ExtraHop's out-of-band monitoring solution is pretty cool. Citrix Synergy 2013 video.

I stopped by ExtraHop at Citrix Synergy because I'd heard a lot about them, and while most monitoring solutions appear to be relatively similar (these were dubbed YAM for "Yet Another Monitor" years ago by Kevin Goodman), within about 30 seconds it seemed that ExtraHop's solution was quite a bit different than most of the other solutions out there. They use passive network monitoring via a spanned or tapped port (which, ironically, doesn't add an extra hop). With this method, they actually look inside the packets as they traverse the network, including ICA (which they've licensed). 

This is good, of course, for all those situations where a "Citrix problem" turns out to be caused by some other system, but that's something all comprehensive monitoring solutions can claim. What's cool is that because they can see everything going on and mine so much information out of packets, they have lots of insight into database and file server information, files accessed, stored procedures, users, processes, and so on. With this information in hand, ExtraHop can watch for problems and automatically identify trends, bottlenecks, and issues without any threshold tweaking by an admin. Best of all, they do this without an agent!

They even plug into Splunk, which may seem odd at first. However, they've run into situations where a system might not log information that would be helpful, and in those cases the ExtraHop solution can extract that information directly from the packets. They can then forward it via RSyslog to Splunk so that Splunk can work its magic.


For more information, check out the video below and visit ExtraHop.com.


Join the conversation




At the beginning of the video I really thought this would be YAAPM (Yet Another APM) ... :)

But at the instant where he showed the CIFS decode I knew this thing is cool!

And the "Freemium" distribution model is absolutely the right way to sell this!

Now I just need to be able to get a SPAN port in my network ........ Time to enable Open vSwitch on the XenServer hosts ... :D


I am running this right now in a multi-tenant CSP environment. It really is a nice innovation from what has been years of "Install an agent, go to a proprietary console to get metrics stored in a proprietary data set". After 10 years of APM madness I start to feel like a middle-school science fair judge looking at his 500th vinegar and baking soda volcano….

The agentless comment is the real deal; the only prerequisite is an IP address. The integration with Splunk is fantastic!! Currently, here is what I am logging with Splunk/ExtraHop:

- SQL Query Performance by Tenant (how one SP runs on one customer vs the same Stored Proc on other tenants)

- SQL Query performance by Database Table (tells me if we need to re-index)

- SQL/Oracle Database Errors by Server, by UserID, by Tenant

- ICA Launch time by Tenant

- ICA Launch time by Application

- ICA Latency by Tenant

- ICA Latency by Customer Subnet

- ICA Latency by Workstation ID

- ICA Client Retransmission timeouts by tenant

- REST/SOAP middleware performance

- Slow web-based URIs

- DNS Errors by A Record by Tenant

- CIFS File Sizes/Errors

- Geospatial analysis of outgoing connections

This is a level of visibility that I have never had before. I think the combination of Splunk's machine data, parsing and big-data platform coupled with ExtraHop's own Big Data platform and wire data gives you total visibility into your environment. We are able to gather baselines of our applications across the tenant infrastructure, which positions us to be able to set thresholds for performance of specific hosted applications. We can also compare these to on-premise deployments to gauge our own delivery.

I think this is a great innovation in a space (APM) that has had minimal real change for a number of years now.