Baselining with sniffer

Status
Not open for further replies.

bmorritt

MIS
May 5, 2000
32
US
I would like to know what everyone's suggestions would be for baselining our network with the sniffer.
 
DOCUMENT!!!!!

Start with documenting on paper your network or at least how you think it is :) Once that is done, identify all switches and subnets with their masks. Find out if you can set up a promiscuous (spelling?) port on each switch; if not, life will get much harder. Add all the subnet information to the advanced options on the Sniffer. Attach the sniffer to the monitoring port and give a quick look. Figure on running your baseline for at least 1 week, more than likely, 3-5 weeks. Use a fairly wide sample rate to avoid filling up the disk. Once you have the raw files, you set up your filters and retransmit them via loopback and packet generator to check various historical data points. All in all, figure roughly 6 weeks to do it right from beginning to end. If you have a small network, then it could be faster; if larger, then more time would be required. Also, if you have a complex network with fun things like Oracle and the like, you have to run the baseline a fair amount of time to make sure you get a realistic sample. Also look at the business model and make sure the baseline covers things like end-of-quarter or any special monthly reports etc.

Mike
 
We have a decent size network with several VLANs; what would your approach be? To take 6 weeks for each VLAN?
 
I would rent a 2nd sniffer or build up or quietly build a couple more so you can catch the VLANs concurrently. That would shave quite a bit of time off your baseline. It would also let you compare traffic flows on the same timeline.

Mike
 
This is from an old friend of mine...

Understanding Baselining

In order to understand if current performance levels are typical, if the behavior is aberrant, or if changes have occurred, users need to understand the normal behavior of their network. Baselines answer the question "What is normal anyway?" The fundamental definition of a baseline is well understood: a single set of values that summarize the data from a recurring time interval. For example, the baseline for the 10:00am hour would aggregate all the measurements taken during that hour over some period of time into one number that represents the normal or expected performance level for that hour.

Time is an important factor in any trend analysis. It plays two roles in baselining. First is the baseline period, which is the length of time over which the data that will be baselined is collected. Second is the baseline interval, which is the timespan each baseline value represents. For example, the baseline period may last for one month. At the end of the month, the collected data is summarized into 24 values representing one-hour intervals that provide an hour by hour baseline of a typical day.

Baselining periods may be applied in two ways. One is a series of discrete, sequential periods for which an analyst may want separate baselines. This approach provides a means to watch the trend in the baseline itself. For example, each month will be baselined in order to compare the current month to the previous month, or to compare a month in the current year to the same month the previous year. Alternatively, a baseline period may be a sliding window. For example, the baseline may summarize the previous weeks, and each week a new baseline is generated that overlaps with 5 weeks of the prior baseline period. This type of measurement highlights the impact of the most recent data on the general direction in which performance is heading.
In either case, the analyst needs to know the start and end points of the baseline period for the summarized information to be meaningful.

Baseline intervals are chosen according to the cyclical nature of the object being studied. How an interval is broken up depends on how the subject behaves or how closely it needs to be measured. Daily and weekly cycles are common, so profiling a typical day or week is useful. The obvious interval for baselining a day is by the hour; however, in a business environment it may be necessary to baseline by operating shifts, by AM vs. PM or some other site-specific interval. Weekly intervals might be by the day or by the hour for each day. It is also important to be able to exclude unnecessary or skewed data from the interval. For example, the interval may be one day, but only part of the day may be significant, such as the business day rather than the entire 24 hours. Longer intervals (e.g., months) may also be important, especially as the baseline period recedes further into the past.

Baselines may be generated on a specific object to track its typical performance. They can also be generated on a class of objects to highlight how that type of object generally behaves.

Baselines allow users to monitor performance in a variety of ways. The most fundamental application is to indicate typical (i.e., expected) performance. A simple graph of the baseline will do this. Exception reports can be used to identify baselines that exceed appropriate thresholds. A common use of baselines is for comparison with current performance levels. Overlapping graphs present this in an easily understood format. Exception reports can identify managed elements that are above or below the baseline by more than an acceptable amount. This comparison may be made against the element's own performance or against the performance of the class of which the element is a member. Comparisons may also be made between classes of objects.
One application of a "Current vs. Baseline" type of report is to study the effects of a planned change. Such a report would answer questions like:

  • Did the upgrade improve performance as much as was hoped/expected/promised?
  • Did the additional bandwidth reduce delays and improve throughput?
  • How much is the new application affecting performance and in what ways?

Finally, changes in the baseline itself are important for judging the direction in which performance is heading, for better or for worse. Graphs can show the relative levels of sequential baseline periods or this year's baseline versus last year's. Exception reports can highlight elements whose baselines changed by more than an acceptable amount from one baseline period to the next. If a sliding baseline is used, watching the most recent tendencies becomes a basis for forecasting future behavior.
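The baseline period, baseline interval, sliding window and "Current vs. Baseline" exception report described in the post above, as an added Python example that is not part of the original thread. The function names, the 25% tolerance and the utilisation samples are assumptions constructed for illustration; it assumes the sniffer's history has been exported as (timestamp, value) pairs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean

def hourly_baseline(samples, start, end, hours=range(24)):
    """Summarise samples in the baseline period [start, end) into one value
    per hour-of-day interval, ignoring hours outside `hours`."""
    buckets = defaultdict(list)
    for ts, value in samples:
        if start <= ts < end and ts.hour in hours:
            buckets[ts.hour].append(value)
    return {hour: mean(vals) for hour, vals in sorted(buckets.items())}

def sliding_baselines(samples, first_start, window_weeks, count, hours=range(24)):
    """Sliding window: a new baseline each week, overlapping the previous one."""
    result = []
    for i in range(count):
        start = first_start + timedelta(weeks=i)
        end = start + timedelta(weeks=window_weeks)
        result.append((start, end, hourly_baseline(samples, start, end, hours)))
    return result

def exception_report(current, baseline, tolerance=0.25):
    """Intervals where the current value is above or below the baseline by
    more than `tolerance` (a fraction of the baseline value)."""
    report = []
    for hour, value in sorted(current.items()):
        base = baseline.get(hour)
        if base and abs(value - base) / base > tolerance:
            report.append((hour, base, value))
    return report

def constructed_samples(start, days):
    """Constructed link-utilisation samples (%), one per hour, rising by one
    point each week. Sample data for this example, not a real capture."""
    return [(start + timedelta(days=d, hours=h), (40 if 8 <= h < 18 else 10) + d // 7)
            for d in range(days) for h in range(24)]

PERIOD_START = datetime(2000, 5, 1)
PERIOD_END = PERIOD_START + timedelta(weeks=4)
SAMPLES = constructed_samples(PERIOD_START, 28)
BUSINESS_HOURS = range(8, 18)  # exclude off-hours data from the interval

if __name__ == "__main__":
    month = hourly_baseline(SAMPLES, PERIOD_START, PERIOD_END, BUSINESS_HOURS)
    today = {9: 43, 10: 75, 11: 40}  # constructed current-day readings
    print(exception_report(today, month))
    for start, end, base in sliding_baselines(SAMPLES, PERIOD_START, 3, 2, BUSINESS_HOURS):
        print(start.date(), end.date(), base[10])
```

The sliding baselines for the 10:00 hour move from one window to the next, which is the drift in the baseline itself that the post says to watch.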
 