Some users are reporting slowness with an online service we use, they complained to that service and were instantly told it was their computers. I saw this and rubbed my hands at the thought of using ExtremeAnalytics to prove them wrong, but everything looked alright.
So I fired up wireshark and saw that sometimes the webserver would just stop responding after SSL was negotiated; from what I can tell, these flows never made it into the Analytics flows. Is this expected behaviour?
Additionally, the server (which is actually a DDoS prevention front-end I believe) keeps the connection alive for a few minutes, so subsequent HTTPS requests go over the same connection, thus hiding a 2.5 second response time as it's not a new flow, but I doubt there's much way to identify this programmatically.