monitoring expert help needed

Status
Not open for further replies.

KaptainKirk

Technical User
May 25, 2003
5
US
Inexperienced networker needing help:

The following network system setup is running now. Client sends transmission over Internet (TCP/IP) to networking center where it is usually first received by proxy or router, which directs it to a central server at networking center. Central server then does some processing, and depending on the data, directs the transmission out over Internet to one of many business entities. Business entity does some processing on it, and then sends it back to central server, which then forwards it back to client. That process exists now. And it is "mission critical."

We are working on a helper application which will reside inside the firewall at the networking center, and which does some additional processing on the data, beyond what the central server is doing. Helper application is running on a Windows server, dedicated to that app. (Let's call it "Helper Server".) So now the idea is to change the setup a little bit and make it so that transmissions come in from Internet through the proxy/router and then to Helper Server. The application on Helper Server then does some processing on it. Depending on the results of the processing, Helper Server will then either redirect the transmission back to the client (source) or on to Central Server, which is probably nearby in the same facility. The processing that happens on Helper Server is helpful, but not mission critical. That is to say, if we have to take Helper Server down for a few minutes or even hours, it would not be terrible. However, if it were to fail, and not be able to forward transmissions to Central Server, then that would be a big problem.

For every transmission that goes into Helper Server, one transmission should come out. So, what I would like is to be able to monitor the transmissions going to Helper Server, and be sure that an equal number of transmissions come out from Helper Server. Remember that when the transmissions come from (out of) Helper Server, they can go one of two ways: either on to Central Server or back to client. Also, if we can monitor ratios, then that would be good. Let's say that we know that for every 100 transmissions that go to Helper Server, normally 80 are forwarded immediately on to Central Server and 20 are bounced back to the client for correcting. If suddenly it changes to 50% being bounced back, then we would think that something is wrong. Basically, we want to be able to monitor to make sure that Helper Server is not causing problems. And if it is causing problems, we would take it offline temporarily, directing the traffic away from it and back to Central Server, just skipping the Helper Server. It would be great if it could be taken offline and traffic directed to Central Server automatically, based on an Event or similar.

We do not want to add additional processing load to Central Server or to Helper Server, if at all possible. I thought that there was a way to do something like that with a Cisco or other switch that is running RMON or SNMP, but have not done it before, and am unsure of myself. What about that idea or any other ideas you have?
 
How do you think we might best set that up? I don't really want to put a sniffer on the Helper Server, because it does not need any more load. And that would mean that the Helper Server would be monitoring itself. So my first thought is that it would be better to have another device monitoring it.

But if I have to put another computer in the traffic flow, what happens if it goes out?

Is there a way to copy the data from a router over to another computer that would do the monitoring? So in other words, whatever the router hands off or receives from the Helper Server, it copies or mirrors that to the Monitoring Server. By copying the data over from the router, rather than actually routing the data through the monitoring computer, it seems safer. Then whatever sniffer monitoring program we use would not affect the system in any way.

Is that a good thought? And do you know of any free or very cheap programs which would meet our needs exactly, with no coding?
 
You have a lot of questions embedded in your last post as well as the original. I think there is even more than you realize.

Firstly, I am not a fan of "host-based" sniffers. I would use an appliance like Network Associates, or something. They are more accurate and reliable.

Secondly, it is important to know if you are in a switched or shared environment. If you are in a switched environment, what equipment? Cisco?

Steve

commsguy

 
Thanks for taking time to respond to me. I have the problems of little know-how and less money. I am not sure about what appliance you are talking about or how it could be used, or the price. But I have a feeling that I will be knocked out by the price.

Regarding the environment, it is not set. We are making an application to be used by other companies. We will set our server (the "Helper Server" described above) down inside their existing environment. Most will probably be switched. I have been thinking that we would need to bring in a router, if they don't have one, because it seems to me that we need NAT to pull it off more easily. That will allow us to direct the transmissions to the Helper Server, even though they were originally addressed to the company's central server, which I described in the first post. That will keep the company (whatever client that might be) from having to fiddle with IP addresses in their software settings.

Hope I didn't confuse things.
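
Added example, not part of any post in this thread: a sketch of the in/out and bounce-ratio check described in the first post, run on a separate Monitoring Server that receives a mirrored copy of Helper Server's traffic. The record format `(timestamp, src, dst)`, the IP addresses, thresholds and function names are assumptions, and it assumes replies from Central Server do not pass back through Helper Server.

```python
from collections import Counter, defaultdict

HELPER, CENTRAL = "10.0.0.20", "10.0.0.10"   # assumed addresses

def classify(src, dst):
    """Label one mirrored transmission relative to Helper Server."""
    if dst == HELPER:
        return "in"            # client -> Helper Server
    if src == HELPER and dst == CENTRAL:
        return "forwarded"     # Helper Server -> Central Server
    if src == HELPER:
        return "bounced"       # Helper Server -> back to client
    return None                # traffic that does not involve Helper Server

def check_windows(records, window_s=60, baseline_bounce=0.20,
                  bounce_tolerance=0.15, in_flight_slack=2):
    """Return {window_start: [alerts]} for windows that look unhealthy."""
    buckets = defaultdict(Counter)
    for ts, src, dst in records:
        label = classify(src, dst)
        if label:
            buckets[ts - ts % window_s][label] += 1
    alerts = {}
    for start in sorted(buckets):
        c = buckets[start]
        out = c["forwarded"] + c["bounced"]
        found = []
        # Transmissions still being processed at the window edge are tolerated.
        if c["in"] - out > in_flight_slack:
            found.append(f"lost: {c['in']} in, {out} out")
        if out and abs(c["bounced"] / out - baseline_bounce) > bounce_tolerance:
            found.append(f"bounce ratio {c['bounced'] / out:.0%}")
        if found:
            alerts[start] = found
    return alerts

def sample_records():
    """Constructed data: one healthy minute, one with 50% bounced, one losing traffic."""
    recs = []
    for start, fwd, bounced in [(0, 80, 20), (60, 50, 50), (120, 60, 15)]:
        recs += [(start + 1, "198.51.100.7", HELPER)] * 100
        recs += [(start + 2, HELPER, CENTRAL)] * fwd
        recs += [(start + 3, HELPER, "198.51.100.7")] * bounced
    return recs

if __name__ == "__main__":
    for start, found in check_windows(sample_records()).items():
        print(start, found)
```

A non-empty result for a window is the kind of event that could drive the bypass of Helper Server mentioned in the first post.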
 