Traffic discovery

The Discovery reports offer a variety of out-of-the-box views into your network, sites, and links.

In addition to the main view, you can click any of the Analyze... buttons to drill down to the Traffic discovery analysis report for the selected context.


Overview

The Overview report is the dashboard for Traffic discovery. Use it to get a quick overview of discovered traffic and to drill down to focused discovery reports.

Network

The Network section of the Overview is based on insight into Layer 2 of the monitored traffic.

  • Click Analyze network to open Traffic discovery analysis to the Network tab.

The NAM Probe analyzes Layer 2 information by default, but this feature can be disabled. To make sure it's enabled:

  1. In the NAM Server, open Monitoring ► NAM Console.
  2. Select the NAM Probe and open its configuration.
  3. On the Global ► General screen, make sure Enable Layer 2 data generation is selected.

This must be enabled on all your NAM Probes to ensure you have insight into VLANs, tunnels, and QoS queues and services used in your network.

  • The Bandwidth usage chart shows bandwidth usage over time, with a one-hour resolution, so you can see the total bandwidth usage at a glance. The baseline (when data is available) enables you to compare current bandwidth usage to the same period the previous week. At a glance, you know whether today's usage is unusually low or high compared to a week ago. Values here can point to problems such as a probe being located in the wrong place or incorrect SPAN settings.

  • The Current VLANs tile shows the number of detected VLANs.

    At a glance, see how many active VLANs are in the environment. In most cases, you will know how many VLANs are supposed to be active in your environment. This value enables you to quickly check whether the correct number has been detected, and whether you are approaching the maximum number of VLANs. (On an Ethernet network, you can have 4096 VLANs, which is 4094 plus the two reserved values 0x000 and 0xFFF.)

    • Verify that probes are positioned correctly.
    • Verify that the SPAN/Mirror has been set to read VLAN tags. (Remember that the VLAN tag is really only relevant within the domain. After a conversation exists, the tag is no longer needed, so by default a mirror/SPAN will strip the VLAN header.)
  • The Current tunnels tile shows the number of detected tunnels. This section indicates whether there are tunnel issues that need to be investigated.

    • At a glance, you can see how many tunnels are active in the environment. Verify that probes are positioned correctly.
    • Tunnels are reported relative to usage.
    • Each VLAN is reported separately. You might have, for example, seven GRE tunnels, all reported as separate tunnels with their type and endpoints.
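To check outside the product whether a SPAN/mirror feed still carries VLAN tags, you can tally the 802.1Q headers and DSCP values in a few captured frames. The following is an added example, not NAM code: the function names and the sample frames are constructed for illustration, and it assumes raw Ethernet frames with IPv4 payloads.

```python
import struct
from collections import Counter

TPIDS = {0x8100, 0x88A8}        # 802.1Q and 802.1ad (QinQ) tag identifiers
RESERVED_VIDS = {0x000, 0xFFF}  # 0x000 = priority tag only, 0xFFF = reserved

def parse_l2(frame: bytes):
    """Return (VLAN IDs outermost first, DSCP or None) for one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    offset, vids = 12, []
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    while ethertype in TPIDS:                 # walk stacked tags
        if len(frame) < offset + 6:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vids.append(tci & 0x0FFF)             # low 12 bits of the TCI = VLAN ID
        offset += 4
    payload = frame[offset + 2:]
    dscp = None
    if ethertype == 0x0800 and len(payload) >= 2 and payload[0] >> 4 == 4:
        dscp = payload[1] >> 2                # upper 6 bits of the DS/ToS byte
    return vids, dscp

def span_summary(frames):
    """Tally tagged vs. untagged frames, outer VLAN IDs and DSCP values."""
    out = {"tagged": 0, "untagged": 0, "reserved": 0,
           "vlans": Counter(), "dscp": Counter()}
    for frame in frames:
        vids, dscp = parse_l2(frame)
        out["tagged" if vids else "untagged"] += 1
        if vids:
            out["vlans"][vids[0]] += 1
            out["reserved"] += sum(v in RESERVED_VIDS for v in vids)
        if dscp is not None:
            out["dscp"][dscp] += 1
    return out

def sample_frame(tags, dscp):
    """Constructed test frame: zero MACs, optional tags, bare IPv4 header."""
    head = bytes(12) + b"".join(struct.pack("!HH", t, v) for t, v in tags)
    return head + struct.pack("!H", 0x0800) + bytes([0x45, dscp << 2]) + bytes(18)

SAMPLE = [sample_frame([(0x8100, 601)], 0),               # VLAN 601, CS0
          sample_frame([(0x8100, 601)], 46),              # VLAN 601, EF
          sample_frame([(0x88A8, 100), (0x8100, 1)], 0),  # QinQ, outer 100
          sample_frame([], 0)]                            # no tag present

if __name__ == "__main__":
    print(span_summary(SAMPLE))
```

A feed in which every frame lands in the untagged count, on links you know to be trunked, points to a mirror session that strips the VLAN header.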

The Sites and links section charts active nodes over time.

  • Click Analyze sites and links to open Traffic discovery analysis to the Sites and links tab.

If this section is not populated, it is because the NAM Probe cannot see any IP traffic. Make sure the NAM Probe is connected to a tap, SPAN, or network packet broker, and that it receives the monitored traffic stream. The best way to diagnose issues with traffic acquisition or quality is to open Diagnostics ► Traffic diagnostics and follow the instructions shown there.

Application and network services

The Application and network services section is based on insight into Layer 3 of the monitored traffic. If the data is available, a line shows the value from a week ago for comparison.

If this section is empty, your NAM Probes apparently can't analyze the traffic. Common reasons:

  • The NAM Probes are not up and running.
  • The NAM Probes are running but there's no contact with them.

You may want to inspect the status of your NAM Probes in the NAM Console and view the Traffic diagnostics report for more details.

Click Analyze services to open Traffic discovery analysis to the Services tab.

  • Web shows the web usage in the monitored network over time, with a one-hour resolution.
  • Network services shows the network services usage in the monitored network over time, with a one-hour resolution.
  • Citrix shows the Citrix usage in the monitored network over time, with a one-hour resolution.
  • Other services chart

Citrix

This is displayed if Citrix is detected on the network.

  • Click Analyze Citrix to open Traffic discovery analysis to the Citrix tab.

If you expected Citrix (ICA) traffic and don't see any, review your SPAN/NPB configuration or consider changing the NAM Probe connection point.


Traffic discovery analysis

Network

The Network tab shows overall bandwidth usage and breaks it down to show VLANs, tunnels, QoS, and protocols currently consuming the most bandwidth.

  • Bandwidth usage
    This chart shows total bandwidth usage over time. If comparable data is available, an additional baseline is displayed.

    Click Analyze in Network explorer to open the Network explorer.

  • Top protocols

    Protocols currently consuming the most bandwidth. Click any point on a chart to see a numerical value for that point on the chart.

    • Top protocols offers a quick view of which analyzer (protocol) is the most active in all of the monitored traffic.
    • Per protocol, the Top 20 Protocols drilldown report shows the balance between client and server bandwidth usage, and shows a breakdown of users affected and not affected by network performance problems.

    Click Analyze this protocol to open the Network explorer for the selected protocol.

  • Top VLANs

    VLANs currently consuming the most bandwidth. VLANs are reported in order of usage.

    VLANs are reported relative to the identifier found in the 802.1Q header, which is unique to each environment. For example, VLAN 601 will not be the same VLAN across two organizations.

    Click any point on a chart to see a numerical value for that point on the chart.

    • Are there too many VLANs for your configuration? If the VLAN count looks wrong on the Discovery - Overview report, drill down to the Discovery - VLANs report to review the list of VLANs, and possibly to the VLAN report for a selected VLAN to review the details.
    • VLAN reports offer a quick view to see which VLANs are taking up the most bandwidth. This can be used to see how evenly distributed the load is. For example, if VLAN 1 is carrying 58.3 Mbps and VLAN 601 is carrying 1.74 kbps, then you might want to look into the VLANs to see if you can redistribute the load by, for example, moving a server to a different VLAN. This doesn't necessarily mean that all VLANs have to be evenly loaded, but oversubscription can cause performance issues.

    Click Analyze this VLAN to open the Network explorer for the selected VLAN.

  • Top tunnels

    Tunnels currently consuming the most bandwidth.

    Click any point on a chart to see a numerical value for that point on the chart.

    • A change in the number of tunnels can be a quick indicator of a potential security problem. Has someone added a tunnel to gain unauthorized access to network resources?
    • If the tunnel count looks wrong on the Discovery - Overview report, drill down to the Discovery - Network report to review the list of tunnels, and possibly to the Tunnel report for a selected tunnel to review the details.
    • Use tunnel reports to understand which tunnels exist within the environment, where they originated, and the form they take. For an IPv6 tunnel, for example, it may be important to understand where it started and to differentiate between different tunnel types and see which is carrying the most load.
      • Tunnel oversubscription, like VLAN oversubscription, can be an issue.
      • For a more detailed view, drill down to details from the tunnel report.

    Click Analyze this tunnel to open the Network explorer for the selected tunnel.

  • Top QoS

    QoS currently consuming the most bandwidth. Click any point on a chart to see a numerical value for that point on the chart.

    If the QoS looks wrong on the Discovery - Overview report, drill down to the Discovery - Network report to review the top QoS list, and possibly to the Network Overview - QoS report for a selected QoS to review the details.

    • QoS is reported relative to the DSCP setting and in order of usage.
    • Use the QoS report to see whether any particular queue is carrying more traffic than is expected. This situation can create serialization issues, where the link utilization does not appear high but the virtual queue becomes overloaded, which results in drops.
    • CS0 (class selector 0) normally is the most heavily used.

    Click Analyze this QoS to open the Network explorer for the selected QoS.
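The tunnel-change check described under Top tunnels can also be run independently on packet samples by building a tunnel inventory (type plus endpoints) and comparing it to a baseline. The following is an added example, not NAM's detection logic: the function names and sample packets are constructed, and it assumes outer IPv4 headers and only the three IP-level tunnel protocols listed in the code (UDP-encapsulated tunnels are out of scope).

```python
import ipaddress

# IANA IP protocol numbers that carry another IP packet inside IPv4
TUNNEL_PROTOS = {4: "IP-in-IP", 41: "IPv6-in-IPv4", 47: "GRE"}

def tunnel_key(packet: bytes):
    """Return (type, endpoint, endpoint) for an IPv4 tunnel packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                           # not a complete IPv4 header
    kind = TUNNEL_PROTOS.get(packet[9])       # byte 9 = protocol field
    if kind is None:
        return None
    ends = sorted((ipaddress.IPv4Address(packet[12:16]),
                   ipaddress.IPv4Address(packet[16:20])))
    return kind, str(ends[0]), str(ends[1])   # same key for both directions

def inventory(packets):
    """Set of distinct tunnels (type + endpoints) seen in a capture."""
    return {key for key in map(tunnel_key, packets) if key}

def diff_tunnels(baseline, current):
    """Tunnels that appeared or disappeared relative to the baseline."""
    return {"new": sorted(current - baseline),
            "gone": sorted(baseline - current)}

def sample_ipv4(proto, src, dst):
    """Constructed sample: bare 20-byte IPv4 header, documentation addresses."""
    return (bytes([0x45, 0]) + bytes(7) + bytes([proto]) + bytes(2)
            + ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed)

LAST_WEEK = [sample_ipv4(47, "192.0.2.1", "198.51.100.1"),   # known GRE tunnel
             sample_ipv4(6, "192.0.2.5", "192.0.2.6")]       # plain TCP, ignored
TODAY = [sample_ipv4(47, "198.51.100.1", "192.0.2.1"),       # same GRE, reverse
         sample_ipv4(41, "192.0.2.9", "203.0.113.7")]        # not in baseline

if __name__ == "__main__":
    print(diff_tunnels(inventory(LAST_WEEK), inventory(TODAY)))
```

Entries under "new" are the tunnels to review against change records; entries under "gone" may indicate a lost path or a probe that no longer sees the traffic.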

Sites and links

Keep an eye on the number of nodes in your network. A change in the number of nodes can be a quick indicator of an infrastructure problem. A significant drop may indicate that you have lost a part of the network.

Top sites

These charts show sites currently consuming the most bandwidth.

For each of the top five sites, a chart shows the downstream and upstream bandwidth usage over time.

Click any point on a chart to see a numerical value for that point on the chart. Click the link in the pop-up to drill down for details.

Top links

These charts show links currently consuming the most bandwidth.

For each of the top five links, a chart shows the incoming and outgoing bandwidth usage over time.

Click any point on a chart to see a numerical value for that point on the chart. Click the link in the pop-up to drill down for details.

If nothing is displayed here, no links have been defined or detected from NetFlow records (if NetFlow data acquisition is enabled). Either create user-defined links (UDL) or inspect the NetFlow record feed configuration.

To create a user-defined link (UDL):

  1. Open Settings ► Monitoring ► NAM Console.
  2. In the list of devices, open the menu for your NAM Server and select Open configuration.
  3. Click Sites.
  4. The UDL check box displayed when you add a site enables you to designate a manually defined site as a UDL.

With links defined, you can monitor link-specific bandwidth utilization, software service activity, and their performance.

Services

This report is based on insight into Layer 3 of the monitored traffic. If it cannot detect traffic, it may be for any of several reasons, but it is most likely that the NAM Probes are not up and running or there is no contact with the NAM Probes. You may want to inspect the status of your NAM Probes and view the Traffic diagnostics report for more detail.

Top software services

Software services currently consuming the most bandwidth.

Top cloud services

Cloud services currently consuming the most bandwidth.

DNS Errors

DNS errors over time.

LDAP Errors

LDAP errors over time.

Netlogon slowdowns

Netlogon slowdowns over time.

SMB slowdowns

SMB slowdowns over time.

Citrix

Important
  • If you expected to see Citrix Appflow traffic but none was detected in the monitored stream, review your NetScaler configuration.
  • If you expected to see Citrix ICA traffic but none was detected in the monitored stream, review your SPAN/NPB configuration or consider changing the NAM Probe connection point.

Top 5 Appflow channels

Charts showing the Appflow channels currently consuming the most bandwidth.

Top 5 ICA published applications

Charts showing the ICA published applications currently consuming the most bandwidth.

The “All other” chart below these charts shows the total bandwidth consumption of other ICA applications.

Top 5 ICA channels

Charts showing the ICA channels currently consuming the most bandwidth.

The “All other” chart below these charts shows the total bandwidth consumption of other ICA channels.