Vendor Landscape for Application-Aware Network Performance Monitoring and Network Packet Brokers
Application-aware NPM products are more sophisticated, with deeper views into apps and use patterns, and user-centric views of how well networks service requests to platforms. NPB products ease implementation and management of NPM and related technologies, and are often part of NPM system design.
- The use of network packet brokers (NPBs) allows better visibility into and longevity of tool investments spanning network performance monitoring (NPM), application performance monitoring (APM), security, network forensics and other monitoring technologies that require packet data.
- Application-aware NPM products can provide diagnostic insight while measuring application performance. Each solution has different degrees of flexibility, providing multiple areas of value, but often siloed to the network organization.
- Growth in the NPB market is a result of the demand for aggregated traffic used by monitoring technologies such as NPM, APM and other security products that need copies of network traffic. Gartner sees consolidation beginning in this market that will accelerate in the next two years, mostly in NPB vendors being acquired or outperformed.
- Investigate solutions that can meet the current needs of network engineering and support, but don't disregard use cases in other parts of the organization that may create a better business case for investment. These may include application performance, application-level dashboards for application and business owners, and other use cases, to ensure more efficient business operations.
- Expect continued market consolidation between NPM and NPB vendors, with many introducing APM technologies that go deeper into application visibility than existing network-bound products. For this reason, selecting a strategic vendor is critical to avoid product churn.
- Due to the varying complexities of network design, ensure that traffic flows through a central monitoring point. Often, this is not economical without a major network redesign.
- Data collected by these technologies is likely to contain sensitive information, so use caution to understand where raw packet data versus summarized or filtered data is needed, to avoid legal and regulatory issues.
Table of Contents
- Vendor Landscape for Application-Aware NPM and NPB Solutions Expands
- Vendors by Category
- Application-Aware NPM
- Bottom Line
The vendor landscape for application-aware NPM and NPB solutions continues to expand, with acquisitions, consolidation and innovation in the monitoring space. These market movements prompt a closer look at the solutions, especially given the ever-increasing upgrade cycles of network bandwidth. These technologies allow visibility and monitoring of network-centric applications, end-user experience and network-based application tracing, and an understanding of the infrastructure components used to deliver an application. The NPB layer makes this data stream manageable, and is grouped into this research because these are often bought together, though up until this point they have been procured from different vendors.
Networks have always been perceived as a focal point of blame for application performance issues. This is partly due to the more advanced nature of the tools and the visibility the network affords to the applications traversing it, allowing issues to be more easily dispelled by the network team. The network, in effect, has become the backplane of a distributed application. This cycle has put a strain on the relationships between infrastructure and operations (I&O) teams and their business colleagues who are coping with service issues related to the consumption of applications on the network.
What once was simple packet capture and analysis has evolved into a much more sophisticated set of IT products that encompasses traffic management, network monitoring and unprecedented user-experience visibility from a nonintrusive network perspective. The two distinct product offerings are grouped together in this research to show our growing understanding of their interdependencies, which are required to provide effective monitoring and visibility into the network layer. These products are divided into two categories:
- Application-aware NPM
These categories have specific requirements.
These solutions allow passive packet capture of network traffic and must include the following features, in addition to packet capture technology:
- Receive and process one or more of these flow-based data sources: NetFlow, sFlow and Internet Protocol Flow Information Export (IPFIX).
- Provide roll-ups and dashboards of collected data into business-relevant views, consisting of application-centric performance displays.
- Monitor performance in an always-on state, and generate alarms based on manual or automatically generated thresholds.
- Offer protocol analysis capabilities to decode and understand multiple applications, including voice, video, HTTP and database protocols. The tool must provide end-user experience information for these applications.
- Have the ability to decrypt encrypted traffic if the proper keys are provided to the solution.
Optionally, the features of market leaders include:
- High-capacity storage of captured packet data, but this is not required as a core feature, although it can be useful from a diagnostic perspective. Products that do not store the data must provide packet capture on demand and reported in real time.
- Operation in WAN-optimized and virtualized environments through support for popular WAN optimization controllers (WOCs; e.g., Riverbed, Cisco and F5), as well as virtual network tagging, such as Cisco's virtual network tag (VNTag), VMware's ESX and Citrix's Xen.
These products must broker network traffic from multiple Switched Port Analyzer (SPAN) ports from other network elements, and manipulate the traffic to allow more efficient use of NPM, APM and security-related monitoring devices. The product can also be deployed in line to reduce the latency reported to the attached monitoring products. These products must provide the following features:
- Many-to-many port mapping, with a configuration interface (graphical user interface [GUI] or command line interface [CLI]) for real-time adjustments of packet flow, including port mapping and paths.
- Filtering of packet data based on the characteristics found in the packet headers, allowing filtering of Open Systems Interconnection (OSI) Layers 2 through 4.
- Packet slicing and deduplication, which allows a subset of the full packet data to be passed to the monitoring device, thus allowing monitoring tools to scale more efficiently.
- Aggregating multiple packet stream inputs into one larger stream, for example five 1Gb links into a single 10Gb link. Alternately, the reverse also will work, where a single 10Gb link would be fed into multiple 1Gb connections. The destination would be a monitoring tool with the proper interface.
- Distributing traffic load per device by sending it to different probes or appliances in order to scale the monitoring, or to provide redundancy in the monitoring technology.
- Insertion of hardware-based time stamps that can be used by the monitoring tools to provide more accurate measurements. These hardware-based features can change the accuracy of the packet time stamp from milliseconds to microseconds, enabling more granular time measurement.
Optionally, the features of market leaders include:
- Deep packet inspection, allowing for the filtering and routing of packets based on data characteristics in the header or payload, and support for filtering on OSI Layers 2 through 7.
- The ability to capture ingress port identification data, enabling unique identification of traffic from multiple ingress ports.
- The capability to mask specific data in the packets, which could be applied in compliance use cases, which contain confidential regular-format fields (e.g., Social Security numbers, credit card numbers, etc.).
Packet-based technologies are still essential for debugging; to derive the end-user experience, flow-based data sources do not provide latency information. This is evolving as network equipment manufacturers and monitoring technologies take advantage of advanced types of flow-based data that do introduce latency, in addition to typical usage information (see "When Is NetFlow 'Good Enough'"). The vendors outlined in the application-aware NPM section of this research can capture and analyze packet stream data, and can read and analyze flow-based data sources. Many also generate flow-based streams from the packets for other tools to analyze.
The vendors also provide offerings that include probe- and flow-based data collection and analysis, and dozens of vendors provide a singular part of the solution. Additionally, the NPM market includes products that do fault and performance monitoring, including SNMP polling and syslog collection. These products are quite commoditized, so our focus is on the evolving application-aware NPM market. The vendors in each segment will be covered in alphabetical order, with a brief mention of their targeted approach, cost model and list price for the solution. These list prices are typically not paid, especially when volume is introduced. Leverage Gartner for advice on negotiating the best price for your solution.
Description: AppNeta's PathView Cloud software as a service (SaaS)-delivered, passive measurement service uses patented technology that allows the product to do theoretical maximum bandwidth testing without saturating the connection. The company was rebranded in 2011 from its former name, Apparent Networks, which was founded in 2000. This rebranding came after an additional $6.2 million of venture funding. The PathView Cloud offering is an integrated suite of four modules, two with active monitoring and two with passive monitoring. The active modules provide path visibility from Layer 3 (PathView) through Layer 7 (AppView), while the two passive modules provide NetFlow analysis (FlowView) and centralized packet capture capability (FlowView). Although the PathView Cloud product offering is limited today, it does provide value for many organizations. Many unique use cases enable organizations to understand the speed and delivery quality of their networks. The product can do synthetic testing of voice, Web and other protocols. Example use cases for many clients include tracking the configuration of quality of service (QoS) flags across the network devices, which is critical for the effective delivery of voice and video, or any other high-priority application.
Pricing: $55 per location per month.
- AppNeta has a differentiated offering, as it is delivered via SaaS with the ability to calculate network capacity through the use of relatively few specially timed ICMP or UDP packets instead of by saturating the network, and QoS tagging consistency, while generating and analyzing flow data for consumption by other tools.
- AppNeta offers a quick implementation and value proposition, including the ability to monitor branch offices for common problems with a small form factor appliance.
- Low cost, compared with other technologies.
- AppNeta PathView Cloud caters to triage use cases more than detailed analysis or general problem detection and isolation.
- There is little visibility into the details of most applications, aside from voice.
- Packet capture storage on the devices is limited and rudimentary, and is limited to 2GB, so the product cannot replace other NPM offerings.
CA Technologies' CA Network Performance Management offering includes several components mostly acquired from the purchase of NetQoS in 2009. These offerings include CA Application Delivery Analysis (formerly CA NetQoS SuperAgent), which provides application response time monitoring; CA GigaStor (based on a reseller relationship with Network Instruments), which provides packet capture storage and protocol analysis by the Network Instruments Observer product; and CA NetQoS ReporterAnalyzer, which handles flow-based data and reporting. All these data sources roll up to the CA NetQoS Performance Center product, which consolidates and reports across the offerings. The NetQoS Unified Communications Monitor offering includes detailed monitoring for voice over IP (VoIP) and video, including native support for Avaya, Cisco and Microsoft Unified Communications platforms. Overall, the CA network performance management product portfolio is one of the most comprehensive and complex offerings on the market.
Pricing: Starts at $40,000 for an entry-level packet capture appliance.
- CA has one of the broadest portfolios on the market, providing holistic network monitoring. This stands out from its main competitors in the IT operations management market.
- Integrated reporting across the CA network management portfolio incorporates delivery reporting and dashboarding, which provides a more comprehensive picture of network performance.
- Support for Cisco Network Analysis Module (NAM), Wide Area Application Services (WAAS) and Application Control Engine Module (ACE), as well as for Riverbed, provides additional visibility for monitoring branch offices.
- Network Instruments' dependence and weaker integration can pose risks if the relationship changes, or if there is an acquisition.
- CA has some overlap between the Nimsoft and CA Enterprise offerings, which causes confusion for buyers. Additionally, CA has several overlapping technologies that do not have a standard network probe, so multiple products must be deployed, each with network packet visibility.
- Flow data is not deduplicated across devices, causing confusion in reporting from a NPM perspective.
This network equipment manufacturer was founded in 1984, and has developed a combination of hardware in the form of the Cisco NAM, which can be embedded in many of Cisco's hardware platforms to capture data, as well as deployed as an appliance or a virtual machine. The platform can accept flow-based data from any NetFlow-compatible device, along with data originating from the Performance Agent, Remote Monitoring (RMON) and Internet Protocol SLAs (IPSLAs). The Cisco NAM can also gather data from Cisco WAAS products for WAN acceleration measurement. Voice and application data are gathered and analyzed by the solution as well. This data is fed into Cisco Prime Assurance Manager (PAM), which collects and correlates data from multiple sources, including the NAMs, and allows more effective reporting, dashboarding and problem resolution. The Prime AM module plugs into the standard Cisco Prime framework for tight integration between network management product offerings. Neither Cisco product offering includes a protocol analyzer, but data can be exported to standard formats.
Pricing: Starts at $1,500 for a NAM module, and $7,028 for Cisco Prime Assurance Manager.
- Cisco can provide network equipment, monitoring and software from a single vendor, ensuring compatibility and longevity for the investment. Support is delivered consistently, globally.
- For those with extensive Cisco deployments, the Prime software suite provides a Cisco-centric view of all Cisco-deployed technologies.
- Cisco has a weaker overall product offering than many competitors.
- Cisco caters to those with large, homogeneous Cisco investments, and leaves other vendor-supported products with less coverage, though this is becoming less the norm.
Compuware has a presence in many markets for IT operations management technologies. Over a long journey, the company has transformed itself into an APM leader. Along the way, Compuware has acquired companies such as CoroNet (1995), Optimal Networks (2000) and Adlex (2005). These acquisitions were called Vantage Real-User Monitoring (agentless) and Vantage Network Monitoring, but were merged and renamed to Compuware Gomez Real-User Monitoring - Data Center, as they were merged into the Compuware Gomez product naming in the Fall 2011 release. In 2012, the Gomez products were renamed Compuware dynaTrace Data Center Real User Monitor (DCRUM). This product offering provides passive packet capture technology, with integration into Cisco NAM, WAAS, Unified Computing System (UCS) and VNTag, as well as NetFlow monitoring capabilities. Compuware dynaTrace DCROM has the standard set of capabilities, including capacity planning, voice and video monitoring. The Agentless Monitoring Device (AMD) probes handle data capture, which is fed into the Compuware Analysis Server (CAS) for processing, providing reporting, baselining, trend analysis and anomaly detection. This same product also offers passive end-user experience monitoring for the APM solution.
Pricing: Starts at $75,000 for an entry-level solution, including one AMD appliance and one CAS appliance.
- The dual use case of the same appliances for APM and NPM buyers creates a multiuse business case.
- The dual-marketed managed service from BT and Compuware in 2009 is unique in the industry, but has been put on the backburner due to an APM focus.
- Compuware does not market Compuware dynaTrace DCRUM to NPM buyers, and it is not considered a primary player in this market.
- Investment in NPM-specific use cases is not core to Compuware's laser focus on APM.
Fluke Networks' heritage as a testing tool created a natural path, moving up the stack and getting involved in the NPM market. In order to execute on this vision, the company acquired Visual Networks Systems (2006), Crannog Software (2007), Viola Networks (2008) and ClearSight Networks (2009). Interestingly, the Visual Network Systems brand was spun off from Fluke Networks in 2010. The parent company, Danaher, owns both companies, but has failed to co-market them. Often, competing technologies are developed, without leveraging existing investments. Recently, there has been more intermingling of technology and personnel, which hopefully will continue. Focus remains on the network engineering and support organizations. The product offering includes ClearSight and OptiView software modules, which take data from Network Time Machine rack mount appliances, OptiView XG handheld tablets, or any packet capture software or hardware devices. This group of products, which works together, includes packet recording and storage, protocol analysis and flow-based monitoring capabilities.
Pricing: Starts at $20,000 for an entry-level Network Time Machine packet capture appliance.
- Viability is not a concern. Due to the company's heritage, and its cabling and testing businesses, it is one of the leaders in this industry.
- Scalability is proven, due to long-term deployments in very large networks in Asia.
- The pricing is attractive, compared with other offerings whose list prices for appliances are at $20,000.
- While the OptiView products are well-received and deployed, the NPM products have a limited customer base, with some success in Japan, due to ClearSight's heritage. Sales of ClearSight have started to even out since the acquisition by Fluke Networks.
- Although the combined ClearSight and OptiView products do multisegment analysis, their approach is more manual than that of other competitors.
- Fluke Networks is known for cable testing, and moving up the value chain requires that it get involved in network monitoring and management. This is something Fluke has not yet been able to do well, and was the cause of the Visual Networks spinoff. Fluke has since unified marketing, product management and R&D, with the aim of presenting a more cohesive set of product solutions to the market.
InfoVista focuses on customers in the telco and carrier space, including managed service providers looking to provide application-level visibility services to external or internal customers primarily via a network-centric measurement approach. The products are designed for multitenancy and scalability to meet the demands of large communications service providers (CSPs) and enterprises. The 5View appliances collect and store flow- and packet-based data streams. The focus of the solution is to provide traffic usage, application and network response time, and QoS metrics. The collected data is fed into the Vista360 product, which handles reporting and rich dashboarding. Additionally, 5View Mediation provides added business intelligence capabilities. The 5View and Vista360 products have a focus on a clean, simple user interface that bubbles up relevant data to network administrators and other users. The solution is not a protocol analysis tool, so it doesn't often replace other NPM investments.
Pricing: Starts at $11,000 for an appliance, and $75,000 for a complete solution.
- Understanding and modeling of multiple carrier network components, including asynchronous transfer mode (ATM), DSL, frame relay, mobile data, MPLS and virtual private networks (VPNs) allow more extensive reporting and monitoring than most solutions on the market.
- Cost optimization is possible with unique Provider Edge (PE) multitenancy support, enabling CSPs to offer premium services to multiple external clients based on one performance management platform. Additionally, the 5View and Vista360 have shown the ability to scale to large distributed carrier networks. This technology is used by CSPs to offer application visibility services to high-value customers.
- InfoVista offers a complete solution for providers offering voice, video, computing and network services, with a single reporting and monitoring solution. Adding 5View appliances provides more application-centric monitoring and reporting than is provided from the network-centric Vista product line.
- Due to the offerings coming from different acquisitions, multiple appliances are required, each of which has a unique user interface. This can add cost and complexity to training and implementation. The vendor is aware of and correcting this issue.
- A heavy sales presence and customer base in Europe means that other geographies have a smaller percentage.
- A strong service provider focus and revenue percentage makes enterprise customers less relevant to future product directions.
Lancope's StealthWatch platform has been catering to security professionals since its inception in 2000. Lancope has spent time penetrating the NPM market over the past several years with limited success. Gartner finds in client inquiry discussions that Lancope is not often considered for NPM use cases, but presents a unique and valid approach to understanding the network and application delivery. FlowSensor analyzes packets to identify applications and their performance metrics; metadata such as URLs and response codes is extracted, and the product can export flows that can be read by other products. It also provides on-demand packet capture in a standard format for use in other protocol analyzer products. FlowSensor comes in physical and virtual appliances for monitoring VMware virtual networks. Due to Lancope being targeted at many audiences, it does not provide a protocol analyzer in the product, but data can be exported to other products. This doesn't allow Lancope to replace NPM products that provide large disk packet storage.
Pricing: Starts at $50,000 per system, which includes the FlowSensor, FlowCollector and Management Console appliances (virtual or hardware).
- Due to the platform having a more sophisticated behavior detection engine, as required for security use cases, anomalies in the network and applications are more easily detected and surfaced.
- Lancope is a thought leader in flow-based monitoring technologies, encouraging the enrichment of flow-based data sources from hardware providers. This creates greater opportunities for network administrators to leverage less expensive sources versus probe-based technologies.
- Customers seeking an NPM solution will be secondary buying centers for Lancope, as it focuses on security use cases, although it does have workflows for NPM use cases.
- Application detection and usage patterns are geared less toward NPM-type workflows, and toward security use cases.
Net Optics began in 1996, selling fiber cables and connectors, and evolved into one of the primary suppliers of taps and other connectivity options. Recently, the company expanded into the midmarket NPM segment with the introduction of the branch office-deployable appTap, and with a recent acquisition enabling data center monitoring with the Spyke product. Both of these products can generate NetFlow data to be absorbed by other products, thus avoiding the overhead that can impact performance in a branch office. The appTap allows basic visibility into VoIP, Web and other applications, and basic user-experience metrics. AppTap and Spyke both do a minimal degree of packet capture storage and analysis as well.
Pricing: Starts at $3,500 for an entry-level appTap device.
- The company has a good market understanding and vision in its expansion into other markets, allowing traffic visibility and network and application awareness.
- An integrated tap in the appTap device provides added functionality, as well as monitoring capabilities.
- Net Optics does not have proven deployments in the NPM market due to its recent acquisition and announcements.
- There is no support for 10 Gigabit Ethernet or high-speed capture and analysis in the current NPM products.
NetScout was founded in 1984, and has always been a core participant in the NPM market, with a solid presence across the enterprise and service provider spectrum. NetScout was a participant in the monitoring space with RMON monitoring, and added packet data sources in 1998, and much needed technology from Network General in the 2007 acquisition. In the past year, NetScout augmented its offering and capabilities with the additional acquisitions of Simena, Fox Replay and Psytechnics. These purchases bring NetScout into additional markets, such as security, detailed voice and video monitoring, and NPBs, which means that it can leverage the appliance deployments to a greater extent. nGenius Service Assurance includes software modules that run on an appliance that includes Service Delivery Manager, Performance Manager, Enterprise Intelligence, Trading Intelligence and Voice | Video Manager. In the carrier space, NetScout sells Subscriber Intelligence, which provides customer user session tracing with hop-by-hop analysis, as well as end-user device details. Subscriber Intelligence is paired with nGenius Service Delivery Manager to provide monitoring and reporting to understand performance issues that affect a given region or user community. These products, in addition to the Sniffer Analysis modules, allow data captured and stored on InfiniStream appliances to be analyzed and used in many different ways. NetScout's Adaptive Session Intelligence (ASI) technology is a real-time data mining and metadata creation engine that allows summarized data to be leveraged more easily across the products. Additional data sources for the software products include NetFlow appliances, as well as integrated and virtual software agents providing packet data sources. With the added Enterprise Intelligence capability in 2011, there is a much deeper understanding of transactions and end-user experience on the network from an application perspective, which can be a boon for those in other parts of the IT organization who are not directly responsible for network operations and support.
Pricing: Starts at $30,000 per InfiniStream appliance with the base level of storage and connectivity.
- NetScout is a public company with a viable revenue stream. The company makes many key acquisitions to further its expansion into network operations and engineering, as well as entering markets such as APM, unified communications (UC) and security.
- With increased analysis capabilities, NetScout serves multiple markets, with monitoring, application visibility and transaction understanding.
- The patented Adaptive Session Intelligence technology allows for efficient storage and mining of data from packet streams, providing multiple solutions with analytics capabilities.
- In many ways, NetScout sets the high bar and standard for the NPM market, including leading the consolidation efforts of previously segmented markets, thus creating a strong partner for the network engineering buyer.
- An inability to understand the workflows of non-network-engineer use cases has prevented NetScout from expanding into additional markets.
- The company is focused on having a completely passive technology, thus reducing its visibility into additional non-network-infrastructure components. The net result is a limited view for those seeking deeper insight into application or infrastructure components.
- The integration of user interfaces is still a struggle, as acquisitions place continual demands on aging hardware without providing customers with a cost-effective upgrade path; however, the use of appliance technology has remained consistent and well-integrated.
- NetScout needs to take better advantage of social media avenues for marketing and to promote the solution and strategy.
Network Instruments, founded in 1994, offers software and multiple hardware technologies for traffic management. These include the Observer product line used for monitoring, reporting, troubleshooting and analysis of packet and flow data sources. The Observer products receive data from the GigaStor product lines, which provide disk-backed packet capture technologies. Additional options include network-connected appliances that provide feeds of summarized data to the Observer Reporting Server (ORS) appliance. The Network Instruments product has many added capabilities, and the core Observer Infrastructure product allows for additional agentless polling-based monitoring of applications, databases, and many public cloud services and providers. All data collected by these products is fed into the ORS for baselining, monitoring, capacity planning, reporting, and application- and service-level dashboarding. GigaStor has deep monitoring and capture of voice and video technologies. The company also offers physical and virtual tap technologies, but has yet to introduce an NPB technology. The virtual tap technology is sold with many other products, but is not marketed on its own.
Pricing: Starts at $25,000 for ORS, $17,000 for GigaStor, $1,000 for Observer and $6,000 for Observer Infrastructure.
- The ability to do agentless polling of other applications creates additional visibility for customers who take advantage of this capability. It includes the ability to monitor cloud services such as Amazon CloudWatch, CloudKick, VCE Vblock and NetApp FlexPod.
- More video codec support than other Application-Aware NPM competitors allows a greater monitoring capability of video streams.
- Network Instruments offers a single-vendor solution for taps and probes, inclusive of active and passive FC storage area network (SAN) monitoring and associated storage technologies.
- Marketing efforts attempting to appeal to nonnetwork buyers has been ineffective. Messaging and coherence will assist with differentiation and appeal to other buyers more effectively.
- Autodiscovery, predictive capability and the correlation of alarms in the solution are not as advanced as some other vendor capabilities.
- Although Observer Reporting Server can be a good non-NPM monitoring technology, it doesn't replace existing application, virtualization, system, or network fault monitoring tools (SNMP and syslog). Instead, it allows data to be integrated for better analysis of these other components.
Ntop started in 1998 with open-source offerings, and has evolved into a commercial entity. These offerings include open-source and commercially supported options for network monitoring. The ntop product can be run on any Windows or Linux-based machine with the ability to capture packet data, as well as absorb flow-based data for network monitoring and measurement. The additional offering of the software-based nProbe allows the creation of highly efficient and scalable flow-based data. This product can be run on any Windows or Linux systems, and is licensed and used as part of other offerings covered in this research.
Pricing: The cost is free for many products, ranging up to a nominal fee for support.
- The pricing is very attractive, especially when combined with other NPM solutions, but it should be considered a flow-based data generator.
- The nProbe product provides flexible flow-based data generation, including latency, Border Gateway Protocol (BGP) path data, and custom templates and plug-ins, which provide added features.
- The company has a limited marketing and sales presence, normally discovered by the engineers in an organization.
- Viability is a question due to the small size of the company, but the products have a strong value proposition, and their open-source nature provides a future path.
Opnet Technologies, founded in 1986, caters toward NPM and APM buyers, offering a comprehensive set of products that spans the needs of both groups. Opnet built its NPM portfolio with several acquisitions, but primarily from Network Physics, which it acquired in 2007. NPM-specific offerings include AppResponse Xpert, which provides end-user-experience and network monitoring in a physical or virtual appliance form factor; and AppSensor Xpert, which includes Simple Network Management Protocol (SNMP), Windows Management Instrumentation (WMI) and IPSLA monitoring, as well as routing topology. Additionally, the AppTransaction Xpert product provides protocol analysis on demand, a deployable agent that provides filtering, troubleshooting help and a rolling buffer of packet capture. These products are often deployed together to provide a full NPM solution. They are the core component of Opnet's NPM products. Opnet's analytics strategy differentiates it in many regards by offloading much of the processing to the endpoint doing the data capture, providing a highly scalable model suited to distributed and cloud environments. The automatic correlation and modeling include time-based and metrics-based capabilities. Data is stored in multiple methods, which allows long-term storage of data, as well as the ability to quickly recall data based on a relevancy. Additional products and modules can assist with detailed visibility into Citrix XenApp and databases as well.
Pricing: Starts at $8,500 per appliance.
- Opnet offers a single-vendor solution for a convergence between APM and NPM for end-user-experience monitoring and other application protocol tracking, with thought leadership in applying NPM to the cloud and the application of analytic capabilities. Full APM functionality does require other investments in software.
- Unified views exist across the product suite with the Web dashboard framework, but still with separate user interfaces between the products.
- Value-added, network-appliance-based products allow agentless, detailed Citrix and SQL database monitoring.
- Opnet's appeal to users stretches across multiple buying centers (network, application support, development and lines of business), but it primarily sells to technical network engineers.
- The throughput of each appliance is not as high as that of some competitors, but the amount of processing and analytics Opnet does is more complex, which affects throughput.
- The product line can be confusing, due to several product name changes and overall complexity resulting from solution depth.
Founded in 1995 in Nuremberg, Germany, Paessler started selling other monitoring products, but introduced the PRTG product in 2004. It added packet-capture-based data and flow-based data in 2005. The company strategy includes freeware and commercial product offerings. These are basic, but effective for smaller to midsize networks, yet lack the sophistication and analysis capabilities of many market entrants. The typical product sale occurs from the engineer level to upper management, unlike most other products highlighted in this research, which are can be sold to higher levels in the IT organization. This puts Paessler outside the target of many competitors.
Pricing: Starts at $400 for a basic Windows software installation.
- The low cost and ease of implementation and maintenance make this an attractive offering. Usability is paramount, with multiple user interfaces available to appeal to different users, including the option to have the product viewable on mobile devices with Web or app interfaces.
- The company's messaging and marketing target engineering buyers with very upfront pricing and sales process. Software normally sells in a self-service Web commerce manner, or via larger software resellers.
- Extensive support for other types of polling, including server monitoring and multiple types of flow data, creates additional value, from a network monitoring perspective.
- The product is limited to monitoring aspects, with no ability to store or export captured packets for analysis or forensics.
- The product has software-only deployments, which often are less than ideal for network engineers who prefer self-configuring appliance form factors for deployment.
- The company is of a smaller size, and viability should be investigated before making a large investment.
The Cascade product lines came from several strategic acquisitions: Mazu Networks in 2009 and Cace Technologies in 2010. With these purchases, Riverbed made a strong entry into the NPM market, putting together a multifaceted approach. The Cascade Profiler product is the central management, reporting and monitoring system, and takes data from Cascade Shark packet capture appliances, Cascade Gateway flow collector appliances and the more lightweight Cascade Sensor response time and application decoding appliances. In addition to Profiler, there is a desktop-software-based product called Pilot, which allows protocol analysis of any exported capture file, including the ability to do multisegment analysis. The product is easy to use, and has some unique data drill-down and workflow capabilities. Riverbed's pervasive Steelhead appliances for WAN acceleration have had Shark data collection functionality embedded in the OS since version 7. Additionally, there is a software-based version of Shark for VMware environments. This product has been evolving quickly, showing strong growth for Riverbed and increasing its influence on the company's corporate direction.
Pricing: Starts at $30,000 per appliance.
- The fast-growing product segment is garnering renewed attention and interest in Riverbed's executive levels, and creating new opportunities for other lines of business.
- Visibility into ADCs and the sponsorship and steering of the open-source Wireshark protocol analyzer are unique differentiators for the Cascade product line.
- The introduction of more advanced analytics move the capabilities of the Cascade product line up the food chain of NPM vendors, garnering additional interest as organizations are forced to manage more complex and dynamic environments.
- The toolset could be better integrated and converged versus having such a wide array of different products and technologies under the Profiler product.
- The marketing and messaging toward security-related solutions are holdovers from the Mazu acquisition, which confuses core buyers of Riverbed products and technologies.
- Integration of the Wireshark protocol analyzer is nonexistent; this is something Riverbed could better leverage, given its influence and understanding of that product.
Founded in 2005 by a serial entrepreneur and his technologist, SevOne secured two rounds of venture funding totaling $3.5 million. It boasts some very large customers due to having a highly scalable peer-to-peer-based appliance platform. With both physical and virtual form factors, additional flexibility is given to the customer. The product can collect data by SNMP, WMI, VMware metrics, flow-based data sources and VoIP integrations. Additionally, SevOne provides an open API and data collection capability called xStats for pulling additional data sources that carriers and other large enterprises use to integrate additional metrics into the engine. The product has sophisticated automated baselining and dynamic thresholding on metrics collected, as well as a rich reporting and Web-based user interface. However, it still lacks a built-in protocol analyzer and native packet capture, requiring an embedded offering underpinned by the ntop nProbe product. With strong growth numbers and effective marketing, SevOne is on a path toward continued success.
Pricing: Starts at $50,000 per appliance.
- The SevOne platform is easily scaled, with a distributed peer-to-peer architecture that appeals to those operating large networks. This also allows the product to scale with a smaller footprint, due to the peer-to-peer nature of the clustering design.
- A very fast flow analysis engine deals with the highest reported flows and polling instances on a single appliance, which is confirmed by other vendors.
- The single product and form factor can replace solutions that consist of multiple products.
- The SevOne product is not a full offering, and relies on third-party embedded technologies to tell a complete NPM story.
- There is limited application visibility, compared with other vendors that have more sophisticated, deep packet inspection capabilities.
Operating as a separate brand from Fluke Networks since 2010, Visual Networks is also part of the holding company, Danaher, but it fails to co-market the two brands effectively. Recently, Visual Networks began working more closely with sister company Fluke Networks to build a more coherent story, and reduce redundant R&D efforts. It has since unified its marketing, product management and R&D, with the future goal of presenting a more cohesive set of product solutions to the market. This spinoff was done to better target service providers and enterprise buyers versus the typical Fluke customer looking for cabling and testing solutions. The comprehensive product offering includes Application Performance Appliances, which do packet capture; Network Performance Appliances, which handle flow-based data; Analysis Service Elements (ASEs), which handle specific branch office measurement with specialized appliances; and OmniPoint Elements, which run on ASEs and hypervisors, or embedded in network equipment such as Cisco Services-Ready Engine (SRE) and Riverbed. These data collection components are fed into the Visual Performance Manager (VPM) product, which handles the correlation of this data, along with third-party adapters that can pull additional information from other monitoring and delivery technologies. This approach allows the capture of data from many locations based on the devices, software and capabilities already installed in those locations. The approach is best-suited to large distributed environments where a centralized view of application and network performance is required. The centralized data analysis approach of visual networks creates lightweight footprints for the capture agent technology, which generates a flexible network stream back to the VPM. With some unique technologies, the product is a good fit for specific needs.
Pricing: Starts at $40,000.
- There is a strong focus on enterprise and service provider use cases, leveraging some network equipment manufacturers and virtual solutions commonly deployed in those environments.
- Visual Networks is one of the few market leaders in NPM SaaS solutions, although these are offered via a service provider, which removes much of the competitive advantage it could obtain with this offering.
- A good interface and usability provide a good foundation for a more workable solution toward understanding network performance.
- Parent company Danaher does not appear to be providing effective guidance or vision, and is often considered a detriment to the advancement of Visual Networks' market opportunity. Recently, there has been more intermingling of technologies, which we hope continues and may provide a more cohesive strategy for its network performance management offerings. The dashboarding technology is licensed from an OEM relationship with Edge Technologies, which removes the competitive advantages that could be gained with deeper analytics in the product.
- The use of analytics to better extract meaning and correlations from application decoding and presentation lags behind industry leaders that provide more automated insight into the application and associated infrastructure.
WildPackets provides cost-effective NPM solutions that consist of TimeLine packet capture and recording devices, Omnipliance and TimeLine Network Recorder packet capture and performance analysis devices, and OmniEngine Software Probes, which can capture packet data. These products do most of the calculation, and report summarized data to the OmniPeek protocol analyzer which acts as a client. Additionally, OmniPeek can be used to analyze any standard packet capture files on demand. Additional flow-based data can be consumed by the WatchPoint products, including those generated by other parts of the solution for real-time monitoring of network usage, as well as NetFlow and sFlow data generated from other devices in the network.
Pricing: Starts at $12,500 per appliance.
- The user interface is clean and easy to use, including the expert analysis, which helps with root cause isolation, making the product a good fit for those who are less experienced with competing tools.
- Users can extend the protocol decoder, or additional help can be obtained from WildPackets.
- After pioneering many areas including wireless, WildPackets has been a technology laggard in providing differentiated features.
- Market visibility has been reduced, as there are too many overlapping yet different products in the current offerings.
Other solutions on the market have more specific use cases, but should be investigated as well if you do not need or plan to need both capabilities. These vendors include flow-only capabilities and have no packet data sources:
- Arbor Networks
- Evident Software
- Packet Design
- Plixer International
- Quest Software
- ServicePilot Technologies
The following vendors include only packet capture and analysis capabilities for NPM purposes, but lack flow-based analysis capabilities:
- ExtraHop Networks
The following vendors do both, but do not come up in conversations for NPM use cases:
- Vineyard Networks
With the requirements of network packet access these products all require, there is a major challenge for those tasked with designing networks that can be easily monitored. Not only is the architecture of the network important when designing the core and edge, but also how the various monitoring technologies will have copies of the valuable packet data traversing the network, and which locations contain the packets most relevant to be monitored. These monitoring tool use cases include security, NPM, APM, network forensics and other monitoring technologies.
These NPBs are not only designed to route copies of the network traffic originating from SPAN, mirror, or taps on the network, but also to filter and analyze the traffic in order to make routing decisions. With network speeds constantly advancing, the cost of replacing monitoring technologies to handle higher bandwidth is not cost-effective. These products can increase the longevity of the tools, or allow them to be used to solve various problems by filtering or aggregating the relevant traffic to the relevant tool.
While we see this as mostly a stand-alone market, as it has been since inception, we anticipate more NPM players building technologies or making strategic acquisitions — and potentially a larger network or an ADC, a WOC or a general network switching vendor entering the market. This synergy is a natural progression of the vendors' existing hardware and software platforms, and can foster the creation of additional products, with limited investment in R&D. Gartner estimates the current market value at $185 million to $220 million, with a 30% growth target for 2012. With NetScout buying Simena in 2011, the long overdue consolidation of the market began. This is providing buyers with more choices, and will lead to lower prices. The following vendors are the most commonly selected and discussed in this market.
Anue's transition to this market from network test and measurement equipment in 2008 allowed it to use some of the control software it had previously used to build a rich and easy-to-configure Net Tool Optimizer product line. The flows of applications and filters are done in its control panel, and a rich GUI that is permissioned based on each component allows changes to be completed by different stakeholders in the organization. Anue positions itself as a high-growth business, with multiple international offices, making it a viable choice in the market.
Pricing: Starts at $10,000 for an entry-level device.
- An easy-to-use and rich configuration utility with granular permissions and more sophisticated dynamic filtering than other NPBs allows the management of multiple devices and complex use cases.
- Anue is early to market, with 40Gb connectivity options for customers deploying the latest Ethernet standards.
- Layer 2 through 4 support only doesn't allow more sophisticated rules based on packet data.
Apcon has a long history, dating back to 1994, with a diverse set of products. It sold a number of testing products spanning storage, networks and other equipment before getting involved in the NPB market in 2009. It continues to sell test and measurement solutions in addition to NPBs. The main NPB products are the IntellaFlex and IntellaFlex-LE products. It also sells a range of taps and other switching products.
Pricing: Starts at $15,000 for an entry-level device.
- Apcon has been in business for over a decade, and has several lines of business, making it a viable choice. The diverse product offerings have compatible interfaces, allowing the reuse of chassis and blades among products.
- The IntellaStore product offering has an onboard storage option to allow analysis of packet data without external tools.
- Layer 2 through 4 support only doesn't allow more sophisticated rules based on packet data.
Having entered the market in 2006, cPacket has always had a focus on the NPB market. The product line differentiates itself with highly accurate time stamping and multiple methods of implementation, including in-line deployment that provides the most accurate view of packet data. This is critical in areas where microbursts can cause monitoring fluctuations, such as in high-frequency trading applications. Additionally, cPacket will build custom solutions of hardware and software to enable specialized solutions for customers with unique needs. Product support for filtering packets is based on Layers 2 through 7.
Pricing: Starts at $18,000 for an entry-level device.
- cPacket provides a high degree of accuracy, with hardware-based time stamping and deployment options; only a handful of other competitors offer this.
- The custom cPacket chip does all heavy lifting of aspects such as rate processing, allowing faster processing at full line rates with deep packet inspection.
- The company's marketing consists of fringe opportunities that alienate many buyers. This also creates a higher cost due to accuracy and the custom chipset.
- The hardware design has a lower port density than most solutions on the market.
Founded in 1992, Datacom Systems was primarily a tap vendor, and still offers a wide array of solutions in this space. It co-founded and created the NPB space in 2001, which evolved from simple Layer 4 filtering capabilities, but lacks a deeper capability set to filter and handle Layer 7 data. It generally has more cost-effective solutions that can deal with the needs of midsize enterprises, and scale up to larger financial services solutions.
Pricing: Starts at $10,000 for an entry-level device.
- Datacom Systems is a co-founder of this market, as well as providing a lower-cost solution than many competitors. The solutions also are less complex.
- The company offers dense tapping solutions, which save space and power in data centers they are deployed into.
- Although it was once an innovator, the company has remained small in size.
- The company does not come up as often during Gartner client inquiries as some larger players in the NPB space.
Gigamon was a forerunner in adding intelligence to standard switching in 2003 to pioneer the NPB, and has continued with good marketing and penetration into multiple buying segments. One of the largest players in this space in terms of revenue and company size, Gigamon often is the target for other vendors to reach. Gigamon platforms include various offerings that have diverse connectivity and software functionality. Due to its presence in carrier networks, it builds highly redundant, rugged hardware with support for the latest networking connectivity standards.
Pricing: Starts at $12,000 for an entry-level device.
- Gigamon is a market innovator, with support for the latest networking technologies, including 40Gb Ethernet.
- It offers a highly scalable multiterabit chassis design for high-density deployments in large enterprise, and for service provider deployments.
- Layer 2 through 7 support only covers the first 128 bytes in the packet payload, which doesn't allow more sophisticated rules based on packet data.
- The company has yet to create software-based solutions to handle virtualization or cloud applications.
Net Optics was covered in detail in the NPM section. Entering the NPB market early in 2002, Net Optics is an innovator and a co-creator in the space. Having started as a tap company, it added intelligence and new features to the taps to create NPBs, then made the leap to more sophisticated monitoring software. In 2011 Net Optics introduced the Phantom Virtual Tap for VMware technologies, providing traffic visibility inside virtual machines and clusters. The Director Pro products support filtering on Layer 2 through 7.
Pricing: Starts at $11,000 for an entry-level device.
- Net Optics was a market co-founder, and has comprehensive offerings of hardware solutions, including different levels of switch intelligence, taps and software-based products.
- With a healthy tap business, the NPB market has been a natural fit for expansion for the company. We expect this to continue with its entry into NPM.
- Net Optics is still very much a hardware business, though it has been transforming to a software business via recent product launches over the last 18 months.
- The company's centralized management needs to work across its diverse products versus the current fragmentation of centralized management solutions.
NetScout's acquisition of Simena in late 2011 created flurry of interest in this market, as the once-split separate NPB product ecosystem started to merge with providers of NPM and the tools that plugged into them. Since the acquisition, NetScout has rebranded and enhanced the Simena product it acquired with the launch of the NetScout nGenius 1500 packet flow switch. This product offering is a single form factor licensed by port groups. Additionally, NetScout has offered a virtual tap agent since 2010, the nGenius Virtual Agent. It provides visibility into virtual environments, but is not yet managed with the packet flow switch product offering.
Pricing: Starts at $20,000 for an entry-level device.
- One of the market leaders in NPM, NetScout is public, which allows execution transparency and viability in a challenging market.
- The company's pricing power in larger deals will provide buyers with attractive bundled pricing in this generally commoditized market.
- Leveraging these product features into a core appliance offering for NPM could present additional differentiators for NetScout.
- Layer 2 through 4 support only doesn't allow more sophisticated rules based on packet data.
- There is a lack of options due to having a single form factor, which can make the products less cost-effective for smaller deployments, or unable to scale for larger deployments.
After being spun off from its parent company, Brocade, in 2007, Onpath entered the NPB market in 2010. It is venture funded, with a backing of $16 million in two rounds of funding. It has a patented, scalable switch design that enables it to scale to large installations on a single blade chassis, similar to its competitors. The switches are used by network equipment manufacturers for automated testing and monitoring, and by enterprises and service providers for traditional NPB use cases. Additionally, it supports many media types and connections beyond Ethernet, including FC, Serial/PDH/SONET/SDH and OTN. Management software is easy to use, with a clean user interface that shows the details of each switch. The product fully supports filtering based on Layers 2 through 7.
Pricing: Starts at $25,000 for an entry-level device.
- Due to a large form factor and high scalability, Onpath tends to make larger deals with customers than many of its competitors.
- It has one of the easier-to-use interfaces for the configuration and management of multiple NPB systems in a distributed network deployment.
- Onpath offers low-latency switching overhead (Layer 1 connectivity and a multicast of less than 100 nanoseconds (ns), and Layer 2 through 7 packet filtering and aggregation of less than 600 ns).
- The company's market presence is weaker than that of market leaders.
- Product pricing is higher than that of many vendors for entry-level configurations.
VSS Monitoring was founded in 2003, and started by selling network taps and other aggregators. it moved into the NPB market in 2007 and has focused on that segment ever since. The company has multiple product lines that can interconnect to form a single brokering system. Each product line is geared toward specific use cases, such as the Distributed Series, which focuses on passive, basic filtering needs; the Protector Series, which focuses on active (in-line) deployment to manipulate and better measure traffic; the Finder Series, for in-depth deep packet inspection and filtering; and the TAP Series, for basic network tap functionality. The products support filtering on Layer 2 through 7.
Pricing: Starts at $25,000 for an entry-level device.
- Extensive API options allow integration into automated workflows; this is particularly important for the service provider customer, which was the company's historical customer focus.
- The vStack capability enables interconnection of VSS products into a single system, allowing autodiscovery and self-managed and redundant system mesh for monitoring redundancy and resiliency.
- Marketing and public relations are effective for VSS, but it often oversells the features and functionality of the NPB as a full-blown monitoring solution.
- Pricing is higher than that of many vendors in the market.
Many networks are being upgraded and redesigned. Based on the design decisions implemented, the placement of monitoring tools must be accomplished easily in centralized locations where traffic flows through a central point, typically in the core. This is a good location for strategic NPBs, which enable better visibility and longevity of tool investments, including NPM, APM, security and network forensics.
These tools are implemented by several teams, but by having a prepared connection point, much of the implementation time for proof of concepts or testing of the products, as well as installation can be avoided. Data collected by these technologies is likely to contain sensitive information, and must be part of many audits. Avoid capturing raw packet data that contains sensitive information, or use more advanced methods of filtering to remove the security impact these technologies can have from an audit or a threat footprint.
With a diverse set of technologies in the NPM and NPB markets, there is room for continuing consolidation, as well as the expansion of capabilities by vendors to ensure that customers can garner the most value for their investments, and build a strategic relationship with the vendor. Paying close attention to the life span of these technologies and how they fit into your plans for network growth and your upgrade path is critical for making the best investment decisions.