ExtraHop Web UI Guide

Version 5.0

About This Guide

The Web UI Guide provides detailed information about the system features and functionality of the ExtraHop Discover and Command appliances.

This guide provides an overview of the global navigation and information about the controls, fields, and options available throughout the UI.

For additional documentation, visit https://docs.extrahop.com.

We value your feedback. Please let us know how we can improve this document. Send your comments or suggestions to documentation@extrahop.com.

ExtraHop Discover Appliance Overview

ExtraHop Networks is the leader in the operational intelligence market, delivering innovative solutions to ensure that business-critical transactions do not fail. The Discover appliance provides real-time analysis of applications to improve customer experience and quality of service while reducing IT costs.

Combining the capabilities of network performance managers with the superior application-level visibility of user experience monitors, the highly scalable Discover appliance provides the following benefits:

  • End-to-end visibility across networks, applications, databases, and storage arrays
  • Simultaneous real-time analysis of all transactions
  • Trend-based alerting and proactive early warning for potential problems

Discover Appliance Architecture

The Discover appliance leverages recent gains in processing power and storage capacity to perform full-stream reassembly and full content analysis, processing tens of thousands of transactions simultaneously and in real time.

The Discover appliance processes traffic at network speed both in terms of throughput and transactions per second. This level of analysis is delivered by a proprietary network micro-kernel and real-time dynamic datastore. The Discover appliance also includes a rich web UI that provides workflows designed to facilitate the troubleshooting process.

Alerting Engine

The Discover appliance also includes a built-in alerting engine that supports both simple threshold-based alerts and sophisticated trend-based alerts. Trend-based alerts use historical context to learn normal behavior and send notifications when anomalies are detected. Alerts can be configured for most metrics that the Discover appliance records, including web server errors, database errors, payload length, and slow transactions. Trend-based alerts for web server and database errors are applied automatically to all discovered web servers and databases with no configuration.

Lightweight Deployment

You can deploy the Discover appliance as a physical or virtual appliance. Using a network tap, SPAN port, VACL capture, packet forwarding (RPCAP), or ERSPAN technology, the Discover appliance analyzes a copy of the production network traffic in real time, extracting the valuable performance information. Rather than sample a portion of network traffic, the Discover appliance processes every packet at wire speed.

With the Discover appliance’s full-stream reassembly approach, traffic flows are reconstructed to analyze the payload from L2 to L7. The Discover appliance is designed for production enterprise environments, supporting real-world traffic patterns such as IP fragments, out-of-order segments, and microbursts. When packet loss occurs on the monitoring link, the Discover appliance synchronizes and recovers.

ExtraHop Modules

The Discover appliance provides metrics through the following types of modules:

  • L2-L3 Metrics: Multicast, IP, IPv6, ICMP, ICMPv6
  • L4 Metrics: TCP, UDP
  • Naming: DNS
  • Directory Services: LDAP
  • Web: HTTP/HTTPS, AMF, SSL
  • Middleware: MS-RPC, Memcache, IBMMQ
  • Database: IBM DB2, IBM Informix, Microsoft SQL Server, MongoDB, MySQL, Oracle, PostgreSQL, Sybase ASE, Sybase IQ
  • Storage: iSCSI, CIFS, NFS
  • File Transfer: FTP
  • Mail: SMTP
  • Citrix VDI: ICA, CGP
  • Industry-Specific Protocols: Diameter, FIX, HL7, RADIUS, SMPP, Telnet
  • Decryption: Any protocol encrypted over an end-to-end SSL channel can be decrypted using the SSL decryption module.

For more information about ExtraHop modules, visit extrahop.com.

Browser Compatibility

The following browsers are compatible with all ExtraHop appliances.

  • Chrome 45
  • Firefox 41
  • Internet Explorer 10 and 11
  • Safari 9

The Discover appliance Web UI is dynamic and highly customizable. The global navigation provides a framework of elements that remain static as you move around the Web UI. The information and options in the left and content panes of the Web UI change based on your selections in the top menu.

The following figure identifies both global navigation elements and the areas of the Web UI that change based on your selection.

Top Menu

The following elements are located across the top of the Web UI.

  • Dashboards: Provides built-in system dashboards that give you an instant view of the activity on your network. You can also create and share dashboards with other users. For more information, see Navigating Dashboards.
  • Metrics: Provides access to system metrics sources, group metrics, and record queries. For more information, see Navigating Metrics.
  • Alerts: Provides access to the Alerts pages. For more information, see Navigating Alerts.
  • Global Search field: Enables you to type any object or search criteria and find a match on your Discover appliance. If you have an ExtraHop Explore appliance configured, you can also search for saved records.
  • Community icon: Launches a new tab in your web browser with information about ExtraHop forums and other external resources.
  • Help icon: Launches documentation for the page that you are currently viewing.
  • System Settings icon: Provides access to system configuration options.
  • User icon: Enables you to log in and log out of your Discover appliance, change your password, and access API options.

The following elements are located across the top of the Web UI, below the top menu.

  • Pane toggle: Enables you to collapse or expand the left pane.
  • Global Time Selector: Enables you to determine the global time interval that is applied to all system metrics.
  • Recent Pages: Enables you to see the most recent pages you visited. Repeated pages are deduplicated and condensed to save space.
  • Navigation Path: Shows you where you are in the system and provides available pivot points so you can search for the same metrics across multiple protocols, devices, or other swappable criteria.
  • Command menu drop-down: Appears throughout the UI and contains context-sensitive commands for the area you are in. For example, when you click the Dashboards top menu, the command menu at the end of the navigation bar provides options to view dashboard properties and to create a new dashboard.

Left Pane

The left pane changes based on your selection in the top menu and navigation bar.

Content Pane

The content pane changes based on a combination of your top menu and left pane selections.

 

Click Dashboards to view built-in system dashboards that give you an instant view of the activity on your network. You can also create and share dashboards with other users.

Left Pane

When you select Dashboards from the top menu, the left pane displays a dashboard Dock. The dashboard Dock is composed of folders, such as the Dashboard Inbox, System Dashboards, and My Dashboards. These folders contain system dashboards or any dashboards that you create or share. You can create additional folders as needed.

The following fields and controls are available in the Dashboard left pane.

  • Type to filter field: Enables you to limit the displayed list of items.
  • Dashboard sort buttons: Enable you to switch between ascending, descending, and custom sort views.
  • Dashboard Inbox: Contains dashboards that other users have sent you.
  • My Dashboards: Contains dashboards that you create.
  • System Dashboards: Contains the two default system dashboards, which are Network and Activity.
  • New Dashboard: Enables you to create a new dashboard.
  • Command menu button: Enables you to edit the dashboard dock and create a new, empty folder.

Content Pane

When you select Dashboards from the top menu, the content pane displays the selected dashboard.

Command Menu

When you select Dashboards from the top menu, a command menu appears on the far right of the navigation bar.

The following fields and controls are available in the Dashboard command menu.

  • Edit Layout: Customize your dashboards.
  • Dashboard Properties: Edit your dashboard name and access rights.
  • Share: Share your dashboard with another user.
  • Print: Send the dashboard you are viewing to a printer.
  • Modify Sources: Modify the metric sources used in the dashboard.
  • Copy: Save a duplicate of your dashboard.
  • Delete: Remove a dashboard from the system.
  • New Dashboard: Create a new dashboard.
  • Show Descriptions: Displays hover tooltips where available.
  • Presentation Mode: Displays a full-screen view of the metrics on the currently selected dashboard.
  • Widget Slideshow: Displays a slideshow of widgets within the current window.
  • Metric Explorer: Enables you to configure widgets to add to a dashboard.

For more information, see Dashboards.

Click Metrics to view all metric sources, group metrics, and saved record queries.

Left Pane

When you select Metrics from the top menu, the left pane displays all of the types of available metrics sources in the system.

The following fields and controls are available in the Metrics left pane.

  • Type to filter field: Enables you to limit the displayed list of items.
  • Sources: Enables you to select metrics for Applications, Devices, and Networks.
  • Groups: Enables you to select metrics for Activity Groups or to create a Custom Group.
  • Records: Enables you to query records and save queries for future use.

Content Pane

When you select Metrics from the top menu, the content pane displays the last metric source that you viewed. As you continue to select options from the left pane, the content pane displays lists, charts, and metrics for your selection.

For more information, see Metrics.

The Alerts top menu enables you to view system alerts information.

Left Pane

When you select Alerts from the top menu, the left pane displays available alert information in the system.

The following fields and controls are available in the Alerts left pane.

  • Alert History: Enables you to view detected system alerts.
  • Trouble Groups: Enables you to view built-in metrics groups that have been identified as having problems.

Content Pane

When you select Alerts from the top menu, the content pane displays the latest alerts that you viewed.

For more information, see Alerts.

Time Selector

The Time Selector enables you to specify a time interval for the collection and presentation of network data. There are two types of Time Selectors: a Global Time Selector for specifying global time intervals, and a Region Time Selector for specifying region time intervals.

The Global Time Selector is located at the top-left of the navigation bar. The Region Time Selector is located to the top-right of the dashboard region header. For more information, see the Navigation section.

A global time interval is applied across the Discover appliance. Navigating from one area to another will not change the time interval for the metrics you are viewing. This means that the same time interval applies whether you are viewing different metrics across the Web UI or if you are drilling-down to view detailed metrics.

Note: Global time interval information is included at the end of the URL. When copying a URL, make sure that the entire URL is copied to maintain the specified global time interval.

A region time interval is applied by dashboard region and you can set different time intervals per-region. When you add a widget to an existing region, the widget inherits the time interval for that region.

You can apply either a global time interval or a region time interval to a dashboard region. To toggle between time intervals, start by clicking the command menu in the region header. To apply a region time interval, select Use Region Time Selector. To apply a global time interval, select Use Global Time Selector. When the Region Time Selector disappears from the region header, this indicates that the global time interval is applied to the region.

To specify a global or region time interval:

  1. Click the Global Time Selector or the Region Time Selector.
  2. From the Time Interval tab, select one of the following options:
    • Last 30 minutes: Displays the last 30 minutes of data collected.
    • Last 6 hours: Displays the last six hours of data collected.
    • Last day: Displays the last 24 hours of data collected.
    • Last week: Displays the last seven days of data collected.
    • Last: Displays the data collected within a custom time window. For more information, see the Specifying a Time Window section.
    • Custom time range: Displays the data collected within a fixed time range. For more information, see the Specifying a Custom Time Range section.
  3. Click Save.

You can view metrics with different levels of granularity based on the time interval that you specify. For example, if you specify a time interval of 120 minutes or less, you will see metrics in 30-second aggregations, if available. (If 30-second aggregation metrics are unavailable, five-minute or 60-minute aggregation metrics will be displayed depending on availability.) If you specify a time interval between 121 minutes and 24 hours, you will see metrics in five-minute aggregations, if available. A time interval that is greater than 24 hours will display 60-minute metrics. If you have an extended datastore that is configured for 24-hour aggregation metrics, a specified time interval of 30 days or longer will display 24-hour metrics. One-second metrics are available for specific network and device-level data when the specified time interval is less than six minutes. For more information, see the Network > L2 and Device > L2 sections.

Time intervals are preserved across login sessions. The five most recent unique time intervals are also saved in the Time Selector History tab.

To select a previous time interval:

  1. Click the Global Time Selector or Region Time Selector.
  2. Click the History tab.
  3. Select a time interval. Your selection will be applied to the options on the Time Interval tab.
  4. Click Save.

Displaying Running Time and Snapshot Time Intervals

For Dashboards and top-level Metrics pages—where metrics are polled automatically—you will see the running time for the global time interval displayed in the Global Time Selector.

For a detailed metric page or a records query results page—where metrics are not polled automatically—you will see the snapshot of the global time interval, which includes a blue refresh icon and gray text that indicates when the metric or record query was last polled. To reload the metrics or query for the specified time interval, click the refresh icon in the Global Time Selector display.

Specifying a Time Window

To view metrics that occurred at a specific time, you can use the custom time window option in the Time Selector to specify the number of minutes, hours, days, or years from the present.

To specify a custom time window for a global or region time interval:

  1. Click the Global or Region Time Selector and select the Last radio button in the Time Interval tab.
  2. Type the number of units of time.
  3. Click the drop-down list and select minutes, hours, days, weeks, months, or years.
  4. Click Save.

Specifying a Custom Time Range

To view metrics that occurred during a specific time, you can specify a custom time range or you can zoom in on a chart. For more information, see the Zooming in on a Time Range section.

To specify a custom time range:

  1. Click the Global Time Selector or Region Time Selector.
  2. From the Time Interval tab, select Custom Time Range. The drop-down field will display a default time range.
  3. Click the drop-down field. A calendar dialog box opens.
  4. Click a day to specify the start date for the range. One click will specify a single day. Clicking another day will specify the end date for the range.
    Note: Use the back and forward arrows on the calendar to change the month displayed on the calendar.
  5. Click Save.

Comparing Metric Deltas

From the Dashboards page, you can compare a single metric across two time intervals.

Note: Delta comparison is only available for Dashboards. If you save a comparison and navigate to another area of the Discover appliance, the comparison will be disabled temporarily. When you return to the Dashboards area, the delta comparison you saved will be enabled again.

To create a delta comparison for a dashboard region:

  1. Locate the dashboard region containing the metrics you want to compare.
  2. Click the Time Selector. If you applied a global time interval to the dashboard region, click the Global Time Selector in the navigation bar. If you applied a region time interval to the dashboard region, click the Region Time Selector in the upper right corner of the region. For more information, see the Time Selector topic.

  3. Click Compare in the Time Interval tab.
  4. In the Delta Comparison pane, select the time interval to use in the comparison or enter your own custom ending time.

  5. Click Save. On the dashboard, a new chart is overlaid onto the previous chart displaying the metrics for the new time interval.

 

Zooming in on a Time Range

You can click-and-drag across a region in a line chart to zoom in and specify a custom time range in the Time Selector. For example, if you observe a spike in a chart, you can click-and-drag across the spike to zoom in on the activity that occurred in that time range.

Note: This option is only available for time-series charts. It is not available for bar charts, text widgets, or tables.

If you are zooming in on a chart within a dashboard region that has a region time interval applied to it, this time range will become the region time interval for every widget in that region (unless you have applied a global time interval to that dashboard region). The ability to zoom in on a time range is useful for observing other metric activity that occurred in that same time range. For more information, see the Time Selector section.

If the specified time range is valid, it appears green. If the specified time range is less than one minute, the range is invalid and appears red.

Note: Data might not be available for the zoomed time range.

To zoom in and specify a time range in a line chart:

  1. Click and drag your mouse across the chart to select a time range.
  2. Release the mouse button. The graph is redrawn to the specified time range.

The scales on the chart’s axes update to reflect the range of values in the zoomed time range. In addition, the Custom Time Range value in the Time Selector adjusts to reflect the time range in the chart.

If you want to revert from the zoomed time range back to your original time interval, click the undo icon—a magnifying glass with a minus sign—in the Time Selector. For example, if you originally specified "Last 30 minutes" as your time interval, and then perform a series of zoom operations on a chart, you can revert back to your original 30-minute time interval with one click on the undo icon.

Note: The zoomed time ranges are not permanently saved and they will be cleared when you click the undo icon.

User Account

The Discover appliance Web UI requires a user name and a password to access the interface. Before logging in for the first time, contact your Discover appliance administrator to obtain your login credentials.

To log in to the Discover appliance Web UI:

  1. In your browser, navigate to the Discover appliance Web UI at https://[IP address]/extrahop, where [IP address] is the IP address displayed on the LCD at the front of the Discover appliance.
  2. On the login page, in the Username field, enter your Discover appliance user name.
  3. In the Password field, enter your Discover appliance password.
  4. Click Log In.
Note: After deploying the Discover appliance, to log in to the system for the first time, the default user name is admin and the password is admin. You can modify the default credentials with the Discover appliance web administration utility.
Note: The default password for Amazon Web Services (AWS) users is the string of numbers after the -i in the instance ID.

To change your Discover appliance password:

  1. Click Change Password in either of the following locations:
    • Login page
    • The User menu on the navigation bar
  2. In the New password field, type a new password.
  3. In the Confirm password field, retype the new password.
  4. Click Save.

The new password takes effect immediately.

To view your unique user API keys in the Discover appliance Admin UI, click the User icon on the navigation bar, and then click API Access. The page redirects users with administrator privileges to the Discover appliance Admin UI where you can view and create API keys.

To end your current Discover appliance Web UI session, click your user name on the navigation bar, and then click Logout. The Discover appliance Web UI ends the current session and redirects the browser to the login page.

Metric Display

Some pages that display metrics also allow you to do the following:

  • Export Data: Right-click any table, chart, or tile on the page and select Export to Excel or Export to CSV.
  • Sort Metrics: Click the gear icon on the right side of the section to sort the metrics.
    • Sort by Key: Sorts the metrics in that section by the name of the metric.
    • Sort by Value: Sorts the metrics in that section by the number following the name of the metric.
  • Toggle Chart Views: Click the Linear or Log radio button to view the chart with a linear vertical axis or a logarithmic vertical axis.

Drill-Down Functionality

The Discover appliance enables you to drill-down on metrics, so you can track information, such as errors or spikes in traffic, to identify the root causes at the application, network, or device level.

For example, metrics on the Dashboards page display the types of traffic in the network capture. If you see a spike in network traffic, you can isolate the protocol in a chart and navigate to the Networks page to drill-down on the protocol and examine devices associated with the spike in network traffic.

Note: If you have the ExtraHop Explore appliance connected to your network, you can also drill-down on a protocol or metric using Records. For more information, see the Records section.

To drill-down from Dashboards to the application or network level:

  1. Select a dashboard with metrics that you want to view. If you see unusual activity associated with a protocol in a chart, select the protocol in the chart legend to isolate or filter the metrics.
  2. To drill-down to the application or network-level metrics, do one of the following:
    • Click the Go button on a widget.
    • Click the command menu next to the Go button. Hover over Go to network... and click the expanded menu option, which will take you to the associated application or network page for the protocol.
  3. On the application or network page, click the protocol that is causing a spike in network traffic. The Protocols table at the bottom of the page shows the list of devices associated with the protocol activity.
  4. In the Device column of the Protocols table, click the name of the device that is causing the spike in network traffic. The Devices page appears with additional information.

You can also drill-down into metrics on individual Metrics pages. The following example explores top-talking protocols at the network level.

To drill-down from individual Web UI pages to find the top talkers for a protocol (in this example, the L7 protocol):

  1. Click Metrics and then click Networks.
  2. Select a network and click L7 Protocols in the left pane.
  3. Hover over the charts to view any metrics that appear outside the normal range.
  4. Click the legend on the graph to isolate the network-level metrics that you are interested in. The Protocols table at the bottom of the page shows the list of applications associated with the selected protocol. From this list of devices, you can see which device is causing the spike in network traffic.
  5. In the Device column of the table, click the name of the device that is causing the spike in network traffic. The Devices page appears with additional information.

Keyboard Shortcuts

Keyboard shortcuts enable you to quickly navigate across the Discover appliance or perform specific actions with a few keystrokes.

The following keyboard shortcuts apply across the entire Discover appliance.

  • ?: Show or hide a hot key help menu
  • G then S: Go to Dashboard
  • G then A: Go to Alerts
  • G then P: Go to Application Metrics
  • G then N: Go to Network Metrics
  • G then D: Go to Device Metrics
  • G then G: Go to Group Metrics
  • /: Global Search
  • O then M: Open Metric Explorer
  • G then E: Go to Settings
  • G then T: Go to Trigger Editor
  • G then H: Open Help
  • O then Q: View system information
  • Ctrl+S: Save widget configuration

The following keyboard shortcuts only apply to Dashboards.

  • O then L: Toggle edit layout mode
  • O then P: Show dashboard properties
  • C then D: Copy the current dashboard
  • D then D: Delete the current dashboard
  • O then S: Toggle descriptions
  • Ctrl+Shift+F: Toggle presentation mode
  • N then D: Create a new dashboard
  • N then F: Create a new folder
  • O then D: Toggle dock edit mode

Dashboards

The Dashboards page contains default and customizable dashboards that show information to a particular user. Dashboards are stored separately for each user that accesses the Discover appliance. You can share the dashboards you create with other users.

Dashboards are configured primarily with widgets, which link to the full data pages that they represent. For more information, see the Configure a Dashboard section.

The command menu button in the upper right corner of the page contains options for configuring dashboards, specifying the display, and viewing metrics.

The Dashboards page contains a set of keyboard shortcuts to perform common actions. For more information, refer to Keyboard Shortcuts.

To drill-down into metrics from the Dashboards page, click the Go button on a widget or click the command menu button next to the Go button. For more information, see the Drill-Down Functionality section. In addition, you can double-click a widget to navigate to the application, device, or capture page that contains the chart.

You can add flex grids and custom pages to the dashboard dock on the Dashboards page through the Settings section. For more information, see the Flex Grids and Pages sections.

The Dashboards page contains the following types of dashboards:

  • My Dashboards: Displays a list of dashboards that you created. These are the dashboards that you can share with other users.
  • Built-In Dashboards: Displays default system dashboards. These dashboards cannot be deleted, modified, or shared.
  • Dashboard Inbox: Displays a list of dashboards that have been shared with you by other users.

Show or Hide Descriptions

Click the command menu button in the upper right corner of the page, and select Show Descriptions to display highlighting for available descriptions. Hover your mouse over the highlighted box to display the description. Select Hide Descriptions to hide the highlighted boxes.

You can also view descriptions in charts that display traffic from individual ports. Descriptions are provided for protocols that the Discover appliance parses.

View in Presentation Mode

Click the command menu button in the upper right corner of the page, and select Presentation Mode to enter a full-screen display of the metrics on the currently selected dashboard. Click the Exit Presentation Mode button to return to the previous display.

To open a dashboard in presentation mode directly, append /presentation to the URL. For example:

https://<extrahop_ip>/extrahop/#/Dashboard/437/presentation

View in Widget Slideshow

Click the command menu button in the upper right corner of the page, select Widget Slideshow, and select a time increment to view a slideshow of widgets within the current region. Click the X in the upper right corner of the screen to return to the previous display.

View Status Widgets

Status widgets, or service availability widgets, are based on alerts. The service status is displayed in a bar graph with red, orange, yellow, or green bars based on the severity and type of configured alerts.

A user-defined, detailed alert can be associated with a device, group, or application widget. When you configure an alert for a specific metric, any alert of that metric type will appear on the widget. For example, if you configure an alert to fire on HTTP responses, HTTP errors, and HTTP response times, all three metrics appear on the widget. When an alert fires, the bar on the widget associated with that alert is colored based on the severity level set in the alert. If multiple alerts fire on the same widget, the color of the bar reflects the most severe alert. For more information, see the Notifications section.

To display a list of all alerts related to the widget, click Show Related Alerts.

Configure a Dashboard

The Discover appliance Web UI allows you to create and configure dashboards. In addition, you can create and share dashboards for teams or for individual users.

The built-in Activity dashboard contains an overview of network traffic and a group of charts for active protocols. The Command appliance Activity dashboard contains a list of nodes ordered by device count. The Command appliance active protocol charts measure activity for the top seven nodes for each licensed protocol.

To create a dashboard:

  1. Click New Dashboard at the bottom of the left pane (dashboard dock) or from the command menu in the upper right corner of the page.
  2. In the Dashboard Properties pop-up window, review the following:
    • Title: Type a name for the dashboard
    • Author: Type your name
    • Description: Type a brief description of the dashboard
    • Permalink: (Optional) To change the five-character unique identifier in the permalink, click the link and type a meaningful name.

      Note: The permalink name can have up to 100 characters combining letters, numbers, and the following symbols: ._-+)[]. The name cannot contain spaces.

    • Editors: Add editors to your dashboard. For more information, see "Change the Dashboard Properties" in the Dashboard Page Activities section.
    • Theme: Select a radio button to specify a style for the dashboard
  3. Click Create. The new dashboard is populated with a region that contains an unconfigured chart widget and Text Box widget.
  4. To configure the first chart, click inside the Chart area. For more information, see "Configure a Chart" in the Dashboard Configuration Activities section.
  5. To edit text in the text box widget, click inside the Text Box area.
  6. Click Exit Layout Mode when you are satisfied with your changes.

You can expand the region lengthwise to include a maximum of 20 charts that are of minimum height. You can expand the region crosswise to include a maximum of six charts that are of minimum width.

Dashboard Configuration Activities

Add Regions

To add a new region to a dashboard:

  1. Click the command menu button in the upper right corner of the page and select Edit Layout.
  2. From the bottom of the page, click and drag a Region onto the dashboard.
  3. Click Region in the upper left corner of the region and type a new name in the Title field. Click Save.
  4. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Dashboards page.

Add Widgets to a Region

To add a widget to a dashboard region:

  1. Click the command menu button in the upper right corner of the page and select Edit Layout.
  2. Drag-and-drop one of the following widget types onto the region.
    • Chart: This widget is user-defined. For information, see "Configure a Chart" in the Dashboard Configuration Activities section.
    • Alert History: This widget shows the alert history information about the objects in the list. Click Add metric source to customize the alert history.
    • Activity Groups: This widget shows a list of all activity during the selected time interval and cannot be configured.
    • Text Box: This widget provides a space for typing and displaying custom text in a dashboard region. You can format text with the Markdown syntax. For more information, see the Configuring a Text Box Widget in Markdown section.
    Note: If you place a widget on top of another widget, it will appear red, indicating that widgets are overlapping and will not display properly when you click Exit Layout Mode. To create more space in the region for the new widget, expand the region size and then move the widget to a new location until it is no longer red.
  3. Click Save. The widget appears in the region.

    Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

  4. Click the Exit Layout Mode button in the upper right corner of the dashboard to return to the Dashboards screen.

Configure a Chart

As you configure a chart, you can refer to a complete list of built-in and custom metrics.

To configure a chart:

  1. Click the command menu button in the upper right corner of the page and select Edit Layout. Then click anywhere in the chart to open the Widget Configuration dialog. If you do not select Edit Layout, you can also open the Widget Configuration dialog by clicking the command menu in the chart header and then clicking Edit.
  2. In the Widget Configuration dialog, select a chart type to change the appearance of the chart.
    • Area displays the metrics in an area chart showing the count over time.
    • Bar shows the count of the metrics as horizontal bars.
    • Column displays the count of the metrics in tabular form over time.
    • Candlestick displays a dataset or sampleset metric (for example, HTTP server processing time). Viewing options include Summary and Percentile. Drill-downs for Client IP, URI, and Server IP are also available.
    • Heatmap displays a dataset metric as a matrix of frequency, where the median value is expressed as a percentile. For example, a higher percentile (represented by a darker color on the heatmap) indicates a higher value that occurred over time. The heatmap legend shows which color is mapped to specific percentiles:
      • Light: 0-50th percentile
      • Medium-Light: 50-75th percentile
      • Medium-Dark: 75-90th percentile
      • Dark: 90-100th percentile
    • List displays the metrics in a list.
    • Single Value is configured to display one metric only. Set up additional widgets side by side to create multiple tiles.
    • Status displays the count of the metrics in tabular form over time with status information overlaid onto the data.
  3. Click the Add metric source button.
  4. Begin your search for a metric source by typing all or part of a protocol, device, network, or metric of interest. A list of objects that match your search entry will appear, including suggestions listed by Recent Objects, Popular Objects, and Networks. Click the object you want to select as a metric source. A preview chart appears on the right and a metric search field opens.
  5. Begin your metric search by typing all or part of a protocol or metric. A list of built-in and custom metrics that match your search entry will appear. Click to select a metric to display on the chart.
    • (Optional) Click Drilldown to search for detailed metrics such as by host, client IP, server IP, or by URI.
    • (Optional) For dataset metrics, click the drop-down list to display your data as the following statistic values:
      • Summary
      • Percentile
      • Minimum
      • Median
      • Maximum
      • Mean
  6. If you want to remove a metric, click the x button in the upper left corner in the metric field. Or, if you want to replace a metric, click the metric name to open a new search.
  7. (Optional) Click Add Metric to continue adding metrics to display on the chart.
  8. (Optional) Click Add Metric Source to continue adding metric sources to display on the chart.
  9. Click Options in the upper left corner to change the units, show the metric as a rate, change the suffix notation, or change the labels.
  10. Click Save when you are satisfied with your chart.
  11. Click Exit Layout Mode in the upper right corner.

Remove Widgets

To remove widgets from a dashboard:

  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. Click the command menu in the upper right corner of the widget and select Delete.
  3. Click Delete Widget.
  4. Click Exit Layout Mode in the upper right corner of the dashboard to return to the Dashboards page.

Copy Widgets

To copy a widget to another dashboard, right-click any table, chart, or tile on the widget, select Copy to, and select the dashboard to place the widget. The widget appears in the next available slot on the target dashboard.

Print Widgets

To print a widget:

  1. Right-click any table, chart, or tile on the widget and select Print. The print preview appears in a new window.
  2. Click the Theme drop-down list and select a theme.
  3. Click Print Widget.

Remove Regions

To remove a region and all of its widgets from a dashboard:

  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. Click the command menu in the upper right corner of the region and select Delete.
  3. Click Delete Region.
  4. Click Exit Layout Mode in the upper right corner of the dashboard to return to the Dashboards page.

Modify Sources in Regions

To modify metric sources:

  1. Click the command menu in the upper right corner of the page and select Edit Layout.
  2. Click the command menu in the upper right corner of the region and select Modify Sources.
  3. In the Modify Sources window, select the object that you want to change from the list on the right and choose a new metric source. You can also change the title of the region by clicking the region name on the right.
  4. Click Save Region.
  5. Click Exit Layout Mode in the upper right corner of the dashboard to return to the Dashboards page.

Add a Metrics Page to a Dashboard

You can create a dashboard from a metrics page view by clicking the Pin to Dashboard toolbar icon on the top-level metric pages.

To add a new metrics page dashboard to the Dashboards page:

  1. Browse to the metrics page that contains the data you want to add to the dashboard.
  2. Click Pin to Dashboard.
  3. Click OK to confirm. The Discover appliance creates a new dashboard to display the page and adds it to My Dashboards.

Dashboard Page Activities

Edit the Layout

Click the command menu in the upper right corner of the screen, and select Edit Layout to edit a custom dashboard. After making changes, click Exit Layout Mode.

Note: If an error message appears, another user might be making changes. It is best practice for each ExtraHop user to have an individual account.

Change the Dashboard Properties

Click the command menu in the upper right corner of the page, and select Dashboard Properties to configure a new or existing custom dashboard.

Copy a Dashboard

  1. Click the command menu in the upper right corner of the page, and then select Copy.
  2. Select Keep sources if you want an exact copy of the current metrics for the dashboard.
  3. Select Modify sources if you want the same regions as the current dashboard, but with different metric sources. The Discover appliance Web UI creates a copy of the dashboard.

Delete a Dashboard

  1. Click the command menu in the upper right corner of the page, and select Delete.
  2. Click Delete Dashboard in the Are you sure? dialog box.

Organize Dashboards

To organize your dashboards by creating folders:

  1. At the bottom of the left pane, click the configuration button to the right of New Dashboard.
  2. Select New Folder.
  3. Type a name for the folder and click Save.

To add dashboards to a folder:

  1. At the bottom of the left pane, click the command menu to the right of New Dashboard.
  2. Click Edit Dock. In Edit mode, you can organize, edit, and create new dashboards.
  3. Drag-and-drop any of the dashboards you created into a folder.
    Note: If dashboards are sorted in ascending or descending order, the drag-and-drop functionality is disabled. To enable this functionality again, click the sort icon in the upper right header of the dashboard dock until the custom sort icon displays.

  4. Click the right-most button in the panel to save and Exit Edit Mode.

Configure a Text Box Widget in Markdown

The Text Box widget enables you to type and display custom text in a dashboard region. It is a helpful tool for adding notes about a chart or data in a dashboard.

The text widget supports the Markdown syntax, which enables you to format text and add metric variables that display updated metric data dynamically. Markdown is a simple formatting syntax that converts plain text into HTML with non-alphabetic characters, such as “#” or “*”.

A new Text Box widget contains example text that is already formatted in Markdown. To view the applied Markdown format and edit the text, open the Widget Configuration dialog by either:

  1. Clicking anywhere within the text box widget when Edit Layout is selected from the dashboard command menu.
  2. Clicking the text widget command menu and selecting Edit when Edit Layout is not selected.

In the Widget Configuration dialog, as you type in the left Editor pane, the text will dynamically display the HTML output in the right Preview pane.

When you are satisfied with your edits, click Save to keep changes and close the Widget Configuration dialog. Click Cancel to discard changes and close the Widget Configuration dialog.

Formatting Text in Markdown Syntax

The following examples show common Markdown formats that are supported in the Text Box widget. Additional Markdown format examples are provided in the GitHub Guides: Mastering Markdown.

Note: Not all Markdown syntax formatting options are supported in the text widget. For example, adding emojis in Markdown is unsupported. However, adding Unicode block emoticons is supported in the text widget. For more information, see Wikipedia: Emoticons (Unicode block).

Headings

Pound signs (#) format headings. The level of heading is determined by the number of pound signs.

####Example H4 heading.

Unordered lists

A single asterisk (*) before your text formats bulleted lists.

* Example 1

* Example 2

Ordered lists

A single number and period (1.) before your text formats numbered lists.

1. Example 1

2. Example 2

Bold

Double asterisks before and after your text format **bold text**.

Italics

An underscore before the first and last characters formats _italicized text_.

Adding images in Markdown syntax

An exclamation point before the file path enclosed in parentheses formats images. You can add alternative text in square brackets after the exclamation point. You can add images by linking or converting them. Linked images must be on the network and accessible to the Discover appliance.

For example: ![Alt text](/path/to/img.jpg)

Adding Metrics in Markdown Syntax

You can add metric variables to a text widget by writing metric queries in Markdown.

The Markdown format for writing metric queries is: %%metric:<definition>%%, where <definition> is replaced with a JSON-defined structure that is based on the ExtraHop REST API query structure.

Note: The following metric queries are unsupported in the Text Box widget:

  • Time-series queries
  • Multiple object_ids
  • Multiple metric_specs
  • Multiple percentiles

A metric query must contain the following parameters:

  • object_type
  • object_ids
  • metric_category
  • metric_specs

Note: To retrieve the metric_spec value for a metric name, go to Settings > Metric Catalog and search for the metric name. Select the metric, and look for the value in the Spec field in the Parameters pane. For more information, see the Metric Catalog section.

The following examples show you how to write metric queries for application, device, and network objects.

Application queries

To specify the All Activity object, the object_ids is “0.”

This example query shows how you can retrieve HTTP metrics from the All Activity object, and displays the following output: “Getting [value] HTTP requests and [value] HTTP responses from All Activity.”

Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%
HTTP requests and
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from All Activity.

Device queries

You must specify either a client (“_client”) or server (“_server”) in the metric_category. To retrieve metrics for a specific device, specify the device object ID number in object_ids. To retrieve the device object ID (deviceOid), search for the device object in the ExtraHop global search. Select the device from your search results. The “deviceOid=” value will be embedded in the URL query string.

This example query shows how to retrieve metrics from a device client object, and displays the following output: “Getting [value] CLIENT DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [8],
"metric_category": "dns_client",
"metric_specs": [{"name":"rsp_error"}]
}%%
CLIENT DNS response errors from a specific device.

This example query shows how to retrieve metrics from a device server object, and displays the following output: “Getting [value] SERVER DNS response errors from a specific device.”

Getting
%%metric:{
"object_type": "device",
"object_ids": [156],
"metric_category": "dns_server",
"metric_specs": [{"name":"rsp_error"}]
}%%
SERVER DNS response errors from a specific device.

Network queries

To specify All Networks, the object_type is “capture” and the object_ids is “0.” To specify a specific VLAN, the object_type is “vlan” and the object_ids is the VLAN number.

This example query shows how to retrieve metrics for all networks, and displays the following output: “Getting [value] broadcast packets from all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from all networks.

This example query shows how to retrieve metrics for a specific VLAN and displays the following output: “Getting [value] broadcast packets from VLAN 3.”

Getting
%%metric:{
"object_type": "vlan",
"object_ids": [3],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}]
}%%
broadcast packets from VLAN 3.

Group queries

To specify a group, the object_type is “activity_group” or “custom_group.” You must specify either a client (“_client”) or server (“_server”) in the metric_category. The object_ids for the specific group must be retrieved from the REST API Explorer. For more information, see the REST API Explorer section.

This example query shows how to retrieve metrics for an activity group, and displays the following output: “Getting [value] HTTP responses from the HTTP Client Activity Group.”

Getting
%%metric:{
"object_type": "activity_group",
"object_ids": [17],
"metric_category": "http_client",
"metric_specs": [{"name":"rsp"}]
}%%
HTTP responses from the HTTP Client Activity Group.

Detail metric queries

If you want to retrieve detail metrics, your metric query must contain the following parameters:

  • object_type
  • object_ids
  • metric_category
  • metric_specs
    • name
    • key1

Note: The metric_specs must include name and key1 parameters. The name specifies the type of metric, such as “custom_count,” “custom_dset,” and “custom_sset,” and key1 specifies the name of the metric.

The following examples show you how to write detail metric queries.

This example query shows how to retrieve count metrics for all networks and displays the following output: “Getting [value] detail ICA metrics on all networks.”

Getting
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "custom_detail",
"metric_specs": [{
"name":"custom_count",
"key1":"network-app-byte-detail-ICA"
}]
}%%
detail ICA metrics on all networks.

This example query shows how to retrieve a custom dataset statistic with topn keys and percentiles, and displays the following output: “The fifth percentile is: [value].”

The fifth percentile is:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{
"name": "custom_dset",
"key1": "myCustomDatasetDetail",
"key2": "/10.10.7/",
"calc_type": "percentiles",
"percentiles": [5]
}]
}%%
.
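
A pre-save check for the rules this section states (required parameters, one object ID, one metric spec, one percentile, the client or server category rule, and name plus key1 for detail queries), as an added Python example that is not ExtraHop code. The function names and the sample text are constructed for illustration; treating "custom_detail" as the marker of a detail query is an assumption taken from the examples above, and time-series queries are not checked.

```python
import json
import re

# One %%metric:<definition>%% placeholder; the definition may span several lines.
PLACEHOLDER = re.compile(r"%%metric:(.*?)%%", re.DOTALL)
REQUIRED = ("object_type", "object_ids", "metric_category", "metric_specs")
# Object types for which the guide requires a _client or _server category.
ROLE_TYPES = {"device", "activity_group", "custom_group"}


def check_definition(raw):
    """Return the list of problems found in one metric query definition."""
    try:
        query = json.loads(raw)
    except json.JSONDecodeError as exc:
        # Typical cause: a trailing comma before a closing brace.
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(query, dict):
        return ["definition is not a JSON object"]

    problems = [f"missing {key}" for key in REQUIRED if key not in query]

    ids = query.get("object_ids")
    if ids is not None and not (isinstance(ids, list) and len(ids) == 1):
        problems.append("object_ids must contain exactly one ID")

    specs = query.get("metric_specs")
    spec = None  # stays None when there is no single usable spec to inspect
    if specs is not None:
        if isinstance(specs, list) and len(specs) == 1 and isinstance(specs[0], dict):
            spec = specs[0]
        else:
            problems.append("metric_specs must contain exactly one spec")

    percentiles = (spec or {}).get("percentiles")
    if isinstance(percentiles, list) and len(percentiles) > 1:
        problems.append("only one percentile is supported")

    category = str(query.get("metric_category", ""))
    if category == "custom_detail":
        # Assumption: detail queries are recognised by this category.
        if spec is not None:
            problems += [f"detail spec missing {k}" for k in ("name", "key1") if k not in spec]
    elif str(query.get("object_type")) in ROLE_TYPES and not category.endswith(("_client", "_server")):
        problems.append("metric_category must end in _client or _server")
    return problems


def lint_text_box(markdown):
    """Return [(line_number, [problems])] for each placeholder that has problems."""
    findings = []
    matches = list(PLACEHOLDER.finditer(markdown))
    for match in matches:
        problems = check_definition(match.group(1))
        if problems:
            line = markdown.count("\n", 0, match.start()) + 1
            findings.append((line, problems))
    # An opener without its closing %% is never matched, or swallows the next one.
    if markdown.count("%%metric:") != len(matches):
        findings.append((0, ["a %%metric: placeholder is missing its closing %%"]))
    return findings


# Constructed text box content: one valid query followed by three faulty ones.
SAMPLE = '''Getting
%%metric:{
"object_type": "application",
"object_ids": [0],
"metric_category": "http",
"metric_specs": [{"name":"req"}]
}%%
HTTP requests. DNS errors:
%%metric:{
"object_type": "device",
"object_ids": [8, 156],
"metric_category": "dns",
"metric_specs": [{"name":"rsp_error"}]
}%%
Percentiles:
%%metric:{
"object_type": "vlan",
"object_ids": [1],
"metric_category": "custom_detail",
"metric_specs": [{"name": "custom_dset", "percentiles": [5, 95]}]
}%%
Broken:
%%metric:{
"object_type": "capture",
"object_ids": [0],
"metric_category": "net",
"metric_specs": [{"name":"frame_cast_broadcast_pkts"}],
}%%
'''

if __name__ == "__main__":
    for line, problems in lint_text_box(SAMPLE):
        print(f"line {line}: " + "; ".join(problems))
```

Line 0 in the result marks a finding that applies to the text as a whole rather than to one placeholder.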

 

Share a Dashboard

You can share custom dashboards with other ExtraHop users and decide whether to give them view or edit access.

  1. Click Dashboards.
  2. In the left pane, under My Dashboards, click the name of a dashboard.
  3. Click the command menu button in the Navigation bar and select Share.
  4. Specify which users can view the dashboard.
    • To allow all users to view the dashboard, click All users can view; only specified users can edit.
    • To allow only specified users to view the dashboard, click Only specified users can view or edit. Then, in the Specify users area, type the name of a user. Then, in the dropdown list, select Can view. Repeat this process for any additional users.
  5. To allow other users to edit the dashboard, complete the following steps:
    1. In the Specify users area, type the name of a user.
    2. In the dropdown list, select Can edit.
    3. To specify additional users, click the plus sign and then repeat the process.
    Note: Users that can edit a dashboard can also view the dashboard.
  6. Click Save.

Metrics

You can display metrics through the following views:

  • Sources: Displays metrics about applications, devices, and networks.
  • Groups: Displays a select group of devices, filtering out the devices that are not likely to be related to the traffic being examined. Group metrics are aggregated and viewable by all ExtraHop users on the network.
  • Records: Displays record results that are filtered for a protocol page and its associated record formats and objects.

Sources

You can view metrics about the following sources:

  • Applications: This section describes applications. Some applications use multiple devices, and some devices host multiple applications. The Discover appliance provides a set of default applications based on all traffic. You can modify the default application template to suit the needs of your organization, and you can add your own applications.
  • Devices: This section provides information about viewing device metrics to troubleshoot network issues at the device level.
  • Networks: This section describes the network capture attributes, network alerts, and network traffic details. Networks is the entry point into the network capture. The metrics that are collected provide a summary of all network activity retrieved in the capture.

Applications

ExtraHop provides a set of default applications based on all traffic. You can modify the default application template to suit the needs of your organization, and you can add your own applications.

Applications do not always adhere to device boundaries. Some applications use multiple devices, and some devices host multiple applications. You can use Application Inspection Triggers to define application boundaries based on criteria other than a list of devices (for example, URIs or database table names). Defining an application allows you to report on an application based on the subset of network traffic that comprises it, regardless of the devices associated with it. For information about using triggers to define applications, refer to Triggers.

The All Applications page includes a table that lists all devices discovered on your networks. The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information. The counter at the bottom of the table identifies the number of applications currently displayed in the table. The table can show up to 100 applications per page.

The All Applications page contains the following information:

  • Name: Specifies the name of the application.
  • Capture: Specifies the capture point for which the application was defined.
  • Description: Provides a space for an optional, user-defined description.

Overview

The Applications Overview sub-page includes interactive charts that provide an overview of a selected application.

Each chart shows an overview of activity for all active protocols. You can also view details for only certain protocols as well as a summary of a specific time or date.

To show overall details for only certain protocols, select those protocols in the chart legend.

To show a summary of activity for a specific time or date, mouse over the time period of interest.

  • For statistical charts, a pop-up dialog showing a five-number summary appears, including the minimum, lower quartile, median, upper quartile, and maximum values.
  • For area charts, a pop-up dialog showing total count and time appears.

Note: Because area charts are stacked, the total count represented by the number on the left side of the chart is a sum of the count for each individual protocol.

To show a particular region of the chart, click and drag across that region.

To show only a specific protocol in the chart, mouse over the protocol in the chart legend.

To view details for a specific protocol, click it in the chart. The protocol's application page appears.

For more information about working with the charts, refer to Drill-Down Functionality. For information about a specific protocol, refer to that protocol's application topic.

Transactions: Shows the total number of transactions (requests and their responses) for the active protocols excluding SSL and ICA, which are not transactional protocols.

Errors: Shows the total number of errors for the active protocols excluding SSL and ICA.

Processing Time: Shows the total server processing time for the active protocols.

L2 Bytes: Shows the total count of request bytes and response bytes transferred for the active protocols.

Packets: Shows the total count of request packets and response packets transferred for the active protocols.

Custom Page

If a custom page has been assigned to an application, the name of the custom page appears in the left pane.

Edit Page

Click the Edit Page button to perform one of the following actions.

Alert History

The Alert History sub-page provides an alert summary for application-level alerts. The Discover appliance can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

The application Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current application. The Alert History page also includes additional information about trend alerts that have fired.

To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

The Alert History page includes the following information:

Alert History: Displays alerts that have been generated.

  • Time: Displays the time that the alert was generated.
  • Alert: Displays the name of the alert.

For threshold-based alerts, clicking the name of the alert displays the following information:

  • Name: The name of the alert.
  • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
  • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
  • Description: The optional user-defined description of the alert.

For trend alerts, clicking the name of the alert displays the following information:

  • Name: The name of the alert.
  • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
  • View at Time of Alert: The alert graph from when the alert was fired.
  • View Current State: The alert graph of the current trend state of the alert.

Current Trend State: Displays a list of trend alerts assigned to the application.

  • Trend: Displays the name of the trend alert.
  • Stat: Displays the metric that the trend alert is based on.
  • Description: Displays a description of the trend alert.

You can sort the table by the following parameters:

  • All Alerts: Displays alerts created on the Command appliance and the node.
  • Command appliance Alerts: Displays alerts created on the Command appliance only.
  • Local Alerts: Displays alerts created on the node only.

Click the name of the trend alert to view the following information about the alert:

Alert Graphs: Displays the trend alert over time and whether or not it has fired.

  • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.
  • Alert Firing: Indicates the metrics being gathered have met the alert criteria.

Alert Rules: Displays the rules of the trend alert and whether or not it has fired.

  • Alert Condition Nominal: Displays the alert rules in green.
  • Alert Firing: Displays the alert rules in red.

Geomaps

The Geomaps sub-page lists the geomaps associated with the application. Geomaps display worldwide activity based on the metrics defined in that geomap. For more information about geomap settings, refer to Geomaps.

The Geomaps sub-page displays the following information:

  • Geomap: Displays the name of the geomap.
  • Metric: Displays the metric displayed in the geomap.
  • Description: Displays a description of the geomap.

For more information about the geomap interface, refer to Geomap Interface.

L4

The L4 application toolbar includes the following controls:

  • Clients: The chart shows the total round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and the round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and the round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Connections: Displays the TCP connection metrics for the selected time interval.

  • Connected: Specifies the number of connections initiated by the current device. Click to display the peer devices to which the connections were established and the associated round-trip time.
  • Closed: Specifies the number of connections closed to or from the current device. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.
  • Aborted: Specifies the number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.
  • Expired: Specifies the number of connections to or from the current device no longer tracked due to inactivity. Click to display the peer devices with which the connections were associated.
  • Established: Number of connections currently open to or from the current application. Click to display the server IP addresses, hosts, and devices with which connections have been established.
  • Established Max: Maximum number of established connections observed at any point within the selected time interval.

Request Metrics: Displays the request metrics for the selected time interval.

  • L2 Bytes: Displays request bytes for the application within the selected time interval.
  • Packets: Displays request packets for the application within the selected time interval.
  • RTOs: Displays request RTOs for the application as a function of time within the selected time interval. Request RTOs are transmitted out of the client and into the server.
  • Nagle Delays: Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Rcv Wnd Throttles: Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
  • Zero Window: Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.

Response Metrics: Displays the response metrics for the specified time interval.

  • L2 Bytes: Displays response bytes for the application within the selected time interval.
  • Packets: Displays response packets for the application within the selected time interval.
  • RTOs: Displays response RTOs for the application as a function of time within the selected time interval. Response RTOs are transmitted out of the server and into the client.
  • Nagle Delays: Indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Rcv Wnd Throttles: Number of times the advertised receive window limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.
  • Zero Window: Number of zero window advertisements sent by the current device. A zero window indicates that the connection has stalled and the current device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the current device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Web

The Web sub-page provides HTTP information about an application.

The Web application toolbar includes the following controls:

  • Errors: The chart shows the number of HTTP errors (5xx level responses). Mouse over the points to view a summary of a specific time or date. The table lists HTTP URIs in error and the number of times an error occurred.

  • URIs: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists HTTP URIs, number of responses, total time (ms), and processing time (ms) associated with each URI. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Referers: The chart shows the number of HTTP referer URIs identified. Mouse over the points to view a summary of a specific time or date. The table lists the HTTP referer URIs and the count associated with each referer.

  • Clients: The chart shows the total number of client responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses by each client, and total processing time. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of server responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By URI: Displays application metrics by URI.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with HTTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with HTTP responses.
  • Request Packets: The number of packets associated with HTTP requests.
  • Response Packets: The number of packets associated with HTTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending HTTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending HTTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by HTTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving HTTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

HTTP Metrics: Contains the following metrics:

  • Requests: The number of HTTP requests.
  • Requests Aborted: The number of HTTP requests that began transmission but were not sent completely.
  • Responses: The number of HTTP responses.
  • Responses Aborted: The number of HTTP responses that began transmission but were not sent completely.
  • Response Errors: The number of HTTP response errors.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of URIs associated with each status code.

Methods: Displays the HTTP request methods for the selected time interval. The HTTP request methods include GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, and OPTIONS, as well as dynamic method names. Click to display additional per-URI, per-client IP, or per-server IP details.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: The time between the Discover appliance processing the first packet and last packet of HTTP requests. A high value may indicate a large request or network delay.
  • Process: The time between the Discover appliance processing the last packet of HTTP requests and the first packet of their corresponding responses.
  • RspXfer: The time between the Discover appliance processing the first packet and last packet of HTTP responses. A high value may indicate a large response or network delay.
  • RTT: The time between when an HTTP client or server sent a packet requiring immediate acknowledgment and when the acknowledgment was received.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

SSL

The SSL sub-page provides SSL information about an application.

The SSL application toolbar includes the following controls:

  • Certificates: The chart shows the total number of certificates assigned compared with the request and response bytes. Mouse over points to view a summary of a specific time or date.
  • Clients: The chart shows round-trip time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of launches by each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of launches by each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Certificate: Displays application metrics by certificate.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SSL requests.
  • Response L2 Bytes: The number of L2 bytes associated with SSL responses.
  • Request Packets: The number of packets associated with SSL requests.
  • Response Packets: The number of packets associated with SSL responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending SSL requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending SSL responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by SSL clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving SSL requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Session Metrics: Contains the following metrics:

  • Connected: The number of times an SSL handshake was successfully completed.
  • Resumed: The number of times an SSL session was resumed successfully by reusing a session ID or session ticket.
  • Decrypted: The number of SSL sessions decrypted.
  • Aborted: The number of SSL sessions that did not proceed past the SSL handshake.
  • Renegotiated: Specifies the number of times an SSL session was renegotiated successfully after SSL connection setup.
  • Compressed: The number of SSL sessions using compression.
  • SSLv2 Compatible Hello: The number of SSL sessions for which the private key was available, enabling their decryption.

Sessions by Version: The number of times a session used a particular SSL version.

Cipher Suites: Displays the number of times each cryptographic cipher suite for SSL data transfer has been negotiated by the application.

For example, TLS_RSA_WITH_AES_256_CBC_SHA indicates:

  • TLS (Transport Layer Security) is used as the cryptographic encapsulation transport
  • RSA (the Rivest-Shamir-Adleman public key method) is used for the asymmetric cryptographic session setup
  • AES (Advanced Encryption Standard, formerly Rijndael) block cipher is used in 256-bit blocks
  • CBC (Cipher Block Chaining) is used between subsequent AES-256 blocks
  • SHA (Secure Hash Algorithm) is used in the HMAC (Hash Message Authentication Code) to ensure SSL record integrity

For each cipher suite, click the counter to break it down by group members in the table below.
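The naming convention described above, as an added example (not ExtraHop code): a Python parser that splits a cipher suite name into its components and lists the points a reviewer would check for each suite in a set of negotiation counts. The counts are constructed sample data, the function names are hypothetical, and the parser accepts more names than the page's single example, including names without `_WITH_`.

```python
from dataclasses import dataclass
from typing import Optional

KNOWN_HASHES = {"MD5", "SHA", "SHA256", "SHA384"}
MODES = {"CBC", "GCM", "CCM"}
STATIC_KX = {"RSA", "DH", "ECDH", "PSK", "KRB5"}  # no ephemeral Diffie-Hellman
WEAK_ALGORITHMS = {
    "NULL": "no encryption",
    "RC4": "RC4 stream cipher",
    "RC2": "RC2 block cipher",
    "DES": "single DES",
    "DES40": "export-strength DES",
    "3DES": "64-bit block cipher (3DES)",
}

# Constructed sample: suite name -> times negotiated, in the shape of the
# Cipher Suites counters. Not taken from a real appliance.
SAMPLE_COUNTS = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": 700,
    "TLS_RSA_WITH_AES_256_CBC_SHA": 250,
    "TLS_RSA_WITH_RC4_128_MD5": 40,
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA": 10,
}


@dataclass
class Suite:
    name: str
    protocol: str
    key_exchange: Optional[str]  # None for names without _WITH_ (TLS 1.3 style)
    algorithm: str
    bits: Optional[int]          # size token in the name, e.g. 256 in AES_256
    mode: Optional[str]
    hash_name: Optional[str]


def parse_suite(name: str) -> Suite:
    """Split PROTOCOL_KEYEXCHANGE_WITH_CIPHER_HASH into its parts."""
    head, sep, tail = name.partition("_WITH_")
    if sep:
        protocol, _, key_exchange = head.partition("_")
    else:
        protocol, _, tail = name.partition("_")
        key_exchange = None
    if protocol not in ("TLS", "SSL") or not tail or key_exchange == "":
        raise ValueError(f"not a cipher suite name: {name!r}")
    tokens = tail.split("_")
    # Some suites (for example ..._AES_128_CCM_8) carry no trailing hash token.
    has_hash = len(tokens) > 1 and tokens[-1] in KNOWN_HASHES
    hash_name = tokens.pop() if has_hash else None
    bits = next((int(t) for t in tokens if t.isdigit()), None)
    mode = next((t for t in tokens if t in MODES), None)
    return Suite(name, protocol, key_exchange, tokens[0], bits, mode, hash_name)


def review(suite: Suite) -> list:
    """Return review notes for one parsed suite (empty list: nothing flagged)."""
    notes = []
    if suite.key_exchange is not None:
        parts = suite.key_exchange.split("_")
        if "EXPORT" in parts:
            notes.append("export-grade key exchange")
        elif "anon" in parts:
            notes.append("unauthenticated (anonymous) key exchange")
        elif parts[0] in STATIC_KX:
            notes.append("no forward secrecy")
    if suite.algorithm in WEAK_ALGORITHMS:
        notes.append(WEAK_ALGORITHMS[suite.algorithm])
    if suite.bits is not None and suite.bits < 128:
        notes.append("cipher strength below 128 bits")
    if suite.mode == "CBC":
        notes.append("CBC mode")
    if suite.hash_name == "MD5":
        notes.append("MD5-based MAC")
    return notes


def review_counts(counts: dict) -> list:
    """Rows of (suite, count, percent of sessions, notes), busiest first."""
    total = sum(counts.values())
    rows = []
    for name, count in counts.items():
        try:
            notes = review(parse_suite(name))
        except ValueError:
            notes = ["unparseable name"]
        if notes:
            rows.append((name, count, round(100 * count / total, 1), notes))
    return sorted(rows, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, count, share, notes in review_counts(SAMPLE_COUNTS):
        print(f"{count:>5} ({share:>4}%)  {name}: {', '.join(notes)}")
```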

Alerts: Displays the breakdown of alert types sent or received by the current application during the SSL connection. This section displays unencrypted alerts gathered during the SSL handshake and any alerts that were decrypted by the Discover appliance. Alert messages can be exchanged during other stages of the SSL connection. The handshake metrics display the number of times alerts were exchanged during the SSL handshake. The Warning-Close Notify metric displays the number of times various alert types were sent or received by the application.

SSL Metrics: The SSL Metrics line chart displays the rate of new and resumed SSL connections as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Database

The Database sub-page provides database information about an application.

The Database application toolbar includes the following controls:

  • Errors: The chart shows the total count for DB errors. Mouse over the points to view a summary of a specific time or date. The table lists DB error messages and the number of occurrences.
  • Methods: The chart shows responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, number of responses, total time, and processing time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Users: The chart shows the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table displays the list of users, and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Method: Displays application metrics by method.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with database requests.
  • Response L2 Bytes: The number of L2 bytes associated with database responses.
  • Request Packets: The number of packets associated with database requests.
  • Response Packets: The number of packets associated with database responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending database requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending database responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by database clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving database requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

DB Metrics: Contains the following metrics:

  • Requests: The number of database requests.
  • Responses: The number of database responses.
  • Response Errors: The number of database response errors.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

LDAP

The LDAP sub-page provides LDAP information about an application.

The LDAP application toolbar includes the following controls:

  • Errors: The chart shows the number of LDAP errors. Mouse over the chart to view a summary of a specific time or date. The table lists LDAP error messages and the number of times each occurred.
  • DNs: The chart shows the number of Distinguished Name (DN) messages transferred. The table displays the list of DN messages and the count associated with each DN message.
  • Users: The chart shows the number of requests from all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the request count associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with LDAP requests.
  • Response L2 Bytes: The number of L2 bytes associated with LDAP responses.
  • Request Packets: The number of packets associated with LDAP requests.
  • Response Packets: The number of packets associated with LDAP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending LDAP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending LDAP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by LDAP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving LDAP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

LDAP Metrics: Contains the following metrics:

  • Requests: The number of LDAP requests.
  • Responses: The number of LDAP responses.
  • Errors: The number of LDAP errors for the selected time interval.
  • Plain: The number of plain-text LDAP messages exchanged.
  • SASL: The number of encrypted LDAP messages exchanged.
  • Messages: Displays the LDAP messages for the selected time interval, such as BindRequest, BindResponse, UnbindRequest, SearchRequest, SearchResultDone and others. In the LDAP Server view, click the message counter to display clients that issued these messages. In the LDAP Client view, click the message counter to display servers that returned these messages.
  • Error Codes: Displays the LDAP errors for each LDAP error code within the selected time interval, such as invalidCredentials for LDAP error 49. Click the error counter to display devices that experienced these errors. For detailed error information, click Errors.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

DNS

The DNS sub-page provides DNS information about an application.

The DNS application toolbar includes the following controls:

  • Errors: The chart shows the number of DNS query errors (5xx level responses). Mouse over the points to view a summary of a specific time or date. The table lists hosts and the number of query errors associated with each host.
  • Host Queries: The chart shows the total number of host queries compared to processing time during the selected time interval. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists DNS hosts, number of host queries, and the processing time.

  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Host Query: Displays application metrics by host query.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with DNS requests.
  • Response L2 Bytes: The number of L2 bytes associated with DNS responses.
  • Request Packets: The number of packets associated with DNS requests.
  • Response Packets: The number of packets associated with DNS responses.

DNS Metrics: Contains the following metrics:

  • Requests: The number of DNS requests.
  • Request Timeouts: The number of DNS request timeouts. A request timeout occurs when there is a repeated request without a response to the first request.
  • Truncated Requests: The number of DNS requests that were sent but were truncated in transit. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
  • Responses: The number of DNS responses.
  • Response Errors: The number of DNS response errors.
  • Truncated Responses: The number of DNS responses that were sent but were truncated in transit. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.

Requests by Opcode: Displays all request opcode types sent or received by the current application. For each field, click to display the devices to or from which these requests were sent or received.

  • Query: Number of DNS QUERY Opcodes sent or received by the current application. DNS Queries are the most frequently encountered DNS Opcode type.

Responses by Response Code: Displays all response codes broken down by request opcode and request record type sent (if server) or received (if client) by the current device. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD. For each field, click to display the devices to or from which these requests were sent or received.

The response code bar categories include the following:

  • NOERROR: Successful transaction; no error.
  • FORMERROR: Format Error.
  • SERVFAIL: DNS Server Failed.
  • NXDOMAIN: No such domain.
  • NOTIMPL: No handler implemented for this query type.
  • REFUSED: Query administratively refused.
  • UPDATEERR: Error in handling UPDATE request.
  • TSIGERR: Error in handling TSIG request.
  • OTHER: All other response code types.
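The DNS counters and the ERROR/REQUEST_OPCODE:REQUEST_RECORD entry format described above can be reproduced from raw DNS messages. The following is an added example, not ExtraHop code: the function names, the sample packets, the choice to treat every non-NOERROR response as a response error, the mapping of header RCODEs 6-10 to UPDATEERR, and the matching of retransmitted requests by client, server, message ID, and question are all assumptions.

```python
import struct
from collections import Counter

# Header RCODE (low 4 bits of the flags word) mapped to the page's categories.
# Assumption: RFC 2136 codes 6-10 are folded into UPDATEERR. TSIGERR is not
# derived here because it needs the TSIG record, which this sketch skips.
RCODE_CATEGORY = {0: "NOERROR", 1: "FORMERROR", 2: "SERVFAIL", 3: "NXDOMAIN",
                  4: "NOTIMPL", 5: "REFUSED", 6: "UPDATEERR", 7: "UPDATEERR",
                  8: "UPDATEERR", 9: "UPDATEERR", 10: "UPDATEERR"}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
          16: "TXT", 28: "AAAA"}


def parse_message(wire):
    """Parse the 12-byte header and the first question of a DNS message."""
    if len(wire) < 12:
        raise ValueError("shorter than a DNS header")
    msg_id, flags, qdcount = struct.unpack("!HHH", wire[:6])
    info = {"id": msg_id, "is_response": bool(flags & 0x8000),
            "opcode": (flags >> 11) & 0xF, "truncated": bool(flags & 0x0200),
            "rcode": flags & 0xF, "qname": None, "qtype": None}
    if qdcount:
        labels, pos = [], 12
        while True:
            if pos >= len(wire):
                raise ValueError("question name runs past end of message")
            length = wire[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer not expected in question")
            if pos + length > len(wire):
                raise ValueError("label runs past end of message")
            labels.append(wire[pos:pos + length].decode("ascii", "replace").lower())
            pos += length
        if pos + 4 > len(wire):
            raise ValueError("question section cut short")
        info["qname"] = ".".join(labels)
        info["qtype"] = struct.unpack("!H", wire[pos:pos + 2])[0]
    return info


def tally_dns(packets):
    """Count the page's DNS metrics from (src, dst, wire) tuples in capture order."""
    counts, outstanding = Counter(), set()
    for src, dst, wire in packets:
        try:
            m = parse_message(wire)
        except ValueError:
            counts["malformed"] += 1
            continue
        if not m["is_response"]:
            key = (src, dst, m["id"], m["qname"], m["qtype"])
            counts["requests"] += 1
            counts["truncated_requests"] += m["truncated"]
            if key in outstanding:
                # Repeated request with no response to the first one yet.
                counts["request_timeouts"] += 1
            outstanding.add(key)
        else:
            outstanding.discard((dst, src, m["id"], m["qname"], m["qtype"]))
            counts["responses"] += 1
            counts["truncated_responses"] += m["truncated"]
            category = RCODE_CATEGORY.get(m["rcode"], "OTHER")
            if category != "NOERROR":
                counts["response_errors"] += 1
            opcode = OPCODES.get(m["opcode"], "OPCODE%d" % m["opcode"])
            record = QTYPES.get(m["qtype"], "TYPE%s" % m["qtype"])
            counts["%s/%s:%s" % (category, opcode, record)] += 1
    return counts


def build(msg_id, flags, qname, qtype):
    """Construct a one-question DNS message (sample data for this example)."""
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


# Constructed capture: one client, one server, four transactions.
C, S = "10.0.0.5", "10.0.0.53"
SAMPLE = [
    (C, S, build(1, 0x0100, "www.example.com", 1)),      # A query
    (S, C, build(1, 0x8180, "www.example.com", 1)),      # NOERROR
    (C, S, build(2, 0x0100, "nosuch.example.com", 28)),  # AAAA query
    (S, C, build(2, 0x8183, "nosuch.example.com", 28)),  # NXDOMAIN
    (C, S, build(3, 0x0100, "slow.example.com", 1)),     # A query
    (C, S, build(3, 0x0100, "slow.example.com", 1)),     # retransmitted, no reply yet
    (S, C, build(3, 0x8182, "slow.example.com", 1)),     # SERVFAIL
    (C, S, build(4, 0x0100, "big.example.com", 16)),     # TXT query
    (S, C, build(4, 0x8380, "big.example.com", 16)),     # NOERROR with TC bit set
]

if __name__ == "__main__":
    for name, value in sorted(tally_dns(SAMPLE).items()):
        print(name, value)
```

A rising count of truncated responses or of NXDOMAIN entries for a single client is easier to interpret once it is clear that both come straight from header bits rather than from payload inspection.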

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Processing Time: Displays the mean processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

Click the graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

ICA

The ICA sub-page provides ICA information about an application.

The ICA application toolbar includes the following controls:

  • Users: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists users, the number of launches by each user, and the login time, load time, network latency, and round-trip time for each user. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Applications: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists applications, the number of launches by each application, and the login time, load time, network latency, and round-trip time for each application. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Clients: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of launches by each client, and the login time, load time, network latency, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of launches by each server, and the login time, load time, network latency, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Auth Domains: The chart shows the total number of launches compared to load time. Mouse over the points to view a five-number summary of load time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists domains, the number of launches by each domain, and the login time, load time, network latency, and round-trip time for each domain. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By User: Displays application metrics by user.
  • By Application: Displays application metrics by application. When a Citrix flow is opaque to analysis, whether because of lost segments or RC5 encryption, the reported application name is ICA or CGP.
  • By Auth Domain: Displays application metrics by auth domain.

For example, Client Bytes is a top-level metric showing how many client bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Client Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Client L2 Bytes: The number of L2 bytes transmitted by the Citrix ICA client.
  • Server L2 Bytes: The number of L2 bytes transmitted by the Citrix ICA server.
  • Client Packets: The number of packets transmitted by Citrix ICA clients.
  • Server Packets: The number of packets transmitted by the Citrix ICA server.
  • Client RTOs: The number of retransmission timeouts caused by congestion when clients were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Server RTOs: The number of retransmission timeouts caused by congestion when servers were sending Citrix ICA messages. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Client Nagle Delays: The number of connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Server Nagle Delays: The number of connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. In some cases, disabling Nagle's Algorithm can mitigate the problem. On the BIG-IP Application Delivery Controller, the Nagle setting in the TCP profile should be disabled and ack_on_push should be enabled.
  • Client Zero Window: The number of zero window advertisements sent by clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Server Zero Window: The number of zero window advertisements sent by servers. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

ICA Metrics: Contains the following metrics:

  • Client Messages: The number of Citrix ICA client messages transmitted.
  • Server Messages: The number of Citrix ICA server messages transmitted.
  • Client CGP Messages: The number of CGP messages sent by the Citrix ICA client. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
  • Server CGP Messages: The number of CGP messages sent by the Citrix ICA server. The Client Gateway Protocol (CGP) encapsulates Citrix ICA traffic in support of Session Reliability.
  • Launches: The number of Citrix ICA sessions that were launched. This count includes encrypted sessions.
  • Aborts: The number of Citrix ICA sessions that were initiated but closed before a Citrix application finished loading.
  • Encrypted: The number of Citrix ICA sessions that used an encryption method other than Basic. Certain metrics are not available for these sessions.

Screen Updates Per Second: Displays the number of screen updates per second as a function of time over the selected time interval.

Load Time (ms): The amount of time from the beginning of the flow until the Discover appliance detects traffic on one of the following virtual channels: Clipboard, Citrix Windows Multimedia Redirection, Citrix Control Virtual Channel, or Zero Latency Font and Keyboard. Subsequent application data launched over the same session is recorded as a launch but does not factor into the load time. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the load time metrics. Click the chart to display a statistical distribution of load time per application for the selected time interval.

Network Latency (ms): Displays the detected network latency between the ICA client and server as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the network latency metrics. Click the chart to display a statistical distribution of client latency per application for the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Application Launches: Displays the number of ICA launches as a function of time over the selected time interval. The chart is annotated with red data points to indicate aborts. The volume of aborts is denoted by the height of red bars under the chart. Click the red dot to see per-server or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

App Client Bytes: Click the chart to display the total bytes per application transmitted within the selected time interval. Click the legend next to the application name to filter the information by application in the Bytes by Virtual Channels table below.

App Server Bytes: Click the chart to display the total bytes per application transmitted within the selected time interval. Click the legend next to the application name to filter the information by application in the Bytes by Virtual Channels table below.

Bytes by Virtual Channel: Displays the breakdown of ICA throughput by virtual channel. If a specific application is selected in the App Client Bytes and App Server Bytes charts above, virtual channel information is displayed specific to the selected application.

  • Name: Name of the application.
  • Client Bytes: Represents the client byte count for the currently selected application in the above chart.
  • Server Bytes: Represents the server byte count for the currently selected application in the above chart.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Storage - NAS

The Storage - NAS sub-page provides storage information about an application.

The NAS application toolbar includes the following controls:

  • Errors: The chart shows the number of Storage - NAS errors. Mouse over the points to view a summary of a specific time or date.

    The table lists Storage - NAS error messages and the number of times each occurred.

  • Warnings: The chart shows the number of Storage - NAS warnings.
  • Files: The chart shows responses compared with access time. Mouse over the points to view a five-number summary of access time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists files, number of responses, and the access time (ms) associated with each file.

  • Users: The chart shows responses compared with request and response bytes. Mouse over the chart to see summaries of a specific date or time. The table lists users and the number of responses, request bytes, response bytes, and access time associated with each user.

  • Clients: The chart shows access time. Mouse over the points to view a five-number summary of access time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and access time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows access time. Mouse over the points to view a five-number summary of access time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and access time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By File: Displays application metrics by file name.
  • By User: Displays application metrics by user.

For example, Client Bytes is a top-level metric showing how many client bytes were transmitted in and out of the application within the selected time interval. Selecting By Client IP in the drop-down list while mousing over the Client Bytes counter shows which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with NAS requests.
  • Response L2 Bytes: The number of L2 bytes associated with NAS responses.
  • Request Packets: The number of packets associated with NAS requests.
  • Response Packets: The number of packets associated with NAS responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending NAS requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending NAS responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by NAS clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving NAS requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Storage - NAS Metrics: Contains the following metrics:

  • Responses: The number of NAS responses.
  • Response Errors: The number of NAS response errors.
  • Response Warnings:
  • Reads: The number of NAS read operation requests.
  • Writes: The number of NAS write operation requests.
  • FS Info: The number of NAS file system metadata queries.
  • Locks: The number of NAS lock operation requests.

Access Time (ms): The time to access a file on a CIFS or NFS partition. For CIFS, the access time is measured by timing the first READ or WRITE on every flow. For NFS, the access time is measured by timing non-pipelined commands for every READ and WRITE.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Read, Write, and FSInfo Bytes: Displays the total bytes per application transmitted within the selected time interval. Mouse over the graph to see the byte count for each metric at a specific moment in time.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Memcache

The Memcache sub-page provides Memcache information about an application.

The Memcache application toolbar includes the following controls:

  • Errors: The chart shows the number of Memcache errors. Mouse over the chart to view a summary of a specific time or date. The table lists Memcache error messages and the number of times each occurred.
  • Hits: The chart shows the total count for Memcache hits (values returned from the server to the client in response to "get" requests). Mouse over the chart to view a summary of a specific time or date. The table lists Memcache keys and the total count associated with each.
  • Misses: The chart shows the total count for Memcache misses ("get" requests for which the specified key was not found). Mouse over the chart to view a summary of a specific time or date. The table lists Memcache keys and the total count associated with each.
  • Clients: The chart shows round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with Memcache requests.
  • Response L2 Bytes: The number of L2 bytes associated with Memcache responses.
  • Request Packets: The number of packets associated with Memcache requests.
  • Response Packets: The number of packets associated with Memcache responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending Memcache requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending Memcache responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by Memcache clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving Memcache requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

Memcache Metrics: Contains the following metrics:

  • Requests: The number of Memcache requests.
  • No-Replies: The number of Memcache requests for which a response was not necessarily expected, and none was received.
  • Responses: The number of Memcache responses.
  • Hits: The number of items matched and returned in response to Memcache GET requests.
  • Misses: The number of items requested but not received in response to Memcache GET requests. Misses are counted even if the server did not explicitly inform the client of the miss (for example, if the GET was a quiet request).
  • Errors: The number of errors sent by the Memcache server in response to client requests. Some responses other than the default response are not considered errors because they are usually expected to occur during normal operation. For example, the NOT_FOUND status code is not considered an error. In the Memcache text protocol analysis, only ERROR, CLIENT_ERROR, and SERVER_ERROR responses are considered errors.
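The counting rules in the list above (hits and misses per requested key, no-replies, and only ERROR, CLIENT_ERROR, and SERVER_ERROR treated as errors) can be applied to Memcache text-protocol traffic as follows. This is an added example, not ExtraHop code: the function names, the sample exchanges, and the input shape of already-paired (request, response) byte strings are assumptions.

```python
from collections import Counter

# Per the page, only these text-protocol status lines count as errors;
# NOT_FOUND and similar expected outcomes do not.
ERROR_STATUSES = {b"ERROR", b"CLIENT_ERROR", b"SERVER_ERROR"}
RETRIEVAL = {b"get", b"gets"}


def parse_response(resp):
    """Return (keys delivered in VALUE blocks, first token of each status line)."""
    found, statuses, pos = [], [], 0
    while pos < len(resp):
        eol = resp.find(b"\r\n", pos)
        if eol < 0:
            break
        parts = resp[pos:eol].split()
        pos = eol + 2
        if len(parts) >= 4 and parts[0] == b"VALUE" and parts[3].isdigit():
            found.append(parts[1])
            # Skip the data block by its declared length plus the trailing
            # CRLF, so stored bytes are never mistaken for a status line.
            pos += int(parts[3]) + 2
        elif parts:
            statuses.append(parts[0])
    return found, statuses


def tally_memcache(transactions):
    """Count metrics from (request, response) pairs; response is None if absent."""
    counts = Counter()
    for request, response in transactions:
        line = request.split(b"\r\n", 1)[0].split()
        if not line:
            continue
        command, args = line[0].lower(), line[1:]
        counts["requests"] += 1
        counts["method:" + command.decode("ascii", "replace")] += 1
        if response is None:
            if args and args[-1] == b"noreply":
                counts["no_replies"] += 1
            continue
        counts["responses"] += 1
        found, statuses = parse_response(response)
        if command in RETRIEVAL:
            counts["hits"] += len(found)
            # A miss is a requested key the server did not return; the text
            # protocol never reports it explicitly.
            counts["misses"] += len([key for key in args if key not in found])
        counts["errors"] += sum(status in ERROR_STATUSES for status in statuses)
    return counts


# Constructed exchanges between one client and one server.
SAMPLE = [
    (b"get user:1 user:2\r\n", b"VALUE user:1 0 5\r\nalice\r\nEND\r\n"),
    # The stored value is the 7 bytes "ERROR\r\n"; it must not count as an error.
    (b"get note:7\r\n", b"VALUE note:7 0 7\r\nERROR\r\n\r\nEND\r\n"),
    (b"delete user:9\r\n", b"NOT_FOUND\r\n"),
    (b"set user:3 0 0 3 noreply\r\nbob\r\n", None),
    (b"incr user:1 1\r\n",
     b"CLIENT_ERROR cannot increment or decrement non-numeric value\r\n"),
    (b"bogus\r\n", b"ERROR\r\n"),
]

if __name__ == "__main__":
    for name, value in sorted(tally_memcache(SAMPLE).items()):
        print(name, value)
```

The second sample exchange shows why the parser follows the declared value length: a cached value that happens to contain the bytes ERROR would otherwise inflate the error counter.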

Methods: Displays the Memcache methods for the selected time interval.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of URIs associated with each status code.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Cache Hits and Misses: Displays the number of hits and misses as a function of time over the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

AAA

The AAA sub-page provides AAA information about an application.

The AAA application toolbar includes the following controls:

  • Errors: The chart shows the number of AAA errors. Mouse over the points to view a summary of a specific time or date. The table lists the AAA error messages and number of occurrences.
  • Clients: The chart shows processing time for all clients. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client as well as total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows processing time for all servers. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, as well as total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with AAA requests.
  • Response L2 Bytes: The number of L2 bytes associated with AAA responses.
  • Request Packets: The number of packets associated with AAA requests.
  • Response Packets: The number of packets associated with AAA responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending AAA requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending AAA responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by AAA clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving AAA requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

AAA Metrics: Contains the following metrics:

  • Requests: The number of AAA requests.
  • Responses: The number of AAA responses.
  • Errors: The number of AAA errors for the selected time interval.
  • Aborts: The number of aborted AAA sessions.
  • RADIUS Requests: The number of RADIUS requests.
  • Diameter Requests: The number of Diameter requests.

Methods: Displays the selected method types for the AAA client or server.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

MongoDB

The MongoDB sub-page provides MongoDB database information about an application.

The MongoDB application toolbar includes the following controls:

  • Errors: The chart shows the number of MongoDB errors. Mouse over the chart to view a summary of a specific time or date. The table lists MongoDB error messages and the number of times each occurred.
  • Methods: The chart shows the total count compared to the mean time (ms). Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, count, total time, and mean time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Users: The chart shows the number of responses and errors from all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Database: Displays application metrics by database.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted from the application within the selected time interval. Selecting By Client IP in the drop-down list while mousing over the Request Bytes counter shows which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with MongoDB requests.
  • Response L2 Bytes: The number of L2 bytes associated with MongoDB responses.
  • Request Packets: The number of packets associated with MongoDB requests.
  • Response Packets: The number of packets associated with MongoDB responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending MongoDB requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending MongoDB responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by MongoDB clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving MongoDB requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

MongoDB Metrics: Contains the following metrics:

  • Requests: The number of MongoDB requests.
  • Responses: The number of MongoDB responses.
  • Errors: The number of errors sent or received within the selected time interval.

Methods: Displays the methods MongoDB uses to authenticate clients. Click the counter to display additional per-client or per-server IP address details.

The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the cursor over each component to display a five-number statistical summary.

  • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

IBMMQ

The IBMMQ sub-page provides information about the IBM WebSphere MQ protocol in an application.

The IBMMQ application toolbar includes the following controls:

  • Errors: The chart shows the number of IBMMQ errors. Mouse over the chart to view a summary of a specific time or date. The table lists IBMMQ error messages and the number of times each occurred.
  • Warnings: The chart shows the IBMMQ warnings (4xx error messages) transferred. The table lists IBMMQ warning messages and the number of times each occurred.
  • PUT/GET Ratio: The chart shows the total PUT and GET counts for all server IPs. Mouse over the chart to view a summary of a specific time or date. The table lists server IP addresses, the host and device associated with each server, and PUT and GET count for each server.
  • Clients: The chart shows round-trip time for all clients. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, and round-trip time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows round-trip time for all servers. Mouse over the points to view a five-number summary of round-trip time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, and round-trip time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Queue: Displays application metrics by queue name.
  • By Channel: Displays application metrics by channel.

For example, Request Bytes is a top-level metric showing how many request bytes were transmitted in and out of the application within the selected time interval. Select By Client IP in the drop-down list while mousing over the Request Bytes counter to view which client IP addresses originated these requests.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with IBMMQ requests.
  • Response L2 Bytes: The number of L2 bytes associated with IBMMQ responses.
  • Request Packets: The number of packets associated with IBMMQ requests.
  • Response Packets: The number of packets associated with IBMMQ responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending IBMMQ requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending IBMMQ responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by IBMMQ clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving IBMMQ requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

IBMMQ Metrics: Contains the following metrics:

  • Requests: The number of IBMMQ requests.
  • Responses: The number of IBMMQ responses.
  • Client Messages: The number of IBMMQ client messages sent or received.
  • Server Messages: The number of IBMMQ server messages transferred.
  • Errors: The number of IBMMQ errors for the selected time interval.
  • Warnings: The number of IBMMQ warnings for the selected time interval.
  • Server to Server: The number of IBMMQ server-to-server message types transferred.
  • Client to Server: The number of IBMMQ client-to-server message types transferred.

Methods: Displays the IBMMQ methods for the selected time interval.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

MQGET and MQPUT: Displays the GET and PUT count for the current device over the selected time interval.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

Note: When the system detects only server-to-server traffic, the metrics that are gathered for client-to-server transactions only are zero or blank.

SMTP

The SMTP sub-page provides SMTP information about an application.

The SMTP application toolbar includes the following controls:

  • Senders: The chart shows bytes transferred compared with message size. Mouse over points to view a summary of message size. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists sender domains (HELO or EHLO command argument), bytes transferred, and mean message sizes.

  • Recipients: The chart shows bytes transferred compared with message size. Mouse over points to view a summary of message size. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists recipient email addresses (RCPT TO command argument), bytes received, and mean message sizes.

  • Sender Domains: The chart shows bytes transferred. Mouse over the points to view a summary of a specific time or date. The table lists sender domains and the bytes transferred for each.
  • Errors: The chart shows the number of SMTP errors that occurred. Mouse over the points to view a summary of a specific time or date. The table lists SMTP error messages and the number of times each occurred.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SMTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with SMTP responses.
  • Request Packets: The number of packets associated with SMTP requests.
  • Response Packets: The number of packets associated with SMTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending SMTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending SMTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by SMTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving SMTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

SMTP Metrics: Contains the following metrics:

  • Requests: The number of SMTP requests.
  • Responses: The number of SMTP responses.
  • Errors: The number of responses by error for the application.
  • Sessions: The number of SMTP sessions.
  • Encrypted Sessions: The number of encrypted SMTP sessions.

Methods: Contains metrics for SMTP commands.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

FTP

The FTP sub-page provides FTP information about an application.

The FTP application toolbar includes the following controls:

  • Errors: The chart shows the number of FTP errors. Mouse over the points to view a summary of a specific time or date. The table lists FTP error messages and the number of times each occurred.
  • Warnings: The chart shows the FTP warnings (4xx error messages) transferred. The table lists the FTP warning messages and the number of times each occurred.
  • Users: The chart shows the number of responses and errors for all users. Mouse over the chart to view a summary of a specific time or date. The table lists users and the number of responses and errors associated with each user.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By User: Displays application metrics by user.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with FTP requests.
  • Response L2 Bytes: The number of L2 bytes associated with FTP responses.
  • Request Packets: The number of packets associated with FTP requests.
  • Response Packets: The number of packets associated with FTP responses.
  • Request RTOs: The number of retransmission timeouts caused by congestion when clients were sending FTP requests. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: The number of retransmission timeouts caused by congestion when servers were sending FTP responses. A retransmission timeout is a one-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: The number of zero window advertisements sent by FTP clients. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.
  • Response Zero Window: The number of zero window advertisements sent by servers while receiving FTP requests. A device advertises a zero window when it cannot process incoming data as quickly as it is arriving.

FTP Metrics: Contains the following metrics:

  • Requests: The number of FTP requests.
  • Responses: The number of FTP responses.
  • Response Warnings: The number of responses with an FTP status code of 4xx.
  • Response Errors: The number of FTP response errors.

Methods: Displays the FTP commands for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP commands:

  • CWD: Allows the user to work with a different directory or dataset for file storage or retrieval without altering their login or accounting information.
  • DELE: Causes the file specified in the path name to be deleted at the server site.
  • EPSV: Puts connection into extended passive mode.
  • LIST: Gets information for a specific working directory, if explicitly specified, or the current one if none is specified.
  • MDTM: Gets last-modified time of a file.
  • MLSD: Gets the contents of a directory.
  • PASS: Is a Telnet string specifying the user's password. This command must be immediately preceded by the user name command.
  • PASV: Requests the server-DTP to "listen" on a data port (which is not its default data port) and to wait for a connection rather than initiate one on receipt of a transfer command.
  • PORT: Is a HOST-PORT specification for the data port to be used in data connection.
  • PWD: Causes the name of the current working directory to be returned in the reply.
  • QUIT: Terminates a USER, and if file transfer is not in progress, the server closes the control connection. If file transfer is in progress, the connection will remain open for the result response, and the server will then close it.
  • RETR: Causes the server-DTP to transfer a copy of the file, specified in the path name, to the server.
  • SIZE: Gets the size of a file.
  • STOR: Causes the server-DTP to accept the data transferred via the data connection, and to store the data as a file at the server site.
  • SYST: Used to find out the type of operating system at the server.
  • TYPE: Puts the transfer mode into ASCII or Binary mode.

Status Codes: Displays the FTP reply codes for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Examples of FTP reply codes:

  • 1xx: Positive Preliminary reply
  • 2xx: Positive Completion reply
  • 3xx: Positive Intermediate reply
  • 4xx: Transient Negative Completion reply
  • 5xx: Permanent Negative Completion reply
  • 6xx: Protected reply

Examples of specific reply codes:

  • 200: OK
  • 221: Service closing control connection
  • 225: Data connection open
  • 226: Closing data connection
  • 227: Entering passive mode
  • 230: User logged in – proceed
  • 250: Requested file action okay
  • 500: Syntax error, command unrecognized. This may include errors such as command line too long.
  • 501: Syntax error in parameters or arguments
  • 502: Command not implemented
  • 503: Bad sequence of commands
  • 504: Command not implemented for that parameter
  • 530: Not logged in
  • 550: Requested action not taken – file not available
  • 553: Requested action not taken – filename not allowed
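
The FTP Metrics, Methods, and Status Codes counters described above can be reproduced from a control-channel capture. The following Python sketch is an added example, not ExtraHop code: the capture lines are constructed, and treating Response Errors as 5xx replies, the 530 threshold, and all function names are assumptions made here.

```python
import re
from collections import Counter, defaultdict

REPLY = re.compile(r"^(\d{3})([ -]|$)")   # code, then " " (final) or "-" (multiline)

A, B = "192.0.2.10", "198.51.100.7"       # documentation-range addresses

# Constructed capture: (client IP, "C" for command or "S" for reply, line)
FTP_SAMPLE = [
    (A, "C", "USER alice"),
    (A, "S", "331 User name okay, need password"),
    (A, "C", "PASS constructed-secret"),
    (A, "S", "230-Welcome to the constructed server"),
    (A, "S", "226 is quoted in this banner, it is not a reply"),
    (A, "S", "230 User logged in, proceed"),
    (A, "C", "CWD /pub"),
    (A, "S", "250 Requested file action okay"),
    (A, "C", "PASV"),
    (A, "S", "227 Entering Passive Mode (192,0,2,1,195,80)"),
    (A, "C", "RETR report.csv"),
    (A, "S", "425 Can't open data connection"),
    (A, "C", "QUIT"),
    (A, "S", "221 Service closing control connection"),
] + [
    (B, "C", "USER admin"),
    (B, "S", "331 User name okay, need password"),
    (B, "C", "PASS constructed-guess"),
    (B, "S", "530 Not logged in"),
] * 3


def redact(line):
    """Mask the PASS argument so cleartext passwords never reach a log."""
    verb, _, arg = line.partition(" ")
    return f"{verb} ****" if verb.upper() == "PASS" and arg else line


def summarize(events):
    """Return (totals, methods, status_codes, by_client) for a capture."""
    totals, methods, status_codes = Counter(), Counter(), Counter()
    by_client = defaultdict(Counter)
    open_multiline = {}                    # client -> code of an unfinished reply

    for client, direction, line in events:
        if direction == "C":
            words = line.split()
            if words:
                totals["requests"] += 1
                methods[words[0].upper()] += 1
            continue

        m = REPLY.match(line)
        pending = open_multiline.get(client)
        if pending is not None:
            # Inside "230-...": only "230 <text>" ends the reply; every other
            # line, even one that starts with three digits, is banner text.
            if not (m and m.group(1) == pending and m.group(2) != "-"):
                continue
            del open_multiline[client]
        elif m is None:
            continue                       # not a reply line
        elif m.group(2) == "-":
            open_multiline[client] = m.group(1)
            continue

        code = m.group(1)
        totals["responses"] += 1
        status_codes[code] += 1
        by_client[client][code] += 1
        if code[0] == "4":
            totals["warnings"] += 1        # Response Warnings: 4xx
        elif code[0] == "5":
            totals["errors"] += 1          # assumption: Response Errors are 5xx
    return totals, methods, status_codes, by_client


def failed_logins(by_client, threshold=3):
    """Clients with at least `threshold` 530 (Not logged in) replies."""
    return sorted(c for c, codes in by_client.items() if codes["530"] >= threshold)


if __name__ == "__main__":
    totals, methods, status_codes, by_client = summarize(FTP_SAMPLE)
    print(dict(totals))
    print("methods:", dict(methods))
    print("status codes:", dict(status_codes))
    print("repeated 530 from:", failed_logins(by_client))
    print(redact("PASS constructed-secret"))
```

The per-client breakdown corresponds to the By Client IP detail view; a client that accounts for most of the 530 replies is worth a closer look in the Clients table.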

The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.

  • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: Specifies TCP round trip time in milliseconds. Large round-trip time indicates that network latency is high.

On the charts below, you can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Time Range.

The Transactions Per Second graph displays the number of FTP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

FIX

The FIX sub-page provides FIX information about an application.

The FIX application toolbar includes the following controls:

  • Errors: The chart shows the number of FIX errors. Mouse over the points to view a summary of a specific time or date. The table lists FIX error messages and the number of times each occurred.
  • Senders: The chart shows the number of FIX senders. Mouse over the points to view a summary of a specific time or date. The table lists senders and the count associated with each sender.
  • Targets: The chart shows the number of FIX targets. Mouse over the points to view a summary of a specific time or date. The table lists targets and the count associated with each target.
  • Clients: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses from each client, and the total time and processing time for each client. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and the total time and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Target: Displays application metrics by target.
  • By Sender: Displays application metrics by sender.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: Displays request bytes for the application as a function of time over the selected time interval.
  • Response L2 Bytes: Displays response bytes for the application as a function of time over the selected time interval.
  • Request Packets: Displays request packets for the application as a function of time over the selected time interval.
  • Response Packets: Displays response packets for the application as a function of time over the selected time interval.
  • Request RTOs: Specifies the number of times the client delayed TCP retransmissions and missed server acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
  • Response RTOs: Specifies the number of times the server delayed TCP retransmissions and missed client acknowledgments. A retransmission timeout is a 1-second stall in the TCP connection flow due to excessive retransmissions.
  • Request Zero Window: Specifies the number of client-side zero window advertisements. A zero window indicates the connection has stalled because the client cannot handle the rate of data the server is sending.
  • Response Zero Window: Specifies the number of server-side zero window advertisements. A zero window indicates the connection has stalled because the server cannot handle the rate of data the client is sending.

FIX Metrics: Contains the following metrics:

  • Requests: Specifies the number of requests for the application.
  • Responses: Specifies the number of responses for the application.
  • Response Errors: Specifies the number of responses by error for the application.

Methods: Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.

Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
  • RTT: TCP round-trip time in milliseconds. Large round-trip time indicates that network latency is high.

Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Response Time Breakdown: Displays the area chart containing median round-trip time, request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

VoIP

The VoIP sub-page provides VoIP information about an application.

SIP Invites: Displays the number of SIP invites as a function of time over the selected time interval.

RTP Messages by Codec: Displays the number of RTP messages by codec as a function of time over the selected time interval. Click the chart to view a table with the total number of messages broken down by codec.

VoIP Throughput: Displays the number of VoIP packets transmitted as a function of time over the selected time interval.

SIP

The SIP sub-page provides SIP information about an application.

The SIP application toolbar includes the following controls:

  • Errors: The chart shows the number of SIP errors. Mouse over the points to view a summary of a specific time or date. The table lists the URIs in error and the number of times an error occurred.
  • Initiators: Displays the list of initiators establishing connections over the selected time interval.
  • URIs: The chart shows the total number of responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists the URIs, number of responses, total time (ms), and processing time (ms) associated with each URI. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Methods: The chart shows the total count compared to the processing time (ms). Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists methods, total time (ms), and processing time (ms) associated with each method. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Clients: The chart shows the total number of client responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists client IP addresses, the host and device associated with each client, the number of responses by each client, and total processing time. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

  • Servers: The chart shows the total number of server responses compared to processing time. Mouse over the points to view a five-number summary of processing time (minimum, lower quartile, median, upper quartile, and maximum values). The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

Application Details: Specifies the type of additional application information displayed. IP detail views display directly monitored IP addresses and IP addresses that appear via routed traffic. IP addresses that appear via routed traffic are preceded by the word via. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Client IP: Displays application metrics by the client IP addresses.
  • By Server IP: Displays application metrics by the server IP addresses.
  • By Initiator: Displays application metrics by initiator.
  • By URI: Displays application metrics by URI.

L2-L4 Metrics: Contains the following metrics:

  • Request L2 Bytes: The number of L2 bytes associated with SIP requests.
  • Response L2 Bytes: The number of L2 bytes associated with SIP responses.
  • Request Packets: The number of packets associated with SIP requests.
  • Response Packets: The number of packets associated with SIP responses.

SIP Metrics: Contains the following metrics:

  • Requests: The number of SIP requests.
  • Responses: The number of SIP responses.
  • Response Errors: The number of SIP errors for the selected time interval.

Methods: Displays the SIP methods for the selected time interval.

Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of IP addresses associated with each status code.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Server Processing Time: Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

RTP

The RTP sub-page provides RTP information about an application.

Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Sender IP: Displays application metrics by the sender IP addresses.
  • By Receiver IP: Displays application metrics by the receiver IP addresses.
  • By Codec: Displays application metrics by codec.

L2-L4 Metrics: Contains the following metrics:

  • L2 Bytes: The number of L2 bytes associated with RTP transactions.
  • Packets: The number of packets associated with RTP transactions.

RTP Metrics: Contains the following metrics:

  • Messages: The number of messages associated with RTP transmissions.
  • Drops: The number of packets associated with RTP transmissions which were lost in transit.
  • Duplicates: The number of duplicate messages associated with RTP transmissions.
  • Out of Order: The number of packets associated with RTP transmissions where the sequence number did not match the sequence number that the Discover appliance was expecting. The reordering may have been introduced at the point of origin or an intermediary. This may result in decreased call quality.

RTP Messages by Codec: The number of RTP messages broken down by codec.

Throughput: The throughput (in bits per second) over the selected time interval.

Message Metrics: The number of drops, duplicates, and out of order messages associated with RTP transmissions over the selected time interval.

Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

MOS: The mean opinion score calculated for packets associated with RTP transmissions.
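
How a passive monitor can derive the Drops, Duplicates, Out of Order, and Jitter values described above from observed packets, as an added Python example rather than ExtraHop's implementation. It assumes the interarrival jitter estimator from RFC 3550 (the Jitter wording above matches that RFC's definition), counts a packet as out of order when it arrives after a higher-numbered one, and runs on constructed packets; the class and field names are hypothetical.

```python
SEQ_MOD = 1 << 16   # RTP sequence numbers are 16 bits and wrap around

# Constructed stream, 8 kHz clock, 20 ms packets (160 timestamp units each):
# (sequence number, RTP timestamp, arrival time in microseconds)
RTP_SAMPLE = [
    (65534,    0,      0),
    (65535,  160,  20000),
    (0,      320,  45000),   # sequence wraps; packet arrives 5 ms late
    (2,      640,  80000),   # 1 has not arrived yet
    (1,      480,  82000),   # late arrival: out of order, no longer missing
    (2,      640,  83000),   # duplicate of an earlier packet
    (5,     1120, 140000),   # 3 and 4 never arrive: two drops
]


class RtpStreamStats:
    """Per-stream counters. Sets grow without bound, which is fine for a sample."""

    def __init__(self, clock_rate):
        self.clock_rate = clock_rate
        self.messages = self.duplicates = self.out_of_order = 0
        self.jitter = 0.0
        self._highest = None        # highest extended sequence number seen
        self._seen = set()
        self._missing = set()
        self._last_transit = None

    def observe(self, seq, rtp_ts, arrival_us):
        self.messages += 1
        self._update_jitter(rtp_ts, arrival_us)
        if self._highest is None:
            self._highest = seq
            self._seen.add(seq)
            return
        # Signed distance from the highest sequence number, modulo 2**16,
        # so that 65535 -> 0 counts as +1 and not as a jump backwards.
        half = SEQ_MOD // 2
        delta = ((seq - self._highest % SEQ_MOD + half) % SEQ_MOD) - half
        ext = self._highest + delta
        if ext in self._seen:
            self.duplicates += 1
            return
        self._seen.add(ext)
        if ext > self._highest:
            self._missing.update(range(self._highest + 1, ext))
            self._highest = ext
        else:
            self.out_of_order += 1
            self._missing.discard(ext)

    def _update_jitter(self, rtp_ts, arrival_us):
        # RFC 3550: J += (|D| - J) / 16, with D the change in transit time
        # between consecutive packets in arrival order, in timestamp units.
        # (32-bit RTP timestamp wrap is ignored in this short sample.)
        arrival_units = arrival_us * self.clock_rate // 1_000_000
        transit = arrival_units - rtp_ts
        if self._last_transit is not None:
            d = abs(transit - self._last_transit)
            self.jitter += (d - self.jitter) / 16.0
        self._last_transit = transit

    @property
    def drops(self):
        return len(self._missing)   # gaps that were never filled


def analyze(packets, clock_rate):
    stats = RtpStreamStats(clock_rate)
    for seq, rtp_ts, arrival_us in packets:
        stats.observe(seq, rtp_ts, arrival_us)
    return {
        "messages": stats.messages,
        "drops": stats.drops,
        "duplicates": stats.duplicates,
        "out_of_order": stats.out_of_order,
        "jitter": int(stats.jitter),   # unsigned integer, timestamp units
    }


if __name__ == "__main__":
    result = analyze(RTP_SAMPLE, clock_rate=8000)
    print(result)
    print("jitter in ms:", result["jitter"] * 1000 / 8000)
```

Jitter is reported in timestamp units, so converting it to milliseconds requires the codec's clock rate.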

RTCP

The RTCP sub-page provides RTCP information about an application.

Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

  • By Sender IP: Displays application metrics by the sender IP addresses.
  • By Receiver IP: Displays application metrics by the receiver IP addresses.
  • By Canonical Name: Displays device metrics by canonical name.

L2-L4 Metrics: Contains the following metrics:

  • L2 Bytes: The number of L2 bytes associated with RTCP transactions.
  • Packets: The number of packets associated with RTCP transactions.

RTCP Messages: Contains the following metrics:

  • Sender Report Messages: The number of packets transmitted by the sender from the beginning of the transmission to the time this sender report packet was generated.
  • Sender Report Drops: The number of packets that were lost by the sender since the beginning of reception.
  • Receiver Report Messages: The number of packets transmitted by the receiver from the beginning of the transmission to the time this receiver report packet was generated.
  • Receiver Report Drops: The number of packets that were lost by the receiver since the beginning of reception.

Message Types: The number of RTCP records broken down by message type.

Packets Lost: The number of packets lost broken down by sender and receiver.

Sender Report Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

Receiver Report Jitter: An estimate of the statistical variance of the RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

DHCP

The Applications DHCP page provides the following metrics and controls about applications that are sending or receiving DHCP traffic.

  • Errors: Displays a chart that shows the number of DHCP errors.

  • Clients: Displays chart and table information about DHCP client activity. The chart shows the total number of client responses compared to processing time.

    The table lists client IP addresses, the host and device associated with each client, the number of requests by each client, and total processing time.

  • Servers: Displays chart and table information about DHCP server activity. The chart shows the total number of server responses compared to processing time. The orange bars represent a confidence interval around the median value bounded by the 25th and 75th percentile values.

    The table lists server IP addresses, the host and device associated with each server, the number of responses from each server, and processing time for each server. Mouse over the orange bars to view the mean time, standard deviation, and count for each metric.

For each of the following metrics, you can hover over the count number and view the information by Server IP or by Client IP.

L2-L4 Metrics:

  • Request L2 Bytes: Displays the number of L2 bytes associated with DHCP requests.
  • Response L2 Bytes: Displays the number of L2 bytes associated with DHCP responses.
  • Request Packets: Displays the number of packets associated with DHCP requests.
  • Response Packets: Displays the number of packets associated with DHCP responses.

DHCP Metrics:

  • Requests: Displays the number of DHCP requests.
  • Responses: Displays the number of DHCP responses.
  • Errors: Displays the number of DHCP errors.

Requests by Message Type: Displays the number of DHCP requests broken out by the message type.

Responses by Message Type: Displays the number of DHCP responses broken out by the message type.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

Processing Time: Displays the median processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics.

Devices

This section provides information about viewing device metrics to troubleshoot network issues at the device level.

The Devices page includes a table that lists all devices discovered on your networks. The counter at the bottom of the table identifies the number of devices currently displayed in the table. The table can show up to 1,000 devices per page.

The Devices table contains the following columns:

  • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If no name is discovered, a NIC manufacturer-based identifier is assigned by looking at the MAC address. If the MAC address range is not registered or belongs to a private MAC address space, the name echoes the MAC address (for example, Device 00000c0789b1). To the left of the device name, a device type icon identifies activity primarily associated with this device. Mousing over the device name shows a description of the device type, such as:
    • WWW server
    • DB (database) server
    • File server
    • Load balancer
    • Gateway
    • Custom device
  • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon as determined by the MAC OUI lookup displays to the left of the MAC address.
  • VLAN: The Virtual Local Area Network (VLAN) of the device. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.
  • IP Address: The last IP address the device used to communicate on the network. By default, ARP traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address field is left blank.
  • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Feb 23 09:01.
  • Description: Provides a space for an optional, user-defined description.

The Devices page also includes a search feature that uses plain text or regular expressions to locate the metrics for specific devices on the network. For more information, refer to Device Search.

Viewing Device Details

To view information about a specific device:

  1. On the Devices page, click a device to view its details.

    The device L2 page appears.

  2. Click the name of the device in the left panel to manage the device's assignments.

If a device is licensed for limited analysis, the device details page displays a yellow bar that denotes which metrics may be incomplete or unavailable. For more information about controlling which devices receive limited analysis and which devices are added to the whitelist, refer to Device Limits.

Edit the Name

To edit the device name:

  1. Click on the device in the Devices table. On the device page, click the edit icon to the right of the Name field.

  2. In the Name text box, enter a new name for the device.
  3. Click OK.

Edit the Vendor

To edit the device vendor:

  1. On the device page, click the icon to the right of the Vendor field.
  2. In the Edit Device Vendor dialog box, click a vendor icon.
    OR
    Click Custom and enter a new name in the Vendor text box.
  3. Click OK.

Add a Description

To add an optional description for the device:

  1. On the device page, click the edit icon to the right of the Description field.
  2. In the Description text box, enter a description for the device.
  3. Click OK.

Assign Alerts

To assign alert types to the list of active device alerts:

  1. On the device page, click the add icon to the left of the Alerts field.

  2. In the Assign Alerts dialog box, select the device alerts that you want to show in the network capture.
  3. In the Filter text box, provide an optional filter string to filter the list of alerts by name.
  4. Click OK.

Remove Alerts

To remove alerts from the list of active device alerts:

  1. Go to the device page and click the Alerts tab.
  2. Click the delete icon to the left of the alert that you want to delete.

To remove an alert assignment:

  1. Click Settings and then click the Alerts icon.
  2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the device.

Assign a Tag

To assign a tag to a device:

  1. Go to the device page and click the Tags tab.
  2. Click the + icon next to Tags and enter a name in the text box.
  3. Click OK.

Remove a Tag

To remove a tag:

  1. Go to the device page and click the Tags tab.
  2. Click the delete icon to the left of the tag that you want to remove.

Assign a Device to a Group

To assign a device to a custom group:

  1. Go to the device page and click the Groups tab.
  2. Click the + icon next to Groups.
  3. Click the drop-down list to select a custom group, or enter a different name to create a new custom group.
  4. Click OK.

Remove a Device from a Group

To remove a device from a custom group:

  1. Go to the device page and click the Groups tab.
  2. Click the delete icon to the left of the group.

Assign a Trigger

To assign a trigger to a device:

  1. Go to the device page and click the Triggers tab.
  2. Click the + icon next to Triggers and select the checkbox next to each trigger you want to associate with the device.
  3. Click OK.

Remove a Trigger

To remove a trigger:

  1. Go to the device page and click the Triggers tab.
  2. Click the delete icon to the left of the trigger that you want to remove.

Assign Custom Pages

To assign custom pages to a device:

  1. On the device page, click the Pages tab to see the pages assigned to the device.
  2. Click the add icon to the left of the Pages field to assign previously defined pages that you want to show in the device.
  3. In the Assign Pages dialog box, select the device custom page(s) that you want to show in the network capture.
  4. In the Filter text box, provide an optional filter string to filter the list of pages by name.
  5. Click OK.

Remove Custom Pages

To remove pages from the list of active device custom pages:

  1. On the device page, click the Pages tab to see the pages assigned to the device.
  2. Click the delete icon to the left of the page to remove it from the list.

Assign a Device to a Flex Grid

To assign the device to a flex grid:

  1. Go to the device page and click the Flex Grids tab.
  2. Click the + icon next to Flex Grids and select the checkbox next to the grid(s) where you want the device to appear.
  3. Click OK.

Remove a Device from a Flex Grid

To remove the device from a flex grid:

  1. Go to the device page and click the Flex Grids tab.
  2. Click the delete icon to the left of the flex grid.

Assign a Geomap

To assign a geomap:

  1. Go to the device page and click the Geomaps tab.
  2. Click the + icon next to Geomaps and select the checkbox next to each geomap you want to associate with the device.
  3. Click OK.

Remove a Geomap

To remove a geomap:

  1. Go to the device page and click the Geomaps tab.
  2. Click the delete icon to the left of the geomap.

View All Assignments

Click the All tab to view all assignments to the device.

A network capture collects data on numerous network entities. The Discover appliance can automatically discover devices, virtual machines, applications, and device containers. The ExtraHop auto-discovery feature includes the following methods for discovering devices:

  • By-IP device discovery that allows for better device management in environments that make heavy use of IP aliasing

  • Layer-2 device discovery that discovers devices by MAC address (default)

  • Layer-3 device discovery that simplifies deployment by allowing users to specify a range of IP addresses behind routers to be discovered as devices

  • Layer-3 device container discovery that allows the definition of devices consisting of one or more IP addresses behind routers

You can filter searches to find specific devices or network entities. For example, the Devices page includes Find controls, which are located below the toolbar, to help you locate specific devices in the network capture.

By default, the search feature performs a substring search on the value entered in the Find text box. For example, if you submit the letter z for a name search, then the list of devices returned by the search includes all devices that have a letter z in the name, regardless of position.

If the search string value starts and ends with a forward slash (/), the portion of the input between the slashes is interpreted as a regular expression. The regular expression must use PostgreSQL syntax. Refer to PostgreSQL documentation for more information.

Searches can also be filtered by the following device attributes:

  • any: Matches a substring in any device element.
  • ip address: Matches a substring in the device IP address. The IP address criteria can include CIDR notation in IP address/subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
  • name: Matches a substring in the device name. The name criteria can include the DHCP name, NETBIOS name, or DNS name.
  • node: Matches a substring in the node name.
  • mac address: Matches a substring in the device MAC address.
  • tag: Matches a substring in the user-defined device tag.
  • type: Matches a substring to a specified device attribute type. When you select type, the Find text box becomes a drop-down list. In the Find drop-down list, select from the following:
    • Activity: Includes the metric types that were active in the selected time interval. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with the custom type set to HTTP Server.
    • Device type: Includes Gateway, Firewall, Load Balancer, File Server, and Custom Device.
    • Class: Includes Node, Remote, Custom, and Pseudo.
  • vendor: Matches a substring in the device vendor name as determined by the MAC object ID (OID) lookup.
  • vlan: Matches a substring in the device Virtual Local Area Network (VLAN) tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

To use the Find controls to create a filtered search:

  1. Go to a page that includes a device list, such as Networks, Devices, or Groups.

  2. In the Find field, enter search string characters.

    Note: The device attribute filter is set to any by default, which applies the search string to all device attributes. You can adjust the search string to apply to a particular device attribute, such as the device name or the MAC address.
  3. In the by drop-down list, select the device attribute that you want to use in the search.
    Note: If you use the type attribute in your search, the Find field becomes a drop-down list that is populated with attributes to choose from.
  4. Click Search.

    The device list is populated with the devices that match the search criteria.
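The Find rules described above (substring by default, /.../ as a regular expression, CIDR notation for the ip address attribute) can be modelled offline. The following is an added example, not ExtraHop code: the device records are constructed, the function names are hypothetical, and Python's re module stands in for the PostgreSQL regular expression engine, so syntax details can differ from the appliance.

```python
import ipaddress
import re

# Constructed sample inventory; keys mirror the attributes in the "by" list.
DEVICES = [
    {"name": "web-zeta-01", "ip address": "10.10.4.21",
     "mac address": "00:00:0c:07:89:b1", "tag": "prod", "vlan": "120"},
    {"name": "db-core-02", "ip address": "10.10.200.7",
     "mac address": "00:50:56:aa:10:02", "tag": "prod", "vlan": "130"},
    {"name": "printer-lobby", "ip address": "192.168.5.40",
     "mac address": "3c:52:82:1f:00:9a", "tag": "office", "vlan": "20"},
    {"name": "v6-gateway", "ip address": "2001:db8:0:1::1",
     "mac address": "00:1b:21:3c:4d:5e", "tag": "edge", "vlan": "1"},
]


def parse_find(text):
    """Return ("regex", body) for /body/ input, otherwise ("substring", text)."""
    if len(text) >= 2 and text[0] == "/" and text[-1] == "/":
        return "regex", text[1:-1]
    return "substring", text


def _in_network(value, net):
    """True if value is an IP address inside net; non-addresses never match."""
    try:
        return ipaddress.ip_address(value) in net
    except ValueError:
        return False


def build_matcher(text, by):
    """Turn one Find string into a predicate over a single attribute value."""
    kind, body = parse_find(text)
    if kind == "regex":
        try:
            rx = re.compile(body)  # stand-in for PostgreSQL regex matching
        except re.error as exc:
            raise ValueError(f"invalid regular expression: {exc}") from None
        return lambda value: rx.search(value) is not None
    # CIDR is only tried for the ip address attribute and only when a prefix
    # length is present, so "10.10.4.2" stays a substring search.
    if by == "ip address" and "/" in body:
        try:
            net = ipaddress.ip_network(body, strict=False)
        except ValueError:
            pass  # not a valid network: fall through to substring matching
        else:
            return lambda value: _in_network(value, net)
    # Assumption: substring matching is case-sensitive in this model.
    return lambda value: body in value


def find_devices(devices, text, by="any"):
    """Return the names of devices whose selected attribute(s) match text."""
    match = build_matcher(text, by)
    hits = []
    for dev in devices:
        values = dev.values() if by == "any" else [dev.get(by, "")]
        if any(match(v) for v in values):
            hits.append(dev["name"])
    return hits


if __name__ == "__main__":
    print(find_devices(DEVICES, "z"))
    print(find_devices(DEVICES, r"/^db-.*\d{2}$/", by="name"))
    print(find_devices(DEVICES, "10.10.0.0/16", by="ip address"))
    print(find_devices(DEVICES, "2001:db8::/32", by="ip address"))
```

A string such as 10.10.0.0/16 contains a slash but does not start and end with one, so it is treated as CIDR rather than as a regular expression.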

Overview

The Devices Overview sub-page includes interactive charts that provide an overview of a selected device.

Each chart shows an overview of activity for all active protocols. You can also view details for only certain protocols as well as a summary of a specific time or date.

To show overall details for only certain protocols, select those protocols in the chart legend.

To show a summary of activity for a specific time or date, mouse over the time period of interest.

  • For statistical charts, a pop-up dialog showing a five-number summary appears, including the minimum, lower quartile, median, upper quartile, and maximum values.
  • For area charts, a pop-up dialog showing total count and time appears.

Note: Because area charts are stacked, the total count represented by the number on the left side of the chart is a sum of the count for each individual protocol.

To show a particular region of the chart, click and drag across that region.

To show only a specific protocol in the chart, mouse over the protocol in the chart legend.

To view details for a specific protocol, click it in the chart. The protocol's application page appears.

For more information about working with the charts, refer to Drill-Down Functionality. For information about a specific protocol, refer to that protocol's application topic.

Transactions: Shows the total number of transactions (requests and their responses) for the active protocols excluding SSL and ICA, which are not transactional protocols.

Errors: Shows the total number of errors for the active protocols excluding SSL and ICA.

Processing Time: Shows the total server processing time for the active protocols.

Custom Page

If a custom page has been assigned to a device, the name of the custom page appears in the left panel.

Edit Page

Click the Edit Page button to perform one of the following actions.

Alert History

The Alert History sub-page provides an alert summary for network-level alerts. The Discover appliance can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

The device Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current device. The Alert History page also includes additional information about trend alerts that have fired.

To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

The Alert History page includes the following information:

Alert History: Displays alerts that have been generated.

  • Time: Displays the time that the alert was generated.
  • Alert: Displays the name of the alert.

For threshold-based alerts, clicking the name of the alert displays the following information:

  • Name: The name of the alert.
  • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
  • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
  • Description: The optional user-defined description of the alert.

For trend alerts, clicking the name of the alert displays the following information:

  • Name: The name of the alert.
  • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
  • View at Time of Alert: The alert graph from when the alert was fired.
  • View Current State: The alert graph of the current trend state of the alert.

Current Trend State: Displays a list of trend alerts assigned to the application.

  • Trend: Displays the name of the trend alert.
  • Stat: Displays the metric that the trend alert is based on.
  • Description: Displays a description of the trend alert.

You can sort the table by the following parameters:

  • All Alerts: Displays alerts created on the Command appliance and the node.
  • Command appliance Alerts: Displays alerts created on the Command appliance only.
  • Local Alerts: Displays alerts created on the node only.

Click the name of the trend alert to view the following information about the alert:

Alert Graphs: Displays the trend alert over time and whether or not it has fired.

  • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.
  • Alert Firing: Indicates the metrics being gathered have met the alert criteria.

Alert Rules: Displays the rules of the trend alert and whether or not it has fired.

  • Alert Condition Nominal: Displays the alert rules in green.
  • Alert Firing: Displays the alert rules in red.

L3 Devices

The L3 Devices sub-page lists the L3 devices associated with the device.

The table contains the following columns:

  • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If a device name is not discovered, a NIC manufacturer-based identifier is assigned to the device by looking at the MAC address. If the MAC address range is not registered, or if it belongs to a private MAC address space, the name includes the last six characters of the MAC address (for example, Device 00000c0789b1).

    The device-type icon to the left of the device name identifies the activity primarily associated with this device. The device name and type can be edited by clicking on the name and using the edit tools on the Device page.

  • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon displays to the left of MAC Address as determined by the MAC OID lookup.
  • VLAN: The VLAN tag of the device.
  • IP Address: The Primary IP address the device uses to communicate on the network. By default, Address Resolution Protocol (ARP) traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address 0.0.0.0 is assigned to routing devices, such as gateways, firewalls, and load balancers, to indicate that it handles packets from many sources.
  • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Feb 23 09:01.
  • Description: A user-defined description of the device. To edit the device description, click the device name and use the edit tools on the Device page.

Geomaps

The Geomaps sub-page lists the geomaps associated with the device. Geomaps display worldwide activity based on the metrics defined in that geomap. For more information about geomap settings, refer to Geomaps.

The Geomaps sub-page displays the following information:

  • Geomap: Displays the name of the geomap.
  • Metric: Displays the metric displayed in the geomap.
  • Description: Displays a description of the geomap.

For more information about the geomap interface, refer to Geomap Interface.

Multicast

The Multicast sub-page for a device displays metrics for multicast and broadcast traffic on the network.

Well-known multicast groups include:

  • IEEE Spanning Tree (STP)
  • Address Resolution Protocol (ARP)
  • IPv6 Neighbor Discovery Protocol (NDP)
  • Cisco Discovery Protocol (CDP)
  • Cisco Shared Spanning Tree Protocol (CSSTP)
  • Alternate Spanning Multicast (ALTSM)
  • Router Information Protocol (RIP)
  • Network Time Protocol (NTP)
  • OSPF
  • MPLS
  • Inter Switch Link (ISL)
  • Cisco VLAN Bridge (CVB)
  • DHCP client (DHCP_CLIENT)
  • DHCP server (DHCP_SERVER)
  • NETBIOS Name Service (NETBIOS_NS)
  • NETBIOS Datagram Service (NETBIOS_DGM)
  • Multicast DNS (MDNS)
  • Hot Standby Router Protocol (HSRP)
  • Uncategorized L2 broadcast (L2BCAST)

Other multicast groups are represented using the numeric form of the group address, protocol, and L4 port.

  • Packet Count by Group: The Packet Count by Group bar chart displays the packet count for each of the top-ten multicast groups in which the selected device participates.
  • Byte Count by Group: The Byte Count by Group bar chart displays the byte count for each of the top-ten multicast groups in which the selected device participates.
  • Multicast Groups: The Multicast Groups table displays the multicast group, packet group, and byte count for the selected device.

L2

For device and group metrics, the L2 page includes the following data:

  • VLAN Tagged: The number of frames containing VLAN tags observed over the selected time interval. In reflects the number of VLAN-tagged frames received by the device. Out reflects the number of VLAN-tagged frames sent by the device.
  • Packets: The Packets line chart displays the incoming and outgoing packet rate (packets per second) over the selected time interval. Current and Max identify the current and maximum packet rates for the given time period, respectively. Total identifies the total number of packets for the selected time interval. To view specific statistics for each data point, hover the mouse across the chart to see the packets per second value for each unit on the x-axis of the graph.
  • Throughput: The Throughput line chart displays the incoming and outgoing throughput (bits per second) over the selected time interval. Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.
  • Frame Count by Size: The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of incoming and outgoing Ethernet frame size.
  • Frame Count by Type: The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (ipv4, ipv6, arp, ipx, mpls, lacp, stp, 802.1X, and other).
  • Frame Count by Distribution: The Frame Count by Distribution bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 type (unicast, multicast, and broadcast).

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

Packets

The Packets In and Packets Out line charts display the packet rate (in packets per second) for the selected device over the given time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

Throughput

The Throughput In and Throughput Out line charts display the throughput (in bits per second) over the selected time interval.

Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

L3

For device and group metrics, the L3 page includes the following data:

  • IP Fragments: Displays the IP fragments in and out for the device or group.
  • Packet Count by Protocol: The Packet Count by Protocol bar chart displays the incoming and outgoing packet count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol.
  • Byte Count by Protocol: The Byte Count by Protocol bar chart displays the incoming and outgoing byte count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol. IP types include TCP, UDP, ICMP, SCTP, IPSEC, GRE, ICMP6, VRRP, and OTHER.
  • Devices and Peer Devices: Displays IP addresses and host names with which the device or group communicates, packet in/out count, and byte in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device or group. Click the device name to navigate to the device.

The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

ICMP Details

The ICMP Details page includes the following data:

  • ICMP Packets In: Displays a list of ICMP response types and associated packet counts received by the current device in the selected time interval.
  • ICMP Packets Out: Displays a list of ICMP response types and associated packet counts sent by the current device in the selected time interval.
  • ICMPv6 Packets In: Displays a list of ICMPv6 response types and associated packet counts received by the current device in the selected time interval.
  • ICMPv6 Packets Out: Displays a list of ICMPv6 response types and associated packet counts sent by the current device in the selected time interval.

The following is a list of ICMP types and codes recognized by the Discover appliance:

  • Destination Unreachable:
    • Dest Unreach - Network
    • Dest Unreach - Host
    • Dest Unreach - Protocol
    • Dest Unreach - Port
    • Dest Unreach - Fragmentation Needed
    • Dest Unreach - Source Route
  • Time Exceeded:
    • Time Exceeded - Transit
    • Time Exceeded - Fragment Reassembly
  • Redirection:
    • Redirect - Network
    • Redirect - Host
    • Redirect - ToS Network
    • Redirect - ToS Host
  • Miscellaneous:
    • Bad Param
    • Source Quench
    • Echo
    • Echo Reply
    • Timestamp
    • Timestamp Reply
    • Info Request
    • Info Reply
  • ICMPv6 Destination Unreachable:
    • Dest Unreach - No route
    • Dest Unreach - Prohibited
    • Dest Unreach - Bad scope
    • Dest Unreach - Host
    • Dest Unreach - Port
  • ICMPv6 Time Exceeded:
    • Time Exceeded - Transit
    • Time Exceeded - Fragment Reassembly
  • ICMPv6 Parameter Problem:
    • Bad Param - Header Error
    • Bad Param - Unknown Next Header
    • Bad Param - Unknown Option
  • ICMPv6 Miscellaneous:
    • Packet Too Big
    • Echo
    • Echo Reply
    • MLD Query
    • MLD Report
    • MLD Done
    • ND Router Solicit
    • ND Router Advert
    • ND Neighbor Solicit
    • ND Neighbor Advert
    • ND Redirect
    • Router renumber
    • FQDN Query
    • FQDN Reply
    • MLDv2 Listener Report
    • MLD Mtrace Rsp
    • MLD Mtrace

DSCP

The DSCP sub-page displays the number of packets containing differentiated services code point (DSCP) values.

Packets In by DSCP: The Packets In by DSCP area chart displays the number of incoming packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

Packets Out by DSCP: The Packets Out by DSCP area chart displays the number of outgoing packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.

L4 TCP

The TCP device toolbar includes the following controls:

The TCP Details drop-down list specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. The user can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, the top-level metric, TCP Closed connections, shows how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter will show which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter will show which applications were accessed by the requestor.

For device metrics, the TCP page includes the following data:

Connections: The TCP connection metrics for the specified time interval.

  • Accepted: Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.

  • Connected: Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.

  • Closed: Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.

  • Aborted: The total number of TCP connections that were forcibly ended between the selected device and another device on the network. Aborted connections might indicate that an error occurred. For more information about the number of aborts for incoming and outgoing connections, click Details.

  • Expired: Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.

  • Established: For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.

  • Established Max: Maximum number of established connections observed at any point within the selected time interval.

  • Desync: Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, SPAN, or network tap.

  • TCP Flow Stalls: Number of events in which the device was not responsive.

The Connections Chart displays the number of accepted, connected, closed, and aborted connections as a function of time over the selected time interval. Click the chart to display a larger version. Date represents the date and time for the currently moused-over point on the graph. Connects, Accepts, Closes, and Aborts represent the number of outgoing, incoming, closed, and aborted connections respectively for the currently moused-over point in the graph. Click and drag across the chart to select a particular region.

The Round-Trip Time line chart displays the median round-trip time in milliseconds from the current device to all peer devices as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

Congestion Requests: Goodput (bps) and RTOs: Displays goodput and RTOs into the object as a function of time over the selected time interval.

Congestion Responses: Goodput (bps) and RTOs: Displays goodput and RTOs out of the object as a function of time over the selected time interval.

Goodput is application-level throughput (the number of useful information bits) and RTOs are retransmission timeouts. The Congestion In and Out graphs show the relationship over time between the rate of good application throughput and RTOs. An increase in RTOs theoretically leads to a decrease in goodput due to TCP back-off and packet retransmissions. It is best to view these charts in a smaller window of time so the metrics taken over time are not rolled up or smoothed out. In a small timeframe (30 minutes or less), one could see a decrease in goodput associated with a large number of RTOs, assuming that most flows on the server during this time frame experience this behavior. If only one or two flows are affected by RTOs, then the decreased goodput correlation may be masked by superficially healthy flows.

The Throttling In: Receive Windows and Zero Windows line chart represents the incoming receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

The Throttling Out: Receive Windows and Zero Windows line chart represents the outgoing receive and zero windows of the current device as a function of time over the selected time interval. Click and drag across the chart to select a particular region.

More Information about L4 TCP

How TCP Works

TCP divides data into segments and does the following:

  1. Routes segments through the network.
  2. Reassembles segments at the destination.
  3. Verifies accuracy and correct assembly order.
  4. Streams data to the application.

TCP segments include a header section that contains the destination IP address and a data section that includes message data.

TCP flow control works as follows:

  1. The client tells the server the number of bytes it is willing to receive at one time.
  2. The client’s receive window becomes the server's send window.
  3. Likewise, the server tells the client how many bytes of data it is willing to take.
  4. The server's receive window becomes the client's send window.

How Throttling Works

The following process describes a receive window throttle condition:

  1. The Discover appliance sees the rcv window from the receiver come in at 16KB.
  2. The Discover appliance sees the sender drop 16KB on the wire, and then stops sending data.
  3. A few milliseconds later, the Discover appliance sees another ACK come in from the receiver, advancing the window another 16KB.
  4. The Discover appliance sees the sender drop another 16KB on the wire.
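The receive window throttle sequence above can be reproduced from one direction of a flow by tracking bytes in flight against the last advertised window. This is an added example, not the Discover appliance's own logic: the trace is constructed, and the event fields (type, t, seq, len, ack, win) and function names are hypothetical.

```python
def burst(t, seq, count, size=4096):
    """Constructed helper: `count` back-to-back data segments sent at time t (ms)."""
    return [{"type": "data", "t": t, "seq": seq + i * size, "len": size}
            for i in range(count)]


# Constructed trace of one direction of a flow. The receiver advertises 16 KB,
# the sender fills it and waits, and each ACK opens another 16 KB.
TRACE = (
    [{"type": "ack", "t": 0, "ack": 0, "win": 16384}]
    + burst(1, 0, 4)                      # 16 KB on the wire, sender stops
    + [{"type": "ack", "t": 8, "ack": 16384, "win": 16384}]
    + burst(9, 16384, 4)                  # another 16 KB, sender stops again
    + [{"type": "ack", "t": 16, "ack": 32768, "win": 16384}]
    + burst(17, 32768, 1)
    + [{"type": "ack", "t": 18, "ack": 36864, "win": 0},      # zero window
       {"type": "ack", "t": 43, "ack": 36864, "win": 16384}]  # window update
    + burst(44, 36864, 1)
)


def analyze_flow(events):
    """Count receive-window throttles and zero windows in a one-way trace.

    A throttle is recorded when unacknowledged bytes reach the advertised
    receive window. The stall lasts until an ACK makes room again.
    """
    window = 0            # last receive window advertised by the receiver
    last_ack = 0          # highest byte acknowledged by the receiver
    snd_nxt = 0           # one past the highest byte the sender has sent
    stalled_since = None  # time the sender filled the window, if stalled
    result = {"rcv_wnd_throttles": 0, "zero_windows": 0, "stall_ms": []}

    for ev in events:
        if ev["type"] == "ack":
            last_ack = max(last_ack, ev["ack"])
            window = ev["win"]
            if window == 0:
                result["zero_windows"] += 1
            # The ACK reopened the window: close out the current stall.
            if stalled_since is not None and snd_nxt - last_ack < window:
                result["stall_ms"].append(ev["t"] - stalled_since)
                stalled_since = None
        elif ev["type"] == "data":
            snd_nxt = max(snd_nxt, ev["seq"] + ev["len"])
            in_flight = snd_nxt - last_ack
            # A zero window is counted separately, so require window > 0.
            if window > 0 and stalled_since is None and in_flight >= window:
                result["rcv_wnd_throttles"] += 1
                stalled_since = ev["t"]
    return result


if __name__ == "__main__":
    print(analyze_flow(TRACE))
```

With a larger advertised window, the same four-segment burst never fills it and no throttle is recorded.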

Details

Specifies what type of additional TCP information is displayed when a counter is clicked next to each top-level metric. You can choose between the following options: By IP for IP addresses and By L7 Protocol. For example, TCP Closed connections is a top-level metric showing how many connections were closed by the current device during the selected time frame. Selecting By IP and clicking on the closed counter will show which IP addresses originated these connections. Selecting By L7 Protocol and clicking on the closed counter will show which applications were accessed by the requestor.

The L4 TCP Details page includes the following data:

  • Connections: The TCP connection metrics for the current device.

    • Accepted: Number of inbound connections accepted by the device. Click to display the peer devices from which the connections originated and the associated round-trip time.

    • Connected: Number of outbound connections initiated by the device. Click to display the peer devices to which the connections were established and the associated round-trip time.

    • Closed: Number of connections explicitly shut down by the device or its peer. Closed connections are explicitly shut down by at least one of the endpoints. Click to display the peer devices for which the connections were closed.

    • Expired: Number of connections involving the device for which tracking was stopped due to inactivity. Click to display the peer devices with which the connections were associated.

    • Established: For a given time interval, the number of open connections involving the device at the end of the interval. Click to display the peer devices with which connections have been established.

    • Established Max: Maximum number of established connections observed at any point within the selected time interval.

    • Desync: Number of times synchronization was lost when processing TCP connections for the device. Large numbers might indicate dropped packets on the monitoring interface, port mirror, or network tap.

  • In: The incoming connection metrics for the current device.

    • Aborts: Number of connections aborted by the peer of the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices that aborted the connections.

    • Resets: Number of RSTs received by the current device. TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving device failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets may be used to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

    • SYNs Received: Number of SYNs received by the current device.

    • SYNs Unanswered: Number of SYNs received by the device for which there were no corresponding ACKs.

    • Stray Segments: Number of unexpected TCP packets received by the current device. Stray segments are likely to be recorded when the Discover appliance is first started. Continued large numbers of stray segments could indicate a misconfiguration or deployment problem.

    • Dropped Segments: Number of episodes in which a segment or a series of segments were lost on the way to the current device and required retransmission. Large values of this counter may indicate network congestion or link reliability problems.

    • Zero Window: Number of zero window advertisements received by the current device. A zero window indicates that the connection has stalled and the peer device is unable to keep up with the rate of data sent. In some cases, the read socket buffer size can be increased on the peer device to resolve this problem. On the BIG-IP Application Delivery Controller, the proxy_buffer_high setting in the TCP profile should be increased.

    • Rcv Wnd Throttles: Number of times the advertised receive window of the peer device limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the peer device to resolve this problem.

    • Snd Wnd Throttles: Number of send window throttles. This indicates that the TCP congestion avoidance on the peer device might be too conservative. In some cases, a different congestion avoidance algorithm can be selected or send window scaling can be enabled on the peer device.

    • SYNs w/o Timestamps: Number of SYNs without the TCP timestamp option received by the current device.

    • SYNs w/o SACK: Number of SYNs without the TCP SackOK option received by the current device. This option is necessary to use selective acknowledgments.

    • RTOs: Number of retransmission timeouts caused by congestion as peers were sending data to the current device. This indicates a relatively long stall in the connection due to packet loss. Enabling selective acknowledgments and fast recovery might reduce such stalls.

    • PAWS-Dropped SYNs: Number of PAWS-dropped SYNs. This indicates that a connection failed to initiate because the current device interpreted the SYN as belonging to a previous connection. This problem is often due to network address translation and specifically the timestamp affixed to packets that traverse a network address translation device. PAWS-dropped SYNs may cause a stall in connection setup since the dropped SYN is typically retransmitted after a three-second timer expires. In some cases, increasing the connection linger time on the NAT device or decreasing connection linger time on the current device can mitigate this problem.

    • Bad Congestion Control: Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the peer device is sending too much data, resulting in network congestion and dropped packets.

    • TCP Flow Stalls: Number of events in which a peer device was not responsive.

  • Out: The outgoing connection metrics for the current device.

    • Aborts: Number of connections aborted by the current device. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the peer devices to which the current device aborted the connections.

    • Resets: Number of RSTs sent by the current device. TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving device failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets may be used to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

    • SYNs Sent: Number of SYNs sent by the current device.

    • SYNs Unanswered: Number of SYNs sent by the device for which there were no corresponding ACKs.

    • Dropped Segments: Number of episodes in which a segment or a series of segments were lost on the way to the current device and required retransmission. Large values of this counter may indicate network congestion or link reliability problems.

    • Tinygrams: Number of tinygrams sent by the current device. This indicates that the TCP payload is being segmented inefficiently, resulting in more packets on the network.

    • Nagle Delays: Number of Nagle delays sent by the current device. This indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs.

    • Zero Window: Number of zero window advertisements sent by the current device. A zero window indicates the connection has stalled because the current device cannot handle the rate of data sent.

    • Slow Starts: Number of slow starts sent by the current device. This indicates that TCP slow start congestion avoidance has reduced connection throughput. The application on the current device might benefit from connection pooling or persistent connections.

    • Rcv Wnd Throttles: Number of times the advertised receive window of the current device limits the throughput of the connection. In some cases, the read socket buffer size can be increased or receive window scaling can be enabled on the current device to resolve this problem.

    • Snd Wnd Throttles: Number of send window throttles. This indicates that the TCP congestion avoidance on the current device might be too conservative. In some cases, a different congestion avoidance algorithm can be selected or send window scaling can be enabled on the current device.

    • SYNs w/o Timestamps: Number of SYNs without the TCP timestamp option sent by the current device.

    • SYNs w/o SACK: Number of SYNs without the TCP SackOK option sent by the current device. This option is necessary to use selective acknowledgments.

    • RTOs: Number of retransmission timeouts caused by congestion as the current device was sending data to a peer. This indicates a relatively long stall in the connection due to packet loss. Enabling selective acknowledgments and fast recovery might reduce such stalls.

    • Retransmissions: Number of times data is resent by the current device.

    • Out of Order: Number of packets sent by the device where the TCP sequence number did not match the sequence number that the Discover appliance was expecting. The reordering may have been introduced at the device itself or by an intermediate device. This can result in reduced connection throughput, increased processing load on the peer device, and additional ACK packets on the network.

    • Bad Congestion Control: Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the current device is sending too much data, resulting in network congestion and dropped packets.

    • TCP Flow Stalls: Number of events in which the current device was not responsive.

L7 Protocols

The L7 Protocol Metric Type drop-down list specifies what type of additional L7 protocol information is displayed on the sub-page.

For device metrics, the L7 Protocols page includes the following data:

  • Packets In: The Packets In area chart displays how applications contribute to the total incoming packet count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
  • Packets Out: The Packets Out area chart displays how applications contribute to the total outgoing packet count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
  • Bytes In: The Bytes In area chart displays how applications contribute to the total incoming byte count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
  • Bytes Out: The Bytes Out area chart displays how applications contribute to the total outgoing byte count for the device. Click the chart to display a larger version. Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. Click the chart to zoom into and select a particular region.
  • Peer Devices: Click an application listed in the legend to list the devices sending or receiving the traffic for that protocol in the table at the bottom of the page. The protocol metrics appear in a table with the following headings:
    • IP Address: The IP address of the corresponding device.
    • Host: The host of the corresponding device.
    • Device: A link to the corresponding device. For local devices, the link leads to that device. For remote devices, the link leads to the gateway device through which the requests were routed.
    • Packets In: The number of packets sent from the peer device to the current device for the selected protocol in the area chart.
    • Packets Out: The number of packets sent from the current device to the peer device for the selected protocol in the area chart.
    • Bytes In: The number of bytes sent from the peer device to the current device for the selected protocol in the area chart.
    • Bytes Out: The number of bytes sent from the current device to the peer device for the selected protocol in the area chart.
      Note: A category labeled OTHER may appear in the legend to represent traffic that is not TCP/UDP and fails to classify as an L7 protocol. The OTHER category may also represent TCP/UDP traffic that fails to classify as an L7 protocol and fails to add an L4 p:port identifier.

The Bytes In and Bytes Out charts display activity for the top 10 protocols. To view information about other protocols, click the Details node in the page navigation panel.

To isolate a single protocol, mouse over the protocol in the legend or click the protocol to select it. When you select a protocol, the table displays a list of devices with activity from that protocol. Click a device in the table to view detailed L7 protocol metrics for that device.

To deselect the protocol and view all the top protocols in the chart again, click the selection in the legend again or click the table title below the charts.

Table Actions

The table at the bottom of the page lists the devices associated with this device. You can filter the list of devices and manage the assignments for a device or group of devices.

Packets

The Packets In and Packets Out area charts display the packet rate (in packets per second) for the selected device over the given time interval.

You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Time Range.

Throughput

The Bytes In and Bytes Out area chart displays the throughput rate (in bits per second) over the selected time interval.

You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Time Range.

Turn Timing

A TCP turn is a complete change in direction of TCP payload data being delivered. In order to clearly detect this, the change in data direction must occur only after the TCP ACK is received for all the data in the prior direction, either by a bare TCP ACK or by a TCP ACK within returned data (a "piggybacked" ACK).

If the TCP ACK is not received for all the data, it is less likely to be a true application-level turn and is not counted as a turn. This means if a turn does not appear in the Discover appliance, data sent and received is likely to be overlapping.

The Protocols table displays the timing components for all application turns associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

  • Protocol: Auto-classified L7 protocol or a TCP/UDP port.

  • Turns: Number of TCP turns observed due to this protocol in the selected time period. Click the number of turns to display turn timing information over time for a specific protocol.

  • Network In (ms): The time in milliseconds before the payload was received by the server. A large Network In value relative to the average application turn time indicates network delay. If the request size is large, some network delay due to transfer time is expected.

  • Processing Time (ms): The time in milliseconds between the time the payload was received by the server and the time the payload was sent back. A large server processing time relative to the average application turn time indicates application delay.

  • Network Out (ms): The time in milliseconds before the server finished sending the payload back. A large Network Out value relative to the average application turn time indicates network delay. If the response size is large, some network delay due to transfer time is expected.
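The turn rule and the three timing components described above, worked through on a small trace. This is an added example, not ExtraHop code: the Segment record, the burst-pairing logic, the mapping of timestamps to Network In, Processing Time, and Network Out, and the constructed trace are all assumptions made for illustration. Sequence-number wraparound is ignored.

```python
from dataclasses import dataclass

PEER = {"client": "server", "server": "client"}

@dataclass
class Segment:
    t_ms: float   # capture timestamp, milliseconds
    src: str      # "client" or "server"
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes; 0 for a bare ACK
    ack: int      # cumulative acknowledgement number

@dataclass
class Burst:
    src: str
    first_ms: float
    last_ms: float
    nbytes: int = 0
    fully_acked: bool = False  # peer had ACKed all of it when direction changed

@dataclass
class Turn:
    network_in_ms: float    # first to last request segment
    processing_ms: float    # last request segment to first response segment
    network_out_ms: float   # first to last response segment
    request_bytes: int
    response_bytes: int

def split_bursts(segments):
    """Group payload into same-direction bursts and record, at each change of
    direction, whether the prior direction's data was completely ACKed."""
    next_seq, acked, bursts = {}, {}, []
    for s in segments:
        # Every segment, bare or piggybacked on data, acknowledges the peer.
        acked[PEER[s.src]] = max(acked.get(PEER[s.src], 0), s.ack)
        end = s.seq + s.length
        if s.length == 0 or end <= next_seq.get(s.src, 0):
            continue  # bare ACK or pure retransmission: no new payload
        if not bursts or bursts[-1].src != s.src:
            if bursts:  # direction change: check the prior direction
                prev = bursts[-1]
                prev.fully_acked = acked.get(prev.src, 0) >= next_seq[prev.src]
            bursts.append(Burst(s.src, s.t_ms, s.t_ms))
        bursts[-1].last_ms = s.t_ms
        bursts[-1].nbytes += end - max(s.seq, next_seq.get(s.src, s.seq))
        next_seq[s.src] = end
    if bursts:  # end of trace closes the final burst
        last = bursts[-1]
        last.fully_acked = acked.get(last.src, 0) >= next_seq[last.src]
    return bursts

def measure_turns(segments):
    """Return (turns, overlapping): request/response pairs that satisfy the
    ACK rule, and the number of pairs rejected because data overlapped."""
    bursts = split_bursts(segments)
    turns, overlapping = [], 0
    i = 0 if bursts and bursts[0].src == "client" else 1
    while i + 1 < len(bursts):
        req, rsp = bursts[i], bursts[i + 1]
        if req.fully_acked and rsp.fully_acked:
            turns.append(Turn(req.last_ms - req.first_ms,
                              rsp.first_ms - req.last_ms,
                              rsp.last_ms - rsp.first_ms,
                              req.nbytes, rsp.nbytes))
        else:
            overlapping += 1
        i += 2
    return turns, overlapping

def dominant_delay(turn):
    """Name the largest timing component of a turn."""
    parts = {"network_in": turn.network_in_ms,
             "processing": turn.processing_ms,
             "network_out": turn.network_out_ms}
    return max(parts, key=parts.get)

# Constructed trace (relative sequence numbers), not captured traffic.
SAMPLE_TRACE = [
    # Turn 1: request ACKed by a bare ACK before the response starts.
    Segment(0.0, "client", 1, 1000, 1),
    Segment(2.0, "client", 1001, 500, 1),
    Segment(2.5, "server", 1, 0, 1501),
    Segment(42.5, "server", 1, 1460, 1501),
    Segment(44.0, "server", 1461, 1460, 1501),
    Segment(45.5, "server", 2921, 300, 1501),
    Segment(46.0, "client", 1501, 0, 3221),
    # Turn 2: request ACKed by the ACK piggybacked on the response data.
    Segment(100.0, "client", 1501, 200, 3221),
    Segment(130.0, "server", 3221, 800, 1701),
    Segment(131.0, "client", 1701, 0, 4021),
    # Overlap: the server replies after ACKing only half of the request.
    Segment(200.0, "client", 1701, 1000, 4021),
    Segment(201.0, "server", 4021, 500, 2201),
    Segment(202.0, "client", 2701, 1000, 4521),
    Segment(203.0, "server", 4521, 0, 3701),
]

if __name__ == "__main__":
    turns, overlapping = measure_turns(SAMPLE_TRACE)
    for t in turns:
        print(t, "->", dominant_delay(t))
    print("overlapping exchanges not counted as turns:", overlapping)
```
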

Breakdown

Click a value in the Turns column. If the Response Time drop-down list is set to Breakdown, the dialog box displays the over-time view of the following components:

  • Network In: The time in milliseconds before the payload was received by the server.

  • Processing Time: The time in milliseconds between the time the payload was received by the server and the time the payload was sent back.

  • Network Out: The time in milliseconds before the server finished sending the payload back.

Distribution

Click a value in the Turns column. If the Response Time drop-down list is set to Distribution, the dialog box displays the over-time view of the following components:

  • Network In: The time in milliseconds before the payload was received by the server.

  • Process: The time in milliseconds between the time the payload was received by the server and the time the payload was sent back.

  • Network Out: The time in milliseconds before the server finished sending the payload back.

  • Payload Size In: Displays the range of request sizes for all application turns associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values.

  • Payload Size Out: Displays the range of response sizes for all application turns associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values.

  • Turns: Number of TCP turns observed due to this protocol in the selected time period. Click the number of turns to display turn timing information over time for a specific protocol.

Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

Details

The Protocols table lists all the protocols detected on this device and associated packet and byte counts. Click a protocol in the table to see the list of devices associated with that protocol.

To filter the list of protocols visible in the table, enter a search string in the Filter text box. The list filters automatically as search characters are entered.

AAA

The AAA device toolbar includes the following controls:

  • AAA Metric Type: Display metrics for devices acting as an AAA client or AAA server.
  • Errors: Click the Errors button to display the list of error messages sent to or received by the current device over the time interval. Errors are formatted as follows: Results-Code-Description:Session-Id:Error-Reporting-Host:Subscription-ID-Data.
    • Session-Id frequently contains multiple semicolon-separated records.
    • Error-Reporting-Host is not always present.
  • Records: Displays results for records that match the selected metric source and protocol.

For device metrics, the AAA page includes the following data:

  • AAA Client: If you select Client for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
    • Requests: Number of total requests that the device sent when acting as an AAA client.
    • Responses: Number of responses that the device received when acting as an AAA client.
    • Errors: Number of AAA errors for the selected time interval.
    • Aborts: Number of aborted sessions that occurred when the device was acting as an AAA client.
  • AAA Server: If you select Server for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
    • Requests: Number of total requests that the device received when acting as an AAA server.
    • Responses: Number of responses that the device sent when acting as an AAA server.
    • Errors: Number of AAA errors for the selected time interval.
    • Aborts: Number of aborted sessions that occurred when the device was acting as an AAA server.
  • Messages: Selected message types for the AAA server.
  • Status Codes: The AAA status codes for the selected time interval.
  • Processing Time Distribution: Displays a histogram of times it took the server to process requests. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.

Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

CIFS

The CIFS device page toolbar includes the following controls:

  • CIFS Metric Type: Displays metrics for the current device acting as a CIFS client or CIFS server.
  • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval.
  • Warnings: Displays the list of warning messages sent to or received by the current device over the selected time interval.
  • Methods: Displays the list of methods and associated bytes sent and received by the current device for the selected time interval. Methods are broken out by key parameters, such as the accessed file name and file access time.
  • Users: Displays the list of users accessing the file server and associated bytes sent and received for the selected time interval.
  • Files: Displays the list of files accessed and associated bytes sent and received for the selected time interval. The access time indicates the time to access a file on a CIFS partition and is measured by timing the first READ or WRITE on every flow.
  • Records: Displays results for records that match the selected metric source and protocol.

Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This may occur in instances when the capture process was restarted after the "mount" or a "cd" command was issued, or when the commands were lost due to desyncs.

Click the counters next to individual CIFS metrics to show the IP Address CIFS Metrics details for CIFS peer devices. For CIFS servers, the peer devices are CIFS clients. For CIFS clients, the peer devices are CIFS servers.

  • IP Address: Represents the IP address of the peer device.
  • Host: Represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
  • Device: Provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.

For device-level metrics, the CIFS page includes the following data:

  • CIFS Server: Displays additional IP address details.
    • Responses: Specifies the number of responses that the device sent when acting as a CIFS server.
    • Errors: Specifies the number of errors sent by the CIFS server.
    • Warnings:
    • Reads: Specifies the number of read operation requests that the device received when acting as a CIFS server.
    • Writes: Specifies the number of write operation requests that the device received when acting as a CIFS server.
    • Locks: Specifies the number of lock operation requests that the device received when acting as a CIFS server.
    • FSInfo: Specifies the number of file system metadata queries that the device received when acting as a CIFS server.
  • CIFS Client: Displays additional IP address details.
    • Responses: Specifies the number of responses that the device received when acting as a CIFS client.
    • Errors: Specifies the number of errors sent by the CIFS client.
    • Warnings:
    • Reads: Specifies the number of read operation requests that the device sent when acting as a CIFS client.
    • Writes: Specifies the number of write operation requests that the device sent when acting as a CIFS client.
    • Locks: Specifies the number of lock operation requests that the device sent when acting as a CIFS client.
    • FSInfo: Specifies the number of file system metadata queries that the device sent when acting as a CIFS client.
  • Methods: Displays the CIFS methods for the selected time interval. Methods will vary by device.

Read, Write, and FSInfo Bytes: Displays the total bytes per device transmitted within the selected time interval. Mouse over the graph to see the byte count for each metric at a specific moment in time.

Transactions Per Second: Displays the number of CIFS protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

The File Access Time Breakdown line chart displays the median file access time in milliseconds from the current device to all peer devices as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics.

The File Access Time Distribution chart displays a histogram of file access times. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.

Database

The Database device toolbar includes the following controls:

  • Database Metric Type: Displays statistics for the current device acting as a database client or database server.
  • Errors: Displays the list of error messages sent to or received by the current device over the time interval.
  • Methods: Displays the list of names and the associated number of responses and errors.
  • Users: Displays the list of users accessing the database server and associated bytes sent and received for the selected time interval.
  • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.

For device metrics, the Database page includes the following data:

Click the counters next to individual database metrics to show the IP Address Database Metrics for database peer devices. For database servers, the peer devices are database clients. For database clients, the peer devices are database servers.

  • By IP: Displays database metrics by IP address.
  • By Database: Displays database metrics by database. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.

To break down a metric by database, shift-click the counter next to the metric and select By Database. A table displays all databases pertaining to that metric and the number of times it appeared in associated transactions.

  • Database Client: If you select Client for the Database Metric Type, the Discover appliance displays the following metrics:
    • Responses: Specifies the number of responses that the device received when acting as a database client. Click to display the list of servers from which responses were sent.
    • Errors: Specifies the number of database protocol errors for the selected time interval. Click to display the list of servers for which there were errors.
    • Requests Aborted: Specifies the number of requests that the device began to send but did not send completely when acting as a database client.
    • Responses Aborted: Specifies the number of responses that the device began to receive but did not receive completely when acting as a database client.
  • Database Server: If you select Server for the Database Metric Type, the Discover appliance displays the following metrics:
    • Responses: Specifies the number of responses that the device sent when acting as a database server. Click to display the list of clients to which responses were sent.
    • Errors: Specifies the number of database protocol errors for the selected time interval. Click to display the list of clients for which there were errors.
    • Requests Aborted: Specifies the number of requests that the device began to receive but did not receive completely when acting as a database server.
    • Responses Aborted: Specifies the number of responses that the device began to send but did not send completely when acting as a database server.
  • Methods: Displays the database methods for the selected time interval. Methods will vary for each specific device.

    Click to display additional per-client or per-server details. Shift-click and select By Database to display the list of associated databases.

The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.

  • ReqXfer: The request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
  • Process: The server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
  • RspXfer: The response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

The Request Size graph displays the range of request sizes for all transactions associated with the current device. Mouse over the chart to see the five-number summary. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device, database, or IP address.

The Response Size graph displays the range of response sizes for all transactions associated with the current device. Mouse over the chart to see the five-number summary. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device, database, or IP address.

The Transactions Per Second graph displays the number of database protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region. Select a database from the Databases drop-down list and then click the red data points to display results associated with that database only. For detailed error information, click Errors.

The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

All Methods

The Database groups toolbar includes the following controls:

  • Database Metric Type: Displays metrics for members in the current group acting as a database client or server, respectively.
  • Records: Displays results for records that match the selected metric source and protocol.

The All Methods page contains the following information:

  • Methods: This section displays the database methods for the selected time interval. Click to display additional per-client or per-server details.
  • Database Client: This table lists the peer members associated with the database client.
  • Database Server: This table lists the peer members associated with the database server.

Timing

The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

The Timing node includes the following metrics:

  • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
  • Processing Time: Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
  • Response Transfer Time: Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.

DNS

The DNS device toolbar includes the following controls:

  • DNS Metric Type: Displays metrics for the current device acting as a DNS client or DNS server.
  • Errors: Displays the number of query errors by host.
  • Host Queries: Displays the list of DNS queries made to or from this device, sorted by Host Query frequency. Click the Query Errors header to sort the list by the number of DNS errors encountered.
  • Servers: When acting as a DNS client, displays a chart showing the total number of responses compared to processing time during the selected time interval.
  • Clients: When acting as a DNS server, displays a chart showing the total number of requests compared to processing time during the selected time interval.
  • Records: Displays results for records that match the selected metric source and protocol.

For device metrics, the DNS page includes the following data:

  • DNS Client: If you select Client for the DNS Metric Type, the Discover appliance displays the following metrics. For each field, click to display the devices to which these requests were made.

    • Requests: Specifies the number of requests that the device sent when acting as a DNS client.
    • Request Timeouts: Specifies the number of request timeouts when the device is acting as a DNS client. A request timeout occurs when there is a repeated request without a response to the first request. A high number here may indicate server unresponsiveness or a client misconfiguration.
    • Truncated Requests: Specifies the number of requests that were sent, but were truncated in transit, when the device is acting as a DNS client. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
    • Responses: Specifies the number of responses that the device received when acting as a DNS client.
    • Response Errors: Specifies the number of responses received with a code other than NOERROR, when the device is acting as a DNS client.
    • Truncated Responses: Specifies the number of truncated responses that the device received when acting as a DNS client. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
  • DNS Server: If you select Server for the DNS Metric Type, the Discover appliance displays the following metrics. For each field, click to display the devices from which these requests were received.

    • Requests: Specifies the number of requests that the device received when acting as a DNS server.
    • Request Timeouts: Specifies the number of request timeouts when the device is acting as a DNS server. A request timeout occurs when there is a repeated request without a response to the first request. A high number here might indicate a problem with this DNS server.
    • Truncated Requests: Specifies the number of requests that were received, but were truncated in transit, when the device is acting as a DNS server. A truncated request is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
    • Responses: Specifies the number of responses that the device sent when acting as a DNS server.
    • Response Errors: When the device is acting as a DNS server, specifies the number of responses sent with a code other than NOERROR.
    • Truncated Responses: Specifies the number of responses sent, but later truncated, when the device is acting as a DNS server. A truncated response is indicated by the truncated bit in the message and occurs when the message is larger than the underlying transmission channel allows.
  • Requests by Opcode: Displays all request opcode types sent or received by the current device. For each field, click to display the devices to or from which these requests were sent or received.

    • Query: Specifies the number of DNS QUERY Opcodes sent or received by the current device. DNS Queries are the most frequently encountered DNS Opcode type.
    • Notify: Specifies the number of DNS NOTIFY Opcodes sent or received by the current device. DNS Notify is used as a synchronization method between DNS servers.
    • Update: Specifies the number of DNS UPDATE Opcodes sent or received by the current device. DNS Update is used as a synchronization method between DNS servers.
    • Other: Specifies the number of other miscellaneous DNS Opcodes sent or received by the current device.
  • Responses by Response Code: Displays all response codes broken down by request opcode and request record type sent (if server) or received (if client) by the current device. The format of the entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD. For each field, click to display the devices to or from which these requests were sent or received.

    The response code bar categories include:

    • NOERROR: Successful transaction; no error.
    • FORMERROR: Format Error.
    • SERVFAIL: DNS Server Failed.
    • NXDOMAIN: No such domain.
    • NOTIMPL: No handler implemented for this query type.
    • REFUSED: Query administratively refused.
    • UPDATEERR: Error in handling UPDATE request.
    • TSIGERR: Error in handling TSIG request.
    • OTHER: All other response code types.

    The Transactions Per Second graph displays the number of DNS transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Server Processing Time graph displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

    The Processing Time Distribution graph displays a histogram of times it took the server to process requests. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.

    The Requests by Record Type bar chart shows the categorization of all request types sent or received by the current device. Click a bar to display the device to which (if client) or from which (if server) the query was sent.

    The request query bar categories displayed include:

    • A. Address
    • NS. Name Server
    • CNAME. Canonical Name
    • SOA. Start Of Authority
    • PTR. Pointer Record
    • MX. Mail Exchanger
    • TXT. Text
    • AAAA. IPv6 Address
    • SRV. Service
    • TSIG. Secured Signed Request class
    • IXFR. Incremental Zone Transfer
    • AXFR. Zone Transfer
    • ANY. Any available
    • Other. All other categories

    The Responses by Record Type bar chart shows the categorization of all response types sent or received by the current device. Click a bar to display the device from which (if client) or to which (if server) the response was sent.

    The response query bar categories displayed include:

    • A. Address
    • NS. Name Server
    • CNAME. Canonical Name
    • SOA. Start Of Authority
    • PTR. Pointer Record
    • MX. Mail Exchanger
    • TXT. Text
    • AAAA. IPv6 Address
    • SRV. Service
    • TSIG. Secured Signed Request class
    • IXFR. Incremental Zone Transfer
    • AXFR. Zone Transfer
    • Other. All other categories

    It is possible for multiple answers to be sent in response to a single query.
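
The DNS counters described in this section can all be derived from the message header and the first question. The sketch below is an added example, not ExtraHop code: it parses constructed DNS messages and tallies requests, timeouts, truncation, opcodes and response codes in the ERROR/REQUEST_OPCODE:REQUEST_RECORD format. The function names, the key used to match a repeated request, and the mapping of rcodes 6 through 10 to UPDATEERR are assumptions.

```python
"""Tally DNS header fields into counters like those on the DNS page (illustration only)."""
import struct
from collections import Counter

OPCODES = {0: "Query", 4: "Notify", 5: "Update"}          # anything else -> "Other"
RCODES = {0: "NOERROR", 1: "FORMERROR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMPL", 5: "REFUSED"}
UPDATE_RCODES = range(6, 11)   # assumption: YXDOMAIN..NOTZONE are shown as UPDATEERR
RTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT",
          28: "AAAA", 33: "SRV", 250: "TSIG", 251: "IXFR", 252: "AXFR", 255: "ANY"}


def rcode_name(code):
    """Map the 4-bit header rcode to the category names used on the page."""
    if code in UPDATE_RCODES:
        return "UPDATEERR"
    return RCODES.get(code, "OTHER")


def parse_dns(payload):
    """Return header fields plus the first question, or None if malformed."""
    if len(payload) < 12:
        return None
    msg_id, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos, qtype = [], 12, None
    if qdcount:
        while True:
            if pos >= len(payload):
                return None
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                return None   # compression pointer or overrun inside the question
            labels.append(payload[pos:pos + length].decode("ascii", "replace").lower())
            pos += length
        if pos + 4 > len(payload):
            return None
        qtype = struct.unpack("!H", payload[pos:pos + 2])[0]
    return {
        "id": msg_id,
        "response": bool(flags & 0x8000),                 # QR bit
        "opcode": OPCODES.get((flags >> 11) & 0xF, "Other"),
        "truncated": bool(flags & 0x0200),                # TC (truncated) bit
        "rcode": rcode_name(flags & 0xF),
        "qname": ".".join(labels),
        "qtype": RTYPES.get(qtype, "Other"),
    }


def tally(messages):
    """messages: iterable of (src_ip, dst_ip, payload) in capture order."""
    c = Counter()
    pending = set()   # requests still waiting for a response
    for src, dst, payload in messages:
        m = parse_dns(payload)
        if m is None:
            c["malformed"] += 1
            continue
        if m["response"]:
            pending.discard((dst, src, m["id"], m["qname"], m["qtype"]))
            c["responses"] += 1
            c["truncated_responses"] += m["truncated"]
            if m["rcode"] != "NOERROR":
                c["response_errors"] += 1
            c["rcode:%s/%s:%s" % (m["rcode"], m["opcode"].upper(), m["qtype"])] += 1
        else:
            key = (src, dst, m["id"], m["qname"], m["qtype"])
            c["requests"] += 1
            c["truncated_requests"] += m["truncated"]
            c["opcode:" + m["opcode"]] += 1
            if key in pending:        # repeated request, first one never answered
                c["request_timeouts"] += 1
            pending.add(key)
    return c


def build(msg_id, qname, qtype, response=False, opcode=0, rcode=0, tc=False):
    """Construct a minimal one-question DNS message for the sample below."""
    flags = (0x8000 if response else 0) | (opcode << 11) | (0x0200 if tc else 0) | rcode
    question = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0) + question + struct.pack("!HH", qtype, 1)


C, S = "10.0.0.5", "10.0.0.53"   # constructed client and server addresses
SAMPLE = [                        # constructed traffic, not captured data
    (C, S, build(1, "www.example.com", 1)),
    (S, C, build(1, "www.example.com", 1, response=True)),
    (C, S, build(2, "nope.example.com", 28)),
    (S, C, build(2, "nope.example.com", 28, response=True, rcode=3)),
    (C, S, build(3, "big.example.com", 16)),
    (C, S, build(3, "big.example.com", 16)),            # repeat with no response yet
    (S, C, build(3, "big.example.com", 16, response=True, tc=True)),
    (C, S, build(4, "example.com", 6, opcode=5)),       # UPDATE; zone section type is SOA
    (S, C, build(4, "example.com", 6, response=True, opcode=5, rcode=5)),
    (C, S, b"\x00\x01"),                                # shorter than a DNS header
]

if __name__ == "__main__":
    for name, count in sorted(tally(SAMPLE).items()):
        print(name, count)
```

TSIG errors are carried in the TSIG record rather than in the 4-bit header rcode, so this sketch never produces the TSIGERR category.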

FIX

    The FIX device toolbar includes the following controls:

    • FIX Metric Type: Displays metrics for devices acting as a FIX client or FIX server.
    • Errors: Click the Errors button to display the list of FIX session-level reject reasons (error messages) sent to or received by the current device over the selected time interval. These metrics do not include the processing of order and trade errors.
    • Senders: Click the Senders button to display a list of institutions sending the FIX message as it appears in the SenderCompID field.
    • Targets: Click the Targets button to display a list of institutions receiving the FIX message as it appears in the TargetCompID field.
    • Records: Displays results for records that match the selected metric source and protocol.

    For device metrics, the FIX page includes the following data:

    FIX Details specifies the type of additional FIX information displayed. Moving the cursor over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays FIX metrics by IP addresses.
    • By Sender: Displays FIX metrics by sender.
    • By Target: Displays FIX metrics by target.

    For example, FIX Responses is a top-level metric showing how many responses were received by the FIX server during the selected time frame. Selecting By IP in the drop-down list while moving the cursor over the FIX Responses counter shows which IP addresses originated these responses.

    Selecting By IP from the drop-down list while moving the cursor over the FIX Responses counter shows the IP addresses of the responses.

    FIX Metrics by IP Address: Click By IP in the drop-down list to display the following information in the details table.

    • IP Address: Represents the FIX server's IP address.
    • Host: Represents the DNS host name of the FIX server determined by passive analysis of the DNS traffic.
    • Device: Provides a link to the corresponding FIX server device.
    • <Metric value>: Displays the value for the selected metric.

    FIX Metrics by Sender: Click By Sender in the drop-down list to display the following information in the details table.

    • Sender: Displays a list of senders.
    • <Metric value>: Displays the value for the selected metric.

    FIX Metrics by Target: Click By Target in the drop-down list to display the following information in the details table.

    • Target: Displays a list of targets.
    • <Metric value>: Displays the value for the selected metric.

    FIX Client: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests received.
    • Responses: Number of responses received.
    • Errors: Number of errors sent.
    • POS Duplicate: Number of POS duplicates received.
    • POS Resend: Number of POS resends received.

    FIX Server: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests received.
    • Responses: Number of responses received.
    • Errors: Number of errors sent.
    • POS Duplicate: Number of POS duplicates received.
    • POS Resend: Number of POS resends received.

    Methods: Methods exchanged by device over the selected time interval. Click the counter to display additional per-client or per-server IP address details.

    Versions: FIX versions used over the selected time interval. Click the counter to display additional per-client or per-server IP address details.

    Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

    • ReqXfer: Request transfer time. The time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Server processing time. The time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Response transfer time. The time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    Click the Transaction Metrics graph to display a chart showing responses compared to mean processing time during the selected time interval. The table below contains the total and mean time for each response.

    Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

FTP

    The FTP metrics toolbar includes the following controls:

    • FTP Metric Type: Displays metrics for the current device acting as an FTP client or server.
    • Errors: Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
    • Warnings: Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
    • Files: Displays the list of files accessed, associated bytes sent and received, and associated errors for the selected time interval.
    • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
    • Records: Displays results for records that match the selected metric source and protocol.

    Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This can occur when the capture process was restarted after a "mount" or "cd" command was issued, or when the commands were lost due to desyncs.

    For device metrics, the FTP page includes the following data:

    • FTP Details: Specifies the type of additional FTP information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:
      • By IP: Displays FTP metrics by IP addresses.
      • By User: Displays FTP metrics by user name.

        For example, FTP Requests is a top-level metric showing how many requests were received by the FTP server during the selected time frame. Selecting By IP in the drop-down list while mousing over the FTP Requests counter shows which IP addresses originated these requests. Selecting By User in the drop-down list while mousing over the FTP Requests counter shows which FTP user names originated these requests.

    • IP Address FTP Metrics: Click By IP in the drop-down list to display the following information in the details table.
      • IP Address represents the FTP server's IP address.
      • Host represents the DNS host name of the FTP server determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding FTP server device. For local FTP servers, the link leads to the FTP server device. For remote FTP servers, the link leads to the gateway device through which the requests were routed.
      • <Metric Value> displays the value of the selected metric.
    • FTP Metrics by User: Click By User in the drop-down list to display the following information in the details table.
      • Users represents FTP user names that originated these requests.
      • <Metric Value> displays the value of the selected metric.
    • IP Address FTP Metrics: When you click the counters next to individual FTP metrics, the IP Address FTP Metrics table shows details about FTP peer devices. For FTP servers, the peer devices are FTP clients. For FTP clients, the peer devices are FTP servers.
      • IP Address represents the IP address of the peer device.
      • Host represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
    • FTP Server: Displays additional IP address details.
      • Requests: Specifies the total number of FTP requests received on the command connection when the device is acting as an FTP server.
      • Responses: Specifies the number of responses that the device sent when acting as an FTP server.
      • Errors: Specifies the number of errors sent by the FTP server.
    • FTP Client: Displays additional IP address details.
      • Requests: Specifies the total number of FTP requests sent on the command connection when the device is acting as an FTP client.
      • Responses: Specifies the number of responses that the device received when acting as an FTP client.
      • Errors: Specifies the number of errors received by the FTP client.
    • Data Channel: Displays additional IP address details.
      • Requests: Specifies the number of data channel requests sent or received by the current device.
      • Connects: Specifies the number of responses sent or received by the current device.
    • Methods: Displays the FTP commands for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

      Examples of FTP commands:

      • CWD: Allows the user to work with a different directory or dataset for file storage or retrieval without altering the user's login or accounting information.
      • DELE: Causes the file specified in the path name to be deleted at the server site.
      • EPSV: Puts connection into extended passive mode.
      • LIST: Gets information for a specific working directory, if explicitly specified, or the current one if none is specified.
      • MDTM: Gets last-modified time of a file.
      • MLSD: Gets the contents of a directory.
      • PASS: Is a Telnet string specifying the user's password. This command must be immediately preceded by the user name command.
      • PASV: Requests the server-DTP to "listen" on a data port (which is not its default data port) and to wait for a connection rather than initiate one on receipt of a transfer command.
      • PORT: Is a HOST-PORT specification for the data port to be used in data connection.
      • PWD: Causes the name of the current working directory to be returned in the reply.
      • QUIT: Terminates a USER, and if file transfer is not in progress, the server closes the control connection. If file transfer is in progress, the connection will remain open for the result response, and the server will then close it.
      • RETR: Causes the server-DTP to transfer a copy of the file, specified in the path name, to the server.
      • SIZE: Gets the size of a file.
      • STOR: Causes the server-DTP to accept the data transferred via the data connection, and to store the data as a file at the server site.
      • SYST: Used to find out the type of operating system at the server.
      • TYPE: Puts the transfer mode into ASCII or Binary mode.
    • Status Codes: Displays the FTP reply codes for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

      Examples of FTP reply codes:

      • 1xx: Positive Preliminary reply
      • 2xx: Positive Completion reply
      • 3xx: Positive Intermediate reply
      • 4xx: Transient Negative Completion reply
      • 5xx: Permanent Negative Completion reply
      • 6xx: Protected reply

      Examples of specific reply codes:

      • 200: OK
      • 221: Service Closing control connection
      • 225: Data connection open
      • 226: Closing data connection
      • 227: Entering passive mode
      • 230: User logged in – proceed
      • 250: Requested file action okay
      • 500: Syntax error, command unrecognized. This may include errors such as command line too long.
      • 501: Syntax error in parameters or arguments
      • 502: Command not implemented
      • 503: Bad sequence of commands
      • 504: Command not implemented for that parameter
      • 530: Not logged in
      • 550: Requested action not taken – file not available
      • 553: Requested action not taken – filename not allowed

    The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary.

    • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    The Request Size graph displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.

    The Response Size graph displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device.

    The Transactions Per Second graph displays the number of FTP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

    The Read and Write Bytes graph displays the area chart containing the breakdown of bytes by reads and writes over time. Click and drag across the chart to select a particular region.

    You can click and drag across the chart to zoom in on a particular region. When you zoom in this way, the value in the Time Interval control adjusts automatically to reflect the selected interval. For more information about zooming in, see Zooming in on a Time Range.

Timing

    The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

    The Timing node includes the following metrics:

    • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Processing Time: Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Response Transfer Time: Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.
HTTP

    The HTTP device toolbar includes the following controls:

    • HTTP Metric Type: Displays metrics for the current device acting as an HTTP client or HTTP server.
    • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval.
    • URIs: Displays the list of HTTP URIs, number of responses, total time (ms), and processing time (ms) associated with each URI.
    • Referers: Displays the list of HTTP referer URLs and the count associated with each referer.
    • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
    • Records: Displays results for records that match the selected metric source and protocol.

    For device metrics, the HTTP page includes the following data:

    Moving the mouse pointer over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays HTTP metrics by IP addresses.
    • By Host: Displays HTTP metrics by host name.
    • By URI: Displays HTTP metrics by URI.

    For example, HTTP Requests is a top-level metric showing how many requests were received by the HTTP server during the selected time frame. Selecting By IP in the drop-down list while moving the mouse pointer over the HTTP Requests counter shows which IP addresses originated these requests.

    Selecting By URI from the drop-down list while moving the mouse pointer over the HTTP Requests counter shows which URIs were accessed by the requestors.

    • HTTP Metrics by IP Address: Click By IP in the drop-down list to display the following information in the details table.

      • IP Address: Represents the HTTP server's IP address.
      • Host: Represents the DNS host name of the HTTP server determined by passive analysis of the DNS traffic.
      • Origin Address: Represents the origin address of a client that is connected through a proxy or load balancer.
      • Device: Provides a link to the corresponding HTTP server device. For local HTTP servers, the link leads to the HTTP server device. For remote HTTP servers, the link leads to the gateway device through which the requests were routed.
      • <Metric value>: Displays the value for the selected metric.
    • HTTP Metrics by Host: Click By Host in the drop-down list to display the following information in the details table.

      • HTTP Host: Represents the virtual host as defined in the Host attribute of the HTTP request header.
      • <Metric value>: Displays the value for the selected metric.
    • HTTP Metrics by URI: Click By URI in the drop-down list to display the following information in the details table.

      • URI: Represents the full HTTP URI.
      • <Metric value>: Displays the value for the selected metric.
      • Processing Time: Represents the time in milliseconds it took to process URIs requested by the currently selected HTTP client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful HTTP responses only.
    • HTTP Client: If you select Client for the HTTP Metric Type, the Discover appliance displays the following metrics:

      • Requests: Specifies the number of requests that the device sent when acting as an HTTP client. Click to display the list of servers to which requests were sent.
      • Requests Aborted: Specifies the number of requests that the device began to send but did not send completely when acting as an HTTP client. Click to display the list of servers to which incomplete requests were sent.
      • Pipelined Requests: Specifies the number of pipelined requests that the device sent when acting as an HTTP client. Pipelined requests consist of multiple requests written to the same connection without waiting for the corresponding responses. Click to display the list of servers to which pipelined requests were sent.
      • Responses: Specifies the number of responses that the device received when acting as an HTTP client. Click to display the list of servers from which the responses were received and per-server response times. This metric also provides the detailed per-server and per-URI processing time information.
      • Responses Aborted: Specifies the number of responses that the device began to receive but did not receive completely when acting as an HTTP client. Click to display the list of servers from which incomplete responses were sent.
      • Chunked Transfers: Specifies the number of responses received that used chunked transfer coding when the device is acting as an HTTP client. Click to display the list of servers from which chunked responses were sent.
      • Compressed Transfers: Specifies the number of responses received that used 'gzip' or 'deflate' content coding when the device is acting as an HTTP client. Click to display the list of servers from which compressed responses were received.
      • Authed Requests: Specifies the number of HTTP requests that provided an Authorization request header and did not receive a 401 status code in the response. Click to display the list of servers to which authorized requests were sent.
    • HTTP Server: If you select Server for the HTTP Metric Type, the Discover appliance displays the following metrics:

      • Requests: Specifies the number of requests that the device received when acting as an HTTP server. Click to display the list of clients from which requests were received.
      • Requests Aborted: Specifies the number of requests that the device began to receive but did not receive completely when acting as an HTTP server. Click to display the list of clients from which incomplete requests were sent.
      • Pipelined Requests: Specifies the number of pipelined requests that the device received when acting as an HTTP server. Pipelined requests consist of multiple requests written to the same connection without waiting for the corresponding responses.
      • Responses: Specifies the number of responses that the device sent when acting as an HTTP server. Click to display the list of clients to which the responses were sent and per-client response times. This metric also provides the detailed per-server and per-URI processing time information.
      • Responses Aborted: Specifies the number of responses that the device began to send but did not send completely when acting as an HTTP server. Click to display the list of clients to which incomplete responses were sent.
      • Chunked Transfers: Specifies the number of responses sent that used chunked transfer coding when the device is acting as an HTTP server. Click to display the list of clients to which chunked responses were sent.
      • Compressed Transfers: Specifies the number of responses sent that used 'gzip' or 'deflate' content coding when the device is acting as an HTTP server. Click to display the list of clients to which compressed responses were sent.
      • Authed Requests: Specifies the number of HTTP requests that provided an Authorization request header and did not receive a 401 status code in the response. Click to display the list of clients from which authorized requests were sent.
    • Status Codes: Displays the HTTP response status codes for the selected time interval. Click to display additional per-client or per-server details.

    • Methods: Displays the HTTP request methods for the selected time interval. The HTTP request methods include GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, and OPTIONS, as well as dynamic method names. Click to display additional per-client or per-server details.

    The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.

    • ReqXfer: Shows the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Shows the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Shows the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    The Request Size graph displays the range of request sizes for all transactions associated with the current device. The Request Size metric does not take into account the HTTP header and only counts the number of bytes in the body in the request. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device, host, or URI.

    The Response Size graph displays the range of response sizes for all transactions associated with the current device. The Response Size metric does not take into account the HTTP header and only counts the number of bytes in the body in the response. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device, host, or URI.

    The Transactions Per Second graph displays the number of HTTP transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Errors include HTTP response status codes greater than or equal to 500. Click the red dot to see per-server or per-client details for errors associated with that dot. Click and drag across the chart to select a particular region.

    The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

    The Content Types graph displays the relative frequencies of HTTP response content types. Click to display relative frequencies within a content-type category.

    Timing

    The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

    The Timing node includes the following metrics:

    • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Processing Time: Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Response Transfer Time: Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.
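The following added example (not ExtraHop code) shows one way to derive the three timing components, the five-number summary, and the logarithmic histogram bins described above from per-transaction timestamps. The timestamp layout, the function names, the 50% share threshold, and the sample values are assumptions constructed for illustration.

```python
"""Added illustration: HTTP timing components, five-number summary, log-scale bins."""
import math
import statistics

# Constructed sample. Each tuple holds four timestamps in milliseconds:
# (request first byte, request last byte, response first byte, response last byte).
TRANSACTIONS = [
    (0.0, 2.0, 14.0, 18.0),
    (0.0, 1.0, 9.0, 12.0),
    (0.0, 3.0, 23.0, 28.0),
    (0.0, 2.0, 1502.0, 1506.0),   # slow server
    (0.0, 400.0, 410.0, 1010.0),  # slow network, large bodies
    (0.0, 1.0, 16.0, 19.0),
    (0.0, 2.0, 32.0, 36.0),
    (0.0, 0.0, 6.0, 8.0),         # request with no body: ReqXfer is 0
]


def components(txn):
    """Split one transaction into the three timing components (milliseconds)."""
    req_first, req_last, rsp_first, rsp_last = txn
    return {
        "ReqXfer": req_last - req_first,   # time to transfer the request
        "Process": rsp_first - req_last,   # request received -> response started
        "RspXfer": rsp_last - rsp_first,   # time to transfer the response
    }


def column(name):
    """All sample values of one component."""
    return [components(t)[name] for t in TRANSACTIONS]


def five_number_summary(values):
    """Return (minimum, lower quartile, median, upper quartile, maximum)."""
    data = sorted(values)
    if len(data) < 2:
        raise ValueError("need at least two samples")
    q1, median, q3 = statistics.quantiles(data, n=4, method="inclusive")
    return (data[0], q1, median, q3, data[-1])


def log_bins(values):
    """Histogram with one bin per decade: key `low` covers [low, 10 * low) ms.

    Values of 0 ms have no logarithm and are counted under the key 0.0.
    """
    bins = {}
    for v in values:
        low = 0.0 if v <= 0 else 10.0 ** math.floor(math.log10(v))
        bins[low] = bins.get(low, 0) + 1
    return dict(sorted(bins.items()))


def classify(txn, share=0.5):
    """Label a transaction by the component that dominates its total time."""
    c = components(txn)
    total = sum(c.values())
    if total <= 0:
        return "no data"
    if c["Process"] / total > share:
        return "application"          # large server processing time
    if (c["ReqXfer"] + c["RspXfer"]) / total > share:
        return "network"              # large transfer time relative to total
    return "mixed"


if __name__ == "__main__":
    for name in ("ReqXfer", "Process", "RspXfer"):
        print(name, five_number_summary(column(name)), log_bins(column(name)))
    for txn in TRANSACTIONS:
        print(components(txn), classify(txn))
```

The single 1500 ms outlier barely moves the median and quartiles, which is why the charts report a quartile-bounded interval and use a logarithmic axis to keep millisecond and second-scale events visible together.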

    HTTP-AMF

    The HTTP-AMF device toolbar includes the following controls:

    • The HTTP-AMF Metric Type drop-down list displays metrics for the current device acting as an HTTP-AMF client or HTTP-AMF server.
    • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.

    For device metrics, the HTTP-AMF page includes the following data:

    HTTP-AMF Details specifies the type of additional HTTP-AMF information displayed. Moving the mouse pointer over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays HTTP-AMF metrics by IP addresses.
    • By Target URI: Displays HTTP-AMF metrics by Target URI.

    For example, HTTP-AMF Requests is a top-level metric showing how many requests were received by the HTTP server during the selected time frame. Selecting By IP in the drop-down list while moving the mouse pointer over the Requests counter shows which IP addresses originated these requests. Selecting By Target URI from the drop-down list while moving the mouse pointer over the HTTP-AMF Requests counter shows which URIs were accessed by the requestors.

    • IP Address HTTP-AMF Metrics: Click By IP in the drop-down list to display the following information in the details table.
      • IP Address represents the HTTP-AMF server's IP address.
      • Host represents the DNS host name of the HTTP-AMF server determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding HTTP-AMF server device. For local HTTP-AMF servers, the link leads to the HTTP server device. For remote HTTP-AMF servers, the link leads to the gateway device through which the requests were routed.
      • <Metric value>: Displays the value for the selected metric.
      • Processing Time represents the time in milliseconds it took for HTTP servers to process requests for the currently selected HTTP client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful HTTP Responses only.
    • HTTP-AMF Metrics by Target URI: Click By Target URI in the drop-down list to display the following information in the details table.
      • Target URI represents the full HTTP target URI.
      • <Metric value>: Displays the value for the selected metric.
      • Processing Time represents the time in milliseconds it took to process URIs requested by the currently selected HTTP client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful HTTP Responses only.

    Click the Metric Type drop-down list and select either Client or Server to display metrics for devices acting as an HTTP-AMF client or server, respectively.

    HTTP-AMF Client: If you select Client for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests that the device sent when acting as an HTTP-AMF client.
    • Responses: Number of responses that the device received when acting as an HTTP-AMF client.
    • Errors: Number of HTTP-AMF errors for the selected time interval.
    • Requests w/o Length: Number of requests that had no length, that the device received when acting as an HTTP-AMF client.
    • Responses w/o Length: Number of responses that had no length, that the device sent when acting as an HTTP-AMF client.

    HTTP-AMF Server: If you select Server for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests that the device received when acting as an HTTP-AMF server.
    • Responses: Number of responses that the device sent when acting as an HTTP-AMF server.
    • Errors: Number of HTTP-AMF errors for the selected time interval.
    • Requests w/o Length: Number of requests that had no length, that the device received when acting as an HTTP-AMF server.
    • Responses w/o Length: Number of responses that had no length, that the device sent when acting as an HTTP-AMF server.

    IBMMQ

    The IBMMQ device toolbar includes the following controls:

    • IBMMQ Metric Type: Displays statistics for the current device acting as an IBMMQ client or server.
    • Errors: Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
    • Warnings: Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
    • PUT/GET Ratio: Displays the PUT and GET counts for each IBMMQ device.

    For device metrics, the IBMMQ page includes the following data about both client-to-server and server-to-server transactions:

    IBMMQ details specify the type of additional IBMMQ information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays IBMMQ metrics by IP addresses.
    • By Channel: Displays IBMMQ metrics by channel.
    • By Queue: Displays IBMMQ metrics by queue name.

    For example, IBMMQ Requests is a top-level metric showing how many requests were received by the IBMMQ server during the selected time frame. Selecting By IP in the drop-down list while mousing over the IBMMQ Requests counter shows which IP addresses originated these requests.

    IP Address IBMMQ Metrics: Move the mouse pointer over the counter, and click By IP in the drop-down list to display the following information in the details table.

    • IP Address: Represents the IBMMQ server's IP address.
    • Host: Represents the DNS hostname of the IBMMQ server determined by passive analysis of the DNS traffic.
    • Device: Provides a link to the corresponding IBMMQ server device. For local IBMMQ servers, the link leads to the IBMMQ server device. For remote IBMMQ servers, the link leads to the gateway device through which the requests were routed.
    • Counter Name: Identifies the metric name and count by device associated with the counter that was clicked to open this table.
    • Processing Time: Represents the time in milliseconds it took for IBMMQ servers to process requests for the currently selected IBMMQ client. Timing information is expressed as a confidence interval around the mean value bounded by one standard deviation. This metric is available for successful IBMMQ Responses only.

    IBMMQ Metrics by Channel: Move the mouse pointer over the counter, and click By Channel in the drop-down list to display the following information in the details table.

    • IBMMQ Channel: Represents the channel on which the IBM MQ communication is occurring.
    • Counter Name: Identifies the metric name and count by device associated with the counter that was clicked to open this table.

    IBMMQ Metrics by Queue: Move the mouse pointer over the counter, and click By Queue in the drop-down list to display the following information in the details table.

    • IBMMQ Queue: Represents the queue name on which the IBM MQ communication is occurring.
    • Counter Name: Identifies the metric name and count by device associated with the counter that was clicked to open this table.

    Click the Metric Type drop-down list and select either Client or Server to display statistics for the device acting as an IBMMQ client or server, respectively.

    IBMMQ Client: If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests that the device sent when acting as an IBM MQ client.
    • Responses: Number of responses that the device received when acting as an IBM MQ client.
    • Client Messages: Number of client messages that the device sent or received when acting as an IBM MQ client.
    • Server Messages: Number of server messages that the device sent or received when acting as an IBM MQ client.
    • Errors: When the device is acting as an IBM MQ client, the number of responses indicating an error, broken down by specific error.
    • Warnings: When the device is acting as an IBM MQ client, the number of responses received, broken down by IBM MQ warning message.
    • PCF Errors: When the device is acting as an IBM MQ client, the number of PCF error responses, broken down by specific error. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.
    • PCF Warnings: When the device is acting as an IBM MQ client, the number of responses received indicating a PCF warning, broken down by specific warning message. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.

    IBMMQ Server: If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table below.

    • Requests: Number of requests that the device received when acting as an IBM MQ server.
    • Responses: Number of responses that the device sent when acting as an IBM MQ server.
    • Client Messages: Number of client messages that the device sent or received while acting as an IBM MQ server.
    • Server Messages: Number of server messages that the device sent or received when acting as an IBM MQ server.
    • Errors: When the device is acting as an IBM MQ server, the number of responses indicating an error, broken down by specific error.
    • Warnings: Number of IBMMQ warnings for the selected time interval.
    • PCF Errors: Number of IBMMQ PCF errors sent or received within the selected time interval.
    • PCF Warnings: When the device is acting as an IBM MQ server, the number of responses sent indicating a PCF warning, broken down by specific warning message. Programmable command formats (PCFs) provide a way to manipulate queue manager objects, such as queues, namelists, and channels.

    Methods: Displays the IBMMQ methods for the selected time interval.

    Message Formats: Displays the IBMMQ message formats for the selected time interval.

    Note: When the system detects only server-to-server traffic, metrics that are gathered only for client-to-server transactions are zero or blank.

    Transaction Metrics: Transaction metrics display the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Mouse over each component to display a five-number statistical summary. (Client-to-server transactions only.)

    Request Size: Displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device. (Client-to-server transactions only.)

    Response Size: Displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device. (Client-to-server transactions only.)

    MQGET/MQPUT: Displays the GET and PUT count for the current device over the selected time interval. (Client-to-server transactions only.)

    PCF Details

    Click the PCF Details node to display information specific to the administrative PCF channel.

    Click the Metric Type drop-down list and select either Client or Server to display statistics for the device acting as an IBMMQ client or server, respectively.

    IBMMQ Client: If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of IBMMQ requests sent or received within the selected time interval.

    • Responses: Number of IBMMQ responses sent or received within the selected time interval.

    • Errors: Number of IBMMQ errors for the selected time interval.

    • Warnings: Number of IBMMQ warnings for the selected time interval.

    IBMMQ Server: If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table below.

    • Requests: Number of IBMMQ requests sent or received within the selected time interval.

    • Responses: Number of IBMMQ responses sent or received within the selected time interval.

    • Errors: Number of IBMMQ errors for the selected time interval.

    • Warnings: Number of IBMMQ warnings for the selected time interval.

    PCF Methods: Displays the IBMMQ PCF methods for the selected time interval.

    PCF Errors: Displays the IBMMQ PCF errors for the selected time interval.

    Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

    Error Details

    Click the Error Details node to display additional IBMMQ warnings and error details.

    ICA

    The ICA device toolbar includes the following controls:

    • ICA Metric Type: Displays metrics for devices acting as an ICA client or ICA server.

    • Users: Click the Users button to display the ICA Server or Client: Users information for that device.

      • All Names: The load time for each user over the selected time interval.
      • Name: The Citrix user ID.
      • Load Time (ms): The amount of time to load the application, including the login time. Load time is measured only for the first application that is loaded. Subsequent application data launched over the same session is recorded as a launch but does not factor into the load time.
      • Login Time (ms): The amount of time to log in to the application. Login time is a sub-component of the load time. When the user has gained access through a previous launch, there is no login, so login time for that user is 0.
      • Network Latency (ms): Displays the detected network latency between the ICA client and server as a function of time over the selected time interval.
      • Session Duration (sec): The duration of each user's session.
    • Sessions: Click the Sessions button to display the ICA Client or Server: Sessions table for the device.

      • Name: The application name.
      • Duration (s): The session duration by application.
    • Client Types: Click the Client Types button to display the ICA Client or Server: Client Types information for the device.

      • All Names: The number of launches for Citrix receivers over the selected time interval.
      • Name: The name and version of the Citrix receiver.
      • Count: Number of launches from that particular version of the receiver.
    • Auth Domain: Click the Auth Domain button to display the ICA Server or Client: Auth. Domain information for that device.

      • All Names: The load time for each user over the selected time interval.
      • Name: The device name.
      • Load Time (ms): The time from the beginning of the flow until the Discover appliance detects traffic on one of the following virtual channels:
        • Clipboard
        • Citrix Windows Multimedia Redirection
        • Citrix Control Virtual Channel
        • Zero Latency Font and Keyboard
      • Login Time (ms): The time between the transmission of the Citrix ICA packet that the client sends to the server with its credentials and the Citrix ICA packet that the server sends back to the client with the user name.
      • Network Latency (ms): Displays the detected network latency between the ICA client and server as a function of time over the selected time interval.
      • Session Duration (sec): The duration of each authentication session.

    For device metrics, the ICA page includes the following data:

    ICA details specify the type of additional ICA information displayed. Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By User: Displays ICA device information by user.
    • By Application: Displays ICA device information by application. When a Citrix flow is opaque to analysis, whether because of lost segments or RC5 encryption, the reported application name is ICA or CGP.
    • By IP: Displays ICA device information by IP address.
    • By Auth Domain: Displays ICA device information by auth domain.

    For example, ICA Requests is a top-level metric showing how many requests were received by the ICA server during the selected time frame. Selecting By IP in the drop-down list while mousing over the ICA Requests counter shows which IP addresses originated these requests.

    Applications: Contains the following metrics:

    • Launches: Total number of Citrix ICA launch commands within the selected time interval.
    • Aborts: Total number of Citrix ICA sessions that were initiated but closed before a Citrix application finished loading within the selected time interval.
    • Encrypted Sessions: Number of encrypted sessions within the selected time interval.

    ICA Client or Server: If you select Client or Server for the ICA Metric Type, the Discover appliance displays the following metrics:

    • Client Messages: Number of ICA client messages sent or received within the selected time interval.
    • Server Messages: Number of ICA server messages sent or received within the selected time interval.
    • Client CGP Messages: Number of client CGP messages sent by the client within the selected time interval. The Client Gateway Protocol (CGP) encapsulates ICA traffic.
    • Server CGP Messages: Number of CGP messages sent by the server within the selected time interval. The Client Gateway Protocol (CGP) encapsulates ICA traffic.

    iSCSI

    The iSCSI device toolbar includes the following controls:

    • iSCSI Metric Type: Displays metrics for the current device acting as an iSCSI client or iSCSI server.
    • Errors: Displays the list of error messages broken down by iSCSI initiator sent to or received by the current device over the selected time interval.
    • OpCodes: Displays the list of iSCSI operation codes broken down by iSCSI initiator sent to or received by the current device over the selected time interval.
    • Initiators: Displays the list of iSCSI initiators establishing connections to or from the current device over the selected time interval.

    For device metrics, the iSCSI page includes the following data:

    • IP Address iSCSI Metrics: Click the counters next to individual iSCSI metrics to show the IP Address iSCSI Metrics for iSCSI peer devices. For iSCSI servers, the peer devices are iSCSI clients. For iSCSI clients, the peer devices are iSCSI servers.

      • IP Address represents the IP address of the peer device.
      • Host represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
      • Target displays corresponding iSCSI targets.
    • iSCSI Server: Click the counter next to each metric to display additional IP address details.

      • Responses: Specifies the number of responses that the device sent when acting as an iSCSI target.
      • Errors: Specifies the number of errors sent by the iSCSI server.
      • Sessions: Specifies the number of iSCSI sessions that the device began when acting as an iSCSI target.
      • Reads (DataOut): Specifies the number of read operation requests that the device received when acting as an iSCSI target.
      • Writes (DataIn): Specifies the number of write operation requests that the device received when acting as an iSCSI target.
      • Header Digest: Specifies the number of operations that included optional header digests when the device is acting as an iSCSI target.
      • Data Digest: Specifies the number of operations that included optional data digests when the device is acting as an iSCSI target.
    • iSCSI Client: Click the counter next to each metric to display additional IP address details.

      • Responses: Specifies the number of responses that the device received when acting as an iSCSI initiator.
      • Errors: Specifies the number of errors sent by the iSCSI client.
      • Sessions: Specifies the number of iSCSI sessions that the device began when acting as an iSCSI initiator.
      • Reads (DataOut): Specifies the number of read operation requests that the device sent when acting as an iSCSI initiator.
      • Writes (DataIn): Specifies the number of write operation requests that the device sent when acting as an iSCSI initiator.
      • Header Digest: Specifies the number of operations that included optional header digests when the device is acting as an iSCSI initiator.
      • Data Digest: Specifies the number of operations that included optional data digests when the device is acting as an iSCSI initiator.
    • OpCodes: Displays the list of iSCSI OpCodes sent to or received by the current device over the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the OpCodes button to get OpCodes broken down by iSCSI initiator. OpCodes include:

      • Login Request
      • Login Response
      • Logout Request
      • Logout Response
      • SCSI Command
      • SCSI Response
      • Text Request
      • Text Response
      • SCSI Data-In
      • SCSI Data-Out
      • SCSI Task Management Response
      • SCSI Task Management Function Request
      • Ready To Transfer
      • Asynchronous Message
      • SNACK Request
      • Reject
      • Last
      • NOP-In
      • NOP-Out
      • Vendor-<hex>
    • Rejects: Displays the list of reject reasons sent to or received by the current device over the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the Errors button to get errors broken down by iSCSI initiator. Reject reasons include:

      • Zero
      • Reserved
      • Data Digest Error
      • SNACK Reject
      • Protocol Error
      • Command not supported
      • Protocol Error
      • Immediate Command Reject
      • Task in progress
      • Invalid Data ACK
      • Invalid PDU field
      • Long Operation Reject
      • Negotiation Reset
      • Waiting for Logout
    • Logins: Displays the iSCSI login errors for the selected time interval. Click the counter to display additional per-client or per-server IP address details. Click the Errors button to get errors broken down by iSCSI initiator.

      • Login failures
      • Target moved temporarily
      • Target moved permanently
      • Initiator error
      • Authentication failure
      • Authorization failure
      • Not found
      • Target removed
      • Unsupported version
      • Too many connections
      • Missing parameter
      • Can't include in session
      • Session type not supported
      • Session does not exist
      • Invalid request during login
      • Target error
      • Service unavailable
      • Out of resources
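The following added example (not ExtraHop code) decodes the Status-Class and Status-Detail bytes of an iSCSI Login Response header into the login error names listed above and tallies them per initiator, flagging initiators with repeated authentication failures. The byte offsets and code values follow the iSCSI specification (RFC 7143); the initiator names, sample PDUs, helper names, and the threshold of 3 are constructed assumptions.

```python
"""Added illustration: decode iSCSI Login Response status and tally it per initiator."""
import struct
from collections import Counter, defaultdict

BHS_LEN = 48            # length of the iSCSI Basic Header Segment
LOGIN_RESPONSE = 0x23   # opcode of a Login Response PDU

# (Status-Class, Status-Detail) -> name as shown in the Logins list above.
LOGIN_STATUS = {
    (0x00, 0x00): "Success",
    (0x01, 0x01): "Target moved temporarily",
    (0x01, 0x02): "Target moved permanently",
    (0x02, 0x00): "Initiator error",
    (0x02, 0x01): "Authentication failure",
    (0x02, 0x02): "Authorization failure",
    (0x02, 0x03): "Not found",
    (0x02, 0x04): "Target removed",
    (0x02, 0x05): "Unsupported version",
    (0x02, 0x06): "Too many connections",
    (0x02, 0x07): "Missing parameter",
    (0x02, 0x08): "Can't include in session",
    (0x02, 0x09): "Session type not supported",
    (0x02, 0x0A): "Session does not exist",
    (0x02, 0x0B): "Invalid request during login",
    (0x03, 0x00): "Target error",
    (0x03, 0x01): "Service unavailable",
    (0x03, 0x02): "Out of resources",
}


def make_login_response(status_class, status_detail, itt=1):
    """Build a constructed 48-byte Login Response header for the sample data."""
    bhs = bytearray(BHS_LEN)
    bhs[0] = LOGIN_RESPONSE
    struct.pack_into(">I", bhs, 16, itt)   # Initiator Task Tag
    bhs[36] = status_class
    bhs[37] = status_detail
    return bytes(bhs)


def parse_login_response(pdu):
    """Return the decoded login status; raise ValueError on a bad header."""
    if len(pdu) < BHS_LEN:
        raise ValueError("truncated BHS: %d bytes" % len(pdu))
    opcode = pdu[0] & 0x3F                 # low six bits of byte 0
    if opcode != LOGIN_RESPONSE:
        raise ValueError("not a Login Response (opcode 0x%02x)" % opcode)
    (itt,) = struct.unpack_from(">I", pdu, 16)
    key = (pdu[36], pdu[37])
    return {
        "itt": itt,
        "status_class": key[0],
        "status_detail": key[1],
        "status": LOGIN_STATUS.get(key, "Unknown (0x%02x%02x)" % key),
        "is_error": key[0] != 0x00,
    }


def tally_by_initiator(events):
    """Count non-success login statuses per initiator from (initiator, pdu) pairs."""
    tallies = defaultdict(Counter)
    for initiator, pdu in events:
        try:
            result = parse_login_response(pdu)
        except ValueError:
            tallies[initiator]["Malformed PDU"] += 1
            continue
        if result["is_error"]:
            tallies[initiator][result["status"]] += 1
    return dict(tallies)


def repeated_auth_failures(tallies, threshold=3):
    """Initiators with at least `threshold` authentication failures."""
    return sorted(i for i, c in tallies.items()
                  if c["Authentication failure"] >= threshold)


# Constructed sample data; the IQNs are hypothetical.
HOST_A = "iqn.2001-04.com.example:host-a"
HOST_B = "iqn.2001-04.com.example:host-b"
HOST_C = "iqn.2001-04.com.example:host-c"
SAMPLE = [
    (HOST_A, make_login_response(0x00, 0x00, 1)),
    (HOST_B, make_login_response(0x02, 0x01, 2)),
    (HOST_B, make_login_response(0x02, 0x01, 3)),
    (HOST_B, make_login_response(0x02, 0x01, 4)),
    (HOST_B, make_login_response(0x02, 0x02, 5)),
    (HOST_C, make_login_response(0x03, 0x01, 6)),
    (HOST_C, b"\x23\x00"),                  # truncated header
]

if __name__ == "__main__":
    result = tally_by_initiator(SAMPLE)
    for initiator, counts in result.items():
        print(initiator, dict(counts))
    print("repeated auth failures:", repeated_auth_failures(result))
```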

    The Transactions Per Second graph displays the number of iSCSI protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Read and Write Bytes graph displays the area chart containing the breakdown of bytes by reads and writes over time. Click and drag across the chart to select a particular region.

    LDAP

    The LDAP device toolbar includes the following controls:

    • LDAP Metric Type: Displays metrics for the current device acting as an LDAP client or LDAP server.
    • Errors: Displays a detailed list of error messages sent to or received by the current device over the specified time interval.
    • Servers: When acting as an LDAP client, displays a chart showing the total number of responses compared to processing time during the selected time interval.
    • Clients: When acting as an LDAP server, displays a chart showing the total number of requests compared to processing time during the selected time interval.
    • Records: Displays results for records that match the selected metric source and protocol.

    For device metrics, the LDAP page includes the following data:

    • LDAP Client: If you select Client for the LDAP Metric Type, the Discover appliance displays the following metrics. Click to display the list of servers from which responses were sent.
      • Requests: Specifies the number of LDAP requests for the selected time interval.
      • Responses: Specifies the number of responses that the device received when acting as an LDAP client.
      • Errors: Specifies the number of LDAP errors for the selected time interval.
      • Plain: Specifies the number of plain-text messages exchanged when the device is acting as an LDAP client.
      • SASL: Specifies the number of encrypted messages exchanged when the device is acting as an LDAP client.
    • LDAP Server: If you select Server for the LDAP Metric Type, the Discover appliance displays the following metrics. Click to display the list of servers from which responses were sent.
      • Requests: Specifies the number of requests that the device received when acting as an LDAP server.
      • Responses: Specifies the number of responses that the device sent when acting as an LDAP server.
      • Errors: Specifies the number of LDAP errors for the selected time interval.
      • Plain: Specifies the number of plain-text messages exchanged when the device is acting as an LDAP server.
      • SASL: Specifies the number of encrypted messages exchanged when the device is acting as an LDAP server.
    • Messages: Displays the LDAP messages for the selected time interval, such as BindRequest, BindResponse, UnbindRequest, SearchRequest, SearchResultDone and others. In the LDAP Server view, click the message counter to display clients that issued these messages. In the LDAP Client view, click the message counter to display servers that returned these messages.
    • Error Codes: Displays the LDAP errors for each LDAP error code within the selected time interval, such as invalidCredentials for LDAP error 49. Click the error counter to display devices that experienced these errors. For detailed error information, click Errors.

    The Transactions Per Second graph displays the number of LDAP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Server Processing Time graph displays the median transaction time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing-time metrics. Click and drag across the chart to select a particular region.

    The Processing Time Distribution graph displays a histogram of times it took the server to process requests. Move the cursor over each bar to display the time range it represents and the number of requests in this bin.

    Timing

    The timing charts draw data from the Time Interval drop-down list on the navigation toolbar. The LDAP Timing page contains the following:

    • LDAP Metric Type: Select Client or Server to display statistics for the current device acting as an LDAP client or server, respectively.
    • Records: Displays results for records that match the selected metric source and protocol.
    • SearchResultDone: This chart displays the median transaction time in milliseconds for SearchResultDone LDAP messages as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the transaction-time metrics.

    Memcache

    The Memcache device toolbar includes the following controls:

    • Memcache Metric Type: Displays metrics for the current device acting as a Memcache client or server.
    • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval.

    For device metrics, the Memcache page includes the following data:

    • IP Address Memcache Metrics: Click the counters next to individual Memcache metrics to show the IP Address Memcache Metrics for Memcache peer devices. For Memcache servers, the peer devices are Memcache clients. For Memcache clients, the peer devices are Memcache servers.
      • IP Address represents the IP address of the peer device.
      • Host represents the DNS hostname of the peer device determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
    • Memcache Server: Click the counter next to each metric to display additional IP address details.
      • Requests: Specifies the number of requests that the device received when acting as a Memcache server.
      • No-Replies: Specifies the number of requests for which a response was not necessarily expected and none was received, when the device is acting as a Memcache server.

        In the Memcache text protocol, when a client sends a request with the "noreply" keyword, the server performs the requested action but never sends a reply, and the Discover appliance records a no-reply.

        In the Memcache binary protocol, some kinds of requests are known as "quiet" requests. One example is the "get quietly" (getq) command: if the specified key is found, the server sends a response containing the corresponding value and the Discover appliance records a response; otherwise, the server sends nothing and the Discover appliance records a no-reply.

        If the server is responding and the Discover appliance is receiving a high-quality data feed, the number of requests should equal the number of responses plus the number of no-replies.

      • Responses: Specifies the number of responses that the device sent when acting as a Memcache server.
      • Hits: Specifies the number of items that were matched and that the device sent in response to "get" commands when acting as a Memcache server.
      • Misses: Specifies the number of items requested but not sent in response to get commands when the device is acting as a Memcache server. Misses are counted even if the server did not explicitly inform the client of the miss (for example, if the get was a quiet request).
      • Errors: Specifies the number of errors sent by the Memcache server in response to client requests. Some responses other than the default response are not considered errors because they are usually expected to occur during normal operation. For example, the NOT_FOUND reply code is not considered an error. In the Memcache text protocol analysis, only ERROR, CLIENT_ERROR, and SERVER_ERROR responses are considered errors.
    • Memcache Client: Click the counter next to each metric to display additional IP address details.
      • Requests: Specifies the number of requests that the device sent when acting as a Memcache client.
      • No-Replies: Specifies the number of requests for which a response was not necessarily expected and none was received, when the device is acting as a Memcache client.

        In the Memcache text protocol, when a client sends a request with the "noreply" keyword, the server performs the requested action but never sends a reply, and the Discover appliance records a no-reply.

        In the Memcache binary protocol, some kinds of requests are known as "quiet" requests. One example is the "get quietly" (getq) command: if the specified key is found, the server sends a response containing the corresponding value and the Discover appliance records a response; otherwise, the server sends nothing and the Discover appliance records a no-reply.

        If the server is responding and the Discover appliance is receiving a high-quality data feed, the number of requests should equal the number of responses plus the number of no-replies.

      • Responses: Specifies the number of responses that the device received when acting as a Memcache client.
      • Hits: Specifies the number of items that were matched and that the device received in response to "get" commands when acting as a Memcache client.
      • Misses: Specifies the number of items requested but not received in response to get commands when the device is acting as a Memcache client. Misses are counted even if the server did not explicitly inform the client of the miss (for example, if the get was a quiet request).
      • Errors: Specifies the number of errors sent by the Memcache server in response to client requests. Some responses other than the default response are not considered errors because they are usually expected to occur during normal operation. For example, the NOT_FOUND reply code is not considered an error. In the Memcache text protocol analysis, only ERROR, CLIENT_ERROR, and SERVER_ERROR responses are considered errors.
    • Commands: Breakdown of individual commands, organized into meaningful groups. For example, in this area the "get" group represents the get and gets commands in the Memcache text protocol and the get, getq, getk, and getkq commands in the Memcache binary protocol. In the Memcache text protocol analysis, if a single get or gets command includes multiple keys, a "get" is counted for each of those keys.
    • Reply Codes: Breakdown of reply codes. In the Memcache binary protocol analysis, for reply codes other than the default NO_ERROR, the command that produced the reply is also provided here as part of the reply code.

      EH_DIAG_* reply codes are present in early access deployments of Memcache to allow ExtraHop engineers to gather additional information about the performance of the module.
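
The counting rules described above for the Memcache text protocol, as an added example (not ExtraHop code and not part of the original guide): it tallies requests, responses, no-replies, hits, misses, and errors from a constructed client/server exchange and checks that requests equal responses plus no-replies. Counting one request per command line and the `unanswered` counter are assumptions of this example.

```python
from collections import Counter

STORAGE = {"set", "add", "replace", "append", "prepend", "cas"}
RETRIEVAL = {"get", "gets"}
# Per the text above, only these three text-protocol replies count as errors.
ERROR_REPLIES = {"ERROR", "CLIENT_ERROR", "SERVER_ERROR"}


def parse_requests(client_stream: bytes):
    """Split the client byte stream into (command, keys, noreply) tuples."""
    requests, pos = [], 0
    while (end := client_stream.find(b"\r\n", pos)) >= 0:
        fields = client_stream[pos:end].decode("ascii", "replace").split()
        pos = end + 2
        if not fields:
            continue
        cmd = fields[0].lower()
        if cmd in STORAGE and len(fields) >= 5 and fields[4].isdigit():
            pos += int(fields[4]) + 2  # skip the data block and its trailing CRLF
        keys = fields[1:] if cmd in RETRIEVAL else fields[1:2]
        noreply = cmd not in RETRIEVAL and fields[-1] == "noreply"
        requests.append((cmd, keys, noreply))
    return requests


def read_reply(server_stream: bytes, pos: int, is_get: bool):
    """Read one reply starting at pos; return (status, returned_keys, new_pos) or None."""
    returned = []
    while (end := server_stream.find(b"\r\n", pos)) >= 0:
        fields = server_stream[pos:end].decode("ascii", "replace").split()
        pos = end + 2
        if is_get and len(fields) >= 4 and fields[0] == "VALUE" and fields[3].isdigit():
            returned.append(fields[1])
            pos += int(fields[3]) + 2  # skip the value bytes and their CRLF
            continue
        return (fields[0] if fields else ""), returned, pos
    return None  # the server stream ended before a reply arrived


def tally(client_stream: bytes, server_stream: bytes) -> Counter:
    """Count the metrics the guide lists, pairing replies with requests in order."""
    c, pos = Counter(), 0
    for cmd, keys, noreply in parse_requests(client_stream):
        c["requests"] += 1
        if cmd in RETRIEVAL:
            c["get_commands"] += len(keys)  # a "get" is counted for each key
        if noreply:
            c["no_replies"] += 1  # server acts on the request but never replies
            continue
        reply = read_reply(server_stream, pos, cmd in RETRIEVAL)
        if reply is None:
            c["unanswered"] += 1  # reply expected but not seen (assumed counter name)
            continue
        status, returned, pos = reply
        c["responses"] += 1
        if status in ERROR_REPLIES:
            c["errors"] += 1
        elif cmd in RETRIEVAL:
            c["hits"] += len(returned)
            c["misses"] += len(keys) - len(returned)
    return c


def feed_is_balanced(c: Counter) -> bool:
    """Requests should equal responses plus no-replies on a healthy server and feed."""
    return c["requests"] == c["responses"] + c["no_replies"]


# Constructed sample exchange (not captured traffic).
CLIENT_STREAM = (
    b"set session:1 0 0 5\r\nhello\r\n"
    b"set audit:1 0 0 3 noreply\r\nabc\r\n"
    b"get session:1 session:2\r\n"
    b"delete session:9\r\n"
    b"bogus\r\n"
)
SERVER_STREAM = (
    b"STORED\r\n"
    b"VALUE session:1 0 5\r\nhello\r\nEND\r\n"
    b"NOT_FOUND\r\n"  # not an error: expected during normal operation
    b"ERROR\r\n"
)
# Same exchange plus one request whose reply never shows up in the server stream.
LOSSY_CLIENT_STREAM = CLIENT_STREAM + b"get session:3\r\n"

if __name__ == "__main__":
    for name, client in (("complete", CLIENT_STREAM), ("lossy", LOSSY_CLIENT_STREAM)):
        counts = tally(client, SERVER_STREAM)
        print(name, dict(counts), "balanced:", feed_is_balanced(counts))
```

A non-zero `unanswered` count is the imbalance the guide refers to: either the server did not respond or the data feed missed the reply.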

    The Transactions Per Second graph displays the number of Memcache protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Value Sizes graph displays statistical summaries of size distributions for the following values:

    • Stored: Displays the range of stored value sizes for all transactions associated with the current device. Mouse-over to display the five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean stored value size for each peer device.
    • Retrieved: Displays the range of retrieved value sizes for all transactions associated with the current device. Mouse-over to display the five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean retrieved value size for each peer device.

    The Cache Hits and Misses area chart displays the number of hits and misses as a function of time over the selected time interval.

    The Key Access Time Breakdown chart shows key access time as a function of time over the selected time interval. Key access time is the time from the last byte of the client's "get" command to the first byte of the corresponding value returned from the server. Therefore, this metric is recorded only for cache hits. The line chart displays the median and first/third quartiles of the key access time over time.

    The Key Access Time Distribution chart shows a histogram distribution of key access time over the selected time period. Key access time is the time from the last byte of the client's "get" command to the first byte of the corresponding value returned from the server. Therefore, this metric is recorded only for cache hits.

    MongoDB

    The MongoDB device toolbar includes the following controls:

    • MongoDB Metric Type: Displays metrics for the current device acting as a MongoDB client or MongoDB server.
    • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval.
    • Methods: Displays the list of methods and associated bytes sent and received by the current device for the selected time interval. Methods are broken out by key parameters, such as the accessed file name.
    • Users: Displays the list of users accessing the MongoDB server and associated bytes sent and received for the selected time interval.

    For device metrics, the MongoDB page includes the following data:

    MongoDB Details specifies the type of additional MongoDB information displayed. Moving the cursor over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays MongoDB metrics by IP address.
    • By Database: Displays MongoDB metrics by database.

    For example, MongoDB Requests is a top-level metric showing how many requests were received by the MongoDB server during the selected time frame. Selecting By IP in the drop-down list while moving the cursor over the MongoDB Requests counter shows which IP addresses originated these requests. Selecting By Database from the drop-down list while moving the cursor over the MongoDB Requests counter shows which databases were accessed by the requestors.

    • IP Address MongoDB Metrics: Click the counters next to individual MongoDB metrics to show the IP Address MongoDB Metrics for MongoDB peer devices. For MongoDB servers, the peer devices are MongoDB clients. For MongoDB clients, the peer devices are MongoDB servers.

      • IP Address: Represents the IP address of the peer device.
      • Host: Represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
      • Device: Provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
    • MongoDB Server: Click the counter next to each metric to display additional IP address details.

      • Requests: Specifies the number of requests that the device received when acting as a MongoDB server.
      • Responses: Specifies the number of responses that the device sent when acting as a MongoDB server.
      • Errors: Specifies the number of errors sent by the MongoDB server.
      • Requests Aborted: Specifies the number of requests that the device began to receive but did not receive completely when acting as a MongoDB server.
      • Responses Aborted: Specifies the number of responses that the device began to send but did not send completely when acting as a MongoDB server.
    • MongoDB Client: Click the counter next to each metric to display additional IP address details.

      • Requests: Specifies the number of requests that the device sent when acting as a MongoDB client.
      • Responses: Specifies the number of responses that the device received when acting as a MongoDB client.
      • Errors: Specifies the number of errors sent by the MongoDB client.
      • Requests Aborted: Specifies the number of requests that the device began to send but did not send completely when acting as a MongoDB client.
      • Responses Aborted: Specifies the number of responses that the device began to receive but did not receive completely when acting as a MongoDB client.
    • Methods: Displays the methods MongoDB uses to authenticate clients. Click the counter to display additional per-client or per-server IP address details.

    The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the cursor over each component to display a five-number statistical summary.

    • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    The Request Size graph displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.

    The Response Size graph displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device.

    The Transactions Per Second graph displays the number of MongoDB protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

    Timing

    The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

    The Timing node includes the following metrics:

    • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Processing Time: Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Response Transfer Time: Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.

    MSRPC

    The MSRPC device toolbar includes the following controls:

    • RPC Metric Type: Displays metrics for devices acting as an MSRPC client or server.

    For device metrics, the MSRPC page includes the following data:

    Packets: The Packets line chart displays the incoming and outgoing RPC packet rate (packets per second) over the selected time interval. Current and Max are the current and maximum packet rates. Total is the total number of packets over the selected time interval.

    Throughput: The Throughput line chart displays the incoming and outgoing RPC throughput (bits per second) over the selected time interval. Current and Max are the current and maximum throughputs. Total is the total number of bytes transferred over the selected time interval.

    RPC Metrics: Click the RPC Metrics section to display the list of RPC-specific metrics for the selected time interval. Click the counter to display additional per-client or per-server IP address details.

    Examples of RPC-specific metrics include:

    • Rejected Binds (naks): Number of binds rejected by the server. Rejected binds occur when a server sends and receives bind updates from a peer server out of order.
    • Failed EPM Binds: Number of failed End-Point Mapper binds.
    • Orphaned: Number of times a client aborted a request in progress.
    • Faults: Number of "fault" PDUs returned.
    • Canceled Operation: Number of canceled operations.
    • Fragmented Responses: Number of fragmented responses.

    Authentication Types: The Authentication Types section displays the authentication methods and protection levels in the format "AuthMethod - ProtLevel". Click the counter to display additional per-client or per-server IP address details.

    Protection levels include:

    • None: No protection level.
    • Connect: Authenticates only when the client establishes a relationship with a server.
    • Call: Authenticates only at the beginning of each remote procedure call when the server receives the request.
    • Packet: Authenticates only that all data received is from the expected client. Does not validate the data itself.
    • Packet Integrity: Authenticates and verifies that none of the data transferred between client and server has been modified.
    • Packet Privacy: Includes all previous levels, and ensures clear text data can only be seen by the sender and the receiver.

    Interfaces

    The MSRPC Interfaces sub-page displays throughput information broken out by RPC interface.

    The MSRPC device toolbar includes the following controls:

    • RPC Metric Type: Displays metrics for devices acting as an MSRPC client or server.

    The MSRPC Interfaces sub-page displays the following metrics:

    • Packets In by Interface: The Packets In by Interface area chart displays the incoming RPC packet rate (packets per second) over the selected time interval.
    • Packets Out by Interface: The Packets Out by Interface area chart displays the outgoing RPC packet rate (packets per second) over the selected time interval.
    • Bytes In by Interface: The Bytes In by Interface area chart displays the incoming RPC throughput (bits per second) over the selected time interval.
    • Bytes Out by Interface: The Bytes Out by Interface area chart displays the outgoing RPC throughput (bits per second) over the selected time interval.

    RPC interfaces include:

    • AD Setup
    • Netlogon
    • Exchange MAPI
    • AD Replication
    • AD Backup
    • LSA (Local Security Authority)
    • DCOM RIUnknown
    • DCOM RIUnknown2
    • System.Activator
    • ID Resolver
    • SAMR (Security Account Manager Remote)
    • SCM (Service Control Manager)
    • Srvsvc
    • Remote Registry
    • Exchange NSPI (Name Service Provider Interface)
    • AD XDS (Active Directory Exchange Directory Service)
    • EPM (Endpoint Mapper)
    • Exchange RFR (Exchange Referral)
    • File Replication
    • File Replication Ex
    • File Replication v1.0
    • RPC Management

    Packets

    The MSRPC Interfaces Packets sub-page displays the packet rates (in packets per second) for the selected device over the given time interval.

    The MSRPC device toolbar includes the following controls:

    • RPC Metric Type: Displays metrics for devices acting as an MSRPC client or server.

    The MSRPC Interfaces Packets sub-page displays the following metrics:

    • Packets In: Displays the incoming RPC packet rate (in packets per second) for the selected device over the given time interval.
    • Packets Out: Displays the outgoing RPC packet rate (in packets per second) for the selected device over the given time interval.

    Throughput

    The MSRPC Interfaces Throughput sub-page displays the throughput (in bits per second) for the selected device over the given time interval.

    The MSRPC device toolbar includes the following controls:

    • RPC Metric Type: Displays metrics for devices acting as an MSRPC client or server.

    The MSRPC Interfaces Throughput sub-page displays the following metrics:

    • Bytes In: Displays the incoming RPC throughput (in bits per second) for the selected device over the given time interval.
    • Bytes Out: Displays the outgoing RPC throughput (in bits per second) for the selected device over the given time interval.

    NFS

    The NFS device toolbar includes the following controls:

    • NFS Metric Type: Displays metrics for the current device acting as an NFS client or NFS server.
    • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval.
    • Methods: Displays the list of methods and associated bytes sent and received by the current device for the selected time interval. Methods are broken out by key parameters, such as the accessed file name.
    • Users: Displays the list of users accessing the NFS server and associated bytes sent and received for the selected time interval.
    • Files: Displays the list of files accessed and associated bytes sent and received for the selected time interval. The access time indicates the time to access a file on an NFS partition and is measured by timing non-pipelined commands for every READ and WRITE.
    • Records: Displays results for records that match the selected metric source and protocol.

    Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This may occur in instances when the capture process was restarted after the "mount" or a "cd" command was issued, or when the commands were lost due to desyncs.

    For device metrics, the NFS page includes the following data:

    • IP Address NFS Metrics: Click the counters next to individual NFS metrics to show the IP Address NFS metrics for NFS peer devices. For NFS servers, the peer devices are NFS clients. For NFS clients, the peer devices are NFS servers.

      • IP Address represents the IP address of the peer device.
      • Host represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
      • <Metric value> displays the value for the selected metric.
    • NFS Server: Click the counter next to each metric to display additional IP address details.

      • Responses: Specifies the number of responses that the device sent when acting as an NFS server.
      • Errors: Specifies the number of errors sent by the NFS server.
      • Retransmissions: Specifies the number of NFS requests for which the retransmission timer expired and the request was retried when the device is acting as an NFS server.
      • Reads: Specifies the number of NFS read requests that the device received when acting as an NFS server.
      • Writes: Specifies the number of NFS write requests that the device received when acting as an NFS server.
      • TCP: Specifies the number of NFS requests that the device made over TCP when acting as an NFS server. All versions of NFS can use TCP, and NFSv4 requires it.
      • UDP: Specifies the number of NFS requests that the device made over UDP when acting as an NFS server. NFSv2 and NFSv3 can use the User Datagram Protocol (UDP) to provide a stateless network connection between the client and server.
      • Aborts: Specifies the number of incomplete requests that the device received when acting as an NFS server.
    • NFS Client: Click the counter next to each metric to display additional IP address details.

      • Responses: Specifies the number of responses that the device received when acting as an NFS client.
      • Errors: Specifies the number of errors sent by the NFS client.
      • Retransmissions: Specifies the number of NFS requests for which the retransmission timer expired and the request was retried when the device is acting as an NFS client.
      • Reads: Specifies the number of NFS read requests that the device sent when acting as an NFS client.
      • Writes: Specifies the number of NFS write requests that the device sent when acting as an NFS client.
      • TCP: Specifies the number of NFS requests that the device made over TCP when acting as an NFS client. All versions of NFS can use TCP, and NFSv4 requires it.
      • UDP: Specifies the number of NFS requests made over UDP when the device is acting as an NFS client. NFSv2 and NFSv3 can use the User Datagram Protocol (UDP) to provide a stateless network connection between the client and server.
      • Aborts: Specifies the number of incomplete requests that the device sent when acting as an NFS client.
    • Authentication Methods: Displays the methods NFS uses to authenticate clients. Click the counter to display additional per-client or per-server IP address details.

    • Versions: Displays the versions of NFS traffic being processed over the selected time interval.

    • Status Codes: Displays the list of status codes sent to or received by the current device over the selected time interval.

    • Methods: Displays the NFS methods for the selected time interval.

    The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the cursor over each component to display a five-number statistical summary.

    • ReqXfer: Specifies the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Specifies the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Specifies the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    The Request Size graph displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device.

    The Response Size graph displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device.

    The Transactions Per Second graph displays the number of NFS protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    The Response Time Breakdown graph displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

    Read, Write, and FSInfo Bytes: Displays the total bytes per device transmitted within the selected time interval. Mouse over the graph to see the byte count for each metric at a specific moment in time.

    Timing

    The timing charts draw data from the Time Interval drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

    The Timing node includes the following metrics:

    • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Access Time: Displays a histogram of file access times. Move the mouse pointer over each bar to display the time range it represents and the number of requests in this bin.
    • Response Transfer Time: Displays a histogram of times it took to transfer responses from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.

    PCoIP

    The PCoIP device toolbar includes the following controls:

    Metric Type: Displays metrics for devices acting as a PCoIP client or PCoIP server.

    For device metrics, the PCoIP page includes the following data:

    Messages In: Inbound PCoIP messages.

    • Audio: Number of audio messages received in the selected time interval.
    • Other: Number of other messages received in the selected time interval.
    • USB: Number of USB messages received in the selected time interval.
    • Video: Number of video messages received in the selected time interval.

    Messages Out: Outbound PCoIP messages.

    • Audio: Number of audio messages sent in the selected time interval.
    • Other: Number of other messages sent in the selected time interval.
    • USB: Number of USB messages sent in the selected time interval.
    • Video: Number of video messages sent in the selected time interval.

    Launches: Displays the number of launches for the selected time interval.

    Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics. Click and drag across the chart to select a particular region.

    Bytes In by Channel: Displays the breakdown of incoming throughput by virtual channel.

    Bytes Out by Channel: Displays the breakdown of outgoing throughput by virtual channel.

    SMPP

    The SMPP device toolbar includes the following controls:

    • SMPP Metric Type: Displays statistics for devices acting as an SMPP client or server.
    • Errors: Click the Errors button to display the list of error messages sent to or received by devices over the selected time interval.

    For device metrics, the SMPP page includes the following data:

    • IP Address SMPP Metrics: Click the counters next to individual SMPP metrics to show the IP Address SMPP Metrics for SMPP peer devices. For SMPP servers, the peer devices are SMPP clients. For SMPP clients, the peer devices are SMPP servers.
      • IP Address represents the IP address of the peer device.
      • Host represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
      • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.

    SMPP Server: Click the counter next to each metric to break it down by device in the table at the bottom of the page.

    • Requests: Number of requests that the device received when acting as an SMPP server (SMSC).
    • Responses: Number of responses that the device sent when acting as an SMPP server (SMSC).
    • Errors: Number of SMPP errors for the selected time interval.

    SMPP Client: Click the counter next to each metric to break it down by device in the table at the bottom of the page.

    • Requests: Number of requests that the device sent when acting as an SMPP client (ESME).
    • Responses: Number of responses that the device received when acting as an SMPP client (ESME).
    • Errors: Number of SMPP errors for the selected time interval.

    Inbound Messages: The Inbound Messages section displays the inbound SMPP message types for the selected time interval. Refer to the SMPP specification for a comprehensive list of message types.

    Outbound Messages: The Outbound Messages section displays the outbound SMPP message types for the selected time interval. Refer to the SMPP specification for a comprehensive list of message types.

    Transaction Status: Displays the status codes returned by the SMPP server (SMSC) for requests sent to it by the SMPP client (ESME).

    Transactions Per Second: Displays the number of SMPP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red data points to list the peer devices associated with the errors at this point in time. Click and drag across the chart to select a particular region.

    Response Time Breakdown (ms): Displays the area chart containing median request transfer time, server processing time, and response transfer time over time in milliseconds. Click and drag across the chart to select a particular region.

    Timing

    The timing charts draw data from the Time Selector drop-down list on the navigation toolbar. The events observed during this interval are used to fill the bins of a histogram that displays a distribution of timing data. Timing charts use a logarithmic horizontal axis that simultaneously displays events that took milliseconds and those that took seconds.

    The Timing node includes the following metrics:

    • Request Transfer Time: Displays a histogram of times it took to transfer requests from the client to the server. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Processing Time: Displays a histogram of times it took the server to process requests. Mouse over each bar to display the time range it represents and the number of requests in this bin.
    • Response Transfer Time: Displays a histogram of times it took to transfer the response from the server to the client. Mouse over each bar to display the time range it represents and the number of requests in this bin.

    SMTP

    The SMTP device toolbar includes the following controls:

    • SMTP Metric Type: Displays metrics for the current device acting as an SMTP client or SMTP server.
    • Senders: Displays the list of sender email addresses (MAIL FROM command argument), bytes sent, and mean message sizes for the selected time interval.
    • Recipients: Displays the list of recipient email addresses (RCPT TO command argument), bytes received, and mean message sizes for the selected time interval.
    • Sender Domains: Displays the list of sender domains (HELO or EHLO command argument) and bytes transferred for the selected time interval.
    • Errors: Displays the list of error messages sent to or received by the current device over the selected time interval. 4xx and 5xx SMTP responses are considered errors.
    • Records: Displays results for records that match the selected metric source and protocol.

    For device metrics, the SMTP page includes the following data:

  • IP Address SMTP Metrics: Click the counters next to individual SMTP metrics to show the IP Address SMTP Metrics for SMTP peer devices. For SMTP servers, the peer devices are SMTP clients. For SMTP clients, the peer devices are SMTP servers.

    • IP Address represents the IP address of the peer device.
    • Host represents the DNS host name of the peer device determined by passive analysis of the DNS traffic.
    • Device provides a link to the corresponding peer device. For local peer devices, the link leads to that device. For remote peer devices, the link leads to the gateway device through which the requests were routed.
  • SMTP Client: Click the counter next to each metric to display additional IP address details.

    • Requests: Specifies the number of requests that the device sent when acting as an SMTP client.
    • Responses: Specifies the number of responses that the device received when acting as an SMTP client.
    • Errors: Specifies the number of 4xx and 5xx SMTP responses received by the SMTP client.
    • Sessions: Specifies the number of sessions that the device participated in when acting as an SMTP client.
    • Encrypted Sessions: Specifies the number of encrypted sessions that the device participated in when acting as an SMTP client.
    • Requests Aborted: Specifies the number of requests that the device began to send but did not send completely when acting as an SMTP client. Click to display the list of servers to which incomplete requests were sent.
    • Responses Aborted: Specifies the number of responses that the device began to receive but did not receive completely when acting as an SMTP client. Click to display the list of servers from which incomplete responses were sent.
  • SMTP Server: Click the counter next to each metric to display additional IP address details.

    • Requests: Specifies the number of requests that the device received when acting as an SMTP server.
    • Responses: Specifies the number of responses that the device sent when acting as an SMTP server.
    • Errors: Specifies the number of 4xx and 5xx SMTP responses sent by the SMTP server.
    • Sessions: Specifies the number of sessions that the device participated in when acting as an SMTP server.
    • Encrypted Sessions: Specifies the number of encrypted sessions that the device participated in when acting as an SMTP server.
    • Requests Aborted: Specifies the number of requests that the device began to receive but did not receive completely when acting as an SMTP server. Click to display the list of clients from which incomplete requests were sent.
    • Responses Aborted: Specifies the number of responses that the device began to send but did not send completely when acting as an SMTP server. Click to display the list of clients to which incomplete responses were sent.
  • Methods: Displays the SMTP methods for the selected time interval. Methods include standard SMTP methods as well as Microsoft Exchange specific methods. Click the counter to display additional per-client or per-server IP address details.

  • The Transactions Per Second graph displays the number of SMTP protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors (4xx and 5xx SMTP responses are considered errors). The volume of errors is denoted by the height of red bars under the chart. Click on the red data points to list the peer devices associated with the errors at this point in time. For detailed error information, click Errors. Click and drag across the chart to select a particular region.

    The Transaction Metrics graph displays the timing components for all transactions associated with the current device. Timing components are expressed as a confidence interval around the median value bounded by the 25th and 75th percentile values. Move the mouse pointer over each component to display a five-number statistical summary.

    • ReqXfer: Shows the request transfer time in milliseconds before the request was received by the server. A large ReqXfer value relative to the total transaction time indicates network delay. If the request size is large, some network delay due to transfer time is expected.
    • Process: Shows the server processing time in milliseconds between the time the request was received by the server and the time the response was sent. A large server processing time indicates application delay.
    • RspXfer: Shows the response transfer time in milliseconds before the server finished sending the response. A large RspXfer relative to the total transaction time indicates network delay. If the response size is large, some network delay due to transfer time is expected.

    The Request Size graph displays the range of request sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean request size for each peer device, host, or URI.

    The Response Size graph displays the range of response sizes for all transactions associated with the current device. The five-number summary includes the minimum, lower quartile, median, upper quartile, and maximum values. Click to display the mean response size for each peer device, host, or URI.

    The SMTP Throughput line chart displays the incoming and outgoing SMTP throughput (bytes per second) over the selected time interval. Click and drag across the chart to select a particular region.

    SSL

    The SSL device toolbar includes the following controls:

    • SSL Metric Type: Displays metrics for the current device acting as an SSL client or server.
    • Certificates: Displays the X.509 subject field, key type, key size, expiration dates, and number of times each certificate has been accessed.
    • Records: Displays results for records that match the selected metric source and protocol.

    For device metrics, the SSL page includes the following data:

    • Session Details: Displays the session details.

      • Connected: Specifies the number of times the current device successfully completed an SSL handshake.
      • Resumed: Specifies the number of times a prior SSL session was resumed successfully by reusing a previously negotiated session ID.
      • Decrypted: Specifies the number of SSL decrypted records encountered.
      • Aborted: Specifies the number of times the current device did not proceed past an SSL handshake.
      • Renegotiated: Specifies the number of times an SSL session was renegotiated successfully after SSL connection setup.
      • Compressed: Specifies the number of SSL compressed records encountered.
      • SSLv2 Compatible Hello: Specifies the number of times an SSLv2 hello was sent by a client.
    • Sessions by Version: Displays the number of times a particular SSL version was used in communication.

    • Cipher Suites: Displays the number of times various cryptographic cipher suites for SSL data transfer have been negotiated by this device.

      For example, TLS_RSA_WITH_AES_256_CBC_SHA indicates:

      • TLS (Transport Layer Security) is used as the cryptographic encapsulation transport.
      • RSA (the Rivest-Shamir-Adleman public-key method) is used for the asymmetric cryptographic session setup.
      • AES (Advanced Encryption Standard, formerly Rijndael) block cipher is used in 256-bit blocks.
      • CBC (Cipher Block Chaining) is used between subsequent AES-256 blocks.
      • SHA (Secure Hash Algorithm) is used in the HMAC (Hash Message Authentication Code) to ensure SSL record integrity.
    • Records by Content Type: Displays the number of records for each content type in the specified time interval.

      • Alert: Specifies the number of messages with an Alert content type (21), used to signal unexpected events.
      • Application Data: Specifies the number of messages with an Application content type (23), used to send SSL data.
      • Change Cipher: Specifies the number of messages with a ChangeCipherSpec content type (20), used to signal the beginning and end of encrypted content.
      • Handshake: Specifies the number of messages with a Handshake content type (22), used to establish the SSL connection.
    • Alerts: Displays the breakdown of alert types sent or received by the current device. This section displays unencrypted alerts gathered during the SSL handshake and any alerts that were decrypted by the Discover appliance. Alert messages can be exchanged during other stages of the SSL connection. The total number of alert messages exchanged is recorded in the Records by Content Type section, Alert metric.

    The SSL Metrics line chart displays the rate of new SSL connections initiated to (if SSL server) or from (if SSL client) the current device over the selected interval, and the rate of resumed connections. Click and drag across the chart to select a particular region.

    The Record Size candlestick chart displays the five-number summary (low, twenty-fifth percentile, median, seventy-fifth percentile, and high) of the size of SSL records being sent by the current device. The SSL specification mandates a maximum 14KB record size; however, certain commercial SSL stacks are known to violate this limit, sometimes resulting in compatibility problems.
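    The Records by Content Type and SSLv2 Compatible Hello counters described above can be reproduced from the unencrypted record headers of one direction of a reassembled stream. The Python below is an added example, not ExtraHop code: the function names and the sample byte stream are constructed for illustration, and versions are tallied per record rather than per session.

```python
import struct
from collections import Counter

# Content type codes as listed under "Records by Content Type".
CONTENT_TYPES = {20: "Change Cipher", 21: "Alert", 22: "Handshake", 23: "Application Data"}
# Record-layer version bytes (major, minor) mapped to display names.
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def tally_records(stream: bytes) -> dict:
    """Tally SSL/TLS records in one direction of a reassembled TCP stream."""
    by_type, by_version = Counter(), Counter()
    sslv2_hello, truncated, pos = 0, False, 0

    # An SSLv2-compatible hello uses a 2-byte header with the high bit set,
    # followed by message type 1 (CLIENT-HELLO). It can only open a stream.
    if len(stream) >= 3 and stream[0] & 0x80 and stream[2] == 1:
        length = struct.unpack_from(">H", stream, 0)[0] & 0x7FFF
        if 2 + length > len(stream):
            truncated, pos = True, len(stream)
        else:
            sslv2_hello, pos = 1, 2 + length

    while pos < len(stream):
        if len(stream) - pos < 5:          # incomplete 5-byte record header
            truncated = True
            break
        ctype, major, minor, length = struct.unpack_from(">BBBH", stream, pos)
        if ctype not in CONTENT_TYPES:     # not SSL/TLS, or the parser lost sync
            raise ValueError(f"unexpected content type {ctype} at offset {pos}")
        if pos + 5 + length > len(stream):  # record body cut off by the capture
            truncated = True
            break
        by_type[CONTENT_TYPES[ctype]] += 1
        by_version[VERSIONS.get((major, minor), f"unknown {major}.{minor}")] += 1
        pos += 5 + length

    return {
        "by_type": dict(by_type),
        "by_version": dict(by_version),
        "sslv2_hello": sslv2_hello,
        "truncated": truncated,
    }


def record(ctype: int, payload: bytes, version=(3, 1)) -> bytes:
    """Build one record: type, version, 16-bit length, payload."""
    return struct.pack(">BBBH", ctype, version[0], version[1], len(payload)) + payload


def constructed_client_stream() -> bytes:
    """Constructed sample: client side of a TLSv1.0 session opened with an
    SSLv2-compatible hello. Payload bytes are opaque placeholders."""
    hello_body = (
        b"\x01\x03\x01"                   # CLIENT-HELLO, offering version 3.1
        + struct.pack(">HHH", 3, 0, 16)   # cipher spec, session ID, challenge lengths
        + b"\x00\x00\x35"                 # TLS_RSA_WITH_AES_256_CBC_SHA
        + bytes(16)                       # challenge
    )
    v2_hello = struct.pack(">H", 0x8000 | len(hello_body)) + hello_body
    return b"".join([
        v2_hello,
        record(22, bytes(134)),   # Handshake (ClientKeyExchange)
        record(20, b"\x01"),      # ChangeCipherSpec
        record(22, bytes(48)),    # Handshake (encrypted Finished)
        record(23, bytes(320)),   # Application Data
        record(23, bytes(96)),    # Application Data
        record(21, bytes(24)),    # Alert (encrypted)
    ])


if __name__ == "__main__":
    print(tally_records(constructed_client_stream()))
```

    A stream that raises ValueError here is either not SSL traffic or was reassembled with missing bytes, which is worth distinguishing before trusting any of the counters.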

    VoIP

    The VoIP device toolbar includes the following controls:

    • VoIP Metric Type: Displays metrics for the current device acting as a VoIP client or server.

    SIP Invites: Displays the number of SIP invites as a function of time over the selected time interval.

    RTP In by Codec: Displays the number of RTP messages in by codec as a function of time over the selected time interval. Click the chart to view a table with the total number of messages broken down by codec.

    RTP Out by Codec: Displays the number of RTP messages out by codec as a function of time over the selected time interval. Click the chart to view a table with the total number of messages broken down by codec.

    VoIP Throughput: Displays the number of VoIP packets transmitted as a function of time over the selected time interval.

    SIP

    The SIP device toolbar includes the following controls:

    • SIP Metric Type: Displays metrics for the current device acting as a SIP client or SIP server.
    • Errors: Displays a detailed list of error messages sent to or received by the current device over the specified time interval.
    • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
    • Records: Displays results for records that match the selected metric source and protocol.

    Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays device metrics by IP address.
    • By URI: Displays device metrics by URI.

    For device metrics, the SIP page includes the following data:

    • SIP Client: If you select Client for the SIP Metric Type, the Discover appliance displays the following metrics:

      • Requests: Specifies the number of requests that the device sent when acting as a SIP client. Click the counter to display the list of servers to which requests were sent.
      • Responses: Specifies the number of responses that the device received when acting as a SIP client. Click the counter to display the list of servers from which the responses were received.
      • Response Errors: Specifies the number of response errors for the selected time interval when acting as a SIP client. Click the counter to display the list of servers associated with the errors.
    • SIP Server: If you select Server for the SIP Metric Type, the Discover appliance displays the following metrics:

      • Requests: Specifies the number of requests that the device received when acting as a SIP server. Click the counter to display the list of clients from which requests were received.
      • Responses: Specifies the number of responses that the device sent when acting as a SIP server. Click the counter to display the list of clients to which the responses were sent.
      • Response Errors: Specifies the number of response errors for the selected time interval when acting as a SIP server. Click the counter to display the list of clients associated with the errors.
    • Methods: Displays the SIP methods for the selected time interval.

    • Status Codes: The status code section displays the HTTP status codes for the selected time interval. Click the number next to each status code to display a list of URIs associated with each status code.

    Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

    Server Processing Time: Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics. Click and drag across the chart to select a particular region.

    RTP

    Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays device metrics by IP address.
    • By Codec: Displays device metrics by codec.

    For device metrics, the RTP page includes the following data:

    RTP In: Contains the following metrics:

    • Messages: The number of incoming messages associated with RTP transmissions.
    • Drops: The number of incoming packets associated with RTP transmissions which were lost in transit.
    • Duplicates: The number of incoming duplicate messages associated with RTP transmissions.
    • Out of Order: Number of incoming packets associated with RTP transmissions where the sequence number did not match the sequence number that the Discover appliance was expecting. The reordering may have been introduced at the point of origin or an intermediary. This may result in decreased call quality.

    RTP Out: Contains the following metrics:

    • Messages: The number of outgoing messages associated with RTP transmissions.
    • Drops: The number of outgoing packets associated with RTP transmissions which were lost in transit.
    • Duplicates: The number of outgoing duplicate messages associated with RTP transmissions.
    • Out of Order: Number of outgoing packets associated with RTP transmissions where the sequence number did not match the sequence number that the Discover appliance was expecting. The reordering may have been introduced at the point of origin or an intermediary. This may result in decreased call quality.

    RTP In by Codec: Displays the number of RTP packets in by codec as a function of time over the selected time interval.

    RTP Out by Codec: Displays the number of RTP packets out by codec as a function of time over the selected time interval.

    Throughput: Displays the number of RTP packets transmitted as a function of time over the selected time interval.

    Message Metrics In: The number of incoming drops, duplicates, and out of order messages associated with RTP transmissions over the selected time interval.

    Message Metrics Out: The number of outgoing drops, duplicates, and out of order messages associated with RTP transmissions over the selected time interval.

    Jitter In: An estimate of the statistical variance of the incoming RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    Jitter Out: An estimate of the statistical variance of the outgoing RTP packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    MOS In: The mean opinion score calculated for incoming packets associated with RTP transmissions.

    MOS Out: The mean opinion score calculated for outgoing packets associated with RTP transmissions.
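    The drop, duplicate, out-of-order, and jitter metrics above all derive from RTP sequence numbers, RTP timestamps, and packet arrival times. The Python below is an added example that follows the RFC 3550 approach (extended sequence numbers and the interarrival jitter estimator); it is not ExtraHop's implementation, and the function name, the 8000 Hz clock rate, and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class RtpStats:
    messages: int = 0
    drops: int = 0
    duplicates: int = 0
    out_of_order: int = 0
    jitter: int = 0  # timestamp units, unsigned integer


def analyze_rtp(packets, clock_rate=8000):
    """Summarize one RTP stream (one SSRC, one direction).

    packets: iterable of (arrival_ms, seq, rtp_timestamp) in arrival order.
    RTP timestamp wraparound (32-bit) is not handled in this sketch.
    """
    stats = RtpStats()
    seen = set()            # extended sequence numbers already received
    base = ext_max = None   # first and highest extended sequence number
    prev = None             # (arrival in timestamp units, RTP timestamp)
    jitter = 0.0

    for arrival_ms, seq, ts in packets:
        stats.messages += 1
        if ext_max is None:
            base = ext_max = ext = seq
        else:
            # Signed 16-bit distance from the highest sequence number seen,
            # so 65535 -> 0 counts as +1 rather than a jump backwards.
            delta = ((seq - ext_max + 0x8000) & 0xFFFF) - 0x8000
            ext = ext_max + delta

        if ext in seen:
            stats.duplicates += 1
            continue        # duplicates do not feed the jitter estimate
        seen.add(ext)

        if ext < ext_max:
            stats.out_of_order += 1   # arrived after a later packet
        else:
            ext_max = ext

        # RFC 3550 6.4.1: D is the change in transit time between two
        # consecutive arrivals; J is a running average with gain 1/16.
        arrival = arrival_ms * clock_rate // 1000
        if prev is not None:
            d = (arrival - prev[0]) - (ts - prev[1])
            jitter += (abs(d) - jitter) / 16
        prev = (arrival, ts)

    if base is not None:
        expected = ext_max - base + 1
        stats.drops = max(0, expected - len(seen))
    stats.jitter = int(jitter)
    return stats


# Constructed sample: 20 ms packets (160 timestamp units at 8000 Hz) whose
# sequence numbers wrap from 65535 to 0. Sequence 1 arrives late, sequence 2
# is duplicated, and sequences 3 and 4 never arrive.
SAMPLE_PACKETS = [
    (0,   65533, 0),
    (20,  65534, 160),
    (45,  65535, 320),
    (60,  0,     480),
    (100, 2,     800),
    (105, 1,     640),
    (106, 2,     800),
    (160, 5,     1280),
]

if __name__ == "__main__":
    print(analyze_rtp(SAMPLE_PACKETS))
```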

    RTCP

    Mousing over the counter next to each top-level metric opens a context menu that includes the following options in the drop-down list:

    • By IP: Displays device metrics by IP address.
    • By Canonical Name: Displays device metrics by canonical name.

    For device metrics, the RTCP page includes the following data:

    RTCP In: Contains the following metrics:

    • Sender Report Messages: The number of incoming packets transmitted by the sender from the beginning of the transmission to the time this sender report packet was generated.
    • Sender Report Drops: The number of incoming packets that were lost by the sender since the beginning of reception.
    • Receiver Report Messages: The number of incoming packets transmitted by the receiver from the beginning of the transmission to the time this receiver report packet was generated.
    • Receiver Report Drops: The number of incoming packets that were lost by the receiver since the beginning of reception.

    RTCP Out: Contains the following metrics:

    • Sender Report Messages: The number of outgoing packets transmitted by the sender from the beginning of the transmission to the time this sender report packet was generated.
    • Sender Report Drops: The number of outgoing packets that were lost by the sender since the beginning of reception.
    • Receiver Report Messages: The number of outgoing packets transmitted by the receiver from the beginning of the transmission to the time this receiver report packet was generated.
    • Receiver Report Drops: The number of outgoing packets that were lost by the receiver since the beginning of reception.

    Message Types In: The number of incoming RTCP records broken down by message type.

    Message Types Out: The number of outgoing RTCP records broken down by message type.

    Packets Lost: The number of packets that were lost since the beginning of reception.

    Sender Report Jitter In: An estimate of the statistical variance of the incoming packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    Sender Report Jitter Out: An estimate of the statistical variance of the outgoing packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    Receiver Report Jitter In: An estimate of the statistical variance of the incoming packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    Receiver Report Jitter Out: An estimate of the statistical variance of the outgoing packets' interarrival time, measured in timestamp units and expressed as an unsigned integer.

    DHCP

    The Devices DHCP page provides the following metrics and controls about devices that are sending or receiving DHCP traffic.

    • DHCP Metric Type: From the drop-down menu, select the type of metrics for the current device.
    • Errors: Displays the list of error messages sent or received by the current device over the selected time interval.
    • Clients or Servers: Displays the associated client IP addresses when the device is acting as a server, and the associated server IP addresses when acting as a client.
    • Records: Displays results for records that match the selected metric source and protocol.

    For each of the following metrics, you can hover over the count number and view information by the DHCP Metric Type you selected above.

    DHCP Server

    • Requests: Displays the number of requests that the device received.
    • Responses: Displays the number of responses that the device sent.
    • Response Errors: Displays the number of response errors.

    Requests by Message Type: Displays the number of requests that the device received for the message type.

    Responses by Message Type: Displays the number of requests that the device received for the message type.

    Transactions Per Second: Displays the number of protocol transactions per second as a function of time over the selected time interval. The chart is annotated with red data points to indicate errors. The volume of errors is denoted by the height of red bars under the chart. Click the red dot to see the number of errors that occurred at that time. Click and drag across the chart to select a particular region.

    Server Processing Time: Displays the median server processing time in milliseconds as a function of time over the selected time interval. Vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the processing time metrics.

    Processing Time Distribution: Displays a histogram of the server time taken to process requests.

    Requests by Record Type: Displays the categorization of all request types sent or received by the current device.

    Responses by Record Type: Displays the categorization of all response types sent or received by the current device.

    Toolbar and Metric Display

    Networks

    This section describes the network capture attributes, network alerts, and network traffic details. The Network page is the entry point into the network capture. The metrics that are collected and displayed here provide a summary of all network activity retrieved in the capture.

    Note: When using the Network page as the starting point for data analysis, remember that the information collected on network devices is determined by the port mirror configuration. The device is only aware of the traffic passed to it.

    In addition, if your organization uses the Command appliance to manage multiple network capture points, the Networks page displays a table of all capture points for your entire networking environment. You can click a specific network listed in the table to open the detailed Network page with metrics for that network. Otherwise, clicking the Networks button leads directly to the capture point on the local system.

    The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

    The network capture provides the following information about the capture itself as well as the Discover appliance that initiated the capture:

    • Name: The name of the network capture. The name attribute includes an icon that opens a text box to edit the name of the network capture. This text area can be used to provide a more user-friendly name for the capture.
    • Devices: The number of devices in the network capture.
    • MAC Address: The MAC address of the Discover appliance responsible for the network capture.
    • IP Address: The IP address of the Discover appliance responsible for the network capture.
    • Description: An optional detailed description of the network. This attribute includes an icon that opens a text box for a user-entered description of the network capture. This text area can be used to provide additional information about this particular network capture.
    • Alerts: A list of alerts assigned to the network. This list includes controls to add or remove network-level alerts from the network capture.
    • Pages: A list of all custom pages assigned to the network. This list includes controls to add or remove network-level custom pages from the network capture.

    The Network page is the starting point to review the capture-level metrics collected by the Discover appliance.

    To view capture-level metrics:

    1. On the Networks page, click a capture node in the list to view the capture details. The network capture details page appears.

    Edit the Name

    To edit the network capture name:

    1. On the Network page, click the edit icon to the right of the Name field.

    2. In the Name text box, enter a new name for the network capture.
    3. Click OK.

    Add a Description

    To add an optional description for the network capture:

    1. On the Network page, click the edit icon to the right of the Description field.
    2. In the Description text box, enter a description for the network capture.
    3. Click OK.

    Assign Alerts

    To assign alerts to the list of active network alerts:

    1. On the Network page, click the green add icon to the left of the Alerts field.

    2. In the Assign Alerts dialog box, select the checkbox next to the network-level alerts that you want to show in the network capture.
    3. In the Filter text box, enter an optional filter string to filter the list of alerts by name.
    4. Click OK.

    Remove Alerts

    To remove alerts from the list of active network alerts:

    1. Go to the Network page and click the Alerts tab.
    2. Click the delete icon to the left of the alert that you want to delete.

    To remove an alert assignment:

    1. On the navigation bar, click Settings and then click the Alerts icon.
    2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the network.

    Assign Custom Pages

    To assign custom pages to a network:

    1. On the Network page, click the Pages tab to see the pages assigned to this capture point.
    2. Click the add icon to the left of the Pages field to assign previously defined pages that you want to show in the network capture.
    3. In the Assign Pages dialog box, select the network-level custom pages that you want to show in the network capture.
    4. In the Filter text box, enter an optional filter string to filter the list of pages by name.
    5. Click OK.

    Remove Custom Pages

    To remove pages from the list of active network custom pages:

    1. On the Network page, click the Pages tab to see the pages assigned to this capture point.
    2. Click the delete icon to the left of the page that you want to remove from the list.

    Custom Page

    If a custom page has been assigned to a network, the name of the custom page appears in the left pane.

    To view a custom page for a network:

    1. In the left pane of the Networks page, click the name of the custom page.

    Edit Page

    Click the Edit Page button to perform one of the following actions.

    Alert History

    The Alert History sub-page provides an alert summary for network-level alerts. The Discover appliance can be configured to generate both threshold and trend-based alerts for any metric in the system. Alerts can be configured to send email notifications or SNMP traps as proactive early warnings for potential performance problems.

    The network capture Alert History page displays all alerts, including alerts that have been acknowledged previously, and the corresponding time for each alert for the current network capture. The Alert History page also includes additional information about trend alerts that have fired.

    To use the Alert History page, you must first create alerts. For more information, refer to Alert Configuration.

    To check the network capture alert history:

    1. In the left pane in the Networks functional area, click Alert History.

    2. Find a specific alert in the table.

      To sort the table by time, click the Time column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

      To sort the table by alert entry, click the Alerts column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    3. Click the alert to view more information. The Alert Details window includes the following:

      • Name: The name of the alert.
      • Expression: The metric, time interval, operator, and sensitivity that were defined when the alert was created.
      • Value: The value of the metric at the time the alert fired. This is used for comparison against the alert expression.
      • Description: The optional user-defined description of the alert.

      For trend alerts, the Trend Alert Details window includes the following:

      • Name: The name of the alert.
      • Alert Conditions: The type of alert, time interval, operator, and/or percentage of the trend that were defined when the alert was created.
      • View at Time of Alert: The alert graph from when the alert was fired.
      • View Current State: The alert graph of the current trend state of the alert.

    To view trend alerts:

    1. On the Alert History page, click the Current Trend State tab to view a list of trend-based alerts assigned to the network.

    2. Find a specific trend in the table.

      (Command appliance Only) Click the Show drop-down list and select one of the following options:

      • All Alerts: Displays alerts created on the Command appliance and the node.
      • Command appliance Alerts: Displays alerts created on the Command appliance only.
      • Local Alerts: Displays alerts created on the node only.

        To sort the table by trend, click the Trend column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

        To sort the table by metric, click the Stat column heading, and then click the arrow in the right corner of the column to sort in ascending or descending order.

    3. Click the trend name to view more information about the trend alert.

    4. Click the Alert Graphs tab to view the trend alert over time and whether or not it has fired.

      • Alert Condition Nominal: Indicates the metrics being gathered have not reached an alert state.

      • Alert Firing: Indicates the metrics being gathered have met the alert criteria.

    5. Click the Alert Rules tab to view the rules of the trend alert and whether or not it has fired.

      • Alert Condition Nominal: Displays the alert rules in green.

      • Alert Firing: Displays the alert rules in red.

    6. Click Back to Trend Alerts to return to the Current Trend State table.

    VLANs

    The VLANs sub-page displays metrics for top VLANs in packets and bytes.

    The Top VLANs (Packets) area chart displays how VLANs contribute to the total packet count for the network.

    The Top VLANs (Bytes) area chart displays how VLANs contribute to the total byte count for the network.

    Click a VLAN in the legend to view an isolated graph of its activity over time.

    VLANs Table

    The VLANs table at the bottom of the page lists the devices sending or receiving the traffic on the VLAN. You can filter the list of devices and manage the assignments for a device or group of devices. The table lists the following information for each device in the network capture:

    • Packets In: Represents the incoming packet rate.
    • Packets Out: Represents the outgoing packet rate.
    • Bytes In: Represents the incoming byte count.
    • Bytes Out: Represents the outgoing byte count.
    Details

    Click a VLAN listed in the table to list the devices sending or receiving the traffic for that VLAN. The VLAN groups appear in a table with the following headings:

    • Group: Provides a link to a list of devices in the corresponding VLAN group.
    • Packets: Represents the total packet count for the currently selected VLAN group.
    • Bytes: Represents the total byte count for the currently selected VLAN group.

    When you click a VLAN group, the VLAN device metrics appear in a table with the following headings:

    • Device: Provides a link to the corresponding device. For local devices, the link leads to that device. For remote devices, the link leads to the gateway device through which the requests were routed.
    • Packets In: Represents the incoming packet rate for the currently selected VLAN in the area chart.
    • Packets Out: Represents the outgoing packet rate for the currently selected VLAN in the area chart.
    • Bytes In: Represents the incoming byte count for the currently selected VLAN in the area chart.
    • Bytes Out: Represents the outgoing byte count for the currently selected VLAN in the area chart.
    Select Action

    Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

    • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
    • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
    • Add to Group: Adds a device to a group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a group.
    • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
    • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
    • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
    • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
    • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.
    Filter

    The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

    Devices

    The Devices sub-page within the Networks functional area lists the devices discovered on the network in the current network capture.

    The table contains the following columns:

    • Name: The primary name the device uses to communicate on the network. Names are discovered by passively monitoring a variety of naming protocols, including DNS, DHCP, NETBIOS, and Cisco Discovery Protocol. If a device name is not discovered, a NIC manufacturer-based identifier is assigned to the device by looking at the MAC address. If the MAC address range is not registered, or if it belongs to a private MAC address space, the name includes the last six characters of the MAC address (for example, Device 00000c0789b1).

      The device-type icon to the left of the device name identifies the activity primarily associated with this device.

      The device name and type can be edited by clicking on the name and using the edit tool on the Device page.

    • MAC Address: The MAC address is a unique identifier of the device network interface. For physical devices that have multiple interfaces, one entry per interface is maintained. The vendor icon, as determined by the MAC OID lookup, is displayed to the left of the MAC address.
    • VLAN: The ID of the VLAN the device is connected to.
    • IP Address: The primary IP address the device uses to communicate on the network. By default, Address Resolution Protocol (ARP) traffic is used to determine the mapping from MAC addresses to IP addresses. In the absence of such traffic, IP packet header information is used. If there is no ARP traffic, the IP address 0.0.0.0 is assigned to routing devices, such as gateways, firewalls, and load balancers, to indicate that they handle packets from many sources.
    • Discovery Time: The time when the device was first discovered. The day of the week, the calendar date, and time are displayed in the following format: Wed Aug 06 09:01.
    • Description: A user-defined description of the device. To edit the device description, click the device name and use the edit tool on the Device page.
    Multicast

    The Multicast sub-page displays metrics for multicast and broadcast traffic on the network. Well-known multicast groups include:

    • IEEE Spanning Tree (STP)
    • Address Resolution Protocol (ARP)
    • IPv6 Neighbor Discovery Protocol (NDP)
    • Cisco Discovery Protocol (CDP)
    • Cisco Shared Spanning Tree Protocol (CSSTP)
    • Alternate Spanning Multicast (ALTSM)
    • Router Information Protocol (RIP)
    • Network Time Protocol (NTP)
    • Open Shortest Path First (OSPF)
    • Multiprotocol Label Switching (MPLS)
    • Inter Switch Link (ISL)
    • Cisco VLAN Bridge (CVB)
    • Dynamic Host Configuration Protocol (DHCP) client
    • Dynamic Host Configuration Protocol (DHCP) server
    • NETBIOS Name Service
    • NETBIOS Datagram Service
    • Multicast DNS (MDNS)
    • Uncategorized L2 broadcast (L2BCAST)

    Other multicast groups are represented using the numeric form of the group address, protocol, and L4 port.

    • Packet Count by Group: Displays the packet count for each of the top-ten multicast groups.
    • Byte Count by Group: Displays the byte count for each of the top-ten multicast groups.
    • Multicast Groups: Displays the multicast group, packet group, and byte count for the selected device.
    Top Groups

    The Multicast Top Groups sub-page displays the following information:

    • The Top Groups (Packets) area chart displays how multicast groups contribute to the total packet count on the network. Click a multicast group listed in the legend to list the devices sending or receiving the traffic for that protocol in the Multicast table below.
    • The Top Groups (Bytes) area chart displays how multicast groups contribute to the total byte count on the network. Click a multicast group listed in the legend to list the devices sending or receiving the traffic for that protocol in the Multicast table below.
    • The Multicast table displays the devices sending or receiving the traffic for the selected protocols.
    Details

    The Multicast Details sub-page displays the following information:

    • The Multicast table lists all multicast groups detected on the network and associated packet and byte counts. Click a multicast group to view the devices sending or receiving the traffic for that multicast group.
    L2

    The L2 network traffic page displays metrics for OSI Layer 2 traffic by packet rate (packets per second) and throughput (in bits per second). It also provides metrics on frame count by L2 Ethertype and by frame size.

    Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

    The L2 network traffic sub-page includes the following charts:

    • The Packets line chart displays the packet rate (in packets per second) for the selected time interval. On the line chart, Current and Max identify the current and maximum packet rates for the given time period. Total identifies the total number of packets for the selected time interval. The gray bands represent the 5th to 95th percentile of the packet rate historically observed for the specific time of day and day of the week.
    • The Throughput line chart displays the throughput (in bits per second) over the selected time interval. In the chart, Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. The gray bands represent the 5th to 95th percentile of the throughput historically observed for this time of day and day of the week.
    • The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of Ethernet frame size. The values on the x-axis (64, 128, 256, 512, 1024, 1513, 1518, and Jumbo) indicate the maximum size of the frame for the category. For example, 256 represents a frame size between 129 and 256 bytes, inclusive.
    • The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (IPv4, IPv6, ARP, IPX, MPLS, LACP, STP, 802.1X, and other).
    • The Frame Count by Distribution bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 type (Unicast, Multicast, and Broadcast).
    Packets

    The Packets line chart displays the packet rate (in packets per second) for the selected time interval.

    Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

    Throughput

    The Throughput line chart displays the throughput (in bits per second) over the selected time interval.

    Note: One-second aggregation metrics are available when the specified time interval is six minutes or less. For more information, see the Time Selector section.

    Frame Details

    The Frame Details page provides bar charts to show the frame count by size and type. The Frame Details page displays the following information:

    • The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of Ethernet frame size. The values on the x-axis (64, 128, 256, 512, 1024, 1513, 1518, and Jumbo) indicate the maximum size of the frame for the category. For example, 256 represents a frame size between 129 and 256 bytes, inclusive.
    • The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (IPv4, IPv6, ARP, IPX, MPLS, LACP, STP, 802.1X, and other).
    • The Frames table displays a list of devices and the frame count in and out for a specified frame type. To select a frame type, click a bar in the Frame Count by Size or Frame Count by Type tables.
    L3

    The L3 network traffic sub-page displays metrics for OSI Layer 3 traffic by packet count per L3 network protocol and byte count per protocol. The page includes the following information:

    • IP Fragments: displays the number of IP fragments identified in the network capture.
    • Packet Count by Protocol: displays the packet count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.
    • Byte Count by Protocol: displays the byte count for each L3 protocol type. The values on the x-axis (ICMP6, TCP, UDP, and Other) identify the common L3 protocol types.
    • Devices: displays the device name, packet in/out count, byte in/out count, and IP fragment in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device. Click the device name to navigate to the device details page.
    DSCP

    The DSCP sub-page displays the number of packets containing differentiated services code point (DSCP) values. The page includes the following charts:

    • Packets by DSCP: displays the number of packets containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
    • Bytes by DSCP: displays the number of bytes containing DSCP values on the network within the selected time interval. The legend lists the DSCP values with the highest count.
    L7 Protocols

    The L7 Protocols sub-page displays metrics for OSI Layer 7 traffic by packet count and throughput (total bytes). It also provides metrics on the top devices sending or receiving network traffic. The page includes the following information:

    • Packets by Protocol: displays the packet rates for the top 10 protocols on the network.
    • Bytes by Protocol: displays the throughput for the top 10 protocols on the network.
    • Protocols: displays the devices sending and receiving traffic for the specified protocol.
    Packets

    The Packets area chart displays how applications contribute to the total packet count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Packets displays the packet rate for the protocol at the given data point on the area chart, and the color block identifies the associated protocol name.

    Throughput

    The Bytes by Application area chart displays how applications contribute to the total byte count on the network. In the chart, Date identifies the date and time for the data point on the graph that is currently being viewed. Bytes identifies the throughput for the data point that is currently being viewed in the area chart, and the color block identifies the associated protocol name.

    Details

    The L7 Protocols Details page provides a complete list of protocols, and the packet and byte count for each.

    Groups

    The Groups page provides access to all defined device groups in the system. Groups display a select group of members, filtering out the members that are not likely to be related to the traffic being examined. Group metrics are aggregated and viewable by all ExtraHop users on the network. Analyzing by group assists in troubleshooting when the problem is isolated to communication between just a few of the members on the network.

    Groups are organized into the following categories:

    • Activity Groups: Displays the activity groups that are defined automatically for the Discover appliance. The list of activity groups varies depending on the protocols in use within the network environment.
    • Custom Groups: Displays user-defined device groups configured in the Discover appliance.

    Activity Groups

    The Discover appliance automatically generates activity groups based on network traffic. A member might appear in more than one activity group if it has multiple types of traffic.

    Click All in the navigation bar drop-down list to display all activity groups. Select Client or Server to filter activity groups by devices acting as a client or server, respectively.

    The table includes the following group information:

    • Name: Specifies the name of the activity group.
    • Count: Identifies the number of devices that belong to this activity group.

    To view details about the members in an activity group:

    1. In the Name column, click the activity group name to view the group metrics.
    2. On the group metrics page, click any of the metrics in blue to view device-level statistics.
    3. In the table at the bottom of the page, click a name to view metrics about the member.

      When a name is clicked from this page, the Discover appliance Web UI redirects to the Devices functional area and opens the device statistics page for the protocol specified by the activity group. For example, when the TCP activity group is active and you click a device name, the UI opens the TCP protocol metrics page for that device.

    Custom Groups

    The Custom Groups table lists all user-defined device groups in the Discover appliance. There are two types of custom groups:

    • Static: Add devices to the group manually and modify the list of devices associated with the group. For more information, see the Static Custom Groups section.
    • Dynamic: Specify a rule that automatically adds and removes devices from the group. You can modify the criteria that define the group, but you cannot manually add or remove devices from the group. For more information, see the Dynamic Custom Groups section.

    The Filter text box above the table uses ActionScript regular expressions. Refer to ActionScript documentation for more information.

    The Custom Groups table includes the following device group information:

    • Name: Specifies the name of the device group. The icon next to the name indicates whether the device group is a static or dynamic group.

    • Count: Identifies the number of devices that belong to the device group.
    • Description: Provides a space for an optional, user-defined description.

    To view the detail page of a custom group:

    1. In the Custom Groups table, click the custom group that you want to view. The custom group details page appears.

    To view the detail page of a custom group on a Command appliance or a local node:

    1. On the Custom Groups page, click the All Groups drop-down list and select one of the following options:
      • All Groups: Displays custom groups that were created on both the Command appliance and the node.
      • Command appliance Groups: Displays custom groups that were created on the Command appliance.
      • Local Groups: Displays custom groups that were created on the node.
      Note: Custom groups created on the Command appliance automatically sync with all of its nodes, but custom groups created on individual nodes do not sync with the Command appliance.
    2. In the Custom Groups table, click the custom group that you want to view. The details page of the custom group appears.
    Table Actions

    The Custom Groups table lists the active device groups. You can filter the list of devices and manage the assignments for a device or group of devices.

    More Custom Group Page Activities
    Edit the Name

    To edit the custom group name:

    1. On the Custom Group page, click the edit icon to the right of the Name field.
    2. In the text area, enter a new name for the custom group.
    3. Click OK.
    Change the Criteria

    To change the criteria to organize the custom group:

    1. On the Custom Group page, click the edit icon to the right of the Criteria field.

    2. Click the Criteria drop-down list and select one of the following options:
      • any: Matches a substring in any device element.
      • ip address: Matches a substring in the device IP address. The IP address criteria can include CIDR notation in IP address/subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
      • name: Matches a substring in the device name. The name criteria can include the DHCP name, NETBIOS name, or DNS name.
      • node: Matches a substring in the node name.
      • mac address: Matches a substring in the device MAC address.
      • tag: Matches a substring in the user-defined device tag.
      • type: Matches a substring to a specified device attribute type. When you select type, the Find text box becomes a drop-down list. In the Find drop-down list, select from the following:
        • Activity: Includes the metric types that were active in the selected time interval. For example, selecting HTTP Server returns devices with HTTP server metrics, and any other device with the custom type set to HTTP Server.
        • Device type: Includes Gateway, Firewall, Load Balancer, File Server, and Custom Device.
        • Class: Includes Node, Remote, Custom, and Pseudo.
      • vendor: Matches a substring in the device vendor name as determined by the MAC object ID (OID) lookup.
      • vlan: Matches a substring in the device Virtual Local Area Network (VLAN) tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.

    3. In the text box, enter the characters that you want to use for the substring match. If the search string value starts and ends with a forward slash (/), the portion of the input between the slashes is interpreted as a regular expression. The regular expression must use PostgreSQL syntax. Refer to PostgreSQL documentation for more information.
    4. Click OK.
    Add a Description

    To add an optional description for the custom group:

    1. On the Custom Group page, click the edit icon to the right of the Description field.
    2. In the text area, enter a description for the custom group.
    3. Click OK.
    Assign Alerts

    To assign alert types to the list of active custom group alerts:

    1. On the Custom Group page, click the add icon to the left of the Alerts field.

    2. In the Assign Alerts dialog box, select the custom group alerts that you want to show in the network capture.

    3. In the Filter text box, provide an optional filter string to filter the list of alerts by name.
    4. Click OK.
    Remove Alerts

    To remove alerts from the list of active custom group alerts:

    1. Go to the Custom Group page and click the Alerts tab.
    2. Click the delete icon to the left of the alert that you want to delete.

    To remove an alert assignment:

    1. Go to the Settings page and click the Alerts icon.
    2. Click the name of the alert that you want to remove, click the Assignments tab, and then click the delete icon to the left of the name of the custom group.
    Assign a Trigger

    To assign a trigger to a custom group:

    1. Go to the Custom Group page and click the Triggers tab.
    2. Click the + icon next to Triggers and select the checkbox next to the trigger(s) you want to associate with the custom group.
    3. Click OK.
    Remove a Trigger

    To remove a trigger:

    1. Go to the Custom Group page and click the Triggers tab.
    2. Click the delete icon to the left of the trigger that you want to remove.
    Assign Custom Pages

    To assign custom pages to a custom group:

    1. On the Custom Group page, click the Pages tab to see the pages assigned to the custom group.
    2. Click the add icon to the left of the Pages field to assign previously defined pages that you want to show in the custom group.
    3. In the Assign Pages dialog box, select the custom page(s) that you want to show in the network capture.

    4. In the Filter text box, provide an optional filter string to filter the list of pages by name.
    5. Click OK.
    Remove Custom Pages

    To remove pages from the list of active custom group custom pages:

    1. On the Custom Group page, click the Pages tab to see the pages assigned to the custom group.
    2. Click the delete icon to the left of the page to remove it from the list.

    Assign to Flex Grid

    To assign the custom group to a flex grid:

    1. Go to the Custom Group page and click the Flex Grids tab.
    2. Click the + icon next to Flex Grids and select the checkbox next to the grid(s) where you want the custom group to appear.
    3. Click OK.
    Remove from Flex Grid

    To remove the custom group from a flex grid:

    1. Go to the Custom Group page and click the Flex Grids tab.
    2. Click the delete icon to the left of the flex grid to remove the custom group from it.
    Assign a Geomap

    To assign a geomap:

    1. Go to the Custom Group page and click the Geomaps tab.
    2. Click the + icon next to Geomaps and select the checkbox next to the geomap(s) you want to associate with the custom group.
    3. Click OK.
    Remove a Geomap

    To remove a geomap:

    1. Go to the Custom Group page and click the Geomaps tab.
    2. Click the delete icon to the left of the geomap that you want to remove.
    View All Assignments

    Click the All tab to view all assignments to the custom group.

    Static Custom Groups

    A static custom group is a user-defined grouping of devices. Once you create a static custom group, you must manually add devices to it.

    To create a new static custom group:

    1. Click Metrics.
    2. Click Custom Groups.
    3. Click the Select Action drop-down list and select Add.
    4. In the Add Custom Group dialog box, in the Name text box, enter a name for the new static custom group.
    5. For the Group Type option, select Static.
    6. In the Description text box, add a brief description for the new custom group.
    7. Click OK.

    The new static custom group does not have any devices assigned to it. To populate this new group with devices, you must select the devices to add. For information about adding a device to a group, refer to Devices.

    Dynamic Custom Groups

    Dynamic custom groups manage the collection of devices programmatically based on the criteria specified by the user. The criteria used to populate the dynamic group is a substring match. The substring can be a host name, IP address, MAC address, or any of the other defined device criteria.

    For example, it is possible to define a dynamic custom group that includes all devices in which the host name contains the substring extrahop. For this rule, devices with names such as www.extrahop.com and extrahop.net match the criteria specified in the rule and are included in the dynamic group, if they are present on the network.

    To create a new dynamic custom group:

    1. Click Metrics.
    2. Click Custom Groups.
    3. Click the Select Action drop-down list and select Add.
    4. In the Add Custom Group dialog box, in the Name text box, enter a name for the new dynamic custom group.
    5. For the Group Type option, select Dynamic with criteria.
    6. Click the drop-down list and select one of the following options:
      • ip address: Specify the device IP address. The IP address criteria can include CIDR notation in IP address/subnet prefix length format. For example, 10.10.0.0/16 for IPv4 networks or 2001:db8::/32 for IPv6 networks.
      • name: Specify the device name. Criteria can include the DHCP name, NETBIOS name, or DNS name.
      • mac address: Specify the device MAC address.
      • tag: Specify the user-defined device tag.
      • type: Specify a device type from the drop-down list. Criteria for each device type includes the following:
        • Activity: Includes the metric types that were active in the selected time interval. For example, a search for "http_server" returns devices with HTTP server metrics and any other device with the custom type set to http_server.
        • Device type: Includes Gateway, Firewall, Load Balancer, File Server, and Custom Device.
        • Class: Includes Node, Remote, Custom, and Pseudo.
      • vendor: Matches a substring in the device vendor name as determined by the MAC OID lookup.
      • vlan: Matches a substring in the device Virtual Local Area Network (VLAN) tag. VLAN information is extracted from VLAN tags, if the traffic mirroring process preserves them on the mirror port.
    7. In the text box, enter the characters that you want to use for the substring match. If the search string value starts and ends with a forward slash (/), the portion of the input between the slashes is interpreted as a regular expression. The regular expression must use PostgreSQL syntax. Refer to PostgreSQL documentation for more information.

      If you are using the type criteria, select a type from the drop-down list.

    8. In the Description text box, add a brief description for the new custom group.
    9. Click OK.

    The new dynamic custom group is populated automatically with devices that match the device criteria.
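
    The matching rules described for custom group criteria (plain substring, /regular expression/ between forward slashes, and CIDR notation for ip address), as an added example that is not ExtraHop code. It shows how a substring rule on an IP address or VLAN can pull in devices that a CIDR or anchored rule excludes. Assumptions: the device inventory is constructed, the function names are hypothetical, comparison is case-sensitive, and Python's re module stands in for PostgreSQL regular expressions (only syntax common to both is used).

```python
import ipaddress
import re

# Constructed device inventory (sample values, not from a real capture).
# Keys reuse the criteria names from the guide so a rule maps directly to a field.
DEVICES = [
    {"name": "www.extrahop.com", "ip address": "10.10.4.20",
     "mac address": "00:00:0c:07:89:b1", "tag": "web", "vlan": "10"},
    {"name": "extrahop.net", "ip address": "10.10.200.7",
     "mac address": "00:00:0c:07:89:b2", "tag": "web", "vlan": "110"},
    {"name": "db01.example.org", "ip address": "110.10.3.9",
     "mac address": "00:00:0c:07:89:b3", "tag": "database", "vlan": "20"},
    {"name": "printer-3f", "ip address": "192.168.10.10",
     "mac address": "00:00:0c:07:89:b4", "tag": "office", "vlan": "210"},
    {"name": "v6host", "ip address": "2001:db8::15",
     "mac address": "00:00:0c:07:89:b5", "tag": "lab", "vlan": "10"},
]


def is_regex(find):
    """A search string that starts and ends with '/' is a regular expression."""
    return len(find) > 2 and find.startswith("/") and find.endswith("/")


def text_matches(value, find):
    """Substring match, or regex match when the string is wrapped in slashes."""
    if is_regex(find):
        # Assumption: Python re is used here in place of PostgreSQL syntax.
        return re.search(find[1:-1], value) is not None
    return find in value


def ip_matches(ip, find):
    """ip address criteria: CIDR membership when a prefix length is given."""
    if "/" in find and not is_regex(find):
        try:
            network = ipaddress.ip_network(find, strict=False)
            address = ipaddress.ip_address(ip)
        except ValueError:
            # Not valid CIDR after all: fall back to the substring rule.
            return text_matches(ip, find)
        return address.version == network.version and address in network
    return text_matches(ip, find)


def group_members(devices, criteria, find):
    """Return the names of the devices a dynamic group rule would include."""
    members = []
    for device in devices:
        if criteria == "any":
            hit = any(text_matches(value, find) for value in device.values())
        elif criteria == "ip address":
            hit = ip_matches(device["ip address"], find)
        else:
            hit = text_matches(device[criteria], find)
        if hit:
            members.append(device["name"])
    return members


def overmatch(devices, substring, cidr):
    """Devices the substring rule includes that the CIDR rule does not."""
    wanted = set(group_members(devices, "ip address", cidr))
    loose = group_members(devices, "ip address", substring)
    return [name for name in loose if name not in wanted]


if __name__ == "__main__":
    for criteria, find in [
        ("name", "extrahop"),
        ("name", r"/^extrahop\./"),
        ("ip address", "10.10."),
        ("ip address", "10.10.0.0/16"),
        ("ip address", "2001:db8::/32"),
        ("vlan", "10"),
        ("vlan", "/^10$/"),
        ("any", "web"),
    ]:
        print(f"{criteria!r:14} {find!r:18} -> {group_members(DEVICES, criteria, find)}")
    print("substring-only members:", overmatch(DEVICES, "10.10.", "10.10.0.0/16"))
```

    Previewing a rule this way before assigning alerts or triggers to the group shows whether the group covers only the intended devices.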

    Devices

    The Devices sub-page lists the devices in the group. You can filter the list of devices and manage the assignments for a device or group of devices. You can click a device to open a detailed metrics page for that device. To return to the list of devices, click the back button in your browser.

    For information about searching for a device, refer to Device Search.

    Select Action

    Click the checkbox next to one or more devices in the table and then click the Select Action drop-down list to do the following:

    • Open in Metric Explorer: Opens the Metric Explorer to display detailed metrics for a network, application, device, or group.
    • Assign Tag: Applies a user-defined tag to a device. This tag is shown in the Tags section of the device top-level page.
    • Add to Group: Adds a device to a group. In the Add to Group dialog box, click the drop-down list and select the group to add the device to, or enter a new name to create a group.
    • Assign Alert: Applies a selected alert to a set of devices. In the Assign Alerts dialog box, you can filter by alert name and select one or more alerts to assign.
    • Assign Trigger: Applies a selected trigger to a set of devices. In the Assign Triggers dialog box, you can filter by trigger name and select one or more triggers to assign.
    • Assign Page: Applies a selected custom page to a set of devices. In the Assign Pages dialog box, you can filter by page name and select one or more pages to assign.
    • Assign to Flex Grid: Adds a selected device or set of devices to a flexible grid. In the Assign to Flex Grids dialog box, you can filter by flex grid name and add the device(s) to one or more flex grids.
    • Assign Geomap: Applies a selected geomap to a set of devices. In the Assign Geomaps dialog box, you can filter by geomap name and select one or more geomaps to assign.

    Geomaps

    The Geomaps sub-page lists the geomaps associated with the group. Geomaps display worldwide activity based on the metrics defined in that geomap. For more information about geomap settings, refer to Geomaps.

    The Geomaps sub-page displays the following information:

    • Geomap: displays the name of the geomap.
    • Metric: displays the metric displayed in the geomap.
    • Description: displays a description of the geomap.

    For more information about the geomap interface, refer to Geomap Interface.

    L2

    For device and group metrics, the L2 page includes the following data:

    • VLAN Tagged: The number of frames containing VLAN tags observed over the selected time interval. In reflects the number of VLAN-tagged frames received by the device. Out reflects the number of VLAN-tagged frames sent by the device.
    • Packets: The Packets line chart displays the incoming and outgoing packet rate (packets per second) over the selected time interval. Current and Max identify the current and maximum packet rates for the given time period, respectively. Total identifies the total number of packets for the selected time interval. To view specific statistics for each data point, hover the mouse across the chart to see the packets per second value for each unit on the x-axis of the graph.
    • Throughput: The Throughput line chart displays the incoming and outgoing throughput (bits per second) over the selected time interval. Current and Max identify the current and maximum throughputs. Total identifies the total number of bytes transferred over the selected time interval. To view specific statistics for each data point, move the mouse pointer across the chart to see the throughput in megabits per second for each unit on the x-axis of the graph.
    • Frame Count by Size: The Frame Count by Size bar chart displays a logarithmic-scale histogram of the distribution of incoming and outgoing Ethernet frame size.
    • Frame Count by Type: The Frame Count by Type bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 Ethertype (ipv4, ipv6, arp, ipx, mpls, lacp, stp, 802.1X, and other).
    • Frame Count by Distribution: The Frame Count by Distribution bar chart displays a logarithmic-scale histogram of the distribution of frames by L2 type (unicast, multicast, and broadcast).

    Packets

    The L2 Packets sub-page displays the following information:

    • Packets In: displays how members contribute to the total incoming packet count for the group.
    • Packets Out: displays how members contribute to the total outgoing packet count for the group.

    Throughput

    The L2 Throughput sub-page displays the following information:

    • Bytes In: displays how members contribute to the total incoming byte count for the group.
    • Bytes Out: displays how members contribute to the total outgoing byte count for the group.

    L3

    For device and group metrics, the L3 page includes the following data:

    • IP Fragments: Displays the IP fragments in and out for the device or group.
    • Packet Count by Protocol: The Packet Count by Protocol bar chart displays the incoming and outgoing packet count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol.
    • Byte Count by Protocol: The Byte Count by Protocol bar chart displays the incoming and outgoing byte count for each L3 protocol type. Click a bar in the chart to display the table of devices transmitting or receiving the selected L3 protocol. IP types include TCP, UDP, ICMP, SCTP, IPSEC, GRE, ICMP6, VRRP, and OTHER.
    • Devices and Peer Devices: Displays IP addresses and host names with which the device or group communicates, packet in/out count, and byte in/out count for the currently selected L3 protocol. If no L3 protocol is selected, the packet count and byte count are the sums of all L3 protocol counts for the device or group. Click the device name to navigate to the device.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    L4 TCP

    For group metrics, the TCP page includes the following data:

    • Connections: The TCP connection metrics for all members in the current group.

      • Accepted: Number of connections accepted by all members in the current group. Click to break down the number of outgoing connections by each group member in the table at the bottom of the page.
      • Connected: Number of connections initiated by all members in the current group. Click to break down the number of incoming connections by each group member in the table at the bottom of the page.
      • Closed: Number of connections closed to or from any member in the current group. Closed connections are explicitly shut down by at least one of the endpoints. Click to break down the number of closed connections by each group member in the table at the bottom of the page.
      • Expired: Number of connections to or from any member in the current group no longer tracked due to inactivity. Click to break down the number of expired connections by each group member in the table at the bottom of the page.
      • Desync: Number of times synchronization was lost when processing TCP connections from or to any member in the current group. Click to break down the number of desyncs by each group member in the table at the bottom of the page.
    • In: The incoming connection metrics for all members in the current group.

      • Aborts: Number of connections aborted by the peer of any member in the current group. Click to break down the number of aborts received by each group member in the table at the bottom of the page.

      • Resets: Number of RSTs received by all members in the current group. Click to break down the number of RSTs received by each group member in the table at the bottom of the page.

        TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving member failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets may be used to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

      • SYNs Received: Number of SYNs received by all members in the current group. Click to break down the number of SYNs received by each group member in the table at the bottom of the page.

      • SYNs Unanswered: Number of SYNs received by all members in the current group for which there were no corresponding ACKs. Click to break down the number of SYNs sent by each group member in the table at the bottom of the page.

      • Stray Segments: Number of unexpected TCP packets received by all members in the current group. Click to break down the number of stray segments received by each group member in the table at the bottom of the page.

      • Dropped Segments: Number of episodes in which a segment or a series of segments were lost on the way to the current member and required retransmission. Large values of this counter may indicate network congestion or link reliability problems. Click to break down the number of inbound dropped segments by each group member in the table at the bottom of the page.

      • Zero Window: Number of zero window advertisements received by all members in the current group. A zero window indicates the connection has stalled because the peer member cannot handle the rate of data sent. Click to break down the number of inbound zero window advertisements by each group member in the table at the bottom of the page.

      • Rcv Wnd Throttles: Number of times the advertised receive window of the peer member limits the throughput of the connection. Click to break down the number of inbound receive window throttles by each group member in the table at the bottom of the page.

      • Snd Wnd Throttles: Number of send window throttles. This indicates that the TCP congestion avoidance on the peer member might be too conservative. Click to break down the number of inbound send window throttles by each group member in the table at the bottom of the page.

      • SYNs w/o Timestamps: Number of SYNs without the TCP timestamp option received by all members of the current group. Click to break down the number of inbound SYNs without timestamps by each group member in the table at the bottom of the page.

      • SYNs w/o SACK: Number of SYNs without the TCP SackOK option received by all members of the current group. Click to break down the number of inbound SYNs without the TCP SackOK option by each group member in the table at the bottom of the page.

      • RTOs: Number of retransmission timeouts caused by congestion as peers were sending data to the members of the current group. Click to break down the number of inbound RTOs by each group member in the table at the bottom of the page.

      • PAWS-Dropped SYNs: Number of PAWS-dropped SYNs. This indicates that a connection failed to initiate because the current member interpreted the SYN as belonging to a previous connection. Click to break down the number of inbound PAWS-Dropped SYNs by each group member in the table at the bottom of the page.

      • Bad Congestion Control: Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the peer member is sending too much data, resulting in network congestion and dropped packets. Click to break down the number of bad congestion control events by each group member in the table at the bottom of the page.

      • TCP Flow Stalls: Number of events in which the group was not responsive. Click to break down the number of non-responsive events by each group member in the table at the bottom of the page.

    • Out: The outgoing connection metrics for all members in the current group.

      • Aborts: Number of connections aborted by any member in the current group. Aborted connections are reset explicitly by one of the endpoints. In some cases, this indicates that an error occurred. Click to display the number of aborts each group member initiated in the table at the bottom of the page.

      • Resets: Number of RSTs sent by all members in the current group. Click to break down the number of RSTs sent by each group member in the table at the bottom of the page.

        TCP resets indicate that a reset packet was sent to forcibly end the TCP connection, and can be used in a variety of situations. Sometimes resets are sent when the receiving member failed to ACK the SYN packet, or it failed to acknowledge another packet sent and retransmitted later in the transaction. Other times, resets may be used to quickly and efficiently end an existing connection to free up resources for more traffic. High volumes of outbound resets should be investigated to determine if they are expected behavior or indicative of a larger issue.

      • SYNs Sent: Number of SYNs sent by all members in the current group. Click to break down the number of SYNs sent by each group member in the table at the bottom of the page.

      • SYNs Unanswered: Number of SYNs sent by all members in the current group for which there were no corresponding ACKs. Click to break down the number of SYNs received by each group member in the table at the bottom of the page.

      • Dropped Segments: Number of episodes in which a segment or a series of segments were lost on the way to the current member and required retransmission. Large values of this counter may indicate network congestion or link reliability problems. Click to break down the number of outbound dropped segments by each group member in the table at the bottom of the page.

      • Tinygrams: Number of tinygrams sent by the current member. This indicates that the TCP payload is being segmented inefficiently, resulting in more packets on the network. Click to break down the number of outbound tinygrams by each group member in the table at the bottom of the page.

      • Nagle Delays: Number of Nagle delays sent by the current member. This indicates connection delays due to a bad interaction between Nagle's Algorithm and delayed ACKs. Click to break down the number of outbound Nagle delays by each group member in the table at the bottom of the page.

         Learn more about Nagle delays on the ExtraHop Forum

      • Zero Window: Number of zero window advertisements sent by all members in the current group. A zero window indicates the connection has stalled because the peer member cannot handle the rate of data sent. Click to break down the number of outbound zero window advertisements by each group member in the table at the bottom of the page.

      • Slow Starts: Number of slow starts sent by the current member. This indicates that TCP slow start congestion avoidance has reduced connection throughput. Click to break down the number of outbound slow starts by each group member in the table at the bottom of the page.

      • Rcv Wnd Throttles: Number of times the advertised receive window of the current member limits the throughput of the connection. Click to break down the number of outbound receive window throttles by each group member in the table at the bottom of the page.

      • Snd Wnd Throttles: Number of send window throttles. This indicates that the TCP congestion avoidance on the current member might be too conservative. Click to break down the number of outbound send window throttles by each group member in the table at the bottom of the page.

      • SYNs w/o Timestamps: Number of SYNs without the TCP timestamp option sent by all members of the current group. Click to break down the number of outbound SYNs without timestamps by each group member in the table at the bottom of the page.

      • SYNs w/o SACK: Number of SYNs without the TCP SackOK option sent by all members of the current group. Click to break down the number of outbound SYNs without the TCP SackOK option by each group member in the table at the bottom of the page.

      • RTOs: Number of retransmission timeouts caused by congestion as members of the current group were sending data to their peers. Click to break down the number of outbound RTOs by each group member in the table at the bottom of the page.

      • Retransmissions: Number of times data is resent by the current member. Click to break down the number of outbound retransmissions by each group member in the table at the bottom of the page.

      • Out of Order: Number of packets sent by the member where the TCP sequence number did not match the sequence number that the Discover appliance was expecting. The reordering may have been introduced at the member itself or by an intermediate member. This can result in reduced connection throughput, increased processing load on the peer member, and additional ACK packets on the network. Click to break down the number of outbound retransmissions by each group member in the table at the bottom of the page.

      • Bad Congestion Control: Number of events with bad congestion control, which occurs when the system receives RTOs with in-flight data greater than twice the prior congestion window. This indicates that the current member is sending too much data, resulting in network congestion and dropped packets. Click to break down the number of outbound bad congestion control events by each group member in the table at the bottom of the page.

      • TCP Flow Stalls: Number of events in which the group was not responsive. Click to break down the number of non-responsive events by each group member in the table at the bottom of the page.

      • Round-Trip Time (ms): Displays the median round-trip time (RTT) in milliseconds (ms) from the current objects to clients as a function of time over the selected time interval. The vertical dotted lines indicate the upper and lower quartiles (75th and 25th percentiles) of the round-trip time metrics.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.
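
    The per-member breakdowns of the Connections and Out counters above can be triaged by normalizing them against connection volume, so that busy members are not flagged on raw counts alone. The following is an added example, not part of the ExtraHop guide or product; the row layout, the sample values, and all four thresholds are assumptions made for illustration.

```python
# Constructed per-member rows, keyed by counter names from the lists above.
# How the values are exported from the table is outside this example.
SAMPLE_MEMBERS = {
    "app-01":    {"Accepted": 9000, "Connected": 1180, "SYNs Sent": 1200,
                  "SYNs Unanswered": 18, "Resets": 40},
    "hr-pc-22":  {"Accepted": 0, "Connected": 530, "SYNs Sent": 5400,
                  "SYNs Unanswered": 4870, "Resets": 12},
    "db-02":     {"Accepted": 4000, "Connected": 20, "SYNs Sent": 20,
                  "SYNs Unanswered": 0, "Resets": 1608},
    "lab-03":    {"Accepted": 0, "Connected": 0, "SYNs Sent": 4,
                  "SYNs Unanswered": 4, "Resets": 0},
    "printer-9": {"Accepted": 0, "Connected": 0, "SYNs Sent": 0,
                  "SYNs Unanswered": 0, "Resets": 0},
}


def ratio(numerator, denominator):
    """Return numerator/denominator, or 0.0 when the denominator is zero."""
    return numerator / denominator if denominator else 0.0


def triage_tcp_out(members, min_syns=100, unanswered_share=0.5,
                   min_resets=100, reset_share=0.25):
    """Flag members whose outbound TCP counters deserve a closer look.

    unanswered-syns: most SYNs the member sent never got an ACK.
    reset-heavy:     RSTs sent are a large share of the member's connections.
    The minimum-volume guards keep idle members (a few SYNs, all unanswered)
    from producing findings. All thresholds are assumed values.
    """
    findings = []
    for name in sorted(members):
        counters = members[name]
        syns_sent = counters.get("SYNs Sent", 0)
        syn_share = ratio(counters.get("SYNs Unanswered", 0), syns_sent)
        if syns_sent >= min_syns and syn_share >= unanswered_share:
            findings.append((name, "unanswered-syns", round(syn_share, 2)))

        resets = counters.get("Resets", 0)
        connections = counters.get("Accepted", 0) + counters.get("Connected", 0)
        rst_share = ratio(resets, connections)
        if resets >= min_resets and rst_share >= reset_share:
            findings.append((name, "reset-heavy", round(rst_share, 2)))
    return findings


if __name__ == "__main__":
    for member, finding, value in triage_tcp_out(SAMPLE_MEMBERS):
        print(f"{member}: {finding} ({value})")
```

    A finding is a starting point for the per-member drill-down in the table, not a verdict; as the Resets description notes, the volume may turn out to be expected behavior.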

    L7 Protocols

    For group-level metrics, the L7 Protocols page includes a table with the following data:

    • Protocol: The name of the protocol present in the group.
    • Packets In: The total incoming packet count for the protocol.
    • Packets Out: The total outgoing packet count for the protocol.
    • Bytes In: The total incoming byte count for the protocol.
    • Bytes Out: The total outgoing byte count for the protocol.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    AAA

    The AAA groups toolbar includes the following controls:

    • Metric Type: Click the Metric Type drop-down list and select either Client or Server to display metrics for devices in the current group acting as an AAA client or AAA server, respectively.
    • Errors: Click the Errors button to display the list of error messages sent to or received by the current member over the time interval. Errors are formatted as follows: Results-Code-Description:Session-Id:Error-Reporting-Host:Subscription-ID-Data.

      Session-Id frequently contains multiple semicolon-separated records. Error-Reporting-Host is not always present.

    • Records: Displays results for records that match the selected metric source and protocol.

    For group metrics, the AAA page includes the following data:

    AAA Client: If you select Client for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of AAA requests for the selected time interval.
    • Responses: Number of AAA responses for the selected time interval.
    • Errors: Number of AAA errors for the selected time interval.
    • Aborts: Number of AAA aborted requests for the selected time interval.
    • Diameter Requests: Number of Diameter requests for the selected time interval.
    • Radius Requests: Number of RADIUS requests for the selected time interval.

    AAA Server: If you select Server for the AAA Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of AAA requests for the selected time interval.
    • Responses: Number of AAA responses for the selected time interval.
    • Errors: Number of AAA errors for the selected time interval.
    • Aborts: Number of AAA aborted requests for the selected time interval.
    • Diameter Requests: Number of Diameter requests for the selected time interval.
    • Radius Requests: Number of RADIUS requests for the selected time interval.

    Messages: Selected message types for the AAA server.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    CIFS

    The CIFS groups toolbar includes the following controls:

    • CIFS Metric Type: Displays metrics for devices in the current group acting as a CIFS client or server, respectively.
    • Errors: Displays the list of error messages sent to or received by devices in the current group over the selected time interval.
    • Warnings: Displays the list of warning messages sent to or received by devices in the current group over the selected time interval.
    • Methods: Displays the list of methods and associated bytes sent and received by devices in the current group during the selected time interval. Methods are broken out by key parameters, such as the accessed file name.
    • Users: Displays the list of users accessing the file server and associated bytes sent and received for the selected time interval.
    • Files: Displays the list of files accessed and associated bytes sent and received for the selected time interval. Access Time indicates the time it took for the server to access a file on disk.
    • Records: Displays results for records that match the selected metric source and protocol.

    Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This may occur in instances when the capture process was restarted after the "mount" or a "cd" command was issued, or when the commands were lost due to desyncs.

    For group metrics, the CIFS page includes the following data:

    • CIFS Server: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

      • Responses: Specifies the number of responses sent by the CIFS server.
      • Errors: Specifies the number of errors sent by the CIFS server.
      • Warnings:
      • Reads: Specifies the number of read operations requested from the CIFS server.
      • Writes: Specifies the number of write operations requested from the CIFS server.
      • Locks: Specifies the number of lock operations requested from the CIFS server.
    • CIFS Client: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

      • Responses: Specifies the number of responses received by the CIFS client.
      • Errors: Specifies the number of errors sent by the CIFS client.
      • Warnings:
      • Reads: Specifies the number of read operations requested by the CIFS client.
      • Writes: Specifies the number of write operations requested by the CIFS client.
      • Locks: Specifies the number of lock operations requested by the CIFS client.
    • Methods: Displays the CIFS methods for the selected time interval.

      Click the counter next to the method to break it down by group members in the table.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    Database

    The Database groups toolbar includes the following controls:

    • Database Metric Type: Displays metrics for members in the current group acting as a database client or server, respectively.
    • Errors: Displays the list of error messages sent to or received by members in the current group over the time interval.
    • Methods: Displays the list of names and the associated processing times for the stored procedures executed within the databases belonging to the current group during the selected time interval.
    • Users: Displays the list of users accessing the database servers in this group and associated bytes sent and received for the selected time interval.

    For group metrics, the Database page includes the following data:

    • Database Client: If you select Client for the Database Metric Type, the Discover appliance displays the following metrics. Click the counter to break down the responses by group members in the table at the bottom of the page.
      • Responses: Specifies the number of database protocol responses received by all members of the current group during the selected time interval.
      • Errors: Specifies the number of database protocol errors received by all members of the current group during the selected time interval.
      • Requests Aborted: Specifies the number of requests that members of the group began to send but did not send completely when acting as a database client.
      • Responses Aborted: Specifies the number of responses that members of the group began to receive but did not receive completely when acting as a database client.
    • Database Server: If you select Server for the Database Metric Type, the Discover appliance displays the following metrics. Click the counter to break down the responses by group members in the table at the bottom of the page.
      • Responses: Specifies the number of database protocol responses sent by all members of the current group during the selected time interval.
      • Errors: Specifies the number of database protocol errors sent by all members of the current group during the selected time interval.
      • Requests Aborted: Specifies the number of requests that members of the group began to receive but did not receive completely when acting as a database server.
      • Responses Aborted: Specifies the number of responses that members of the group began to send but did not send completely when acting as a database server.
    • Methods: Displays the database methods for the selected time interval.

      Click the counter next to the method to break it down by group members in the table.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    All Methods

    The Database groups toolbar includes the following controls:

    • Database Metric Type: Displays metrics for members in the current group acting as a database client or server, respectively.
    • Records: Displays results for records that match the selected metric source and protocol.

    The All Methods page contains the following information:

    • Methods: This section displays the database methods for the selected time interval. Click to display additional per-client or per-server details.
    • Database Client: This table lists the peer members associated with the database client.
    • Database Server: This table lists the peer members associated with the database server.

    Processing Time

    The Database groups toolbar includes the following controls:

    • Database Metric Type: Displays metrics for members in the current group acting as a database client or server, respectively.
    • Records: Displays results for records that match the selected metric source and protocol.

    The Processing Time page contains the following information:

    The Server Processing Time bar graph shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

    DNS

    The DNS groups toolbar includes the following controls:

    • DNS Metric Type: Displays metrics for members in the current group acting as a DNS client or DNS server, respectively.
    • Errors: Displays the number of query errors by host.
    • Host Queries: Displays the list of DNS queries made to or from any member in the current group. The list is sorted by Host Query frequency. Click the Query Errors header to sort the list by the number of DNS errors encountered.
    • Records: Displays results for records that match the selected metric source and protocol.

    For group metrics, the DNS page includes the following data:

    • DNS Client: If you select Client for the DNS Metric Type, the Discover appliance displays the following metrics. Click the metric to break down DNS requests by group members in the table at the bottom of the page.

      • Requests: Specifies the number of DNS requests made by all members of the group.
      • Request Timeouts: Specifies the number of DNS requests made by any member of the group to which no response was received.
      • Truncated Requests: Specifies the number of malformed, truncated DNS requests sent by any member of the group.
      • Responses: Specifies the number of DNS responses received by all members of the group.
      • Response Errors: Specifies the number of DNS response errors received by all members of the group.
      • Truncated Responses: Specifies the number of malformed, truncated DNS responses received by all members of the group.
    • DNS Server: If you select Server for the DNS Metric Type, the Discover appliance displays the following metrics. Click the metric to break down DNS requests by group members in the table at the bottom of the page.

      • Requests: Specifies the number of DNS requests received by all members of the group.
      • Request Timeouts: Specifies the number of DNS requests received by any member of the group to which no response was sent.
      • Truncated Requests: Specifies the number of malformed, truncated DNS requests received by all members of the group.
      • Responses: Specifies the number of DNS responses sent by all members of the group.
      • Response Errors: Specifies the number of DNS response errors sent by all members of the group.
      • Truncated Responses: Specifies the number of malformed, truncated DNS responses sent by all members of the group.
    • Requests by Opcode: Shows the breakdown of all opcodes sent (if server) or received (if client) by members in the selected group. For each opcode, click to break down by group members in the table at the bottom of the page.

      • Query: Specifies the number of DNS QUERY Opcodes sent or received by all members of the group. DNS Queries are the most-frequently encountered DNS Opcode type.
      • Notify: Specifies the number of DNS NOTIFY Opcodes sent or received by all members of the group. DNS Notify is used as a synchronization method between DNS servers.
      • Update: Specifies the number of DNS UPDATE Opcodes sent or received by all members of the group. DNS Update is used as a synchronization method between DNS servers.
      • Other: Specifies the number of other miscellaneous DNS Opcodes sent or received by all members of the group.
    • Requests by Record Type: Shows the breakdown of all request types sent or received by members in the selected group. For each query type, click to break down by group members in the table at the bottom of the page.

      The request query bar categories displayed include:

      • A. Address
      • NS. Name Server
      • CNAME. Canonical Name
      • SOA. Start Of Authority
      • PTR. Pointer Record
      • MX. Mail Exchanger
      • TXT. Text
      • AAAA. IPv6 Address
      • SRV. Service
      • TSIG. Secured Signed Request class
      • IXFR. Incremental Zone Transfer
      • AXFR. Zone Transfer
      • ANY. Any available
      • Other. All other categories
    • Responses by Record Type: Shows the breakdown of all record types sent (if server) or received (if client) by members in the selected group. For each query type, click to break down by group members in the table at the bottom of the page.

      The request query bar categories displayed include:

      • A. Address
      • NS. Name Server
      • CNAME. Canonical Name
      • SOA. Start Of Authority
      • PTR. Pointer Record
      • MX. Mail Exchanger
      • TXT. Text
      • AAAA. IPv6 Address
      • SRV. Service
      • TSIG. Secured Signed Request class
      • IXFR. Incremental Zone Transfer
      • AXFR. Zone Transfer
      • ANY. Any available
      • Other. All other categories
    • Responses by Response Code: Shows all response codes sent (if server) or received (if client) by members in the selected group, broken down by request opcode and request record type. The format of each entry is ERROR/REQUEST_OPCODE:REQUEST_RECORD.

      The response code bar categories include:

      • NOERROR. Successful transaction; no error.
      • FORMERROR. Format Error.
      • SERVFAIL. DNS Server Failed.
      • NXDOMAIN. No such domain.
      • NOTIMPL. No handler implemented for this query type.
      • REFUSED. Query administratively refused.
      • UPDATEERR. Error in handling UPDATE request.
      • TSIGERR. Error in handling TSIG request.
      • OTHER. All other response code types.
    • Click the counter next to the response code to break it down by group members in the table.
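
    The following Python example is added here and is not part of the ExtraHop guide or product. It parses entries in the ERROR/REQUEST_OPCODE:REQUEST_RECORD format described above and flags request types where a failing response code makes up a large share of responses. The sample counts, the thresholds, and all function names are constructed assumptions; how entries are exported from the appliance is not covered.

```python
from collections import defaultdict

# Response code categories exactly as listed in the guide.
RESPONSE_CODES = {
    "NOERROR", "FORMERROR", "SERVFAIL", "NXDOMAIN", "NOTIMPL",
    "REFUSED", "UPDATEERR", "TSIGERR", "OTHER",
}

# Constructed sample: (entry label, response count) pairs. Not real appliance data.
SAMPLE = [
    ("NOERROR/QUERY:A", 9200),
    ("NXDOMAIN/QUERY:A", 310),
    ("SERVFAIL/QUERY:A", 40),
    ("NOERROR/QUERY:TXT", 60),
    ("NXDOMAIN/QUERY:TXT", 140),
    ("REFUSED/QUERY:AXFR", 12),
    ("NOERROR/UPDATE:SOA", 25),
    ("UPDATEERR/UPDATE:SOA", 5),
    ("garbled entry", 3),
]


def parse_entry(label):
    """Split 'ERROR/REQUEST_OPCODE:REQUEST_RECORD' into (code, opcode, record)."""
    code, slash, rest = label.strip().partition("/")
    opcode, colon, record = rest.partition(":")
    if not (slash and colon and code and opcode and record):
        raise ValueError(f"not in ERROR/REQUEST_OPCODE:REQUEST_RECORD form: {label!r}")
    code = code.upper()
    if code not in RESPONSE_CODES:
        raise ValueError(f"unknown response code category: {code!r}")
    return code, opcode.upper(), record.upper()


def tally(rows):
    """Group counts by (opcode, record) and response code; collect unparsable labels."""
    totals = defaultdict(lambda: defaultdict(int))
    rejected = []
    for label, count in rows:
        try:
            code, opcode, record = parse_entry(label)
        except ValueError:
            rejected.append(label)
            continue
        totals[(opcode, record)][code] += int(count)
    return totals, rejected


def flag_error_heavy(rows, min_total=10, threshold=0.15):
    """Return (opcode, record, code, share) where a non-NOERROR code reaches
    `threshold` of all responses for that request type. Both limits are
    assumed starting points, to be tuned per environment."""
    totals, _ = tally(rows)
    findings = []
    for (opcode, record), by_code in totals.items():
        total = sum(by_code.values())
        if total < max(min_total, 1):  # skip low-volume request types
            continue
        for code, n in by_code.items():
            if code == "NOERROR":
                continue
            share = n / total
            if share >= threshold:
                findings.append((opcode, record, code, round(share, 3)))
    # Highest share first; ties ordered by name for stable output.
    return sorted(findings, key=lambda f: (-f[3], f[0], f[1], f[2]))


if __name__ == "__main__":
    for opcode, record, code, share in flag_error_heavy(SAMPLE):
        print(f"{opcode}:{record} -> {code} is {share:.1%} of responses")
    print("skipped:", tally(SAMPLE)[1])
```

    Each flagged combination is a candidate for the per-member breakdown in the table at the bottom of the page.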

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    Processing Time

    The Server Processing Time bar graph shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

    FIX

    The FIX groups toolbar includes the following controls:

    • FIX Metric Type: Click the Metric Type drop-down list and select either Client or Server to display statistics for members in the current group acting as a FIX client or server, respectively.
    • Errors: Click the Errors button to display the list of FIX session-level reject reasons (error messages) sent to or received by members in the current group over the selected time interval. These metrics do not include the processing of order and trade errors.
    • Senders: Click the Senders button to display a list of institutions sending the FIX message, as it appears in the SenderCompID field.
    • Targets: Click the Targets button to display a list of institutions receiving the FIX message, as it appears in the TargetCompID field.
    • Records: Displays results for records that match the selected metric source and protocol.

    For group metrics, the FIX page includes the following data:

    FIX Client: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests received.
    • Responses: Number of responses received.
    • Errors: Number of errors sent.
    • POS Duplicate: Number of POS duplicates received.
    • POS Resend: Number of POS resends received.

    FIX Server: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of requests received.
    • Responses: Number of responses received.
    • Errors: Number of errors sent.
    • POS Duplicate: Number of POS duplicates received.
    • POS Resend: Number of POS resends received.

    Methods: Methods exchanged by members in the current group over the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    FTP

    The FTP metrics toolbar includes the following controls:

    • FTP Metric Type: Display metrics for the current device acting as an FTP client or server, respectively.
    • Errors: Displays the list of 5xx error messages sent to or received by the current device over the selected time interval.
    • Warnings: Displays the list of 4xx error messages sent to or received by the current device over the selected time interval.
    • Files: Displays the list of files accessed, associated bytes sent and received, and associated errors for the selected time interval.
    • Records: Displays results for records that match the selected metric source and protocol.

    Where file name detail is presented, the Discover appliance displays both the file path and mount point, if available. The prefix '...' indicates that either the mount point or part of the path is not available. This can occur when the capture process was restarted after a "mount" or "cd" command was issued, or when the commands were lost due to desyncs.

    For group metrics, the FTP page includes the following data:

    • FTP Client: Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
      • Requests: Specifies the number of data requests sent by the FTP client.
      • Responses: Specifies the number of responses received by the FTP client.
      • Errors: Specifies the number of errors received by the FTP client.
      • Warnings: Specifies the number of warnings received by the FTP client.
    • FTP Server: Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
      • Requests: Specifies the number of data requests received by the FTP server.
      • Responses: Specifies the number of responses sent by the FTP server.
      • Errors: Specifies the number of errors sent by the FTP server.
      • Warnings: Specifies the number of warnings received by the FTP server.
    • Data Channel: Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
      • Requests: Specifies the number of data channel requests sent or received by the current device.
      • Connects: Specifies the number of responses sent or received by the current device.
    • Methods: Displays the FTP methods for the selected time interval. Commands include RETR (get), STOR (put), and more. Click the counter next to each method to break it down by group members in the table at the bottom of the page.
    • Status Codes: Displays the FTP status codes for the selected time interval. Click the counter next to each status code to break it down by group members in the table.

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    Processing Time

    The Server Processing Time bar graph shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

    HTTP

    The HTTP groups toolbar includes the following controls:

    • HTTP Metric Type: Displays metrics for members in the current group acting as an HTTP client or HTTP server, respectively.
    • Errors: Displays the list of error messages sent to or received by the current member over the selected time interval.
    • URIs: Displays the list of HTTP URIs, number of responses, total time (ms), and processing time (ms) associated with each URI.
    • Referers: Displays the list of HTTP referer URLs and the count associated with each referer.
    • Records: Displays results for records that match the selected metric source and protocol.

    For group metrics, the HTTP page includes the following data:

    • HTTP Client: If you select Client for the HTTP Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
      • Requests: Specifies the number of HTTP requests sent from all members of the current group.
      • Requests Aborted: Specifies the number of incomplete HTTP requests sent from all members of the current group.
      • Pipelined Requests: Specifies the number of HTTP/1.1 pipelined requests sent from all members of the current group. Pipelined requests consist of multiple requests written to the same connection without waiting for the corresponding responses.
      • Responses: Specifies the number of HTTP responses received by all members of the current group.
      • Responses Aborted: Specifies the number of incomplete HTTP responses received by all members of the current group.
      • Chunked Transfers: Specifies the number of HTTP/1.1 responses that made use of chunked transfer-coding received by all members of the current group.
      • Compressed Transfers: Specifies the number of HTTP/1.1 responses that made use of gzip or deflate content coding.
      • Authed Requests: Specifies the number of HTTP requests that provided an Authorization request header and did not receive a 401 status code in the response.
    • HTTP Server: If you select Server for the HTTP Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.
      • Requests: Specifies the number of HTTP requests received by all members of the current group.
      • Requests Aborted: Specifies the number of incomplete HTTP requests received by all members of the current group.
      • Pipelined Requests: Specifies the number of HTTP/1.1 pipelined requests received by all members of the current group. Pipelined requests consist of multiple requests written to the same connection without waiting for the corresponding responses.
      • Responses: Specifies the number of HTTP responses sent from all members of the current group.
      • Responses Aborted: Specifies the number of incomplete HTTP responses sent from all members of the current group.
      • Chunked Transfers: Specifies the number of HTTP/1.1 responses that made use of chunked transfer-coding sent from all members of the current group.
      • Compressed Transfers: Specifies the number of HTTP/1.1 responses that made use of gzip or deflate content coding.
      • Authed Requests: Specifies the number of HTTP requests that provided an Authorization request header and did not receive a 401 status code in the response.
    • Status Codes: Displays the HTTP response status codes for the selected time interval. Click the counter next to each status code to break it down by group members in the table at the bottom of the page.
    • Methods: Displays the HTTP request methods for the selected time interval. The HTTP request methods include GET, HEAD, POST, PUT, DELETE, TRACE, CONNECT, and OPTIONS, as well as dynamic method names. Click the counter next to each method to break it down by group members in the table at the bottom of the page.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    Processing Time

    The HTTP group toolbar includes the following controls:

    • HTTP Metric Type: Displays metrics for members in the current group acting as an HTTP client or HTTP server, respectively.
    • Records: Displays results for records that match the selected metric source and protocol.

    The Server Processing Time bar graph shows median server processing time over the selected time interval for each member in the group. The five-number summary, which includes the minimum, lower quartile, median, upper quartile, and maximum values, is displayed by hovering over a bar.

    HTTP-AMF

    Click the Metric Type drop-down list and select either Client or Server to display metrics for members in the current group acting as an HTTP-AMF client or server, respectively.

    HTTP-AMF Client: If you select Client for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of HTTP-AMF requests for the selected time interval.
    • Responses: Number of HTTP-AMF responses for the selected time interval.
    • Errors: Number of HTTP-AMF errors for the selected time interval.
    • Requests w/o Length: Number of HTTP-AMF requests without length.
    • Responses w/o Length: Number of HTTP-AMF responses without length.

    HTTP-AMF Server: If you select Server for the HTTP-AMF Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of HTTP-AMF requests for the selected time interval.
    • Responses: Number of HTTP-AMF responses for the selected time interval.
    • Errors: Number of HTTP-AMF errors for the selected time interval.
    • Requests w/o Length: Number of HTTP-AMF requests without length.
    • Responses w/o Length: Number of HTTP-AMF responses without length.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    IBMMQ

    The IBMMQ groups toolbar includes the following controls:

    • IBMMQ Metric Type: Displays metrics for members in the current group acting as an IBMMQ client or IBMMQ server, respectively.
    • Errors: Displays the list of 5xx error messages sent to or received by the current member over the selected time interval.
    • Warnings: Displays the list of 4xx error messages sent to or received by the current member over the selected time interval.

    For group metrics, the IBMMQ page includes the following data about both client-to-server and server-to-server transactions:

    Click the Metric Type drop-down list and select either Client or Server to display statistics for members in the current group acting as an IBMMQ client or server, respectively.

    IBMMQ Client: If you select Client for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of IBMMQ requests sent or received within the selected time interval.
    • Responses: Number of IBMMQ responses sent or received within the selected time interval.
    • Client Messages: Number of IBMMQ client messages sent or received within the selected time interval.
    • Server Messages: Number of IBMMQ server messages sent or received within the selected time interval.
    • Errors: Number of IBMMQ errors for the selected time interval.
    • Warnings: Number of IBMMQ warnings for the selected time interval.
    • PCF Errors: Number of IBMMQ PCF errors sent or received within the selected time interval.
    • PCF Warnings: Number of IBMMQ PCF requests sent or received within the selected time interval.

    IBMMQ Server: If you select Server for the Metric Type, the Discover appliance displays the following metrics. Click the counter next to each metric to break it down by group members in the table at the bottom of the page.

    • Requests: Number of IBMMQ requests sent or received within the selected time interval. (Client-to-server transactions only.)
    • Responses: Number of IBMMQ responses sent or received within the selected time interval. (Client-to-server transactions only.)
    • Client Messages: Number of IBMMQ client messages sent or received within the selected time interval.
    • Server Messages: Number of IBMMQ server messages sent or received within the selected time interval.
    • Errors: Number of IBMMQ errors for the selected time interval.
    • Warnings: Number of IBMMQ warnings for the selected time interval.
    • PCF Errors: Number of IBMMQ PCF errors sent or received within the selected time interval.
    • PCF Warnings: Number of IBMMQ PCF requests sent or received within the selected time interval.

    Methods: Displays the IBMMQ methods for the selected time interval.

    Message Format: Displays the IBMMQ message formats for the selected time interval.

    Note: When the system detects only server-to-server traffic, the metrics that are gathered only for client-to-server transactions are zero or blank.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    ICA

    The ICA groups toolbar includes the following controls:

    • ICA Metric Type: Click the Metric Type drop-down list, and select either Client or Server to display metrics for members in the current group acting as an ICA client or ICA server, respectively.
    • Applications: Click the Applications button to display the ICA Client or Server: Applications table.
      • Name: The Citrix user ID.
      • Launches: Number of Citrix ICA launch commands within the selected time interval.
      • Aborts: Number of Citrix session aborts within the selected time interval.
    • Sessions: Click the Sessions button to display the ICA Client or Server: Sessions table.
      • Name: The Citrix user ID.
      • Duration (sec): The session duration by application.
    • Client Types: Click the Client Types button to display the ICA Client or Server: Client Types table.
      • Name: The name and version of the Citrix receiver.
      • Count: Number of launches from that particular version of the receiver.

    For group metrics, the ICA page includes the following data:

    • Launches: Total number of Citrix ICA launch commands within the selected time interval.
    • Aborts: Total number of Citrix session aborts within the selected time interval.

    ICA Client or Server: If you select Client or Server for the ICA Metric Type, the Discover appliance displays the following metrics:

    • Client Messages: Number of ICA client messages sent or received within the selected time interval.
    • Server Messages: Number of ICA server messages sent or received within the selected time interval.
    • Client CGP Messages: Number of ICA client CGP messages sent or received within the selected time interval.
    • Server CGP Messages: Number of ICA server CGP messages sent or received within the selected time interval.

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    iSCSI

    The iSCSI groups toolbar includes the following controls:

    • iSCSI Metric Type: Displays metrics for members in the current group acting as an iSCSI client or server, respectively.
    • Errors: Displays the list of error messages sent to or received by members in the current group over the selected time interval.
    • OpCodes: Displays the list of iSCSI operation codes sent to or received by members in the current group over the selected time interval, broken down by iSCSI initiator.
    • Initiators: Displays the list of iSCSI initiators establishing connections to or from members in the current group over the selected time interval.

    For group metrics, the iSCSI page includes the following data:

    • iSCSI Server: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
      • Responses: Specifies the number of responses sent by the iSCSI server.
      • Errors: Specifies the number of errors sent by the iSCSI server.
      • Sessions: Specifies the number of iSCSI sessions received by the iSCSI server.
      • Reads (DataOut): Specifies the number of read operations requested from the iSCSI server.
      • Writes (DataIn): Specifies the number of write operations requested from the iSCSI server.
      • Header Digest: Specifies the number of iSCSI operations with optional header digests included.
      • Data Digest: Specifies the number of iSCSI operations with optional data digests included.
    • iSCSI Client: Click the counter next to the metric to break it down by group members in the table at the bottom of the page.
      • Responses: Specifies the number of responses received by the iSCSI client.
      • Errors: Specifies the number of errors sent by the iSCSI client.
      • Sessions: Specifies the number of iSCSI sessions received by the iSCSI server.
      • Reads (DataOut): Specifies the number of read operations requested from the iSCSI server.
      • Writes (DataIn): Specifies the number of write operations requested from the iSCSI server.
      • Header Digest: Specifies the number of iSCSI operations with optional header digests included.
      • Data Digest: Specifies the number of iSCSI operations with optional data digests included.
    • OpCodes: Displays the list of iSCSI OpCodes sent to or received by members in the current group over the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the OpCodes button to get OpCodes broken down by iSCSI initiator. OpCodes include:
      • Login Request
      • Login Response
      • Logout Request
      • Logout Response
      • SCSI Command
      • SCSI Response
      • Text Request
      • Text Response
      • SCSI Data-In
      • SCSI Data-Out
      • SCSI Task Management Response
      • SCSI Task Management Function Request
      • Ready To Transfer
      • Asynchronous Message
      • SNACK Request
      • Reject
      • Last
      • NOP-In
      • NOP-Out
      • Vendor-<hex>
    • Rejects: Displays the list of reject reasons sent to or received by the current member over the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the Errors button to get errors broken down by iSCSI initiator. Reject reasons include:
      • Zero
      • Reserved
      • Data Digest Error
      • SNACK Reject
      • Protocol Error
      • Command not supported
      • Protocol Error
      • Immediate Command Reject
      • Task in progress
      • Invalid Data ACK
      • Invalid PDU field
      • Long Operation Reject
      • Negotiation Reset
      • Waiting for Logout
    • Logins: Displays the iSCSI login errors for the selected time interval. Click the counter next to the metric to break it down by group members in the table at the bottom of the page. Click the Errors button to get errors broken down by iSCSI initiator.
      • Login failures
      • Target moved temporarily
      • Target moved permanently
      • Initiator error
      • Authentication failure
      • Authorization failure
      • Not found
      • Target removed
      • Unsupported version
      • Too many connections
      • Missing parameter
      • Can't include in session
      • Session type not supported
      • Session does not exist
      • Invalid request during login
      • Target error
      • Service unavailable
      • Out of resources

    Table Actions

    The table at the bottom of the page lists the devices associated with this group and totals where applicable. You can filter the list of devices and manage the assignments for a device or group of devices.

    LDAP

    The LDAP groups toolbar includes the following controls:

    • LDAP Metric Type: Displays metrics for members in the current group acting as an LDAP client or server, respectively.
    • Errors: Displays a detailed list of error messages sent to or received by members in the current group over the specified time interval.
    • Records: Displays results for records that match the selected metric source and protocol.

    For group metrics, the LDAP page includes the following data:

    • LDAP Client: If you select Client for the LDAP Metric Type, the Discover appliance displays the following metrics. Click the counter to break down the responses by group members in the table at the bottom of the page.
      • Requests: Specifies the number of LDAP requests for the selected time interval.
      • Responses: Specifies the number of LDAP responses for the selected time interval.
      • Errors: