Configuring your network trending settings
 
Page Contents
Choosing your network trending types
Scheduling your network trending data collection
How to determine disk space requirements for network trending
How to reduce the disk space consumed by network trending files
How to change where network trending is stored
Adding specific servers to network trending
Structure of an .ipsubnetrange file
Revised: 2016-04-07
Network trending can be configured to monitor only the kinds of statistics you want to store, thereby limiting resource consumption to the information that interests you.
Note: If you want the ability to view web reports, Network Trending must be configured using the steps in this section. Then, Network Trending must be running/collecting data.
There are two high-level tasks you must complete for network trending to function. First, you need to configure your network trending settings as described in this section. Network trending settings include trending types, specific servers to monitor (if any), and a schedule (if any). Second, you need to actually collect the network trending data.
To configure your network trending settings, follow these steps. These point to other locations in this section, which provide the steps you need to complete:
1. Choose the trending types you want to follow—see Choosing your network trending types.
2. Schedule the collection of data from those trending types—see Scheduling your network trending data collection.
3. Add specific servers to trend—see Adding specific servers to network trending.
 
 
Choosing your network trending types
Revised: 2017-07-10
Trending types are categories of network traffic, and they loosely follow the OSI Layer model.
Trending data is saved to the operating system drive. Each mode requires a different amount of disk space based on the data collected; however, all modes combined, running at maximum capacity, could generate at most 1 TB of data per day.
To choose which network trending types you want to monitor, follow these steps:
Note: This section represents one of several steps required for configuring your network trending settings. To return to the overall list of steps, see Configuring your network trending settings.
1. On the Home tab, in the Capture group, click Network Trending > Network Trending.
2. Click the Settings button. The Network Trending Settings window appears. Change the Collection Settings.
Figure 51: Configure your network trending settings here
3. If you are using a NetFlow or sFlow single collector probe instance, you can use SNMP polling to automatically discover the NetFlow interfaces on your device, which will obtain one or more Interface Index, Interface Name, and Interface Speed values:
a. Click SNMP Settings.
b. Configure your SNMP IP address and credentials so that you can poll the device, and click OK.
c. Click Edit Data Source Interfaces.
d. Click Retrieve Interface Names and Speed from Device.
4. Click OK to save your changes.
Trending type
Description
Application Transaction Analysis Trending
Application Transaction Analysis (ATA) is a feature of the Network Trending tool. Using Layers 5-7 of the OSI Model, ATA allows you to monitor response time, error, request and response trends for certain applications.
Application Performance Analysis Trending
Application Performance Analysis (APA) is a feature of the Network Trending tool. Analyzing Layer 4 of the OSI Model, APA allows you to monitor response time trends for any server or application with a known TCP port.
IP Subnet Ranges Trending
The IP Subnet Ranges Trending trending type does not monitor data unless one or more sub-types are enabled. These include Internet Patrol, IP Pairs, and Protocols by IP Address. Overall, this trending type is very important for long-term monitoring of IP-to-IP connections.
IPTV Trending
The IPTV trending type allows you to monitor multicast issues on your network specifically related to video. The streams can track UDP sequence numbers, packets, multiple protocol data units (PDUs) within a UDP packet, and stream type or ID.
Microburst Trending
The Microburst trending type allows you to monitor for microbursts on your network just like you can from the GigaStor Control Panel, except that trending provides a couple of differences from the packet capture analysis for microbursts done in the GigaStor Control Panel. First, packet capture does not need to be running for Microburst trending to see any microbursts. Second, Microburst trending can also be pushed to Observer Reporting Server and aggregated with Microburst trending information from other probes in your network so that you have a fuller picture of where and when microbursts are occurring.
Trading Multicast Trending
The Trading Multicast trending type allows you to monitor multicast issues on your network specifically related to stock exchanges. The streams can track UDP sequence numbers, multiple protocol data units (PDUs) within a UDP packet, and stream type or ID. There are several trading streams available by default, but you must import their definitions. Default stream definitions include:
 
Bats—BATS Global Markets
CME—Chicago Mercantile Exchange
Edge—Enhanced Data Rates for GSM Solutions
FTEN—FTEN
Generic FIX-FAST—Financial Information eXchange and FIX Adapted for Streaming
JSE—Johannesburg Stock Exchange
LSE—London Stock Exchange
MoldUDP 64—Mold UDP 64
SIAC—Securities Industry Automation Corporation, used by New York Stock Exchange and American Stock Exchange.
 
VoIP and Videoconferencing Trending
The VoIP and Videoconferencing trending type does not monitor data unless one or more sub-types are enabled. Overall, this trending type is essential for long-term monitoring of VoIP connections.
Sampling divider
The sampling divider means every Nth packet is used for statistical analysis, where N is the value in the field. Due to the large number of packets on most networks, the default value of 10 is appropriate in many, but not all, cases. Setting the value higher or lower may also be appropriate [1]. Setting the value to 1 means that every packet contributes to statistical sampling, but may negatively affect performance. For more information about the sampling divider, see .
Delete oldest trending data
When selected, this option automatically deletes any trending data older than the specified time on a first in, first out basis. That is, the oldest data will always be deleted while keeping the newest data.
Use current filter
When selected, any filters that you applied to your probe instance are also applied to your network trending statistics [2].

[1] NetFlow probe instances always use a sampling divider of 1.

[2] Filtering is not available on NetFlow probe instances.

 
You configured the Network Trending tool to monitor data from the trending types you enabled. This data does not appear until you actually start monitoring it. Continue to the next step of configuring your network trending settings: Scheduling your network trending data collection. You can import subnet ranges into network trending types using an ipsubnetrange file. See Structure of an .ipsubnetrange file.
 
Scheduling your network trending data collection
You can configure Observer to run network trending data collection continuously or at certain days and times.
To do this, complete the following steps:
Note: This section represents one of several steps required for configuring your network trending settings. To return to the overall list of steps, see Configuring your network trending settings.
1. On the Home tab, in the Capture group, click Network Trending > Network Trending.
2. Click the Settings button. The Network Trending Settings window appears.
3. Ensure the General group tab is selected, and click the Schedule tab.
4. Select a scheduling type for network trending data collection.
5. Click OK to save your changes.
 
The trending types you enable continue to be collected according to schedule.
 
 
You have configured your network trending settings and should continue on to Adding specific servers to network trending.
 
How to determine disk space requirements for network trending
Created: 2016-01-11   Revised: 2016-11-22
Because network trending can consume a lot of disk space, you need to know how much disk space to reserve.
Network trending data consumes hard disk space. Depending on where you store trending data and your storage requirements for network trending data, the network trending data could fill that drive to full capacity—this is a problem. Therefore, determine your typical 24-hour data rate and how many days of trending data you want to retain. The result indicates how much storage space is required.
To determine the amount of space required to store your desired amount of trending data:
1. Determine your typical 24-hour data rate.
Example: 15 MB or 20 GB.
The data rate is the amount of trending data collected in one 24-hour period.
2. Multiply your typical 24-hour data rate by the number of days you want to retain.
Example: 15 MB x 365 days = 5.475 GB
Example: 20 GB x 30 days = 600 GB
 
The result is the amount of hard drive space required to retain the trending data.
 
 
You can use the numbers you calculated to inform your decisions when deleting network trending data.
 
How to reduce the disk space consumed by network trending files
Created: 2016-07-19   Revised: 2016-10-17
The size of your most recent network trending file increases whenever network traffic is seen. However, the file size is strongly affected by the volume of traffic (number of network connections), the network trending types you choose to track, and certain options within network trending settings. You can best reduce the disk space consumed by network trending files by limiting what you track.
Each network trending file is a summary of one day’s traffic as tracked by the Network Trending tool. In this way, the more network trending files you are able to retain in your storage directory—without sacrificing all of your available disk space to do so—the more days of historical data can be transferred to Apex or viewed using Apex Lite.
Unless you want to rely on scheduled deletions of trending data as your only disk space strategy, you can reduce the overall space consumed by network trending files by limiting what you track. This decreases the size of future network trending files, enabling you to retain more of them and for longer durations before deletions are necessary.
To reduce the disk space consumed by future network trending files, and your most recent in-progress file, perform any or all of the following steps:
Decide if some network trending types are not useful to collect in your network environment, and turn them off. See Choosing your network trending types.
Set one or several options for Application Performance Analysis that limit tracking to protocols in the protocol list, server connections between defined subnets, or explicitly defined servers only. See How to configure Application Performance Analysis.
 
By following any or all of these steps, you should see a reduction in the disk space consumed by future network trending files.
 
How to change where network trending is stored
Created: 2016-01-11
Network trending data can be stored anywhere. By default, the trending files are kept for each trending instance in C:\Program Files\Observer\NetworkTrending.
Storage for network trending data files is limited only by the hard drive space available. Your GigaStor license only limits how much packet capture data you may have; it has no effect on limits for storing network trending data. You may collect a limitless amount of network trending data so long as your hard drive (or RAID) supports it.
1. Click the File tab, and click Options > General Options.
2. Click the Folders tab.
3. Change the Network Trending Folder to a new location of your choice.
We do not recommend pointing to networked directories or mapped drives.
 
Network trending data will be saved to its new location.
 
 
Given the potential volume of data stored by network trending, you may need to consider a management strategy to delete older files.
 
Adding specific servers to network trending
When you add specific servers to the Network Trending tool, you are adding server applications that Application Transaction Analysis recognizes.
See Understanding Application Transaction Analysis for a complete list of applications you can add; you cannot add servers—using the method described in this section—that do not use an application appearing in Understanding Application Transaction Analysis.
Note: This section represents one of several steps required for configuring your network trending settings. To return to the overall list of steps, see Configuring your network trending settings.
Tip! More information about Observer’s address book can be found at Building and saving an address book.
Tip! If you have already created the server definition on a different Observer, you can import it here. See Importing or exporting a server profile.
1. On the Home tab, in the Capture group, click Network Trending > Network Trending.
2. Click the Settings button. The Network Trending Settings window appears.
3. Click OK to save your changes.
 
You successfully added a server to the Network Trending tool. Each added server is monitored for response time and other metrics, so, over time, you can see long-term trends in these areas.
 
Structure of an .ipsubnetrange file
Created: 2016-04-04   Revised: 2016-04-07
An .ipsubnetrange file can be imported into, and exported from, various network trending settings. These files have a specific structure and allow subnet designations to be maintained outside of Observer. There is an expectation that such a file be “round tripped” back into Observer after changes are made.
 
Some limitations exist in how many subnets can be explicitly tracked for each network trending type. Explicitly tracked means that additional network trending statistics are measured for each defined subnet as a whole; however, these limitations do not influence how many subnets can be observed by Observer. These maximums also mean that your ipsubnetrange file(s) cannot have more entries than a network trending type supports. If you import an ipsubnetrange file having more entries than the target network trending type supports, only the first N entries, where N is that type's maximum, will be successfully imported. These tracking limitations are as follows:
Network trending type: Maximum tracked subnet ranges
Application Performance Analysis: 4 subnet ranges
Application Transaction Analysis: 4 subnet ranges
IP Trending: 128 subnet ranges
Microburst: 16 subnet ranges
VoIP and Videoconferencing: 16 subnet ranges
Because IP Trending supports the largest number of maximum tracked subnet ranges, its ipsubnetrange file structure is the one you should mimic when maintaining your list of subnet ranges. The file structure of IP Trending’s ipsubnetrange file can be imported into the subnet tracking of any other network trending type. Be aware that if you have a list of 128 subnet ranges in an ipsubnetrange file and import it into a different trending type than IP Trending, only its first four entries will be imported into Application Performance Analysis or Application Transaction Analysis respectively; only its first 16 entries will be imported into Microburst; and only its first 16 entries will be imported into VoIP and Videoconferencing.
This is an example of an ipsubnetrange file exported from the IP Trending network trending type. The file extension must always be ipsubnetrange, and the spacing between commas can be space characters or tabs. The use and positions of commas in this example are important. This is how the file is structured; the pieces of the file are described after it.

1,4,4(IP Trending)
subnet 16 1,0,100000000,0,0,0,0, 10.0.16.1, 10.0.16.254, 0.0.0.0, 0.0.0.0
s48 to 64 1,3,100000000,0,0,0,0, 10.0.48.1, 10.0.48.254, 10.0.64.1, 10.0.64.254
subnet 64 1,0,100000000,0,0,0,0, 10.0.64.1, 10.0.64.254, 0.0.0.0, 0.0.0.0
subnet 23 1,0,250000000,0,0,0,0, 10.1.23.1, 10.1.23.254, 0.0.0.0, 0.0.0.0

Header line, 1,4,4(IP Trending):
1. The first value (1) is the version number of the file format. Always keep this at version 1.
2. The second value (4) is the number of entries in this file. Change it to match your list length.
3. The third value, 4(IP Trending), is the “original” type of ipsubnetrange structure. Keep as is.

Entry lines, using the first entry (subnet 16) as the reference:
1. subnet 16 is the configurable name of this subnet entry. Keep these short.
2. The 1 that follows the name is the IP version type of the ipsubnetrange entry. 1=IPv4, 2=IPv6.
3. The next value (0 here, 3 in the s48 to 64 entry) is the scope of the subnet range. 0=one subnet, 3=analyze traffic between two subnets.
4. 100000000 is the network speed in bits per second for this subnet. Change accordingly, or set to '0' to use defaults.
5. 10.0.16.1 is the first address of the first subnet range.
6. 10.0.16.254 is the last address of the first subnet range.
7. The next address (0.0.0.0 here, 10.0.64.1 in the s48 to 64 entry) is the first address of the second subnet range.
8. The final address (0.0.0.0 here, 10.0.64.254 in the s48 to 64 entry) is the last address of the second subnet range.
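
A pre-import check for the file layout described above, as an added example that is not part of the Observer documentation or product. It assumes the layout of the page's sample (name and IP version together in the first comma-separated field, the four addresses last); the function names are hypothetical. It compares the header count with the actual entries, checks each range, and lists the entries a given trending type would not import because of the limits in the table.

```python
import ipaddress

# Maximum tracked subnet ranges per trending type, from the table on this page.
MAX_TRACKED = {
    "Application Performance Analysis": 4,
    "Application Transaction Analysis": 4,
    "IP Trending": 128,
    "Microburst": 16,
    "VoIP and Videoconferencing": 16,
}

# Constructed sample: the page's example plus a reversed-range entry; header still says 4.
SAMPLE = """\
1,4,4(IP Trending)
subnet 16 1,0,100000000,0,0,0,0, 10.0.16.1, 10.0.16.254, 0.0.0.0, 0.0.0.0
s48 to 64 1,3,100000000,0,0,0,0, 10.0.48.1, 10.0.48.254, 10.0.64.1, 10.0.64.254
subnet 64 1,0,100000000,0,0,0,0, 10.0.64.1, 10.0.64.254, 0.0.0.0, 0.0.0.0
subnet 23 1,0,250000000,0,0,0,0, 10.1.23.1, 10.1.23.254, 0.0.0.0, 0.0.0.0
dmz 1,0,0,0,0,0,0, 192.0.2.200, 192.0.2.10, 0.0.0.0, 0.0.0.0
"""

def parse(text):
    """Return ((version, declared_count, origin), entries) for file text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    version, count, origin = (p.strip() for p in lines[0].split(",", 2))
    entries = []
    for ln in lines[1:]:
        f = [p.strip() for p in ln.split(",")]
        if len(f) != 11:
            raise ValueError(f"unexpected field count: {ln!r}")
        # Assumption: name and IP version share the first comma field.
        name, ipver = f[0].rsplit(None, 1)
        entries.append({"name": name, "ipver": int(ipver), "scope": int(f[1]),
                        "speed_bps": int(f[2]), "ranges": [(f[7], f[8]), (f[9], f[10])]})
    return (int(version), int(count), origin), entries

def validate(header, entries):
    """Return a list of problems; an empty list means the file is consistent."""
    version, count, _ = header
    problems = []
    if version != 1:
        problems.append(f"file format version is {version}, expected 1")
    if count != len(entries):
        problems.append(f"header declares {count} entries, file has {len(entries)}")
    for e in entries:
        if e["ipver"] not in (1, 2):
            problems.append(f"{e['name']}: IP version {e['ipver']} is not 1 or 2")
        if e["scope"] not in (0, 3):
            problems.append(f"{e['name']}: scope {e['scope']} is not 0 or 3")
        # Only the first range is checked when the scope is a single subnet.
        for first, last in (e["ranges"] if e["scope"] == 3 else e["ranges"][:1]):
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            if lo.version != hi.version or lo > hi:
                problems.append(f"{e['name']}: range {first}-{last} is reversed or mixed")
    return problems

def dropped_on_import(entries, trending_type):
    """Names past the first N entries, which the target type will not import."""
    return [e["name"] for e in entries[MAX_TRACKED[trending_type]:]]
```

Run `validate(*parse(text))` on a file before importing it, and `dropped_on_import` for each trending type you plan to import it into.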