XML | Console Display | Description |
---|---|---|
<TcpTotalPacketsRcvd> |
Total packets rcvd |
The count of TCP packets received by the TCP reassembler. |
<TcpTotalPacketsRcvdPerSec> |
Total packets rcvd per second |
Rate of TCP packets received per second |
<TcpTotalConnections> |
Total connections |
The count of new TCP connections that are formed by the TCP reassembler. |
<TcpTotalConnectionsPerSec> |
Total connections per second |
Rate of new TCP connections that are formed per second |
<TcpTotalClosedConnections> |
Total closed connections |
The count of TCP connections closed by the TCP reassembler |
<TcpTotalRstConnections> |
Total reset connections |
The count of TCP connections that are reset. A high number of reset connections can indicate a connection issue. |
<TcpSyn_waitConnections> |
SYN/WAIT connections |
Current count of TCP connections that only received the first SYN handshake packet. This number must track with the "Current connections" value, under 50 percent, depending on network traffic activity. If the value consistently exceeds it by a large margin, there can be a problem with the span port traffic. |
<TcpSyn_waitConnectionsMax> |
SYN/WAIT connections max |
The high water mark for above. |
<TcpTotalSyn_waitConnectionsAged> |
Total SYN/WAIT connections aged |
Shows how many SYN/WAIT connections are deleted due to aging. |
<TcpTotalSyn_waitConnectionsDestroyed> |
Total SYN/WAIT connections destroyed |
Count of SYN/WAIT connections destroyed due to the max limit that is being reached. This occurs to allow room for new connections to be created. If this count rises rapidly within a short period (5 minutes), it can indicate that the default max limits are set too low for the volume of network traffic captured. Adjust the max limit to a higher value to minimize loss. A rapidly rising count can also indicate a problem with the network infrastructure not providing relatively complete network traffic. |
<TcpTotalOutsyncSyn_waitConnections> |
Total out-of-sync SYN/WAIT connections |
Total count of connections where the SYN handshake packets, SYN1 and SYN2, are reversed. Received the SYN packet from server to client before the client to server SYN packet. |
<TcpCurrentConnections> |
Current connections |
Current count of completed SYN handshake connections (connections established). |
<TcpCurrentConnectionsMax> |
Current connections max |
The high water mark for above. |
<TcpTotalCurrentConnectionsAged> |
Total Current connections aged |
Shows how many current connections are deleted because of aging. |
<TcpTotalCurrentConnectionsDestroyed> |
Total Current connections destroyed |
Count of connections destroyed because of the max limit being reached. This occurs to allow room for new connections to be created. If this count rises rapidly within a short time (5 minutes), it can indicate that the default max limits are set too low for the volume of network traffic captured. Adjust the max limit to a higher value to minimize loss. A rapidly rising count can also indicate a problem with the network infrastructure not providing relatively complete network traffic. |
<TcpTotalConnectionsReaped> |
Total Connections reaped |
Connections per second that cannot be decrypted because of a missing key |
<TcpTime_waitConnections> |
TIME_WAIT connections |
Current count of connections that is in a closed/wait state but not closed, received the FIN packets. |
<TcpTime_waitConnectionsMax> |
TIME_WAIT connections max |
The high water mark for above. |
<TcpTotalOooConnectionsDeleted> |
Total out-of-order connections deleted |
Indicates how many out-of-order connection deletions are occurred. The count value of this statistic automatically resets when it exceeds 5,000,000. |
<TcpTotalOooConnections> |
Total out-of-order connections |
Indicates how many total out of order packet connections are occurring. If this number is high or approaching the "Total connections" number, then the network infrastructure that is providing traffic to the Capture ports cannot be clean, and some hits cannot properly reassemble because of excessive packet reordering required. This can be CPU-intensive for the Capture process. |
<TcpTotalRolloverConnections> |
Total rollover connections |
Total connections where the TCP sequence number is rolled over to 0 |
<TcpTotalMissingPktConnections> |
Total missing packet connections |
Total connections where a missing packet condition are detected |
<TcpCurrentStreamingConnections> |
Current streaming connections |
Not implemented or used |
<TcpTotalStreamingConnections> |
Total streaming connections |
Not implemented or used |
<TcpTotalAckedButUnseenPackets> |
Total ACKed but unseen packets |
A count of TCP ACK packets that were received but did not have a corresponding TCP data packet that it ACKed for the TCP connection. |
<TcpTotalAckRollbacks> |
Total ACK rollbacks |
A count of ACK packet sequence numbers that are less than the expected ACK packet sequence number in the TCP reassembler. |
<TcpAlienPacketsRcvd> |
Alien packets rcvd |
A count of any TCP packet where a corresponding TCP connection is not found in
the TCP reassembler table of current known TCP connections. The alien packet count must be measured
against the Total packets captured value. Expect to see this count below 10
percent. |
<TcpTotalChecksumErrors> |
Total checksum errors |
Count of bad TCP packet checksum errors. If you are getting error counts for
this value, then your network infrastructure is spanning traffic to the Passive Capture host machine
with bad packet checksum values. Note: If you are encountering a high number of checksum errors, the
problem can be caused by a number of factors. It includes checksum offloading that are performed at
the NIC. To verify, you must contact your network IT department to identify if this feature is
enabled and, if so, to disable it and then recheck the value of this statistic.
|
<TcpErrors> |
Errors |
Not implemented or used. |
<TcpErrorsperSec> |
TCP Errors per Second |
Not implemented or used. |
<TcpTotalDuplicatePackets> |
Total back-to-back duplicate packets |
Indicates how many back-to-back duplicate packets are occurring in the filtered
capture traffic. A high number indicates that the network switch span ports are not properly
configured and are providing duplicate traffic. In this case, the stat approaches one half the value
that is specified in the Total packets rcvd value. While the Capture processes can
handle duplicate traffic packets, it is an unnecessary usage that can impact performance when the
system is already close to its maximum level. This also is an issue where available bandwidth for
the Capture NICs is needlessly wasted. |