
Why Nobody Monitors Web Services Like ExtraHop Does

A year or so ago, I was doing a demo for the sales engineering team at one of our channel partners. As I began to explain how ExtraHop parses HTTP transactions, the VP of Engineering interrupted me and said, "Every vendor does HTTP. Show me something different."

My response: I don't know of anyone that does HTTP analysis the way that ExtraHop does. Let me explain what I mean.

A Quick, Non-Technical HTTP Overview

The definition of "protocol" is simply this: A protocol is a well-defined way for two systems to talk to each other. HTTP is a great example, and it drives most of the web. However, HTTP is not just for web browsers talking to servers; it underlies many web services and has become a common and reliable way to move data between two applications, regardless of what they do behind the scenes.

ExtraHop can monitor any protocol built on top of HTTP.


One reason for the popularity of HTTP for web services stems from how easy it is to extend and customize. This leads to new and unique protocols that are written on top of HTTP. This is where ExtraHop distinguishes itself from other vendors that offer passive analysis of HTTP transactions, such as Riverbed's Opnet, Compuware, Visual Networks, and NetScout.

ExtraHop can monitor any protocol built on HTTP because of our unique ability to statefully analyze the entire transactional payload. Very often, these custom protocols are blind spots in an organization despite driving business-critical functions.

Here is a list of just some of the HTTP-driven protocols that IT organizations monitor with ExtraHop.

  • Most Amazon Web Services (AWS) are driven by HTTP (hence the term), including Simple Storage Service (S3), Simple Queuing Service (SQS), and Elastic Load Balancer (ELB) API calls.
  • The X12 protocol used in electronic data interchange (EDI) and payment processing. There are X12 XML schemas available for the healthcare, insurance, government, transportation, finance, and other industries.
  • Speaking of X12, there's AS2, which defines a formal protocol to exchange business data between two peers. Like many others, AS2 is based on HTTP.
  • The CICS protocol is commonly used with IBM mainframes. Learn more in this article on the long-lived CICS protocol and its use from 1969 to today.
  • Riak, an up-and-coming NoSQL database from Basho, is all HTTP-based on the front end.
  • The media industry makes heavy use of HTTP-based services to move assets around for encoding/decoding and delivery to end users.
  • IBM WebSphere, SAP, PeopleSoft, Oracle E-Business Suite, and many other enterprise software suites make heavy use of HTTP-based web services.
  • Traditional web APIs, such as those that exchange JSON and XML, usually use HTTP as a transport protocol.
  • Custom, organization-specific protocols built on HTTP: from devices sending RFID sensor data, health care data wrapped in XML, to the upgrade list at your favorite airline's gate, chances are good that there's some HTTP involved.

Monitoring Web Services with Depth, Flexibility, and Scale

These web services transactions are often closely tied to specific business functions, which means that analyzing them can provide crucial business intelligence. ExtraHop can do this in a meaningful way, not just by analyzing HTTP status codes and processing time, but by digging deep into the transactional payload to, for example, show how CICS handles transactions and connections. Moreover, we can do this flexibly and at scale (up to a sustained 20Gbps) with our Context and Correlation Engine (CCE). Through the programmatic interface to the CCE, IT organizations can define and implement new analysis in minutes instead of creating custom code hooks, configuring logging, or requesting a product enhancement. Traditional passive HTTP monitoring cannot provide this depth, flexibility, and scale, which is why I insist that nobody does HTTP analysis and web services monitoring the way that we do.

A few use cases get to the heart of why we're so different.

  • ExtraHop has been used to track transactions from ticketing kiosks, turnstiles, point-of-sale systems, and other functions in the entertainment and retail industries.
  • ExtraHop can correlate a specific transaction to an error. This really matters, because in the web services world, error descriptions vary widely and are often served with a "200 OK" status from the server. After all, it's the business transaction that failed for some reason, not the server. So context matters, and our context-driven intelligence is unrivaled.
  • A merchant credit card processing firm uses ExtraHop to parse the HTTP-based Orbital protocol and extract information such as new payments, refunds, and card activations.
  • And, of course, the ability to customize HTTP analysis helps when monitoring ordinary web users, mobile phones, etc.

A natural question is this: Why has it taken so long for someone to develop such deep analysis? Well, HTTP analysis can be tricky. There are many variants: compression, data sent (and consumed) in chunks, synchronous transactions, asynchronous transactions, encrypted transactions, custom header specifications, custom payloads, and many others.

In order to really understand what is going on, you need stateful, payload-aware analysis, which can be challenging—particularly across environments with thousands of servers, millions of connections, and high transaction rates.
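To make the "200 OK" error case and the chunking and compression variants above concrete, here is an added example (not ExtraHop code and not its CCE interface) that reassembles a chunked, gzip-compressed response and finds a failed business transaction that a status-code monitor would count as a success. The JSON schema with `result` and `error` fields, the function names, and the sample responses are all assumptions constructed for illustration.

```python
import gzip
import json

def dechunk(body: bytes) -> bytes:
    """Reassemble a Transfer-Encoding: chunked body into one byte string."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # ignore chunk extensions
        if size == 0:
            return out
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2  # skip the CRLF that ends each chunk

def parse_response(raw: bytes):
    """Return (status, headers, decoded payload) for one complete response."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (ln.partition(":") for ln in lines[1:])}
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body = dechunk(body)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    return status, headers, body

def business_error(raw: bytes):
    """Error text hidden in a 2xx JSON reply; assumed schema: result/error keys."""
    status, headers, body = parse_response(raw)
    if not 200 <= status < 300 or "json" not in headers.get("content-type", ""):
        return None
    try:
        doc = json.loads(body)
    except ValueError:
        return None
    if isinstance(doc, dict) and doc.get("result") == "error":
        return str(doc.get("error", "unspecified"))
    return None

def build_sample(payload: dict) -> bytes:
    """Constructed response: 200 OK, gzip-compressed, sent in two chunks."""
    gz = gzip.compress(json.dumps(payload).encode())
    chunks = b"".join(b"%x\r\n%s\r\n" % (len(c), c) for c in (gz[:20], gz[20:]))
    return (b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\nTransfer-Encoding: chunked\r\n\r\n"
            + chunks + b"0\r\n\r\n")

FAILED = build_sample({"result": "error", "error": "card declined"})
OK = build_sample({"result": "ok"})
```

Both samples carry the same status line, so only the decoded payload separates the declined transaction from the successful one.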

Alone, our HTTP analysis is amazing. But it's worth noting that when you take this wire data and feed it into a Big Data analysis engine like MongoDB or Splunk, you can build trends to use with machine data, which gives a whole new dimension to Operational Intelligence. And, of course, we also do a tremendous job of analyzing database, storage, and other protocols.

Our CEO gave a great demonstration on how powerful custom HTTP analysis can be at Splunk .conf last year, which you can watch below. Try it for yourself by exploring our free, interactive demo.

