The coolness factor of AppDancer/FA lies in this ability to show flows. I'm not talking about just reblasting packets over the wire, though that is possible. I'm talking about seeing and hearing what the client saw and heard. If you capture a VoIP call, you don't simply revisit the packets; you play back the entire conversation. No client or agent is required -- it's all part of the decode. Likewise, if you capture a movie stream you can watch and listen to the movie. The protocols that are supported for flow analysis are FTP, POP, SMTP, Microsoft SQL, DNS and RTP. So instead of trying to figure out the end-user experience based on a summary list of packets and delta times, you can see what the user saw!
Linking to Traffic
I set up the AppDancer/FA in our Real-World Labs® at Syracuse University. I captured Web traffic and was able to view the HTML objects. They are not stored on the analyzer; rather, the AppDancer/FA provides a URL pointer to the page. In the version I tested, AppDancer/FA supported only HTTP GETs, but company representatives say a newer build in the works will support POSTs.
Good News
Visually represents TCP transaction flows and actual HTML objects.
Allows monitoring and replaying of H.323 and RTP VoIP conversations.
Shows actual formatted e-mail messages.
Provides deep and flexible decodes.
Monitors SNMP and Cisco CLI devices.
Bad News
Lacks interpacket expert analysis.
Doesn't support Skinny.
Software only--no gigabit wire speeds; 100 Mbps may be sketchy, depending on hardware platform.
In other tests, I tried to capture a VoIP call but couldn't grab the call setup because my Cisco systems were using the Cisco proprietary call setup protocol, Skinny. I was able to grab the body of the call, however, via RTP. This was very cool: I could monitor the call and replay it in post-capture analysis. Unlike the HTML pointer to the actual page, the RTP traffic is stored on the analyzer.
More useful (if not as cool) is the display of a packet flow, which shows the packets of a particular exchange -- e-mail or Web page download, for example -- with total and delta times. This shows the end-user experience from top down. From an overview to each individual packet, AppDancer/FA lets you see all the critical commands and handshakes without your having to reconstruct decoded packets. The bottom line is that it is easier to troubleshoot a problem when you have a clear visual representation of what the application is actually doing.