Global - general

For any given data collector device such as the NAM Probe, you can set a variety of options, such as time thresholds. The general settings affect the monitoring of default and user-defined software services. Some of these settings can then be overridden by settings for a particular analyzer, software service, or URL.


While some of the options control only general NAM Probe behavior, some options in the Advanced group affect more specific configurations in application monitoring. For example, if Inherit from global settings is selected in your other configurations while configuring user-defined software services, the global setting takes precedence over the specific monitoring configuration.

Monitoring interval

The monitoring interval in minutes. Increasing this value reduces the number of chunks of data that need to be transferred and processed.

Default: 5 minutes.

Verify that the monitoring interval is synchronized between the data collectors.

Slow page load or slow operation time threshold

The number of seconds after which an operation is considered to be “slow”. The global threshold value depends on the analyzer.

This threshold is used by the following analyzers:

  • Generic with transactions
  • HTTP
  • MS Exchange over HTTP
  • MS Exchange over HTTPS
  • Oracle Applications over HTTP
  • Oracle Applications over HTTPS
  • SAP GUI over HTTP
  • SAP GUI over HTTPS
  • SMTP
  • SSL
  • SSL Decrypted

Server time threshold

The Server time threshold relates to the server time portion of an overall operation time. Server times above the threshold limit are considered to be slow due to poor datacenter performance.

This threshold is used by the following analyzers:

  • HTTP
  • SAP GUI over HTTP
  • SAP GUI over HTTPS

IP address of the server authorized to set NAM Probe time

The IP address of the report server that has the authority to synchronize the time with this NAM Probe.

In an environment with a number of servers sharing the same NAM Probe, it is good practice to designate only one of these servers as a time synchronization server to make changes to NAM Probe settings. Otherwise, the server used for time synchronization will change inadvertently every time you save a NAM Probe configuration.


Default analyzer

The default setting for the TCP analyzer is Generic (with transactions). To change it, select another analyzer from the list.

Client RST packet timeout to mark session as CLOSED

If the time between the last ACK for data sent by the server and an RST packet sent by the client is greater than this value, the session is treated as closed instead of aborted.

Huge packet size

The upper size limit, in bytes, of an HTTP request to be processed successfully by the NAM Probe.

Maximum packet size

The NAM Probe is capable of processing packets of up to 16128 bytes, besides the Ethernet standard MTU (Maximum Transmission Unit) of 1536 bytes.

Choose one of the predefined values (2048, 4096, 8192, or 16132 bytes) to enable the NAM Probe to process non-standard MTU packets. When you have chosen the Maximum packet size value, make sure that you also set the Huge packet size to an applicable value.

Enabling the NAM Probe to process nonstandard MTU packets and leaving Data memory limit unchanged can cause an excessive packet loss. To avoid this, extend RAM and configure its usage as recommended in the tables below. For more information, see data memory limit.

Recommended RAM Configuration for Maximum Packet Size Values for NAM Probes:

  • 8192 B or less: 64 GB
  • 8192 B: 96 GB
  • 16132 B: 128 GB

Sampling enabled Supported in 64-bit customized NAM Probe drivers and all- native drivers. The sampling mechanism is beneficial when heavy traffic may negatively affect NAM Probe performance and there is a risk of losing IP session consistency. When this option is enabled, the NAM Probe tries to analyze the greatest possible portion of traffic. It drops packets in a controlled manner that preserves complete and consistent sessions. Note that statistics for dropped packets are not shown on the report server.

If packets are dropped because of sampling, the NAM Server shows notification messages. For percentages between 75 and 99, a warning icon is displayed; for values below 75, the report server issues error messages.

When this option is disabled and the network interface driver performance is degraded, random packets are dropped.

Default: enabled.

For more information, see Driver, Network, and Interface Configuration and NAM Probe Sampling.


When capturing packets on a NAM Probe with sampling disabled, if the NAM Probe experiences packet drop due to high traffic volume, the packet capture is not automatically canceled. If this occurs, select Tools ► Packet Data Mining Tasks on the NAM Server, find the task that was using the NAM Probe in question, and click

Stop task
Stop task

to cancel that task.

Packet deduplication

Deduplication method

You can choose one of four methods for eliminating duplicate packets:

  • Based on TCP checksum and IP ID – Using this method, duplicate packets are detected based on their TCP checksum and IP ID.
  • Based on TCP checksum and IP ID (excluded SEQ and ACK numbers) – Using this more complex, two-stage method, duplicate packets are detected based on a modified packet KCP checksum (SEQ and ACK numbers are excluded) and IP ID. This method is useful if the NAM Probe captures packets on various interfaces of the router, rewriting SEQ and ACK numbers. A packet is considered a duplicate when the modified checksum, IP ID, and SEQ and ACK numbers are identical. First, a packet checksum with SEQ and ACK numbers is created and compared to the packets stored in the detection buffer. If the comparison indicates that the packet is not a duplicate, it is checked to determine whether it matches the current session. A packet matches the current session when its SEQ and ACK numbers are different from processed and cached numbers by the value defined in TCP duplicate window. If the difference exceeds the defined value, the NAM Probe assumes the ACK and SEQ numbers were rewritten by the router and the packet is considered a duplicate.
  • TCP checksum, IP ID and MAC address (excluded SEQ and ACK) – Using this method, the deduplication process is similar to the one based on TCP checksum and IP ID (excluded SEQ and ACK numbers), but in addition to TCP checksum and IP ID, the source/destination MAC addresses are also taken into account for the calculation.
  • TCP checksum, IP ID and MAC address – Using this method, duplicate packets are identified based on their TCP checksum, IP ID and source/destination MAC addresses.

TCP duplicate window This setting is useful only if Deduplication method is set to Based on TCP checksum with excluded SEQ and ACK numbers. It is used for determining whether a packet, based on its SEQ and ACK numbers, belongs in the session. If a packet's SEQ and ACK numbers differ from the current session's SEQ and ACK numbers by a value larger than TCP duplicate window, the packet is considered a duplicate. Default: 65536.

Packet buffer size The number of packets to keep in the buffer for use as a basis for comparison in duplicate packet detection. Newly captured packets are sequentially compared to the packets in the buffer. A newly captured non-duplicate packet (all packets in the buffer are unique) is placed on the top of the stack and the oldest is removed. Range: 6 to 24 packets. Default: 16.

Reset duplicate detection time threshold Time of inactivity (in seconds) after which the duplicate packets elimination mechanism is reset. If Deduplication method is set to Based on TCP checksum with excluded SEQ and ACK numbers or TCP checksum, IP ID and MAC address (excluded SEQ and ACK), and the Reset duplicate detection time threshold should be greater than every response generation time (server time).