You display system reports and user and system logs to evaluate performance or troubleshoot, including:

This section describes the report format basics, before describing individual reports.

All of the time-series reports are clear, interactive, and easy to navigate. The statistics presented in this report format are readily accessible, and all updates to the report window appear in real time. This section describes the report format in detail.

The time-series report format not only makes data easily accessible, but also enhances your ability to explore data in context. An example of a typical report appears in Figure: A Time-Series report, with the key areas labeled. For details about individual reports, see the report description.

The plot area is where the data visualization occurs. Reports can display either a single-pane or dual-pane layout. In a dual-pane layout, both panes remain synchronized with respect to the x-axis. Each pane is capable of having two y-axes (a primary one on the left and a secondary one on the right).

The reports present the majority of data series as simple line series graphs, but some reports display area series graphs where appropriate. The types of area series graphs are:

Mouse over a specific data point to see what the y values and exact time stamp are in relation to peaks.

To view the time stamp and value of each data series at that time, mouse over the plot area.

A tool tip displays the time stamp and the value of each data series at that time. The plot area colors the series names appropriately, and the data values have their associated units.

The plot area also displays subtle shading to denote work hours (white background) and nonwork hours (gray background). RiOS defines work hours as 8:00 AM to 5:00 PM (0800 to 1700) on weekdays. You can’t configure the work hours.

To zoom the plot area, mouse over the plot area, and then click and hold the left mouse button. Move the mouse left or right and release the left mouse button to zoom in.

Use the control panel to control how much data the chart displays, chart properties, and whether to view or hide the summary statistics.

To change the chart interval. Click a link: 5m (5 minutes), 1h (1 hour), 1d (1day), 1w (1 week), or All (all data). All data includes statistics for the last 30 days

If the current size of the chart window matches any of the links, that link appears in bold black text; the system ignores any clicks on that link. If the time duration represented by any of the links is greater than the total data range of the chart, those links are dimmed.

More window-related controls appear below the chart window interval links. These controls offer more precise control of the window and also display various window properties. From top to bottom:

All three text fields validate your input; if you enter text in an invalid format, an error message appears. If you enter valid text that is logically invalid (for example, an end time that comes before the current start time), an error message appears. With all three text fields, if the focus leaves the field (either because you click outside the field or press Tab), the chart window updates immediately with the new value. Pressing Enter while in one of these fields has the same effect.

Below the chart window controls is an optional section of custom, report-specific controls. The custom controls vary for each report. In Figure: A Time-Series report, the Bandwidth Optimization report displays Port and Direction drop-down lists.

When you change the value of a custom control, the system sends a new request for data to the server. During this time, the control panel is unavailable and an updating message appears on the chart. When the report receives a response, the system replaces the chart, populates it with the new data, and makes the control panel available again.

The chart legend correlates the data series names with line colors and contains a few other features.

You can hide or show individual data series. When a white check box icon appears next to the data series name, you can hide the series from the plot area.

To hide individual series from the plot area, clear the check box next to the data series name.

To display individual series in the plot area, select the check box next to the data series name.

You can’t toggle the visibility of all series, because it doesn’t always make sense to hide a series (for example, if there’s only one data series in the chart). For these series, a white check box doesn’t appear next to the series name. In Figure: A Time-Series report, you can hide the LAN Throughput and WAN Throughput series, but you can’t hide the Data Reduction series.

The legend also displays statistics. Each report defines any number of statistics for any of the data series in the chart. The system bases the statistics computation on the subset of each data series that is visible in the current chart window. The statistics display changes immediately if you change the chart window. The plot area reflects the changing chart window, as do the associated controls in the control panel.

The reports also support nonseries statistics (for example, composite statistics that incorporate the data from multiple data series); these statistics appear at the bottom of the legend, below all the series.

The three most popular statistics calculations are:

Directly above the scroll bar is the navigator, which shows a much smaller and simpler display of the data in the plot area. The navigator displays only one data series.

Use the navigator to navigate the entire range of chart data. The scroll bar at the bottom shows you which portion of the total data range is displayed in the plot area.

The navigator display can appear very different from the plot area display when an interesting or eye-catching series in the plot area isn’t the series in the navigator.

To resize the current chart window, move the handles on either side of the chart window in the navigator.

The charts have a minimum chart window size of five minutes, so if you resize the chart window to something smaller, the chart window springs back to the minimum size.

You can also click the data display portion of the navigator (not the scroll bar) and the chart window moves to wherever you clicked.

You can change report default settings to match your preferred style. When you customize any report-specific settings, the system immediately writes them to disk on the SteelHead. The system saves all of your custom settings, even after you log out, clear your browsing history, or close the browser. When you view the report again, your custom settings are intact.

The system saves the chart window. Whenever you change the chart window, the next time you view any report, the chart window is set to the last chart window used.

The Current Connections report displays the connections the SteelHead detects, including the connections that are passing through unoptimized.

You can search and customize the display using filters to list connections of interest. When you click Update, the report retrieves a listing of up to 500 real-time current connections. Navigating to the report or refreshing the page automatically updates the connections display.

The Current Connections report answers these questions:

You view the Current Connections report under Reports > Networking: Current Connections.

The summary gives you an at-a-glance hierarchical overview of the traffic the SteelHead detects. It displays the total connection numbers for various types of optimization, pass-through, and forwarding. It categorizes the optimized, established connections by type and displays the portion of the total connections each connection type represents.

When you click a connection type such as established, you select it and also drive the show statement in the query area to search for established connections and exclude the other types.

The connections summary displays these connection types:

The connections summary and the connections table convey a lot of information about connections the SteelHead is detecting. The best way to narrow your search is to filter and sort the report. The query area is where you select a simple or compound connection type for your search and optionally filter the results. The Show search control defines the contents of the connection summary and the connections table.

The simple connection search uses a match against a connection type to display only that type, and excludes the others. If you want to use more advanced criteria, such as including all connections that were started after a certain date, you can add one or more filters to achieve this.

To display a simple connection type, select a connection type from the drop-down list after Show:

Displays the total number of connections the SteelHead detects, including the connections that are passed through unoptimized. This selection removes any previous selections or filters.

Displays the total optimized, active connections.

Displays the total connections that were optimized packet-by-packet with SDR bandwidth optimization. These connections include TCP IPv4, TCP IPv6, and UDP IPv4, and UDP IPv6 connections.

In RiOS 8.5, you must enable packet-mode optimization to view UDP flows. To enable packet-mode optimization, choose Optimization > Network Services: General Service Settings.

In RiOS 8.5.x and later, you must enable path selection and packet-mode optimization to view optimized UDP flows. To enable path selection, choose Networking > Network Services: Path Selection.

Displays the total half-open active connections. A half-open connection is a TCP connection in which the connection has not been fully established. Half-open connections count toward the connection count limit on the SteelHead because, at any time, they might become a fully opened connection.

If you are experiencing a large number of half-open connections, consider a more appropriately sized SteelHead.

Displays the total half-closed active connections. Half-closed connections are connections that the SteelHead has intercepted and optimized but are in the process of becoming disconnected. These connections are counted toward the connection count limit on the SteelHead. (Half-closed connections might remain if the client or server doesn’t close its connections cleanly.)

If you are experiencing a large number of half-closed connections, consider a more appropriately sized SteelHead.

Displays the total number of connections forwarded by the connection-forwarding neighbor managing the connection.

Displays the total number of connections that were passed through unoptimized. You can view and sort these connections by intentional and unintentional pass-through in the individual connections table that follows the connections summary.

Displays the total number of terminated connections that were passed through unoptimized.

Displays the total number of packet-mode flows that were passed through unoptimized.

Displays the total number of connections that were intentionally passed through unoptimized.

Click Update.

Filters provide a powerful way to drill down into large numbers of connections by specifying either simple or complex filter criteria. Each filter further restricts the display.

When you customize filters, the system immediately writes them to disk on the SteelHead. The system saves all of your custom settings even after you log out, clear your browsing history, or close the browser. When you view the report again, your custom settings are intact. The system saves report settings on a per-user basis.

To filter the display, click Add. Select a filter from the drop-down list. Selecting some filters expands the query with a text input field for additional information. For example, selecting for application from the drop-down list displays a text input field for the application name. RiOS validates the text input fields as you enter the text (except when you enter a regular expression).

You can select any combination of these filters:

To add another filter, click add filter again. You can add up to eight filters; they’re logically ANDed together and are all active at any given time. Continue adding filters until your query is complete.

Click Update.

To delete a filter, click the delete filter icon.

The connections table displays more information about each connection, filtered by the show statement and any filters in the query area. The connections table can show up to 500 connections at a time; it lists the total of all matching connections in the upper-right corner. From this table, you can view more details about each connection and perform operations on it. For example, you can reset connections or send a keepalive message to the outer remote machine for an optimized connection (the machine that is connected to the SteelHead).

For details about the query area, see 2 - Query area.

Connections with IPv6 addresses are split into two rows to accommodate the long address. The report encloses IPv6 addresses in square brackets, and the source address, destination address, and other information appear in different columns.

Icons in the CT and Notes columns indicate the connection type and attributes. Mouse over an icon and reveal a tooltip identifying its meaning.

The individual connections table displays additional information about each connection. Because this report can list hundreds of transient connections, you can sort the table by column heading (except for the Notes column). For example, you can sort the connections by source IP address.

To sort the table by row, click the table column heading. The table contents reload, if necessary. Click the heading again to reverse the order. A small up or down triangle reflects the current bidirectional sort order.

The table contents reappear in the original display. For example, if you sort the display by a particular type, and there are more than 500 connections of that type, click the dice icon to return to the original display.

The connections table displays this information:

For information on removing an unknown SteelHead from the current connections list, see Preventing unwanted peering.

The Current Connections report displays details about the connected appliances, such as the source and destination IP address, the peer SteelHead, the inner local port, and so on. You can also perform these operations:

The report doesn’t allow the connection details to refresh automatically, because doing so could slow down the SteelHead; however, the connection age updates when you manually refresh the page.

You can view current connection details under Reports > Networking: Current Connections.

Click the arrow next to the connection in the connections table to see more details about an individual connection and perform operations on it. Because this report is a snapshot in time, by the time you click it, the connection could be gone or in a different state. Click Update to refresh the display.

To close the connection details report, click the close icon.

The expanded connection details vary, depending on the nature of the connection.

These fields summarize details about individual optimized connections. The fields that appear are dependent on the type of connection.

Shows the connection type icon and whether the connection is established, opening, or closing.

Shows the time since the connection was created.

Shows the application corresponding to the connection (for example, NFS). When Application Visibility is enabled, more detailed protocol information is shown for some applications. For example, HTTP-SharePoint appears as the WebDAV or FPSE protocols and Office 365 appears as MS-Office-365 instead of HTTP.

Displays the application protocol error, if one exists.

Shows the transport protocol name: for example, SSL inner.

Displays the transport protocol error, if one exists.

Shows the SSO user ID for Office 365 users.

Shows the SSO user domain for Office 365 users.

Displays whether this appliance is on the client side.

Shows the low-level protocol that RiOS is using inside the packet-mode channel. The protocol can be UDP, TCP, or variants.

Shows the SaaS application name, if one exists.

Shows the SaaS connection state, if a SaaS application is running (with the legacy cloud acceleration service).

Shows the QoS outbound class the connection is associated with when shaping is enabled. When the connection carries multiple classes, the report displays Variable.

Shows the DSCP marking value for the connection when marking is enabled, even if it is zero. The report displays the value from the inner ToS. When the connection carries multiple values, the report displays Variable.

When relevant, the Notes section displays several details that are binary in nature.

Shows the GeoDNS IP address that the SteelHead is using to optimize Office 365. The connection summary displays the original destination IP address.

Optimized connections might show the following notes:

Packet-mode optimized connections might show the following note:

Optimized, nonpacket mode connections might show the following notes:

SCPS connections show at least one of the following notes:

Optionally, to print the report, choose File > Print in your web browser to open the Print dialog box.

This list summarizes details about optimized and pass-through TCP connections using path selection. It displays the history of the three recent uplinks, in case the connection switches uplinks after an uplink goes down. This summary includes only nonpacket-mode flows.

You can filter based on connections for a specific path selection uplink name by entering the name into the matching regular expression filter.

Displays the number of bytes relayed if all uplinks are down.

Displays the number of bytes dropped if all uplinks are down.

Displays the number of bytes bypassed if all uplinks are down.

Displays the number of bytes reflected.

Displays the uplink name.

Displays the remote uplink name.

Displays whether the uplink is reachable (Up) or unreachable (Down).

Displays the time the connection started using the uplink.

Displays the total number of bytes transferred through the uplink.

The LAN kB value and this number don’t match. This value displays only the bytes using path selection on the WAN.

Displays the DSCP marking set for the uplink.

For details, see .

This list summarizes details about individual pass-through or forwarded connections:

Displays a connection type icon and whether the pass-through was intentional or unintentional. Displays the forwarded reduction percentage bar for forwarded connections.

Displays the time since the connection was created.

Displays the transport protocol name: for example, SSL inner.

Displays the application corresponding to the connection: for example, NFS.

Displays whether the connection is on the client side.

Displays whether the connection existed before the last restart of the optimization service.

Displays the reason for passing through or forwarding the connection.

This table shows the connection pass-through reasons.

This table shows the SaaS connection details.

This table lists the connection pass-through reasons for SaaS connections with the Legacy Cloud Accelerator service.

This section provides buttons that perform an operation on a single connection. It also provides a link to log information.

You can perform these operations:

For an optimized connection, sends a keepalive message to the outer remote machine (the machine that is connected to this appliance). This operation isn’t available for a pass-through connection. This button is dimmed for users logged in as a monitor user.

Retrieves the most recent data for the connection.

Sends an RST packet to both the client and server to close the connection. You can reset both optimized and pass-through connections. You can’t reset a forwarded connection.

If no data is being transferred between the client and server when you click Reset Connection, the connection isn’t reset immediately. It resets the next time the client or server tries to send a message. Therefore, when the application is idle, it might take a while for the connection to disappear.

This button is dimmed for users logged in as a monitor user.

Takes you to the System Logs page.

This section shows a graphical representation of the connection source-to-destination network topology and information associated with the different elements. This graphic varies depending on the connection type and is only relevant for optimized connections. It doesn’t appear for pass-through connections.

The topology shows this information:

This table shows raw tallies for LAN and WAN connections to summarize data about channel processing for a specific connection. The table varies by type of connection.

Use this table to answer questions such as:

This list provides an explanation for some of the fields:

Displays the total of transmitted LAN and WAN bytes.

Displays the total of transmitted WAN and LAN packets.

Displays the total of retransmitted WAN and LAN packets.

Displays the total fast-retransmitted packets. Fast retransmit reduces the time a sender waits before retransmitting a lost segment. If an acknowledgment isn’t received for a particular segment within a specified time (a function of the estimated round-trip delay time), the sender assumes the segment was lost in the network, and retransmits the segment.

Displays the number of packet transmissions that timed out because no ACK was received.

Displays number of unACKed packets permitted, adjusted automatically by the SteelHead, depending on WAN congestion.

The Connection History report summarizes connection history and shows connection counts for a variety of connection types for the time period specified.

Displays the total connections, including half-open, half-closed (where half-open and half-closed are TCP connection states), idle, established, and optimized.

Displays the total active connections that are established and optimized.

Displays the total connections passed through unoptimized.

Displays the total number of connections forwarded by the connection-forwarding neighbor managing the connection.

Displays the percentage of half-opened connections represented in the optimized connection total. A half-open connection is a TCP connection that has not been fully established. Half-open connections count toward the connection count limit on the SteelHead because, at any time, they might become a fully open connection.

If you are experiencing a large number of half-opened connections, consider a more appropriately sized SteelHead.

Displays the percentage of half-closed active connections represented in the optimized connection total. Half-closed connections are connections that the SteelHead has intercepted and optimized but are in the process of being disconnected. These connections are counted toward the connection count limit on the SteelHead. (Half-closed connections might remain if the client or server doesn’t close its connections cleanly.)

If you are experiencing a large number of half-closed connections, consider a more appropriately sized SteelHead.

The navigator shadows the optimized series.

The Connection History report answers these questions:

Mouse over a specific data point to see the values and exact time stamp.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the Connection History report under Reports > Networking: Connection History.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days.

Time intervals that don’t apply to a particular report are dimmed.

For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The Connection Forwarding report summarizes the data throughput between the SteelHead and a specified neighbor (or all neighbors).

Displays the throughput in bits per second. The navigator shadows the throughput series.

You configure neighbors when you enable connection forwarding.

The Connection Forwarding report answers this question:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the Connection Forwarding report under Reports > Networking: Connection Forwarding.

Use these options to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies a neighbor from the drop-down list or All to display all neighbors.

The Outbound QoS report summarizes the number of bits per second or packets per second transmitted for either a set of QoS classes (up to seven) or an aggregate total of all classes for the time period specified.

Upgrading from RiOS 8.0.x (or earlier) to version 9.0 or later changes the QoS statistics data. The Outbound QoS report will not show any statistics from a previous configuration. The Outbound QoS report answers these questions:

The Outbound QoS report might display this message for a traffic class even when QoS is shaping it.

This is because the report limits the data sample display to only the first 1000 classes. When a class falls beyond the first 1000 lines of classes, the report displays no data.

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled with a granularity of 5 minutes for the day, 1 hour for the last week, and 2 hours for the rest of the month.

You view the Outbound QoS report under Reports > Networking: Outbound QoS.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

Because the system aggregates data on the hour, request hourly time intervals. For example, setting a time interval to 08:30:00 to 09:30:00 from 2 days ago doesn’t create a data display, whereas setting a time interval to 08:00:00 to 09:00:00 from 2 days ago will display data.

When you request a custom time interval to view data beyond the aggregated granularity, the data is not visible because the system is no longer storing the data. For example, the following custom time intervals don’t return data because the system automatically aggregates data older than 7 days into 2-hour data points:

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies either packets/sec or bps from the drop-down list.

Specifies Total or Selected classes from the drop-down list. Selected classes lets you narrow the report by choosing from drop-down lists of classes and remote sites (up to seven). You can’t select a class or a class @ site more than once.

Click Update to change the QoS class selection without updating the chart.

When the report display includes the total classes, the data series appear as translucent; selected classes appear as opaque.

When the report display includes the total classes, the navigator shadows the total sent series. When the report display includes selected classes and remote sites, the navigator shadows the first nonempty sent series. A data series can be empty if you create a QoS class but it has not seen any traffic yet.

Selecting a parent class displays its child classes. For example, the report for an HTTP class with two child classes named WebApp1 and WebApp2 displays statistics for HTTP, WebApp1, and WebApp2.

When a selected class has descendant classes, the report aggregates the statistics for the entire tree of classes. It displays the aggregated tree statistics as belonging to the selected class.

The Top Talkers report displays the top talking hosts on a per-port basis for the time period specified. The traffic flows that generate the heaviest use of WAN bandwidth are known as the Top Talkers. This report provides WAN visibility for traffic analysis, security monitoring, accounting, load balancing, and capacity planning. It can include both optimized and pass-through traffic.

A traffic flow consists of data sent and received from a first single IP address and port number to a second single IP address and port number over the same protocol. Only traffic flows that start in the selected time period are shown in the report.

The Top Talkers report doesn’t include IPv6 traffic.

The Top Talkers report includes bytes used for packet headers and is an approximation based on various assumptions.

The Top Talkers report contains these statistics that summarize Top Talker activity:

Displays the relative position of the traffic flow WAN bandwidth use.

Displays the first IP address and port for the connection.

Displays the second IP address and port for the connection.

Displays the total number of bytes sent and received by the first IP address.

You can export this report in CSV format in the Export report. The CSV format allows you to easily import the statistics into spreadsheets and databases. You can open the CSV file in any text editor. For details, see Exporting performance statistics.

Flow Export must be enabled before viewing the Top Talker report.

The Top Talkers report answers this question:

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the Top Talkers report under Reports > Networking: Top Talkers.

Use these options to customize the report:

Specifies the report display from the drop-down list: By Conversation, By Sender, By Receiver, By Host, or By Application Port. The default setting is By Conversation.

Displays the traffic statistics for the past hour, the past 24 hours, or all available hours. All is the default setting, which displays statistics for the entire duration the SteelHead has gathered statistics. This duration can be up to 2 days, depending on how long the service has been up and the traffic volume. Select All, Last Hour, or Last Day from the drop-down list. The default setting is All.

Top Talker statistics aren’t persistent between service restarts.

Specifies y how many top pairs of IP addresses and ports with the highest total traffic (sent and received) appear in the report. Each pair shows the number of bytes and packets sent and received at IP address 1. The default value is 50.

You can export the complete list of top talkers to a file in CSV format using the Export report.

Specifies Both, TCP, or UDP from the drop-down list. The default value is Both.

Specifies Both, Optimized, or Passthrough from the drop-down list. The default value is Both.

Displays the report.

The Top Talkers data doesn’t exactly match the Traffic Summary data, the Bandwidth Optimization data, or specific connection data that appears when you select a particular connection in the Current Connections report. This variation is due to packet headers, packet retransmits, and other TCP/IP effects that flow export collectors see, but RiOS doesn’t. Consequently, the reports are proportional but not equivalent.

Select a Top Talkers report column heading to sort the column in ascending or descending order.

The Traffic Summary report provides a percentage breakdown of the amount of TCP traffic going through the system. For details about setting ports to be monitored, see About monitored ports.

The SteelHead automatically discovers all the ports in the system that have traffic. The discovered port and its label (if one exists) are added to the report. If a label doesn’t exist, an unknown label is added to the discovered port.

You can view optimization statistics for SaaS applications. This report lists the optimized traffic by SaaS application instead of by port number, and the ID for the SaaS application is listed in the Port column.

SaaS application statistics are not included with the overall statistics for port 443 and port 80.

When using a role-based management (RBM) user, ensure that the RBM user has at least Read-Only permissions for the Cloud Optimization role, or the user will not be able to view the SaaS application names.

To find the definition of the application ID that is listed in the Port column, open the Optimization > SaaS Accelerator page. The ID (for example, SFDC) and application name (for example, Salesforce.com) are listed in the Application ID and SaaS Application Control fields.

If you want to change the unknown label to a name representing the port, you must readd the port with a new label. All statistics for this new port label are preserved from the time the port was discovered.

The Traffic Summary report displays a maximum of 16 ports and pie slices for the traffic types comprising more than 0.005 percent of the total traffic (by destination port). When there are more than 16 ports, the report displays 15 individual ports and aggregates the remaining ports into the 16th slice. The 16th slice is always gray. Any ports aggregated into the 16th slice are also gray. Any traffic that comprises less than 0.005 percent of the total isn’t included in the Traffic Summary report, but is aggregated into the Bandwidth Optimization report.

The Traffic Summary report provides these statistics that describe data activity for the application and the time period you specify:

Displays the TCP/IP port number and application for each row of statistics. For SaaS applications, the word “Custom” and the application name is displayed instead of a port number.

Displays the amount of application data reduction.

Displays the amount of application data on the LAN.

Displays the amount of application data on the WAN.

Calculates LAN-side data to indicate the percentage of the total traffic each port represents.

The Traffic Summary report answers these questions:

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The Traffic Summary report displays these data granularities:

You view the Traffic Summary report under Reports > Networking: Traffic Summary.

These options are available to customize the report:

Specifies a period of Last Minute, Last 5 Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, enter the Start Time and End Time and click Go. Use this format: yyyy/mm/dd hh:mm:ss

Specifies a traffic type of Optimized, Pass Through, or Both from the drop-down list.

Specifies a traffic direction from the drop-down list:

Specifies a refresh rate from the drop-down list:

Go displays the report.

The WAN Throughput report summarizes the WAN throughput for the time period specified. In standard in-path and virtual in-path deployments, the throughput is an aggregation of all data the system transmits out of all WAN interfaces. In a server-side out-of-path configuration, the report summarizes all data the system transmits out of the primary interface. You must choose Networking > Network Services: Flow Statistics and enable WAN Throughput Statistics to view data in this report. WAN throughput statistics are enabled by default.

The WAN Throughput report doesn’t include any traffic that is hardware bypassed, either by an in-path interface in hardware bypass, or the portion of traffic that is bypassed by hardware-assist rules on supported Fiber 10 Gigabit-Ethernet in-path cards.

The WAN Throughput report includes a WAN link throughput graph that provides these statistics describing data activity for the time period you specify:

Displays the peak data activity.

Displays the average and total throughput. RiOS calculates the WAN average at each data point by taking the number of bytes transferred, converting that to bits, and then dividing by the granularity. For instance, if the system reports 100 bytes for a data point with a 10-second granularity, RiOS calculates:

100 bytes * 8 bits/byte / 10 seconds = 80 bps

This calculation means that 80 bps was the average throughput over that 10-second period.

The total throughput shows the data amount transferred during the displayed time interval.

The average that appears below the Average Throughput is an average of all displayed averages.

The navigator shadows the Peak throughput series.

In some configurations, RiOS transmits LAN traffic out of WAN interfaces: for example, virtual in-path deployments and deployments using the default gateway on the WAN side without simplified routing. In such deployments, you can configure subnet side rules to decide which channel traffic isn’t destined for the WAN.

The WAN Throughput report answers these questions:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled with a granularity of 5 minutes for the day, 1 hour for the last week, and 2 hours for the rest of the month.

You view the WAN Throughput report under Reports > Optimization: WAN Throughput.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days.

Time intervals that don’t apply to a particular report are dimmed.

For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

Because the system aggregates data on the hour, request hourly time intervals. For example, setting a time interval to 08:30:00 to 09:30:00 from 2 days ago doesn’t create a data display, whereas setting a time interval to 08:00:00 to 09:00:00 from 2 days ago will display data.

When you request a custom time interval to view data beyond the aggregated granularity, the data is not visible because the system is no longer storing the data. For example, these custom time intervals don’t return data because the system automatically aggregates data older than 7 days into 2-hour data points:

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The Application Statistics report provides a tabular summary or a graph of the traffic flowing through a SteelHead for the time period specified. You can view up to seven applications in a stacked view.

You must enable application visibility on the Networking > Network Services: Flow Statistics page before the Application Statistics report can gather and display statistics.

RiOS collects application statistics for all data transmitted out of the WAN and primary interfaces and commits samples every 5 minutes. Let the system collect statistics awhile to view the most meaningful data display. The Application Statistics report includes these statistics for each listed application, traffic direction, and the time period you specify:

Displays the average data activity in all flows of an application in bits per second. The minimum sample granularity is 5 minutes.

Displays the average trended throughput in all traffic flows of an application in bits per second. This data series indicates how bandwidth intensive an application is per user or flow.

RiOS calculates the WAN average at each data point by taking the number of bytes transferred, converting that to bits, and then dividing by the granularity.

For instance, if the system reports 100 bytes for a data point with a 10-second granularity, RiOS calculates:

100 bytes * 8 bits/byte / 10 seconds = 80 bps

This calculation means that 80 bps was the average throughput over that 10-second period.

Displays the peak data activity in bits per second. For larger granularity data points, this represents the largest 5 minute average within. For 5 minutes, this is the same as the average.

Displays the peak trended data activity per traffic flow in bits per second. This peak is the largest per flow 5-minute bps within a larger sample.

This report displays applications within their protocol hierarchy. For example, Facebook appears as TCP > HTTP > Facebook.

This report lists unrecognized applications by their server port. For example, TCP > Unknown (port 5001).

The Application Statistics report answers this question:

While viewing the application statistics in a graph, mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the Application Statistics report under Reports > Networking: Application Statistics

Click View graphs of the applications selected below to switch from a tabular display to a graph.

These options are available to customize the report:

Specifies a period of Last 5 Minutes, Last Hour, Last Day, Last Week, Last Month, or Custom from the drop-down list. For Custom, enter the Start Time and End Time and click Go. Use this format:
yyyy/mm/dd hh:mm:ss

Specifies a protocol or application name (for example, TCP, LDAP, SharePoint) to show only the selection. You can select only one filter at a time. For example, if the report is filtering on UDP and you click TCP, the report displays all TCP entries and clears the UDP filter.

Specifies the traffic direction from the drop-down list. The default is outbound LAN > WAN traffic.

Specifies an interface from the drop-down list. The default is all WAN and primary interfaces.

Updates the chart without updating the application selection.

The Application Visibility report summarizes the traffic flowing through a SteelHead classified by the application for the time period specified. This report provides application level visibility into layer-7 and shows the application dynamics for pass-through and optimized traffic.

You must enable application visibility on the Networking > Network Services: Flow Statistics page before the Application Visibility report can gather and display statistics. Application Visibility is enabled by default. For details, see About flow statistics. This report doesn’t include IPv6 traffic.

The Application Visibility report includes these statistics for each listed application, traffic direction, and the time period you specify:

Displays the throughput for all traffic flows in bits per second. The minimum sample granularity is 5 minutes.

Displays the throughput per traffic flow in bits-per-second.

RiOS calculates the WAN average at each data point by taking the number of bytes transferred, converting that to bits, and then dividing by the granularity.

For instance, if the system reports 100 bytes for a data point with a 10-second granularity, RiOS calculates:

100 bytes * 8 bits/byte / 10 seconds = 80 bps

This calculation means that 80 bps was the average throughput over that 10-second period.

The navigator shadows the Per-flow throughput series.

The Application Visibility report answers this question:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the Application Visibility report under Reports > Networking: Application Visibility.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies an interface from the drop-down list. The default is all interfaces.

Specifies the traffic direction from the drop-down list. The default is outbound LAN > WAN traffic.

Specifies the application name. Type the first characters in the application name. When the application name and definition appears, select it from the list. You can select up to seven applications.

Click Update Chart to update the chart without changing the application selection.

The Interface Counters report summarizes the statistics for the interfaces. It also displays the IP address, speed, duplex, MAC address, and current status of each interface.

This report includes interfaces configured with IPv6 addresses.

For automatically negotiated speed and duplex settings, the Interface Counters report displays the speed at which they’re negotiated.

Interface statistics display the data accumulated since the last reboot.

The Interface Counters report displays these statistics:

Displays the IP address (if application) for the interface.

Displays the MAC address, speed, and duplex setting for interface. Use this information to troubleshoot speed and duplex problems. Make sure the speed for the SteelHead matches the WAN or LAN interfaces. We recommend setting the speed to 100 and duplex to full.

Displays true or false to indicate whether the link is up or down.

Displays the total number of packets, packets discarded, errors encountered, packets overrun, frames sent, and multicast packets sent.

Displays the total number of packets, packets discarded, errors encountered, packets overrun, carriers used, and collisions encountered.

If you have multiple two-port or four-port bypass cards installed, the Reports > Networking: Interface Counters report displays the interface statistics for each LAN and WAN port.

The Interface Counters report answers these questions:

You view interface counters under Reports > Networking: Interface Counters.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The TCP Statistics report summarizes TCP statistics for the appliance.

The TCP Statistics report contains these statistics that summarize TCP activity:

Displays the total packets received.

Displays the total TCP packets sent.

Displays the total TCP packets retransmitted.

Displays the total TCP packets fast retransmitted. Fast retransmit is an enhancement to TCP which reduces the time a sender waits before retransmitting a lost segment. If an acknowledgment isn’t received for a particular segment within a specified time (a function of the estimated round-trip delay time), the sender assumes the segment was lost in the network, and retransmits the segment.

Displays the number of time-outs.

Displays the total number of loss events.

The TCP Statistics report answers these questions:

You view the TCP Statistics report under Reports > Networking: TCP Statistics.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The Latency Detected Peers report displays the connections that are optimized and the connections that are passed through due to latency detection for peers of the appliance.

You can view the following information about peer appliances with low-latency connections:

Displays the hostname or IP address of the latency-detected peer appliance.

Displays the amount of latency between the selected appliance and the peer in milliseconds.

Displays the number of optimized connections between the selected appliance and the peer.

Displays the number of passthrough connections between the selected appliance and the peer.

Displays the state of the peer (Optimized or Passthrough) based on the current latency between the selected appliance and the peer.

The Latency Detected Peers report answers these questions:

You view the Latency Detected Peers report under Reports > Networking: Latency Detected Peers.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The Optimized Throughput report summarizes the throughput for the port, traffic direction, and time period specified. You can view optimization statistics for SaaS applications. This report lists the optimized traffic by SaaS application instead of by port number, and the ID for the SaaS application is listed in the Port column.

SaaS application statistics are not included with the overall statistics for port 443 and port 80.

When using a role-based management (RBM) user, ensure that the RBM user has at least Read-Only permissions for the Cloud Optimization role, or the user will not be able to view the SaaS application names.

To find the definition of the application ID that is listed in the Port column, open the Optimization > SaaS Accelerator page. The ID (for example, SFDC) and application name (for example, Salesforce.com) are listed in the Application ID and SaaS Application Control fields.

The Optimized Throughput report includes LAN and WAN link throughput graphs that include these statistics describing data activity for the port, traffic direction, and the time period you specify:

Displays the peak data activity.

Displays the 95th percentile for data activity. The 95th percentile is calculated by taking the peak of the lower 95 percent of inbound and outbound throughput samples.

Displays the average throughput.

RiOS calculates the LAN average at each data point by taking the number of bytes transferred, converting that to bits, and then dividing by the granularity.

For instance, if the system reports 100 bytes for a data point with a 10-second granularity, RiOS calculates:

100 bytes * 8 bits/byte / 10 seconds = 80 bps

This calculation means that 80 bps was the average throughput over that 10-second period.

The average that appears below the LAN Average is an average of all displayed averages.

Displays the peak data activity.

Displays the 95th percentile for data activity. The 95th percentile is calculated by taking the peak of the lower 95 percent of inbound and outbound throughput samples.

Displays the average throughput. RiOS calculates the WAN average at each data point by taking the number of bytes transferred, converting that to bits, and then dividing by the granularity. For instance, if the system reports 100 bytes for a data point with a 10-second granularity, RiOS calculates:

100 bytes * 8 bits/byte / 10 seconds = 80 bps

This calculation means that 80 bps was the average throughput over that 10-second period.

The average that appears below the WAN Average is an average of all displayed averages.

The navigator shadows the WAN Peak series.

The Optimized Throughput report answers these questions:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The system reports on performance for periods up to one month. However, due to performance and disk space considerations, data representation in reports for periods longer than the last 5 minutes are interpolated from aggregate data points. The Optimized Throughput report displays these data granularities:

You view the Optimized Throughput report under Reports > Optimization: Optimized Throughput.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days.

Time intervals that don’t apply to a particular report are dimmed.

For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

Because the system aggregates data on the hour, request hourly time intervals. For example, setting a time interval to 08:30:00 to 09:30:00 from 2 days ago doesn’t create a data display, whereas setting a time interval to 08:00:00 to 09:00:00 from 2 days ago will display data.

When you request a custom time interval to view data beyond the aggregated granularity, the data is not visible because the system is no longer storing the data. For example, these custom time intervals don’t return data because the system automatically aggregates data older than 7 days into 2-hour data points:

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies a traffic direction from the drop-down list:

Specifies a port or All to display all of the TCP ports on which the SteelHead has seen traffic. The list appends the port name to the number where available.

If your SteelHead appliance is SaaS-enabled, select the SaaS application from the drop-down list. To see the definition of the SaaS application (for example, SFDC in the drop-down list refers to Salesforce.com), log in to the Cloud Portal. The application names and acronyms are listed in the SaaS Services Summary pane.

The Bandwidth Optimization report summarizes the overall inbound and outbound bandwidth improvements on your network. You can create reports according to the time period, port, and traffic direction of your choice.

Starting with RiOS 9.5, you can view optimization statistics for SaaS applications. This report lists the optimized traffic by SaaS application instead of by port number, and the ID for the SaaS application is listed in the Port column.

SaaS application statistics are not included with the overall statistics for port 443 and port 80.

When using a role-based management (RBM) user, ensure that the RBM user has at least Read-Only permissions for the Cloud Optimization role, or the user will not be able to view the SaaS application names.

To find the definition of the application ID that is listed in the Port column, open the Optimization > SaaS Accelerator page. The ID (for example, SFDC) and application name (for example, Salesforce.com) are listed in the Application ID and SaaS Application Control fields.

The Bandwidth Optimization report includes these statistics describing bandwidth activity for the time period you specify:

Displays the peak and total decrease of data transmitted over the WAN, according to this calculation:

which displays the capacity increase x-factor below the peak and total data reduction percentages.

Depending on which direction you select, specifies one of these traffic flows:

The navigator shadows the data reduction series.

The Bandwidth Optimization report answers these questions:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled with a granularity of 5 minutes for the day, 1 hour for the last week, and 2 hours for the rest of the month.

You view the Bandwidth Optimization report under Reports > Optimization: Bandwidth Optimization.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 week (1w), All, or type a custom date. All includes statistics for the past 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format:
yyyy/mm/dd hh:mm:ss

Because the system aggregates data on the hour, request hourly time intervals. For example, setting a time interval to 08:30:00 to 09:30:00 from 2 days ago doesn’t create a data display, whereas setting a time interval to 08:00:00 to 09:00:00 from 2 days ago will display data.

When you request a custom time interval to view data beyond the aggregated granularity, the data is not visible because the system is no longer storing the data. For example, these custom time intervals don’t return data because the system automatically aggregates data older than 7 days into 2-hour data points:

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies a port or All to select all ports from the drop-down list.

If your SteelHead appliance is SaaS-enabled, select the SaaS application from the drop-down list. To see the definition of the SaaS application (for example, SFDC in the drop-down list refers to Salesforce.com), log in to the Cloud Portal. The application names and acronyms are listed in the SaaS Services Summary pane.

Specifies a traffic direction (Bi-Directional, WAN to LAN, or LAN to WAN) from the drop-down list.

The Peer Optimization report summarizes the statistics tracked for each peer SteelHead. This report isolates measurements to a specific SteelHead peer or can show an aggregate of all peers.

You view the Peer Optimization report under Reports > Optimization: Peer Optimization.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 week (1w), All, or type a custom date. All includes statistics for the past 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format:
yyyy/mm/dd hh:mm:ss

Selection can range from an individual peer to an aggregate of all peer SteelHeads. The available selections are composed from the individual peers that have statistics recorded.

After a system restart, the hostnames of connected peers may display as “Peer-nnn” for a short amount of time before the hostnames refresh.

Shows LAN and WAN measurements of connected peers.

Is the value computed during the inner channel TCP setup. It reflects the “ping” time of the inner channel at that time.

Is a derived value constructed to present a time based measurement reflecting how the data reduction provided by a SteelHead can translate into user time savings. The number divides the measured RTT by the data reduction factor, like so: ERTT = RTT * (WAN_Bytes/LAN_Bytes)

The Peers report summarizes the peer SteelHeads. You can view peer SteelHead Mobile appliances as well. The Peers report contains these statistics that summarize connection peer activity:

Displays the name of the peer appliance.

Displays the IP address of the peer appliance.

Displays the appliance model.

Displays the appliance version.

Displays the current appliance licenses.

The report includes both connected and unconnected peers. The connected icon appears next to a connected peer. A dimmed icon indicates that the peer is disconnected.

For details about configuring peering, see About Peering, Autodiscovery, In-Path Rules, and Service Ports.

The Peers report answers these questions:

You view the Peers report under Reports > Optimization: Peers.

To view only connected peers, select the Hide Disconnected Peers check box. To view only SteelHead peers and hide the SteelHead Mobile peers, select the Hide SteelHead Mobile Controller Peers check box.

Select a report column heading to sort the column in ascending or descending order.

To open the Management Console for a peer, click the peer name or IP address.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The NFS report shows the rates of responses for NFS optimizations for the time period specified. The NFS report contains these statistics that summarize NFS activity:

Displays the number of NFS calls that were responded to locally.

Displays the number of NFS calls that were responded to remotely (that is, calls that traversed the WAN to the NFS server).

Displays the delayed calls that were responded to locally but not immediately (for example, reads that were delayed while a read ahead was occurring and that were responded to from the data in the read ahead).

The NFS report answers these questions:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the NFS report under Reports > Optimization: NFS.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The SSL report displays the SSL requested and established connection rate for the time period specified. The SSL report contains the information listed in this table.

The SSL report contains this information:

Displays the rate of requested SSL connections.

Displays the rate established SSL connections.

The navigator shadows the requested connection rate series.

The SSL report answers these questions:

Mouse over a specific data point to see what the y values and exact time stamp were in relation to peaks.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled. The data is collected at a 5-minute granularity for the entire month.

You view the SSL report under Reports > Optimization: SSL.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

This report is available under Reports > Optimization: HTTP Cache.

This report shows the hit rates for cacheable requests, requests served from the cache, cacheable responses, and responses saved to cache. This report applies only to client-side appliances.

The Data Store Status report summarizes the current status and state of the RiOS data store synchronization process.

If you have enabled data store synchronization, this report summarizes the state of the replication process. For details, see About data store synchronization.

The Data Store Status report contains these statistics that summarize data store activity:

Indicates the status of the connection between the synchronized SteelHeads.

Indicates the status of transferring data between the synchronized SteelHeads. Catch-Up is used for synchronizing data that was not synchronized during the Keep-Up phase.

Indicates the status of transferring new incoming data between the synchronized SteelHeads.

Data Store Percentage Used (Since Last Clear) displays the percentage of the RiOS data store that is used.

The Data Store Status report answers these questions:

You view the Data Store Status report under Reports > Optimization: Data Store Status.

These options are available to customize the reports:

Specifies a refresh rate from the drop-down list:

Displays the report.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The Data Store SDR-Adaptive report summarizes:

You must enable the SDR-Adaptive setting before creating this report.

The report contains these statistics that summarize RiOS data store adaptive compression activity, shown as a percent of total SDR data:

Displays the adaptive compression occurring due to disk/CPU pressure.

Displays the adaptive compression occurring due to the in-path rule.

Displays the in-memory SDR due to disk/CPU pressure.

Displays the maximum in-memory SDR due to the in-path rule.

The navigator shadows the compression-only due to disk/CPU pressure series.

The Data Store SDR-Adaptive report answers this question:

You view the Data Store SDR-Adaptive report under Reports > Optimization: Data Store SDR-Adaptive.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can view the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The Data Store Disk Load report summarizes the RiOS data store disk load due to SDR only as related to the benchmarked capacity of the RiOS data store. Consider any value under 90 as healthy. Any value higher than a sustained load over 90 is considered high and might indicate disk pressure. A red line with shading appears at the top of the report to indicate the threshold of 90 and above. When a value is consistently higher than 90, contact Support for guidance on reconfiguring the RiOS data store to alleviate disk pressure. The report contains this statistic that summarizes the RiOS data store disk load:

Displays the RiOS data store disk load.

The Data Store Disk Load report answers these questions:

You view the Data Store Disk Load report under Reports > Optimization: Data Store Disk Load.

The Alarm Status report provides status for the SteelHead alarms.

The SteelHead tracks key hardware and software metrics and alerts you of any potential problems so you can quickly discover and diagnose issues.

RiOS groups certain alarms into top-level categories, such as the SSL Settings alarm. When an alarm triggers, its parent expands to provide more information. For example, the System Disk Full top-level alarm aggregates over multiple partitions. If a specific partition is full, the System Disk Full alarm triggers and the Alarm Status report displays more information regarding which partition caused the alarm to trigger.

The health of an appliance falls into one of these states:

The Alarm Status report includes this alarm information.

The Alarm Status report answers this question:

You view the Alarm Status report under Reports > Diagnostics: Alarm Status. Alternately, you can select the current system status that appears in the status box in the upper-left corner of each page (Healthy, Admission Control, Degraded, or Critical) to display the Alarm Status page.

To print the report, choose File > Print in your web browser to open the Print dialog box.

The CPU Utilization report summarizes the percentage of all of the CPU cores used in the system within the time period specified. You can display individual cores or an overall average, or both. Typically, a SteelHead operates on approximately 30 to 40 percent CPU capacity during nonpeak hours and approximately 60 to 70 percent capacity during peak hours. No single SteelHead CPU usage should exceed 90 percent.

The CPU Utilization report answers these questions:

Mouse over a specific data point to see the values and exact time stamp.

You view the CPU Utilization report under Reports > Diagnostics: CPU Utilization.

These options are available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can quickly see the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

Specifies one of these displays from the drop-down menu:

The Memory Paging report provides the rate at which memory pages are swapped out to disk. The Memory Page report includes this statistic that describes memory paging activity for the time period you specify:

Specifies the total number of pages swapped per second. If 100 pages are swapped approximately every two hours, the SteelHead is functioning properly. If thousands of pages are swapped every few minutes, contact Support.

The Memory Paging report answers this question:

Mouse over a specific data point to see the values and exact time stamp.

You view the Memory Paging report under Reports > Diagnostics: Memory Paging.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss.

You can quickly see the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The TCP Memory report simplifies the analysis of unexplainable throughput degradations, stalled and timed-out connections, and other network-related problems by providing the history of the TCP memory consumption and any TCP memory pressure events detected during network traffic processing. Use this report to gather preliminary information before calling Support to troubleshoot an issue. The TCP Memory report includes two graphs. The TCP usage graph provides the absolute number of memory bytes allocated by the TCP subsystem. This graph includes these statistics that describe TCP memory activity for the time period you specify:

Displays the maximum amount of memory bytes that the TCP stack can allocate for its needs.

Displays the number of memory bytes allocated until the TCP memory allocation subsystem doesn’t apply memory-saving mechanisms and rules. As soon as the TCP memory consumption reaches the cutoff limit, the TCP stack enters a “memory pressure” state. This state applies several important limitations that restrict memory use by incoming and transmitted packets. In practice, this means that part of the incoming packets can be discarded, and user space code is limited in its abilities to send data.

Displays the lower boundary of TCP memory consumption, when the memory pressure state is cleared and the TCP stack can use the regular memory allocation approach again.

Displays the average memory consumption by the TCP/IP stack.

Displays the maximum percentage of time that the kernel has spent under TCP memory pressure.

The navigator shadows the memory usage series.

In many cases, even an insignificant increase in network traffic can cause TCP memory pressure, leading to negative consequences. There are many conditions that can cause TCP memory pressure events. However, all of them can be sorted into these two categories to identify the bottleneck in the data transfer chain:

The TCP Memory report answers these questions:

Mouse over a specific data point to see the values and exact time stamp.

The Riverbed system reports on performance for periods up to one month. Due to performance and disk space considerations, the display granularity decreases with time passed since the data was sampled with a granularity of 5 minutes for the day, 1 hour for the last week, and 2 hours for the rest of the month.

You view the TCP Memory report under Reports > Diagnostics: TCP Memory.

This option is available to customize the report:

Specifies a report time interval of 5 minutes (5m), 1 hour (1h), 1 day (1d), 1 week (1w), All, or type a custom date. All includes statistics for the last 30 days. Time intervals that don’t apply to a particular report are dimmed. For a custom time interval, enter the start time and end time using this format: yyyy/mm/dd hh:mm:ss

You can quickly see the newest data and see data points as they’re added to the chart dynamically. To display the newest data, click Show newest data.

The Disk Status report appears on Fault Tolerant Storage (FTS) enabled SteelHead models to alert you to a disk failure or recovery. SteelHeads using Solid-State Disk (SSD) technology to store optimization data also use FTS. FTS technology is a high-performance alternative to RAID and has these benefits:

A disk failure or recovery can occur when the optimization service is:

The Disk Status report includes this information:

Displays the disk number.

Displays the disk status:

Displays the system component the disk is used for: either data store or management. If the disk is used for both, the task column doesn’t appear.

The Disk Status report answers these questions:

You view the Disk Status report under Reports > Diagnostics: Disk Status to display the Disk Status page. This menu item appears only on SteelHead models using Solid State Disks (SSDs).

To print the report, choose File > Print in your web browser to open the Print dialog box.

The System Details report takes a current snapshot of the system to provide a one-stop report you can use to check for any issues with the SteelHead. The report examines key system components. For example, the CPU and memory. Use this report to gather preliminary system information before calling Support to troubleshoot an issue.

To view the reports, choose Reports > Diagnostics: System Details.

Displays the SteelHead module. Select a module name to view details. A right arrow to the left of a module indicates that the report includes detailed information about a submodule. Click the arrow to view submodule details.

This report examines these modules:

Displays one of these results:

The System Details report answers this question:

You view the System Details report under Reports > Diagnostics: System Details.

To print the report, choose File > Print in your web browser to open the Print dialog box.

You can run diagnostic tests on SteelHead connectivity under Reports > Diagnostics: Network Health Check.

The network health check provides a convenient way to troubleshoot connectivity issues by running a set of general diagnostic tests. Viewing the test results can pinpoint any issues with appliance connectivity and significantly speed problem resolution.

These configuration options are available:

Determines if each configured gateway is connected correctly. Run this test to ping each configured gateway address with 4 packets and record the number of failed or successful replies. The test passes if all 4 packets are acknowledged. The default packet size is 64 bytes.

If the test fails and all packets are lost, ensure the gateway IP address is correct and the SteelHead is on the correct network segment. If the gateway is reachable from another source, check the connections between the SteelHead and the gateway.

If the test fails and only some packets are lost, check your duplex settings and other network conditions that might cause dropped packets.

Ensures that the WAN and LAN cables on the SteelHead are connected to the LAN and WAN of the network. The test enumerates the results by interface (one row entry per pair of bypass interfaces). By default, this test is disabled.

Certain network topologies might cause an incorrect result for this test. For the following topologies, we recommend that you confirm the test result manually:

If the test fails, ensure a straight-through cable is not in use between an appliance port and a router, or that a crossover cable is not in use between an appliance port and a switch.

Determines if the speed and duplex settings match on each side of the selected interface. If one side is different from the other, then traffic is sent at different rates on each side, causing a great deal of collision. This test runs the ping utility for 5 seconds with a packet size of 2500 bytes against the interface.

The test passes if the system acknowledges 100 percent of the packets and receives responses from all packets. If any packets are lost, the test fails.

If the test fails, ensure the speed and duplex settings of the appliance's Ethernet interface matches that of the switch ports to which it’s connected.

The test output records the percentage of any lost packets and number of collisions.

For accurate test results, traffic must be running through the SteelHead.

Sends a test probe to a specified peer and await the probe response. If a response is not received, the test fails.

To view the current peer appliances, choose Reports > Optimization: Peers.

Notes:

If the test fails, ensure that there are no firewalls, IDS/IPS, VPNs, or other security devices that might be stripping or dropping connection packets between SteelHeads.

Determines whether a specified IP address and optional port is correctly connected. If you specify only an IP address, the test sends an ICMP message to the IP address. If you specify a port number, the test telnets to the port.

If the test fails, ensure that dynamic or static routing on your network is correctly configured and that the remote network is reachable from hosts on the same local subnet as this appliance.

Runs the selected tests.

Displays or hides the test results.

The Last Run column displays the time and date the last test was run.

The Status column displays Initializing temporarily while the page loads. When the test starts, the Status column displays Running, and then the test result appears in the Results column.

The Results column displays one of these test results:

You view diagnostic test results under Reports > Diagnostics: Network Health Check.

Under the test name, click View Test Output.

To print the test results, click View Test Output and choose File > Print in your web browser to open the Print dialog box.

You run Windows domain diagnostic tests on a SteelHead in the Reports > Diagnostics: Domain Health Check page.

The RiOS Windows domain health check executes a variety of tests that provide diagnostics about the status of domain membership, both manual and automatic constrained delegation, and DNS resolution. This information enables you to resolve issues quickly.

Before running domain diagnostic delegation tests, choose Optimization > Active Directory: Auto Config or Optimization > Active Directory: Service Accounts to configure a Windows user account that you can use for delegation purposes. The Windows domain health check on the SteelHead doesn’t create the delegate user; the Windows domain administrator must create the account in advance. For details, see About Active Directory easy configuration.

You run domain health tests under Reports > Diagnostics: Domain Health Check.

Checks SteelHead DNS settings, which must be correct for Windows domain authentication, SMB signing, SMB2/3 signing, and encrypted MAPI optimization. A test status appears for the most recent test run: Passed, Failed, or Undetermined.

Confirms that the SteelHead is correctly joined to the Windows domain by verifying that the domain join configuration of the SteelHead is valid on the backend domain controller in Active Directory. A test status appears for the most recent test run: Passed, Failed, or Undetermined.

Checks whether an account has the necessary Active Directory privileges for delegation or automatic delegation. A test status appears for the most recent test run: Passed, Failed, or Undetermined.

Confirms delegation privileges for a particular server by verifying that the correct privileges are set to perform constrained delegation. Within SMB signing, SMB2/3 signing, and encrypted MAPI in delegation mode, the SteelHead and the AD environment must have correct privileges to obtain Kerberos tickets for the CIFS or Exchange Server and perform the subsequent authentication. A test status appears for the most recent test run: Passed, Failed, or Undetermined.

Tests whether NTLM can successfully authenticate a user to the joined domain. A test status appears for the most recent test run: Passed, Failed, or Undetermined.

This section describes common problems that can occur when joining a Windows domain.

The number one cause of failing to join a domain is a significant difference in the system time on the Windows domain controller and the SteelHead. When the time on the domain controller and the SteelHead don’t match, this error message appears:

We recommend using NTP time synchronization to synchronize the client and server clocks. It is critical that the SteelHead time is the same as on the Active Directory controller. Sometimes an NTP server is down or inaccessible, in which case there can be a time difference. You can also disable NTP if it isn’t being used and manually set the time. You must also verify that the time zone is correct. For details, see About the date and time settings.

Select the primary DNS IP address to view the Networking > Networking: Host Settings page.

A domain join can fail when the DNS server returns an invalid IP address for the Domain Controller. When a DNS misconfiguration occurs during an attempt to join a domain, these error messages appear:

Additionally, the Domain Join alarm triggers and messages similar to these appear in the logs:

When you encounter this error, choose Networking > Networking: Host Settings and verify that the DNS settings are correct.

After you deploy a SteelHead, you might want to verify its optimization and disk usage performance before using it in a production environment. You can run tests that benchmark the SteelHead performance against that of other Riverbed products from the Reports > Diagnostics: Benchmarks page. Test results indicate the highest model SteelHead that can run on the hardware supporting the tested appliance.

This performance test appears only on SteelHead appliances.

A group is a collection of one or more tests. You can only select and run a group of tests but not individual tests. The tool provides two groups, one for benchmarking the storage devices (sequential writes, random reads), and one for benchmarking the RiOS optimization service (mixed traffic).

The Sequential Write or Random Read benchmark tests emulate common disk use on the storage devices. Running these tests clears all data from the RiOS data store.

For details on SteelHead, see the SteelHead User Guide.

You view hardware capabilities under Reports > Diagnostics: Benchmarks.

If the optimization service is running, click Stop. Alternatively, you can stop the optimization service on the Administration > Maintenance: Reboot/Shutdown page.

Select the tests that you want to run. Click Run Selected Tests.

The tool runs only one test at a time, and queues the others. When a test completes, the tool pulls the next test from the queue and starts it.

When every test in a group completes, you can put the group back into the queue immediately without having to wait for any running test from another group to complete.

While the test runs, you can freely navigate to another page and come back to view the test results. You can also start the tests using the CLI and then return to the Benchmarks page to monitor the results.

The Last Run column displays the time and date the last test was run. The Duration column displays how long, from start to finish, it took to run the test.

When the test starts, the Status column displays Running, and then Done. The test result appears in the Results column.

The Status column might also show Queued for test that will run according to their sequence in the queue, Error for tests that encountered an error while running, and Timed Out, which indicates the test was stopped before it completed.

The Results column displays a list of Riverbed product models that this appliance qualifies; that is, it matches or exceeds performance. The list sorts the qualified models in descending order (best to worst)

An empty list indicates that the hardware under performs all Riverbed models, and this message appears:

This appliance is out performed by all similar appliances in Riverbed's product line.

SteelHead log reports provide a high-level view of network activity. You can view both user and system logs.

You can view user logs in the Reports > Diagnostics: User Logs page. The user log filters messages from the system log to display messages that are of immediate use to the system administrator.

View user logs to monitor system activity and to troubleshoot problems. For example, you can monitor who logged in, who logged out, and who entered particular CLI commands, alarms, and errors. The most recent log events are listed first.

You view and customize user logs under Reports > Diagnostics: User Logs.

These options are available to customize the report:

Specifies one of the archived logs or Current Log from the drop-down list.

Specifies the number of lines you want to display in the page.

Specifies one of these options from the drop-down list:

Specifies one of these filtering options from the drop-down list:

Displays the report.

To print the report, choose File > Print in your web browser to open the Print dialog box.

You can continuously display new lines as the log grows and appends new data.

You view a continuous log under Reports > Diagnostics: User Logs.

Click Launch Continuous Log in the upper-right corner of the page.

If the continuous log doesn’t appear after clicking Launch Continuous Log, a pair of SteelHeads might be optimizing HTTP traffic between the user's web browser and the primary or auxiliary interface of the SteelHead for which the user is viewing the log, and they’re buffering the HTTP response.

To display the continuous log, you can switch to HTTPS because the SteelHeads will not optimize HTTPS traffic. Alternatively, you can configure the other SteelHeads to pass-through traffic on the primary or auxiliary interfaces for port 80.

You can view system logs in the Reports: Diagnostics: System Logs page. View System logs to monitor system activity and to troubleshoot problems. The most recent log events are listed first.

You customize system logs under Reports > Diagnostics: System Logs.

The options are available to customize the report:

Specifies one of the archived logs or Current Log from the drop-down list.

Specifies the number of lines you want to display in the page.

Specifies one of these options from the drop-down list:

Specifies one of these filtering options from the drop-down list:

Displays the report.

To print the report, choose File > Print in your web browser to open the Print dialog box.

You view a continuous log under Reports > Diagnostics: System Logs.

Click Launch Continuous Log in the upper-right corner of the page.

If the continuous log doesn’t appear after clicking Launch Continuous Log, a pair of SteelHeads might be optimizing the HTTP traffic between the user's web browser and the primary or auxiliary interface of the SteelHead for which the user is viewing the log, and they’re buffering the HTTP response.

To display the continuous log, you can switch to HTTPS because the SteelHeads will not optimize HTTPS traffic. You might want to configure the other SteelHeads to pass-through traffic on the primary or auxiliary interface

This section describes how to download user and system log files.

You can download both user and system logs.

You can download user logs under Reports > Diagnostics: User Logs Download. Download user logs to monitor system activity and to troubleshoot problems.

The User Logs Download page displays up to 10 archived log files plus the current day log file. By default, the system rotates each file every 24 hours or if the file size reaches one Gigabyte uncompressed. You can change this to rotate every week or month in the Administration: System Settings > Logging page. Additionally, you can rotate the files based on file size.

The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log # 1, and starts a new current-day log file.

Click the log name in the Download Plain Text column or the Download Compressed column.

Open or save the log (these procedures vary depending on which browser you are using).

Click Rotate Logs to manually archive the current log to a numbered archived log file and then clear the log so that it is empty again.

When you click Rotate Logs, your archived file #1 contains data for a partial day because you are writing a new log before the current 24-hour period is complete.

You can download system logs under Reports > Diagnostics: System Logs Download. Download system logs to monitor system activity and to troubleshoot problems.

The System Logs Download page displays up to 10 archived log files plus the current day log file. By default, the system rotates each file every 24 hours or if the file size reaches one Gigabyte uncompressed. You can change this to rotate every week or month in the Administration: System Settings > Logging page. Additionally, you can rotate the files based on file size.

The automatic rotation of system logs deletes your oldest log file, labeled as Archived log #10, pushes the current log to Archived log # 1, and starts a new current-day log file.

Click the log name in the Download Plain Text column or the Download Compressed column.

Open or save the log (these procedures vary depending on which browser you are using).

Click Rotate Logs to manually archive the current log to a numbered archived log file and then clear the log so that it is empty again.

When you click Rotate Logs, your archived file #1 contains data for a partial day because you are writing a new log before the current 24-hour period is complete.

You can generate, display, and download system dumps under Reports > Diagnostics: System Dumps. A system dump contains a copy of the kernel data on the system. System dump files can help you diagnose problems in the system.

Under Generate System Dump, select the type of information to include in the report:

Click Generate System Dump.

Because generating a system dump can take a while, a spinner appears during the system dump creation. When the system dump is complete, its name appears in the list of links to download.

You view system dump files under Reports > Diagnostics: System Dumps.

Click Download to view a previously saved system dump.

Select the filename to open a file or save the file to disk.

To remove a log, select the check box next to the name and click Remove Selected.

To print the report, choose File > Print in your web browser to open the Print dialog box.

You can upload a system dump file to Riverbed Support under Reports > Diagnostics: System Dumps.

Select the filename. Optionally, specify a case number that corresponds to the system dump. We recommend using a case number: for example, 194170. You can also enter the CLI command file debug dump upload URL to specify a URL instead of a case number. When you specify a URL, the dump file goes directly to the URL.

If the URL points to a directory on the upload server, it must have a trailing forward slash (/).

For example:

ftp://ftp.riverbed.com/incoming/

(not ftp://ftp.riverbed.com/incoming)

The filename as it exists on the appliance will then match the filename on the upload server.

For details, see the Riverbed Command-Line Interface Reference Guide.

Click Upload.

Because uploading a system dump can take a while, the status appears during the upload. When the system dump finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red). An explanation appears for uploads that fail.

You can display and download process dumps under Reports > Diagnostics: Process Dumps. A process dump is a saved copy of memory including the contents of all memory, bytes, hardware registers, and status indicators. Process dumps are written for any process that crashes, on both physical and virtual appliances.

Process dumps aren’t written with any specific frequency during normal operation, they’re only written on demand, should a process crash for some reason.

Process dump files can help you diagnose problems in the system.

Select the filename to open a file or save the file to disk.

To remove an entry, select the check box next to the name and click Remove Selected.

To download a process dump file, choose Reports > Diagnostics: Process Dumps

Click Download to receive a copy of the previously saved process dump.

To upload a process dump file to Riverbed Support, choose Reports > Diagnostics: Process Dumps. Optionally, specify a case number that corresponds to the process dump. We recommend using a case number: for example, 194170. You can also enter the CLI command file process dump upload URL to specify a URL instead of a case number. When you specify a URL, the dump file goes directly to the URL.

If the URL points to a directory on the upload server, it must have a trailing forward slash (/).

For example:

ftp://ftp.riverbed.com/incoming/

(not ftp://ftp.riverbed.com/incoming)

The filename as it exists on the appliance will then match the filename on the upload server.

For details, see the Riverbed Command-Line Interface Reference Guide.

Click Upload.

Because uploading a process dump can take a while, a progress bar appears during the upload. When the process dump finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red) are indicated. An explanation appears for uploads that fail.

You can create, download, and upload TCP dump (capture) files under Reports > Diagnostics: TCP Dumps.

Capture files contain summary information for every internet packet received or transmitted on the interface to help diagnose problems in the system.

RiOS provides an easy way to create and retrieve multiple capture files from the Management Console. You can create capture files from multiple interfaces at the same time, limit the size of the capture file, and schedule a specific date and time to create a capture file. Scheduling and limiting a capture file by time or size allows unattended captures.

You can’t upload a capture file to the SteelHead using Packet Analyzer.

The top of the TCP Dumps page displays a list of existing capture files and the bottom of the page displays controls to create a capture file. The bottom of the page also includes the capture files that are currently being generated, and the controls to create a trigger that stops a capture when a specific event occurs. The Running Capture Name list includes captures running at a particular time. It includes captures started manually and also any captures that were scheduled previously and are now running.

Starting with RiOS 9.6, the SteelHead appliance detects Interceptors in your network, and automatically customizes the displays nder Reports > Diagnostics: TCP Dumps to make them specific to Interceptor deployments. Instead of entering IP addresses and ports to capture traffic flows between a client-side and server-side SteelHead, enter information for either the client-side or server-side SteelHead only. When TCP dumps are generated, the SteelHead appliance creates a dump file for the traffic flows on the SteelHead connections you specify.

You can enter additional parameters to limit the size of the dump; the other fields on this page are unchanged.

If there are IPv6 extension headers in the original data packet that originated from the client or server, IPv6 packets are not captured.

These configuration options are available. (Some choices appear only if you have a Interceptor in your network deployment.)

Displays the controls for creating a capture file.

Specifies the name of the capture file. Use a unique filename to prevent overwriting an existing capture file. The default filename uses this format:

hostname_interface_timestamp.cap

hostname is the hostname of the SteelHead, interface is the name of the interface selected for the trace (for example, lan0_0, wan0_0), and timestamp is in this format: yyyy-mm-dd-hh-ss

If this capture file relates to an open Riverbed Support case, specify the capture filename case_number where number is your Riverbed Support case number: for example, case_12345.

The .cap file extension isn’t included with the filename when it appears in the capture queue.

Specifies IP addresses and port numbers to capture packets between them:

—and—

To capture traffic flowing in only one direction or to enter a custom command, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Guide.

Select Interceptor Location—Select either Client or Server. Your choice determines the endpoints you can specify. The endpoints are IP addresses and port numbers in your network.

If you select Client:

If you select Server:

Capture Inner Channel Data—Select this check box to capture all inner and redirected traffic between the Interceptor and SteelHead for the specified IP address and port. This check box is deselected by default.

Appliance IP address—Specify the in-path IP address of the local SteelHead.

Service Port—Specify the service port of the local SteelHead. The default service port number is 7800.

To capture traffic flowing in only one direction or to enter a custom command, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Guide.

Captures packet traces on the selected interfaces. You can select all interfaces or a base or in-path interface. The default setting is none. You must specify a capture interface.

If you select several interfaces at a time, the data is automatically placed into separate capture files.

When path selection is enabled, we recommend that you collect packet traces on all LAN and WAN interfaces.

Captures information about dot1q VLAN traffic. You can match traffic based on VLAN-tagged or untagged packets, or both. You can also filter by port number or host IP address and include or exclude ARP packets. Select one of these parameters for capturing VLAN packets:

Specifies a positive integer to set how long the capture runs, in seconds. The default value is 30. Specify 0 or continuous to initiate a continuous trace.

For continuous capture, we recommend specifying a maximum capture size and a nonzero rotate file number to limit the size of the TCP dump.

Specifies the maximum capture file size in megabytes. The default value is 100. After the file reaches the maximum capture size, TCP dump starts writing capture data into the next file, limited by the Number of Files to Rotate field. We recommend a maximum capture file size of 1024 MB (1 GB).

Specifies the maximum amount of data, in kilobytes, allowed to queue while awaiting processing by the capture file. The default value is 154 kilobytes.

Specifies the snap length value for the capture file or specify a custom value. The snap length equals the number of bytes the report captures for each packet. Having a snap length smaller than the maximum packet size on the network enables you to store more packets, but you might not be able to inspect the full packet content.

Select 65535 for a full packet capture (recommended for CIFS, MAPI, and SSL captures). The default value is 1518 bytes.

When using jumbo frames, we recommend selecting 9018. The default custom value is 16383 bytes.

Specifies how many capture files to keep for each interface before overwriting the oldest file. To stop file rotation, you can specify 0; however, we recommend rotating files, because stopping the rotation can fill the disk partition.

This control limits the number of files created to the specified number and begins overwriting files from the beginning, thus creating a rotating buffer.

The default value is 5. The maximum value is 2147483647.

Specifies custom flags as additional statements within the filter expression. Custom flags are added to the end of the expression created from the Endpoints fields and the Capture Parameters radio buttons (pertaining to VLANs).

If you require an “and” statement between the expression created from other fields and the expression that you are entering in the custom flags field, you must include the “and” statement at the start of the custom flags field.

Do not use host, src, or dst statements in the custom flags field. Although it is possible in trivial cases to get these statements to start without a syntax error, they don’t capture GRE-encapsulated packets that some modes of SteelHead communications use, such as WCCP deployments or Interceptor connection-setup traffic. We recommend using bidirectional filters by specifying endpoints.

For complete control of your filter expression, use the CLI tcpdump command. For details, see the Riverbed Command-Line Interface Reference Guide.

For examples, see Custom flag use examples.

Schedule Dump

Schedules the capture to run at a later date and time.

Start Date

Specifies a date to initiate the capture, in this format: yyyy/mm/dd

Specifies a time to initiate the capture, in this format: hh:mm:ss

If the tcpdump command results in a syntax error with an immediate or scheduled TCP dump, this message appears:

Review the system log to see the full tcpdump command attempt. Check the expression for issues such as a missing “and” statement as well as contradictory instructions such as looking for VLAN-tagged traffic and nontagged traffic.

The examples in this table focus on the custom flag entry but rely on other fields to create a complete filter.

The examples in this table focus on the custom flag entry but rely on other fields to create a complete filter.

To build expressions for TCP dump, IPv6 filtering doesn’t currently support the TCP, UDP, and other upper-layer protocol types that IPv4 does. Also, these IPv6 examples are based on the assumption that only a single IPv6 header is present.

Capture files offer visibility into intermittent network issues, but the amount of traffic they capture can be overwhelming. Also, because rotating logs is common, after a capture logs an event, the SteelHead log rotation can overwrite debugging information specific to the event.

RiOS 8.5.x and later make troubleshooting easier because they provide a trigger that can stop a continuous capture after a specific log event occurs. The result is a smaller file to help pinpoint what makes the event happen.

The stop trigger continuously scans the system logs for a search pattern. When it finds a match, it stops all running captures.

You can stop a capture after a specific log event under Reports > Diagnostics: TCP Dumps.

Schedule a capture.

In the Pattern text box, enter a Perl regular expression (regex) to find in a log. RiOS compares the Perl regex against each new line in the system logs and the trigger stops if it finds a match.

The simplest regex is a word or a string of characters. For example, if you set the pattern to “Limit,” the trigger matches the line “Connection Limit Reached.”

Notes:

Specify the amount of time to pause before stopping all running captures when RiOS finds a match. The time delay gives the system some time to log more data without abruptly cutting off the capture. The default is 30 seconds. Specify 0 for no delay; the capture stops immediately.

After a trigger has fired, the capture can stop by itself before the delay expires. For example, the capture duration can expire.

Click Start Scan.

When the scan stops, RiOS sends an email to all email addresses on the Administration: System Settings > Email page appearing under Report Events via Email. The email notifies users that the trigger has fired.

The page indicates “Last Triggered: Never” if a TCP Dump stop trigger has never triggered on the SteelHead. After the delay duration of the stop trigger, RiOS displays the last triggered time.

Before changing the Perl regular expression or amount of delay, you must first stop the process.

To stop a running scan, click Stop Scan to halt the background process that monitors the system logs. RiOS dims this button when the stop trigger is idling.

These limitations apply to the stop trigger:

The top of the TCP Dumps page displays a list of existing captures.

You can view a capture file under Reports > Diagnostics: TCP Dumps.

Under Stored TCP Dumps, select the capture name to open the file.

Click Download to view a previously saved capture file.

To remove a capture file, select the check box next to the name and click Remove Selected.

You can print a capture file under Reports > Diagnostics: TCP Dumps.

Under Download Link, select the capture filename to open the file.

When the file opens, choose File > Print in your web browser to open the Print dialog box.

You can stop a running capture under Reports > Diagnostics: TCP Dumps.

Select the capture filename in the Running Capture Name list.

Click Stop Selected Captures.

Riverbed offers a way to upload capture files to the support server for sharing with the support team while diagnosing issues.

You can upload the capture file to Support in continuous mode on the TCP Dumps page. Select the running capture and click Stop Selected Captures.

For timed captures that are complete, skip to Step 2.

The capture appears as a download link in the list of Stored TCP Dumps.

Select the capture filename.

Optionally, specify a case number that corresponds to the capture. We recommend using a case number: for example, 194170.

To specify a URL instead of a case number, you must use the CLI. You can enter the CLI command file tcpdump upload url. When you specify a URL, the capture file goes directly to the URL.

If the URL points to a directory on the upload server, it must have a trailing forward slash (/).

For example:

ftp://ftp.riverbed.com/incoming/

(not ftp://ftp.riverbed.com/incoming)

The filename as it exists on the appliance will then match the filename on the upload server.

For details, see the Riverbed Command-Line Interface Reference Guide.

Click Upload.

Because uploading a capture file can take a while, a progress bar displays the percentage of the total upload completed, the case number (if applicable), and the date and time the upload began. When the capture file finishes uploading, the date, time, and a status of either uploaded (appears in green) or failed (appears in red) are indicated.

Successful uploads show the status, the case number (if applicable), and the date and time the upload finished.

For uploads that fail, an explanation, the case number (if applicable), and the upload starting date and time appear.

You export performance statistics in CSV format under Reports > Report Data: Export. The CSV format allows you to easily import the statistics into spreadsheets and databases. You can open the CSV file in any text editor.

The CSV file contains commented lines (comments beginning with the # character) at the beginning of the file. These comments report what host generated the file, the report that was generated, time boundaries, the time the export occurred, and the version of the SteelHead the file was exported from. The statistical values are provided in columns: the first column is the date and time of the statistic sample, and the columns that follow contain the data.

These options are available to customize the report:

Specifies the type of report you want to export from the drop-down list.

Specifies a report time interval of custom, last five minutes, last hour, last day, last week, or last month.

Sends the report to an email address.

Specifies the email address of the recipient.

Exports the report data.

The In-Path Rule Statistics report displays statistics for in-path rules.

The In-Path Rule Statistics report answers these questions:

This report provides you with the following data:

You can view the In-Path Rule Statistics report under Reports > Rules Statistics: In-Path Rule Statistics.

These statistics summarize the in-path rule activity:

Indicates the in-path rule ID. This ID corresponds to the Rule ID in the Optimization > Network Services: In-Path Rules page.

Provides a summary of the rule's attributes.

Provides a description that corresponds to the optional Description field for the rule in the Optimization > Network Services: In-Path Rules page.

Indicates the number of hits the rule has received.

Indicates the last time the in-path rule was matched.

Indicates the last time the counter was cleared.

Indicates the time that the rule was created.

Indicates the hostname of the machine from where the user has logged in.

Indicates the SteelHead user ID of the user that created the rule (for example, admin).

Clears the statistics.

(Applies only if you specify a pass-through in-path rule.) Indicates whether emails are sent when one or more pass-through in-path rules are configured. Reminder emails are also sent every 15 days.

To enable email notifications, verify the following additional changes:

Indicates if the rule applies latency-detection passthrough.

Optionally, select Clear Stats to clear statistics for a single in-path rule. To clear all in-path rule statistics, select the Clear All Statistics check box, and then click Submit.