How Application Intelligence Works

Application Intelligence is an essential aspect of modern network management, enabling organizations to gain valuable insights into the behavior and performance of their applications. In the following sections, we will explore the key features and processes that make Application Intelligence an indispensable tool for managing today’s complex network environments.

Deep Packet Inspection (DPI) Engine

Gigamon Application Intelligence uses the Deep Packet Inspection (DPI) engine to classify and filter applications and export application metadata. When packets arrive, the DPI engine analyzes the first few packets for each flow to classify the application. It then collects and exports the application statistics to GigaVUE-FM (destination port 2056) using the management interface by default.

Application Filtering Intelligence (AFI) relies on application classification to filter relevant applications. AFI can be combined with other GigaSMART Operations to further optimize the traffic before forwarding to the tools.

Configuring AFI is optional for AMI. In the GigaVUE HC Series, if customers only install the AMI license, AFI will automatically be configured to pass all traffic. When AFI and AMI are combined, all applications passed by AFI are sent to AMI for generating NetFlow (v5, v9)/IPFIX records or application metadata in IPFIX and CEF formats. IPFIX is suitable for flow correlation tools such as NPM, APM and NDR, while CEF is suitable for log aggregation tools such as SIEM and observability tools.

The types of traffic that DPI can identify are as follows:

■   Raw Network Traffic - The DPI engine can identify thousands of commercially available applications. The various classification methods are provided under top menu > Help > Classification Methods. Refer to View Application Protobook. However, there can be instances where an application could be identified as follows:
o   Unknown: Application is reported as unknown when some packets in the flow are missing or when the DPI Engine can identify a packet as valid but does not identify any protocols in the packet flow (for example, non-IP packets).
o   Unknown-TCP/UDP/SSL: Lack of packet heuristics may prevent the DPI Engine from identifying an application. In that case, it can tag the application based on its known lower layer, such as unknown-TCP, unknown-UDP, and unknown-SSL.
o   Classification-unknown: Application is reported as classification-unknown when the DPI Engine is unable to identify any valid packets in the packet flow.
■   Tunneled Traffic - The DPI engine can identify applications in overlay networks like GRE, VXLAN, MPLS, and GTP. It can analyze up to 16 outer headers to identify protocols and export their metadata based on the innermost packet header.
■   Encrypted Traffic - DPI uses various techniques to identify applications over TLS, DTLS and QUIC.
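
The innermost-header rule for tunneled traffic can be illustrated with a small decapsulator. This is an added example, not Gigamon code: the function and variable names are hypothetical, only untagged Ethernet, IPv4, GRE and VXLAN are handled, and counting each encapsulation layer as one outer header against the limit of 16 is an assumption.

```python
import socket
import struct
MAX_OUTER_HEADERS = 16            # depth limit stated on the page
VXLAN_PORT = 4789                 # IANA-assigned VXLAN UDP port
GRE, TCP, UDP = 47, 6, 17         # IP protocol numbers

def innermost_flow(frame: bytes) -> dict:
    """Strip GRE/VXLAN layers from an Ethernet frame; return the innermost IPv4 flow key."""
    buf, depth, at_eth = frame, 0, True
    while True:
        if at_eth:                                    # Ethernet II, untagged
            if len(buf) < 14 or buf[12:14] != b"\x08\x00":
                raise ValueError("truncated frame or non-IPv4 payload")
            buf = buf[14:]
        if len(buf) < 20 or buf[0] >> 4 != 4:
            raise ValueError("truncated or non-IPv4 header")
        proto, l4 = buf[9], buf[(buf[0] & 0x0F) * 4:]
        sport = dport = None
        if proto in (TCP, UDP) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
        inner = None
        if proto == GRE and len(l4) >= 4:
            flags, ptype = struct.unpack("!HH", l4[:4])
            # Checksum (C), key (K) and sequence (S) flags each add one 4-byte word.
            hdr = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
            if ptype in (0x0800, 0x6558):             # IPv4, or bridged Ethernet
                inner, at_eth = l4[hdr:], ptype == 0x6558
        elif proto == UDP and dport == VXLAN_PORT and len(l4) >= 16:
            inner, at_eth = l4[16:], True             # 8-byte UDP + 8-byte VXLAN header
        if inner is None:                             # no further tunnel: innermost header
            return {"src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20]),
                    "proto": proto, "sport": sport, "dport": dport, "tunnels": depth}
        depth += 1
        if depth > MAX_OUTER_HEADERS:
            raise ValueError("more than 16 encapsulation layers")
        buf = inner

def ipv4(src, dst, proto, payload):                   # minimal IPv4 header, checksum left 0
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst)) + payload

# Constructed sample: TCP/443 flow inside VXLAN inside GRE, zeroed MACs and checksums.
ETH = bytes(12) + b"\x08\x00"
TCP_SEG = struct.pack("!HHLLHHHH", 51000, 443, 0, 0, 0x5002, 1024, 0, 0)
vxlan_pkt = b"\x08\x00\x00\x00" + (5000 << 8).to_bytes(4, "big") + ETH + ipv4("10.0.0.5", "10.0.0.9", TCP, TCP_SEG)
udp_dgram = struct.pack("!HHHH", 40000, VXLAN_PORT, 8 + len(vxlan_pkt), 0) + vxlan_pkt
gre_pkt = struct.pack("!HH", 0, 0x0800) + ipv4("198.51.100.1", "198.51.100.2", UDP, udp_dgram)
FRAME = ETH + ipv4("192.0.2.1", "192.0.2.2", GRE, gre_pkt)
print(innermost_flow(FRAME))
```

The flow key comes from the 10.0.0.5 to 10.0.0.9 TCP session, not from the GRE or VXLAN endpoints, which is why metadata keyed on the innermost header stays meaningful for overlay traffic.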

User Defined Application

To monitor proprietary or internal applications, the DPI engine supports user-defined application signatures that can be created to define rules for identifying the applications (up to 120). This feature allows you to identify unclassified TCP, UDP, HTTP, and HTTPS applications, and extract their application name and the lower layer protocol attributes.

Fast Mode

The DPI engine supports a performance optimization functionality called “fast mode”. In this mode, performance is increased by using light parsers to process HTTP and DNS traffic. This affects the classification of applications over HTTP: only a limited set of HTTP-based applications can be classified. It also affects attribute extraction: for example, only some attributes are extracted for HTTP traffic and no attributes are extracted for DNS traffic. When fast mode is enabled, GigaVUE‑FM automatically displays only the attributes that are supported. Fast mode is supported only in the GigaVUE HC Series.

Note: In the protobook, you can check whether a specific application supports fast mode by navigating to the Attributes tab of that application. If the Basic DPI Support field is yes, then the application supports the fast mode option.