
What Is a Packet Analyzer?

October 8, 2020

Imagine this: one of the applications running on your network is performing poorly, and you have no idea why. You've checked out all the usual suspects and can't find the issue that needs to be repaired. You're going crazy trying to understand where your bug is.

Until you remember that you can go to the source to investigate data transmission.

That's right, I'm talking about getting your hands dirty and diving into the minutiae of your network.

To investigate the root cause of your application's poor performance, you need to access the packet data.

What is packet data?

Network packets are the basic unit in which data crosses a network or the internet. Each packet has two general sections: a header, carrying control information, and the payload, carrying the user data.

The header contains what the network needs to deliver the payload: the Ethernet II frame header, which carries the destination and source MAC addresses (DMAC and SMAC) and, if the frame is tagged, an 802.1Q VLAN ID; and the IPv4 or IPv6 header, which carries the source and destination IP addresses. These are the layer 2 and layer 3 fields.

The payload is the information the user actually wants: video, phone audio, images and documents, like the page you are reading right now. Between the IP header and that payload sits the layer 4 transport header, TCP or UDP (User Datagram Protocol), which carries the source and destination port numbers that identify the application on each end.

Depending on the service (TV, computer or mobile device), millions of packets are transmitted in sequence and the receiver expects them in that sequence. Packets that arrive out of order or not at all force the receiver to reorder or retransmit them, which shows up as latency, slow service, and interrupted or pixelated video and audio.

But sending data over a network is just like shipping a package: you have to follow certain rules and go through a specific process before your final product gets delivered. You can think of this process as the import/export laws of the internet.

This set of rules, the Transmission Control Protocol/Internet Protocol (TCP/IP) suite, is organized as a protocol stack of four layers:

  1. The application layer is the top of the TCP/IP stack. Protocols such as HTTP and DNS define the format of the data your applications exchange.
  2. The transport layer, usually TCP (or UDP), is where the data is split into segments and given source and destination port numbers, so it reaches the correct application, and sequence numbers, so TCP can deliver it in the correct order and retransmit anything that was lost.
  3. The internet layer (IP) adds source and destination IP addresses to each packet. Routers use the destination address to choose the next hop, so the packet can reach its final destination across networks efficiently.
  4. The link layer is the hardware and its driver (the network interface and Ethernet) that puts frames on the wire and receives them. The receiving host's stack then strips each header in turn and reassembles the data for the application.
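The header fields described above, decoded in working code. This is an added example written for this page, not code from the original post or from any vendor's tool. It uses only Python's standard library and decodes a constructed sample frame (the MAC and IP addresses, VLAN ID and ports are made up) carrying an Ethernet II header, an 802.1Q tag, an IPv4 header and a UDP or TCP header, which is exactly the layer 2 to layer 4 data a packet analyzer shows. It also verifies the IPv4 header checksum, which a real analyzer flags when a frame was corrupted in transit.

```python
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 ones-complement sum over the IPv4 header; returns 0 when the checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(frame: bytes) -> dict:
    """Decode the layer 2-4 headers of an Ethernet II frame into the fields a packet analyzer shows."""
    out = {}
    dmac, smac, ethertype = struct.unpack("!6s6sH", frame[:14])
    out["dst_mac"], out["src_mac"] = dmac.hex(":"), smac.hex(":")
    offset = 14
    if ethertype == ETHERTYPE_VLAN:                       # tagged frame: 4 extra bytes before the IP header
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        out["vlan"] = tci & 0x0FFF                        # low 12 bits of the TCI are the VLAN ID
        offset = 18
    out["ethertype"] = ethertype
    if ethertype != ETHERTYPE_IPV4:
        return out                                        # IPv6, ARP etc. are left undecoded in this example

    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", frame[offset:offset + 20])
    ihl = (ver_ihl & 0x0F) * 4                            # header length in bytes (IP options make it > 20)
    ip = frame[offset:offset + total_len]                 # drop any Ethernet padding past the IP total length
    out.update(src_ip=".".join(map(str, src)), dst_ip=".".join(map(str, dst)), ttl=ttl,
               ip_header_ok=ipv4_checksum(ip[:ihl]) == 0)
    l4 = ip[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport, _length, _csum = struct.unpack("!HHHH", l4[:8])
        out.update(protocol="UDP", src_port=sport, dst_port=dport, payload=l4[8:])
    elif proto == IPPROTO_TCP:
        sport, dport, seq, ack, data_off, flags = struct.unpack("!HHIIBB", l4[:14])
        hdr_len = (data_off >> 4) * 4                     # TCP data offset is in 32-bit words
        out.update(protocol="TCP", src_port=sport, dst_port=dport, seq=seq, ack=ack,
                   flags=flags, payload=l4[hdr_len:])
    else:
        out.update(protocol=proto, payload=l4)
    return out


def build_sample_frame() -> bytes:
    """Constructed sample (not a real capture): VLAN 100, 10.0.0.1:53000 -> 10.0.0.53:53 UDP, 4-byte payload."""
    payload = b"ping"
    # UDP checksum 0 means "not computed", which IPv4 permits.
    udp = struct.pack("!HHHH", 53000, 53, 8 + len(payload), 0) + payload
    ip_no_csum = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0x4000, 64, IPPROTO_UDP, 0,
                             bytes([10, 0, 0, 1]), bytes([10, 0, 0, 53]))
    ip = ip_no_csum[:10] + struct.pack("!H", ipv4_checksum(ip_no_csum)) + ip_no_csum[12:]
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
           + struct.pack("!HHH", ETHERTYPE_VLAN, 100, ETHERTYPE_IPV4))
    return eth + ip + udp


if __name__ == "__main__":
    for key, value in parse_frame(build_sample_frame()).items():
        print(f"{key:14} {value}")
```

Flipping any byte of the IP header in the sample (for example the TTL at offset 26) makes `ip_header_ok` come back `False`, which is the kind of error frame a TAP passes through to the analyzer and a switch quietly discards.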

To see what is happening to your packets as they pass through these layers, and to pinpoint latency or dropped packets, you need a packet analyzer.



What is a packet analyzer?

Packet analyzers, also known as packet sniffers or network analyzers, are network monitoring tools that examine the data traffic moving in and out of a network. They are used to find the performance issues that lead to traffic bottlenecks, network downtime and other problems that ultimately affect end-user experience and a company's productivity.

Continuing with our shipping analogy, you can think of packet analyzers as the gate agents and security scanners in the data transportation process. They work behind the scenes to ensure everything runs smoothly on your network.

Packet sniffers are a go-to tool for everything from verifying that traffic is routed correctly to checking that employees aren't using company internet time for inappropriate websites. Packet analyzers also help detect potential intrusions by spotting access patterns that are inconsistent with normal usage.

In a process known as packet capture, the analyzer copies packets as they cross your network and saves them, typically as a PCAP file, on the monitoring device. You can then analyze these copies to detect usage spikes, suspicious data transfers and inconsistent network performance.
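What that saved copy looks like on disk, as an added example that is not part of the original post: a minimal writer and reader for the classic libpcap file format (24-byte global header, then a 16-byte record header per packet carrying the capture timestamp, the number of bytes stored and the number of bytes that were on the wire). The sample frames and timestamps are constructed, not captured. The snaplen and byte-order handling matter in practice: a capture taken with a small snaplen stores only the first bytes of each packet, and files written on different machines can use either byte order, which the reader detects from the magic number.

```python
import struct
from typing import Iterable, Iterator, Tuple

# Classic libpcap file format: 24-byte global header, then one 16-byte record header per packet.
MAGIC_USEC, MAGIC_NSEC = 0xA1B2C3D4, 0xA1B23C4D     # timestamp resolution is encoded in the magic number
LINKTYPE_ETHERNET = 1


def write_pcap(records: Iterable[Tuple[float, bytes]], snaplen: int = 65535, order: str = "!") -> bytes:
    """Serialize (timestamp_seconds, frame) pairs as a microsecond-resolution pcap file.

    order is "!" (big-endian) or "<" (little-endian); readers detect which from the magic number.
    """
    out = bytearray(struct.pack(order + "IHHiIII", MAGIC_USEC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for ts, frame in records:
        sec, usec = divmod(int(round(ts * 1_000_000)), 1_000_000)
        stored = frame[:snaplen]                                     # snaplen truncates what is stored on disk...
        out += struct.pack(order + "IIII", sec, usec, len(stored), len(frame))  # ...orig_len keeps the wire size
        out += stored
    return bytes(out)


def read_pcap(data: bytes) -> Iterator[Tuple[float, int, bytes]]:
    """Yield (timestamp_seconds, original_length, stored_bytes) per record, in either byte order."""
    magic = struct.unpack("!I", data[:4])[0]
    layouts = {MAGIC_USEC: ("!", 1e6), MAGIC_NSEC: ("!", 1e9),
               0xD4C3B2A1: ("<", 1e6), 0x4D3CB2A1: ("<", 1e9)}      # the same two magics, byte-swapped
    if magic not in layouts:
        raise ValueError("not a classic pcap file (magic %#x)" % magic)
    order, ticks = layouts[magic]
    _, _vmaj, _vmin, _tz, _sigfigs, _snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type %d" % linktype)
    pos = 24
    while pos < len(data):
        if pos + 16 > len(data):
            raise ValueError("truncated record header at offset %d" % pos)
        sec, frac, incl_len, orig_len = struct.unpack(order + "IIII", data[pos:pos + 16])
        pos += 16
        stored = data[pos:pos + incl_len]
        if len(stored) < incl_len:
            raise ValueError("truncated packet at offset %d" % pos)   # capture was cut off mid-write
        pos += incl_len
        yield sec + frac / ticks, orig_len, stored


def capture_summary(data: bytes) -> dict:
    """Sanity check of a capture: packet count, bytes on the wire, bytes stored, records cut by the snaplen."""
    packets = wire = stored = snapped = 0
    for _ts, orig_len, frame in read_pcap(data):
        packets += 1
        wire += orig_len
        stored += len(frame)
        snapped += orig_len > len(frame)
    return {"packets": packets, "wire_bytes": wire, "stored_bytes": stored, "snapped": snapped}


if __name__ == "__main__":
    # Constructed frames and timestamps, not captured traffic.
    sample = [(1601000000.000123, b"\xaa" * 60), (1601000000.000456, b"\xbb" * 2000)]
    blob = write_pcap(sample, snaplen=1500)
    print(capture_summary(blob))
```

Writing `blob` to a file with a `.pcap` extension gives you something tcpdump or Wireshark will open; a summary showing a high `snapped` count is the first thing to check when payload analysis of a capture comes up empty.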

What are the advantages of packet sniffing?

Aside from achieving network visibility by having all your data on hand, there are a handful of other huge benefits you can achieve through packet sniffing.

Find the root cause of various issues to secure your network
When you have access to your packet data, you can dig into the root cause of network issues. Thinking like a threat hunter, familiarize yourself with your typical traffic patterns and use that baseline to spot inconsistencies.

Once you know what normal looks like, packet data also reveals weaknesses such as cleartext protocols, unexpected services or traffic to unknown hosts. Knowing where to improve lets you harden the network before those weaknesses turn into incidents.

Better understand your network speed

Armed with your PCAP analysis, you can measure how long packets take to cross your network, for example the round-trip time between a request and its response. Those numbers let you locate the source of a slowdown quickly, determine which applications are affected and take action to fix the issue.
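One concrete way to turn capture data into the baseline and latency numbers described above, as an added example that is not from the original post: measure each TCP handshake (client SYN to server SYN/ACK), compare every connection against the median, and list SYNs that were never answered. The packets here are constructed, already-decoded records (addresses, ports and timestamps are made up) rather than raw frames, so the example runs offline; on a real capture the same fields come from the decoder.

```python
from statistics import median
from typing import Dict, List, NamedTuple, Tuple


class Pkt(NamedTuple):
    ts: float      # capture timestamp in seconds
    src: str
    dst: str
    sport: int
    dport: int
    flags: str     # TCP flags as tcpdump prints them: S = SYN, A = ACK, and so on


Conn = Tuple[str, int, str, int]   # (client ip, client port, server ip, server port)

# Constructed sample of decoded packets (not a real capture): three quick handshakes to a web
# server, one slow handshake to a database, and one SYN to 10.0.0.91:22 that is never answered.
SAMPLE = [
    Pkt(100.000, "10.0.0.5", "10.0.0.80", 40001, 443, "S"),
    Pkt(100.004, "10.0.0.80", "10.0.0.5", 443, 40001, "SA"),
    Pkt(100.0041, "10.0.0.5", "10.0.0.80", 40001, 443, "A"),
    Pkt(101.000, "10.0.0.6", "10.0.0.80", 40002, 443, "S"),
    Pkt(101.005, "10.0.0.80", "10.0.0.6", 443, 40002, "SA"),
    Pkt(102.000, "10.0.0.7", "10.0.0.80", 40003, 443, "S"),
    Pkt(102.0045, "10.0.0.80", "10.0.0.7", 443, 40003, "SA"),
    Pkt(103.000, "10.0.0.5", "10.0.0.90", 40010, 5432, "S"),
    Pkt(103.250, "10.0.0.90", "10.0.0.5", 5432, 40010, "SA"),
    Pkt(104.000, "10.0.0.8", "10.0.0.91", 40011, 22, "S"),
    Pkt(105.000, "10.0.0.8", "10.0.0.91", 40011, 22, "S"),   # retransmitted SYN: still no answer
]


def handshake_rtts(packets: List[Pkt]) -> Tuple[Dict[Conn, float], List[Conn]]:
    """Pair each client SYN with the server's SYN/ACK.

    Returns the handshake RTT per connection plus the connections whose SYN was never
    answered (a dropped packet, a filtered port or a dead host).
    """
    pending: Dict[Conn, float] = {}
    rtts: Dict[Conn, float] = {}
    for p in sorted(packets, key=lambda p: p.ts):
        flags = set(p.flags)
        if flags == {"S"}:
            # Keep the first SYN: a retransmitted SYN means the first one was lost or answered late.
            pending.setdefault((p.src, p.sport, p.dst, p.dport), p.ts)
        elif flags == {"S", "A"}:
            conn = (p.dst, p.dport, p.src, p.sport)      # the reply is addressed back to the client
            if conn in pending:
                rtts[conn] = p.ts - pending.pop(conn)
    return rtts, list(pending)


def slow_handshakes(rtts: Dict[Conn, float], factor: float = 3.0, min_rtt: float = 0.050) -> Dict[Conn, float]:
    """Flag connections whose RTT exceeds both `factor` x the median (the baseline) and `min_rtt` seconds."""
    if not rtts:
        return {}
    threshold = max(min_rtt, factor * median(rtts.values()))
    return {conn: rtt for conn, rtt in rtts.items() if rtt > threshold}


def per_server(rtts: Dict[Conn, float]) -> Dict[Tuple[str, int], float]:
    """Median handshake RTT per (server ip, port), which is where a slow application usually shows up."""
    by_server: Dict[Tuple[str, int], List[float]] = {}
    for (_cip, _cport, sip, sport), rtt in rtts.items():
        by_server.setdefault((sip, sport), []).append(rtt)
    return {server: median(values) for server, values in by_server.items()}


if __name__ == "__main__":
    rtts, unanswered = handshake_rtts(SAMPLE)
    for server, rtt in per_server(rtts).items():
        print(f"{server[0]}:{server[1]:<5} median handshake {rtt * 1000:.1f} ms")
    for conn, rtt in slow_handshakes(rtts).items():
        print(f"SLOW       {conn[0]}:{conn[1]} -> {conn[2]}:{conn[3]}  {rtt * 1000:.1f} ms")
    for conn in unanswered:
        print(f"NO SYN/ACK {conn[0]}:{conn[1]} -> {conn[2]}:{conn[3]}")
```

Handshake RTT is a good first metric because it is independent of application behaviour: if the SYN/ACK is slow or missing, the problem is the network path or the server's stack, not the application on top of it.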

Identify inefficient network usage
Packet analyzers can help you categorize the traffic on your network. With this data, you can identify non-business uses of your network, like visits to social media sites, that might slow your network performance.

How do Packet Sniffers access the Packets?

There are two ways to get packet data to an analyzer: network TAPs (test access points) and port mirroring, known on Cisco switches as SPAN (Switched Port Analyzer).

We’ve already covered the differences between network TAPs and SPAN, but to recap how each delivers packets for PCAP analysis:


Network TAPs

Network TAPs sit in line between two devices and send a complete copy of every packet on the link to your analyzer in real time. Unlike SPAN, a TAP does not alter or filter what it copies: frames with errors are passed along intact and packet timing is preserved, because the copy never waits in a switch queue. That fidelity makes analysis and auditing much easier.

Considered the industry best practice for packet visibility: “EMA recommends that enterprises use TAPs as much as possible in the access layer to avoid network performance impacts and assure packet fidelity.” (EMA, Enterprise Management Associates)

SPAN Ports
The SPAN method also creates a copy of the traffic on one or more switch ports and sends it out a monitor port. However, SPAN was designed for low-volume spot checks and is not recommended for high-throughput links: a full-duplex 1 Gbps link can carry up to 2 Gbps of combined traffic, more than a 1 Gbps monitor port can forward. When the SPAN port is oversubscribed the switch drops mirrored frames, it discards frames with errors rather than copying them, and mirroring several ports or VLANs can deliver the same packet twice. Those dropped and duplicated packets make thorough, accurate analysis difficult or impossible.



Heartbeat Packets Inside the Bypass TAP

If the inline security tool goes offline, the TAP bypasses it and automatically keeps the link flowing. The Bypass TAP detects the tool's state by sending heartbeat packets to it. As long as the tool is online, it returns the heartbeat packets to the TAP and link traffic continues to flow through the tool.

If the heartbeat packets are not returned (indicating that the tool has gone offline), the TAP automatically bypasses it and keeps the link traffic flowing. The TAP also removes the heartbeat packets before traffic goes back onto the critical link, so they never appear on the production network.

While in bypass mode, the TAP keeps sending heartbeat packets to the tool. Once the tool is back online it starts returning them, signalling that it is ready to go back to work, and the TAP directs link traffic (together with the heartbeats) back through the tool, placing it inline again.

Some of you may have noticed a flaw in this logic: what if the TAP itself fails? It is also inline, so the link would fail with it, making the TAP a single point of failure. That is a good catch. As I explained in our blog on Bypass vs. Failsafe, a TAP that fails or loses power must provide failsafe protection to the link it is attached to, so the network TAP goes into failsafe mode and keeps the link flowing.
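The bypass logic above as a small state machine, added here as an illustration and not taken from any TAP vendor's firmware. The tool, the heartbeat frame format (`HB:` plus a sequence number) and the thresholds are all constructed for the simulation; real products use their own probe frames and timers. The scenario walks the inline tool through up, down and up again and records what happens to link traffic at each stage, including the window between the tool dying and the heartbeats detecting it, and the failsafe case where the TAP itself loses power.

```python
from typing import Callable, List, Optional, Tuple

Frame = bytes
HEARTBEAT_PREFIX = b"HB:"   # constructed marker for this simulation; real TAPs use a vendor-specific probe frame


class InlineTool:
    """Simulated inline security tool (e.g. an IPS): forwards frames while up, drops ones it judges
    malicious, and returns nothing at all when it is down, which is what the TAP has to detect."""

    def __init__(self) -> None:
        self.up = True

    def __call__(self, frame: Frame) -> Optional[Frame]:
        if not self.up:
            return None
        if frame.startswith(b"BAD"):
            return None               # the tool's verdict: block
        return frame


class BypassTap:
    """Bypass TAP state machine: heartbeats decide whether link traffic goes through the tool or around it."""

    def __init__(self, tool: Callable[[Frame], Optional[Frame]],
                 miss_threshold: int = 3, recover_threshold: int = 2) -> None:
        self.tool = tool
        self.miss_threshold = miss_threshold          # consecutive lost heartbeats before bypassing
        self.recover_threshold = recover_threshold    # consecutive returned heartbeats before reinserting
        self.bypassed = False
        self.powered = True
        self.misses = self.recoveries = self.seq = 0
        self.events: List[Tuple[int, str]] = []       # (heartbeat number, new state)

    def heartbeat(self) -> bool:
        """Send one heartbeat through the tool. The returned probe is consumed here, never put on the link."""
        if not self.powered:
            return False
        self.seq += 1
        probe = HEARTBEAT_PREFIX + str(self.seq).encode()
        alive = self.tool(probe) == probe
        if alive:
            self.misses = 0
            if self.bypassed:
                self.recoveries += 1
                if self.recoveries >= self.recover_threshold:     # several good probes in a row: avoids flapping
                    self.bypassed, self.recoveries = False, 0
                    self.events.append((self.seq, "inline"))
        else:
            self.recoveries = 0
            if not self.bypassed:
                self.misses += 1
                if self.misses >= self.miss_threshold:
                    self.bypassed, self.misses = True, 0
                    self.events.append((self.seq, "bypass"))
        return alive

    def forward(self, frame: Frame) -> Optional[Frame]:
        """Carry one production frame across the critical link. None means the frame did not make it."""
        if not self.powered or self.bypassed:
            return frame                  # failsafe (relays close on power loss) or bypass: through, uninspected
        return self.tool(frame)           # inline: the tool's verdict stands; a dead tool silently eats the frame


def run_scenario() -> Tuple[List[Tuple[int, str]], List[Optional[Frame]]]:
    """Walk the tool through up -> down -> up and record what happened to link traffic at each stage."""
    tool = InlineTool()
    tap = BypassTap(tool)
    delivered: List[Optional[Frame]] = []
    tap.heartbeat()
    delivered.append(tap.forward(b"GOOD1"))     # inline, clean frame: passes
    delivered.append(tap.forward(b"BAD1"))      # inline, tool blocks it
    tool.up = False
    delivered.append(tap.forward(b"GOOD2"))     # tool just died, not yet detected: frame is lost
    for _ in range(tap.miss_threshold):
        tap.heartbeat()                         # three missed heartbeats -> bypass
    delivered.append(tap.forward(b"BAD2"))      # bypassed: passes uninspected (availability over inspection)
    tool.up = True
    for _ in range(tap.recover_threshold):
        tap.heartbeat()                         # heartbeats return again -> tool reinserted
    delivered.append(tap.forward(b"BAD3"))      # inline again: blocked
    return tap.events, delivered


if __name__ == "__main__":
    events, delivered = run_scenario()
    print("state changes:", events)
    print("frames delivered:", delivered)
```

Two design points worth noticing: traffic sent in the gap between the tool failing and the heartbeat threshold being reached is lost, so the heartbeat interval and miss threshold are a trade-off between false bypasses and outage length; and while bypassed the link carries uninspected traffic, so a bypass event should raise an alert, not just a log line.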

Glossary

  1. Single point of failure: a risk to an IT network if one part of the system brings down a larger part of the entire system.

  2. Heartbeat packet: a soft detection technique in which a bypass TAP sends probe packets through an inline appliance to monitor its health.

  3. Critical link: the connection between two or more network devices or appliances that, if it fails, disrupts the network.

NETWORK MANAGEMENT | THE 101 SERIES