We are looking to update our Network Vantage probes - no longer supported - with AMD Express (AMD-E) devices. I understand the AMD-E's have limited decodes available. However, I was unable to find further documentation on the AMD-E's. With the Network Vantage application there was a utility called "Packet Manager", which we used to run packet traces and analyze them in Wireshark. Or, we would use Probe Manager and run a capture from the probe, import into Transaction Trace, and run Transaction Expert.
Are there similar packet capture utilities with AMD Express?
Thanks and God bless,
Thanks @Jaroslaw Orlowski.
Remote packet capture: Packet Manager was replaced with smart packet capture.
When I search for Smart Packet Capture this led me to https://community.dynatrace.com/community/display... which states "Before you can capture traffic for Smart Packet Capture, configure an AMD and an EndaceProbe to report to the same CAS." Isn't EndaceProbe a third party piece of hardware (an interface card or a network appliance)?
With the Network Vantage probes, all we had was the onboard NIC for management and a RealTek NIC running at 1 Gbit in promiscuous mode. Can the EndaceProbe be installed on AMD-E? Doesn't this additional EndaceProbe hardware mean additional cost for each of my current NV probes?
I hope I am misreading this.
Thanks and God bless,
Endace hardware* is not required for smart packet capture.
Its prime benefit is that it provides "always on" capturing, so you can go back in time (as long as it has disk space to store your traffic) to retrieve a packet capture from something you may have missed.
With only an AMD/AMD Express, you can perform the same captures, but only on real time traffic - there's no history available.
*Endace hardware is a separate appliance device that includes custom NICs and lots of storage to provide the history capability.
Now I remember my other question.
With NV, not only could I run a real-time capture through either Probe Manager or Transaction Trace Analysis; PDB files would be uploaded on a scheduled basis for later viewing and analysis. With AMD Express and Smart Packet Capture, I will no longer be able to perform the summary level collection (if you will) that the PDB files consisted of without an Endace appliance. Correct?
And because the AMD Express only uses a limited set of decodes, we will lose the granularity the NV probes gave us. Is this also an accurate statement?
Thanks and God bless,
PS I reserve the right to have follow up questions. 😉
No, that's not accurate. You could still run a trace file through an AMD if you wish to, but this isn't specifically a use case replaced or solved with smart packet capture. One of the use cases for doing so in NV was to overcome some data retention limitations within IV, which meant that in order to view data historically, you would simply retrieve a pdb and/or trace file for your archives and upload and analyse it, etc. You also have to remember that NV, even when taking from the probes, would have you upload the pdbs at regular intervals, meaning that the data you were viewing would be specifically for that previous time period, typically the past 24 hours. Of course you could load in multiple pdbs going back over a period of time, but eventually you'd hit database limitations within IV as well as experience slowness when viewing the reports. Now that functionality can be achieved by simply selecting the relevant calendar selection within the CAS to view different periods.
Under smart packet capture you have three options to collect that packet level data: from right now for the following time period (ad hoc), at a point in the future (scheduled), or at a previous point in time (retrospective packet retrieval). The first two options are available on AMDs, and it is currently only the third option where you'd require an Endace device to be present. Remember, though, that the "summary" reporting data you used to get by retrospectively loading up trace files to create pdbs can be achieved natively in the CAS without the need to upload trace files.
In terms of decodes, the AMD Express has the same decode level and capacity that NV had, but in terms of smart packet capture you are actually capturing raw packets, and so the level of visibility and/or decode is going to be dependent on what device and dissector/decode you apply to it.
I take it these two statements refer to migrating to 12.4; or are they currently available in 12.3?
"Now that functionality can be achieved by simply selecting the relevant calendar selection within the CAS to view different periods."
"Remembering though that the "summary" reporting data you used to get by retrospectively loading up trace files to create pdbs can be achieved natively in the CAS without the need to upload trace files."
I apologize for my confusion. In our current environment, there appear to be so many different ways to see data and capture traces that I cannot keep them straight. I am discussing with my management about migrating to 12.4. I just need to be able to explain what functionality we would be losing/gaining/changing.
Thanks for your help and God bless,
No need to apologize, I'm more than happy to explain how NV functionality has been incorporated into DC RUM.
This is a core feature of DC RUM and is available in 12.3. The easiest way to think about this is that this is essentially core NV functionality, but instead of scheduling pdb uploads from the probes and then viewing blocks of time in IV, or isolated real time reports through the EPM, you can view the "probe" data collected in real time in the CAS (consider this an IV replacement) and then previous intervals (or groups of) that are in the CAS database without having to load in archived pdbs.
The packet capture then is something different and actually should be considered an enhancement to the packet capture functionality available in NV. This is addressed in DC RUM by a feature called smart packet capture: instead of capturing by starting the capture on the NV probe (with or without a manually defined filter), you can simultaneously capture from all your probes (AMDs), using an automatically defined filter built from the view/data in the CAS. You can then choose to view this packet level data in whatever analyzer you choose (e.g. DNA, Wireshark etc.) or even (in 12.4) on board in the trace trimmer (see https://community.dynatrace.com/community/display/... for details on trace trimmer), but this is then separate from that on-going summary collection and viewing that carries on.