Many organisations struggle with effective problem investigation and remediation. Shortages of skills and time, combined with incomplete visibility of the network, make it a slow, painful and often inconclusive task.
When it comes to investigating security threats, network performance issues and application slowdowns, a full packet-level network history is an essential resource for your SecOps, NetOps and DevOps staff.
Network packets are the fundamental basis of communication across all computer systems: without data packets, there is no network. Capturing these packets provides a detailed record of what, when and how systems have communicated, and once captured, analysis tools can be used to interpret the details of those communications.
Captured traffic is typically used for two functions. One is to feed other tools for immediate analysis, such as Deep Packet Inspection (DPI) for security or performance monitoring, or the generation of flow data. The other is historical or retrospective analysis of traffic, again usually for security or network performance issues.
The challenges surrounding the effective capture of these network packets tend to fall into two areas:
- Speed / volumes of traffic
- Retention requirements
With current network speeds being vastly higher than in the past (speeds of 40Gbps, 100Gbps and higher are now not unusual), huge volumes of traffic traverse modern networks. Increasing speed brings with it the challenge of writing to disk fast enough to capture 100% of network traffic, given the physical limits of disk write throughput and the cost of solid state disks.
In conjunction with this, many customers have regulatory or internal policy requirements governing how long data must be retained. Again, because of the large volumes of data, this brings challenges around the amount of storage required. For example, at 100Gb/s, if a link is fully saturated, more than 1PB (petabyte) of disk space is required just to store one day of traffic.
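The two sizing questions raised above (can the disks keep up, and how much storage does a retention policy need) reduce to a few calculations that are worth having in a reusable form. The following is an added example, not code from the original page or any product it describes; it uses the same arithmetic as the 100Gb/s figure in the text (bits per second divided by 8, times 86,400 seconds per day), and the capture-format overhead parameter is an assumption that defaults to zero.

```python
"""Capacity planning helpers for full packet capture (constructed example).

All figures are decimal units (1 PB = 10**15 bytes, 1 MB/s = 10**6 bytes/s).
"""

SECONDS_PER_DAY = 86_400
PETABYTE = 10**15
TERABYTE = 10**12


def bytes_per_day(link_gbps: float, utilisation: float = 1.0, overhead: float = 0.0) -> float:
    """Bytes written per day for one link at the given average utilisation (0..1).

    `overhead` is an assumed fraction added for capture-format framing
    (per-packet record headers, indexes); it defaults to 0 so that a fully
    saturated 100Gb/s link reproduces the page's own "more than 1PB per day".
    """
    if not 0.0 <= utilisation <= 1.0:
        raise ValueError("utilisation must be between 0 and 1")
    bits_per_second = link_gbps * 1e9 * utilisation
    return bits_per_second / 8 * SECONDS_PER_DAY * (1.0 + overhead)


def storage_required(link_gbps: float, utilisation: float, retention_days: float,
                     overhead: float = 0.0) -> float:
    """Total bytes needed to hold `retention_days` of traffic for one link."""
    return bytes_per_day(link_gbps, utilisation, overhead) * retention_days


def retention_days(storage_bytes: float, link_gbps: float, utilisation: float,
                   overhead: float = 0.0) -> float:
    """Days of history a given storage budget can hold before the oldest data is overwritten."""
    return storage_bytes / bytes_per_day(link_gbps, utilisation, overhead)


def required_write_mbps(link_gbps: float, utilisation: float = 1.0) -> float:
    """Sustained disk write rate (MB/s) needed to lose no packets at this utilisation."""
    return link_gbps * 1e9 * utilisation / 8 / 1e6


def write_throughput_ok(link_gbps: float, utilisation: float, disk_write_mbps: float) -> bool:
    """True if the storage subsystem's sustained write rate covers the capture rate.

    Peaks matter more than averages for packet loss, so size against the
    utilisation you expect at the busiest interval, not the daily mean.
    """
    return disk_write_mbps >= required_write_mbps(link_gbps, utilisation)


if __name__ == "__main__":
    # Reproduce the page's example: a saturated 100Gb/s link for one day.
    one_day = storage_required(100, 1.0, 1)
    print(f"100Gb/s saturated, 1 day: {one_day / PETABYTE:.2f} PB")

    # Constructed planning table for more typical utilisations and retention windows.
    for gbps, util, days in [(10, 0.3, 30), (40, 0.5, 7), (100, 0.2, 14)]:
        total = storage_required(gbps, util, days)
        print(f"{gbps:>3}Gb/s @ {util:.0%} for {days:>2} days: "
              f"{total / TERABYTE:,.0f} TB, needs {required_write_mbps(gbps, util):,.0f} MB/s sustained")

    # How long does a 500 TB budget last on a 10Gb/s link running at 30%?
    print(f"500 TB at 10Gb/s @ 30%: {retention_days(500 * TERABYTE, 10, 0.3):.1f} days")
```

Run it as a script to print the planning table; the functions are also importable so the same arithmetic can be dropped into a monitoring check that alerts when projected retention falls below policy.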
Capturing and/or storing traffic allows you to drill down into the detail of what caused a given security, network or application issue, so your teams can determine how best to prevent a recurrence, with maximum efficiency.