January 2007
Volume 10 / Number 1

Solving the Network Crime Through Forensics

By Erik K. Linask


So you’re thinking of switching to a converged VoIP and data network that is supposed to save you money and give you countless new features to increase productivity and flexibility. Or perhaps you’ve already done so. Regardless of your current status, you’ll surely want assurances that your users are receiving certain levels of service quality. Because most service providers exaggerate the quality of VoIP calls today, you’re also probably wondering what you can do when problems occur.

VoIP applications are rather vulnerable during periods of heavy network usage or spikes, in addition to other, less common occurrences. What’s more, issues like Sarbanes-Oxley and HIPAA compliance, or even conformity with internal corporate acceptable use policies, create complex network monitoring and analysis needs, all of which are made more complicated when data and voice are converged on a single network.

Network forensics is one approach that, for all you CSI fans, is just what its name suggests — it involves essentially recreating the “crime scene” to investigate the source of the jitter, delay, or other call quality “crime.” It involves storing all data and voice packets that cross a network in order to go back and identify the problem, but it can prove invaluable, as network administrators hardly have the time to sit idly, waiting for something to happen.

Network Instruments, a 12-year-old Minneapolis-based firm, is one company with a forensic solution to network monitoring, and though the company has its roots on the data side, the convergence of voice and data has created a need for it, too, to venture into the VoIP monitoring and analysis arena.

“The industry has been changing quite a bit, and we’re excited, especially from the VoIP standpoint,” said Network Instruments’ Senior Systems Engineer Charles Thompson. “Time-based analysis is becoming extremely important for accurate troubleshooting, for deploying the solution, and for tracking network trends.”

Network Instruments has a variety of different capture products that can be placed at different points in the network — in the core by the call manager or the servers, or at the access layer. Its GigaStor unit, which has been dubbed by some of its clients as TiVo for the network, typically sits in the network core, constantly storing network traffic data to disk, providing visibility, while one of its 1U appliances sits at the network edge, offering visibility to traffic between endpoints.

“The key is that they’re all reporting back to the same console,” explained Thompson. “It’s the same software that’s driving all the statistics and providing all the analysis of the data into one converged application.”

Knowing the data is being stored to disk, creating the opportunity to go back and investigate the incident retroactively, administrators can comfortably define monitoring and alerting standards, setting up thresholds for what their end users consider acceptable call quality. And since network administrators can never know what data they might need, or when they might need it, the solution makes it all available for retroactive analysis. In fact, beyond forensic use and problem identification, the GigaStor can also be used for long-term VoIP analysis and troubleshooting and for general data mining.

The Network Instruments solution is powered by its NI-DNA (Network Instruments Distributed Network Analysis) architecture, the basis of which lies in its unified code set. This is important because, unlike many other solutions, it means its products are all developed from the same basic product set, designed to work together seamlessly, without several different components. In terms of its VoIP analysis capabilities, this means that when it was introduced back in November of 2005, it was available for Ethernet, WAN, Gigabit networks, as well as older systems that most customers probably aren’t even using any more, like Token Ring. And because the solution was built on the same code as its other products, Network Instruments was assured it would integrate seamlessly.

Network Instruments’ embedded Gen2 technology — designed and developed in-house — is one of the major components that drives its forensics solution, and its technology as a whole. It is designed to capture data while integrating the hardware and software, delivering that data to the management console, the company’s Observer software, in a seamless, unified format: the format on the card is the same format used in the software. As such, capabilities are built into the hardware that can take the processing load off the systems, lightening the load for other important applications, like VoIP.

“We included VoIP as just another component of our solution set that was available locally and remotely; it was available to multiple users; and it was available across multiple topologies simultaneously,” explained Thompson. “That’s how our product set has progressed, by designing new technologies and designing them from the ground up to work coherently together.”

Of course, there are a number of other vendors selling their VoIP monitoring solutions — and many work quite well, though some provide more comprehensive, integrated solutions than others. Another problem is that many such tools, while genuinely very good, were designed for lab testing and developing VoIP systems rather than for real-time VoIP analysis. They could provide wave overlay diagrams, voice inflection diagrams, do wave sampling and create wave overlays, but they weren’t designed for troubleshooting real-time VoIP communications.

Many in the industry believe there are certain things that cannot be done in real time, like MOS scoring and R-factor scoring. Network Instruments says that is not the case. In fact, in addition to its retroactive analysis capabilities, it also enables real-time MOS, packet loss, and jitter scoring — not on simulated calls, but on the calls that your users are actually making.

Its solution also includes the ability to examine aggregate network data — MOS and R-factor scores across the network, average jitter, burst percentages, and other general metrics that show how the VoIP network is performing. This, of course, is important to determining SLA compliance and such. But users can also drill down into specific calls — from call set-up to call controls to call tear-down — to examine individual trouble spots that have been identified by the monitoring and alarm configurations. So, together, the solution offers a view of the entire VoIP communications structure, including the ability to compare network utilization to call metrics, allowing administrators to adapt to periods of heavy traffic.
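The per-call scoring and threshold alarms described above can be sketched over stored RTP packet records. This is an added example, not Network Instruments' code: it uses the RFC 3550 jitter estimate and a simplified E-model with the ITU-T G.107 R-to-MOS mapping. The record layout, the 50 ms one-way delay, the G.711 loss parameters, and the 3.6 MOS alarm threshold are assumptions.

```python
# Added example: score stored RTP packets after the fact (not vendor code).
# Assumed record layout per packet: (rtp_seq, rtp_timestamp, arrival_ms).

def rtp_stats(packets, clock_rate=8000):
    """Return (loss_pct, jitter_ms) for one RTP stream in arrival order."""
    jitter = 0.0                       # running estimate, in RTP timestamp units
    prev = None
    for seq, ts, arrival_ms in packets:
        arrival = arrival_ms * clock_rate / 1000   # arrival time in RTP units
        if prev is not None:
            d = (arrival - prev[1]) - (ts - prev[0])   # transit-time difference
            jitter += (abs(d) - jitter) / 16           # RFC 3550 smoothing
        prev = (ts, arrival)
    seqs = [p[0] for p in packets]
    expected = max(seqs) - min(seqs) + 1   # ignores 16-bit sequence wraparound
    loss_pct = 100.0 * (expected - len(set(seqs))) / expected
    return loss_pct, jitter * 1000 / clock_rate

def r_factor(loss_pct, one_way_delay_ms, ie=0.0, bpl=4.3):
    """Simplified E-model; ie/bpl defaults assume G.711 without concealment."""
    d = one_way_delay_ms
    delay_impairment = 0.024 * d + (0.11 * (d - 177.3) if d > 177.3 else 0.0)
    loss_impairment = ie + (95.0 - ie) * loss_pct / (loss_pct + bpl)
    return 93.2 - delay_impairment - loss_impairment

def mos_from_r(r):
    """ITU-T G.107 mapping from R-factor to estimated MOS."""
    if r <= 0:
        return 1.0
    if r >= 100:
        return 4.5
    return 1 + 0.035 * r + r * (r - 60) * (100 - r) * 7e-6

def score_call(packets, one_way_delay_ms=50, mos_alarm=3.6):
    """Score one stored call; delay and alarm threshold are assumed values."""
    loss_pct, jitter_ms = rtp_stats(packets)
    mos = mos_from_r(r_factor(loss_pct, one_way_delay_ms))
    return {"loss_pct": loss_pct, "jitter_ms": jitter_ms,
            "mos": mos, "alarm": mos < mos_alarm}

# Constructed sample streams: 20 ms G.711 packets (160 timestamp units each).
clean = [(i, 160 * i, 20 * i) for i in range(100)]
# Degraded: every tenth packet lost, odd-numbered packets arrive 10 ms late.
degraded = [(i, 160 * i, 20 * i + (10 if i % 2 else 0))
            for i in range(100) if i % 10 != 5]

if __name__ == "__main__":
    for name, stream in (("clean", clean), ("degraded", degraded)):
        print(name, score_call(stream))
```

One-way delay cannot be measured from a single passive capture point, which is why it is passed in as a parameter here.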

Optimizing network traffic can be a challenge in a pure data environment, and adding voice only complicates the scenario, so the ability to isolate problems and resolve them quickly is of utmost importance. Given that, a comprehensive, converged network monitoring solution that offers both real-time and retrospective analysis can be a tremendous asset to any VoIP network.

