Initiate precision packet captures to analyze zero window conditions
In TCP metrics, window size specifies the amount of data that a device can receive and process during a flow. When the window size is zero, transmissions are halted until the device signals that it has the space to receive data again.
Zero window conditions that last 1 or 2 seconds are not too unusual, especially during periods of heavy traffic. However, longer-lasting zero window conditions can indicate a more serious problem and cause performance issues.
You can create a dashboard or configure alert notifications to track zero window occurrences, but the cause can be hard to determine. For example, CPU, memory, and NIC usage might be normal, and you don’t know if the issue is with the network, the servers, or the application. But you can always find the truth in the packet!
In this walkthrough, you will create a trigger that captures packets with zero window conditions on database response and request flows. Then, you will download the captures so that you can upload the data to a packet analyzer to help you determine the state of the client and server on a flow when zero window conditions occurred.
Prerequisites
- You must have access to an ExtraHop Discover appliance with a user account that has unlimited privileges.
- You must license and enable packet capture through the ExtraHop Admin UI.
- You must have a packet analyzer, such as Wireshark or Microsoft Network Monitor.
- Familiarize yourself with Triggers concepts and the procedures in Build a trigger.
Write the precision capture trigger
In the following steps, you will write a trigger that initiates a precision packet capture each time a zero window condition occurs on a database transaction.
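The following is an added example of the decision logic such a trigger needs, written as plain functions so it runs under Node against a constructed stand-in for the Flow object; it is not the walkthrough's own trigger code. It assumes, from the ExtraHop Trigger API reference rather than this page, that `Flow.client.zeroWnd` and `Flow.server.zeroWnd` count zero-window advertisements per side, that `Flow.captureStart(name, options)` starts a precision capture, and that `Flow.store` keeps per-flow state between events.

```javascript
// Added example, not the walkthrough's trigger. Assumed API (ExtraHop Trigger API
// reference, not this page): Flow.client.zeroWnd / Flow.server.zeroWnd,
// Flow.captureStart(name, options), Flow.store.

const MAX_PACKETS = 50;          // cap the capture so a long stall cannot fill storage
const MAX_PACKETS_LOOKBACK = 20; // include packets before the stall to see what led to it

// Report which side advertised a zero window: 'client', 'server', 'both' or null.
function zeroWindowSide(flow) {
  const c = flow.client.zeroWnd > 0;
  const s = flow.server.zeroWnd > 0;
  if (c && s) return 'both';
  if (c) return 'client';
  if (s) return 'server';
  return null;
}

// Capture name that identifies the flow and the stalled side in the capture list.
function captureName(flow, side) {
  return 'zero-window ' + side + ' ' + flow.client.ipaddr + ' -> ' +
         flow.server.ipaddr + ':' + flow.server.port;
}

// Trigger body for DB_REQUEST / DB_RESPONSE: start at most one capture per flow and
// record why in the debug log. Returns the capture name, or null if nothing started.
function onDbEvent(flow, log) {
  const side = zeroWindowSide(flow);
  if (side === null) return null;               // healthy flow: nothing to do
  if (flow.store.zeroWndCaptured) return null;  // already captured on an earlier event
  const name = captureName(flow, side);
  flow.captureStart(name, { maxPackets: MAX_PACKETS, maxPacketsLookback: MAX_PACKETS_LOOKBACK });
  flow.store.zeroWndCaptured = true;
  log('zero window (' + side + ') client=' + flow.client.zeroWnd +
      ' server=' + flow.server.zeroWnd + ' started capture: ' + name);
  return name;
}

// Constructed stand-in for the Flow object so the logic can be exercised offline;
// the addresses and port are made-up sample values.
function makeFlow(clientZeroWnd, serverZeroWnd) {
  const started = [];
  return {
    client: { ipaddr: '10.0.0.25', zeroWnd: clientZeroWnd },
    server: { ipaddr: '10.0.0.100', port: 3306, zeroWnd: serverZeroWnd },
    store: {},
    started,
    captureStart(name, options) { started.push({ name, options }); },
  };
}

// In the appliance, the trigger body would simply be: onDbEvent(Flow, debug);
```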
Assign the trigger to a source
In the following steps, you will assign a trigger to a data source. A trigger does not run until it is assigned to a source, and the trigger gathers data only from the sources to which it is assigned.
For the purposes of this walkthrough, the following procedure assigns the trigger to a device group called DB Servers. You should assign the trigger to the devices or device groups on your network that you want to monitor for zero window conditions.
Important: Running triggers on unnecessary devices and networks exhausts system resources. Minimize performance impact by assigning a trigger only to the specific sources that you need to collect data from.
View debug output in the runtime log
In the following steps, you will view the trigger debug output to confirm that the trigger is running and capturing packets. After you assign the trigger to your data sources, the system runs the trigger when database traffic occurs, and if any transactions contain a zero window, the system sends debug results to the runtime log.