sharkMon – deep packet monitoring
- Dive deep into the contents of thousands of PCAP trace files in a single dashboard.
- Uses Wireshark display-filter syntax, giving access to more than 100,000 protocol fields.
- Makes masses of data easy to organize, aggregate, analyze and prioritize.
- Groups findings into three main categories: application, connection and network.
- Allows quick assignment of errors and incidents.
- Saves data in a database for a long history.
Why sharkMon
IT data is network data: network packets travel the whole IT delivery chain and carry status and performance information between the endpoints – DNS and LDAP response codes and times, network and application performance, server response times and return codes, front-end/back-end performance, or any content of a readable packet.
If an application is slow, a service is unreachable, or error codes appear, information about these symptoms – and often about their causes – can be found in the packets.
sharkMon
– imports network packet data and provides the performance and status metrics contained in those packets.
– uses pcap files generated anywhere in the network – in the cloud, on servers, at user PCs, on firewalls, on capture appliances, etc. – and can aggregate distributed capture sources into a single monitoring pane.
It can create incidents for root cause analysis and incident correlation, and forward those incidents to central event correlation systems.
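The pcap import step described above can be sketched in a few lines. The helper below is a minimal, hypothetical validity check (not sharkMon's actual importer) that inspects the 24-byte libpcap global header before a file is queued for analysis:

```python
import struct

# libpcap global header magic numbers: microsecond- and nanosecond-resolution
# files, in both byte orders.
PCAP_MAGICS = {0xA1B2C3D4, 0xD4C3B2A1, 0xA1B23C4D, 0x4D3CB2A1}

def is_valid_pcap(path):
    """Check that a file starts with a valid 24-byte libpcap global header."""
    with open(path, "rb") as f:
        header = f.read(24)
    if len(header) < 24:
        return False
    magic = struct.unpack("<I", header[:4])[0]
    return magic in PCAP_MAGICS
```

Such a cheap pre-check matters when thousands of rotated files arrive from different capture tools: truncated or non-pcap files can be rejected before any deep analysis starts.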
sharkMon – at a glance
– Long-term data – import large numbers of pcap files in real time, covering hours, days or weeks, created by various trace tools such as tcpdump, tshark or a capture appliance
– Auto-analysis – analyze thousands of sequential files automatically on the fly, using customizable deep-packet expert profiles – also per object – including custom metrics and thresholds
– Incidents – create incidents based on variable thresholds per object
– Long-term perspective – visualize incidents and raw data in smart dashboards over hours, days, weeks or months
– Incident correlation – export incidents into a service management system, making them part of a correlation framework
– Automation – automate the analysis workflow step by step, avoiding the time and effort of recurring tasks
Long-term monitoring – or single trace-file analysis?
Trace files are usually analyzed manually in single steps – one at a time, covering a few minutes each. Covering hours requires multiple files; a full day can require hundreds or thousands of files, which cannot be handled manually. With sharkMon, users can import a large number of files from servers, the cloud or data-center appliances, assign an analysis profile containing the relevant metrics, and sharkMon creates the required statistics over the whole span of time – effectively turning trace analysis into monitoring.
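The batch workflow described above can be sketched with standard-library tools. The file naming scheme and the analysis callback below are illustrative assumptions (e.g. timestamped files as written by `tcpdump -G`), not sharkMon's actual API:

```python
from pathlib import Path

def sequential_captures(directory, pattern="trace-*.pcap"):
    """Return a rotated capture set sorted by file name, which for
    timestamp-named files (trace-20240101-120000.pcap) is time order."""
    return sorted(Path(directory).glob(pattern))

def analyze_all(directory, analyze):
    """Apply an analysis callback to every file in sequence and collect
    per-file results – the 'monitoring' view over the whole time span."""
    return [analyze(path) for path in sequential_captures(directory)]
```

The point of the sketch is the sequencing: once files sort into capture order, per-file statistics line up into a continuous timeline instead of isolated snapshots.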
Smart dashboards
At a glance, a user can understand:
- Are there any issues in my trace files?
- Which category do they belong to (network, application, connection)?
- Which exact metric caused the issue?
- Which threshold was crossed?
- Direct access to the trace file
- Drilldowns and category-specific views (here: the application view) allow deep insights – continuously over time, for days, hours or seconds
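The three-way categorization above can be illustrated with a simple lookup. The prefix-to-category mapping below is a hypothetical example – sharkMon's real categorization rules are not public:

```python
# Hypothetical mapping from metric name prefixes to the three dashboard
# categories (network, application, connection).
CATEGORY_BY_PREFIX = {
    "ip": "network",
    "icmp": "network",
    "tcp": "connection",
    "http": "application",
    "dns": "application",
    "ldap": "application",
    "tls": "application",
}

def categorize(metric):
    """Map a metric like 'dns.time' or 'tcp.analysis.retransmission'
    to one of the dashboard categories."""
    prefix = metric.split(".", 1)[0].lower()
    return CATEGORY_BY_PREFIX.get(prefix, "network")
```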
Deep analysis
With deep analysis, InterTrace utilizes Wireshark display filters – which can do far more than most other analysis solutions. Thousands of protocol-dependent pre-filters are defined, and expert analyses exist for a wide range of protocols. By using any Wireshark display filter in sharkMon, users can turn virtually every byte in the packet flow into a monitoring and incident condition.
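As a concrete illustration, any Wireshark display filter can also be exercised from the command line with tshark (`-r` reads a trace, `-Y` applies a display filter, `-T fields -e` selects output fields). The sketch below only builds such a command – the trace path and the filter are placeholders:

```python
def tshark_command(pcap_path, display_filter, fields):
    """Build a tshark invocation that applies a Wireshark display filter
    to a trace file and prints selected protocol fields."""
    cmd = ["tshark", "-r", pcap_path, "-Y", display_filter, "-T", "fields"]
    for field in fields:
        cmd += ["-e", field]
    return cmd

# Example: flag every TLS record whose version is not TLS 1.2 (0x0303).
cmd = tshark_command(
    "trace.pcap",
    "tls && tls.record.version != 0x0303",
    ["frame.number", "ip.src", "tls.record.version"],
)
```

The same display-filter expressions that work in the Wireshark GUI work here, which is what makes "every byte as a condition" practical.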
sharkMon under the Hood
Analysis Profiles
Analysis profiles are pre-configured, customizable filter and threshold definitions that are applied to a trace analysis. A profile is a configuration of defined filters and symptoms – virtually every byte in a packet, or a Wireshark expert analysis (like tcp.analysis.out_of_order), can be configured as a symptom. Files are analyzed in depth according to these profiles, and symptoms are generated based on the analysis. For example, "SSL must use TLS 1.2" can be defined as a condition, so any occurrence of non-TLS-1.2 packets is detected and flagged as a symptom. The same can be done with performance metrics such as ldap.time, dns.time, DNS response codes or HTTP return codes, which can be included in a specific profile, with symptoms created whenever a threshold is exceeded.
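A minimal sketch of how such a profile could be represented and evaluated follows. The profile structure, field names and thresholds are illustrative assumptions, not sharkMon's internal format:

```python
# Illustrative analysis profile: each symptom pairs a metric with a threshold.
PROFILE = {
    "name": "dns-ldap-health",
    "symptoms": {
        "dns.time": 0.5,   # seconds; DNS answers slower than this
        "ldap.time": 1.0,  # seconds; LDAP responses slower than this
    },
}

def evaluate(profile, records):
    """Return a symptom entry for every parsed metric record that
    exceeds its configured threshold."""
    findings = []
    for rec in records:  # rec: {"metric": "dns.time", "value": 0.8, "frame": 17}
        threshold = profile["symptoms"].get(rec["metric"])
        if threshold is not None and rec["value"] > threshold:
            findings.append({
                "symptom": rec["metric"],
                "value": rec["value"],
                "threshold": threshold,
                "frame": rec["frame"],
            })
    return findings
```

Keeping the profile as data rather than code is what makes it customizable per object: the same evaluation loop runs against any combination of metrics and thresholds.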
The front-end and back-end server systems are listed or shown in an architecture chart.
Since the service discovery is carried out daily, the architecture charts are always up-to-date.
Changes within a service chain, e.g. new servers, are recorded and reported.
Scenarios
Users define their analysis objects and metrics as an analysis scenario:
- Object – what needs to be analyzed
- Conditions – filter conditions and time range (backward-looking or future)
- Data source – PCAP files, a live Wireshark/tcpdump stream, or a capture appliance
- Options – for the analysis (such as de-duplication or merging)
- Intelligence – which analysis profile should be used, including metrics, thresholds, etc.
Such a scenario gives the user the ability to start a long-term monitoring process at the deepest level – focused on that scenario – and to create scenario-related incidents and events. Many scenarios can be defined and processed in parallel: one scenario can watch the web shop using deep SSL and HTTP metrics, another can monitor SAP services, and another the DNS replies – all at the same time.
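The parallel-scenario idea can be sketched with standard-library concurrency. The scenario contents and the per-scenario analysis function below are hypothetical placeholders:

```python
from concurrent.futures import ThreadPoolExecutor

# Illustrative scenario definitions, each with its own display filter.
SCENARIOS = [
    {"name": "webshop", "filter": "http || tls"},
    {"name": "sap", "filter": "tcp.port == 3200"},
    {"name": "dns", "filter": "dns"},
]

def run_scenario(scenario):
    """Placeholder for one scenario's long-term analysis loop."""
    return {"scenario": scenario["name"], "incidents": []}

def run_all(scenarios):
    """Process all scenarios at the same time, one worker per scenario."""
    with ThreadPoolExecutor(max_workers=len(scenarios)) as pool:
        return list(pool.map(run_scenario, scenarios))
```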
Trace-based events can be correlated with other existing management data – whether it comes from the network, systems, log files or security devices – in a single dashboard-like SLIC Correlation insight. They can provide the significant data that feeds a service management platform with the intelligence to build complete cause-and-effect chains for complex IT services.
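Forwarding a trace-based incident to an event-correlation system typically means emitting a structured event. The sketch below builds a hypothetical JSON payload – the field names are assumptions, not a documented sharkMon or SLIC schema:

```python
import json
from datetime import datetime, timezone

def incident_event(scenario, symptom, value, threshold, source_file):
    """Serialize a trace-based incident as a JSON event that a
    service management platform could ingest and correlate."""
    return json.dumps({
        "source": "sharkMon",          # originating monitoring system
        "scenario": scenario,          # which analysis scenario fired
        "symptom": symptom,            # e.g. "dns.time"
        "value": value,
        "threshold": threshold,
        "trace_file": source_file,     # link back to the raw evidence
        "timestamp": datetime.now(timezone.utc).isoformat(),
    })
```

Carrying the trace-file reference in the event is the key design choice: the correlation platform keeps a direct path back to the packet-level evidence.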