nGenius is a network traffic analysis system that provides centralised monitoring of networks, to application level, in both the local area and the wide area. The product has two key components: nGenius probes and the nGenius Performance Manager application.

Performance Manager (PM) is the data collection and analysis component. The core application uses a Sybase back-end database for the actual data storage, and the user interface is Web-based (in fact once you get past the front page, the main GUI functionality is contained in a Java program that's downloaded for you). Once it's set running, the PM interrogates its various data sources at customisable, predetermined intervals, and obtains statistical data that's then used to tell the operator what he or she wants to know.

There are three key types of data source. First is traditional SNMP/MIB-II interrogation, which the PM uses to extract traffic data from the various devices whose existence you've told it of. Next is the relatively modern range of flow monitoring protocols – specifically, PM understands both the new sFlow standard and Cisco's proprietary NetFlow equivalent. Third is integration with NetScout's own nGenius probes, which are deployed as 'network taps' across the corporate network, and which collect information for examination by the PM. In practice, NetFlow data is collected by the nGenius probes (up to 10 NetFlow sources per probe), which store statistical information in the form of ingress and egress counts for each interface.

Detailed probing
Let's pause a moment to look at the probes. These are proprietary hardware devices, based on Intel processors but with NetScout's proprietary operating system and software held in flash memory. There's a whole list of probes available, both single- and multi-port, and you deploy them in the same way as you would, say, an RMON probe: either via a physical tap into a network segment or via a "mirror" port in a switch. In their standard form, the probes collect information, analyse it, and store statistical information ready for passing up to the PM; it wouldn't be practical to equip the probes with enough memory or disk space to record complete packet detail indefinitely, but statistical stuff is usually sufficient.

An optional extra to the probe range is the Flow Recorder, which will be launched at the end of April (but which we looked at for this review); it's a Linux-based box which connects into an nGenius probe and which records not just the summary information but also the detail of the packets that the probe is seeing, so that you can play back the actual network traffic later. Although it's unreasonable to expect what's effectively a Linux-based computer to keep up with a super-high-speed link, one nice trick is that you can tell the probe to filter packets before passing them out for recording – so you can choose to record only the header information of each packet. This makes the data volumes you're storing much smaller and means that in the average case you can record complete, useful header data even for a Gigabit link.

More about the PM
Anyhow, back to the PM. The first task when you install the unit is to define the various devices you want it to pull its data from, and what types of data you want. There's a vast list of different applications to choose from, though you can define your own if you so wish. Applications are defined either by port number (for traditional stuff like FTP, video streaming and the like) or by URL (if you're using Web-based applications), and if you want to define your own, this is done by stipulating a collection of IP addresses and port numbers. Incidentally, you can define global settings (which are automatically sent to all probes) and you can fine-tune individual probes with their own special extra settings where you want to do something slightly different.

Once you've told the system where to get its data, and at what intervals (shorter intervals mean more network traffic, so unsurprisingly there's a compromise to make), it will sit and collate data from the various sources. Examining the data is a simple case of choosing a data source from the list and picking how you want to examine the data (see below). Although the GUI follows the usual two-pane (overview/detail) approach, the main detail pane has a number of tabs along the top – think Excel worksheets. This allows you to have a number of different "detail" views going on at once and to flick between the various items just by clicking the appropriate tab; the average network manager probably has a set of standard views he or she uses all the time, and this feature makes that a breeze.

Context-relevant examination
Everything so far is pretty obvious and simple. The act of viewing the network's activity is where things start to get clever, because the system is designed to let you look at the stats from any angle you wish. So if you care about a particular link between two routers, you can choose a port at one end of the link and examine the performance. You can, however, also view data at the top level by VLAN, by one or more QoS levels, or by application. Note that you don't have to tell the system what VLANs exist or what QoS levels you're interested in – it figures out what's there based on the data it sees in packets, and it's even clever enough to understand how to put the traffic flows back together in a multi-link (trunked) connection that uses 802.1Q or ISL trunk protocols.

However you view data, nGenius allows you to drill down intuitively into the detail. Say, for instance, you'd asked it to show you the "top 10 talker" applications; for each application in the resulting graph, you could drill down and see which links were involved with that application, what VLANs it was using, what the QoS distribution is, and so on. The drill-down process is a simple case of right-clicking and picking the desired option, and you can represent the results in a number of graphical forms or as a table (which you can export if you want to throw it at Excel for management reporting). And whenever you drill down, nGenius preserves the filters you've chosen thus far – so if you click on an application and then drill down into a switch port that's being used by it, you'll see only the data for that application on that switch port. For drill-downs that you do a lot (e.g. your "favourite", or more likely most heavily loaded connections) you can add items to the "QuickViews" item in the popup menu.

If you drill down into an item and you want to see the real traffic flow, you can tell the probe to launch a real time data capture. Because the probe is basically a grab-and-filter device, these real-time captures will be pre-filtered based on the context in which you were viewing the item detail – so if you were interested in SAP data on a given switch port, what you'll see is precisely that, with all the extraneous stuff removed. The capture facility is just what you'd expect to see in a network watcher – intelligent packet decodes, saving of traces for future reference, and so on – but one neat trick is that the Java GUI only pulls header details over the network until you click on a packet, and only then does it retrieve the entire packet detail.

Capacity planning
Because the PM collects statistical information, you can do not just real-time and historical reporting but also some extrapolation of future growth. When you draw a graph of historical performance data, you'll see a little line wandering on into the future – which is nGenius' estimate of where your traffic levels are going. The capacity planning features are, in fact, very versatile – so based on the thresholds you set for each link, application or host in the configuration screens, it'll predict when those thresholds will be reached and thus allow you to plan ahead. On a related note, it will come as no surprise that along with these "critical" thresholds, you can configure the system to send threshold-based alerts to system managers (via email, pagers, etc) as you would in a traditional network management package.

The final monitoring tool we should mention is the Active Agent. This is an application client emulator which you can use to measure the response times of your applications for ongoing monitoring. So you can schedule DNS lookups, pings, HTTP GETs or even sequences of activities, and the agent will perform the appropriate functions at the stipulated times and report its findings to a nominated probe.

Access to all of the above features is defined by user and role. You'd probably want to give some users read-only access and others read/write access, but you can in fact go a step further and allow some users to see only the packet headers, not the payload, in a traffic capture (a typical example would be for an outsourced network person to be able to help with diagnostics without sending sensitive data out of the building).
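The header-only idea appears twice above: the probe filtering packets down to headers before the Flow Recorder stores them, and the role that may see headers but not payload in a capture. As an added illustration (not NetScout's code; the review does not describe how the product implements it), this Python example trims an Ethernet frame to its 802.1Q, IPv4 and TCP/UDP headers. The function names and the sample frame are constructed for the example.

```python
import struct

def header_length(frame: bytes) -> int:
    """Bytes of link/network/transport header at the start of an Ethernet frame."""
    if len(frame) < 14:
        return len(frame)                      # runt frame: nothing to split
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    while ethertype == 0x8100 and len(frame) >= offset + 4:   # 802.1Q tag(s)
        (ethertype,) = struct.unpack_from("!H", frame, offset + 2)
        offset += 4
    if ethertype != 0x0800 or len(frame) < offset + 20:
        return offset                          # not IPv4: keep link header only
    ihl = (frame[offset] & 0x0F) * 4
    if ihl < 20 or len(frame) < offset + ihl:
        return offset                          # malformed IPv4 header
    proto = frame[offset + 9]
    fragment_offset = struct.unpack_from("!H", frame, offset + 6)[0] & 0x1FFF
    offset += ihl
    if fragment_offset:
        return offset                          # later fragment: no L4 header
    if proto == 6 and len(frame) >= offset + 20:              # TCP
        data_offset = (frame[offset + 12] >> 4) * 4
        if 20 <= data_offset <= len(frame) - offset:
            offset += data_offset
    elif proto == 17 and len(frame) >= offset + 8:            # UDP
        offset += 8
    return offset

def strip_payload(frame: bytes) -> bytes:
    """Return only the header bytes; application data is never stored or shown."""
    return frame[:header_length(frame)]

def build_sample_frame(payload: bytes) -> bytes:
    """Constructed test frame: Ethernet + VLAN 100 + IPv4 + TCP + payload."""
    eth = bytes(6) + bytes(6) + struct.pack("!HHH", 0x8100, 100, 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload

if __name__ == "__main__":
    frame = build_sample_frame(b"user=alice&pin=1234")
    kept = strip_payload(frame)
    print(f"recorded {len(kept)} of {len(frame)} bytes; payload kept: {b'pin=' in kept}")
```

Parsing the actual header lengths, rather than cutting every packet at a fixed byte count, is what keeps payload bytes out of the recording when VLAN tags or IP/TCP options change where the headers end.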

Simple reporting
For the read-only management types, "newspapers" are the answer. These are idiot-proof summaries of the various activities happening on the network which management can use to get an overview of how things are performing. Like the main PM, you can drill down into items, but only in a very coarse-grained way – because the hierarchy of pages is based on data and graphs that are processed nightly. Although if you dig down far enough the newspaper function has the option of fetching live data from the probes, this feature is really aimed at those who want a high-level overview without having to learn how to fly the PM.

nGenius is a big, serious network management product. It's surprisingly simple to use, though, because although the initial roll-out and setup can be convoluted in a complex network, everything's brought together quite sensibly and the user interface makes it easy to navigate around the network in the context that makes the most sense at the time. Historical statistical information and real-time analysis are nothing new, but being able to examine the data from an angle other than port-by-port is an excellent bonus, and the addition of the Flow Recorder to enable accurate replay of actual historic packet information is a super idea.


Although the system is surprisingly easy to use, performance will depend on the hardware you run it on. nGenius stores serious amounts of data and uses a commercial DBMS, so don't skimp on the hardware.