Initiate precision packet captures to analyze zero window conditions

Similar documents
Monitor website performance in a dashboard

Dashboard walkthrough: monitoring website performance

Monitor database health in a dashboard

Monitor load balancer performance in a dashboard

Monitor DNS errors in a dashboard

Explore metrics in the ExtraHop system to investigate DNS failures

ExtraHop 7.3 ExtraHop Trace REST API Guide

Drill down. Drill down on metrics from a dashboard or protocol page

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vcenter Operations Management Pack for vcns

BIG-IP Analytics: Implementations. Version 13.1

Deploy the ExtraHop Discover Appliance with VMware

Deploy the ExtraHop Explore Appliance on a Linux KVM

Configuring IP SLAs TCP Connect Operations

vrealize Operations Management Pack for NSX for vsphere 3.0

ExtraHop 6.0 ExtraHop REST API Guide

vrealize Operations Management Pack for NSX for Multi-Hypervisor

Install the ExtraHop session key forwarder on a Windows server

Install the ExtraHop session key forwarder on a Windows server

Install the ExtraHop session key forwarder on a Windows server

Packet Forwarding with RPCAP

Deploy the ExtraHop Discover Appliance with VMware

Packet Forwarding with RPCAP

ExtraHop 6.2 Web UI Guide

Example: Packet Logging Workflow. Using Packet Captures. Enabling Packet Capture in Security Policy Rules

Packet Forwarding with RPCAP

vrealize Operations Management Pack for NSX for vsphere 2.0

Configuring Dashboards

Deploy the ExtraHop Discover Appliance in Azure

Configure RSPAN with VMware

Deploy the ExtraHop Discover Appliance with Hyper-V

ESET REMOTE ADMINISTRATOR PLUG-IN FOR KASEYA. Technical Setup and User Guide

Deploy the ExtraHop Discover Appliance with Hyper-V

Deploy the ExtraHop Trace 6150 Appliance

ExtraHop 7.2 Admin UI Guide

Configure RSPAN with VMware

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Introduction to Wireshark

Using the vrealize Orchestrator Operations Client. vrealize Orchestrator 7.5

ExtraHop 7.1 Admin UI Guide

Copyright 2012 Pulse Systems, Inc. Page 1 of 33

Viewing Logs. CIMC Log. Viewing the CIMC Log. Procedure. This chapter includes the following sections: CIMC Log, page 1 System Event Log, page 4

Add Munchkin Tracking Code to Your Website

Deploy the ExtraHop Explore Appliance on a Linux KVM

Deploy the ExtraHop Discover 3100, 6100, 8100, or 9100 Appliances

Deploy the ExtraHop Explore Appliance in Azure

Reset the Admin Password with the ExtraHop Rescue CD

ExtraHop 7.5 Admin UI Guide

vcenter Support Assistant User's Guide

ExtraHop 6.1 ExtraHop Explore Admin UI Guide

FortiTester Handbook VERSION 2.4.1

Deploy the ExtraHop Trace 6150 Appliance

OpenManage Management Pack for vrealize Operations Manager Version 1.1. Installation Guide

California Naturalist Volunteer Portal. A Quick Administrators Guide to the New Volunteer Management System 3.1

Install the ExtraHop session key forwarder on a Windows server

Intrusion Detection and Prevention IDP 4.1r4 Release Notes

vcenter Operations Manager for Horizon View Administration

Overview on CMS presentation sharing with Skype for Business using Expressway-E as TURN server - Cisco

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.3

McAfee Security Connected Integrating epo and MFECC

SOURCEFIRE 3D SYSTEM RELEASE NOTES

Enabling and Configuring Outbound API Notifications

Configuring IP SLAs DLSw+ Operations

vrealize Automation Management Pack 2.0 Guide

Lenovo ThinkAgile XClarity Integrator for Nutanix Installation and User's Guide

Configuring IP SLAs TCP Connect Operations

1 Introduction to MARS

ExtraHop Rest API Guide

Deploy the ExtraHop Discover Appliance 1100

Forescout. Configuration Guide. Version 2.4

VMware vrealize Operations for Horizon Installation

uc0401a0 : Wireframe 02a : View the Dashboard

FortiTester Handbook VERSION 2.4.0

Contents GUIDE TO INTEGRATION IMPLEMENTATION

ExtraHop Command-line Reference

FortiTester Handbook VERSION 2.5.0

vrealize Operations Management Pack for vsan 1.0 Guide

Deploy the ExtraHop Discover 3000, 6000, or 8000 Appliances

BIG-IP Analytics: Implementations. Version 12.1

ExtraHop 7.5 ExtraHop REST API Guide

VMware vrealize Operations for Horizon Installation. VMware vrealize Operations for Horizon 6.5

Deploy the ExtraHop Discover EDA 6100, EDA 8100, or EDA 9100 Appliances

Lab 4: Network Packet Capture and Analysis using Wireshark

Node-RED dashboard User Manual Getting started

ExtraHop 6.2 Admin UI Guide

Integration with McAfee DXL

VMWARE VREALIZE END POINT OPERATIONS FOR. Apache HTTP Server. User Guide

ForeScout CounterACT. Configuration Guide. Version 1.2

D&B Web Visitor ID for Adobe Analytics Deployment Guide

Diagnostic Manager. User Guide VERSION August 22,

Exinda How To Guide: Application Performance Scores (APS) Exinda ExOS Version Exinda Networks Inc.

Quick Start Guide. Version R92. English

Emergency Monitoring for SAP Solution Manager SAP Solution Manager 7.1 SP14 or 7.20 SP01 and higher

AppDefense Getting Started. VMware AppDefense

edocs Client Installation Guide for Macintosh

QLean for IBM Security QRadar SIEM: Admin Guide QLEAN FOR IBM SECURITY QRADAR SIEM ADMIN GUIDE ScienceSoft Page 1 from 18

Packet Capture Wireshark Fakrul Alam

Integrate Cisco IronPort Security Appliance (ESA)

Riverbed AirPcap software AirPcapReplay

vapp Deployment and Configuration Guide

Transcription:

Initiate precision packet captures to analyze zero window conditions Published: 2018-10-27 In TCP metrics, window size specifies the amount of data that a device can receive and process during a flow. When the window size is zero, transmissions are halted until the device signals that it has the space to receive data again. Zero window conditions that last 1 or 2 seconds are not too unusual, especially during periods of heavy traffic. However, longer-lasting zero window conditions can indicate a more serious problem and cause performance issues. You can create a dashboard or configure alert notifications to track zero window occurrences, but the cause can be hard to determine. For example, CPU, memory, and NIC usage might be normal, and you don t know if the issue is with the network, the servers, or the application. But you can always find the truth in the packet! In this walkthrough, you will create a trigger that captures packets with zero window conditions on database response and request flows. Then, you will download the captures so that you can upload the data to a packet analyzer to help you determine the state of the client and server on a flow when zero window conditions occurred. Prerequisites You must have access to an ExtraHop Discover appliance with a user account that has full system privileges. You must license and enable packet capture through the ExtraHop Admin UI. You must have a packet analyzer, such as WireShark or Microsoft Network Monitor. Familiarize yourself with Triggers concepts and the procedures in Build a trigger. Write the precision capture trigger In the following steps, you will write a trigger that initiates a precision packet capture each time a zero window condition occurs on a database transaction. 1. Log into the Web UI on the ExtraHop Discover or Command appliance. 2. Click the System Settings icon and then click Triggers. 3. Click New to open the Trigger Configuration window. 4. On the Configuration tab, specify the following trigger configuration settings: a) Type Zero Window PCAP into the Name field. b) Select the Enable Debugging checkbox. c) From the Events list, select DB_REQUEST and DB_RESPONSE. 2018 ExtraHop Networks, Inc. All rights reserved.

d) Click Advanced Options and type 128 in the Bytes per packet to capture field. Tip: The default value is 0. Keep this value to capture all the bytes in each packet. 5. Click the Editor tab. 6. In the Trigger Script text box, type the following code to initiate the packet capture when a zero window condition occurs: //The packet capture name, which includes the client and server //IP addresses and port numbers var pcapname = 'Zero Windows_' + Flow.client.ipaddr + ':' + Flow.client.port + '-' + Flow.server.ipaddr + ':' + Flow.server.port; //Initiate packet capture each time a zero window occurs on //the client or the server if ( Flow.zeroWnd1 > 0 Flow.zeroWnd2 > 0 ) { var opts = { maxpackets: 30, // Capture up to 30 packets maxpacketslookback: 15 // Capture up to 15 lookback packets }; Flow.captureStart(pcapName, opts); //Show capture activity in runtime log debug('start Zero PCAP: ' + pcapname); } 7. Click Save Changes. Assign the trigger to a source In the following steps, you will assign a trigger to a data source. A trigger does not run until it is assigned to a source, and the trigger gathers data only from the sources to which it is assigned. For the purposes of this walkthrough, the following procedure assigns the trigger to a device group called DB Servers. You should assign the triggers to the devices or device groups on your network that you want to monitor for zero window conditions. exclude_from_doc_site Initiate precision packet captures to analyze zero window conditions 2

Important: Running triggers on unnecessary devices and networks exhausts system resources. Minimize performance impact by assigning a trigger only to the specific sources that you need to collect data from. 1. Click Metrics from the top menu. 2. Click Device Groups in the left pane, and then select DB Servers. 3. Click the Assign Trigger icon from the top of the page. 4. Select the trigger you just created named Zero Window PCAP. 5. Click Assign Triggers. View debug output in the runtime log In the following steps, you will view the trigger debug output to confirm that the trigger is running and capturing packets. After you assign the trigger to your data sources, the system runs the trigger when database traffic occurs, and if any transactions contain a zero window, the system sends debug results to the runtime log. 1. Click the System Settings icon, and then click Triggers. 2. Click the Zero Window PCAP trigger you just created. exclude_from_doc_site Initiate precision packet captures to analyze zero window conditions 3

3. Click the Runtime Log tab. The runtime log displays results similar to the following figure: Download and view packet captures In the following steps, you will download packet captures from the ExtraHop Admin UI. 1. Click the System Settings icon, and then click Administration. 2. From the Packet Captures section, click View and Download Packet Captures. The Packet Capture List displays results similar to the following figure: Each packet capture in the list represents a flow of data between devices, and provides information about the devices, ports, and time range to help you narrow down which captures to download. 3. Select any capture named Zero Windows_ and click Download Selected Captures. The capture is saved to your local machine with the.pcap file extension. 4. Open the capture file with a packet analyzer, such as Wireshark. exclude_from_doc_site Initiate precision packet captures to analyze zero window conditions 4

The output will look similar to the following figure: 5. Open packets that indicate a zero window occurrence. You will see details such as TCP flags, when zero window conditions occurred, the length of each occurrence, and which devices were involved. Look for patterns in the data and investigate the state of the client and server devices to help you narrow down and resolve the cause. exclude_from_doc_site Initiate precision packet captures to analyze zero window conditions 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback