How does NAM work?

Let's make things simple. Here's how it all works.

The NAM Probe sniffs the mirrored traffic and makes it available in its memory for analyzers. We do not save the payload on the disk, unless you want the system to do it for diagnosis and troubleshooting. Analyzers dive into the packets, recognize the traffic type, identify operations, and collect the performance measurements. The result of this process is the monitoring data sent at the frequency of the defined monitoring interval (1 min minimum) to the report server (NAM Server) for further processing and presentation.

The NAM Server lets you look at the data from many different angles using a number of highly customizable presentation elements. From simple tables, through charts, tiles, and donuts to diagrams based on your custom graphics. The NAM Server filters the data, aggregates it, calculates trends, and issues alert based on your own definitions.

The details:

Agentless network sniffing

NAM passively collects data from a switch port or tap in your data center using a NAM Probe. The NAM Probe is a crucial element of the NAM system. However, to draw the right conclusion, you need to make sure your NAM Probe gets the right data. See Obtain good traffic.

Analyzer / decode

An "analyzer" (sometimes called a "decode") is a software component that monitors, parses, and analyzes a network protocol detected in the monitored traffic. Some analyzers monitor operations: they can recognize exchanges of information where there is a recognizable question-and-answer dialog. See Introduction to protocol analyzers.

Software service

A "software service" is a service that is (1) implemented by a specific piece of software, (2) offered on a TCP or UDP port of one or more servers, and (3) identified by a particular TCP port number. Software services are identified on reports by either port numbers or assigned names.

A software service is parsed by a single analyzer. NAM discovers software services automatically and based on the known patterns and intelligent analysis chooses the right analyzer to monitor the service. You can also define your own software services with an aid of wizards available in the NAM Console.

Transaction

A transaction consists of operations that are grouped as steps. Transactions are built out of a single step or a number of steps. For example:

  • A simple, single-step transaction may consist of a single operation such as a web page load.
  • An extended transaction may consist of a collection of non-sequenced operations (an unstructured transaction).
  • A more complex transaction may consist of sequences of operations, each operation being a single step. NAM monitors sequences of web page loads and sequences of XML calls, and it reports on these sequences (as transactions) and on individual operations within sequences.

A transaction defines a logical business goal such as registration in an online store. One or more transactions constitute an application. Note that a transaction can have only one parent application.

Data for a transaction can come from:

  • NAM Probe
  • Enterprise Synthetic agent

The same transaction can contain data from different data sources at the same time (for example, data from NAM Probe and from Enterprise Synthetic). However, metrics for each data source are aggregated separately.

Application

An application is a universal container that can accommodate transactions. Each application can contain one or more transactions; those transactions can originate from different sources. An application defined on the NAM Server is a cohesive container that helps you organize information about the application delivery chain.

Applications organize the data traveling through your network into logical units or tasks. These tasks are performed over the network. You can distinguish each web application running on a single web server.

Users

NAM can report on the system performance experienced by your users. You can teach the system very sophisticated methods of user recognition. The granularity and the detail of the reporting depends on the size of your deployment, the number of users and your monitoring needs.

Location

A location or a site is an IP network from which users log in to a monitored network. NAM automatically detects sites based on the network mask. You can also define sites yourself by a range of IP addresses set manually (referred to as a class-C IP network) or by an automatically set class-B network, or it can be a range of addresses defined by a customized network mask, or by a set of IP networks based on the BGP routing table analysis. Sites can be grouped together into areas, which in turn can be grouped together into regions.