NinjaProbe: Multi-Function Network Monitoring Probe And Sensor

Emerging converged network architectures require a new breed of passive monitoring appliances. Powered by Endace DAG® card technology, NinjaProbe is the first platform designed to locally acquire, analyze and store data, while delivering real-time flow statistics and full packet payloads to independent monitoring applications.

A Common Monitoring Infrastructure...

As demand for new service offerings drives higher interface speeds and increased link utilization, operators need a constant flow of information and ‘always-on’ visibility into their transport network. With switches and routers ill-equipped to handle the task, NinjaProbe is designed to be cost-effectively deployed from edge to core, simultaneously supporting critical applications and services ranging from traffic engineering to security. By replacing numerous other probe functions with a single unified and ubiquitous solution, administration and maintenance are dramatically simplified and recurring costs are significantly reduced.

...With Uncommon Capabilities

Designed for the most demanding environments, NinjaProbe delivers unparalleled storage capacity, local deep packet inspection and rules matching via Snort® IDS, remote traffic analysis, multi-session un-sampled NetFlow exporting and open forwarding interfaces for protocol decoding and network forensics. Leveraging unique interrupt-free line-rate data capture and a multi-core CPU environment, NinjaProbe incorporates Endace’s unique SmartDecode™ capability to efficiently perform various concurrent, processor-intensive functions locally, while allowing centralized applications to examine raw packets with minimal transfer of data across the network. For applications requiring accurate latency measurement, NinjaProbe offers synchronized packet capture with hardware time-stamping to atomic clock accuracy. On-board replay capabilities allow these time-stamps to also be used for precise traffic play-back, enabling operators to readily recreate disaster scenarios, network loading or user experiences.

Flexible Deployment Options

With specific requirements varying between individual networks and deployment locations, the NinjaProbe product portfolio includes 1U and 3U base platforms with Packet over SONET/SDH (PoS) or Ethernet interfaces, ranging from 10Mbps to 10Gbps, and storage capacity from 750GB to 128TB. 40Gbps PoS OC-768/STM-256 interfaces are available on the NinjaProbe 40G1. All software components are totally modular, allowing each NinjaProbe site to support a distinct feature-set.

Endace SmartDecode™

NinjaProbe SmartDecode™ processes some packets locally while efficiently forwarding others to external monitoring applications. This provides the most effective use of deployed hardware, enabling multiple services to be delivered from a single platform while limiting the amount of data back-hauled across a network.

NinjaProbe Components

Data Capture Component

Ideal for bulk network forensics and post analysis of data, NinjaProbe offers sustained write-to-disk speeds up to 8Gbps. Multiple capture sessions may be run concurrently, each one with distinct 5-layer IP filters applied to target only traffic of interest. With optional GPS-, CDMA- or IEEE1588/PTP-synchronized hardware time-stamping of every single packet collected on any distributed platform, NinjaProbe enables granular sub-100-nanosecond event correlation with accurate delay and jitter measurements. Files may be stored either in standard PCAP format, available to most commercial network analyzers, or in the Endace extensible record format (ERF), which includes timestamping information and other per-packet metadata. For broad market compatibility, ERF files can be analyzed and decoded by both the NinjaProbe CACE Pilot™ Client / Server network analysis component and Wireshark®.

Traffic Replay Component

With packets catalogued by way of a timestamp and captured to disk in an extensible record format (ERF), NinjaProbe can transmit the stored data at up to 5Gbps, maintaining the same inter-packet delay intervals at which the traffic was received. In controlled environments, such accurate session replication capabilities are invaluable for precise network simulation, measuring financial market data feed services, testing security infrastructure performance or evaluating subscribers’ quality of experience (QoE).

NetFlow Exporting Component

From network analysis and traffic engineering to accounting and security, NetFlow is playing an ever increasing role in all areas of network monitoring. NinjaProbe’s powerful NetFlow exporting component can relieve overworked switches and routers, delivering NetFlow records simultaneously to multiple collector functions with varying packet sampling rates up to 1:1. Comprehensive 5-layer IP filters may be applied to traffic prior to a NetFlow record being generated and exported, allowing for targeted flow analysis. These records may be immediately exported or stored locally for the purpose of post examination. For regulatory compliance obligations, NetFlow records can also be used in support of data retention mandates.

Snort IDS Component

Deployed extensively for protecting global networking infrastructures against security violations and malicious attacks, Snort is widely recognized as a preeminent intrusion detection system. Leveraging unique application acceleration techniques, NinjaProbe can enable standard open source Snort to effectively operate on heavily-loaded 10Gbps segments. Together with the Endace Applied Watch Command Center, NinjaProbe delivers a world-class secure and manageable high-speed sensor solution.

Data Mining Component

Network operators demand a permanent holistic view of their entire network, providing them the ability to identify specific events on isolated segments which demand further investigation. With Snort’s comprehensive and easily modified rule sets, coupled to NinjaProbe’s superior application acceleration and data capture techniques and managed by the Endace Applied Watch Command Center, network engineers can now time-shift their situational analysis by requesting traffic dumps from up to one hour before and one hour after an alarm condition. This data file can then be mined by forensics applications for information relating to the specific cause and effect of an individual rule matching alert.

CACE Pilot Network Analysis Component

With over 900 LAN / WAN protocols decoded along with its comprehensive filtering functions, Wireshark is the leading protocol analysis and network forensics solution. Employing Endace SmartDecode and a distributed client / server architecture, NinjaProbe delivers the first enterprise-grade solution for those wanting to scale Wireshark for use across their entire network infrastructure, from edge to core. The network analysis component, comprising a NinjaProbe CACE Pilot Server and NinjaProbe CACE Pilot Client, offers an easy but comprehensive network analysis tool for both live and stored data, with drag and drop drill-down capabilities to quickly view details of specific network conversations or protocols. Once traffic of interest has been isolated, Wireshark provides the packet decoding functionality for in-depth forensic investigations.

Data Forwarding API Component

An open data forwarding application programming interface (API) enables any trusted third-party application or service to quickly and easily access the full packet capturing capabilities of the NinjaProbe platform.

Providing a layer of abstraction between the application component and the probe functionality, the forwarding API exposes multiple core data acquisition and replay operations using straightforward SOAP/XML command-set constructs. Without the need for a single application tied to a proprietary probe element, this interface effectively eliminates any manual intervention between the passive capture component and data analysis software, opening the door to a common monitoring infrastructure that simultaneously drives the end user’s preferred suite of proprietary or open-source applications.

Lawful Intercept Component

Acting as a lawful intercept access function, NinjaProbe can expose either an Endace generic or a Verint-specific interface to mediation and delivery functions. This interface enables mediation platforms to request filtered IP sessions, based on the specific demands of an individual warrant or court order. The data is forwarded on this interface to the mediation or delivery function, where it is formatted into a standard protocol for handover to, or processing by, the appropriate law enforcement agency.

Central Management Server

The NinjaProbe Central Management Server (CMS) is easy to deploy and dramatically simplifies the command and control of highly distributed NinjaProbe appliances. With a single CMS supporting potentially hundreds of NinjaProbes, network professionals and IT specialists can administer the ongoing operation of these platforms far more efficiently than addressing and ‘touching’ each one individually. Presenting a ubiquitous browser-based graphical user interface (GUI), the central management console (CMC) provides a portal from which all operations, administration, maintenance and provisioning functions can be performed simultaneously across the entire NinjaProbe infrastructure.

