© SecurActive 2014
WHAT’S NEW IN VERSION 3.2?
Jul 04, 2015
PERFORMANCE VISION VERSION 3.2
CIFS Transaction Analysis
New Features & Improvements
Performance Vision 3.2
CIFS/SMB TRANSACTION ANALYSIS
CIFS TRANSACTION ANALYSIS: USER BENEFITS
Monitor CIFS/SMB Performance
Identify Slow Transactions
Correlate File Sharing Problems with Network Performance Issues
Troubleshoot File Sharing Issues:
Access Rights
Deleted or Corrupted Files
Insufficient Resources
All Errors and Warnings
IN-DEPTH CIFS/SMB PERFORMANCE ANALYSIS
CIFS/SMB in APS
Supported CIFS/SMB versions
SMB 1.0
SMB 2.0
SMB 3.0 (no encryption)
CIFS OVERVIEW
Overview of CIFS Commands
OVERVIEW OF CIFS COMMANDS
Display CIFS Overview per Command type:
Number of Queries
Number of Errors and Warnings
Performance Metrics (SRT, DTT)
Payload and Number of Packets (PDUs)
One-click drill down to more details
CIFS PERFORMANCE
Performance of CIFS Queries over Time
PERFORMANCE OF CIFS QUERIES OVER TIME
Display CIFS Performance metrics over time:
Data Transfer Time and Server Response Time
Number of OKs, Warnings and Errors
Payload for Queries, Responses and Metadata
One-click drill down to more details
CIFS CLIENTS
CIFS Most Active Clients
CIFS MOST ACTIVE CLIENTS
Display CIFS metrics for the most active clients:
Client IP
Number of Queries, Errors and Warnings
Performance Metrics (SRT, DTT)
Payloads and Number of Packets (PDUs)
One-click drill down to queries and errors
CIFS SERVERS
CIFS Most Active Servers
CIFS MOST ACTIVE SERVERS
Display CIFS metrics for the most active servers:
Server IP
Number of Queries, Errors and Warnings
Performance Metrics (SRT, DTT)
Payloads and Number of Packets (PDUs)
One-click drill down to queries and errors
CIFS FILES
CIFS Most Active Files
CIFS TOP FILES
Display queries aggregated by Files:
File Path
Number of Queries, Errors and Warnings
Performance Metrics (SRT, DTT)
Payloads and Number of Packets (PDUs)
One-click drill down to queries and errors
CIFS TREES
CIFS Most Active Trees
CIFS TOP TREES
Display queries aggregated by Trees:
Tree Path
Number of Queries, Errors and Warnings
Performance Metrics (SRT, DTT)
Payloads and Number of Packets (PDUs)
One-click drill down to queries and errors
DIFFERENCE BETWEEN TREE AND FILE
Tree (Mount Point): \\WINSHARE\DATA or \\WINSHARE\USR
File: \Private\Users\UC576\mailbox.pst
CIFS USERS
CIFS Most Active Users
CIFS TOP USERS
Display queries aggregated by Users:
Username
Number of Queries, Errors and Warnings
Performance Metrics (SRT, DTT)
Payloads and Number of Packets (PDUs)
One-click drill down to queries and errors
USER NOT ALWAYS AVAILABLE?
Why is the User not always available?
Secured authentication (Kerberos)
Potentially unsupported authentication mechanism
Session initialization has not been captured
CIFS QUERIES
List of CIFS Queries
CIFS QUERIES
Available CIFS Data
Command, Subcommand and Status
File ID and Path
Number of Queries, Errors & Warnings
Performance Metrics (SRT, DTT)
Username
Domain name
Tree ID and Tree name
Data Payload: Reads, Writes
Metadata Payload: Reads, Writes
Number of Packets (PDUs)
CIFS RAW DATA
Details of all CIFS Transactions
CIFS RAW DATA: TRUE ROOT CAUSE ANALYSIS
CIFS transactions without any grouping
Useful for advanced troubleshooting
Application behavior auditing
USER FRIENDLY ROOT CAUSE ANALYSIS
User-friendly interface
Color highlighting for readability
One-click filtering facility
Inline CIFS protocol help
Resizable textboxes
CIFS DEDICATED FILTERS
Dedicated CIFS filters:
Refine search for specific issues
Search results by:
Port number
Command type
Status name
Path name and File ID
Subcommand type
Tree name and Tree ID
User and Domain
SEARCH FOR SPECIFIC CIFS ELEMENTS
Type text to automatically refine the list of available options
CIFS Commands, Statuses and Subcommands organized into Categories
EASY DRILL-DOWN
One click to see Performance over time for these CIFS Transactions
One click drill-down to CIFS Queries or Raw data
One click drill-down to Flow Details associated to these Transactions
One click drill-down to CIFS Errors or Warnings
FOR POWER USERS: CUSTOM FILTERS FOR CIFS
Custom Filters for CIFS
Used to build advanced queries
See Custom Filters reference in Guide
FAST ANALYSIS: CIFS COMMON STATUSES
Common Statuses for CIFS:
STATUS_NO_SUCH_FILE,
STATUS_NO_SUCH_DEVICE,
STATUS_OBJECT_NAME_NOT_FOUND,
STATUS_OBJECT_PATH_INVALID,
STATUS_OBJECT_PATH_NOT_FOUND,
STATUS_OBJECT_PATH_SYNTAX_BAD,
STATUS_DFS_EXIT_PATH_FOUND,
STATUS_REDIRECTOR_NOT_STARTED,
STATUS_TOO_MANY_OPENED_FILES,
STATUS_ACCESS_DENIED,
STATUS_PORT_CONNECTION_REFUSED,
STATUS_FILE_DELETED,
STATUS_INSUFF_SERVER_RESOURCES,
STATUS_MORE_PROCESSING_REQUIRED,
STATUS_BUFFER_OVERFLOW,
STATUS_WRONG_PASSWORD,
STATUS_NETWORK_ACCESS_DENIED,
STATUS_TOO_MANY_SESSIONS.
The Common statuses category contains the most common CIFS errors and warnings. Filter expression:
cifs.status = "common"
Note: We do not consider SMB_STATUS_NO_MORE_FILES as a Warning
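As an added example (not SecurActive's code), the status classification and per-client aggregation that the CIFS client view and this status slide describe, run over constructed transaction records. The ok/warning/error split uses the severity field of the NT_STATUS encoding (bits 31-30), the "common" set and the STATUS_NO_MORE_FILES exception come from this slide, and the record layout, IPs and timings are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Statuses the deck groups under the filter cifs.status = "common".
COMMON_STATUSES = frozenset({
    "STATUS_NO_SUCH_FILE", "STATUS_NO_SUCH_DEVICE", "STATUS_OBJECT_NAME_NOT_FOUND",
    "STATUS_OBJECT_PATH_INVALID", "STATUS_OBJECT_PATH_NOT_FOUND",
    "STATUS_OBJECT_PATH_SYNTAX_BAD", "STATUS_DFS_EXIT_PATH_FOUND",
    "STATUS_REDIRECTOR_NOT_STARTED", "STATUS_TOO_MANY_OPENED_FILES",
    "STATUS_ACCESS_DENIED", "STATUS_PORT_CONNECTION_REFUSED", "STATUS_FILE_DELETED",
    "STATUS_INSUFF_SERVER_RESOURCES", "STATUS_MORE_PROCESSING_REQUIRED",
    "STATUS_BUFFER_OVERFLOW", "STATUS_WRONG_PASSWORD", "STATUS_NETWORK_ACCESS_DENIED",
    "STATUS_TOO_MANY_SESSIONS"})
# Deck exception: end of a directory listing is normal, not a warning, even though
# its NT_STATUS severity bits (0x8...) say "warning".
NOT_A_WARNING = frozenset({"STATUS_NO_MORE_FILES"})

# Constructed sample records: (client_ip, command, status_name, nt_status, srt_ms, dtt_ms)
SAMPLE_TRANSACTIONS = [
    ("10.0.0.5", "Create",         "STATUS_SUCCESS",                  0x00000000, 2.0, 0.0),
    ("10.0.0.5", "Read",           "STATUS_SUCCESS",                  0x00000000, 4.0, 30.0),
    ("10.0.0.5", "QueryDirectory", "STATUS_NO_MORE_FILES",            0x80000006, 1.0, 0.0),
    ("10.0.0.5", "Create",         "STATUS_ACCESS_DENIED",            0xC0000022, 3.0, 0.0),
    ("10.0.0.7", "Create",         "STATUS_OBJECT_NAME_NOT_FOUND",    0xC0000034, 2.0, 0.0),
    ("10.0.0.7", "Ioctl",          "STATUS_BUFFER_OVERFLOW",          0x80000005, 5.0, 10.0),
    ("10.0.0.7", "SessionSetup",   "STATUS_MORE_PROCESSING_REQUIRED", 0xC0000016, 6.0, 0.0),
    ("10.0.0.7", "Write",          "STATUS_SUCCESS",                  0x00000000, 8.0, 50.0),
]

def classify(status_name, nt_status):
    """ok / warning / error from the NT_STATUS severity field
    (bits 31-30: 0 success, 1 informational, 2 warning, 3 error)."""
    if status_name in NOT_A_WARNING:
        return "ok"
    severity = (nt_status >> 30) & 0x3
    return ("ok", "ok", "warning", "error")[severity]

def filter_common(records):
    """Same selection as the cifs.status = "common" filter."""
    return [r for r in records if r[2] in COMMON_STATUSES]

def aggregate_by_client(records):
    """Most-active-clients view: queries, errors, warnings, average SRT/DTT per client IP."""
    buckets = defaultdict(lambda: {"queries": 0, "errors": 0, "warnings": 0, "srt": [], "dtt": []})
    for ip, _cmd, name, code, srt, dtt in records:
        b = buckets[ip]
        b["queries"] += 1
        kind = classify(name, code)
        if kind != "ok":
            b[kind + "s"] += 1          # "errors" or "warnings"
        b["srt"].append(srt)
        b["dtt"].append(dtt)
    return {ip: {"queries": b["queries"], "errors": b["errors"], "warnings": b["warnings"],
                 "avg_srt_ms": mean(b["srt"]), "avg_dtt_ms": mean(b["dtt"])}
            for ip, b in buckets.items()}
```

A sudden rise in the errors column for one client (for instance repeated STATUS_ACCESS_DENIED across many paths) is what the drill-down to queries and errors is meant to surface.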
ACTIVATION: CONFIGURE CIFS ANALYSIS
Configuration > Zones
Activate CIFS transaction analysis
for the zone and its subzones
If not needed, do not add print servers to the scope of CIFS analysis.
IMPACT: CIFS ANALYSIS WORKLOAD
Configuration > Database Workload
Check impact of CIFS analysis on workload
PERFORMANCE SAVING: CIFS DATA MERGING
Table columns: Datatype, Zone, Merging level, Degraded metrics
Configuration > Data Merging
Adjust merging levels for more performance or for more details
By default: maximum performance
CORRELATION BETWEEN NETWORK ISSUES AND CIFS TRANSACTIONS
ONE CLICK SWITCH: FROM TCP FLOWS TO CIFS TRANSACTIONS
Diagram: Flows linked to DNS, SQL, ICMP and HTTP (already in 3.0), now also to CIFS
Switch from TCP Flows to CIFS Transactions
From TCP Details to CIFS Queries
From TCP Raw Data to CIFS Queries
ONE CLICK SWITCH: FROM CIFS TRANSACTIONS TO TCP FLOWS
Diagram: CIFS, SQL, HTTP and DNS linked back to Flows (already in 3.0)
Switch from CIFS Transactions to TCP Flows
From CIFS Queries to TCP Flow Details
From CIFS Raw Data to TCP Flow Details
CIFS DOCUMENTATION
User Guide update
CIFS Analysis
CIFS Status Categories (appendix)
Performance Vision 3.2
NEW FEATURES & IMPROVEMENTS
LDAP INTEGRATION
LDAP Integration
Requires anonymous authorization
SORT BCN BY CRITICALITY
BCN can be sorted by criticality level
BCN with most alerting events are shown first
One Red > Any oranges
One Orange > Any greens
Note: For Business Critical Networks only (not yet for BCA)
#REQUESTS FOR DNS PAGES
For all DNS pages:
Add #Requests: Number of DRT
DRT: DNS Response Time
DNS TROUBLESHOOTING
For DNS Troubleshooting:
Add new Custom Filters
Bandwidth, Packets, IPs
ONE CLICK @ SWITCHING
New button to switch client/server values:
Zones, IP Addresses and MAC Addresses
HINTS FOR « NO RESULTS »
Hints added:
When search requests return “No results”
Data could be merged
Metric could be disabled at sniffer level
Metric might not be active on any zone
HTTP DATA MERGING
For HTTP Transactions:
Added a new data merging level
DATABASE PERFORMANCE IMPROVEMENTS
Better usage of query multithreading:
Response times up to 20% faster
Example: BCN computations
BETTER HANDLING OF BUFFERED TCP PACKETS
Better handling of buffered TCP packets
Potential impact on DTT / EURT metrics
Note: already included in 3.0.17
SHELLSHOCK SECURITY UPDATE
Bash security update for the Shellshock vulnerability
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
VERSION 3.2: IMPACTS SUMMARY
Major impacts compared to 3.0:
CIFS performance analysis: check impact of CIFS performance analysis on workload & license limits
Potentially on DTT/EURT: potential impact on DTT/EURT metrics
Database migration time: low; the update should take a few minutes depending on database size
SOMETHING BIG IS COMING
Q1 2015 Technical Update
TBD 2015 Something BIG is coming
REBOOT AFTER UPDATE
After the upgrade is completed
YOU'RE READY TO GO, ENJOY VERSION 3.2!
THANK YOU!
For any [email protected]
Follow Us on @SecurActivePV
www.securactive.net / blog.securactive.net