Although most network analysis packages concentrate on the network fault-finding task, there's a common problem with corporate application performance issues – namely that although the first reaction to a performance issue is that there's a "network problem", the fault often lies somewhere above ISO layer 3. Yet the guy who looks after the switches and routers gets the call.

SuperAgent (actually an OEM version of an application by the same name from NetQoS, who have chosen not to market direct to European buyers) is an application performance monitor and analyser whose aim is to help organisations trace the real cause of their application performance problems.

SuperAgent comes as an appliance, on a familiar-looking 1U Dell server. It has both fibre and copper Gigabit adaptors, plus a pair of power sockets for resilience. The user interface is entirely browser-based, so there's no need to install anything on your PC to get going. Although it's useful in standalone applications, you can also have a number of SuperAgent "collector" devices scattered around various sites, which the SuperAgent master console can interrogate for information as required.

Although you can insert SuperAgent via a tap into a key network connection, most people will instead use a mirrored port on their main server switch – not least because this gives visibility of all of the traffic going through the switch, not just the packets on the cable they've chosen to tap into (think about it: if you hook into the cable that connects the server farm to your world, you'll see incoming and outgoing traffic but not inter-server stuff). The device listens passively and so it won't get in the way of your network traffic – though of course it may miss some packets if the aggregate throughput on the switch exceeds the capacity of the link between it and the SuperAgent collector.

Once you've turned it on, the device will simply soak up packets, ready for you to start examining them, either proactively or in response to a user's fault report. Once it's started to collect data, you can look at it from a number of angles – by overall performance, by device (you can collect clients and servers into groups – server farms, user groups, physical offices, and suchlike) or by application. The system understands a few common applications, such as Microsoft Exchange or Oracle, but defining your own is simply a case of giving it a name and telling it what TCP port(s) it uses.

Whichever you pick, you begin with some kind of graph showing behaviour in a very high-level overview. You can customise the time period you want to look at, or if you're looking at a "show all" view you can refine the criteria to concentrate on one or more specific devices or sites. So, if you're looking at a particular application, it'll show you a stacked graph of round-trip time, retransmission levels, data volumes, server response times and overall connection times. You're also given individual graphs of each item so you can see what's going on a little better. If you've chosen to aggregate a group of servers (e.g. a clump of Web or email servers) together, you can drill down from each graph to see what's going on with each server (so, if you had an unusually high response time for your Web servers, you could drill down and check whether your load balancer was allocating work evenly or whether one or two machines were getting an unfair load and were slowing things down).

As well as monitoring activity, SuperAgent can do some proactive work in the event that behaviour exceeds some kind of threshold (it will work out its own thresholds based on what it thinks is "normal" behaviour, but of course you can set your own if you wish). If a threshold is exceeded, the package can alert you. It is also able to perform some investigation work on your behalf, such as making an SNMP connection to an apparently dodgy server and asking for CPU usage figures.

Although SuperAgent is straightforward to use, its users should have a reasonable understanding of how TCP/IP and certain network applications work, in order to make sense of what the package is telling them. For instance, you might worry that an HTTP connection was hogging your server if you didn't understand what a persistent HTTP connection was and that it was meant to stay active for minutes instead of seconds. Not rocket science, but like anything in networking, it's easy to misinterpret what you're being told if you don't understand it properly.

Drawbacks

Although we're impressed with what SuperAgent does, in terms of monitoring and collating some very useful information and presenting it in the right way, we're a little disappointed by what it doesn't do. For instance, because it's TCP only, it doesn't do UDP traffic – DNS requests, that kind of thing. While this is understandable because of the way it works (much of the timing data is based on the SYN/ACK/FIN packets of TCP transmissions), it means that you can't do things like noticing that the DNS lookup part of the application is at fault. This is a shame, because it's not hard to figure out that a particular incoming DNS datagram is related to a particular outgoing one, and since other application performance analysers (notably Compuware's Application Expert) can do this kind of stuff, Fluke (and NetQoS) are missing a trick.

The other main drawback is that because it's a passive unit that doesn't rely on client software, it's not able to understand how communications might be grouped together into a single application session. For example, access to a Web Service might include a DNS request from A to B, an HTTPS access from A to C, a directory service lookup from C to D, a database request from C to E, a database response from E to C, then an HTTPS response from C to A. That said, it's not the end of the world, because at least all the information you'll need is there in SuperAgent – it's just not grouped together, and so you'll need to understand your applications in order to find what you need.

Downsides apart, though, SuperAgent is a useful package that is straightforward to use. Although not as versatile as its peers in some respects, it does have some benefits that other applications don't – not least that it's completely passive and you don't have to muck about installing client software on all your servers and workstations in order to monitor traffic.
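The DNS request/response pairing mentioned under Drawbacks, as an added example that is not part of the original review or of SuperAgent: it matches each response seen on a mirrored port to its query by client address, client port, server address and DNS transaction ID, then reports lookup time and unanswered queries. The packet tuples and the helper names (`build_dns`, `parse_dns`, `pair_dns`) are constructed for illustration.

```python
import struct

def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (header + one A/IN question) for the sample data."""
    flags = 0x8180 if response else 0x0100   # QR bit (0x8000) is set on responses
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_dns(payload):
    """Return (txid, is_response, qname) from a raw DNS-over-UDP payload, or None."""
    if len(payload) < 12:                     # shorter than a DNS header
        return None
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    labels, pos = [], 12
    while qdcount and pos < len(payload) and payload[pos]:
        n = payload[pos]
        if n & 0xC0 or pos + 1 + n > len(payload):   # pointer or truncated label
            return None
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return txid, bool(flags & 0x8000), ".".join(labels)

def pair_dns(packets):
    """Pair queries with responses; return (timings_ms, unanswered)."""
    pending, timings = {}, []
    for ts, src, sport, dst, dport, payload in packets:
        msg = parse_dns(payload)
        if msg is None:
            continue
        txid, is_response, qname = msg
        if not is_response and dport == 53:
            pending[(src, sport, dst, txid)] = (ts, qname)
        elif is_response and sport == 53:
            sent = pending.pop((dst, dport, src, txid), None)
            if sent and sent[1].lower() == qname.lower():
                timings.append((dst, qname, round((ts - sent[0]) * 1000, 1)))
    unanswered = sorted((k[0], q) for k, (_, q) in pending.items())
    return timings, unanswered

# Constructed sample capture: (time_s, src_ip, src_port, dst_ip, dst_port, udp_payload)
SAMPLE = [
    (0.000, "10.0.0.5", 40001, "10.0.0.53", 53, build_dns(0x1A2B, "app.example.com")),
    (0.010, "10.0.0.6", 40002, "10.0.0.53", 53, build_dns(0x1A2B, "db.example.com")),
    (0.012, "10.0.0.53", 53, "10.0.0.6", 40002, build_dns(0x1A2B, "db.example.com", True)),
    (0.020, "10.0.0.7", 40003, "10.0.0.53", 53, build_dns(0x0001, "mail.example.com")),
    (0.850, "10.0.0.53", 53, "10.0.0.5", 40001, build_dns(0x1A2B, "app.example.com", True)),
]

print(pair_dns(SAMPLE))
```

Two clients in the sample reuse the same transaction ID, which is why the key includes the client address and port rather than the ID alone.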


No network analysis package should be purchased by someone who doesn't properly understand what the program is telling them. Ensure, therefore, that you combine the purchase of your monitoring tools with appropriate training courses in order that you get the best from them.