Unit utilization and inspection core performance
This section presents details about Unit utilization and Buffer usage monitor reports so you can learn to identify problems. It includes troubleshooting tips for queue overflow scenarios and for managing utilization thresholds.
The Inspection Core (sniffer) is the heart of the Guardium collector. It receives all data that
is sent from S-TAPs, Network TAPs, and SPAN ports. It is composed of the following components that
perform various tasks of transforming network packets into data that can be stored in the internal
MySQL database of the collector:
- Sniffer Engine: The sniffer engine reassembles packets that are coming from a SPAN port or Network TAP, or from S-TAPs that are using the packet capture (pcap) driver to capture data. It is not used to process data that is captured by the native S-TAP drivers, such as KTAP (in the case of UNIX S-TAP).
- Analyzer/Parser: The analyzer determines the database type, protocol, and packet structure that is used for each monitored session. It then passes this information to the Parser, which, as the name implies, parses the SQL statements into their constituent parts (VERB, OBJECT, FIELD, and so on).
- Logger: The parsed data is then passed to the logger, which stores this data into the collector’s database.
The sniffer can restart because of logger queue overflow. Any data that is stored in any of the sniffer buffers during a restart is lost.
Open the unit utilization reports by going to
, and then selecting one of the reports.
Using aliases is recommended when using unit utilization data in custom and predefined reports. Otherwise, utilization levels display with the values: 1, 2, 3, instead of Low, Medium, High.