  • Please refer to the tcpdump man page for more details.

Uploading Capture Files

How do I upload a packet capture?
  • You must register prior to being able to upload a packet capture.
  • After you register, click Analyze.
  • Provide a name and optionally a description for the capture file you want to upload.
  • Decide whether you want to share the results of the analysis with others.
  • Click Browse to locate a packet capture you have saved on your local computer.
  • Click Upload. When the capture file finishes uploading, you'll be sent to the ExtraHop UI.

Viewing Results

How do I view results?
After the capture file is uploaded, results of the analysis are displayed automatically in the ExtraHop user interface. Now you can explore the results:
  • Navigate the Results within the ExtraHop UI. See the Interpreting Results section for examples.
  • Allow Others to See the Results of the Analysis. Click Share Session and provide other users with the URL displayed. If these users are not registered yet, they must register before being able to access your session. If you do not see this link, you are viewing results of analysis from a capture file you did not upload originally.
  • Exit the ExtraHop UI. Click Return to Network Timeout to return to the Network Timeout analysis page. You can return to the ExtraHop UI by clicking on the Active capture link at the top of the page.
Can I come back to a previously saved packet capture?
Yes. You can return to a previously saved packet capture in one of two ways:
  • If you've just uploaded this capture file and it is still in your active session, click Analyze and then click the Active capture link at the top of the page.
  • If you want to return to a packet capture you've uploaded before instead of the capture file in your current session, click Analyze and select a packet capture under the Load one of your previously uploaded capture files heading.
Can I share my packet captures with other users?
Yes. You can either make your capture file public or share it with specific users:
  • Share with everyone by making your capture file public. You can decide to make a capture file public at upload time. For previously uploaded packet captures, you can modify the Shared setting by clicking Analyze, then Manage your capture files, and then Modify/Delete.
  • Share with specific users by providing them with a URL to your current session. After you've uploaded a capture file, click Share Session in the ExtraHop UI and provide the other users with the URL displayed. If these users are not registered yet, they must register before being able to access your session. If you do not see this link, you do not have a right to share this analysis.
Is there a library of previously uploaded packet captures?
Yes. Click Analyze and then select a capture file under the heading Load a recently shared capture file.

Interpreting Results

How do I navigate the ExtraHop UI?
See our Documentation page, which includes instructional videos.
How do I know what a particular metric means?
On every page of the ExtraHop UI, context-sensitive help is available by clicking the Help button in the top right-hand corner.
I'm not sure what my results mean.
Interpreting results is often an art that requires an intimate understanding of the network protocols involved in the communication recorded in the capture file. Inviting community discussion can help you to get timely and relevant feedback. You can start a new discussion on the Network Timeout forum by posing the question to your peers. If you'd like others to view the results of the analysis, you can make your capture file public or post a URL to your active session in the post body.
I'm still not sure what my results mean, and my problem is urgent.
If you'd like to get input on your issue from the team that designed the analysis engine powering Network Timeout, please contact ExtraHop Networks to ask about consulting services.
What metrics and protocols currently are supported?
The ExtraHop solution supports a wide range of network protocols, from L2-L7. The set of supported protocols is frequently expanded according to the product roadmap and customer demand. Network Timeout only includes a subset of functionality available in the ExtraHop solution. Please contact ExtraHop Networks for additional information.

Exporting Results

How can I export the results of the Network Timeout analysis?
On any screen that has a PDF button, click it to export the results displayed on that screen to a PDF report. On some browsers, you must allow popups from www.networktimeout.com first.

Security & Privacy

If I register, will you contact me?
You don't have to provide your name and contact information, other than your email address. However, if you do, someone from the ExtraHop team may contact you to gauge your interest in the real-time network- and application-analysis solutions for the enterprise.
Will Network Timeout or anyone else have access to my packet capture?
Network Timeout and ExtraHop Networks will have access to your capture file, and we may use it to improve the service or products. We will not license or sell your data to third parties. We may use your capture file for our own internal testing in order to improve our products or services.
Can I allow access to a capture file's analysis with everyone?
Yes, when you upload a capture file you have the option of sharing the results with everyone by choosing Yes for Shared.
Can I modify access to a capture file's analysis after I've uploaded it?
Yes. From the Analysis page, click on Manage your capture files and select Modify/Delete for the packet capture you want to change, and then select or deselect the Share checkbox.
Can I explicitly share the results of analysis with someone?
Yes, you can allow others to view the results of the analysis. After you've uploaded the capture file and started viewing the results in the ExtraHop UI, click Share Session and provide other users with the URL displayed. If these users are not registered yet, they must register before being able to access your session. If you do not see this link, you do not have a right to share this analysis.
Can I delete the capture file from the service?
Yes. This will prevent analysis results for the packet capture from being seen by you or other users, but Network Timeout and ExtraHop Networks may continue to use uploaded capture files internally. Here's how you delete a capture file:
  • Click Analyze and then Manage your capture files.
  • On the "Your capture files" page, click Modify/Delete.
  • On the "Modify capture details" page, click Delete.

Additional Functionality

Can I upload larger capture files?
We may be able to accommodate larger capture file uploads upon request. Please submit a request through our feedback form.
Is there a software or virtual-appliance version that I can run myself?
Not yet. Right now ExtraHop solutions include datacenter-grade appliances that perform this analysis at 1G and 10G scale in real time. Please contact ExtraHop Networks for more information.
What is the difference between real-time analysis and offline analysis?
Offline network analysis is best exemplified by sniffers (such as Wireshark), which capture all of the raw network packets to disk and provide tools to decode this data after the fact. Real-time network analysis is an innovative approach that processes all network packets as they arrive and extracts relevant L2-L7 metrics. This stream of metrics serves as a basis for real-time trending and alerting, is used for proactive troubleshooting, and is stored for historical analysis and capacity planning. Network Timeout only provides offline analysis based on uploaded packet captures. A real-time version of the engine powering Network Timeout is available commercially from ExtraHop Networks. Please contact ExtraHop Networks for more information about the ExtraHop solutions.

Troubleshooting

My capture is rejected with the following error: "The capture file's time interval was too large...."
Reduce the capture's time interval.
My capture is rejected with the following error: "The uploaded file wasn't recognized as a valid capture file."
The capture is not in the pcap format. Please convert the file to the pcap format prior to uploading.
My capture is rejected with the following error: "A problem occurred while processing the uploaded file. Please check to make sure the file is a valid capture file."
Your trace included either only L7 headers and no payload, or only the first N bytes of payload. Please provide a capture that contains full-length frames.
I don't see my devices.
See What type of traffic should I capture for best results? above.
I don't see the protocol/metric/analysis/data I expected.
Protocol missing from the left-hand tree control. Metric is missing.
My question is not on this list - I'm stuck.
Please browse the Network Timeout forum for related topics. If you don't see anything relevant, please start a new discussion by posing the question to the community.

Technical Support

Does Network Timeout provide technical support?
No, we don't provide any official support; however if you need help you can ask the community at the Network Timeout forum. If you want to share something with us privately, you can use our feedback form. You can also contact ExtraHop Networks to inquire about consulting services.