Searching for microbursts
For a computer network, a microburst is an unusually large amount of data in a short time frame that saturates your network and adds to latency. These bursts are seen as a spike over normal traffic when viewed on a graph. They are usually less than one millisecond long (or even shorter), and they typically occur during high traffic volume, such as after a major news event or announcement when many people are using the network simultaneously.
Note: Microbursts occur in every network, but are also very environment-specific. What may be a microburst for one company may be considered acceptable traffic for another. Given that many applications have error checking and retransmission algorithms, and that microbursts are so short that connectivity for most applications is not affected, microbursts are not a concern for many network engineers. However, some applications are more sensitive to microbursts, such as financial, audio, video, or multicast applications. The financial industry is especially keen about microbursts and reducing the effect of microbursts on their network. This section is written with a network administrator for a financial company as the primary audience, but any network administrator interested in microbursts should find the information useful.
You might have microburst issues if your latency is creeping into the tens of milliseconds (or doubling your previous baseline). Your brokers may know something is awry because revenue is dropping. Revenue is dropping because your broker’s trades are executed just behind others beating them to the market, thereby getting a better price and more revenue. All of this will occur and neither your brokers nor you may even be aware the microbursts are occurring.
Almost half of all trades executed globally are initiated and completed by computers, not humans. Since computers are reacting to price fluctuations, when a microburst occurs, packets may be dropped, which causes them to be retransmitted and that takes several milliseconds—nearly doubling the time to complete the transaction. A 1-millisecond advantage in trading applications can be worth $100 million a year to a major brokerage firm. 1
To prevent data loss because of microbursts, design your network so that its capacity can withstand the highest possible burst of activity in whatever a time frame you deem important (perhaps millisecond). Adding additional switches or load-balancers to your network are a couple of possible solutions. This way the link will never be constantly busy for more than one millisecond at a time, and no data will be delayed on the link for more than one millisecond.
Another option is to smooth out any traffic or applications not sensitive to latency or jitter sharing the same link. Using these options, you can optimize your network for bandwidth efficiency, performance, or a combination of both depending on each application’s requirements.
Even after identifying and correcting for all issues in your network, you may still have problems with your Internet Service Provider. A study performed by Microsoft Research indicates that microbursts are more likely to occur at edge or aggregation links.2 Therefore, it may be necessary to also have your ISP optimize their flows to you.
Practically speaking, the capacity necessary to keep latency below one millisecond is normally much less than the peak one millisecond data rate. This is because many links use buffers to hold the traffic exceeding the link capacity until the buffer can be cleared. Assuming the system can clear the buffer queue quickly when the burst ends, microbursts are avoided because buffer capacity was created.
In the GigaStor Control Panel, a microburst occurs when 1) the maximum bits per duration interval based on the capture card speed and utilization threshold you define is reached, and 2) the interval contains at least two packets (full or partial).
There are a few different ways to search for microbursts using Observer.
Using triggers and alarms to inform you when microbursts occur. Customize your triggers and actions and choose Microbursts from the Alarms list.
Using the Microburst Analysis tab is the easiest way to analyze large chunks of time for microbursts and view the decoded packets.
Using Network Trending for microbursts. This option is different than the packet capture and decode option available through the Microburst Analysis tab. First, packet capture does not need to be running for Microburst trending to see any microbursts. Second, Microburst trending can also be pushed to Observer Reporting Server and aggregated with Microburst trending information from other probes in your network so that you have a fuller picture of where and when microbursts are occurring.
Using the Detail Chart. This method is limited to a 15 minute time frame on the Detail Chart.