Today's computer networks are extremely complex, with hundreds or more applications, thousands or more servers, hundreds or more locations, hundreds of thousands of clients, and network traffic routed by numerous switches and routers. Network and application data collected from various parts of the network can provide insight into network conditions, but the enormous amount of data presents a challenge for data storage, processing, and retrieval.
Network problems typically manifest themselves to end users as degradation of application performance. To detect such network problems, Sniffers™ and other devices are used to trace individual packets passing through the network to identify bottlenecks, routing problems, packet loss, etc.
Some techniques used to analyze the performance of multi-tier applications include operating such an application in a controlled testing environment, where one client request is processed by the application at a time. But such techniques may not be able to accurately ascertain that the downstream activity is actually caused by the observed client requests. Moreover, many problems associated with multi-tier applications do not appear except in a high-volume production environment, where many client requests are being processed at a time. Thus, processing one client request at a time may not be a feasible solution for analyzing a multi-tier application's performance. Other techniques establish the relationships between the transactions observed on both sides of an application based on knowledge of the application's complete model or internal structure. However, the feasibility of such techniques is usually limited to simple applications. A multi-tier application is an application that includes multiple interrelated sessions between multiple servers using multiple protocols.
More sophisticated techniques for troubleshooting network problems involve tracing packet paths, delays and transformations across the network, as well as correlating multiple segments (legs) of complex sessions involving multiple interdependent servers, such as Web servers, database servers, authentication servers, etc., all cooperating in servicing a client request. Such network captures frequently need to be performed by multiple capture agents whose clocks cannot be synchronized to the precision needed to reliably put the packets captured by different agents in the correct temporal sequence and evaluate time delays.
Conventional troubleshooting systems require user input in the form of a clock difference between capture agents' (engines') clocks. This solution is not adequate, however, because (1) the user does not have a reliable way of determining the parameters, and (2) it does not address the differences in clock speeds, i.e., it only addresses (albeit poorly) the differences in clock offsets.
One conventional technique involves an automated method for correcting timelines in the specific situation where traffic (data in any form, e.g., packets, frames) traverses multiple segments. In that situation, the timestamp of each packet seen on two or more segments is constrained by its timestamps on other segments, so that if the order of traversal can be determined, a system of inequalities for timestamps can be built and solved. However, this solution does not address the case of multi-tier traffic where each leg of the application flow has no common packets with other legs.
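The inequality approach described above, reduced to two capture agents and a constant clock offset, as an added example that is not part of the original text. The agent labels A and B, the tuple layout, the function names and the sample timestamps are constructed assumptions.

```python
import math

# Constructed sample: (packet_id, segment traversed first, timestamp by agent A,
# timestamp by agent B), in seconds. Agent names and values are assumptions.
SAMPLE = [
    ("p1", "A", 10.000, 12.504),
    ("p2", "B", 10.020, 12.517),
    ("p3", "A", 10.050, 12.553),
    ("p4", "B", 10.090, 12.588),
]

def offset_bounds(observations):
    """Return (lo, hi) bounding theta, where B's clock reads A's clock + theta.

    A packet seen on A first gives ts_a <= ts_b - theta, so theta <= ts_b - ts_a.
    A packet seen on B first gives ts_b - theta <= ts_a, so theta >= ts_b - ts_a.
    """
    lo, hi = -math.inf, math.inf
    for pid, first, ts_a, ts_b in observations:
        diff = ts_b - ts_a
        if first == "A":
            hi = min(hi, diff)
        elif first == "B":
            lo = max(lo, diff)
        else:
            raise ValueError(f"{pid}: unknown traversal order {first!r}")
    if lo > hi:
        # No constant offset satisfies every inequality: the clocks run at
        # different speeds, or a traversal order was misjudged.
        raise ValueError(f"inconsistent constraints: {lo} > {hi}")
    return lo, hi

def align_b_to_a(observations):
    """Rewrite B's timestamps onto A's timeline using the interval midpoint."""
    lo, hi = offset_bounds(observations)
    if math.isinf(lo) or math.isinf(hi):
        raise ValueError("offset is unbounded: need shared packets in both directions")
    theta = (lo + hi) / 2
    return theta, [(pid, ts_a, ts_b - theta) for pid, _f, ts_a, ts_b in observations]

if __name__ == "__main__":
    print(offset_bounds(SAMPLE))   # feasible interval for theta
    print(offset_bounds([]))       # legs with no common packets: no constraint at all
```

With no packet common to both captures, the interval stays unbounded, which is the multi-tier limitation noted above; an empty interval signals that a single offset cannot explain the data, the clock-speed difference a user-supplied offset ignores.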