Darragh Delaney

Packet capture made simple

April 18, 2012 6:00 AM EDT

Capturing packets from computer networks can sometimes sound like an activity reserved for hackers and geeks. Looking at a stream of raw packets is not for the fainthearted, but thankfully there are a number of technologies out there that can make the task easier.

Before you can consider packet capture you need to look at how you can implement it on your network. Almost all networks nowadays are based on network switches; thankfully, hubs are a thing of the past. One of the reasons we use network switches is that they are good at only sending packets where they are needed. If I copy some files from a server, my data won't be sent to every network port, which is what happens with hubs. Instead, the switch will send my data through a path that it figures out by communicating with other switches. There are some exceptions to this with broadcast and multicast traffic, but normally the levels of those types of traffic are low.

Hubs had an advantage over switches when it came to troubleshooting problems. If you connected to one port you saw all traffic on the network, and data was replicated across all ports. In order to keep this useful functionality, switch manufacturers include a feature called port mirroring. Port mirroring allows you to take a copy of the data going to and from one or more ports. This type of feature is sometimes called passive or out-of-band monitoring as it does not impact network operations.

Port mirroring on its own is of little use, though. You need to connect something to the mirror port that can take the data and present it in a human readable way.

Wireshark and handheld packet capture devices

One of the most basic forms of packet capture involves the installation of an application that can take packets from a network interface and display their contents. The most common example of this is Wireshark. This application allows you to see all traffic visible on a network interface, not just the traffic addressed to one of the interface's configured addresses plus broadcast/multicast traffic.

It is still very hard to read the output of these applications but they can still be very useful for troubleshooting application problems with a single system.

There are also handheld packet capture devices on the market. These plug into a mirror port and provide real-time visibility into what is happening. Most systems in this space don't store much information, so you need to be watching the screen to spot the issue. If you have an ongoing problem, such as a general network slow-down, then they can be useful.

Application monitoring and IDS

Some application monitoring and intrusion detection systems (IDS) use a mirror port as a source of data. Most will look at the content of each packet (deep packet inspection, or DPI) and extract certain data. In the case of an IDS it could be a suspicious text string that suggests the presence of a virus. For application monitoring, information such as filenames or usernames is captured and stored in a database.

By only storing the information you are interested in you can get a historical record of what's been happening on your network. Systems in this space are often used for data compliance reasons as they are a viable alternative to systems that use log files as a source of data. 
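As an added illustration of the extract-and-store approach just described (this is example code written for this page, not code from the original post or from any NetFort product): a small Python parser that reads one Ethernet frame as a mirror port would deliver it and keeps only the fields an application-monitoring system might store, plus a minimal DPI step that pulls the method, path and Host out of an HTTP request. The frame is constructed inline and the record field names are assumptions.

```python
import struct

# Constructed sample frame (not a real capture): Ethernet II + IPv4 + TCP
# carrying the start of an HTTP request, as a mirror port would deliver it.
ETH_HDR_LEN = 14
IPV4_PROTO_TCP = 6

def build_sample_frame() -> bytes:
    payload = b"GET /login HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4 header; checksum left at zero because this is a constructed sample
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     IPV4_PROTO_TCP, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 80]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload

def summarize_frame(frame: bytes) -> dict:
    """Return only the metadata an application-monitoring system would keep."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        return {"ethertype": ethertype}  # not IPv4; nothing more extracted here
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes
    total_len, proto = struct.unpack("!H", ip[2:4])[0], ip[9]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    rec = {"src": src, "dst": dst, "proto": proto, "bytes": total_len}
    if proto == IPV4_PROTO_TCP:
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4            # TCP header length in bytes
        payload = tcp[data_off:]
        rec.update({"sport": sport, "dport": dport, "payload_len": len(payload)})
        rec.update(extract_http_request(payload))  # the DPI step
    return rec

def extract_http_request(payload: bytes) -> dict:
    """Minimal DPI: pull method, path and Host from the start of an HTTP request."""
    try:
        head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return {}                                # binary payload, not HTTP text
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {}
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return {"method": parts[0], "path": parts[1], "host": host}
```

The record returned by summarize_frame is what gets written to the database; the raw payload is discarded, which is the difference between this kind of system and the packet recorders described later.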

Packet recorders

Packet recorders are like the CCTV cameras for your network as they record everything. They take each packet from a network and store its entire content within a database. Because of this, they can be expensive and consume vast amounts of disk space. The output of these systems will mirror what users on the network experienced. For example, a complete web page can be rebuilt from the packet data so you can see exactly what the end user accessed. 

This all sounds a bit big-brother, but they do have their uses. If you have a problem on your network, you can replay what happened, just like you would replay CCTV footage if there was a problem on the premises you are monitoring. Because of this, I see them used a lot for monitoring applications that handle financial transactions, with online banking and ticket sales being examples.

There are more and more systems becoming available which use network packets as their source data. The main thing to watch out for is that you get something that extracts the right level of information for you and stores it for a time to meet your requirements.

Do you use packet capture on your network? If so I would be interested in hearing your comments on how useful you find it.

Darragh

Darragh Delaney is head of technical services at NetFort. As Director of Technical Services and Customer Support, he interacts on a daily basis with NetFort customers and is responsible for the delivery of a high quality technical and customer support service. Follow Darragh on Twitter @darraghdelaney