
  • © 2020 ExtraHop Networks, Inc. All rights reserved.

    Protocol Metrics Reference

    Published: 2020-03-05

    This reference provides descriptions for all metrics that appear on built-in ExtraHop protocol pages. You can access a protocol page in the ExtraHop system by logging into the Web UI, clicking Assets and then clicking Protocols in the left pane. Click the name of a protocol or group to see all the available protocol pages in the left column.

    AAA

    ExtraHop appliances collect metrics about Authentication, Authorization, and Accounting (AAA) activity.

    AAA application page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AAA Summary
    • AAA Details
    • AAA Performance
    • AAA Network Data
    • AAA Metric Totals

    AAA Summary

    Transactions

    This chart shows you when AAA errors and responses were associated with the application. This information can help you see how active the application was at the time the errors occurred.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see Requests and Responses.

    Metric Description

    Responses The number of AAA responses.

    Errors The number of AAA response errors.

    Total Transactions

    This chart displays the total number of AAA responses that were associated with the application and how many of those responses contained errors.

    Metric Description

    Responses The number of AAA responses.

    Errors The number of AAA response errors.

    Performance (95th Percentile)

    This chart shows the 95th percentile of timing metrics. The transfer and processing time metrics show parts of a complete transaction. The request transfer time shows how long clients took to transmit requests onto the network; the server processing time shows how long the servers took to process requests; and the response transfer time shows how long the servers took to transmit responses onto the network.

    Transfer and processing times are calculated by measuring the time between when the first and last packets of requests and responses are seen by the ExtraHop system, as shown in the following figure:

    It can be difficult to tell whether an issue is caused by a network or a device from looking only at transfer and processing times, because these metrics alone provide an incomplete picture. Therefore the round trip time (RTT) metric is also included in this chart. RTT metrics are a good indicator of how your network is performing. If you see high transfer or processing times, but the RTT is low, the issue is probably at the device-level. However, if the RTT, processing, and transfer times are all high, network latency might be affecting the transfer and processing times, and the issue might be with the network.

    The RTT metric can help identify the source of the problem because it only measures how long an immediate acknowledgement takes to be sent from the client or server; it does not wait until all packets are delivered.

    The ExtraHop system calculates the RTT value by measuring the time between the first packet of a request and the acknowledgement from the server, as shown in the following figure:

    The request transfer time might be high because the client took a long time to transmit the request (possibly because the request was very large); however, the transfer time could also be high because the request took a long time to travel on the network (possibly because of network congestion).

    Learn more about how the ExtraHop system calculates round trip time on the ExtraHop forum.

    Metric Description

    Request Transfer Time The time between the ExtraHop system detecting the first packet and the last packet of an AAA request. A high number might indicate a large request or network delay.

    Server Processing Time The time between the ExtraHop system detecting the last packet of an AAA request and the first packet of the corresponding response.

    Response Transfer Time The time between the ExtraHop system detecting the first packet and the last packet of an AAA response. A high value might indicate a large response or network delay.

    Round Trip Time The time between when an AAA client or server sent a packet that required immediate acknowledgment and when the acknowledgment was received.

    The Performance (95th percentile) chart shows the highest value for a time period while filtering outliers; the 95th percentile is the highest value that falls below 95% of the values for a sample period. By displaying the 95th value, rather than the true maximum, the chart gives you a more accurate view of the data:

    Performance (95th)

    If an application is acting slow, performance summary metrics can help you figure out whether the network or servers are causing the issue. These metrics show the 95th percentile of time that servers took to process requests from clients versus the 95th percentile time that packets from those requests (and their respective responses) took to be transmitted across the network. High server processing times indicate that clients are contacting slow servers. High TCP round trip times indicate that clients are communicating over slow networks.

    Metric Description

    Server Processing Time The time between the ExtraHop system detecting the last packet of an AAA request and the first packet of the corresponding response.

    Round Trip Time The time between when an AAA client or server sent a packet that required immediate acknowledgment and when the acknowledgment was received.
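
    The reading of these charts can be reproduced offline from packet timings. The Python below is an added example, not ExtraHop code: it derives the three timing metrics from first and last packet timestamps, takes a 95th percentile, and applies the device-versus-network reading of RTT described above. The sample transactions, the nearest-rank percentile method and both thresholds are assumptions.

```python
"""Added example: AAA timing metrics, 95th percentile and RTT-based triage.

All sample data is constructed; the thresholds are assumptions, not product defaults.
"""
from dataclasses import dataclass


@dataclass
class Txn:
    """Packet timestamps (ms) for one AAA transaction as seen at the sensor."""
    req_first: float
    req_last: float
    rsp_first: float
    rsp_last: float
    rtt: float  # round trip time sample for the same flow (ms)


def timings(t: Txn) -> dict:
    """Split one transaction into the timing metrics the chart reports."""
    return {
        "request_transfer": t.req_last - t.req_first,
        "server_processing": t.rsp_first - t.req_last,
        "response_transfer": t.rsp_last - t.rsp_first,
        "round_trip": t.rtt,
    }


def percentile(values, pct=95):
    """Nearest-rank percentile (assumed method); integer math avoids float drift."""
    if not values:
        raise ValueError("no samples in this time period")
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # ceil(pct * n / 100)
    return ordered[rank - 1]


def p95_summary(txns):
    """95th percentile of every timing metric over a sample period."""
    if not txns:
        raise ValueError("no transactions in this time period")
    rows = [timings(t) for t in txns]
    return {name: percentile([r[name] for r in rows]) for name in rows[0]}


def triage(summary, slow_ms=200.0, rtt_high_ms=50.0):
    """Return 'ok', 'device' or 'network'; both thresholds are assumed values.

    High transfer/processing time with low RTT points at the device;
    high times together with high RTT point at network latency.
    """
    slowest = max(summary["request_transfer"],
                  summary["server_processing"],
                  summary["response_transfer"])
    if slowest < slow_ms:
        return "ok"
    return "network" if summary["round_trip"] >= rtt_high_ms else "device"


def txn(start, req_xfer, proc, rsp_xfer, rtt):
    """Build one constructed transaction from its durations (ms)."""
    req_last = start + req_xfer
    rsp_first = req_last + proc
    return Txn(start, req_last, rsp_first, rsp_first + rsp_xfer, rtt)


# Constructed sample: a slow AAA server on a fast network, with one 5 s outlier.
SLOW_SERVER = [
    txn(i * 1000.0, 2.0, 5000.0 if i == 19 else 300.0 + i, 3.0, 5.0 + i % 3)
    for i in range(20)
]

# Constructed sample: every phase is slow and RTT is high as well.
CONGESTED = [txn(i * 1000.0, 250.0, 300.0, 400.0, 120.0) for i in range(20)]


if __name__ == "__main__":
    for name, sample in (("slow server", SLOW_SERVER), ("congested", CONGESTED)):
        summary = p95_summary(sample)
        worst = max(timings(t)["server_processing"] for t in sample)
        print(f"{name}: p95={summary} max_processing={worst} -> {triage(summary)}")
```

    In the first sample the single 5000 ms transaction sets the true maximum but not the 95th percentile, which is the outlier filtering the chart description refers to.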

    AAA Details

    Top Methods

    This chart shows which AAA methods were associated with the application by breaking out the total number of AAA requests by method.

    Top Error Types

    This chart shows which AAA error types were associated with the application the most by breaking out the number of responses by error type.

    AAA Performance

    Server Processing Time Distribution

    This chart breaks out server processing times in a histogram to show the most common processing times.

    Metric Description

    AAA Server Processing Time The time between the ExtraHop system detecting the last packet of an AAA request and the first packet of the corresponding response.

    Server Processing Time

    This chart shows the median processing time for the application.

    Metric Description

    AAA Server Processing Time The time between the ExtraHop system detecting the last packet of an AAA request and the first packet of the corresponding response.

    Round Trip Time Distribution

    This chart breaks out round trip times in a histogram to show the most common round trip times.

    Metric Description

    Round Trip Time The time between when an AAA client or server sent a packet that required immediate acknowledgment and when the acknowledgment was received.

    Round Trip Time

    This chart shows the median round trip time for the application.

    Metric Description

    Round Trip Time The time between when an AAA client or server sent a packet that required immediate acknowledgment and when the acknowledgment was received.

    AAA Network Data

    This section shows you TCP information that is related to the current protocol. In general, host stalls indicate that there is an issue with either a server or a client, and network stalls indicate that there is an issue with the network.

    Host Stalls

    This chart shows the number of zero windows that were associated with an application. Devices control the amount of data they receive by specifying the number of packets that can be sent to them over a given time period. When a device is sent more data than it can process, the device advertises a zero window to ask its peer device to stop sending packets completely until the device catches up. If you see a large number of zero windows, a server or client might not be fast enough to support the amount of data being received.

    Metric Definition

    Request Zero Windows The number of zero window advertisements that were sent by AAA clients. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of incoming Zero Windows indicates that a peer device was too slow to process the amount of data received.

    Response Zero Windows The number of zero window advertisements sent by servers while receiving AAA requests. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of outgoing Zero Windows indicates that a client was too slow to process the amount of data received.

    Total Host Stalls

    This chart shows the median number of zero window advertisements sent by devices.

    Network Stalls

    This chart shows the number of retransmission timeouts that occurred. Retransmission timeouts (RTOs) occur when a network drops too many packets, usually due to packet collisions or buffer exhaustion. If a device sends a request or response and does not receive confirmation within a specified amount of time, the device retransmits the request. If too many retransmissions are unacknowledged, an RTO occurs. If you see a large number of RTOs, the network might be too slow to support the current level of activity.

    Metric Definition

    RTOs In The number of retransmission timeouts caused by congestion when clients were sending AAA requests. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of incoming RTOs, a device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    RTOs Out The number of retransmission timeouts caused by congestion when servers were sending AAA responses. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of outgoing RTOs, a device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    Total Network Stalls

    This chart shows the median number of retransmission timeouts caused by congestion when clients and servers were sending requests.

    Metric Definition

    RTOs In The number of retransmission timeouts caused by congestion when clients were sending AAA requests. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of incoming RTOs, a device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    RTOs Out The number of retransmission timeouts caused by congestion when servers were sending AAA responses. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of outgoing RTOs, a device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    AAA Metric Totals

    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, clients might be sending more requests than servers can handle or the network might be too slow. To identify whether the issue is with the network or a server, check RTOs and zero windows in the Network Data section.

    Note: It is unlikely that the total number of AAA requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric Description

    Requests The number of AAA requests that were sent.

    Responses The number of AAA responses.

    Errors The number of AAA response errors.

    Diameter Request The number of Diameter requests that were sent. Diameter is an updated version of the RADIUS AAA protocol.

    RADIUS Request The number of RADIUS (Remote Authentication Dial-In User Service) requests that were sent.

    Aborts The number of AAA protocol sessions that were aborted.

    AAA Network Metrics

    Metric Description

    Request Zero Windows The number of zero window advertisements that were sent by AAA clients. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    Response Zero Windows The number of zero window advertisements sent by servers while receiving AAA requests. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    Request RTOs The number of retransmission timeouts caused by congestion when clients were sending AAA requests. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    Response RTOs The number of retransmission timeouts caused by congestion when servers were sending AAA responses. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    Request L2 Bytes The number of L2 bytes sent that were associated with AAA requests.

    Response L2 Bytes The number of L2 bytes sent that were associated with AAA responses.

    Request Goodput Bytes The number of goodput bytes associated with AAA requests. Goodput refers to the throughput of the original data transferred and excludes other throughput such as protocol headers or retransmitted packets.

    Response Goodput Bytes The number of goodput bytes associated with AAA responses. Goodput refers to the throughput of the original data transferred and excludes other throughput such as protocol headers or retransmitted packets.

    Request Packets The number of packets sent that were associated with AAA requests.

    Response Packets The number of packets sent that were associated with AAA responses.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
        • Trigger walkthrough: Track HTTP 404 errors
        • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AAA client page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AAA Summary
    • AAA Details
    • AAA Performance
    • Network Data
    • AAA Metric Totals

    AAA Summary

    Transactions

    This chart shows you when AAA errors occurred and how many responses the AAA client received. This information can help you see how active the client was at the time it received the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see Requests and Responses.

    Metric Description

    Responses The number of AAA responses that were received when the device was acting as an AAA client.

    Errors The number of AAA response errors that were received when the device was acting as an AAA client.

    Total Transactions

    This chart displays the total number of AAA responses the client received and how many of those responses contained errors.

    Metric Description

    Responses The number of AAA responses that were received when the device was acting as an AAA client.

    Errors The number of AAA response errors that were received when the device was acting as an AAA client.

    Performance (95th Percentile)

    This chart shows the 95th percentile of timing metrics. The server processing time shows how long servers took to process requests from clients. Processing times are calculated by measuring the time between when the first and last packets of requests and responses are seen by the ExtraHop system, as shown in the following figure:

    It can be difficult to tell whether an issue is caused by a network or a device from looking only at the processing time, because this metric alone provides an incomplete picture. Therefore the round trip time (RTT) metric is also included in this chart. RTT metrics are a good indicator of how your network is performing. If you see high processing times, but the RTT is low, the issue is probably at the device-level. However, if the RTT and processing times are both high, network latency might be affecting the transfer and processing times, and the issue might be with the network.

    RTT only measures how long an immediate acknowledgement takes to be sent; it does not wait until all packets are delivered. Therefore, RTT is a good indicator of how your network is performing. If you see high processing times, but the TCP RTT is low, the issue is probably at the device-level. Check the network for latency issues if the TCP RTT and processing times are both high.

    The RTT metric can help identify the source of the problem because it only measures how long an immediate acknowledgement takes to be sent from the client or server; it does not wait until all packets are delivered.

    The processing time might be high because the server took a long time to transmit the response (possibly because the response was very large); however, the processing time could also be high because the response took a long time to travel on the network (possibly because of network congestion).

    Learn more about how the ExtraHop system calculates round trip time on the ExtraHop forum.

    Metric Description

    Server Processing Time The time between the ExtraHop system detecting the last packet of a sent AAA request and the first packet of the corresponding response when the device was acting as an AAA client.

    Round Trip Time The time between when an AAA client sent a packet that required immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    The Performance (95th percentile) chart shows the highest value for a time period while filtering outliers; the 95th percentile is the highest value that falls below 95% of the values for a sample period. By displaying the 95th value, rather than the true maximum, the chart gives you a more accurate view of the data:

    Performance Summary (95th Percentile)

    If a client is acting slow, performance summary metrics can help you figure out whether the network or servers are causing the issue. These metrics show the 95th percentile amount of time that servers took to process requests from the client versus the 95th percentile time that packets from those requests (and their respective responses) took to be transmitted across the network. High server processing times indicate that the client is contacting slow servers. High TCP round trip times indicate that the client is communicating over slow networks.

    Metric Description

    Server Processing Time The time between the ExtraHop system detecting the last packet of a sent AAA request and the first packet of the corresponding response when the device was acting as an AAA client.

    Round Trip Time The time between when an AAA client sent a packet that required immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    AAA Details

    Top Methods

    This chart shows which AAA methods the client called the most by breaking out the total number of requests the client sent by method.

    Top Error Types

    This chart shows which AAA error types the client received the most by breaking out the number of responses returned to the client by error type.

    AAA Performance

    Server Processing Time Distribution

    This chart breaks out server processing times in a histogram to show the most common processing times.

    Metric Description

    AAA Client Server Processing Time The time between the ExtraHop system detecting the last packet of a sent AAA request and the first packet of the corresponding response when the device was acting as an AAA client.

    Server Processing Time

    This chart shows the median processing time for the client.

    Metric Description

    AAA Client Server Processing Time The time between the ExtraHop system detecting the last packet of a sent AAA request and the first packet of the corresponding response when the device was acting as an AAA client.

    Round Trip Time Distribution

    This chart breaks out round trip times in a histogram to show the most common round trip times.

    Metric Description

    Round Trip Time The time between when an AAA client sent a packet that required immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    Round Trip Time

    This chart shows the median round trip time for the client.

    Metric Description

    Round Trip Time The time between when an AAA client sent a packet that required immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    Network Data

    This section shows you TCP information that is related to the current protocol. In general, host stalls indicate that there is an issue with either the server or the client, and network stalls indicate that there is an issue with the network.

    Host Stalls

    This chart shows the number of zero windows that were advertised or received by the device. Devices control the amount of data they receive by specifying the number of packets that can be sent to them over a given time period. When a device is sent more data than it can process, the device advertises a zero window to ask its peer device to stop sending packets completely until the device catches up. If you see a large number of zero windows, a server or client might not be fast enough to support the amount of data being received.

    Metric Definition

    Zero Windows In The number of zero windows that were sent to the device to stop the flow of data over the connection. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows in indicates that a peer device was too slow to process the amount of data received.

    Zero Windows Out The number of zero windows that were sent from the device to stop the flow of data. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows out indicates that the client was too slow to process the amount of data received.

    Network Stalls

    This chart shows the number of retransmission timeouts that occurred. Retransmission timeouts (RTOs) occur when a network drops too many packets, usually due to packet collisions or buffer exhaustion. If a device sends a request or response and does not receive confirmation within a specified amount of time, the device retransmits the request. If too many retransmissions are unacknowledged, an RTO occurs. If you see a large number of RTOs, the network might be too slow to support the current level of activity.

    Metric Definition

    RTOs In The number of retransmission timeouts (RTOs) caused by network congestion as peers were sending data to the current device. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs in, the device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    RTOs Out The number of retransmission timeouts (RTOs) caused by network congestion as the device was sending data to its peers. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs out, the device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    AAA Metric Totals

    Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, the client might be sending more requests than the servers can handle or the network might be too slow. To identify whether the issue is with the network or the server, check RTOs and zero windows in the Network Data section.

    Note: It is unlikely that the total number of AAA requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric Description

    Requests The number of AAA requests that were sent when the device was acting as an AAA client.

    Responses The number of AAA responses that were received when the device was acting as an AAA client.

    Errors The number of AAA response errors that were received when the device was acting as an AAA client.

    Diameter Request The number of Diameter requests that were sent when the device was acting as an AAA client. Diameter is an updated version of the RADIUS AAA protocol.

    RADIUS Request The number of RADIUS (Remote Authentication Dial-In User Service) requests that were sent when the device was acting as an AAA client.

    Aborts The number of aborted sessions that occurred when the device was acting as an AAA client.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
        • Trigger walkthrough: Track HTTP 404 errors
        • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AAA server page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AAA Summary
    • AAA Details
    • AAA Performance
    • Network Data
    • AAA Metric Totals

    AAA Summary

    Transactions

    This chart shows you when AAA errors occurred and how many AAA responses the server sent. This information can help you see how active the server was at the time it returned the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see Requests and Responses.

    Metric Description

    Responses The number of AAA responses that were sentwhen the device was acting as an AAA server.

    Errors The number of AAA response errors that weresent when the device was acting as an AAAserver.

    Total TransactionsThis chart displays the total number of AAA responses the server sent and how many of thoseresponses contained errors.


    Metric | Description
    Responses | The number of AAA responses that were sent when the device was acting as an AAA server.
    Errors | The number of AAA response errors that were sent when the device was acting as an AAA server.

    Performance (95th Percentile)

    This chart shows the 95th percentile of timing metrics. The server processing time shows how long servers took to process requests from clients. Processing times are calculated by measuring the time between when the first and last packets of requests and responses are seen by the ExtraHop system, as shown in the following figure:

    It can be difficult to tell whether an issue is caused by a network or a device from looking only at the processing time, because this metric alone provides an incomplete picture. Therefore the round trip time (RTT) metric is also included in this chart. RTT metrics are a good indicator of how your network is performing. If you see high processing times, but the RTT is low, the issue is probably at the device-level. However, if the RTT and processing times are both high, network latency might be affecting the transfer and processing times, and the issue might be with the network.

    RTT only measures how long an immediate acknowledgement takes to be sent; it does not wait until all packets are delivered. Therefore, RTT is a good indicator of how your network is performing. If you see high processing times, but the TCP RTT is low, the issue is probably at the device-level. Check the network for latency issues if the TCP RTT and processing times are both high.

    The RTT metric can help identify the source of the problem because it only measures how long an immediate acknowledgement takes to be sent from the client or server; it does not wait until all packets are delivered.

    The processing time might be high because the server took a long time to transmit the response (possibly because the response was very large); however, the processing time could also be high because the response took a long time to travel on the network (possibly because of network congestion).

    Learn more about how the ExtraHop system calculates round trip time on the ExtraHop forum (https://forums.extrahop.com/).

    Metric | Description
    AAA Server Server Processing Time | The time between the ExtraHop system detecting the last packet of a received AAA request and the first packet of the corresponding response when the device was acting as an AAA server.
    Round Trip Time | The time between when an AAA server sent a packet that required an immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    The Performance (95th percentile) chart shows the highest value for a time period while filtering outliers; the 95th percentile is the highest value that falls below 95% of the values for a sample period. By displaying the 95th value, rather than the true maximum, the chart gives you a more accurate view of the data:


    Performance Summary (95th Percentile)

    If a server is acting slow, performance summary metrics can help you figure out whether the network or the server is causing the issue. The performance summary metrics show the 95th percentile amount of time the server took to process requests from clients versus the 95th percentile time that packets from those requests (and their respective responses) took to be transmitted across the network. High server processing times indicate that the server is slow. High RTTs indicate that the server is communicating over slow networks.

    Metric | Description
    AAA Client Server Processing Time | The time between the ExtraHop system detecting the last packet of a received AAA request and the first packet of the corresponding response when the device was acting as an AAA server.
    Round Trip Time | The time between when an AAA server sent a packet that required an immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    AAA Details

    Top Methods

    This chart shows which AAA methods were called on the server the most by breaking out the total number of requests the server received by method.


    Top Error Types

    This chart shows which AAA error types the server returned the most by breaking out the total number of responses the server sent by error type.

    AAA Performance

    Server Processing Time Distribution

    This chart breaks out server processing times in a histogram to show the most common processing times.

    Metric | Description
    AAA Server Server Processing Time | The time between the ExtraHop system detecting the last packet of a received AAA request and the first packet of the corresponding response when the device was acting as an AAA server.

    Server Processing Time

    This chart shows the median processing time for the server.

    Metric | Description
    AAA Server Server Processing Time | The time between the ExtraHop system detecting the last packet of a received AAA request and the first packet of the corresponding response when the device was acting as an AAA server.

    Round Trip Time Distribution

    This chart breaks out round trip times in a histogram to show the most common round trip times.

    Metric | Description
    Round Trip Time | The time between when an AAA server sent a packet that required an immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    Round Trip Time

    This chart shows the median round trip time for the server.

    Metric | Description
    Round Trip Time | The time between when an AAA server sent a packet that required an immediate acknowledgment and when the acknowledgment was received. Round trip time (RTT) is a measurement of network latency.

    Network Data

    This section shows you TCP information that is related to the current protocol. In general, host stalls indicate that there is an issue with either the server or the client, and network stalls indicate that there is an issue with the network.


    Host Stalls

    This chart shows the number of zero windows that were advertised or received by the device. Devices control the amount of data they receive by specifying the number of packets that can be sent to them over a given time period. When a device is sent more data than it can process, the device advertises a zero window to ask its peer device to stop sending packets completely until the device catches up. If you see a large number of zero windows, a server or client might not be fast enough to support the amount of data being received.

    Metric | Definition
    Zero Windows In | The number of zero windows that were sent to the device to stop the flow of data over the connection. A device advertises a Zero Window when incoming data is arriving too quickly to be processed. A large number of zero windows in indicates that a peer device was too slow to process the amount of data received.
    Zero Windows Out | The number of zero windows that were sent from the device to stop the flow of data. A device advertises a Zero Window when incoming data is arriving too quickly to be processed. A large number of zero windows out indicates that the client was too slow to process the amount of data received.

    Network Stalls

    This chart shows the number of retransmission timeouts that occurred. Retransmission timeouts (RTOs) occur when a network drops too many packets, usually due to packet collisions or buffer exhaustion. If a device sends a request or response and does not receive confirmation within a specified amount of time, the device retransmits the request. If too many retransmissions are unacknowledged, an RTO occurs. If you see a large number of RTOs, the network might be too slow to support the current level of activity.

    Metric | Definition
    RTOs In | The number of retransmission timeouts (RTOs) caused by network congestion as peers were sending data to the current device. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions. If you see a large number of RTOs in, the device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.
    RTOs Out | The number of retransmission timeouts (RTOs) caused by network congestion as the device was sending data to its peers. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions. If you see a large number of RTOs out, the device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    AAA Metric Totals

    Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, clients might be sending more requests than the server can handle or the network might be too slow. To identify whether the issue is with the network or the server, check RTOs and zero windows in the Network Data section.

    Note: It is unlikely that the total number of AAA requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric | Description
    Requests | The number of AAA requests that were received when the device was acting as an AAA server.
    Responses | The number of AAA responses that were sent when the device was acting as an AAA server.
    Errors | The number of AAA response errors that were sent when the device was acting as an AAA server.
    Diameter Request | The number of Diameter requests that were received when the device was acting as an AAA server. Diameter is an updated version of the RADIUS AAA protocol.
    RADIUS Request | The number of RADIUS requests that the device received when acting as an AAA server.
    Aborts | The number of aborted sessions that occurred when the device was acting as an AAA server.
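The triage this reference describes for a slow AAA server (high processing time with low RTT points at the device, both high points at the network, then zero windows, RTOs and the request/response gap narrow it down), as an added Python example that is not ExtraHop code. The thresholds, class and field names, finding codes and sample values are assumptions constructed for illustration, and the percentile uses the nearest-rank method.

```python
"""Network-vs-device triage using the heuristics in this reference (added example)."""
from dataclasses import dataclass

# Assumed thresholds: the reference gives no numeric cut-offs, tune per environment.
HIGH_PROCESSING_MS = 200.0   # 95th percentile server processing time
HIGH_RTT_MS = 100.0          # 95th percentile round trip time
STALL_COUNT = 50             # zero windows or RTOs per sample period
REQUEST_GAP = 0.10           # requests exceeding responses by more than 10%


def percentile(samples, pct=95):
    """Nearest-rank percentile: smallest sample with at least pct% of samples at or below it."""
    if not samples:
        raise ValueError("percentile() needs at least one sample")
    ordered = sorted(samples)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # integer ceiling, pct is an int
    return ordered[rank - 1]


@dataclass
class SamplePeriod:
    """Metrics for one device acting as an AAA server over one time period."""
    processing_ms: list
    rtt_ms: list
    requests: int
    responses: int
    zero_windows_in: int = 0
    zero_windows_out: int = 0
    rtos_in: int = 0
    rtos_out: int = 0


def triage(p):
    """Return the 95th percentile timings and a list of finding codes."""
    p95_proc = percentile(p.processing_ms)
    p95_rtt = percentile(p.rtt_ms)
    findings = []
    if p95_proc >= HIGH_PROCESSING_MS:
        # High processing time alone is ambiguous; RTT decides which side to check.
        findings.append("network-latency" if p95_rtt >= HIGH_RTT_MS else "slow-device")
    if p.zero_windows_out >= STALL_COUNT:
        findings.append("host-stall-local")   # this device asked peers to stop sending
    if p.zero_windows_in >= STALL_COUNT:
        findings.append("host-stall-peer")    # peers asked this device to stop sending
    if p.rtos_in + p.rtos_out >= STALL_COUNT:
        findings.append("network-stall")      # retransmission timeouts in either direction
    if p.requests > p.responses * (1 + REQUEST_GAP):
        findings.append("unanswered-requests")
    return {"p95_processing_ms": p95_proc, "p95_rtt_ms": p95_rtt, "findings": findings}


# Constructed sample data, not captured from a real system.
LOW_RTT = [10, 11, 12] * 6 + [10, 11]            # 20 samples, all low
SLOW_PROC = [250 + 10 * i for i in range(20)]    # 250..440 ms

# One 5000 ms outlier among otherwise fast responses: the maximum is 5000,
# but the 95th percentile ignores it, so nothing is flagged.
ONE_OUTLIER = SamplePeriod(
    processing_ms=[40, 42, 45, 47, 50, 51, 52, 53, 55, 56,
                   57, 58, 60, 61, 62, 63, 65, 66, 70, 5000],
    rtt_ms=LOW_RTT, requests=1000, responses=998)

# Slow processing, healthy network, and the server itself advertising zero windows.
SLOW_SERVER = SamplePeriod(SLOW_PROC, LOW_RTT, requests=1000, responses=850,
                           zero_windows_out=120, rtos_in=3)

# Slow processing together with high RTT and many RTOs.
CONGESTED = SamplePeriod(SLOW_PROC, [150 + i for i in range(20)],
                         requests=1000, responses=990, rtos_in=40, rtos_out=30)

if __name__ == "__main__":
    for name, period in [("one outlier", ONE_OUTLIER),
                         ("slow server", SLOW_SERVER),
                         ("congested", CONGESTED)]:
        print(name, triage(period))
```
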

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
      • Trigger walkthrough: Track HTTP 404 errors
      • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AAA client group page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AAA Summary for Group
    • AAA Details for Group
    • AAA Metrics for Group

    AAA Summary for Group

    Transactions

    This chart shows you when AAA errors occurred and how many responses the AAA clients received. This information can help you see how active the clients were at the time they received the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see the Metrics for Group section below.

    Metric | Description
    Responses | The number of AAA responses that were received when the device was acting as an AAA client.
    Errors | The number of AAA response errors that were received when the device was acting as an AAA client.

    Total Transactions

    This chart shows you how many AAA responses the clients received and how many of those responses contained errors.

    Metric | Description
    Responses | The number of AAA responses that were received when the device was acting as an AAA client.
    Errors | The number of AAA response errors that were received when the device was acting as an AAA client.

    AAA Details for Group

    Top Group Members (AAA Clients)

    This chart shows which AAA clients in the group were most active by breaking out the total number of AAA requests the group sent by client.

    Top Methods

    This chart shows which AAA methods the group called the most by breaking out the total number of requests the group sent by method.

    Top Error Types

    This chart shows which AAA error types the group received the most by breaking out the number of responses returned to the group by error type.

    AAA Metrics for Group

    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, the clients might be sending more requests than servers can handle or the network might be too slow.

    Note: It is unlikely that the total number of requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric | Description
    Requests | The number of AAA requests that were sent when the device was acting as an AAA client.
    Responses | The number of AAA responses that were received when the device was acting as an AAA client.
    Errors | The number of AAA response errors that were received when the device was acting as an AAA client.
    Diameter Request | The number of Diameter requests that were sent when the device was acting as an AAA client. Diameter is an updated version of the RADIUS AAA protocol.
    RADIUS Request | The number of RADIUS (Remote Authentication Dial-In User Service) requests that were sent when the device was acting as an AAA client.
    Aborts | The number of aborted sessions that occurred when the device was acting as an AAA client.

    Server Processing Time

    If a client group is acting slow, the server processing time can help you figure out whether the issue is with the servers. The Server Processing Time chart shows the median amount of time servers took to process requests from the clients. High server processing times indicate that the clients are contacting slow servers.

    Metric | Description
    Server Processing Time | The time between the ExtraHop system detecting the last packet of a sent AAA request and the first packet of the corresponding response when the device was acting as an AAA client.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
      • Trigger walkthrough: Track HTTP 404 errors
      • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AAA server group page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AAA Summary for Group
    • AAA Details for Group
    • AAA Metrics for Group

    AAA Summary for Group

    Transactions

    This chart shows you when AAA errors occurred and how many AAA responses the servers sent. This information can help you see how active the servers were at the time they returned the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see the Metrics for Group section below.


    Metric | Description
    Responses | The number of AAA responses that were sent when the device was acting as an AAA server.
    Errors | The number of AAA response errors that were sent when the device was acting as an AAA server.

    Total Transactions

    This chart shows you how many AAA responses servers in the group sent and how many of those responses contained errors.

    Metric | Description
    Responses | The number of AAA responses that were sent when the device was acting as an AAA server.
    Errors | The number of AAA response errors that were sent when the device was acting as an AAA server.

    AAA Details for Group

    Top Group Members (AAA Servers)

    This chart shows which AAA servers in the group were most active by breaking out the total number of AAA responses the group sent by server.

    Top Methods

    This chart shows which AAA methods were called on servers in the group the most by breaking out the total number of requests the group received by method.

    Top Error Types

    This chart shows which AAA error types the groups returned the most by breaking out the total number of responses the group sent by error type.

    AAA Metrics for Group

    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, clients might be sending more requests than the servers can handle or the network might be too slow.

    Note: It is unlikely that the total number of requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric | Description
    Requests | The number of AAA requests that were received when the device was acting as an AAA server.
    Responses | The number of AAA responses that were sent when the device was acting as an AAA server.
    Errors | The number of AAA response errors that were sent when the device was acting as an AAA server.
    Diameter Request | The number of Diameter requests that were received when the device was acting as an AAA server. Diameter is an updated version of the RADIUS AAA protocol.
    RADIUS Request | The number of RADIUS requests that the device received when acting as an AAA server.
    Aborts | The number of aborted sessions that occurred when the device was acting as an AAA server.

    Server Processing Time

    The Server Processing Time chart shows the median amount of time the servers took to process requests from clients. High server processing times indicate that the servers in a group are slow.

    Metric | Description
    AAA Client Server Processing Time | The time between the ExtraHop system detecting the last packet of a received AAA request and the first packet of the corresponding response when the device was acting as an AAA server.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
      • Trigger walkthrough: Track HTTP 404 errors
      • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AJP

    ExtraHop appliances collect metrics about Apache JServ Protocol (AJP) activity.

    Note: ExtraHop appliances do not include any built-in metric pages for AJP. However, you can view AJP metrics by adding them to a custom page or dashboard.


    AMF

    ExtraHop appliances collect metrics about Hypertext Transfer Protocol (HTTP) Action Message Format (AMF) activity.

    AMF client page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AMF Summary
    • AMF Performance
    • Network Data
    • AMF Metric Totals

    AMF Summary

    Transactions

    This chart shows you when AMF errors occurred and how many responses the AMF client received. This information can help you see how active the client was at the time it received the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see Requests and Responses.

    Metric | Description
    Responses | The number of responses that the device received when acting as an HTTP-AMF client.
    Errors | The number of response errors that the device received when acting as an HTTP-AMF client.

    Total Transactions

    This chart displays the total number of AMF responses the client received and how many of those responses contained errors.

    Metric | Description
    Responses | The number of responses that the device received when acting as an HTTP-AMF client.
    Errors | The number of response errors that the device received when acting as an HTTP-AMF client.

    Performance (95th Percentile)

    This chart shows the 95th percentile of timing metrics. The transfer and processing time metrics show parts of a complete transaction. The request transfer time shows how long the client took to transmit requests onto the network; the server processing time shows how long servers took to process the requests; and the response transfer time shows how long servers took to transmit responses onto the network.

    Transfer and processing times are calculated by measuring the time between when the first and last packets of requests and responses are seen by the ExtraHop system, as shown in the following figure:

    It can be difficult to tell whether an issue is caused by a network or a device from looking only at transfer and processing times, because these metrics alone provide an incomplete picture. Therefore the round trip time (RTT) metric is also included in this chart. RTT metrics are a good indicator of how your network is performing. If you see high transfer or processing times, but the RTT is low, the issue is probably at the device-level. However, if the RTT, processing, and transfer times are all high, network latency might be affecting the transfer and processing times, and the issue might be with the network.

    The RTT metric can help identify the source of the problem because it only measures how long an immediate acknowledgement takes to be sent from the client or server; it does not wait until all packets are delivered.

    The ExtraHop system calculates the RTT value by measuring the time between the first packet of a request and the acknowledgement from the server, as shown in the following figure:


    The request transfer time might be high because the client took a long time to transmit the request (possibly because the request was very large); however, the transfer time could also be high because the request took a long time to travel on the network (possibly because of network congestion).

    Learn more about how the ExtraHop system calculates round trip time on the ExtraHop forum (https://forums.extrahop.com/).

    Metric | Description
    AMF Client Request Transfer Time | When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the first packet and last packet of sent requests. A high number might indicate a large request or network delay.
    AMF Client Server Processing Time | When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.
    AMF Client Response Transfer Time | When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the first packet and last packet of received responses. A high number might indicate a large response or network delay.
    Round Trip Time | The time between when an AMF client sent a packet that required an immediate acknowledgment and when the client received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    The Performance (95th percentile) chart shows the highest value for a time period while filtering outliers; the 95th percentile is the highest value that falls below 95% of the values for a sample period. By displaying the 95th value, rather than the true maximum, the chart gives you a more accurate view of the data:


    Performance (95th)

    If a client is acting slow, performance summary metrics can help you figure out whether the network or servers are causing the issue. These metrics show the 95th percentile amount of time that servers took to process requests from the client versus the 95th percentile time that packets from those requests (and their respective responses) took to be transmitted across the network. High server processing times indicate that the client is contacting slow servers. High TCP round trip times indicate that the client is communicating over slow networks.

    Metric | Description
    AMF Client Server Processing Time | When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.
    Round Trip Time | The time between when an AMF client sent a packet that required an immediate acknowledgment and when the client received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    AMF Performance

    Server Processing Time Distribution

    This chart breaks out server processing times in a histogram to show the most common processing times.


    Metric Description

    AMF Client Server Processing Time: When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.

    Server Processing Time
    This chart shows the median processing time for the client.

    Metric Description

    AMF Client Server Processing Time: When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.

    Round Trip Distribution
    This chart breaks out round trip times in a histogram to show the most common round trip times.

    Metric Description

    Round Trip Time: The time between when an AMF client sent a packet that required an immediate acknowledgment and when the client received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    Round Trip Time
    This chart shows the median round trip time for the client.

    Metric Description

    Round Trip Time: The time between when an AMF client sent a packet that required an immediate acknowledgment and when the client received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    Network Data

    This section shows you TCP information that is related to the current protocol. In general, host stalls indicate that there is an issue with either the server or the client, and network stalls indicate that there is an issue with the network.

    Host Stalls
    This chart shows the number of zero windows that were advertised or received by the device. Devices control the amount of data they receive by specifying the number of packets that can be sent to them over a given time period. When a device is sent more data than it can process, the device advertises a zero window to ask its peer device to stop sending packets completely until the device catches up. If you see a large number of zero windows, a server or client might not be fast enough to support the amount of data being received.

    Metric Definition

    Zero Windows In: The number of zero windows that were sent to the device to stop the flow of data over the connection. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows in indicates that a peer device was too slow to process the amount of data received.

    Zero Windows Out: The number of zero windows that were sent from the device to stop the flow of data. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows out indicates that the client was too slow to process the amount of data received.

    Network Stalls
    This chart shows the number of retransmission timeouts that occurred. Retransmission timeouts (RTOs) occur when a network drops too many packets, usually due to packet collisions or buffer exhaustion. If a device sends a request or response and does not receive confirmation within a specified amount of time, the device retransmits the request. If too many retransmissions are unacknowledged, an RTO occurs. If you see a large number of RTOs, the network might be too slow to support the current level of activity.

    Metric Definition

    RTOs In: The number of retransmission timeouts (RTOs) caused by network congestion as peers were sending data to the current device. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs in, the device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    RTOs Out: The number of retransmission timeouts (RTOs) caused by network congestion as the device was sending data to its peers. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs out, the device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    AMF Metric Totals
    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, the client might be sending more requests than the servers can handle or the network might be too slow. To identify whether the issue is with the network or the server, check RTOs and zero windows in the Network Data section.

    Note: It is unlikely that the total number of AMF requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric Description

    Requests: The number of requests that the device sent when acting as an HTTP-AMF client.

    Responses: The number of responses that the device received when acting as an HTTP-AMF client.

    Responses Without Length: The number of responses that had no length, that the device received when acting as an HTTP-AMF client.

    Errors: The number of response errors that the device received when acting as an HTTP-AMF client.

    Requests Without Length: The number of requests that had no length, that the device sent when acting as an HTTP-AMF client.

    Request and Response Size
    This chart shows the average size of requests and responses.

    Metric Description

    Request Size: The distribution of sizes (in bytes) of requests that the device sent when acting as an HTTP-AMF client.

    Response Size: The distribution of sizes (in bytes) of responses that the device received when acting as an HTTP-AMF client.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
      • Trigger walkthrough: Track HTTP 404 errors
      • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AMF server page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AMF Summary
    • AMF Performance
    • Network Data
    • AMF Metric Totals

    AMF Summary
    Transactions

    This chart shows you when AMF errors occurred and how many AMF responses the server sent. This information can help you see how active the server was at the time it returned the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see Requests and Responses.

    Metric Description

    Responses: The number of responses that the device received when acting as an HTTP-AMF client.

    Errors: The number of response errors that the device received when acting as an HTTP-AMF client.

    Total Transactions
    This chart displays the total number of AMF responses the server sent and how many of those responses contained errors.

    Metric Description

    Responses: The number of responses that the device sent when acting as an HTTP-AMF server.

    Errors: The number of response errors that the device sent when acting as an HTTP-AMF server.

    Performance Summary (95th Percentile)
    This chart shows the 95th percentile of timing metrics. The transfer and processing time metrics show parts of a complete transaction. The request transfer time shows how long clients took to transmit requests onto the network; the server processing time shows how long the server took to process requests; and the response transfer time shows how long the server took to transmit responses onto the network.

    Transfer and processing times are calculated by measuring the time between when the first and last packets of requests and responses are seen by the ExtraHop system, as shown in the following figure:

    It can be difficult to tell whether an issue is caused by a network or a device from looking only at transfer and processing times, because these metrics alone provide an incomplete picture. Therefore the round trip time (RTT) metric is also included in this chart. RTT metrics are a good indicator of how your network is performing. If you see high transfer or processing times, but the RTT is low, the issue is probably at the device-level. However, if the RTT, processing, and transfer times are all high, network latency might be affecting the transfer and processing times, and the issue might be with the network.

    The RTT metric can help identify the source of the problem because it only measures how long an immediate acknowledgement takes to be sent from the client or server; it does not wait until all packets are delivered.

    The ExtraHop system calculates the RTT value by measuring the time between the first packet of a request and the acknowledgement from the server, as shown in the following figure:

    The request transfer time might be high because the client took a long time to transmit the request (possibly because the request was very large); however, the transfer time could also be high because the request took a long time to travel on the network (possibly because of network congestion).

    Learn more about how the ExtraHop system calculates round trip time on the ExtraHop forum (https://forums.extrahop.com/).

    AMF Server Request Transfer Time: When the device is acting as an HTTP-AMF server, the time between the ExtraHop system detecting the first packet and last packet of received requests. A high number might indicate a large request or network delay.

    AMF Server Server Processing Time: When the device is acting as an HTTP-AMF server, the time between the ExtraHop system detecting the last packet of the received request and first packet of the sent response.

    AMF Server Response Transfer Time: When the device is acting as an HTTP-AMF server, the time between the ExtraHop system detecting the first packet and last packet of sent responses. A high number might indicate a large response or network delay.

    Round Trip Time: The time between when an AMF server sent a packet that required an immediate acknowledgment and when the server received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    The Performance (95th percentile) chart shows the highest value for a time period while filtering outliers; the 95th percentile is the highest value that falls below 95% of the values for a sample period. By displaying the 95th value, rather than the true maximum, the chart gives you a more accurate view of the data:

    Performance (95th Percentile)
    If a server is acting slow, performance summary metrics can help you figure out whether the network or the server is causing the issue. The performance summary metrics show the 95th percentile amount of time the server took to process requests from clients versus the 95th percentile time that packets from those requests (and their respective responses) took to be transmitted across the network. High server processing times indicate that the server is slow. High RTTs indicate that the server is communicating over slow networks.

    Metric Description

    AMF Server Server Processing Time: When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.

    Round Trip Time: The time between when an AMF server sent a packet that required an immediate acknowledgment and when the server received the acknowledgment. Round trip time (RTT) is a measurement of network latency.
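
    The timing metrics, the 95th percentile, and the RTT-based triage described above can be reproduced from packet timestamps. The following Python sketch is an added example, not ExtraHop code; the field names, the nearest-rank percentile method, the sample data, and the 100 ms and 500 ms thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Metric names follow the reference; field names and thresholds are assumptions.
METRICS = ("request_transfer", "server_processing", "response_transfer", "rtt")

# Constructed sample: 19 ordinary processing times (ms) plus one outlier.
SAMPLE_PROC_MS = [700 + 10 * i for i in range(19)] + [9000]


@dataclass
class Transaction:
    """Times (ms) at which the monitoring point saw each packet."""
    req_first: float   # first packet of the request
    req_ack: float     # immediate acknowledgement of that first packet
    req_last: float    # last packet of the request
    rsp_first: float   # first packet of the response
    rsp_last: float    # last packet of the response

    @property
    def request_transfer(self):
        return self.req_last - self.req_first

    @property
    def server_processing(self):
        return self.rsp_first - self.req_last

    @property
    def response_transfer(self):
        return self.rsp_last - self.rsp_first

    @property
    def rtt(self):
        return self.req_ack - self.req_first


def percentile(values, pct=95):
    """Nearest-rank percentile (assumed method); integer math avoids float rounding."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, (pct * len(ordered) + 99) // 100)  # ceil(pct * n / 100)
    return ordered[rank - 1]


def summarize(txns):
    """95th percentile and true maximum for each timing metric."""
    summary = {}
    for name in METRICS:
        samples = [getattr(t, name) for t in txns]
        summary[name] = {"p95": percentile(samples, 95), "max": max(samples)}
    return summary


def triage(summary, rtt_high_ms=100, slow_ms=500):
    """Apply the reference's rule of thumb to the 95th percentile values."""
    slow = [m for m in METRICS[:3] if summary[m]["p95"] >= slow_ms]
    if not slow:
        return "healthy"
    if summary["rtt"]["p95"] < rtt_high_ms:
        return "device"        # high transfer/processing time, low RTT
    if len(slow) == 3:
        return "network"       # RTT, processing and transfer times all high
    return "inconclusive"


def build_sample(rtt, req_xfer, rsp_xfer, proc_times):
    """Constructed transactions, one starting every 1000 ms."""
    txns = []
    for i, proc in enumerate(proc_times):
        t0 = i * 1000
        req_last = t0 + req_xfer
        rsp_first = req_last + proc
        txns.append(Transaction(t0, t0 + rtt, req_last, rsp_first, rsp_first + rsp_xfer))
    return txns


if __name__ == "__main__":
    slow_server = summarize(build_sample(2, 5, 10, SAMPLE_PROC_MS))
    print(slow_server["server_processing"], triage(slow_server))
    slow_network = summarize(build_sample(250, 600, 800, SAMPLE_PROC_MS))
    print(slow_network["rtt"], triage(slow_network))
```

    With the constructed sample, the single 9000 ms outlier sets the maximum but not the 95th percentile, which is why the percentile chart is less sensitive to one-off spikes.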

    AMF Performance
    Server Processing Time Distribution

    This chart breaks out server processing times in a histogram to show the most common processing times.

    Metric Description

    AMF Server Server Processing Time: When the device is acting as an HTTP-AMF server, the time between the ExtraHop system detecting the last packet of the received request and first packet of the sent response.

    Server Processing Time
    This chart shows the median processing time for the server.

    Metric Description

    Server Processing Time: When the device is acting as an HTTP-AMF server, the time between the ExtraHop system detecting the last packet of the received request and first packet of the sent response.

    Round Trip Time Distribution
    This chart breaks out round trip times in a histogram to show the most common round trip times.

    Metric Description

    Round Trip Time: The time between when an AMF server sent a packet that required an immediate acknowledgment and when the server received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    Round Trip Time
    This chart shows the median round trip time for the server.

    Metric Description

    Round Trip Time: The time between when an AMF server sent a packet that required an immediate acknowledgment and when the server received the acknowledgment. Round trip time (RTT) is a measurement of network latency.

    Network Data

    This section shows you TCP information that is related to the current protocol. In general, host stalls indicate that there is an issue with either the server or the client, and network stalls indicate that there is an issue with the network.

    Host Stalls
    This chart shows the number of zero windows that were advertised or received by the device. Devices control the amount of data they receive by specifying the number of packets that can be sent to them over a given time period. When a device is sent more data than it can process, the device advertises a zero window to ask its peer device to stop sending packets completely until the device catches up. If you see a large number of zero windows, a server or client might not be fast enough to support the amount of data being received.

    Metric Definition

    Zero Windows In: The number of zero windows that were sent to the device to stop the flow of data over the connection. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows in indicates that a peer device was too slow to process the amount of data received.

    Zero Windows Out: The number of zero windows that were sent from the device to stop the flow of data. A device advertises a Zero Window when incoming data is arriving too quickly to be processed.

    A large number of zero windows out indicates that the client was too slow to process the amount of data received.

    Network Stalls
    This chart shows the number of retransmission timeouts that occurred. Retransmission timeouts (RTOs) occur when a network drops too many packets, usually due to packet collisions or buffer exhaustion. If a device sends a request or response and does not receive confirmation within a specified amount of time, the device retransmits the request. If too many retransmissions are unacknowledged, an RTO occurs. If you see a large number of RTOs, the network might be too slow to support the current level of activity.

    Metric Definition

    RTOs In: The number of retransmission timeouts (RTOs) caused by network congestion as peers were sending data to the current device. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs in, the device did not send an acknowledgement to the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    RTOs Out: The number of retransmission timeouts (RTOs) caused by network congestion as the device was sending data to its peers. An RTO is a 1-5 second stall in the TCP connection flow due to excessive retransmissions.

    If you see a large number of RTOs out, the device did not receive an acknowledgement from the server quickly enough, or the network might be too slow to support the current level of activity. Depending on the timeout value configured in the operating system, this delay can be anywhere from 1 to 8 seconds.

    AMF Metric Totals
    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, clients might be sending more requests than the server can handle or the network might be too slow. To identify whether the issue is with the network or the server, check RTOs and zero windows in the Network Data section.

    Note: It is unlikely that the total number of AMF requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric Description

    Requests: The number of requests that the device received when acting as an HTTP-AMF server.

    Responses: The number of responses that the device sent when acting as an HTTP-AMF server.

    Responses Without Length: The number of responses that had no length, that the device sent when acting as an HTTP-AMF server.

    Errors: The number of response errors that the device sent when acting as an HTTP-AMF server.

    Requests Without Length: The number of requests that had no length, that the device received when acting as an HTTP-AMF server.

    Request and Response Size
    This chart shows the average size of requests and responses.

    Metric Description

    Request Size: The distribution of sizes (in bytes) of requests that the device received when acting as an HTTP-AMF server.

    Response Size: The distribution of sizes (in bytes) of responses that the device sent when acting as an HTTP-AMF server.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see which servers returned the errors.
    • Search the Metric Explorer: Built-in protocol pages include the most commonly referenced metrics for a protocol, but you can see additional metrics in the Metric Explorer. Click any chart title on a protocol page and select Create chart from.... When the Metric Explorer opens, click Add Metric in the left pane to display a drop-down list of comprehensive metrics for the device. If you find an interesting metric, click Add to Dashboard to add the metric to a new or existing dashboard.
    • Create a custom metric: If you want to view a metric that is not included in the Metric Explorer, you can create a custom metric through a trigger. For more information, see the following resources:
      • Trigger walkthrough: Track HTTP 404 errors
      • Triggers
    • Check the Solution Bundles Gallery: Many bundles on the Solution Bundles Gallery contain custom metrics. Before you create your own custom metric, check to see if someone has already created a similar metric.

    AMF client group page

    FAQs about protocol pages

    • How do I export to Excel or CSV?
    • How do I create a PDF?
    • How do I sort metric values?
    • How do I modify this page?
    • How do I create an activity map?
    • How do I find peer devices?
    • How do I find detections?

    Learn about charts on this page

    • AMF Summary for Group
    • AMF Details for Group

    AMF Summary for Group
    Transactions

    This chart shows you when AMF errors occurred and how many responses the AMF clients received. This information can help you see how active the clients were at the time they received the errors.

    In a healthy environment, the number of requests and responses should be roughly equal. For more information, see the Metrics for Group section below.

    Metric Description

    Responses: The number of responses that the device received when acting as an HTTP-AMF client.

    Errors: The number of response errors that the device received when acting as an HTTP-AMF client.

    Total Transactions
    This chart shows you how many AMF responses the clients received and how many of those responses contained errors.

    Metric Description

    Responses: The number of responses that the device received when acting as an HTTP-AMF client.

    Metric Description

    Errors: The number of response errors that the device received when acting as an HTTP-AMF client.

    AMF Details for Group
    Top Group Members (AMF Clients)

    This chart shows which AMF clients in the group were most active by breaking out the total number of AMF requests the group sent by client.

    AMF Metrics for Group
    Total Requests and Responses

    Requests and responses represent the conversation taking place between clients and servers. If there are more requests than responses, the clients might be sending more requests than servers can handle or the network might be too slow.

    Note: It is unlikely that the total number of requests and responses will be exactly equal, even in a healthy environment. For example, you might be viewing a time period that captures a response to a request that was sent before the start of the time period. In general, the greater the difference between responses and errors, the greater the chance that there is an issue with those transactions.

    Metric Description

    Requests: The number of requests that the device sent when acting as an HTTP-AMF client.

    Responses: The number of responses that the device received when acting as an HTTP-AMF client.

    Responses Without Length: The number of responses that had no length, that the device received when acting as an HTTP-AMF client.

    Errors: The number of response errors that the device received when acting as an HTTP-AMF client.

    Requests Without Length: The number of requests that had no length, that the device sent when acting as an HTTP-AMF client.

    Server Processing Time
    If a client group is acting slow, the server processing time can help you figure out whether the issue is with the servers. The Server Processing Time chart shows the median amount of time servers took to process requests from the clients. High server processing times indicate that the clients are contacting slow servers.

    AMF Client Server Processing Time: When the device is acting as an HTTP-AMF client, the time between the ExtraHop system detecting the last packet of the sent request and the first packet of the received response.

    Where to look next

    • Drill down on a metric: You can get more information about a metric by clicking the metric value or name and selecting an option from the Drill down by menu. For example, if you are looking at the total number of errors, click the number and select Servers to see w