Wright and his team were hitting their heads against the wall trying to discover the reason for the performance hit.
"We always found ourselves trying to prove that a problem wasn't coming from a particular technology silo," Holt says. "We'd start with the network team, who would burn a whole bunch of time proving the network was operating as expected, and then you'd move on to the next level of the stack. 'Well, it's not here, must be somewhere else.'"
Agents and network sniffer technologies were not an option, Wright says (though he notes they wouldn't have worked either).
"I really wouldn't want to put an agent on a virtual desktop," he says. "Any application slows down performance (I don't even run antivirus -- these are nonpersistent images). It slows things down and it gives me jagged performance. When you start putting applications in your virtual desktop, then you don't know the performance characteristics of every virtual desktop. The agent on desktop A may be doing something that the agent on desktop B is doing differently. Then I lose my standardization."
Wire Data Analytics Provides Cross-Tier Visibility
Then one of Wright's senior engineers had a suggestion: bring in ExtraHop Networks, a Seattle firm that specializes in real-time wire data analytics. The ExtraHop Operational Intelligence platform analyzes all L2 to L7 communications, including full bidirectional transactional payloads.
ExtraHop is able to perform wire data analytics at line rate — up to a sustained 20Gbps. When it receives the wire data traffic, it recreates the TCP state machines for every endpoint and reconstructs sessions, flows and transactions. If the traffic is encrypted, it performs bulk decryption at line rate so that it can reassemble the full streams.
From there it analyzes the payload and content from L2 to L7, extracting application-level metrics and infrastructure, network and transaction metrics for all tiers. It discovers and classifies devices based on ongoing heuristic analysis of MAC addresses, IP addresses, naming protocols, transaction types and other elements. The metrics are then written to a purpose-built streaming datastore that powers trend-based alerts.
Wright made the call and asked ExtraHop to do a proof of concept for the hospital: He wanted ExtraHop to find the ghost in the machine that his team had spent months hunting. Almost immediately, ExtraHop proved its worth, Wright says. Every morning that a particular doctor logged in -- sometimes first thing in the morning, sometimes after performing tasks that didn't require a computer -- it would cause severe contention at the storage tier.
It seemed the doctor had moved about 2GB of personal photos from his personal profile to his Citrix profile.