Datasheet: Network Time Machine | NETSCOUT

Datasheet: Network Time Machine - Fastest all-in-one appliance for back in time network and application analysis

Network Time Machine is a high-performance stream-to-disk appliance designed to continuously monitor and capture traffic on critical network links to facilitate back-in-time, deep packet analysis of traffic. Applications include:

  • Traffic monitoring and troubleshooting at private or public cloud edges
  • Analyze traffic across multiple network segments
  • Forensic troubleshooting of poor application performance
  • Setup or QoS analysis of Voice/Video over IP
  • Troubleshooting of tunneled traffic in Service Provider’s core


Unique Features:

  • Capture traffic on multiple Ethernet interfaces, from 10Mbps to 10Gbps at rates up to 20Gbps
  • Plug-and-play operation automatically identifies applications, collects and displays relevant statistics in userconfigurable dashboards
  • Innovative Performance Bottleneck Analysis (PBA) visually identifies whether problems are in the server or the network
  • Provides QoS metrics, statistics and trending charts of application and flow levels for buffered and historical data
  • Best-in-class, real-time Video/Voice over IP metrics and troubleshooting
  • Portable and rack mount versions with RAID options and multiple terabytes of storage
  • Application-centric analysis automatically shows application flows with intuitive drill down to identify root cause
  • Multi-segment analysis function builtin for quick problem isolation across distributed networks


High-performance network traffic recorders for critical link analysis, network forensics and back-in-time troubleshooting

Application infrastructure, like the network, is distributed and diverse. Traditional network monitoring solutions that provide connectivity and resource availability metrics are no longer sufficient to fully understand the factors that affect consistent application performance to users. When application performance degrades, network engineers need tools that can be quickly and economically deployed to provide full visibility to all events on key aggregation point(s) so that an assessment can be made to where the impact was felt, and isolate to the fault domain quickly: server, network or client. Furthermore, network engineers need to support application developers and system administrators by providing the evidence to resolve the problem. The Network Time Machine answers these needs by providing instant high-level visibility of which applications and users are affected, plus detailed flow and packet level analysis.

The Network Time Machine is available as either a portable or a rackmount unit. Portable NTMs are ideal for filling gaps in forensic visibility when troubleshooting or assessing network problems. The rackmount NTM, with its higher performance and larger storage capacity, is designed to monitor critical links for long-term forensic needs. Both the portable and rackmount platforms support 1/10G interfaces.


Network Time Machine is an all-in-one appliance that supports
real-time monitoring and back-in-time analysis


Application performance analysis

  • Capture cards with high performance 1 and 10 Gbps interfaces allow accurate traffic recording, including physical errors and jumbo frames
  • Real-time application monitoring alerts you to performance problems in network and application health
  • Performance Bottleneck Analysis with back-in-time metrics graphically guides the user to the problem domain across applications, sites and servers
  • Onboard application-centric analysis engine provides in-depth analysis of SQL, Oracle, LTE, MS Networking (SMB), VoIP, DNS, FTP, HTTP, POP3, Telnet, SMTP, SNMP, MS Exchange and Citrix from recorded packets
  • Built-in Wireshark™ decodes provide support of dozens of additional protocols used in telecom and enterprise environments


Multi-segment network analysis

  • Merges and analyzes flows captured from different locations and generates a multi-segment bounce chart. Quickly visualize and isolate the root cause of network problems, such as packet drop or abnormal network latency
  • Auto-sync function compensates for the variation between system clocks of capturing devices in network segments facilitating analysis even if the capturing device is out-of-sync
  • Supports clock synchronization from external sources: GPS or NTP


VoIP performance analysis

  • Realtime QoS, call type and codec analysis classification
  • See call setup problems (e.g. can’t connect, busy) without needing to see packet decodes
  • Drill-down to see which users (by phone number) are affected by poor quality or call setup issues
  • Seamless extraction of packets from SIP or H.323 call setup to RTP and RTCP steam
  • Playback voice and video simultaneously for problem verification including out-of-sync video and audio tracks


Network Time Machine’s stream-to-disk technology efficiently records and indexes network traffic for quick identification and analysis on the built-in ClearSight Analyzer

  1. Ethernet traffic is captured from multiple ports at full line rates by FPGA-based capture card (hardware filters supported)
  2. Entire frames are sent to the PacketStore (disk array) for storage and post analysis
  3. Entire frames are also sent to the various analytical and real-time monitoring engines that process, classify and index data – this information is stored in the metadata database
  4. The Atlas software interface provides access to the network metadata information to quickly identify the application flow in question
  5. For troubleshooting and in-depth network analysis, the ClearSight Analyzer provides packet view, which facilitates fundamental protocol, multi-segment flow analysis and content playback

Compliance/security forensics

  • See when a suspect host exhibits activities and who it talked with
  • Pattern matching with free offset, and application/flow based filtering to quickly extract relevant flow in the captured traffic
  • Bounce charts to show detailed transactions between suspect and target
  • FTP, messaging, email, voice or video can be played back to quickly gather the evidence required for action


Key Features

Intuitive Application Performance Bottleneck Analysis reduces time to setup and fault domain isolation
The Network Time Machine (NTM) automatically discovers applications and reports performance trending metrics by server, network and client site. The unique Performance Bottleneck Analysis (PBA) displays server, network and client site time for each TCP flow. PBA metrics show where application time is spent; immediately identifying the root cause of application performance complaints. In addition, the NTM also shows how related performance metrics change over time, allowing identification of the fault domain to a specific server, or network. The packet extraction process is integrated with the UI so that the set of flows exhibiting the problem can be quickly analyzed. Once the relevant packets are extracted, the NTM guides users from application to flow to transaction views using an intuitive drill down process. Bounce charts give a clear indication of how transactions transverse over time and indicate problem packets without going into decode view. The result is increased operational efficiencies through a reduced learning curve, shorter time to domain isolation and quicker root cause resolution.

Enhanced reporting and analysis of key performance indicators (KPIs)
With minimal configuration, the Network Time Machine trends KPIs over time for servers, applications and sites.

These indicators include:

  • Data volume
  • Retransmissions
  • Connections
  • Throughput
  • TCP resets
  • Excessive retransmissions by site or server
  • Zero window events

NetScout's Performance Bottleneck Analysis (PBA) is based on a patent-pending algorithm in which the analyzer isolates the time that a flow spends with the server, network and client. The algorithm requires one measurement point in the network near the end-point, such as the server or client. This speeds troubleshooting time as it does not require measurements at two locations to determine change in network latency.


The Performance Bottleneck Analysis function of the NTM V8.0 shows the average time application flows (for example, SMTP and HTTP) spent on the server and network. The bottom graph area indicates a sudden increase and return to normal in server time during the analysis period.

Users can go back in time to review performance metrics even when the underlying packet has been aged and replaced with more recent traffic.

Many performance report templates are available, and can be further customized. Reports can be scheduled daily, or created on demand for a specified time range. Some report templates include:
  • KPI status or trending report by application, server and site
  • Problem status or trending reports by application, server and site
  • H.323, RTP and SIP MOS distribution
  • Network KPI trends overview
  • Application/IP protocol distribution


Drilling into the PBA results from figure 1 shows how quickly NTM can get to root cause. In the upper graph, we note that the server time has increased. The middle graphs shows that this happened when the server reduced the number of connections it managed and transmitted a large number of TCP resets to the client(bottom graph).

Realtime Voice and Video Analysis
The Network Time Machine provides realtime metrics on voice and video performance - without additional agents or polling to the Call Manager. Even without visibility of the setup traffic, the NTM can reassemble the caller/callee information from the RTP stream in realtime to generate quality assessment for the video/voice stream. Its high performance capture and analysis architecture make it the ideal quickto- deploy analysis solution for VoIP in carrier grade operation.

Extract packets for a call with just a click of a button. Call setup and RTP/RTCP streams are extracted together, correlated and shown on a bounce chart for easy visualization and playback.

Display overall and individual call quality statistics.

Automatic Tunneled Traffic Analysis in multi-tenant networks
Tunneling protocols encapsulate traffic, much like VLANs in LANs, to segment and prioritize traffic. The Network Time Machine automatically analyzes and decodes tunneled traffic, allowing network engineers of Telecom Service Providers and Large Enterprises to conduct application performance analysis and troubleshoot applications in each tunnel quickly. A large variety of tunneling protocols are supported, including IpinIP, L2TP, PPPoE, GRE, MPLS, QinQ, PBB/PBT, and GTPU. Customized tunnel protocol support can be easily defined and added. In addition, filtering conditions can easily be configured based on tunneling protocol and bit-pattern for quick extraction of relevant packets.

Support for a wide variety of tunneling protocols is provided, or define your own.


Onboard Application and Packet Analysis
The NTM integrates the powerful application-centric analysis engine based on the award-winning ClearSight™ Analyzer (CSA) which provides automatic application analysis. For each application flow, the CSA automatically constructs bounce charts and notes with highlighted text and color codes to indicate application impairments, such as slow TCP sever response and error status. The unique PBA metrics for each flow are displayed as a pie-chart, providing quick comparison of time spent with the server or the network.

Performance Bottleneck Analysis of a connection between an individual server and client shows the time spent on the server, network, and client. This analysis can be done without the need of installing an NTM at both ends of the link.

Multi-Segment Analysis
The NTM supports multi-segment analysis so you can quickly analyze flows that are captured across multiple tiers of servers or network segments. Captures may be imported from OptiView XG, other NTM’s, the ClearSight Analyzer software or even Wireshark. This powerful capability visually identifies problems in timing, command/response and TCP level impairments such as lost packets or out-of-order sequence. It also supports WireShark decodes, providing visibility into a huge range of application issues.

Multi-segment bounce chart shows timing of packets as they transverse two network segments.


Secure Remote Control
Each NTM unit can be accessed remotely using the NTM Remote Agent Manager (RAM) or Remote Agent Viewer. A Remote Agent Manager can configure and control the NTM. Up to 20 Remote Agent Viewers can monitor an NTM simultaneously but cannot configure the NTM. User accounts can be setup through the RAM to limit each user’s right to extract packets captured in the NTM. Communication between NTM and Remote Agent Manager or Viewer is encrypted using SSL (RFC 1428).

The Remote Agent Manager and viewer software comes with unlimited licenses and can be freely installed in any PC running Windows® XP/Vista® 7 to access the any NTM on the network. Problems detected by NTM’s real-time monitoring are consolidated to a central problem manager within the Remote Agent Manager software.


Taps simplify access to a wide variety of network link types
Flue Networks’ tap solutions support 10/100/1000Mbps and 10Gbps links and are available in many configurations:

  • Inline Taps
  • Inline aggregation Taps
  • SPAN aggregation Taps
  • Inline switch Taps
  • SPAN aggregation switch Taps
  • Any-to-any port switch Taps


Up to 20 Remote Viewers can remotely connect to an NTM.


Simultaneously monitor up to four 1 Gbps SPAN ports


Simultaneously monitor up to four network segments


Simultaneously monitor two 1 Gbps full duplex links via inline tap

Product selection guide:

Model Network Monitoring Interface (Gbps)1 Number of Monitoring Interfaces Stream-to-Disk throughput (Gbps)2 RAID Configuration (Controller + ESA) Basic Raw Capacity (Controller + ESA) (TB)3 Maximum Raw Capacity (Controller + ESA) (TB)
Rackmount Standalone12 CSN/NTM-EX4-A 1 4 2 0 2 NA
CSN/NTM-ST4LA 1 4 4 5 8 NA
CSN/NTM-ST4MA 1 4 4 5 12 NA
CSN/NTM-PR4MA 10 2 5 5 12 12
Rackmount Expandable4,12 CSN/NTM-ST4EA5 1 4 4 5 + 5 8 + 24/36 8 + 192/288
CSN/NTM-PR4EA6 10 2 1 ESA: 5 8 2 or more ESAs: 10 5 + 5 8 + 24/36 8 + 192/288
CSN/NTM-PR4HA7 10 2 2 ESA: 10 8 4 or more ESAs: 20 5 + 50 8 + 48/72 8 + 384/576
1 4 3 0 4 NA
CSN/NTM-PO2B-1A9 1 4 4 5 4 811
CSN/NTM-PO2B-10A9 10 2 4.5 5 4 811
CSN/NTM-PO2B-10PA9 1 and 1010 4 or 210 10 5 8 8
  1. No SFP/SFP+/XFP transceivers are included with NTM. Please order separately CSN/ACC-90XX.
  2. Stream-to-disk throughput is the maximum traffic rate at which NTM can sustain storing data to disk with no packet loss.
  3. Raw capacity is total raw hard disk storage available. It will be shared by OS, NTM system programs, PacketStore and other temporary program buffers
  4. External Storage Appliance (ESA), CSN/NTM-EA-UGD or CSN/NTM-EA3-UGD, must be ordered separately.
  5. Number of ESAs supported are 1 up to 8
  6. Number of ESAs supported are 1, 2, 4, 6, 8
  7. Number of ESAs supported are 2, 4, 8, 12, 16
  8. This is the minimum sustainable S2D rate supported.
  9. Portable NTM comes with soft-shell Case on wheels. Hard case for shipping is available as option.
  10. This model host both 1Gbps and 10Gbps interfaces but only one set of interfaces can capture.
  11. Upgradable kit to CSN/NTM-PO2B-10PA available.
  12. All NTM Express, Standard and Premium come with a Rackmount kit. 48VDC support available for all NTM Standard and Premium model. 48VDC for ESA available soon.

NTM Portable PO1

NTM Portable PO2B

NTM Rackmount Controllers

NTM Rackmont Expandable with External Storage Appliance


Technical Specifications:

Model CPU OS Controller Dimension
(H x W x D)
Controller Weight Power Rating Mainframe
CSN/NTM-EX4-A Quad Core Intel
Xeon E5-2403, 1.8GHz
Windows Server 2008
Embedded SP2
4.28cm (1.68”) x
43.4cm (17.1”) x
61cm (24”)
12.45kg (27.4lb) One non-redundant 350W,
100-240 VAC,
CSN/NTM-ST4LA Two Six Core Xeon
Windows Server 2008
Embedded SP2
8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
28.8 kg (63.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-ST4MA Two Six Core Xeon
Windows Server 2008
Embedded SP2
8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
31.98 kg (70.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-ST4EA Two Six Core Xeon
Windows Server 2008
Embedded SP2
8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
28.8 kg (63.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-PR4MA Two Six Core Xeon
Windows Server 2012 Embedded Std. 8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
31.98 kg (70.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-PR4EA Two Six Core Xeon
Windows Server 2012 Embedded Std. 8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
28.8 kg (63.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-PR4HA Two Six Core Xeon
Windows Server 2012 Embedded Std. 8.73 cm (3.44”) x
44.4 cm (17.48”) x
68.4 cm (26.93”)
28.8 kg (63.5 lb) High Output, Two hotplug
1100W, 100-240 VAC,
CSN/NTM-PO1B Intel Xeon E3-1225 v3
@ 3.20Ghz
Windows 7
Embedded 64 Bit
26.9cm (10.6”) x
38.6cm (15.2”) x
17.5cm (6.9”)
10.4kg (23lb) 400W 110V-240V AC,
CSN/NTM-PO1B-A Intel Xeon E3-1225 v3
@ 3.20Ghz
Windows 7
Embedded 64 Bit
26.9cm (10.6”) x
38.6cm (15.2”) x
17.5cm (6.9”)
10.4kg (23lb) 400W 110V-240V AC,
Intel Xeon
E5645, 2.4GHz
Windows Server 2012 Embedded Std. 35cm (13.72”) x
42cm (16.46”) x
17.5cm (6.88”)
13kg (28.5lb) 600W 100V-240V AC,
CSN/NTM-PO2B-10PA Intel Xeon
E5645, 2.4GHz
Windows Server 2012 Embedded Std. 35cm (13.72”) x
42cm (16.46”) x
17.5cm (6.88”)
14kg (31lb) 600W 100V-240V AC,
    8.68cm(3.4”) x
44.6cm(17.6”) x
28.39kg (62.6lb) Two redundant 600W
power supplies, 100-240

The minimum system requirements for the NTM Distributed Agent Manager
and Remote Viewer are shown below.

Item Minimum requirement
Computer Industry standard computer (laptop or desktop), with a CD/DVD-ROM drive for software installation
Processor Pentium 4 (or equivalent) running at 1 GHz minimum (2 GHz recommended)
RAM 512 MB minimum (1 GB recommended)
2 GB minimum if running Windows Vista or Windows 7
Hard disk space 250 MB. In addition, you should have space to store saved trace files. Individual trace files can be as large as 1 GB, but it is not recommended to open a trace file larger than 256 MB. 2 GB minimum if running Windows Vista or Windows7
Operating systems Microsoft Windows XP Home Edition with SP3 (disable the firewall)
Microsoft Windows XP Professional with SP3 (disable the firewall)
Microsoft Vista (32 bit) with SP1 or SP2
Microsoft Windows 7 (32/64 bit)
Microsoft Windows 8 & 8.1 Professional
Monitor VGA color monitor with 1024 x 768 resolution and 256 colors
Network adapter Standard Ethernet network interface card

Gold Support Services

Gold Support allows you to make the most of your investment while ensuring a higher return on your investment. Minimize your downtime, receive faster troubleshooting resolution and have total access to all support resources.
With Gold Supprt, you'll receive:

  • Software and firmware upgrades free of charge.
  • Members-only training and webcasts.
  • Immediate 24X7 live technical support and consulting.
  • Complete access to our valuable knowl edge base.
  • Members-only promotions.


All NTM appliances come with 1 year standard factory warranty. Gold Maintenance Support for NTM Portables is available in the form of 1 year extended factory repair warranty. Onsite hardware service is available for NTM Premium, Standard and Express appliances (sold after July 2010) under the Gold Support Service (Network Interface Card not included).


For models, options and accessories, visit: