Manual Chapter : Troubleshooting Applications by Capturing Traffic

Applies To:

Show Versions Show Versions


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0

BIG-IP Link Controller

  • 13.0.1, 13.0.0

BIG-IP Analytics

  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0


  • 13.0.1, 13.0.0
Manual Chapter

Overview: Troubleshooting applications by capturing traffic

This implementation describes how to set up the BIG-IP® system to collect application traffic so that you can troubleshoot problems that have become apparent by monitoring application statistics. For example, by examining captured requests and responses, you can investigate issues with latency, throughput, or reduced transactions per second to understand what is affecting application performance.

When Application Visibility and Reporting (AVR) is provisioned, you can create an Analytics profile that includes traffic capturing instructions. The system can collect application traffic locally, remotely, or both. If the system is already monitoring applications, you can also update an existing Analytics profile to make it so that it captures traffic.

If logging locally, the system logs the first 1000 transactions and displays charts based on the analysis of those transactions. For VIPRION® systems, the local logging consists of the first 1000 transactions multiplied by however many blades are installed. If logging remotely, the system logs information on that system; log size is limited only by any constraints of the remote logging system. To see updated application statistics, you can clear the existing data to display the current statistics.

Task Summary

About prerequisites for capturing application traffic

After you finish a basic networking configuration of the BIG-IP® system, you must complete these prerequisites for setting up application statistics collection:

  • Provision Application Visibility and Reporting (AVR): System > Resource Provisioning .
  • Create an iApps® application service (go to iApp > Application Services ), or configure at least one virtual server with a pool pointing to one or more application servers.

You can set up the system for capturing application traffic either locally or remotely (or both).

Tip: Before setting up, clear the captured transaction log. On the Captured Transactions screen, click Clear All to clear all previously captured data records.

Capturing traffic for troubleshooting

You typically use traffic capturing if you notice an application issue, such as trouble with throughput or latency, discovered when examining application statistics, and want to troubleshoot the system by examining actual transactions.

You can configure the BIG-IP® system to capture application traffic and store the information locally or remotely (on Syslog servers or SIEM devices, such as Splunk). To do this, you create an Analytics profile designed for capturing traffic. The profile instructs the BIG-IP system to collect a portion of application traffic using the Application Visibility and Reporting (AVR) module.

  1. On the Main tab, click Local Traffic > Profiles > Analytics > HTTP Analytics .
    Tip: If Analytics is not listed, this indicates that Application Visibility and Reporting (AVR) is not provisioned, or you do not have rights to create profiles.
    The HTTP Analytics screen opens.
  2. In the Profile Name column, click analytics (the name of the default profile).
  3. In the General Configuration area, clear the Transaction Sampling check box.
    The system analyzes all traffic to the associated virtual servers.
  4. Above the menu bar, click the Profiles: Analytics link to return to the Analytics list screen.
  5. Click Create.
    The New HTTP Analytics profile screen opens.
  6. In the Profile Name field, type a unique name for the Analytics profile.
  7. Select the Custom check box.
  8. For Traffic Capturing Logging Type, specify where to store captured traffic.
    • To store traffic locally, click Internal. You can view details on the Captured Transactions screen. This option is selected by default.
    • To store traffic on a remote logging server, click External and provide the requested information.
  9. In the Associated Virtual Servers area, specify the virtual servers for which to capture application statistics:
    1. For the Virtual Servers setting, click Add.
    2. From the Select Virtual Server popup that displays, select the virtual servers to include and then click Done.
    Note: Only virtual servers previously configured with an HTTP profile display in the list (because the data being collected applies to HTTP traffic). Also, you can assign only one HTTP Analytics profile to a virtual server; therefore, the list displays only virtual servers that have not been assigned an Analytics profile.
    Special considerations apply if using Analytics on a BIG-IP system with both Application Security Manager™ and Access Policy Manager®, where security settings (in Portal Access webtop or an iRule) redirect traffic from one virtual server to another. In this case, you need to attach the HTTP Analytics profile to the second virtual server to ensure that the charts show accurate statistics.
  10. If you want to make changes to any of the selections, above the Statistics Gathering Configuration area, select the Custom check box.
  11. In the Statistics Gathering Configuration area, for Collected Metrics, select additional statistics you want the system to collect from the requests:
    Option Description
    Max TPS and Throughput Collects statistics showing the maximum number of transactions occurring per second and the amount of traffic moving through the system (maximum request and response throughput is collected and recorded separately).
    Page Load Time Tracks how long it takes an application user to get a complete response from the application, including network latency and completed page processing.
    Note: End-user response times and latencies can vary significantly based on geography and connection types.
    User Sessions Stores the number of unique user sessions. For Timeout, select the number of minutes of user inactivity to allow before the system considers the session to be over.

    For Cookie Secure Attribute, specify whether to secure session cookies. Options are Always, the secure attribute is always added to the session cookie; Never, the secure attribute is never added to the session cookie; or Only SSL, the secure attribute is added to the session cookie only when the virtual server has a client SSL profile (the default value).

    By default, the system collects many metrics, including TPS, throughput, server latency, response time, network latency, and so on. You can select the ones here in addition to the ones already collected once the Analytics profile is attached to one or more virtual servers.
  12. In the Statistics Gathering Configuration area, for Collected Entities, select additional entities to collect statistics for each request.
    Option Description
    URLs Collects the requested URLs.
    Countries Saves the name of the country where the request came from, and is based on the client IP address criteria.
    Client IP Addresses Saves the IP address where the request originated. The address saved also depends on whether the request has an XFF (X-forwarded-for) header and whether the HTTP profile accepts XFF headers.
    Client Subnets Saves statistics for predefined client subnets. Client subnets can be added in the Subnets area of the default HTTP Analytics profile.
    Response Codes Saves HTTP response codes that the server returned to requesters.
    User Agents Saves information about browsers making the request.
    Methods Saves HTTP methods in requests.
    By default, the system collects many entity statistics, including virtual servers, pool members, browser names, operating system, and so on. You can select the ones here in addition to the ones already collected once the Analytics profile is attached to one or more virtual servers.
  13. In the Capture Filter area, from the Capture Requests and Capture Responses lists, select the options that indicate the part of the traffic to capture.
    Option Description
    None Specifies that the system does not capture request (or response) data.
    Headers Specifies that the system captures request (or response) header data only.
    Body Specifies that the system captures the body of requests (or responses) only.
    All Specifies that the system captures all request (or response) data.
  14. Depending on the application, customize the remaining filter settings to capture the portion of traffic to that you need for troubleshooting.
    Tip: By focusing in on the data and limiting the type of information that is captured, you can troubleshoot particular areas of an application more quickly. For example, capture only requests or responses, specific status codes or methods, or headers containing a specific string.
  15. Click Finished.
The BIG-IP system captures the application traffic described by the Analytics profile for 1000 transactions locally (or until system limits are reached). If logging remotely, the system logs information on that system; log size is limited only by constraints of the remote logging system.
Note: System performance is affected when traffic is being captured.

Reviewing captured traffic

Before you can review captured traffic details on the BIG-IP® system, you need to create an HTTP Analytics profile that is capturing application traffic locally. The settings you enable in the Capture Filter area of the profile determine what information the system captures. You need to associate the Analytics profile with one or more virtual servers, or with an iApps® application service.
The system starts capturing application traffic as soon as you enable it on the HTTP Analytics profile. You can review the captured transactions locally on the BIG-IP system. The system logs the first 1000 transactions. On a VIPRION® system, the system logs the first 1000 transactions multiplied by however many blades are installed.
  1. On the Main tab, click System > Logs > Captured Transactions .
    The Captured Transactions screen opens and lists all of the captured transactions.
  2. Optionally, use the time period and filter settings to limit which transactions are listed.
  3. In the Captured Traffic area, click any transaction that you want to examine.
    Details of the request display on the screen.
  4. Review the general details of the request.
    Tip: The general details, such as the response code or the size of the request and response, help with troubleshooting.
  5. For more information, click Request or Response to view the contents of the actual transaction.
    Review the data for anything unexpected, and other details that can help troubleshoot the application.
  6. On the Captured Transactions screen, click Clear All to clear all previously captured data records (including those not displayed on the screen) and start collecting transactions again.
    The system captures up to 1000 transactions locally and displays them on the screen. Captured transactions are visible a few seconds after they occur.