SPV - User Guide Documentation
Contents
1. 23 SPV User Guide Documentation Release 2 9 3 6 5 License Except the experimental virtual appliances for testing provided from our Web site the virtual appliances are delivered without license key You normally receive this key by e mail at the product s delivery If it 1s not the case please contact our sales department sales securactive net sales securactive net To install a license package as well as an upgrade package proceed as usual see License and upgrade installa tion page 25 3 6 6 Capturing traffic Virtual appliances are configured with only two network interfaces e ethO for administration ethl for sniffing traffic Any additional virtual adapters you may add will be listened for traffic by the packet sniffer Actual packet capture depends on the virtual switch you are using In the realm of VMWare s bundled Virtual Switch the promiscuous mode beware that name is misleading is actualy a port mirroring Also depending on the virtual switch configuration if the packet sniffer sets the promiscuous bit of the eth1 virtual adapter the mirroring mode will be activated automatically Refer to the Virtual Infrastructure Client manual http www vmware com for further details Under VMware Player you need to configure eth1 as a bridged device and give permission to the virtual appliance to turn it into promiscuous mode Other virtual switches may have different more features 3 6 7 Data storage Vir2. The data is merged i e the data is integrated in the reports with no consideration for the poller which has captured it in e Business Critical Application Dashboard Business Critical Network Dashboard Application dashboards Graphs performance bandwidth matrix Comparison tables Client Server Network performance Application performance Please note that in these reports you can enter a filter to view the data captured by one poller only The data is segregated i e the data is kept separated depending on the poller which captured the data in all other tables Please note that in these reports for a single conversation viewed by two pollers you will get two lines 3 5 3 What happens if a poller does not answer If a connection to a poller is broken the collector wait for it during 10 minutes After this time interval the collector will flag the poller as missing After these 10 minutes the collector stops waiting for the missing poller and restarts its activity Data integration will be 10 minutes shifted upon missing poller response again See example bellow minOO N IAN A pollerl ok poller2 ok gt data integration minO2 NI I pollerl ok poller2 fail gt wait for poller2 min02 minO4 N IAN N pollerl ok This may never be developed 20 Chapter 3 Deployment SPV User Guide Documentation Release 2 9 poller2 fail gt wait for poller2 min02 min04 same
3. List of recipients admingsi myfirm com Scheduling settings Report every 1 Day Period and time Start at 01 00 HH MM From To YYYY MM DE YYYY MM DI rv Figure 4 14 Create a new report To create a report template you must fill some information The name of the report for easy identification purpose The language option defines the language that will be used for this reports thus the language for the report can be different than the language of the web screen The list of recipients defines the email addresses to which the reports will be sent the recipients email addresses can be separated by a comma a semi colon or a new line e Scheduling settings define the frequency at which the reports will be sent Available options are Day Generates the report every x day s example every two days Week Generates the report every x week s the selected days example every two weeks on Friday several days in the week can be chosen Month Generates the report every x month s on y day example every month the first of the month be careful if you choose the day 29 30 or 31 you will only receive your reports if there is such day in the corresponding month e Start at defines the hour format HH MM at which the generation of the report will start Once the report will have been generated it will then be sent to the recipients email addresses 4 4 SPV Functiona
4. Server application dashboard You can access this dashboard either through the menu or by clicking on a specific server in the Application Dashboard This dashboard contains three bits of information EURT graph through time for this server and this application EURT breakdown by client zone so that you can compare the performance offered to different client zone from that server Comparison with other applications provided by that server so that you can identify whether a peak of transactions on another application is impacting the performance of that application and see the volume of data transactions and performance metrics for all applications provided by this server 52 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 Application End User Response Time sry hagia Hebe may DR dq raparg issik alee Inte herr ah TELP DA TT 17 ea 7a 0 EE m 1 uda rl Lt L 4 ax aw E EL D 2 m E TI n T T im td Server Overall Load fil A We 1280 m n tr a o Breakdown by cliant zone Server Applications Overview Ser EE Bien EEEEWEEERK Figure 5 14 Server Application Dashboard 5 4 4 Interactions Dashboard have been developed so that a single click drives on more detailed information on the object you are most interested in f you click on the EURT graph in any of these three dashboards you make a focus on a shorter period of time for example a SRT peak
5. X RD indic out e cT Figure 5 28 Network Round Trip Time analysis 58 Interpretation Guidelines 68 SPV User Guide Documentation Release 2 9 mE C SI LCD C 1 CN C 1L IC C NM CL M CN E 13 44 00 14 44 00 X RIT in X RTT out RD indic in 000mS RD indic out e cT 80 00 ms 13 44 00 14 44 00 RR out FRin Figure 5 29 Retransmission analysis Bandwidth from source to destination Info Query begin 2010 08 25 10 30 00402 00 Aggregate Level 15 minutes Query end 2010 08 25 19 30 00 02 00 10 30 00 19 15 00 tps 281 40 Koss NC udp 22 67 Kbis e itip 23 84 Kbis vpn 4 38 Kos NC cp 412 Kbis ssh 4 54 Kbis icmp 0 78 Kbis op clen 451 91 bis nmp at 495 30 bis mgcp gasteway 275 76 bis e other 10 80 bis I I 0 60 Mb s Figure 5 30 Retransmission analysis 64 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 The general slowdown for a client zone may also be the consequence of a crucial service the DNS Check out DNS Response Time page 75 Look at the Monitoring gt Bandwidth Chart to inspect the bandwidth variation and the number of TCP UDP flows as well Bandwidth from destination to source 10 30 00 1915 00 e mip 491 71 Kb s e mips 91 61 Kos ssh 43 77 Kos 300 Mb s NC udp 22 59 Kbis won 13 74 Kbis Wmip ak 415 Kb s e wc teo 1 76 Kbis e imaps 1 60 Kbis xop cient 085 Kbis 200
6. depending on the aggregation level you either reach a lower aggregation level for a shorter period or the corresponding performance conversations see Data Aggregation page 11 At the same time you will get the server and zone breakdown for that more specific period of time f you click on a server you reach the Server application dashboard f you click on a client zone you reach the Client zone application dashboard 5 5 SPV Comparison tables 5 5 1 Objectives SecurActive SPV presents performance metrics in the form of comparison tables to make it easier for network managers to compare the performance depending on where users are located This feature provides an easier way to compare application performance between client zones locate the furthest zones from a network latency stand point isolate communications where retransmission are impacting service delivery 5 5 2 Network Performance Table This table provide an easy way to compare network performance between zones e RTT Server 5 5 SPV Comparison tables 53 SPV User Guide Documentation Release 2 9 RTT Client e RR Server RR Client RD Server RD Client As many reports in SecurActive SPV the navigation through the data is based on a drill down mechanism which makes it possible to go from a very wide view of network performance throughout the network to a focus on the communication between 2 zones and then down to the detailed conversa
7. na 0 NaErmr 2 ServFail 3 NXDaomain 39 164 61 129 55 015 31 596 20 000 E rr Packets Traffic 2 9 MiB 6 8 MiB 3 6 MiB 3 7 MiB 2012 03 21 13 15 2012 03 21 19 00 Packets sum 645 427 Aggregate Level 15 minutes Number of collected results 4 DNS RT 97 ms 155 ms 18 m amp Have I got some configuration issues short TTL values lack of caching Look at the DNS conversations with the largest number of transactions This view can be accessed through Diagnostic DNS TCP events Performance Vision provides in depth view of TCP anomalies and events When conducting a troubleshooting this view can display TCP conversations where the sessions are not ended correctly Time outs RSTs This may help you understand when you can observe disconnections if the client or server side is responsible for it Bad transmission rate if the Data transfer is slow for a specific application it may of course be due to network congestion retransmission issues but also to TCP errors like 0 Windows By looking at specific conversations you can view whether the TCP window is being reduced and by whom client server Abnormal behaviors by sorting the TCP events by number of SYN packets you can easily view which ma chines are generating a very high volume of TCP session start which eventually do not drive to a complete TCP session setup If you see machines with large volume of SYN packets and fe
8. 1ms 1ms 1ms 55 2 1 168 20 15 5 1MiB 11434 15 1ms ims 1ms 57 4 1 168 20 15 1 3MiB 1692 11 61ms lt 1ms lt ims 1 52 5 1 168 20 15 2 0KiB 24 2 1ms lt ims 24 39 VLAN Sales fallback 192 168 20 15 m LDAP Inteme 14kiB 18 uu im ims lt im 13 17 VLAN Sales fallback 192 168 20 50 m Samba_CIFS 406Bytes 7 0 53 54 VLAN Sales fallback 192 168 20 220 m http 7 0KiB 93 D 1 49 57 VLAN Sales fallbadk al 168 20 233 netbios ssn 114Bytes 2 0 1 01 29 VLAN Sales fallb adk 192 168 20 220 m http 231Bytes 3 D 1 168 20 50 m http 7 OKiP 84 b 1 6 m http 2 1 8 1 1 Figure 5 39 Peak in server response time Conversations To confirm this we need to check that these two hosts are the only ones to be impacted and check whether they are impacted only when accessing to the Fileserver To do that we have a look at the Performance conversations between the VLAN Sales and the Private zone From this we can draw the following conclusions Not only 192 168 20 212 and 192 168 20 205 but also 192 168 20 220 and 192 168 20 50 are impacted e The Samba CIFS access to the fileserver is not the only application impacted but SMTP HTTP and the Web Intranet SecurActive Actions to be taken after that analysis Check the windowing configuration on the operating system of these hosts if high value this is normal Check the level of usage of the host CPU RAM usage Alternative scenarios f we had seen some retransmission
9. 804 396 8KiB Time Exceeded 11 Time to Live exceeded in Transt 0 172 16 1 20 Main office fallback 172 16 7 254 Rome fallback 161 udp 52 Main office fallback 993 122 2 KiB Destination Unreachable 3 Host Unreachable 1 172 16 1 48 Main office fallback 10 16 5 5 Headquarters fallback na icmp 254 Main office fallback 778 53 2KiB Time Exceeded 11 Time to Live exceeded in Transt 0 172 16 8 250 Drogenbos fallback 172 16 7 254 Rome fallback na icmp 254 Main office fallback 775 53 0 KiB Time Exceeded 11 Time to Live exceeded in Transt 0 172 16 8 250 Drogenbos fallback 172 16 7 254 Rome fallback na icmp 225 Main office fallback 703 48 1KiB Time Exceeded 11 Time to Live exceeded in Transt 0 172 16 1 52 Main office fallback 172 16 7 254 Rome fall back na icmp 181 49 SRV LBD 682 247 1 KiB Destination Unreachable 3 Port Unreachable 3 172 16 1 24 Main office fallback 192 168 181 49 SRV LBD 137 udp 181 49 SRV LBD 680 246 4 KiB Destination Unreachable 3 Port Unreachable 3 172 16 1 24 Main office fallback 192 168 181 49 SRV LBD 137 udp This view can be accessed through Diagnostic TCP events SPV User Guide Documentation Release 2 9 A Aggregation 11 77 Aggregation period 83 Alerting 39 Application 6 32 65 70 83 Application NC 83 Application Port Range 83 Application Signature 83 Autopcap 56 B BCA 34 43 BCN 35 44 Browser 77 Business Critical Application 34 43 Business
10. All Y internet Private X Private Fallback hd Dantin O Q Rad wQ Labo O Q Sales V Q Ww Dantin fallback Private fallback Internet Figure 2 1 Zone set schema and zone tree displayed in SPV configuration 2 2 2 Zone fallback A zone fallback or fallback only 1s the set of IP addresses which belong to a zone but to none of its children zones They are automatically created for zones that contain child zones Fallbacks are thus not configurable At first we didn t have the DMZ and LAN zones see illustration The IP addresses 192 168 0 42 and172 16 30 45 were thus put into the Private zone since they both match the definition of this zone Then we created both the DMZ and LAN zones Now the classification of those IP addresses is as follow the IP address 192 168 0 42 is both part of the Private zone since it is defined by the subnet 192 168 0 0 16 and the LAN zone which is defined by 192 168 0 0 24 Since the latter one has a more accurate definition to store the IP it falls into the LAN zone the IP address 172 16 30 45 however is part of the Private zone but none of its children Thus to distinguish from the previous case it is stored in a special zone called Private fallback which means the IP is part of Private but not more 2 3 Application concept The main objective of application is to easily categorize network usage Through this concept which is a key no
11. Pulsar Connect to pulsar via ssh or from the virtual appliance console on the Esx it Interface APS source local lo B B88B 1 eth 68 BOB Z ethi 41 84KiB Press g to enable graphical statistics Press d to enable detailed statistics prev interface v next interface lt prev node gt next node help 9 1 4 Configuration The Performance Vision Virtual Appliance is shipped with a default configuration that will likely not match your site very closely For a better experience it is recommended that you spend some time configuring some additional zones and applications to suit your traffic Here are the sections you should consult in order e User Management page 29 for adding new users Zone configuration page 30 for adding new zones or modifying the preset configuration Application configuration page 32 for registering your specific applications Business Critical applications page 34 and or bcn config to define your business critical applica tions links Reports page 37 to schedule periodic reports that will be sent via email 9 1 Virtual Appliance Step by Step 105 SPV User Guide Documentation Release 2 9 9 1 5 Six pages you should not miss in Performance Vision Network performance Performance Vision provides a series of views on how your network is behaving Here is a selection of views you should absolutely use Business Critical Networks Provided you have configured some critica
12. ea SecurActive SPV User Guide Documentation Release 2 9 by the Securactive Documentation Team July 02 2012 CONTENTS Release notes 1 KI WV Oe IE v auc ee APER owe ee US don d P OX M CUR FPES e 12 Wit Siew I2 s 59 9x3 X Xxx ROROEGK ERE ONG om ETC EDS m RR EES 2 Lo OM Sew IN oes bbe ee R3 3 04909 FLOS EOS WORK OE We amp UE OP ER MERC OR EEG 3 LA Wha snewin26 246645440 X3 x doo 99 x 43 4 3 x x 9 x 489 S405 UA X Xo 9 s 3 l WHEW INED x 20k genes Ow eee eH EGS Ee AIV RP RE dos UE RE S 4 Main terms and concepts 5 2 General Conventions 464005 o 39 9o 3 idorai tared X 9o x ROEXOEGE ROW o8 5 2 4 Zones amp Fallbacks cs sa ooa moo SASS 9m cR REOR SC Rud m eR Ro 9 BEES ES 5 2 5 JXBDIDSBUOHNSOBESDE s se v osom x Ron 64 Yee 6 oe ee Eee ORO Ee EE RR Poe oe 6 24 TP BRIGPSUBe espr vx 4 REE eRe Ea ee ee ER oe SOM E EEG ROX 9o Eee 7 2 9 Conceptof Conversation 4224446646468 b ra ROROE ROSOE AER Ro 30 R3 CHEESES 8 26 Source Destination Matrix s uo og eed E ds de HOw 9e HEED DH EEA 3 4 ow os 10 2 dJTOGOASSICEGUOD son x94 CGE G4 gad saek aga dki EEE HE SHE EG 1 Deployment 13 3 1 How to integrate Performance Vision in your network 2 1 ee ee ee ee 13 3 2 How to capture traffic 2 ecko ch POR E eS ee OR SOR ROS eeo 3 6 4o RORokoEO eG de 14 3 9 SUpPPored Protocols au ots pease idres Soe eRe REE Oe 9 Xe Oe ee eee 5 95 15 3 4 Port mirroring and duplicated packets
13. 4Te R Gauge SpvBCADTTServer 10 T R Gauge SpvBCATrafficClient 11 R Gauge SpvBCATrafficServer 12 R Counter SpvBCATrafficClientSum 13 dee R Counter SpvBCATrafficServerSum 14 q ee R Gauge spvBCAThresholdMinSRTcount 15 T R Gauge SpvBCAThresholdWarning 16 Tee eB Gauge SpvBCAThresholdAlert 17 spvNevraxBCATime 2 BCN module t sactSPVBCNModule 2 t spvBCNStateTable 1 t spvBCNStateEntry 1 Index spvBCNName qee R SLETDS sSpvBCNName 1 qpee po Sern SpvBCNZoneA 2 tee e na spvBCNZoneB 3 po R EnumVal SpvBCNGlobalStatus 4 Values Ok 1 Warning 2 Alert 3 NA 4 Nothing 5 NotEnough 6 t R EnumVal SpvBCNStatusAtoB 5 Values Ok 1 Warning 2 Alert 3 NA 4 Nothing 5 NotEnough 6 R EnumVal SPVBCNStatusBtoA 6 Values Ok 1 Warning 2 Alert 3 NA 4 Nothing 5 NotEnough 6 1 R Gauge SPVBCNRttAt oB 7 Toe c R Gauge SPVBCNRttBtoA 8 t R Gauge SPVBCNRrAt oB 9 T R Gauge SpvBCNRrBtoA 10 pese cm Counter SpvBCNRetransCountSumAtoB 11 R Counter SpvBCNRetransCountSumBtoA 12 t R Gauge SpvBCNBandwidthAtoB 13 40 Chapter 4 Configuration quesos age pe cepe COUN ter Toi She Counter Tes ae e COUN LE doe Rho gt COUnEer fas ccRocscEnumvad Values 26 SRS Gaug
14. BIAUTO NIMLOC NB 15613 1 4 MiB WPAD 32 NIM LOC NB 15567 14MiB WPAD 32 NIMLOC NB 11948 1 0 MiB AUDEBERT P 32 NIMLOC NB na 10711 962 3 KiB AUDEBERT P 32 NIMLOC NB na 10118 909 0 KiB BIAUTO 32 NIMLOC NB na 7795 700 3 KiB wpad IA 2 ServFail 6934 433 4 KiB vpad INA 2 ServFail 6930 433 1 KiB 1 32 NIMLOC NB na 5964 535 8 KiB proxy 11A 2 SerFail 5144 326 5 KiB WPAD 32 NIMLOC NB na 4458 400 5 KiB deruevsieur 8 1 A 2 ServF ail 3326 237 1 KiB deruevsteur08 1 A 2 ServFail 3324 237 0 KiB Chapter 9 Appendix SPV User Guide Documentation Release 2 9 UP Application Traffic Payload Packets Conn attempts Conn established 0 Win RD indic cit RD indic srv Dup ack Sess end Num timeout Client RST Server RST B Web test 1 1 MiB 828 6 KiB 5042 228 228 255 36 228 94 334 2 39 https 320 5 KiB 192 1 KiB 1885 126 246 0 126 247 0 00 W https 1 4 MiB 1 2 MiB 4190 76 12 1ms 8 64 12 66 32 W https 1 3 MiB 1 0 MiB 4217 53 1 1ms 53 53 B NCtcp 210 1 KiB 160 7 KiB 832 30 30 24 16 30 10 24 6 4 https 290 4 KiB 257 9 KiB 606 22 22 21 1 22 19 21 W NCtcp 124 9 KiB 99 8 KiB 424 12 12 12 3ms 2 12 7 12 W https 29 9KiB 23 3 KiB 96 6 10 1 5 1 10 W https 4452 KiB 407 9 KiB 699 14 14 9 2ms 4 14 1 9 m NCtcp 24MiB 22MiB 2819 8 8 4 8 3 8 9 m https 25 1 KB 18 9 KiB 101 7 7 7 T 7 7 0 W http 724 7 KiB 656 7 KiB 1127 45 45 T 1ms 1 45 1 7 0 m http 724 7 KiB 656 7 KiB 1127 45 45 7 1 ms 10 4
15. Connect to Pulsar see Pulsar page 26 2 Enter the command to launch the trace for example tcpdump i interface host lt host 1D 3 Enter Cont rol1 C to stop the trace Note you can access a help by entering help tcpdump you can refer to tcpdump command http www tcpdump org Please have a look at the online manual http www tcpdump org tcpdump_man html all parameters are availiable except the w Accessing the tracefile You will not be able to view the trace through Pulsar to access the PCAP file you should connect to the probe via FTP using a FTP client and the Pulsar admin user see Pulsar page 26 5 7 3 Automated packet capture AutoPCAP Principles Performance Vision can capture packets automatically in case abnormal values are observed on critical servers These packets are presented for later analysis as PCAP files which can be downloaded through the web graphical interface at the conversation level 56 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 Applications These files are presented in the following views Conversations e DNS messages VOIP details In each of these views a column at the right end of the table indicates PCAP a small icon indicates that packets have been captured for a given conversation or not If the PCAP file is available you can download it by clicking on the icon Once the file has been downloaded you can view the p
16. MONITORING f SPV User Guide Documentation Release 2 9 NEZ guration 2 9 6 r1 2012 04 04 13 38 admin logout help B ANALYSIS B vorr i Dashboards Critical All E Business Critical Networks Client Zone Client Zone Application Begin 2012 04 04 12 32 End 2012 04 041332 Q Q Server Zone Critical Application z all No results Figure 9 19 Once logged in you access this page Usage poller poller add IP poller modify poller delete APS poller Name Address Created the Device ID Device md5 Time SPU Uersion Sniffer status Sniffer version License Expiration Figure 9 20 The status of the license can be validated in Pulsar with the command poller IP IP APS localhost rA WA TA ee ae A 564D9B2D C67 F AS62 736B 6848A68580682 89f a724182HBbaf e6f ccBBda13b364dZa 2012 82 15 17 24 amp 6 9 13 reZ ok pid 2768 i ie E invalid no limit Configuration ce SecurActive DASHBOARDS 5 4 MONITORING ANALYSIS B vorr 2 5 13 r2 2012 02 24 11 42 admin Logout Configuration e A saina amp Pollers Log Current State u orks Appli Pollar Created Address Device ID Probe Time s Suter License Name version Status Version Status Wel 02 24 02 APS us uer localhost 564DBD87 e n 2 5 13 r2 ok pid 2869 2 5 13 invalid Dyn P 11 01 11 41 Rep Logs No pollers log found Is the sniffer working Fi
17. User Guide Documentation Release 2 9 APS config dns DNS type for help DNS server 180 1 6 6 8 8 8 8 Configuration summary DNS seruers 18 1 8 6 8 8 8 8 Figure 9 15 DNS configuration APS conf ia network NETWORK type for help Connection Type Enter 2 for DHCP Your choice 1 IP address netmask gateway type empty to remove Configuration summary NETWORK 1 interface ethB connecttupe Static address 18 1 8 12 netmask WAA COS 0 gateway ee ee Ge ee Reboot now Enter 1 for yes Your choice _ Figure 9 16 Network configuration Logins TEP Password S3c7r You can validate that the license is right from the Web interface of the virtual Appliance by clicking on Config uration then Pollers Status The license key will be displayed with its expiry date and its status See License and upgrade installation page 25 for more details Access to the Graphical Interface Use the IP address configured for the Virtual Appliance to access the GUI with a Firefox web browser Depending on the configuration the probe can be accessed through the following ports TCP 80 TCP 8080 or HTTPs The default account to access the GUI is user admin password admin Beware that this account is distinct from the account used to access Pulsar Apart from the trial version the Virtual appliances are provided with no license key You have to get the license key which
18. packet the DTT will be of 0 DTT client is the same metric in the other direction DTT sum of both server and client DTT is meaningful of the time the user is going to have to wait for the response to circulate on the network from the server to the client It is not dependent on the Server Response Time e g a DTT might be short for a long SRT the request might require a large calculation but the result represents a small volume of data or a DTT might be very large but SRT very short because the request is easy to handle but the response is very large DTT depends on from the largest impact to the smaller the size of the response the more data is contains the longer it takes to transfer it the level of retransmission the more packets are retransmitted the longer it will take to transfer the whole response the network latency the longer it take to transfer packets through the network the longer it will be to transfer the response minor impact the actual throughput which can be reached to transfer the response from the server to the client DTT may vary for most common to a the rarest globally or not on a per transaction basis if only for some transaction it may be linked to the size of some specific application response for all client zones or for some only if for some client zones only it may be linked to specific network conditions retransmissions for all servers or for some
19. this is not an error if the aggregate level changes from one page to another 6 3 How can SRT be greater than DTT Every DTT is preceded by a SRT but both are not computed simultaneously DTTs are not stored until the data transfer is complete SRTs are stored as soon as the first packet of the response is seen Thus it is frequent to have more SRTs than DTTs when browsing recent data 7 SPV User Guide Documentation Release 2 9 6 4 How can we have 0 packets and no traffic at all on a conversa tion This is a common case when the observation period encompass the end of a timeouted conversation No packets have been sent during the observation period and the elapsed time since last packet have reached the timeout limit 6 5 What is this timeout column in Analysis TCP Error As there are no timeout in standard protocol as TCP UDP this is an application level notion that the packet sniffer must guess We consider the conversation as timeouted after 2 minutes without packets exchanged 6 6 Why are some DNS request names missing Although DNS protocol states that the question section must be present in the requests not all DNS messages are name resolution requests Some DNS server may use message types unknown of the traffic analyzer that do not embed anything meaningful in the question section of the message For instance the NBNS server statistic report is such a message that makes no use of the question section
20. wait more and more poller2 data minl2 RA KARA pollerl ok poller2 fail gt integrate data of pollerl for min02 gt wait for poller2 min04 min06 min 08 minlO minl2 minl4 RA KAA pollerl ok poller2 ok gt integrate all data pollerl and poller2 Conclusion RA IN AN IAN IAN AN AI Data lost poller2 min02 3 5 4 How configure a poller All pollers are available via SSH using the Pulsar shell just like you access to the collector please refer to Pulsar page 26 A poller shell allows you to configure the poller IP hostname etc But some commands like reset or poller are not available The collector s shell allows you to show and to create or delete pollers To do this please use the poller command help poller for details 3 5 5 Limits The distributed architecture provided by version 2 5 has some intrinsic limits There is no feature for deduplication between pollers i e a network flow captured by two pollers will counted twice in reports that merge data from several pollers 7 If there is some load balancing at the packet level and not at the session level and two pollers view two different parts of the traffic the collector will not be able to rebuild this flow and no performance metric will be available in this case The positioning of each poller with regards to client and server will have some impact on some metrics SRT RTT Server RTT Client RR Server RR Client
21. 200ms 124162134 OBytes 0 i B 200 400 600 800 1 0001 2001 4001 600 Bir Esr Wor Figure 5 35 Peak in server response time Application EURT 2 Application dashboard Applications behavior analysis Start afte 2010 06 07 08 52 Start before 2010 06 08 11 34 More yyyy m m d HH MM yyyy mm dd HH MM Application Samba CiFS Search Application performance Info Query begin 2010 06 07 08 00 00402 00A ggregate Level 7200s Query end 2010 06 08 10 00 00402 00 08 00 00 08 00 00 6 DIT 12 54 ms SRT 17062 us amp RIT 23 07 ms 1200 18 00 Jun 08 06 00 08 00 00 08 00 00 Transactions 1 157 309 000 12 00 18 00 Jun 08 06 00 noz m 1800 m gt 06 00 eakdown by server Breakdown by zone client Breakdown by server Breakdown by zone client VLAN R amp D 192 168 20 9 LAN Sales fallback 0 5 1 0 1 5 2 0 2 2 6 8 10 12 Man Bs Mor l Darr Bs Mor Figure 5 36 Peak in server response time Application dashboard Interpretation Guidelines 67 SPV User Guide Documentation Release 2 9 We can easily identify that this was due to a degradation of RTT Round Trip Time indicator of network latency and not to the Server Response Time SRT or the Data Transfer Time DTT From this graph we can conclude that the server and the application are likely not to have any relationship with the slowdown By looking at the two bar charts which show respectively the breakdown
22. 38 Figure 5 33 Number of RST packets sent from the TCP servers Prerequesites Zones have been configured to reflect the customer s network topology The application Samba CIFS has been identified The traffic to the fileserver is mirrored to one of the listening interfaces of the probe Where to start a global view of the application performance 1st example er avg 315 11 me SRT avg 470 52 ms S IRI avg 68 21 ms 14 10 14 20 14 30 14 40 14 50 15 00 14 04 00 1504 00 Transactions sum 1 452 i 14 10 14 20 14 30 14 40 1450 15 00 Breakdown by server Breakdown by zone client Begin 2011 04 04 14 00 00 02 00 Aggregate Level 15 minutes Info Begin 2011 04 04 14 00 00 02 00 Aggregate Level 15 minutes Info End 2011 04 04 15 15 00 02 00 End 2011 04 04 15 15 00 02 00 Internet JE Paris fallback SRV PROXY Drogenbos fallback 3 999 Park DE 2 Frankfort fallback OO NN Turin fallback 3 Madrid fallback 3 Site Central fallbacki tT T T T 1T T 4 1 1T 1T 1 5n 3 100 200 300 400 500 600 700 500 1 000 1500 2000 2500 Figure 5 34 Peak in Server Response Time application performance Display the Application Dashboard for a relevant period of time We can easily observe a peak in SRT from 6 to 18 15 From the breakdown by zone we can easily conclude that only one zone has been impacted By clicking on that zone we can see this client zone app
23. Critical Network 35 44 Byte 5 C Client 8 Connection Time CT 83 Conversation 7 77 83 D Dashboard 43 44 48 51 Data Transfer Time 83 Deduplication 17 78 Delta sessions 83 Destination 8 Device Identifier 83 Distributed Architecture 19 DNS 75 78 DTT 61 77 E Email 39 End User Response Time 83 EURT 50 60 F Fallback 5 84 Flow 84 ICMP 72 INDEX Initial Sequence Number 78 84 IP merging 7 J Jitter 47 84 K KiB 5 L Language 29 License 25 M Matrix 10 MiB 5 Mirroring 14 17 MOS 45 47 O Observation period 84 Open Source 79 P Packet Analysis 56 Packet Loss 47 PCAP 56 PDF 36 Promiscuous mode 24 Protocol 15 84 Pulsar 26 27 R Report 36 Reset 71 Restore 27 Retransmission 71 84 Retransmission Delay 84 Retransmission Duplicate ACK 84 Retransmission Rate 84 Retransmission Total 84 RFC RFC 1034 75 RFC 1035 75 RFC 1918 5 113 SPV User Guide Documentation Release 2 9 RFC 3261 45 RFC 3435 45 RFC 3550 45 RFC 3551 45 RFC 3605 45 RFC 3927 5 RFC 4193 5 RFC 429 5 Round Trip Time 84 RST 71 RTCP 44 RTP 44 RTT 60 S Server 8 Server Response Time 84 Session 79 84 Shell 26 Signature Dynamic port 84 Signature Web application 84 SIP 44 SNMP 39 Source 8 SRT 60 77 Subnet 85 Support 28 T TAP 15 TCP 54 78 79 TCP Handshake 85 Tcpdump 56 7
24. Dashboard This confirms the following conclusions RTT went up for the VLAN_Sales only Understanding what is the perimeter of the slowdown We now know that only VLAN_Sales was impacted by this slowdown due to a longer network RTT We therefore need to understand whether this was general i e impacted all clients in the zone or isolated to certain clients To achieve this we can simply display the Performance conversations for the application Samba CIFS for the zone VLAN Sales Here is the result From this screen we can draw the following conclusion Only the clients 192 168 20 205 and 192 168 20 212 seem to be impacted The other clients have very short RTT values 68 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 c Conversations 7 Performance and analysis of individual conversations Start after 2010 06 07 12 00 Start before 7 2010 06 07 18 00 More mm dd HH MM ryyy mm dd HH MM Client Zone VLAN Sales y Server Zone 7 SRV FileServer v Client IP Server IP 2 192 168 20 9 Both client and server IP Application Samba CIFS Protocol Any Search Info Query begin 2010 06 07 12 00 00 02 00Aqgregate Level 900s Query end 2010 06 07 18 00 00402 00 Number of collected results 6 Client IP Server Zone Server IP Application Traffic Packets Handshake EURT RTTin RTT out 192 168 20 205 SRV FileServer 192 168 20 9 m Samba CIFS 9 8KiB 43 1 ims 195ms 192 168 20 212 SRV Fi
25. Documentation Release 2 9 80 Chapter 6 Frequently Asked Questions CHAPTER SEVEN KNOWN ISSUES 7 1 Configuration If an application is defined with both a webpattern and a client or server zone then all conversations matching this webpattern but not the zone will belongs to NC TCP even if it should belongs to another application according to the TCP ports 7 2 Interface There is no error message when a login attempt fails Sometimes where plotting data for the last hour the chart ends with a value at zero In the charts when a high value is immediately followed by a zero value then the smooth interpolation algorithm makes it go underneath the 0 line just after the O value When another language than English is requested some buttons are labelled in English nonetheless 7 3 Various SMTP delivery of reports lack retries There is no procedure to delete oldest data whenever the data disks become full Configuration dump restore don t work across version boundary 7 4 Sniffer In case of IP fragmentation the timestamps of involved packets are set to the last received one 7 5 Upgrading In some cases the sniffer may fail to restart after an upgrade and leave some stalled processes if it is restarted on its own with Pulsar page 26 One of the possible symptoms is that the poller command in Pulsar fails to display the poller and license status Rebooting solves this issue 81 SPV User Guide Documentation Release
26. Mapping 6 Click on Finish the Virtual Appliance gets installed You will get notified when the installation is com plete 7 Once the Virtual Appliance is installed you have to start it by clicking on Power on the Virtual Machine or on the green triangle 3 6 4 Access the virtual console Display the Console tab and access the CLI interface named Pulsar Performance Vision ee ae Cote en airs tee Console SE b 0207001 ADDRCONE CN NEU CHAN eth rink becomes reads 33 335434 warning proftpd uses 32 bit capabilities leg e 34 3802787 e1888 ethi e18464 set_tso TSO is Disabled 34 3121841 e18BB ethi changing MTU from 1588 to 1888 Debian GNU Linux 5 8 spv ttyl spy login 47 1288721 e18BB ethi NIC Link is Up 18BB Mbps Control None 47 1248791 ADDRCONFCNETDEV UP ethi link is not ready 47 1272581 ADDRCONFCNETDEV CHANGE ethi link becomes read 47 2757421 device ethi entered promiscuous mode Debian GNU Linux 5 8 spv ttyl spy login _ The probe is launched When the network interfaces turn into promiscuous mode click on the Console view and then Enter to display the login prompt Please note clicking on the black screen deactivates your mouse To reactivate it you can use the key combination Ctrl Alt To configure the probe please refer to the Pulsar page 26 chapter After configuration you have to reboot the virtual applicance 3 6 Virtual Performance Vision
27. Monitoring Network Performance Table Network performance chart This view will show the main network performance metrics through time for a given selection from one zone to another for example round trip time retransmission delay connection time retransmission rate volume of packets This shows the evolution of the network performance as in any view in Performance Vision you can drill down to the conversation level by clicking through the graphs You can access this view in the graphical interface in Monitoring Network Performance Chart Application performance Performance Vision provides a series of views on how your applications are behaving Here is a selection of views you should absolutely use 106 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Client Zone Network Performance Chart Begin 201203211324 End 20120321 1924 o25000 a one Client IP Figure 9 34 Network Performance Chart Business Critical Application Dashboard Provided you have configured some critical applications setting thresholds on quality for a given application you will get a summary screen of the performance of your most critical applications on this screen This is an auto refresh screen whose data can be integrated in your SNMP based monitoring suite By pointing a specific time and link you can view the origin of a degradation round trip time server response time data transf
28. Packets are saved by Performance Vision as soon as the conversation they belong to matches a certain number of conditions One of the hosts either client or server for whichever protocol is a server for one of the Business Critical Applications One of the following metrics is considered as out of the norm Server Response Time SRT for TCP flows Retransmission Rate DNS Response Time 5 7 Packet level analysis 57 SPV User Guide Documentation Release 2 9 58 traffic pcap Wireshark Ble Edt mew Go Capture Analyze Statstes Telephony Tools Help TKa SFSEEAXPSS RPSCOFLZiIPSS QQQqah uammslg B A Ethernet II Src Htc b2 26 6a 00 23 76 b2 26 6a Dst NexcomIn Oc f3 ae 00 10 f3 0c f3 ae RB Internet Protocol Src 192 168 50 50 192 168 50 50 Dst 216 52 242 80 216 52 242 80 Figure 5 21 Viewing packets in Wireshark BREAD traffic pcap Wireshark Follow TCP Stream Syrma onc jkkzt Svcpn lot skaprivipadzgninsrsNbszvonektejaPejctesdabehbiniegosbbren zovds comm_afe HTTP 1 1 cept ai eh 302 moved Temporarily Server Apache coyote 1 1 Set Cookie _lipt deletexe E res Thu 01 Jan 1970 00 00 10 G T Path Set Cookie JSESSIONID ajax 5 42896862708880674 i version 1 Path pP CP CAO DSP COR CUR ADMI DEVE TAI PSGrT hlink 910 13073939975 2 amp redirect64 1Bpc5vrmRLoRZcjkkzt 5vcpnlor3RApnhepmdzgehxr SNBszvonPkTejAPe cTc3d9bPhbi ne I amp trk EML
29. Selected 1 file Total s Empty directory Delete Server Local file Direction Remote file Size Priority Status il Queued files Failed transfers S Successful transfers T Figure 9 17 Find the Performance Vision license key file right click on it and choose Upload ftp 10 1 0 110 FileZilla Password seeeee Port Status Retrieving directory listing Command PASV Response 227 Entering Passive Mode 10 1 0 110 222 223 Command LIST Response 150 Opening ASCII mode data connection for file list Response 226 Transfer complete Status Directory listing successful x Local site Users franckolivier SECURACT IVE Generic Licences f Remote site 8 b Public v SECURACTIVE T APS Archi Clients T Doc VM Generic Licences Filename v l Filesize Filetype Last modif Filename g m License aps GENERIC 2012 20 480 MacBinary 12 12 20 License aps GENERIC 20120801 bin License app GENERIC 2012 20 480 MacBinary 12 12 20 Selected 1 file Total size 20 480 bytes 1 file Total size 20 480 bytes 2 Server Local file Direction Remote file Size Priority Status Figure 9 18 The installation is complete when the license key is not available anymore by refreshing the destina tion folder lists Username Password 96 Chapter 9 Appendix e SecurActive DASHBOARDS amp
30. a web browser using HTTP on port 80 to access to different web sites for a period of time Originally you will see for that period Client Zone Client IP Server Zone Server IP Application Traffic Internet 86 71 197 86 Private fallback 192 168 50 34 E http 535Bytes Figure 2 2 TCP conversation before degradation Once data has been aggregated if you query the same period of back in time you will have Merged for the Client IP means that the two conversations to the different Internet clients have been merged into one single entry This is only done when the Zone is Internet and matches the same server application couple So you still know that this server was accessed from the Internet zone with the ht tp application on the port 80 2 4 IP Merging 7 SPV User Guide Documentation Release 2 9 Client Zone Client IP Server Zone Server IP Application Traffic Internet Merged Private fallback 192 168 50 34 B http 5 5KiB Figure 2 3 TCP conversation after degradation 2 5 Concept of Conversation 2 5 1 Objective amp Definition The objective of a conversation is to group a set of data exchanges between two hosts for a single application into one basic entity to be able to report on network traffic in a more user friendly way A flow is a group of data exchanges between two hosts for one application over the aggregation period A conversation is a group of flows over the observation period The observation period is defined b
31. and 10242 Mi mebi For more information about binary prefix please refer to Wikipedia page http en wikipedia org wiki Binary prefix 2 2 Zones amp Fallbacks 2 2 1 Principles A zone is a virtual container in which groups of IP subnets can be kept and organized Zones are used to map the network and to present data in accordance with the context A zone contained inside another zone is called a child zone of that zone Together the Zones form a hierarchy or a tree structure The following zones are created by default e All contains all possible IP addresses Private contains RFC 1918 http tools ietf org html rf c1918 html 10 0 0 0 8 172 16 0 0 12 192 168 0 0 16 RFC 4193 http tools ietf org htmI rfc4 193 html FC00 7 RFC 4291 http tools ietf org html rfc429 html 224 0 0 0 239 255 255 255 FF00 8 RFC 3927 http tools ietf org html rfc3927 html 169 254 0 0 16 This RFC describes for IPv4 a standard method of automatically configuring network interface addresses In IPv6 link local addresses are required and are automatically chosen with the FE80 10 prefix RFC 4291 http tools ietf org html rfcA29 1 html Internet is the Fallback of All which means all the IP addresses which are not part of Private or of any other zones defined by the administrator SPV User Guide Documentation Release 2 9 Zones list Zones tree with their subnets N Unfold all zones and subnets
32. and concepts CHAPTER THREE DEPLOYMENT 3 1 How to integrate Performance Vision in your network 3 1 1 Preliminary steps Performance Vision is dedicated to analyzing the performance of business critical applications in a corporate network Hence the very first step before considering integrating Performance Vision in your network is identifying an up to date list of business critical applications including applications directly supporting business processes but also applications on which these may rely e g DNS Microsoft DS etc locating the servers hosting these applications e defining which network devices clients are using to access these applications 3 1 2 Positioning the probe Performance Vision appliance will be installed as close as possible to to the servers to provide the best analysis Measurements are more accurate if the probe is located in a central location next to the server and you will get a wider view on the performance experienced by all the users connecting to this server INTERLAN DMZ VPN INTERNET sale A P MPI QD wma Local Area Network s Aen Figure 3 1 SPV network positioning synoptic 3 1 3 Choosing a traffic capture method Two main methods may be used to establish a permanent point of traffic capture TAP or SPAN A TAP is a network device which will installed in line on the network and will send a copy of the traffic on one or two listening ports of the
33. belongs to Zone A excluding all addresses belonging to A Child Zones Flow Regroups data exchanges between two network addresses for one application on the aggregation period A flow is a group of communications between two network addresses for one application during the aggrega tion period Notice that the VLAN tag if present as well as the device identifier are considered components of the network address Initial Sequence Number The sequence number used in the SYN packet of a TCP connection Jitter Packet delay variation The Jitter is defined as the variance of RTT average difference between RTT measures and the average RTT For more details this equation is used Sqrt Average RTT1 2 RTTn 2 Average RTT1 RTTn 2 Observation period In all reports defines the observation time window Observation Period is based on a starting time and an ending time provided by the user These user defined boundaries will automatically be moved to the closest previous aggregation boundary for the starting time and to the next aggregation boundary for the ending time this modified time interval is the actual observation period Protocol The transport protocol relying on IP at the network level Protocol is defined as one of the IP protocols that SPV can track It can refer to OtherIP TCP UDP or ICMP These protocols are detected by inspecting packet headers Retransmission Packets being resent when they
34. check whether they are all on the same edge switch and check the interface configuration and media errors Slow server Hypothesis Users complain about having to try several times to connect to a web based application named Salesforce The administrator suspects the application server hosting Salesforce is slow How to analyze the problem First check to see if all applications on the application server hosting Salesforce are slow or if it is just the single web based application Salesforce slow If all applications are slow then indeed the application server may in fact be a slow server If just the one web based application Salesforce is slow while the other applications CRM are responding quickly the problem may be the application Salesforce and not a slow server 58 Interpretation Guidelines 1 69 SPV User Guide Documentation Release 2 9 To begin diagnosis go to Monitoring gt Clt Srv Table Select the application server from the drop down box labled Server Zone and click Search f we see that all applications on the server are responding slowly i e the SRT values are high for both Salesforce and CRM the issue related to the server not to applications e Second check the Connection Time of the application server If the connection times are high then this may also indicate a slow server Third check for retransmissions between
35. comm afe amp akey qqDUaT4 aHnuGVLf4pGNU3HCAzwXwWB8STOLS amp hkey 5to HTTP ost www linkedin CHTTP 1 1 302 Moved Temporarily server Apache coyore 1 1 Set Cookie _mobi 221 522570545713 Domain linkedin com Expires Mon 18 Sep 2079 15 56 32 G T Path Location http m linkedin com splash redirect ur l http amp 3AX2EX2FWww Tinkedin coms2F End save as ern nre conversazon etn zc Ascu C EBCOIC C HexDump C CArrays 8 Raw sts ors a MSS 1460 SACK_PERM 1 TSV 21757332 TS Figure 5 22 Viewing query and response Chapter 5 O RNS A I I I I I I I a a a aaao l Interpreting the results SPV User Guide Documentation Release 2 9 Note PCAP files are a sample of the conversation If you request on a one hour interval and get a PCAP file the PCAP will not contain one hour of data but only the data which match the above conditions Limitations The Automatic Packet Capture feature works under a certain number of conditions to ensure the proper execution of other services provided by Performance Vision Among these necessary limitations you need to observe the following The retention of PCAP files is limited by the disk space allocated for captures in the current version this space is limited to 10GB for both manual and automatic captures When all 10GB are used no new PCAP file is saved The maximum retention time for Automatic captures is set to 48 hours after this delay Automatic PCAP wil
36. is Disabled 34 3121841 e1888 ethi changing MTU from 1588 to 1868 Debian GNU Linux 5 8 spv ttyl py login I 47 1288721 e18886 ethi NIC Link is Up 1888 Mbps Control None 47 1248781 ADDRCONFCNETDEYV_ UP ethi link is not ready 47 1272581 ADDRCONFCNETDEV CHANGE ethi link becomes read 47 275742 device ethi entered promiscuous mode Debian GNU Linux 5 8 spy ttyl spy login 92 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Access the virtual console Display the Console tab and access the CLI interface named Pulsar The probe is launched When the network interfaces turn into promiscuous mode click on the Console view and then Enter to display the login prompt Note Clicking on the black screen deactivates your mouse To reactivate it you can use the key combination CUEIL F ALT Performance Vision hte te Colter Tce Console WEZ gs is pvit spv exit Debian GNU Linux 5 8 spy ttyl spy login admin Password Last login Wed Apr 4 11 16 59 CEST 2612 on ttyl elcome to Pulsar the SPU shell v1 25 3 ype help to display Pulsar commands ype help COMMAND to display the command help details is pvit is pvit is pvit Figure 9 10 The default credentials are user admin and password admin Performance ision eee RTT ae Cor en Sir SII Console Sears spv help Pulsar shell configure your probe help quit exit nalyzer format data disk process statu
37. kernel These packets won t get accounted for in the GUI As a realtime protocol analyzer the sniffer is also limited in what protocols it supports and how deep it inspects packets Here is a quick overview of the most blatant limitations 16 Ethernet parser supports Linux cooked capture extension used when capturing on any interfaces and 802 1q vlan tags All other Ethernet extensions are ignored Http parser does not support multi line headers ARP parser knows only Ethernet and IP addresses DNS parser support MDNS NBNS and LLMNR in the extend where these protocols mimic legacy DNS with the exception that it can unscramble NetBios encoded names FTP connection tracking merely look for PASSV or PORT commands in the TCP stream without much care for the actual protocol TCP options are ignored Postgresql parser supports only protocol version 3 0 and Mysql parser supports only protocol version 10 This should cover most of the installed base though TNS parser for Oracle databases was roughly reverse engineered from various sources especially the wireshark source code It should thus not be expected to understand all messages in all situations Chapter 3 Deployment SPV User Guide Documentation Release 2 9 SIP parser implements no proprietary extensions however prevalent As there are no concept of connections for UDP UDP conversations are ended after a timeout period of 2 minutes without any packet in a
38. loss experienced by both users This is how even in the absence of RTCP stream we can display a jitter and packet loss count and no RTT and thus no MOS 5 3 5 VolP Views VoIP Overview VoIP Overview is a view of all VoIP traffic in the network zone per zone e Number of calls e MOS value Packet loss global or caller callee Jitter global or client server RTT global or client server Note The value caller in corresponds to the metric for the RTP RTCP traffic from the caller to the callee and the value callee out corresponds to the metric for the RTP RTCP traffic from the callee to the caller From each line you drill down e to the MOS chart e to the VoIP conversations amp VoIP Overview VoIP overview by caller callee zones Begin 2 2011 04 07 14 43 End 2 2011 04 07 15 43 More Caller 10 ip MOS over time This view shows the evolution of the Mean Opinion Score through time A second graph shows the evolution of the number of calls to help you evaluate how many were impacted by a MOS degradation By pointing a specific point of time on the graph you can display the exact value for each metric on the right side of the graph By clicking on a specific point of time you are directly to the VoIP conversations for this point of time Jitter Packet Loss This view shows the evolution through time of the jitter and the packet loss This view can help
39. mail google com 17ms A NoError v 192 168 10 5 R amp D 42 7 2 KiB No request name Unknown DNS type 0 NoError 192 168 80 255 Private fallback 36 3 2 KiB WORKGROUP NB na Figure 5 19 PCAP column in DNS messages Callee Callee Zone Application MOS Packetloss Server sign traffic Voice traffic Code Last Call State Pcap aaln 1 172 25 51 150 Private fallback B NC udp 1 05 3 1 KiB 1 2 MiB 200 closed v aaln 1 172 25 51 150 na B NC udp 0 00 989 Bytes 0 Bytes 200 closed v unknown Internet B NC udp 0 19 6 9 KiB 2 3 MiB 200 closed v aaln 1 172 25 51 150 Private fallback B NC udp 0 00 3 1 KiB 1005 8 KiB 200 closed v aaln 1 172 25 51 150 Private fallback B NC udp 5 11 96 2 6 KiB 241 6 KiB 200 closed 3 aaln 1 172 25 51 150 Private fallback m NC udp 0 00 3 0 KiB 267 0 KiB 200 closed aaln 1 172 25 51 150 Private fallback B NC udp 0 00 3 0 KiB 891 4 KiB 200 closed v aaln 1 172 25 51 150 Private fallback B NC udp 0 00 2 6 KiB 195 0 KiB 200 closed 3 aaln 1 172 25 51 139 Private fallback B NC udp 0 00 96 6 3 KiB 0 Bytes 250 closed v aaln 1 172 25 51 150 Private fallback m NC ud 0 00 3 4 KiB 515 5 KiB 200 closed Figure 5 20 PCAP in VOIP details For instance if you are using Wireshark to decrypt the packets you can directly view the packets To view the query and the beginning of the response you can use the feature Follow TCP stream in the Analysis menu Conditions
40. out the hard drive This strikes a good balance between data granularity and duration of retention performance data for the last two days is available with the best granularity and long lasting global trends can be exposed from as far back as one year albeit with less detail all from the same interface Aggregated data is computed in a nutshell by identifying network conversations where the same server and the same client talked using the same application and grouping them together The metrics for each such group are summed up in accordance with their mathematical nature for instance packet counts are added and response times are averaged per packet so only one line of data is retained for each conversations group This line still contains a relevant summary of your network and application performance but it s storage takes up a lot less disk space Example A user checks out a Web page once at 16 38 Info Query begin 2010 07 30 16 38 00402 00 Aggregate Levet 120s Query end 2010 07 30 16 40 00 02 00 Number of collected results 1 Sync Begin Time End Time Client Zone Client IP Server Zone Server IP Application Traffic Packets Handshake Transactions EURT 2 amp 2010 07 30 16 38 47 2010 07 30 16 39 11 Private 192 168 10 2 Internet 88 191122 7 m http 139 0KIB 240 12 32 100ms Figure 2 11 Flow example at 16 38 to 16 40 and once at 16 41 begin 2010 07 30 16 40 00 02 00 Aggregate Levet 120s Info ey Query
41. page 5 for Zone tree and Fallback explanations You can reach the zone configuration page by clicking on the Zones label of the menu The illustration below displays a list of zones and their subnets This list of zones enable you to add a zone edit a zone or delete a zone as needed In order to create a zone you need to click on the green button below Private d 3 169 254 0 0 16 13 more subnets Figure 4 8 Button to create a zone You can select the zone s name by filling the Name field and the subnet by filling the new subnet field In order to add several subnets you can use the more button Here are some examples of valid subnets 192 168 100 0 24 1925210930100 27952 DIIEIII2I9S2 169520 07129 The administrator can e rename the zone 4 4 SPV Functional Configuration 31 SPV User Guide Documentation Release 2 9 2 Add a zone Name Parent zone Private Zone inner subnets New subnet More add a new subnet or IP Address change the previous subnets e delete a zone 4 4 3 Application configuration You can configure Applications in the configuration page Applications represent the business applications running on your network and make the reports provided easily understandable to everyone in your organization To access the configuration of Applications click on the Configuration button on the top right of the user interface Application list Add a new appl
42. probe A SPAN also commonly called port mirroring is a feature of network switches that enables a network administrator to send a copy of a given traffic on one or several interfaces VLANS to a mirroring port 13 SPV User Guide Documentation Release 2 9 The most commonly used method is the SPAN port port mirroring mainly because it enables administrators to monitor potentially any traffic going through the switch with an existing network device Collecting traffic through a SPAN port will likely not generate any additional point of failure on the network and will be regarded as a minor modification of its existing configuration Network TAP s are also an option if no SPAN is doable for example but the traffic captured will be limited to the network link s going through the TAP A connection via TAP induces additional costs If you choose to capture network traffic through a SPAN you should pay a specific attention not to copy twice the same traffic to the listening interface of the probe which would degrade the statistics provided by the probe 3 2 How to capture traffic Performance Vision can rely on two mechanisms to capture network traffic Port Mirroring commonly called SPAN amp TAP Terminal Access Point 3 2 1 Port mirroring Port mirroring also known as SPAN or roving analysis 1s a method of monitoring network traffic which forwards a copy of each incoming and or outgoing packet from one or several port s
43. provides in depth view of name resolution events and performance for DNS Netbios mDNS When conducting a troubleshooting this view can display The evolution of the DNS activity an excessive peak may reveal a misconfiguration infection The evolution of DNS response times which impacts the quality of experience of end users Unexpected name resolution protocols are you still using Netbios WINS when you thought you only rely on pure DNS Have you got more DNS requests in error than successful ones Are some of my hosts trying to resolve out of abnormal servers Rest of migrations misconfigurations infections Can I see hosts with abnormal request volumes infection misconfiguration 9 1 Virtual Appliance Step by Step 109 SPV User Guide Documentation Release 2 9 Begin 2012 03 21 13 24 End 2012 0321 19 24 Emitting zone Server Zone Emitting IP Server IP Request Name Request Type Response Code VLAN All l All Device id Poller Any v Ay z Info Begin 2012 03 21 13 15 Aggregate Level 15 minutes Capturer la page enti re et l enregistri End 2012 03 21 19 15 2012 03 21 13 15 2012 03 21 19 00 250 0 ms DNS RT avg 115 1 ms 200 0 ms 150 0 ms 100 0 ms 50 0 ms 0 14 00 15 00 16 00 17 00 18 00 30 000 25 000 Begin 2012 03 21 13 15 Info End 2012 03 21 19 15 Request pe Response Code 1 A 1 A 1 A 1 A
44. second Active required probe may not required if applications are in normal conditions passive distributed between DCa and DCb then a distributed implementation is required Two Distributed is If the traffic between servers is captured it may double counted traffic data centers adequate from clients to servers should not be double counted Active Active N data centers Distributed is Traffic between servers will be captured twice and double counted through WAN adequate N Datacenters Distributed may The traffic going from the remote sites to the datacenters will be double and M remote not be adequate counted The cost of deploying physical units may be superior to the sites benefit 3 6 Virtual Performance Vision Note For more details about step by step virtual appliance installation cf Virtual Appliance Step by Step page 87 If you are installing the virtual image of Performance Vision then you have a to take into account a few additional facts 3 6 1 How to get the image This section is based on version 2 5 13 the filename will evolve depending on the version number The ZIP archive will contain the following files ee SPV 2 5 13 r2 mf SPV 2 5 13 r2 ovf SPV 2 5 13 rZ2 diskl vmdk 3 6 2 Virtual hosts settings Performance Vision virtual appliance is designed to run in a VMWare ESX v4 or v5 environment It can be lounched with a minimum of 512MB of RAM although a larger quantity i
45. send a RST packet if the incoming TCP packet does not fit with the security policy source range IP address is banned the number of connection attempts is too high in a small period of time etc A QoS Quality of Service equipment limits the bandwitdh or the number of connections by sending a RST packet to any new connection attempt f a Intrusion Detection System e g Snort detects a malicious connection he can send a RST packet to roughly close it f a host between Client and Server wants to do a Denial of Service it can reset the connection by sending RST to both peers Basically it s the same mechanism than the previous one but the motivation is quite different 5 8 Interpretation Guidelines T1 SPV User Guide Documentation Release 2 9 Retransmissions One of the TCP metrics which is interesting to analyze is the retransmission A TCP Retransmission is when a TCP packet is resent after having been either lost or damaged Such retransmitted packet is identified thanks to its sequence number In SecurActive SPV we do not consider packets with no payload since duplicate ACKs are much more frequent and not really characteristic of a network anomaly There are several common sources of TCP retransmission A network congestion If a router can t cope with the whole traffic its queue will grow bigger until it gets full and then start dropping the incoming packets If you reach a predefined QoS limit the exceeding pac
46. server if for a specific server it may be due to a specific server issue in broad casting the response 5 8 2 Scenario guidelines Slow site connection Hypothesis One or several end users complain about a slow access to all applications both in and out the LAN 58 Interpretation Guidelines 6 SPV User Guide Documentation Release 2 9 Diagnosis You will find in this section the classical informations to grab in order to diagnose the issue 62 is the application really slower for this site You can get this information from several places R amp D Pra Sales fallback Internat Private fallback 1 500 2 000 2 500 3 000 500 Msan E sr 1 000 a or Figure 5 23 Zone comparison in the Application Performance Dashboard Action Client Zone Server Zone Traffic EURT amp gt RIT SRT DTT o amp All All 2 9 GiB 1 2s 34ms 907ms 297ms xo amp Private All 2 9 GiB 1 2s 34ms 907ms 297ms 2 O R amp D All 2 8 GiB 891ms 20ms 566ms 304ms oc Sales All 86 0 MiB 2 65 85ms 2 25 272ms x Private fallback amp j AI 10 4 KiB na na na na eO Labo All 0 Bytes na na na na x o Voip amp j All 0 Bytes na na na na x Internet All 1 1 KiB na 213ms na na Figure 5 24 EURT comparison in the Application Performance Comparison Table Does the slowdown occur for a specific application If so check Slow application page 65 You can achieve this through the client s
47. the application New signature new signature x Server zone Smaller zones have priority over largest ones Mew server rone zone M Client zone Smaller zones have nrionty over largest ones Server zanes have nrelonty over fis cent zemes Mew chent zone Fone Business critical application thresholds application is business critical 1 Figure 4 10 Application configuration screen SPV Functional Configuration 33 SPV User Guide Documentation Release 2 9 The following elements are combined to define patterns which the application flows must match Destination ports each line can be used to define a range of ports on a specific protocol UDP or TCP which the flows for this Application must match Signature a signature is an layer 7 Application pattern which makes it possible to define an Application based on pattern matching in the payload of packets Signatures may be for dynamic ports Applications or Web patterns more details in the section hereunder Warning In case of a web application these two parameters may be filled and but not necessarily we consider a OR operand between this two parameters Destination ports and Signature Client or Server zone indicates the zones in which the servers of the Application are located Warning In case of a application associated to one server or a server farm the server zone edit box must be filled with the right definition of the zone defined in the zone
48. the complete period of time currently displayed If you click on the icons associated to a specific period of time the quick links will used this specific period time when redirecting you to a detailed screen You will always see up to date information with the auto refresh feature of the BCN dashboard The information will be automatically refreshed based on the data aggregation level see aggregation period For example if the Aggregate level is 2 minutes the BCN will be updated every two minutes if the Aggregate level is 15 minutes the BCN will be updated every fifteen minutes 44 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 Capture time 2011 03 28 03 58 00 Private Internet 5 Conv a Latency 2205 Bl Retrans rate 0 02 lg util rate 2 89 521 2638 Internet Private gt Conv Bl Latency lt ims Bl Retrans rate 0 05 B Util rate 33 42 86 788 ad Bandwidth Figure 5 4 Detailed values for a point of time 5 3 VolP Module A specific reporting for Voice over IP traffic is provided The aim of this module is to show the volume and quality of service associated with VoIP flows 5 3 1 Supported protocols These two VoIP set of protocols are supported oP RICE RIP e MGCP RICP RIP For more information please consult the corresponding RFCs e SIP as defined in RFC 3261 http tools ietf org html rfc3261 html e MGCP as defined in RFC 343
49. the following rule PORT RANGE OR OR PORT RANGEn OR SIGNATUREI OR OR SIGNATUREn AND SERVER ZONEI OR OR SERVER ZONEn AND CLIENT ZONEI OR OR CLIENT ZONEn in case a conversation matches previous rule of several application the priority will be given to the application whose definition is the most precise i e the thinest port range signature or server client zone Application NC NC stands for Non Classified A NC Application is a special application that will match con versations that do not match any configured application Application Port Range Port or range of ports on a defined protocol TCP UDP a Port Range is defined by a range of ports described by a start port and an end port and a protocol either TCP or UDP Application Signature Mean of recognizing an Application based on a pattern in the payload This pattern may be of two sorts a dynamic port signature or web application signature A Signature is either a Dynamic port Signature or a Web application Signature Connection Time CT Time taken by the exchange of the 3 way TCP handshake CT stands for Connection Time CT is defined as the duration of the three way handshake SYN SYN ACK ACK of TCP session Conversation Regroups network exchanges between two network addresses for one application during the ob servation period A conversation is defined as a group of flows between a client and a server over an observation period Data Tra
50. user account you must be logged into the appliance as a member of the Administrator group As mentioned in the above paragraph the default admin group has the right to create modify and access the configuration You can add a new user account by clicking on the Users tab found on the configuration menu on the left hand side Then click on the Add button and fill in the User information username password and 4 4 SPV Functional Configuration 29 SPV User Guide Documentation Release 2 9 group Make sure the Act ive button is checked otherwise the user won t be able to login Thanks to this option you will be able to disable or enable an account without deleting it Example Adding a new member to Administrators group In the example below we have created a user account in the Administrators group with the user name John and foo2 as the password o User Edit User Name login John Group Administrators Change password eon Password confirmation eon Active Figure 4 5 Edit User The user name is case sensitive and it is required to be non empty and to contain only letters numbers or _ underscores You can modify a user account by clicking on the Users tab found on the configuration menu on the left hand side and then clicking on the user name of the desired user account in the user list You will be able to modify any field on a created user Please note that the password field will appear empty on edition to av
51. will be provided by email by SecurActive Traffic capture First of all The port mirroring should be activated on yours switches or TAP eventually Connect the mirror destination port to the ESX server port dedicated to the traffic capture We will now set the network in Promiscuous mode In The following example we are using an ESX server with 8 physical ports It is necessary to add a virtual network for traffic monitoring How to do it e Connect to Vsphere Client 9 1 Virtual Appliance Step by Step 95 SPV User Guide Documentation Release 2 9 PD ftp10 1 0 110 FileZilla 2 LLLI B3 27 650 10 1 0 110 Username ftp Password m Port Quickconnect Response 200 Type set to I Command PASV Response 227 Entering Passive Mode 10 1 0 110 187 12 Command ST Response 150 Opening ASCII mode data connection for file list Response 226 Transfer complete Status Directory listing successful Host Local site Users franckolivier SECURACT IVE Generic_Licences 4 Remote site n 9 b Pictures v gt Public Y SECURACTIVE B APS T Archi Clients T Doc VM J Generic Licences Filename Y Filesize Filetype Last modit Filename I p License aps GENERC a20 2A C BINA ry 12 12 20 License app GE Upload Binary 12 12 20 Empty directory listing 4 Add files to queue Open Edit Create directory Refresh E Rename a
52. 1 04 13 14 00 004 02 00 Number of collected results 14 Requester Zone Server IP Server Zone Packets Traffic Request Name DNS rt Request Type Response code VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 477Bytes omtr2 partners salesforce com 160ms A NoError Proxy 192 168 20 254 VLAN Sales fallback 10 2 6KiB login salesforce com 147ms A NoError Proxy 192 168 20 254 VLAN Sales fallback 8 2 1KiB www salesforce com 123ms A NoError Proxy 192 168 20 254 VLAN Sales fallback 8 1 9KiB omtr2 partners salesforce com 121ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 473Bytes omtrl partners salesforce com 119ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 533Bytes www salesforce com ll6ms A No Error VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 S63Bytes login salesforce com 115ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 477Bytes omtr2 partners salesforce com llims A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 5638ytes login salesforce com 110ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 S33Bytes www salesforce com 100ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 497Bytes emea salesforce com 6lms A NoError Proxy 192 168 20 254 VLAN Sales fallback 36 8 7KiB emea salesforce com 57ms A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 2 477Bytes omtr2 par
53. 140 211 15 34 m http 12 5KiB 31 VLAN R amp D 192 168 10 4 Internet 193 48 186 4 W ssh 606 6KiB 919 AWA ROL HO N Figure 2 7 Client Server conversations On the other hand client server conversations will be used for all views reporting performance Hereunder you can see in the first line of the table that a client server conversation takes into account the traffic in both directions In summary you will find that Client Server appears when we are speaking about Performance e Source Destination appears for Usage purpose 2 6 Source Destination Matrix 2 6 1 Principles of Source Destination Matrix The Src Dst Matrix provides a representation of the volume of traffic exchanged from zone to zone The result is a matrix in which every cell represents the traffic from one zone to another zone This report provides a very synthetic view of the mapping of the traffic which are observed The Src Dst Matrix will show a mapping of all flows as follows blue cells represent the internal traffic within a single zone green to orange cells represent the traffic from one zone to another zone the intensity of the color represents the relative volume of traffic observed in each cell You can filter the flows taken into account in while forming the matrix by defining the observation period the source zone the destination zone the application The matrix is presented as follows The traffic data displayed in each cel
54. 2 002 2 eee eee ee ee eee 17 3 Distributed Architects i454 shee Ro GORGE SHEER SESS GR E COR SESS 19 36 Virtual Performance Vision 44 466 444 EE redada EEE OD ERE HERS Ea RE HS 22 Configuration 25 4l HardWare e Be Bw Rw aR Hee POE OS ee R ROS ER aw ERR DER EG PY SS 25 4 2 License and upgrade installation 2 sss bbe eee eee we 9 ox oro x o9 ow x s 25 TOME o a aha eee 6 bo A ee ee ee eee EES eee ee bbe e eee eas 26 44 SPV Functional Configuration 6 4 x 4 6 mo ee ey eu oe Ow omues Ro xU X xD B x BOS 20 Interpreting the results 43 5 Business Critical Application Dashboard 2 eee ee ee ee 43 5 2 Business Critical Networks Dashboard 2 2 ee 44 2 4 WOM Mode 2 udo xum ovo NH eae ES OES EES ee Gee qued or e 45 5 4 Application dashboards 0 0 22s 49 2 9 SPV Colmpansontables 22 4846 onm RR bh FEE HERE Gee OES ERE RES BEES 53 50 TCP Erors Eyents 22x Ram 844 ES he x SORORE GR RUE EE SES SSS DEES 55 ou Paeketlevel and SEE a us eea aaea eee uS X Ea e own 56 5 8 Interpretation Guidelines ox R PX BOR R3oeOGOx EREXS xc EUR EGR ER OE xS 59 Frequently Asked Questions 77 6 1 Firefox freezes randomly on some pages onoono oa e e les 77 6 2 Aggregate level changes when browsing from tables to charts 71 6 3 How can SRT be greater than DTT aoaaa les T 6 4 How can we have 0 packets and no traffic at all on aconversation 04 6 5 What is this timeout col
55. 2 9 7 6 Metrics In versions prior to 2 9 the retransmission rate RR was computed as the number of retransmitted TCP segments divided by the total number of TCP segments As of version 2 9 it is instead divided by the number of packets liable be retransmitted such as the TCP segments carrying a payload In versions prior to 2 9 keep alive packets occurring after the completion of a data transfer were taken into account in the computation of the Data Transfert Time DTT metric resulting in abnormally large values In order to avoid this issue as of version 2 9 data transfers are considered complete after a 1 second timeout 82 Chapter 7 Known issues CHAPTER EIGHT GLOSSARY Aggregation period Time period over which all data are aggregated into flows for each set of client server and application The Aggregation Period is defined for an aggregation level as time interval over which all flows are aggregated in the database on their IP src dst Zone src dst and Application Individual flows within the aggregated data cannot be viewed separately The Aggregation Period defines the data resolution for an aggregation level Application Group logical or business related flow to emphase valuable perspective an Application is identified with a name and a color and defined by a set of Signature or a set of Port Range at least one non empty set of either a set of client and server zones A conversation is attributed to an application with
56. 2 to 4 are dedicated to network traffic sniffing Connect one or more of these interfaces to your network according to the network traffic you want to analyze and monitor 4 2 License and upgrade installation All SPV entities virtual poller and collector see Distributed Architecture page 19 needs a specific license The licenses are specific to a given hardware serial number the device id so that each device must be sent its own license package The same procedure must be performed for all the entities either for license or upgrades please follow the steps below 1 Connect to the FTP server of the probe user ftp password S3c7r 2 Upload put your license or upgrade file Wait a few minutes and it s done Check your license or new version with the status or poller commands For upgrades please redo the same procedure on all the entities Warning It is STRONGLY recommended to reboot all the probes after upgrading use the reboot com mand in Pulsar page 26 Note Security The FTP access is writable only no read It allows only to put a Securactive signed and encrypted file This file will be automatically moved checked and executed by an internal process ServicePack In rare cases it s needed to upgrade some third party internal softwares The information is available in the release note of the new version These packages are called Service Packs To apply them put the file SPV ServicePackX rY bin usi
57. 5 http tools ietf org html rfc3435 html e RTP as defined in to RFC 3550 http tools ietf org html rfc3550 html and RFC 3551 http tools ietf org html rfc355 1 html e RTCP as defined in RFC 3605 http tools ietf org html rfc3605 html 5 3 2 Basics of VoIP Voice Over IP relies on three protocols to operate over IP networks Signalization protocol the role of this protocol is to establish and control the voice communications It usually consists of communications between the IP phone and a call manager IPBX The 2 signalization protocols supported are SIP Session Initiation Protocol and MGCP Media Gateway Control Protocol Please note that STP may follow the same route as the RTP traffic or not while MGCP follows the same route as RTP Media protocol the role of this protocol is to carry the voice signal from one IP phone to the other IP phone it can eventually go through the call manager IPBX RTP is the only media protocol supported by Performance Vision It stands for Real Time Protocol it usually runs over UDP Control protocol the role of this protocol is to carry quality and control information from one phone to the other phone RTCP is the only control protocol supported It stands for Real Time Control Protocol 5 3 VoIP Module 45 SPV User Guide Documentation Release 2 9 5 3 3 Quality of service amp MOS MOS stands for Mean Opinion Score It is a numeric indication of the perceived quality of
58. 5 1 ri 4 W https 92 3KiB 81 8 KiB 196 7 7 7 1 7 8 7j 9 https 38 2 KiB 29 0 KiB 145 9 9 T 0 9 ri 7 4 m http 129 8 KiB 121 3 KiB 143 2 2 6 2 6 Wi https 171 0 KiB 150 8 KiB 335 12 12 6 7 12 6 23 W http 803 2 KiB 725 7 KiB 1277 56 56 0 18 56 6 https 123 5 KiB 105 2 KiB 301 12 12 6 7 12 6 6 m CRM SFDC 210 9KiB 184 2 KiB 504 6 6 6 20 6 1 6 IP Application Traffic Payload Packets Conn attempts Conn established 0 Win Y i m Web test 1 1MiB 828 6 KiB 5 042 228 228 255 39 B https 320 5 KiB 192 1 KiB 1 885 126 246 35 m ftp 12 4 KiB 1 3 KiB 187 42 82 da E https 4 7 MiB 4 4 MiB 4640 D 51 00 BW https 42MiB 3 9 MiB 4 487 0 51 m h ten 7 4n 1 KIRA 1 amp n 7 KR 227 an an PA e An unavailable host A network which is not reachable either it does not exist which reveals a configuration infection issue on the source host or it is not available configuration issue A port which is not reachable either the source machine is scanning or it is misconfigured and tries to reach a service which no longer exists or has been migrated This view is great to pinpoint configuration and infection issues nam IP E mitting Zone Packets Traffic Type Code Src error IP Src error zone Dst error IP Dsterror zone Error port Protocol 225 Main office fallback 5827 398 3 KiB Time Exceeded 11 Time to Live exceeded in Transt 0 172 16 1 20 Main office fallback 172 16 7 254 Rome fallback 161 udp 225 Main office fallback
59. 8 Time To First Byte 85 Timeout 85 U Upgrade 25 User 29 V VMWare 22 87 Voice Quality 45 VoIP 44 VPN 28 Z Zone 5 30 85 114 Index
60. 8f n p 0 00 557Bytes dia Qo 2011 04 07 15 44 08 1a LIGNATIADIS 83961 na sip 0 00 3 3KiB 404 out ring 2011 04 07 15 44 00 na ACRUZ B3404 si 0 00 B6iBytes 18 g 2011 04 07 15 44 00 va ACRUZ B3404 p 0 00 5 1KIB 200 vo G 2011 04 07 15 43 48 LIGNATIADES B3018 p 0 00 709Bytes Q 2011 04 07 15 43 46 a assa 83315 0 00 6 8KIB 200 closed 2011 04 07 15 43 45 2m9s PMIGOUROUX 8312 P 4 39 0 00 605 3KiB 00 2011 04 07 15 43 45 1a PVIGOUROUX 63127 P 0 00 4 9KiB 00 vo G 2011 04 07 15 43 43 na M METZ na 83212 p on 5 36KB 200 close d 2011 04 07 15 43 39 ia FKOCH na 83678 p 0 00 3 6KIB 00 closed Figure 5 7 VoIP Calls 5 4 Application dashboards Dashboard are a report fitting on a single screen that put together all relevant information to understand how the application is doing They are present in APS from version 1 7 Note Those dashboards are not available in Securactive NPS It is extremely useful e as a starting point for troubleshooting as a tool to communicate to management and business users on how the application is actually performing It is a set of three elements that display key information on the performance of a business application 5 4 1 How can it help For reporting In a single report you have enough to explain a business user or a manager how the application performance went through time which servers were doing worse and which zones were impacted On top of the EURT all this is based on thre
61. CE LICENSE AGREEMENT IF YOU DO MOT AGREE WITH THE TERMS OF THIS APPLIAMCE LICENSE AGREEMENT SELECT THE NO I DO NOT ACCEPT OPTION AND DO NOT ACTIVATE THE APPLIANCE AND DO NOT USE THE SOFTWARE OR THE APPLIANCE IF YOU DO NOT AGREE WITH ANY OF THE TERMS OR CONDITIONS OF THIS APPLIANCE LICENSE AGREEMENT YOU ARE NOT AUTHORISED TO USE THE APPLIANCE FOR ANY PURPOSE WHATSOEVER ALSO BY INSTALLING OR OTHERWISE USING UPDATES AND OR UPGRADES FROM SECURACTIVE YOU AGREE TO BE BOUND BY ANY ADDITIONAL LICENSE TERMS OR MAINTENANCE CONTRACT THAT ACCOMPANY SUCH UPDATES OR UPGRADES IF YOU DO NOT AGREE TO THE ADDITIONAL LICENSE TERMS THAT ACCOMPAN SUCH UPGRADES YOLI MAY NOT INSTALL OR USE SUCH UPDATES OR UPGRADES A PRINTABLE VERSION OF THIS AGREEMENT IS AVAILABLE ON THE SECURACTIVE EXTRANET WHICH YOU MAY WISH TO PRINT FOR YOUR RECORDS 1 DEFINITIONS Appliance means the SecurActive product described in the Schedule which consists of either the Hardware together with the Licensed Product s and included third party software or the Virtual Appliance as defined below Appliance License Agreement means this SecurActive Appliance license agreement and the Schedule Documentation means any documentation provided to You by SecurActive whether electronic or printed which accompanies the Appliance and or the Figure 9 5 Read then click on Accept then click on Next Deploy OVF Terholate Name and Location Specify a name an
62. DNS to display more specific metrics Top DNS requests Begin 2011 09 07 10 00 End 2011 09 07 11 00 o o eo 7 Emitting zone Server Zone Emitting IP Server IP Request Type All Al Any Device id Poller Any Info Begin 2011 09 07 Q 00 Aggregate Level 2 minutes End 2011 09 07 11 Number of collected results 100 12345 gt Begin Time 2011 09 07 10 38 31 End Time 2011 09 07 10 43 32 Request Name Packets ha Traffic DNS rt 1712 198 5 KiB pypi rd securactive lan PP 2011 09 07 10 38 31 2011 09 07 10 00 50 2011 09 07 10 00 21 2011 09 07 10 00 23 2011 09 07 10 01 25 2011 09 07 10 01 16 2011 09 07 10 05 34 2011 09 07 10 43 32 2011 09 07 10 59 47 Ni 2011 09 07 10 59 23 2011 09 07 10 58 37 2011 09 07 10 56 59 2011 09 07 10 59 14 2011 09 07 10 56 10 pypi mirrors rd securactive lan mail google com reviewboard rd securactive lan WORKGROUP safebrowsing clients google com proxysecuractive lan 596 570 120 112 97 62 61 73 8 KiB 100 9 KiB 18 3 KiB 14 0 KiB 8 7 KiB 13 8 KiB 7 3 KiB 27 ms 3ms 54ms PPPPPPP 2011 09 07 10 04 57 2011 09 07 10 02 26 2011 09 07 10 51 37 2011 09 07 10 56 03 git rd securactive lan 56 sdouche babbage presence tcp local 55 6 4 KiB 5 5 KiB Figure 3 4 DNS specialied view 3 3 3 Limitations If the rate of incoming packets exceeds the rate at which the sniffer can parse the traffic for too long then some packets may be dropped by the Linux
63. Description adata a a t t a i ee se se pepe pe ope oppo RR RR AAR a a a By default hardware requirements are set to minimum Depending on your needs please consider adding more resources memory cpu and storage disk z you plan to use this evaluation version For longer than a few ays you are strongly encouraged to keep the second disk which is dedicated for data eese se pe ee eoe eoe eo peo poppe eoe eoe epe eoe aa ea eea aa oppose Performance Vision virtual appliance is designed to run primarily in a VMWare ESX v4 or v5 environment but she works on Oracle VirtualBox It can be launched with a minimum of 1024MB of RAM although a larger quantity is recommended to ensure satisfactory performance rates BuildDate 2012 04 24 Help lt Back next gt Cancel Figure 9 4 Click on Next 9 1 Virtual Appliance Step by Step 89 SPV User Guide Documentation Release 2 9 Deploy OVF Template End User License Agreement Accept Ehe end user license agreements Source OVE Template Details End User License Agreeme Name ant at SECURACTIVE APPLIANCE LICENSE AGREEMENT PLEASE READ THE TERMS AND CONDITIONS OF THIS APPLIANCE LICENSE AGREEMENT CAREFULLY BEFORE USING THE APPLIANCE THIS IS A LEGALLY BINDING AGREEMENT BETWEEN YOU AND SECURACTIVE BY CHOOSING THE ACCEPT OPTION OR OTHERWISE USING THE SOFTWARE OR APPLIANCE YOU ACKNOWLEDGE THAT YOU HAVE READ UNDERSTOOD AND AGREE TO BE BOUND BY THE TERMS OF THIS APPLIAN
64. If no transaction at all is seen during the period of time analyzed the color displayed on the BCA dashboard will be white If the number of events seen during the period of time analyzed is above zero but under this value the color displayed on the BCA dashboard will be grey It means that some events have been seen but not enough to be considered as a pertinent measurement If the number of events seen during the period of time analyzed is above or equal to this value the color displayed on the BCA dashboard will be either green orange or red depending on the EURT values The warning threshold level of the EURT End User Response Time value in milliseconds When the value is above or equal to this level the color displayed on the BCA dashboard will be orange When the value is under this level the color displayed on the BCA dashboard will be green The alert threshold level of the EURT value in milliseconds When the value is above or equal to this level the color displayed on the BCA dashboard will be red Note To be useful and pertinent these parameters must be accurate values adjusted to your network configura tion These values can be easily changed for fine tuning or to cope with any change in the network or applications you are using A new critical application will benefit of all the data history So after having defined an application as critical if the data has already been collected
65. L ffice fall back 7 2012 03 21 19 15 00 nova eth3 172 16 1 186 Main office ba 72 16 1 ffice fall K 7 2012 03 21 19 14 52 nova eth1 172 16 1 186 Mai a 172 16 1 J ffice fallb 2 2012 03 21 19 14 10 nova eth2 172 16 1 57 Main office a 172 16 1 25 Main office fallback 1 2012 0321 19 14 20 nova eth2 172 16 1 91 Main office fallba 172 16 1 255 Main office fallback 4 2012 03 21 19 14 01 nova eth2 172 16 1 119 Main offic a 172 16 1 255 Main office fallback 4 2012 03 21 18 37 18 nova eth 172 16 1 113 Main offic a Main office fallback 1 2012 03 21 18 37 18 nova eth2 172 16 1 113 Main office a 192 168 181 4 DMZ Web fallback 4 2012 03 21 19 13 37 nova eth2 2 16 1 13 n office fallba 172 16 1 255 Main office fallback 0 2012 03 21 18 18 57 eth2 16 6 169 T fallback 172 16 1 12 RV TERIX 7 012 03 21 19 0 nova eth2 16 1 186 n office fallback 172 16 1 255 office fallback 8 2012 03 21 17 18 33 nova eth1 72 16 1 113 in office fall back 172 16 1 24 office fallback 8 2012 0321 17 18 33 nova eth2 172 16 1 113 Main office fallback 192 168 181 4 DMZ Web fallback 110 Request Type Any v Any Request Name Request Type BIAUTO 32 NIMLOC NB Response Code Packets Traffic DNS RT Pcap na 40 MiB AUDEBERT P 32 NIMLOC NB 38777 234MiB 1 32 NIMLOC NB na 38722 3 4MiB 1 32 NIMLOC NB na 38351 3 4MiB AUDEBERT P 32 NIMLOC NB na 38035 33MiB AUDEBERT P 32 NIM LOC NB 20856 18MiB AUDEBERT P 32 NIMLOCINB 19516 1 7 MiB
66. Mb s mgcp gateway 389 42 bis other 1 00 Nbis o a a uo cec Oo 14 04 00 15 04 00 RTT in RTT out 400 00 ms 400 00ms RD indic in FD indic out e cT 1200 00 ms 14 10 14 20 14 30 14 40 14 50 15 00 14 04 00 15 04 00 RR out RR in 14 10 14 20 14 30 14 40 14 50 15 00 14 04 00 15 04 00 Packets Figure 5 32 Impact of congestion on retransmissions and network latency or connection time They might have overcome a QoS threshold such that all the new application requests are blocked A hint would be the increasing number of TCP RST packets To be sure you may take dive into the Analysis gt TCP Errors menu Slow application Hypothesis One or several end users complain about a slow access to a specific application a fileserver 58 Interpretation Guidelines 65 SPV User Guide Documentation Release 2 9 Server IP Application Traffic Packets Conn established Num timeout Client RST Y Server RST 172 16 1 10 m PROXY 6 2MiB 10939 234 47 120 D 172 16 1 12 http private 1 0MiB 1722 25 9 74 1 proxyauto contact c B PROXY 19 3MiB 22795 220 32 73 D proxyauto contact c B PROXY 9 0MiB 15181 184 44 67 172 16 1 10 B PROXY 9 3MiB 14615 244 42 61 172 16 1 10 m PROXY 4 7MiB 8376 208 36 55 172 16 1 10 E PROXY 11 6MiB 15668 138 26 44 172 16 1 10 m PROXY 6 6MiB 13134 348 58 43 172 16 1 10 B PROXY 2 6MiB 4361 99 21 43 172 16 1 10 B PROXY 3 0MiB 4368 81 16
67. New Features Autopcap for Business Critical Applications available in Network conversation DNS and VoIP depending on configuration It works for both local and distributed environments New Metric DTT Client added to the several screens where the DTT Server was already present New Protocols LLMNR Link Local Multicast Name Resolution mDNS Multicast DNS NDNS Net BIOS Name Service WINS Distributed poller management 1 1 3 Changes Network sniffing Automatically detects and listens again to network interfaces that come back up after a downtime period At startup automatically adjust and fine tune deduplication parameters for the best balance between pro cessing power required and deduplication efficiency Reporting User Password TLS security support e User can customize From field when sending a report Reports stored as Pdf files on the probe and available through ftp SPV GUI User Guide Documentation Release 2 9 For Business Critical Networks the Retransmission Rate threshold can now be 1 Configuration area reorganized to be clearer In the Configuration area deletion buttons have been made more intuitive Animation when running a request to avoid overloading the probe by launching several times the same request The timeframe selection in the Watch last filter is now more intuitive When a filter is set to some value it will be highlighted to be more visible I
68. Next Virtual Machines Network Access Virtual machines reach networks through uplink adapters attached to vSphere standard switches Connection Type Select which vSphere standard switch will handle the network traffic For this connection You may also create a new Network Access vSphere standard switch using the unclaimed network adapters listed below Create a vSphere standard switch Intel Corporation 82571EB Gigabit Ethernet Controller NS vmnici Down None EB vmnic2 Down None i 100 Half 1 131 151 5 1 131 151 5 254 VLAN 5 vmnict Down None yvmnicS Down None vmnic amp Down Mone vmnic Down Mone Preview Virtual Machine Port Group Physical Adapters VM Network 2 e E vmnic3 lt Back Cancel Figure 9 23 On Network Access Menu select the Esx physical port dedicated to the traffic capture here is vmnic3 and unselect the others The Esx physical will be binded to the new virtual network here VM Network2 Click on Next 9 1 Virtual Appliance Step by Step 99 SPV User Guide Documentation Release 2 9 Add Network Wizard Af Virtual Machines Connection Settings Use network labels to identify migration compatible connections common to two or more hosts Connection Type Port Group Properties Network Access Connection Settings Network Label Mirror Summary VLAN ID Optional all 4095 Preview Virtual Machine Port Group Physical Adapters Mir
69. Note that you can search for empty DNS names using the regular expression 5 in the name search box 6 7 Some TCP conversations are reported twice what s wrong First make sure that the deduplication process is not configured too tightly If the faulty TCP conversations keep being reported twice then maybe the duplicated packets are altered in some way that makes them too different from the originals For instance some firewall randomize the ISN Initial Sequence Number of TCP connections for security reason So if you mirror some traffic before and after passing though such a firewall this traffic will be reported twice since their sequence number will be different 6 8 Pcap files generated by tcpdump are mostly empty By far the most probable reason for this is that you are trying to use a filter on VLAN tagged packets This won t work since Tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched Fortunately there is a workaround by adding the filter v1an all following filters will be offset by the VLAN tag size So for instance if you want to filter ip proto tcp onan interface receiving only VLAN tagged packets then you must use the following filter instead vlan and ip proto tcp If the network interface receives both tagged and non tagged packet then this somewhat cumbersome filter must be used ip proto tcp or vlan and ip proto tcp 6 9 How to do complex
70. RT for that application on each server that provides this application In this case it is obvious that Atlantis tend to respond much slower than Brax By clicking on it having a looking at a second dashboard called Server Application Dashboard we shall be able to determine if this permanent or punctual and whether this due to the load on this application or on another one hosted on the same server 3rd element EURT by Client zone Breakdown by zone client l c ay iT 3 c apg 54 eoo Ll m Bv Nor Figure 5 11 EURT by Client zone What we can see here is a breakdown of the EURT for this application between client zones at one glance you can determine which zone was impacted by the degradation and what are the different level of experienced performance depending on where users are located For example from the screenshot here above we could certainly think that mainly one zone was impacted by the SRT degradation and also that there are some significant differences in performance between zones due to differences in RTT values network latency 5 4 3 Drill down dashboards SecurActive APS offers two additional dashboards Client zone application dashboard e Server application dashboard 54 Application dashboards 0 Bl SPV User Guide Documentation Release 2 9 Client zone application dashboard You can access this dashboard either through the menu or by clicking on a specific client zone in the Applicati
71. SH s RTT clit 3 ms c u 2 7 3 c 3 RTT clt 9ms To SE vo NN RD cit 8 ms RD clt 6 ms c M ACK P EE session end Comments gt Standard TCP 3 way handshake Start of TCP session gt Uncommon data push from client No response is awaited by the client from server here SPV cannot know this and computes a DTT client standard 1 packet query from client awaiting data response from server An optional empty ACK is common from server if compute time of the response is long Transmission of 1 packet sized data from server is acknowledged by client Thus Data Transfer Time DTT is nul Standard multi packet query from client with multi packet response from server Optional ACK from server Start of multi packet response from server Optional ACK from client First part of data is PUSH by server Optional ACK from client Packet containing data d is lost Acknowledgment from client will hint the server that packet d was not received correctly Server retransmission of packet d which is lost again Second ACK from client waiting for next packet Final retransmission of packet d that is correctly acknowledged by client Dr packet with payload 0 Irem o M packet with nul payload FIN ACK packet flags Securactive Performance Vision interpreting a standard TCP session v1 2 Figure 6 2 Standart TCP Session 79 SPV User Guide
72. Server table page 55 you can see the Application performance between client zones for the application Salesforce 54 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 c Application Performa nce Client Server Table Traffic volume and application performance by application client Begin 2 2011 04 14 13 22 End 2011 04 14 14 22 More Client Zone All siyer Zone Extranet SF zj Application CRM SalesForce Search Add this page to a report amp Inf Begin 2011 04 14 13 22 00 02 00 Aggregate Level 2 minutes nfo End 2011 04 14 14 22 00 02 00 xa Action Client Zone Server Zone Traffic EURT ERT SRT DTT A BA xtra SF XXX E OOOO OOOO XO 000 2 F av Sy 2 i zl EI 3 a d h o m Figure 5 17 Application Performance Client Server table 5 6 TCP Errors Events 5 6 1 Objectives These two tables expose to the user many TCP statistics in order to reveal dysfunctions or unusual events 5 6 2 TCP Errors For each TCP conversation the following fields are displayed RD Server Client Duplicate acks number of SYNs number of handshakes number of session ends number of FINs from client number of FINs from server e number of RSTs from client number of RSTs from server number of timeouts By sorting on the RD or duplicate ack fields one can quickly check the worst conversations in term of TCP performance Also number of reset packets are usu
73. The zone and application objects do not integrate the concept of poller i e you cannot distinguish between two applications based on the fact that they are viewed by two different pollers The maximum number of sessions handled by the collector remains unchanged approx 100k concurring sessions 3 5 6 Prerequisites All pollers have to be synchronized to a single NTP All pollers and collector require an administration port connected to the network and a fixed IP address This corresponds to a rare case this case is not handled by the non distributed implementation of Performacne Vision nor by most competitors The bypass option would be to use TAPs to re aggregate both flows before it reaches the interface of the poller This is already the case in a non distributed implementation The only new element is the fact that data will be more readable if all pollers have the same capture points 35 Distributed Architecture 0000 2 SPV User Guide Documentation Release 2 9 e Connectivity between pollers and collector on port TCP 22 is required e Some network capacity is required to transfer teh data from the pollers to the collector current evaluation is 0 2 of the bandwidth analyzed 3 5 7 Adequate non adequate implementations 2 5 Two Distributed may Most applications will be deployed in normal conditions on DCa if in data centers or may not be normal conditions DCb receives no production traffic hence a
74. Time between these hosts DNS latency to resolve other server names accessed from the web server database servers for instance cf DNS Response Time e Connection and data transfer times between these hosts e Server response time of these servers Identification of the culprit First we need to find out if the experienced slowdown is due to the web front end itself To this end check every component of the EURT If SRT is fast but RTT and or DTT see also Connection Time then we are facing a network slowdown Refer to previous sections of this guide to further track down the problem f SRT is preponderant compared to DTT and RTT then the application itself is to blame Proceed to find out what is affecting performance Then check EURT between web server and each other involved servers databases If some of these EURT appear to be degraded then check recursively these other hosts If not then check the web server load average 5 8 3 Additional metrics TCP anomalies RST packets A TCP connection is reset by a RST packet There is no need to acknowledge such packet the closure is immedi ate A RST packet may have many meanings f a TCP client tries to reach a server on a closed port the server sends a RST packet The connection attempt could be a malicious one port scanning nmap etc or the consequence of an unexpectedly down server client server misconfiguration server restart etc A router might
75. UI In Monitoring information displayed by top screens has been harmonized Metrics DTT will timeout after 1 second with no data transfer If no more data is received during this period we considered that last packet received was the one to take into account for the DTT 1 5 3 Major bug Fixes Metrics Retransmission rate is now computed regardless of empty packets Metrics The de duplication process is no more fooled by varying ethernet padding GUI There were occasionally some empty lines in grouping tables Reports Scheduling of report dates when set across two days ex from 23 00 to 01 00 Reports For reports some client email applications were not displaying the PDF attached file PCAP better autopcap performances when lots of files are generated 4 Chapter 1 Release notes CHAPTER TWO MAIN TERMS AND CONCEPTS 2 1 General Conventions 2 1 1 Byte metric unit All byte metric values are given in Byte as KiB MiB GiB etc as recommended by the INTERNATIONAL ELEC TROTECHNICAL COMMISSION IEC in 2000 when using power of 2 10 multiple This means that MiB and KiB mean that the values are in Binary and equal 1024 raised to the power of 2 and 1024 raised to the power of 1 respectively This notation was designed to distinguish 103 bytes refered as KB and 1024 bytes refered as KiB In other words you would say in decimal notation 1000 k kilo and 10002 M mega e in 1024 Ki kibi
76. ackets with any protocol decoder capable of reading PCAP files Conn established Transactions EURT RTT in RTT out SRT DTT cit DTT srv CT CRT RRin RRout TTFB Pcap 0 ns 1m15s lt 1ms 1ms ims y 1 66 553s 210ms ms 55 18 lt 1ms ims 187ms 95ms 554s 1 20 232s 81ms lt ims 2118 794ms 13s 74ms 76ms 151m 0 40 97 ms 175s 38 4 s 1 5s 114s 2 1 36s 179ms S 34s 1 2ms 188ms 10 00 36s 3 913ms 126 ms s 743ms lt 1ms 43ms 123 ms 14s 1 2 891ms 63ms s 628ms 1ms 198ms Sims 21s 12s 10 31 778ms 71ms lt s 621ms 64 ms 20ms S7ms 16 38 25 43 091 436ms q 2 7 549ms 50ms lt ims 472ms lt 1ms 26ms 41ms 107s 336ms X 6 9 961ms 222ms lt ims 450ms lt 1ms 288 ms 220ms 570 ms T90ms wy Figure 5 18 PCAP column in Performance conversations 192 168 20 254 Private fallback 45 7 1 KiB mail google com 6ms A NoError E 192 168 10 254 R amp D 44 5 7 KiB pypimirrors rd securactive lan s A NoError 192 168 10 254 R amp D 44 5 9 KiB pypi mirrors rd securactive lan securact AAAA NXDomain 192 168 10 254 R amp D 44 5 2KiB pypi mirrors rd securactive lan 5 AAAA NoError 192 168 10 254 R amp D 44 5 8 KiB pypi mirrors rd securactive lan aps secu 5 AAAA NXDomain 192 168 10 254 R amp D 44 6 1 KiB pypi mirrors rd securactive lan labo sec AAAA NXDomain 192 168 10 254 R amp D 44 6 0 KiB pypi mirrors rd securactive lan rd secur lt AAAA NXDomain 192 168 10 254 R amp D 44 8 1 KIB
77. ally noteworthy One can then jump to the IP summary page of either the client or the server depending on who is to blame to gather further data on this event 5 6 3 TCP Events This page does not focus explicitly on TCP errors but aims at giving various overall statistics about each TCP con versation in order first to give an accurate view of the actual traffic in term of payload and number of connections and second to notice unexpected patterns This page can also serve as a way to find which conversations are important relevant and thus which zone application could be split to help distinguish more closely between significant flows For each TCP conversation the following fields are displayed payload number of packets e number of handshakes 5 6 TCP Errors Events 55 SPV User Guide Documentation Release 2 9 number of timeouts number of RSTs from client number of RSTs from server number of FINs from client number of FINs from server 5 Packet level analysis 5 7 1 Objectives Once you have identified the origin of an issue you may want to analyze it further by looking at the packets themselves You have two ways to realize this Manual capture through Pulsar s tcpdump command Automatic packet capture 5 7 2 Manual packet capture By connecting through Pulsar you can start a manual capture of any traffic viewed on the interface of your device To do so you need to go through 3 steps 1
78. apters 3 Mirror e E vmnica 100 Half VLAN ID All 4095 Figure 9 25 Click on vSwitchl Properties 7 vSwitch1 Properties E3 General Security Traffic Shaping MIC Teaming vSphere Standard Switch Properties Mumber oF Forts 120 e Changes will not take effect until the system is restarted Cancel Help Figure 9 26 Double click on vswitch In General Tab Edit MTU settings to 9000 9 1 Virtual Appliance Step by Step 101 SPV User Guide Documentation Release 2 9 102 7 ySwitch1 Pro perties E General Security Traffic Shaping MIC Teaming Policy Exceptions Promiscuous Made Mac Address Changes Accept Forged Transmits Accept Cancel Help Figure 9 27 In Security tabs Select Accept from the Promiscuous mode Listbox Chapter 9 Appendix SPV User Guide Documentation Release 2 9 File Edit View Inventory Administration Plug ins Help EJ A Home p ar Inventory p sn Inventory El g 10 1 0 11 localhost securalis lan VMware ESX Power k Perfor K G Supervi x virtual Guest Snapshot Open Console E _ Edit Settings Add Permission Ctrl F Report Performance Rename Open in Mew Window CEri AlE N Remove From Inventory Delete From Disk Licensed Features Time Configuration DNS and Routing Authentication Services Virtual Machine Startup Shutdown Virt
79. as authority for the DNS zone the IP address corresponding to the name Hence if the response time is high first the application will be slow from the user s point of view and secondly it will incude an unnecessary consumption of bandwidth This bandwidth will be wasted both on the LAN and on the Internet link if we make the hypothesis that the authority server sits on the Internet If we consider the case of a fairly large organization the bandwidth used by the DNS traffic will not be negligeable and will represent an additional charge the DNS server may have system issues If the server is overloaded it cannot hold all the requests and delay or drop some which leads to a general slowdown of the network perfomances You can easily cast a glance at these issues go in the Analysis gt DNS Messages menu and fill the form with appropriate values especially the Requester Zone to verify if the requests are correctly answered and in an acceptable timing Traffic issue 58 Interpretation Guidelines 75 SPV User Guide Documentation Release 2 9 amp DNS Messages DNS network protocol performance and deep analysis Begin 2 2011 04 13 07 58 End 2011 04 13 13 58 More yyyy mm 1 M Y Hr 4 Requester Zone VLAN Sales hd Server Zone All Requester IP Server IP Request Name salesforce com Search Add this page to report i Inf o Begin 2011 04 13 07 45 00 02 00 Aggregate Level 15 minutes End 201
80. ase note that the code depends on the protocol used Jitter standard deviation of latency for the me dia traffic going from one IP phone to the other Packet loss percentage of packets lost in the conversation at the point of capture of the probe based on RTP sequence numbers d RIT network latency between the two IP phones based on the timestamps provided by both IP phones Note RTT and MOS values Noe e a e icem M aviv eae iene to some extent on the quality of the measurement provided by RTCP Please note that MOS is not very sensitive to normal latency values When referring to voice or media we refer to the RTP traffic which may correspond to different things human voice prerecorded message ring back tone busy 46 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 line tone The VoIP module discards the jitter and packet loss data present in the RTCP flow and replace them with equivalent values computed internally This is so for several reasons t was observed that many softphones do not place accurate or even credible values in these fields RTCP stream is more often missing than present probably because it is firewalled and of little use to the VoIP client software For the VoIP module to remain passive there is no other option than compute these values for every RTP stream to generate jitter and packet loss values which will be a good estimate of the real jitter and
81. at is to say disregarding if the host is a client or a server For example traffic from A to B takes into account all traffic coming from a host in A to a host in B whichever the role they played client or server The above graphs take into account the communications from A to B only in one direction Client server In a client server conversation all flows between two hosts will be classified following the concepts of client and server This means that the flows will group data exchanges to and from a client IP address from and to a server IP address For instance a traffic from A to B for an application provided both A and B can be a server for a single application will be broken down in two conversations a conversation for client A amp server B with 8 Chapter 2 Main terms and concepts SPV User Guide Documentation Release 2 9 Zone A Zone B J P i TCP 15445 80 4 x i UDP 53 44521 i a a Pa TCP 17465 443 Jl ICMP H EL leid EM Jj T y y Traffic from A gt B Figure 2 4 Source Destination treatment ItTREERTG traffic from A to Band from B to A and a conversation from client B to server A with traffic from A to Band from B to A Clt Srv corresponds to a view of network flows for performance analysis When analysing data for performance analysis purposes an administrator wants to view flows in function of the role of ea
82. ata aggregation level see aggregation period For example if the Aggregate level is 2 minutes the BCA will be updated every two minutes if the Aggregate level is 15 minutes the BCA will be updated every fifteen minutes 5 2 Business Critical Networks Dashboard To customize this view for your own needs just go to the Configuration menu and choose the entry labeled Business Critical Network see the Business Critical applications page 34 The Business Critical Network Dashboard BCN is aimed at presenting in a single screen the status of your organization s most critical network links You can customize the business critical network dashboard to view the status of the most strategic links corresponding to your business Traffic Bandwidth 3 5Mib s 137 9MiB 303 7Kib s B 7 IHH arn e c Sales 20 0Kib s T Di Figure 5 3 Business Critical Network Dashboard From the Business Critical Network Dashboard you can drill down from the general view to more detailed infor mation for analysis and problem resolution By pointing with the mouse you can view the threshold values for each direction at each point of time indicating status OK Warning or Alert as well as the value for each direction You can also access to the bandwidth graphs and the conversations table for each link If you click on the icons that are next to the name of the link at the beginning of each line the quick links will take into account
83. atistical analysis performed require the storage of large amounts of data Further more that data must be stored over extended lengths of time so as to expose overall trends In order to minimize storage space while still making it possible to reveal trends over weeks or months Performance Vision automat ically summarizes the collected data over standard lengths of time The process of creating these summaries is called aggregation 2 7 Data Aggregation 11 SPV User Guide Documentation Release 2 9 2 7 2 Process Aggregation occurs automatically Whenever your probe displays a chart or a table this is based on already aggregated data In order to display this aggregated data Performance Vision first decides on an aggregation granularity depending on the length of the time period you requested and how far back into the past it goes Aggregation granularity Storage duration Request length for tables Request length for graphs 2 hours 5 25 days 359 days 359 days For example with graphs if you want a data granularity of two minutes you can request a period length up to 120 minutes anywhere during the last two days Another example with tables if you want a data granularity of two hours you can request a period length up to two days anywhere during the last two months Note that because the larger aggregate levels summarize more data at once they take up less disk space and can be kept in storage much longer without filling
84. by server and by client zone we can draw the following conclusions This application is distributed by one server only 192 168 20 9 The EURT vary in large proportion between client zones mainly because of RTT VLAN Sales has a much worse access to the application than VLAN_R amp D mainly because of the network latency Getting confirmation of our first conclusions By clicking on the peak of EURT in the upper graph we can narrow our observation period to understand better what happened at that point of time D Application dashboard Applications behavior analysis Start after 2010 06 07 14 00 Stait before 2010 06 07 16 00 More yyyy mmr dd HR Mv yy yy mm dd Het MM Application Samba CIFS Search Application performance Info Query begin 2010 06 07 14 00 00 02 00A ggregate Level 1205 Query end 2010 06 07 16 00 00 202 00 14 00 00 15 58 00 DTT 121 30 us SRT 209 87 us RTT 189 54 ms 1416 14 30 14 46 15 00 1516 15 30 15 46 14 00 00 15 58 00 0 Transactions 139 399 20 m TT TTT I oon enn 1416 14 30 14 46 15 00 1516 15 30 15 46 00 V T 1500 1530 eakdown by server Breakdown by zone client Breakdown by server Breakdown by zone client LAN Sales fallback 192 168 20 9 VLAN R amp D T T T T T T T T T 1 T T T T T T TT T 1 20 40 60 80 100 120 140 160 180 200 20 40 60 80 100 120 140 160 180 200 Wen Hse Mor Men Bs Morn Figure 5 37 Peak of RTT in Application
85. cel Figure 9 30 In the Network Connection Listbox choose the accurate network configured above Mirror here Click on Next H Add Hardware Ready to Complete Review the selected options and click Finish to add the hardware Device Type Options Network pom Ready to Complete Hardware type Ethernet Adapter Adapter type Flexible Network Connection VM Network Connect at power on Yes lt Back Cancel Figure 9 31 Click on Finish to complete the operation 104 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Graphical Interface As an example you can monitor the bandwidth after 5 minutes of listening by clicking on the green validation button 2 SecurActive DASHBOARDS 4 MONITORING A ANALYSIS 8 vorr 2 9 7 rINTERNAL1 2012 04 04 15 40 admin logout hell h DY Performance Begin 2012 04 04 15 25 end 2012 04 04 1540 9 O Q9 QO a4 fA Client Server n Source Zone Destination Zone Source IP Destination IP Application All z Al z Protocol Serv Port VLAN Device id Poller Any Any gt Any Bandwidth from source to destination Info Begin 2012 04 04 15 24 Aggregate Level 2 minutes End 2012 04 04 15 38 2012 04 04 15 28 NC tcp 215 0 Kb s http 198 4 Kb s https 58 2 Kb s ms wbt server 106 9 Kb s 1 5 Mb s mgcp 58 7 Kb s imaps 76 4 Kb s mac 37 5 Kb s syslog 28 8 Kb s pop3 22 8 Kb s icmp
86. ch host client or server Indeed the role of a host has an impact on the metrics displayed and the clients amp servers cannot be mixed Zone A Zone B Wu TCP 15445 80 c i a TCP 445 25665 k UDP 53 44521 TCP 17465 443 HN e ICMP X Performance between clients ri Performance between clients In A to servers in B ra in B and servers in A Figure 2 5 Client Server treatment For example clt srv graphs as the ones shown above will be generated taking into account the communications from clients in A to servers in B e from servers in B to clients in A In short the traffic displayed in client server conversations will take into consideration the data transfer in both directions Note Notice that the appliance can only distinguish reliably clients from servers when IP protocol in use is TCP when the connection establishment was successfully received by the probe and when the connection states is sufficiently active not to be timeouted In all other cases the probe assumes that the lower port is used on the server s side 25 Concept of Conversation 0000000000000 9 SPV User Guide Documentation Release 2 9 Where are both being used Src Dst will be used for all views of oriented traffic 1 e where the reports need to show the amount of data from one zone to another zone Hereunder in the first and second lines of the table y
87. configuration In the example here above we created this Application application SAP Sales will be display in red corre sponds to flows on server port TCP 8080 OR range of UDP ports from 8080 to 8090 only if the flow is sent to a server in Zone VLAN Sales Application signature application signature 1s defined as a pattern recognized in the payload of a packet that makes the identification of the application possible There are two types of application signatures e Signature Dynamic port these signatures are used to identify applications using dynamically negotiated ports e g Passive FTP Bittorrent through connection tracking Additionally Performance Vision supports protocol recognition for the following applications FTP SIP MGCP The ports on which to search for these applications can be configured on this panel 2 Dynamic port signatures fp 21 dns 53 http 80 8000 8080 3128 mgcp 2427 2727 sip 5060 bittorrent 6861 6999 e Signature Web application these signatures are used to identify applications using URLs in HTTP flows They are defined as patterns matched against the URLs contained in HTTP requests The patterns should contain at least a domain name optionally including wild card characters like or if you check regex mode you can set POSIX regular expressions 4 4 4 Business Critical applications An application can be tagged as Business Critical Those applications are used to
88. d by monitoring and collection devices TAP s can also be used in security applications because they are non obtrusive are not detectable on the network can deal with full duplex and non shared networks and will usually pass through traffic even if the tap stops working or loses power Advantages e No risk of dropped packets Monitoring of all packets including hardware errors MAC amp media Provides full visibility including congestion situations Drawbacks The device may require two listening interfaces on the analysis device Costly No visibility on intra switch traffic Not appropriate for the observation of a narrow traffic range 3 3 Supported Protocols The SPV sniffer can detect all Ethernet packets even if those packets have a VLAN tag in their Ethernet header SPV also accepts both IPv4 and IPv6 protocols Note Non Ethernet flows are invisible for the SPV solution 3 3 1 Non IP Protocols If the Ethernet protocol is not an IP protocol it will appear in Non IP submenu All those data will not appear elsewhere Non IP Volume non IP Figure 3 2 Non IP protocols menu 3 3 Supported Protocols 15 SPV User Guide Documentation Release 2 9 3 3 2 IP Protocols Ipv4 and IPv6 are both captured and splitted in four Level 3 4 protocols TCP UDP ICMP and OtherIP Protocal Figure 3 3 Level 3 4 protocol filter Some of those data are duplicated in other specialised categories Web VoIP
89. d location For the deployed template Source OVF Template Details End User License Agreement Ex Name and Location The name can contain up to 80 characters and it must be unique within the inventory Folder Help x Back re gt Cancel Figure 9 6 Name the Virtual Machine appropriately and click on Next 90 Chapter 9 Appendix Disk Format In which Format do you want to store the virtual disks SPV User Guide Documentation Release 2 9 Source OVF Template Details End User License Agreement Mame and Location Host Cluster Disk Format Network Mapping to Complete Datastore Available space GB Thick Provision Lazy Zeroed datastorei 1 280 4 Thick Provision Eager Zeroed Thin Provision lt Back net gt Cancel Deploy O F Template Ready to Complete 4re these the options you want to use Source OVE Template Details End User License Agreement Name and Location Disk Format Ready to Complete Deployment settings OVF File Download size Size on disk Name Host Cluster Datastore Disk provisioning Network Mapping Figure 9 7 Click on Finish 7 6 Deploying Virtual Tutorial Deploying virtual Tutorial Deploying disk 1 of 1 From C Documents and Settings Franck Desktop viiware 4P5 2 5 13 r2 disk1 vmdk aH 4 minutes and 30 seconds remaining When you click Finish the deployment task will b
90. dashboard focusing on the same application for that specific server or client zone This view is available for any TCP application in Dashboards Application Dashboard Application Performance Chart A more detailed view of the application performance is available here it will show an even more complete set of metrics RTT client amp server Server Response Time Data Transfer Time client amp server retransmission rate volume of packets 9 1 Virtual Appliance Step by Step 107 SPV User Guide Documentation Release 2 9 Begin 201203211324 End 2002002110222 O Q9 OO O a Application Server Zone VLAN Device id Poller Web Farm All Any lt Any X Application performance Info T 2012 03 21 13 15 Aggregate Level 15 minutes End 2012 03 21 19 15 2012 03 21 13 15 2012 03 21 19 00 e z DT avg 228 3 ms SRT avg 294 5 ms ermm avg 48 7 ms 15 00 16 00 17 00 18 00 2012 03 21 13 15 2012 03 21 19 00 10 000 Transactions sum 182 293 d d das oral anam AL a gt LL Breakdown by server Breakdown by zone client T T T T T 1 200m 600m 1000ms 200m 600m 1000ms Merm ES Menor Bzr Eso Menor Figure 9 36 Application Performance Dashboard Using filters you can focus on a specific perimeter and view the evolution of the application performance through time This view is specifically interesting to link the evolution of data transfer times to
91. display the Business Critical Application Dashboard for now and will be also used in future dashboard Business Critical is an additional 34 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 amp Web application signatures You can write web patterns with a regular expression Web application youtube com regex mode This Web Application is used by Web application mail google com regex mode Unused pattern delete Web application google fr com regex mode v This Web Application is used by Figure 4 11 Web application signature configuration attribute of the application From here you can Add a new Critical Application Add button Edit the parameters of a Critical Application Edit button Remove a Critical Application Remove button o Business Critical Applications Edit parameters for this business critical application Application http Min transaction ount DU Minimal Ss of SRT events per minute Warning thresho allowing the BCA to be displayed Alert threshold ms 2500 Apply Cancel Figure 4 12 Business critical application edition When you add a new Critical Application three parameters are required for defining a critical thresholds The minimum transaction count It indicates for one minute the minimum of SRT Server Response Time events to be seen on the network for being considered as a pertinent measurement
92. ds for Round Trip Time RTT gives an approximation of the time required for a packet to reach its destination and can be further decom posed into a RTT Server delay between a data packet send by the client and its ACK from the server and a RTT Client in the other way around As a typical IP implementation will delay acknowledging of incoming data additional tricks are exploited in order to rule out these software biases make use of SYN FIN acknowledgment and some exceptional conditions such as TCP resets that suffer no such delays to estimate a realistic upper bound exclude unusually high RTT values bound RTT Server Client by SRT CRT if RTT sample set looks suspicious RTT is meaningful of the bare speed of the physical layer It is unaffected by packet retransmissions packet loss or similar occurrences RTT may be affected by from most common to the rarest e Slow network equipment between client and server such as a router or a switch Link layer overloaded ethernet collisions for instance Malfunction of one of the involved network adapter These troubles should be further investigated by comparison with other client and or server zones in order to locate the misbehaving equipment Notice that a degradation of RTT will almost invariably impact other metrics as well SRT SRT stands for Server Response Time SRT gives an estimation of the elapsed time between the last packet of an applicative request and the f
93. e mee Ree Gauge quee cR Gauge qoe sg Gauge t cR Gauge con he Hau eS ee eR Gauge we ce Gauge woe hee Gauge Tee eR e Gauge Te cR Gauge qc SR Gauge je eR Gauge aee ce aCe ToS Hh gt Gauge Tom aR Gauge spvNevraxBCNTime 2 SPV User Guide Documentation Release 2 9 spvBCNBandwidthBtoA 14 SpvBCNTrarIITQSUmALOB L5 SpvBCNTrafficSumBtoA 160 SpvBCNPacketsCountSumAtoB 17 SpvBCNPacketsCountSumBtoA 18 SpvBCNThresholdSymetricLink 19 True 1 False 2 SpvBCNThresholdBandwAvailableAtoB 20 SpvBCNThresholdBandwAvailableBtoA 21 SpvBCNThresholdBandwMinAtoB 22 SpvBCNThresholdBandwMinBtoA 23 SpvBCNThresholdBandwrateWarningAtoB 24 SpvBCNThresholdBandwrateWarningBtoA 25 SpvBCNThresholdBandwrateAlertAtoB 260 SpvBCNThresholdBandwrateAlertBtoA 27 SpvBCNThresholdRttWarningAtoB 28 SpvBCNThresholdRttWarningBtoA 29 SpvBCNThresholdRttAlertAtoB 30 SpvBCNThresholdRttAlertBtoA 31 SpvBCNThresholdRrWarningAtoB 32 SpvBCNThresholdRrWarningBtoA 33 SpvBCNThresholdRrAlertAtoB 34 SpvBCNThresholdRrAlertBtoA 35 Note Notice that none of these MIB objects is currently settable 4 4 SPV Functional Configuration 41 SPV User Guide Documentation Release 2 9 42 Chapter 4 Configuration CHAPTER FIVE INTERPRETING THE RESULTS Note Note about terms used starting from version 2 8 The in out notion has been fully replaced by Server Client So
94. e intervals servers and user groups Performance metrics represent time interval Although most of them correspond to the measurement of a concrete phenomenon it is almost impossible to provide a scale of what is a good or a bad response time with no experience of the impact it has on users For example indicating that the Network Round Trip Time from a site Atoasite Bis 200ms does not mean you have a measure which is acceptable or not In the same way a Server Response Time SRT of an application Aof100ms may be very bad when the same value would be excellent for an application B As a consequence it is important to consider performance metrics as relative values one of the key to a good interpretation of performance metrics is to compare systematically performance metric value to another time period to another users group Mixing up performance metrics for several applications does not make sense When looking at application performance metrics you should be very careful of isolating applications for analysis As a consequence the metrics which very much depend on the application s specific behaviour should not be considered altogether this 58 Interpretation Guidelines 5 SPV User Guide Documentation Release 2 9 is true for metrics such as EURT End User Response Time SRT Server Response Time and DTT Data Transfer Time RTT measurements can marginally be impacted by the behaviour of the operating system Ne
95. e started close this dialog when completed C Documents and Settings franck Desktop vmware 4Ps 1 1 GB 16 0 GB Virtual Tutorial datastorel 1 Thick Provision Lazy Zeroed bridged to vM Network the Virtual Appliance gets installed Cancel Figure 9 8 You get notified when the installation is complete Deploying virtual Tutorial Completed Successfully 9 1 Virtual Appliance Step by Step H Deployment Completed Successfully 91 SPV User Guide Documentation Release 2 9 10 1 0 11 vSphere Client File Edit View Inventory Administration Plug ins Help F Home p at Inventory gt fl Inventory Hu b amp amp I3 mE oO ge E ah parte Performance ision Performance vision E Supervision Getting Started 4 Summary r Resource Allacation CE Virtual Tutorial consolidate server applications virtual machines run an hosts The sa many virtual machines Basic Tasks gt Power on the virtual machine Edit virtual machine settings Re Pal ri M M E IaI are r ola Ia Figure 9 9 Click on Power on the Virtual Machine or on the green triangle Performance Vision Getting Started Summary Resource Allocation Performance Events Console Permissions b 80207001 AUURCUNE CN NEU CHAN eth Titik becomes reads 33 335434 warning proftpd uses 32 bit capabilities leg e 34 38027871 e1986 ethi e186646_set_tso TSO
96. e synthetic metrics that are easy to explain so that you can address non technically aware people with an understandable speech about what is going on e RTT network performance e SRT Server Performance e DTT Delivery of application response through the network For troubleshooting For network administrators this report brings together all the information about a business application required to validate whether there is a slowdown or not identify the origin of a slowdown network application response delivery which users or servers were impacted 54 Application dashboards 49 SPV User Guide Documentation Release 2 9 2011 09 08 13 32 2011 09 08 14 32 SOIT avg 25s SRT avg 16s XRIT avg 81 2 ms 1 13 40 13 50 1410 1420 14 30 2011 09 08 13 32 2011 09 08 14 32 Transactions sum 7 319 13 40 13 50 14 00 14 10 14 20 14 30 13 46 4400 m 1416 M Breakdown by server Breakdown by zone client Private fallback 2 000ms 6 000ms 10000ms 14000ms 500ms 1500ms 2500ms 3500ms 4500ms Bzr Bsr Bor Bzr Bsr Bor Figure 5 8 Overall view of the application dashboard In no more than one click you can conclude on whether there was a slowdown or not what was the origin of the degradation which client zones were impacted With a single additional click i e two clicks in total you can view whether all clients in a zone were impacted or
97. ely occur on the same type of traffic and continuously ICMP What is ICMP ICMP stands for Internet Control Message Protocol and is also a common IP transport protocol It seems pretty explicit although most people reduce ICMP to ping reply commands a good way to test whether a host can be reached through a network and how much it takes for a packet to make a round trip through the network Obviously ping and trace route like tools are very useful for network administrators but there is much more to say about ICMP and the help it can provide for network administration amp diagnosis In total ICMP can be used to send more than twenty types of control messages Some are just messages some others are a way for IP devices or routers to indicate the occurrence of an error Error messages Let s describe the most typical ICMP error messages you can find on networks ICMP Network Unreachable Let s take the simplest example one machine sitting on a LAN 192 168 0 7 has one default gateway 192 168 0 254 which is the router It is trying to reach a server which does not sit on the LAN 10 1 0 250 and which cannot be reached because 192 168 0 254 does not know how to route this traffic ICMP Host Unreachable Let s take the simplest example one machine sitting on a LAN 10 1 2 23 has one default gateway 10 1 2 254 24 which is the router It is trying to reach a server which does not sit on the LAN 192 168 1 15 The tra
98. end 2010 07 30 16 42 00 02 00 Number of collected results 1 Sync Begin Time End Time Client Zone Client ii P Server Zone Server IP Application Traffic Packets Handshake Transactions EURT amp V 2010 07 3016 41 34 2010 07 30 16 41 56 Private 192 168 10 2 Internet 88 191 122 7 m http 55 9KiB 152 7 30 112ms Figure 2 12 Flow example at 16 40 to 16 42 Then here is the aggregated line for both events if you query between 16 38 and 16 42 Query begin 2010 07 30 16 38 00 02 00 Aggregate Levet 120s 7 30 16 42 00 02 00 Info Query end 2010 07 Number of collected results 1 Sync Begin Time End Time Client Zone Client IP Server Zone Server IP Application Traffic Packets Handshake Transactions EURT Q 2010 07 30 16 38 47 2010 07 30 16 41 56 Private 192 168 10 2 Internet 88 191 122 7 m htp 194 9KiB 392 19 62 106ms Figure 2 13 Flow aggregation from 16 38 to 16 42 Observe that the traffic and the packet handshake and transaction counts have been added and the EURT aver aged For example handshake is now 19 12 7 Note Performance Vision requires a complete set of data for an aggregate level to compute its summary This is the reason why captured network events don t appear right away on your probe the probe first waits until the end of the minimal aggregate time of 2 minutes computes its summary and only then is the aggregated data for these last 2 minutes made available in the interface 12 Chapter 2 Main terms
99. er time quantity of transactions Info Begin 2012 03 21 13 15 Aggregate Level 15 minutes End 2012 03 21 19 15 ber of coll Number of collected results 4 Applicaton Y 201249211315 EURT thresholds over time 2012 02 21 15 15 Traffic m Web Fam aaa ee Et ae n RE DS ne eo 177 9 MiB m Web Appli salap ERRITARRA t m Proxy ESS E o Tansactions Figure 9 35 Business Critical Application You can access this view in the graphical interface in Dashboards Critical Applications Application Performance Dashboard A simple click from the Business Critical Application Dashboard drives you to the Application Performance Dashboard it shows you the evolution of the End User Response Time through time along with the volume of transactions and its breakdown in Round Trip Time Server Response Time and Data Transfer Time At a glance you can understand the origin of a change in the End User response time Underneath this first graph you find two additional bar charts which help you understand which server s and Client Zone s are performing better worse and due to what component of the End User Response Time The servers and zones are always presented from the one that corresponds to the highest volume of transactions to the lowest You can drill down and display either the Client Application Dashboard or the Server Application Dashboard by clicking on a specific server or client zone This drives you to a specific application
100. erver Zone Traffic cT ERT jit RR fh RD o GA Internet 577 8 MiB 68ms 67ms 021 326ms Paris LAN Intemet 577 8 MiB 68ms 67ms 0 21 326ms x VLAN R amp D Internet 387 7 MiB 63ms 63ms 0 08 892ms x S VLAN Sales Intemet 190 1 MIB 77ms 74ms 041 147ms x Proxy Intemet 181 8 MiB 73ms 76ms 0 38 96 160ms x s VLAN Sales fallback Internet 8 3 MIB 100ms 62ms 0 89 96 59ms 26 O Printer HP4100 Internet 0 Bytes na a na na 9 Printer HP2840 Internet 0 Bytes x o Printer HP4250 Internet 0 Bytes x O Serveur Production Internet 0 Bytes 9 VLAN ToIP Internet 3 5 KIB 6 VLAN Wifi Intemet 1 3 KiB x lt 6 2 VLAN Labo Internet 0 Bytes xo MPLS Dantin Intemet 0 Bytes x o VPN Dantin Intemet 0 Bytes eC O Zone IPv6 Internet 0 Bytes xo Paris LAN fallback Internet 0 Bytes x lt Internet intemet 684 Bytes 2C O Extranet SF Internet 0 Bytes x TolP B3G Intern et 0 Bytes Figure 5 16 Network Performance Client Server table unfolded 5 5 3 Application Performance Table Securactive APS This table provide an easy way to compare application performance between zones e EURT s RIL Server e RTT Client e SRI e DIT As many reports in SecurActive SPV the navigation through the data is based on a drill down mechanism which makes it possible to go from a very wide view of application performance to a focus on a specific client or server zone and then down to the detailed conversations In the illustration Application Performance Client
101. erver table Figure 5 25 Begin 2011 04 04 13 00 End 2011 04 04 14 00 More yyyy mm dd HH MM vyy mm dd M Client Zone R amp D gt Server Zone Labo x Application Search Add this page to a report I fo Begin 2011 04 04 13 00 00 02 00 Aggregate Level 2 minutes n End 2011 04 04 14 00 00402 00 ae Action Client Zone Server Zone Application Traffic EURT SRT CRT in ERT DTT cT o R amp D Labc E 11 applications 162 2 MiB na 18n 1 25 15m 2C O R amp D Lab E htp 74 9 MIB 6ms 5ms 199m 2c 5 R amp D Lat http ait 29 6 MiB 79m 72ms i 7ms co R amp D Labo m ssh 28 2 MIB 538m 4ms 1 533ms xo R amp D Lab ftp passive 27 9 MiB T a na l ia x o R amp D Labo m at 1 1 MiB 4ms 3ms 5ms 1 1 lt 5 R amp D Lab a microsoft d 300 5 KIB 55ms 5 05 18m 36m 2 R amp D Lab snmp 202 1 KiB na na na na xs R amp D Labo m NC 29 4 KiB gms ims 16 55 7ms 1 2c 2 R amp D Labo jetdirect 16 0 KiB na na 5 na x lt gt R amp D Lat m ftp 2 6 KiB 318m 315m ec o R amp D Labo netbios ssn 1 6 KIB na na EURT comparison between applications for a given zone Client server table Does the slowdown occur for a specific server If so check Slow server page 69 e Did you upgrade the clients workstations recently If so it s a specific systemissue you may ask the System Administrator for more details e Did you upgrade your network equipment If so the router switch configuration is probably involved Now we might inspect deeply in the SPV dashboa
102. es You can add the current page with the selected criteria to a report Show report list Add to report MyReport Add Figure 4 16 Add a view to a report template Please note that while the time is fixed the date will remain relative to the moment the report is sent If the view you re adding starts yesterday at 20 00 and ends today at 8 00 and the report is scheduled to be sent next Friday then the effective capture time bracket will be from Thursday at 20 00 to Friday at 8 00 Note Before release 2 9 an additional time delta was added under certain circumstances As of 2 9 it s not longer the case all dates are relative to the day the report is being sent 38 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 Actions on reports A report template can be deleted with the button Delete You can clone a report template all its parameters and included views will be duplicated A new report template is created with copy added to the report name Preview will start the generation of the report right now and you will be able to see the PDF file with your favorite PDF viewer once it has been generated Edit allows you to change the parameters of the report template name of the report the list of recipients and the scheduling settings Send now will start the generation of the report right now and the report will be sent by mail once it has been generated Sending Email So that yo
103. esponding to a single machine the one which is scanning Spyware Worms An infected machine is trying to propagate its spyware virus or worm throughout the network obviously it has no previous knowledge of the network architecture 74 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 How would we see it A large number of ICMP Host Unreachable errors coming from one or several routers corresponding to a limited number of hosts trying to reach a large volume of non existing machines on a limited set of ports Server disconnected reboot A service on UDP DNS Radius is interrupted because the server program is temporarily stopped or the host machine is temporarily shutdown Many requests are then discarded How would we see it Many CMP Port Unreachable messages preceeded by some unreachable host if the host itself was shut down are emmited during a short period of time for this service host port DNS Response Time Background The DNS Domain Name System which has been defined in detail in the RFC 1034 http tools ietf org html rfc1034 html and RFC 1035 http tools ietf org html rfcl035 html is key to the good performance of TCP IP networks It works in a hierarchical way This means that if one of the DNS servers is misconfigured or compromised all the network which relies on it is also impacted Although the DNS protocol is quite simple it generates a significant number of
104. esponse a packet with a non null payload which number of acknowledgment correspond to the first packet Session An established communication channel between two devices using TCP a Session is defined as TCP communication between 2 devices beginning by a successful Handshake and ending by a Timeout or Packet with the RST flag from any of the devices or a Packet with FIN from any of the device that is acknowledged by a FIN ACK by the other device and followed by a FIN of this same last device no FIN ACK is necessary to conclude that the connection is closed Signature Dynamic port Connection tracking of Application based on dynamic TCP UDP port negotiation detection a Dynamic Port Signature is identified by a name in a set of internally predefined pattern name and an associated port Each pattern name refers to an internal connection tracker that will start from the given associated port and will follow connexion on other port Signature Web application Allows to distinguish conversation that use HTTP by using simple pattern matching on the target URL A Web application signature is defined by a single pattern The pattern syntax allows hostname and optionally a path separated by Ge www example com my path or www example com Notice that a wildcards character is allowed in domain or path part of the pattern Only Conversation which are detected to be based on HTTP will have URL of their GET POST CONNECT request matc
105. ffic flows and reaches the last router before the server 192 168 1 254 24 this router cannot reach 192 168 1 15 because it is unplugged down or it does not exist 72 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 Lig T 10 1 0 250 The router sends back an ICMP error 10 1 0 250 message Network Unreachable to 10 1 0 250 ICMP Network 2 168 0 254 Unreachable 2 168 0 254 m P 3 The workstation tries to connect to 10 1 0 250 p 4 on HTTP port 80 192 168 0 7 192 168 0 7 The router 192 168 1 254 sends a back an ICMP Host Unreachable eiiis Fr 92 168 115 error to 10 1 2 23 a st 192 168 1 254 24 192 168 1 1 192 168 1 254 24 192 168 0 253 16 ICMP Host Unreachable 192 168 0 254 16 192 168 0 253 16 192 168 0 254 16 The workstation 10 1 2 23 tries to connect 101223 10192 168 1 15 on HTTP o 10 1 2 23 ICMP Port Unreachable Let s take a second example one machine sitting on a LAN 192 168 0 7 Itis trying to reach a server 192 168 0 254 which sits on the LAN on port UDP 4000 on which the server does not respond The server refuses the connection on port 4000 and sends back an ICMP port Unreachable Error A di J 2 168 0 254 ICMP Port Unreachable 192 168 0 7 Where is the challenge with ICMP You may be tempted to say if it is that simple why do we need SecurActive SPV on top of any sniffer All the information s
106. for this application the thresholds levels will be automatically applied on the BCA dashboard even for a period back in time 4 4 SPV Functional Configuration 35 SPV User Guide Documentation Release 2 9 4 4 5 Business Critical Networks A BCN consists of a virtual link between two zones its objective 1s to monitor normal volume and performance levels between two network segments which represent a strategic network link for your organization e g link from the data center to a remote site from the server VLAN to a user VLAN An administrator can configure thresholds for warning and alert on bandwidth consumption Retransmission Rate RR and Round Trip Times RTT A specific configuration screen allows configuring the specified BCN To access it just go to the Configuration menu and choose the entry labeled Business Critical Networks Edit the Business Critical Network Add a new business Critical Add List of Business Critical Networks v Link between zones Private and Interne Network zone from Private Network zone to Internet Threshold Warning Alert Warning Alert Utilisation Rate p 9 3 S 9 qm 2S 3 8 gt Fr n Bandwidth Available 20 0 Mibps Mibps Min Volume for triggering 0 01 Mibps 01 Mibps Symetric Link P Delete FOS Apply b Link between zones Private and R amp D b Link between zones Private and Labo b Link between zones Private and Sales b Link between zones I
107. g Creating default settings Done Restoring data hard drive disks This is to be used when you are delivered new data disk s If you want to use it anyway any existent data capture and configuration will be lost Default values will be restored pulsar format_data_disk These processses should not be interrupted Do NOT use Ctrl C Preparing disk Formatting disk Installing disk Generating database This may be quite long 5 min Done More about pulsar help provides both global and command help Tab completion is enabled for commands and subcommands such as help config and show Configuration example pulsar config network NETWORK Connection Type 1 Static network Z5 DACP 4 3 System 27 SPV User Guide Documentation Release 2 9 Pulsar shell configure your probe help quit exit LILILLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLLL SPV SSS SSS SS SS SS SE ES EE SE EE ES ES ES ES EE ES SE SS SS analyzer csv_status format_data_disk process reset status show system commands dig ifconfig partitions set_date traceroute network support Figure 4 2 Available commands Your choice 1 IP address 192 168 1 1 netmask 255 255 255 0 gateway 192 168 1 254 Support access through VPN The probes come with an already configured VPN connection to allow access for support operations if needed The VPN address is set by default and should normally not be changed If it needs to be changed t
108. g on the version number The ZIP archive will contain the following files e SPV 2 9 4 r mf e SPV 2 9 4 rl ovf e SPV 2 9 4 r disk1 vmdk 9 1 2 Virtual Appliance Specifications The Performance Vision Virtual Appliance is designed to run in a VMWare ESX v4 or v5 environment It is designed to run with a minimum RAM of 500MB although a larger quantity is recommended to ensure satisfactory performance rates Here are the configurations which are validated RAM 512MB 4GB 6GB 8GB 12GB or 16GB vCPU 1 4 or 8 9 1 3 Installation The system detects the space available on the disk for the new Virtual Machine we recommend to allocate the following spaces Trial Virtual Appliance 4GB RAM 2 vCPU gt 2 0 GHz Production Virtual Poller 8 GB 2 vCPU gt 2 0 GHz Virtual Appliance gt 16 GB 4 vCPU gt 2 4 GHz You get Get it Started Once the Virtual Appliance is installed you have to start it 87 SPV User Guide Documentation Release 2 9 VMware vSphere Client vmware VMware vSphere Client To directly manage a single hast enter the IP address or hast name To manage multiple hosts enter the IP address or name of a Center Server IP address Name fio 1 0 11 User name Password use Windows session credentials coe om Figure 9 1 Connect to your Vsphere Client Deploy OVF Template Source Select the source location Source OVF Template Deta
109. gure 9 21 section It can also be done through 9 1 Virtual Appliance Step by Step the web interface in the page Poller status in the Configuration SPV User Guide Documentation Release 2 9 e 2 Then on your ESX server icon go to the Configuration tab e 3 Click on the Networking Menu on the left column a 10 1 0 1 localhost securalis lan Mware ESXi 5 0 0 469512 E Performance vision GB Performance Vision 2 9 7 Te Ik Getting Started Summary VirtualMachines Resource Allocation Performance Configuration Local Users amp Groups Event E Supervision GST i E Virtual Tutorial View vSphere Standard Switch Health Status Networking Refresh Add Networking Properties Processors Memory Standard Switch vSwitchD Remove Properties Storage Virtual Machine Port Group Physical Adapters Networking L3 vM Network Bj vmnic 100 Full m Storage Adapters E 4 virtual machine s Network Adapters Performance Vision Advanced Settings Performance Vision 2 9 7 Test TBO Power Management Virtual Tutorial Supervision Software VMkemel Port Licensed Features L3 Management Network Time Configuration vmkO 10 1 0 11 e 4 Click on Add Networking Vieu vSphere Standard Switch Networking Refresh Add nd Properties Standard Switch Switch Remove Properties Virtual Machine Port Group LJ VM Network NS E
110. have either been lost or damaged Packet Retransmission is identified thanks to their TCP sequence and acknowledgment numbers and checksum values Only packets with a non null payload are checked Retransmission Delay Delay between a packet and it s the next retransmission RD stands for Retransmission Delay RD is defined as the time between a packet and its next retransmission Retransmission Duplicate ACK Duplicate acknowledgment Packet with null payload Duplicate ACK are TCP ACK packets that are identified thanks to their same acknowledgment value and their empty payload Retransmission Rate Ratio of retransmissed packets to the total number of packets RR stands for Retransmis sion Rate RR is defined as the ratio of retransmitted packets to the total number of packet in a conversation Retransmission Total Delay between a packet and the last retransmission TRD stands for Total Retransmission Delay TRD is defined as the time between a packet and its last retransmission Round Trip Time Time between an applicative query and a response at the network level RTT stands for Round Trip Time RTT is defined as the time between a packet with a non null payload and the corresponding acknowledgment a packet with a null payload and the TCP ACK flag Server Response Time Time between a query and an answer at the applicative level Server Response Time is the elapsed time between a client packet with a non null payload and the corresponding server r
111. hed against Web application signature s pattern A match occurs when the pattern match the complete target URL 84 Chapter 8 Glossary SPV User Guide Documentation Release 2 9 Subnet Set of network addresses that have a common declared IP address routing prefix A Subnet is defined by an IP address and a netmask TCP Handshake 3 Way negociation that is part of TCP for establishing a TCP session A TCP Handshake is defined between 2 devices as exchange of 3 TCP packets flagged SYN SYN ACK ACK Time To First Byte Time for a user to connect to a server and receive a first response from the application TTFB stands for Time To First Byte and is defined as the interval between the SYN packet and the first packet with a non null payload from the server Timeout Session end by inactivity Session Timeout will be reported after 120 seconds of complete inactivity i e no packets seen Zone A logical group of subnets A Zone is identified with a name and defined as a set of subnets More it must be placed in the Zone container hierarchy following subnets natural subnet inclusion constraints A Zone is attributed to an IP if the IP is included in one of the Zone subnets 85 SPV User Guide Documentation Release 2 9 86 Chapter 8 Glossary CHAPTER NINE APPENDIX 9 1 Virtual Appliance Step by Step 9 1 1 How to get the image of the Virtual Appliance This section is based on version 2 5 9 the filename will evolve dependin
112. his can be done by the command config and option 7 The VPN service is stopped by default It can be started or stopped at any moment by the corresponding commands support startorsupport stop Note In order to have the VPN connection of the probe working fine you will probably have to configure your network and or security equipment like your firewalls Default Host IP address is 88 191 121 167 and default port is 443 4 3 4 Access Performance Vision Through a Web browser We assume here that the probe has been previously configured through the command line interface and the user knows the probe IP address The probe can be accessed either with SSH or with a Web browser To connect with a Web browser the port to use are the 80 8080 or 443 Authentication Username admin Password CILIT Log in Figure 4 3 Login parameters in SPV 28 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 Thus if the IP address of the probe has been configured as 10 0 0 1 then just open the URL http 10 0 0 1 with your Web browser or https 10 0 0 1 for using the HTTPS protocol Please note that you can verify that you are actually connected to a Performance Vision appliance by checking that the certificate serial number is 00 90 26 d5 46 2a 5e 66 ec To log in please use admin as user and admin as password You are now logged in and ready to use the Graphical User Interface In order to offer the best perfor
113. ic applications and metrics corresponding to your specific business 43 SPV User Guide Documentation Release 2 9 From the BCA dashboard you can drill down from the general view to detailed analysis and problem resolution views HTTP Internal l amp 7 7 BH https DV B Salesforce App Dashboard Figure 5 2 Quick links in the Business Critical Application Dashboard view Capture time 2010 10 25 14 52 00 EURT 3 85 Transactions 126 id Ano dashboard 5 Conv Thus from each Business Critical Application with a single click on the appropriate icon you can Directly access to the corresponding Application Dashboard Add a filter on this specific Critical Application in case you have defined a lot of Critical Applications and you want to see only one for a moment Edit Application characteristics Directly access to the details of Conversations for this Application Note If you click on the icons that are next to the name of the application at the beginning of each line the quick links will take into account the complete period of time currently displayed If you click on the icons associated to a specific period of time the quick links will used this specific period time when redirecting you to a detailed screen You will always see up to date information with the auto refresh feature of the BCA dashboard The in formation will be automatically refreshed based on the d
114. ication Search for an application 2 UELLE Remove selected applications Q Delete Delete Name Description Critical Edit E afpovertcp AFP over TCP o F B agentx AgentX o s 8H http World Wide Web HTTP o F B ssh SSH Remote Login Protocol eo F B xmpp client XMPP Client Connection o F g B pipi d B 3com tsmux 3COM TSMUX F E acap ACAP s Figure 4 9 Application list screen To create an application go the to Application submenu in the left menu This panel displays the existing Applications by default or user defined To create an Application click on Add you will see the configuration screen An Application can be defined using the following elements Name it corresponds to the designation of each Application which will be used in displays This is a mandatory field Color it is the color which will be used to display this specific Application in graphs This is a mandatory field Comment it is a description field which should be used to track information related to this Application 32 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 Application Add Application information Application Mame le Application Color a Application Description Protocol Set of protocols and ports ranges any of them will flag the application New protocol TCR Ports New protocol TCP M Ports Signature Choose dynamic ports and web applications any of them will flag
115. ics are available through SNMP The values can be queried through SNMP Performance Vision MIB GUI Find the company vendor name behind a MAC address for non IP traffic e Metrics Added a new metric 0 Window event in TCP Events GUI JavaScript performance improvements 1 3 What s new in 2 7 3 SPV User Guide Documentation Release 2 9 1 4 2 Changes e PCAP AutoPcap files are now kept for 72 hours instead of 48 hours Export All data views can now be exported directly as a PDF page new Export as PDF icon GUI Updated TCP conversation workflow for an improved usability 1 5 What s new in 2 9 1 5 1 New Features Alerts Business Critical Networks metrics are available through SNMP The values can be queried through SNMP Performance Vision MIB Metrics Implementation of a new heuristic to find out clients from servers without SYN packets Metrics Support for HTTP chunked transfer encoding 1 5 2 Changes Reports Queried time interval in reports has been simplified Reports Email recipients are now optional as reports are now also stored on the probe and available through ftp Reports Reports edition now displays time intervals of each individual pages e PCAP The former limitation on storage size of manual PCAP files 20 GB has been removed User can now freely manage size of captures depending on available storage capacity GUI Time selection improvement e G
116. if the server response time degradation was due to another application hosted on the same server machine 5 4 2 Components 1s element the evolution of End User Response Time through time 14 no TOT l cix On rans saad Figure 5 9 End User Response Time EURT graph This EURT graph shows the evolution of the quality of experience for users of this application over the period of time the number of transactions help you consider the evolution of EURT with rigor and common sense you would not consider a degradation of EU Response Time for 10 applicative transactions in the same way as for 10 000 50 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 The breakdown of EURT in three intelligible components RTT for network latency SRT for Server Response Time and DTT for Data Transfer Time let you know at first glance what is the origin of the possible performance degradation For example in the screenshot here above we can observe an increase in the SRT the network and the time required to send the response to the client have not increased Either the server overall responded slower or some specific queries required a much larger treatment time you can determine this by drilling down to that specific point of time 2nd element EURT by Server Breakdown by server 50 100 is 200 250 ms Mise Mon Figure 5 10 EURT by server What we can see here is a comparison between the EU
117. ils Name and Location Disk Format 0 x pen Ready to Complete g Look in eG vmware m ex E3 Ie My Recent Documents Desktop My Documents Pr My Computer i mM File name APS eval ovf Places Files of type OVF packages ovf oval Cancel A Help lt Back Next gt Cancel A Figure 9 2 In the Virtual Machines tab in the File menu select Deploy a new OVF template Find the Performance Vision OVF file and Click on Open 88 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Deploy OVF Template Source Select the source location Source OVF Template Details Name and Location Disk Format Ready to Complete Deploy from a file or URL C Documents and Settings franck Desktop vmware APS 2 5 Enter a URL to download and install the OVF package From the Internet or specify a location accessible From your computer such as a local hard drive a network share or a CD DYD drive Figure 9 3 Click on Next Deploy OVF Template BR O F Template Details Verify OVF template details Source O F Template Details A End User License Aareema Product Performance Vision Name and Locatior 4 Version Evaluation E Host Resource P Vendor SecurActive LU orm dy to Complete Publisher No certificate present Download size 707 9 MB Size on disk 4 4 GB thin provisioned 118 4 GB thick provisioned
118. in our Graphs any RTT and RR in out should be considered as RTT RR Server Client as in the following rules RIT in stands for RTT Server RIT out stands for RTT Client e RR in stands for RTT Server e RR out stands for RTT Client 5 1 Business Critical Application Dashboard To customize this view for your own needs just go to the Configuration menu and choose the application you want to be a business one see the Business Critical applications page 34 The purpose of the Business Critical Application Dashboard BCA is to have regrouped into one single view the most important elements that are critical for your business In one single screen vital information is presented to people in charge in order to radically improve early diagnostics and impact analysis The right information is directly available through a completely configurable and dynamic dashboard view What is monitored is the EURT End User Response Time metric Thus this dashboard reflects the quality of experience of the users for the selected critical applications n red poor quality n orange medium quality n green good quality n grey not enough data gathered Application 2 m over HB 8744 eb Portai EERE HEE E EXESIESES Se See ELE niii Figure 5 1 Business Critical Application Dashboard view 5 1 1 Business Critical Application Dashboard Capabilities You can customize the business critical dashboard to view specif
119. ion Then only a selected set of frame bytes are compared e For small frames which size is below the size of an IP header all bytes are taken into account for bigger frames bytes after the Ethernet header including the VLan tag if collapsing VLans and up to the 64th byte of the frame or less if the frame is smaller excepting the TOS TTL and IP checksum fields are taken into account The rational behind skipping Ethernet header is that we want to pair two packets if only their Ethernet addresses or VLan tag differ one is a copy of the other merely one switch away from it The rational behind excluding TOS TTL and checksum fields of the IP header is to be able to pair two packets when one is a copy of the other only one hop away from the first one after traversing one or several routers Then a packet signature is build from the remaining bytes and compared to those of previously received packets If a packet with the same signature was previously received then the new packet is merely dropped The deduplication algorithm makes use of a few parameters for limiting the number of packets to check The maximum delay between two potential duplicates default 100ms Any duplicate frame that is re ceived after this delay will be processed as a legitimate frame The current average delay between echoed packets this one is recomputed by a short but frequent compre hensive search through all packets received up to the maximum all
120. irst packet of the server s response 60 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 SRT represents the processing time of the server at the application layer for a given request SRT may be affected by from the most common the the rarest Time greedy application request a complex SOL command can let the server processes during many sec onds Application layer overloaded too many requests such that the server can t handle all of them in a small period of time Marginally SRT can be affected by the increase of network latency between the point of capture and the server parallel increase of the RTT Server value To pinpoint the root cause of the slowdown we firstly want to compare the SRT for a given couple server application to other applications on the very same server If there is a blatant difference the application is guilty Otherwise we want to compare it to other servers in the same zone then different zones DTT DTT stands for Data Transfer Time DTT server is defined as the time between the first data packet of the response with ACK flag and a non null payload from the server and the last packet considered as part of the same response if the packet has the same acknowledgement number FIN RST packets from server or client will also be considered as closing the sequence A Timeout will cancel a DTT Note that if the answer is small enough to be contained in only one
121. is no way to retrieve the password If you totally lost the password the Securactive support team can generate a new one See Support access through VPN page 28 You can also restore the probe see Restore probe state page 27 4 3 3 Configure the probe Use the config command to setup up the probe pulsar config service 1 dns hostname network ntp smtp support xxall default x x Your choice Yo OF W ND 26 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 Typing enter will launch the whole interactive configuration process Warning This command is mandatory as it will configure key elements needed for proper operations DNS servers hostname IP address NTP SMTP Some changes in configuration require to reboot the probe command reboot Restore probe state You may need to restore some probe original configuration There are three way of achieving this As these are destructive commands a strong confirmation will be requested You want to erase any single data from your previous network captures This preserves configuration settings and IHM user accounts pulsar reset data Stopping services Deleting data Done The command reset a11 will destroy both your configuration and capture database You will have a fresh new database Configuration settings users and pollers will be reset to default values pulsar reset all Stopping all services Resettin
122. issues configuration issues which affect the performance of the network as well as security issues which jeopardize the network integrity The purpose of this section is to cover the main configuration issues you may encounter with DNS when it comes to network performance Hypothesis You noticed a general slowdown for a specific host zone or the entire LAN You didn t find out the issue with the previous methods Maybe this problem has nothing to do with the business applications or you network equipment Diagnosis The DNS server s need to have a very high availability to resolve all the names into IP addresses that are necessary to good function of applications on the network An overloaded DNS server will take some time to respond to a name request and will slow down all applications that have no DNS data in their cache An analysis of the DNS flows on the network will reveal some malfunctions like Latency issues If we can observe that the mean time between the client request is significantly higher than the average on a LAN it should remain close to 1 ms we may face three kinds of issue the client is not requesting the correct DNS server DHCP misconfiguration for example You can check this out in the interface by looking at the Server IP fields it means that the DNS server has an issue with regards to the caching of DNS names The cache system makes it possible to resolve a name without requesting the DNS server which h
123. its in the payload But in every network you will find some ICMP errors they may be due to a user trying to connect to a bad destination or trying to reach a server on the wrong port The key is in having a global view of how many errors you have normally and currently and from where to where The key to leveraging ICMP information is in having a relevant view of it and understanding what it means How can ICMP help on network diagnostic and security monitoring From the explanation here above we can keep in mind that by analysing ICMP errors we can identify machines that try to connect networks or machines that are routable from the LAN s machine or ones that try to connect on actual servers but for services which ports are not open Here are some examples of phenomena that can be identified that way 58 Interpretation Guidelines 73 SPV User Guide Documentation Release 2 9 Misconfigured workstation A workstation repeats a large volume of missed attempts to connect to a limited number of servers it may be that this machine does not belong to the company s workstations external consultant on the network whose laptop is trying to reach common resources on his home network DNS printers or it may be the machine of someone coming from a remote site with its own configuration or a machine that has been simply wrongly configured How would we see it A large number of ICMP Host Unreachable errors coming from one or seve
124. kets will be dropped as well Such drop will result in TCP retransmission A common way to identify this kind of problem is by taking a glance to the traffic statistics If you see a flat line at the max traffic allowed then you get the root cause of retransmission If the traffic graph looks OK you can check over the load of the routers switches you own e g with the SNMP data If the load is too high you found the culprit e An overloaded server Check the Section Slow Server A hardware failure Maybe a network equipment is simply down It will obviously result in TCP retrans mission until a new route is computed or the issue fixed This type of retransmission should occur with very short time effects and give some quite big peaks of retransmission on very broad types of traffic on a specific subnet If this happens often it becomes important to find the faulty hardwares by tracking down which subnets are concerned A packet header corruption Network equipments are used to rewrite portions of packets Ethernet source destination IP Checksum maybe TOS field A buggy firmware can result in corruption while rewriting protocol headers In this case the packet will probably be dropped within the network route Even if it reaches the destination the TCP IP stack won t consider it as a valid packet for the current TCP ses sions and the stack will wait the correct packet It will end in a TCP retransmission anyway This problem will lik
125. l 4 virtual machines Physical Adapters s EB mnic 100 Ful LJ Performance Vision Performance Vision 2 9 7 Test TBO Virtual Tutarial Supervision Yhlkemel Port L Management Network vmk 10 1 0 11 Vlan ID optional for vlans tags 0 Disables VLAN tagging on port group 4095 Enables VLAN tagging on port group e 5 Then click on Next and Finish to complete the operation Setup promiscuous parameters The Esx Server now manages 2 virtual networks The aim of the second vswitch vSwitch1 is to show the flows in promiscuous mode To set up promiscuous mode on the Mirror Network Add a listening network card to virtual appliance Here we should add a listening network port in promiscuous mode Power on the virtual appliance e Validate traffic Capture There are 2 main methods to validate the traffic capture 98 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Add Network Wizard BR SIE Connection Type Networking hardware can be partitioned to accommodate each service that requires connectivity Connection Type Network Access Connection Types virtual Machine Add a labeled network to handle virtual machine network traffic C Zn Th wMkernel TCP IP stack handles traffic For the Following ESXi services vSphere vMotion iSCSI NFS and host management Help lt Back Cancel Figure 9 22 Select Virtual machine as Connection Types then Click on
126. l Configuration 37 SPV User Guide Documentation Release 2 9 From and To fields are optional This allows you to define a validity period for the report In such case the report will only be sent in the period ranging from the first date up to the second date 2 Report configuration amp Create a new report Available reports Sent every 1 day at 12 00 00 To admin si securactive net Containing 2 views Delete L Clone Preview l amp Edition EN Send Now Figure 4 15 Report A template just created The new report template just created will appear in the list of available report templates A summary is displayed scheduling frequency generation time first recipient emails At this stage it is empty and does not contain any view this is why you have Containing 0 views indicated After having added some views to the report here will be indicated the number of views contained in the report Add views to report To add a view to a report template just go to the screen with the desired view Select a time period and run the search Once search is completed the link Add this page to a report becomes active When you click on it a drop box with the list of available template reports is displayed You can chose the template report to which you want to add the current view and click on the button Add If you need you can click on Show report list it will open the configuration area with the list of available report templat
127. l be deleted The sniffer component of Performance Vision cannot forge more than 5 000 PCAP files simultaneously if more than 5 000 conversations are hold on Business Critical Applications servers at once some conversa tions will not be recorded at packet level Please note that the threshold values and voluntary limitations will be reviewed in newer versions in the light of our experience and the customer feedback we will receive Please note that if you need an exhaustive trace of a given set of conversations you can also use the manual capture feature available through Pulsar 5 8 Interpretation Guidelines The objective of this section is to help our customers to make the best use of the performance reports provided by their appliance You will find enclosed a brief overview of how application performance issues can be solved with SPV This first section focuses on synthetic metrics to produce a measure of the quality of experience of users QoS End User Response Time and give you a simple explanatory framework to understand the cause of application slowdowns Round Trip Time Server Response Time and Data Transfer Time Note Some metrics and views described below are only available in Securactive APS 5 8 1 Objectives Before you start analyzing performance reports there is a certain number of elements which you must bear in mind Performance metrics should not be considered as absolute values but in comparison with different tim
128. l must be read as from the Line zone to the Column zone You can expand a parent zone to show its children zones by clicking on the symbol You can use the filters to display the traffic from one specific zone to another specific zone 10 Chapter 2 Main terms and concepts SPV User Guide Documentation Release 2 9 Private Internet R amp D Labo Sales Voip Private fallback m m Private fallback Internet 342 Bytes Figure 2 8 Source Destination Matrix Source zone Sales Destination zone All Application l x E All Private Internet R amp D Labo wW Sales Voip Private fallback Prom deis C ismo oe wes wee Sales hp2830 1 9 KIB 2 1 KIB 2 8 KIB LL Figure 2 9 Filtered matrix 2 6 2 Top down analysis The Src Dst matrix can be the starting point for a fine tuned analysis of traffic bandwidth and conversation In each cell there are two buttons one to display the bandwidth graph from zone A to zone B one to display the conversations from zone A to zone B Bandwidth Graph View conversation Figure 2 10 Cell detailed view The first link will open the conversation table and will display all the traffic between the two zones whereas the second one will display a bandwidth chart from the source zone on the left and the destination zone on the top 2 Data Aggregation 2 1 Rationale By nature the operations of st
129. l networks setting thresholds on volume and quality indicators between 2 zones you will get a summary screen of the performance of your most critical network links on this screen This is an auto refresh screen whose data can be integrated in your SNMP based monitoring suite By pointing a specific time and link you can view the origin of a degradation latency retransmission excessive bandwidth consumption and in which direction it occurred Begin 2012 03 21 13 24 End 2012 0321 19 24 v o o o a AN t Poller a m M ain office rankfort 8 Gi Figure 9 32 Business Critical Networks You can access this view in the graphical interface in Dashboards Critical Networks Network Performance table This view will show you the main network performance metrics from zone to zone By unfolding the different layers of zones you will be able to identify between which parts of your network high latency retransmissions can be observed This view is excellent to assess the performance of your network depending on your topology ork Perform ient Server T J Begin 2012 03 21 13 24 End 2012 03 21 19 24 o v Q o o a r Zone VI Client Zone Serve LAN Device id Poller Info Begin 2012 03 21 13 15 Aggregate Level 15 minutes id 2012 21 19 00 Salesoffces ParkAC Headquarters fallback XXXXXXXX 0000000020 Bas COE bA P E SRSF 333323 Figure 9 33 Network Performance Table You can access this view in the graphical interface in
130. leServer 192 168 20 9 m Samba CIFS 542 2MiB 1179057 166 ims ims 32ms 192 168 20 217 SRV FileServer 192 168 20 9 m Samba CIFS 24 4MiB 44009 7 i15ms ims ims 192 168 20 202 SRV FileServer 192 168 20 9 m Samba CIFS 561 3KiB 1143 0 ims ims ims 192 168 20 15 SRV FileServer 192 168 20 9 m Samba CIFS 9 1MIiB 11434 15 ims ims ims 192 168 20 50 SRV FileServer 192 168 20 9 m Samba CIFS 406Bytes 7 0 Figure 5 38 Peak in server response time Conversations D Conversations Performance and analysis of individual conversations Start after 2010 06 07 12 00 Start before 2 2010 06 07 18 00 More mn d HH Mi mm dd HA MM Client Zone VLAN Sales bd Server Zone Private Client 1p 7 Server IP 7 Both client and server IP P Application Protocol Any Search 12345 Info 99 begin 2020 05 07 12 00 00 02 00Aggragate Lavel 9005 Query end 2010 06 07 18 00 00 02 00 Number of cellactad results 100 Client Zone Client IP Server Zone Server IP Application Traffic Packets Handshake EURT RITin RTT out f 59 59 VLAN Sales fallback 192 168 20 220 SRV_FileServer 8 261 0KiB 4293 360 ims 198ms 14 52 VLAN Sales fallback 132 168 20 205 SRV FileServer 8 0KiB 26 1 lt 1ms 196ms 44 38 alb 192 168 20 205 9 8KiB 43 1 1ms 195ms 5 58 46 192 168 50 13 5KiB 33 2 2ms lt ims 109ms 1 35 35 1 168 20 212 542 2MiB 1179057 166 1ms lt ims 32ms 1 56 43 132 16 217 24 4MiB 44009 7 15ms ims ims 57 44 1 16 202 561 3KiB 1143 0
131. lication dashboard From this you can conclude that only one client 2 user was impacted This issue was definitely due to a slow response of the server it may be due to an application issue or a request which is specifically hard to respond to 2nd example Application Dashboard for a relevant period in the past 48 hours for example This dashboard shows in the upper part the evolution of the End User Response Time EURT through time for this fileserver We can easily observe that the quality of experience of users accessing to this application got much worse yesterday afternoon 66 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 10 10 10 20 10 30 10 40 10 50 11 00 10 08 00 11 08 00 60 00 Transactions sum 496 40 00 20 00 0 10 10 10 20 10 30 10 40 10 50 11 00 1016 Gan b ees xl Breakdown by server Breakdown by client Inf Begin 2011 04 13 10 00 00 02 00 Aggregate Level 15 minutes Inf Begin 2011 04 13 10 00 00 02 00 Aggregate Level 15 minutes NTO End 2011 04 13 11 00 00 02 00 NTO End 2011 04 13 11 00 00 02 00 Number of collected results 7 Syne Client iP Traffic Y Transactions EURT x RTT srt Q 12162173 13 8MiB 342 15s 175ms 741ms Q 1216232 973 9KiB 45 608ms 88ms 344ms e 172 16 2 157 535 8KiB 29 413ms 90ms 1lms e 172 16 2 144 12 1KiB 2 244ms 118ms 125ms 172162137 10 3KiB 2 422ms 328ms 94ms Q 1216222 9 0KiB 2 533ms 332ms
132. ll packets matching the specified criteria will be identified as the particular application Any Port Range OR Applicative Signature AND Any Server zone AND Any Client zone For more information about the configuration of applications refer to the Configuration page 25 section 2 3 2 Examples An application which is run on a server which IP is 192 168 1 4 with MSSQL will be defined as follows Port Range 1433 TCP e Server zone a MSSQL Server zone which contains the subnet 192 168 1 4 32 An HTTP application running on a server along with several other applications will be defined as follows Applicative signature a Web application on intranet securactive lan 2 4 IP Merging In order to maximize usage of the available disk space some information are removed to allow better aggregation This is the case for IP data of foreign host on aggregation level 3 and 4 2 4 1 Principle Upon data consolidation of third aggregation level all IP tagged on the Internet zone will be removed in favor of a merged identifier In consequence these IP will appear as merged in all tables where IP values are displayed if the IP was belonging to Internet Zone and your observation period is such that the third or the fourth aggregation level is used This will happen with big observation period gt 8 hours and also on old data gt 1 week old 2 4 2 Example Let s say a user has accessed to the Internet zone with the same application for example
133. mances the use of Mozilla Firefox is recommended 4 3 5 How to configure User Interface language User interface is available in English and French languages The language is detected automatically based on the default language of the browser used to access the probe So to get the User interface to use the desired language the administrator should check and configure the default language of its browser Hu ca x m amp G G n ral Onglets Contenu Applications Vie priv e S curit Avanc Bloquer les MEME D amp Charger les Certaines pages Web sont propos es dans plusieurs langues i Choisissez les langues d affichage de ces pages dans votre ordre Exceptions noxa Ronee h Avanc Langues par ordre de pr f rence Polices et coul Francais France fr fr Mon Police par d fg Francais fr sPiAvanc Anglais en Anglais Etats Unis en us Langues Choix de la la Figure 4 4 Configuration of the French language in Firefox 4 4 SPV Functional Configuration 4 4 1 User Management There are two groups of users in the Users Configuration interface The Administrators group The Users group These two groups have different access permissions to the application pages the administrators group provides its members a full access to the Configuration pages Users group members will be able to read reports but will not have access to the configuration page In order to create a new
134. more adequate If this is the case then the network administrator can take some easy steps to improve his network s performance 76 Chapter 5 Interpreting the results CHAPTER SIX FREQUENTLY ASKED QUESTIONS 6 1 Firefox freezes randomly on some pages This seams to be caused by the java plugin and deactivating this plugin fixes the issue This has no effect on SPV since it does not use java To disable the Java plugin enter the Tools Add ons This will open a new window with a button bar on top with a Plugins icon Select it and it will open the list of all currently installed plugins Locate your java plugin that is the one that handles java applets on the following screenshot it s titled IcedTea NPR Web Browser Plugin but it may also appear under the name OpenSDK or merely Java Once located select it and click on the Disable button You should then restart firefox Gel Add ons Extensions Themes Languages IcedTea NPR Web Browser Plugin using IcedTea6 1 8 1 6b18 1 8 1 Oubuntul The IcedTea NPR Web Browser Plugin using IcedTea6 1 8 1 6b16 1 8 1 Oubuntul executes java applets Shockwave Flash Shockwave Flash 10 1 ras Find Updates Figure 6 1 The Add ons pop up window of Firefox 6 2 Aggregate level changes when browsing from tables to charts The aggregate level for tables is chosen to display a synthetic view on data while the charts choose the aggregate level in order to have enough points to plot So
135. n localhost securalis lan 9 NA V Commands E Shut Down Guest ll Suspend A Restart Guest Gp Edit Settings m Open Console Performance Vision Getting Started Summary Resource Allocation Performance Events Console date host ntpdate reboot top hostname smtp Performance ision Getting Started ETT EMI T mn Siri ESI E Console Weil ss dns atp spv kb fr spvit spvit SAU config service Enter Enter Enter Enter Enter Enter Enter 1oStname smtp for dns for hostname for network for ntp for smtp for snmp for support our choice Resources Consumed Host CPU 169 MHz Consumed Host Memory 696 00 MB Active Guest Memory 215 00 MB Refresh Storage Usage Provisioned Storage ly 17 04 GB Not shared Storage 17 04 GB Used Storage 17 04 GB Storage Drive Type Capacity B3 datastoret 1 Non SSD 460 75 GB 34 lt gt Network Type 49 VM Network Standard port group Mirror Standard port group system commands dig ifconfig partitions df set date traceroute system info log snmp og snmp The summary view provided by Vsphere displays the parameters such as IP addresses Figure 9 13 The command kb parameter enables to change the keyboard language configuration for example kb fr for French keyboard Figure 9 14 The Config command is used to setup the probe in function of your environment Chapter 9 Appendix SPV
136. n Non IP traffic screen data can be filtered by MAC address Bookmarked pages now have their own specific title instead of a generic name In DNS screens the filter on request types are now sorted alphabetically New Screens DNS Performance Graph with DNS response times and number of packets over time TOP DNS Servers DNS traffic and average response time sorted by servers TOP DNS Clients DNS traffic and average response time sorted by clients DNS Overview New filters Synthesis per DNS request types and DNS responses codes Pulsar vpn command has been renamed as support 1 1 4 Major bug fixes 1 2 Display of some charts could fail in some cases long zone names added to long application names Configuration was not correctly flushed in some cases It was possible to define two applications on the same ports for the same IP or subnet which was leading to approximate metrics for these applications Oracle parser could stop working in some cases Potential deadlock under intensive usage with the implication of several different parsers at once Fix an issue with Flash player and Internet Explorer that forbids drill down into graphics Whats new in 2 6 1 2 1 New Features GUI User manual is now accessible from the GUI GUI Advanced filters on client server pages GUI IP subnet filter in matrix page GUI Improved time frame selection with last five used history Pulsar P
137. ng the same method 25 SPV User Guide Documentation Release 2 9 4 3 System The probes come with a Command Line Interface named Pulsar This allows the user to check the probe state and configure it when needed 4 3 1 Connect to the probe If this is your first encounter with the probe you will have for the first time only to access to the probe physically just use a screen and keyboard plugged to the probe Log in with user admin and default password admin Once the network address of the the probe will have been set up you will be able to access to it directly through SSH on port 22 also with the same user admi n 4 3 2 Pulsar When logged in you should see the following prompt version number can vary Welcome to Pulsar the SPV shell v1 14 0 Type help to display Pulsar commands Type help COMMAND to display the command help details poseidon Figure 4 1 Pulsar prompt on the poseidon probe Note Pulsar uses 3 colors while displaying informations Green outputs are informations Yellow outputs are warnings Red outputs are errors If needed you can set the keyboard mapping with the kb mapping command Typing kb displays the list of available mappings Pulsar allows you to change the administration password through passwd command This should be your first command Typing passwd in the pulsar shell launches the standard UNIX password change process Warning At this point there
138. nsfer Time Time spent by the client or the server to send data The DTT stands for Data Transfer Time DTT server is defined as the time between the first data packet with ACK flag and a non null payload from the server and the last packet considered as part of the same answer DTT client is the symmetric metric in opposite direction Packets are considered part of the same answer if packet share the same acknowledgment number FIN RST from server or client A Timeout will cancel a DTT Note that if the answer is small enough to be contained in only one packet the DTT will be of 0 Delta sessions Number of session established minus those closed Delta Session is a metric defined as the difference of the number of opened session to the number of closed session Negative value means that more session were closed than opened Device Identifier Identifies the physical network adapter that received the network traffic associated to a conver sation End User Response Time Total time the user waited to get an applicative answer The EURT stands for End User Response Time EURT is defined as the sum of the RTT client server the SRT and the DTT client server A timeout will cancel the computation of EURT 83 SPV User Guide Documentation Release 2 9 Fallback Set of IP addresses which belongs directly to a zone and not to any of its children zones The Fallback of Zone is an implicit Zone containing the set of the addresses which
139. nternet and Voip Figure 4 13 Editing an existing Business Critical Network From here you can add a new BCN or edit the parameters of an existing BCN Modifications will also be applied on already captured traffic For each Critical Network you have to configure the following parameters The source destination network zones One or several thresholds for both Warning and Alert levels all these thresholds are computed from source to destination and not from client to server We call this an oriented metric Oriented latency RTT in ms Oriented retransmission rate Utilization rate according to bandwidth available Mib s e A minimum volume for triggering Mib s This value represents the minimum bandwidth observed from which you will consider the performance and volume thresholds as relevant The thresholds values can be configured as symmetric by ticking the Symmetric Link check box or be configured as distinct values for both directions This is particularly useful when the critical network refers to asymmetric connections like ADSL has one of its zones closer to the poller than the other zone and latency RTT computation is im pacted see Distributed Architecture page 19 You can define thresholds from either one criterion or more any of the following latency retransmission rate and consumption level But you cannot define a BCN from one zone to itself as their intended purpose is t
140. ny direction This might not match the underlying protocol VoIP dialogs are identified by their call id only which imply that if the sniffer listens to various independent SIP proxys or servers then call id collisions can not be ruled out this choice was made because it proven useful in practice 3 4 Port mirroring and duplicated packets 3 4 1 Introduction The configuration of a port mirroring session has to respect some specific rules and standards The main goals of a port mirroring session are to Gain insight into the highest number of flows which are seen as strategic by the IT manager And ensure that all collected flows are appropriately analysed It is crucial to ensure that a minimum number of flows are not duplicated to the interfaces 3 4 2 Detail SPV solutions takes into account duplicated packets packets may be dropped However this will involve a significant loss of performance There are two main rules Basic port mirroring sessions also called 1 to 1 port mirroring session This configuration does not generate duplicated packets However increasing the number of 1 to 1 port mirroring sessions could produce this phenomenon Switch oon oooga ir jJ Datas IN OUT Server Figure 3 5 1 to 1 port mirroring session Multiple port mirroring sessions also called N to 1 port mirroring session In this specific event the dupli cated packets phenomenon can occur Figure 3 6 N t
141. o 1 port mirroring 3 4 Port mirroring and duplicated packets 17 SPV User Guide Documentation Release 2 9 Warning According to the number of listening points in a multi switch mode this phenomenon can occur despite the use of a 1 to 1 port mirroring session A VLAN is a definition of a set of ports this means that the port mirroring session is a N to 1 port mirroring session 3 4 3 Some examples of duplicated packets non duplicated packets In a standard port mirroring configuration N to 1 it is highly likely that some transmitted packets to the appliance are duplicated In the following example configuring a port mirroring session on both the IN traffic and the OUT traffic of the switch means that the appliance will receive twice the same traffic Clients Figure 3 7 Example with duplicated packets By only listening to the IN traffic or only the OUT traffic on the Ethernet ports concerned we will ensure the flow transmission to be in a unique way for the sessions between the client and server thus avoiding the duplication of packets Figure 3 8 Example without duplicated packets Note In the event of a N to 1 port mirroring session the total bandwidth of the source Ethernet ports of the mirror should not exceed the maximum bandwidth of the destination Ethernet ports of the mirror 3 4 4 Removal of duplicated packets The SecurActive system checks and controls the duplicated packet
142. o check the performance of most important links or routes between two network segments By applying your changes the BCN Dashboard will be updated in accordance with the new threshold values including already captured data To be useful and pertinent these parameters must be accurate values adjusted to your network configuration These values can be easily changed for fine tuning or to cope with any change in the network or applications you are using 36 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 4 4 6 Reports Creating Reports is just a matter of a few clicks You can easily create and define exactly the level of information you want to get You will receive it directly in your mailboxor via FTP at the frequency you prefer Configuration In the first step you start by creating a template that will mainly define the name of the report the list of recipients and the scheduling settings In the second step you just have to add the different views you want to see to the appropriate template Then you re done just check your mailbox To create a report template in the Configuration area select Reports in the menu list on the left This will display the list of existing report templates Use the button Create to create a new report template Please note that this feature is only available for users with administration rights o Create a report Report settings General Name My report Language English
143. oid giving out information and will not be modified upon edition if it is left empty In order to save any modifications click on the Apply button You can delete a user account by clicking on the Users tab found in the configuration menu on the left hand side and then clicking on the check box next to the user name of the account you wish to delete Then clicking on Delete button will delete all selected Users 2 Users list W Add a new user Remove selected users Delete Delete User name Group Active Edit ral John Administrators Yes a admin Administrators Yes JP Figure 4 6 User account John is about to be deleted 4 4 2 Zone configuration The aim of this chapter is to help the administrator of the platform to configure zones When you change or create a zone the modifications will be immediately applied for future integrated data but not to the already captured data which keep their old zone attribute 30 Chapter 4 Configuration SPV User Guide Documentation Release 2 9 How to access the configuration menu After clicking on the top right configuration button you will observe a tree configuration menu with different items 5PV Settings Zones Business Critical Networks Applications Web Applications Dynamic Protocols Reports Probe Settings Users Pollers Status Dump Restore Figure 4 7 Configuration menu Zones management Pleaser refer to Zones amp Fallbacks
144. ok for abnormal traffic through this view by looking at cells where there should be no traffic in normal conditions example Internet to Internet if you are capturing traffic on your private network 108 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 You can drill down to a bandwidth graph or to detailed conversations with a single click Internet Broadcast Main office Park AC 3 3 7 ____________ ____Zone IPv6Hea dquarters fallback Drogenbos s Frankfort Lisboa s Madrid w Paris Rome 5 Turin Sales offices fallback Zone IPv6 Internet Figure 9 38 Matrix View This view can be accessed through Monitoring Traffic Matrix Bandwidth Graph You can graph the evolution of bandwidth through time From there you can drill down to detailed conversations to display the main contributors of a peak of traffic for example Bandwidth from source to destination Begin 2012 03 21 13 15 regate Level 15 Info End 2012 03 9 15 Figure 9 39 Bandwidth Graph This view can be accessed through Monitoring Bandwidth chart Top reports You can easily get the top clients servers applications for any traffic all or a specific application zone etc You can sort each top on the most adequate criteria volume sessions SYNS etc This view can be accessed through Monitoring Top Reports DNS performance Performance Vision
145. on Dashboard This dashboard contains three bits of information EURT graph through time for this client zone and this application EURT breakdown by server so that you can compare the performance offered by different servers to that client zone EURT per client so that you can identify whether all clients are impacted by a slowdown or which indi vidual client generates more volume or has worse application performance Application End User Response Time Cane Sais POUR NTR TRUBS imeal bene EDG Info Qay ere JOLB D4 13 LEA ee Figure 5 12 Client zone application dashboard The breakdown by client is interesting to know whether all the zone was impacted or just some individual users and on which component of the EURT network latency server response time or data transfer time and for which number of transaction and amount of traffic Breakdown by clients Sync Clic or Traff EETA Liwi EURI wI 5d Dg i i C6 L72 16 8 20 L5 1MiB 2077 B 65 2ome S06ms 7 65 S i C5 172 16 86 31 11 2MIB 1723 Bibs Zems 366m B E ES x 172 16 86 26 Lz zMiB Hen 3 25 46me d 15 id me C 172 16 86 79 BEAMS 2754 LIEN LI Tome ld Brux 412me 5 LH 172 16 8 24 13 4 min 19385 azz mm firme 17Hmm 145m 5 C 172 16 8 22 s nminm 1533 ZU mm aame Lima ELTE a m 172 15 8 32 Enz 3kKim 24 165ma 19me 147mz ome er Gn 172 156 8 2 25 HK ih 4 T48msz Amin 148mz T xe Cus 172 16 B 73 1nn 5kKin 1n E ome nm 1 rnr Figure 5 13 Breakdown by client
146. or VLAN of a switch to another port where the analysis device is connected Port mirroring can be managed locally or remotely To configure the port mirroring an administrator selects one or several ports from which all packets will be copied source ports and another port or ports where the copy of the packets will be sent destination port The administrator can include either all packets in the port mirroring or only the transmitted received packets In case both transmitted and received packets are included a packet going from a Ist monitored port to another monitored port will be copied twice to the destination port This will have an impact on the measures and performance provided by the analysis device e g retransmission rates response times Performance Vision captures and evaluates the data without any impact on the original traffic The port mirroring is the most commonly used solution to capture traffic because it is inexpensive flexible in terms of how much traffic can be captured at once and remotely configurable Please note that a port mirroring may have some drawbacks such as t can consume significant CPU resources while active There is a risk of not receiving some packets like media errors n the case of traffic congestion at the switch level the port mirroring is likely to drop some traffic because the SPAN process does not have priority In some cases a better solution for long term monitoring may be a
147. ou can see that the data exchange between the two hosts has been split up in two conversations from A to B and from B to A Source IP Destination Zone Destination IP Application Traffic Payload Packets 192 168 80 22 VLAN Sales fallback 192 168 20 208 BH Smtp ssl 3 5MiB 3 0MiB 8389 192 168 20 208 VLAN Labo fallback 192 168 80 22 E Smtp ssl 1 2MiB 799 8KiB 7907 192 168 20 237 VLAN R amp D 192 168 10 9 W ssh 1 1MiB 771 3KiB 5294 192 168 80 22 VLAN Sales fallback 192 168 20 217 E Smtp ssl 864 5KiB 824 8KiB 752 192 168 80 6 VLAN R amp D 192 168 10 6 W Web Intranet Sec 553 6KiB 521 5KiB 497 192 168 10 9 VLAN Sales fallback 192 168 20 237 Em ssh 372 1KiB 41 0KiB 5128 204 14 234 36 VLAN Sales fallback 192 168 20 213 B Salesforce 352 7KiB 337 0KiB 298 192 168 20 217 VLAN Labo fallback 192 168 80 22 E Smtp ssl 243 0KiB 216 7KiB 498 Figure 2 6 Source Destination conversations Client Zone Client IP Server Zone Server IP Application Traffic Packets Handshake Transactions VLAN_R amp D 192 168 10 5 Internet 128 237 157 136 W ircu 1 7KiB 18 VLAN Sales fallback 192 168 20 217 Internet 174 36 30 4 m http 3 6KiB 22 VLAN R amp D 192 168 10 10 Internet 209 85 137 125 m NC tcp 2 6KiB 34 VLAN R amp D 192 168 10 8 Internet 208 71 169 36 m ircu 1 6KiB 1 VLAN Sales fallback 192 168 20 202 Internet 991 121 2221 vpn 16 9KiB 184 VLAN R amp D 192 168 10 4 Mother2 88 191 105 6 m Srv_Mother2 16 8KiB 180 VLAN R amp D 192 168 10 6 Internet
148. owed delay How often the current average should be computed default every 10s e How far back in time we should look for duplicates relative to the current average default average 1 x sigma These default values should fit most settings 3 5 Distributed Architecture 3 5 1 How does the distributed infrastructure work Appliances hosting only the sniffer component of SPV are called pollers The appliance hosting the components in charge of collecting merging and integrating the data from the pollers into a single database is called collector The collector appliance may also host one sniffer component The pollers listen and analyze the network traffic The collector receives data from the pollers integrate them in the database and then provides an access to the data through the Web UI 35 Distributed Architecture 00 49 SPV User Guide Documentation Release 2 9 Poller SSH TCP 22 Collector T RN Sniffer Data x Poller ee Sniffer Data Pagi 7 Poller Sniffer Data Poller Sniffer Data You can add a new poller via Pulsar page 26 by using the command poller add IP The specified IP of the poller must be reachable with SSH port 22 The Pollers Status page in the Configuration menu display some status information about pollers 3 5 2 Where is data being merged segregated
149. passive TAP or an Ethernet repeater hub Advantages Low cost this feature is embedded in most switches Can be configured remotely through IP or Console port The only way to capture intra switch traffic A good way to capture traffic on several ports at once Drawbacks Not adequate for fully utilized full duplex links packets may be dropped Filters out physical errors mpact on the switch s CPU Can alter the timing of the frame with an impact on response time analysis Wo Chapter 3 Deployment SPV User Guide Documentation Release 2 9 SPAN has a lesser priority than port to port data transfer 3 2 2 Network TAP A network TAP Terminal Access Point is a hardware device which can passively capture traffic on a network It is commonly used to monitor the network traffic between two points in the network If the network between these two points consists of a physical cable a network TAP may be the best way to capture traffic The network TAP has at least three ports a port A a port B and a monitor port To place a tap between points A and B the network cable between point A and point B is replaced with a pair of cables one going to the TAP s A port one going to the TAP s B port The TAP passes all traffic between the two network points so they are still connected to each other The TAP also copies the traffic to its monitor port thus enabling an analysis device to listen Network TAP s are commonly use
150. ral routers to this machine or this group of machines The ICMP information contained in the payload of each of these errors would probably show they are trying to reach a certain number of hosts for some services or applications Migration legacy A certain number of machines keep requesting DNS resolution to a DNS server which has been migrated this could be true for any application available on the network Their users certainly feel worse performance when trying to use these services How would we see it A large number of CMP Host Unreachable errors coming from one or several routers to a group of machines The ICMP information contained in the payload of each of these errors would probably show they are all trying to reach the previous IP address of a given server Network device misconfiguration A router does not have a route configured some machines are trying to reach some resources unsuccessfully How would we see it A large number of ICMP Network Unreachable errors coming from one router to many machines The ICMP information contained in the payload of each of these errors would probably show they are all trying to reach the same network through the same router Port scanning A machine is trying to complete a network discovery It is trying to connect to all servers around to see on which ports they are open How would we see it A large number of CMP Port Unreachable errors coming from one or several routers corr
151. rds Check the Monitoring gt Network Performance Chart Do the Retransmission Rate and Retransmission Delay vary If so we might face a congestion issue Take a look at the router s load etc Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 193 56 4 82 securactive univ lillel f 217 109 951 178 github com 51 101 233 77 rev gaoland ne bacchus jerne eu org 50 100 150 200 250 300 350 400 450 500 Ese sv Bor Figure 5 26 EURT comparison between servers in the Application Performance Dashboard d Server Performa nce Network performance by server Begin 2011 04 04 13 00 End 2011 04 04 13 30 Mor yyyy mm dd HH MM yyyy mm dd HH MM Application ssh Protocol Any Server Zone All Search Add this page to a report Info Begin 2011 04 04 13 00 00 02 00 Aggregate Level 2 minutes End 2011 04 04 13 30 00 02 00 Number of collected results 17 Sync Server IP Server Zone Traffic Conn established EURT M X RIT SRT DTT RD in RD out 193 48 186 4 Internet 656 4KiB 1 478ms 30ms 119ms 329ms 247ms 241ms 207 97 227 239 Internet 20 0KiB 2 433ms 115ms 268ms 48ms 193 56 4 82 Internet 212 5KiB 1 237ms 99ms 137ms ims 7723310151 Internet 7 5KiB 1 93ms 55ms 32ms Sms 21710991178 Internet 77 8KiB o MESE ms 37ms lt 1ms Figure 5 27 Server Response Time comparison through Server Performance 13 10 00 14 04 00 RTT in RTT out RD indic in
152. retransmission rates and data volumes Application Performance Chart Begin 20120321 13 24 end 20120321924 O Q9 Q9 CO GO a Client Zone Server Zone Client IP Server IP Application Serv Port VLAN Device id Poller Sales offices x A v Web Farm Any v Any v Info Begin 2012 03 21 13 15 Aggregate Level 15 minutes End 2012 03 21 19 15 2012 03 21 13 15 2012 03 21 19 00 20 DTT ct avg 46 1 ms 600ms DTT srv avg 62 5 ms 15s SRT avg 409 6 ms 40 0ms RITin avg 7 5 ms RIT out avg 16 1 ms RD indic in avg 192 1 us RD indic out avg 0 6 ms ect avg 32 0 ms 0 14 00 15 00 16 00 17 00 18 00 2012 03 21 13 15 2012 03 21 19 00 RR out avg 0 15 Rin avg 0 12 14 00 15 00 16 00 17 00 18 00 2012 03 21 13 15 2012 03 21 19 00 100 000 Packets sum 524 455 50 000 0 Figure 9 37 Application Performance Dashboard This view is available for any TCP application in Monitoring Application Performance Chart Matrix and bandwidth Performance Vision provides a set of reports on traffic volumes Matrix View This view shows the mapping of traffic Using filters you can get this mapping for a specific part of your network or application It shows the quantity of traffic exchanged from zone to zone To further in details you can unfold zones to display its sub zones The color code easily shows where the largest traffic can be observed You can also lo
153. ror e E vmnic3 VLAN ID All 4095 Help lt Back Cancel 4a Figure 9 24 We can customize the new network label as Mirror here The following option allows VLAN tags Add Network Wizard Ready to Complete Verify that all new and modified vSphere standard switches are configured appropriately Connection Type Network Access Connection Settings Summary Host networking will include the Following new and modified standard switches Preview Virtual Machine Port Group Physical Adapters Mirror e E vmnic3 VLAN ID All 4095 lt Back L mis Cancel Events Permissions Cee tis gelled Configuration View vSphere Standard Switch Networking Refresh Add Networking Properties Local Users amp Groups Virtual Machine Port Group Physical Adapters J VM Network e EB vmnico 100 Ful Q2 E 4 virtual machine s Performance Vision cb Performance Vision 2 9 7 Test TBO virtual_Tutorial cu Supervision ur VMEkemel Port 3 Management Network e vmkO 10 1 0 11 Standard Switch vSwitch1 Remove Properties Virtual Tutorial Virtual Machine Port Group Physical Adapters J Mirror e E vmnic3 100 Half 3 E 3 virtual machine s VLAN ID All 4095 Performance Vision eb Performance Vision 2 9 7 Test TBO ur a 100 Chapter 9 Appendix SPV User Guide Documentation Release 2 9 Standard Switch vSwitch1 Remove ele T Virtual Machine Port Group Physical Ad
154. rther indication of a slow server Go to Analysis gt TCP errors Select the application server Salesforce from the drop down box labeled Server Zone and click Search RD in 334ms 333ms 48 330 165 452 263ms 346ms 58 330 165 463 215ms 273ms 37 328 164 446 338ms 365ms 37 18 9 25 5 15 15 20 10 5 12 10 10 301ms 2 1 1 0 10 1 4 310ms 300ms 10 7 UP uu u e eo 165 165 164 9 16 5 5 5 5 5 7 RD out Dup ack Conn attempts Conn established Sess end Client FIN Server FIN Client RST Server RST Num timeout 122 330 2 133 330 1 118 328 7 18 5 35 3 2 10 10 10 10 2 8 1 7 Figure 5 41 Slow server TCP Errors Here we see that there are a lot of server resets and timeouts Given all the above information we can conclude that the application server is operating slowly At this point the server administrator should perform direct diagnosis on the application server to verify CPU RAM and HD usage 70 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 N tier application performance issue Hypothesis Users are complaining about slow response time from an in house web application This application being an N tier architecture its performance as seen by a client is tied to several parameters DNS latency to resolve web server name from the client host see DNS Response Time Connection time to server Data Transfer
155. s configuration show system commands dig ifconfig ns lookup ntpdate partitions df Mm i nr rehnont set date Figure 9 11 The help command lists the possible actions Note The virtual machine has a second 100 GB hard disk that you can resize depending on your needs but then you d have to format it via pulsar s format_data_disk command To enter several DNS servers the addresses must be separated by a space You then have to reboot the Virtual Appliance Insert a license key Except the empirical virtual appliances of test provided from our Web site the virtual appliances are delivered without license key You normally receive this key by e mail at the product s delivery If it is not the case please contact our sales department sales securactive net To install a license key it is necessary to be connected to the virtual appliance by FTP in binary mode Filezilla Client does it by default Connect to the Virtual Appliance 9 1 Virtual Appliance Step by Step 93 Figure 9 12 Performance Vision AEE Summary SS Sa SPV User Guide Documentation Release 2 9 Resource Allocation Performance Events Console Permissions General Guest OS VM Version CPU Memory Memory Overhead VMware Tools IP Addresses DNS Name State Host Active Tasks vSphere H Protection 8 1 vCPLI 1024 MB 53 20 MB Running Current 10 1 0 95 View all spv Powered O
156. s phenomenon on all listening ports It also ensures all duplicated packets are removed However in some cases some duplicated packets could be mixed up with retransmitted packets It is therefore crucial to minimize the duplicated packet rate In order to reach a low rate of duplicated packets the appliance provides information on the duplicated packet rate though the Pulsar command This means that 5 12 of the listening traffic is duplicated 18 Chapter 3 Deployment SPV User Guide Documentation Release 2 9 Welcome to Pulsar the SPV shell v1 13 0 to display Pulsar commands e hel E J Type help COMMAND to display the command help details vsonde73 analyzer mirror 5 12 vsonde73 Figure 3 9 Information on the duplicated packets rate in Pulsar 3 4 5 Deduplication algorithm The sniffer usually receive frames from multiple locations on a network and so it can be cumbersome if not impossible to avoid the situation where the same frames are mirrored toward the probe Deduplication is the process of ignoring selectively packets that are artificial duplicates due to the network infrastructure The following chapters covers the deduplication system in order to help minimizing duplication issues The packet sniffer detects and drop duplicate frames before parsing their content according to the following algo rithm First of all frames smaller than the Ethernet header size are not checked against duplicat
157. s recommended to ensure satisfactory performance rates However all settings cannot be tested in case of doubt it is recommended to fall back on these tested settings e RAM 512MB 4GB 6GB 8GB 12GB or 16GB e CPU 1 4 or 8 22 Chapter 3 Deployment SPV User Guide Documentation Release 2 9 3 6 3 Installation 1 Connect to your Vsphere Client and then in the Virtual Machines tab in the File menu select Deploy a new OVF template Find and open the Performance Vision OVF file Click on Next twice and then accpt the license agreement Name the Virtual Machine appropriately SPV applicance for example rv cm x b The system detects the space available on the disk for the new Virtual Machine we recommend to allocate the following spaces Trial Virtual Appliance 4GB RAM 2 vCPU gt 2 0 GHz e Virtual Poller 8 GB 2 vCPU gt 2 0 GHz e Virtual Appliance gt 16 GB 4 vCPU gt 2 4 GHz You get Deploy OVF Template Ready to Complete Are these the options you want to use When you click Finish the deployment task will be started Deployment settings OVF File Download size 1 1 GB Size on disk 16 0 GB Name Virtual Tutorial Host Cluster Datastore datastore1 1 Disk provisioning Thick Provision Lazy Zeroed bridged to vM Network Name and Location Disk Format Ready to Complete C Documents and Settings franckiDesktop yvmwarel4PS Network
158. searches on domain names On search boxes about domain names Web and DNS reports you can use a regular expression by prefixing the entry with a tilde character For exmaple you can use this to filter all but some names For instance here is a valid input to filter all but Google s and Amazon s 78 Chapter 6 Frequently Asked Questions SPV User Guide Documentation Release 2 9 e 21t 4X 2g900gleXN fr oom 9 J amazon V 2 3 11279 6 10 What about Open Source SecurActive uses internationally proven and rock solid open source components such as Linux Python Zope Postgresql Git GCC Our company has chosen to actively contribute to the open source community by regularly submitting patches to these projects and provide access to parts of its own code 6 11 Standard TCP Session time ms SPV Events SYN Handshake 15 RTT server DTT client RTT server 25 4 RTT srv TTFB SRT DTT srv RTT client DTT client RTT server RTT server RTT client RTT client RTT client Retrans Retrans DTT server FIN server FIN client END l https github com securactive 6 10 What about Open Source 7 client B i server SPV Metrics handshake DTT cit 10ms push client SRT p DTT srv_Oms simple query sample request response DTT cit 4 ms RT 6 ms S RTT srv 3 DTT srv request 34 ms RTT clit 3 ms a ACK P
159. service of VoIP It is expressed by a number ranging from 1 to 5 1 corresponding to the lowest quality and 5 to the highest close humain voice MOS Rating S Bolm Fair Poor Please note that in real network a MOS note of over 4 4 is unachievable A low MOS will translate into echo and degraded signal MOS is in principle the result of a series of subjective tests in the context of network analysis MOS will be estimated using a formula that integrates 3 factors Network latency RTT recommended value 100ms e Jitter recommended value lt 30ms e Packet loss rate recommended value lt 5 5 3 4 Prerequisites To provide MOS values for VoIP traffic it is necessary to capture the three flows signalization STP or MGCP media RTP and control protocol RTCP If one of these flows is not present in the traffic capture brought to the listening interface s the MOS value will not be calculated Other quality of service metrics will remain available Metrics obtained by analysis of the protocol SUE Sign RIT network latency between each phone value in amp out interval between a re quest and the first response definitive or tem porary from the signalization server Sign SRT signalization server response time Sign RD retransmission delay for the signal ization traffic Sign RR retransmission rate for the signaliza tion traffic Code indicates how the VoIP call ended e g error or not ple
160. the clients and the application server If there are a lot of re transmissions then either the application server or a network device in between are dropping packets Go to Monitoring gt Network performance chart Select the application server Salesforce from the drop down box labled Server Zone and click Search 300 00 ms 200 00 ms 14 16 14 30 14 46 15 00 15 16 14 16 14 30 14 46 15 00 15 16 2 000 00 1 500 00 14 00 00 15 58 00 RTT in avg 151 39 ms 20000ms e RTT out avg 301 50 us RD indic in avg 8 96 ms 150 00 MS RD indic out avg 101 75 us ecT avg 109 16 ms 15 46 14 00 00 15 58 00 RR out avg 0 08 e FR in avg 1 89 15 46 14 00 00 15 58 00 Packets sum 15 062 Figure 5 40 Slow server Network performance chart Here we see that there is a high Retransmission Rate RR Server going from the clients to the application server However none of the packets from the server to the clients needed to be retransmitted RR Client is around 0 This indicates that the application server is in fact dropping the packets and is therefore a slow server Assuming that the route taken form the client to the server is the same route taken from the server to the client as is industry standard practice Lastly check the TCP errors of the clients and the Application server If the server reset count or number of timeouted sessions is high this is a fu
161. tion of Performance Vision the administrator can group similar network usages into categories that will make sense for his network context Additionally by configuring Applications reports on network traffic are made clearer and are readable by any user regardless of their understanding of the underlying infrastructure IP addresses and subnet or ports used by each application An application is a set of network services which together correspond to a business application For example an application named ERP could be configured to match network traffic on port TCP 80 on a server Zone containing the specific server 192 168 20 4 32 2 3 1 Application definition An application can be defined using one or several of these elements e Application Port Range single port or on a defined protocol UDP or TCP 6 Chapter 2 Main terms and concepts SPV User Guide Documentation Release 2 9 e Application Signature designates a pattern contained in the payload of a packet which is used to recognize an application There are two types of Applicative Signature Signature Web application pattern matching on urls from HTTP requests Signature Dynamic port connection tracking on supported protocol such as FTP Bittorrent e Server Zone zone in which the servers are located see Types of conversations page 8 for details on client server identification Client Zone zone in which the clients of the application are located A
162. tions Network Performance Client Server table page 54 and Network Performance Client Server table unfolded page 54 are two illustrations of this benefit n this table we have identified the two zones between which the network response time was the highest amp Network Performance Client Server Table ram voume and network performance by client zone and server zone Begin 2011 04 14 13 22 End 2011 04 14 14 22 More Client Zone P All zj Server Zone Internet zj Search Add this page to report x Info Begin 2011 04 14 13 22 00402 00 Aggregete Level 2 minutes End 2011 04 14 14 22 00 02 00 wa Action Client Zone Server Zone Traffic cT ERT RR RD o All Internet 577 8 MiB 68ms 67ms 0 21 326ms o Paris LAN Internet 577 8 MIB 68ms 67ms 021 326ms o VLAN R amp D Intemet 387 7 MiB 63ms 63ms 0 08 892ms eo amp VLAN Sales Intem et 190 1 MiB 77ms 74ms 041 147ms ec oO VLAN TolP Internet 3 5 KiB ne eo VLAN Wifi Intemet 1 3 KiB P do VLAN Labo Intemet 0 Bytes x amp j MPLS Dantin Intemet 0 Bytes 2o VPN Dantin Internet 0 Bytes x 9 Zone IPv6 Intemet 0 Bytes O Paris LAN fallback Internet 0 Bytes x Intemet Intemet 684 Bytes o Extranet SF Internet 0 Bytes rese TolP B3G Internet 0 Bytes Figure 5 15 Network Performance Client Server table e n this table we have identified the two zones between which we could observe the highest retransmission rate wa Action Client Zone S
163. tners salesforce com Sims A NoError VLAN Sales fallback 192 168 20 254 VLAN Sales fallback 4 994Bytes emea salesforce com 30ms A NoError Figure 5 42 DNS Response Time for a specific requester zone here VLAN Sales If we establish the top hosts making DNS requests it will be possible to pinpoint misconfigured clients not keeping in a local cache the DNS server responses this approach makes it possible to distinguish between an issue coming from the user s workstation and one coming from the general function of the network Please note that hosts making a very high volume of DNS requests may correspond to a malicious behaviour for example some malwares try to establish connections to Internet by resolving domain names and sometimes the DNS protocol is used in cover channels to escape information DNS errors issue We can also ask for the top hosts receiving most DNS error messages non existing hosts etc This will also put the light on misconfigured stations generating an unnecessary traffic and lowering the overall network perfor mance DNS Internal misconfiguration To do this we need to identify the AXFR and I XFR transactions towards its autorithy server If these updates occur too often and therefore generate an unnecessary traffic we can conclude that there is an issue If the bandwidth used is too large it means that our DNS server requests a full zone transfer AXFR when an iterative transfer IXFR would have been
164. tual appliances come with no data disk thus everything traffic data as well as pcaps and reports will be written to the system disk only If you plan to keep a long history of data then a dedicated data disk is mandatory To create one attach a new drive to your VM and then run the format data disk command from pulsar Notice that you will not be able to resize this data disk hereafter the required size depends on the traffic you plan to monitor but anything below 500GB seams dubious the data previously acquired will be lost you are required to reboot the appliance once done 24 Chapter 3 Deployment CHAPTER FOUR CONFIGURATION 4 1 Hardware The first thing to do is to plug a screen and a keyboard to the probe for first set up only and then to provide electrical power Once done just turn power on For the screen the connectivity is a standard VGA port Two are available one is located on the front side of the probe the other is located on the rear side of the probe For the keyboard you can plug it to any of the four USB ports Two of them are located on the front side of the probe the two others are located on the rear side of the probe By default the probes are equipped with four Gigabit Ethernet interfaces labeled 1 to 4 The first one is the administration port used to connect to the probe Plug the Gb1 network interface to your network to be able to connect to the probe The three others interfaces
165. twork Round Trip Times for TCP are based the TCP acknowledgment mechanism This means that although RTT is generally a good measurement of round trip latency if the operating system of one of the parties is so overloaded that the acknowledgment process becomes slower RTT values will be impacted RTT Server would be impacted on the server side and RTT Client on the client side RTT should then be analyzed in parallel to CT Connection Time because the treatment of new session by the IP stack has a higher priority Some values are averaged measures For each conversation two kinds of values are reported counters for instance packets or byte counters which are the sum over all connections aggregated for this conversation performance metrics for instance RTT SRT DTT and the likes which are average values over all samples aggregated for this conversation EURT EURT stands for End User Response Time This metric is an aggregate of various other measures meant to give an idea of the perceived overall end user experience It is taken as the sum of RTT SRT and DTT EURT has no meaningful physical counterpart Only its evolution makes sense and allow the system administrator to check at a glance whether a network zone is behaving as usual or not Notice that expected correct values for both SRT and DTT depend on the protocol at hand As a consequence you should not try to compare two EURT of different applications RTT RTT stan
166. ual Machine Swapfile Location Security Profile Host Cache Configuration Figure 9 28 Right click of the virtual appliance then choose Edit settings Performance Vision Virtual Machine Properties Hardware Options Resources virtual Machine Ve r Memory Configuration Add Hardware Device Type What sort of device do you wish to add to your virtual machine Show All Devices Choose the type of device you wish to add Information This device can be added to this Virtual Machine USB Controller ls ISE Device unavailable Ethernet Adapter Help Back Cancel SSS P Figure 9 29 In the Hardware tab Click on Add then choose Ethernet adapter and Click on Next Attach the New Ethernet adapter to the Network in promiscuous mode 9 1 Virtual Appliance Step by Step 103 SPV User Guide Documentation Release 2 9 Add Hardware Network Type What type of network do you want to add Device Type m Adapter Type Network connection Type Flexible Ready to Complete Adapter choice can affect both networking performance and migration compatibility Consult the VMware KnowledgeBase For more information on choosing among the network adapters supported For various guest operating systems and hosts reor Connection Network label vm Network M Port NjA Device Status V Connect at power on Help lt Back Can
167. ulsar now displays license information on the pol ler command Chapter 1 Release notes SPV User Guide Documentation Release 2 9 1 2 2 Changes GUI Top screen reorganisation We now have Tops for clients servers applications and ports GUI ICMP messages regarding different connections are no more merged 1 2 3 Major bug fixes Metrics TCP keepalives do not interrupt a data flow any more e Pulsar Fix pulsar process command e GUI Fix filters on unilateral flows or retransmission Reports Fix missing columns in some reports 1 3 Whats new in 2 7 1 3 1 New Features Config POSIX regular expressions are available in web patterns Reports Can now reorder pages in a report GUI DNS resolution requests can now be done and undone with a button column by column and no longer through field mouse over 1 3 2 Changes GUI Replace in out by srv clt in all pages Metrics Deduplication is now performed independently for every interfaces vlans if these are not aggre gated Config Search and zone edition is now faster 1 3 3 Major bug fixes Metrics SIP connection were not properly tracked in some cases e Pulsar Fix pulsar analyzer ifaces and help commands GUI Fix empty unfolded line bug in grouping tables e System Restart processes when they consumes too much memory 1 4 Whats new in 2 8 1 4 1 New Features Alerts Business Critical Applications metr
168. umn in Analysis TCP Error 2 222r 6 6 Why are some DNS request names missing 2l es 6 7 Some TCP conversations are reported twice whats wrong 6 8 Pcap files generated by tcpdump are mostly empty 2 2l 6 9 How to do complex searches on domain names 6 10 Whatabout Open Source a seo Abe REE ox 9x4 394x399 595324435935 611 Standard TCP Session en o rea eo ee HSS ROGO dod gs ORE ES ES Re 7 Known issues Jh CONDONO 2 ote ee See ee EEE HEE 2ek poxkossos 39 Rom ezrognoxo 4 9 Ee ES vo sco oboe oes eo Seo oe Oe eee ee EEE eee PERE eee eee CER 00 PPP To SPI x9 295 938 9 wo REUS SORS S WO UR Ge ROM eee Oe ee eG NOE SUR WR ee Toy WG uon no box o9 om ovum b wo wc RokGhubO ob oxwch 9o ade R4 09 998 5 3 honos sda NE Loc se ea et ena ee eke oe ee aS oe eee ee ose See eee Ee eA ee 8 Glossary 9 Appendix 91 Virtual Appliance Step by Step 2 22 29 roo 9 om bebe eee ER ee GER EG x RS Index 81 Sl 81 Sl 81 Sl 82 83 87 87 113 CHAPTER ONE RELEASE NOTES 1 1 What s new in 2 5 1 1 1 Installation notes e Service Pack update must be installed before migrating from 2 x to 2 5 If the Service Pack is not installed the 2 5 upgrade will not start Migration must be done from a 2 x version If you currently have 1 x version please update first to version 2 0 or 2 3 Then install the Service Pack then install the 2 5 update 1 1 2
169. ur reports could be sent properly to the recipients email addresses you need to configure the SMTP server within Pulsar page 26 You can do that with the config smtp command Then just add a valid SMTP host and in option a login and password if you use an authenticated SMTP server You also can modify with the same command the F rom header of the emails generated by the probe After that you can either reboot the probe or use smtp stop followed by smtp start commands to activate the new configuration 4 4 7 SNMP Optionally SNMP requests are answered on default SNMP port see Pulsar page 26 documentation The SNMP objects that are thus made available are twofold First there are the standard SNMP objects then SPV specific objects System MIB The probe uses the UNIX Net SNMP daemon which serves standard MIB So you can monitor your probe from your SNMP console as you would normally monitor any UNIX server For instance the usual statistics about network interface usage file system available spaces I O operations etc are available Monitoring specific MIB In addition to these default information the probe provides various statistics under iso org dod internet private enterprises securactive The comprehensive MIB files are available from our web site so this section only sketches what kind of infor mation is available You are encouraged to download the actual MIB for use with your common purpose SNMP console This will gi
170. ve you access to nterface statistics for each network interface such as the count of received packets dropped packets and duplicated packets Protocol statistics for each recognized protocol which can give a good impression on the realtime compo sition of the whole network stream Various CPU RAM information that are destined to troubleshoot an SPV more than to reveal anything about the network License related information such as date of expiry and so on Averaged metrics such as RTT or DNS response time l http www net snmp org http www securactive net en documents 250 securactive mibs download 4 4 SPV Functional Configuration 39 SPV User Guide Documentation Release 2 9 BCN and BCA MIBS Since the 2 9 version two new modules are available BCA and BCN Please update your MIB file if you use a SPV MIB before 2 9 Here is a tree description of the BCA and BCN MIB BCA module t sactSPVBCAModule 1 t spvBCAStateTable 1 t spvBCAStateEntry 1 Index spvBCAName t Rat SLITHIO spvBCAName 1 pe R Enunmval SpvBCAStatus 2 Values Ok 1 Warning 2 Alert 3 NA 4 Nothing 5 NotEnough 6 R Gauge SPVBCAEURT 3 R Gauge SpvBCASRT 4 qees pe Gauge SpvBCASRTCount 5 R Counter SpvBCASRICountSum 6 T R Gauge SpvBCARTTClient 7 t R Gauge SpvBCARTTServer 8 T R Gauge SpvBCADTTClient 9
171. versations where some voice was exchanged unsuccessful calls are conversations without any voice exchanged VoIP Conversations amp Details The two last views show each call individually with some usage metrics for VoIP Conversations The VoIP Details view is the same table but with performance metrics 48 Chapter 5 Interpreting the results SPV User Guide Documentation Release 2 9 144200 1542 00 Successful ongeing calls avg 13 7 Unsuccessful cngang calgavg 14 2 Figure 5 6 VoIP Calls Volume Sync Begin Time Call Duration Caller Caller Zone Callee Callee Zone Application Mos Packet loss Traffic Code Last Call State g 2011 04 07 15 44 51 i FBLANCHARD Private fallback 83208 na sip 0 00 22KB 200 closed 2011 04 07 15 44 50 ia system na 00085dBaaf64 na sip 0 00 555Bytes dial 2011 04 07 15 44 50 aM na 83780 sip 0 00 32XiB 200 closed 2011 04 07 15 44 43 nin aE Private fallback 83052 sip 0 00 7 1KIB 200 closed 2011 04 07 15 44 43 na F POIRIEZ Private fallback B4739 sip 0 00 77KB 200 closed 2011 04 07 15 44 41 1a PMAGNI na 83382 000 3 6KiR 200 closed Q 2011 04 07 15 44 31 lm 15s LYAHI 83784 0 00 9 16MiB 00 vok 2011 04 07 15 44 31 1a LYAHI 83784 P 0 00 3 1KiB 00 vo 2011 04 07 15 44 25 ia system 09085683525 P 9 00 2418 0O ch d 2011 04 07 15 44 11 PMEURER 00354732815 p on 43KB losed e 2011 04 07 15 44 08 ia system 000854Bad1
172. w no session setup this machine is either misconfigured or infected This view can be accessed through Diagnostic TCP events ICMP errors Performance Vision provides in depth view of ICMP errors When conducting a troubleshooting this view can display ICMP errors will report the volume of flows which cannot be setup either because the network host or port 1s unreachable This can reveal Begin 20120321 13 24 End 2012 03 21 19 24 oo0oQcG 00 Emitting zone Server Zone Emitting IP Server IP Request Name All e Al Device id Poller Ary lel Ary l Info B 012 03 21 13 15 Aggregate Level 15 minutes End 2012 03 21 19 15 Number of collected results 100 1 345 End Time Poller VLAN Device id Requester IP Requester Zone Server IP ServerZone 3 2012 03 21 19 14 59 nova eth3 172 16 1 119 Main office i ack 172 16 1 255 Main office fallback 0 2012 03 21 19 14 49 nova eth3 172 16 1 57 Main office fallba 172 16 1 255 Main office fallback 0 2012 03 21 19 14 57 nova eth3 172 16 1 132 Mai a 172 16 1 255 Main office fallback 4 20120321 19 th1 72 16 1 1 L office a 172 16 1 255 Main office fallback 4 2012 03 21 19 14 59 nova eth3 72 16 1 91 M office fallba 72 16 1 255 M ffice fall back 6 2012 0321 19 14 41 nova eth1 72 16 1 91 M office fallba 172 16 1 M ffice fall K 3 012 03 21 19 th1 172 16 1 57 Main office fallba 172 16 1 j ffice fall b 1 2012 03 21 19 14 56 nova eth1 172 16 1 119 n office a 172 16 1
173. y a starting time and an ending time provided by the user A conversation is defined by the following criteria The device identifier that received the packets The VLAN tag that might be present in the packets e Source or client IP address please refer to the chapter Types of conversations page 8 Destination or server IP address Application please refer to the chapter Application concept page 6 2 5 2 Types of conversations Performance Vision offers two ways to analyse network conversation From an user s perspective network conversations can be seen in two different ways which correspond to two different needs Client Server or Source Destination This chapter explains how those views differ which kind of information they provide and how they can be used Source destination In a source destination conversation all flows between two hosts will be classified following the concepts of source and destination This means that the flows will group data exchanges from a source IP address to a destination IP address regardless of their function of client or server For instance a traffic from A to B foran application will be broken down in two conversations a conversation from A to Bandaconversation from B to A Src Dst conversations correspond to a view of network flows for traffic analysis When analysing data for traffic analysis purposes an administrator wants to view flows without considering the role of each host th
174. you understand MOS variations and see which metric is impacting MOS 5 3 VolP Module 47 SPV User Guide Documentation Release 2 9 1442 00 15 4209 vos avg 4 37 1450 15 00 1510 1520 1539 15 40 1442 00 15 4209 7000 Ongoing Cals avg 61 7 By pointing a specific point of time on the graph you can display the exact value for each metric on the right side of the graph By clicking on a specific point of time you are directly to the VoIP conversations for this point of time 2011 09 07 08 15 2011 09 07 18 15 Callee jtter avg 328 6 us Caller jtter avg 118 0 ps 09 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 2011 09 07 08 15 2011 09 07 18 15 Callee Packet loss avg 0 9 Caller Packet loss avg 0 09 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 2011 09 07 08 15 2011 09 07 18 15 10 Ongoing Calls avg 3 09 00 10 00 11 00 12 00 13 00 14 00 15 00 16 00 17 00 18 00 VoIP Bandwidth amp Call Volume This view shows a chart of bandwidth used for voice and signalization for the first one 14 42 00 15 42 00 6 Cales bamdiwidih awg 207 00 Kols 10 80 Mole Caller bandwidth awg 290 24 Hols Server sipbandw avg 4 95 Kols Clert sign bandw avg 355 Hols Figure 5 5 VoIP Bandwidth Chart the evolution of the volume of calls through time Calls are distributed between successful and unsuc cessful calls Successful calls are con
Download Pdf Manuals
Related Search