Packet capture is the ultimate tool for troubleshooting your network and protecting it from cyber threats. As important as your advanced security and monitoring tools are, there are two primary reasons why those tools can only make incident response and root cause analysis as efficient as possible when they are backed by packet capture best practices.
First, security and monitoring tools can’t get a complete view of your network activity without strong packet capture capabilities. Without 100% visibility of packets, your tools aren’t getting enough details about activity to accurately identify when issues occur or tell you where those issues occur.
And second, gaps in packet capture limit the amount of historical data you can collect, making it difficult to understand network events. Responding to data breaches, for example, isn’t just about mitigating the immediate threat. It’s also about applying digital forensics after the fact to understand what happened, how your network was exploited, and what attackers were able to compromise. Without packet capture best practices, you won’t be able to achieve accurate forensics.
Ultimately, the truth about your network lies in the packets. Just because you have NetFlow summaries doesn’t mean you have the full picture necessary for deep root cause analysis or security incident reconstruction. Even though it’s a simple concept, so many networking teams fall short on packet capture.
That’s why we have to go back to basics. To maximize your network visibility and get the most out of security and monitoring tools, you need to cover your bases on packet capture best practices.
By definition, packet capture refers to the real-time interception of data packets that cross or move over a specific portion of a computer network. Doing this effectively requires you to understand the basics in two separate categories—the network side and the capture side.
Executing packet capture isn’t necessarily difficult. However, the evolution of Ethernet traffic has made it a bit more complicated than it once was. Compared to the days of Layer 2 network protocols and hubs, packet capture on switch-based networks isn’t straightforward.
Switches allow network devices to send and receive packets at the same time. This kind of full duplex traffic makes it difficult to maintain visibility because packets are sent directly to their destinations, bypassing packet capture devices that aren’t directly between two nodes that are communicating.
Further complicating the matter is the fact that not all devices communicate in full duplex mode. You also have devices that communicate in half duplex mode, which can cause mismatches that result in collisions and minimal throughput.
Setting yourself up for packet capture best practices means matching the speed of your Ethernet links to the bandwidth and throughput capabilities of your capture devices. For example, just because you have a 1Gbps full duplex capture device doesn’t mean you can properly collect data from a fully saturated 1Gbps full duplex link. Because full duplex links send and receive packets, you have to account for 2Gbps total bandwidth when considering packet capture scenarios.
When you have mismatches in Ethernet speed, bandwidth, throughput, and capture capabilities, you risk dropping packets. Dealing with dropped packets means you’re limiting network visibility and diminishing the effectiveness of critical security and monitoring devices.
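The capacity math above, as an added example that is not part of the original post: a small parser for the libpcap file format (24-byte global header, 16-byte record headers) reads a constructed capture, reports observed throughput and how many frames were truncated by the snaplen, and a helper applies the full-duplex rule (a saturated 1 Gbps full-duplex link needs 2 Gbps of capture capacity). The record layout is the standard libpcap one; the capture contents and device ratings are constructed values.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4
# magic, version major/minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
GLOBAL_HDR = struct.Struct("<IHHiIII")
# ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
REC_HDR = struct.Struct("<IIII")

def build_pcap(records, snaplen=65535):
    """Construct a libpcap file from (ts_sec, ts_usec, frame_len) tuples."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for ts_sec, ts_usec, orig_len in records:
        incl_len = min(orig_len, snaplen)          # snaplen truncates what is saved
        out += REC_HDR.pack(ts_sec, ts_usec, incl_len, orig_len)
        out += b"\x00" * incl_len                  # frame bytes are irrelevant here
    return bytes(out)

def capture_stats(data):
    """Walk the records and measure what the capture actually contains."""
    magic, _maj, _min, _tz, _sig, snaplen, _lt = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian libpcap file")
    off, pkts, wire_bytes, truncated = GLOBAL_HDR.size, 0, 0, 0
    first = last = None
    while off + REC_HDR.size <= len(data):
        ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, off)
        off += REC_HDR.size + incl
        t = ts_sec + ts_usec / 1e6
        first = t if first is None else first
        last = t
        pkts += 1
        wire_bytes += orig                         # count what crossed the link
        truncated += 1 if incl < orig else 0       # partial frames break analysis
    duration = (last - first) if pkts > 1 else 0.0
    mbps = wire_bytes * 8 / duration / 1e6 if duration else 0.0
    return {"packets": pkts, "truncated": truncated, "snaplen": snaplen,
            "duration_s": duration, "mbps": mbps}

def capture_fits(link_mbps, full_duplex, capture_mbps):
    """Full-duplex links carry link speed in each direction, so double it."""
    needed = link_mbps * 2 if full_duplex else link_mbps
    return capture_mbps >= needed, needed

# Constructed capture: 1001 full-size frames spread evenly over one second.
SAMPLE = build_pcap([(0, i * 1000, 1500) for i in range(1001)])
SAMPLE_SHORT = build_pcap([(0, i * 1000, 1500) for i in range(1001)], snaplen=96)
```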
So, once you understand the speed and duplex modes of the links across your network, you can start to consider which capture devices will work best for your visibility needs.
There’s a wide variety of tools and techniques you can use for packet capture and the reality is that there aren’t many hard-and-fast rules to success. Your specific needs will depend on your unique network design and business requirements.
However, there are still a few basic devices that you should consider when planning your approach to packet capture. The three main options are:
Once you’ve captured packets, they are stored temporarily to be analyzed by either another tool or the network administrator. By comparing captured packets from the same point in a network over time, you can determine and observe normal behavior, making it easier to identify deviations from the baseline.
Combining network analyzers with full packet capture can help you execute key tasks, such as:
Often called network or packet sniffers, these analyzers intercept data flowing across your network and collect data from capture devices. Network sniffer tools record data packets, decode those packets and format them for administrative view, analyze errors in communication, and give you the information necessary to troubleshoot network connections.
Wireshark is the most popular network analysis tool available. This free, open-source software offers an easy way to view data packets and the protocols used to transmit them. Ultimately, Wireshark makes it easy to see what kind of traffic is coming into and going out of your network, the volume of traffic on your network, and how much latency exists. For the most part, you'll analyze TCP, UDP, and ICMP packets in Wireshark.
When you set yourself up for full packet capture, you need tools to help you sift through all of that data and find information that will help you support performance and security tasks. Wireshark and other network analyzers let you search through packet data to find anomalies in behavior.
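The baselining idea from the earlier paragraph on comparing captures from the same point over time, and the anomaly search just described, as an added example that is not part of the original post: per-protocol packet counts from a capture point are bucketed into fixed windows, a baseline period gives a mean and spread per protocol, and later windows are flagged when a protocol deviates or appears for the first time. The packet summary records are constructed, and the hosts 10.0.0.5 and 10.0.0.9 are placeholders.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

def window_counts(records, window=60):
    """Bucket (seconds, src, dst, proto, bytes) packet summaries by window and protocol."""
    buckets = defaultdict(Counter)
    for ts, _src, _dst, proto, _nbytes in records:
        buckets[int(ts // window)][proto] += 1
    return buckets

def build_baseline(buckets):
    """Per-protocol (mean, population stdev) of packets per window over the baseline period."""
    protos = {p for counts in buckets.values() for p in counts}
    baseline = {}
    for p in protos:
        series = [counts.get(p, 0) for counts in buckets.values()]
        baseline[p] = (mean(series), pstdev(series))
    return baseline

def find_deviations(baseline, buckets, sigma=3.0, min_delta=5):
    """Flag windows whose protocol volume leaves the baseline band, or an unseen protocol."""
    alerts = []
    for w in sorted(buckets):
        for p, n in buckets[w].items():
            if p not in baseline:
                alerts.append((w, p, n, "protocol not seen in baseline"))
                continue
            mu, sd = baseline[p]
            # min_delta suppresses alerts on protocols whose baseline is nearly constant
            if n > mu + sigma * sd and n - mu >= min_delta:
                alerts.append((w, p, n, f"{n} packets vs baseline {mu:.1f} +/- {sd:.1f}"))
    return alerts

def synth(window_idx, counts, window=60):
    """Constructed capture summaries: spread n packets of each protocol across one window."""
    out = []
    for proto, n in counts.items():
        for i in range(n):
            ts = window_idx * window + i * window / max(n, 1)
            out.append((ts, "10.0.0.5", "10.0.0.9", proto, 64))
    return out

# Ten quiet baseline windows, then one window with an ICMP burst at the same capture point.
BASELINE = sum((synth(w, {"TCP": 100 + w % 3, "UDP": 20, "ICMP": 2}) for w in range(10)), [])
OBSERVED = synth(10, {"TCP": 101, "UDP": 21, "ICMP": 150})
```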
The packet capture basics covered here—from networking elements to capture devices and analyzer tools—only scratch the surface of what it takes to monitor your network effectively.
Looking to add packet capture visibility to your deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.
Chris Bihary has been in the network performance industry for over 20 years. Bihary has established collaborative partnerships with technology companies to complement product performance through the integration of network test access points. Previously, Bihary was Managing Partner at Network Critical.