Traffic capture and tapping points

The following sections describe how to enable network-based traffic capture for end-user experience monitoring:

Traffic capture technologies

For all BMC-Real-End-User-Experience-Monitoring-deployment-use-cases, the system can capture end-user traffic in any of the following ways:

  • Network tap — The preferred method, a network tap copies traffic for the purpose of monitoring. It is a passive device that, if it breaks, does not interrupt network traffic or the functioning of your application.

    If you use a smart tap (from companies such Gigamon, Net Optics, Network Critical, and Network Instruments), you can filter on IP addresses and port numbers to reduce traffic. BMC Real End User Experience Monitoring monitors only HTTP and HTTPS traffic, so you can configure a smart tap to copy only traffic on ports 80 and 443. See also Sizing-Collector-instances.

  • Mirror port — You can configure a mirror port on a switch to copy traffic, and analyze the network traffic passing through the port. Port mirroring on Cisco switches is referred to as Switched Port Analyzer (SPAN), Remote SPAN (RSPAN), or Encapsulated Remote SPAN (ERSPAN), or Roving Analysis Port (RAP) port on 3Com switch. Most often, a switch already has a spare port that you can set up as a mirror. However, mirroring traffic is considered a secondary function. It is possible that a switch can become overloaded and suspend mirroring, which results in packet drops.

    Note

    You must be sure that the mirror port is copying egress and ingress traffic (bidirectional) from the application.

  • Mirror pool — You can invoke a mirror pool on a load balancer, which can be configured to filter traffic. In many cases, a load balancer already has a spare port that you can set up as a mirror. However, mirroring traffic is considered a secondary function. It is possible that a switch can become overloaded and suspend mirroring, and the Collector will experience packet drops.
Capture limitation in Hyper-V

Capture ports must have Promiscuous Mode/Accept enabled. However, passive (promiscuous) mode traffic capture is not possible in Hyper-V systems. The Virtual Switch (vSwitch) will not forward packets to a virtual machine unless it has the machine's MAC address as a destination. To deploy a Real User Collector on Hyper-V systems, you must use ERSPAN with a Generic Routing Encapsulation (GRE) tunnel protocol to encapsulate and carry the traffic.

For information, see Knowledge Base article KA395990 (Support logon ID required).

Tapping point best practices and metric reporting

You can set up tapping in front of or behind the load balancer, as shown in the following illustration.

Tapping points

deploy_tapping.png

The following table describes requirements for secure traffic and how the placement of tapping points affects the traffic data collected and the metrics reported by BMC Real End User Experience Monitoring.

Tapping point

Effect on traffic data

Secure traffic requirements

Effect on metrics

1

Tapping between the firewall and the load balancer is the recommended method because it provides the best visibility of end-user traffic. From this point, it is possible to collect SSL traffic.

Data collected in front of the load balancer is as close to the edge of your network as possible. You can consider all time spent after this point in the network as time the user spent in your infrastructure, including the load balancer, which is considered host latency. The time spent in the network before the load balancer contributes to the overall network latency. For a definition of the these latency metrics, see End-user-experience-metrics.

To see which server responded to a particular request, this information must be sent through the load balancer. Tapping in front of the load balancer means that the IP address of the web server handling the request is not visible. To see the IP adress, you must add an HTTP cookie, or an HTTP header, to either the load balancer or the web server so it can be parsed.

To monitor HTTPS traffic, you must upload a copy of SSL private keys to the Collector. For information, see Managing-SSL-server-certificates-on-components.

Tapping at Point 1 is recommended since this method provides all metrics reported by BMC Real End User Experience Monitoring, including SSL timing.

2

You can also tap behind the load balancer, but you must tap incoming and outgoing traffic in the same place. This method reduces the end-user traffic visibility, particularly between the end user and the load balancer.

 

In some cases for SSL decryption acceleration, the load balancer decrypts the data on behalf of the servers.

If the load balancer does the decryption on behalf of the servers, the SSL latency metric is lost.

Data fed from this point is closer to your servers. This means that the network time metric includes latencies that are contributed from your infrastructure.

1 and 2

Tapping both in front of and behind the load balancer is  complicated, and dependent upon being able to sessionize before and after the load balancer.

For more information on this tapping method, see the Customer Support website at http://www.bmc.com/support.

 

The recommendations are the same as 1 and 2.

 

In this case, you get the benefit of monitoring the end user experience from the customer’s point of view. You also have a tap that is closer to your servers so you can get a Host Latency metric that more closely represents only the request time spent in the server.

Note: Either tapping point does not change the end-to-end time of the request/response.

Related topics

End-user-experience-metrics

BMC-TrueSight-App-Visibility-Manager-architecture

BMC-Real-End-User-Experience-Monitoring-deployment-use-cases

Setting-up-traffic-collection-and-data-storage-for-end-user-experience-monitoring

 

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*