Coradiant provides insight on Web performance
Posted: 09.19.05
Many Web administrators live in a state of blissful ignorance, unaware of the true health and performance of a Web site until users complain. Coradiant's TrueSight 1100 appliance actively monitors actual Web site traffic, giving Web managers a heads-up on problems before their users do.
The TrueSight device needs to be strategically installed in the delivery network to capture the appropriate data. This data capture is accomplished via a network tap, a mirrored port on a switch, or a similar feature on a load-balancing device. We were disappointed the device did not contain its own network tap for easy installation.
Initial setup -- done with a command line interface via a serial connection -- is minimal and requires basic network settings, port information to later administer the box via the Web interface, and a master security officer password for the box. Although the appliance's security posture is relatively strong in general, you can set a relatively weak password here.
The Web interface lets you enable the device to begin logging traffic. Data collected can be downloaded to a local system for offline analysis or sent via SNMP to any monitoring system. Various session and user detection parameters can be set so captured traffic can be reassembled into a logical view of user activity. To do this you need to make sure your sites have distinguishing items to easily identify users.
However, because you might not always be fully aware of the range of changes in monitored Web applications, it would be helpful for the device to monitor traffic for new session-oriented cookies and URL patterns, and to alert you to apply them. If you are going to monitor static Web sites, you have to rely on timing and IP addresses to identify user patterns.
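The session detection described above, as an added sketch that is not Coradiant's code: requests carrying a session cookie are grouped by its value, and cookie-less (static site) traffic falls back to client IP plus an idle timeout. The cookie name, the timeout and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

SESSION_COOKIE = "JSESSIONID"  # assumed name of the site's session cookie
IDLE_TIMEOUT = 1800            # seconds; assumed cut-off for cookie-less traffic

# Constructed sample: (timestamp, client_ip, cookies, path), already time-ordered.
SAMPLE = [
    (0, "203.0.113.7", {"JSESSIONID": "A"}, "/login"),
    (5, "203.0.113.7", {"JSESSIONID": "B"}, "/login"),   # second user, same NAT address
    (10, "203.0.113.7", {"JSESSIONID": "A"}, "/cart"),
    (20, "198.51.100.9", {}, "/index.html"),             # static site, no cookie
    (60, "198.51.100.9", {}, "/about.html"),
    (4000, "198.51.100.9", {}, "/index.html"),           # same IP after a long gap
]


@dataclass
class Session:
    key: str
    requests: list = field(default_factory=list)


def sessionize(records, cookie=SESSION_COOKIE, idle=IDLE_TIMEOUT):
    """Reassemble time-ordered request records into per-user sessions."""
    sessions = []
    by_cookie = {}  # cookie value -> Session
    by_ip = {}      # client IP -> (Session, last_seen) for cookie-less traffic
    for ts, ip, cookies, path in records:
        sid = cookies.get(cookie)
        if sid:
            sess = by_cookie.get(sid)
            if sess is None:
                sess = by_cookie[sid] = Session(f"cookie:{sid}")
                sessions.append(sess)
        else:
            sess, last = by_ip.get(ip, (None, None))
            if sess is None or ts - last > idle:
                sess = Session(f"ip:{ip}@{ts}")  # new visit from this address
                sessions.append(sess)
            by_ip[ip] = (sess, ts)
        sess.requests.append((ts, path))
    return sessions
```

The cookie path separates the two users behind 203.0.113.7; the IP-and-timing fallback would have merged them, which is why the review asks for distinguishing items on each site.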
The TrueSight box collects potentially sensitive user data, and Coradiant does a reasonable job in securing the appliance. Access to the Web console is forced via SSL, and the box enforces very strong passwords. But we would have liked to see easily accessible usage reports and a richer ability to define access privileges for users.
Configured to monitor SSL traffic, TrueSight can decrypt user sessions when the appropriate keys are loaded. Even for approved users, decrypted traffic might be quite sensitive. To address this concern, TrueSight offers several confidentiality features. For example, captured cookies, POST parameters and Uniform Resource Identifier queries can be sanitized by hashing the data into something less sensitive though still uniquely identifying. Values also can be deleted or the entire data item purged.
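The three sanitization options described above (hash, delete the value, purge the item), as an added sketch that is not Coradiant's implementation. It assumes HMAC-SHA-256 as the hash, since the review does not say which one TrueSight uses; the key, the policy table and the field names are constructed for the example.

```python
import hashlib
import hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed key for the example; a deployment would generate and protect its own.
KEY = b"constructed-example-key"
# Hypothetical policy: field name -> "hash" | "delete" | "purge".
POLICY = {"sessionid": "hash", "email": "hash", "password": "delete", "card": "purge"}


def pseudonym(value: str, key: bytes = KEY) -> str:
    """Keyed hash: equal inputs give equal tokens, but a token does not reveal its input."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_pairs(pairs, policy=POLICY):
    """Apply the policy to (name, value) pairs; names not in the policy pass through."""
    out = []
    for name, value in pairs:
        action = policy.get(name.lower())
        if action == "hash":
            out.append((name, pseudonym(value)))  # still uniquely identifying
        elif action == "delete":
            out.append((name, ""))                # keep the name, drop the value
        elif action == "purge":
            continue                              # drop the whole item
        else:
            out.append((name, value))
    return out


def sanitize(url: str, cookie_header: str, post_body: str) -> dict:
    """Sanitize the URI query, Cookie header and form-encoded POST body of one request."""
    parts = urlsplit(url)
    query = scrub_pairs(parse_qsl(parts.query, keep_blank_values=True))
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    cookie_pairs = scrub_pairs([(k, m.value) for k, m in cookies.items()])
    post = scrub_pairs(parse_qsl(post_body, keep_blank_values=True))
    return {
        "url": urlunsplit(parts._replace(query=urlencode(query))),
        "cookie": "; ".join(f"{k}={v}" for k, v in cookie_pairs),
        "post": urlencode(post),
    }
```

A keyed hash is used because an unkeyed hash of a low-entropy value such as an e-mail address can be reversed by hashing guesses; the same session cookie still maps to the same token across requests, so sessions can be correlated after sanitization.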
Once basic traffic capture is enabled, you set up what are called Watchpoints to monitor and filter out important events from the vast amount of data being captured. The box comes with dozens of predefined filters, such as those that look for certain types of browsers, error types, speed of users and content types. Setting up custom filters is a breeze through the nicely implemented expression editor. You can specify performance and error rates per filter, a good option if you manage several Web applications with different user expectations.
When we drilled down into the data collected, we developed our love/hate relationship with the TrueSight interface. It's got small polish points that kept us happy, such as a countdown timer that shows when the page is about to reload when actively monitoring; a bypass button that forces content to refresh; and a graphic capture of the LCD on the appliance available from the Web interface. We particularly liked the clean information layout found on session, page and object detail screens that brings clarity to the massive amount of request data found in a typical user session.
But we occasionally became frustrated when moving back through the system as it lost our place in the list of sessions. We also found it frustrating that we couldn't directly launch a browser to access various monitored Web objects and verify observed errors ourselves. Also, while the reporting looked very nice, we very often found the labeling in the system extremely hard to read when there was a lot of data in a graph.
The key benefit of TrueSight lies in its ability to isolate and help solve problems. We very clearly spotted intermittent performance problems, some occasional server hangs and the ever-common HTTP errors. However, the device does not yet offer deep insight into the application-level or content issues that might occur in a Web site, so we were sometimes stymied when investigating problems. For example, we could not see full headers of transactions, which, in a few cases of dealing with ISAPI filters, would have resolved problems quickly. Furthermore, because we could not observe the actual HTML and other content returned, the box could clearly miss application logic errors where a page returns a 200-level HTTP status but is ruined datawise.
In capable hands, Coradiant's TrueSight acts as a smart microscope for Web administrators who want an in-depth look at their site's network traffic for incident resolution. While it does not yet offer everything that a Web administrator might eventually want, notably full insight into headers and response payload, what the appliance does, it does very well.
How we did it
We installed the Coradiant TrueSight 1100 in a Web farm collocated at the Inflow national collocation facility in San Diego. Data was collected passively via a generic network tap. The farm served approximately 200 different Web sites, including e-commerce sites; a few Web applications; and a variety of static, semidynamic and fully dynamic Web sites built with a multitude of technologies, including Active Server Pages, ColdFusion, PHP and Java Server Pages. We monitored live Web traffic off and on for approximately three months, and the device was used to diagnose basic server problems, performance issues, broken links and a number of other errors. We ran both manual and synthetic tests to make sure the device captured sessions accurately.