Traffic capture and tapping points


The following sections describe how to enable network-based traffic capture for end-user experience monitoring:

Traffic capture technologies

For all BMC Real End User Experience Monitoring deployment use cases, the system can capture end-user traffic in the following ways:

  • Network tap — The preferred method, a network tap copies traffic for the purpose of monitoring. It is a passive device that, if it breaks, does not interrupt network traffic or the functioning of your application.

    If you use a smart tap (from companies such as Gigamon, Net Optics, Network Critical, and Network Instruments), you can filter on IP addresses and port numbers to reduce traffic. BMC Real End User Experience Monitoring monitors only HTTP and HTTPS traffic, so you can configure a smart tap to copy only traffic on ports 80 and 443. See also Sizing-Collector-instances.

    Taps are fast and purpose-built for copying traffic. However, installing or replacing a tap forces you to take a segment of your network offline for a time.

  • Mirror port — You can configure a mirror port on a switch to copy traffic, such as a SPAN, Remote SPAN (RSPAN), or Encapsulated Remote SPAN (ERSPAN) port on Cisco devices, or a RAP port on 3Com devices. In many cases, a switch already has a spare port that you can set up as a mirror. However, the device considers mirroring a secondary function, and if the device becomes overloaded, it might suspend mirroring, and the Collector will experience packet drops.

    Note

    You must be sure that the mirror port is copying traffic both to and from the application (bidirectional).

  • Mirror pool — You can invoke a mirror pool on a load balancer, which can be configured to filter traffic. In many cases, a load balancer already has a spare port that you can set up as a mirror. However, the device considers mirroring a secondary function, and if the device becomes overloaded, it might suspend mirroring, and the Collector will experience packet drops.
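
One way to check the bidirectional requirement from the note above, as an added example that is not part of the BMC documentation: it reads a capture taken on the Collector's capture interface and reports web flows that were mirrored in only one direction. It assumes a classic (microsecond) pcap of untagged IPv4 over Ethernet; the function names and the sample capture are constructed for illustration.

```python
import struct
from collections import defaultdict
from socket import inet_aton, inet_ntoa

WEB_PORTS = {80, 443}  # the ports the page says the product monitors

def tcp_tuples(pcap_bytes):
    """Yield (src, sport, dst, dport) per untagged IPv4/TCP frame in a classic pcap."""
    endian = "<" if pcap_bytes[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame, off = pcap_bytes[off + 16:off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        l4 = 14 + (frame[14] & 0x0F) * 4  # TCP header follows any IP options
        if len(frame) < l4 + 4:
            continue  # truncated before the port fields
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
        yield inet_ntoa(frame[26:30]), sport, inet_ntoa(frame[30:34]), dport

def one_way_flows(packets):
    """Return {(client, cport, app, aport): directions} for flows seen one way only."""
    seen = defaultdict(set)
    for src, sport, dst, dport in packets:
        if dport in WEB_PORTS:
            seen[(src, sport, dst, dport)].add("to_app")
        elif sport in WEB_PORTS:
            seen[(dst, dport, src, sport)].add("from_app")
    return {flow: dirs for flow, dirs in seen.items() if len(dirs) < 2}

def _frame(src, sport, dst, dport):
    """Build a minimal Ethernet/IPv4/TCP frame (constructed test data, no payload)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     inet_aton(src), inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x10, 0, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_capture():
    """Constructed capture: one flow mirrored both ways, one mirrored ingress only."""
    frames = [_frame("198.51.100.7", 50000, "10.0.0.10", 443),
              _frame("10.0.0.10", 443, "198.51.100.7", 50000),
              _frame("198.51.100.8", 50001, "10.0.0.10", 80)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(one_way_flows(tcp_tuples(sample_capture())))
```

If most flows are reported as one-way, the mirror is copying a single direction; a handful of one-way flows at the start or end of a capture is normal.
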

Capture limitation in Hyper-V

Capture ports must have Promiscuous Mode/Accept enabled. Passive (promiscuous) mode traffic capture is not possible in Hyper-V because the Virtual Switch (vSwitch) will not forward a packet to a virtual machine unless the packet has the MAC address of that virtual machine as its destination. To deploy a Real User Collector on Hyper-V, you must use ERSPAN with a Generic Routing Encapsulation (GRE) tunnel to encapsulate and carry the traffic.

For information, see Knowledge Base article KA395990 (Support logon ID required).

Tapping point best practices and the effect on traffic and metrics

You can set up tapping in front of or behind the load balancer, as shown in the following illustration.

[Illustration: Tapping points]

The following table describes requirements for secure traffic and how the placement of tapping points affects the traffic data collected and the metrics reported by BMC Real End User Experience Monitoring.

| Tapping point | Effect on traffic data | Secure traffic requirements | Effect on metrics |
|---|---|---|---|
| 1 | Tapping in front of the load balancer is the recommended method. It provides the best visibility of end-user traffic. From this point, it is possible to collect SSL traffic. Data collected in front of the load balancer is as close to the edge of your network as possible. You can consider all time spent after this point in the network as time the user spent in your infrastructure, including the load balancer, which is considered host latency. The time spent in the network before the load balancer is considered network latency. For a definition of these latency metrics, see End-user-experience-metrics-and-attributes. In order to see which server responded to a particular request, this information will need to be sent through the load balancer. If you tap in front of the load balancer, the IP address of the web server handling the request will not be visible. To have that visibility, you must add an HTTP cookie or an HTTP header to either the load balancer or the web server so it can be parsed. | To monitor HTTPS traffic, if the load balancer or web servers are performing encryption and decryption, you must upload a copy of SSL private keys to the Collector. For information, see Managing-SSL-server-certificates-on-components. | To report back all metrics, including SSL time, tapping at point 1 is recommended. |
| 2 | You can also tap behind the load balancer, but you must tap incoming and outgoing traffic in the same place. Tapping in this way reduces the visibility of end-user traffic, particularly between the end user and the load balancer. | To monitor HTTPS traffic, if encryption and decryption occur on the load balancer, you do not need to upload a copy of SSL private keys to the Collector. In some cases for SSL decryption acceleration, the load balancer will decrypt the data on behalf of the servers. The load balancer might also be the end point for the request and re-request it on behalf of the end user for increased security. | Data fed from this point is closer to your servers. This means that the network time metric will also include some latencies that are contributed from your infrastructure. If the load balancer does the decryption on behalf of the servers, the SSL latency metric will be lost. |
| 1 and 2 | Tapping both in front of and behind the load balancer is more complicated and is dependent upon being able to sessionize before and after the load balancer. For example, if you sessionize a cookie, the cookie will be detected on both sides of the load balancer, which results in duplicate reports of a hit in the same session. | The recommendations are the same as 1 and 2. | In this case, you get the benefit of monitoring the end user experience from the customer’s point of view. You also have a tap that is closer to your servers so you can get a Host Latency metric that more closely represents only the request time spent in the server. |

Note: Neither tapping point changes the end-to-end time of the request/response.

Related topics

End-user-experience-metrics-and-attributes

BMC-TrueSight-App-Visibility-Manager-architecture

BMC-Real-End-User-Experience-Monitoring-deployment-use-cases

Setting-up-traffic-collection-and-data-storage-for-end-user-experience-monitoring