Autodiscovered software services

NAM Console ► NAM Probe Configuration ► Software Services ► Autodiscovered Software Services

Monitoring default software services is aimed at users who are new to the concept of software service monitoring. You can quickly enable traffic monitoring based on well-known ports, regardless of server or client IP addresses, and you can define IP address ranges for monitored servers, clients, or both. In order to specify IP address ranges you must select the Enable monitoring of autodiscovered services option.

You can select the Enable monitoring of autodiscovered software services checkbox to enable monitoring of traffic on well-known ports.

  1. In NAM Console ► Deployment ► Manage devices, select NAM Probe Configuration ► Open configuration.
  2. Navigate to Configuration ► Software Services ► Autodiscovered Software Services.


Software services tab

On the Software Services tab, you can change the sort order by clicking the table column headings, or right-click a software service to open the context menu and choose:

  • Add (or click the add icon) to create a new software service definition.
  • Open to review or edit an existing software service definition.
  • Delete (or click the clear icon) to remove the selected software service from the list. Deletion does not require additional confirmation.

To quickly navigate to an entry in the Software Services table, click in the table and then type the first letters of a software service name. Click the magnifying glass icon or press [CTRL+F] to open a search box to limit the table view to only those rows that contain a match (in any column) to the search string.

The NAM Probe comes with a comprehensive list of software services on well-known ports. You can add services that are present on your network or delete existing software services that you do not need. To configure a software service on well-known ports using the default settings, right-click anywhere in the Software Services table, select Add from the context menu, and provide the autodiscovered software service details.

Server ranges tab

Server Ranges can be used to filter default software services:

  • Detected based on packet content rules – the rule specifies which IP address is the server, and if the address is not in the server ranges the traffic is reported as filtered out.
  • Detected based on well-known port – the side with the well-known port is the server, and if the address is not in the server ranges the traffic is reported as filtered out.
  • Unknown – see the rules outlined above. The traffic filtered out due to server ranges is reported as “All Other” on the NAM Server report.

To narrow the range of monitored servers:

  1. Click the Server Ranges tab on the Default Software Services pane.
  2. In the table of IP addresses, right-click to open the context menu and choose Add.
     You can add as many ranges as needed.

     Note

     Ranges defined in this section apply to monitoring Default Software Services only.
  3. Edit the IP addresses of the newly added range.
     Note that the range is inclusive: the specified addresses and all of the addresses between them will be monitored.
  4. Publish the draft configuration on the monitoring device.

Warning

When you define server and client ranges, be sure not to filter everything out or there will be no data in your reports.
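The following sketch models the server-range filter described above so you can check a planned set of ranges against sample traffic before publishing. It is an added illustration, not NAM Probe code; the port table, ranges, flows, and function names are constructed, and it assumes that an empty range list means no filtering.

```python
import ipaddress

# Constructed sample data, not taken from a NAM configuration.
WELL_KNOWN_PORTS = {25: "SMTP", 80: "HTTP", 443: "HTTPS"}
SERVER_RANGES = [("10.1.0.10", "10.1.0.20")]

def in_ranges(addr, ranges):
    """True if addr is inside any range; first and last address are included."""
    ip = ipaddress.ip_address(addr)
    for first, last in ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        # Compare only within one IP version; mixed comparisons raise TypeError.
        if lo.version == ip.version and lo <= ip <= hi:
            return True
    return False

def classify(flow, ranges=SERVER_RANGES):
    """flow = (ip_a, port_a, ip_b, port_b). Returns the reported label."""
    ip_a, port_a, ip_b, port_b = flow
    # The side with the well-known port is treated as the server.
    if port_a in WELL_KNOWN_PORTS:
        server, service = ip_a, WELL_KNOWN_PORTS[port_a]
    elif port_b in WELL_KNOWN_PORTS:
        server, service = ip_b, WELL_KNOWN_PORTS[port_b]
    else:
        return "unknown"  # simplification: content rules are not modelled here
    # Assumption: with no ranges defined, nothing is filtered out.
    if ranges and not in_ranges(server, ranges):
        return "All Other"
    return service

def summarize(flows, ranges=SERVER_RANGES):
    """Return (label counts, everything_filtered) for a set of sample flows."""
    counts = {}
    for flow in flows:
        label = classify(flow, ranges)
        counts[label] = counts.get(label, 0) + 1
    services = set(WELL_KNOWN_PORTS.values())
    monitored = sum(n for label, n in counts.items() if label in services)
    return counts, monitored == 0

SAMPLE_FLOWS = [  # constructed
    ("192.168.5.7", 51544, "10.1.0.10", 443),  # first address of the range
    ("192.168.5.7", 51545, "10.1.0.20", 80),   # last address of the range
    ("10.1.0.21", 25, "192.168.5.9", 40112),   # server one address outside
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

A result whose second value is true corresponds to the situation the warning describes: every sampled flow would be reported as "All Other".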

Data generation tab

Click the Data Generation tab to specify the options that should be enabled.

This controls the scope of data generated by the NAM Probe that is used in reporting.

  • Generate NAM Server Data

    • Enabled
      Default setting.
      In normal circumstances, you should not disable NAM Server data generation.
    • Disabled
      When this is selected, the NAM Probe will stop saving the data used in most NAM Server reports.
  • Report SSL handshakes in NAM Server data

    When checked, NAM Server generated data will contain all defined operations including SSL handshakes. You can turn off the SSL handshake operations globally per NAM Probe or individually per software service for the NAM Server. When Inherit from global setting is selected, the global setting is used. To edit the global setting, open the NAM Probe configuration, select Global ► Front-End Monitoring ► SSL and set the Report defined operations in NAM Server data option.

  • Generate ADoD Data
    When controlling ADoD data generation, you can either disable it completely or decide on the depth of available data.

    • Disabled
      Default setting.
      Turns off ADoD data generation.
    • Operation loads
      The NAM Probe will generate data enabling you to access essential operation-level information.
    • Operation loads and hits
      The NAM Probe will generate data enabling you to access a deep drilldown report that represents an HTTP page hit broken down into specific HTTP elements.
    • Operation loads, hits, and header
      The NAM Probe will generate data enabling you to access even deeper drilldown information retrieved from related request and response headers for the hit.
  • Report SSL handshakes in ADoD data

    When checked, ADoD generated data will contain SSL handshake data. You can turn off the SSL handshake operations globally per NAM Probe or individually per software service for the NAM Server. When Inherit from global setting is selected, the global setting is used. To edit the global setting, open the NAM Probe configuration, select Global ► Front-End Monitoring ► SSL and set the Report SSL handshakes in ADoD data option.

  • Report only errors in ADoD data

    When checked, ADoD generated data will contain only errors and slow operations. You can turn off the SSL handshake operations globally per NAM Probe or individually per software service for the NAM Server. When Inherit from global setting is selected, the global setting is used. To edit the global setting, open the NAM Probe configuration, select Global ► Front-End Monitoring ► SSL and set the Report only errors in ADoD data option.

Autodiscovered software service details

You can add a new autodiscovered software service if you intend to monitor your network traffic based on default settings.

To add a new default software service:

Click in the Software Services table and select Add from the pop-up menu.
The Autodiscovered Software Service Details window is displayed.

In the Name field, type the name of the new software service.

In the Protocol section, select TCP, UDP, or Other (IP).
This determines the associated base protocol analyzer.

In the Analyzer list, select an analyzer.
The list here depends on the Protocol you selected. For example, UDP-based transactionless software services can be analyzed using analyzers corresponding to UDP traffic only. IP-based software service traffic can be analyzed using ICMP or IP analyzers. The largest selection of analyzers available is for the TCP-based software services.

In the Content rules section, specify content rules to match against the traffic.

Note

If there is a rule not assigned to any protocol (for example, it was removed from one protocol and not added to any other), the matching traffic will be reported as unknown.

Click the add icon to add a row to the list of rules.

The row is a list from which you can select a relevant protocol.

In the new row, select a protocol from the list.

In the Port rules section, specify port numbers that define the traffic.

Click the add icon to enter a port number (or a range of port numbers) on which the software service is served.

Right-click an existing row to Edit or Delete as needed.

Click Advanced settings to display advanced settings that usually do not need to be changed.

Choose whether to give priority to content rules or to port rules.

  • If Content rules first is selected (the default setting), rules based on the content of the packet are given higher priority than rules based on well-known port numbers, so even if the given port is almost always used by a single service defined by a well-known port (for example, port 25 and SMTP), the NAM Probe will still apply content-based recognition rules on all new TCP sessions.
  • If Port rules first is selected and a session's port is a well-known port, content-based rules are not applied. To limit performance impact, content-based recognition rules are applied only for a specified number of first packets on each session (8 by default) and time (a single monitoring interval), and if none of them are positive the well-known port is used.

Choose whether to aggregate data.

Choose whether to stop further autodiscovery if the definition matches.

For some protocols (HTTP and SOAP, for example) and content-based rules, it is possible that a general rule (transport protocol) will be detected first and then, in a subsequent packet, a more detailed rule (application protocol) will be detected. To give the detailed rule a chance for detection, rule recognition does not stop after detection of the general rule and continues until a detailed rule is found or until a packet or time limit is exceeded.

Click OK to record your changes and return to the Autodiscovered Software Services screen.

On the Server Ranges tab, you can narrow the range of monitored servers and clients.

Publish the draft configuration.
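The following sketch models the two rule priorities and the continued search for a detailed rule described in the advanced settings above. It is an added illustration, not NAM Probe code; the rule markers, port table, and function names are constructed, and the time limit (a single monitoring interval) is not modelled.

```python
PACKET_LIMIT = 8  # default number of first packets inspected, per the text

# Constructed content rules: (payload marker, protocol, is_detailed_rule).
CONTENT_RULES = [
    (b"<soap:Envelope", "SOAP", True),
    (b"HTTP/1.1", "HTTP", False),   # general rule; a detailed one may follow
    (b"EHLO", "SMTP", True),
]
PORT_RULES = {25: "SMTP", 80: "HTTP"}  # constructed well-known ports

def match_content(packets, limit=PACKET_LIMIT):
    """Inspect only the first `limit` packets of a session.

    A general match is remembered but does not stop recognition, so a
    detailed rule seen in a later packet can still win.
    """
    general = None
    for payload in packets[:limit]:
        for marker, protocol, detailed in CONTENT_RULES:
            if marker in payload:
                if detailed:
                    return protocol
                general = general or protocol
    return general

def recognize(port, packets, mode="content_first"):
    """Return the protocol a session is attributed to under the given priority."""
    # Port rules first: a well-known port decides, content is not inspected.
    if mode == "port_first" and port in PORT_RULES:
        return PORT_RULES[port]
    # Otherwise content rules are tried; with no positive match the
    # well-known port is used, and anything else stays unknown.
    return match_content(packets) or PORT_RULES.get(port, "unknown")

if __name__ == "__main__":
    http_on_25 = [b"GET / HTTP/1.1"]  # constructed session payloads
    print(recognize(25, http_on_25, "content_first"))
    print(recognize(25, http_on_25, "port_first"))
```

Running the same session through both modes shows why Content rules first is the default: traffic carried on a well-known port by a different protocol is attributed by what it contains rather than by where it runs.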