WildPackets

NetSense

NetSense

Please note that NetSense is no longer sold.


Current Version

4.2.0

Supported Operating Systems

Windows 98/ME/NT 4 SP6a
Windows 2000 SP3
Windows XP SP1

FAQs


General

Expert

General

Return to top of page What is NetSense?

NetSense is a powerful, 32-bit Windows application that performs peer-to-peer packet transaction analysis of network protocols on trace files captured by a variety of wired and wireless analyzers. NetSense can analyze files from NAI Sniffer, Agilent, Fluke, Microsoft NetMon, UNIX tcpdump, Network Instruments Observer, and many others, including WildPackets' own award-winning analyzers. Data from each packet contained in a trace file is extracted by NetSense and displayed in several graphical and list-based report formats.

Return to top of page NetSense can't read the trace file that I saved with AiroPeek 2.0.1/EtherPeek 5.1/EtherPeek NX 2.1/GigaPeek NX 1.0. Why can't NetSense read my trace file?

AiroPeek 2.0.1/EtherPeek 5.1/EtherPeek NX 2.1/GigaPeek NX 1.0 use a new packet file format when they save out a .pkt trace file. If NetSense cannot read this new format, open the file in AiroPeek 2.0.1/EtherPeek 5.1/EtherPeek NX 2.1/GigaPeek NX 1.0 and choose Save All Packets..., change the 'Save as type' field on the 'Save As' dialogue to 'EtherPeek Classic Packet File (.pkt) or 'AiroPeek Classic Packet File (.apc)'. Doing this will save out a packet file in the older format, which should be readable in NetSense.

Return to top of page I'm trying to open a PacketGrabber file in NetSense. NetSense keeps telling me that it is an obsolete or unsupported file type. What is wrong?

To open a PacketGrabber file in NetSense, you must first open the file in EtherPeek. In EtherPeek, save the file with a different name. Then you should be able to open the file in NetSense.

Return to top of page I see a listing in NetSense's Protocol Table called Novell Raw. What does this mean?

Novell Raw is also called Ethernet 802.3 by Novell. It's an encapsulation format unique to Novell that contains neither the length nor type field as required by IEEE 802.3.

Return to top of page Why do charts become unreadable in the Packet Size/Protocol Charts with traces of 4096 in size and larger?

Perhaps the number of protocols the pie chart is trying to show as text adjacent to the pie slices is cluttered. If so, you can right click on the chart and turn these off by deselecting the 'Show Values' property. You still get the key, so you can easily determine which protocol is used by its assigned color.

Return to top of page When using ProAnalyst, the latency/throughput icons had color when I first launched the program, but after first use, the icons became blurred.

Some display adapters that only show 256 colors, especially some laptops, have this problem. Set the display to more colors if possible. Note that when the window with the icons is selected, i.e. active, the colors should be okay. The colors are really blurred; it's a Windows color palette limitation.

Return to top of page When I tried the NetSense trial version, the light bulb icon in the Packet Visualizer window was blackened and available and showed me the Problem Analysis feature available with the program. Since buying and using the full-feature version, I haven't seen this icon highlighted. Is it implemented in the current full version of the software?

Yes, but you need error packets to use this feature. Perhaps you haven't had any errors in the packet traces that you've been using to load into NetSense.

Return to top of page I've tried to run NetSense on my Macintosh with Virtual PC and I get an error message. Why does it not operate properly in this environment?

You need Virtual PC version 2.1 or higher. If you don't have this release, please download the latest copy from the Connectix web site.

Return to top of page What file formats are supported by NetSense 4.2?

Analyzer

Company

File Suffix
AiroPeek, AiroPeek NX
(see Notes 1 and 2)		 WildPackets *.apc
DA-30 (DOS version) Acterna/WWG *.an1
DataGLANce IBM *.dgc
Domino Acterna/WWG *.cap
EtherPeek, EtherPeek NX
(see Note 2)		 WildPackets *.pkt
Fireberd500 Acterna/TTC *.pkt
Fireberd500 PC Acterna/TTC *.cap
Internet Advisor Agilent *.eth *.trn
LAN900 Digitech, Inc. *.dat
LAN Analyzer Agilent *.cap
LANalyzer Novell *.tr1
LinkView PRO Acterna/WWG *.cap
NetMetrix Agilent *.trc
Network Monitor (SMS) Microsoft *.cap
NetScout NetScout Systems *.dat
Observer Network Instruments *.bfr
Protocol Inspector Fluke *.cap
SnifferPro/NetXRay Network Associates *.cap *.caz
Sniffer (DOS version) Network Associates *.enc *.trc *.fdc
Snoop Sun Microsystems *.snoop *.cap
Surveyor Finisar/Shomiti *.cap
tcpdump/libpcap UNIX and Linux Platforms *.dmp
TokenPeek WildPackets *.tpc

Note 1: AiroPeek and AiroPeek NX (version 1.2 or earlier) *.apc files cannot be opened by NetSense 4.1. Starting with NetSense 4.2, these files can be opened and analyzed.

Note 2: Unsupported File Formats.
NetSense 4.2 supports WildPackets *.pkt files through EtherPeek 5.0 and EtherPeek NX 2.0, WildPackets *.apc files through AiroPeek 1.2 and AiroPeek NX 1.2, and WildPackets *.tpc files through TokenPeek 4.5. In future versions of these products, you will need to save traces in "classic" file format in order to load them into NetSense; otherwise, you may receive a message that the file is "obsolete, unsupported, or not a trace file."

Expert

Return to top of page What does the Client/Server Expert do?

The Client/Server Expert screen shows an entry for each client/server session established in the trace file.

An example of a client/server session would be an ICMP Echo session. The Echo request originates from the client and the server sends back an Echo reply. Client/server transaction entries in the table may contain some expert diagnoses, such as "Low Throughput" or "Busy Network or Server" as indicated in columns A-F. The client/server problem key at the bottom of the screen explains columns A through F.

General information such as the protocol and port, the number of bytes exchanged, the transaction duration, the response time, and throughput is calculated and reported.

The expert system bases its findings on thresholds and heuristics from human analysis of actual problems from hundreds of production networks. While some of your problems may fall outside the portion of the "bell curve" where most problems occur, the expert will alert you to possible deficiencies in many areas.

A = Low Throughput. Throughput is calculated from the server to the client. NetSense takes into account the Ethernet or Token Ring bandwidth of the trace and how much of that bandwidth is consumed while transferring data from the server back to the client. If a very small percentage is being utilized (less than 0.01 percent), then the expert assumes that either the client is accessing the server infrequently or there is a more severe problem such as transport retransmissions that will be noted in another column. Thus, the throughput must be greater than 0.01 percent of the available local bandwidth but less than 10 percent to trigger low throughput. To see all the Client/Server connections with low throughput, perform a descending or an ascending sort on the throughput.

B = Slow Response Time. Also known as "round-trip response time" or "round-trip latency" from the client to server and back. The first thing to keep in mind is that response time is relative to where the trace was taken. The closer you are to the server, the lower the response time. Tracing from the server segment will provide the best average response time and a close measurement of the server efficiency, provided that there's not a large amount of other traffic on that segment from other servers. Tracing from the client side will give you a good idea of the overall response time of the network+server. (For more details on this subject, please consult the section on Performing Latency Analysis in Chapter 2 of this manual.) The Expert requires at least 4 packet pairs with an average of more than 100 milliseconds to trigger slow response time.

C = Busy Network or Server. The Expert takes into account the minimum round-trip delay and the average round-trip delay to trigger a busy network or server. The more fluctuation there is in response time, the more likely there is contention for network or server resources. If this is flagged by the Expert, you should study the transactions in more detail in the Packet Visualizer or your protocol analyzer to see under what circumstances the variance (between minimum and round-trip delay) occurs, for example, during login authentication? File read/writes? You could also check other traces or SNMP monitoring tools for high utilization on segments between the client and server, such as a congested backbone or WAN link. Finally, you might check the server itself for high CPU utilization and which processes are consuming the most processor time.

D = Inefficient Client. If the conditions for low throughput are met (see above) and the client is basically in a "ping pong" conversation with the server (i.e., the send-to-receive packet ratio or window is close to 1:1), then inefficient client is triggered. Look at the Packet Visualizer or your protocol analyzer for more details.

E = # of Transport Retransmissions. Transport retransmissions basically occur when the client does not receive a response to a request (like NCP) or receive an acknowledgment to sent data (TCP). Retransmissions can be caused by many factors including, but not limited to:

  • packet(s) discarded on the way to the server or back due to CRC errors or buffering in a bridge/switch/router;
  • packet(s) delayed on the way over or back due to bottlenecks along the way, especially with WAN circuits;
  • packet(s) dropped by the server due to adapter congestion; or
  • packet(s) held in server memory but delayed in processing.

A good technique for narrowing down this problem is to capture traces from different segments along the path to the server. To get a snapshot of the "top retransmitting clients" perform a descending sort on this column.

F = # of Pkts In/Out Same Router. In the case where you have multiple IP subnets defined on one router port or are using multiple IPX frame encapsulation types, you may encounter packets being "locally routed" i.e., a packet enters a router (or a NetWare server with internal IPX routing), then is sent back on the same segment. To see how serious this "packet doubling" is, take a "wide open" trace snapshot with your analyzer then analyze it with NetSense and perform a descending sort on this column. Technical solutions and trade-offs to this problem are beyond the scope of this manual, but consider using a flatter subnet for IP, go back to IP routing or layer 3 switching, or get down to one encapsulation type in the case of IPX.

Return to top of page What is the ProAnalyst Toolbox?

The Pro Analyst Toolbox in NetSense automatically sorts IP and IPX packets by protocol and application transaction, and allows you to perform:

  • Latency Analysis
  • Throughput Analysis
  • Problem Analysis
  • "What If" Analysis

The Packet Visualizer component of the Toolbox provides unique insight into protocol operation by displaying packets in a spatial fashion and allowing you to easily see packet sizes and the delays between packet transmissions.

Return to top of page What kind of "What If?" Analysis is available with NetSense?

Clicking on the "What If" button in the Latency Analysis window of NetSense activates the "What If" window where you can perform load and response time analysis for a variety of scenarios, such as:

  • "What If" my local Ethernet application ran over a WAN circuit?
  • "What If" the application could be tuned to consolidate more data into larger packets?
  • "What If" five users were running this application simultaneously?
  • "What If" the host processing time is increased?
  • "What If" the protocol can be tuned to improve the send-to-receive packet ratio?
  • "What If" we use a dedicated leased-line instead of Frame Relay to reduce the circuit latency?

NetSense will take the actual Latency Analysis data as a starting point for predicting load and response time over a wide variety of WAN and LAN transmission speeds.

Return to top of page What is meant by hop number (from where to where) and how is it calculated?

You're referring to the IPX hop counts, which show the number of routers between two IPX addresses, since routers always increment the IPX hop count by one when a packet passes through. You can even use a trace from a backbone or intermediate segment, since we add the hop count together from packets in both directions.

Return to top of page I see the diagnostic report: "possible missing packet(s) prior to packet xxx". What can you tell me about this?

Here are some possible causes of "possible missing packet(s)" message:

1) The usual cause is a dropped packet by the analyzer under heavy load such that there is a TCP gap in successively sent sequence numbers. We also check for gaps in IPX packets.

2) It could also be an out of sequence packet.

3) If the "missing packet" is followed by a transport retransmission, then it was truly a dropped packet somewhere in the infrastructure prior to reaching the analyzer.

Additional Support and Resources

If you still need assistance, please select one of the following links for additional support.

Downloads

MyPeek

Networking Resources

Contact Technical Support
Copyright © 2008 WildPackets, Inc
All registered and unregistered trademarks are the sole property of their respective owners