Packet capture is the ultimate tool for troubleshooting your network and protecting it from cyber threats. As important as your advanced security and monitoring tools are, there are two primary reasons why they can only make incident response and root cause analysis as efficient as possible when packet capture best practices are in place.
First, security and monitoring tools can’t get a complete view of your network activity without strong packet capture capabilities. Without 100% visibility of packets, your tools aren’t getting enough details about activity to accurately identify when issues occur or tell you where those issues occur.
And second, gaps in packet capture limit the amount of historical data you can collect, making it difficult to understand network events. Responding to data breaches, for example, isn’t just about mitigating the immediate threat. It’s also about applying digital forensics after the fact to understand what happened, how your network was exploited, and what attackers were able to compromise. Without packet capture best practices, you won’t be able to achieve accurate forensics.
Ultimately, the truth about your network lies in the packets. Just because you have NetFlow summaries doesn’t mean you have the full picture necessary for deep root cause analysis or security incident reconstruction. Even though it’s a simple concept, so many networking teams fall short on packet capture.
That’s why we have to go back to basics. To maximize your network visibility and get the most out of security and monitoring tools, you need to cover your bases on packet capture best practices.
The Two Sides of Packet Capture Best Practices
By definition, packet capture refers to the real-time interception of a data packet that crosses or moves over a specific portion of a computer network. Doing this effectively requires you to understand the basics in two separate categories—the network side and the capture side.
Network Basics for Packet Capture
Executing packet capture isn’t necessarily difficult. However, the evolution of Ethernet traffic has made it a bit more complicated than it once was. Compared to the days of Layer 2 network protocols and hubs, which repeated every frame to every port, packet capture on switch-based networks isn’t as straightforward.
Switches forward each frame only toward its destination and allow network devices to send and receive packets at the same time. This kind of full duplex, switched traffic makes it difficult to maintain visibility because packets go directly to their destinations, bypassing any packet capture device that isn’t directly in the path between the two nodes that are communicating.
Further complicating the matter is the fact that not all devices communicate in full duplex mode. You also have devices that communicate in half duplex mode, which can cause duplex mismatches that result in collisions and very poor throughput.
Setting yourself up for packet capture best practices means matching the speed of your Ethernet links to the bandwidth and throughput capabilities of your capture devices. For example, just because you have a 1Gbps full duplex capture device doesn’t mean you can properly collect data from a fully saturated 1Gbps full duplex link. Because a full duplex link sends and receives packets at the same time, you have to account for 2Gbps of total bandwidth when considering packet capture scenarios.
When you have mismatches in Ethernet speed, bandwidth, throughput, and capture capabilities, you risk dropping packets. Dealing with dropped packets means you’re limiting network visibility and diminishing the effectiveness of critical security and monitoring devices.
So, once you understand the speed and duplex modes of the links across your network, you can start to consider which capture devices will work best for your visibility needs.
Capture Basics for Network Visibility
There’s a wide variety of tools and techniques you can use for packet capture, and the reality is that there aren’t many hard-and-fast rules for success. Your specific needs will depend on your unique network design and business requirements.
However, there are still a few basic devices that you should consider when planning your approach to packet capture. The three main options are:
- Network Cards: These devices can calculate network checksums, split large datasets into sizes that fit the physical network, and merge packets for more efficient transfer. The problem is that network cards will discard frames whose destination MAC address doesn’t match their own (unless they are put into promiscuous mode) or whose checksums are broken. You can upgrade to professional network cards, but they’re still not specifically designed for packet capture. Some network cards won’t capture VLAN tags, have strict requirements for frame sizes, offload certain packet processing to hardware so the capture doesn’t reflect what was actually on the wire, and show packets out of order.
- SPAN Ports: The rise of switch-based networking came with SPAN port features. A Switched Port Analyzer (SPAN) provides port mirroring, which promises to copy all network packets on one port (or an entire VLAN) to another port. However, SPAN ports can create bandwidth bottlenecks and stress the switch CPU while, at times, providing insufficient precision in packet capture, which won’t work in high bandwidth environments or when you need to pinpoint the location of packet loss.
- Network TAPs: These are hardware tools that allow you to access and monitor your network by capturing both send and receive data streams simultaneously on separate dedicated channels. This ensures that all data arrives at monitoring or security devices in real time. Because TAPs do not alter the time relationships of frames, they give you a complete picture of packet truth across your network without suffering from the same bandwidth and throughput issues that SPAN ports struggle with.
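To make the bandwidth accounting concrete, here is a small planning check, added as an example and not code from the original article, that models the full duplex point above (a saturated 1Gbps link needs 2Gbps of capture capacity) and the SPAN bottleneck point (several source ports mirrored onto one destination port). The link names and utilization figures are constructed sample values, and the drop estimate is a best case that ignores switch CPU and buffer limits.

```python
# Capture-capacity check for SPAN/TAP feeds.
# Added example, not from the article; link figures are constructed samples.
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    speed_mbps: int
    full_duplex: bool
    peak_utilization: float  # fraction of line rate seen at peak, per direction


def capture_load_mbps(link: Link) -> float:
    """Traffic a capture device must absorb from this link at peak.

    A full duplex link sends and receives at the same time, so both directions
    count; a half duplex link carries only one direction at any moment.
    """
    directions = 2 if link.full_duplex else 1
    return directions * link.speed_mbps * link.peak_utilization


def plan_capture(links, capture_mbps):
    """Compare the summed load of all monitored links with the capture capacity.

    `capture_mbps` is the rated throughput of the capture device, or the speed
    of the SPAN destination port when several sources are mirrored onto it.
    Returns (total_mbps, oversubscribed, estimated_drop_fraction); the drop
    estimate is the share of peak traffic that exceeds capacity, which is the
    best case, since real SPAN ports also lose frames to switch CPU and
    buffer pressure.
    """
    total = sum(capture_load_mbps(link) for link in links)
    oversubscribed = total > capture_mbps
    drop = max(0.0, 1.0 - capture_mbps / total) if total else 0.0
    return total, oversubscribed, drop


def report(links, capture_mbps):
    """Human-readable summary of plan_capture for one capture point."""
    total, over, drop = plan_capture(links, capture_mbps)
    lines = [f"{link.name}: {capture_load_mbps(link):.0f} Mbps at peak" for link in links]
    verdict = (f"OVERSUBSCRIBED: {total:.0f} Mbps into {capture_mbps} Mbps, "
               f"expect at least {drop:.0%} loss at peak" if over
               else f"OK: {total:.0f} Mbps fits {capture_mbps} Mbps")
    return "\n".join(lines + [verdict])


# Constructed sample: one saturated uplink, a moderately busy server port and
# a half duplex legacy device, all mirrored onto a single 1Gbps port.
EXAMPLE_LINKS = [
    Link("uplink", 1000, True, 1.0),
    Link("server-a", 1000, True, 0.4),
    Link("legacy-printer", 100, False, 0.2),
]

if __name__ == "__main__":
    print(report(EXAMPLE_LINKS, capture_mbps=1000))
    print(report(EXAMPLE_LINKS, capture_mbps=4000))
```

Running the sample shows the single saturated uplink alone already needs 2000 Mbps, so a 1Gbps SPAN destination port drops at least half of its peak traffic before the other sources are even added; a TAP that hands each direction to its own capture channel sidesteps that particular bottleneck, which is the point the article makes in favour of TAPs.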
Analysis: What to Do with Packets Once They’re Captured
Once you’ve captured packets, they are stored temporarily to be analyzed by either another tool or the network administrator. By comparing captured packets from the same point in a network over time, you can determine and observe normal behavior, making it easier to identify deviations from the baseline.
Combining network analyzers with full packet capture can help you execute key tasks, such as:
- Identifying security threats proactively
- Troubleshooting network behavior anomalies
- Spotting congestion that could hinder network performance
- Detecting areas of packet loss across the network
- Conducting forensic analysis to gather information after a security incident
Often called network or packet sniffers, these analyzers intercept data flowing across your network and collect data from capture devices. Network sniffer tools record data packets, decode them and format them for the administrator to view, analyze errors in communication, and give you the information necessary to troubleshoot network connections.
Wireshark is the most popular network analysis tool available. This free, open source software offers an easy way to view data packets and the protocols used to transmit them. Ultimately, Wireshark makes it easy to see what kind of traffic is coming into and going out of your network, the volume of traffic on your network, and how much latency exists. For the most part, you’ll analyze TCP, UDP, and ICMP packets in Wireshark.
When you set yourself up for full packet capture, you need tools to help you sift through all of that data and find information that will help you support performance and security tasks. Wireshark and other network analyzers let you search through packet data to find anomalies in behavior.
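As an added example (not code from the article or from the Wireshark project), the following Python reads a classic libpcap file using only the standard library, decodes Ethernet, 802.1Q and IPv4 headers far enough to classify TCP, UDP and ICMP packets, and compares a baseline window of the capture with a later window of equal length, flagging traffic that is new or has spiked. That is the baseline comparison described in the analysis section above, done on the same kind of data an analyzer decodes. The capture it reads is constructed in memory; pcapng files and non-Ethernet link types are out of scope and are rejected rather than misread.

```python
# Minimal libpcap reader with baseline-versus-window comparison.
# Added example, not from the article; the capture below is constructed sample data.
import struct
from collections import Counter

ETH_IPV4 = 0x0800
ETH_VLAN = 0x8100
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def build_frame(proto, src_port, dst_port, vlan=None):
    """Construct an Ethernet/IPv4 frame carrying TCP, UDP or ICMP (sample data)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    if vlan is not None:                       # optional 802.1Q tag
        eth += struct.pack("!HH", ETH_VLAN, vlan)
    eth += struct.pack("!H", ETH_IPV4)
    if proto == 6:                             # TCP SYN, 20-byte header
        l4 = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    elif proto == 17:                          # UDP, 8-byte header
        l4 = struct.pack("!HHHH", src_port, dst_port, 8, 0)
    else:                                      # ICMP echo request
        l4 = struct.pack("!BBHHH", 8, 0, 0, 1, 1)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + l4


def build_pcap(records):
    """Write a little-endian, microsecond pcap from (timestamp, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_packets(data):
    """Yield (timestamp, frame) from a classic pcap, honouring byte order and resolution."""
    formats = {0xA1B2C3D4: ("<", 1e6), 0xD4C3B2A1: (">", 1e6),      # microsecond magic
               0xA1B23C4D: ("<", 1e9), 0x4D3CB2A1: (">", 1e9)}      # nanosecond magic
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in formats:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    endian, ts_div = formats[magic]
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only the Ethernet link type (1) is handled")
    off = 24
    while off + 16 <= len(data):
        sec, frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        yield sec + frac / ts_div, data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def decode(frame):
    """Classify a frame as (protocol name, destination port, VLAN id); None if not IPv4."""
    if len(frame) < 14:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    if ethertype == ETH_VLAN and len(frame) >= 18:  # 802.1Q tag: tag-stripping NICs lose this
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        off, vlan = 18, tci & 0x0FFF
    if ethertype != ETH_IPV4 or len(frame) < off + 20:
        return None
    proto, l4 = frame[off + 9], off + (frame[off] & 0x0F) * 4
    dst_port = None
    if proto in (6, 17) and len(frame) >= l4 + 4:  # TCP and UDP ports sit at the same offsets
        dst_port = struct.unpack("!H", frame[l4 + 2:l4 + 4])[0]
    return PROTO_NAMES.get(proto, str(proto)), dst_port, vlan


def profile(pcap_bytes, start, end):
    """Count (protocol, destination port) pairs for packets timestamped in [start, end)."""
    counts = Counter()
    for ts, frame in iter_packets(pcap_bytes):
        if start <= ts < end:
            d = decode(frame)
            if d:
                counts[(d[0], d[1])] += 1
    return counts


def deviations(baseline, window, ratio=3.0):
    """Flag traffic absent from the baseline or grown by `ratio` (windows of equal length)."""
    flagged = {}
    for key, n in window.items():
        base = baseline.get(key, 0)
        if base == 0:
            flagged[key] = ("new", n)
        elif n / base >= ratio:
            flagged[key] = ("spike", n / base)
    return flagged


def sample_capture():
    """Constructed capture: 10 s of HTTPS/DNS/ICMP, then 10 s of the same plus a port-445 burst."""
    records = []
    for i in range(10):
        records.append((i, build_frame(6, 40000 + i, 443)))
        records.append((i + 0.5, build_frame(17, 50000 + i, 53, vlan=100)))
        records.append((10 + i, build_frame(6, 41000 + i, 443)))
        records.append((10 + i + 0.5, build_frame(17, 51000 + i, 53, vlan=100)))
    records.append((4.2, build_frame(1, 0, 0)))
    records.extend((12 + i * 0.1, build_frame(6, 42000 + i, 445)) for i in range(30))
    records.sort(key=lambda r: r[0])
    return build_pcap(records)
```

Calling `deviations(profile(pcap, 0, 10), profile(pcap, 10, 20))` on the sample returns only the port-445 traffic as new, while the HTTPS and DNS background that matches the baseline stays quiet; the DNS frames are VLAN-tagged, which is why the decoder handles 802.1Q itself rather than relying on a capture card that may have stripped the tag.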
The packet capture basics covered here—from networking elements to capture devices and analyzer tools—only scratch the surface of what it takes to monitor your network effectively.
Looking to add packet capture visibility to your deployment, but not sure where to start? Join us for a brief network Design-IT consultation or demo. No obligation - it’s what we love to do.