This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Looking on recommendations/best practices on WS deployment at large Data Centers

0

Hi WS community. Willing to get references/best practices/experience on WS deployment at large data centers. Looking to understand what types of configurations/arrangements have worked well, which have not, which tools to use to process/automate data collection, etc. Thanks very much -f

asked 23 Nov '15, 08:25

fturriaf

please define "large data center" and what you are trying to do.

(23 Nov '15, 09:28) Kurt Knochner ♦

Hi Kurt, I'm referring to a DC with 10-20 rows with 32 racks per row and typically 15 servers per rack, so about 10,000 servers (30% of them bare metal, the rest running hypervisors). Basically, looking to be able to monitor any server by mirroring network ports at the ToR. Initially, I was thinking of deploying a small cluster of servers running Wireshark per row, but I'm not sure if this is a good approach or if there are smarter ways to do this. Thanks

(23 Nov '15, 09:35) fturriaf

2 Answers:

0

for an environment like that, Wireshark will work if the capturing devices (ToR) are fast machines (CPU, RAM, disk IO) and you don't have to capture at full speed 10Gig.

But operating a distributed capturing architecture is not easy. Wireshark won't help you here (let's ignore remote capturing), so you will end up with a lot of manual processing. Please think about:

  • start/stop capturing
  • copying/archiving capture files
  • searching in a large amount of capture files for certain data and/or patterns
  • loading very large capturing files (several Gbyte)
  • etc.

Maybe a commercial capturing system would fit better into a data center environment of that size.

I'm not saying that it's impossible with Wireshark, it's just a lot more manual work than with a commercial solution.

Maybe the following Open Source projects can help or give some ideas.

http://www.openfpc.org/
https://github.com/aol/moloch
https://github.com/RIPE-NCC/hadoop-pcap

There was also a Sharkfest talk about a similar matter

https://sharkfest.wireshark.org/assets/presentations/A6.pptx

You could try to contact the authors, maybe they can give some more hints.

Regards
Kurt

answered 23 Nov '15, 11:05

Kurt Knochner ♦

edited 23 Nov '15, 14:49

Thanks Kurt. Any recommendation on commercial solutions with proven experience in Datacenter environments?

(23 Nov '15, 11:29) fturriaf

  • Riverbed (SteelCentral)
  • Savvius Omnipeek
  • Fluke
  • Endace
  • Netscout
  • Niksun (NetOmni)
  • AppDynamics
  • many more.

"Network Performance Management" and "Application Performance Management" are the search keywords @ Google.

(23 Nov '15, 14:11) Kurt Knochner ♦

Yes, and additionally I would say...
The best solution depends on your specific requirements.

(23 Nov '15, 14:19) Christian_R

as always ;-)

(23 Nov '15, 14:27) Kurt Knochner ♦

@Kurt: I liked your list.
I just wanted to underline that there is no general All in One Perfect Tool, and so this list is the best answer to the question of @fturriaf.

(23 Nov '15, 14:50) Christian_R

I just wanted to underline, that there is no general All in One Perfect Tool

That's how I understood your comment :-)

(23 Nov '15, 16:46) Kurt Knochner ♦

Thanks very much for advice. Best Regards

(24 Nov '15, 14:10) fturriaf

Hint: If a supplied answer resolves your question can you please "accept" it by clicking the checkmark icon next to it. This highlights good answers for the benefit of subsequent users with the same or similar questions. For extra points you can up vote the answer (thumb up).

(24 Nov '15, 16:49) Kurt Knochner ♦

We are actually looking into a Network Performance Monitoring and Diagnostic (NPMD) tool for our 2 DCs and we've seen demos of products from various brands, but do you want to monitor server or network performance? It all depends on your requirements and budget. I agree with Kurt; using WS for that is not optimal (Riverbed is actually using WS as deep packet analyzer). You'd need a tool that is doing analysis & stats on live traffic, and can store it for some time so that you can do historic analysis. There are 2 different kinds of tools on the market that can do this:

  1. a network packet capturing and storing tool; you need to put in-line taps on network links or span traffic to monitor sessions in a switch/router
  2. a Netflow collector, which uses Netflow traffic, but these will not give you performance stats and analysis; they are however cheaper and good for security monitoring

Below are some additional brands for NPMD tools (add them to Kurt's list) that fall in the first category (but some can also do the 2nd one):

  • Corvil
  • Viavi Solutions (formerly Network Instruments)
  • SevOne
  • Packet Design

You probably might want to add a network capture aggregation layer; below are some brands:

  • Gigamon
  • Ixia
  • Arista

Other very interesting tools that are somehow doing analysis and statistics as well, but in a completely different way from packet capturing/analysing tools (for network), are listed below. Take a look at their websites, it's worthwhile:

  • LiveAction
  • Netbrain

and other specials:

  • Accedian
  • Emelux

Good luck!

(26 Nov '15, 07:30) profke

0

Or look at the right hand side column of this page. Riverbed, providing a home for Wireshark, may have solutions you seek.

answered 23 Nov '15, 11:18

Jaap ♦