Many network administrators feel right at home with standard network analysis tools, which show network traffic flows as lists of packet headers with packet payloads viewable in hex or ASCII. Many other network admins, however, do not. In an effort to ease network and application troubleshooting, ClearSight Networks offers ClearSight Analyzer, a new approach to network analysis.
At its core, ClearSight offers a unique presentation of packet data. As data passes through the tap, ClearSight shows the communication between hosts as a "ladder" of packets, with arrows designating packet source and destination and colour-coded labels on each packet highlighting the disposition of the communication.
For example, a TCP retransmission seen on the wire is flagged red, indicating a problem, while a completed SYN, SYN/ACK, ACK three-way handshake is flagged green to indicate that the connection was set up without issue. By placing the per-packet details (sequence and acknowledgement numbers, timings) beside the protocol-flow view, it is simple to navigate through the interface and determine where network problems might be occurring.
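The ladder view described above is easy to reason about once you see the state it tracks. The following is an added example written for this review, not ClearSight's code: it walks one constructed TCP conversation (the packet records are made up, not a real capture), labels the packet that completes the three-way handshake green, labels any segment that repeats an already-seen sequence number in the same direction red as a retransmission, and prints a text ladder with arrows for direction. The `Pkt` record, the flag strings and the colour names are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Pkt:
    """One TCP segment as a ladder view would see it (assumed layout)."""
    ts: float
    src: str
    dst: str
    flags: str      # letters from S, A, P, F, e.g. "SA" for SYN/ACK
    seq: int
    ack: int
    length: int = 0  # payload bytes


def classify(packets: List[Pkt]) -> List[Tuple[Pkt, str, str]]:
    """Label every packet of one conversation: (packet, label, colour).

    colour is 'green' for the ACK that completes the handshake,
    'red' for a retransmission, 'normal' for everything else.
    """
    sent = set()                 # (src, dst, seq, flags) already seen in this direction
    syn = synack = None          # the SYN and SYN/ACK we are waiting to see answered
    handshake_done = False
    out = []
    for p in packets:
        f = set(p.flags)
        key = (p.src, p.dst, p.seq, p.flags)
        # A repeated SYN/FIN or a repeated data-bearing segment from the same
        # side is a retransmission: the peer's ACK never arrived in time.
        if key in sent and (p.length > 0 or "S" in f or "F" in f):
            out.append((p, "retransmission", "red"))
            continue
        sent.add(key)
        label, colour = "/".join(sorted(f)), "normal"
        if f == {"S"}:
            syn, label = p, "SYN"
        elif f == {"S", "A"} and syn is not None and p.ack == syn.seq + 1:
            synack, label = p, "SYN/ACK"
        elif (f == {"A"} and synack is not None and not handshake_done
              and p.src == syn.src and p.ack == synack.seq + 1 and p.length == 0):
            label, colour = "ACK (handshake complete)", "green"
            handshake_done = True
        out.append((p, label, colour))
    return out


def ladder(labelled: List[Tuple[Pkt, str, str]], left: str, right: str) -> List[str]:
    """Render the conversation as text lines with direction arrows."""
    lines = [f"{'time':>7}  {left:>10}      {right:<10}  label"]
    for p, label, colour in labelled:
        arrow = "---->" if p.src == left else "<----"
        lines.append(f"{p.ts:7.3f}  {left:>10} {arrow} {right:<10}  {label} [{colour}]")
    return lines


# Constructed conversation: client 10.0.0.5 opens a connection to 10.0.0.9,
# sends 120 bytes, hears nothing for 200 ms and retransmits them.
SAMPLE = [
    Pkt(0.000, "10.0.0.5", "10.0.0.9", "S",  seq=1000, ack=0),
    Pkt(0.010, "10.0.0.9", "10.0.0.5", "SA", seq=5000, ack=1001),
    Pkt(0.011, "10.0.0.5", "10.0.0.9", "A",  seq=1001, ack=5001),
    Pkt(0.020, "10.0.0.5", "10.0.0.9", "PA", seq=1001, ack=5001, length=120),
    Pkt(0.230, "10.0.0.5", "10.0.0.9", "PA", seq=1001, ack=5001, length=120),
    Pkt(0.240, "10.0.0.9", "10.0.0.5", "A",  seq=5001, ack=1121),
]

if __name__ == "__main__":
    for line in ladder(classify(SAMPLE), "10.0.0.5", "10.0.0.9"):
        print(line)
```

The retransmission rule keys on direction, sequence number and flags only; a real analyzer also compares the data length and checks for out-of-order delivery, but the point stands: the red and green labels in the ladder are derived from exactly this kind of per-direction state, which is why the view is so quick to read.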
ClearSight boasts that the ClearSight Analyzer has been designed to capture network data without missing a single packet, even at gigabit speeds. In the lab, it lived up to that claim. Currently 10/100 Ethernet and Gigabit Ethernet are supported and ClearSight plans to release a 10Gb analyzer in the near future.
Intriguingly, ClearSight Analyzer is written entirely in Java, although it can optionally use the decode engine from the open source protocol analyzer Ethereal. Alternatively, ClearSight provides its own decode engine, and administrators can easily swap between the two or implement their own. One caveat worth noting: a bundled third-party decoder brings along whatever parsing bugs its version has, so the Ethereal engine's patch level is something to keep an eye on if the analyzer sits on untrusted traffic.
I evaluated ClearSight Analyzer in two incarnations: a software-only package running on Windows and as a self-contained analysis appliance running Windows XP Professional (see photo, right). The stand-alone kit includes DataCom network taps to place the analyzer in-line on a 10/100 Ethernet or GbE network segment, either multimode fiber or copper.
ClearSight obviously has put a good deal of work into the interface, providing administrators with a well laid-out, dashboard-style console for monitoring network flows in real time. A downside to the console is that the protocols present in the summary overview are not configurable and do not include many commonly found applications, such as SSH (Secure Shell) and IMAP (Internet Message Access Protocol). It is possible to configure application protocol definitions based on TCP/UDP ports, but they are only referenced in the detail sections and not the live monitor.
The live monitor is not persistent and only displays traffic flows seen since it was last started. If the application is restarted, all traffic data seen in the prior session is lost. To work around this, you can capture data on the wire while you perform real-time monitoring.
ClearSight Analyzer has the ability to replay SIP (Session Initiation Protocol), SCCP (Skinny Client Control Protocol), and H.323 streams from capture files or from live data. So when monitoring VoIP (voice over IP) traffic, calls can be heard and video with accompanying audio can be displayed in the analyzer interface.
When dealing with a sizable capture, solid filtering is an absolute requirement. The filters permitted are quite wide in scope, allowing filtering on payload data, such as a SIP phone number. Creating filters with numerous rules, however, can be cumbersome.
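To show what a payload filter of the kind mentioned above actually has to do, here is an added example, written for this review and not ClearSight's own filter engine. It pulls the user part out of the SIP URIs in the request line and the From/To headers, and builds multi-rule filters by composing small predicates (`all_of`, `any_of`, `not_`) rather than by hand-editing a long rule list. The `Packet` record, the rule names and the four sample packets (a constructed INVITE, its 200 OK, a REGISTER for a different number and an unrelated HTTP request) are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Set


@dataclass
class Packet:
    """One captured datagram or segment with its payload (assumed layout)."""
    src: str
    dst: str
    proto: str      # "udp" or "tcp"
    sport: int
    dport: int
    payload: bytes


Rule = Callable[[Packet], bool]

# user part of a SIP/SIPS URI, e.g. sip:5551234@10.0.0.5 -> 5551234
_SIP_URI = re.compile(rb"sips?:\+?([0-9A-Za-z._-]+)@", re.IGNORECASE)


def sip_numbers(payload: bytes) -> Set[str]:
    """Numbers (URI user parts) named in the request line and From/To headers."""
    nums: Set[str] = set()
    for line in payload.split(b"\r\n"):
        if line.startswith((b"INVITE ", b"From:", b"To:", b"f:", b"t:")):
            nums.update(m.group(1).decode() for m in _SIP_URI.finditer(line))
    return nums


# Leaf rules: each is a predicate over one packet.
def proto(name: str) -> Rule:
    return lambda p: p.proto == name


def port(n: int) -> Rule:
    return lambda p: n in (p.sport, p.dport)


def sip_number(number: str) -> Rule:
    return lambda p: number in sip_numbers(p.payload)


# Combinators: build a rule set once instead of editing a flat list of clauses.
def all_of(*rules: Rule) -> Rule:
    return lambda p: all(r(p) for r in rules)


def any_of(*rules: Rule) -> Rule:
    return lambda p: any(r(p) for r in rules)


def not_(rule: Rule) -> Rule:
    return lambda p: not rule(p)


def apply_filter(rule: Rule, packets: List[Packet]) -> List[Packet]:
    return [p for p in packets if rule(p)]


# Constructed sample traffic, not a real capture.
INVITE = (b"INVITE sip:5559876@pbx.example.net SIP/2.0\r\n"
          b"Via: SIP/2.0/UDP 10.0.0.5:5060\r\n"
          b"From: \"Alice\" <sip:5551234@10.0.0.5>;tag=1\r\n"
          b"To: <sip:5559876@pbx.example.net>\r\n"
          b"Call-ID: abc@10.0.0.5\r\n\r\n")
OK_200 = (b"SIP/2.0 200 OK\r\n"
          b"From: \"Alice\" <sip:5551234@10.0.0.5>;tag=1\r\n"
          b"To: <sip:5559876@pbx.example.net>;tag=2\r\n\r\n")
REGISTER = (b"REGISTER sip:pbx.example.net SIP/2.0\r\n"
            b"From: <sip:5550000@10.0.0.7>\r\n"
            b"To: <sip:5550000@10.0.0.7>\r\n\r\n")
HTTP = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"

SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", "udp", 5060, 5060, INVITE),
    Packet("10.0.0.20", "10.0.0.5", "udp", 5060, 5060, OK_200),
    Packet("10.0.0.7", "10.0.0.20", "udp", 5060, 5060, REGISTER),
    Packet("10.0.0.5", "10.0.0.30", "tcp", 40012, 80, HTTP),
]

# "SIP over UDP on port 5060 that involves extension 5551234"
ALICE_CALLS = all_of(proto("udp"), port(5060), sip_number("5551234"))

if __name__ == "__main__":
    for p in apply_filter(ALICE_CALLS, SAMPLE):
        print(p.src, "->", p.dst, sorted(sip_numbers(p.payload)))
```

Note that the number match is done on the decoded URI user part, not on a raw substring of the payload, so `5551234` does not also match a Call-ID or a Via header that happens to contain those digits.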
In short, ClearSight Analyzer has a well-appointed and strikingly visual interface, which provides relatively intuitive access to the depths of network data flows. It would be nice to be able to retain data seen during a real-time session, prior to capture, but the viewpoint provided is clear.
A useful tool which gives innovative, reasonably intuitive and deep access to network packet flows.