6-5
User Guide for the Cisco Network Analysis Module (NAM) Traffic Analyzer, 5.0
OL-22617-01
Chapter 6 NAM Traffic Analyzer 5.0 Usage Scenarios
Troubleshooting

Using NAM to Evaluate Application-Level Performance Monitoring for UDP

Realtime Applications

The NAM Traffic Analyzer monitors RTP streams: When a phone call ends, the endpoints calculate the
information and send it to the Call Manager. If a NAM is along that path, it will intercept it.
The NAM monitors and analyzes RTP streams and voice calls statistics from the endpoint. The voice
calls statistics from the endpoint is used in conjunction with the RTP stream to correlate the phone
number with the IP address of the endpoint. Alerting is based on analysis of the RTP streams for MOS,
Jitter, and Packet Loss.
See Voice Signaling/RTP Stream Monitoring, page 2-2.
See Analyzing Traffic, RTP Streams, page 3-38.
See Table 2-37, Voice Monitor Setup Window.

Using NAM to Evaluate Potential Impact of WAN Optimization Prior to

Deployment

If an application that is supposed to be optimized is displayed in pass through traffic, check the WAN
acceleration device (WAE) configuration.
The NAM analyzes the traffic and identifies top talkers in Analyze > WAN Optimization > Top
Talkers, displaying applications and network links (Sites) that will benefit from deploying WAN
optimization. After the WAN optimization devices have been deployed, the WAAS can be directed to the
NAM for analysis to display the breakdown of the optimization regarding application response time. The
response times are broking down into client LAN and WAN segments, and server LAN and WAN
segments.
Troubleshooting

Using NAM for Problem Isolation

The alarm details (found in the NAM Traffic Analyzer Release 5.0 under Monitor > Overview > Alarm
Summary) provides information you can use to drill-down on the threshold that was violated. You may
also receive this alarm in e-mail (Setup > Alarms > E-mail). An example of the alarm is:
2010 SEPT 28 9:17:0:Application:Exceeded rising value(1000);packets;60653;Site(San Jose),
Application(http)
After receiving this alarm, you can access the NAM GUI to view the application in site San Jose to
determine why there was a spike. Click on Analyze > Traffic > Application; in the Interactive Report
window on the left, change Site to “San Jose,” Application to “HTTP,” and Time Range to the range when
the alert was received. This will display all the hosts using this protocol. You can see the Top hosts and
verify there are no unauthorized hosts accessing this application. You can also access Analyze > Traffic
> Host to view which conversations are chatty, and therefore causing the increase traffic for this
application.