
PV - User Guide Documentation


10 Frequently Asked Questions
10.1 Firefox freezes randomly on some pages
10.2 Aggregate level changes when browsing from tables to charts
10.3 How can SRT be greater than DTT?
10.4 How can we have 0 packets and no traffic at all?
10.5 What is this timeout column in Analysis / TCP Error?
10.6 Why are some DNS request names missing?
10.7 Some TCP conversations are reported twice, what's wrong?
10.8 Files generated by tcpdump are mostly empty
10.9 How to do complex searches on domain names
10.10 How come my VM keeps losing
10.11 What about Open Source?
10.12 Standard TOP Session
11 Known issues (11.1 to 11.7)
12 Glossary
13 Appendix
13.1 Integration with other Tools
13.2 Custom Filters
13.3 SPV For Developers
13.5 Licenses of open source libraries
13.6 CIFS Status Categories
Index
7.3 SPV Functional Configuration
8 Interpreting the results
8.1 Business Critical Application Dashboard
8.2 Business Critical Networks Dashboard
8.3 VoIP Module
8.4 Application dashboards
8.6 Packet-level Analysis
8.7 Interpretation Guidelines
9 Licensing and Upgrades
9.2 Deployment Mode
9.3 Product Range Summary
9.4 Hardware Versions
9.5 VMware Versions
9.6 Performance Vision Versions
9.7 How can I determine the model that is right for me?
9.9 License and Upgrade Installation
Figure 2.10: The queries over time

2.8 CIFS Analysis

In the Protocols section, the set of CIFS performance pages allows you to analyse the CIFS traffic (CIFS covers the SMB protocols up to SMB 3). It shows the CIFS commands with the usual metrics (responsiveness, payload size) and some specific ones, like the metadata payload or the data size effectively written by the server. When a file is handled, its path and tree are available as well.

The CIFS set of protocols contains plenty of commands and statuses. In Performance Vision we have classified the statuses in three categories: success, warning and error. You can find the details of how each status is classified in the appendix CIFS Status Categories.

We also defined a category of common statuses, containing the most common CIFS errors and warnings. The list contains the following statuses:
• STATUS_NO_SUCH_FILE
• STATUS_NO_SUCH_DEVICE
• STATUS_OBJECT_NAME_NOT_FOUND
• STATUS_OBJECT_PATH_INVALID
• STATUS_OBJECT_PATH_NOT_FOUND
• STATUS_OBJECT_PATH_SYNTAX_BAD
• STATUS_DFS_EXIT_PATH_FOUND
• STATUS_REDIRECTOR_STARTED
• STATUS_TOO_MANY_OPENED_FILES
• STATUS_ACCESS_DENIED
• STATUS_PORT_CONNECTION_REFUSED
• STATUS_FILE_DELETED
• STATUS_INSUFF_SERVER_RESOURCES
• STATUS_MORE_PROCESSING_REQUIRED

Note that STATUS_MORE_PROCESSING_REQUIRED is the normal answer to the first round of an NTLMSSP/SPNEGO session setup, so its presence alone is not a failure; a sustained stream of STATUS_ACCESS_DENIED and STATUS_OBJECT_NAME_NOT_FOUND from a single client, on the other hand, is also what a share or file enumeration looks like, and is worth a look even when the server shows no performance problem.
[vSphere Client screenshot: Configuration / Networking of an ESXi 5.0 host; the existing vSphere Standard Switch vSwitch0 carries the physical adapter vmnic0 and the Management Network port (vmk0, 10.1.0.11), plus the VM Network port group hosting the Performance Vision virtual machines.]

Figure 6.12: Networking Menu

4. Click on Add Networking.

Figure 6.13: Add Networking

Then, in the Network Access menu, select the ESX physical port dedicated to the traffic capture (here vmnic3) and unselect the others. The capture uplink must be a port of its own: do not reuse the management uplink (vmnic0 above) for mirrored traffic.
Figure 8.36: Peak in server response time, Conversations (Samba CIFS conversations from the clients 192.168.20.205, 192.168.20.212, 192.168.20.217, 192.168.20.202, 192.168.20.15 and 192.168.20.50 to SRV-FileServer 192.168.20.9, with traffic, packet count and RTT columns)

8.7 Interpretation Guidelines (continued)

To achieve this we can simply display the Performance conversations for the application Samba CIFS for the zone VLAN Sales. Here is the result:

Figure 8.37: Peak in server response time, Conversations (filter: Start after 2010-06-07 12:00, Start before 2010-06-07 18:00, client zone VLAN Sales, server zone Private)

From this screen we can draw the following conclusion: only the clients 192.168.20.205 and 192.168.20.212 seem to be impacted; the other clients have very short RTT values.

To confirm this we need to check that these two hosts are the only ones to be impacted, and check whether they are impacted only when accessing the Fileserver.
The value "in" corresponds to the metric for the traffic from the caller to the callee, and the value "out" corresponds to the metric for the RTP/RTCP traffic from the callee to the caller. From each line you can drill down to the MOS chart or to the VoIP conversations.

VoIP Overview (VoIP overview by caller zones)

MOS over time: this view shows the evolution of the Mean Opinion Score through time. A second graph shows the evolution of the number of calls, to help you evaluate how many were impacted by a MOS degradation. By pointing at a specific point in time on the graph you can display the exact value of each metric on the right side of the graph. By clicking on a specific point in time you are taken directly to the VoIP conversations for that point in time.

Jitter / Packet Loss: this view shows the evolution through time of the jitter and the packet loss. It can help you understand MOS variations and see which metric is impacting the MOS. By pointing at a specific point in time on the graph you can display the exact value of each metric on the right side of the graph. By clicking on a specific point in time you are taken directly to the VoIP conversations for that point in time.

[Figure: jitter and packet loss over time, 2011-09-07 08:15 to 18:15, hourly axis from 09:00 to 18:00; the right-hand summary shows averages of 328.6 µs and 118.0 µs]
13.6 CIFS Status Categories (Table 13.10, continued from previous page)

0xc000009d  NT_STATUS_DEVICE_NOT_CONNECTED
0xc000009e  NT_STATUS_DEVICE_POWER_FAILURE
0xc000009f  NT_STATUS_FREE_VM_NOT_AT_BASE
0xc00000a0  NT_STATUS_MEMORY_NOT_ALLOCATED
0xc00000a1  NT_STATUS_WORKING_SET_QUOTA
0xc00000a2  SMB_STATUS_MEDIA_WRITE_PROTECTED
0xc00000a3  NT_STATUS_DEVICE_NOT_READY
0xc00000a4  NT_STATUS_INVALID_GROUP_ATTRIBUTES
0xc00000a5  NT_STATUS_BAD_IMPERSONATION_LEVEL
0xc00000a6  NT_STATUS_CANT_OPEN_ANONYMOUS
0xc00000a7  NT_STATUS_BAD_VALIDATION_CLASS
0xc00000a8  NT_STATUS_BAD_TOKEN_TYPE
0xc00000a9  NT_STATUS_BAD_MASTER_BOOT_RECORD
0xc00000aa  NT_STATUS_INSTRUCTION_MISALIGNMENT
0xc00000ab  SMB_STATUS_INSTANCE_NOT_AVAILABLE
0xc00000ac  SMB_STATUS_PIPE_NOT_AVAILABLE
0xc00000ad  STATUS_INVALID_PIPE_STATE
0xc00000ae  SMB_STATUS_PIPE_BUSY
0xc00000af  SMB_STATUS_ILLEGAL_FUNCTION
0xc00000b0  SMB_STATUS_PIPE_DISCONNECTED
0xc00000b1  SMB_STATUS_PIPE_CLOSING
0xc00000b2  NT_STATUS_PIPE_CONNECTED
0xc00000b3  NT_STATUS_PIPE_LISTENING
0xc00000b4  SMB_STATUS_INVALID_READ_MODE
0xc00000b5  SMB_STATUS_IO_TIMEOUT
0xc00000b6  NT_STATUS_FILE_FORCED_CLOSED
0xc00000b7  NT_STATUS_PROFILING_NOT_STARTED
0xc00000b8  NT_STATUS_PROFILING_NOT_STOPPED
0xc00000b9  NT_STATUS_COULD_NOT_INTERPRET
0xc00000ba  SMB_STATUS_FILE_IS_A_DIRECTORY
0xc00000bb  STATUS_NOT_SUPPORTED
0xc00000bc  NT_STATUS_REMOTE_NOT_LISTENING
0xc00000bd  NT_STATUS_DUPLICATE_NAME
0xc00000be  NT_STATUS_BAD_NETWORK_PATH
0xc00000bf  NT_STATUS_NETWORK_BUSY
0xc00000c0  NT_STATUS_DEVICE_DOES_NOT_EXIST
0xc00000c1  NT_STATU
4 Metrics Computation
5 Deployment
5.1 How to integrate Performance Vision in
5.2 How to capture traffic
5.3 Supported Protocols
5.4 Port mirroring and duplicated packets
5.5 Distributed Architecture
5.6 Virtual Performance Vision
6 Virtual Appliance Step by Step
6.1 How to get the image of the Virtual Appliance
6.2 Virtual Appliance Specifications
6.3 Installation
6.4 Validate the traffic capture
6.5 How to use the product
7 Configuration
Table 13.10 (continued)

0xc000007b  NT_STATUS_INVALID_IMAGE_FORMAT
0xc000007c  NT_STATUS_NO_TOKEN
0xc000007d  NT_STATUS_BAD_INHERITANCE_ACL
0xc000007e  SMB_STATUS_RANGE_NOT_LOCKED
0xc000007f  STATUS_DISK_FULL
0xc0000080  NT_STATUS_SERVER_DISABLED
0xc0000081  NT_STATUS_SERVER_NOT_DISABLED
0xc0000082  NT_STATUS_TOO_MANY_GUIDS_REQUESTED
0xc0000083  NT_STATUS_GUIDS_EXHAUSTED
0xc0000084  NT_STATUS_INVALID_ID_AUTHORITY
0xc0000085  NT_STATUS_AGENTS_EXHAUSTED
0xc0000086  NT_STATUS_INVALID_VOLUME_LABEL
0xc0000087  NT_STATUS_SECTION_NOT_EXTENDED
0xc0000088  NT_STATUS_NOT_MAPPED_DATA
0xc0000089  NT_STATUS_RESOURCE_DATA_NOT_FOUND
0xc000008a  NT_STATUS_RESOURCE_TYPE_NOT_FOUND
0xc000008b  NT_STATUS_RESOURCE_NAME_NOT_FOUND
0xc000008c  NT_STATUS_ARRAY_BOUNDS_EXCEEDED
0xc000008d  NT_STATUS_FLOAT_DENORMAL_OPERAND
0xc000008e  NT_STATUS_FLOAT_DIVIDE_BY_ZERO
0xc000008f  NT_STATUS_FLOAT_INEXACT_RESULT
0xc0000090  NT_STATUS_FLOAT_INVALID_OPERATION
0xc0000091  NT_STATUS_FLOAT_OVERFLOW
0xc0000092  NT_STATUS_FLOAT_STACK_CHECK
0xc0000093  NT_STATUS_FLOAT_UNDERFLOW
0xc0000094  NT_STATUS_INTEGER_DIVIDE_BY_ZERO
0xc0000095  NT_STATUS_INTEGER_OVERFLOW
0xc0000096  NT_STATUS_PRIVILEGED_INSTRUCTION
0xc0000097  SMB_STATUS_TOO_MANY_PAGING_FILES
0xc0000098  NT_STATUS_FILE_INVALID
0xc0000099  NT_STATUS_ALLOTTED_SPACE_EXCEEDED
0xc000009a  NT_STATUS_INSUFFICIENT_RESOURCES
0xc000009b  SMB_STATUS_DFS_EXIT_PATH_FOUND
SecurActive PV User Guide Documentation
Release 3.3
by the PV Documentation Team
September 08, 2015

CONTENTS
1 Release notes
1.1 to 1.17 What's New in each release (one entry per release, from 3.3 down to the 2.x releases)
2 Use The PV Graphical Interface
2.1 Access Through a Web browser
2.2 Network
[Conversation context menu for a postgresql (Ethernet/IPv4/TCP/PostgreSQL) flow: "Show the TCP events of this conversation", "Show the SQL transactions for this conversation"; ICMP flows carry the Ethernet/IPv4/ICMP application stack.]

Figure 2.18: Links from flow metrics to detailed metrics

Note: Drilldown can return no data for several reasons:
• The selected transaction does not match an activated Zone (for metrics like SQL or CIFS).
• No response has been parsed for the transaction: check the client and server packet counts for a unilateral flow.
• The payload does not generate a metric (flows like keep-alives or notifications for CIFS).

A navigation between metrics that are related is available. For example, you can obtain the DNS queries that are related to an HTTP connection by clicking the DNS link in one of the results in the Pages view of the HTTP protocol section.

[Figure residue: CIFS commands on port 445 (0x08 SMB2 read, 0x10 SMB2 query_info) with status 0x00000000 SMB status ok; DNS requests with Links, Begin Time (2014-11-17 10:32:56.000 and 10:32:58.430) and Client zone columns; a PostgreSQL UPDATE transaction with Service, System, Database, Username, Port and Command columns]
Figure 6.18: Two Virtual Networks (virtual machine port group "Mirror", VLAN ID All (4095), physical adapter vmnic3)

The aim of the second vswitch (vSwitch1) is to show the flows in promiscuous mode. To set up promiscuous mode on the Mirror network:

Figure 6.19: Click on vSwitch1 Properties

In the General tab, edit the MTU setting to 9000. Then, in the Security tab, select Accept from the Promiscuous Mode listbox.

Figure 6.20: General settings, MTU (vSwitch1 Properties, Number of Ports 120; changes will not take effect until the system is restarted)

Figure 6.21: Security settings, accept promiscuous mode (Policy Exceptions: Promiscuous Mode Accept, MAC Address Changes Accept, Forged Transmits Accept)

Two points worth keeping in mind on this switch. First, every virtual machine attached to a port group that accepts promiscuous mode receives a copy of all the frames the vSwitch forwards, so keep the Mirror port group dedicated to the appliance's listening interface: any other VM attached to it would see the same mirrored traffic. Second, only Promiscuous Mode is required for capture; MAC Address Changes and Forged Transmits, shown as Accept in the figure, are not needed by a listen-only adapter and can stay at Reject unless something else on that switch requires them.

6.3.7 Add a listening network card to the virtual appliance

Here we add a listening network port in promiscuous mode. Right-click the virtual appliance, then choose Edit Settings.

Figure 6.22: Click on Edit Settings

In the Hardware tab, click on Add, then choose Ethernet Adapter and click on Next. Attach the new Ethernet adapter to the network in promiscuous mode.

Figure 6.23: Attach Ethernet Adapter

In the Network Connection listbox, choose the network configured above (Mirror here), then click on Next.
Table 13.10 (continued)

0xc00002d1  NT_STATUS_DS_CANT_MOD_OBJ_CLASS
0xc00002d2  NT_STATUS_DS_CROSS_DOM_MOVE_FAILED
0xc00002d3  NT_STATUS_DS_GC_NOT_AVAILABLE
0xc00002d4  NT_STATUS_DIRECTORY_SERVICE_REQUIRED
0xc00002d5  NT_STATUS_REPARSE_ATTRIBUTE_CONFLICT
0xc00002d6  NT_STATUS_CANT_ENABLE_DENY_ONLY
0xc00002d7  NT_STATUS_FLOAT_MULTIPLE_FAULTS
0xc00002d8  NT_STATUS_FLOAT_MULTIPLE_TRAPS
0xc00002d9  NT_STATUS_DEVICE_REMOVED
0xc00002da  NT_STATUS_JOURNAL_DELETE_IN_PROGRESS
0xc00002db  NT_STATUS_JOURNAL_NOT_ACTIVE
0xc00002dc  NT_STATUS_NOINTERFACE
0xc00002dd  NT_STATUS_DS_ADMIN_LIMIT_EXCEEDED
0xc00002de  NT_STATUS_DRIVER_FAILED_SLEEP
0xc00002df  NT_STATUS_MUTUAL_AUTHENTICATION_FAILED
0xc00002e0  NT_STATUS_CORRUPT_SYSTEM_FILE
0xc00002e1  NT_STATUS_DATATYPE_MISALIGNMENT_ERROR
0xc00002e2  NT_STATUS_WMI_READ_ONLY
0xc00002e3  NT_STATUS_WMI_SET_FAILURE
0xc00002e4  NT_STATUS_COMMITMENT_MINIMUM
0xc00002e5  NT_STATUS_REG_NAT_CONSUMPTION
0xc00002e6  NT_STATUS_TRANSPORT_FULL
0xc00002e7  NT_STATUS_DS_SAM_INIT_FAILURE
0xc00002e8  NT_STATUS_ONLY_IF_CONNECTED
0xc00002e9  NT_STATUS_DS_SENSITIVE_GROUP_VIOLATION
4.2.4 From transactions to pages

Since all transactions of a page are necessarily emitted by the same user, all transactions are associated to this user in chronological order. Time and the Referrer field are our two best tools from now on.

Notice that since a page routinely involves transactions over several sockets, and since different sockets are reassembled by different TCP parsers which deliver segments at a different pace, it is possible for the HTTP metric to reconstruct a transaction A before a transaction B even if B happened and was received by the probe before A (for instance if A's socket reassembly was delayed by a missing frame). In such an occurrence, the referrer relation between A and B may not be honored.

We do not wait for the pairing with a response to attach a query to the page it belongs to. When we attach a new query to a client, we look for the referrer of this transaction within the ones that are already attached to this client; in case the referrer field is absent, we use the same kind of referrer cache as found in KSniffer (https://www.usenix.org/legacy/event/osdi04/tech/full_papers/olshefski/olshefski.pdf). If the referred page is itself attached to another page, two behaviors are available: we detach it, thus turning the referrer into the root of a new page, or we follow the chain of attachment and attach the new transaction to the parent page. Note that the first behavior is possible only when th
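The attachment rules above, as an added example written for this page (it is not SecurActive's implementation): transactions arrive in probe reconstruction order, each query is attached as soon as it is seen, the Referer is looked up among the client's already-attached transactions, a missing Referer falls back to a last-page cache, a Referer that has not been reassembled yet starts a new page, and a Referer that is a non-root member of another page is handled by either of the two policies described. The class and field names, the rule that the cache is refreshed on every attachment, and the sample transactions are this example's assumptions.

```python
"""Added example (not the SecurActive implementation): attach HTTP transactions to pages
using arrival order and the Referer field, as section 4.2.4 describes, including the
referrer cache fallback and the two policies for a referrer that is itself a non-root
member of another page. Names, the cache rule and the sample data are this example's."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Transaction:
    client: str              # the user (client IP) that emitted the request
    url: str
    referer: Optional[str]   # value of the Referer header, None if absent


@dataclass
class Page:
    root: str                # URL of the transaction that started the page
    members: List[str] = field(default_factory=list)


class PageBuilder:
    """Feed transactions in the order the probe reconstructs them (not necessarily the
    order they were sent); each one is attached to a page as soon as the query is seen,
    without waiting for its response.

    mode="follow": a referrer that is a non-root member of page P makes the new
                   transaction a member of P (follow the chain to the parent page).
    mode="detach": the referrer is removed from P and becomes the root of a new page,
                   which the new transaction joins.
    """

    def __init__(self, mode: str = "follow"):
        assert mode in ("follow", "detach")
        self.mode = mode
        self.pages: List[Page] = []
        # per client: URL of an attached transaction -> page it belongs to
        self._attached: Dict[str, Dict[str, Page]] = {}
        # per client: last page touched (the referrer cache, KSniffer style); assumption:
        # it is refreshed on every attachment, not only when a new root appears
        self._last_page: Dict[str, Page] = {}

    def _new_page(self, client: str, root_url: str) -> Page:
        page = Page(root=root_url, members=[root_url])
        self.pages.append(page)
        self._attached[client][root_url] = page
        return page

    def add(self, tx: Transaction) -> Page:
        attached = self._attached.setdefault(tx.client, {})
        if tx.referer is None:
            # No Referer: fall back to the last page seen from this client.
            page = self._last_page.get(tx.client)
            if page is None:
                page = self._new_page(tx.client, tx.url)
                self._last_page[tx.client] = page
                return page
        else:
            page = attached.get(tx.referer)
            if page is None:
                # Referrer not reassembled yet (out-of-order delivery across sockets) or
                # never captured: the relation cannot be honored, start a new page.
                page = self._new_page(tx.client, tx.url)
                self._last_page[tx.client] = page
                return page
            if page.root != tx.referer and self.mode == "detach":
                # Referrer is a non-root member: make it the root of its own page.
                page.members.remove(tx.referer)
                page = self._new_page(tx.client, tx.referer)
        page.members.append(tx.url)
        attached[tx.url] = page
        self._last_page[tx.client] = page
        return page


def build_pages(transactions, mode="follow") -> List[Page]:
    builder = PageBuilder(mode)
    for tx in transactions:
        builder.add(tx)
    return builder.pages


# Constructed sample (not a capture), in probe reconstruction order.
SAMPLE = [
    Transaction("10.0.0.5", "/index.html", None),
    Transaction("10.0.0.5", "/style.css", "/index.html"),
    Transaction("10.0.0.5", "/frame.html", "/index.html"),
    Transaction("10.0.0.5", "/frame.js", "/frame.html"),          # referrer is a non-root member
    Transaction("10.0.0.5", "/beacon.gif", None),                 # no Referer: referrer cache
    Transaction("10.0.0.5", "/late.png", "/not-yet-seen.html"),  # referrer not reassembled
]

if __name__ == "__main__":
    for mode in ("follow", "detach"):
        print(mode, [(p.root, p.members) for p in build_pages(SAMPLE, mode)])
```

Run it and compare the two modes on the same input: in "follow" mode /frame.js and the Referer-less /beacon.gif end up on the /index.html page, in "detach" mode /frame.html is pulled out of that page and becomes the root that /frame.js and /beacon.gif join; /late.png becomes a root of its own in both modes because its referrer was never attached, which is exactly the reordering case the text warns about.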
Destination (or server) IP address, and Application (please refer to the chapter Application).

3.5.2 Types of Conversations

Performance Vision offers two ways to analyse network conversations. From a user's perspective, network conversations can be seen in two different ways which correspond to two different needs: Client/Server or Source/Destination. This chapter explains how those views differ, which kind of information they provide and how they can be used.

Source/Destination

In a source/destination conversation, all flows between two hosts are classified following the concepts of source and destination. This means that the flows group data exchanges from a source IP address to a destination IP address, regardless of whether the hosts function as a client or a server. For instance, traffic from A to B for an application will be broken down in two conversations: a conversation from A to B and a conversation from B to A.

Src/Dst conversations correspond to a view of network flows for traffic analysis. When reviewing data for traffic analysis purposes, an administrator wants to view flows without considering the role of each host, that is to say disregarding whether the host is a client or a server.

Figure 3.4: Source/Destination conversations between Zone A and Zone B (TCP, UDP and ICMP flows, shown once as traffic from A to B and once as traffic from B to A)
[Graph creation page of the monitoring console: graph templates "Junkie Denied Parsers", "Linux Memory Usage" and "ucd/net CPU Usage"; data queries "Junkie Muxer Stats".]

Figure 13.6: Create CPU and memory graphs

As well as one for junkie's packet sources, useful to monitor dups as well as dropped packets, in addition to general-purpose interface usage statistics on all listening devices (Data Query "Junkie Query Pkt Sources", Data Query "Metrics Dumped Cells", Data Query "SNMP Interface Statistics" with one row per interface: index, status, description, name, IF-MIB type, speed, hardware address, IP address).

Figure 13.7: Create device/protocol graphs

13.1 Integration with other Tools (continued)

At the very bottom of the page you will have the opportunity to add graphs to monitor hard disk space on the interesting partitions, / and /srv (Data Query "SPV BC
2.3 Application Performance
2.5 Conversations, Flow Details & Raw Data
2.6 HTTP Analysis
2.8 CIFS Analysis
2.11 DNS
3 Main terms and concepts
3.1 General Conventions
13.6 CIFS Status Categories

The CIFS status codes must be interpreted in one of two ways, depending on the capabilities negotiated between the client and the server: either as an NTSTATUS value or as an SMBSTATUS value. For more details on the NT statuses you can check the official documentation at http://msdn.microsoft.com/en-us/library/cc704588.aspx. If you are looking for the SMB statuses, check the CIFS documentation at http://msdn.microsoft.com/en-us/library/ee441884.aspx.

We have classified these statuses into three categories depending on their severity, as shown in the table below.

Table 13.10: CIFS status categories (NTSTATUS, ordered by severity)

0x00000000  SMB_STATUS_OK
0x00000080  NT_STATUS_ABANDONED
0x000000c0  NT_STATUS_USER_APC
0x00000100  NT_STATUS_KERNEL_APC
0x00000101  NT_STATUS_ALERTED
0x00000102  NT_STATUS_TIMEOUT
0x00000103  NT_STATUS_PENDING
0x00000104  NT_STATUS_REPARSE
0x00000105  STATUS_MORE_ENTRIES
0x00000106  NT_STATUS_NOT_ALL_ASSIGNED
0x00000107  NT_STATUS_SOME_NOT_MAPPED
0x00000108  NT_STATUS_OPLOCK_BREAK_IN_PROGRESS
0x00000109  NT_STATUS_VOLUME_MOUNTED
0x0000010a  NT_STATUS_RXACT_COMMITTED
0x0000010b  NT

Further codes of the same (success) block on this page, whose names did not survive extraction: 0x0000010c to 0x0000010e, 0x00000110 to 0x00000119, 0x00000120 to 0x00000124, 0x00000367, 0x00010002, 0x00050002, 0x00060001, 0x000c0001, 0x00160002, 0x005b0002.
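The severity of an NTSTATUS value is carried in its two most significant bits (00 success, 01 informational, 10 warning, 11 error), which is the property the three categories above rest on; an SMBSTATUS value instead carries a DOS error class in its low byte. The following added example (written for this page, not SecurActive code) classifies a raw 32-bit status field either way, resolves the common statuses of section 2.8 to their names, and then applies the classification to a constructed set of CIFS events to flag clients producing bursts of errors. The status numbers are the standard Windows NTSTATUS values; folding the informational severity into "success", the benign-error exception, and the sample events are this example's assumptions.

```python
"""Added example (not SecurActive code): classify a raw CIFS/SMB status field the way
section 13.6 describes and count error bursts per client. Status values are the
standard Windows NTSTATUS numbers; the sample events are constructed."""
from collections import Counter

# NTSTATUS carries its severity in the two most significant bits.
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

# The "common statuses" of section 2.8, keyed by their NTSTATUS value.
COMMON_STATUSES = {
    0xC000000E: "STATUS_NO_SUCH_DEVICE",
    0xC000000F: "STATUS_NO_SUCH_FILE",
    0xC0000016: "STATUS_MORE_PROCESSING_REQUIRED",
    0xC0000022: "STATUS_ACCESS_DENIED",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
    0xC0000039: "STATUS_OBJECT_PATH_INVALID",
    0xC000003A: "STATUS_OBJECT_PATH_NOT_FOUND",
    0xC000003B: "STATUS_OBJECT_PATH_SYNTAX_BAD",
    0xC0000041: "STATUS_PORT_CONNECTION_REFUSED",
    0xC000009B: "STATUS_DFS_EXIT_PATH_FOUND",
    0xC00000FC: "STATUS_REDIRECTOR_STARTED",
    0xC000011F: "STATUS_TOO_MANY_OPENED_FILES",
    0xC0000123: "STATUS_FILE_DELETED",
    0xC0000205: "STATUS_INSUFF_SERVER_RESOURCES",
}

# Error-severity codes that are part of normal protocol operation rather than failures:
# MORE_PROCESSING_REQUIRED is the server asking for the next NTLMSSP/SPNEGO round in
# SESSION_SETUP, so it is excluded from the per-client error count below (assumption).
BENIGN_ERRORS = {0xC0000016}


def nt_severity(status):
    """Severity name of an NTSTATUS value ('success', 'informational', 'warning', 'error')."""
    return SEVERITY[(status >> 30) & 0x3]


def classify(status, nt_status=True):
    """Map a 32-bit status field to the guide's three categories.

    nt_status=False means the session negotiated DOS error codes (SMBSTATUS): the low
    byte is the error class (0 = success) and the high 16 bits the error code; any
    non-zero class is reported as an error since DOS codes carry no warning level.
    Folding 'informational' into 'success' is this example's assumption, not the guide's
    documented rule; the appendix table is authoritative for the product.
    """
    if not nt_status:
        return "success" if (status & 0xFF) == 0 else "error"
    sev = nt_severity(status)
    return "success" if sev == "informational" else sev


def status_name(status):
    """Symbolic name for the common statuses, hex otherwise."""
    return COMMON_STATUSES.get(status, "0x%08x" % status)


def error_bursts(events, threshold):
    """Clients that produced at least `threshold` error statuses.

    `events` is an iterable of (client_ip, command, status) tuples. A burst of
    ACCESS_DENIED / OBJECT_*_NOT_FOUND from one client is what a share or file
    enumeration looks like on the wire, so it deserves a look even when the server
    side reports no performance problem.
    """
    errors = Counter()
    for client, _command, status in events:
        if classify(status) == "error" and status not in BENIGN_ERRORS:
            errors[client] += 1
    return {client: n for client, n in errors.items() if n >= threshold}


# Constructed sample, not a capture: one client probing paths, two behaving normally.
SAMPLE_EVENTS = [
    ("192.168.20.205", "create", 0xC0000022),
    ("192.168.20.205", "create", 0xC0000034),
    ("192.168.20.205", "create", 0xC000003A),
    ("192.168.20.205", "create", 0xC0000022),
    ("192.168.20.212", "session_setup", 0xC0000016),
    ("192.168.20.212", "read", 0x00000000),
    ("192.168.20.217", "read", 0x80000005),   # STATUS_BUFFER_OVERFLOW: a warning
]

if __name__ == "__main__":
    for client, cmd, st in SAMPLE_EVENTS:
        print(client, cmd, status_name(st), classify(st))
    print("bursts:", error_bursts(SAMPLE_EVENTS, threshold=3))
```

With the sample above, only 192.168.20.205 is reported (four errors), while the MORE_PROCESSING_REQUIRED of 192.168.20.212 is recognised as a normal session-setup round trip and 192.168.20.217's BUFFER_OVERFLOW lands in the warning category, which is the distinction the severity bits give you for free.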
Protocol    Description                                   Application stack
IPv4        Internet Protocol version 4                   Ethernet/IPv4
IPv6        Internet Protocol version 6                   Ethernet/IPv6
IRC         Internet Relay Chat                           Ethernet/IPv4/TCP/IRC
Jabber      Extensible Messaging and Presence Protocol    Ethernet/IPv4/TCP/Jabber
MGCP        Media Gateway Control Protocol                Ethernet/IPv4/UDP/MGCP/SDP
MySQL       MySQL or MariaDB databases                    Ethernet/IPv4/TCP/MySQL
Netbios     Network Basic Input/Output System             Ethernet/IPv4/TCP/Netbios
NTP         Network Time Protocol                         Ethernet/IPv6/UDP/NTP
PCanywhere  Symantec's PCanywhere                         Ethernet/IPv4/TCP/PCanywhere
POP         Post Office Protocol                          Ethernet/IPv6/TCP/POP
PostgreSQL  PostgreSQL database                           Ethernet/IPv4/TCP/PostgreSQL
RDP         Remote Desktop Protocol                       Ethernet/IPv4/TCP/RDP
RTCP        RTP Control Protocol                          Ethernet/IPv4/UDP/RTCP
RTP         Real-time Transport Protocol                  Ethernet/IPv4/UDP/RTP
SDP         Session Description Protocol                  Ethernet/IPv4/UDP/SIP/SDP
SIP         Session Initiation Protocol                   Ethernet/IPv4/UDP/SIP
SKINNY      Skinny Client Control Protocol                Ethernet/IPv4/TCP/SKINNY
SMTP        Simple Mail Transfer Protocol                 Ethernet/IPv4/TCP/SMTP
SSLv2       Secure Sockets Layer                          Ethernet/IPv4/TCP/SSLv2
TCP         Transmission Control Protocol                 Ethernet/IPv4/TCP
TDS         Tabular Data Stream                           Eth
ernet/IPv4/TCP/TDS
TDS msg     Tabular Data Stream messages                  Ethernet/IPv4/TCP/TDS/TDS msg
Telnet      Interactive terminal                          Ethernet/IPv4/TCP/Telnet
TLS         Transport Layer Security                      Ethernet/IPv4/TCP/TLS
TNS         Transparent Network Substrate (Oracle)        Ethernet/IPv4/TCP/TNS
UDP         User Datagram Protocol                        Ethernet/IPv4/UDP
[Figure residue: HTTP hit table rows with payloads of 494 to 861 bytes and response times of 43 to 45 ms]

Using the graphs you can check HTTP status and performance, including timing, error rate and payload size over time.

2.6 HTTP Analysis

[HTTP Performance Chart, 2013-03-16 12:00 to 2013-03-17 00:00, aggregate level 15 minutes. Filters: Client Zone, Server Zone, Client IP, Server IP, Device id, HTTP Status, Host, Poller, Client or server IP, VLAN, Custom Filters (BETA). Panels: Page LT (Load Time) and Hit RT (Response Time) over time; Hits in Error (4xx & 5xx), Page Count and Total Hit Count over time; Response Content Length (avg) and Query Content Length (avg) over time. Summary on the right: Page LT avg, Hit RT avg, Hits in Error (4xx & 5xx) sum, Page Count sum.]
Example of valid inputs: MySQL, TNS. Example of invalid inputs: MySQL

13.2.32 String

A character string enclosed between single or double quotes. It can contain wildcards that match anything or, for a more accurate search, it can carry the regular-expression prefix, in which case the value is treated as a regular expression pattern.
Operators:
Example of valid inputs: "some thing" (a quoted literal, with or without wildcards); a quoted regular-expression pattern.
Example of invalid inputs: a value not enclosed between quotes.

13.2.33 Wildcard or regex

Either a string containing wildcards, or a regular expression if it carries the regular-expression prefix. The value should be surrounded by single or double quotes.
Operators:
Example of valid inputs: "google.com", "Securactive.org"
Example of invalid inputs: foo.com (not enclosed between quotes)

13.2.34 Zone name

The name of a zone using the path notation (Private/Local). The equality operator will return results matching only this specific zone, whereas the "in" operator will also return results contained in children zones. Note that the value must be enclosed between single or double quotes.
Operators:
Example of valid inputs: "Private/Local"
Example of invalid inputs: "NonExistent Zone"

13.3 SPV For Developers

For developers, it is possible to programmatically generate and retrieve the result pages as HTML or PDF.

13.3.1 Getting Data

To request a page you will use the same URL that you would in a Web browser. Filters are implemented in the URL; the f
  Port Range: 1433
  IP protocol:
  IP Server: 192.168.1.4/32

An HTTP application running on a server along with several other applications will be defined as follows:

  Web Application
  Pattern: *intranet.securactive.lan*

3.4 IP Merging

In order to maximize usage of the available disk space, some information is removed to allow better aggregation. This is the case for the IP data of foreign hosts on aggregation levels 3 and 4.

3.4.1 Principle

Upon data consolidation at the third aggregation level, all IPs tagged on the Internet zone (or whatever name was given to this default zone) are removed in favor of a merged identifier. Consequently, these IPs will appear as "merged" in all tables where IP values are displayed if the IP belonged to the Internet zone and your observation period is such that the third or the fourth aggregation level is used. This will happen with long observation periods (8 hours) and also on old data (1 week old).

One consequence for incident work: once a conversation has been consolidated at level 3 or 4, the foreign address behind a "merged" row can no longer be recovered from the product's tables. If an investigation needs the actual external IP, query it while the data is still held at a lower aggregation level, or take it from the packet captures.

3.4.2 Example

Let's say a user has access to the Internet zone, using the same application (for example a web browser, using HTTP on port 80) to access different web sites for a period of time. Originally you will see, for that period:

Client Zone  Client IP      Server Zone       Server IP      Application  Traffic
Internet     86.71.197.86   Private/fallback  192.168.50.34  http         535 Bytes

Figure 3.2: TCP conversation b
RST packets

A TCP connection is reset by a RST packet. There is no need to acknowledge such a packet: the closure is immediate. A RST packet may have many meanings:
• If a TCP client tries to reach a server on a closed port, the server sends a RST packet. The connection attempt could be a malicious one (port scanning, nmap, etc.) or the consequence of an unexpectedly down server (client/server misconfiguration, server restart, etc.).
• A router might send a RST packet if the incoming TCP packet does not fit the security policy (the source IP address range is banned, the number of connection attempts is too high in a small period of time, etc.).
• A QoS (Quality of Service) equipment limits the bandwidth or the number of connections by sending a RST packet to any new connection attempt.
• If an Intrusion Detection System (e.g. Snort) detects a malicious connection, it can send a RST packet to roughly close it.
• If a host between Client and Server wants to do a Denial of Service, it can reset the connection by sending RST to both peers. Basically it is the same mechanism as the previous one, but the motivation is quite different.

A reset that answers the initial SYN and a reset in the middle of an established exchange are worth telling apart when reading the TCP events: the first points at a closed or filtered port, the second at one of the in-path devices listed above, since a passive probe cannot distinguish a RST emitted by the server from one injected on its behalf.

Retransmissions

One of the TCP metrics which is interesting to analyze is the retransmission. A TCP retransmission is when a TCP packet is resent after having been either lost or damaged. Such a retransmitted packet is identified thanks to its sequence number. In SecurActive SPV we do not consider packets with no payload
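The two rules stated above, identification by sequence number and no payload-less packets, are enough to compute a retransmission count and rate per connection from a passive capture, and the position of a RST in the exchange is enough to separate the "closed port" case from a reset of an established connection. The following added example (written for this page, not SecurActive's metric code) does both on a list of packets given as (direction, seq, payload length, flags) tuples; the packet lists are constructed, and the heuristic is deliberately the simple one the text describes, so a segment that merely arrived out of order is counted too.

```python
"""Added example (not SecurActive code): flag TCP retransmissions by sequence number and
record how a connection was reset, following the rules in the text above: only packets
that carry payload count, and a reset closes the connection immediately. The packet
lists are constructed, not captured."""
from typing import Dict, List, Tuple

SEQ_MASK = 0xFFFFFFFF
HALF = 0x80000000

# (direction, seq, payload_len, flags); flags is a string such as "S", "SA", "A", "R", "PA"
Packet = Tuple[str, int, int, str]


def seq_lt(a: int, b: int) -> bool:
    """a < b in 32-bit sequence space (handles wrap-around)."""
    return ((a - b) & SEQ_MASK) >= HALF


def analyze_flow(packets: List[Packet]) -> Dict[str, object]:
    """Walk a single connection's packets in capture order.

    A packet with payload whose sequence number lies before the highest byte already
    seen in that direction is counted as a retransmission (a segment that simply
    arrived out of order also satisfies this rule; that is inherent to a passive,
    sequence-number-only probe). Pure ACKs and keep-alives (no payload) are ignored.
    The first RST ends the analysis; "reset_after" tells whether it answered a bare SYN
    (closed or filtered port) or cut an exchange that already carried data.
    """
    highest_end: Dict[str, int] = {}   # direction -> highest seq+len seen so far
    data_packets = 0
    retrans = 0
    saw_data = False
    reset_after = None
    for direction, seq, length, flags in packets:
        if "R" in flags:
            reset_after = "data" if saw_data else "syn"
            break                       # closure is immediate, nothing follows a RST
        if length == 0:
            continue                    # SYN, ACK, FIN, keep-alive: not a data packet
        saw_data = True
        data_packets += 1
        end = (seq + length) & SEQ_MASK
        prev = highest_end.get(direction)
        if prev is not None and seq_lt(seq, prev):
            retrans += 1                # bytes below the high-water mark: seen before
        if prev is None or seq_lt(prev, end):
            highest_end[direction] = end
    return {
        "data_packets": data_packets,
        "retransmissions": retrans,
        "retransmission_rate": (retrans / data_packets) if data_packets else 0.0,
        "reset_after": reset_after,
    }


# Constructed sample: client retransmits once, server retransmits the same segment twice.
SAMPLE_FLOW: List[Packet] = [
    ("c2s", 1000, 0, "S"),
    ("s2c", 5000, 0, "SA"),
    ("c2s", 1001, 0, "A"),
    ("c2s", 1001, 100, "PA"),
    ("c2s", 1101, 100, "PA"),
    ("c2s", 1001, 100, "PA"),      # retransmission of the first data segment
    ("s2c", 5001, 1460, "A"),
    ("s2c", 6461, 1460, "A"),
    ("s2c", 5001, 1460, "A"),      # retransmission, lost again
    ("s2c", 5001, 1460, "A"),      # final retransmission
    ("c2s", 1201, 0, "A"),         # pure ACK, ignored
    ("s2c", 7921, 200, "PA"),
]

# Constructed sample: SYN answered by RST, the closed-port / port-scan case from the text.
SAMPLE_REFUSED: List[Packet] = [
    ("c2s", 42, 0, "S"),
    ("s2c", 0, 0, "RA"),
]

if __name__ == "__main__":
    print(analyze_flow(SAMPLE_FLOW))
    print(analyze_flow(SAMPLE_REFUSED))
```

For SAMPLE_FLOW the result is 8 data packets, 3 retransmissions and a rate of 0.375; SAMPLE_REFUSED yields no data packet and reset_after "syn". Sequence comparison goes through seq_lt rather than plain "<" so that a connection whose sequence numbers wrap past 0xFFFFFFFF is not flooded with false retransmissions.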
What's New in 2.12 (continued)

• Metrics: Traffic, Packet Count, Retransmission Rate (RR), Round Trip Time (RTT).
• GUI: one-click integration from Performance Vision to WildPackets OmniPeek, take the best of both worlds. High level: identify issues and drill down to specific traffic with Performance Vision. Low level: in-depth troubleshooting at packet level with WildPackets OmniPeek.
• Zones: high flexibility in network zone definition to easily deal with complex architectures (Subnet, MAC Address, VLAN, Listening Device, Poller).
• Zones: support for CSV-based zone definition through both import and export. Manage your network zones with the internal editor or use your own favorite tool (Excel or any other CSV-capable application).
• Reports: possibility to edit/modify parameters page per page.
• Sniffer: Junkie is now in charge of zone/application tagging, so this work is distributed on each poller.
• Sniffer: support for the MTU metric.
• Sniffer: Junkie now gets the PCAP files from the pcap replay directory as if they came from a new network interface.

1.13 What's new in 2.9

1.13.1 New Features
• Alerts: Business Critical Networks metrics are available through SNMP. The values can be queried through SNMP (Performance Vision MIB).
• Metrics: implementation of a new heuristic to find out clients from servers without SYN packets.
• Metrics: support for HTTP chunked transfer encoding.

1.13.2 Chang
Table 13.10 (continued)

0xc000026c  NT_STATUS_DRIVER_UNABLE_TO_LOAD
0xc000026d  NT_STATUS_DFS_UNAVAILABLE
0xc000026e  NT_STATUS_VOLUME_DISMOUNTED
0xc000026f  NT_STATUS_WX86_INTERNAL_ERROR
0xc0000270  NT_STATUS_WX86_FLOAT_STACK_CHECK
0xc0000271  NT_STATUS_VALIDATE_CONTINUE
0xc0000272  NT_STATUS_NO_MATCH
0xc0000273  NT_STATUS_NO_MORE_MATCHES
0xc0000275  NT_STATUS_NOT_A_REPARSE_POINT
0xc0000276  NT_STATUS_IO_REPARSE_TAG_INVALID
0xc0000277  NT_STATUS_IO_REPARSE_TAG_MISMATCH
0xc0000278  NT_STATUS_IO_REPARSE_DATA_INVALID
0xc0000279  NT_STATUS_IO_REPARSE_TAG_NOT_HANDLED
0xc0000280  NT_STATUS_REPARSE_POINT_NOT_RESOLVED
0xc0000281  NT_STATUS_DIRECTORY_IS_A_REPARSE_POINT
0xc0000282  NT_STATUS_RANGE_LIST_CONFLICT
0xc0000283  NT_STATUS_SOURCE_ELEMENT_EMPTY
0xc0000284  NT_STATUS_DESTINATION_ELEMENT_FULL
0xc0000285  NT_STATUS_ILLEGAL_ELEMENT_ADDRESS
0xc0000286  NT_STATUS_MAGAZINE_NOT_PRESENT
0xc0000287  NT_STATUS_REINITIALIZATION_NEEDED
0xc000028a  NT_STATUS_ENCRYPTION_FAILED
0xc000028b  NT_STATUS_DECRYPTION_FAILED
0xc000028c  NT_STATUS_RANGE_NOT_FOUND
0xc000028d  NT_STATUS_NO_RECOVERY_POLICY
0xc000028e  NT_STATUS_NO_EFS
0xc000028f  NT_STATUS_WRONG_EFS
0xc0000290  NT_STATUS_NO_USER_KEYS
0xc0000291  NT_STATUS_FILE_NOT_ENCRYPTED
0xc0000292  NT_STATUS_NOT_EXPORT_FORMAT
0xc0000293  NT_STATUS_FILE_ENCRYPTED
0xc0000
[Figure: SecurActive Performance Vision, interpreting RTT, SRT and DTT (sequence diagrams between client and server, times in ms). Panel 1, standard 1-packet query from the client: RTT server is measured on the server's ACK, SRT while the client awaits the data response; an optional empty ACK from the server is common if the compute time of the response is long; the 1-packet response from the server is acknowledged by the client, so the Data Transfer Time (DTT server) is null. Panel 2, standard multi-packet query from the client with a multi-packet response from the server: DTT client for the query, RTT server on the optional ACK from the server, SRT until the start of the multi-packet response, the first part of the data is pushed by the server, optional ACKs from the client give RTT client, DTT server until the last part of the response. Panel 3, retransmission: a packet containing data is lost, the acknowledgment from the client hints the server that it was not received correctly, the server retransmits it and it is lost again, a second ACK from the client is still waiting for the next packet, and a final retransmission is correctly acknowledged by the client. Legend: FIN server, FIN client.]
Figure 6.24 Network Connection: the Add Hardware wizard, Network Type step ("What type of network do you want to add?"). Fields: Device Type, Adapter Type (Flexible), Network Connection (Network label, Network Port), Device Status (Connect at power on). The wizard notes that the adapter choice can affect both networking performance and migration compatibility; consult the VMware Knowledge Base for more information on choosing among the network adapters supported for various guest operating systems and hosts.

Click on Finish to complete the operation.

6.4 Validate the traffic capture

You can power on the virtual appliance and validate the traffic capture. There are two main methods to validate the traffic capture: with the graphical interface (GUI) or with Pulsar.

- With the GUI, as an example, you can monitor the bandwidth after 6 minutes of listening by clicking on the green validation button. See Use The PV Graphical Interface for more information about how to use the GUI.
- With Pulsar, connect via SSH, or from the virtual appliance console on the ESX, and type bmon. See Pulsar for more information about the command line interface.

Figure: Add Hardware wizard, Ready to Complete step ("Review the selected options and click Finish to add the hardware"). Options: Device Type: Network connect[ion]. Ready to Comp
VNC  Virtual Network Computing  Ethernet / IPv4 / TCP / VNC

13.5 Licenses of open source libraries

13.5.1 Operating System

SPV uses the Debian operating system (http://www.debian.org). SPV does not use the non-free repository provided by Debian. According to the Debian Social Contract v1.1 (April 26, 2004), the license of a Debian component may not restrict any party from selling or giving away the software as a component of an aggregate software distribution containing programs from several different sources, and the license may not require a royalty or other fee for such sale.

13.5.2 License inventory for the sniffer

- glibc: GNU Lesser General Public License
- guile library: GNU General Public License version 2 or later, with exceptions (no copyleft on link)
- guile-sqlite3: GNU Lesser General Public License version 3 or later
- Junkie: Copyright and AGPLv3
- libpcap library: BSD-style license (3-clause BSD)
- libgc: libgc license
- libuuid: libuuid license
- openssl library: BSD-style license (SSLeay license)
- p0f fp file: GNU Lesser General Public License

13.5.3 License inventory for the javascript GUI

13.5.4 License inventory for GUI and database management

- jquery: The MIT License
- jquery.mb.browser: The MIT License or GNU General Public License
- jquery multiple select: The MIT License
- jquery ui: The M
[...]s needed to upgrade some third-party internal software; the information is available in the release note of the new version. These packages are called Service Packs. To apply them, put the file SPV ServicePackX rY bin using the same method.

9.9.1 Check the license or upgrade

The status of the license can be validated in Pulsar with the command poller:

    Usage: poller | poller add IP | poller modify | poller delete
    APS poller
      Name:             APS
      Address:          localhost
      Created the:      2612 82 18 17 23
      Device ID:        564D9B2D C67F 0562 38B6 84806858682
      Device:           89fa724182B8bafe6fcc8B8da13b3644d2a
      Time:             2012-02-15 17:24
      SPV Version:      2.5.13.2
      Sniffer status:   ok (pid 2768)
      Sniffer version:  2.5.13
      License:          invalid
      Expiration:       no limit

Figure 9.8 Pulsar poller command

It can also be done through the web interface, in the page Poller status of the Configuration section. The page displays the SPV version and the License Status, so you can see whether your upgrade or license is correctly installed.

Figure 9.9 Poller Status page (invalid license). Columns: Name, Created, Address, Device ID, Probe Time, Version, State (is the sniffer working?), Sniffer version. Row: APS, 2012-02-24 11:01, localhost, 564DBD87..., 2012-02-24 11:41, 2.5.13.2, ok (pid 2869), 2.5.13.

9.9 License and Upgrade Installation
1st element: the evolution of End User Response Time through time.

Figure 8.9 End User Response Time (EURT) graph

This EURT graph shows the evolution of the quality of experience for the users of this application over the period of time. The number of transactions helps you consider the evolution of the EURT with rigor and common sense: you would not consider a degradation of End User Response Time for 10 applicative transactions in the same way as for 10,000. The breakdown into three intelligible components (RTT for network latency, SRT for Server Response Time and DTT for Data Transfer Time) lets you know at first glance what the origin of a possible performance degradation is. For example, in the screenshot above we can observe an increase in the SRT, while the network latency and the time required to send the response to the client have not increased. Either the server overall responded slower, or some specific queries required a much longer treatment time; you can determine which by drilling down to that specific point in time.

2nd element: EURT by Server

Figure 8.10 EURT by server (breakdown by server; horizontal axis from 50 to 250 ms)

What we can see here is a comparison between the EURT for that application on each server that provides this application. In this case it is obvious that Atla
(Diagram: Sniffer Data flow between pollers and collector.)

The pollers listen to and analyze the network traffic. The collector receives data from the pollers, integrates it in the database and then provides access to the data through the Web UI. You can add a new poller via Pulsar with the command poller add IP. The specified IP of the poller must be reachable over SSH (port 22). The Pollers Status page in the Configuration menu displays some status information about the pollers.

5.5 Distributed Architecture

5.5.2 Where is data being merged or segregated?

The data is merged (i.e. the data is integrated in the reports with no consideration for the poller which captured it) in:

- Business Critical Application Dashboard
- Business Critical Network Dashboard
- Application dashboards
- Graphs (performance, bandwidth, matrix)
- Comparison tables (Client / Server / Network performance, Application performance)

Please note that in these reports you can enter a filter to view the data captured by one poller only.

The data is segregated (i.e. the data is kept separated depending on the poller which captured it) in all other tables. Please note that in these tables, for a single conversation viewed by two pollers, you will get two lines.

5.5.3 What happens if a poller does not answer?

If the connection to a poller is broken, the collector waits for it for 10 minutes. After this time
[...] according to the bandwidth available (Mib/s).

- A minimum volume for triggering (Mib/s): this value represents the minimum bandwidth observed from which you will consider the performance and volume thresholds as relevant.

The threshold values can be configured as symmetric by ticking the Symmetric Link check box, or be configured as distinct values for both directions. This is particularly useful when the critical network refers to asymmetric connections (like ADSL), or has one of its zones closer to the poller than the other zone so that the latency (RTT) computation is impacted (see Distributed Architecture).

You can define thresholds from one criterion or more, among the following: latency, retransmission rate and consumption level. But you cannot define a BCN from one zone to itself, as the intended purpose of a BCN is to check the performance of the most important links or routes between two network segments.

By applying your changes, the BCN Dashboard will be updated in accordance with the new threshold values, including for already captured data.

To be useful and pertinent, these parameters must be accurate values adjusted to your network configuration. These values can be easily changed for fine tuning or to cope with any change in the network or the applications you are using.

7.3.6 Reports

Creating reports is just a matter of a few clicks. You can easily create and define exactly the level of information you want to get. You will receive it
Figure 8.8 Overall view of the application dashboard (EURT scale from 2500 ms to 4500 ms)

8.4.1 How can it help?

For reporting: in a single report you have enough to explain to a business user or a manager how the application performance went through time, which servers were doing worse and which zones were impacted. On top of the EURT, all this is based on three synthetic metrics that are easy to explain, so that you can address non-technical people with an understandable account of what is going on:

- RTT: network performance
- SRT: server performance
- DTT: delivery of the application response through the network

8.4 Application dashboards

For troubleshooting: for network administrators, this report brings together all the information about a business application required to validate whether there is a slowdown or not, to identify the origin of a slowdown (network, application response, delivery), and to see which users or servers were impacted. In no more than one click you can conclude whether there was a slowdown or not, what the origin of the degradation was, and which client zones were impacted. With a single additional click (i.e. two clicks in total) you can view whether all clients in a zone were impacted, or whether the server response time degradation was due to another application hosted on the same server machine.

8.4.2 Components
Figure 7.10 Business critical application edition

- The warning threshold level of the EURT (End User Response Time) value, in milliseconds. When the value is above or equal to this level, the color displayed on the BCA dashboard will be orange; when the value is under this level, the color will be green.
- The alert threshold level of the EURT value, in milliseconds. When the value is above or equal to this level, the color displayed on the BCA dashboard will be red.

Note: To be useful and pertinent, these parameters must be accurate values adjusted to your network configuration. These values can be easily changed for fine tuning or to cope with any change in the network or the applications you are using.

A newly defined critical application benefits from all the data history: if data has already been collected for this application, the threshold levels will be automatically applied on the dashboard, even for a period back in time.

7.3.5 Business Critical Networks

A BCN consists of a virtual link between two zones. Its objective is to monitor normal volume and performance levels between two network segments which represent a strategic network link for your organization (e.g. the link from the data center to a remote site, or from the server VLAN to a user VLAN). The administrator can configure thresholds for warning and alert on bandwidth consu
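The colour rule of the BCA dashboard and the per-direction threshold logic of a BCN (including the "minimum volume for triggering" and the Symmetric Link option described in the BCN section), written out as an added example. This is not PV's code; the threshold pairs, zone names and observed values are constructed, a criterion left as None is assumed not to be evaluated, and a direction whose observed bandwidth is below the minimum volume is assumed to report green because its thresholds are not yet relevant.

```python
"""Added example (not PV's code): BCA colour rule and BCN threshold evaluation
as described in the Business Critical Application / Network sections.
Assumptions: a threshold is a (warning, alert) pair; a criterion set to None is
not evaluated; a direction below the minimum volume for triggering is green."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

GREEN, ORANGE, RED = "green", "orange", "red"
_RANK = {GREEN: 0, ORANGE: 1, RED: 2}
Threshold = Tuple[float, float]  # (warning, alert) in the unit of the measured value


def level(value: float, threshold: Optional[Threshold]) -> str:
    """The rule the page gives for EURT, reused for every BCN criterion:
    value >= alert -> red, value >= warning -> orange, otherwise green."""
    if threshold is None:
        return GREEN
    warning, alert = threshold
    if warning > alert:
        raise ValueError("warning threshold must not exceed the alert threshold")
    if value >= alert:
        return RED
    if value >= warning:
        return ORANGE
    return GREEN


def bca_color(eurt_ms: float, warning_ms: float, alert_ms: float) -> str:
    """Colour of a Business Critical Application cell from its EURT (ms)."""
    return level(eurt_ms, (warning_ms, alert_ms))


@dataclass
class BcnDirection:
    """Thresholds for one direction of the virtual link."""
    latency_ms: Optional[Threshold] = None      # RTT
    retrans_pct: Optional[Threshold] = None     # retransmission rate
    bandwidth_mibs: Optional[Threshold] = None  # consumption level

    def defined(self) -> bool:
        return any(t is not None for t in (self.latency_ms, self.retrans_pct, self.bandwidth_mibs))


@dataclass
class Bcn:
    zone_a: str
    zone_b: str
    min_volume_mibs: float                 # "minimum volume for triggering"
    a_to_b: BcnDirection
    b_to_a: Optional[BcnDirection] = None  # None = "Symmetric Link": reuse a_to_b

    def __post_init__(self) -> None:
        if self.zone_a == self.zone_b:
            raise ValueError("a BCN links two different zones")
        if not self.a_to_b.defined():
            raise ValueError("at least one criterion is required")


def direction_color(th: BcnDirection, min_volume: float,
                    bandwidth_mibs: float, rtt_ms: float, retrans_pct: float) -> str:
    if bandwidth_mibs < min_volume:
        return GREEN  # too little traffic for the thresholds to be meaningful
    colours = (level(rtt_ms, th.latency_ms),
               level(retrans_pct, th.retrans_pct),
               level(bandwidth_mibs, th.bandwidth_mibs))
    return max(colours, key=_RANK.__getitem__)


Observed = Dict[str, Tuple[float, float, float]]  # "a_to_b"/"b_to_a" -> (Mib/s, RTT ms, retrans %)


def bcn_color(bcn: Bcn, observed: Observed) -> str:
    """Worst colour over both directions of the link."""
    back = bcn.b_to_a if bcn.b_to_a is not None else bcn.a_to_b
    forward = direction_color(bcn.a_to_b, bcn.min_volume_mibs, *observed["a_to_b"])
    backward = direction_color(back, bcn.min_volume_mibs, *observed["b_to_a"])
    return max((forward, backward), key=_RANK.__getitem__)


# Constructed configuration: an asymmetric ADSL link, so Symmetric Link is off and
# the upload direction gets its own, much lower, bandwidth thresholds.
ADSL = Bcn("remote-site", "datacenter", min_volume_mibs=0.1,
           a_to_b=BcnDirection(latency_ms=(50, 100), retrans_pct=(1, 3), bandwidth_mibs=(0.8, 1.0)),
           b_to_a=BcnDirection(latency_ms=(50, 100), retrans_pct=(1, 3), bandwidth_mibs=(6.0, 8.0)))

if __name__ == "__main__":
    print(bca_color(350, warning_ms=200, alert_ms=400))                               # orange
    print(bcn_color(ADSL, {"a_to_b": (0.05, 500, 10), "b_to_a": (7.0, 30, 0.5)}))     # orange
```

In the sample run the upload direction shows a 500 ms RTT but only 0.05 Mib/s of traffic, below the minimum volume, so it does not colour the link; the download direction is orange because 7.0 Mib/s reaches its warning level.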
[Request headers end] Accept-Charset: ISO-8859-1, utf-8;q=0.7, *;q=0.3

Response (view raw content / view body / Display):

    HTTP/1.0 200 OK
    Server: Apache
    X-Content-Type-Options: nosniff
    Cache-Control: private, s-maxage=0, max-age=0, must-revalidate
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Content-Length: 164
    Content-Type: text/javascript; charset=utf-8
    X-Cache: MISS from sq65.wikimedia.org
    X-Cache-Lookup: HIT from sq65.wikimedia.org:3128
    X-Cache: HIT from amssq34.esams.wikimedia.org
    X-Cache-Lookup: HIT from amssq34.esams.wikimedia.org:3128
    Age: 3
    X-Cache: HIT from knsq27.knams.wikimedia.org
    X-Cache-Lookup: HIT from knsq27.knams.wikimedia.org:80
    Connection: keep-alive

(The screenshot continues with a hex dump of the gzip-compressed response body.)

By default, for performance r
Information on the duplicated packets rate in Pulsar: this means that 5.12% of the listened traffic is duplicated.

Chapter 5 Deployment

5.4.5 Deduplication algorithm

The sniffer usually receives frames from multiple locations on a network, so it can be cumbersome, if not impossible, to avoid the situation where the same frames are mirrored several times toward the probe. Deduplication is the process of selectively ignoring packets that are artificial duplicates due to the network infrastructure. On the other hand, automatic deduplication makes it harder to find out whether duplicates were present in the network in the first place. The following sections cover the deduplication system, in order to help minimize duplication issues.

The packet sniffer detects and drops duplicate frames based on a digest of their content, which is compared to the digests of the packets received shortly before. After this rough description we are going to see in more depth over what content the signature is computed, which previous packets are considered, and how far back in the past the sniffer looks for duplicates.

When computing the digest, only a selected set of bytes is compared. For small frames, whose size is below the size of an IP header, all bytes are taken into account. For bigger frames, the bytes after the Ethernet header (including the VLAN tag if collapsing VLANs) and up to the 64th b
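The digest-and-lookback scheme described above, as an added example that is not the PV sniffer's code. The page does not give the exact byte window or the length of the lookback, so the following are assumptions: a 14-byte Ethernet header and a 4-byte 802.1Q tag; "small frame" means shorter than a 20-byte IP header; the digest covers a fixed 50-byte window after the header (the page's "up to the 64th byte" for an untagged frame), so that a tagged copy and its untagged twin digest alike when VLANs are collapsed; and the lookback is a time window in seconds. The frames are constructed.

```python
"""Added example (not PV's code): digest-based suppression of mirrored
duplicate frames, as section 5.4.5 describes it.  Byte offsets, the 50-byte
digest window and the time-based lookback are assumptions, not PV's values."""
import hashlib
from collections import deque
from typing import Deque, Optional, Set, Tuple

ETH_HDR, VLAN_TAG, IP_HDR = 14, 4, 20
WINDOW = 64 - ETH_HDR              # 50 bytes of digested content after the header
ETHERTYPE_8021Q = b"\x81\x00"


def digest(frame: bytes, collapse_vlans: bool = True) -> bytes:
    """Digest of the bytes that decide whether two frames are 'the same'."""
    if len(frame) < IP_HDR:
        selected = frame                   # tiny frame: every byte counts
    else:
        start = ETH_HDR
        if collapse_vlans and frame[12:14] == ETHERTYPE_8021Q:
            start += VLAN_TAG              # skip the tag so VLAN copies match the untagged frame
        selected = frame[start:start + WINDOW]
    return hashlib.blake2b(selected, digest_size=16).digest()


class Deduplicator:
    """Drop a frame whose digest was already seen during the last `lookback_s` seconds."""

    def __init__(self, lookback_s: float, collapse_vlans: bool = True) -> None:
        self.lookback_s = lookback_s
        self.collapse_vlans = collapse_vlans
        self._recent: Deque[Tuple[float, bytes]] = deque()  # (timestamp, digest), oldest first
        self._live: Set[bytes] = set()                        # digests still inside the window
        self.total = self.dropped = 0

    def _expire(self, now: float) -> None:
        while self._recent and now - self._recent[0][0] > self.lookback_s:
            self._live.discard(self._recent.popleft()[1])

    def accept(self, ts: float, frame: bytes) -> bool:
        """True if the frame should be analysed, False if it is an artificial duplicate."""
        self.total += 1
        self._expire(ts)
        d = digest(frame, self.collapse_vlans)
        if d in self._live:
            self.dropped += 1
            return False   # the copy is not re-recorded, so a stream of copies cannot extend the window
        self._live.add(d)
        self._recent.append((ts, d))
        return True

    def duplicate_rate(self) -> float:
        """Percentage, like the duplicated packets rate Pulsar reports."""
        return 100.0 * self.dropped / self.total if self.total else 0.0


def make_frame(payload: bytes, vlan_id: Optional[int] = None) -> bytes:
    """Constructed Ethernet frame (arbitrary addresses), optionally 802.1Q tagged."""
    header = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
    if vlan_id is not None:
        header += ETHERTYPE_8021Q + vlan_id.to_bytes(2, "big")
    return header + b"\x08\x00" + payload


# Constructed IPv4 packet stand-ins (60 bytes each) and the frames carrying them.
PAYLOAD_A = bytes(range(60))
PAYLOAD_B = bytes(range(60, 120))
FRAME_A = make_frame(PAYLOAD_A)
FRAME_A_TAGGED = make_frame(PAYLOAD_A, vlan_id=5)   # the same packet mirrored from a tagged port
FRAME_B = make_frame(PAYLOAD_B)

if __name__ == "__main__":
    dedup = Deduplicator(lookback_s=0.5)
    for ts, frame in ((0.000, FRAME_A), (0.001, FRAME_A_TAGGED), (0.002, FRAME_B), (1.000, FRAME_A)):
        print(ts, dedup.accept(ts, frame))
    print(f"{dedup.duplicate_rate():.2f}% duplicated")   # 25.00%
```

The fourth frame is an exact repeat of the first but arrives after the lookback window has expired, so it is analysed again: a copy that is late enough is indistinguishable from a genuine new packet with identical content, which is the trade-off the section warns about.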
0xc00000e3  NT_STATUS_INVALID_OPLOCK_PROTOCOL
0xc00000e4  NT_STATUS_INTERNAL_DB_CORRUPTION
0xc00000e5  NT_STATUS_INTERNAL_ERROR
0xc00000e6  NT_STATUS_GENERIC_NOT_MAPPED
0xc00000e7  NT_STATUS_BAD_DESCRIPTOR_FORMAT
0xc00000e8  NT_STATUS_INVALID_USER_BUFFER

Chapter 13 Appendix

Table 13.10, continued from previous page (NTSTATUS code, name, severity):

0xc00000e9  NT_STATUS_UNEXPECTED_IO_ERROR
0xc00000ea  NT_STATUS_UNEXPECTED_CREATE_ERR
0xc00000eb  NT_STATUS_UNEXPECTED_MAP_ERROR
0xc00000ec  NT_STATUS_UNEXPECTED_MM_EXTEND_ERR
0xc00000ed  NT_STATUS_NOT_LOGON_PROCESS
0xc00000ee  NT_STATUS_SESSION_EXISTS
0xc00000ef  NT_STATUS_INVAL
0xc00000f0 to 0xc000011f
Example of valid inputs: 0, NoError, ServFail
Example of invalid inputs: 45778, SomeCode

13.2.16 Date and time

A date and time value of the following format: 'YYYY-MM-DD hh:mm'. Note that the value must be enclosed between simple or double quotes.
Operators: <, <=, >, >=
Example of valid inputs: '2000-01-01 00:00', "2012-06-14 17:15"
Example of invalid inputs: 2000-01-01, 2013-11-02 14:58

13.2.17 Decimal or hexa

Either a decimal number or a hexadecimal number, which must be prefixed by 0x.
Operators: <, <=, >, >=
Example of valid inputs: 0x21, 0x7a5E, 4
Example of invalid inputs: 0X45, 0xTH

13.2.18 Duration

A duration in microseconds, minutes, etc., depending on the unit set. The lowest value is in microseconds, specified as us.
Operators: <, <=, >, >=
Example of valid inputs: 42115, 4us, 5m
Example of invalid inputs: 4 microseconds

13.2 Custom Filters

13.2.19 Ethernet Type

The Ethernet protocol ID.
Example of valid inputs: 0x0800, 2048
Example of invalid inputs: FOO, 123456789

13.2.20 HTTP Method

A symbol representing the HTTP method name.
Example of valid inputs: GET, HEAD
Example of invalid inputs: get

13.2.21 HTTP status

An HTTP status number or a symbol representing the category of HT
Table 13.10, continued from previous page (NTSTATUS name, severity):

RPC_NT_INVALID_ASYNC_HANDLE
RPC_NT_INVALID_ASYNC_CALL
RPC_NT_PROXY_ACCESS_DENIED
RPC_NT_NO_MORE_ENTRIES
RPC_NT_SS_CHAR_TRANS_OPEN_FAIL
RPC_NT_SS_CHAR_TRANS_SHORT_FILE
RPC_NT_SS_IN_NULL_CONTEXT
RPC_NT_SS_CONTEXT_MISMATCH
RPC_NT_SS_CONTEXT_DAMAGED
RPC_NT_SS_HANDLES_MISMATCH
RPC_NT_SS_CANNOT_GET_CALL_HANDLE
RPC_NT_NULL_REF_POINTER
RPC_NT_ENUM_VALUE_OUT_OF_RANGE
RPC_NT_BYTE_COUNT_TOO_SMALL
RPC_NT_BAD_STUB_DATA
RPC_NT_INVALID_ES_ACTION
RPC_NT_WRONG_ES_VERSION
RPC_NT_WRONG_STUB_VERSION
RPC_NT_INVALID_PIPE_OBJECT
RPC_NT_INVALID_PIPE_OPERATION
RPC_NT_WRONG_PIPE_VERSION
RPC_NT_PIPE_CLOSED
RPC_NT_PIPE_DISCIPLINE_ERROR
RPC_NT_PIPE_EMPTY

13.6 CIFS Status Categories

Index

Aggregation, 33, 121
Aggregation period, 127
Alerting, 76
Application, 29, 70, 99, 105, 127
Application NC, 127
Application Port Range, 127
Autopcap, 92
Bandwidth Chart, 13
BCA, 72, 81
BCN, 73, 82
Browser, 121
Business Critical Application, 72, 81
Business Critical Network, 73, 82
Byte, 27
Cacti, 131
Client, 31
Collector, 127
Connection Time (CT), 127
Conversation, 30, 121, 127
CSV, 23
Dashboard, 81, 82, 86, 89
Data Transfer Time (DTT), 127
Deduplication, 43, 122
Delta sessions, 127
Destination, 31
Device
The ESX physical adapter will be bound to the new virtual network (here VM Network2). Click on Next. We can customize the new network label (Mirror here); the VLAN ID is optional, for VLAN tags.

6.3 Installation

Figure 6.14 Add Network Wizard, Connection Type ("Networking can be partitioned to accommodate each service that requires connectivity"). Connection Types: Virtual Machine (add a labeled network to handle virtual machine network traffic) or VMkernel (the VMkernel TCP/IP stack handles traffic for the ESXi services: vSphere vMotion, iSCSI, NFS and host management). Select Virtual Machine as Connection Type, then click on Next.

Figure 6.15 vSphere Switch: Add Network Wizard, Virtual Machines, Network Access ("Select which vSphere standard switch will handle the network traffic for this connection. You may also create a new vSphere standard switch using the unclaimed network adapters listed below."). Create a vSphere standard switch; adapters listed (Intel Corporation 82571EB Gigabit Ethernet Controller): vmnic1 Down, vmnic2 Down, vmnic3 100 Half (networks 131.151.5.1 to 131.151.5.254, VLAN 5), vmnic4 Down, vmnic5 Down, vmnic6 Down, vmnic7 Down. Preview: Virtual Machine Port Group "VM Network 2" attached to physical adapter vmnic3.

Add Network Wizard, Virtual Machines, Connection Settings: "Use network labels to identify m
- Time-greedy application request: a complex SQL command can keep the server processing for many seconds.
- Application layer overloaded: too many requests, such that the server can't handle all of them in a small period of time.

Marginally, SRT can be affected by an increase of the network latency between the point of capture and the server (a parallel increase of the RTT server value).

To pinpoint the root cause of the slowdown, we first want to compare the SRT for a given (server, application) couple to the other applications on the very same server. If there is a blatant difference, the application is guilty. Otherwise, we want to compare it to other servers in the same zone, then in different zones.

DTT

DTT stands for Data Transfer Time. DTT server is defined as the time between the first data packet of the response (with the ACK flag and a non-null payload) from the server and the last packet considered as part of the same response (a packet belongs to the response if it carries the same acknowledgement number). FIN and RST packets, from the server or the client, are also considered as closing the sequence. A timeout cancels a DTT. Note that if the answer is small enough to be contained in only one packet, the DTT will be 0.

DTT client is the same metric in the other direction.

DTT (the sum of both server and client DTT) is meaningful of the time the user is going to have to wait for the response to circulate on the network from the server to the client. It is not dependent on
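The DTT definition above and the sequence figure of the interpretation chapter (simple one-packet exchange, multi-packet exchange with an optional bare ACK) turned into a small measurement routine, as an added example that is not PV's code. The page does not spell out how the other components are delimited, so these are assumptions: packets belong to one TCP connection and are listed in capture order; RTT server is the delay from the last request packet to the first server segment acknowledging all of it; SRT runs from that acknowledgement (or from the end of the request when the response data is itself the first acknowledgement) to the first response payload; RTT client is the delay from the last response packet to the client ACK covering it; the DTT timeout is a parameter. The two captures are constructed.

```python
"""Added example (not PV's code): RTT / SRT / DTT of one request-response
exchange from a packet list.  DTT follows the page's definition; the other
delimitations are assumptions described in the lead-in.  Times in seconds."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    ts: float
    src: str            # "client" or "server"
    seq: int
    ack: int
    payload: int        # TCP payload length in bytes
    fin_rst: bool = False


@dataclass
class Metrics:
    rtt_server: Optional[float]
    srt: Optional[float]
    dtt_client: Optional[float]
    dtt_server: Optional[float]
    rtt_client: Optional[float]


def data_burst(pkts: List[Pkt], start: int, timeout: float) -> Tuple[Pkt, Optional[Pkt]]:
    """pkts[start] is the first payload packet of a request or a response.
    Later payload packets from the same side with the same ack number extend the
    burst; a FIN/RST from either side, or payload from the other side, closes it.
    Silence longer than `timeout` inside the burst cancels the DTT (last = None)."""
    first = last = pkts[start]
    for p in pkts[start + 1:]:
        if p.fin_rst or (p.src != first.src and p.payload > 0):
            break
        if p.src == first.src and p.payload > 0:
            if p.ack != first.ack:
                break
            if p.ts - last.ts > timeout:
                return first, None
            last = p
    return first, last


def measure(pkts: List[Pkt], timeout: float = 5.0) -> Metrics:
    pkts = sorted(pkts, key=lambda p: p.ts)
    m = Metrics(None, None, None, None, None)
    r0 = next((i for i, p in enumerate(pkts) if p.src == "client" and p.payload > 0), None)
    if r0 is None:
        return m
    req_first, req_last = data_burst(pkts, r0, timeout)
    if req_last is None:
        return m                                    # request timed out: nothing measurable
    m.dtt_client = req_last.ts - req_first.ts       # 0 for a one-packet query
    req_end = req_last.seq + req_last.payload
    first_ack = next((p for p in pkts[r0:] if p.src == "server" and p.ack >= req_end), None)
    if first_ack is None:
        return m
    if first_ack.payload == 0:
        m.rtt_server = first_ack.ts - req_last.ts   # bare ACK: the network part is visible
        srt_start = first_ack.ts
    else:
        srt_start = req_last.ts                     # data acknowledges the request: RTT folded into SRT
    resp_idx = next((i for i in range(r0, len(pkts))
                     if pkts[i].src == "server" and pkts[i].payload > 0 and pkts[i].ack >= req_end), None)
    if resp_idx is None:
        return m
    resp_first, resp_last = data_burst(pkts, resp_idx, timeout)
    m.srt = resp_first.ts - srt_start
    if resp_last is None:
        return m                                    # DTT cancelled by the timeout
    m.dtt_server = resp_last.ts - resp_first.ts     # 0 for a one-packet answer
    resp_end = resp_last.seq + resp_last.payload
    client_ack = next((p for p in pkts if p.ts >= resp_last.ts and p.src == "client" and p.ack >= resp_end), None)
    if client_ack is not None:
        m.rtt_client = client_ack.ts - resp_last.ts
    return m


# Constructed captures.  SIMPLE: one-packet query, bare ACK, one-packet reply, client ACK.
SIMPLE = [Pkt(0.000, "client", 1, 1, 100), Pkt(0.003, "server", 1, 101, 0),
          Pkt(0.010, "server", 1, 101, 200), Pkt(0.013, "client", 101, 201, 0)]
# COMPLEX: two-packet query, bare ACK, three-packet response with an interleaved client ACK, FIN.
COMPLEX = [Pkt(0.000, "client", 1, 1, 1460), Pkt(0.002, "client", 1461, 1, 540),
           Pkt(0.005, "server", 1, 2001, 0), Pkt(0.020, "server", 1, 2001, 1460),
           Pkt(0.023, "client", 2001, 1461, 0), Pkt(0.024, "server", 1461, 2001, 1460),
           Pkt(0.028, "server", 2921, 2001, 800), Pkt(0.031, "client", 2001, 3721, 0),
           Pkt(0.040, "server", 3721, 2001, 0, fin_rst=True)]

if __name__ == "__main__":
    for name, capture in (("simple", SIMPLE), ("complex", COMPLEX)):
        print(name, measure(capture))
```

For the simple capture the routine yields RTT server 3 ms, SRT 7 ms, both DTTs 0 and RTT client 3 ms; for the complex one DTT client 2 ms, SRT 15 ms and DTT server 8 ms. A probe placed next to the server sees an RTT server close to 0 and attributes almost all of the delay before the response to SRT, which is the capture-point effect the SRT paragraph mentions.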
Chapter 13 Appendix

Table 13.10, continued from previous page (NTSTATUS code, name, common [Y]):

0xc000000b  NT_STATUS_INVALID_CID
0xc000000c  NT_STATUS_TIMER_NOT_CANCELED
0xc000000d  SMB_STATUS_INVALID_PARAMETER
0xc000000e  SMB_STATUS_NO_SUCH_DEVICE  Y
0xc000000f  SMB_STATUS_NO_SUCH_FILE  Y
0xc0000010  SMB_STATUS_INVALID_DEVICE_REQUEST  Y
0xc0000011  SMB_STATUS_END_OF_FILE  Y
0xc0000012  SMB_STATUS_WRONG_VOLUME
0xc0000013  SMB_STATUS_NO_MEDIA_IN_DEVICE
0xc0000014  NT_STATUS_UNRECOGNIZED_MEDIA
0xc0000015  SMB_STATUS_NONEXISTENT_SECTOR
0xc0000016  SMB_STATUS_MORE_PROCESSING_REQUIRED  Y
0xc0000017  NT_STATUS_NO_MEMORY
0xc0000018  NT_STATUS_CONFLICTING_ADDRESSES
0xc0000019  NT_STATUS_NOT_MAPPED_VIEW
0xc000001a  NT_STATUS_UNABLE_TO_FREE_VM
0xc000001b  NT_STATUS_UNABLE_TO_DELETE_SECTION
0xc000001c  NT_STATUS_INVALID_SYSTEM_SERVICE
0xc000001d  NT_STATUS_ILLEGAL_INSTRUCTION
0xc000001e  SMB_STATUS_INVALID_LOCK_SEQUENCE  Y
0xc000001f  SMB_STATUS_INVALID_VIEW_SIZE  Y
0xc0000020  NT_STATUS_INVALID_FILE_FOR_SECTION
0xc0000021  SMB_STATUS_ALREADY_COMMITTED
0xc0000022  SMB_S
(continued)  Zone name  Zone name

Table 13.8 Custom filter operands (Operand, Description, Type):

0win_count      Zero Window Size in both directions                      Decimal or hexa
0win_count_clt  Zero Window Size from client                             Decimal or hexa
0win_count_srv  Zero Window Size from server                             Decimal or hexa
app             Application                                              Application name
bandw           Total traffic                                            Byte quantity
bandw_clt       Traffic from caller                                      Byte quantity
bandw_srv       Traffic from callee                                      Byte quantity
begin           Number of SYN packets                                    Decimal or hexa
capture_begin   Capture begin time                                       Date and time
capture_end     Capture end time                                         Date and time
ct              Connection time                                          Duration
count           Number of successful handshakes                          Decimal or hexa
delta_session   Difference between created sessions and finished sessions  Decimal or hexa
device          Client or Server                                         Decimal or hexa
diffserv        Diffserv                                                 Decimal or hexa
diffserv_clt    Client Diffserv                                          Decimal or hexa
diffserv_srv    Server Diffserv                                          Decimal or hexa
dtt             Sum of both DTT client and server                        Duration
dtt_clt         Data transfer time from client                           Duration
dtt_srv         Data transfer time from server                           Duration
dup_ack_count   Total duplicate acks                                     Decimal or hexa

Continued on next page

Chapter 13 Appendix

Table 13.8 continued from previous page (Operand, Description, Type):

dup_ack_count_srv
eth_proto
fin_count
P
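A validator for custom-filter terms, covering the operand table above and the value syntaxes of the Date and time, Decimal or hexa, Duration, Ethernet Type and HTTP Method sections, as an added example that is not PV's code. Assumptions: operand names use the underscored spellings of the table; the equality operator "=" is accepted for every type (this extract only shows the ordering operators); duration units are limited to us, ms, s and m; values of type Byte quantity and Application name are not checked, because their syntax is not part of this extract.

```python
"""Added example (not PV's code): syntax checks for PV custom-filter terms,
mirroring the valid / invalid inputs listed in the appendix."""
import re
from datetime import datetime
from typing import Tuple

OPERAND_TYPES = {  # excerpt of table 13.8
    "app": "Application name", "bandw": "Byte quantity", "bandw_clt": "Byte quantity",
    "bandw_srv": "Byte quantity", "begin": "Decimal or hexa", "capture_begin": "Date and time",
    "capture_end": "Date and time", "ct": "Duration", "count": "Decimal or hexa",
    "delta_session": "Decimal or hexa", "diffserv": "Decimal or hexa", "dtt": "Duration",
    "dtt_clt": "Duration", "dtt_srv": "Duration", "dup_ack_count": "Decimal or hexa",
}
ORDERED = {"Decimal or hexa", "Duration", "Date and time"}   # types that support < <= > >=
ORDER_OPS = {"<", "<=", ">", ">="}

_DEC = re.compile(r"^[0-9]+$")
_HEX = re.compile(r"^0x[0-9a-fA-F]+$")            # the prefix needs a lowercase x: 0X45 is rejected
_DURATION = re.compile(r"^[0-9]+(us|ms|s|m)?$")    # a bare number is in microseconds, the lowest unit
_DATE = re.compile(r"""^(['"])(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\1$""")  # quotes are mandatory
_METHOD = re.compile(r"^[A-Z]+$")                   # GET is accepted, get is not
_TERM = re.compile(r"^\s*(\w+)\s*(<=|>=|<|>|=)\s*(.+?)\s*$")


def is_decimal_or_hexa(v: str) -> bool:
    return bool(_DEC.match(v) or _HEX.match(v))


def is_duration(v: str) -> bool:
    return bool(_DURATION.match(v))


def is_date_time(v: str) -> bool:
    m = _DATE.match(v)
    if not m:
        return False
    try:
        datetime.strptime(m.group(2), "%Y-%m-%d %H:%M")  # rejects impossible dates such as month 13
        return True
    except ValueError:
        return False


def is_ethernet_type(v: str) -> bool:
    if not is_decimal_or_hexa(v):
        return False
    return int(v, 16 if v.startswith("0x") else 10) <= 0xFFFF  # 123456789 does not fit 16 bits


def is_http_method(v: str) -> bool:
    return bool(_METHOD.match(v))


CHECKS = {"Decimal or hexa": is_decimal_or_hexa, "Duration": is_duration,
          "Date and time": is_date_time}


def validate(term: str) -> Tuple[bool, str]:
    """Validate one term such as "dtt_srv >= 5m"; returns (ok, reason)."""
    m = _TERM.match(term)
    if not m:
        return False, "cannot parse term"
    operand, op, value = m.groups()
    kind = OPERAND_TYPES.get(operand)
    if kind is None:
        return False, f"unknown operand {operand}"
    if op in ORDER_OPS and kind not in ORDERED:
        return False, f"{op} is not defined for {kind}"
    check = CHECKS.get(kind)
    if check is None:
        return True, f"{kind} value not checked"
    if not check(value):
        return False, f"{value!r} is not a valid {kind}"
    return True, kind


if __name__ == "__main__":
    for term in ("dtt_srv >= 5m", "capture_begin >= '2012-06-14 17:15'",
                 "capture_begin >= 2012-06-14 17:15", "app < Samba", "count > 0X45"):
        print(f"{term!r}: {validate(term)}")
```

The third and fifth terms fail for the two reasons the appendix calls out: an unquoted date and an uppercase X in the hexadecimal prefix.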
[...] be processed. In such a case, the result is that only a part of the total traffic will be analyzed. An alert is sent to the Administrator.

9.9 License and Upgrade Installation

Apart from the trial version, all virtual and physical appliances are provided with no license key. You have to get the license key, which will be provided by email by SecurActive. Each SPV entity (virtual poller and collector, see Distributed Architecture) needs a specific license. The licenses are specific to a given hardware serial number (the device id), so each device must be sent its own license package.

Note: With this system you can transform an APS into an APP, or an APS Free into an APS express, for example. There is a special case when you transform any APP probe into a non-APP: you must run a format data disk command after installation to be able to save captured data. See Pulsar.

The same procedure must be performed for all the entities, either for a license or for an upgrade; please follow the steps below.

1. Connect to the FTP server of the probe (user ftp, password S3c7r...).
2. Upload (put) your license or upgrade file.
3. Wait a few minutes and it is done. The installation is complete when the license key is not available anymore when you refresh the destination folder listing.
4. Check your license or new version with the status or poller commands.

For upgrades, please redo the same procedure on all the entities.

The FTP account is a shared, documented credential and FTP carries it, and the uploaded file, in clear text, so restrict access to the probe's FTP port to the management network.

9.8 Limits
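The four steps above, automated with ftplib from the Python standard library, as an added example that is not PV's code. Assumptions: the account name and password come from the environment (PV_FTP_USER, PV_FTP_PASS) rather than being written into the script; the file goes to the account's root folder; the polling interval and deadline are parameters; the completion criterion is the one the page gives, the uploaded file disappearing from the destination folder. The clock and sleep functions are injectable so the polling loop can be exercised without waiting.

```python
"""Added example (not PV's code): upload a license or Service Pack file to a
probe over FTP and wait until the probe has consumed it, per section 9.9.
FTP sends the account and the file in clear text: run this from the management network."""
import os
import sys
import time
from ftplib import FTP
from typing import Callable, Iterable, List


def upload(host: str, user: str, password: str, path: str) -> str:
    """Upload the file to the account's root folder; returns the remote name."""
    name = os.path.basename(path)
    with FTP(host, timeout=30) as ftp:
        ftp.login(user, password)
        with open(path, "rb") as fh:
            ftp.storbinary("STOR " + name, fh)
    return name


def remote_names(host: str, user: str, password: str) -> List[str]:
    """Names currently present in the destination folder."""
    with FTP(host, timeout=30) as ftp:
        ftp.login(user, password)
        return ftp.nlst()


def consumed(names: Iterable[str], filename: str) -> bool:
    """The page's completion criterion: the probe has taken the file away."""
    return filename not in set(names)


def wait_until_consumed(list_names: Callable[[], Iterable[str]], filename: str,
                        deadline_s: float = 600, poll_s: float = 15,
                        clock: Callable[[], float] = time.monotonic,
                        sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll the folder until the file is gone (True) or the deadline passes (False)."""
    start = clock()
    while True:
        if consumed(list_names(), filename):
            return True
        if clock() - start >= deadline_s:
            return False
        sleep(poll_s)


def install(host: str, user: str, password: str, path: str) -> bool:
    name = upload(host, user, password, path)
    return wait_until_consumed(lambda: remote_names(host, user, password), name)


if __name__ == "__main__":
    # usage: python install_license.py PROBE_HOST LICENSE_FILE  (PV_FTP_USER / PV_FTP_PASS set in the environment)
    probe, license_file = sys.argv[1], sys.argv[2]
    done = install(probe, os.environ["PV_FTP_USER"], os.environ["PV_FTP_PASS"], license_file)
    print("installed: now check with the Pulsar status or poller command" if done
          else "file still present after the deadline")
    sys.exit(0 if done else 1)
```

Run it once per entity (collector and each poller), since every device needs its own license package.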
partitions, df, passwd, set_date, set_time, traceroute, tzselect, hostname, log, smtp, snmp, support

Figure 7.2 Available commands

7.2.7 Configuration example

    pulsar> config network
    NETWORK
    Connection Type: 1 Static network
    Your choice: 1
    IP address: 192.168.1.1
    netmask: 255.255.255.0
    gateway: 192.168.1.254

7.2.8 Support access through VPN

The probes come with an already configured VPN connection to allow access for support operations if needed. The VPN address is set by default and should normally not be changed; if it needs to be changed, this can be done with the command config, option 7. The VPN service is stopped by default. It can be started or stopped at any moment with the corresponding commands support start or support stop.

Chapter 7 Configuration

Note: In order to have the VPN connection of the probe working, you will probably have to configure your network and/or security equipment, like your firewalls. The default host DNS name is vpn.securactive.net and the default port is 443.

7.2.9 Support with no remote access

In case the probe is not accessible from the Internet, you can use the diag command. It generates a tarball containing all the information the support team needs to do the diagnostic. Once the tarball is generated, you have to download the file by FTP with the classical admin account, in the diag directory, and send it to the support t
    pulsar> process
    MonitorNevrax        RUNNING  pid 10201, uptime 22:05:18
    distribute           RUNNING  pid 10202, uptime 22:05:18
    dumptimer            RUNNING  pid 16877, uptime 1:19:02
    junkie               RUNNING  pid 16575, uptime 1:19:14
    junkie_dumper        RUNNING  pid 16725, uptime 1:19:09
    low_space_watchdog   RUNNING  pid 10203, uptime 22:05:18
    nevrax               RUNNING  pid 10205, uptime 22:05:18
    storage              RUNNING  pid 10204, uptime 22:05:18

You can see in this example that some processes have been restarted recently. Here is the table of all the involved processes, with a brief explanation:

7.2 Pulsar

- MonitorNevrax: checks nevrax resource consumption
- distribute: deploys the configuration; collects, synchronizes and merges the CSV files about traffic statistics
- dumptimer: signals the end of a 2-minute statistics collection
- junkie: network sniffer that computes various statistics about the traffic
- junkie_dumper: writes the statistics into CSV files for the RDBMS
- low_space_watchdog: checks the available disk space
- nevrax: web user interface
- storage: stores new data into the RDBMS and handles data aggregation

7.2.6 More about pulsar

help provides both global and command help. Tab completion is enabled for commands and subcommands, such as help config and show.

    Pulsar shell: configure your probe
    help, quit, exit
    csv, status, extend_disk, format_data_disk, process, reset, status, show
    system commands: dig, ifconfig,
        service_description   BCA_SSH
        use                   generic-service
        check_command         check_securactive_bca!ssh
        host_name             beta
    }

    define service {
        name                  pop3s
        service_description   BCA_POP3S
        use                   generic-service
        check_command         check_securactive_bca!pop3s
        host_name             beta
    }

13.1 Integration with other Tools

    define service {
        name                  http
        service_description   BCA_http
        use                   generic-service
        check_command         check_securactive_bca!http
        host_name             beta
    }

    define service {
        name                  bcn_RetDVersInternet
        service_description   BCN_RetDVersInternet
        use                   generic-service
        check_command         check_securactive_bcn!R&D
        host_name             beta
    }

    define service {
        name                  bcn_voip
        service_description   BCN_VOIP
        use                   generic-service
        check_command         check_securactive_bcn!Voip
        host_name             beta
    }

PV BCA/BCN and Nagios

Figure 13.12 BCA on Performance Vision: BCA/BCN "beta" (local Voip, Private, Serveurs Voip). Begin 2013-03-18 14:08, Aggregate Level 2 minutes, End 2013-03-18 15:08, Number of collected results: 7. Charts: EURT thresholds over time; Traffic. Transactions: 64.8 / 165.0; Bytes: 29.7 MiB / 1.8 MiB.

Begin 2013-03-18 14:07, Aggregate Level 2
[...] since duplicate ACKs are much more frequent and not really characteristic of a network anomaly.

There are several common sources of TCP retransmission:

- Network congestion. If a router can't cope with the whole traffic, its queue will grow until it gets full and it then starts dropping the incoming packets. If you reach a predefined QoS limit, the exceeding packets will be dropped as well. Such drops result in TCP retransmissions. A common way to identify this kind of problem is to take a glance at the traffic statistics: if you see a flat line at the maximum allowed traffic, you have the root cause of the retransmissions. If the traffic graph looks OK, you can check the load of the routers and switches you own (e.g. with the SNMP data). If the load is too high, you have found the culprit.
- An overloaded server. Check the section Slow Server.
- A hardware failure. Maybe a network equipment is simply down. It will obviously result in TCP retransmissions until a new route is computed or the issue is fixed. This type of retransmission should have very short time effects and give quite big peaks of retransmission on very broad types of traffic on a specific subnet. If this happens often, it becomes important to find the faulty hardware by tracking down which subnets are concerned.
- A packet header corruption. Network equipments are used to rewr
Figure: DNS dashboard (time axis 14:00 to 18:00; vertical axis up to 30,000).

- The evolution of DNS response times, which impacts the quality of experience of end users.
- Unexpected name resolution protocols: are you still using NetBIOS / WINS when you thought you only relied on pure DNS?
- Do you have more DNS requests in error than successful ones?

Info: Begin 2012-03-21 13:15, Aggregate Level 15 minutes, End 2012-03-21 19:15, Number of collected results: 4.

Request type  Response code  Packets  Traffic  DNS RT
A             n/a            39,164   2.9 MiB  n/a
A             0 NoError      61,129   6.8 MiB  97 ms
A             2 ServFail     55,015   3.6 MiB  166 ms
A             3 NXDomain     31,596   3.7 MiB  18 ms

- Are some of your hosts trying to resolve against abnormal servers (leftovers of migrations, misconfigurations, infections)? See the hosts with abnormal request volumes (infection, misconfiguration). Table (Begin 2012-03-21 13:24, End 2012-03-21 19:2[4]), columns: Zone, Emitting zone, Server, Request Name, Request Type, Response Code, Device id, Poller.
- Have you got some configuration issues (short TTL values, lack of caching)? Look at the DNS conversations with the largest number of transactions.

This view can be accessed through Diagnostic > DNS.

Chapter 2 Use The PV Graphical Interface

2.12 TCP Events

Performance Vision provides an in-depth view of TCP anomalies and events. Whe
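The checks the DNS questions above suggest (error answers outweighing successful ones, hosts resolving against servers that are not the expected resolvers, clients with an abnormal request volume, names served with TTLs too short to be cached), run over constructed DNS transaction records, as an added example that is not PV's code. None of the clients, servers, names or counts below come from the page, and the thresholds are parameters chosen for the demonstration.

```python
"""Added example (not PV's code): DNS anomaly checks over a list of constructed
transaction records (client, server, request name, response code, TTL seconds)."""
from collections import Counter, defaultdict
from statistics import median
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, str, str, int]


def _many(client: str, server: str, qname: str, rcode: str, n: int, ttl: int = 300) -> List[Record]:
    return [(client, server, qname, rcode, ttl)] * n


# Constructed sample: five ordinary clients on the internal resolver and one host
# hammering an outside resolver with names that do not exist.
RECORDS: List[Record] = (
    _many("10.0.1.10", "10.0.0.53", "intranet.example", "NoError", 20)
    + _many("10.0.1.11", "10.0.0.53", "mail.example", "NoError", 15)
    + _many("10.0.1.12", "10.0.0.53", "old-printer.example", "NXDomain", 5)
    + _many("10.0.1.13", "10.0.0.53", "crm.example", "NoError", 18, ttl=30)
    + _many("10.0.1.14", "10.0.0.53", "wiki.example", "NoError", 12)
    + _many("10.0.1.99", "8.8.8.8", "xk3f9q.badzone.example", "NXDomain", 400)
)


def error_ratio(records: List[Record]) -> float:
    """Error answers per successful answer; above 1.0 the errors outweigh the useful traffic."""
    ok = sum(1 for r in records if r[3] == "NoError")
    bad = len(records) - ok
    return bad / ok if ok else float("inf")


def unexpected_servers(records: List[Record], expected: Set[str]) -> Dict[str, Set[str]]:
    """Clients resolving against servers outside the expected resolver set."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for client, server, *_ in records:
        if server not in expected:
            out[client].add(server)
    return dict(out)


def heavy_clients(records: List[Record], factor: float = 5.0) -> Dict[str, int]:
    """Clients whose request count exceeds `factor` times the median client volume."""
    counts = Counter(r[0] for r in records)
    if len(counts) < 3:
        return {}                       # too few clients for a median to mean anything
    limit = factor * median(counts.values())
    return {c: n for c, n in counts.items() if n > limit}


def short_ttl_names(records: List[Record], min_ttl: int = 60) -> Set[str]:
    """Names answered with TTLs too short to be cached usefully (lack of caching)."""
    return {r[2] for r in records if r[3] == "NoError" and r[4] < min_ttl}


def report(records: List[Record], expected_servers: Set[str]) -> dict:
    records = list(records)
    return {
        "error_ratio": round(error_ratio(records), 2),
        "unexpected_servers": unexpected_servers(records, expected_servers),
        "heavy_clients": heavy_clients(records),
        "short_ttl": sorted(short_ttl_names(records)),
    }


if __name__ == "__main__":
    for key, value in report(RECORDS, {"10.0.0.53"}).items():
        print(f"{key}: {value}")
```

On the constructed sample the error ratio is 6.23, driven almost entirely by the one host that both talks to an unexpected resolver and exceeds the volume limit, which is the pattern the dashboard questions describe for a misconfigured or infected machine.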
Figure 2.12 The CIFS graph with its four charts (time axis 09:00 to 09:40): Response Payload / Query Payload / Meta Payload (up to 19.1 MiB); Response Packets / Query Packets (up to 20,000).

Figure 2.13 CIFS queries showing Status, File ID, Path and SRT. Columns: Status, File ID, Path, Queries, Errors, Warnings, SRT. The rows alternate between 0x00000000 SMB status OK and 0xc0000120 NT status cancelled (with paths on the Peugeot, sqlprod and Inbox shares).

2.9 Matrix

The matrix view provides a representation of various metrics where every cell represents the value of the metric from one zone to another zone. Each cell can contain extra values to better interpret the result, such as the number of packets used to compute a mean, and so on. This report provides a very synthetic view of the mapping of the observed metric.

The matrix can be used both for Client / Server and for Source / Destination observations. The Client / Server matrix can be found in the APPLICATIONS section, while the Source / Dest matrix can be found i
0xc0000226  NT_STATUS_NOT_TINY_STREAM
0xc0000227  NT_STATUS_RECOVERY_FAILURE
0xc0000228  NT_STATUS_STACK_OVERFLOW_READ
0xc0000229  NT_STATUS_FAIL_CHECK
0xc000022a  NT_STATUS_DUPLICATE_OBJECTID
0xc000022b  NT_STATUS_OBJECTID_EXISTS
0xc000022c  NT_STATUS_CONVERT_TO_LARGE
0xc000022d  NT_STATUS_RETRY

Chapter 13 Appendix

Table 13.10, continued from previous page (NTSTATUS code, name, severity):

0xc000022e  NT_STATUS_FOUND_OUT_OF_SCOPE
0xc000022f  NT_STATUS_ALLOCATE_BUCKET
0xc0000230  NT_STATUS_PROPSET_NOT_FOUND
0xc0000231  NT_STATUS_MARSHALL_OVERFLOW
0xc0000232  NT_STATUS_INVALID_VARIANT
0xc0000233  NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
0xc0000234  NT_STATUS_ACCOUNT_LOCKED_OUT
0xc0000235  SMB_STATUS_HANDLE_NOT_CLOSABLE
0xc0000236  NT_STATUS_CONNECTION_REFU
0xc0000237 to 0xc000026b
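The CIFS status table of this appendix, read into a lookup and combined with the protocol-level view of an NTSTATUS value, as an added example that is not PV's code. The rows below are copied from this extract (code, name and the "common" flag); PV's own success / warning / error categories are the product's classification and are not derived here. The NTSTATUS bit layout (severity in bits 30 and 31, customer bit 29, facility in bits 16 to 27, code in bits 0 to 15) and the SMB2 header offsets (Status at byte 8, Command at byte 12, Flags at byte 16, flag bit 0 marking a server response) are the ones in Microsoft's MS-ERREF and MS-SMB2 specifications; the header bytes are constructed and the command-name map is a partial one.

```python
"""Added example (not PV's code): lookup for rows of the CIFS status table,
NTSTATUS field decoding, and extraction of the status from an SMB2 header."""
import struct
from typing import Dict, Optional, Tuple

TABLE_ROWS = """
0x00000000 SMB_STATUS_OK
0xc000000f SMB_STATUS_NO_SUCH_FILE Y
0xc0000016 SMB_STATUS_MORE_PROCESSING_REQUIRED Y
0xc0000017 NT_STATUS_NO_MEMORY
0xc0000234 NT_STATUS_ACCOUNT_LOCKED_OUT
0xc000028a NT_STATUS_ENCRYPTION_FAILED
"""
SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
                 0x0005: "CREATE", 0x0008: "READ", 0x0009: "WRITE", 0x0010: "QUERY_INFO"}
SMB2_FLAGS_SERVER_TO_REDIR = 0x1


def parse_rows(text: str) -> Dict[int, Tuple[str, bool]]:
    """code -> (name, common flag) from lines shaped like the appendix table."""
    table: Dict[int, Tuple[str, bool]] = {}
    for line in text.strip().splitlines():
        parts = line.split()
        table[int(parts[0], 16)] = (parts[1], len(parts) > 2 and parts[2] == "Y")
    return table


def decode(status: int) -> dict:
    """Protocol-level fields of an NTSTATUS value (MS-ERREF layout)."""
    return {"severity": SEVERITY[(status >> 30) & 0x3],
            "customer": bool((status >> 29) & 0x1),
            "facility": (status >> 16) & 0xFFF,
            "code": status & 0xFFFF}


def smb2_status(header: bytes) -> Optional[Tuple[int, str]]:
    """(status, command name) from an SMB2 response header; None for a request
    or a frame that is not SMB2, since the Status field is only meaningful in responses."""
    if len(header) < 64 or header[:4] != b"\xfeSMB":
        return None
    status, command, _credits, flags = struct.unpack_from("<IHHI", header, 8)
    if not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None
    return status, SMB2_COMMANDS.get(command, hex(command))


def describe(status: int, table: Dict[int, Tuple[str, bool]]) -> dict:
    name, common = table.get(status, ("unknown", False))
    return {"status": f"0x{status:08x}", "name": name, "common": common, **decode(status)}


def make_smb2_header(status: int, command: int, response: bool = True) -> bytes:
    """Constructed 64-byte SMB2 header with the other fields zeroed."""
    flags = SMB2_FLAGS_SERVER_TO_REDIR if response else 0
    return b"\xfeSMB" + struct.pack("<HHIHHI", 64, 0, status, command, 1, flags) + bytes(44)


TABLE = parse_rows(TABLE_ROWS)

if __name__ == "__main__":
    hdr = make_smb2_header(0xc000000f, 0x0005)           # CREATE response: no such file
    status, command = smb2_status(hdr)
    print(command, describe(status, TABLE))
```

Reading the severity bits explains why every row of this table starts with 0xc: all of them are error-class values at the protocol level, and the finer success / warning / error split the appendix applies (plus the "common" flag) is a PV-side interpretation of how each status matters to a CIFS user.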
Chapter 10 Frequently Asked Questions

10.1 Firefox freezes randomly on some pages

This seems to be caused by the Java plugin, and deactivating this plugin fixes the issue. This has no effect on SPV since it does not use Java. To disable the Java plugin, open Tools > Add-ons. This opens a new window with a button bar on top that includes a Plugins icon. Select it to open the list of all currently installed plugins. Locate your Java plugin, that is the one that handles Java applets: on the following screenshot it is titled "IcedTea NPR Web Browser Plugin", but it may also appear under the name "OpenSDK" or merely "Java". Once located, select it and click on the Disable button. You should then restart Firefox.

Note: This should not appear anymore since release 2.10, as the Flash plugin is not required anymore.

Figure 10.1 The Add-ons pop-up window of Firefox (listing IcedTea NPR Web Browser Plugin and Shockwave Flash, with Disable and Find Updates buttons).

10.2 Aggregate level changes when browsing from tables to charts

The aggregate level for tables is chosen to display a synthetic view of the data, while charts choose the aggregate level so as to have enough points to plot. So it is not an error if the aggregate level changes from one pag
Figure 8.35 Peak of RTT in Application Dashboard (Application performance for Samba, query from 2010-06-07 14:00 to 16:00; DTT, SRT and Transactions charts with breakdowns by server and by client zone).

Conversations: performance and analysis of individual conversations. The view is filtered by Start after / Start before, Client Zone (e.g. VLAN Sales), Server Zone (e.g. SRV FileServer), Client IP, Server IP, Application (e.g. Samba CIFS) and Protocol; the result table lists Client IP, Server Zone, Server IP, Application, Traffic, Packets, Handshake, EURT
Figure: HTTP transactions table (Duration, Status, Flags, Client Elements, Time line, Client DTT, SRT, Server DTT).

You can also display the details of a single transaction by clicking on it. This shows a summary of the HTTP query and the response, in addition to the headers and an excerpt of the payload.

2.7 SQL Analysis

In the Protocols section, the set of pages for SQL performance allows you to analyze the SQL traffic. It shows you the queries with the usual metrics (responsiveness, payload size, SQL errors, etc.) from the following database systems: SQL Server, PostgreSQL, Oracle Database and MySQL. The poller should be able to decode the protocols of the following database systems:

- SQL Server: the poller should be able to decode the Tabular Data Stream (TDS) protocol from version 7.0 to 7.4, which corresponds to SQL Server 2000 to SQL Server 2012.
- PostgreSQL: only protocol 3.0 is supported, which is implemented in PostgreSQL 7.4 and later.
- MySQL: protocol v10 is supported, which is implemented by MySQL 3.21.0 and later.
- Oracle: Oracle Database uses the Transparent Network Substrate (TNS) protocol. Since this protocol is proprietary and almost no technical specification is available, the decoding is best effort. It has mainly been tested on Ora
Figure 8.13 Breakdown by client (per-client EURT for the clients 172.16.8.22 to 172.16.8.32).

- EURT breakdown by client zone, so that you can compare the performance offered by that server to the different client zones.
- Comparison with the other applications provided by that server, so that you can identify whether a peak of transactions on another application is impacting the performance of this application, and see the volume of data, the transactions and the performance metrics for all applications provided by this server.

Figure 8.14 Server Application Dashboard (Application End User Response Time, Server Overall Load, Breakdown by client zone, Server Applications Overview).

8.4.4 Interactions Dashboard

have been developed so
Figure 2.9 The queries that have the highest SRT measure.

2.7.3 Queries

You can also browse the queries over time.

Figure: the queries over time (Oracle SELECT, SELECT DISTINCT, INSERT INTO and UPDATE statements with their Query DTT, SRT and Response DTT).
Figure 8.16 PCAP column in DNS messages (rows with client IP, zone, traffic, request name, response time and result such as NXDomain or NoError, e.g. pypi.mirrors.rd.securactive.lan AAAA NXDomain, mail.google.com 17 ms NoError).

Figure 8.17 PCAP in VoIP details (Callee, Callee Zone, Application, MOS, Packet loss, Signalling traffic, Voice traffic, Code, Last Call State, Pcap columns; callees such as aaln/1@172.25.51.150 in zone Private fallback, code 200, state closed).

For instance, if you are using Wireshark to decrypt the packets, you can directly view the packets. To view the query and the beginni
in 3 steps:

1. Connect to Pulsar (see Pulsar).
2. Enter the command to launch the trace, for example: tcpdump_tofile -i <interface> host <HOST>
3. Press Control+C to stop the trace.

Use the tcpdump command instead of tcpdump_tofile to display the results of the packet capture in real time.

Note: you can access the help by entering help tcpdump_tofile. You can refer to the tcpdump command (http://www.tcpdump.org); please have a look at the online manual (http://www.tcpdump.org/tcpdump_man.html). All parameters are available except -w.

Accessing the trace file

To access the PCAP file generated by the tcpdump_tofile command, connect to the probe via FTP, using an FTP client and the Pulsar admin user (see Pulsar).

8.6.3 Automated Packet Capture (AutoPCAP)

Principles

Performance Vision can capture packets automatically when abnormal values are observed on critical servers. These packets are presented for later analysis as PCAP files, which can be downloaded through the web graphical interface at the conversation level.

Applications

These files are presented in the following views: Conversations, DNS messages, VoIP details. In each of these views, a column at the right end of the table, labelled PCAP, shows a small icon indicating whether packets have been captured for a given conversation. If the PCAP fil
13.2.8 Non IP

Operand | Description | Type
app | - | Application name
bandw | Total traffic | Byte quantity
bandw clt | Traffic from client to server | Byte quantity
bandw srv | Traffic from server to client | Byte quantity
capture begin | Capture begin time | Date and time
capture end | Capture end time | Date and time
device | - | Decimal or hexa
evh proto | Ethernet Protocol | Ethernet Type
mac | Client or Server MAC address | MAC address
mac clt | Client MAC (physical) address | MAC address
mac srv | Server MAC (physical) address | MAC address
mtu clt | Client MTU (Maximum Transmission Unit) | Decimal or hexa
mtu srv | Server MTU (Maximum Transmission Unit) | Decimal or hexa
pkt count | Number of IP packets | Decimal or hexa
pkt count clt | Number of packets sent from client | Decimal or hexa
pkt count srv | Number of packets sent from server | Decimal or hexa
poller name | Poller name (distributed probe) | String
proto | Protocol | Wildcard or regex
protostack | Protocols stack | -
vlan | Tagged Link (802.1Q) | Decimal or hexa
traffic | Total traffic in both directions | Byte quantity
zone | Server or Client Zone | Zone name
zone clt | Zone of the client IP | Zone name
zone srv | Zone of the server IP | Zone name

(Cells marked "-" were not extracted.)

13.2.9 VoIP
Figure 6.25 Ready to Complete (Hardware type: Ethernet Adapter; Adapter type: Flexible; Network Connection; Connect at power on: Yes).

Figure 6.26 The command displays the traffic per interface (press g to enable graphical statistics, 1 to enable detailed statistics, and the listed keys to move to the previous/next interface or node; h for help).

How to use the product

The Performance Vision Virtual Appliance is shipped with a default configuration that will likely not match your site very closely. For a better experience, it is recommended that you spend some time configuring additional zones and applications to suit your traffic. Here are the sections you should consult, in order:

- User Management, for adding new users
- Zone configuration, for adding new zones or modifying the preset configuration
- Application configuration, for registering your specific applications
- Business Critical Applications and/or bcn config, to define your business critical applications and links
- Reports, to schedule periodic reports that will be sent via email

Eventually, read Use The PV Graphical Interface, then Interpreting the results, and you will see your network differently.

Chapter 7 Configuration

7.1 Hardware

The first thing to do is to plug a scree
List

The SPV sniffer decodes the different protocol levels, as described in the Glossary (Protocol Stack). You can use them to filter the captured flows or to define applications. Here is the comprehensive list of them, with an example of a common use case.

Table 13.9 Protocols

Protocol | Description | Protostack
ARP | Address Resolution Protocol | Ethernet, ARP
BGP | Border Gateway Protocol | Ethernet, BGP
Bittorrent | Peer-to-peer file sharing | Ethernet, IPv4, TCP, Bittorrent
CIFS | Microsoft Common Internet File System | Ethernet, IPv4, TCP, Netbios, CIFS
Citrix (BETA) | Citrix Remote Desktop | Ethernet, IPv4, TCP, Citrix
DHCP | Dynamic Host Configuration Protocol | Ethernet, IPv4, UDP, DHCP
DNS | Domain Name System | Ethernet, IPv4, UDP, DNS
ERSPAN | Cisco Encapsulated Remote Switched Port Analyzer | Ethernet, IPv4, GRE, ERSPAN
Ethernet | Ethernet Protocol, certainly the first protocol of the stack | Ethernet
FCoE | Fibre Channel over Ethernet | Ethernet, FCoE
FTP | File Transfer Protocol | Ethernet, IPv4, TCP, FTP
Gnutella | Peer-to-peer file sharing | Ethernet, IPv4, UDP, Gnutella
GRE | Generic Routing Encapsulation (tunneling) | Ethernet, IPv4, GRE
HTTP | Hypertext Transfer Protocol | Ethernet, IPv4, TCP, TLS, HTTP
ICMP | Internet Control Message Protocol | Ethernet, IPv4, ICMP
ICMPv6 | Internet Control Message Protocol for IPv6 | Ethernet, IPv6, ICMPv6
IMAP | Internet Message Access Protocol | Ethernet, IPv4, TCP, IMAP
Figure 6.2 Find the Performance Vision OVA file and click on Open.

The system detects the space available on the disk for the new Virtual Machine. We recommend allocating the following resources:

- Trial: Virtual Appliance with 4 GB RAM, 2 vCPU at 2.0 GHz
- Production: Virtual Poller with 8 GB RAM, 2 vCPU at 2.0 GHz; Virtual Appliance with 16 GB RAM, 4 vCPU at 2.4 GHz

The Virtual Appliance gets installed. You are notified when the installation is complete.

6.3.1 Get it Started

Once the Virtual Appliance is installed, you have to start it.

6.3.2 Access the virtual console

The probe is launched. When the network interfaces turn into promiscuous mode, click on the Console view and then press Enter to display the login prompt.

Note: Clicking on the black screen deactivates your mouse. To reactivate it, use the key combination Ctrl+Alt.

To learn how to log in and how the command line interface works, please see Pulsar. With Pulsar you can configure your keyboard, your timezone and the system settings such as IP, DNS and NTP.

Figure: Deploy OVF Template dialog. Deploy from a file or URL: enter a URL to download and install the OVF package from the Internet, or specify a location accessible from your computer, such as a local hard drive, a network share or
Server context

In this matrix we are presented with a different view of the metrics. Here we can observe in the red cell that all of the communications initiated from machines in the Remote zone to the machines in the Internet zone accounted for 12.9 GiB in total for both directions. Meanwhile, in the blue cell, the communications initiated by machines from the Internet zone to those in the Remote zone accounted for 52.5

2.10 Top Reports

You can easily get the top clients, servers or applications for any traffic (all, or a specific application, zone, etc.). You can sort each top on the most adequate criteria (volume, sessions, SYNs, etc.). This view can be accessed through Monitoring > Top Reports.

2.11 DNS Performance

Performance Vision provides an in-depth view of name resolution events and performance for DNS, NetBIOS, mDNS, etc. When troubleshooting, this view can display:

- The evolution of the DNS activity: an excessive peak may reveal a misconfiguration or an infection.

Figure: DNS Performance Chart (Begin 2012-03-21 13:24, End 2012-03-21 19:24; filters Emitting zone, Server Zone, Emitting IP, Server IP, Request Name, Request Type, Response, Device id, Poller; Aggregate Level 15 minutes; response time axis from 0 to 250 ms).
an image from the Internet from. You should reach a subscription page with a form that needs to be filled in, such as below (Download a trial Virtual Appliance: company, country, Send button). Then complete the Captcha and submit; you should see a confirmation such as below:

SecurActive Performance Vision. Welcome to SecurActive Virtual Appliance downloads. Your request has been forwarded to SecurActive. Regards, SecurActive's team.

If your request is granted, you will receive two emails from Performance Vision:

- First email, subject: Performance Vision Evaluation Documentation
- Second email, subject: Performance Vision Download of your evaluation Virtual Appliance

From that second email, click on the Download Link, which leads you to a page such as below (Performance Vision Download: Thank you for testing). You will need to download this file.

6.2 Virtual Appliance Specifications

The Performance Vision Virtual Appliance is designed to run in a VMware ESX v4 or v5 environment. It is designed to run with a minimum RAM of 4096 MB, although a larger quantity is recommended to ensure satisfactory performance. Here are the validated configurations: RAM from 4 GB to 192 GB, 1 to 8 of 2.9 GHz.

6.3 Installation

Figure 6.1 Connect to your vSphere Client.

In the Virtual Machines tab, in the File menu, select Deploy a new
Description column (continued from the preceding Client/Server operand table; the operand names for these rows were not extracted): a server IP of the netflow capture (IP which replied to a connection demand); Client or Server MAC address; Client MAC (physical) address; Server MAC (physical) address; Client MTU (Maximum Transmission Unit); Server MTU (Maximum Transmission Unit); Client or Server Operating System; Client Operating System; Server Operating System; Total payload; Payload from client to server; Number of IP packets with a payload; Number of packets with payload sent from client; Number of packets with a payload sent from server; Total retransmission payload; Retransmission payload from client to server; Retransmission payload from server to client; Payload from server to client; Number of IP packets; Number of packets sent from client; Number of packets sent from server.

Type column (same table): Decimal or hexa (x3); Application name; Byte quantity (x3); Decimal or hexa; Date and time (x2); Duration; Decimal or hexa (x3); Duration (x2); Decimal or hexa (x3); Duration; Decimal or hexa (x4); Ethernet Type; Duration; Decimal or hexa (x3); Address or netmask (x4); MAC address (x3); Decimal or hexa (x2); OS name (x3); Byte quantity (x2); Decimal or hexa; Decimal or h
a standard TCP session (v1.3).

Figure 10.2 Standard TCP Session

1. https://github.com/securactive

Chapter 11 Known Issues

11.1 Configuration

- If an application is defined with both a webpattern and a client or server zone, then all conversations matching this webpattern but not the zone will belong to NC, even if they should belong to another application according to the TCP ports. Note: This webpattern issue is fixed since release 2.10.

11.2 Interface

- There is no error message when a login attempt fails.
- Sometimes, when plotting data for the last hour, the chart ends with a zero value.
- In the charts, when a high value is immediately followed by a zero value, the smooth interpolation algorithm makes the curve go underneath the 0 line just after the 0 value. Note: This chart issue is fixed since release 2.10.
- When a language other than English is requested, some buttons are labelled in English nonetheless.

11.3 Various

- SMTP delivery of reports lacks retries.
- There is no procedure to delete the oldest data whenever the data disks become full.
- Configuration dump/restore does not work across version boundaries. Note: Since release 2.11 you cannot restore an incompatible configuration anymore.

11.4 Sniffer

- In case of IP fragmentation, the timestamps of the involved pac
about Performance.

Source/Destination is relevant when we are speaking about Usage.

3.5.3 Top Down Analysis

The Src/Dst matrix can be the starting point for a fine-tuning analysis of traffic, bandwidth and conversations. In each cell there are two buttons:

- one to display the bandwidth graph from zone to zone
- one to display the conversations from zone to zone

Figure 3.8 Cell detailed view (Bandwidth Graph, View conversation).

The first link opens the conversation table and displays all the traffic between the two zones, whereas the second one displays a bandwidth chart from the source zone (on the left) to the destination zone (on the top).

3.6 Data Aggregation

3.6.1 Rationale

By nature, the statistical analysis operations performed require the storage of large amounts of data. Furthermore, that data must be stored over extended lengths of time so as to expose overall trends. In order to minimize storage space while still making it possible to reveal trends over weeks or months, Performance Vision automatically summarizes the collected data. The process of creating these summaries is called aggregation.

3.6.2 Process

Aggregation occurs automatically. Whenever your probe displays a chart or a table, this is based on already aggregated data. In order to display this, Performance Vision first decides on an aggre
between pollers, i.e. a network flow captured by two pollers will be counted twice in reports that merge data from several pollers. But you can filter the data for each poller.
- If there is some load balancing at the packet level (and not at the session level) and two pollers see two different parts of the traffic, the collector will not be able to rebuild this flow and no performance metric will be available in this case.
- The positioning of each poller with regard to client and server will have some impact on some metrics (SRT, RTT Server, RTT Client, RR Server, RR Client).
- The maximum number of sessions handled by the collector remains unchanged: 100 concurrent sessions.

5.5.6 Prerequisites

- All pollers have to be synchronized to a single NTP server.
- All pollers and the collector require an administration port connected to the network and a fixed IP address.
- Connectivity between pollers and collector on port 22 is required.
- Some network capacity is required to transfer the data from the pollers to the collector; the current evaluation is 0.2 of the bandwidth analyzed.

5.5.7 Adequate / non-adequate implementations

Figure: two distributed probes across the data centers DCa (active) and DCb (passive). Most applications are deployed on DCa in normal conditions; DCb receives no production traffic in normal conditions, hence a second probe may not be required if applications are in normal conditions.
by the exchange of the 3-way TCP handshake.

Connection Time (CT): CT stands for Connection Time. CT is defined as the duration of the three-way handshake (SYN, SYN-ACK, ACK) of a TCP session.

Conversation: Regroups network exchanges between two network addresses for one application during the observation period. A conversation is defined as a group of flows between a client and a server over an observation period.

Data Transfer Time (DTT): Time spent by the client or the server to send data. DTT stands for Data Transfer Time. DTT server is defined as the time between the first data packet (with ACK flag and a non-null payload) from the server and the last packet considered as part of the same answer. DTT client is the symmetric metric in the opposite direction. Packets are considered part of the same answer if they share the same acknowledgment number, or on a FIN or RST from the server or the client. A timeout will cancel a DTT. Note that if the answer is small enough to be contained in only one packet, DTT will be 0.

Delta sessions: Number of sessions established minus those closed. Delta Session is a metric defined as the difference between the number of opened sessions and the number of closed sessions. A negative value means that more sessions were closed than opened.

Device Identifier: Identifies the physical network adapter that received the network traffic associated to a conversation.

DiffServ Code Point (DSCP): 6-bit value taken from the TOS field of the IP header, used in some
directly in your mailbox or via FTP, at the frequency you prefer.

Configuration

In the first step, you create a template that mainly defines the name of the report, the list of recipients, a description and the scheduling settings. In the second step, you add the different views you want to see to the appropriate template. Then you are done: just check your mailbox.

To create a report template, in the Configuration area select Reports in the menu list on the left. This displays the list of existing report templates. Use the Create button to create a new report template. Please note that this feature is only available to users with administration rights.

To create a report template, you must fill in some information:

- The name of the report, for easy identification.
- The full description of this report, which will be copied into the generated PDF file.
- The language option defines the language used for these reports; the language of the report can thus differ from the language of the web screen.
- The list of recipients defines the email addresses to which the reports will be sent; the recipients' email addresses can be separated by a comma, a semicolon or a new line.
- Scheduling settings define the frequency at which the reports will be sent. Available options:
  - Day: generates the report every x day(s), for example every two days.
hexa
voip traffic | Voice total traffic | Byte quantity
voip traffic sign | Signalization total traffic | Byte quantity
zone | Server or Client Zone | Zone name
zone clt | Zone of the client IP | Zone name
zone srv | Zone of the server IP | Zone name

Type definitions

13.2.10 Address or netmask

This can be either a complete IPv4 or IPv6 address, or an IP address completed with wildcard patterns to form a netmask.
Operators: (not extracted)
Example of valid inputs: 192.168, 192.168.5.10
Example of invalid inputs: 192.524.1.1

13.2.11 Application name

This value must be a valid application name enclosed in quotes.
Operators: (not extracted)
Example of valid inputs: "http"
Example of invalid inputs: unknown app

13.2.12 Byte quantity

This value indicates a quantity of bytes with its unit. Note that there is no space between the quantity and the unit.
Operators: <, <=, >, >=
Example of valid inputs: 42, 4KB, 4KiB, 56MiB
Example of invalid inputs: 4 KiB, 148 000

13.2.13 DNS Type

A DNS type value, either numeric or symbolic.
Operators: (not extracted)
Example of valid inputs: 4, A, MX
Example of invalid inputs: 1223648, FOO

13.2.14 DNS class

A DNS class, either numeric or symbolic.
Operators: (not extracted)
Example of valid inputs: 1, IN
Example of invalid inputs: A, MX

13.2.15 DNS result

A DNS result code, either numeric or symbolic.
in their Ethernet header. SPV also accepts both IPv4 and IPv6 protocols.

Note: Non-Ethernet flows are invisible to the SPV solution.

5.3.1 Non IP Protocols

If the Ethernet protocol is not an IP protocol, it will appear in the Non IP submenu; those data will not appear elsewhere.

Figure 5.2 Non IP protocols menu (Non IP > Volume non IP).

Figure 5.3 Level 3/4 protocol filter.

5.3.2 IP Protocols

IPv4 and IPv6 are both captured and split into four Level 3/4 protocols: TCP, UDP, ICMP and OtherIP. Some of those data are duplicated in other specialised categories (Web, VoIP, DNS) to display more specific metrics.

Figure: DNS messages table (Begin 2011-09-07 10:00, End 2011-09-07 11:00, Aggregate Level 2 minutes, 100 collected results).

Begin Time | End Time | Request Name | Packets | Traffic | DNS rt
2011-09-07 10:38:31 | 2011-09-07 10:43:32 | pypi.rd.securactive.lan | 1712 | 198.5 KiB |
2011-09-07 10:38:31 | 2011-09-07 10:43:32 | pypi.mirrors.rd.securactive.lan | 596 | 73.8 KiB |
2011-09-07 10:00:50 | 2011-09-07 10:59:47 | N | 570 | 100.9 KiB | 1
2011-09-07 10:00:21 | 2011-09-07 10:59:23 | mail.google.com | 120 | 18.3 KiB | 27 ms
2011-09-07 10:00:23 | 2011-09-07 10:58:37 | reviewboard.rd.securactive.lan | 112
Figure 13.13 BCN on Performance Vision (Network thresholds over time, 2013-03-18 14:07 to 15:07, 3 collected results; Bandwidth Private Local R&D > Internet, 210.5 Kib/s).

Figure 13.14 BCA and BCN check on Nagios (Service, Status, Last Check, Duration, Attempt, Status Information columns; services such as BCA IMAPs, BCA MyApplication, BCA SSH, BCA http, BCN RetDVersInternet and BCN VOIP PING with states Ok or Alert, e.g. PING OK: Packet loss 0, RTA 2.06 ms).

13.2 Custom Filters

13.2.1 Client Server

Operand | Type
Owin, Owin count clt, Owin count srv, app, bandw, bandw clt, bandw srv, begin captur
not a slow server.

To begin the diagnosis, go to Monitoring > Clt/Srv Table. Select the application server from the drop-down box labelled Server Zone and click Search. If we see that all applications on the server are responding slowly, i.e. the SRT values are high for both Salesforce and the other applications, the issue is related to the server, not to the applications.

Second, check the Connection Time of the application server. If the connection times are high, this may also indicate a slow server.

Third, check for retransmissions between the clients and the application server. If there are a lot of retransmissions, then either the application server or a network device in between is dropping packets. Go to Monitoring > Performance Over Time chart. Select the application server (Salesforce) from the drop-down box labelled Server Zone and click Search.

Figure 8.38 Slow server: Performance Over Time chart (14:00 to 15:58; RTT in avg 151.39 ms, RTT out avg 301.50 us, RD indic in avg 8.96 ms, RD indic out, RR out avg 0.08, RR in avg 1.89).

Here we see that there is a high Retransmission R
on the icons associated with a specific period of time, the quick links will use this specific period when redirecting you to a detailed screen.

You will always see up-to-date information thanks to the auto-refresh feature of the BCN dashboard. The information is refreshed automatically based on the data aggregation level (see aggregation period). For example, if the Aggregate level is 2 minutes, the BCN will be updated every two minutes; if the Aggregate level is 15 minutes, the BCN will be updated every fifteen minutes.

8.3 VoIP Module

Specific reporting for Voice over IP traffic is provided. The aim of this module is to show the volume and quality of service associated with VoIP flows.

8.3.1 Supported protocols

These VoIP protocols are supported:

- SIP (RTCP, RTP)
- MGCP (RTCP, RTP)
- SKINNY (RTCP, RTP)

For more information, please consult the corresponding RFCs:

- SIP, as defined in RFC 3261 (http://tools.ietf.org/html/rfc3261.html)
- MGCP, as defined in RFC 3435 (http://tools.ietf.org/html/rfc3435.html)
- RTP, as defined in RFC 3550 (http://tools.ietf.org/html/rfc3550.html) and RFC 3551 (http://tools.ietf.org/html/rfc3551.html)
- RTCP, as defined in RFC 3605 (http://tools.ietf.org/html/rfc3605.html)

8.3.2 Basics of VoIP

Voice over IP relies on three protocols to operate over IP networks:

- Signalization protocol: the role of this protocol is to establish and control the voice communications. It us
processes on the probe. Those events are raised in a new information page in the Configuration menu. Error events are reported in a status bar available to the administrator group.
- Configuration of the data merging over time (data loses precision): the loss levels are now configurable; you can choose not to merge at all.

What's New in 2.13

- Pulsar: a command allows setting the MTU of each poller.
- GUI: shows that an upgrade is in progress, with the install logs (no more white screen).
- Upgrade: upgrade logs now have their own file (var log nova install log).
- BCN workflow: added a performance chart displaying oriented RTT, DTT, RD and Retransmission rate.
- New Oriented Flows Details page, with more information about oriented conversations.
- Advanced filters are now the same in the Application and in the Network menus.
- New metrics displayed and filterable:
  - Diffserv (IP header), to classify the flows; displayed in both Flows Details pages.
  - MAC address (Ethernet addresses); displayed in both Flows Details pages.
  - OS: for TCP only, the new sniffer can detect the network fingerprint of a wide range of operating systems; displayed in both Flows Details pages.

1.10 What's New in 2.12

- Metric: add the metric MTU (Max Transfer Unit) in the Source/Dest Matrix and Oriented Conversation.
- Zone: new zone factory settings.
- License: new VMware ve
the Server Response Time; e.g. a DTT might be short for a long SRT (the request might require a large calculation, but the result represents a small volume of data), or a DTT might be very large while the SRT is very short, because the request is easy to handle but the response is very large.

DTT depends on (from the largest impact to the smallest):
• the size of the response: the more data it contains, the longer it takes to transfer it;
• the level of retransmission: the more packets are retransmitted, the longer it will take to transfer the whole response;
• the network latency: the longer it takes to transfer packets through the network, the longer it will take to transfer the response;
• (minor impact) the actual throughput which can be reached to transfer the response from the server to the client.

DTT may vary (from the most common case to the rarest):
• globally or not, i.e. on a per-transaction basis: if only for some transactions, it may be linked to the size of some specific application responses;
• for all client zones or for some only: if for some client zones only, it may be linked to specific network conditions (retransmissions);
• for all servers or for some servers only: if for a specific server, it may be due to a specific server issue in broadcasting the response.

8.7.2 Scenario guidelines

Slow site connection

Hypothesis: One or several end users compla
the consequence of a crucial service: the DNS. Check out the DNS Response Time. Look at the Monitoring Bandwidth chart to inspect the bandwidth variation and the number of TCP/UDP flows as well. They might have overcome a QoS threshold such that all the new application requests are blocked. A hint would be an increasing number of RST packets. To be sure, you may dive into the Analysis > TCP Errors menu.

Figure 8.28: Retransmission analysis (panels: Bandwidth from source to destination; Bandwidth from destination to source; RTT in / RTT out; RD indic in / RD indic out; RR out / RR in; query from 2010-08-25 10:30:00+02:00 to 19:30:00+02:00, Aggregate Level 15 minutes)
the same page, either directly or indirectly. We'd like it to be the first chronologically, but that's not necessarily the case due to mirroring.

4.2.2 From packets to HTTP messages

The sniffer receives fragments of HTTP messages. It starts to reconstruct a new HTTP message as soon as it receives the start of a header. Some fragments of the message may be missing, though, in which case it may be incapable of associating a body fragment with the proper HTTP message, thus leading to:
• erroneous payloads and dubious chronology;
• saving part of the content in HTTP save files without notice;
• reporting the timestamp of the message end.

4.2.3 From individual messages to transactions

HTTP offers no better way to associate a response with its corresponding query than to rely on ordering: the first response on the socket goes with the first query, and so on. So, for every socket, the sniffer stores all queries not already paired with a response. Notice that on a socket a proxy may mix queries of different users, and that two interconnected proxies may even mix queries to distinct servers. Notice also how damaging a single dropped packet may be if it hides a query or a full response from the sniffer, since all pairings following this gap will be questionable. Also, servers may not respond, leading to a timeout of the pending queries, which will be inserted in the database without any response.
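The pairing rule just described, as an added example that is not the sniffer's own code: a per-socket FIFO matches the first unanswered query to the first response and times out the rest. The message lists are constructed; the second run drops one response to show how every later pairing on that socket shifts.

```python
from collections import deque, namedtuple

# A reassembled HTTP message as the sniffer sees it (constructed for the
# example): kind is "Q" (query) or "R" (response), socket identifies the TCP
# socket, ts is the timestamp of the message end, ident is a label.
Message = namedtuple("Message", "kind socket ts ident")


def pair_http_messages(messages, timeout=30.0):
    """Pair queries with responses per socket by ordering only.

    On each socket the first response is attributed to the first query still
    waiting for one. A query that waits longer than `timeout` seconds is
    recorded without any response (None), as the guide describes for servers
    that never answer. Returns (query, response) pairs in decision order.
    """
    pending = {}          # socket -> deque of queries not yet paired
    transactions = []
    for m in sorted(messages, key=lambda x: x.ts):
        queue = pending.setdefault(m.socket, deque())
        # Queries that have waited longer than the timeout get no response.
        while queue and m.ts - queue[0].ts > timeout:
            transactions.append((queue.popleft().ident, None))
        if m.kind == "Q":
            queue.append(m)
        elif queue:
            transactions.append((queue.popleft().ident, m.ident))
        else:
            # A response with no pending query: its query was never seen.
            transactions.append((None, m.ident))
    # At the end of the capture, whatever is still pending never got an answer.
    for queue in pending.values():
        for stale in queue:
            transactions.append((stale.ident, None))
    return transactions


# Constructed capture: three pipelined queries on socket "s1" and their responses.
COMPLETE = [
    Message("Q", "s1", 0.00, "q1"),
    Message("Q", "s1", 0.10, "q2"),
    Message("R", "s1", 0.50, "r1"),
    Message("R", "s1", 0.60, "r2"),
    Message("Q", "s1", 1.00, "q3"),
    Message("R", "s1", 1.60, "r3"),
]

# Same exchange, but the packets carrying r2 were dropped before the sniffer:
# q2 is now paired with r3 and q3 ends up as a timed-out query.
MISSING_R2 = [m for m in COMPLETE if m.ident != "r2"]


if __name__ == "__main__":
    print(pair_http_messages(COMPLETE))
    print(pair_http_messages(MISSING_R2))
```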
the server, depending on who is to blame, to gather further data on this event.

8.5.3 TCP Events

This page does not focus explicitly on TCP errors but aims at giving various overall statistics about each TCP conversation, in order first to give an accurate view of the actual traffic in terms of payload and number of connections, and second to notice unexpected patterns. This page can also serve as a way to find which conversations are important (relevant) and thus which zone or application could be split to help distinguish more closely between significant flows.

For each TCP conversation the following fields are displayed:
• payload
• number of packets
• number of handshakes
• number of timeouts
• number of RSTs from client
• number of RSTs from server
• number of FINs from client
• number of FINs from server

8.6 Packet-level analysis

8.6.1 Objectives

Once you have identified the origin of an issue, you may want to analyze it further by looking at the packets themselves. You have two ways to do this:
• Manual packet capture through Pulsar's tcpdump command
• Automated packet capture:
  • Triggered packet capture from the data of a result row

8.6.2 Manual packet capture

By connecting through Pulsar, you can start a manual capture of any traffic viewed on the interface of your device. To do so, you need to go through
the transaction. It can be a command id in decimal or hexadecimal form, or a command code inside strings.
Operators
Example of valid inputs: SMB2_com_logoff 2 0
Example of invalid inputs: random text

13.2.28 SMB status

The status of the SMB transaction. It can be a status id in decimal or hexadecimal form, or a status code inside quotes. The special values success, warning and error are also accepted and mean respectively a match on every success, warning and error status. The special value common matches a set of common statuses.
Operators
Example of valid inputs: "no such file" error 0xc000000f
Example of invalid inputs: random text

13.2.29 SMB sub command

The SMB sub command associated with the command used in the transaction. It can be a sub command id in decimal or hexadecimal form, or a sub command code inside strings.
Operators
Example of valid inputs: SMB_TRANS2_open2 16 0
Example of invalid inputs: random text

13.2.30 SQL command

A single SQL command inside quotes.
Operators
Example of valid inputs: "CREATE INDEX" "INSERT"
Example of invalid inputs: SELECT FROM users INSERT

13.2.31 SQL system

The name of the RDBMS dialect used in the connection, inside quotes.
Operators
Example of valid inputs:
through the TAP. A connection via TAP induces additional costs. If you choose to capture network traffic through a SPAN, you should pay specific attention not to copy the same traffic twice to the listening interface of the probe, which would degrade the statistics provided by the probe.

5.2 How to capture traffic

Performance Vision can rely on two mechanisms to capture network traffic:
• Port Mirroring, commonly called SPAN
• TAP (Terminal Access Point)

5.2.1 Port mirroring

Port mirroring, also known as SPAN or roving analysis, is a method of monitoring network traffic which forwards a copy of each incoming and/or outgoing packet from one or several port(s) or VLAN of a switch to another port, where the analysis device is connected. Port mirroring can be managed locally or remotely.

To configure the port mirroring, an administrator selects one or several ports from which all packets will be copied (source ports) and another port or ports where the copy of the packets will be sent (destination port). The administrator can include either all packets in the port mirroring or only the transmitted/received packets.

In case both transmitted and received packets are included, a packet going from a first monitored port to another monitored port will be copied twice to the destination port. This will have an impact on the measures and performance provided by the analysis device (e.g. retransmission rates, response times). Performance Vision ca
two groups have different access permissions to the application pages: the administrators group provides its members with full access to the Configuration pages; Users group members will be able to read reports but will not have access to the configuration page.

Figure 7.3: Configuration of the French language in Firefox (languages in order of preference: Français/France [fr-fr], Anglais [en], Anglais/Etats-Unis [en-us])

In order to create a new user account you must be logged into the appliance as a member of the Administrator group. As mentioned in the paragraph above, the default admin group has the right to create, modify and access the configuration. You can add a new user account by clicking on the Users tab found in the configuration menu on the left-hand side. Then click on the Add button and fill in the user information (username, password and group). Make sure the Active button is checked, otherwise the user won't be able to log in. Thanks to this option you will be able to disable or enable an a
Figure 3.5: Client/Server treatment

For example, the clt/srv graphs shown above will be generated taking into account the communications from clients in A to servers in B and from servers in B to clients in A. In short, the traffic displayed in client/server conversations will take into consideration the data transfer in both directions.

Note: The appliances can only distinguish reliably clients from servers when the IP protocol in use is TCP, when the connection establishment was successfully received by the probe, and when the connection state is sufficiently active not to be in timeout. In all other cases, the probe assumes that the lower port is used on the server's side.

Where are both being used?

Src/Dst will be used for all views of oriented traffic, i.e. where the reports need to show the amount of data from one zone to another zone. Hereunder, in the first and second lines of the table, you can see that the data exchange between the two hosts has been split into two conversations: from A to B and from B to A.

Source IP      | Destination Zone    | Destination IP | Application | Traffic | Payload  | Packets
192.168.80.22  | VLAN_Sales/fallback | 192.168.20.208 | Smtp ssl    | 3.5MiB  | 3.0MiB   | 8389
192.168.20.208 | VLAN_Labo/fallback  | 192.168.80.22  | Smtp ssl    | 1.2     | 799.8KiB | 7907
192.168.20.237 | VLAN_R&D            | 192.168.10.9   | ssh         | 1.1MiB  | 771.3KiB | 5294
192.168.80.22  | VLAN_Sales/fallback | 192.168.20.217 | Smt
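An added illustration of the note and of the two views above (example code, not the appliance's; the packets are constructed and `flags` holds TCP flag letters, "S" for SYN and "A" for ACK): a conversation with a captured handshake is oriented by its SYN sender, one seen mid-stream falls back to the lower-port rule, and both are aggregated as Src/Dst rows and as a single client/server row.

```python
from collections import defaultdict, namedtuple

# One captured packet, constructed for the example. flags holds TCP flag
# letters ("S" = SYN, "A" = ACK); it would be empty for UDP.
Packet = namedtuple("Packet", "proto src sport dst dport size flags")


def flow_key(p):
    """Direction-independent key of a conversation: protocol plus both endpoints."""
    return (p.proto, frozenset([(p.src, p.sport), (p.dst, p.dport)]))


def client_server_for(packets, timed_out=False):
    """Apply the rule of the note above to one conversation.

    If the protocol is TCP, the connection establishment (a SYN without ACK)
    was captured and the conversation is not timed out, the SYN sender is the
    client. In every other case the endpoint using the lower port is assumed
    to be the server. Returns (client, server, rule) with (ip, port) endpoints.
    """
    a, b = sorted({(p.src, p.sport) for p in packets} | {(p.dst, p.dport) for p in packets})
    syn = [p for p in packets if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags]
    if syn and not timed_out:
        client = (syn[0].src, syn[0].sport)
        return client, (b if client == a else a), "handshake"
    server, client = (a, b) if a[1] < b[1] else (b, a)
    return client, server, "lower-port"


def oriented_table(packets):
    """Src/Dst view: one row per direction, keyed (source ip, destination ip),
    valued (bytes, packets)."""
    rows = defaultdict(lambda: [0, 0])
    for p in packets:
        rows[(p.src, p.dst)][0] += p.size
        rows[(p.src, p.dst)][1] += 1
    return {k: tuple(v) for k, v in rows.items()}


def client_server_table(packets):
    """Clt/Srv view: both directions of a conversation merged into one row,
    keyed (client ip, server ip, server port), valued (bytes, packets, rule)."""
    flows = defaultdict(list)
    for p in packets:
        flows[flow_key(p)].append(p)
    rows = {}
    for pkts in flows.values():
        client, server, rule = client_server_for(pkts)
        rows[(client[0], server[0], server[1])] = (sum(p.size for p in pkts), len(pkts), rule)
    return rows


# Constructed conversation 1: handshake captured, client 192.168.80.22.
FLOW1 = [
    Packet("tcp", "192.168.80.22", 34512, "192.168.20.208", 465, 60, "S"),
    Packet("tcp", "192.168.20.208", 465, "192.168.80.22", 34512, 60, "SA"),
    Packet("tcp", "192.168.80.22", 34512, "192.168.20.208", 465, 1500, "A"),
    Packet("tcp", "192.168.20.208", 465, "192.168.80.22", 34512, 3000, "A"),
    Packet("tcp", "192.168.80.22", 34512, "192.168.20.208", 465, 1500, "A"),
]

# Constructed conversation 2, seen mid-stream: the real client used the low
# source port 1023, so the lower-port rule orients it the wrong way round.
FLOW2_NO_SYN = [
    Packet("tcp", "172.16.1.10", 1023, "172.16.1.20", 8080, 400, "A"),
    Packet("tcp", "172.16.1.20", 8080, "172.16.1.10", 1023, 9000, "A"),
]
# The same conversation with its SYN captured is oriented correctly.
FLOW2_WITH_SYN = [Packet("tcp", "172.16.1.10", 1023, "172.16.1.20", 8080, 60, "S")] + FLOW2_NO_SYN

CAPTURE = FLOW1 + FLOW2_NO_SYN

if __name__ == "__main__":
    print(oriented_table(CAPTURE))
    print(client_server_table(CAPTURE))
    print(client_server_for(FLOW2_WITH_SYN))
```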
(Figure: ICMP Port Unreachable example. The workstation 10.1.2.23 tries to connect to 192.168.1.15 on HTTP; the server refuses the connection on port 4000 and sends back an ICMP Port Unreachable error. The diagram also shows the routers 192.168.0.254/16, 192.168.0.253/16 and 10.1.2.254/24 and the host 192.168.0.7.)

Where is the challenge with ICMP?

You may be tempted to say: if it is that simple, why do we need SecurActive SPV on top of any sniffer, since the information sits in the payload? But in every network you will find some errors; they may be due to a user trying to connect to a bad destination or trying to reach a server on the wrong port. The key is in having a global view of how many errors you have, normally and currently, and from where to where. The key to leveraging ICMP information is in having a relevant view of it and understanding what it means.

How can ICMP help in network diagnostics and security monitoring?

From the explanation above, we can keep in mind that by analysing ICMP errors we can identify machines that try to connect to networks or machines that are not routable from the LAN's machines, or ones that try to connect to actual servers but for services whose ports are not open. Here are some examples of phenomena that can be identified that way:

Misconfigured workstation: a workstation repeats a large volume of missed attempts to connect to a limited number of servers; it may be that this machine d
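The ICMP error view described above, as an added example that is not SPV's code: per-client counts split into targets that are not routable and servers that are not listening, the repeated-attempts pattern named in the text, and the normal-versus-current comparison. The error records, the two windows and the thresholds are constructed for the example.

```python
from collections import defaultdict, namedtuple

# One ICMP error as the probe could report it, constructed for this example:
# ts (seconds), the client whose attempt failed, the target it tried to reach,
# the destination port of that attempt, and the reason carried by the error.
IcmpError = namedtuple("IcmpError", "ts client target port reason")

# Grouping used by the text: targets that cannot be reached at all versus
# servers that are up but do not listen on the requested port.
NOT_ROUTABLE = {"net-unreachable", "host-unreachable"}
NOT_LISTENING = {"port-unreachable"}


def summarize_errors(errors):
    """Per client: number of errors, distinct targets and (target, port) pairs,
    and how many errors fall in each reason group. Returns {client: dict}."""
    by_client = defaultdict(list)
    for e in errors:
        by_client[e.client].append(e)
    return {
        client: {
            "errors": len(evs),
            "targets": len({e.target for e in evs}),
            "ports": len({(e.target, e.port) for e in evs}),
            "not_routable": sum(e.reason in NOT_ROUTABLE for e in evs),
            "not_listening": sum(e.reason in NOT_LISTENING for e in evs),
        }
        for client, evs in by_client.items()
    }


def misconfigured_workstations(errors, min_errors=20, max_targets=3):
    """The phenomenon named in the text: a workstation repeating a large volume
    of missed attempts towards a limited number of servers. The thresholds are
    assumptions made for this example, not values from the guide."""
    return sorted(client for client, s in summarize_errors(errors).items()
                  if s["errors"] >= min_errors and s["targets"] <= max_targets)


def compare_with_baseline(current, baseline):
    """How many errors each client has normally (baseline window) and now.
    Returns {client: (baseline count, current count)} for every client whose
    current count is above its baseline."""
    cur, base = summarize_errors(current), summarize_errors(baseline)
    result = {}
    for client, s in cur.items():
        normal = base.get(client, {}).get("errors", 0)
        if s["errors"] > normal:
            result[client] = (normal, s["errors"])
    return result


# Constructed windows. Currently 10.1.2.23 keeps retrying 192.168.1.15:4000
# (the refused connection of the figure), 10.1.2.40 hits two targets that are
# not routable, and 10.1.2.50 reaches five servers on a port none of them
# listens on. The baseline window is what the same network looked like before.
CURRENT = (
    [IcmpError(100 + i, "10.1.2.23", "192.168.1.15", 4000, "port-unreachable") for i in range(25)]
    + [IcmpError(300, "10.1.2.40", "192.168.9.1", 80, "host-unreachable"),
       IcmpError(310, "10.1.2.40", "10.9.0.1", 22, "net-unreachable")]
    + [IcmpError(400 + i, "10.1.2.50", "192.168.1.%d" % (20 + i), 80, "port-unreachable") for i in range(5)]
)
BASELINE = (
    [IcmpError(i, "10.1.2.23", "192.168.1.15", 4000, "port-unreachable") for i in range(2)]
    + [IcmpError(50, "10.1.2.50", "192.168.1.20", 80, "port-unreachable")]
)

if __name__ == "__main__":
    for client, s in sorted(summarize_errors(CURRENT).items()):
        print(client, s)
    print("repeated attempts:", misconfigured_workstations(CURRENT))
    print("above baseline:", compare_with_baseline(CURRENT, BASELINE))
```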
Figure 8.31: Number of RST packets sent from the TCP servers (columns: Server IP, Application, Traffic, Packets, Conn established, Num timeout, Client RST, Server RST)

Slow application

Hypothesis: One or several end users complain about slow access to a specific application (a fileserver).

Prerequisites:
• Zones have been configured to reflect the customer's network topology.
• The application (Samba/CIFS) has been identified.
• The traffic to the fileserver is mirrored to one of the listening interfaces of the probe.

Where to start: a global view of the application performance.

1st example

(Figure: application performance view for the period beginning 2011-04-04 14:00:00+02:00, Aggregate Level 15 minutes, with the DTT and SRT charts, the number of transactions, a breakdown by server and a breakdown by client zone)
0xc0020039 RPC NT INVALID VERS OPTION
0xc002003a RPC NT NO MORE MEMBERS
0xc002003b RPC NT NOT ALL OBJS UNEXPORTED
0xc002003c RPC NT INTERFACE NOT FOUND
0xc002003d RPC NT ENTRY ALREADY EXISTS
0xc002003e RPC NT ENTRY NOT FOUND
0xc002003f RPC NT NAME SERVICE UNAVAILABLE
0xc0020040 RPC NT INVALID NAF ID
0xc0020041 RPC NT CANNOT SUPPORT
0xc0020042 RPC NT NO CONTEXT AVAILABLE
0xc0020043 RPC NT INTERNAL ERROR
0xc0020044 RPC NT ZERO DIVIDE
0xc0020045 RPC NT ADDRESS ERROR
0xc0020046 RPC NT FP DIV ZERO
0xc0020047 RPC NT FP UNDERFLOW
0xc0020048 RPC NT FP OVERFLOW
0xc0020049 RPC NT CALL IN PROGRESS
0xc002004a RPC NT NO MORE BINDINGS
0xc002004b RPC NT GROUP MEMBER NOT FOUND
0xc002004c EPT NT CANT CREATE
0xc002004d RPC NT INVALID OBJECT
0xc002004f RPC NT NO INTERFACES
0xc0020050 RPC NT CALL CANCELLED
0xc0020051 RPC NT BINDING INCOMPLETE
0xc0020052 RPC NT COMM FAILURE
0xc0020053 RPC NT UNSUPPORTED AUTHN LEVEL
0xc0020054 RPC NT NO PRINC NAME
0xc0020055 RPC NT NOT RPC ERROR
0xc0020057 RPC NT SEC PKG ERROR
0xc0020058 RPC NT NOT CANCELLED
0xc0000205 SMB STATUS INSUFF SERVER RESOURCES
0xc0000206 NT STATUS INVALID BUFFER SIZE
0xc0000207 NT STATUS INVALID ADDRESS COMPONENT
0xc0000208 NT STATUS INVALID ADDRESS WILDCARD
0xc0000209 NT STATUS TOO MANY ADDRESSES
0xc000020a NT STATUS ADDRESS ALREADY EXISTS
0xc000020b NT STATUS ADDRESS CLOSED
0xc000020c NT STATUS CONNECTION DISCONNECTED
0xc000020d NT STATUS CONNECTION RESET
0xc000020e NT STATUS TOO MANY NODES
0xc000020f NT STATUS TRANSACTION ABORTED
0xc0000210 NT STATUS TRANSACTION TIMED OUT
0xc0000211 NT STATUS TRANSACTION NO RELEASE
0xc0000212 NT STATUS TRANSACTION NO MATCH
0xc0000213 NT STATUS TRANSACTION RESPONDED
0xc0000214 NT STATUS TRANSACTION INVALID ID
0xc0000215 NT STATUS TRANSACTION INVALID TYPE
0xc0000216 NT STATUS NOT SERVER SESSION
0xc0000217 NT STATUS NOT CLIENT SESSION
0xc0000218 NT STATUS CANNOT LOAD REGISTRY FILE
0xc0000219 NT STATUS DEBUG ATTACH FAILED
0xc000021a NT STATUS SYSTEM PROCESS TERMINATED
0xc000021b NT STATUS DATA NOT ACCEPTED
0xc000021c NT STATUS NO BROWSER SERVERS FOUND
0xc000021d NT STATUS VDM HARD ERROR
0xc000021e NT STATUS DRIVER CANCEL TIMEOUT
0xc000021f NT STATUS REPLY MESSAGE MISMATCH
0xc0000220 NT STATUS MAPPED ALIGNMENT
0xc0000221 NT STATUS IMAGE CHECKSUM MISMATCH
0xc0000222 NT STATUS LOST WRITEBEHIND DATA
0xc0000223 NT STATUS CLIENT SERVER PARAMETERS INVALID
0xc0000224 NT STATUS PASSWORD MUST CHANGE
0xc0000225 NT STATUS NOT FOUND
0xc00002f1 NT STATUS NO IP ADDRESSES
0xc00002f2 NT STATUS WRONG CREDENTIAL HANDLE
0xc00002f3 NT STATUS CRYPTO SYSTEM INVALID
0xc00002f4 NT STATUS MAX REFERRALS EXCEEDED
0xc00002f5 NT STATUS MUST BE KDC
0xc00002f6 NT STATUS STRONG CRYPTO NOT SUPPORTED
0xc00002f7 NT STATUS TOO MANY PRINCIPALS
0xc00002f8 NT STATUS NO PA DATA
0xc00002f9 NT STATUS PKINIT NAME MISMATCH
0xc00002fa NT STATUS SMARTCARD LOGON REQUIRED
0xc00002fb NT STATUS KDC INVALID REQUEST
0xc00002fc NT STATUS KDC UNABLE TO REFER
0xc00002fd NT STATUS KDC UNKNOWN ETYPE
0xc00002fe NT STATUS SHUTDOWN IN PROGRESS
0xc00002ff NT STATUS SERVER SHUTDOWN IN PROGRESS
0xc0000300 NT STATUS NOT SUPPORTED ON SBS
0xc0000301 NT STATUS WMI GUID DISCONNECTED
0xc0000302 NT STATUS WMI ALREADY DISABLED
0xc0000303 NT STATUS WMI ALREADY ENABLED
0xc0000304 NT STATUS MFT TOO FRAGMENTED
0xc0000305 NT STATUS COPY PROTECTION FAILURE
0xc0000306 NT STATUS CSS AUTHENTICATION FAILURE
0xc0000307 NT STATUS CSS KEY NOT PRESENT
0xc0000308 NT STATUS CSS KEY NOT ESTABLISHED
0xc0000309 NT STATUS CSS SCRAMBLED SECTOR
0xc000030a NT STATUS CSS REGION MISMATCH
0xc000030b NT STATUS CSS RESETS EXHAUSTED
0xc0000320 NT STATUS PKINIT FAILURE
0xc0000321 NT STATUS SMARTCARD SUBSYSTEM FAILURE
0xc0000322 NT STATUS NO KERB KEY
0xc0000350 NT STATUS HOST DOWN
0xc0000351 NT STATUS UNSUPPORTED PREAUTH
0xc0000352 NT STATUS EFS ALG BLOB TOO BIG
0xc0000353 NT S
0xc0000064 NT STATUS NO SUCH USER
0xc0000065 NT STATUS GROUP EXISTS
0xc0000066 NT STATUS NO SUCH GROUP
0xc0000067 NT STATUS MEMBER GROUP
0xc0000068 NT STATUS MEMBER NOT IN GROUP
0xc0000069 NT STATUS LAST ADMIN
0xc000006a SMB STATUS WRONG PASSWORD
0xc000006b NT STATUS ILL FORMED PASSWORD
0xc000006c NT STATUS PASSWORD RESTRICTION
0xc000006d SMB STATUS LOGON FAILURE
0xc000006e NT STATUS ACCOUNT RESTRICTION
0xc000006f SMB STATUS INVALID LOGON HOURS
0xc0000070 SMB STATUS INVALID WORKSTATION
0xc0000071 SMB STATUS PASSWORD EXPIRED
0xc0000072 SMB STATUS ACCOUNT DISABLED
0xc0000074 NT STATUS TOO MANY LUIDS REQUESTED
0xc0000075 NT STATUS LUIDS EXHAUSTED
0xc0000076 NT STATUS INVALID SUB AUTHORITY
0xc0000077 NT STATUS INVALID ACL
0xc0000078 NT STATUS INVALID SID
0xc0000079 NT STATUS INVALID SECURITY DESCR
0xc000007a NT STATUS PROCEDURE NOT FOUND

Table 13.10 (continued from previous page): NTSTATUS, severity
Figure 8.33: Peak in server response time, Application EURT

By clicking on that zone, we can see this client zone application dashboard. From this you can conclude that only one client/user was impacted. This issue was definitely due to a slow response of the server: it may be due to an application issue or to a request which is specifically hard to respond to.

2nd example

Figure 8.34: Peak in server response time, Application dashboard (application Samba/CIFS, query from 2010-06-07 08:00:00+02:00 to 2010-06-08 10:00:00+02:00, Aggregate Level 7200, with a breakdown by server and a breakdown by client zone)

Application Dashboard for a relevant period in the past (48 hours, for example). This dashboard shows, in the upper part, the evolution of the End User Response Time (EURT) through time for this fileserver. We can easily observe that the quality of experience of users accessing this application got much worse yesterday afternoon. We can easi
13.6 CIFS Status Categories

Table 13.10 (continued from previous page): NTSTATUS, severity
(Figure: VoIP quality charts for 2011-09-07 08:15 to 18:15: Callee Packet loss, Caller Packet loss and Ongoing Calls over time)

VoIP Bandwidth & Call Volume

This view shows:
• for the first one, a chart of the bandwidth used for voice and for signalization (Figure 8.5: VoIP Bandwidth Chart);
• the evolution of the volume of calls through time. Calls are distributed between successful and unsuccessful calls: successful calls are conversations where some voice was exchanged, unsuccessful calls are conversations without any voice exchanged (Figure 8.6: VoIP Calls Volume).

VoIP Conversations & Details

The two last views show each call individually, with some usage metrics for VoIP Conversations. The VoIP Details view is the same table but with performance metrics.

8.4 Application dashboards

Dashboards are reports fitting on a single screen that put together all relevant information to understand how the application is doing. They are present in APS from version 1.7.

(Figure: VoIP Conversations table with the columns Sync, Begin Time, Duration, Caller, Caller Zone, Callee, Callee Zone, Application, MOS, Packet loss, Traffic)
13.1 Integration with other Tools

13.1.1 How to integrate your APS with Cacti

Importing PV template in your Cacti

We recommend following these easy steps in order to ease the integration of PV hosts into the open source Cacti network monitoring system.

Download configuration files

First you must download a set of files from our web site [1]. Unzip this archive somewhere before proceeding. These files are two-fold: three of them, being host templates, can be uploaded from the Cacti GUI; the others, being SNMP query templates, must be copied into Cacti's resource directory.

Upload host templates

Log in to your Cacti GUI with the admin user and go to the Import Templates page. There you can upload the file named cacti_host_template_sniffer.xml.

Figure 13.1: Import/Export (file selection and RRA settings of the Import Templates page)

Which should bring you to a success page such as:

Repeat this operation for the two other host templates, cacti_host_template_pv_central.xml and cacti_host_template_pv_probe.xml.

Copy data queries

This step is not enough, though, since these templates use custom SNMP data queries. If you go to Data Queries you will notice a set of new entries

[1] http download securactive net pv misc nagios cacti config zip
Figure 5.4: DNS specialised view

5.3.3 Limitations

If the rate of incoming packets exceeds the rate at which the sniffer can parse the traffic for too long, then some packets may be dropped by the Linux kernel. These packets won't get accounted for in the GUI.

As a realtime protocol analyzer, the sniffer is also limited in what protocols it supports and how deep it inspects packets. Here is a quick overview of the most blatant limitations:
• The Ethernet parser supports the Linux cooked capture extension (used when capturing on interfaces) and 802.1q VLAN tags. All other Ethernet extensions are ignored.
• The ARP parser knows only Ethernet and IP addresses.
• The DNS parser supports MDNS, NBNS and LLMNR to the extent where these protocols mimic legacy DNS (with the exception that it can unscramble NetBIOS encoded names).
• FTP connection tracking merely looks for PASV or PORT commands in the TCP stream, without much care for the actual protocol.
• TCP options are ignored.
• The PostgreSQL parser supports only protocol version 3.0, and the MySQL pa
Figure 8.19: Viewing query and response (packet list, decoded headers of an "HTTP/1.1 302 Moved Temporarily" response and hex dump)

Note: Why SPV does not directly use a Zone or an Application to capture PCAP files: we want to capture the flow for troubleshooting from the very first packet, but with the information of this single packet SPV cannot know what the Zone or the Application of the flow is.

Note: PCAP files are a sample of the conversation. If you request on a one hour interval and get a PCAP file, the PCAP will not contain one hour of data but only the data which match the above condit
0xc0000295 NT STATUS WMI GUID NOT FOUND
0xc0000296 NT STATUS WMI INSTANCE NOT FOUND
0xc0000297 NT STATUS WMI ITEMID NOT FOUND
0xc0000298 NT STATUS WMI TRY AGAIN
0xc0000299 NT STATUS SHARED POLICY
0xc000029a NT STATUS POLICY OBJECT NOT FOUND
0xc000029b NT STATUS POLICY ONLY IN DS
0xc000029c NT STATUS VOLUME NOT UPGRADED
0xc000029d NT STATUS REMOTE STORAGE NOT ACTIVE
0xc000029e NT STATUS REMOTE STORAGE MEDIA ERROR
0xc000029f NT STATUS NO TRACKING SERVICE
0xc00002a0 NT STATUS SERVER SID MISMATCH
0xc00002a1 NT STATUS DS NO ATTRIBUTE VALUE
0xc00002a2 NT STATUS DS INVALID ATTRIBUTE SYNTAX
0xc00002a3 NT STATUS DS ATTRIBUTE TYPE UNDEFINED
0xc00002a4 NT STATUS DS ATTRIBUTE OR VALUE EXISTS
0xc00002a5 NT STATUS DS BUSY
0xc00002a6 NT STATUS DS UNAVAILABLE
0xc00002a7 NT STATUS DS NO RIDS ALLOCATED
0xc00002a8 NT STATUS DS NO MORE RIDS
0xc00002a9 NT STATUS DS INCORRECT ROLE OWNER
0xc00002aa NT STATUS DS RIDMGR INIT ERROR
0xc00002ab NT STATUS DS OBJ CLASS VIOLATION
0xc00002ac NT STATUS DS CANT ON NON LEAF

Table 13.10 (continued from previous page): NTSTATUS, severity
Figure 6.10: Console login prompt (kernel messages for eth1: MTU change, NIC link up, device entered promiscuous mode, followed by the Debian GNU/Linux login prompt of the spv host on tty1)

The summary view provided by vSphere displays the parameters such as IP addresses.

Figure 6.11: Summary View (vSphere summary of the Performance Vision VM: Guest OS Debian GNU/Linux 5 (64-bit), 1 vCPU, 1024 MB memory, VMware Tools running, 17.04 GB provisioned storage, networks "Standard port group" and "Mirror", state Powered On)

Note: The virtual machine has a second 150 GB hard disk that you can resize depending on your needs, but then you
Table 13.10 (continued from previous page): NTSTATUS, severity
Table 13.10 (continued from previous page): NTSTATUS, severity

0x40000294 NT STATUS WAKE SYSTEM
0x40000370 NT STATUS DS SHUTTING DOWN
0x40020056 RPC NT UUID LOCAL ONLY
0x400200af RPC NT SEND INCOMPLETE
0x80000001 NT STATUS GUARD PAGE VIOLATION
0x80000002 NT STATUS DATATYPE MISALIGNMENT
0x80000003 NT STATUS BREAKPOINT
0x80000004 NT STATUS SINGLE S
"There was a problem executing this data query. You can run this data query in debug mode to get more information."

Figure 13.8: Create disk space graphs (select a graph type, e.g. SPV BCN Latency, then Create)

If you already have some defined, you will also find a graph template for every BCA and 3 possible graphs for every BCN (for latency, retransmission and traffic).

Figure 13.9: Create BCA and BCN graphs (Data Query SPV BCA: Name; Data Query SPV BCN: Name; select a graph type)

Once you have checked all the graphs you are interested in, click on the Create button and, if all goes well, you should be welcomed with a message such as:

Created graph CactiTest Denied Parsers
Created graph CactiTest Avg Response Time
Created graph CactiTest Load Average
Created graph CactiTest Memory Usage
Created graph CactiTest Packets 1
Created graph CactiTest Packets eth1 1
Created graph CactiTest Packets eth1 2
Created graph CactiTest Packets eth1 3
Created graph CactiTest Packets eth1 4
Created graph CactiTest Cells voip
Created graph CactiTest Cells udp
Created graph CactiTest Cells tcp
Created graph CactiTest Cells icmp
Created graph CactiTest Cells dns
Created graph CactiTest Cells url
Created graph CactiTest Cells other ip
Created graph CactiTest Cells n
Figure 3.1: Zone tree as displayed in SPV select boxes, showing the default configuration (zone names shown: Broadcast, Local, APIPA (RFC3927), Clients, LAN, Building 1, Building 2, Financial, IT, LAN Guests, gwa, Management, Sales, VPN, WIFI, WIFI Guest, Servers, Antivirus, Backup, Citrix, Database, DMZ, DMZ External, DMZ Internal, DNS, Domain Controller, Multicast, Private, Fallback, Public, Remote)

3.2.2 Selections

Zone names, although not used in the aforementioned process, play an important role in the GUI. As you can see in the example, zone names are organised in a tree of sub-names delimited with slashes, not unlike a standard file system. For instance, LAN/Servers/Web is made of three components, meant to be read as the host Web among the Servers in the LAN. Here LAN is said to be the parent zone of LAN/Servers and LAN/Fallback, and LAN/Servers is said to be the parent zone of LAN/Servers/Mail and LAN/Servers/Web.

In all select boxes of the GUI, selecting a parent zone will select all conversations that fall in this zone or in any of its child zones. For instance, in the above example, selecting LAN/Servers will select all conversations in LAN/Servers/Mail, LAN/Servers/Web and LAN/Servers/Fallback.

3.2.3 Fallbacks

By convention, a fallback is a zone with a larger filter but lower priority than a set of more specific rules. For instance, in th
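The zone-tree and fallback behaviour described in 3.2.2 and 3.2.3, as an added Python example that is not part of the guide or of the appliance's code: zone names are slash-delimited, selecting a parent selects every descendant, and an address is classified by the highest-priority matching rule so that a broad, low-priority "Fallback" zone only catches what no specific rule matched. The ZONE_RULES table (names, networks, priorities) and the function names are constructed for this example.

```python
import ipaddress

# Constructed example zone configuration (not the appliance's default one):
# zone name, address filter, priority. A larger filter with lower priority
# is what the guide calls a fallback.
ZONE_RULES = [
    ("LAN/Servers/Mail", "192.168.10.25/32", 100),
    ("LAN/Servers/Web", "192.168.10.80/32", 100),
    ("LAN/Servers/Fallback", "192.168.10.0/24", 10),
    ("LAN/Fallback", "192.168.0.0/16", 1),
]


def parent_zone(name):
    """'LAN/Servers/Web' -> 'LAN/Servers'; a top-level zone has no parent."""
    head, sep, _ = name.rpartition("/")
    return head if sep else None


def all_zones(rules=ZONE_RULES):
    """Every configured zone plus the implicit parents that make up the tree."""
    zones = set()
    for name, _net, _prio in rules:
        while name:
            zones.add(name)
            name = parent_zone(name)
    return sorted(zones)


def zones_selected_by(selected, zones):
    """Selecting a zone in a GUI select box selects it and all of its descendants."""
    prefix = selected + "/"
    return [z for z in zones if z == selected or z.startswith(prefix)]


def classify(ip, rules=ZONE_RULES):
    """Most specific (highest priority) matching rule wins; fallbacks catch the rest."""
    addr = ipaddress.ip_address(ip)
    best = None
    for name, net, prio in rules:
        if addr in ipaddress.ip_network(net):
            if best is None or prio > best[0]:
                best = (prio, name)
    return best[1] if best else None


if __name__ == "__main__":
    print(all_zones())
    print(zones_selected_by("LAN/Servers", all_zones()))
    for ip in ("192.168.10.25", "192.168.10.99", "192.168.77.1", "10.0.0.1"):
        print(ip, "->", classify(ip))
```

With these rules 192.168.10.99 lands in LAN/Servers/Fallback (the /24 rule, priority 10) rather than in LAN/Fallback (the /16 rule, priority 1), and an address outside 192.168.0.0/16 belongs to no zone at all, which is the case to watch for when reviewing a zone configuration.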
- Client and Server Zone: zone in which the clients and servers are located (see Types of Conversations for details on client/server identification)
- Protocol Stack: allows selecting only those flows identified by the sniffer as featuring this protocol stack (use with caution)
- Poller: to filter on a single poller
- Device Identifier: to filter on a single network adapter
- VLAN: to select flows from a given Ethernet VLAN tag or range
- Ethernet Protocol: to filter on a given Ethernet protocol
- Client and Server Ethernet Address: MAC addresses or ranges of the clients and servers of this application
- Web Application Pattern: allows selecting those HTTP messages concerning only a given URL pattern

Web Application Pattern

The web application pattern in an application rule is used to identify HTTP applications specifically. Patterns are matched against the URLs contained in HTTP requests. A pattern should contain at least a domain name, optionally including wildcard characters; if you check regex mode, you can set POSIX regular expressions instead.

Notice that in a typical conversation several HTTP messages referring to several URLs will be present. The application rule will only be checked against the first encountered URL per socket. This is not a problem if all URLs in a given socket follow the same pattern, which is usually the case provided your pattern is not too picky.

7.3.4 Business Critical Applicati
Status (continued from previous page): EADY_LISTENING, RPC_NT_NO_PROTSEQS_REGISTERED, NT_NOT_LISTENING, RPC_NT_UNKNOWN_MGR_TYPE, RPC_NT_UNKNOWN_IF, RPC_NT_NO_BINDINGS, RPC_NT_PROTSEQS, NT_CANT_CREATE_ENDPOINT, RPC_NT_OUT_OF_RESOURCES, NT_SERVER_UNAVAILABLE, RPC_NT_SERVER_TOO_BUSY, RPC_NT_INVALID_NETWORK_OPTIONS, NT_NO_CALL_ACTIVE, NT_CALL_FAILED, RPC_NT_CALL_FAILED_DNE

Table 13.10 continued from previous page
NTSTATUS    Status
0xc002001e  RPC_NT_PROTOCOL_ERROR
0xc002001f  RPC_NT_UNSUPPORTED_TRANS_SYN
0xc0020021  RPC_NT_UNSUPPORTED_TYPE
0xc0020022  RPC_NT_INVALID_TAG
0xc0020023  RPC_NT_INVALID_BOUND
0xc0020024  RPC_NT_NO_ENTRY_NAME
0xc0020025  RPC_NT_INVALID_NAME_SYNTAX
0xc0020026  RPC_NT_UNSUPPORTED_NAME_SYNTAX
0xc0020028  RPC_NT_UUID_NO_ADDRESS
0xc0020029  RPC_NT_DUPLICATE_ENDPOINT
0xc002002a  RPC_NT_UNKNOWN_AUTHN_TYPE
0xc002002b  RPC_NT_MAX_CALLS_TOO_SMALL
0xc002002c  RPC_NT_STRING_TOO_LONG
0xc002002d  RPC_NT_PROTSEQ_NOT_FOUND
0xc002002e  RPC_NT_PROCNUM_OUT_OF_RANGE
0xc002002f  RPC_NT_BINDING_HAS_NO_AUTH
0xc0020030  RPC_NT_UNKNOWN_AUTHN_SERVICE
0xc0020031  RPC_NT_UNKNOWN_AUTHN_LEVEL
0xc0020032  RPC_NT_INVALID_IDENTITY
0xc0020033  RPC_NT_UNKNOWN_AUTHZ_SERVICE
0xc0020034  EPT_NT_INVALID_ENTRY
0xc0020035  EPT_NT_CANT_PERFORM_OP
0xc0020036  EPT_NT_NOT_REGISTERED
0xc0020037  RPC_NT_NOTHING_TO_EXPORT
0xc0020038  RPC_NT_INCOMPLETE_NAME
0xc
Status (continued from previous page): EMBER, NT_STATUS_KEY_DELETED, NT_STATUS_NO_LOG_SPACE, NT_STATUS_TOO_MANY_SIDS, NT_STATUS_CROSS_ENCRYPTION_REQUIRED, NT_STATUS_KEY_HAS_CHILDREN, NT_STATUS_CHILD_MUST_VOLATILE, NT_STATUS_DEVICE_CONFIGURATION_ERROR, NT_STATUS_DRIVER_INTERNAL_ERROR, SMB_STATUS_INVALID_DEVICE_STATE, NT_STATUS_IO_DEVICE_ERROR, NT_STATUS_DEVICE_PROTOCOL_ERROR, NT_STATUS_BACKUP_CONTROLLER, NT_STATUS_LOG_FILE_FULL, NT_STATUS_TOO_LATE, NT_STATUS_NO_TRUST_LSA_SECRET, NT_STATUS_NO_TRUST_SAM_ACCOUNT, NT_STATUS_TRUSTED_DOMAIN_FAILURE, NT_STATUS_TRUSTED_RELATIONSHIP_FAILURE, NT_STATUS_EVENTLOG_FILE_CORRUPT, NT_STATUS_EVENTLOG_CANT_START, NT_STATUS_TRUST_FAILURE, NT_STATUS_MUTANT_LIMIT_EXCEEDED

Table 13.10 continued from previous page
NTSTATUS    Status
0xc0000192  NT_STATUS_NETLOGON_NOT_STARTED
0xc0000193  SMB_STATUS_ACCOUNT_EXPIRED
0xc0000194  NT_STATUS_POSSIBLE_DEADLOCK
0xc0000195  NT_STATUS_NETWORK_CREDENTIAL_CONFLICT
0xc0000196  NT_STATUS_REMOTE_SESSION_LIMIT
0xc0000197  NT_STATUS_EVENTLOG_FILE_CHANGED
0xc0000198  NT_STATUS_NOLOGON_INTERDOMAIN_TRUST_ACCOUNT
0xc0000199  NT_STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT
0xc000019a  NT_STATUS_NOLOGON_SERVER_TRUST_ACCOUNT
0xc000019b  NT_STATUS_DOMAIN_TRUST_INCONSISTENT
0xc000019c  NT_STATUS_FS_DRIVER_REQUIRED
0xc0000202  NT_STATUS_NO_USER_SESSION_KEY
0xc0000203  NT_STATUS_USER_SESSION_DELETED
0xc0000204  NT_STATUS_RESOURCE_LANG_NOT_FOUND
0xc00
  Http -> match
- check_snmp_securactive.pl -H 10.0.0.1 -a http -i -r
  check BCA pattern match "http", case insensitive: https -> not match, Http -> match
- check_snmp_securactive.pl -H 10.0.0.1 -a 'google|http'
  check BCA regex match "google" or "http", case sensitive
- check_snmp_securactive.pl -H 10.0.0.1 -a http
  check BCA regex match "http", case sensitive: http -> match, https -> not match, Http -> not match
- check_snmp_securactive.pl -H 10.0.0.1 -n
  check all BCN
- check_snmp_securactive.pl -H 10.0.0.1 -n fallback
  check BCN regex match "fallback", case sensitive
- check_snmp_securactive.pl -H 10.0.0.1 -a http -i -n internet atob
  check BCA regex match "http", case insensitive, check BCN regex match "internet", case insensitive, and check only zone to zone b way

Nagios configuration file example

This is only an example of a Nagios configuration file:

  define command {
      command_name    check_securactive
      command_line    $USER2$/check_snmp_securactive.pl -H $HOSTADDRESS$
  }

  define command {
      command_name    check_securactive_bca
      command_line    $USER2$/check_snmp_securactive.pl -H $HOSTADDRESS$ -a 15 5 25
  }

  define command {
      command_name    check_securactive_bcn
      command_line    $USER2$/check_snmp_securactive.pl -H $HOSTADDRESS$ -n 15 5 25
  }

  define host {
      host_name   beta
      alias       beta
      address     192.168.30.30
      use         generic-host
  }

  define service {
      name        bca_ssh
- GUI: Advanced filters on client/server pages
- GUI: IP subnet filter in the matrix page
- GUI: Improved time frame selection, with a history of the last five used
- Pulsar: Pulsar now displays license information on the poller command

1.16.2 Changes

- GUI: screen reorganisation. We now have Tops for clients, servers, applications and ports.
- GUI: ICMP messages regarding different connections are no longer merged.

1.16.3 Major bug fixes

- Metrics: TCP keepalives no longer interrupt a data flow
- Pulsar: Fix Pulsar process command
- GUI: Fix filters on unilateral flows or retransmission
- Reports: Fix missing columns in some reports

1.17 What's New in 2.5

1.17.1 Installation notes

The Service Pack update must be installed before migrating from 2.x to 2.5. If the Service Pack is not installed, the 2.5 upgrade will not start. Migration must be done from a 2.x version: if you currently have a 1.x version, please update first to version 2.0 or 2.3, then install the Service Pack, then install the 2.5 update.

1.17.2 New Features

- Autopcap for Business Critical Applications: available in Network conversation, DNS and VoIP depending on configuration. It works for both local and distributed environments.
- New Metric: DTT Client added to the several screens where the DTT Server was already present.
- New Protocols: LLMNR, Li
Status (continued from previous page): ID_PARAMETER_1, NT_STATUS_INVALID_PARAMETER_2, NT_STATUS_INVALID_PARAMETER_3, NT_STATUS_INVALID_PARAMETER_4, NT_STATUS_INVALID_PARAMETER_5, NT_STATUS_INVALID_PARAMETER_6, NT_STATUS_INVALID_PARAMETER_7, NT_STATUS_INVALID_PARAMETER_8, NT_STATUS_INVALID_PARAMETER_9, NT_STATUS_INVALID_PARAMETER_10, NT_STATUS_INVALID_PARAMETER_11, NT_STATUS_INVALID_PARAMETER_12, STATUS_REDIRECTOR_NOT_STARTED, NT_STATUS_REDIRECTOR_STARTED, NT_STATUS_STACK_OVERFLOW, NT_STATUS_NO_SUCH_PACKAGE, NT_STATUS_BAD_FUNCTION_TABLE, NT_STATUS_VARIABLE_NOT_FOUND, SMB_STATUS_DIRECTORY_NOT_EMPTY, NT_STATUS_FILE_CORRUPT_ERROR, NT_STATUS_NOT_A_DIRECTORY, NT_STATUS_BAD_LOGON_SESSION_STATE, NT_STATUS_LOGON_SESSION_COLLISION, NT_STATUS_NAME_TOO_LONG, NT_STATUS_FILES_OPEN, NT_STATUS_CONNECTION_IN_USE, NT_STATUS_MESSAGE_NOT_FOUND, SMB_STATUS_PROCESS_IS_TERMINATING, NT_STATUS_INVALID_LOGON_TYPE, NT_STATUS_NO_GUID_TRANSLATION, NT_STATUS_CANNOT_IMPERSONATE, NT_STATUS_IMAGE_ALREADY_LOADED, NT_STATUS_ABIOS_NOT_PRESENT, NT_STATUS_ABIOS_LID_NOT_EXIST, NT_STATUS_ABIOS_LID_ALREADY_OWNED, NT_STATUS_ABIOS_NOT_LID_OWNER, NT_STATUS_ABIOS_INVALID_COMMAND, NT_STATUS_ABIOS_INVALID_LID, NT_STATUS_ABIOS_SELECTOR_NOT_AVAILABLE, NT_STATUS_ABIOS_INVALID_SELECTOR, NT_STATUS_NO_LDT, NT_STATUS_INVALID_LDT_SIZE, NT_STATUS_INVALID_LDT_OFFSET, NT_STATUS_INVALID_LDT_DESCRIPTOR, NT_STATUS_INVALID_IMAGE_NE_FORMAT, NT_STATUS_RXACT_INVALID_STATE, NT_STATUS_COMMIT_FAILURE, NT_S
- (continued): The MIT License
- jquery.ui.statusbar: The MIT License
- mColorPicker: The MIT License
- jsonrpclib: Apache
- Salt: Apache
- lxml: BSD, GPL, PSF, CWI
- enum: Choice of GPL or Python license
- psycopg2: GPL with exceptions or ZPL
- dnspython: ISC
- paramiko: LGPL
- PostgreSQL: PostgreSQL Licence
- setuptools: PSF
- FormEncode: PSF
- pycrypto: Public domain
- docutils: public domain, Python 2-Clause BSD, GPL 3 (see COPYING.txt)
- Python: Python Software Foundation licence
- pychartdir: SecurActive license
- Pillow: Standard PIL License

Components licensed under the Repoze license: Chameleon, pyramid, pyramid_mako, pyramid_tm, repoze.lru, repoze.profile, repoze.who, superlance, supervisor, translationstring, venusian

Components licensed under the BSD license: Fanstatic, Jinja2, MarkupSafe, Pygments, Sphinx, collective.recipe.template, configobj, fanstatic.js, amcharts.js, jQuery.js, jQuery kinetic.js, jquery-timepicker-addon.js, jQueryUI, mechanize, mock, netaddr, pyprof2calltree, pyramid_debugtoolbar, reportlab, sqlparse

Components licensed under the MIT license: Mailer, Mako, MiniMock, Paste, PasteDeploy, SQLAlchemy, Tempita, WebOb, WebTest, beautifulsoup4, cmdln, ecdsa, pyparsing, pytz, six, wsgi_intercept
Index (continued)
D: Identifier, 127; DiffServ Code Point (DSCP), 127; Distributed Architecture, 45; DNS, 109, 122; DNS performance, 22; DTT, 97, 121
E: Email, 76; End User Response Time, 128; EURT, 88, 96; Export, 23
F: Fallback, 27, 128; Flow, 128
G: Graphical Interface, 9
H: HTTP analysis, 14; HTTP hit, 128; HTTP page, 128; HTTPS, 79
I: ICMP, 23, 107; Initial Sequence Number, 122, 128; IP merging, 30
J: Jitter, 85, 128
K: KiB, 27
L: Language, 67; License, 111, 117; License Check, 119; Login, 11
M: Matrix, 16; Maximum Transfer Unit (MTU), 128; Media Access Control (MAC) address, 128; metric, 34; MiB, 27; Mirroring, 40, 43; MOS, 83, 85
N: Nagios, 134; Netflow, 50
O: Observation period, 128; Open Source, 123; Operating System (OS), 128
P: Packet Analysis, 92; Packet Loss, 85; PCAP, 92; PDF, 23, 74; Performance Chart, 12; Poller, 128; Promiscuous mode, 49; Protocol, 41; Protocol Stack, 128; Pulsar, 63, 66
R: Report, 74; Reset, 106; Restore, 64; Retransmission, 106, 128; Retransmission Delay (RD), 128; Retransmission Duplicate ACK, 128; Retransmission Rate (RR), 128; Retransmission Total, 129; RFC: RFC 1034, 109; RFC 1035, 109; RFC 3261, 83; RFC 3435, 83; RFC 3550, 83; RFC 3551, 83; RFC 3605, 83; Round Trip Time (RTT), 129; RST, 106; RTCP, 83; RTP, 83; RTT, 96
S: Server, 31; Server Response Time, 5, 129; Session, 123, 129; Shell, 63; SIP, 83; SNM
[Figure 6.5 shows the SecurActive Appliance License Agreement screen (French text of the agreement: acceptance terms for the appliance, its updates and upgrades, and section 1 "Definitions"; a printable version is available on the SecurActive extranet site).]
Figure 6.5: Read, then click on Acc
Status (continued from previous page): N, NT_STATUS_PNP_RESTART_ENUMERATION, NT_STATUS_JOURNAL_ENTRY_DELETED, NT_STATUS_DS_CANT_MOD_PRIMARYGROUPID, NT_STATUS_SYSTEM_IMAGE_BAD_SIGNATURE, NT_STATUS_REBOOT_REQUIRED, NT_STATUS_POWER_STATE_INVALID, NT_STATUS_DS_INVALID_GROUP_TYPE, NT_STATUS_DS_NO_NEST_GLOBALGROUP_IN_MIXEDDOMAIN, NT_STATUS_DS_NO_NEST_LOCALGROUP_IN_MIXEDDOMAIN, NT_STATUS_DS_GLOBAL_CANT_HAVE_LOCAL_MEMBER, NT_STATUS_DS_GLOBAL_CANT_HAVE_UNIVERSAL_MEMBER, NT_STATUS_DS_UNIVERSAL_CANT_HAVE_LOCAL_MEMBER, NT_STATUS_DS_GLOBAL_CANT_HAVE_CROSSDOMAIN_MEMBER, NT_STATUS_DS_LOCAL_CANT_HAVE_CROSSDOMAIN_LOCAL_MEMBER, NT_STATUS_DS_HAVE_PRIMARY_MEMBERS, NT_STATUS_WMI_NOT_SUPPORTED, NT_STATUS_INSUFFICIENT_POWER, NT_STATUS_SAM_NEED_BOOTKEY_PASSWORD, NT_STATUS_SAM_NEED_BOOTKEY_FLOPPY, NT_STATUS_DS_CANT_START, NT_STATUS_DS_INIT_FAILURE, NT_STATUS_SAM_INIT_FAILURE, NT_STATUS_DS_GC_REQUIRED, NT_STATUS_DS_LOCAL_MEMBER_OF_LOCAL_ONLY, NT_STATUS_DS_NO_FPO_IN_UNIVERSAL_GROUPS, NT_STATUS_DS_MACHINE_ACCOUNT_QUOTA_EXCEEDED, NT_STATUS_MULTIPLE_FAULT_VIOLATION, NT_STATUS_CURRENT_DOMAIN_NOT_ALLOWED, NT_STATUS_CANNOT_MAKE

Table 13.10 continued from previous page
NTSTATUS    Status
0xc00002eb  NT_STATUS_SYSTEM_SHUTDOWN
0xc00002ec  NT_STATUS_DS_INIT_FAILURE_CONSOLE
0xc00002ed  NT_STATUS_DS_SAM_INIT_FAILURE_CONSOLE
0xc00002ee  NT_STATUS_UNFINISHED_CONTEXT_DELETED
0xc00002ef  NT_STATUS_NO_TGT_REPLY
0xc00002f0  NT_STATUS_OBJECTID_NOT_FOUND
0xc000
NTSTATUS    Status
(previous)  NK_FAILED
0xc000013f  NT_STATUS_LINK_TIMEOUT
0xc0000140  NT_STATUS_INVALID_CONNECTION
0xc0000141  NT_STATUS_INVALID_ADDRESS
0xc0000142  NT_STATUS_DLL_INIT_FAILED
0xc0000143  NT_STATUS_MISSING_SYSTEMFILE
0xc0000144  NT_STATUS_UNHANDLED_EXCEPTION
0xc0000145  NT_STATUS_APP_INIT_FAILURE
0xc0000146  NT_STATUS_PAGEFILE_CREATE_FAILED
0xc0000147  NT_STATUS_NO_PAGEFILE
0xc0000148  NT_STATUS_INVALID_LEVEL
0xc0000149  NT_STATUS_WRONG_PASSWORD_CORE
0xc000014a  NT_STATUS_ILLEGAL_FLOAT_CONTEXT
0xc000014b  NT_STATUS_PIPE_BROKEN
0xc000014c  NT_STATUS_REGISTRY_CORRUPT
0xc000014d  NT_STATUS_REGISTRY_IO_FAILED
0xc000014e  NT_STATUS_NO_EVENT_PAIR
0xc000014f  NT_STATUS_UNRECOGNIZED_VOLUME
0xc0000150  NT_STATUS_SERIAL_NO_DEVICE_INITED
0xc0000151  NT_STATUS_NO_SUCH_ALIAS
0xc0000152  NT_STATUS_MEMBER_NOT_IN_ALIAS
0xc0000153  NT_STATUS_MEMBER_IN_ALIAS
0xc0000154  NT_STATUS_ALIAS_EXISTS
0xc0000155  NT_STATUS_LOGON_NOT_GRANTED
0xc0000156  NT_STATUS_TOO_MANY_SECRETS

Table 13.10 continued from previous page (columns: NTSTATUS, Status, severity)
NTSTATUS column of the rows on this page: 0xc0000157, 0xc0000158, 0xc0000159, 0xc000015a, 0xc000015b, 0xc000015c, 0xc000015d, 0xc000015e, 0xc000015f, 0xc0000160, 0xc0000161, 0xc0000162, 0xc0000163, 0xc0000164, 0xc0000165, 0xc0000166, 0xc0000167, 0xc0000168, 0xc0000169, 0xc000016a, 0xc000016b, 0xc000016c, 0xc000016d, 0xc000016e
[Figure 7.8: Application list screen. Rows shown: NC tcp ("Not classified tcp flows", rule IP protocol = tcp); NC udp ("Not classified udp flows", rule IP protocol = udp); Proxy (rule Port 3128); Active API Server (rule Port 3128); Social Network (rules Pattern www.linkedin.com and Pattern www.facebook).]
[Figure 7.9: Application configuration screen for the application "http" (Name: http; Color; Description: World Wide Web HTTP).]

- Name: the designation of each Application, which will be used in displays. This is a mandatory field.
- Color: the color which will be used to display this specific Application in graphs. This is a mandatory field.
- Description: a description field which should be used to track information related to this Application.
- BCA / HTTP / PCAP: flags to mark this application as Business Critical, as requiring HTTP analysis, and/or as requiring automatic traffic capture.

Then, using the Add rule button, you can attach as many rules as you want to this application. A flow that matches any of these rules will be associated with this application. A rule can test any combination of:

- IP Protocol: to select a given IP protocol such as TCP or UDP
- Application Port Range: single port or port range
- Client and Server IP Address: IP addresses or ranges of the clients and servers of this application
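How an application rule is evaluated against a flow, as an added Python example that is not part of the guide or of the appliance's code; it covers the rule fields listed in 7.3 (IP protocol, port range, client/server address ranges) and the Web Application Pattern behaviour described in the same chapter (first URL per socket only, wildcard or regex mode). The application list, the flow records, the exact wildcard semantics (shell-style pattern against host plus path, via fnmatch) and all names are this example's assumptions.

```python
import fnmatch
import ipaddress
import re
from urllib.parse import urlsplit


class Rule:
    """One application rule; every field that is set must match, unset fields are ignored."""

    def __init__(self, ip_proto=None, ports=None, client_net=None, server_net=None,
                 web_pattern=None, regex=False):
        self.ip_proto = ip_proto
        self.ports = ports                      # int or (low, high), inclusive
        self.client_net = ipaddress.ip_network(client_net) if client_net else None
        self.server_net = ipaddress.ip_network(server_net) if server_net else None
        self.web_pattern = web_pattern
        self.regex = regex                      # False: wildcard mode, True: regex mode

    def _port_ok(self, port):
        if self.ports is None:
            return True
        if isinstance(self.ports, tuple):
            low, high = self.ports
            return low <= port <= high
        return port == self.ports

    def _url_ok(self, urls):
        if self.web_pattern is None:
            return True
        if not urls:
            return False                        # pattern set but no HTTP seen on this socket
        # Only the first URL encountered on the socket is checked, as the guide says.
        first = urlsplit(urls[0])
        target = first.netloc + first.path
        if self.regex:
            return re.search(self.web_pattern, target) is not None
        return fnmatch.fnmatchcase(target, self.web_pattern)   # assumed wildcard semantics

    def matches(self, flow):
        return ((self.ip_proto is None or flow["proto"] == self.ip_proto)
                and self._port_ok(flow["server_port"])
                and (self.client_net is None
                     or ipaddress.ip_address(flow["client_ip"]) in self.client_net)
                and (self.server_net is None
                     or ipaddress.ip_address(flow["server_ip"]) in self.server_net)
                and self._url_ok(flow.get("urls", [])))


# Constructed application list, evaluated in order; the first application
# with a matching rule wins. Unmatched flows fall into "NC <proto>".
APPLICATIONS = [
    ("Proxy", [Rule(ip_proto="tcp", ports=3128)]),
    ("Social Network", [Rule(web_pattern="www.linkedin.com*"),
                        Rule(web_pattern="www.facebook.com*")]),
    ("Intranet", [Rule(ip_proto="tcp", ports=(80, 443), server_net="192.168.10.0/24")]),
]


def classify(flow, apps=APPLICATIONS):
    for name, rules in apps:
        if any(r.matches(flow) for r in rules):
            return name
    return "NC " + flow["proto"]


# Constructed flow records (one per socket), not captured data.
FLOWS = {
    "linkedin_first": {"proto": "tcp", "server_port": 80, "client_ip": "192.168.20.5",
                       "server_ip": "203.0.113.10",
                       "urls": ["http://www.linkedin.com/feed", "http://cdn.example.net/a.js"]},
    "cdn_first": {"proto": "tcp", "server_port": 80, "client_ip": "192.168.20.5",
                  "server_ip": "203.0.113.10",
                  "urls": ["http://cdn.example.net/a.js", "http://www.linkedin.com/feed"]},
    "proxy": {"proto": "tcp", "server_port": 3128, "client_ip": "192.168.20.5",
              "server_ip": "192.168.10.3", "urls": ["http://www.facebook.com/"]},
    "dns": {"proto": "udp", "server_port": 53, "client_ip": "192.168.20.5",
            "server_ip": "192.168.10.53"},
    "intranet_tls": {"proto": "tcp", "server_port": 443, "client_ip": "192.168.20.5",
                     "server_ip": "192.168.10.80"},
}

if __name__ == "__main__":
    for label, flow in FLOWS.items():
        print(f"{label:15} -> {classify(flow)}")
```

The "cdn_first" record is the case the guide warns about: the same two URLs in the other order are not classified as Social Network, because only the first URL on the socket is examined. A regex rule such as `Rule(web_pattern=r"^www\.(linkedin|facebook)\.com", regex=True)` has the same limitation.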
P, 76; Source, 31; SRT, 97, 121; Subnet, 129; Support, 66
T: TAP, 40, 122, 123; TCP events, 22; TCP Handshake, 129; Tcpdump, 92, 122; Timeout, 129; TLS, 79; Top reports, 21; Triggered PCAP, 94
U: Upgrade, 117; User, 67
V: VMWare, 47, 51, 123; Voice Quality, 33; VoIP, 83; VPN, 66
W: Web Application Pattern, 129
Z: Zone, 27, 68, 129
[Figure 2.19: Links from detailed metrics back to flows (PostgreSQL, 543 SELECT)]

2.15 PDF / CSV Export

On any web page of the web interface, except for the Configuration section, you will have the ability to export data either in PDF or CSV format. As long as no query has been performed, the export buttons remain deactivated. Once a query has been run, the buttons are activated and you can export the data in the format you prefer. In PDF, you will get a PDF document presenting the same data (tables or graphics) as the ones you got on your browser page. In CSV, you get a text file with the corresponding data values; you can then use this CSV file in any of your own data processing. In case you have several graphics or tables on a page, you will have to choose the one whose associated values you want to export.

Note: you cannot export the Matrix views into CSV files; the hierarchical nature of the Matrix does not fit into the flat structure of the CSV format.

2.16 Filters

For the full technical documentation, please see the appendix Custom Filters. In each report page you can filter the query on different fields. All filters will be combined with the AND operator. When you set a filter and send a request, this filter is saved for the current session. For a more complex search, you can use the custom filters input. In this
NTSTATUS    Status                                Flag (Y)
(previous)  S_TOO_MANY_COMMANDS
0xc00000c2  NT_STATUS_ADAPTER_HARDWARE_ERROR
0xc00000c3  NT_STATUS_INVALID_NETWORK_RESPONSE
0xc00000c4  SMB_STATUS_UNEXPECTED_NETWORK_ERROR
0xc00000c5  NT_STATUS_BAD_REMOTE_ADAPTER
0xc00000c6  SMB_STATUS_PRINT_QUEUE_FULL           Y
0xc00000c7  SMB_STATUS_NO_SPOOL_SPACE             Y
0xc00000c8  SMB_STATUS_PRINT_CANCELLED            Y
0xc00000c9  SMB_STATUS_NETWORK_NAME_DELETED       Y
0xc00000ca  SMB_STATUS_NETWORK_ACCESS_DENIED      Y
0xc00000cb  SMB_STATUS_BAD_DEVICE_TYPE
0xc00000cc  SMB_STATUS_BAD_NETWORK_NAME           Y
0xc00000cd  NT_STATUS_TOO_MANY_NAMES
0xc00000ce  SMB_STATUS_TOO_MANY_SESSIONS          Y
0xc00000cf  NT_STATUS_SHARING_PAUSED
0xc00000d0  SMB_STATUS_REQUEST_NOT_ACCEPTED       Y
0xc00000d1  NT_STATUS_REDIRECTOR_PAUSED
0xc00000d2  NT_STATUS_NET_WRITE_FAULT
0xc00000d3  NT_STATUS_PROFILING_AT_LIMIT
0xc00000d4  SMB_STATUS_NOT_SAME_DEVICE            Y
0xc00000d5  SMB_STATUS_FILE_RENAMED
0xc00000d6  NT_STATUS_VIRTUAL_CIRCUIT_CLOSED
0xc00000d7  NT_STATUS_NO_SECURITY_ON_OBJECT
0xc00000d8  NT_STATUS_CANT_WAIT
0xc00000d9  SMB_STATUS_PIPE_EMPTY                 Y
0xc00000da  NT_STATUS_CANT_ACCESS_DOMAIN_INFO
0xc00000db  NT_STATUS_CANT_TERMINATE_SELF
0xc00000dc  NT_STATUS_INVALID_SERVER_STATE
0xc00000dd  NT_STATUS_INVALID_DOMAIN_STATE
0xc00000de  NT_STATUS_INVALID_DOMAIN_ROLE
0xc00000df  NT_STATUS_NO_SUCH_DOMAIN
0xc00000e0  NT_STATUS_DOMAIN_EXISTS
0xc00000e1  NT_STATUS_DOMAIN_LIMIT_EXCEEDED
0xc00000e2  NT_STATUS_OPLOCK_NOT_GRANTED
0xc00000e3
Status (continued from previous page): SED, NT_STATUS_GRACEFUL_DISCONNECT, NT_STATUS_ADDRESS_ALREADY_ASSOCIATED, NT_STATUS_ADDRESS_NOT_ASSOCIATED, NT_STATUS_CONNECTION_INVALID, NT_STATUS_CONNECTION_ACTIVE, NT_STATUS_NETWORK_UNREACHABLE, NT_STATUS_HOST_UNREACHABLE, NT_STATUS_PROTOCOL_UNREACHABLE, NT_STATUS_PORT_UNREACHABLE, NT_STATUS_REQUEST_ABORTED, NT_STATUS_CONNECTION_ABORTED, NT_STATUS_BAD_COMPRESSION_BUFFER, NT_STATUS_USER_MAPPED_FILE, NT_STATUS_AUDIT_FAILED, NT_STATUS_TIMER_RESOLUTION_NOT_SET, NT_STATUS_CONNECTION_COUNT_LIMIT, NT_STATUS_LOGIN_TIME_RESTRICTION, NT_STATUS_LOGIN_WKSTA_RESTRICTION, NT_STATUS_IMAGE_MP_UP_MISMATCH, NT_STATUS_INSUFFICIENT_LOGON_INFO, NT_STATUS_BAD_DLL_ENTRYPOINT, NT_STATUS_BAD_SERVICE_ENTRYPOINT, NT_STATUS_LPC_REPLY_LOST, NT_STATUS_IP_ADDRESS_CONFLICT1, NT_STATUS_IP_ADDRESS_CONFLICT2, NT_STATUS_REGISTRY_QUOTA_LIMIT, SMB_STATUS_PATH_NOT_COVERED, NT_STATUS_NO_CALLBACK_ACTIVE, NT_STATUS_LICENSE_QUOTA_EXCEEDED, NT_STATUS_PWD_TOO_SHORT, NT_STATUS_PWD_TOO_RECENT, NT_STATUS_PWD_HISTORY_CONFLICT, NT_STATUS_PLUGPLAY_NO_DEVICE, NT_STATUS_UNSUPPORTED_COMPRESSION, NT_STATUS_INVALID_HW_PROFILE, NT_STATUS_INVALID_PLUGPLAY_DEVICE_PATH, NT_STATUS_DRIVER_ORDINAL_NOT_FOUND, NT_STATUS_DRIVER_ENTRYPOINT_NOT_FOUND, NT_STATUS_RESOURCE_NOT_OWNED, NT_STATUS_TOO_MANY_LINKS, NT_STATUS_QUOTA_LIST_INCONSISTENT, NT_STATUS_FILE_IS_OFFLINE, NT_STATUS_EVALUATION_EXPIRATION, NT_STATUS_ILLEGAL_DLL_RELOCATION, NT_STATUS_LICENSE_VIOLATION, NT_STATUS_DLL_INIT_FAILED_LOGOFF
- STATUS_BUFFER_OVERFLOW
- STATUS_WRONG_PASSWORD
- STATUS_NETWORK_ACCESS_DENIED
- STATUS_TOO_MANY_SESSIONS

To filter results by this category, use the following custom filter: cifs status common

The drilldown workflow of the CIFS metric starts with an overview of the different commands and a chart of performance over time, then continues with the Top pages (Top IP, Top File, Top Tree, Top User). The troubleshooting pages are Queries and Raw Data.

Note: in the Top Files page, the CIFS queries without any file path are removed from the results.

Figure 2.11: The CIFS menu, from Overview to Raw Data (Overview, Performance, Top IP client, Top IP server, Top Files, Top Trees, Top Users, Queries, Raw Data)

2.8.1 Graph

The performance graph shows many metrics over time. You can compare applicative performance, such as DTT and SRT, with the number of queries, the payloads in each direction and finally the applicative packets.

2.8.2 Queries

The Queries page shows all CIFS transactions in detail. It can display the CIFS transaction information (User, Domain, File Path, Command, Status) with the relative performance metrics (SRT, DTT) and their associated deviation.

[Figure residue: performance chart with Response/DTT and Query/SRT series from 0 to 30 ms between 09:00 and 09:40, and a chart of Errors, Warnings and OK counts]
Status (continued from previous page): STATUS_NOTIFY_CLEANUP, STATUS_NOTIFY_DIR, NT_STATUS_NO_QUOTAS_FOR_ACCOUNT, NT_STATUS_PRIMARY_TRANSPORT_CONNECT_FAILED, NT_STATUS_PAGE_FAULT_TRANSITION, NT_STATUS_PAGE_FAULT_DEMAND_ZERO, NT_STATUS_PAGE_FAULT_COPY_ON_WRITE, NT_STATUS_PAGE_FAULT_GUARD_PAGE, NT_STATUS_PAGE_FAULT_PAGING_FILE, NT_STATUS_CACHE_PAGE_LOCKED, NT_STATUS_CRASH_DUMP, NT_STATUS_BUFFER_ALL_ZEROS, NT_STATUS_REPARSE_OBJECT, NT_STATUS_RESOURCE_REQUIREMENTS_CHANGED, NT_STATUS_TRANSLATION_COMPLETE, NT_STATUS_DS_MEMBERSHIP_EVALUATED_LOCALLY, NT_STATUS_NOTHING_TO_TERMINATE, NT_STATUS_PROCESS_NOT_IN_JOB, NT_STATUS_PROCESS_IN_JOB, NT_STATUS_WAIT_FOR_OPLOCK, SMB_STATUS_INVALID_SMB, SMB_STATUS_SMB_BAD_TID, STATUS_SMB_BAD_FID, SMB_STATUS_OS2_INVALID_ACCESS, STATUS_SMB_BAD_COMMAND, SMB_STATUS_SMB_BAD_UID

Table 13.10 continued from previous page (columns: NTSTATUS, Status, severity)
NTSTATUS column of the rows on this page: 0x00710001, 0x007c0001, 0x00830001, 0x00ad0001, 0x00ae0001, (00 0002), (0 00 0002), 0x00fc0002, 0x010a0001, 0x01130001, 0x03e20001, 0x40000000, 0x40000001, 0x40000002, 0x40000003, 0x40000004, 0x40000005, 0x40000006, 0x40000007, 0x40000008, 0x40000009, 0x4000000a, 0x4000000b, 0x4000000c, 0x4000000d, 0x4000000e, 0x4000000f, 0x40000010, 0x40000011, 0x40000012, 0x40000013, 0x40000014, 0x40000015, 0x40000016, 0x40000017, 0x40000018, 0x40000019, 0x4000001a, 0x4000001b, 0x4000001c, 0x4000001d, 0x4000001e, 0x4000001
Step by Step

Figure 2.1: Login parameters in PV (Username: admin; Password; Log in button)

If the IP address of the probe has been configured as 10.0.0.1, then just open the URL http://10.0.0.1 with your web browser, or https://10.0.0.1 to use the HTTPS protocol. You can verify that you are actually connected to a Performance Vision appliance by checking that the certificate serial number is 00 90 26 d5 46 2a 5e 66 ec. To log in, please use admin as user and admin as password. You are now logged in and ready to use the Graphical User Interface. For best performance, Mozilla Firefox is recommended.

2.2 Network Performance

Performance Vision provides a series of views to show how your network is behaving.

2.2.1 Business Critical Networks

Provided you have configured some critical networks (setting thresholds on volume and quality indicators between 2 zones), you will get a summary screen of the performance of your most critical network links. This is an auto-refresh screen whose data can be integrated in your SNMP-based monitoring suite if you enabled the SNMP daemon via Pulsar.

By hovering over a specific time and link, you can view the origin of a degradation (latency, retransmission, excessive bandwidth consumption) and in which direction it occurred.

[Figure residue: Business Critical Networks summary screen]
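The identity check described above (compare the serial number of the certificate presented on https://10.0.0.1 with the one quoted in the guide before typing the credentials), as an added Python example that is not part of the guide or of the appliance's code. It walks the DER structure of an X.509 certificate far enough to read the serialNumber field and compares it with the expected value; the constructed sample certificate, the helper names and the fetch_serial() function (which needs network access to the appliance) are this example's own.

```python
import socket
import ssl

# Serial number quoted in the guide for the Performance Vision appliance certificate.
EXPECTED_SERIAL = "00 90 26 d5 46 2a 5e 66 ec"


def der_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_bytes, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der):
    """Return the serialNumber of a DER X.509 certificate as 'xx xx ...' (RFC 5280 layout)."""
    _, cert, _ = der_tlv(der, 0)               # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert, 0)               # tbsCertificate ::= SEQUENCE
    tag, _, pos = der_tlv(tbs, 0)              # [0] EXPLICIT version, optional
    if tag != 0xA0:
        pos = 0                                # no version field: serial comes first
    tag, serial, _ = der_tlv(tbs, pos)         # serialNumber ::= INTEGER
    if tag != 0x02:
        raise ValueError("serialNumber not found")
    return " ".join(f"{b:02x}" for b in serial)


def serial_matches(der, expected=EXPECTED_SERIAL):
    return certificate_serial(der) == expected.lower()


def encode_tlv(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def sample_certificate(serial_hex, with_version=True):
    """Constructed DER prefix: only the fields certificate_serial() needs are present."""
    serial = encode_tlv(0x02, bytes.fromhex(serial_hex))
    version = encode_tlv(0xA0, encode_tlv(0x02, b"\x02")) if with_version else b""
    return encode_tlv(0x30, encode_tlv(0x30, version + serial))


def fetch_serial(host, port=443):
    """Connect to the appliance and return the serial of the certificate it presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # the comparison below replaces chain validation
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return certificate_serial(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    der = sample_certificate("009026d5462a5e66ec")
    print(certificate_serial(der), serial_matches(der))
```

Comparing the serial only tells you which certificate is being presented; it is the equivalent of reading the serial in the browser's certificate dialog, which is what the guide asks for. Run `fetch_serial("10.0.0.1")` to do that check from a script before logging in.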
NTSTATUS    Status                               Flag (Y)
(previous)  TATUS_ACCESS_DENIED                  Y
0xc0000023  NT_STATUS_BUFFER_TOO_SMALL
0xc0000024  SMB_STATUS_OBJECT_TYPE_MISMATCH      Y
0xc0000025  NT_STATUS_NONCONTINUABLE_EXCEPTION
0xc0000026  NT_STATUS_INVALID_DISPOSITION
0xc0000027  NT_STATUS_UNWIND
0xc0000028  NT_STATUS_BAD_STACK
0xc0000029  NT_STATUS_INVALID_UNWIND_TARGET
0xc000002a  NT_STATUS_NOT_LOCKED
0xc000002b  NT_STATUS_PARITY_ERROR
0xc000002c  NT_STATUS_UNABLE_TO_DECOMMIT_VM
0xc000002d  NT_STATUS_NOT_COMMITTED
0xc000002e  NT_STATUS_INVALID_PORT_ATTRIBUTES
0xc000002f  NT_STATUS_PORT_MESSAGE_TOO_LONG
0xc0000030  NT_STATUS_INVALID_PARAMETER_MIX
0xc0000031  NT_STATUS_INVALID_QUOTA_LOWER
0xc0000032  SMB_STATUS_DISK_CORRUPT_ERROR
0xc0000033  NT_STATUS_OBJECT_NAME_INVALID
0xc0000034  SMB_STATUS_OBJECT_NAME_NOT_FOUND     Y
0xc0000035  SMB_STATUS_OBJECT_NAME_COLLISION     Y
0xc0000037  SMB_STATUS_PORT_DISCONNECTED         Y
0xc0000038  NT_STATUS_DEVICE_ALREADY_ATTACHED
0xc0000039  SMB_STATUS_OBJECT_PATH_INVALID       Y
0xc000003a  SMB_STATUS_OBJECT_PATH_NOT_FOUND     Y
0xc000003b  SMB_STATUS_OBJECT_PATH_SYNTAX_BAD
0xc000003c  NT_STATUS_DATA_OVERRUN
0xc000003d  NT_STATUS_DATA_LATE_ERROR
0xc000003e  SMB_STATUS_DATA_ERROR
0xc000003f  SMB_STATUS_ERROR
0xc0000040  SMB_STATUS_SECTION_TOO_BIG           Y
0xc0000041  SMB_STATUS_PORT_CONNECTION_REFUSED   Y
0xc0000042  SMB_STATUS_INVALID_PORT_HANDLE       Y
Status (continued from previous page): TATUS_MAPPED_FILE_SIZE_ZERO, SMB_STATUS_TOO_MANY_OPENED_FILES

Table 13.10 continued from previous page
NTSTATUS    Status
0xc0000120  NT_STATUS_CANCELLED
0xc0000121  STATUS_CANNOT_DELETE
0xc0000122  NT_STATUS_INVALID_COMPUTER_NAME
0xc0000123  STATUS_FILE_DELETED
0xc0000124  NT_STATUS_SPECIAL_ACCOUNT
0xc0000125  NT_STATUS_SPECIAL_GROUP
0xc0000126  NT_STATUS_SPECIAL_USER
0xc0000127  NT_STATUS_MEMBERS_PRIMARY_GROUP
0xc0000128  SMB_STATUS_FILE_CLOSED
0xc0000129  NT_STATUS_TOO_MANY_THREADS
0xc000012a  NT_STATUS_THREAD_NOT_IN_PROCESS
0xc000012b  NT_STATUS_TOKEN_ALREADY_IN_USE
0xc000012c  NT_STATUS_PAGEFILE_QUOTA_EXCEEDED
0xc000012d  NT_STATUS_COMMITMENT_LIMIT
0xc000012e  NT_STATUS_INVALID_IMAGE_LE_FORMAT
0xc000012f  NT_STATUS_INVALID_IMAGE_NOT_MZ
0xc0000130  NT_STATUS_INVALID_IMAGE_PROTECT
0xc0000131  NT_STATUS_INVALID_IMAGE_WIN_16
0xc0000132  NT_STATUS_LOGON_SERVER_CONFLICT
0xc0000133  NT_STATUS_TIME_DIFFERENCE_AT_DC
0xc0000134  NT_STATUS_SYNCHRONIZATION_REQUIRED
0xc0000135  NT_STATUS_DLL_NOT_FOUND
0xc0000136  NT_STATUS_OPEN_FAILED
0xc0000137  NT_STATUS_IO_PRIVILEGE_FAILED
0xc0000138  NT_STATUS_ORDINAL_NOT_FOUND
0xc0000139  NT_STATUS_ENTRYPOINT_NOT_FOUND
0xc000013a  NT_STATUS_CONTROL_C_EXIT
0xc000013b  NT_STATUS_LOCAL_DISCONNECT
0xc000013c  NT_STATUS_REMOTE_DISCONNECT
0xc000013d  NT_STATUS_REMOTE_RESOURCES
0xc000013e  NT_STATUS_LI
NTSTATUS    Status
(previous)  TATUS_PORT_NOT_SET
0xc0000354  NT_STATUS_DEBUGGER_INACTIVE
0xc0000355  NT_STATUS_DS_VERSION_CHECK_FAILURE
0xc0000356  NT_STATUS_AUDITING_DISABLED
0xc0000357  NT_STATUS_PRENT4_MACHINE_ACCOUNT
0xc0000358  NT_STATUS_DS_CANT_HAVE_UNIVERSAL_MEMBER
0xc0000359  NT_STATUS_INVALID_IMAGE_WIN_32
0xc000035a  NT_STATUS_INVALID_IMAGE_WIN_64
0xc000035b  NT_STATUS_BAD_BINDINGS
0xc000035c  NT_STATUS_NETWORK_SESSION_EXPIRED
0xc000035d  NT_STATUS_APPHELP_BLOCK
0xc000035e  NT_STATUS_ALL_SIDS_FILTERED
0xc000035f  NT_STATUS_NOT_SAFE_MODE_DRIVER
0xc0000361  NT_STATUS_ACCESS_DISABLED_BY_POLICY_DEFAULT
0xc0000362  NT_STATUS_ACCESS_DISABLED_BY_POLICY_PATH
0xc0000363  NT_STATUS_ACCESS_DISABLED_BY_POLICY_PUBLISHER

Table 13.10 continued (columns: NTSTATUS, Status)
NTSTATUS column of the rows on this page: 0xc0000364, 0xc0000365, 0xc0000366, 0xc0000368, 0xc0000369, 0xc000036a, 0xc000036b, 0xc000036c, 0xc000036d, (000036), (0000361), 0xc0000380, 0xc0000381, 0xc0000382, 0xc0000383, 0xc0000384, 0xc0000385, 0xc0000386, 0xc0000387, 0xc0000388, 0xc0000389, (000038), 0xc000038b, (000038), (000038), (000038), (0009898), 0xc0020001, 0xc0020002, 0xc0020003, 0xc0020004, 0xc0020005, 0xc0020006, 0xc0020007, 0xc0020008, 0xc0020009, 0xc002000a, 0xc002000b, 0xc002000c, 0xc002000d, 0xc002000e, 0xc002000f, 0xc0020010, 0xc0020011, 0xc0020012, 0xc0020013, 0xc0020014, 0xc0020015, 0xc0020016, 0xc0020017, 0xc0020018, 0xc0020019, 0xc002001a, 0xc002001b, 0xc002001c
Status column (continued from previous page): TEP, SMB_STATUS_BUFFER_OVERFLOW, SMB_STATUS_NO_MORE_FILES, NT_STATUS_WAKE_SYSTEM_DEBUGGER, NT_STATUS_HANDLES_CLOSED, NT_STATUS_NO_INHERITANCE, NT_STATUS_GUID_SUBSTITUTION_MADE, NT_STATUS_PARTIAL_COPY, STATUS_DEVICE_PAPER_EMPTY, NT_STATUS_DEVICE_POWERED_OFF, NT_STATUS_DEVICE_OFF_LINE, NT_STATUS_DEVICE_BUSY, NT_STATUS_NO_MORE_EAS, NT_STATUS_INVALID_NAME, NT_STATUS_EA_LIST_INCONSISTENT, NT_STATUS_INVALID_FLAG, NT_STATUS_VERIFY_REQUIRED, NT_STATUS_EXTRANEOUS_INFORMATION, NT_STATUS_RXACT_COMMIT_NECESSARY, NT_STATUS_NO_MORE_ENTRIES, NT_STATUS_FILEMARK_DETECTED, NT_STATUS_MEDIA_CHANGED, NT_STATUS_BUS_RESET, NT_STATUS_END_OF_MEDIA, NT_STATUS_BEGINNING_OF_MEDIA, NT_STATUS_MEDIA_CHECK, NT_STATUS_SETMARK_DETECTED, NT_STATUS_NO_DATA_DETECTED, NT_STATUS_REDIRECTOR_HAS_OPEN_HANDLES, NT_STATUS_SERVER_HAS_OPEN_HANDLES, NT_STATUS_ALREADY_DISCONNECTED, NT_STATUS_LONGJUMP, NT_STATUS_CLEANER_CARTRIDGE_INSTALLED, NT_STATUS_PLUGPLAY_QUERY_VETOED, NT_STATUS_UNWIND_CONSOLIDATE, STATUS_STOPPED_ON_SYMLINK, NT_STATUS_DEVICE_REQUIRES_CLEANING, NT_STATUS_DEVICE_DOOR_OPEN, SMB_STATUS_UNSUCCESSFUL, SMB_STATUS_NOT_IMPLEMENTED, SMB_STATUS_INVALID_INFO_CLASS, NT_STATUS_INFO_LENGTH_MISMATCH, NT_STATUS_ACCESS_VIOLATION, NT_STATUS_IN_PAGE_ERROR, NT_STATUS_PAGEFILE_QUOTA, STATUS_INVALID_HANDLE, NT_STATUS_BAD_INITIAL_STACK, NT_STATUS_BAD_INITIAL_PC

Severity column (first rows of the same page): OK, OK, OK, OK, WARNING, WARNING, WARNING, WARNING, WARNING, WARNING, WARNING, WARNING
TP status number. "Success" will correspond to all HTTP successful codes.
Operators:
Example of valid inputs: 404, Success
Example of invalid inputs: GET

13.2.22 MAC address

A MAC address of the form XX:XX:XX:XX:XX:XX, where XX is a hexadecimal number.
Operators:
Example of valid inputs: 01:23:45:67:89:ab, FF:ab:45:7b:D6:55
Example of invalid inputs: AA:AA:AA:AA

13.2.23 OS name

The name of an operating system, like Linux or Windows. Note that the value must be enclosed between single or double quotes.
Operators:
Example of valid inputs: 'linux', "windows"
Example of invalid inputs: unknown os

13.2.24 Port number

The value represents a TCP or UDP port number as a numeric value. It can also be given as a port range, as in 45-80.
Operators: <, <=, >, >=, =
Example of valid inputs: 75-110, 80
Example of invalid inputs: 85 12 150

13.2.25 Protocol name

This value represents the name of a protocol, like tcp or icmp.
Operators:
Example of valid inputs: icmp, mtp, tcp
Example of invalid inputs: FOO

13.2.26 Rate

A numeric value, as a percentage. The value can be lower than 1, as in 0.024.
Operators: <, <=, >, >=, =
Example of valid inputs: 0.25, 45.99
Example of invalid inputs: 45 5

13.2.27 SMB command

The SMB command used
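A validator for the custom-filter value types listed in 13.2.21 to 13.2.26, and for the rule in 2.16 that all filter terms are combined with AND, as an added Python example that is not part of the guide or of the appliance's code. The accepted forms are reconstructed from the guide's examples where the extraction dropped the punctuation (port range "45-80", rate "0.024", MAC octets separated by colons); the operator sets for the non-numeric types, the protocol table and the invalid samples "85-12" and "45,5" are this example's assumptions.

```python
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
RATE_RE = re.compile(r"^\d+(\.\d+)?$")

# Constructed protocol table: the guide names icmp, mtp and tcp as valid inputs.
PROTOCOLS = {"tcp", "udp", "icmp", "mtp"}

COMPARISON = {"<", "<=", ">", ">=", "="}     # operators the guide lists for port and rate
EQUALITY = {"="}                              # assumed for the other types

FIELD_OPERATORS = {
    "http_status": EQUALITY, "mac": EQUALITY, "os_name": EQUALITY,
    "protocol": EQUALITY, "port": COMPARISON, "rate": COMPARISON,
}


def valid_http_status(v):
    """A three-digit HTTP status, or the keyword Success (all 2xx codes)."""
    return v == "Success" or (v.isdigit() and 100 <= int(v) <= 599)


def valid_mac(v):
    """Six colon-separated hexadecimal octets, any case."""
    return MAC_RE.match(v) is not None


def valid_os_name(v):
    """The OS name must be enclosed in matching single or double quotes."""
    return len(v) >= 2 and v[0] == v[-1] and v[0] in "'\""


def valid_port(v):
    """A port 0-65535, or an ascending range low-high."""
    def ok(p):
        return p.isdigit() and 0 <= int(p) <= 65535
    if "-" in v:
        low, _, high = v.partition("-")
        return ok(low) and ok(high) and int(low) < int(high)
    return ok(v)


def valid_protocol(v):
    return v in PROTOCOLS


def valid_rate(v):
    """A decimal percentage; a leading digit is required, the fraction is optional."""
    return RATE_RE.match(v) is not None


VALIDATORS = {
    "http_status": valid_http_status, "mac": valid_mac, "os_name": valid_os_name,
    "port": valid_port, "protocol": valid_protocol, "rate": valid_rate,
}


def validate_term(field_type, operator, value):
    """True when the operator is allowed for the field type and the value is well formed."""
    return operator in FIELD_OPERATORS[field_type] and VALIDATORS[field_type](value)


def validate_filter(terms):
    """Terms are ANDed together, so the filter is only runnable if every term is valid."""
    return all(validate_term(*term) for term in terms)


if __name__ == "__main__":
    sample = [("port", ">", "1024"), ("protocol", "=", "tcp"), ("rate", ">=", "0.024")]
    print(validate_filter(sample))
    print(validate_filter(sample + [("mac", "<", "01:23:45:67:89:ab")]))
```

Rejecting a whole AND-combined filter on the first malformed term is deliberate: a silently dropped term would widen the query instead of narrowing it.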
To do that, we look at the Performance conversations between the VLAN_Sales and the Private zone. From this we can draw the following conclusions:
- not only 192.168.20.212 and 192.168.20.205 but also 192.168.20.220 and 192.168.20.50 are impacted;
- the Samba access to the file server is not the only application impacted: SMTP, HTTP and the Web Intranet (SecurActive) are too.

Actions to be taken after that analysis:
- check the TCP windowing configuration on the operating system of these hosts (a high value is normal);
- check the level of usage of these hosts (CPU, RAM).

Alternative scenario: if we had seen some retransmissions, check whether the affected hosts are all on the same edge switch, and check the interface configuration and media errors.

Slow server

Hypothesis: users complain about having to try several times to connect to a web-based application named Salesforce. The administrator suspects that the application server hosting Salesforce is slow.

How to analyze the problem: first check whether all applications on the application server hosting Salesforce are slow, or only the single web-based application Salesforce. If all applications are slow, then the application server may indeed be a slow server. If only the web-based application Salesforce is slow while the other applications (CRM) respond quickly, the problem may be the Salesforce application itself, and
Figure: HTTP Status Chart. Filters: Client Zone, Server Zone, Client IP, Server IP, VLAN, Custom Filters (BETA); Begin 2013-03-17 00:00, End 2013-03-17 12:00; Aggregate level: 15 minutes. Summary: Total Hit Count (sum) 306, Response Content Length (avg) 1.2 KiB, Query Content Length (avg) 4.4. Series over 01:00 to 11:00: Unknown (sum 30), Informational 1xx (sum 0), Success 2xx (sum 128), Redirection 3xx (sum 118), Client Error 4xx (sum 0), Server Error 5xx (sum 0).

You can view the captured HTTP transactions in detail using the Pages and Hits pages. The first lists all the HTML pages, while the second gives you the details of every transaction, including the images, JavaScript, CSS and other resources used to construct a page.

When you click a page, you get a time chart of all the transactions that occurred to build that page. From this view you can inspect how the various servers involved were responding to the client's browser. This gives you a visual overview of how the page was constructed over time.
Name: Virtual Tutorial
Datastore: datastore1
Disk provisioning: Thick Provision Lazy Zeroed
Network Mapping: bridged to Network

6. Click on Finish: the Virtual Appliance gets installed. You will be notified when the installation is complete.
7. Once the Virtual Appliance is installed, start it by clicking on Power on the Virtual Machine or on the green triangle.

5.6.4 Access the virtual console

Display the Console tab and access the CLI interface named Pulsar.

Figure: console output during the boot of the Performance Vision probe (vSphere Console tab; Debian GNU/Linux kernel messages showing eth1 link up at 1000 Mbps and eth1 entering promiscuous mode, then the "spy login:" prompt).

The probe is launched. When the network interfaces turn into promiscuous mode, click on the Console view and then press Enter to display the login prompt. Please note that clicking on the black screen deactivates your mouse. To reactivate it, you can use the key co
a valid SMTP host and, optionally, a login and password if you use an authenticated SMTP server. With the same command you can also modify the From header of the emails generated by the probe. After that, either reboot the probe or use the smtp stop and smtp start commands to activate the new configuration.

7.3.7 Degradation

This configuration page lets you change how the aggregator system merges the data. This merging is done per metric. You can also tell the aggregator not to degrade a metric at all. Each item has embedded help; here is some additional information.

IP degradation is done in two passes. The first one is zoned: you are expected to set your Internet zone (or equivalent). Then a second step of IP degradation is available for all IPs.

Figure 7.15 IP aggregation then degradation

Raw data:
08:00-08:01  Internet                          10 MB   100 ms
08:05-08:06  Internet                           3 MB   200 ms
08:10-08:11  Internet    183.28.100.2           6 MB   150 ms
08:10-08:11  Internet                           3 MB   200 ms
08:12-08:14  Lan Server  192.168.100.8          5 MB    10 ms

Data aggregation:
08:00-08:11  Internet                          16 MB   166 ms
08:10-08:11  Internet    183.28.100.2           6 MB   150 ms
08:12-08:14  Lan Server  192.168.100.8          5 MB    10 ms

Data merging (IP degradation):
08:00-08:11  Internet                          22 MB   158 ms
08:12-08:14  Lan Server  192.168.100.8          5 MB    10 ms

7.3.8 SNMP

Optionally, SNMP requests are answered on the default SNMP port
N-tier application performance issue

Hypothesis: users are complaining about slow response times from an in-house web application. This application has an N-tier architecture, so its performance as seen by a client depends on several parameters:
- DNS latency to resolve the web server name from the client host (see DNS Response Time);
- connection time to the server;
- data transfer time between these hosts;
- DNS latency to resolve the other server names accessed from the web server (database servers, for instance; cf. DNS Response Time);
- connection and data transfer times between these hosts;
- server response time of these servers.

Identification of the culprit: first we need to find out whether the experienced slowdown is due to the web front end itself. To this end, check every component of the EURT:
- if SRT is fast but RTT and/or DTT are high (see also Connection Time), we are facing a network slowdown; refer to the previous sections of this guide to track down the problem further;
- if SRT is preponderant compared to DTT and RTT, the application itself is to blame; proceed to find out what is affecting its performance. Then check the EURT between the web server and each of the other servers involved (databases). If some of these EURTs appear degraded, check these other hosts recursively in the same way. If not, check the web server's load average.

8.7.3 Additional metrics

TCP anomalies
all network, application and VoIP performance-related aspects, and allows you to:
- provide clear information on the mapping of traffic;
- continuously analyze network and application usage;
- improve the configuration and optimization of the IT infrastructure;
- proactively manage network capacity to avoid congestion;
- identify opportunities to make infrastructure savings;
- measure the Quality of Experience of end users against the SLA;
- diagnose performance degradations and accelerate their resolution;
- identify slowdowns, their origin (network, server, application) and their impact;
- manage the performance of complex application chains;
- analyze the impact of application deployments on network resources and end-user performance;
- perform deep transaction analysis at application level for the major name service, web, database and file sharing protocols;
- get a full view of performance in both hardware-based and virtual environments.

9.2 Deployment Mode

Figure 9.1 Deployment Mode (single probe / multiple probes)

9.2.1 Single Probe: Stand-alone Appliance

Performance Vision in stand-alone mode is composed of a single unit which analyzes the traffic, stores the statistics and presents the data through an interface.

9.2.2 Multiple Probes: Distributed Architecture

Performance Vision in distributed mode captures and analyzes traffic in several physical locations through distinct appliances ca
name: user admin. When logged in you should see the following prompt (the version number can vary):

Welcome to Pulsar, the SPV shell v1.14.0
Type help to display Pulsar commands
Type help COMMAND to display the command help details
poseidon>

Figure 7.1 Pulsar prompt on the poseidon probe

Note: Pulsar uses 3 colors when displaying information: green outputs are information, yellow outputs are warnings, red outputs are errors.

If needed, you can set the keyboard mapping with the kb mapping command. Typing kb displays the list of available mappings.

Pulsar allows you to change the administration password with the passwd command. This should be your first command. Typing passwd in the Pulsar shell launches the standard UNIX password change process.

Warning: at this point there is no way to retrieve the password. If you have completely lost the password, the SecurActive support team can generate a new one (see Support access through VPN). You can also restore the probe (see Restore probe state).

7.2.2 Configure the probe

Use the config command to set up the probe:

pulsar> config
Service: dns, hostname, network, ntp, smtp, support, all (default)
Your choice:

Pressing Enter launches the whole interactive configuration process.

Warning: this command is mandatory, as it configures key elements needed for proper operatio
(types of the last rows of the previous page: Date and time, Duration, Decimal or hexa, Decimal or hexa, Decimal or hexa)

Table 13.2 (continued from previous page)

Operand             Description                                              Type
dtt                 Data transfer time (DTT)                                 Duration
dtt clt             Data transfer time from client                           Duration
dtt srv             Data transfer time from server                           Duration
dup ack count       Total duplicate acks                                     Decimal or hexa
dup ack count clt   Duplicate acks from client to server                     Decimal or hexa
dup ack count srv   Duplicate acks from server to client                     Decimal or hexa
end                 Number of sessions finished                              Decimal or hexa
eth proto           Ethernet Type Protocol                                   Decimal or hexa
eurt                End user response time                                   Duration
fin count           Total number of FIN packets                              Decimal or hexa
fin count clt       Number of FIN sent by the client IP                      Decimal or hexa
fin count srv       Number of FIN sent by the server IP                      Decimal or hexa
ip                  Either source or destination IP or subnet                Address or netmask
ip dst              IP address to which network communication is sent        Address or netmask
ip netflow          IP of the netflow capture                                Address or netmask
ip src              IP address from which network communication originates   Address or netmask
mac                 Client or server MAC address                             MAC address
mac dst             Destination MAC address                                  MAC address

Further operands listed on this page, whose description and type cells were not recovered: mac src, mtu, os clt, os srv, payload, payload clt, payload count, payload count clt, payload count srv, payload ret, payload ret clt, payload ret srv, payload srv, pkt count, pkt count srv, poller name, proto, protostack, rd, rd clt, rd rate, rd rate clt, rd rate srv, rd srv.
any user, regardless of their understanding of the underlying infrastructure (IP addresses, subnets or ports used by each application). An application is a set of network services which together correspond to a business application. For example, an application named ERP could be configured to match network traffic on port TCP 80 on a server zone containing the specific server 192.168.20.4/32.

3.3.1 Application definition

An application can be defined using a set of filters that a flow must match to enter the application. These filters can use various elements of a flow, from its IP addresses to its ports, poller, protocols and so on. Note that, depending on the flow considered, some of this information may not be available. For instance, the attribution of an application to a NetFlow record cannot use anything besides the bare IP addresses, protocol and ports. As a consequence, an application defined on a given VLAN, MAC address or protocol stack will never accept a NetFlow record.

Rules are checked one after the other, and the first matching rule gives the flow its application, in a process similar to the one used for zone attribution. The priority of these rules can be changed to alter the order in which these checks are performed. For more information about the configuration of applications, refer to the Configuration section.

3.3.2 Examples

An application run on a server with IP 192.168.1.4 with MSSQL will be defined as follows
at a glance which version best fits your needs, depending on your specific traffic.

Figure 9.5 Database Workload in the Configuration area (Information menu: Pollers Status, Database Summary, Database Workload, Applicative Logs)

Figure 9.6 Chart of the number of flows analyzed (daily values, Feb 06 to Feb 15)

9.8 Limits

Each Performance Vision version supports a given number of flow analyses. One flow analysis is either a set of exchanges between one client and one server for one application, or a layer 7 transaction. If the data processed by the central collector reaches the license limit, the system still continues to work smoothly. An email alert is sent to the administrator to make them aware that the limit has been reached. All data above the limit is ignored by sampling and is not processed; in that case the result is that only part of the total traffic is analyzed.

Whatever the Performance Vision version (2015 licenses), there is a protection at 500,000 flow analyses to maintain the stability and efficiency of the system: flow analyses made over this limit are ignored and will not
times are averaged per packet, so only one line of data is retained for each conversation group. This line still contains a relevant summary of your network and application performance, but its storage takes up a lot less disk space.

Example: a user checks out a web page once at 16:38:

Figure 3.9 Flow example at 16:38 (query from 16:38 to 16:40, aggregate level 120 s, 1 collected result): Begin 2010-07-30 16:38:47, End 2010-07-30 16:39:11, client zone Private, server zone Internet, server 88.191.122.7, application http

and again at 16:41:

Figure 3.10 Flow example at 16:40 to 16:42 (aggregate level 120 s, 1 collected result): Begin 2010-07-30 16:41:34, End 2010-07-30 16:41:56, client zone Private, server zone Internet, server IP 88.191.122.7, application http, traffic 55.9 KiB

The next figure shows the aggregated line for both events if you query between 16:38 and 16:42:

Figure 3.11 Flow example at 16:38 to 16:42 (aggregate level 120 s, 1 collected result)
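The two mechanisms described in this Data Aggregation section and in the Degradation page of the configuration chapter (section 7.3.7) can be reproduced on a few flow lines. The code below is an added example, not the product's aggregator: it merges flow lines of the same conversation group that fall in the same aggregation window (traffic and packets are summed, times are averaged per packet), then applies the two-pass IP degradation (the zoned pass for the Internet zone first, then optionally every remaining IP). The sample rows are constructed after Figure 7.15; their packet counts are invented.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Added example, not the product's own aggregator. Constructed data modelled
# on Figure 7.15: traffic and packets add up, times are averaged per packet,
# then IP degradation is applied in two passes (zoned first, then all IPs).


@dataclass
class Flow:
    begin: int          # seconds since midnight (constructed sample data)
    end: int
    zone: str           # server zone
    ip: Optional[str]   # server IP, None once degraded away
    traffic: int        # bytes
    packets: int
    rtt_ms: float       # per-packet average round-trip time


def aggregate(flows, level_s):
    """One line per (aggregation window, zone, ip); RTT weighted by packets."""
    groups = defaultdict(list)
    for f in flows:
        window = f.begin - f.begin % level_s
        groups[(window, f.zone, f.ip)].append(f)
    merged = []
    for (window, zone, ip), members in sorted(
            groups.items(), key=lambda kv: (kv[0][0], kv[0][1], kv[0][2] or "")):
        packets = sum(m.packets for m in members)
        merged.append(Flow(
            begin=min(m.begin for m in members),
            end=max(m.end for m in members),
            zone=zone,
            ip=ip,
            traffic=sum(m.traffic for m in members),
            packets=packets,
            rtt_ms=sum(m.rtt_ms * m.packets for m in members) / packets,
        ))
    return merged


def degrade_ip(flows, zoned_pass, level_s, second_pass=False):
    """Pass 1 drops the IP of rows in the configured zones (your Internet zone);
    pass 2, when enabled, drops the IP of every remaining row. Rows that now
    share a key are merged with the same packet-weighted averaging."""
    def strip(f, drop):
        return Flow(f.begin, f.end, f.zone, None if drop else f.ip,
                    f.traffic, f.packets, f.rtt_ms)
    after_pass1 = [strip(f, f.zone in zoned_pass) for f in flows]
    after_pass2 = [strip(f, second_pass) for f in after_pass1]
    return aggregate(after_pass2, level_s)


def sample_flows():
    """Constructed raw lines after Figure 7.15 (packet counts invented)."""
    t = lambda h, m: h * 3600 + m * 60
    return [
        Flow(t(8, 0), t(8, 1), "Internet", None, 10_000_000, 1000, 100.0),
        Flow(t(8, 5), t(8, 6), "Internet", None, 3_000_000, 300, 200.0),
        Flow(t(8, 10), t(8, 11), "Internet", "183.28.100.2", 6_000_000, 600, 150.0),
        Flow(t(8, 10), t(8, 11), "Internet", None, 3_000_000, 300, 200.0),
        Flow(t(8, 12), t(8, 14), "Lan Server", "192.168.100.8", 5_000_000, 5000, 10.0),
    ]


if __name__ == "__main__":
    for line in degrade_ip(sample_flows(), {"Internet"}, level_s=900):
        print(line)
```

With a 15 minute aggregation level the three Internet rows without IP collapse into one 16 MB line, the 183.28.100.2 row survives aggregation because its IP is part of the key, and it only merges into the 22 MB line once the zoned degradation pass has removed that IP. The LAN server keeps its IP until the second pass is enabled.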
rate (RR Server) going from the clients to the application server. However, none of the packets from the server to the clients needed to be retransmitted (RR Client is around 0). This indicates that the application server is in fact dropping the packets and is therefore a slow server, assuming that the route taken from the client to the server is the same as the route taken from the server to the client, as is industry standard practice.

Lastly, check the TCP errors of the clients and of the application server. If the server reset count or the number of timed-out sessions is high, this is a further indication of a slow server. Go to Analysis > TCP errors, select the application server (Salesforce) from the drop-down box labeled Server Zone and click Search.

Figure 8.39 Slow server: TCP Errors. Columns: RD in, RD out, Dup ack, Conn attempts, Conn established, Sess end, Client FIN, Server FIN, Client RST, Server RST, Num timeout (values per 15 minute interval; not reproduced here).

Here we see that there are a lot of server resets and timeouts. Given all the above information, we can conclude that the application server is operating slowly. At this point, the server administrator should perform direct diagnosis on the application server to verify CPU, RAM and HD us
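The slow server and N-tier guidelines of this chapter (section 8.7) amount to a decision procedure over a handful of per-conversation metrics. The code below is an added example, not the product's own logic: it classifies a conversation from its EURT components (network when SRT is small, server or application when SRT dominates), uses the retransmission asymmetry and the reset/timeout counts described above to separate a slow server from a slow application, and walks an N-tier chain (client to web, web to database) to find the tier to blame. EURT is taken as RTT + SRT + DTT, and all thresholds and measurements are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Added example, not the product's own logic: the interpretation guidelines
# of this chapter turned into a decision procedure over constructed
# per-conversation measurements. Thresholds are assumptions; EURT is taken
# as RTT + SRT + DTT.


@dataclass
class Conversation:
    client: str
    server: str
    rtt_ms: float          # network latency
    srt_ms: float          # server response time
    dtt_ms: float          # data transfer time
    rr_server: float       # retransmission rate, client -> server direction
    rr_client: float       # retransmission rate, server -> client direction
    server_rst: int
    timeouts: int
    sessions: int

    @property
    def eurt_ms(self):
        return self.rtt_ms + self.srt_ms + self.dtt_ms


def diagnose(c, eurt_degraded_ms=300.0, srt_share=0.5, rr_high=0.02, tcp_err_ratio=0.1):
    """Classify one conversation as 'ok', 'network', 'server' or 'application'."""
    if c.eurt_ms < eurt_degraded_ms:
        return "ok", "EURT within the expected range"
    if c.srt_ms / c.eurt_ms < srt_share:
        return "network", "SRT is small, RTT and/or DTT make up the EURT"
    # SRT dominates: is the server itself struggling? Asymmetric retransmissions
    # (packets towards the server retransmitted, nothing in the other direction)
    # mean the server drops what it receives; resets and timeouts confirm it.
    drops = c.rr_server >= rr_high and c.rr_client < rr_high / 4
    tcp_errors = (c.server_rst + c.timeouts) / max(c.sessions, 1) >= tcp_err_ratio
    if drops or tcp_errors:
        return "server", "SRT dominates and the server drops packets or resets/times out sessions"
    return "application", "SRT dominates with a healthy TCP layer: the application itself is slow"


def find_culprit(chain):
    """chain: conversations along the N-tier path, client->web first, then
    web->database and so on. A degraded front end whose own back-end
    conversation is degraded too passes the blame down one tier."""
    culprit = None
    for hop in chain:
        verdict, reason = diagnose(hop)
        if verdict == "network":
            return "network", f"{hop.client}<->{hop.server}", reason
        if verdict == "ok":
            break              # this hop is fine: the previous tier's server is to blame
        culprit = (verdict, hop.server, reason)
    return culprit or ("ok", None, "no degradation observed")


def sample_chain(db_slow=True):
    """Constructed measurements: the web front end looks slow, and the database
    behind it either drops packets (db_slow) or answers quickly."""
    web = Conversation("pc-sales-12", "web01", 5, 800, 20, 0.0, 0.0, 0, 0, 300)
    if db_slow:
        db = Conversation("web01", "db01", 2, 600, 5, 0.05, 0.0, 40, 30, 300)
    else:
        db = Conversation("web01", "db01", 2, 50, 5, 0.0, 0.0, 0, 0, 300)
    return [web, db]


if __name__ == "__main__":
    print(find_culprit(sample_chain(db_slow=True)))
    print(find_culprit(sample_chain(db_slow=False)))
```

In the first sample the web server's SRT is large only because it waits on a database that drops packets and resets sessions, so the blame moves to db01; in the second the database answers quickly and the web application itself is reported.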
select Private and any of its subzones.

CHAPTER THREE: MAIN TERMS AND CONCEPTS

3.1 General Conventions

3.1.1 Byte metric unit

Byte metric values are given in bytes as KiB, MiB, GiB, etc., as recommended by the International Electrotechnical Commission (IEC) in 2000 when using power-of-2 multiples. This means that the values in MiB and KiB are binary and equal to 1024 raised to the power of 2 and 1024 raised to the power of 1 respectively. This notation was designed to distinguish 10^3 bytes (referred to as KB) from 1024 bytes (referred to as KiB). In other words, in decimal notation 1000 = 1k (kilo) and 1000^2 = 1M (mega); in binary, 1024 = 1Ki (kibi) and 1024^2 = 1Mi (mebi). For more information about binary prefixes, please refer to the Wikipedia page http://en.wikipedia.org/wiki/Binary_prefix

3.2 Zones

3.2.1 Principles

A zone is an arbitrary container in which groups of peers can be kept and organized according to their network address. Since each peer is attributed a zone, a conversation between two peers comes with two zones: a client zone and a server zone.

A zone consists merely of a name, a priority and a set of optional filters. Each conversation is tagged with a client and a server zone using the client and server IP and MAC addresses, according to this process: every rule is tried in order of priority, and the first zone that has filters that comply wit
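Zone attribution (3.2.1) and application attribution (3.3.1) follow the same first-match process: rules are tried in priority order and the first one whose filters all hold wins. The code below is an added example, not the product's own implementation, showing both on a constructed configuration, including the consequence noted in 3.3.1 that a rule filtering on a VLAN can never match a NetFlow record, since the field is simply absent. Zone filters are limited here to IP subnets (the guide also allows MAC filters), and the fallback zone name "Internet" for unmatched addresses is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not the product's own code) of the first-match attribution
# process described for zones (3.2.1) and applications (3.3.1). Zone filters
# are restricted to IP subnets; the fallback zone "Internet" is an assumption.


@dataclass
class Flow:
    ip_src: str
    ip_dst: str
    proto: str
    port_dst: int
    vlan: Optional[int] = None      # NetFlow records carry no VLAN or MAC
    mac_dst: Optional[str] = None


@dataclass
class Zone:
    name: str
    priority: int                   # lower value is tried first
    subnets: tuple


@dataclass
class AppRule:
    app: str
    priority: int
    server_zone: Optional[str] = None
    server_subnet: Optional[str] = None
    proto: Optional[str] = None
    port: Optional[int] = None
    vlan: Optional[int] = None


def attribute_zone(ip, zones, fallback="Internet"):
    addr = ipaddress.ip_address(ip)
    for zone in sorted(zones, key=lambda z: z.priority):
        if any(addr in ipaddress.ip_network(s) for s in zone.subnets):
            return zone.name
    return fallback


def rule_matches(rule, flow, server_zone):
    """Every filter set on the rule must hold. A VLAN filter never holds for
    a NetFlow record: flow.vlan is None, which equals no configured VLAN."""
    if rule.server_zone is not None and server_zone != rule.server_zone:
        return False
    if rule.server_subnet is not None and \
            ipaddress.ip_address(flow.ip_dst) not in ipaddress.ip_network(rule.server_subnet):
        return False
    if rule.proto is not None and flow.proto != rule.proto:
        return False
    if rule.port is not None and flow.port_dst != rule.port:
        return False
    if rule.vlan is not None and flow.vlan != rule.vlan:
        return False
    return True


def attribute_application(flow, rules, zones):
    server_zone = attribute_zone(flow.ip_dst, zones)
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, flow, server_zone):
            return rule.app
    return None


ZONES = [  # constructed configuration: the child zone has the higher priority
    Zone("Servers", 1, ("192.168.20.0/24",)),
    Zone("Private", 2, ("192.168.0.0/16", "10.0.0.0/8")),
]

RULES = [  # constructed rules in the spirit of the ERP and MSSQL examples
    AppRule("ERP", 1, server_zone="Servers", proto="tcp", port=80),
    AppRule("MSSQL", 2, server_subnet="192.168.1.4/32", proto="tcp", port=1433),
    AppRule("Intranet-VLAN20", 3, vlan=20, proto="tcp", port=443),
    AppRule("http", 100, proto="tcp", port=80),
]

if __name__ == "__main__":
    probe_flow = Flow("10.1.1.5", "10.2.2.2", "tcp", 443, vlan=20)
    netflow = Flow("10.1.1.5", "10.2.2.2", "tcp", 443)
    print(attribute_application(probe_flow, RULES, ZONES), attribute_application(netflow, RULES, ZONES))
```

Because ERP has a lower priority value than the generic http rule, traffic to port 80 on a Servers-zone host is reported as ERP while the same port elsewhere stays http; the same HTTPS flow is attributed to Intranet-VLAN20 when it comes from a probe capture and to nothing at all when it arrives as NetFlow.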
Application configuration page. Applications represent the business applications running on your network and make the reports easily understandable to everyone in your organization.

To access the configuration of Applications, click on the Configuration button at the top right of the user interface. To create an application, go to the Application submenu in the left menu. This panel displays the existing Applications (default or user-defined). To create an Application, click on Create new application; you will see the configuration screen. An Application can be defined using the following elements:

Figure: Applications editor (buttons: Create new application, Review and test application matching rules, Select unused applications, Filter; columns: Name, Description, Flags, Rules). Example rows:
- File Sharing: Microsoft-DS, port 445
- Google Mail: pattern mail.google.com; protocols IPv4, HTTP
- google: pattern google.com, 443/tcp; protocols IPv4, TCP, HTTP
- Proxy: HTTP Alternate Port, ports 8008 and 8080
- google (client zone Private): pattern google.fr|com
- http: World Wide Web HTTP
- imaps: IMAP4 protocol over TLS/SSL, port 993
- ssh: SSH Remote Login Protocol, port 22
- Kerberos: tcp 88, server zone Private
(end of the previous rows: physical address)

Operand         Description
poller name     Poller name (distributed probe)
protostack      Protocols stack
                Server response time
                Number of SRT computed in a time interval
                Tagged Link (802.1Q)
                Server or Client Zone
                Zone of the client IP
                Zone of the server IP

Types appearing in this part of the table: Decimal or hexa, Byte quantity, SMB status, SMB sub command, Wildcard or regex, String, Address or netmask, MAC address, Duration, Zone name.

Table 13.1 (first part)

Operand         Description                                 Type
app             Application name
bandw           Total traffic                               Byte quantity
bandw clt       Traffic from client to server               Byte quantity
bandw srv       Traffic from server to client               Byte quantity
capture begin   Capture begin time                          Date and time
capture end     Capture end time                            Date and time
device                                                      Decimal or hexa
diffserv        Client or Server Diffserv
diffserv clt    Client Diffserv
diffserv srv    Server Diffserv
eth proto       Ethernet Type Protocol
icmp code       ICMP code
                Source IP of the ICMP error
                Destination IP of the ICMP error
                ICMP error port
zone clt        Source zone of the ICMP error
zone srv        Destination zone of the ICMP error
                ICMP type
                Either client or server IP or subnet
                IP which sends the packet
                IP of the netflow capture
                IP which replied to a connection request
                Client or Server MAC addres
acceptable timing.

DNS Messages

Figure 8.40 DNS Response Time for a specific requester zone (here VLAN_Sales). Page: DNS network protocol performance and deep analysis; filters: Begin 2011-04-13 07:58, End 2011-04-13 13:58, Requester Zone VLAN_Sales, Server Zone All, Request Name salesforce.com; 14 collected results at a 15 minute aggregate level. Columns: Requester Zone, Server, Server Zone, Packets, Traffic, Request Name, DNS rt, Request Type, Response code. The requester zone is VLAN_Sales (fallback); the servers are 192.168.20.254 and 192.168.200.254 (zone Proxy). Example rows: omtr2.partners.salesforce.com 160 ms (2 packets, 477 Bytes), login.salesforce.com 147 ms (10 packets, 2.6 KiB), emea.salesforce.com 30 ms (4 packets, 994 Bytes); the other response times range from 100 ms to 123 ms.

Traffic issue: if we establish the top hosts making DNS requests, it will be possible to pinpoint misconfigured clients not
account without deleting it.

Example: adding a new member to the Administrators group. In the example below we have created a user account in the Administrators group, with the user name John and a password.

Figure 7.4 Edit User (fields: Name/login: John; Group: Administrators; Change password; Password; Password confirmation; Active)

The user name is case sensitive; it must be non-empty and contain only letters, numbers or underscores (_).

You can modify a user account by clicking on the Users tab in the configuration menu on the left-hand side, then clicking on the user name of the desired account in the user list. You can modify any field of a created user. Please note that the password field appears empty on edition, to avoid giving out information, and is not modified if it is left empty. To save any modifications, click on the Apply button.

You can delete a user account by clicking on the Users tab in the configuration menu on the left-hand side, then ticking the check box next to the user name of the account you wish to delete. Clicking on the Delete button then deletes all selected users.

Figure 7.5 Users list (Add a new user, Remove selected users; columns: Delete, User name, Group, Active, Edit; first row: John, Admini
such a matrix where the zone Local was chosen both for source and destination. We can see the zone and all its child zones.

The contextual matrix displays a zone among its ancestor zones. This is convenient to check which part of the network is related to a specific zone. An example of a contextual matrix that allows us to check how the Local zone fits into the whole configuration:

Figure 2.15 The contextual matrix (source zones Internet, Private/Local and Remote against destination zones Internet, Private, Local and Remote, with traffic in GiB; totals per source: Internet 21.0 GiB, Remote 10.5 GiB)

Navigation within these matrices is thus different: the detailed matrix lets you select the zone to display, ignoring all other ones, while the contextual matrix lets you select which zone to focus on among its ancestor zones. You can filter the flows taken into account by defining the observation period, the source zone, the destination zone, the application and other common filters such as VLAN, poller and so on.

Another matrix example:

Figure 2.16 The detailed matrix in the Client/Server view (zones Internet, Private, Local, Servers, DNS, Remote and IPv6 RFC 3587 Routable Unicast; values in GiB)
quick links in the Business Critical Application Dashboard view. Thus, from each Business Critical Application, with a single click on the appropriate icon, you can:
- directly access the corresponding Application Dashboard;
- add a filter on this specific Critical Application, in case you have defined a lot of Critical Applications and want to see only one for a moment;
- edit the Application characteristics;
- directly access the details of the Conversations for this Application.

Note: if you click on the icons next to the name of the application at the beginning of each line, the quick links take into account the complete period of time currently displayed. If you click on the icons associated with a specific period of time, the quick links use that specific period when redirecting you to a detailed screen.

You always see up-to-date information thanks to the auto-refresh feature of the BCA dashboard. The information is refreshed automatically based on the data aggregation level (see aggregation period). For example, if the Aggregate level is 2 minutes, the BCA is updated every two minutes; if the Aggregate level is 15 minutes, the BCA is updated every fifteen minutes.

8.2 Business Critical Networks Dashboard

To customize this view for your own needs, go to the Configuration menu and choose the entry labeled Business Critical Network (see Business Critical Applications). Th
Oracle 10g and 11g with JDBC drivers.

Figure: HTTP inspect page. Summary fields: URL http://fr.wikipedia.org/w/index.php?title=Sp%C3%A9cial%3ABannerListLoader&cache=cn.js&language=fr&project=wikipedia&country=FR (with a Go to this URL link), Begin 2013-03-17 21:19:06.735, End 2013-03-17 21:19:06.752, Method GET, Status 200, Flags AJAX, VLAN, Poller (UNKNOWN on device); Client: client-side MAC, client IP (port 49495), User Agent Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.2 (KHTML, like Gecko) Chrome/15.0.874.121 Safari/535.2, Data 570 B headers, 0 B payload, 1 pkt; Server: server-side MAC, server IP 91.198.174.225 port 80, HTTP Server Apache, Mime type text/javascript; charset=utf-8, Data 612 B headers, 164 B payload, 3 pkt. The query can be displayed unparsed (raw content) or parsed, and its body viewed. Parsed request headers shown: Host: fr.wikipedia.org; Connection: keep-alive; X-Requested-With: XMLHttpRequest; User-Agent (as above); Accept: application/json, text/javascript, */*; q=0.01; Referer: http://fr.wikipedia.org/wiki/Pont_d'Arcole; Accept-Encoding: gzip,deflate,sdch; Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4; Accept-Charset.
would have to format it via Pulsar's format data disk command. When your probe is set up, reboot the Virtual Appliance.

6.3.3 Insert a license key

Except for the trial virtual appliances provided from our web site, the virtual appliances are delivered without a license key. You normally receive this key by e-mail at the product's delivery. If this is not the case, please contact our sales department (sales@securactive.net). For more information about licensing and how to install the license, please see Licensing and Upgrades.

6.3.4 Access the probe interface

To log in to the web interface, please see Access Through a Web browser. Then check that your license is properly configured; to do that, see Licensing and Upgrades.

6.3.5 Traffic capture

First of all, port mirroring should be activated on your switches (or a TAP used instead). Connect the mirror destination port to the ESX server port dedicated to the traffic capture. We will now set the network in promiscuous mode. In the following example we are using an ESX server with 8 physical ports. It is necessary to add a virtual network for traffic monitoring. How to do it:

1. Connect to the vSphere Client.
2. Then, on your ESX server icon, go to the Configuration tab.
3. Click on the Networking menu in the left column.
described in detail in RFC 1034 (http://tools.ietf.org/html/rfc1034) and RFC 1035 (http://tools.ietf.org/html/rfc1035), is key to the good performance of TCP/IP networks. It works in a hierarchical way: this means that if one of the DNS servers is misconfigured or compromised, all the network which relies on it is impacted as well. Although the DNS protocol is quite simple, it generates a significant number of issues: configuration issues, which affect the performance of the network, as well as security issues, which jeopardize the network's integrity. The purpose of this section is to cover the main configuration issues you may encounter with DNS when it comes to network performance.

Hypothesis: you noticed a general slowdown for a specific host, a zone or the entire LAN. You did not find the issue with the previous methods. Maybe this problem has nothing to do with the business applications or your network equipment.

Diagnosis: the DNS server(s) need very high availability to resolve into IP addresses all the names that are necessary for the proper functioning of the applications on the network. An overloaded DNS server takes some time to respond to a name request and slows down all applications that have no DNS data in their cache. An analysis of the DNS flows on the network will reveal malfunctions such as:

Latency issues: if we can observe tha
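The two DNS checks this section and the DNS Response Time page rely on, finding overloaded resolvers and finding the top requesters behind misconfigured clients, can be run over the columns of the DNS page (requester, server, request name, response time, response code). The code below is an added example, not the product's own analysis; its records are constructed and its thresholds are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Added example, not the product's own analysis: the DNS checks described
# in this section run over constructed DNS transaction records with the
# columns of the DNS page. Thresholds are assumptions.


@dataclass
class DnsTx:
    requester: str
    server: str
    name: str
    rt_ms: float
    rcode: str           # NOERROR, NXDOMAIN, SERVFAIL, ... or TIMEOUT when no answer came back


def slow_servers(txs, p95_limit_ms=100.0):
    """Servers whose 95th percentile response time exceeds the limit: an
    overloaded resolver slows every application with a cold cache."""
    by_server = defaultdict(list)
    for t in txs:
        if t.rcode != "TIMEOUT":
            by_server[t.server].append(t.rt_ms)
    result = {}
    for server, rts in by_server.items():
        rts = sorted(rts)
        p95 = rts[min(len(rts) - 1, int(0.95 * len(rts)))]
        if p95 > p95_limit_ms:
            result[server] = p95
    return result


def noisy_requesters(txs, top=3):
    """Top requesters by query count, each with its share of failed lookups:
    a host hammering the resolver and collecting NXDOMAIN or SERVFAIL answers
    is usually misconfigured (wrong search domain, stale server address)."""
    count, failed = Counter(), Counter()
    for t in txs:
        count[t.requester] += 1
        if t.rcode != "NOERROR":
            failed[t.requester] += 1
    return [(host, n, failed[host] / n) for host, n in count.most_common(top)]


def sample_transactions():
    """Constructed records: one healthy resolver, one overloaded one, and a
    client that keeps asking for a name that does not exist."""
    txs = []
    for i in range(20):
        txs.append(DnsTx("192.168.20.212", "192.168.20.254", "login.salesforce.com", 30 + i, "NOERROR"))
    for i in range(20):
        txs.append(DnsTx("192.168.20.205", "192.168.200.254", "emea.salesforce.com", 140 + 5 * i, "NOERROR"))
    for i in range(60):
        txs.append(DnsTx("192.168.20.50", "192.168.20.254", "fileserver.corp.invalid", 12, "NXDOMAIN"))
    txs.append(DnsTx("192.168.20.220", "192.168.20.254", "intranet.corp.example", 0, "TIMEOUT"))
    return txs


if __name__ == "__main__":
    txs = sample_transactions()
    print(slow_servers(txs))
    print(noisy_requesters(txs))
```

Timed-out queries are excluded from the latency percentile (their response time is meaningless) but still count against the requester, and the failure share is what separates a busy but healthy client from a misconfigured one.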
duplicated packets. By only listening to the IN traffic, or only the OUT traffic, on the Ethernet ports concerned, we ensure that the flows of the sessions between the client and the server are transmitted a single time, thus avoiding the duplication of packets.

Figure 5.8 Example without duplicated packets (on switch C, only the "Datas IN" direction of the ports facing A and B is mirrored towards the probe; clients on one side, server on the other)

Note: in the event of a many-to-1 port mirroring session, the total bandwidth of the source Ethernet ports of the mirror should not exceed the maximum bandwidth of the destination Ethernet port of the mirror.

5.4.4 Removal of duplicated packets

The SecurActive system checks and controls the duplicated packet phenomenon on all listening ports, and ensures that all duplicated packets are removed. However, in some cases, duplicated packets could be mixed up with retransmitted packets. It is therefore crucial to minimize the duplicated packet rate, or at least to arrange the mirroring such that duplicates follow the original as closely as possible. To help you reach a low rate of duplicated packets, the appliance reports the duplicated packet rate through the Pulsar command analyzer mirror:

Welcome to Pulsar, the SPV shell v1.13.0
Type help to display Pulsar commands
Type help COMMAND to display the command help details
vsonde73> analyzer mirror
5.12
vsonde73>

Figure 5.9 Duplicated packet rate reported by Pulsar
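Why a duplicate that arrives late gets mixed up with a retransmission is easy to show on a few packets. The code below is an added example, not the appliance's deduplication: a byte-for-byte copy seen again within a short time and packet window is dropped as a mirror duplicate, while a data segment with a sequence number already seen is counted as a TCP retransmission. It assumes that a genuine retransmission is a new IP datagram with a new IP identification field whereas a mirror duplicate is an identical copy; the capture itself is constructed.

```python
import hashlib
from dataclasses import dataclass

# Added example, not the appliance's own deduplication: telling mirror
# duplicates from TCP retransmissions, and showing how duplicates that arrive
# far from their original are miscounted as retransmissions. Assumption: a
# genuine retransmission carries a new IP identification field.


@dataclass
class Packet:
    ts: float       # capture time, seconds
    ip_id: int
    src: str
    sport: int
    dst: str
    dport: int
    seq: int        # TCP sequence number
    payload: bytes


def fingerprint(p):
    h = hashlib.sha256()
    h.update(f"{p.src}:{p.sport}>{p.dst}:{p.dport}|{p.ip_id}|{p.seq}|".encode())
    h.update(p.payload)
    return h.digest()


def dedup(packets, window_s=0.005, window_pkts=16):
    """Drop byte-identical copies seen within window_s seconds among the last
    window_pkts kept packets. Returns (kept, duplicates, retransmissions)."""
    recent = []                 # (fingerprint, ts) of recently kept packets
    seen_segments = set()       # (flow, seq) of data segments already kept
    kept, dups, retx = [], [], []
    for p in sorted(packets, key=lambda q: q.ts):
        fp = fingerprint(p)
        if any(f == fp and p.ts - t <= window_s for f, t in recent):
            dups.append(p)
            continue
        segment = (p.src, p.sport, p.dst, p.dport, p.seq)
        if p.payload and segment in seen_segments:
            retx.append(p)      # same data segment again: retransmission (or a late duplicate)
        seen_segments.add(segment)
        kept.append(p)
        recent.append((fp, p.ts))
        del recent[:-window_pkts]
    return kept, dups, retx


def retransmission_rate(kept, retx):
    return len(retx) / len(kept) if kept else 0.0


def sample_capture():
    """Constructed capture: one SMB data segment, its mirror copy 1 ms later,
    a second copy that arrives 50 ms late, then a genuine retransmission
    (new IP ID) and its own mirror copy."""
    seg = dict(src="192.168.20.212", sport=51000, dst="192.168.20.4", dport=445,
               seq=1000, payload=b"\x00\x00\x00\x54\xfeSMB")
    return [
        Packet(0.000, 100, **seg),
        Packet(0.001, 100, **seg),   # mirror duplicate, close to the original
        Packet(0.050, 100, **seg),   # mirror duplicate, but too late to be recognised
        Packet(0.300, 101, **seg),   # genuine retransmission
        Packet(0.301, 101, **seg),   # its mirror duplicate
    ]


if __name__ == "__main__":
    kept, dups, retx = dedup(sample_capture())
    print(len(kept), "kept,", len(dups), "duplicates,", len(retx), "retransmissions")
```

With the default 5 ms window the copy that arrives 50 ms late is no longer recognised as a duplicate and inflates the retransmission rate from one in two to two in three kept packets; widening the window fixes this sample but makes a fast genuine retransmission of an identical datagram indistinguishable, which is why the guide asks for the mirroring to deliver duplicates right after their original.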
computed using a formula that integrates 3 factors:
- network latency (RTT): recommended value < 100 ms;
- jitter: recommended value < 30 ms;
- packet loss rate: recommended value < 5 %.

8.3.4 Prerequisites

To provide MOS values for VoIP traffic, it is necessary to capture the three flows: signalization (SIP or MGCP), media (RTP) and control protocol (RTCP). If one of these flows is not present in the traffic capture brought to the listening interface(s), the MOS value will not be calculated. The other quality of service metrics remain available.

Metrics obtained by analysis of the signalization protocol (SIP, MGCP):
- Sign RTT: network latency between each phone and the signalization server (value in and out);
- Sign SRT: signalization server response time, the interval between a request and the first response (definitive or temporary) from the signalization server;
- Sign RD: retransmission delay for the signalization traffic;
- Sign RR: retransmission rate for the signalization traffic;
- Code: indicates how the VoIP call ended (e.g. error or not); please note that the code depends on the protocol used.

Metrics obtained by analysis of the media traffic:
- Jitter: standard deviation of latency for the media traffic going from one IP phone to the other;
- Packet loss: percentage of packets lost in the conversation at the point of capture of the probe, based on RTP sequence numbers;
- RTT: network latency between the two IP phones, based on the timestamps provided by both IP phones.

Note: RTT and MOS values depend to s
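The media metrics above can be computed from a captured RTP stream. The code below is an added example, not the product's own computation: packet loss is derived from the 16-bit RTP sequence numbers (with wrap-around handled, and duplicated packets not counted as deliveries), jitter as the standard deviation of the one-way latency up to a constant clock offset, and the three factors are then combined into a MOS. The guide does not give its MOS formula; the simplified E-model used here (ITU-T G.107 shape with commonly quoted coefficients), the 10 ms codec delay and the jitter buffer sized to twice the jitter are assumptions, and the RTP stream is constructed.

```python
import statistics

# Added example, not the product's own computation. Packet loss from RTP
# sequence numbers, jitter as the standard deviation of the one-way latency,
# and a MOS from RTT, jitter and loss. The simplified E-model and its
# coefficients, the codec delay and the jitter buffer size are assumptions.

RECOMMENDED = {"rtt_ms": 100.0, "jitter_ms": 30.0, "loss_pct": 5.0}   # from the guide


def extend_sequence(seqs):
    """Unwrap 16-bit RTP sequence numbers into a monotonically growing count
    (a drop of more than 32768 between consecutive packets is a wrap)."""
    extended, cycles, prev = [], 0, None
    for s in seqs:
        if prev is not None and prev - s > 32768:
            cycles += 1 << 16
        extended.append(cycles + s)
        prev = s
    return extended


def packet_loss(seqs):
    """Return (lost, percent) from the sequence numbers seen at the capture point."""
    ext = extend_sequence(seqs)
    expected = max(ext) - min(ext) + 1
    received = len(set(ext))          # a duplicated packet is not a second delivery
    lost = expected - received
    return lost, 100.0 * lost / expected


def jitter_ms(arrival_s, rtp_ts, clock_hz=8000):
    """Standard deviation of the transit time (arrival minus media clock),
    i.e. of the one-way latency up to the constant clock offset."""
    transit = [a - t / clock_hz for a, t in zip(arrival_s, rtp_ts)]
    return 1000.0 * statistics.pstdev(transit)


def mos(rtt_ms, jitter, loss_pct, codec_delay_ms=10.0):
    """Simplified E-model: R factor from one-way delay and loss, then MOS."""
    one_way = rtt_ms / 2 + 2 * jitter + codec_delay_ms   # jitter buffer = 2 x jitter (assumed)
    r = 93.2 - 0.024 * one_way
    if one_way > 177.3:
        r -= 0.11 * (one_way - 177.3)
    r -= 2.5 * loss_pct                                   # linear loss impairment (assumed)
    r = max(0.0, min(100.0, r))
    return 1 + 0.035 * r + 7e-6 * r * (r - 60) * (100 - r)


def within_recommendations(rtt_ms, jitter, loss_pct):
    return (rtt_ms < RECOMMENDED["rtt_ms"] and jitter < RECOMMENDED["jitter_ms"]
            and loss_pct < RECOMMENDED["loss_pct"])


def sample_stream():
    """Constructed RTP stream: 20 ms packets (160 samples at 8 kHz), one packet
    lost across the 16-bit wrap, one packet delayed by 10 ms."""
    sent_index = [0, 1, 2, 3, 4, 6, 7]                 # packet 5 (seq 2) never arrived
    seqs = [(65533 + k) & 0xFFFF for k in sent_index]  # 65533, 65534, 65535, 0, 1, 3, 4
    rtp_ts = [160 * k for k in sent_index]
    arrival = [0.100 + 0.020 * k for k in sent_index]
    arrival[3] += 0.010
    return seqs, rtp_ts, arrival


if __name__ == "__main__":
    seqs, rtp_ts, arrival = sample_stream()
    lost, pct = packet_loss(seqs)
    j = jitter_ms(arrival, rtp_ts)
    print(f"lost={lost} ({pct}%), jitter={j:.2f} ms, MOS={mos(20, j, pct):.2f}")
```

The loss percentage is what the sequence numbers show at the probe's point of capture, which is why the guide insists on capturing the RTP flow itself; a reordered packet (a small backward step in sequence) is not mistaken for a wrap.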
152. …ded to a report, you can modify the filters with the Edit button. For each page you may add an optional description to explain its purpose.
Note: Before release 2.9, an additional time delta was added under certain circumstances. As of 2.9 this is no longer the case: all dates are relative to the day the report is being sent.
Actions on reports
A report template can be deleted with the Delete button. You can clone a report template: all its parameters and included views will be duplicated, and a new report template is created with "copy" added to the report name. Preview starts the generation of the report right now; once it has been generated you will be able to see the PDF file with your favorite PDF viewer. Notice that the generated report will query the same time intervals as the next scheduled report, which can lead to some blank pages if the data for these intervals has not been collected yet. Edit allows you to change the parameters of the report template: name of the report, list of recipients and scheduling settings. Send now starts the generation of the report right now, and the report will be sent by mail once it has been generated. Again, the report will query the same time interval as the next scheduled report.
Sending Email
So that your reports can be sent properly to the recipients' email addresses, you need to configure the SMTP server within Pulsar. You can do that with the config smtp command. Then just add…
153. …different servers to that client zone; EURT per client, so that you can identify whether all clients are impacted by a slowdown, or which individual client generates more volume or has worse application performance. The breakdown by client is useful to know whether the whole zone was impacted or just some individual users, on which component of the EURT (network latency, server response time or data transfer time), and for which number of transactions and amount of traffic.
Server application dashboard
You can access this dashboard either through the menu or by clicking on a specific server in the Application Dashboard. This dashboard contains three bits of information:
- EURT graph through time for this server and this application
[Figure 8.12: Client zone application dashboard (EURT over time, breakdown by servers, breakdown by clients)]
[Table: Breakdown by clients; columns Sync, Client, EURT, RTT, SRT, DTT; sample rows for clients 172.16.8.30 and 172.16.8.31 with traffic in MiB, transaction counts and latency values in ms]
154. …distributed between DCa and DCb, then a distributed implementation is required.
- Two data centers: Distributed is adequate. If the traffic between servers is captured, it may be double counted; traffic from clients to servers should not be double counted.
- Active/Active N data centers through WAN: Distributed is adequate. Traffic between servers will be captured twice and double counted.
- Datacenters and M remote sites: Distributed may not be adequate. The traffic going from the remote sites to the datacenters will be double counted. The cost of deploying physical units may be superior to the benefit.
[footnote] This corresponds to a rare case; this case is not handled by the non-distributed implementation of Performance Vision, nor by most competitors. The bypass option would be to use TAPs to re-aggregate both flows before they reach the interface of the poller.
[footnote 3] This is already the case in a non-distributed implementation. The only new element is the fact that data will be more readable if all pollers have the same capture points.
5.6 Virtual Performance Vision
Note: For more details about step-by-step virtual appliance installation, cf. Virtual Appliance Step by Step.
If you are installing the virtual image of Performance Vision, then you have to take into account a few additional facts.
5.6.1 How to get the image
This section is based on versi…
155. …drive.
[Figure 6.3: Click on Next]
[Screenshot: Deploy OVF Template - OVF Template Details. Product: Performance Vision; Vendor: SecurActive; Size on disk: 387.9 MB thin provisioned / 265.0 GB thick provisioned. Description (translated from French): "Attention: the hardware configuration is the minimum. According to your needs, please add resources: memory, processor and storage space. The Performance Vision VM is designed to run on VMware ESX 4 or 5 but works perfectly with Oracle VirtualBox."]
[Figure 6.4: Click on Next]
[Screenshot: Deploy OVF Template - End User License Agreement. Accept the end user agreement (the SecurActive appliance licence contract, displayed in French: before using the appliance, read the terms of this contract carefully, as it constitutes a legal commitment between SecurActive and you; by choosing "I accept" or by using the software or the appliance, you acknowledge having read and understood the appliance licence contract and expressly agree to be bound by its terms; if you do not accept them, select "I do not accept", do not activate the appliance and do not use the software).]
156. …e to another.
10.3 How can SRT be greater than DTT?
Every DTT is preceded by an SRT, but both are not computed simultaneously:
- DTTs are not stored until the data transfer is complete
- SRTs are stored as soon as the first packet of the response is seen
Thus it is frequent to have more SRTs than DTTs when browsing recent data.
10.4 How can we have 0 packets and no traffic at all on a conversation?
This is a common case when the observation period encompasses the end of a timed-out conversation: no packets have been sent during the observation period, and the elapsed time since the last packet has reached the timeout limit.
10.5 What is this timeout column in Analysis > TCP Error?
As there is no timeout in standard protocols such as TCP or UDP, this is an application-level notion that the packet sniffer must guess. We consider the conversation as timed out after 2 minutes without packets exchanged.
10.6 Why are some DNS request names missing?
Although the DNS protocol states that the question section must be present in requests, not all DNS messages are name resolution requests. Some DNS servers may use message types unknown to the traffic analyzer that do not embed anything meaningful in the question section of the message. For instance, the NBNS server statistics report is such a message, which makes no use of the question section. Note that you can search for empty DNS names using the re…
157. …e using HTTPS, and a terser way to pass credentials:
  wget --no-check-certificate 'https://admin:admin@SPV/nevrax/network/ipstats_ds?skin=simplehtml'
13.3.4 Programming Example
You can also create a program to retrieve result pages from SPV. Here is a simple example in python2:
  import urllib
  import urllib2

  def get_spv_data(url, user, passw):
      # create the HTTP basic authentication handler for this URL
      auth = urllib2.HTTPPasswordMgrWithDefaultRealm()
      auth.add_password(None, url, user, passw)
      urllib2.install_opener(urllib2.build_opener(urllib2.HTTPBasicAuthHandler(auth)))
      # perform the request and return the raw body (HTML or PDF bytes)
      req = urllib2.Request(url)
      f = urllib2.urlopen(req)
      return f.read()

  def create_url(domain, page, filters, as_pdf=True):
      # each filter becomes a filter[NAME]=VALUE query parameter, URL-encoded
      filter_args = urllib.urlencode([('filter[%s]' % k, v) for k, v in filters.iteritems()])
      if as_pdf:
          skin = 'skin=pdf'
      else:
          skin = 'skin=simplehtml'
      # query layout as reconstructed from the (OCR-damaged) original listing;
      # check it against the wget example above for your probe
      return 'http://%s/%s?%s&%s&auth_force=http' % (domain, page, skin, filter_args)

  # set up the query
  domain = 'myspv.domain'
  page = 'nevrax/network/bw_chart/page.html'
  filters = {'capture_begin': '2013-01-31 14:50',
             'capture_end': '<end time>',
             'serviceid': '<service id>'}
  user = passw = 'admin'
  url = create_url(domain, page, filters, as_pdf=True)
  result = get_spv_data(url, user, passw)
  open('output.pdf', 'wb').write(result)
13.4 Protocol Stack
158. …e 2.2: Business Critical Networks]
You can access this view in the graphical interface in Dashboards > Critical Networks.
2.2.2 Performance over time chart
This view shows the main network performance metrics through time for a given selection (from one zone to another, for example): round trip time, retransmission delay, connection time, retransmission rate, volume of packets. This shows the evolution of the network performance; as in any view in Performance Vision, you can drill down to the conversation level by clicking through the graphs.
[Figure 2.3: Performance over time chart (Begin 2012-03-21 13:24, End 2012-03-21 19:24, Client Zone / Server Zone)]
You can access this view in the graphical interface in Monitoring > Network Performance Chart.
2.3 Application Performance
Performance Vision provides a series of views to show how your applications are behaving.
2.3.1 Business Critical Application Dashboard
Provided you have configured some critical applications (setting thresholds on quality for a given application), you will get a summary screen of the performance of your most critical applications. This is an auto-refresh screen whose data can be integrated in your SNMP-based monitoring suite. By hovering over a specific time and link, you can view the origin of a degradation: round trip time, server response time, data transfer time, quantity of transactions.
Figure 2.4: Bu…
159. …e Business Critical Network Dashboard (BCN) is aimed at presenting in a single screen the status of your organization's most critical network links. You can customize the business critical network dashboard to view the status of the most strategic links corresponding to your business.
[Figure 8.3: Business Critical Network Dashboard]
From the Business Critical Network Dashboard you can drill down from the general view to more detailed information for analysis and problem resolution.
[Figure 8.4: Detailed values for a point of time (Capture time 2011-03-28 09:58:00; for each direction, Private > Internet and Internet > Private: latency, retransmission rate, rate and bandwidth)]
By pointing with the mouse you can view the threshold values for each direction at each point of time, indicating the status (OK, Warning or Alert), as well as the value for each direction. You can also access the bandwidth graphs and the conversations table for each link. If you click on the icons next to the name of the link at the beginning of each line, the quick links will take into account the complete period of time currently displayed. If you click…
160. …e above example, the LAN Servers Fallback zone collects all IP addresses in the 192.168.1.0/24 subnet after some more precise zones have tried to match subsets of this subnet. Notice that the priority of the fallback must be lower than the priority of these smaller zones, otherwise they would be shadowed by the fallback. Notice also that if the example configuration was instead:
  LAN Servers Mail   192.168.1.25                 localhost
  LAN Servers Web    192.168.1.80                 localhost
  LAN Servers        192.168.1.1-192.168.1.100    localhost
i.e. with LAN Servers instead of LAN Servers Fallback, then selecting the LAN Servers zone in the GUI would actually select LAN Servers Mail and LAN Servers Web in addition to the fallback. In other words, there would be no way to select in the GUI only the peers that are in the servers' IP range but that are neither the mail nor the web server. Using the Fallback naming convention allows one to select either a specific server (LAN Servers Mail, LAN Servers Web), all servers (LAN Servers), or only the servers other than mail and web (LAN Servers Fallback).
3.3 Application
The main objective of an application is to easily categorize network usage. Through this concept, which is a key notion of Performance Vision, the administrator can group similar network usages into categories that make sense for his network context. Additionally, by configuring Applications, reports on network traffic are made clearer and are readable by…
161. (custom filter fields, continued: each field name followed by its description)
- [field names not legible]: Zero Window Size in both directions; Zero Window Size from client; Zero Window Size from server; Total traffic; Traffic from client to server; Traffic from server to client; Number of SYN packets
- capture_begin: Capture begin time
- capture_end: Capture end time
- ct: Connection time
- [count of ct]: Number of successful handshakes
- delta_session: Difference between created sessions and finished sessions
- device: [description not legible]
- diffserv: Client or Server Diffserv
- diffserv_clt: Client Diffserv
- diffserv_srv: Server Diffserv
- dtt: Sum of both DTT, client and server
- dtt_clt: Data transfer time from client
- dtt_srv: Data transfer time from server
- dup_ack_count: Total duplicate acks
- dup_ack_count_clt: Duplicate acks from client to server
- dup_ack_count_srv: Duplicate acks from server to client
- end: Number of sessions finished
- eth_proto: Ethernet Type Protocol
- eurt: End user response time
- fin_count: Total number of FIN packets
- fin_count_clt: Number of FIN sent by client IP
- fin_count_srv: Number of FIN sent by server IP
- ip: Either client or server IP or subnet
- ip_clt: IP which demands a connection to…
Further field names listed on this page (descriptions not recoverable): ip_netflow, ip_srv, mac (client/server variants), mtu (client/server variants), os (client/server variants), payload (total, client/server and retransmission variants), pkt_count (client/server variants), ret (client/server variants).
162. …e content type of the referred page does not prevent it (i.e. is not typically reserved to non-root transactions such as images, CSS and other typically embedded content). You can choose between these two behaviors with the http_detach_referred parameter. The second behavior (keep referred transactions attached) is better when iframes are involved, but it is believed that the first (and default) one should generally lead to better results: other than iframes, the only observed case where a referenced transaction was obviously not a page root was an AJAX request POSTing continuously to the same URL as its referrer, thus detaching its predecessor.
When we eventually receive the response of a transaction (and thus, hopefully, its content type), we revise our judgment on the attachment: if the transaction seems not to have been triggered by AJAX and its content type is indicative of a standalone document (pdf, ps or html with status 200), then we detach it, turning it into a root. Otherwise, if the content type is not indicative of typically embedded content (image, css etc.), then we check the delay between the page root and this transaction, and if it is greater than the http_page_construction_max_delay parameter, it is detached as well.
To speed up information retrieval, some global per-page values are precomputed in the sniffer: every transaction attached to a page contributes its counters to the page as soon as it is received, provided less than http_page_contribut…
163. …e is available, you can download it by clicking on the icon. Once the file has been downloaded, you can view the packets with any protocol decoder capable of reading PCAP files.
[Figure 8.15: PCAP column in Performance conversations (table columns: Conn. established, Transactions, EURT, RTT in, RTT out, SRT, DTT clt, DTT srv, CT, CRT, RR in, RR out)]
[Table: DNS conversations from 192.168.20.254 (Private fallback) and 192.168.10.254 (R&D) to mail.google.com and pypimirrors.rd.securactive.lan, with traffic in KiB, response time, query type (A / AAAA) and status (NoError / NXDomain)]
164. …e version allows you to have a basic overview of the network-level aspects of your traffic. Obviously, advanced features (application-level reporting, import/export features) are not available, but it is free for one year.
Evaluation is a free evaluation version that allows you to test all features for 15 days. After that period of time it will automatically switch to the Free version.
The Audit version is dedicated to our partners. With this version, valid for 15 or 30 days, they can provide value-added services to customers such as performance assessments or in-depth usage audits.
Express is an entry-level version designed for small-network management and for small network assessments or audits. For a very affordable price it enables administrators to control network, application and VoIP usage & performance, even if some of the advanced features are not available.
The Full version enables administrators to monitor all network, application and VoIP aspects of large datacenters, including redundant ones, and to deal with multiple locations through a distributed architecture. Depending on the amount of traffic to be analyzed, Full comes in three different versions: Small (20 000 flow analysis), Medium (100 000 flow analysis), Large (500 000 flow analysis).
9.6 Performance Vision Versions
Please find below the detailed specifications of the differ…
165. …eam by email or any file-sharing platform (file size can be huge).
  probe> diag
  Creating a diagnostic package could be long...
  Download the diagnostic file with a FTP client: DIAG-E2A346A2-55F7-5834-40AE-BIEC5967FB61-2014061…
7.2.10 What information to give to the support team
Use the info command. This command summarizes all the basic information needed for support assistance, such as the state of the probe, the IP address of the support tunnel and other useful information:
  probe> info
  UUID: E2A346A2-55F7-5834-A0AE-BIEC5967FB61
  Platform: vmware
  Role: Collector
  Release: 3.0.9.5rl internal
  License: Valid license 2015-01-02 00:00:00
  Datadisk: present True, usage 42, srv usage 27
  Admin interface: [addresses illegible in this copy]
  Support interface: [addresses illegible in this copy]
  Sniffer state: RUNNING
  Distribute state: RUNNING
  Storage state: RUNNING
  IHM State: RUNNING
  Database up: True
7.2.11 How to configure the User Interface language
The user interface is available in English and French. The language is detected automatically based on the default language of the browser used to access the probe. So, to get the user interface in the desired language, the administrator should check and configure the default language of the browser.
7.3 SPV Functional Configuration
7.3.1 User Management
There are two groups of users in the Users Configuration interface: the Administrators group and the Users group. These…
166. …easons (to keep the storage to a reasonable size), only the type of query (e.g. SELECT, UPDATE) is kept at aggregate levels above 2 minutes. You can configure this behavior in the Data Merging configuration page.
2.7.1 Graph
The main SQL graph allows you to view the performance of your SQL queries over time. You can graph the performance of a specific query or a specific server using the filters.
[Figure: SQL graphs over time (07:50 to 09:10): Queries, Response Payload, Query DTT/SRT, Query Payload, Query Packets]
2.7.2 Top Views
You can request the top most solicited servers according to the number of queries or total payload, for example. You can request the list of queries that occur most often or which take the longest time to get a response.
[Table: Top servers; columns Sync, Server, Queries, Query Payload, Response Payload, Query Packets, Response Packets, SRT, Query DTT, Response DTT]
167. …ed environments.
Virtual Appliances for VMWare environments:
- Full (Small, Medium or Large): all features
- Evaluation: for testing
- Audit: for auditing services
- Express (Small or Large): entry level
- Poller: remote probe for distributed environments
9.4 Hardware Versions
The hardware appliances come only in Full or Poller versions.
Full enables administrators to monitor all network, application and VoIP aspects of large datacenters, including redundant ones, and to deal with multiple locations through a distributed architecture. Depending on the amount of traffic to be analyzed, here are the flow analysis recommendations for the different versions of the hardware appliances:
- PV 500: 40 000 flow analysis
- PV 1000: 80 000 flow analysis
- PV 2000: 200 000 flow analysis
- PV 4000: 300 000 flow analysis
- PV 8000: 400 000 flow analysis
Please see the Licensing Model chapter for more details.
Poller is a specific version for distributed environments that acts as a remote analysis point. One or several pollers can be installed in different locations. It works in conjunction with a central collector, which must be a Performance Vision Full, as only this version supports distributed environments.
9.5 VMWare Versions
The Performance Vision virtual appliances come in several versions in order to fit different customers' needs.
The Fre…
168. …efore degradation. Once data has been aggregated, if you query the same period back in time you will have:
[Figure 3.3: TCP conversation after degradation; columns Client Zone, Client IP, Server Zone, Server IP, Application, Traffic; row: Internet, Merged, Private fallback, 192.168.50.34, http, 5.5 KiB]
For the Client IP, "Merged" means that the two conversations to the different Internet clients have been merged into one single entry. This is only done when the Zone is Internet and matches the same server/application couple. So you still know that this server was accessed from the Internet zone with the http application on port 80.
3.5 Conversation
3.5.1 Objective & Definition
The objective of a conversation is to group a set of data exchanges between two hosts for a single application into one basic entity, to be able to generate a more user-friendly report on network traffic. A flow is a group of data exchanges between two hosts for one application over the aggregation period. A conversation is a group of flows over the observation period. The observation period is defined by a start time and an end time provided by the user. A conversation is defined by the following criteria:
- The device identifier that received the packets
- The VLAN tag that might be present in the packets
- Source or client IP address (please refer to the chapter Types of Conversations)…
169. …egex match)
- --showall: print all instead of only the matching pattern
- --onlyfaulty: print only faulty services (not OK), BCA or BCN
- -a NAME: name of BCA (http, ssh, ...). This is treated as a regexp: "http" will match BCA "http", "http intranet", "https". If NAME is left empty, it will check all.
- -b NAME: name of BCN (All, Private, Private fallback). This is treated as a regexp: "fallback" will match all BCN containing "fallback". If NAME is left empty, it will check all.
- Check only BCN status A > B
- Check only BCN status in the opposite direction
- Do not use regexp to match NAME
- -l, --landscape: print tables in landscape mode (default is portrait mode)
- -t, --timeout INTEGER: timeout for SNMP in seconds (default 5)
- -V: prints version number
Examples:
- check_snmp_securactive.pl -H 10.0.0.1 : check all BCA and BCN of probe 10.0.0.1; it will return the global status
- check_snmp_securactive.pl -H 10.0.0.1 -C public 2 : check BCA and BCN; it will return the global status (public community is the default, and v2c is the default SNMP protocol)
- check_snmp_securactive.pl -H 10.0.0.1 -a http : check BCA with a case-sensitive regex match on "http" (https matches, Http does not match)
- check_snmp_securactive.pl -H 10.0.0.1 -a http -i : check BCA with a case-insensitive regex match on "http" (https matches, …
170. [Screenshot: Cacti Console > Import Templates, logged in as admin. Cacti reports the imported items: CDEFs (Total All Data Sources, Multiply by 1024, ... 1000 and saturated, Turn Bytes into Bits, Total All Data Sources Multiply by 1024), GPRINT presets (Normal, Load Average), data input methods (Get SNMP Data, Linux Get Memory Usage, Get SNMP Data Indexed), data templates (ucd/net CPU Usage System, ucd/net CPU Usage User, ucd/net CPU Usage Nice, ucd/net Load Average 1/5/15 Minute, Linux Memory Free, Linux Memory Free Swap, ucd/net Memory Buffers, ucd/net Memory Free, ...), each marked success and new or update]
171. …emplates. A summary is displayed: scheduling frequency, generation time, first recipient emails. At this stage it is empty and does not contain any view; this is why "Containing 0 views" is indicated. After you have added some views to the report, the number of views contained in the report will be indicated here.
Add views to report
To add a view to a report template, just go to the screen with the desired view. Select a time period and run the search. Once the search is completed, the link "Add this page to a report" becomes active. When you click on it, a drop box with the list of available template reports is displayed. You can choose the template report to which you want to add the current view and click on the Add button. If you need to, you can click on "Show report list": it will open the configuration area with the list of available report templates.
[Figure 7.14: Add a view to a report template ("You can add the current page with the selected criteria to a report"; Show report list; Add to report; Report of the proxy)]
Please note that while the time is fixed, the date will remain relative to the moment the report is sent. If the view you are adding starts yesterday at 20:00 and ends today at 8:00, and the report is scheduled to be sent next Friday, then the effective capture time bracket will be from Thursday at 20:00 to Friday at 8:00. Once the page is ad…
172. …ent Performance Vision versions (reporting, PDF export, CSV export, SNMP, config import/export, access to support option).
[Figure 9.4: Performance Vision Versions]
9.6.1 Licensing Model
The licensing model is based on the capacity of the central database. Whatever the number of pollers (only one local poller, or several remote ones), what is taken into account for the sizing is the amount of data processed by the central collector. There is only one criterion: the central database capacity in terms of number of flow analyses. Four versions exist in the Performance Vision product range; they offer the following capacity levels:
Hardware:
- PV 500: 40 000 flow analysis recommendation
- PV 1000: 80 000 flow analysis recommendation
- PV 2000: 200 000 flow analysis recommendation
- PV 4000: 300 000 flow analysis recommendation
- PV 8000: 400 000 flow analysis recommendation
Virtual Express:
- Small: < 20 000 flow analysis
- Large: 500 000 flow analysis
Virtual Full:
- Small: < 20 000 flow analysis
- Medium: 100 000 flow analysis
- Large: 500 000 flow analysis
9.7 How can I determine the model that is right for me?
The simplest way is to deploy the Evaluation version. You will then find a dedicated screen called Database Workload, located in the Configuration area. It displays the number of different flow analyses integrated in the database over time, so it is easy to determine…
173. …ept and Next.
[Screenshot: Deploy OVF Template - Storage: "Where do you want to store the virtual machine files? Select a destination storage for the virtual machine files" (datastore list with provisioned and thin-provisioned space)]
[Figure 6.6: Name the Virtual Machine appropriately and click on Next]
[Screenshot: Deploy OVF Template - Disk Format: "In which format do you want to store the virtual disks?" Options: Thick Provision Lazy Zeroed, Thick Provision Eager Zeroed, Thin Provision]
[Figure 6.7: Disk configuration]
[Screenshot: Deploy OVF Template - Ready to Complete: "Are these the options you want to use? When you click Finish, the deployment task will be started." Deployment settings: local OVF file, download size 3667 MB, size on disk, name Performance Vision, disk provisioning, network mapping Admin to Mirror, power on after deployment]
[Figure 6.8: Click on Finish]
6.3 Installation
[Screenshot: Performance Vision virtual machine summary and console (_set_tso: TSO is Disabled on the eth interfaces)]
174. …er; breakdown by zone client.
[Figure 2.5: Application Performance Dashboard]
This view is available for any TCP application in Dashboards > Application Dashboard.
2.3.3 Application Performance Chart
A more detailed view of the application performance is available here; it shows an even more complete set of metrics: RTT (client & server), Server Response Time, Data Transfer Time (client & server), retransmission rate, volume of packets. Using filters you can focus on a specific perimeter and view the evolution of the application performance through time. This view is specifically interesting to link the evolution of data transfer times to retransmission rates and data volumes. This view is available for any TCP application in Monitoring > Application Performance Chart.
2.4 Bandwidth
You can graph the evolution of bandwidth through time. From there you can drill down to detailed conversations to display the main contributors of a peak of traffic, for example.
[Figure 2.7: Bandwidth Graph (Begin 2012-03-21 13:15, End 2012-03-21 19:15)]
This view can be accessed through Monitoring > Bandwidth chart.
2.5 Conversations, Flow Details & Raw Data
A conversation represents the exchanges between two IP addresses. So why do we need Flow Details pages?…
175. …erformed on the corresponding value.
[Figure 7.7: Overview of the zone tree editor (zones such as Fallback, Internet, IPv6 RFC, Routable Unicast RFC 3587, 6to4 RFC 3056, Doc RFC 3849, Teredo RFC 4380, Routable Unicast RFC 3587 fallback, IPv4 into v6, IPv4, IPv6, Private, Broadcast Local, APIPA RFC 3927, Clients, LAN, Building 1, Building 2, Financial, each with its number of rules and priority)]
When several fields are set, all must match simultaneously for a conversation to be associated with this zone; in other words, the filters are logically ANDed together. Here are some examples of valid subnets (192.168.100.0/24, …) and valid MAC addresses (…). Finally, the numeric priority field allows one to alter the default priority (0), greater priorities being tested before lower priorities. Note that priorities can be negative as well as positive values.
Zones management using an external file
Alternatively, one can export the zone configuration to a CSV file that can be edited using any spreadsheet program and imported again.
7.3.3 Application configuration
You can configure Applications in the configur…
176. …ers; Protocol Stack List; Licenses of open source libraries; CIFS Status Categories; Index
1 RELEASE NOTES
1.1 What's new in 3.3
Full Operating System Upgrade:
- The data disk has new partitions with a full new OS (Debian 8.0)
- Updated VMware tools
- Updated SSL libraries
- Fixed occasional Linux kernel bugs seen on some environments
Other Features & Improvements:
- A new Top Database page in the SQL menu
- Support of MPLS
- Improved custom filters, with now more than 500 research fields
- Pulsar Shell configuration now works with transactions
- Business Critical Applications (BCA) can be sorted by status to get the most degraded applications first
- More flexibility with LDAP authentication
- Appliance monitoring data available in the configuration menu
1.2 What's New in 3.2
CIFS/SMB Performance Analysis:
- CIFS Analysis: supports SMB 1.0, 2.0 and 3.0 without encryption; decodes file path, SRT, DTT, metadata, commands, etc.
- New pages: CIFS Overview, Performance, Top IP Client, Top IP Server, Top Files, Top Trees, Top Users, Queries, Raw Data
- CIFS custom filters
Custom Filters:
- L3/L7 links between Flows & Transactions: switch from Flows to Transactions and from Transactions to Flows
- Inline help and protocol documentation
Other Features & Imp…
177. es

Reports:
- Queried time interval in reports has been simplified
- Email recipients have become optional, as reports are now also stored on the probe and available through FTP
- Report edition now displays the time intervals of each individual page

PCAP: The former limitation on storage size of manual PCAP files (20 GB) has been removed. Users can now freely manage the size of captures depending on available storage capacity.

GUI:
- Time selection improvement
- In Monitoring, the information displayed on screens has been harmonized

Metrics: DTT will time out after 1 second with no data transfer. If no more data is received during this period, we consider that the last packet received was the one to take into account for the DTT.

1.13.3 Major Bug Fixes
- Metrics: Retransmission rate is now computed regardless of empty packets
- Metrics: The de-duplication process is no longer fooled by varying Ethernet padding
- GUI: There were occasionally some empty lines in grouping tables
- Reports: Scheduling of report dates when set across two days (e.g. from 23:00 to 01:00)
- Reports: Some client email applications were not displaying the attached PDF file
- PCAP: Better autopcap performance when lots of files are generated

1.14 What's new in 2.8

1.14.1 New Features
- Alerts: Business Critical Applications metrics are available through SNMP. The values can be queried thr
178. es

Figure 8.7: VoIP Calls (call list screenshot: calls timestamped 2011-04-07 15:43 to 15:44 with their per-call identifiers and quality values; table residue omitted)

Note: Those dashboards are not available in Securactive NPS.

It is extremely useful as a starting point for troubleshooting and as a tool to communicate to management and business users on how the application is actually performing. It is a set of three elements that display key information on the performance of a business application.

(Dashboard screenshot residue: period 2011-09-08 13:32 to 14:32; average SRT, EURT and RTT; Transactions sum 7,319; breakdown by server and breakdown by client zone: Private fallback, R&D.)
179. esholdBandwrateWarningAtoB (24)
- Gauge spvBCNThresholdBandwrateWarningBtoA (25)
- Gauge spvBCNThresholdBandwrateAlertAtoB (26)
- Gauge spvBCNThresholdBandwrateAlertBtoA (27)
- Gauge spvBCNThresholdRttWarningAtoB (28)
- Gauge spvBCNThresholdRttWarningBtoA (29)
- Gauge spvBCNThresholdRttAlertAtoB (30)
- Gauge spvBCNThresholdRttAlertBtoA (31)
- Gauge spvBCNThresholdRrWarningAtoB (32)
- Gauge spvBCNThresholdRrWarningBtoA (33)
- Gauge spvBCNThresholdRrAlertAtoB (34)
- Gauge spvBCNThresholdRrAlertBtoA (35)

Note: Notice that none of these MIB objects is currently settable.

7.3.9 TLS Decryption

Some of the protocols inspected by SPV may be encrypted using TLS, namely HTTP, SKINNY and SIP. Under some conditions SPV can decrypt these streams and proceed with inspection as normal; in other words, it is possible to visualize HTTPS transactions. To activate this feature you must fulfill all of the following requirements:

- Have access to the private keys of the targeted servers and upload them into SPV. Please bear in mind that anyone with your private key can do the same as the SPV probe, so make sure you upload it using HTTPS and secure access to the probe file system.
- Force the server or the client to use these keys to encrypt the handshake; in other words, disable key exchange algorithms such as Diffie-Hellman, whose session keys cannot be recovered from the server's private key. For instance,
180. ess of the poller where they were captured. If a capture was done on multiple pollers at a time, then they will have the same name and same filters; they will be grouped together in the management interface.

Figure 8.22: The triggered PCAP management page, with the first one created on two pollers.

8.7 Interpretation Guidelines

The objective of this section is to help our customers make the best use of the performance reports provided by their appliance. You will find enclosed a brief overview of how application performance issues can be solved with SPV. This first section focuses on synthetic metrics that produce a measure of the quality of experience of users (QoS, End User Response Time) and gives you a simple explanatory framework to understand the cause of application slowdowns (Round Trip Time, Server Response Time and Data Transfer Time).

Note: Some metrics and views described below are only available in Securactive APS.

8.7.1 Objectives

Before you start analyzing performance reports, there is a certain number of elements which you must bear in mind:

- Performance metrics should not be considered as absolute values but in comparison with different time intervals, servers and user groups.
- Performance metrics represent a time interval. Although most of them correspond to the measurement of a concrete phenomenon, it is almost impossible to provide a scale of
181. et with FIN from any of the devices that is acknowledged by a FIN ACK by the other device and followed by a FIN of this same last device (no FIN ACK is necessary to conclude that the connection is closed).

Subnet: Set of network addresses that have a common declared IP address routing prefix. A Subnet is defined by an IP address and a netmask.

TCP Handshake: 3-way negotiation that is part of TCP for establishing a TCP session. A TCP Handshake is defined between 2 devices as an exchange of 3 TCP packets flagged SYN, SYN ACK, ACK.

Timeout: Session end by inactivity. A Session Timeout will be reported after 120 seconds of complete inactivity (i.e. no packets seen).

Web Application Pattern: Means of recognizing an Application based on a pattern in the payload. Currently these patterns are checked against HTTP URLs only. The pattern syntax allows a hostname and optionally a path, separated by /, i.e. www.example.com/my/path or www.example.com. Notice that a wildcard character is allowed in the domain or path part of the pattern. Only Conversations which are detected to be based on HTTP will have the URL of their GET, POST or CONNECT request matched against a Web application signature's pattern. A match occurs when the pattern matches the complete target URL.

Zone: A zone corresponds to the location of a sender or emitter. See Zones for more details.

CHAPTER THIRTEEN: APPENDIX

13
182. (Table 13.1 Custom Filters, continued; fragment of the description and type columns in which the operand names were not preserved by extraction.)

Descriptions, in table order: Retransmission payload from server to client; Payload from server to client; Number of IP packets; Number of packets sent from client; Number of packets sent from server; Poller name (distributed probe); Server port; Protocol; Protocols stack; Retransmission delay; Retransmission delay from client to server; Retransmission count (both directions); Total retransmission delay indic.; Retransmission delay indic. client to server; Retransmission delay indic. server to client; Total retransmission rate; Retransmission rate client to server; Total retransmission rate for signalization; Retransmission rate server to client; Signalization retransmission delay; Number of sign. retransmissions (both directions); Retransmission delay from server to client; Total retransmission traffic; Retransmission traffic from client to server; Retransmission traffic from server to client; Total number of RST sent; Number of RST sent by client IP; Number of RST sent by server IP.

Operand types appearing in the type column: Decimal or hexa, Ethernet Type, Duration, Address or netmask, MAC address, OS name, Byte quantity, St
183. etry Count: After an initial failure, the number of ping retries Cacti will attempt before failing.

SNMP Options:
- SNMP Version: Choose the SNMP version for this device (Version 2)
- SNMP Community: SNMP read community for this device (public)
- SNMP Port: Enter the UDP port number to use for SNMP (default is 161)
- SNMP Timeout: The maximum number of milliseconds Cacti will wait for an SNMP response (20000; does not work with php-snmp support)
- Maximum OIDs Per Get Request: Specifies the number of OIDs that can be obtained in a single SNMP Get request

Additional Options:
- Notes: Enter notes for this host ("Our beloved SPV Central Collector")

Then click Create.

Figure 13.5: Devices Created

Once created, the device will already be populated with a set of data queries appropriate for this kind of host.

Creating graphs for this host

You can now select the "Create Graphs for this Host" link at the top of the device description page. You will be offered plenty of graph templates to create, many of which are not relevant for the casual user. We recommend you create one to monitor memory and CPU resource usage.

(Cacti screenshot residue: Console > Create New Graphs, logged in as admin; Host: CactiTest (192.168.10.236), SPV Central Collector.)
184. exa

(Table 13.1 Custom Filters, continued from previous page; fragment in which operand names and descriptions were separated by extraction.)

Operands (legible names only): poller, port srv, protostack, rd, rd count, rd rate, ret, ret clt, ret srv, rtt, rtt srv, timeout, vlan, voip traffic, zone, zone clt, zone srv.

Descriptions, in table order: Poller name (distributed probe); Server port; Protocol; Protocols stack; Retransmission delay; Retransmission delay from client to server; Retransmission count (both directions); Total retransmission delay indic.; Retransmission delay indic. client to server; Retransmission delay indic. server to client; Total retransmission rate; Retransmission rate client to server; Retransmission rate server to client; Retransmission delay from server to client; Total retransmission traffic; Retransmission traffic from client to server; Retransmission traffic from server to client; Total number of RST sent; Number of RST sent by client IP; Number of RST sent by server IP; Sum of RTT in both directions; RTT for data from server to client; Number of RTT for data from server to client; Number of RTT for data from client to server; RTT for data from client to ser
185. f

(CIFS status table fragment: hex codes 0x40000020 to 0x4000002b, followed by status names from the SMB and NT groups.)

SMB group: STATUS_OS2_NO_MORE_SIDS, STATUS_OS2_INVALID_LEVEL, STATUS_OS2_NEGATIVE_SEEK, STATUS_OS2_CANCEL_VIOLATION, STATUS_OS2_ATOMIC_LOCKS_NOT_SUPPORTED, STATUS_SMB_USE_MPX, STATUS_SMB_USE_STANDARD, STATUS_SMB_CONTINUE_MPX, STATUS_OS2_CANNOT_COPY, STATUS_OS2_EAS_DIDNT_FIT, STATUS_OS2_EA_ACCESS_DENIED.

NT group: STATUS_OBJECT_NAME_EXISTS, STATUS_THREAD_WAS_SUSPENDED, STATUS_WORKING_SET_LIMIT_RANGE, STATUS_IMAGE_NOT_AT_BASE, STATUS_RXACT_STATE_CREATED, STATUS_SEGMENT_NOTIFICATION, STATUS_LOCAL_USER_SESSION_KEY, STATUS_BAD_CURRENT_DIRECTORY, STATUS_SERIAL_MORE_WRITES, STATUS_REGISTRY_RECOVERED, STATUS_FT_READ_RECOVERY_FROM_BACKUP, STATUS_FT_WRITE_RECOVERY, STATUS_SERIAL_COUNTER_TIMEOUT, STATUS_NULL_LM_PASSWORD, STATUS_IMAGE_MACHINE_TYPE_MISMATCH, STATUS_RECEIVE_PARTIAL, STATUS_RECEIVE_EXPEDITED, STATUS_RECEIVE_PARTIAL_EXPEDITED, STATUS_EVENT_DONE, STATUS_EVENT_PENDING, STATUS_CHECKING_FILE_SYSTEM, STATUS_FATAL_APP_EXIT, STATUS_PREDEFINED_HANDLE, STATUS_WAS_UNLOCKED, STATUS_SERVICE_NOTIFICATION, STATUS_WAS_LOCKED, STATUS_LOG_HARD_ERROR, STATUS_ALREADY_WIN32, STATUS_WX86_UNSIMULATE, STATUS_WX86_CONTINUE, STATUS_WX86_SINGLE_STEP, STATUS_WX86_BREAKPOINT, STATUS_WX8
186. f ICMP Network Unreachable errors coming from one router to many machines. The ICMP information contained in the payload of each of these errors would probably show they are all trying to reach the same network through the same router.

Port scanning: A machine is trying to complete a network discovery. It is trying to connect to all servers around to see which of their ports are open. How would we see it? A large number of ICMP Port Unreachable errors coming from one or several routers, corresponding to a single machine (the one which is scanning).

Spyware / Worms: An infected machine is trying to propagate its spyware, virus or worm throughout the network; obviously it has no previous knowledge of the network architecture. How would we see it? A large number of ICMP Host Unreachable errors coming from one or several routers, corresponding to a limited number of hosts trying to reach a large volume of non-existing machines on a limited set of ports.

Server disconnected / reboot: A service on UDP (DNS, Radius) is interrupted because the server program is temporarily stopped or the host machine is temporarily shut down. Many requests are then discarded. How would we see it? Many Port Unreachable messages (preceded by some Host Unreachable if the host itself was shut down) are emitted during a short period of time for this service (host, port).

DNS Response Time

Background: The DNS (Domain Name System), which has been define
187. field, you can combine filters with any logical operators (OR, AND, NOT) and can order subexpressions using parentheses. You can filter on most of the common available fields.

Figure 2.20: Custom Filters Example (search form: Begin 2013-03-20 14:32, End 2013-03-20 15:32; Client Zone, Server VLAN, Device id, Poller, Custom Filters (BETA))

Below are some of the available fields; the full list is in Custom Filters: app, capture begin, capture end, device, diffserv, diffserv clt, diffserv srv, domain, ip, ip clt, ip dst, ip src, ip srv, mac, mac clt, mac dst, mac src, mac srv, os, os clt, os srv, port srv, proto, vlan, zone, zone clt, zone dst, zone src, zone srv.

Use the clt and srv suffixes for Client and Server in the Application Universe, which is in client/server mode. Use the src and dst suffixes for Source and Destination in the Network Universe, which is in source/destination mode.

Here are some examples of valid expressions:
- zone in "Private Servers" or port srv < 1024
- proto udp and port srv 53 or zone in "Private DNS"
- domain www.google.fr
- app http or app https

Note: zone Private selects only the flows with a client or server zone which is exactly Private and no other zones; zone in Priv
188. for the Apache web server, make use of the SSLCipherSuite parameter. Here, for instance, we allow only the cipher suites using the RSA key exchange algorithm:

SSLCipherSuite kRSA

Restricting a server to RSA key exchange removes forward secrecy for its connections: the same property that lets SPV decrypt them lets anyone who later obtains the private key decrypt recorded traffic.

- Force the servers or clients to forget about previous TLS sessions, or wait long enough (typically some hours). SPV will make its best effort to remember new TLS sessions but will dedicate only a limited amount of memory to do so. Also, memorized sessions are not written to disk and so will not survive restarting the sniffer.
- Make sure the probe will receive 100% of the traffic to/from the targeted servers, as decryption cannot work around missing packets.
- Make sure required resources are available, since decryption is CPU intensive.

CHAPTER EIGHT: INTERPRETING THE RESULTS

Note about terms used starting from version 2.8: the in/out notion has been fully replaced by Server/Client. So in our graphs any RTT and RR in/out should be considered as Server/Client, as in the following rules: RTT in stands for RTT Server, RTT out stands for RTT Client, RR in stands for RR Server, RR out stands for RR Client.

8.1 Business Critical Application Dashboard

To customize this view for your own needs, just go to the Configuration menu and choose the application you want to be a business one (see the Business Critical Applicati
189. gate Level 15 minutes; End 2011-04-04 15:15:00 +02:00)

Figure 8.32: Peak in Server Response Time (breakdown by client zone: Paris, Drogenbos fallback, Park, Frankfort, Turin fallback, Madrid fallback, Site Central fallback)

Application performance: Display the Application Dashboard for a relevant period of time. We can easily observe a peak in SRT from 6 to 18:15. From the breakdown by zone we can easily conclude that only one zone has been impacted.

(Dashboard screenshot residue: Begin 2011-04-13 10:00:00 +02:00, End 2011-04-13 11:00:00 +02:00, Aggregate Level 15 minutes; Transactions sum 496; Breakdown by server; Breakdown by client with 7 collected results listing Client IP, Traffic, Transactions, EURT, RTT and SRT, e.g. 172.16.2.173: 13.8 MiB, 342 transactions, EURT 1.5 s, RTT 175 ms, SRT 741 ms.)
190. gateway, 192.168.0.254, which is the router. It is trying to reach a server which does not sit on the LAN (10.1.0.250) and which cannot be reached because 192.168.0.254 does not know how to route this traffic. The router sends back an ICMP Network Unreachable error message to the workstation.

(Diagram residue: 1. The workstation 192.168.0.7 tries to connect to 10.1.0.250 on HTTP port 80; 2. The router 192.168.0.254 sends back ICMP Network Unreachable.)

ICMP Host Unreachable

Let's take the simplest example: one machine sitting on a LAN (10.1.2.23) has one default gateway, 10.1.2.254/24, which is the router. It is trying to reach a server which does not sit on the LAN (192.168.1.15). The traffic flows and reaches the last router before the server (192.168.1.254/24); this router cannot reach 192.168.1.15 because it is unplugged, down, or does not exist. The router 192.168.1.254 sends back an ICMP Host Unreachable error to 10.1.2.23.

(Diagram residue: 10.1.2.23, 10.1.2.254/24, 192.168.0.253/16, 192.168.1.254/24, 192.168.1.15.)

ICMP Port Unreachable

Let's take a second example: one machine sitting on a LAN (192.168.0.7) is trying to reach a server (192.168.0.254) which sits on the LAN, on port UDP 4000, on which the server does not respond.
191. gation granularity depending on the length of the time period you requested and how far back into the past it goes.

Aggregation granularity | Storage duration | Request length for tables | Request length for graphs
2 minutes               | 48 hours         | 60 minutes                | 120 minutes
15 minutes              | 7 days           | 8 hours                   | 16 hours
2 hours                 | 2 months         | 2 days                    | 5.25 days
1 day                   | 1 year           | 359 days                  | 359 days

For example, with graphs, if you want a data granularity of two minutes you can request a period length up to 120 minutes anywhere during the last two days. With tables, if you want a data granularity of two hours you can request a period length up to two days anywhere during the last two months. Note that because the larger aggregate levels summarize more data at once, they take up less disk space and can be kept in storage much longer without filling up the hard drive. This strikes a good balance between data granularity and duration of retention: performance data for the last two days is available with the best granularity, and long-lasting global trends can be exposed from as far back as one year (albeit with less detail), all from the same interface.

Aggregated data is computed, in a nutshell, by identifying network conversations where the same server and the same client talked using the same application and grouping them together. The metrics for each such group are summed up in accordance with their mathematical nature: for instance, packet counts are added and response
192. ggregation as much as possible.
- The sniffer now decodes HTTPS; a new page to set the SSL keys is available in the configuration (see Decryption).

1.6 What's New in 2.16
- Graphical interface: result columns can be retracted to give room for the other ones
- Normalized all search forms: the same filters are used on all pages when it makes sense
- Added basic support of Netflow v5; add the filter "external capture" to filter on it
- Huge performance improvement on CSV export of the database results
- Final custom filters: filters like srt > 500ms are now available (see Filters)

1.7 What's New in 2.15
- Transaction HTTP: HTTP transactions are activated for flagged Zones and Applications in the Configuration menu
- New chart showing the hits per status
- New Hits report page
- New Host and Top Server pages
- A new filter input appears in most forms: custom filters (see Filters)
- Config sniffer: more settings added

1.8 What's New in 2.14
- Sniffer: better sniffing and dumping performance
- Sniffer: more accurate SRT/DTT in presence of lost TCP segments
- Transactions HTTP: more thorough analysis of web applications
- New transaction querying mode used in a new report page
- New chart: HTTP performance with Page Load and Hit RT over time
- First step of a notification system: some events are now created by the different
193. gular expression in the name search box.

10.7 Some TCP conversations are reported twice, what's wrong?

First, make sure that the deduplication process is not configured too tightly. If the faulty TCP conversations keep being reported twice, then maybe the duplicated packets are altered in some way that makes them too different from the originals. For instance, some firewalls randomize the ISN (Initial Sequence Number) of TCP connections for security reasons. So if you mirror some traffic before and after passing through such a firewall, this traffic will be reported twice, since the sequence numbers will be different.

10.8 Pcap files generated by tcpdump are mostly empty

By far the most probable reason for this is that you are trying to use a filter on VLAN-tagged packets. This won't work, since tcpdump filters look for fixed locations in the packet and the VLAN tag offsets the actual bytes that are being matched. Fortunately there is a workaround: by adding the filter "vlan", all following filters will be offset by the VLAN tag size. So, for instance, if you want to filter "ip proto tcp" on an interface receiving only VLAN-tagged packets, then you must use the following filter instead:

vlan and ip proto tcp

If the network interface receives both tagged and non-tagged packets, then this somewhat cumbersome filter must be used:

ip proto tcp or (vlan and ip proto tcp)

10.9 How to do complex searches on domain names

On search boxes ab
194. h this conversation is selected. Thus, it may be important to consider the priority of a zone in the rare occurrence where the default ordering scheme does not yield the expected results.

For instance, here is a simple configuration, in order of priority:

LAN > Servers > Mail       192.168.1.25                  localhost
LAN > Servers > Web        192.168.1.80                  localhost
LAN > Servers > Fallback   192.168.1.1 - 192.168.1.100   localhost
LAN > Fallback             192.168.1.0/24                localhost
Remote                                                   poller2
Internet

Here we have two servers, for mail and web, that are tested first by IP (if the VLAN is 120 and the poller is localhost), then all other servers using an IP range, then the LAN, then the remote site (everything from poller2), and everything else in Internet. Notice that some fields are unused (MAC, Device), meaning any value will do.

Whatever changes are made in the zone tree, a global fallback (here it's Internet) will be created by default to store any conversation that is not matched by any rule; this remains true even after filters are added for this zone. Also, this zone is special in that the IP addresses of these conversations will be degraded over time to reduce storage requirements.

Your actual configuration will of course be much more complex. Indeed, even the default configuration is larger:

(Default zone tree residue: Routable Unicast RFC 3587, Routable Unicast RFC 3587 fallback, 6to4 RFC 3056, Doc RFC 3849, Teredo RFC 4380, Private
195. han to reveal anything about the network:
- License-related information, such as date of expiry and so on
- Averaged metrics such as RTT or DNS response time

BCN and BCA MIBs

Since version 2.9, two new modules are available: BCA and BCN. Please update your MIB file if you use an SPV MIB from before 2.9. Here is a tree description of the BCA and BCN MIBs.

BCA module:
sactSPVBCAModule (1)
  spvBCAStateTable (1)
    spvBCAStateEntry (1), Index: spvBCAName
      String  spvBCAName (1)
      Enumval spvBCAStatus (2), values: Ok (1), Warning (2), Alert (3), NA (4), Nothing (5), NotEnough (6)
      Gauge   spvBCAEURT (3)
      Gauge   spvBCASRT (4)
      Gauge   spvBCASRTCount (5)
      Counter spvBCASRTCountSum (6)
      Gauge   spvBCARTTClient (7)
      Gauge   spvBCARTTServer (8)
      Gauge   spvBCADTTClient (9)
      Gauge   spvBCADTTServer (10)
      Gauge   spvBCATrafficClient (11)
      Gauge   spvBCATrafficServer (12)
      Counter spvBCATrafficClientSum (13)
      Counter spvBCATrafficServerSum (14)
      Gauge   spvBCAThresholdMinSRTcount (15)
      Gauge   spvBCAThresholdWarning (16)
      Gauge   spvBCAThresholdAlert (17)
  spvNevraxBCATime (2)

BCN module:
sactSPVBCNModule (2)
  spvBCNStateTable (1)
    spvBCNStateEntry (1), Index: spvBCNName
196. hen client/server identification is usually trivial. Unfortunately, most traffic does not fall into this category.

- In TCP, the client is the peer that actively opens the connection, i.e. sends the initial SYN. But we may miss the SYN, or we may have forgotten it if we have not received traffic for that socket for more than 2 minutes (especially problematic for lengthy connections such as remote control protocols).
- In either TCP or UDP, we may have indicative port numbers: a port number below 1024 on one side and greater than 1024 on the other is a strong indication of the server location.
- In TCP, we may have seen past SYNs directed at one of the ports, which again gives an indication of that port being the server.
- When all else fails, the server is chosen according to a complex heuristic that's mostly equivalent to choosing at random.

4.1.2 Keep-Alive

Applicative keep-alives are small messages that are sent from either peer to the other when no traffic has used this socket for some time. They must not be taken into consideration when computing SRT and so on. The ica keepalive max size parameter is dedicated to the detection of ICA (Citrix) keep-alive messages. The standard TCP keep-alive packet is normally detected using its size and sequence number, according to the RFC. In case the previous sequence number is unknown, though, the tcp keepalive timer may be used as an alternative: after this inactivity period, any TCP
197. hich network communication is sent; Zone name from which network communication originates; Capture begin time; Capture end time; Average query transfer time; Sum of HTTP hits; Sum of hits with an error status (4xx and 5xx); Average of the hit response time; URL Host.

(Table 13.1 Custom Filters, continued; fragment. Operand types appearing in the separated type column: Byte quantity, Decimal or hexa, Duration, Zone name, Date and time, String, HTTP Method.)

Operand              | Description                                        | Type
http page count      | Sum of HTTP pages                                  | Decimal or hexa
http page lt         | Average of page load time                          | Duration
http request length  | Sum of content length generated by HTTP queries    | Byte quantity
http request method  | The HTTP method used to query                      | HTTP Method
http response dtt    | Average response transfer time                     | Duration
http response length | Sum of content length generated by HTTP responses  | Byte quantity
http response server | Software declared as the HTTP server               | String
http response status | The HTTP response code (1xx to 5xx)                | HTTP status
http url path        | URL Path                                           | Wildcard or regex
http user_agent      | User agent                                         | String
ip                   | Either client or server IP or subnet               | Address or netmask
ip clt               | IP which demands a connection to a server          | Address or netmask
ip srv               | IP which replied to a connection demand            | Add
198. ical IP implementation will delay acknowledging incoming data, additional tricks are exploited in order to rule out these software biases:
- make use of SYN/FIN acknowledgments and some exceptional conditions, such as TCP resets, that suffer no such delays, to estimate a realistic upper bound;
- exclude unusually high RTT values;
- bound RTT (Server, Client) by SRT (CRT) if the RTT sample set looks suspicious.

RTT is meaningful of the bare speed of the physical layer. It is unaffected by packet retransmissions, packet loss or similar occurrences. RTT may be affected by (from the most common to the rarest):
- slow network equipment between client and server, such as a router or a switch;
- an overloaded link layer (Ethernet collisions, for instance);
- a malfunction of one of the involved network adapters.

These troubles should be further investigated by comparison with other client and/or server zones in order to locate the misbehaving equipment. Notice that a degradation of RTT will almost invariably impact other metrics as well.

SRT

SRT stands for Server Response Time. SRT gives an estimation of the elapsed time between the last packet of an applicative request and the first packet of the server's response. SRT represents the processing time of the server at the application layer for a given request. SRT may be affected by (from the most common to the rarest):
199. icate acknowledgment: Packet with null payload. Duplicate ACKs are TCP ACK packets that are identified thanks to their same acknowledgment value and their empty payload.

Retransmission Rate (RR): RR stands for Retransmission Rate. RR is defined as the ratio of retransmitted packets to the total number of packets with a non-zero payload in a conversation.

Retransmission Total Delay: Delay between a packet and the last retransmission. TRD stands for Total Retransmission Delay. TRD is defined as the time between a packet and its last retransmission.

Round Trip Time (RTT): Time between an applicative query and a response at the network level. RTT stands for Round Trip Time. RTT is defined as the time between a packet with a non-null payload and the corresponding acknowledgment (a packet with a null payload and the TCP ACK flag).

Server Response Time (SRT): Time between a query and an answer at the applicative level. Server Response Time is the elapsed time between a client packet with a non-null payload and the corresponding server response (a packet with a non-null payload whose acknowledgment number corresponds to the first packet).

Session: Established communication channel between two devices using TCP. A Session is defined as a TCP communication between 2 devices beginning by a successful Handshake and ending by a Timeout, or a Packet with the RST flag from any of the devices, or a Pack
200. ide the best analysis. Measurements are more accurate if the probe is located in a central location next to the server, and you will get a wider view on the performance experienced by all the users connecting to this server.

Figure 5.1: Network positioning synoptic (Local Area Network, Interlan, Internet)

5.1.3 Choosing a traffic capture method

Two main methods may be used to establish a permanent point of traffic capture: TAP or SPAN. A TAP is a network device which is installed in line on the network and sends a copy of the traffic on one or two listening ports of the probe. A SPAN (also commonly called port mirroring) is a feature of network switches that enables a network administrator to send a copy of a given traffic (one or several interfaces, VLANs) to a mirroring port.

The most commonly used method is the SPAN port (port mirroring), mainly because it enables administrators to monitor potentially any traffic going through the switch with an existing network device. Collecting traffic through a SPAN port will likely not generate any additional point of failure on the network and will be regarded as a minor modification of its existing configuration. Network TAPs are also an option, if no SPAN is doable for example, but the traffic captured will be limited to the network link(s) going
201. igration compatible connections common to two or more hosts.

[Figure 6.16: The following option allows VLAN tags (Port Group Properties, Connection Settings: Label Mirror, VLAN ID All (4095))]

VLAN ID 0 disables VLAN tagging on the port group; VLAN ID 4095 enables VLAN tagging on the port group.

5. Then click on Next and Finish to complete the operation.

[Figure 6.17: Networking Summary (Add Network Wizard, Ready to Complete: verify that the new and modified vSphere standard switches are configured appropriately)]

6.3.6 Setup promiscuous parameters

The ESX Server now manages 2 virtual networks.

[Screenshot: vSphere Standard Switch networking view. Virtual Machine Port Group "L3 Network" (4 virtual machines, including Performance Vision, Performance Vision 2.9.7, Test TBO Virtual, Tutorial Supervision), physical adapter vmnic0 at 100 Full; VMkernel Port "L3 Management Network" (vmk0, 10.1.0.11); Standard Switch vSwitch1 with Remove and Properties actions]
202. imes and number of packets over time. TOP DNS Servers: DNS traffic and average response time sorted by server. TOP DNS Clients: DNS traffic and average response time sorted by client. DNS Overview: new filters; synthesis per DNS request type and DNS response code.

Pulsar: the vpn command has been renamed as support.

1.17.4 Major bug fixes

Display of some charts could fail in some cases (long zone names added to long application names). Configuration was not correctly flushed in some cases. It was possible to define two applications on the same port for the same IP or subnet, which led to approximate metrics for these applications. The Oracle parser could stop working in some cases. Potential deadlock under intensive usage involving several different parsers at once. Fixed an issue with Flash player and Internet Explorer that forbids drill-down into graphics.

CHAPTER TWO USE THE PV GRAPHICAL INTERFACE

2.1 Access Through a Web browser

We assume here that the probe has been previously configured through the command line interface and that the user knows the probe's IP address. The probe can be accessed either with SSH or with a Web browser. To connect with a Web browser, the ports to use are 80, 8080 or 443. For physical, see Configuration. For virtual, see Virtual Appliance.
203. in about a slow access to all applications, both in and out of the LAN.

Diagnosis: You will find in this section the classical information to gather in order to diagnose the issue. Is the application really slower for this site? You can get this information from the Application Performance Dashboard.

[Figure 8.23: Zone comparison in the Application Performance Dashboard (zones R&D, Pro, Sales fallback, Internet, Private fallback; scale 500 to 3,000)]

Does the slowdown occur for a specific application? If so, check Slow application. Does the slowdown occur for a specific server? If so, check Slow server.

[Figure 8.24: comparison between servers in the Application Performance Dashboard (servers 193.56.4.82 securactive univ lille1, 217.109.91.178 github.com, 51.101.233.77 rev gaoland, bacchus.ierne.eu.org; scale 50 to 500)]

[Screenshot: Server Performance, Network performance by server. Begin 2011-04-04 13:00, End 2011-04-04 13:30, Application ssh, Protocol Any, Server Zone any; Aggregate Level 2 minutes, Number of collected results 17. Columns: Server IP, Server Zone, Traffic, Conn. estab
204. interval, the collector will flag the poller as missing. After these 10 minutes the collector stops waiting for the missing poller and restarts its activity. Data integration will be shifted by 10 minutes again upon the next missing poller response. See the example below:

min00: poller1 ok, poller2 ok -> data integration
min02: poller1 ok, poller2 fail -> wait for poller2 (min02)
min04: poller1 ok, poller2 fail -> wait for poller2 (min02, min04)
(same: wait for more and more poller2 data)
min12: poller1 ok, poller2 fail -> integrate data of poller1 for min02 -> wait for poller2 (min04, min06, min08, min10, min12)
min14: poller1 ok, poller2 ok -> integrate all data of poller1 and poller2

Conclusion: data lost for poller2 at min02. This may never be developed.

5.5.4 How to configure a poller

Pollers are available via SSH using the Pulsar shell, just like you access the collector (please refer to Pulsar). A poller shell allows you to configure the poller (IP, hostname, etc.), but some commands like reset or poller are not available. The collector's shell allows you to show, create or delete pollers. To do this, please use the poller command (help poller for details).

5.5.5 Limits

The distributed architecture provided by version 2.5 has some intrinsic limits. There is no feature for deduplication
205. interval over which all flows are aggregated in the database on their IP (src/dst), Zone (src/dst) and Application. Individual flows within the aggregated data cannot be viewed separately. The Aggregation Period defines the data resolution for an aggregation level.

Application: Group of logical or business-related flows that emphasizes a valuable perspective. An Application is identified with a name and a color and defined by a set of Signatures or a set of Port Ranges (at least one non-empty set of either), plus a set of client and server zones. A conversation is attributed to an application with the following rule: (PORT RANGE1 OR ... OR PORT RANGEn OR SIGNATURE1 OR ... OR SIGNATUREn) AND (SERVER ZONE1 OR ... OR SERVER ZONEn) AND (CLIENT ZONE1 OR ... OR CLIENT ZONEn). In case a conversation matches the previous rule for several applications, priority is given to the application whose definition is the most precise, i.e. the thinnest port range, signature or server/client zone.

Application NC: NC stands for Non Classified. A NC Application is a special application that will match conversations that do not match any configured application.

Application Port Range: Port or range of ports. If not used in conjunction with an IP protocol, then it applies to both TCP or

Collector: Central database and Web GUI of Performance Vision. The collector can also host a local poller and usually collects statistics from remote pollers.

Connection Time (CT): Time taken
206. ion max delay seconds after the root, these transactions will contribute to the page load time. To be able to dump a root transaction with all these counters we must of course delay the dump of roots as much as possible, thus raising memory requirements.

4.2.5 Protections

To limit memory and CPU usage, the sniffer implements these protections:

- page reconstruction is only active for some IP addresses and TCP ports (client or server); see the HTTP flag in zone and application definitions. Transactions that do not come from or go to one of these IP addresses will not be attached to a root transaction: they will be inserted in the database but will be excluded from the page list.
- the total number of simultaneously tracked and remembered HTTP transactions is limited by http max tracked (unlimited by default). New transactions above this limit will be ignored, with catastrophic consequences on transaction pairing.
- the total number of simultaneously tracked and remembered HTTP transactions for which we want page reconstruction is limited by http max tracked for reconstruction (unlimited by default).
- the max size of the http save file is limited by http max content size (50k by default).
- the memory dedicated to the referrer cache is limited by http referrer mem.

4.2.6 Limitations

Page load time is the most interesting metric, yet we have seen that many conditions must be met to accurately recon
207. ions

Limitations: The Automatic Packet Capture feature works under a certain number of conditions to ensure the proper execution of the other services provided by Performance Vision. Among these necessary limitations you need to observe the following:

- The retention of PCAP files is limited by the disk space allocated for captures; in the current version this space is limited to 10GB by default for both manual and automatic captures. When all 10GB are used, no new PCAP file is saved. You can change this value in the Sniffer Config page.
- The maximum retention time for Automatic captures is set to 48 hours; after this delay, Automatic PCAPs will be deleted. This cannot be modified.
- The sniffer component of Performance Vision is set to forge 5,000 PCAP files simultaneously; if more than 5,000 conversations are needed, change the parameter in the Sniffer Config page, otherwise some conversations will not be recorded at packet level.

Please note that the threshold values and voluntary limitations will be reviewed in newer versions in the light of our experience and the customer feedback we will receive. Please note that if you need an exhaustive trace of a given set of conversations, you can also use the manual capture feature available through Pulsar.

8.6.4 Triggered Packet Capture

Triggered PCAPs are generated from the user interface, either by the resul
208. [Table residue: custom filter field list (field name, description). Readable field names in this fragment: ip netflow, mac, payload, payload clt, payload count, payload count srv, payload ret, payload ret clt, payload ret srv, payload srv, pkt count, pkt count clt, poller name, port, protostack, rd indic, rd rate; the remaining names are not recoverable. Descriptions, in table order:]

- Duplicate acks from client to server
- Duplicate acks from server to client
- Number of sessions finished
- Ethernet Type Protocol
- End user response time
- Total number of FIN packets
- Number of FIN sent by client IP
- Number of FIN sent by server IP
- Either client or server IP or subnet
- IP which demands a connection to a server
- IP of the netflow capture
- IP which replied to a connection demand
- Client or Server MAC address
- Client MAC physical address
- Server MAC physical address
- Client MTU (Maximum Transmission Unit)
- Server MTU (Maximum Transmission Unit)
- Client or Server Operating System
- Client Operating System
- Server Operating System
- Total payload
- Payload from client to server
- Number of IP packets with a payload
- Number of packets with payload sent from client
- Number of packets with a payload sent from server
- Total retransmission payload
- Retransmission payload from client to server
- R
209. ite portions of packets (Ethernet source/destination, IP checksum, maybe the TOS field). A buggy firmware can result in corruption while rewriting protocol headers. In this case the packet will probably be dropped within the network route. Even if it reaches the destination, the TCP/IP stack won't consider it as a valid packet for the current TCP sessions and the stack will wait for the correct packet. It will end in a TCP retransmission anyway. This problem will likely occur on the same type of traffic and continuously.

ICMP

What is ICMP? ICMP stands for Internet Control Message Protocol and is also a common IP transport protocol. It seems pretty explicit, although most people reduce ICMP to ping/reply commands, a good way to test whether a host can be reached through a network and how long it takes for a packet to make a round trip through the network. Obviously ping and traceroute-like tools are very useful for network administrators, but there is much more to say about ICMP and the help it can provide for network administration & diagnosis. In total, ICMP can be used to send more than twenty types of control messages. Some are just messages; others are a way for IP devices or routers to indicate the occurrence of an error.

Error messages: Let's describe the most typical ICMP error messages you can find on networks.

ICMP Network Unreachable: Let's take the simplest example: one machine sitting on a LAN (192.168.0.7) has one default
210. keeping the DNS server responses in a local cache; this approach makes it possible to distinguish between an issue coming from the user's workstation and one coming from the general functioning of the network. Please note that hosts making a very high volume of DNS requests may correspond to a malicious behaviour: for example, some malware tries to establish connections to the Internet by resolving domain names, and sometimes the DNS protocol is used as a covert channel to exfiltrate information.

DNS errors issue: We can also ask for the top hosts receiving the most DNS error messages (non-existing hosts, etc.). This will also shed light on misconfigured stations generating unnecessary traffic and lowering the overall network performance.

DNS Internal misconfiguration: To do this we need to identify the AXFR and IXFR transactions towards its authority server. If these updates occur too often and therefore generate unnecessary traffic, we can conclude that there is an issue. If the bandwidth used is too large, it means that our DNS server requests a full zone transfer (AXFR) when an iterative transfer (IXFR) would have been more adequate. If this is the case, then the network administrator can take some easy steps to improve his network's performance.

CHAPTER NINE LICENSING AND UPGRADES

9.1 Performance Vision Covers
211. kets are set to the last received one.

11.5 Upgrading

In some cases the sniffer may fail to restart after an upgrade and leave some stalled processes if it is restarted on its own with Pulsar. One of the possible symptoms is that the 11 command in Pulsar fails to display the poller and license status. Rebooting solves this issue.

11.6 Metrics

In versions prior to 2.9, the retransmission rate (RR) was computed as the number of retransmitted TCP segments divided by the total number of TCP segments. As of version 2.9, it is instead divided by the number of packets liable to be retransmitted, such as the TCP segments carrying a payload.

In versions prior to 2.9, keep-alive packets occurring after the completion of a data transfer were taken into account in the computation of the Data Transfer Time (DTT) metric, resulting in abnormally large values. In order to avoid this issue, as of version 2.9, data transfers are considered complete after a 1 second timeout.

11.7 Pulsar

When resizing the data disk, the console displays several occurrences of this error message: "parted: sending ioctl XXXX to a partition". This can safely be ignored.

CHAPTER TWELVE GLOSSARY

Aggregation period: Time period over which all data are aggregated into flows for each set of client, server and application. The Aggregation Period is defined for an aggregation level as the time
212. [Table residue: DNS custom filter field list (field name, description, type). Readable field names in this fragment: pkt count, req class, req name, res class, res name, res rcode, ip, ip requester, mac, mac srv, poller name, proto, vlan, zone, zone clt, zone srv; the remaining names are not recoverable.]

13.2 Custom Filters

[Descriptions, in table order:]

- Capture begin time
- Capture end time
- Total traffic
- Traffic from client to server
- Traffic from server to client
- Number of IP packets
- Number of packets sent from client
- Number of packets sent from server
- The DNS class of the request
- The name or IP address to resolve
- The DNS type of the request
- The DNS class of the response
- The response to the DNS name resolution request
- Code of DNS response
- The DNS type of the response
- DNS response time
- Number of DRT computed in a time interval
- Ethernet Type Protocol
- Either client or server IP or subnet
- Source IP which issued the DNS request for resolution
- IP which replied to a connection demand
- Client or Server MAC address
- Client MAC physical address
- Server MAC physical address
- Poller name (distributed probe)
- Protocol
- Tagged Link 802.1Q
- Total traffic in both directions
- Server or Client Zone
- Zone from where the DNS request came
- Zone of the server IP

[Types column, in table order: Date and time; Date and time; Decimal or hexa; Byte quantity; Byte quantity; Byte quantity; Decimal or hexa; Decimal or hexa; Decimal or hexa; DNS class; Wildcard or regex; DNS Type; DNS class; String; DNS result; DNS Type; Duration; Decimal or hexa]
213. lished, EURT, SRT, RD in, RD out. Rows: 193.48.186.4 (Internet, 656.4KiB, 1, 478ms, 30ms, 1195, 329ms, 247ms, 241ms); 207.97.227.239 (Internet, 20.0KiB, 2, 433, 5, 115ms, 268ms, 48ms, 2); 193.56.4.82 (Internet, 212.5KiB, 1, 237ms, 99ms, 137ms); 77.233.101.51 (Internet, 7.5KiB, 1, 93ms, 55ms, 325, 5ms, 2); 217.109.91.178 (Internet, 77.8KiB, 0, 75005, 37ms, 375, 175)]

[Figure 8.25: Server Response Time comparison through Server Performance]

Did you upgrade the client workstations recently? If so, it's a specific system issue; you may ask the System Administrator for more details. Did you upgrade your network equipment? If so, the router/switch configuration is probably involved. Now we might inspect the SPV dashboards more deeply. Check the Monitoring / Performance Over Time chart.

[Figure 8.26: Network Round Trip Time analysis (13:10:00 to 14:04:00; series RTT in, RTT out, RD indic in, RD indic out)]

Do the Retransmission Rate and Retransmission Delay vary? If so, we might face a congestion issue. Take a look at the router's load, etc.

[Figure 8.27: Retransmission analysis (13:44:00 to 14:44:00; series RTT in, RTT out, RD indic in, RD indic out, RR out; RTT axis 0 to 80.00 ms, RD axis 0 to 1400.00 ms, RR up to 15.00%)]

The general slowdown for a client zone may also be
214. lled Pollers. They can be either physical or virtual appliances which send their statistics to a central Performance Vision unit called the Collector. All the data is aggregated into a single database and accessible through a single User Interface.

9.2.3 Platforms

Performance Vision probes are available for two different platforms.

[Figure 9.2: Performance Vision Platforms (Hardware Appliances, Virtual Appliances)]

Hardware Appliances: This product line is based on hardware appliances specifically tuned for high performance rates. The range of appliances available makes it possible to provide an adequate solution for all sizes of situations.

Virtual Appliances for VMWare systems: This product line is designed for an implementation in virtualization servers in VMWare systems. The range of appliances available makes it possible to provide an adequate solution for all sizes of situations, depending on the resources (CPU, memory and disks) allocated to the virtual instances.

9.3 Product Range Summary

[Figure 9.3: Product Range Summary (Hardware / Virtual; labels include Performance Vision Express, Full, Poller 500, 1000, 2000, 4000, Collector, Small Collector, Poller Small, Medium, Large, n/a)]

Our product range is summarized in the following way:

1. Hardware Appliances (1U & 2U Servers): Performance Vision (all features); Poller (remote probe for distribut
215. ly identify that this was due to a degradation of RTT (Round Trip Time, the indicator of network latency) and not to the Server Response Time (SRT) or the Data Transfer Time (DTT). From this graph we can conclude that the server and the application are likely not to have any relationship with the slowdown. By looking at the two bar charts, which show respectively the breakdown by server and by client zone, we can draw the following conclusions: this application is served by one server only (192.168.20.9); the EURT varies in large proportion between client zones, mainly because of RTT; VLAN_Sales has a much worse access to the application than VLAN_R&D, mainly because of the network latency.

Getting confirmation of our first conclusions: By clicking on the peak of EURT in the upper graph, we can narrow our observation period to better understand what happened at that point in time. This confirms the following conclusion: RTT went up for VLAN_Sales only.

Understanding the perimeter of the slowdown: We now know that only VLAN_Sales was impacted by this slowdown, due to a longer network RTT. We therefore need to understand whether this was general (i.e. impacted all clients in the zone) or isolated to certain clients.

[Screenshot: Application dashboard, Applications behavior analysis; Start after 2010-06-07 14:00, Start before 2010-06-07
216. mbination Ctrl+Alt. To configure the probe, please refer to the Pulsar chapter. After configuration you have to reboot the virtual appliance.

5.6.5 License

Except for the experimental virtual appliances for testing provided from our Web site, the virtual appliances are delivered without a license key. You normally receive this key by e-mail at the product's delivery. If this is not the case, please contact our sales department (sales@securactive.net). To install a license package, as well as an upgrade package, proceed as usual (see Licensing and Upgrades).

5.6.6 Capturing traffic

Virtual appliances are configured with only two network interfaces: eth0 for administration, eth1 for sniffing traffic. Any additional virtual adapters you may add will be listened to for traffic by the packet sniffer. Actual packet capture depends on the virtual switch you are using. In the realm of VMWare's bundled Virtual Switch, the promiscuous mode (beware, that name is misleading) is actually a port mirroring. Also, depending on the virtual switch configuration, if the packet sniffer sets the promiscuous bit of the eth1 virtual adapter, the mirroring mode will be activated automatically. Refer to the Virtual Infrastructure Client manual (http://www.vmware.com) for further details. Under VMware Player you need to configure eth1 as a bridged device and give permission to the virtual appliance to turn it into promiscuous mode. Othe
217. mption, Retransmission Rate (RR) and Round Trip Times (RTT). A specific configuration screen allows configuring the specified BCN. To access it, just go to the Configuration menu and choose the entry labeled Business Critical Networks.

[Figure 7.11: Editing an existing Business Critical Network. The List of Business Critical Networks shows links between zones: Private and Internet (expanded: Network zone from Private, Network zone to Internet, Threshold Warning / Alert, Bandwidth Available 10.0 Mibps, Min Volume for triggering 0.1 Mibps, Symmetric Link, Delete / Apply), Fileserver and Private, All and Broadcast, Remote and Local, ZoneTest and Internet, Private fallback and All]

From here you can add a new BCN or edit the parameters of an existing BCN. Modifications will also be applied to already captured traffic. For each Critical Network you have to configure the following parameters: the source/destination network zones; one or several thresholds for both Warning and Alert levels (all these thresholds are computed from source to destination and not from client to server; we call this an oriented metric): Oriented latency (RTT) in ms, Oriented retransmission rate, Utilization rate
218. n and a keyboard to the probe (for first set-up only) and then to provide electrical power. Once done, just turn the power on. For the screen, the connectivity is a standard port. Two are available: one is located on the front side of the probe, the other on the rear side of the probe. For the keyboard, you can plug it into any of the four USB ports. Two of them are located on the front side of the probe, the two others on the rear side of the probe. By default the probes are equipped with four Gigabit Ethernet interfaces labeled 1 to 4. The first one is the administration port used to connect to the probe. Plug the Gb1 network interface into your network to be able to connect to the probe. The three other interfaces (2 to 4) are dedicated to network traffic sniffing. Connect one or more of these interfaces to your network according to the network traffic you want to analyze and monitor.

7.2 Pulsar

The probes come with a Command Line Interface named Pulsar. This allows the user to check the probe state and configure it when needed.

7.2.1 Connect to the probe

If this is your first encounter with the probe, you will have (for the first time only) to access the probe physically: just use a screen and keyboard plugged into the probe. Log in with user admin and default password admin. Once the network address of the probe has been set up, you will be able to access it directly through SSH on port 22, also with the s
219. n the NETWORK section. The matrix is presented as follows:

[Figure 2.14: The detailed Matrix. Source zones (rows) by destination zones (columns): Private, Local Clients, WIFI, WIFI Guest, Servers, Backup, DMZ, DMZ External, VMware ESX, Web. Column totals: 843.5 MiB, 128.5 MiB, 763.0 KiB, 274.6 KiB, 2.0 MiB, 790.2 MiB, 6.5 MiB, 576.1 KiB, 207.3 KiB, 1.1 MiB]

The matrix shows a mapping of all flows as follows: blue cells represent the total for a zone (the sum of all the values in a row or in a column); green to red colored cells represent the traffic from one zone to another zone. The color represents the relative value regarding the maximum value of the whole matrix; red is the largest value displayed.

In the matrix above we can see that there was 142.1 of traffic from machines in the ESX zone to the machines in the Wifi Guest zone. The opposite direction (shown in blue) tells us that the traffic from the machines in the Wifi Guest zone to those in the ESX zone amounted to 274KiB. There are two types of matrix presentations: the detailed matrix, which displays a zone and all its child zones (it shows how a zone is spread across its subzones). The matrix above is su
220. n troubleshooting, this view can display TCP conversations where the sessions are not ended correctly (Timeouts, RSTs, etc.). This may help you understand, when you observe disconnections, whether the client or the server side is responsible for them.

[Screenshot: TCP conversations table with columns IP, Application, Traffic, Payload, Packets, Conn. attempts, Conn. established, 0 Win, RD indic clt, RD indic srv, Dup ack, Sess end, Num timeout, Client RST, Server RST; rows for applications such as Web test, https, NCtcp, http and CRM SFDC]

Bad transmission rate: if the data transfer is slow for a specific a
221. nalysis

[Figure 2.17: Overview of the relation between the metrics. Labels include Top URL, Calls volume, Conversations, Raw Data, PROTOCOLS, Name Services, Performance, Flow Details, All Metrics, SQL, ICMP Performance, IP, Server Errors, Top IP Client, Non-IP, Top Query, CIFS overview, Performance Overview, Top Protocols, Traffic]

If some TCP connections are slow, it is also possible to go directly to the protocol analysis, if available. If they are actually SQL connections, an SQL icon will be available on the corresponding lines and, by clicking it, you will see all the SQL analysis that matches these TCP connections. Likewise for HTTP transactions or other metrics we are able to analyze in detail.

[Screenshots: Application Stack columns for CIFS (TCP / Netbios / CIFS, with a "Show the CIFS ..." action), DNS (IPv4 / UDP / DNS, with a Flows action), HTTP (TCP / http, with "Show the TCP events of this conversation" and "Show the HTTP transactions for this conversation" actions) and SQL]
222. nd Time, Client Zone, Client IP, Server Zone, Server, Application, Traffic, Packets, Handshake, Transactions, EURT; rows dated 2010-07-30 16:41:56 (Private, 192.16..., Internet, 88.191.122.7) and 2010-07-30 16:38:47]

[Figure 3.11: Flow aggregation from 16:38 to 16:42]

Observe that the traffic and the packet, handshake and transaction counts have been added and the EURT averaged. For example, the handshake count is now 19 (12 + 7).

Note: Performance Vision requires a complete set of data for an aggregate level to compute its summary. This is the reason why captured network events don't appear right away on your probe. The probe first waits until the end of the minimal aggregate time of 2 minutes, computes its summary, and only then is the aggregated data for these last 2 minutes made available in the interface.

CHAPTER FOUR METRICS COMPUTATION

Here you can find details on how some of the less obvious metrics are computed and how they are affected by the sniffer configuration. You may safely skip this section unless you need a deeper understanding of how the sniffer works.

4.1 Conversations

Many generic metrics are computed on TCP streams. To be able to interpret these correctly, it may be useful to be aware of a few things.

4.1.1 Client or Server

To find out which peer is the client, the sniffer tries several options. If it understands the protocol at hand and has successfully identified it
223. networks to govern the QoS of each packet. No standard meaning being assigned to given values, only the raw numeric value is reported. For a given conversation the probe keeps only the biggest DSCP encountered. In practice a whole conversation should be governed by a single DSCP value.

End User Response Time: Total time the user waited to get an applicative answer. EURT stands for End User Response Time. EURT is defined as the sum of the RTT (client and server), the SRT and the DTT (client and server). A timeout will cancel the computation of EURT.

Fallback: By convention, a zone which collects a larger set of addresses that includes the addresses of other, more specific zones. See Fallbacks for more details.

Flow: Regroups data exchanges between two network addresses for one application over the aggregation period. A flow is a group of communications between two network addresses for one application during the aggregation period. Notice that the VLAN tag (if present) as well as the device identifier are considered components of the network address.

HTTP hit: A HTTP hit designates a single HTTP transaction used to build a HTTP page. This is typically an image, a script or a stylesheet. The transaction to obtain the HTML is itself considered as a hit. Thus a page that contains 2 images and 1 stylesheet, all stored in different URLs, is made of 4 hits.

HTTP page: A HTTP page is the set of HTTP transactions
224. ng a flow if it is overloaded. The network may skip forwarding the datagram if it is congested. To make things worse, SPV does not currently report missing netflow frames.

5.7.4 Limitation regarding content

Instead of the many measurements undertaken from the mirrored packets, netflow provides only mere volumetry, such as, for each IP address, protocol and ports: start/stop timestamps, packets and bytes count, number of packets, number of TCP SYNs, FINs and RSTs, ToS, switch input/output port numbers.

5.7.5 Limitation regarding collection

Netflows are typically exported only after each individual flow is idle for more than a given timeout, grows larger than a configured threshold, or is active for more than a given duration. This latter parameter is an important concern: if the max age of a netflow is allowed to exceed the SPV data integration period (2 mins), then received netflows risk being late for database insertion and ignored. This is much shorter than most installations; for instance, the default activity duration for CISCO equipment is typically 30 minutes.

Attention: Configure all your netflow emitters to expire flows after not much more than 2 minutes.

CHAPTER SIX VIRTUAL APPLIANCE STEP BY STEP

6.1 How to get the image of the Virtual Appliance

You can get
225. ng of the response you can use the Follow TCP stream feature in the Analysis menu.
Conditions: Packets are saved by Performance Vision as soon as the conversation they belong to matches a certain number of conditions:
If Capture HTTP is checked in a Zone, then if an IP address matches the zone subnet, either as client or server;
If Capture HTTP is checked in an Application, then if a port or IP address matches the application, either as client or server;
And one of the following metrics is considered as out of the norm: Server Response Time (SRT) for TCP flows, Retransmission Rate, DNS Response Time.
[Figure 8.18: Viewing packets in Wireshark (traffic.pcap); screenshot of the Wireshark packet list and Ethernet/IP frame details]
226. nk-Local Multicast Name Resolution), mDNS (Multicast DNS), NBNS (NetBIOS Name Service, WINS). Distributed poller management.
1.17.3 Changes
Network sniffing: Automatically detects and listens again to network interfaces that come back up after a downtime period. At startup, automatically adjusts and fine-tunes deduplication parameters for the best balance between processing power required and deduplication efficiency.
Reporting: User/Password/TLS security support. Users can customize the From field when sending a report. Reports are stored as PDF files on the probe and available through ftp.
GUI: For Business Critical Networks the Retransmission Rate threshold can now be 190. Configuration area reorganized for clarity. In the Configuration area, delete buttons are now more intuitive. Animation when running a request, to avoid overloading the probe by launching the same request several times. The timeframe selection in the Watch last filter is now more intuitive. When a filter is set to some value it will be highlighted to be more visible. In the Non-IP traffic screen, data can be filtered by MAC address. Bookmarked pages now have their own specific title instead of a generic name. In DNS screens, the filter on request types is now sorted alphabetically.
New Screens: DNS Performance Graph with DNS response t
227. nly used to monitor the network traffic between two points in the network. If the network between these two points consists of a physical cable, a network TAP may be the best way to capture traffic. The network TAP has at least three ports: a port A, a port B and a monitor port. To place a tap between points A and B, the network cable between point A and point B is replaced with a pair of cables, one going to the TAP's A port, one going to the TAP's B port. The TAP passes all traffic between the two network points, so they are still connected to each other. The TAP also copies the traffic to its monitor port, thus enabling an analysis device to listen. Network TAPs are commonly used by monitoring and collection devices. TAPs can also be used in security applications because they are non-obtrusive, are not detectable on the network, can deal with full-duplex and non-shared networks, and will usually pass through traffic even if the tap stops working or loses power.
Advantages: No risk of dropped packets. Monitoring of all packets, including hardware errors (MAC & media). Provides full visibility, including congestion situations.
Drawbacks: The device may require two listening interfaces on the analysis device. Costly. No visibility on intra-switch traffic. Not appropriate for the observation of a narrow traffic range.
5.3 Supported Protocols: The SPV sniffer can detect all Ethernet packets, even if those packets have a VLAN tag
228. ns (DNS servers, hostname, IP address, NTP, SMTP). Some changes in configuration require rebooting the probe (command: reboot).
7.2.3 Restore probe state: You may need to restore some of the probe's original configuration. There are three ways of achieving this. As these are destructive commands, a strong confirmation will be requested.
You want to erase every single piece of data from your previous network captures; this preserves configuration settings and IHM user accounts:
pulsar reset data
Stopping services... Deleting data... Done
The command reset all will destroy both your configuration and capture database. You will have a fresh new database; configuration settings, users and pollers will be reset to default values:
pulsar reset all
Stopping all services... Resetting... Creating default settings... Done
7.2.4 Formatting data hard drive disks: This is to be used when you are delivered new data disk(s). If you want to use it anyway, any existing data (capture and configuration) will be lost; default values will be restored:
pulsar format data disk
These processes should not be interrupted. Do NOT use Ctrl-C.
Preparing disk... Formatting disk... Installing disk... Generating database... This may be quite long (5 min)... Done
7.2.5 Listing running processes: The process command lists all the processes running on the appliance as well as their uptime:
pulsar
229. ntis tend to respond much slower than Brax. By clicking on it and having a look at a second dashboard, called Server Application Dashboard, we shall be able to determine if this is permanent or punctual, and whether this is due to the load on this application or on another one hosted on the same server.
3rd element: EURT by Client zone
[Figure 8.11: EURT by Client zone (breakdown by client zone)]
What we can see here is a breakdown of the EURT for this application between client zones: at one glance you can determine which zone was impacted by the degradation and what the different levels of experienced performance are depending on where users are located. For example, from the screenshot above we could certainly think that mainly one zone was impacted by the SRT degradation, and also that there are some significant differences in performance between zones due to differences in RTT values (network latency).
8.4.3 Drill down dashboards: SecurActive APS offers two additional dashboards: Client zone application dashboard; Server application dashboard.
Client zone application dashboard: You can access this dashboard either through the menu or by clicking on a specific client zone in the Application Dashboard. This dashboard contains three bits of information: EURT graph through time for this client zone and this application; EURT breakdown by server, so that you can compare the performance offered by
230. [Figure 7.12: Create a new report (Report settings, General: Name "Report proxy", Description "This report describes the different flows received by the proxy", Language English, recipient support@securactive.net; Scheduling settings: Report every 1 Day, Period and time: Start at 23:55, From 2012-06-19, To YYYY-MM-DD)]
Week: Generates the report every x week(s) on the selected days (example: every two weeks on Friday; several days in the week can be chosen).
Month: Generates the report every x month(s) on day y (example: every month on the first of the month; be careful, if you choose day 29, 30 or 31 you will only receive your reports if there is such a day in the corresponding month).
Start at defines the hour (format HH:MM) at which the generation of the report will start. Once the report has been generated, it will then be sent to the recipients' email addresses.
From and To fields are optional. They allow you to define a validity period for the report; in such a case the report will only be sent in the period ranging from the first date up to the second date.
[Figure 7.13: Report template just created (Available reports: Sent every 2 day at 23:55:00, To support@securactive.net, Containing 3 views; Edit / Send Now)]
The new report template just created will appear in the list of available report t
231. odified time interval is the actual observation period.
Operating System (OS): Different operating systems implement the core network protocols differently. The probe attempts to guess the operating system that's used at both ends of a conversation based on these differences. This information, even if inaccurate and unreliable, can still be used to help identify a host or a network trouble.
Poller: Remote probe that listens to and analyzes the network traffic to produce statistics that the collector will fetch and insert into the central database.
Protocol Stack: The various protocols identified in a flow. For instance, an HTTP conversation that's carried in TCP over IP over Ethernet may be reported with the Eth/IPv4/TCP/HTTP protocol stack, whereas in case of an IPv6-in-v4 tunnel the protocol stack would be Eth/IPv4/IPv6/TCP/HTTP. Not only does this notation make all sorts of tunnels visible, but it also makes apparent some protocols that are detected by the sniffer despite running on non-standard ports.
Retransmission: Packets being resent when they have either been lost or damaged. Packet retransmission is identified thanks to their TCP sequence and acknowledgment numbers and checksum values. Only packets with a non-null payload are checked.
Retransmission Delay (RD): Delay between a packet and its next retransmission. RD stands for Retransmission Delay. RD is defined as the time between a packet and its next retransmission.
Retransmission Duplicate ACK: Dupl
232. oes not belong to the company's workstations (an external consultant on the network whose laptop is trying to reach common resources on his home network: DNS, printers), or it may be the machine of someone coming from a remote site with its own configuration, or a machine that has simply been wrongly configured.
How would we see it? A large number of ICMP Host Unreachable errors coming from one or several routers to this machine or this group of machines. The information contained in the payload of each of these errors would probably show they are trying to reach a certain number of hosts for some services or applications.
Migration legacy: A certain number of machines keep requesting DNS resolution from a DNS server which has been migrated (this could be true for any application available on the network). Their users certainly experience worse performance when trying to use these services.
How would we see it? A large number of ICMP Host Unreachable errors coming from one or several routers to a group of machines. The ICMP information contained in the payload of each of these errors would probably show they are all trying to reach the previous IP address of a given server.
Network device misconfiguration: A router does not have a route configured; some machines are trying to reach some resources unsuccessfully.
How would we see it? A large number o
233. omatically authenticate your request using Basic HTTP Authentication.
2. Your download client may require the server itself to initiate the Basic HTTP Authentication process. For instance, wget does so when you omit the --auth-no-challenge option. If so, you can instruct SPV to initiate the process by appending &auth=force_http to the query string part of the URLs.
NB: Basic HTTP Authentication does not protect your credentials from snooping. You may thus want to use https URLs instead of http.
13.3.3 Scripting Examples: In the first example we will retrieve the Top Servers page as stripped-down HTML, filtering for the SSH application, using the command line with wget.
Using the --auth-no-challenge option:
wget --user=admin --password=admin --auth-no-challenge http://SPV/skin=simplehtml/nevrax/netw
Using the auth query string parameter:
wget --user=admin --password=admin http://SPV/skin=simplehtml/nevrax/network/ipstats_dst.html
In the next example we will retrieve the Bandwidth Chart page as a PDF, using the command line with curl. curl will automatically initiate Basic HTTP Authentication when you pass credentials with the -u option:
curl -u admin:admin http://SPV/skin=pdf/nevrax/network/bw_chart_page.html?filter.capture
If HTTPS is used to keep your credentials concealed, your client may need an option to skip the server certificate check. Here is an example with wget (same wget query as abov
234. ome extent on the quality of the measurement provided by RTCP. Please note that MOS is not very sensitive to normal latency values. When referring to voice or media, we refer to the RTP traffic, which may correspond to different things: human voice, prerecorded message, ring-back tone, busy line tone.
The VoIP module discards the jitter and packet loss data present in the RTCP flow and replaces them with equivalent values computed internally. This is so for several reasons: it was observed that many softphones do not place accurate or even credible values in these fields; the RTCP stream is more often missing than present, probably because it is firewalled and of little use to the VoIP client software. For the VoIP module to remain passive, there is no other option than to compute these values for every RTP stream, to generate jitter and packet loss values which will be a good estimate of the real jitter and loss experienced by both users. This is how, even in the absence of an RTCP stream, we can display a jitter and packet loss count (and no RTT, and thus no MOS).
8.3.5 VoIP Views
VoIP Overview: VoIP Overview is a view of all VoIP traffic in the network, zone per zone: Number of calls; MOS value; Packet loss (global or caller/callee); Jitter (global or client/server); RTT (global or client/server).
Note: The value caller
235. Table 13.10 (continued from previous page)
0xc0000043 SMB_STATUS_SHARING_VIOLATION
0xc0000044 NT_STATUS_QUOTA_EXCEEDED
0xc0000045 NT_STATUS_INVALID_PAGE_PROTECTION
0xc0000046 NT_STATUS_MUTANT_NOT_OWNED
0xc0000047 NT_STATUS_SEMAPHORE_LIMIT_EXCEEDED
0xc0000048 NT_STATUS_PORT_ALREADY_SET
0xc0000049 NT_STATUS_SECTION_NOT_IMAGE
0xc000004a NT_STATUS_SUSPEND_COUNT_EXCEEDED
0xc000004b SMB_STATUS_THREAD_IS_TERMINATING
0xc000004c NT_STATUS_BAD_WORKING_SET_LIMIT
0xc000004d NT_STATUS_INCOMPATIBLE_FILE_MAP
0xc000004e NT_STATUS_SECTION_PROTECTION
0xc000004f SMB_STATUS_EAS_NOT_SUPPORTED
0xc0000050 SMB_STATUS_EA_TOO_LARGE
0xc0000051 NT_STATUS_NONEXISTENT_EA_ENTRY
0xc0000052 NT_STATUS_NO_EAS_ON_FILE
0xc0000053 NT_STATUS_EA_CORRUPT_ERROR
0xc0000054 SMB_STATUS_FILE_LOCK_CONFLICT
0xc0000055 SMB_STATUS_LOCK_NOT_GRANTED
0xc0000056 SMB_STATUS_DELETE_PENDING
0xc0000057 NT_STATUS_CTL_FILE_NOT_SUPPORTED
0xc0000058 NT_STATUS_UNKNOWN_REVISION
0xc0000059 NT_STATUS_REVISION_MISMATCH
0xc000005a NT_STATUS_INVALID_OWNER
0xc000005b NT_STATUS_INVALID_PRIMARY_GROUP
0xc000005c NT_STATUS_NO_IMPERSONATION_TOKEN
0xc000005d NT_STATUS_CANT_DISABLE_MANDATORY
0xc000005e NT_STATUS_NO_LOGON_SERVERS
0xc000005f NT_STATUS_NO_SUCH_LOGON_SESSION
0xc0000060 NT_STATUS_NO_SUCH_PRIVILEGE
0xc0000061 SMB_STATUS_PRIVILEGE_NOT_HELD
0xc0000062 NT_STATUS_INVALID_ACCOUNT_NAME
0xc0000063 NT_STATUS_USER_EXISTS
0xc0000
236. on 2 and enter the proper SNMP community in accordance with the SNMP settings of the collector. You must use a bigger SNMP timeout than the default one. On the screenshot below you can see we set a timeout of 20s.
[Screenshot: Cacti Console > Devices > Edit, device "CactiTest": Hostname 192.168.10.236; Host Template "SPV Central Collector"; Number of Collection Threads 1 (Spine poller only); Downed Device Detection: SNMP Uptime; Timeout Value 400 (timeout value to use for host ICMP and UDP pinging; this host's SNMP timeout value applies for SNMP pings); Ping R
237. on 2.5.13; the filename will evolve depending on the version number. The ZIP archive will contain the following files: SPV-2.5.13-r2.mf, SPV-2.5.13-r2.ovf, SPV-2.5.13-r2-disk1.vmdk.
5.6.2 Virtual hosts settings: The Performance Vision virtual appliance is designed to run in a VMWare ESX v4 or v5 environment. It can be launched with a minimum of 512MB of RAM, although a larger quantity is recommended to ensure satisfactory performance rates. However, all settings cannot be tested; in case of doubt it is recommended to fall back on these tested settings: RAM: 512MB, 4GB, 6GB, 8GB, 12GB or 16GB; CPU: 1, 4 or 8.
5.6.3 Installation: 1. Connect to your vSphere Client and then, in the Virtual Machines tab, in the File menu, select Deploy a new OVF template. Find and open the Performance Vision OVF file. Click on Next twice and then accept the license agreement. Name the Virtual Machine appropriately (SPV appliance, for example). The system detects the space available on the disk for the new Virtual Machine; we recommend allocating the following: Trial Virtual Appliance: 4GB RAM, 2 vCPU > 2.0 GHz; Virtual Poller: 8 GB, 2 vCPU > 2.0 GHz; Virtual Appliance: > 16 GB, 4 vCPU > 2.4 GHz.
[Screenshot: Deploy OVF Template, Ready to Complete ("Are these the options you want to use?"): summary of the selected options (OVF file path, download size 1.1 GB, size on disk 16.0 GB)]
238. [Figure 13.10: Summary (Cacti output listing the created graphs: CactiTest Traffic eth..., CactiTest Disk Space, CactiTest Disk Space /srv)]
Congratulations! You now have many new graphs to monitor both your PV and your network. Do not forget to create new graphs for the new BCA/BCN you may add in the future.
Creating a device for your probe: Although monitoring a probe is much less interesting, since you won't be able to fetch any BCA/BCN from a mere probe, you can still add your PV probes to your Cacti monitoring system by following almost the same steps as above, only selecting a device of type PV Probe instead of PV Central Collector.
[Figure 13.11: graphs displayed]
13.1.2 How to integrate your APS with Nagios
Introduction: Nagios is a powerful tool to easily monitor IT networks and servers. It can alert on reachability issues, software or hardware problems. But it's much harder to alert on End User Response Time. With the help of the SNMP module of your PV probes, you can add new checks on Nagios to perform this and other advanced checks.
Prerequisites, PV side: The license cannot be a Free or Express version to enable SNMP. Enable the PV SNMP via SSH (user admin) with the command snmp start. Create at least one BCA or one BCN.
Network side: Network access from the Nagios server to the PV host f
239. ons. The purpose of the Business Critical Application Dashboard (BCA) is to have regrouped into one single view the most important elements that are critical for your business. In one single screen, vital information is presented to the people in charge in order to radically improve early diagnostics and impact analysis. The right information is directly available through a completely configurable and dynamic dashboard view. What is monitored is the EURT (End User Response Time) metric. Thus this dashboard reflects the quality of experience of the users for the selected critical applications: in red, poor quality; in orange, medium quality; in green, good quality; in grey, not enough data gathered.
[Figure 8.1: Business Critical Application Dashboard view (columns: Application, Response time, Traffic, Transactions; e.g. Web Portal)]
8.1.1 Business Critical Application Dashboard Capabilities: You can customize the business critical dashboard to view specific applications and metrics corresponding to your specific business. From the BCA dashboard you can drill down from the general view to detailed analysis and problem resolution views.
[Screenshot detail: Capture time 2010-10-25 14:52:00, https EURT 3.85, Transactions 128, Salesforce App Dashboard]
Figure 8.2: Qui
240. ons. Any application can be tagged as Business Critical. Those applications are used to display the Business Critical Application Dashboard. To flag a given application as critical, or remove this flag, edit this application by clicking on it in the application list and toggle the Critical Application checkbox. When you flag an application as Critical, three additional parameters are requested.
The minimum transaction count: It indicates, for one minute, the minimum number of SRT (Server Response Time) events to be seen on the network for the measurement to be considered pertinent. If no transaction at all is seen during the period of time analyzed, the color displayed on the BCA dashboard will be white. If the number of events seen during the period of time analyzed is above zero but under this value, the color displayed on the dashboard will be: some events have been seen, but not enough to be considered a pertinent measurement. If the number of events seen during the period of time analyzed is above or equal to this value, the color displayed on the BCA dashboard will be either green, orange or red, depending on the EURT values.
[Screenshot: application edit form (Analyze HTTP, Capture PCAP, Critical application: "Define as a critical application" checked, Min transaction count 0, Thresholds Warn 800 ms, Thresholds Alert 1000 ms; buttons Remove / Cancel / Update)]
241. or protocol SNMP (UDP port 161).
Nagios side: A Nagios script can be downloaded from our website (http://download.securactive.net/pv/misc/nagios/nagios_pv_snmp.pl) or on github (https://github.com/securactive/nagios-PV-snmp). Requirements: Nagios v3; Perl5; Perl libraries Net::SNMP and Getopt::Long (you can install them with cpan). The script must be executable by Nagios (chmod +x nagios_snmp.pl).
Command line usage. Help: nagios_pv_snmp.pl --help
SNMP Network PV Monitor for Nagios, version 0.4, GPL licence
Usage: nagios_pv_snmp.pl -h -v -H host -C snmp_community -2 -l login -x passwd ...
-v, --verbose: print extra debugging information
-h, --help: print this help message
-H, --hostname=HOST: name or IP address of host to check
-C, --community=COMMUNITY NAME: community name for the host's SNMP agent (default public)
-l, --login=LOGIN and -x, --passwd=PASSWD: login and auth password for snmpv3 authentication. If no priv password exists, implies AuthNoPriv
-2, --v2c: use snmp v2c
-X, --privpass=PASSWD: priv password for snmpv3 (AuthPriv protocol)
-L, --protocols=<authproto>,<privproto>: <authproto> is the authentication protocol (md5|sha, default md5); <privproto> is the priv protocol (des|aes, default des)
-p, --port=PORT: SNMP port (default 161)
-i, --insensitive: case insensitive for r
242. orm of GET parameters: http://DOMAIN/PATH?filter.field1=value1&filter.field2=value2. If the capture begin or capture end filters are omitted, the engine will instead request data for the last hour. The URL can be parameterized to ask the engine to render the output either as stripped-down HTML or as PDF. This is done by prepending respectively skin=simplehtml or skin=pdf to the path of the URL: http://DOMAIN/skin=pdf/PATH?filter.field1=value1&filter.field2=value2. NB: This is the same kind of URL you get when you click the Export as PDF button in the user interface.
13.3.2 Authentication: SPV normally uses its own authentication forms, which you see whenever you log in to the user interface with a Web browser. This authentication system uses cookie-based sessions to keep you logged in, which can be inconvenient to support programmatically. SPV therefore also provides support for session-less access with the Basic HTTP Authentication mechanism. Command line download clients like curl or wget support it natively. There are two ways to switch SPV over to session-less Basic HTTP Authentication:
1. Your download client may support it automatically: curl does; wget does if you pass the --auth-no-challenge command line option. In this case, pass your login and password in the normal way supported by your client and SPV will aut
243. ot reachable: either the source machine is scanning, or it is misconfigured and tries to reach a service which no longer exists or has been migrated. This view is great to pinpoint configuration and infection issues.
[Figure: ICMP errors table (columns: Packets, Traffic, Code, Src zone, Src IP, Dst zone, Dst IP; e.g. 5827 packets, 398.3KiB, Time Exceeded (11), 172.16.7.25 ...)]
This view can be accessed through Diagnostic > TCP events.
2.14 Drill Down: You can navigate between the metrics to drill down to the point where you want to analyze fine details about performance problems or, on the opposite, to explore the context of such problems. You can also easily navigate to a different, related metric. You can see several labeled icons at the beginning of most result tables that direct you to a more detailed or more general page matching a particular line.
[Figure: navigation menu, APPLICATIONS section. Entries visible in the extraction: Dashboards, Business Critical Applications, Requests, Application, Server Application, Top Servers, Client Zone Application, Top Clients, IP Server, Overview, Top Requests, Top Files, Performance, Detailed Matrix, HTTP Contextual Matrix, Status, Tops, Reports, DNS Performance, Raw Data, Servers, Top IP Server, VoIP, Clients, Top IP Client, MOS, Applications, Top Host, Jitter, Packet Loss, Ports, Top User Agent, Bandwidth ...]
244. ough SNMP (Performance Vision MIB). GUI: Find the company/vendor name behind a MAC address for non-IP traffic. Metrics: Added a new metric, 0 Window event, in TCP Events. GUI: JavaScript performance improvements.
1.14.2 Changes: PCAP: AutoPcap files are now kept for 72 hours instead of 48 hours. Export: All data views can now be exported directly as a PDF page (new Export as PDF icon). GUI: Updated TCP conversation workflow for improved usability.
1.15 What's New in 2.7
1.15.1 New Features: Config: POSIX regular expressions are available in web patterns. Reports: Can now reorder pages in a report. GUI: DNS resolution requests can now be done and undone with a button, column by column, and no longer through field mouse-over.
1.15.2 Changes: GUI: Replace in/out by srv/clt in all pages. Metrics: Deduplication is now performed independently for every interface/VLAN if these are not aggregated. Config: Search and zone edition is now faster.
1.15.3 Major bug fixes: Metrics: SIP connections were not properly tracked in some cases. Pulsar: Fix Pulsar analyzer ifaces and help commands. GUI: Fix empty unfolded line bug in grouping tables. System: Restart processes when they consume too much memory.
1.16 What's New in 2.6
1.16.1 New Features: GUI: User manual is now accessible from the GU
245. out domain names (Web and DNS reports) you can use a regular expression by prefixing the entry with a tilde character. For example, you can use this to filter all but some names. For instance, here is a valid input to filter all but Google's and Amazon's:
ae 21 aks 2g900gleN fr oom 9 J amazon V 2 3 11 216
10.10 How come my VM keeps losing sync? Even if you configure NTP on a virtual appliance, ESX helper programs will try to set the date and time of the VM from the ESX guest. This process will run concurrently with NTP date synchronisation, with undefined results. So if you have a VM that's regularly out of sync, make sure your ESX itself has the correct time.
10.11 What about Open Source? SecurActive uses internationally proven and rock-solid open source components such as Linux, Python, Zope, Postgresql, Git, GCC. Our company has chosen to actively contribute to the open source community by regularly submitting patches to these projects and providing access to parts of its own code.
10.12 Standard TCP Session
[Figure/table: A-B time (ms), SPV events (client, probe, server), SPV metrics, comments. SYN: standard TCP 3-way handshake, start of TCP session (Handshake). Uncommon data push from client: no response is awaited by the client from the server here; SPV cannot know this and computes a DTT client (push client). RTT server
246. [Figure 3.6: Source/Destination conversations (table; rows as recovered from the extraction: ssl 864.5KiB 824.8KiB 752; 192.168.80.6 R&D 192.168.10.6 Web Intranet 553.6KiB 521.5KiB 497; 192.168.10.9 VLAN_Sales fallback 192.168.20.237 ssh 372.1KiB 41.0KiB 5128; 204.14.234.36 VLAN Sales fallback 192.168.20.213 Salesforce 352.7KiB 337.0KiB 298; 192.168.20.217 VLAN Labo fallback 192.168.80.22 243.0KiB 216.7KiB 498)]
On the other hand, client/server conversations will be used for all views reporting performance. Hereunder you can see in the first line of the table that a client/server conversation takes into account the traffic in both directions.
Figure 3.7: Client/Server conversations
Client Zone | Client IP | Server Zone | Server IP | Application | Traffic | Packets | Handshake | Transactions
VLAN R&D | 192.168.10.5 | Internet | 128.237.157.136 | ircu | 1.7KiB | 18 | 0 | 1
VLAN Sales fallback | 192.168.20.217 | Internet | 174.36.30.4 | http | 3.6KiB | 22 | 4 | Ti
VLAN R&D | 192.168.10.10 | Internet | 209.85.137.125 | NC tcp | 2.6KiB | 34 | 4 | 1
VLAN R&D | 192.168.10.8 | Internet | 208.71.169.36 | ircu | 1.6KiB | 17 | 0 | 2
VLAN Sales fallback | 192.168.20.202 | Internet | 91.121.2.221 | vpn | 16.9KiB | 184 | 4 | 42
VLAN R&D | 192.168.10.4 | Mother2 | 88.191.105.6 | Sro Mother2 | 16.8KiB | 180 | 4 | 33
VLAN R&D | 192.168.10.6 | Internet | 140.211.15.34 | http | 12.5KiB | 31 | 3 | 1
VLAN R&D | 192.168.10.4 | Internet | 193.48.186.4 | ssh | 606.6KiB | 919 | 4 | 11
In general you will find that Client/Server is relevant when we are speaking
247. packet that looks like a Keep-Alive will be ignored.
4.1.3 DTT timeouts: The objective of the TCP DTT metric is to measure the duration of a single write or of a sequence of closely related writes. For protocols that do not follow the request/response pattern, it is very important to detect when two data transfers are separate in time, suggesting they are unrelated. The tcp dtt timeout parameter helps with that: if two packets are separated by more than this duration, then they do not belong to the same DTT. By default it is set to 1s, so that neither lost packets nor a full reception buffer would interrupt the DTT, but an actual pause from the sending application will be detected as such.
4.1.4 What is a retransmission? According to the sniffer, any TCP packet with a payload (or a SYN, a FIN or RST flag) with a sequence number that was already covered is a retransmission (here "covered" means that this sequence number was in a packet that has already been analyzed). Fast retransmission is thus counted as retransmission.
4.2 HTTP: The HTTP metric offers a very synthetic notion of a page, which is a set of HTTP documents fetched by the same user and combined by his browser into a single object (a page). Reconstructing pages from the actual packets involves an unusually high number of operations and thus deserves quite a detailed description.
4.2.1 HTTP specific glossary: Although not re
248. po Re SLITHO 1
R String spvBCNZoneA (2)
String spvBCNZoneB (3)
R EnumVal spvBCNGlobalStatus (4): values Ok(1), Warning(2), Alert(3), NA(4), Nothing(5), NotEnough(6)
R EnumVal spvBCNStatusAtoB (5): values Ok(1), Warning(2), Alert(3), NA(4), Nothing(5), NotEnough(6)
spvNevraxBCNTime (2)
R EnumVal spvBCNStatusBtoA (6): values Ok(1), Warning(2), Alert(3), NA(4), Nothing(5), NotEnough(6)
Gauge spvBCNRttAtoB (7)
R Gauge spvBCNRttBtoA (8)
R Gauge spvBCNRrAtoB (9)
R Gauge spvBCNRrBtoA (10)
Counter spvBCNRetransCountSumAtoB (11)
R Counter spvBCNRetransCountSumBtoA (12)
R Gauge spvBCNBandwidthAtoB (13)
R Gauge spvBCNBandwidthBtoA (14)
R Counter spvBCNTrafficSumAtoB (15)
R Counter spvBCNTrafficSumBtoA (16)
R Counter spvBCNPacketsCountSumAtoB (17)
R Counter spvBCNPacketsCountSumBtoA (18)
R EnumVal spvBCNThresholdSymetricLink (19): values True(1), False(2)
R Gauge spvBCNThresholdBandwAvailableAtoB (20)
R Gauge spvBCNThresholdBandwAvailableBtoA (21)
R Gauge spvBCNThresholdBandwMinAtoB (22)
Gauge spvBCNThresholdBandwMinBtoA (23)
R Gauge spvBCNThr
249. pplication, it may of course be due to network congestion (retransmission issues) but also to TCP errors like 0 Windows. By looking at specific conversations you can view whether the TCP window is being reduced, and by whom (client / server).

[Figure: table of TCP conversations with columns IP / Application, Traffic, Payload, Packets, Conn. attempts, Conn. established and 0 Win (rows for Web test, https, ftp); the row values are not recoverable from the extraction.]

Abnormal behaviors: by sorting the events by number of SYN packets you can easily view which machines are generating a very high volume of TCP session starts which eventually do not drive to a complete TCP session setup. If you see machines with a large volume of SYN packets and few / no session setups, these machines are either misconfigured or infected. This view can be accessed through Diagnostic > TCP events.

2.13 ICMP Errors

Performance Vision provides an in-depth view of ICMP errors. ICMP errors will report the volume of flows which cannot be set up, either because the network, host or port is unreachable. This can reveal:
- An unavailable host
- A network which is not reachable: either it does not exist (which reveals a configuration / infection issue on the source host) or it is not available (configuration issue)
- A port which is n
250. ptures and evaluates the data without any impact on the original traffic. The port mirroring is the most commonly used solution to capture traffic because it is inexpensive, flexible in terms of how much traffic can be captured at once, and remotely configurable. Please note that a port mirroring may have some drawbacks, such as:
- It can consume significant CPU resources while active.
- There is a risk of not receiving some packets (like media errors).
- In the case of traffic congestion at the switch level, the port mirroring is likely to drop some traffic because the SPAN process does not have priority.

In some cases a better solution for long term monitoring may be a passive TAP or an Ethernet repeater hub.

Advantages:
- Low cost: this feature is embedded in most switches
- Can be configured remotely through IP or Console port
- The only way to capture intra-switch traffic
- A good way to capture traffic on several ports at once

Drawbacks:
- Not adequate for fully utilized full duplex links (packets may be dropped)
- Filters out physical errors
- Impact on the switch's CPU
- Can alter the timing of the frame, with an impact on response time analysis
- SPAN has a lesser priority than port to port data transfer

5.2.2 Network TAP

A network TAP (Terminal Access Point) is a hardware device which can passively capture traffic on a network. It is commo
251. quired to use Performance Vision, the following definitions are required to understand the following description.

HTTP message: as defined by RFC, it is an HTTP header optionally followed by a body. Sniffing gives us some of the headers, the relevant timestamps, sizes and so on. We may not see everything, but the beginning of the header is mandatory in order to recognize an HTTP message.

HTTP query: HTTP message with a command (GET, POST, HEAD, etc.) and the URL.

HTTP response: HTTP message with a response code (sometimes called status code or status).

hit or transaction: HTTP query with, optionally, its associated HTTP response (note: a response with no associated query is ignored for this metric).

user: the HTTP client software (browser or whatever) that has sent the query under consideration. It's identified by his IP address and user agent field.

page: set of transactions that are supposed to be perceived as a single query, implying a single delay for the user. Notice how subjective this definition is. The intent is to include in a single page all the hits required for a typical browser to display enough content for the typical user to think his query is fulfilled. For websites or browsers that delay download of content until it becomes visible, or for websites that display intermediary content, the only objective is to behave in a way that's understandable.

root of a page: the transaction that triggers other transactions for
252. r the CIFS commands like move; Number of metadata bytes read; Number of metadata bytes written; CIFS Path to the file related to this command; Number of queries; Query packets at applicative level (PDU); Sum of query payload; Number of bytes to be written.
Type column (in row order): Date and time; Date and time; SMB command; Byte quantity; String; Decimal or hexa; Decimal or hexa; Byte quantity; Byte quantity; Byte quantity; Wildcard or regex; Decimal or hexa; Decimal or hexa; Byte quantity; Byte quantity.

Table 13.5 (continued from previous page), Operand: Description (the Type column of this part is missing from the extraction):
- cifs response packets: Response packets at applicative level (PDU)
- cifs response payload: Sum of response payload
- cifs response read: Number of bytes read
- cifs response write: Number of bytes effectively written
- cifs status: CIFS Status
- cifs subcommand: CIFS Subcommand
- cifs tree: CIFS Tree related to this command
- cifs tree …: CIFS Tree ID
- cifs user: CIFS User
- cifs warning count: Number of warnings (mostly client side)
- device: (description not recoverable)
- ip: Either client or server IP or subnet
- ip clt: IP which demands a connection to a server
- ip srv: IP which replied to a connection demand
- mac: Client or Server MAC address
- mac clt: Client MAC physical address
- mac srv: Server MAC physi
(remaining operands of this table: poller name, protostack, srt, srt count, vlan, zone, zone clt, zone srv)

13.2.6 ICMP
253. r virtual switches may have different / more features.

5.6.7 Data storage

Virtual appliances come with no data disk, thus everything (traffic data as well as pcaps and reports) will be written to the system disk only. If you plan to keep a long history of data, then a dedicated data disk is mandatory. To create one, attach a new drive to your VM and then run the format data disk command from pulsar. Notice that:
- you will not be able to resize this data disk hereafter; the required size depends on the traffic you plan to monitor, but anything below 500GB seems dubious;
- the data previously acquired will be lost;
- you are required to reboot the appliance once done.

5.7 Netflow

5.7.1 Overview

Any SPV poller can be sent netflow v5. The pollers will add volumetry information of every netflow to the traffic statistics, so that these flows will be visible from the GUI. In this case the IP address of the sending equipment will be displayed next to the receiving poller name.

5.7.2 Configuration

By default pollers listen to UDP ports 2055, 9555 and 9995. These ports can be changed in the sniffer configuration from the GUI. Clear this list of ports to disable the feature. Note that the sniffer must be restarted after this change.

5.7.3 Limitation regarding reception

Netflow export, transported by UDP datagrams, is a best effort service. A switch may skip sendi
254. ress or netmask
- mac: Client or Server MAC address (MAC address)
- mac clt: Client MAC physical address (MAC address)
- mac srv: Server MAC physical address (MAC address)
- pkt count: Number of IP packets (Decimal or hexa)
- poller name: Poller name (distributed probe) (String)
- [operand garbled in extraction]: (Port number)
- vlan: Tagged Link 802.1Q (Decimal or hexa)
- zone: Server or Client Zone (Zone name)
- zone clt: Zone of the client IP (Zone name)
- zone srv: Zone of the server IP (Zone name)

13.2.4 SQL

Operand column (in row order): capture begin; capture end; device; ip; mac; srv; poller name; sql dbname; sql dbuser; sql error code; sql error count; sql error msg; sql error rate; sql error status; sql query command; sql query count; sql query packets; sql query payload; sql response dtt; sql response packets; sql response payload; sql system; srt; srt count; vlan; zone; zone clt; zone srv.

Description column (in row order; the Type column is missing from the extraction): Capture begin time; Capture end time; Either client or server IP or subnet; IP which demands a connection to a server; IP which replied to a connection demand; Client or Server MAC address; Client MAC physical address; Server MAC physical address; Poller name (distributed probe); Protocols stack; Average query transfer time; The database or instance name which is used to execute the …; Authenticated username who exec

13.2.5 CIFS
255. ring; Port number; Wildcard or regex; Duration; Duration; Decimal or hexa; Duration; Duration; Duration; Rate; Rate; Rate; Rate; Duration; Decimal or hexa; Duration; Byte quantity; Byte quantity; Byte quantity; Decimal or hexa; Decimal or hexa; Decimal or hexa (Type column, continued on next page).

Table 13.8 (continued from previous page), Operand: Description (Type). Operand names garbled by the extraction are restored from the table's own naming pattern (rtt sign count clt / srv):
- rtt: Sum of RTT in both directions (Duration)
- rtt clt: RTT for data from server to client (Duration)
- rtt count clt: Number of RTT for data from server to client (Decimal or hexa)
- rtt count srv: Number of RTT for data from client to server (Decimal or hexa)
- rtt sign: Sum of signalization RTT in both directions (Duration)
- rtt sign clt: RTT for signalization data from server to client (Duration)
- rtt sign count clt: Number of RTT for signalization data from server to client (Decimal or hexa)
- rtt sign count srv: Number of RTT for signalization data from client to server (Decimal or hexa)
- rtt sign srv: RTT for signalization data from client to server (Duration)
- rtt srv: RTT for data from client to server (Duration)
- srt: Server response time (Duration)
- srt count: Number of SRT computed in a time interval (Decimal or hexa)
- srt sign: Server response time for signalization (Duration)
- srt sign count: Number of signalization transactions in a time interval (Decimal or hexa)
- timeout: Number of timeout sent (Decimal or hexa)
- vlan: Tagged Link 802.1Q (Decimal or
256. rovements
- LDAP Authentication
- Second data merging level for http transactions for users with mirrored internet traffic
- User interface improvements, like the switcher widget for IP or Zones
- Performance improvements for queries on large data ranges
- Shellshock security update

1.3 What's New in 3.0

Database Transactions Analysis
- Supported Databases in Performance Vision for SQL Performance Analysis: Oracle, Microsoft SQL, MySQL and derivatives, PostgreSQL

Multi Node Analysis
- Schedule packet captures on multiple nodes at once
- Create triggered PCAPs at any time

Links between Flows & Transactions
- Switch from Flows to Transactions
- Switch from Transactions to Flows

New Features & Improvements
- Top Protocol Stack
- Top Source IP
- Top Destination IP
- Support for IEEE 802.1ah
- Improvements in HTTP for IP origin address (servers & proxies)
- Enrichment of existing views
- Ability to cancel queries
- Warning when a new version is available
- New menu interface
- User interface improvements
- Database summary
- Performance improvements on BCNs

1.4 What's New in 2.18

- Sniffer: Support (beta) of the skinny protocol
- CSV dumper is now multi core (better performances)
- Capture all HTTP traffic: the page reconstruction can be activated by flagging zones
- Applications: New button to remove unu
257. rser supports only protocol version 10. This should cover most of the installed base though.
- TNS parser for Oracle databases was roughly reverse engineered from various sources, especially the wireshark source code. It should thus not be expected to understand all messages in all situations.
- SIP parser implements no proprietary extensions, however prevalent.
- As there is no concept of connections for UDP, UDP conversations are ended after a timeout period of 2 minutes without any packet in any direction. This might not match the underlying protocol.
- VoIP dialogs are identified by their call id only, which implies that if the sniffer listens to various independent SIP proxies or servers then call id collisions cannot be ruled out (this choice was made because it proved useful in practice).

5.4 Port mirroring and duplicated packets

5.4.1 Introduction

The configuration of a port mirroring session has to respect some specific rules and standards. The main goals of a port mirroring session are to:
- Gain insight into the highest number of flows which are seen as strategic by the IT manager
- And ensure that all collected flows are appropriately analysed

It is crucial to ensure that a minimum number of flows are duplicated to the interfaces.

5.4.2 Detail

SPV solution can manage any level of traffic duplication (dropping packets received in excess); this howe
258. rsions: Free, NPS Express, NPS, APS Demo, APS Audit, APS Express, APS
- License: VMware APS exists in flows limit: Small, Medium, Large and Unlimited
- GUI: New chart that displays the Number of Flows
- Data: Export data of graphics or tables as CSV files
- GUI: New advanced filters which all support "with" and "without" criteria
- GUI: New zone selector design in forms to show the zone tree
- Sniffer: Infinite loop of PCAP reading from pcap replay loop directory

1.11 What's New in 2.11

- Matrix: Client / Server matrix; available metrics: Traffic, Packet Count, Server Response Time (SRT), Connection Time (CT), Round Trip Time (RTT), Data Transfer Time (DTT), End User Response Time (EURT)
- License: VMWare per flow license model; limitation is set on central database sizing
- Reports: Added global and per page description
- GUI: Report Logo is customisable and displayed in both HTML and PDF
- Report: Enhanced design
- GUI: IP Summary: Improved filtering; charts are filtered according to the zone filter
- GUI: New matrix design
- GUI: Rework the menu to better suit the workflow
- Sniffer: Reduce memory consumption
- Sniffer: Huge disk IO reduction for autopcap

1.12 What's New in 2.10

- Matrix: Performance Mapping: breakthrough new Matrix views. Select the metric of your choice and visualize at a glance where the issues are located
- Matrix: Source / Destination matrix; available metrics
259. s; Client MAC physical address; Server MAC physical address; Ethernet Type (Description column, continued).
Type column: Decimal or hexa; Address or netmask; Address or netmask; Port number; Zone name; Zone name; Decimal or hexa; Address or netmask; Address or netmask; Address or netmask; Address or netmask; MAC address; MAC address; MAC address (continued on next page).
Operand column: icmp err …; icmp err …; icmp err …; icmp type; ip; ip clt; ip netflow; ip … (garbled "10 5107"); mac; mac … (garbled "Sry").

Table 13.6 (continued from previous page), Operand: Description (Type). Operands lost in the extraction are shown as "…":
- …: Client MTU (Maximum Transmission Unit) (Decimal or hexa)
- …: Server MTU (Maximum Transmission Unit) (Decimal or hexa)
- pkt count: Number of IP packets (Decimal or hexa)
- …: Number of packets sent from client (Decimal or hexa)
- …: Number of packets sent from server (Decimal or hexa)
- poller name: Poller name (distributed probe) (String)
- proto: Protocol (Wildcard or regex)
- protostack: Protocols stack (type not recoverable)
- vlan: Tagged Link 802.1Q (Decimal or hexa)
- vol …: Total traffic in both directions (Byte quantity)
- zone: Server or Client Zone (Zone name)
- zone clt: Zone from which the ICMP packet was sent (Zone name)
- zone srv: Zone of the server IP (Zone name)

13.2.7 DNS

Operand / Type: capture begin; capture end; device; dns bandw; dns bandw clt; dns bandw srv; dns pkt count; dns … count (garbled "dnes kes COUNT"); dns p
260. [Figure 2.8: screenshot of per-query statistics (queries such as INSERT INTO and DELETE, with their counts, sizes in KB / MB and timings in ms); the values are not recoverable from the extraction.]
261. sed applications and increase performance.
- Help to create applications from NC flows
- New default applications, more coherent, simpler and updated; applications NC tcp and NC have been removed
- Send an email if the license is invalid or the data disk is almost full
- Advanced filters are multi-selectable
- New flow degradation configuration (ICMP)
- The configuration page has better inner documentation
- Kinetic Matrix: drag with the mouse to scroll through matrices
- New inline help in search forms for complex input like regex or custom filters
- New page in HTTP: Top URL
- SPV For Developpers

What's New in 2.17

New applications
- Application configuration: applications can be defined with much more criteria
- Applications can be exported to and imported from a CSV file
- A new configuration page allows to check application rules
- Webpattern and DynPort pages were no longer in use and were removed
- New data field "Protocol Stack" which can be used to define an application
- Deprecated URL pages were removed and replaced with new HTTP pages; reports are automatically migrated
- Non IP flows are now integrated in all non specific views from the Application and Network menus
- Non IP flows now have source and destination zones
- New Raw Data pages to display data point to point chronologically, i.e. the way they are stored in the database, without a
262. see Pulsar documentation. The SNMP objects that are thus made available are twofold: first there are the standard SNMP objects, then SPV specific objects. Version 2c of the protocol is supported.

System MIB

The probe uses the UNIX Net-SNMP daemon [2], which serves standard MIBs. So you can monitor your probe from your SNMP console as you would normally monitor any UNIX server. For instance the usual statistics about network interface usage, file system available space, I/O operations etc. are available.

Monitoring specific MIB

In addition to this default information, the probe provides various statistics under iso.org.dod.internet.private.enterprises.securactive. The comprehensive MIB files are available from our web site [3], so this section only sketches what kind of information is available. You are encouraged to download the actual MIB for use with your common purpose SNMP console. This will give you access to:
- Interface statistics for each network interface, such as the count of received packets, dropped packets and duplicated packets
- Protocol statistics for each recognized protocol, which can give a good impression of the realtime composition of the whole network stream
- Various CPU / RAM information that is destined to troubleshoot an SPV more t

[2] http://www.net-snmp.org
[3] http www securactive net en documents 250 securactive mibs download
263. siness Critical Application

You can access this view in the graphical interface in Dashboards > Critical Applications.

2.3.2 Application Performance Dashboard

A simple click from the Business Critical Application Dashboard takes you to the Application Performance Dashboard. It shows you the evolution of the End User Response Time through time, along with the volume of transactions and its breakdown in Round Trip Time, Server Response Time and Data Transfer Time. At a glance you can understand the origin of a change in the End User Response Time.

Underneath this first graph you find two additional bar charts which help you understand which server(s) and Client Zone(s) are performing better / worse and due to what component of the End User Response Time. The servers and zones are always presented from the one that corresponds to the highest volume of transactions to the lowest.

You can drill down and display either the Client Application Dashboard or the Server Application Dashboard by clicking on a specific server or client zone. This drives you to a specific application dashboard focusing on the same application for that specific server or client zone.

[Figure: Application Performance Dashboard screenshot, period 2012-03-21 13:15 to 2012-03-21 19:00, Transactions sum 182 293, with panels for the time chart (14:00 to 18:00) and "Breakdown by serv…"; the chart values are not recoverable from the extraction.]
264. ss
Type column (in row order): MAC address; MAC address; Decimal or hexa; Decimal or hexa; Decimal or hexa; OS name; OS name; OS name; Byte quantity; Byte quantity; Decimal or hexa; Decimal or hexa; Decimal or hexa; Byte quantity; Byte quantity; Byte quantity; Byte quantity; Decimal or hexa; Decimal or hexa; Decimal or hexa; String; Port number; Wildcard or regex; Duration; Duration; Decimal or hexa; Duration; Duration; Duration; Rate; Rate; Rate; Duration; Byte quantity (continued on next page).

Table 13.2 (continued from previous page), Operand: Description. Operand suffixes lost in the extraction are shown as "…"; the others follow the table's naming pattern (clt / srv, count):
- ret …: Retransmission traffic from client to server
- ret …: Retransmission traffic from server to client
- rst: Total Number of RST sent
- rst clt: Number of RST sent by client IP
- rst srv: Number of RST sent by server IP
- rtt: Oriented RTT
- rtt clt: RTT for data from server to client
- rtt count clt: Number of RTT for data from server to client
- rtt count srv: Number of RTT for data from client to server
- rtt srv: RTT for data from client to server
- srt: Server response time
- srt count: Number of SRT computed in a time interval
- timeout: Number of timeout sent
- vlan: Tagged Link 802.1Q
- vol …: Total traffic in both directions
- zone: Source or Destination Zone
- zone dst: Zone name to w
(remaining operand of this table: zone src)

13.2.3 HTTP

Operand / Type (start of table, garbled in extraction): capture begin; capture end; device; httpnbrb coumnt; httphlt err count; 111211 Help
265. stination treatment. For example, traffic from A to B takes into account all traffic coming from a host in A to a host in B, regardless of the role they played (client or server). The above graphs take into account the communications from A to B only, in one direction.

Client / Server

In a client / server conversation, all flows between two hosts will be classified following the concepts of client and server. This means that the flows will group data exchanges to and from a client IP address, from and to a server IP address. For instance, a traffic from A to B for an application (provided both A and B can be a server for a single application) will be broken down in two conversations: a conversation for client A & server B (with traffic from A to B and from B to A), and a conversation from client B to server A (with traffic from A to B and from B to A).

Clt / Srv corresponds to a view of network flows for performance analysis. When reviewing data for performance analysis purposes, an administrator wants to view flows in function of the role of each host (client or server). Indeed the role of a host has an impact on the metrics displayed, and the clients and servers cannot be mixed.

[Figure: client / server flow diagram listing TCP 15445 / 80, TCP 445 / 25665, UDP 53 / 44521 and 17465 / 443, with panels "Performance between clients in A to servers in B" and "Performance between clients in B and servers in A"; values not recoverable from the extraction.]
266. strators Yes; admin Administrators Yes.

Figure 7.5: User account John is about to be deleted

7.3.2 Zone configuration

The aim of this chapter is to help the administrator of the platform to configure zones. When you change or create a zone, the modifications will be effective within a short delay for future integrated data, but not to the already captured data, which keep their old zone attribute.

How to access the configuration menu

After clicking on the top right configuration button, you will observe a tree configuration menu with different items:
- SPV Settings: Zones, Business Critical Networks, Applications, Web Applications, Dynamic Protocols, Reports
- Probe Settings: Users, Pollers, Status, Dump / Restore

Figure 7.6: Configuration menu

Zones management using the GUI

Please refer to Zones for Zone tree and Fallback explanations. You can reach the zone configuration page by clicking on the Zones label of the menu. The illustration below lists the zones and their corresponding definitions. This page allows you to add a zone, edit a zone, move some zones around or delete a zone.

In order to edit a zone or add a new child, you need to click on the zone block to expand it; its filters will then be available for edition. Each filter is composed of a subnet field, a MAC address field, a Vlan field, and device and poller select boxes. Any of these filters can be left blank, in which case no tests are p
267. struct pages is:
- the process is very sensitive to missing TCP fragments (retransmitted fragments cause no problem, but fragments that are not mirrored to the probe do);
- the bigger the proxies, the less reliable client isolation will be;
- some heuristics regarding AJAX content types and timing do not necessarily match your sites;
- some clients may successfully hide the referrer or, worse, we may guess a wrong referrer;
- HTTP analysis may consume more resources than what's available or configured;
- any small inaccuracy in HTTP message reassembly or in transaction pairing will lead to a much bigger inaccuracy of page load time.

CHAPTER FIVE

DEPLOYMENT

5.1 How to integrate Performance Vision in your network

5.1.1 Preliminary steps

Performance Vision is dedicated to analyzing the performance of business critical applications in a corporate network. Hence the very first step before considering integrating Performance Vision in your network is:
- identifying an up to date list of business critical applications, including applications directly supporting business processes but also applications on which these may rely (e.g. DNS, Microsoft DS, etc.);
- locating the servers hosting these applications;
- defining which network devices clients are using to access these applications.

5.1.2 Positioning the probe

Performance Vision appliance will be installed as close as possible to the servers to prov
268. t rows or by a configuration page. In both cases the administrator rights are requested. The setup is very easy because the capture filters are preset with the wanted flow characteristics, but the main advantage of triggered PCAP is that it is possible to set a date and time to start the capture.

[Figure 8.20: Load the form to trigger a new PCAP; the flow data will be used to preset the filters. The screenshot lists existing captures on poller vprobe19 dated 2014-03-12, with a "Create a triggered PCAP capture" action; the row values are not recoverable from the extraction.]

[Figure 8.21: Trigger a PCAP for midnight. New Triggered PCAP form: Start Date 2018-01-01 00:00:00; Name "08 midnight issue"; Metric TCP; Port 5432; IP 1 192.168.10.3; IP 2 (empty); Pollers vprobe19; Advanced options; Add.]

By default only the local poller is selected to trigger the capture, but all known pollers are available. If multiple pollers are selected for a capture, then one PCAP will be created for each one. All added triggered PCAPs are referenced in the dedicated page in the config menu. It is possible to delete and download them regardl
269. t the mean time between the client request is significantly higher than the average (on a LAN it should remain close to 1 ms), we may face three kinds of issue:
- the client is not requesting the correct DNS server (DHCP misconfiguration, for example). You can check this out in the interface by looking at the Server IP fields;
- it means that the DNS server has an issue with regards to the caching of DNS names. The cache system makes it possible to resolve a name without requesting the DNS server which has authority for the DNS zone (the IP address corresponding to the name). Hence if the response time is high, first the application will be slow from the user's point of view, and secondly it will induce an unnecessary consumption of bandwidth. This bandwidth will be wasted both on the LAN and on the Internet link, if we make the hypothesis that the authority server sits on the Internet. If we consider the case of a fairly large organization, the bandwidth used by the DNS traffic will not be negligible and will represent an additional charge;
- the DNS server may have system issues. If the server is overloaded it cannot hold all the requests and delays or drops some, which leads to a general slowdown of the network performance.

You can easily cast a glance at these issues: go in the Analysis > DNS Messages menu and fill the form with appropriate values, especially the Requester Zone, to verify if the requests are correctly answered and in an a
270. ted RTT Server would be impacted on the server side and RTT Client on the client side. RTT should then be analyzed in parallel to CT (Connection Time), because the treatment of new sessions by the IP stack has a higher priority. Some values are averaged measures. For each conversation two kinds of values are reported:
- counters, for instance packets or byte counters, which are the sum over all connections aggregated for this conversation;
- performance metrics, for instance RTT, SRT, DTT and the likes, which are average values over all samples aggregated for this conversation.

EURT

EURT stands for End User Response Time. This metric is an aggregate of various other measures, meant to give an idea of the perceived overall end user experience. It is taken as the sum of RTT, SRT and DTT. EURT has no meaningful physical counterpart. Only its evolution makes sense and allows the system administrator to check at a glance whether a network zone is behaving as usual or not. Notice that expected correct values for both SRT and DTT depend on the protocol at hand. As a consequence, you should not try to compare two EURT of different applications.

RTT

RTT stands for Round Trip Time. RTT gives an approximation of the time required for a packet to reach its destination, and can be further decomposed into a RTT Server (delay between a data packet sent by the client and its ACK from the server) and a RTT Client (the other way around). As a typ
271. th cacti/resource metrics. Once you have done this, if you reload any of the Data Query you should see the error message replaced by a success indication.

[Figure 13.4: Success, XML files found. Cacti console screenshot (Console > Data Queries > edit), logged in as admin: Name "Junkie Muxer Stats"; Description "Statistics about multiplexers (parsers that route payload)"; XML Path "[path]/cacti/resource/junkie/muxerTable.xml"; Data Input Method "Get SNMP Data (Indexed)"; Associated Graph Templates: Graph Template Name "Junkie Muxer Stats"; Return / Save buttons.]

You can now proceed with device and graph creation.

Creating a device for your central collector

When choosing a host template, select PV Central Collector from the drop down box. Also take a close look at the SNMP settings for this host. You should choose SNMP versi
272. that a single click drives on to more detailed information on the object you are most interested in. If you click on the EURT graph in any of these three dashboards, you make a focus on a shorter period of time (for example a SRT peak); depending on the aggregation level, you either reach a lower aggregation level for a shorter period or the corresponding performance conversations (see Data Aggregation). At the same time you will get the server and zone breakdown for that more specific period of time:
- if you click on a server, you reach the Server application dashboard;
- if you click on a client zone, you reach the Client zone application dashboard.

8.5 TCP Errors / Events

8.5.1 Objectives

These two tables expose to the user many TCP statistics in order to reveal dysfunctions or unusual events.

8.5.2 TCP Errors

For each TCP conversation the following fields are displayed: RD, Server, Client, Duplicate acks, number of SYNs, number of handshakes, number of session ends, number of FINs from client, number of FINs from server, number of RSTs from client, number of RSTs from server, number of timeouts.

By sorting on the RD or duplicate ack fields one can quickly check the worst conversations in terms of TCP performance. Also, numbers of reset packets are usually noteworthy. One can then jump to the IP summary page of either the client or
that was required to build a whole HTML page, including its images, scripts, stylesheets and other related resources. This might also include the resources used to update the page dynamically through AJAX (that is, JavaScript) or by other means.

Initial Sequence Number: The sequence number used in the SYN packet of a TCP connection.

Jitter (Packet delay variation): The jitter is defined as the variance of RTT (average difference between RTT measures and the average RTT). For more details, this equation is used:

$\sqrt{\mathrm{Average}(RTT_1^2, \dots, RTT_n^2) - \left(\frac{RTT_1 + \dots + RTT_n}{n}\right)^2}$

Maximum Transfer Unit (MTU): The MTU that is reported by the probe is the size of the biggest Ethernet frame that was seen in this conversation. It is thus distinct from the physical MTU, although for a large number of packets the observed MTU is expected to converge toward the physical MTU.

Media Access Control (MAC) address: Identifier assigned to each network adapter and used for addressing in the lowest physical layer. As in practice only Ethernet devices are supported, these will always be Ethernet addresses.

Observation period: All reports define the observation time window. The Observation Period is based on a starting time and an ending time provided by the user. These user-defined boundaries will automatically be moved to the closest previous aggregation boundary for the starting time and to the next aggregation boundary for the ending time; this m
[Figure 9.7: FileZilla uploading a license file (FTP session to host 10.1.0.110 as user ftp; passive mode, directory listing of the remote Generic_Licences folder, license file uploaded in binary mode)]

Warning: It is STRONGLY recommended to reboot all the probes after upgrading (use the reboot command in Pulsar).

Note (Security): The FTP access is write-only (no read). It allows only to put a Securactive-signed and encrypted file. This file will be automatically moved, checked and executed by an internal process (ServicePack). In rare cases it
Description column (custom filter operands): tion MAC Address; Source MAC Address; Oriented Max Transfer Unit; Client MTU (Maximum Transmission Unit); Server MTU (Maximum Transmission Unit); Source or Destination OS; Source OS; Destination OS; Total payload from source to destination; Total payload from source to destination; Number of IP packets with a payload; Number of packets with payload sent from client; Number of packets with a payload sent from server; Total retransmission payload; Retransmission payload from client to server; Retransmission payload from server to client; Payload from server to client; Total number of IP packets; Number of packets sent from client; Number of packets sent from server; Poller name (distributed probe); Server Port; Protocol; Protocols stack; Retransmission delay; Retransmission delay from client to server; Retransmission count (both directions); Total retransmission delay indic.; Retransmission delay indic. client to server; Retransmission delay indic. server to client; Oriented retransmission rate; Retransmission rate client to server; Retransmission rate server to client; Retransmission delay from server to client; Total retransmission traffic

Type column: Duration; Duration; Decimal or hexa; Decimal or hexa; Decimal or hexa; Duration; Decimal or hexa; Decimal or hexa; Decimal or hexa; Decimal or hexa; Ethernet Type; Duration; Decimal or hexa; Decimal or hexa; Decimal or hexa; Address or netmask; Address or netmask; Address or netmask; Address or netmask; MAC addre
ually consists of communications between the IP phone and a call manager (IPBX). The two signalization protocols supported are SIP (Session Initiation Protocol) and MGCP (Media Gateway Control Protocol). Please note that SIP may or may not follow the same route as the RTP traffic, while MGCP follows the same route as RTP.

• Media protocol: the role of this protocol is to carry the voice signal from one IP phone to the other IP phone; it can eventually go through the call manager. RTP is the only media protocol supported by Performance Vision. It stands for Real Time Protocol; it usually runs over UDP.

• Control protocol: the role of this protocol is to carry quality and control information from one phone to the other phone. RTCP is the only control protocol supported. It stands for Real Time Control Protocol.

8.3.3 Quality of service & MOS

MOS stands for Mean Opinion Score. It is a numeric indication of the perceived quality of service of VoIP. It is expressed by a number ranging from 1 to 5, 1 corresponding to the lowest quality and 5 to the highest (close to human voice).

MOS Rating: Excellent / Good / Fair / Poor / Bad

Please note that in a real network a MOS score over 4.4 is unachievable. A low MOS will translate into echo and a degraded signal. MOS is in principle the result of a series of subjective tests; in the context of network analysis, MOS will be estimate
Description column (custom filter operands): ute the queries; The system specific error code; Number of errors; The SQL error message; Errors rate; The SQL error status; Type of SQL command; Number of queries; Query packets at applicative level (PDU); Sum of query payload; Average response transfer time; Response packets at applicative level (PDU); Sum of response payload; Database system; Server response time; Number of SRT computed in a time interval; Tagged Link (802.1Q); Server or Client Zone; Zone of the client IP; Zone of the server IP

Type column: Date and time; Date and time; Decimal or hexa; Address or netmask; Address or netmask; Address or netmask; MAC address; MAC address; MAC address; String; Wildcard or regex; Duration; Wildcard or regex; Wildcard or regex; String; Decimal or hexa; String; Rate; String; SQL command; Decimal or hexa; Decimal or hexa; Byte quantity; Duration; Decimal or hexa; Byte quantity; SQL system; Duration; Decimal or hexa; Decimal or hexa; Zone name; Zone name; Zone name

13.2 Custom Filters

Operand: Description
capture begin: Capture begin time
capture end: Capture end time
cifs command: CIFS Command
cifs data payload: Payload of data files transferred without CIFS meta information
cifs domain: CIFS Domain
cifs error count: Number of errors (mostly server side)
cifs fileid: CIFS File ID
cifs meta payload: Metadata payload used fo
Further operands of this table: cifs meta read; cifs meta written; cifs path; cifs query count; cifs query packets; cifs query payload; cifs query write
Description column (custom filter operands): ver; Server response time; Number of SRT computed in a time interval; Number of timeouts sent; Tagged Link (802.1Q); Total traffic in both directions; Server or Client Zone; Zone of the client IP; Zone of the server IP

Type column: String; Port number; Wildcard or regex; Duration; Duration; Decimal or hexa; Duration; Duration; Duration; Rate; Rate; Rate; Duration; Byte quantity; Byte quantity; Byte quantity; Decimal or hexa; Decimal or hexa; Decimal or hexa; Duration; Duration; Decimal or hexa; Decimal or hexa; Duration; Duration; Decimal or hexa; Decimal or hexa; Decimal or hexa; Byte quantity; Zone name; Zone name; Zone name

13.2.2 Source / Destination

Operand column: 0win count; 0win count clt; 0win count srv; app; bandw; bandw clt; bandw srv; begin; capture begin; capture end; ETE; Cl comin; delta session; device; diffserv; diffserv clt; diffserv srv

Description column: Zero Window Size in both directions; Zero Window Size from client; Zero Window Size from server; Total traffic from source to destination; Total traffic from source to destination; Traffic from server to client; Number of SYN packets; Capture begin time; Capture end time; Connection time; Number of successful handshakes; Difference between created sessions and finished sessions; Client or Server Diffserv; Client Diffserv; Server Diffserv

Type column: Decimal or hexa; Decimal or hexa; Decimal or hexa; Application name; Byte quantity; Byte quantity; Byte quantity; Decimal or hexa; Date and time; Date
ver involves a significant loss of performance. There are two main rules:

• Basic port mirroring sessions, also called 1 to 1 port mirroring sessions. This configuration does not generate duplicated packets. However, increasing the number of 1 to 1 port mirroring sessions could produce this phenomenon.

[Figure 5.5: 1 to 1 port mirroring session (switch, server, SecurActive Performance appliance)]

• Multiple port mirroring sessions, also called N to 1 port mirroring sessions. In this specific case the duplicated packets phenomenon can occur.

[Figure 5.6: N to 1 port mirroring (switch, server)]

Warning: Depending on the number of listening points in a multi-switch mode, this phenomenon can occur despite the use of a 1 to 1 port mirroring session. A VLAN is a definition of a set of ports; this means that the port mirroring session is an N to 1 port mirroring session.

5.4.3 Some examples of duplicated packets / non-duplicated packets

In a standard port mirroring configuration (N to 1), it is highly likely that some of the packets transmitted to the appliance are duplicated. In the following example, configuring a port mirroring session on both the IN traffic and the OUT traffic of the switch means that the appliance will receive the same traffic twice.

[Figure 5.7: Example with duplicate
what is a good or a bad response time with no experience of the impact it has on users. For example, indicating that the Network Round Trip Time from site A to site B is 200 ms does not tell you whether the measure is acceptable or not. In the same way, a Server Response Time (SRT) of 100 ms for an application A may be very bad, when the same value would be excellent for an application B. As a consequence, it is important to consider performance metrics as relative values: one of the keys to a good interpretation of performance metrics is to systematically compare a performance metric value to another time period or to another user group.

Mixing up performance metrics for several applications does not make sense. When looking at application performance metrics, you should be very careful to isolate applications for analysis. As a consequence, the metrics which very much depend on the application's specific behaviour should not be considered altogether; this is true for metrics such as EURT (End User Response Time), SRT (Server Response Time) and DTT (Data Transfer Time).

RTT measurements can marginally be impacted by the behaviour of the operating system. Network Round Trip Times for TCP are based on the TCP acknowledgment mechanism. This means that although RTT is generally a good measurement of round trip latency, if the operating system of one of the parties is so overloaded that the acknowledgment process becomes slower, RTT values will be impac
which are the same tables with more information. Even if both tables are alike, there is a subtle difference: by displaying more information (MAC addresses, detected OS, server port, protocol stack), the flow details may split a conversation into different rows, and then the network and applicative metrics are split as well. Conversations is a more synthetic view, whereas Flow Details is a troubleshooting one.

The Raw Data pages are different: the results show the data as stored in the database. The results are sorted chronologically by default. For instance, it is useful for troubleshooting to know, in a global conversation, where exactly the packets with a high metric value are.

2.6 HTTP Analysis

In the Protocols section, the set of pages for HTTP performance allows you to analyze HTTP traffic. From these pages you can easily find the most solicited servers or hosts according to the number of hits, by payload or by response time.

[Screenshot: Top Server IP page (Begin 2013-03-18 04:00, End 2013-03-18 08:00, Aggregate Level 15 minutes, 10 collected results; filters Client Zone, Server Zone, Client/Server IP, Srv Port, VLAN, Device id, HTTP Status, Host, Poller; columns Server IP, Server Zone, Page Count, Total Hit Count, Hits in Error, Resp. Content Length, Page LT (Load Time), Hit RT (Response Time))]
ystem Utilities

[Figure 13.2: Imported Items: Junkie Muxer Stats, Junkie Parser Stats, PV BCN]

If you select one of these, you will face an error message such as:

[Figure 13.3: Error, XML files not found. Cacti "Data Queries [edit]" screen for Junkie Muxer Stats: Description "Statistics about multiplexers/parsers that route payload", XML Path <path_cacti>/resource/junkie/muxerTable.xml, Data Input Method "Get SNMP Data (Indexed)", message "Data Queries: Could not locate XML file"]

You must manually copy the remaining xml files to the expected path, or change the XML Path in each of the data query definitions:

• muxerTable.xml, parserTable.xml and sourceTable.xml in <path_cacti>/resource/junkie

• bcaTable.xml, bcnTable.xml and metricTable.xml in pa
yte of the frame (or less if the frame is smaller), excepting the TOS, TTL and IP checksum fields, are taken into account. The rationale behind skipping the Ethernet header is that we want to pair two packets if only their Ethernet addresses or VLAN tag differ: one is a copy of the other, merely one switch away from it. The rationale behind excluding the TOS, TTL and checksum fields of the IP header is to be able to pair two packets when one is a copy of the other only one hop away from the first one, after traversing one or several routers. Then a packet digest is built from the remaining bytes and compared to those of previously received packets. If one is found with the same signature, the new packet is dropped. If one is found that is older than the oldest expected duplicate, then the packet is allowed to proceed. The age of the oldest expected duplicate is set by a runtime parameter whose default value is 100 ms. This default value should fit most settings.

5.5 Distributed Architecture

5.5.1 How does the distributed infrastructure work?

Appliances hosting only the sniffer component of SPV are called pollers. The appliance hosting the components in charge of collecting, merging and integrating the data from the pollers into a single database is called the collector. The collector appliance may also host one sniffer component.

[Figure: Poller hosting the Sniffer and Data components; SSH (TCP 22) link]
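The pairing rule described above, as an added example written here and not the product's own code: a small de-duplicator that skips the Ethernet header (and one 802.1Q tag), masks the TOS, TTL and IP header checksum before hashing, drops a second sighting inside the window and lets the same signature through again once it is older than the 100 ms default. The 64-byte digest length, the IPv4-only handling and the sample frames are assumptions of this example.

```python
import hashlib
import struct

DIGEST_BYTES = 64     # assumption: bytes of the IP packet hashed (the exact count is cut off above)
MAX_DUP_AGE = 0.100   # seconds: the page's default age of the oldest expected duplicate
ETHERTYPE_VLAN, ETHERTYPE_IPV4 = 0x8100, 0x0800


def packet_digest(frame: bytes):
    """Digest of the IP packet with the Ethernet header skipped and TOS/TTL/checksum masked."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == ETHERTYPE_VLAN and len(frame) >= 18:   # skip one 802.1Q tag as well
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return None                                        # not IPv4: no digest
    head = bytearray(frame[off:off + DIGEST_BYTES])
    head[1] = 0                 # TOS
    head[8] = 0                 # TTL, decremented by every router on the path
    head[10:12] = b"\x00\x00"   # IP header checksum, rewritten together with the TTL
    return hashlib.sha256(bytes(head)).digest()


class Deduplicator:
    def __init__(self, max_age=MAX_DUP_AGE):
        self.max_age = max_age
        self.seen = {}          # digest -> time the packet was last let through

    def accept(self, frame: bytes, now: float) -> bool:
        """True if the frame proceeds, False if it is dropped as a duplicate."""
        d = packet_digest(frame)
        if d is None:
            return True         # non-IPv4 frames are not de-duplicated here
        # Forget signatures older than the oldest expected duplicate: a later genuine sighting passes
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.max_age}
        if d in self.seen:
            return False
        self.seen[d] = now
        return True


def build_frame(src_mac, dst_mac, ttl, checksum, vlan=None):  # constructed sample, not captured traffic
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, 0, ttl, 17, checksum,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + b"\x00" * 8
    tag = struct.pack("!HH", ETHERTYPE_VLAN, vlan) if vlan is not None else b""
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip


def demo():
    """Accept decisions for four sightings of the same constructed packet."""
    a, b, c = b"\x02" * 6, b"\x04" * 6, b"\x06" * 6
    original = build_frame(a, b, ttl=64, checksum=0x1111)
    tagged = build_frame(a, b, ttl=64, checksum=0x1111, vlan=100)   # same packet on a tagged port
    routed = build_frame(b, c, ttl=63, checksum=0x2222)             # same packet one router hop later
    dedup = Deduplicator()
    return [dedup.accept(original, 0.000), dedup.accept(tagged, 0.010),    # first sighting; VLAN tag only
            dedup.accept(routed, 0.020), dedup.accept(original, 0.250)]    # TTL masked; older than 100 ms
```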
