ExtraHop's New Take on App Monitoring

Despite decades of effort, troubleshooting applications is still hard. ExtraHop, which comes out of stealth today with the launch of its Application Delivery Assurance Appliance, thinks it’s got the answer. Backed with $1.5 million from Madrona Venture Partners, the 10-person company is capitalizing on recent increases in switch and processing capacity that make it possible to analyze all the traffic on a network.

Traditional IT wisdom says there are three basic ways to see what applications are doing: Put agents everywhere; ask the switches and routers what they see; or sniff the traffic on the wire. None is perfect. Agents consume CPU, and need care and feeding. Switches are too busy forwarding packets to interpret what’s going on. And sniffing traffic means plugging in everywhere on the network, and drinking from a fire hose of bytes.

But networks and processors have come a long way. Now, switches are powerful enough to make a copy of all the traffic on a network without skipping a beat.

Companies like NetQOS and NetScout make products that capture and analyze traffic, but they mostly stop at the TCP layer. That can result in misleading diagnoses — such as thinking a server is responding quickly when in fact it’s returning an application error that the analyzer can’t see. “I think real-time visibility beyond L4 is the primary differentiator,” ExtraHop’s founder and CEO, Jesse Rothstein, told me.

Interpreting application conversations in real time takes powerful computation. ExtraHop’s team, whose skills were honed at F5 Networks, seems up to the task: John Tharp, a strategic monitoring engineer at spend management SaaS firm Concur, has been trying a beta of the product on a network with 650 devices and 500 Mbps of traffic. “We’ve been able to see problems easily — things like virtual switches dropping packets internally,” said Tharp.

To pull this off, ExtraHop’s appliance creates a “Cliff’s Notes” of each transaction it sees. For example, it might see a database query and record how long it took, what table was accessed, and any errors. These transactions are kept for 30 days in a data store custom-built for the job. “We had to rebuild it from scratch several times before we got it right,” said Rothstein.

The company still has work to do. Its appliance is missing some key features, like expert systems, better auto-configuration, and the ability to read encrypted data. And the number of protocols is limited. “I wish it had VoIP and iSCSI support,” said Tharp. But ExtraHop may be on to something: Networks that can create a copy of everything without slowing down change how we think about data capture, and as a result, about how we monitor applications.