Overview
Colasoft nChronos, integrating real-time surveillance with back-in-time analysis, is an enterprise-class network monitoring and performance analysis solution. Designed for 24x7 network packet capturing, analysis and storage, and dedicated to the sustainable, efficient and safe running of networks, Colasoft nChronos provides a reliable data basis for constructive suggestions on enterprise profit growth. Excellent in data drill-down, data tracing and locating, and security forensics, nChronos makes it possible to troubleshoot historical network issues by rewinding and zooming in to any previously recorded time period. This saves the tremendous time and effort that would otherwise be required to reconstruct network scenarios. Besides troubleshooting network issues, Colasoft nChronos can also be used to evaluate and benchmark long-term network performance and to audit user activity.
Benefits for Network Engineers
Traffic Visibility – The real-time trend charts show traffic status graphically, giving users a clear understanding of network traffic. Comprehensive statistics show how network traffic is distributed.
Intelligent Alerts – With rich alarm types and alarm triggers, nChronos is able to find abnormal network traffic at the earliest moment, which helps prevent application and service interruption.
Forensics Truth – When faults happen, nChronos can provide proof of whether the faults are caused by the network or by applications, so as to stop finger pointing.
Scenario Reproduce – With back-in-time analysis, it is convenient to reproduce the original scene of how an issue happened. There is no need to wait for the issue to happen again.
Value and Advantages
With an analysis performance of up to 20 Gbps, Colasoft nChronos is able to capture the large traffic of backbone links at line speed, to analyze and store the traffic in real time, and to monitor several network adapters simultaneously to aggregate the traffic from multiple links. With a storage capacity of hundreds of TB, Colasoft nChronos is able to store both the real-time analysis results and the packets. Together with a storage filter and splicing storage technology, nChronos is able to store only the information of interest, which makes effective use of the storage space.
Features
Long-term capturing and recording
With the huge storage capacity, the original packets, data streams, conversations, application logs, and all analysis statistics can be stored for the long term.
Real-time monitoring and analysis
Colasoft nChronos offers real-time network statistics. With the real-time statistics, network administrators can instantly understand the current pattern of the network.
Drill-down analysis
Colasoft nChronos offers complete access to application-level traffic flows, network statistics and data link information across all seven OSI layers.
Packet decoding
Colasoft nChronos offers a powerful ability to help IT professionals conduct in-depth network analysis and optimize the entire network's performance, so as to increase enterprise network productivity.
Retrospective analysis
Colasoft nChronos can quickly retrieve the traffic packets of any time period and simultaneously drill down for data mining and full analysis.
Schedulable, user-defined reports
Colasoft nChronos provides both system and user-defined reports. Reports can be sent to specified email recipients. Users can schedule hourly, daily, weekly and monthly reports.
Alerts and abundant alarm parameters
Colasoft nChronos helps users create a network baseline and set up online triggered alerts for network events, for warning of and preventing network outages.
Application performance analysis and transaction analysis
Colasoft nChronos can define custom application monitoring functions as well as transaction monitoring based on the application data.
Problem Description
A business system in an ISP machine room had abnormal traffic for a period of time. There was a traffic burst every hour, each burst lasted about 5 to 10 minutes, and the traffic was mainly sent by the business system hosts. In order to determine the cause of the problem, nChronos Server was deployed in bypass mode on the distribution switch of the business system for long-term packet capture and analysis.
Analysis Procedure
Analyze traffic during the normal period
First, we analyzed the traffic of the business system during the normal period. It can be seen from the figure below that the peak traffic of the normal period is 13.65 Mbps (at one-second resolution) and the average traffic is 8.47 Mbps.
During the normal period, the traffic volume between 10.199.90.51 and xx.125.96.36 was obviously greater than that of the other communication pairs, as shown in the figure below. We analyzed the traffic between the two hosts, checked with the business system staff, and confirmed that the traffic was normal business communication.
Analyze traffic during the abnormal period
At around 15:55 on the day nChronos Server was deployed, there was a traffic burst, with peak traffic reaching 85.53 Mbps (at one-second resolution), as shown below:
At that moment, the IP conversation with the largest traffic volume was between 10.199.90.51 and 10.199.72.168, and its volume far exceeded that of the communication between 10.199.90.51 and xx.125.96.36, as shown in the figure below:
We extracted the packets of that IP conversation and found that 10.199.90.51 accessed 10.199.72.168 through TCP port 3181, and that almost all of the data was sent from 10.199.90.51 to 10.199.72.168. The conversation contained a lot of content resembling system logs, but the log entries were all dated May 2014, as shown in the figure below.
After verification, 10.199.72.168 is a network management platform, and port 3181 is the service port of the network management system.
Analysis Conclusion
The analysis above shows that the periodic traffic burst was communication between the business system in the machine room and the network management server. This essentially rules out the possibility of a direct attack from external networks. Judging from the communication content, it should be 10.199.90.51 reporting historical logs to the network management system. To locate the cause further, it is recommended to check host 10.199.90.51 and the network management system to determine whether the data content and volume are normal.
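The investigation above follows a repeatable pattern: establish a baseline (peak and average throughput at one-second resolution), find the seconds where throughput exceeds that baseline, rank the IP conversations inside the burst window, and then profile the top conversation for direction and destination port. The following Python script is an added example of that procedure run over constructed flow records; it is not Colasoft's code or nChronos output. The records, the byte counts and the timings are all constructed, and 203.0.113.36 stands in for the redacted external host xx.125.96.36.

```python
"""Baseline / burst / top-conversation analysis over constructed flow records.

Each record is (second, src_ip, dst_ip, dst_port, bytes), with `second` an
offset from the start of the capture. All records are constructed sample data.
"""
from collections import defaultdict

BUSINESS_HOST = "10.199.90.51"      # business system host from the case study
NMS_HOST = "10.199.72.168"          # network management platform from the case study
EXT_HOST = "203.0.113.36"           # placeholder for the redacted external host xx.125.96.36
NMS_PORT = 3181                     # service port of the network management system


def build_sample_flows():
    """Constructed sample: a quiet baseline minute, then a burst minute an hour later."""
    flows = []
    for s in range(0, 60):                                             # baseline: 0..59 s
        flows.append((s, BUSINESS_HOST, EXT_HOST, 443, 600_000))       # 4.8 Mbit/s out
        flows.append((s, EXT_HOST, BUSINESS_HOST, 50000, 200_000))     # 1.6 Mbit/s back
        flows.append((s, "10.199.90.52", "10.199.90.53", 445, 100_000))
        if s == 30:                                                    # one small spike
            flows.append((s, "10.199.90.52", "10.199.90.53", 445, 300_000))
    for s in range(3600, 3660):                                        # burst: 3600..3659 s
        flows.append((s, BUSINESS_HOST, EXT_HOST, 443, 600_000))
        flows.append((s, EXT_HOST, BUSINESS_HOST, 50000, 200_000))
        flows.append((s, BUSINESS_HOST, NMS_HOST, NMS_PORT, 9_000_000))  # 72 Mbit/s one-way
        flows.append((s, NMS_HOST, BUSINESS_HOST, 40000, 50_000))
    return flows


def bytes_per_second(flows, start, end):
    """Total bytes observed in each second of [start, end)."""
    per_sec = defaultdict(int)
    for sec, _src, _dst, _port, nbytes in flows:
        if start <= sec < end:
            per_sec[sec] += nbytes
    return per_sec


def peak_and_average_mbps(flows, start, end):
    """Peak and average throughput in Mbit/s at one-second resolution."""
    per_sec = bytes_per_second(flows, start, end)
    if not per_sec:
        return 0.0, 0.0
    peak = max(per_sec.values()) * 8 / 1e6
    avg = sum(per_sec.values()) * 8 / 1e6 / (end - start)
    return round(peak, 2), round(avg, 2)


def find_burst_windows(flows, baseline_peak_mbps, factor=3.0):
    """Contiguous runs of seconds whose throughput exceeds factor x the baseline peak.
    Returns a list of (first_second, last_second) tuples."""
    last = max(sec for sec, *_ in flows) + 1
    per_sec = bytes_per_second(flows, 0, last)
    threshold_bytes = baseline_peak_mbps * factor * 1e6 / 8
    hot = sorted(s for s, b in per_sec.items() if b > threshold_bytes)
    windows = []
    for s in hot:
        if windows and s == windows[-1][1] + 1:
            windows[-1][1] = s                  # extend the current run
        else:
            windows.append([s, s])              # start a new run
    return [tuple(w) for w in windows]


def top_conversations(flows, start, end, n=3):
    """Busiest IP pairs (both directions merged) in [start, end), highest first."""
    totals = defaultdict(int)
    for sec, src, dst, _port, nbytes in flows:
        if start <= sec < end:
            totals[tuple(sorted((src, dst)))] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def conversation_profile(flows, host_a, host_b, start, end):
    """Direction split and dominant destination port of one IP conversation:
    the check that exposed the one-way upload to TCP/3181 in the case study."""
    sent = {host_a: 0, host_b: 0}
    ports = defaultdict(int)                    # (sender, dst_port) -> bytes
    for sec, src, dst, port, nbytes in flows:
        if start <= sec < end and {src, dst} == {host_a, host_b}:
            sent[src] += nbytes
            ports[(src, port)] += nbytes
    total = sent[host_a] + sent[host_b]
    if total == 0:
        return None
    talker = max(sent, key=sent.get)
    _, dst_port = max((k for k in ports if k[0] == talker), key=ports.get)
    return {"sender": talker,
            "receiver": host_b if talker == host_a else host_a,
            "sender_share": round(sent[talker] / total, 3),
            "dst_port": dst_port}


if __name__ == "__main__":
    flows = build_sample_flows()
    base_peak, base_avg = peak_and_average_mbps(flows, 0, 60)
    print(f"baseline: peak {base_peak} Mbit/s, average {base_avg} Mbit/s")
    for first, last in find_burst_windows(flows, base_peak):
        peak, avg = peak_and_average_mbps(flows, first, last + 1)
        print(f"burst {first}-{last}s: peak {peak} Mbit/s, average {avg} Mbit/s")
        (pair, nbytes), *_ = top_conversations(flows, first, last + 1, n=1)
        print(f"  top conversation {pair}: {nbytes} bytes")
        print("  profile:", conversation_profile(flows, pair[0], pair[1], first, last + 1))
```

On the constructed data the script reports a baseline peak of 9.6 Mbit/s, one burst window an hour later, and a top conversation in which 10.199.90.51 sends over 99% of the bytes to port 3181 on 10.199.72.168. The burst threshold (three times the baseline peak) is a deliberately simple rule; in practice the baseline should be taken from a long normal period so that ordinary fluctuations, like the small spike at second 30, do not trigger it.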