Packet Capture for the Masses
by Team AppNeta

I spend a good amount of time talking to people about computer networks, their company’s networks, their customers’ networks, telco providers, etc., and the most common question that comes up is “What is using up all my network capacity?” For such a fundamental question, this is surprisingly difficult to answer for the vast majority of companies.

Packet Capture vs. Flow Analysis

Any network engineer worth his Cisco certifications will be well aware that there are two primary methods of identifying who exactly is using all that capacity: Packet Capture and Flow Analysis. Each has tradeoffs that can limit its appeal. Flow Analysis, developed by Cisco as a proprietary format under the name NetFlow and since taken up by the IETF as the IPFIX standard, is specifically designed to answer the key questions about capacity usage: the who, what, when, where and why (no one ever really knows why) of your network. While this information helps to answer the original question, there are two main challenges:

  • A flow-enabled device (a router, switch or dedicated probe) together with a flow collector and analysis tool is required to generate and analyze the data. This infrastructure requirement keeps the majority of small companies and service providers from knowing what is impacting the performance of services on customer networks.
  • Although Flow is a great summary of activity (endpoints, ports, protocol, packet and byte counts, timestamps), it lacks the packet contents needed to dig deeper and find exactly what is going on in the network.

Packet Capture puts a heavier load on the infrastructure than Flow Analysis (a capture point on each segment of interest, and storage for every byte seen), but it completely covers the depth of information needed to answer the hairiest of network questions. Free tools like Wireshark are clearly the go-to analysis tools for most of the network engineers I know. However, the challenge with Packet Capture is that the tools are expert tools designed for expert users. I have spoken with dozens of smart individuals who are responsible for critical applications running over the network, such as VoIP, SharePoint and various database systems, who are intimidated by Wireshark.
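The tradeoff above is easy to see in code, because flow records are a lossy projection of the packets: every flow record can be derived from a capture, but no capture can be recovered from flow records. The example below is added here to illustrate that; it is not code from AppNeta or FlowView Plus. It builds a small libpcap file in memory from constructed sample traffic (a large HTTPS download, some SIP signalling and one HTTP request), parses it with only the Python standard library, collapses the packets into NetFlow-style 5-tuple records to rank top talkers and top applications, and then pulls the HTTP request line that only the raw capture still contains. Assumptions: the capture uses the classic libpcap format with an Ethernet link type, only IPv4 TCP/UDP packets are counted, and the port-to-application table is a stand-in for a real classifier.

```python
"""Derive flow-style summaries from a packet capture, then show the payload
detail that only the capture retains. Standard library only."""
import socket
import struct
from collections import defaultdict


# --- Constructed sample capture (not real traffic) --------------------------

def _ipv4_header(src, dst, proto, payload_len, ident=1):
    """20-byte IPv4 header; checksum left zero since nothing is transmitted."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def _tcp_segment(sport, dport, payload):
    """Minimal TCP header (data offset 5, ACK flag, no options) plus payload."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x10,
                       65535, 0, 0) + payload


def _udp_datagram(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def _frame(src_ip, dst_ip, l4, proto):
    """Ethernet II frame with EtherType 0x0800 (IPv4); MACs are arbitrary."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + _ipv4_header(src_ip, dst_ip, proto, len(l4)) + l4


def build_sample_pcap():
    """A libpcap file (magic 0xa1b2c3d4, link type 1) holding constructed traffic."""
    pkts = []  # (ts_sec, ts_usec, frame)
    for i in range(20):  # 10.0.0.5 pulling a large download from 203.0.113.10:443
        pkts.append((100 + i, 0, _frame("203.0.113.10", "10.0.0.5",
                                        _tcp_segment(443, 50000, b"\x00" * 1400), 6)))
    for i in range(4):  # VoIP signalling from 10.0.0.7 to a PBX
        pkts.append((101 + i, 500, _frame("10.0.0.7", "192.0.2.20",
                                          _udp_datagram(5060, 5060, b"OPTIONS sip:pbx SIP/2.0\r\n"), 17)))
    pkts.append((105, 0, _frame("10.0.0.9", "198.51.100.8",
                                _tcp_segment(50001, 80, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"), 6)))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts_sec, ts_usec, frame in pkts:
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)) + frame
    return out


# --- Capture parsing ---------------------------------------------------------

def parse_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, ip_len, payload) per IPv4 TCP/UDP packet."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    if struct.unpack(endian + "I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6, or truncated: skipped, not counted
        ihl = (frame[14] & 0x0F) * 4
        ip_len, proto = struct.unpack("!H", frame[16:18])[0], frame[23]
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        l4 = frame[14 + ihl:14 + ip_len]
        if proto == 6 and len(l4) >= 20:      # TCP: honour the data offset field
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:    # UDP: fixed 8-byte header
            sport, dport = struct.unpack("!HH", l4[:4])
            payload = l4[8:]
        else:
            continue
        yield (ts_sec + ts_usec / 1e6, src, dst, proto, sport, dport, ip_len, payload)


# --- The flow view: what a NetFlow/IPFIX exporter would hand you -------------

def build_flows(pcap_bytes):
    """Collapse packets into 5-tuple flow records; payload is discarded here."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, proto, sport, dport, ip_len, _ in parse_pcap(pcap_bytes):
        f = flows[(src, dst, proto, sport, dport)]
        f["packets"] += 1
        f["bytes"] += ip_len
        f["first"] = ts if f["first"] is None else min(f["first"], ts)
        f["last"] = ts if f["last"] is None else max(f["last"], ts)
    return dict(flows)


APP_BY_PORT = {80: "HTTP", 443: "HTTPS", 5060: "SIP", 53: "DNS"}  # assumption: toy classifier


def top_talkers(flows, n=3):
    """Bytes attributed to each address, counting both directions."""
    by_host = defaultdict(int)
    for (src, dst, *_), f in flows.items():
        by_host[src] += f["bytes"]
        by_host[dst] += f["bytes"]
    return sorted(by_host.items(), key=lambda kv: kv[1], reverse=True)[:n]


def top_applications(flows, n=3):
    """Bytes per application, guessed from the lower-numbered port of each flow."""
    by_app = defaultdict(int)
    for (_, _, _, sport, dport), f in flows.items():
        by_app[APP_BY_PORT.get(min(sport, dport), "port-%d" % min(sport, dport))] += f["bytes"]
    return sorted(by_app.items(), key=lambda kv: kv[1], reverse=True)[:n]


# --- The packet view: detail the flow records threw away ---------------------

def payloads_for(pcap_bytes, host, port):
    """Application data of every packet to or from host:port; flows cannot answer this."""
    return [p for _, s, d, _, sp, dp, _, p in parse_pcap(pcap_bytes)
            if (s, sp) == (host, port) or (d, dp) == (host, port)]


if __name__ == "__main__":
    pcap = build_sample_pcap()
    flows = build_flows(pcap)
    print("flow records:", len(flows))
    print("top talkers:", top_talkers(flows))
    print("top applications:", top_applications(flows))
    print("first HTTP request on the wire:", payloads_for(pcap, "198.51.100.8", 80)[0].split(b"\r\n")[0])
```

The flow view answers the capacity question directly (one host and HTTPS dominate), and it is tiny compared with the capture it came from. But the last line is only possible because the packets were kept: a flow record would tell you that 10.0.0.9 talked to port 80, never that it requested /admin. That is the detail the post describes experts going back to Wireshark for.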

Until now, there hasn’t been a tool that marries the simplicity of Flow Analysis with the depth of Packet Capture, providing a clear view of activity that is easy for non-network engineers to understand while still letting experts get the granular details when needed. This is a tall order, but the latest enhancements to FlowView Plus combine both of these requirements into a single, easy-to-deploy, affordable and secure solution for networks of all sizes and configurations.

FlowView Plus provides an easy-to-understand summary of activity together with the ability to download the complete packet capture for Wireshark analysis. Non-engineers can view a simple summary of the top users, top applications and any warnings seen in the packet capture right in the web user interface, while expert users can download the capture for a full forensic playback of the activity on the network. Although there is still work to do before the right balance is struck between simplicity and detail in the realm of packet analysis, this is a big step in the right direction.

Filed Under: Networking Technology, Performance Monitoring

Tags: flow analysis, FlowView, NPM, packet capture, packets