What is the difference between Discarded and Dropped Packets in SuperAgent?
All ADA versions .
A dropped packet is a packet that arrived at the NIC, but that we were not able to look at because we were too busy processing other packets and the packet capture driver's buffer was at a full state before it could be emptied.
A discarded packet is one that we obtained properly from the packet capture driver, but which was outside of our configuration, so we made no use of the packet.
There is no notification of this in the SuperAgent GUI The discarded packet count is in many ways a measurement of misconfiguration. Either the router is mirroring the wrong traffic (or too much traffic), or SuperAgent's configuration is set up to monitor different data than what is being mirrored.
For the Master Console (and/or GUI): Discarded is the same as dropped.
We just call it discarded in the GUI (collector incident). This data is recorded in the dropped_history table on the master console as dropped. You can add details to the SuperAgentErrors log using this procedure: Restart the SuperAgent service on the collector Navigate to D:\netqos\bin on a Collector or StandAlone unit. Open satstconsole.exe In the Debug section, click Dump. Close the sastconsole.exe window.
Navigate to D:\netqos\logs and open the most recent SuperAgentServiceErrors.log file.
This will output something like the following: 09:58:37 Severity 2 - 6 servers 09:58:37 Severity 2 - Total sessions 0. Total transactions 0 09:58:37 Severity 2 - Open transaction memory pool: 0 segments, 0 free objects 09:58:37 Severity 2 - Session record memory pool: 0 segments, 0 free objects 09:58:37 Severity 2 - Sequence block memory pool: 0 segments, 0 free objects 09:58:37 Severity 2 - Permanent memory allocator: 11 segments, 2720 free bytes 09:58:37 Severity 2 - Adapter 0 received 144739 packets, dropped 0. 09:58:37 Severity 2 - SuperAgent accepted 0 packets, discarded 127940 packets The last 2 lines of this output contains the information we want to take a closer look at: Dropped means that the NIC is physically dropping packets and/or SuperAgent does not have enough time/resources to scan the packet.
This is a clear indication of spanning too much data. Accepted means that the packets that arrived on the NIC were scanned by SuperAgent and the packet matched SuperAgent's current configuration of what to capture. Discarded means that SuperAgent has scanned the packet, but the packet did not match SuperAgent's current configuration, and thus was ignored.
This is a clear indication of over-spanning or a misconfigured span. You may have also noticed the difference in the packet counts between the 144739 received and 127940 processed/discarded. The number is generated by the packet capture library and the latter is generated by the SuperAgent service. Both the packet capture library and SuperAgent filter out unwanted packets (i.e. non-TCP/IP packets).