Setting up traffic capture for a TS-4200
The system captures traffic from actual users as they interact with web applications. It does this by listening to a copy of traffic on the wire, without introducing delay or failure points.
At this point, you must connect at least one of the TS-4200 series capture ports to the network segments that carry traffic between end users and the monitored web application.
Traffic capture
For all use cases, the system can capture end-user traffic in the following ways:
- Network tap — The preferred method, a network tap copies traffic for the purpose of monitoring. It is a passive device that, if it breaks, does not interrupt network traffic or the functioning of your application. A "smart" tap is better still, because it can filter on IP addresses and port numbers.
  BMC Real End User Experience Monitoring monitors only HTTP and HTTPS traffic, so you can configure a smart tap to copy only traffic on ports 80 and 443. Taps are fast and purpose-built for copying traffic. However, installing or replacing a tap forces you to take a segment of your network offline for a time.
- Mirror port — Known as a SPAN port on Cisco devices and a RAP port on 3Com devices, a mirror port is a switch port that you configure to copy traffic. In many cases, a switch already has a spare port that you can set up as a mirror. However, the device considers mirroring a secondary function, and if the device becomes overloaded, it might suspend mirroring, and the system will experience packet drops.
- Mirror pool — You can invoke a mirror pool on a load balancer, which can be configured to filter traffic. In many cases, a load balancer already has a spare port that you can set up as a mirror. However, the device considers mirroring a secondary function, and if the device becomes overloaded, it might suspend mirroring, and the system will experience packet drops.
You can set up tapping "in front of" or "behind" the load balancer:
- In front (in the following diagram, see 1) — The recommended method, tapping in front of the load balancer provides the best visibility of end-user traffic. To monitor HTTPS traffic, if the load balancer or web servers are performing encryption and decryption, you must upload a copy of the SSL private keys to the system.
- Behind (in the following diagram, see 2) — You can also tap behind the load balancer, but you must tap incoming and outgoing traffic in the same place. To monitor HTTPS traffic, if encryption and decryption occur on the load balancer, you have no need to upload a copy of SSL private keys to the system. However, tapping in this way reduces visibility of end-user traffic, particularly between the end user and the load balancer.
Tapping points
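The following Python check is an added example, not part of the BMC documentation. It reads packet summaries taken on the tapped segment and reports web flows seen in only one direction (incoming and outgoing traffic not tapped in the same place) and packets on ports other than 80 and 443 (tap or mirror filter not applied). It assumes the input is text in `tcpdump -nn -q` format; the function name `audit_capture` and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

WEB_PORTS = {80, 443}  # the page: only HTTP and HTTPS traffic is monitored

# Matches the address part of `tcpdump -nn -q` output for IPv4 TCP (assumed input format).
LINE = re.compile(r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): tcp")

# Constructed sample lines using documentation addresses, not a real capture.
SAMPLE = """\
12:00:00.000001 IP 203.0.113.10.51514 > 198.51.100.5.443: tcp 0
12:00:00.000950 IP 198.51.100.5.443 > 203.0.113.10.51514: tcp 0
12:00:00.002000 IP 203.0.113.11.40022 > 198.51.100.5.80: tcp 120
12:00:00.003000 IP 203.0.113.12.50000 > 198.51.100.5.22: tcp 0
""".splitlines()

def audit_capture(lines, web_ports=WEB_PORTS):
    """Return one-way web flows and the count of non-web packets."""
    directions = defaultdict(set)   # (client, server) -> {"c2s", "s2c"}
    non_web = 0
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue                # not an IPv4 TCP summary line
        src, sport, dst, dport = m[1], int(m[2]), m[3], int(m[4])
        if dport in web_ports:      # client to server
            directions[((src, sport), (dst, dport))].add("c2s")
        elif sport in web_ports:    # server to client
            directions[((dst, dport), (src, sport))].add("s2c")
        else:
            non_web += 1            # tap or mirror filter is passing other traffic
    one_way = sorted(
        f"{c[0]}:{c[1]} <-> {s[0]}:{s[1]} ({next(iter(d))} only)"
        for (c, s), d in directions.items() if len(d) == 1
    )
    return {"one_way": one_way, "non_web": non_web}

if __name__ == "__main__":
    report = audit_capture(SAMPLE)
    for flow in report["one_way"]:
        print("one direction missing:", flow)
    print("non-web packets seen:", report["non_web"])
```

A flow that is one-way only because the sample window cut it off is expected; a capture where most flows are one-way points to the tapping location.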
Where to go from here
When you finish setting up traffic capture, you can connect to the network.