Using MultiHop Analysis
 
Page Contents
Tell me more about the MultiHop Analysis tool
Quickly using MultiHop Analysis
Configuring MultiHop Analysis settings
Troubleshooting synchronization errors
How to use IP mapping in MultiHop Analysis
Prerequisite: Observer Expert or Observer Suite
MultiHop Analysis is a powerful tool in Observer; it graphically shows you network conversations that traverse multiple network hops, making it easy to determine if delays are due to a particular router hop. For example, if you have a corporate LAN spread across remote offices, MultiHop Analysis can tell you which routers are causing network delay between remote offices and corporate headquarters.
If you encounter problems with MultiHop Analysis, see Troubleshooting synchronization errors, or call the support team about issues specific to your network environment.
Tip! VIAVI included sample capture files so you can try MultiHop Analysis. These files are located in the \data subdirectory of wherever Observer was installed (C:\Program Files\Observer by default).
Before using the MultiHop Analysis tool, we recommend you become familiar with the user interface and creating packet captures from multiple probe instances—see Capturing from multiple probe instances for details.
Figure 36: MultiHop Analysis - the user interface
Note: MultiHop Analysis operates only in post-capture mode; to use the tool, you must save (or have saved) your capture files to disk and have access to those files.
To use MultiHop Analysis, complete the following steps:
1. Create and save multiple capture files—simultaneously—from multiple probe instances.
When capturing from multiple probe instances, there is an option to immediately bring those captures into the MultiHop Analysis tool. For the sake of example, however, the following steps do not use that option.
2. On the Home tab, in the Analysis group, click MultiHop Analysis.
3. Click the Select Files to Analyze button. The MultiHop Analysis Settings window appears.
4. Ensure the Files tab is selected, and click the Add button. The Edit Segment File dialog appears.
Figure 37: The Edit Segment File dialog
5. Type a descriptive name for your segment. In MultiHop Analysis, each capture file is called a segment.
6. Browse to or type the file location of the first capture file.
7. (Optional) If you know or anticipate that IP addresses will not match between hops, enable the Apply IP Mapping option and click the Settings button.
IP mapping keeps track of network entities as they undergo network address translation. For more information about this option and its use, see How to use IP mapping in MultiHop Analysis.
8. Click OK to confirm this segment’s inclusion.
9. Repeat step 4 through step 8 for each capture file (segment) that you want to add to your MultiHop Analysis session. You can add a maximum of ten segments.
10. Ensure you return to the MultiHop Analysis Settings window (which appeared in step 3), and click OK.
 
You successfully prepared the MultiHop Analysis tool and can now view and analyze the results.
 
Tell me more about the MultiHop Analysis tool
 
All of the connections detected are listed in the upper left corner of the MultiHop Analysis display. Choose each connection you want to analyze by clicking on its corresponding check box. For the MultiHop Analysis display, it is usually more useful to look at one connection at a time.
The Hop Summary view shows delay data from the selected connections in aggregate, giving you the average delay time from multiple conversations over time. Knowing what is “normal” can help you determine when applications or third party service providers are performing adequately.
Most of the metrics (minimum and maximum delay times in total and by segment, for example) should be self-explanatory. Lost Packet Delay Time measures how much delay was introduced by dropped packets having to be re-sent.
 
 
The Summary Statistics view of MultiHop Analysis gives you a textual display of the selected connections (computed in the MultiHop Delay Analysis – Connection Dynamics view). You may select one or many connections. The statistics summary gives you details on the analyzed packets, such as: number of packets analyzed, delay time, matched packets, direction of packets, dropped packets (will be displayed in red type), time of first packet, and time of last packet.
The first part of the summary shows paths to all of the buffer files currently being analyzed and summarizes settings in effect. The second part of the summary shows essentially the same measurements as the MultiHop connection dynamics and MultiHop Analysis displays, summarized in a list format. As in the MultiHop Analysis display, Lost Packet Delay Time measures how much delay was introduced by dropped packets having to be re-sent.
 
Quickly using MultiHop Analysis
Your method of using MultiHop Analysis can differ depending on how you obtain, or obtained, the capture files you want to work with. For example, using MultiHop Analysis can be difficult if you have capture buffer files obtained at different times or from probe instances you have no personal access to but someone else does and has sent you captures. Those circumstances are best handled using the process described in Using MultiHop Analysis—and not this section.
This section describes the quickest and easiest way to use MultiHop Analysis, but unlike the other section, it requires that the following criteria be met for the process to work correctly:
You must have access to all target probe instances from your local Observer (i.e. from the local machine). Ensure that each is in your probe list, is configured, and connected.
You must have sufficient capture buffer sizes across all target probe instances; you do not want one of the probe instance capture buffers to max out too early—leaving you with too little data.
Like other captures, you must have sufficient disk space to save the file(s). This becomes increasingly important when using MultiHop Analysis because you are simultaneously creating and saving more than one capture file, and the disk space required is increased accordingly.
To quickly use MultiHop Analysis, complete the following steps:
1. On the Home tab, in the Capture group, click Configuration > Capture Multiple.
2. Select each probe instance that you want to capture from.
3. (Optional) Set a pre-filter on any probe instance by selecting a probe instance and clicking Set Filter for Selected Instance.
4. Click Start to begin the packet capture on multiple instances.
The Multiple Instance Packet Capture dialog appears, indicating the capture is actively running. Allow this dialog to remain on your screen.
5. In the Multiple Instance Packet Capture dialog, ensure both “Transfer and Save Packet Captures” and “Start MultiHop Analysis” are enabled.
6. In the Multiple Instance Packet Capture dialog, click Stop. The MultiHop Analysis Settings window appears—automatically loading and listing your new capture files.
7. (Optional) Configure any additional settings now.
8. Click OK. The MultiHop Analysis tool opens, and your analysis can now begin.
 
You successfully used MultiHop Analysis quickly and efficiently. This is the quickest way to perform MultiHop Analysis, provided the requirements listed above are met.
 
Configuring MultiHop Analysis settings
Click the Settings button on the MultiHop analysis tool bar to specify capture files and other configuration options. Usually, the default settings will provide satisfactory results; only adjust if you run into performance problems.
 
The first tab, Settings, has options to specify the methods that MultiHop analysis uses to identify connections and synchronize timestamps on the files.
IP Address + IP ID (Port mapped)
This option is best for networks that implement Network Address Translation (NAT) firewalls between segments.
IP Address + IP ID + TCP/UDP Ports (Ports will match)
Choose this option (which is the default) for networks without address translation or port mapping.
IP Address + TCP Sequence number (TCP only, port mapped)
Choose this option if your network includes Network Address Translation (NAT) firewalls, and the volume of packets in the captures is causing the IP ID numbers to be recycled (i.e., reset to 0).
IP Address + TCP Sequence number (TCP only, ports will match)
Choose this option if your network does not have any Network Address Translation or port mapping, and the volume of packets in the captures is causing the IP ID numbers to be recycled (i.e., reset to 0).
Maximum packets to analyze per connection
Allows you to select the maximum number of packets you want to analyze; only active if Enable is selected.
Enable
Allows you to limit the number of packets to be analyzed.
Defaults
Changes the settings back to their default values.
 
File Synchronization Method
Created: 2014-04-17
File synchronization is at the heart of MultiHop Analysis. By aligning the files in time and determining whether timestamp differences are the result of delay versus clock drift and other collection artifacts, Observer can show you not only aggregate delay, but also the proportion of delay with each hop.
 
 
Identifying how much data to synchronize and where to start
There are many possible methods that Observer can use to synchronize the files. The best one to use depends on two factors: How long were the captures? and How closely in time were the captures started and stopped?
 
This is because of a phenomenon called clock drift: two system clocks inevitably drift apart because no two clock crystals are exactly the same, and even if they were, ambient temperature differences also affect clock rates. On shorter captures (i.e., four minutes or less), this is not usually an issue, so choose the first option. For longer captures (more than four minutes), the best method to choose depends on how closely the buffer files’ start and stop times conform to each other.
Synchronize using all data from both files—This method is best for shorter captures (of four minutes or less) where all the captures were started and stopped within a second of each other, and clock drift is not an issue.
Synchronize using a sliding window having the smallest variance—Using this method, Observer analyzes the two packet captures to find a window of time where the timestamps coincide with the least variance. This method is best for finding transactions across longer captures that were not very precisely synchronized regarding start and stop times.
Synchronize at the beginning of the files with a clock drift correction—This method (the default) corrects for the inevitable differences between probe system clocks by comparing the beginning and end packets of all captures to determine clock drift. This method is best for longer captures (of four minutes or more) where all the captures were started and stopped within a few seconds of each other.
 
Identifying synchronization artifacts versus actual delay
Different methods work better for determining synchronization artifacts (such as clock drift and other system clock differences) versus actual delay caused by the network.
 
Calculate synchronization using average delay times—Choose this option if delay times are fairly uniform and short (such as delay times typical between local network segments).
Calculate synchronization using minimum delay times—Choose this option (the default) if there are longer delays between segments, or delay times vary from short to long (such as delay times that would be typical of a WAN connection to a remote segment of your network that experiences congestion).
Time Synchronization Window (msecs)—Use the default value (20000) in most cases. If packet IDs are being recycled (e.g. reset to zero) because they are being used up too quickly due to the volume of traffic, you can set this value lower.
Use Header following the GRE or GTP Header for Encapsulation/Tunneling—GRE (Generic Routing Encapsulation) and GTP (GPRS Tunneling Protocol) are two encapsulation protocols that may have been deployed on your network. To show the encapsulation IP addresses, leave the box unchecked; to show the nested IP addresses, check the box.
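The clock drift correction and minimum-delay options described above can be modeled in a few lines. This is an added example, not Observer's algorithm: the function names, the 10-second window, and the capture data (a 0.250 s clock offset, 50 ppm drift, and a congested burst near 300 s) are all constructed assumptions.

```python
def make_pairs():
    """Constructed capture of matched packets as (t_a, t_b) in seconds.
    Clock B is 0.250 s ahead and 50 ppm fast; true one-way delay is 2 ms,
    except for a congested burst around t=300 s (40 ms)."""
    pairs = []
    for i in range(601):
        ta = float(i)
        delay = 0.040 if 295 <= i <= 305 else 0.002
        pairs.append((ta, ta + delay + 0.250 + 50e-6 * ta))
    return pairs

def quietest(pairs, lo, hi):
    """Pair with the smallest (t_b - t_a) whose t_a lies in [lo, hi]."""
    return min((p for p in pairs if lo <= p[0] <= hi), key=lambda p: p[1] - p[0])

def estimate_clock(pairs, window_s):
    """Return (ref_time, offset, drift) of clock B relative to clock A.

    The minimum delta near the start and near the end of the capture is
    treated as the uncongested path, so any change between the two minima
    is attributed to clock drift rather than to the network.
    """
    ta0, tb0 = quietest(pairs, pairs[0][0], pairs[0][0] + window_s)
    ta1, tb1 = quietest(pairs, pairs[-1][0] - window_s, pairs[-1][0])
    drift = ((tb1 - ta1) - (tb0 - ta0)) / (ta1 - ta0)
    return ta0, tb0 - ta0, drift

def residual_delays(pairs, ref, offset, drift):
    """Per-packet delay above the quietest path, with clock effects removed."""
    return [(ta, (tb - ta) - offset - drift * (ta - ref)) for ta, tb in pairs]

if __name__ == "__main__":
    pairs = make_pairs()
    ref, offset, drift = estimate_clock(pairs, window_s=10.0)
    print(f"offset={offset:.3f}s drift={drift * 1e6:.1f} ppm")
    for ta, d in residual_delays(pairs, ref, offset, drift):
        if d > 0.010:  # report only packets delayed by more than 10 ms
            print(f"t={ta:5.0f}s extra delay={d * 1000:.1f} ms")
```

Without the drift term, the last packet of this capture would show about 30 ms of apparent delay that is purely a clock artifact. The fixed 2 ms path delay is absorbed into the offset, because two unsynchronized clocks cannot separate it from the clock difference.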
 
Troubleshooting synchronization errors
File synchronization is essential to MultiHop Analysis, and it is automatically attempted by Observer. By aligning the capture files in time and determining whether timestamp differences are the result of delay versus clock drift and other collection artifacts, Observer shows you not only total delay, but also the proportion of delay with each hop.
This, however, is the reason why synchronization errors are troublesome while using MultiHop Analysis—errors must be avoided for the tool to work as intended. If you cannot avoid synchronization errors, there exists a troubleshooting method called user offset, which could fix the issue.
Tip! Typically, user offset never needs adjusting because Observer automatically synchronizes your segments. However, adjusting user offset is useful when manual control is your absolute top priority.
Note: The following steps assume you have already loaded two or more segments into MultiHop Analysis. See Using MultiHop Analysis and Quickly using MultiHop Analysis.
To troubleshoot synchronization errors, navigate to the user offset values by completing the following steps:
1. On the Home tab, in the Analysis group, click MultiHop Analysis.
2. Click the Settings button.
3. Click the Synchronization tab. This tab lists your loaded segments and the time synchronization(s) currently applied to them.
4. Adjust the values in the User Offset (sec) column.
 
 
 
After completing this task:
Some experimentation may be required when adjusting your user offset values; this process is iterative, so you can keep adjusting until you are satisfied with the results.
 
How to use IP mapping in MultiHop Analysis
Many devices in your network environment can perform Network Address Translation (NAT), such as routers and load balancers. As NATing occurs, the IP address of the network device changes, and, if not accounted for in Observer, would cause issues with the MultiHop Analysis tool because it is designed to follow an address through its entire journey. The IP mapping option exists so you can tell Observer, for example, that local IP address 10.0.36.100 is the same station/device as 218.xx.xx.xx on the full Internet.
Tip! IP mapping assumes you know exactly how one IP address translates to another after NATing. After you study how the devices in your network are NATing, IP mapping becomes a quick and simple process.
Note: The following steps assume you have already loaded two or more segments into MultiHop Analysis. See Using MultiHop Analysis and Quickly using MultiHop Analysis.
To use IP mapping in MultiHop Analysis, complete the following steps:
1. On the Home tab, in the Analysis group, click MultiHop Analysis.
2. Click the Select Files to Analyze button.
3. Double-click a file segment to edit it. The Edit File Segment dialog appears.
4. Enable the Apply IP Mapping setting.
5. Click the Settings button. The IP Mapping Settings window appears.
6. (Optional) In the Profile area, click Add to create a new profile.
7. Click the Add button, and type the IP addresses that should correspond to each other after NATing.
For example, specify that the IP address 10.0.36.100 is the same station/device as 218.xx.xx.xx on the full Internet.
8. (Optional) Repeat the process for each desired IP mapping and for each segment file (if necessary).
9. Click OK twice to confirm and save your changes.
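The connection identification options under Configuring MultiHop Analysis settings and the IP mapping described in this section both determine whether a packet seen in one segment is recognized in another. The following added example is a simplified model of that keying, not Observer's matching logic; the packets are constructed, and 203.0.113.10 is a documentation-range stand-in for the translated address that the page elides.

```python
# Constructed packets: (src_ip, src_port, dst_ip, dst_port, ip_id, timestamp_s).
INSIDE = [
    ("10.0.36.100", 51000, "198.51.100.7", 443, 0x1A01, 10.000),
    ("10.0.36.100", 51000, "198.51.100.7", 443, 0x1A02, 10.020),
    ("10.0.36.100", 51000, "198.51.100.7", 443, 0x1A03, 10.040),
]
OUTSIDE = [  # same flow after a NAT device rewrote source address and port
    ("203.0.113.10", 40001, "198.51.100.7", 443, 0x1A01, 10.012),
    ("203.0.113.10", 40001, "198.51.100.7", 443, 0x1A03, 10.055),
]
IP_MAP = {"203.0.113.10": "10.0.36.100"}  # translated -> original (hypothetical profile)

def packet_key(pkt, use_ports, ip_map):
    """Identity used to recognize one packet in another segment."""
    src, sport, dst, dport, ip_id, _ts = pkt
    src, dst = ip_map.get(src, src), ip_map.get(dst, dst)
    return (src, dst, ip_id, sport, dport) if use_ports else (src, dst, ip_id)

def match_segments(seg_a, seg_b, use_ports, ip_map=None):
    """Return (matched, unmatched); matched maps key -> (t_a, t_b)."""
    ip_map = ip_map or {}
    seen_b = {packet_key(p, use_ports, ip_map): p[5] for p in seg_b}
    matched, unmatched = {}, []
    for pkt in seg_a:
        key = packet_key(pkt, use_ports, ip_map)
        if key in seen_b:
            matched[key] = (pkt[5], seen_b[key])
        else:
            unmatched.append(key)  # seen on A only: dropped, or keyed wrongly
    return matched, unmatched

def report():
    """Matched and unmatched counts for each keying choice."""
    rows = {}
    for label, use_ports, ip_map in [
        ("ports match, no mapping", True, None),
        ("port mapped, no mapping", False, None),
        ("ports match, IP mapping", True, IP_MAP),
        ("port mapped, IP mapping", False, IP_MAP),
    ]:
        matched, unmatched = match_segments(INSIDE, OUTSIDE, use_ports, ip_map)
        rows[label] = (len(matched), len(unmatched))
    return rows

if __name__ == "__main__":
    for label, (hit, miss) in report().items():
        print(f"{label:26s} matched={hit} unmatched={miss}")
```

In this model only the port-mapped key combined with the IP mapping recognizes the translated flow, and the one packet still unmatched (IP ID 0x1A02) is the genuine drop rather than a keying artifact.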