Network Burst Analysis

Problem

How can you use the Allegro Network Multimeter to quickly and easily detect network bursts and identify the sender and receiver involved?
In our example, users are complaining about sudden slow application load times at certain points of the day.
To narrow the problem down, we use the Allegro Packets Network Multimeter to measure the TCP handshake time: a burst that congests a link delays or drops the SYN and SYN/ACK packets, which shows up directly as a longer handshake time.

Incident rules

Since network bursts appear at random hours of the day, the Allegro Network Multimeter offers incident rules that capture such incidents automatically and notify the user.

To create a new rule, first navigate to ‘Incidents’ under the ‘Generic’ tab.

Then open the ‘Incident rules’ tab.

Here you will find all rules created so far, with options to edit or delete them.

To create a new rule, press the green ‘Add rule’ button.

Meaning of each setting:

Rule name: Name of the rule being created.

Severity: Severity level assigned to the incidents this rule raises.

Trigger: The condition the rule monitors, chosen from the list of available triggers.

Attributes: Parameters of the new rule. The available attributes depend on the selected trigger.

Virtual link group: If enabled, the rule is limited to the traffic of the selected virtual link group.

Time profile: Selects the time periods during which the rule is active.

Report channel: The notification channel on which the user is notified when the rule triggers.

Aggregation of recurring incidents: If enabled, repeated incidents from the same rule trigger are grouped into one entry instead of being listed individually.

Rule description: Free-text description of the rule.

Traffic capturing: Selects whether, and from which traffic, the rule captures packets when it triggers.


For our example, we create a rule that checks whether the TCP handshake time stays below 0.2 seconds; every handshake that takes longer raises an incident.

Note: In our example it is not advisable to enable a notification, because this rule will trigger many times a day and flood the inbox.


After creating a rule, if ‘Traffic capturing’ is enabled, the ‘Capture settings’ let you customize how the capture is saved.

Meaning of each setting:

Capture cooldown period: After a capture has been triggered, no further capture is started for this rule until the cooldown period has elapsed. The cooldown is tracked separately for each rule.

Storage device: Select the storage device the capture is saved to.

Storage directory: Directory on the storage device where captures are written.

Select packet ring buffer to capture from: List of all packet ring buffers the capture can be taken from.

Capture profile: List of all created capture profiles.
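The following is an added example in Python, not Allegro code, of what the rule and capture settings above amount to: it derives TCP handshake times from a packet list, raises an incident for every handshake slower than the 0.2 s threshold of our example rule, groups recurring incidents from the same rule for the same sender/receiver pair (assumed as the grouping key for ‘Aggregation of recurring incidents’), and enforces a per-rule capture cooldown. The packet sample is constructed, and the handshake time is assumed to be measured from the client's first SYN to the ACK that completes the handshake, so a lost and retransmitted SYN counts against it.

```python
"""Added example (not Allegro code): TCP handshake time measurement plus an
incident rule with aggregation of recurring incidents and capture cooldown."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SYN, ACK = 0x02, 0x10


@dataclass
class Pkt:
    ts: float      # capture timestamp in seconds
    src: str       # "ip:port"
    dst: str       # "ip:port"
    flags: int     # TCP flag bits; only SYN and ACK matter here


def ip_of(endpoint: str) -> str:
    return endpoint.rsplit(":", 1)[0]


def handshake_times(packets: List[Pkt]) -> List[dict]:
    """One record per completed 3-way handshake.

    Assumption: handshake time runs from the client's *first* SYN to the
    client's ACK completing the handshake, so SYN retransmissions count.
    """
    syn_ts: Dict[Tuple[str, str], float] = {}
    synack_ts: Dict[Tuple[str, str], float] = {}
    done: List[dict] = []
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)                      # (client, server)
        if p.flags == SYN:
            syn_ts.setdefault(key, p.ts)          # keep the first SYN only
        elif p.flags == SYN | ACK:
            key = (p.dst, p.src)                  # server answers the client
            if key in syn_ts:
                synack_ts.setdefault(key, p.ts)
        elif p.flags == ACK and key in synack_ts:
            done.append({
                "client": p.src, "server": p.dst, "syn_ts": syn_ts[key],
                "synack_time": synack_ts[key] - syn_ts[key],
                "handshake_time": p.ts - syn_ts[key],
            })
            del syn_ts[key], synack_ts[key]
    return done


@dataclass
class Incident:
    rule: str
    severity: str
    subject: str        # "client_ip -> server_ip"
    first_ts: float
    count: int = 1
    captured: bool = False


@dataclass
class Rule:
    name: str
    max_handshake_s: float
    severity: str = "warning"          # assumed severity name
    capture: bool = True
    capture_cooldown_s: float = 60.0
    aggregate_recurring: bool = True
    incidents: List[Incident] = field(default_factory=list)
    last_capture_ts: Optional[float] = None

    def evaluate(self, packets: List[Pkt]) -> List[Incident]:
        for rec in handshake_times(packets):
            if rec["handshake_time"] <= self.max_handshake_s:
                continue
            subject = f'{ip_of(rec["client"])} -> {ip_of(rec["server"])}'
            ts = rec["syn_ts"]
            # Aggregation: same rule, same sender/receiver pair -> count up.
            prev = next((i for i in self.incidents if i.subject == subject), None)
            if self.aggregate_recurring and prev is not None:
                prev.count += 1
                continue
            inc = Incident(self.name, self.severity, subject, ts)
            # Cooldown: at most one capture per cooldown period for this rule.
            if self.capture and (self.last_capture_ts is None
                                 or ts - self.last_capture_ts >= self.capture_cooldown_s):
                inc.captured = True
                self.last_capture_ts = ts
            self.incidents.append(inc)
        return self.incidents


# Constructed sample traffic (not a real capture); the server is 10.0.0.1:443.
S = "10.0.0.1:443"
SAMPLE = [
    # fast handshake: 11 ms, below the threshold
    Pkt(0.000, "10.0.0.2:40001", S, SYN), Pkt(0.010, S, "10.0.0.2:40001", SYN | ACK),
    Pkt(0.011, "10.0.0.2:40001", S, ACK),
    # lost SYN retransmitted after 1 s: 1.011 s measured from the first SYN
    Pkt(5.000, "10.0.0.3:40001", S, SYN), Pkt(6.000, "10.0.0.3:40001", S, SYN),
    Pkt(6.010, S, "10.0.0.3:40001", SYN | ACK), Pkt(6.011, "10.0.0.3:40001", S, ACK),
    # same client again: 301 ms -> aggregated, no second capture (cooldown)
    Pkt(20.000, "10.0.0.3:40002", S, SYN), Pkt(20.300, S, "10.0.0.3:40002", SYN | ACK),
    Pkt(20.301, "10.0.0.3:40002", S, ACK),
    # another client after the cooldown: 405 ms -> new incident, captured
    Pkt(100.000, "10.0.0.4:40001", S, SYN), Pkt(100.400, S, "10.0.0.4:40001", SYN | ACK),
    Pkt(100.405, "10.0.0.4:40001", S, ACK),
]


def run_example() -> List[Incident]:
    rule = Rule("TCP handshake time > 0.2 s", max_handshake_s=0.2)
    return rule.evaluate(SAMPLE)


if __name__ == "__main__":
    for inc in run_example():
        print(f"{inc.first_ts:8.3f}s {inc.severity:8s} {inc.subject} "
              f"x{inc.count} captured={inc.captured}")
```

Two incidents result: the 10.0.0.3 client's two slow handshakes are aggregated into one entry with count 2 and a single capture, and the 10.0.0.4 client's slow handshake 95 s later is a separate entry that is captured again because the 60 s cooldown has elapsed.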


Reporting Channels

If you want to be notified when a rule triggers, a notification channel must be created first.

To create reporting channels, open the ‘Notification channels’ tab.

First you will see a list of all created channels, each with options to send a test message to the configured recipient, edit the channel or delete it.

A new channel is created with the green ‘Add channel’ button.

Meaning of each field:

Name: Name of the channel.

Type: Type of message to be sent in case of an incident.

Severity threshold: Minimum incident severity for which the channel reports an incident.

Handle incidents for: Which kinds of incidents the channel handles.

Email recipient address: The email address incidents are reported to.

Incident statistics

If you want a live view of the data your rules are checking, the ‘Incident statistics’ tab shows short statistics for every rule you have created.


Occurred incidents

Finally, the ‘Occurred incidents’ tab lists all past incidents.

Clicking on the subject of an incident opens a new window with more information about that specific occurrence.

Should a further investigation of the IP statistics be necessary, click the link in the subject. It opens an analysis of the IP address for the timeframe in which the incident occurred.
The traffic of that timeframe can also be downloaded as a PCAP for further analysis.