
TRAFFIC VERIFICATION:

 

There are several ways to get traffic to the Collector:

  1. Promiscuous vSwitch. The Collector's capture port is attached to a vSwitch (port group) that is in promiscuous mode, and the traffic you wish to monitor is on the same vSwitch.
  2. SPAN to an IP from a load-balancer clone pool. The load balancer is configured to mirror the traffic it is balancing to a specific IP address (the Collector's).
  3. GRE tunnel / ERSPAN. A switch with this capability mirrors traffic to a destination IP address.
  4. Cloud Probe. An installable agent on the web application server (or any endpoint that terminates HTTP/HTTPS traffic). It passively captures traffic destined for that server and sends it to an EUEM Collector.
  5. CDN such as Akamai. The CDN (Content Delivery Network) packages the timings of the content it delivered into a receipt file and posts it to a server whose traffic the EUEM Collector is capturing. The Collector recognizes the receipt, opens it and processes the hits as if they had been seen on the wire.

 

Your EUEM Collector is now deployed and set up to capture traffic in one or more of the above ways. How do you verify that the traffic is actually being captured on the Collector?

 

Ensure that the Analyzer and Collector are time-synchronized (NTP is set during the setup wizard) and that the Analyzer is configured to communicate with the Collector.

 

From the Analyzer UI, navigate to Administration --> Data flow settings --> Analyzer & Collectors management and select Collector feeds settings. Click 'Add a collector feed' and enter the required information:

 

[screenshot: add_collector.png]

Once the configuration is saved, click the ON button. The connection indicator should turn green, meaning there is a working connection between the Analyzer and the Collector.

 

[screenshot: collector connected.png]

 

There are a few screens located in the UI of the collector that show stats on traffic capture.

 

Main screen --> HOME

 

This screen shows the traffic capture rate, excluded traffic rate, sampling rate, packet loss, SSL decryption status and broken hits status. If the Collector is communicating properly with the Analyzer, you will also see a delivery rate.

 

[screenshot: Home collector screen.png]

Administration -->Device status --> System information and licenses.

 

On the upper left-hand side of this screen you can cycle through the LCD display; it shows kbytes/second and packets/second.

[screenshot: lcd1.png]

Clicking 'Cycle LCD' again shows traffic in kilobytes/second, packets/second and hits/second:

[screenshot: lcd2.png]

 

Administration --> Device status --> Traffic capture statistics:

 

This screen gives a more detailed breakdown of the traffic the Collector has captured over the last 5 minutes:

[screenshot: traffic_capture_statistics.png]

The broken-traffic figures on this screen are broken down further by the trafficstatus CLI command described below.

 

CLI Commands:

The CLI also has commands to show and troubleshoot traffic capture. A customer can use a terminal program such as PuTTY to SSH into the system and run these commands. The default CLI username/password is clisystem/coradiant; if that default is still in place, change it before the system goes into production.

 

Trafficstatus:

Gives a breakdown of the traffic collected over the last 5 minutes. The knowledge article describing the trafficstatus output is KA382501 (sample output attached). The output below is annotated: the text after "--" on each line explains that counter and is not part of what the command prints.

[screenshot: trafficstatus.png]

trafficstatus

********************************************************************************
Time period : 2012/10/31-13:05:35 - 2012/10/31-13:11:00
********************************************************************************
all IP traffic seen by Ethernet card:
Number of packets received and processed : 1452941 (100%)  -- TCP packets
Number of packets dropped                : 0       (0%)    -- should be zero; if not, the feed carries more traffic than the Collector can process
Number of TCP-SYN packets                : 15555           -- TCP three-way handshake statistics
Number of TCP-SYN-ACK packets            : 15013           -- TCP three-way handshake statistics
Traffic direction check                  : PASS            -- detects one-direction feeds: if SYNs are seen without the matching SYN/ACKs (no full handshake), the feed is assumed to carry only one direction
********************************************************************************
Number of HTTP/HTTPS hits:   -- a hit is data from client to server in which an HTTP method is detected (not necessarily processed by the system)
-> Successfully processed             : 83583 (99%)
-> Discarded because of sweeping      : 0     (0%)    -- exclusion rules
-> Discarded because of sampling      : 0     (0%)    -- excess traffic
-> Discarded because of rate-limiting : 0     (0%)    -- license limit (monolithic deployment)
-> Discarded because they are broken  : 340   (0%)    -- breakdown below
                                        --------
-> Total                              : 83923
********************************************************************************
Processed hits breakdown:
-> Number of HTTP (clear text) hits     : 83583 (100%)  -- HTTP plus HTTPS must add up to the successfully processed hits above
-> Number of HTTPS (SSL encrypted) hits : 0     (0%)
********************************************************************************
Broken hits breakdown per error type: (discarded because they are broken)
-> Broken packet detected                         : 0   (0%)   -- system unable to parse the packet at the HTTP(S) level
-> Chunked encoding numbering is wrong            : 2   (0%)   -- number of bytes does not match the chunk length sent by the server
-> Duplicate TCP session detected                 : 0   (0%)   -- system sees a SYN for an existing TCP session
-> HTTP headers exceed our buffer size            : 0   (0%)   -- headers exceed 9K (system limit)
-> Error in HTTP pipelining detected              : 0   (0%)   -- limit reached for requests in the pipeline
-> IP fragmentation detected (unsupported)        : 3   (0%)   -- EUEM does not support IP fragmentation, only TCP segmentation
-> TCP session has no HTTP or HTTPS payload       : 80  (23%)  -- SYN, SYN/ACK, ACK, then FIN: session opened and closed with no data
-> Traffic is not HTTP or HTTPS                   : 0   (0%)   -- 'other' traffic (FTP, SMTP, etc.)
-> Packet loss detected                           : 117 (34%)  -- missing TCP sequence numbers, e.g. the client is seen sending sequence numbers 1 and 2 and the server then ACKs 4, so the segment in between was never captured
-> Wrong SSL key is configured for host           : 0   (0%)   -- system unable to decrypt using the installed SSL key
-> Unsupported SSL version detected               : 0   (0%)   -- supported: SSLv2, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2
-> Decompression at SSL layer failed              : 0   (0%)   -- SSL decompression failed for an unknown reason
-> Ephemeral SSL session key detected             : 0   (0%)   -- ephemeral (Diffie-Hellman) key exchange: the session key cannot be derived from the installed server RSA key, so the system cannot decrypt the session
-> Error occurred during SSL decryption           : 0   (0%)   -- decryption attempt failed (unknown error)
-> Internal error occurred while processing SSL   : 0   (0%)   -- malformed (corrupt) SSL record
-> SSL key is configured as OFF for host          : 0   (0%)   -- system configuration
-> Resuming SSL session fail (not in cache)       : 0   (0%)   -- information needed to resume the SSL session is not in the system cache
-> Non-RSA key detected                           : 0   (0%)   -- system only supports RSA keys
-> Missing SSL key for host                       : 0   (0%)   -- system has no key to decrypt traffic for this host
-> Unrecognized SSL handshake record detected     : 0   (0%)   -- system supports a fixed set of SSL handshake record types
-> Unrecognized SSL record detected               : 0   (0%)   -- system supports a fixed set of SSL record types
-> Unrecognized certificate format detected       : 0   (0%)   -- system failed to parse the certificate sent by the server
-> Unsupported CipherSuite detected               : 0   (0%)   -- system supports a fixed set of cipher suites
-> TCP session was reused (ran out of TCP struct) : 138 (40%)  -- system can track 16K concurrent TCP sessions
-> Unknown HTTP version detected                  : 0   (0%)   -- system supports HTTP 0.9, 1.0 and 1.1
********************************************************************************
Number of POST from Akamai containing receipts : 0
Number of Akamai receipts:
-> Successfully Processed                     : 0 (0%)
-> Discarded because of sweeping              : 0 (0%)   -- exclusion rules
-> Discarded because of sampling              : 0 (0%)   -- excessive traffic
-> Discarded because of rate-limiting         : 0 (0%)   -- license limit (monolithic deployment)
-> Discarded because they are proxied         : 0 (0%)   -- system sees the same hit from the origin and in the receipt
-> Discarded because they are cache refreshes : 0 (0%)   -- system sees the same hit from the origin and in the receipt
-> Discarded because they are broken          : 0 (0%)   -- parsing the receipt string fails for a hit
                                                --------
-> Total                                      : 0

Note on the SSL counters: passive decryption of this kind works only when the session key can be recovered from the server's RSA private key. Servers that negotiate ephemeral (DHE/ECDHE) key exchange, or that use non-RSA keys, produce broken hits rather than decrypted ones, so check the server's cipher-suite configuration before troubleshooting the Collector. SSLv2 and SSLv3 are listed as supported but are obsolete and insecure; seeing them on a monitored server is a finding in its own right.
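To turn the reading rules above into something repeatable, here is an added example (not part of the product or of this article) that parses a saved trafficstatus dump and flags the conditions the annotations describe: dropped packets, a failed or lopsided direction check, HTTP plus HTTPS not matching the processed count, and a broken-hit share worth investigating. The sample text is constructed from the values quoted above with the annotations removed; the 5% broken-hit and 0.8 SYN-ACK/SYN thresholds are the example's own assumptions, not product limits.

```python
# Added example (not EUEM product code): health-check a saved trafficstatus dump
# against the reading rules given above. Thresholds are this example's assumptions.
import re

# Constructed sample mirroring the counters quoted above (annotations stripped).
SAMPLE = """\
********************************************************************************
all IP traffic seen by Ethernet card:
Number of packets received and processed : 1452941 (100%)
Number of packets dropped : 0 (0%)
Number of TCP-SYN packets : 15555
Number of TCP-SYN-ACK packets : 15013
Traffic direction check : PASS
********************************************************************************
Number of HTTP/HTTPS hits:
-> Successfully processed : 83583 (99%)
-> Discarded because of sweeping : 0 (0%)
-> Discarded because of sampling : 0 (0%)
-> Discarded because of rate-limiting : 0 (0%)
-> Discarded because they are broken : 340 (0%)
: --------
-> Total: : 83923
********************************************************************************
Processed hits breakdown:
-> Number of HTTP (clear text) hits : 83583 (100%)
-> Number of HTTPS (SSL encrypted) hits : 0 (0%)
********************************************************************************
Broken hits breakdown per error type: (discarded because they are broken)
-> TCP session has no HTTP or HTTPS payload : 80 (23%)
-> Packet loss detected : 117 (34%)
-> TCP session was reused (ran out of TCP struct) : 138 (40%)
********************************************************************************
Number of POST from Akamai containing receipts : 0
Number of Akamai receipts:
-> Successfully Processed : 0 (0%)
-> Total : : 0
"""

# "-> name : value (pct)"; the value is an integer or PASS/FAIL (direction check)
COUNTER_RE = re.compile(r"^(?:->\s*)?(?P<name>[^:]+?)[\s:]+(?P<value>\d+|PASS|FAIL)(?=[\s(]|$)")


def parse_trafficstatus(text):
    """Split the dump into (section title, {counter: value}) pairs. Rows of
    asterisks delimit sections; the first value-less line in a section titles it."""
    sections = [("", {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("****"):
            sections.append(("", {}))
            continue
        title, counters = sections[-1]
        m = COUNTER_RE.match(line)
        if m:
            val = m.group("value")
            counters[m.group("name").strip()] = val if val in ("PASS", "FAIL") else int(val)
        elif line[0].isalpha():
            new_title = line.split(":")[0].strip()
            if counters:  # title after counters (Akamai block): start a new section
                sections.append((new_title, {}))
            else:
                sections[-1] = (new_title, counters)
    return [s for s in sections if s[1]]


def find_section(sections, title_prefix):
    return next((c for t, c in sections if t.lower().startswith(title_prefix.lower())), {})


def counter(counters, name_prefix, default=0):
    return next((v for n, v in counters.items() if n.lower().startswith(name_prefix.lower())), default)


def check_health(sections, broken_warn_pct=5.0, synack_ratio_min=0.8):
    """Return a list of findings; an empty list means the feed looks healthy."""
    findings = []
    ip = find_section(sections, "all IP traffic")
    hits = find_section(sections, "Number of HTTP/HTTPS hits")
    kinds = find_section(sections, "Processed hits breakdown")
    dropped = counter(ip, "Number of packets dropped")
    if dropped:  # "should be zero - if not, too much traffic"
        findings.append(f"{dropped} packets dropped: the feed exceeds what the Collector can process")
    syn, synack = counter(ip, "Number of TCP-SYN packets"), counter(ip, "Number of TCP-SYN-ACK")
    if counter(ip, "Traffic direction check", "FAIL") != "PASS" or (syn and synack < synack_ratio_min * syn):
        findings.append(f"one-directional traffic suspected (SYN={syn}, SYN-ACK={synack}): check the SPAN/ERSPAN/vSwitch feed")
    processed = counter(hits, "Successfully processed")
    if counter(kinds, "Number of HTTP (clear") + counter(kinds, "Number of HTTPS") != processed:
        findings.append("HTTP + HTTPS hits do not add up to the successfully processed hits")
    broken, total = counter(hits, "Discarded because they are broken"), counter(hits, "Total")
    if total and 100.0 * broken / total > broken_warn_pct:
        findings.append(f"{broken} of {total} hits broken ({100.0 * broken / total:.1f}%): see the broken-hit breakdown")
    return findings


def top_broken_reasons(sections, n=3):
    """Largest contributors to the broken-hit count, most common first."""
    broken = find_section(sections, "Broken hits breakdown")
    return sorted(broken.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Run trafficstatus over SSH, save its output to a file and pass the text to parse_trafficstatus(); check_health() returns the findings and top_broken_reasons() the reasons to chase first. In the sample, TCP-struct exhaustion and packet loss dominate, which points at feed volume (the 16K session limit and dropped packets above), while empty sessions are often probes or health checks that never send a request.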

 
Getstats:

Running this command from the CLI gives an output that refreshes every 5 seconds.

[screenshot: getstats.png]

From this output you can verify that there is a feed (Mbit/s and bytes/second), see ring-buffer drops and the SYN and SYN-ACK rates per second, and confirm that both HTTP and HTTPS packets are being seen.

 

Packettrace:

This command captures the data being fed to the capture ports and lets the customer download the capture and analyze it offline with a tool such as Wireshark. The syntax is shown by packettrace -h.

[screenshot: packettrace.png]

Once the packettrace has completed, the customer can download it by clicking the link on the following screen:

Administration --> Device status --> System information and licenses:

[screenshot: dl_packettrace.png]
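Once you have the downloaded packettrace file, the same first-order checks the Collector makes can be run offline, which is useful when you are still deciding whether the feed (vSwitch, SPAN or ERSPAN) or the Collector is at fault. The following is an added example in Python, not product code: it reads a classic libpcap file and computes SYN versus SYN-ACK counts, HTTP request hits and sessions that carry no HTTP payload, the signals behind the Collector's own direction check and broken-hit counters. It assumes packettrace writes a classic pcap with Ethernet framing (the article only says Wireshark can open it); pcap-ng and other link types are not handled. The traffic in sample_capture() is constructed, not captured, and its one_way mode imitates a SPAN session that mirrors only one direction, which is exactly the failure the direction check exists to catch.

```python
# Added example (not EUEM product code): offline sanity check of a packettrace
# capture. Assumes classic pcap (not pcap-ng) with Ethernet link type, since the
# article only says the file opens in Wireshark.
import socket
import struct

LINKTYPE_ETHERNET = 1
TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def tcp_frame(src, dst, sport, dport, flags, seq=0, ack=0, payload=b""):
    """Build an Ethernet/IPv4/TCP frame; checksums stay zero since we only parse."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp


def pcap_bytes(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def iter_frames(data):
    """Yield the captured bytes of every record in a classic pcap file."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack("<I", data[:4])[0])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, flags, payload) for IPv4/TCP, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport,
            tcp[13], tcp[(tcp[12] >> 4) * 4:])


def analyze(data):
    """Count handshake halves, HTTP hits and empty sessions; judge feed direction."""
    stats = {"packets": 0, "syn": 0, "synack": 0, "http_hits": 0}
    has_http = {}  # direction-agnostic session key -> saw an HTTP request?
    for frame in iter_frames(data):
        stats["packets"] += 1
        decoded = decode_tcp(frame)
        if decoded is None:
            continue
        src, sport, dst, dport, flags, payload = decoded
        key = tuple(sorted([(src, sport), (dst, dport)]))
        if flags & TCP_SYN:
            if flags & TCP_ACK:
                stats["synack"] += 1
            else:
                stats["syn"] += 1
                has_http.setdefault(key, False)
        if payload.startswith(HTTP_METHODS):
            stats["http_hits"] += 1
            has_http[key] = True
    stats["sessions"] = len(has_http)
    stats["non_http_sessions"] = sum(1 for v in has_http.values() if not v)
    # Same idea as the Collector's "Traffic direction check": a two-way feed shows
    # about one SYN-ACK per SYN; far fewer means only one direction is mirrored.
    stats["direction_check"] = "PASS" if stats["syn"] and stats["synack"] >= 0.8 * stats["syn"] else "FAIL"
    return stats


def sample_capture(one_way=False):
    """Constructed traffic, not a real capture: one HTTP exchange plus one session
    opened and closed with no data. one_way drops every server->client frame,
    imitating a SPAN session that mirrors a single direction."""
    c, s = "10.0.0.5", "10.0.0.80"
    pkts = [  # (from_server, frame)
        (False, tcp_frame(c, s, 40001, 80, TCP_SYN, seq=1)),
        (True, tcp_frame(s, c, 80, 40001, TCP_SYN | TCP_ACK, seq=500, ack=2)),
        (False, tcp_frame(c, s, 40001, 80, TCP_ACK, seq=2, ack=501,
                          payload=b"GET /login HTTP/1.1\r\nHost: app.example\r\n\r\n")),
        (True, tcp_frame(s, c, 80, 40001, TCP_ACK, seq=501, ack=44,
                         payload=b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")),
        (False, tcp_frame(c, s, 40001, 80, TCP_FIN | TCP_ACK, seq=44, ack=541)),
        (False, tcp_frame(c, s, 40002, 80, TCP_SYN, seq=1)),
        (True, tcp_frame(s, c, 80, 40002, TCP_SYN | TCP_ACK, seq=900, ack=2)),
        (False, tcp_frame(c, s, 40002, 80, TCP_FIN | TCP_ACK, seq=2, ack=901)),
    ]
    return pcap_bytes([f for from_server, f in pkts if not (one_way and from_server)])
```

To use it on a real download, read the file with open(path, "rb").read() and pass the bytes to analyze(). A FAIL direction check alongside a healthy SYN count means the feed is mirroring one direction only; that is fixed at the SPAN/ERSPAN source or the vSwitch, not on the Collector. A high non_http_sessions count corresponds to the "TCP session has no HTTP or HTTPS payload" broken-hit reason in trafficstatus.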