Analyze Top Network Applications

Do you know which applications are running on your network? Do you know how well they are running? If you want to know what is happening with your most important applications, PacketShaper and AppVantage can tell you.

   Steps:

1. Look at the Top Ten Classes pie graph; this shows you the ten most used classes on your network. Over 300 applications are discovered automatically by your unit.
   
   
   In the Top 10 chart above, NetNews (NNTP), web page downloads (HTTP), email downloads (POP3), inbound mail to your mail server (SMTP), file sharing with Gnutella, file downloads with FTP, real-time audio with Shoutcast, MPEG-Audio, and real-time video (MPEG-Video) are the most used applications.
   
   
2. Look at the Class Utilization with Peaks graph for all classes for a week. You will use this composite to compare individual application graphs. This will help you analyze how heavily your WAN link is loaded relative to its capacity aggregating data from all applications. You can then go into a more detailed analysis of specific applications to look at their bandwidth usage characteristics.
   
   
   From this chart you can see that the unit has been connected to a network link with maximum capacity of about 4.5Mbps. This could be a location in the network where three T-1 lines connect to a LAN. (T1-lines are 1.5Mbps each, so three would provide up to 4.5 Mbps of traffic).
   
   You can also see that both average (red) and peak (blue) traffic utilization was lower 08/04 - 08/06 which was a weekend. Lower traffic utilization on a weekend is expected on a network link at a business.
   
   Looking at just the red line in the graph, note that average utilization doesn't exceed 1Mbps on a sustained basis, even though a few peaks go higher. This indicates there is more capacity than is being utilized, so this configuration has room to grow. The average reached a maximum of ~1.5Mbps on 08/06 and 08/07, an indication that traffic patterns may saturate one of the T1 (1.5Mbps) lines for brief periods; validating that guess would require more detailed analysis for those specific dates. When a network link has multiple lines, sometimes traffic to or for specific applications only travels across one of the lines. This means that even though there is capacity for 4.5 Mbps, there can be cases where the maximum throughput is actually 1.5Mbps if the traffic is not evenly shared across the three lines.
   
   
3. Look at the Class Utilization with Peaks graph for individual classes for a week. Here are some examples and what they show:
   
   
   
   The graph of Gnutella traffic provides insights into its use on the network. Note that it's not used on the weekend (8/11 and 8/12). Also note that it peaks to 500k but only occasionally— not on a sustained basis. From this, you could guess that the number of Gnutella users is probably small and that the spikes on the graph indicate periods when individual large files are downloaded or a server on the local network is accessed by a user who downloads multiple files. If there were many Gnutella servers there would likely be a more constant stream of traffic. Gnutella traffic can be significant (peaks of 500k of our 4.5M link yet the sustained rate is more like 250k occasionally and usually more like <20k) but other times it's likely to have little or no impact on overall application performance <100k of peak usage. The traffic flow command could be used to investigate how many concurrent Gnutella sessions there are at the current time.
   
   
   The graph above shows the traffic of an Internet radio system called Shoutcast. Notice the relatively constant demand for network resources over time, as indicated by the horizontal pattern of the (red) average rate line.
   
   The red line also indicates that average utilization is about 20k. This could be either a single user listening to a 20k stream, or multiple users listening to slower streams that total 20k. The graph's peaks to 100k indicate some burstiness in the traffic; however, given that this is a one week graph, bursting even once in a hour could cause the peak rate graph to go up. These peaks may just reflect changing channels from one radio station to another.
   
   The time durations show that sometimes Shoutcast is played for short periods of time; other times it may be on most of the day. For more detailed information you could generate utilization graphs for a day or specific hours of a day.
   
   This graph of inbound POP traffic shows downloads from mail servers to individual email clients like Outlook or Eudora. Like the other applications, this application shows the week-day versus weekend pattern.
   
   Average utilization (red line) is low, meaning downloading mail is a small demand on the link. Since these packages automatically check for mail on a periodic basis, this traffic is predictably spread out relatively evenly over the course of a day.
   
   During weekdays there are more users, which is reflected in the regular peaks to 1.5Mbps during business hours. The 1.5Mbs maximum peaks also suggest that mail server traffic goes through a single T1 line; the overall inbound graph showed periods of 3Mbps-4.5Mbps of total traffic, but mail never exceeded 1.5Mbps.
   
   As expected, the weekend has either fewer users or fewer PC's turned on and checking for new email. A day utilization graph would provide details that would probably show business versus non-business hours and patterns that match email use from home in the evening.
   

   The wide variation between average (red) and peak (blue) rates indicates two things:

   • there is capacity for more email traffic
   • connections are short and contain small amounts of data
     
     

   This is why the graph looks different than the one for Shoutcast which transmits data at a continuous rate for a significant period of time.

4. Look at the Network Efficiency graph for all classes. The chart below shows optimum efficiency. (Note: The formula for efficiency is bytes - tcp-retx-bytes / bytes.)
   
   
   
   
5. Now, compare an application's Network Efficiency graph to the one for all classes. Here are some examples and an analysis of each:
   
   
   

   This Gnutella day graph illustrates the fact that an application with no traffic shows 100% network efficiency.

   You can see that between 8am and 4pm, the peer-to-peer program Gnutella was used. Gnutella servers are often the computers of individual Internet users on dial-up modems. When multiple users access these servers, chances are high that there will be congestion and dropped packets. Therefore it is not unusual to see lower network efficiency statistics than those for applications that run in corporate networks where network resources can be commensurate with applications' needs. You can see that packets were dropped here; the 75% efficiency means that 25% of packets for this application were dropped at that point in time.

   
   
   This utilization graph for Shoutcast is most easily interpreted by comparing it directly with the utilization graph for all classes above. Notice that when there is no traffic, efficiency reports 100% (no retransmissions, but no actual traffic either) and that when there is traffic, efficiency is low but consistent. PacketWise is recording approximately 40% retransmission rate for the connection between Shoutcast users and the servers they are accessing. This could be due to congestion on the Internet or elsewhere on the network. You might also see low efficiency if you've created a small partition (perhaps intentionally) for the class.


      
This Inbound POP3 graph's efficiency of about 80% shows a 10-20% retransmission rate for inbound mail traffic. Since email is a mission critical application, this large number of retransmissions should be investigated further to see why so many packets are being dropped. Network efficiency of 95%+ is more typical for email on a healthy network with adequate bandwidth. One way to reduce retransmissions and increase efficiency is to set a rate policy on a TCP class.


6. Look at the Transaction Delay graph for all applications then the application of interest. (Note: This graph is not available on ISP models.)
   
   Response time measurement (RTM) statistics are only recorded in the client-to-server direction. If RTM graphs for a class have values of zero, run the graphs in the opposite direction. In the example below, the RTM available for POP3 is Outbound.
   
   
   There are no red flags on this RTM graph of Outbound POP3. The increased response time spike on August 1st corresponds to the spike in the Utilization chart in step 2. The spike itself was probably caused by an email, with a large attachment and distribution list, that many people opened at once.