Comparing packet and flow capture

Applications which use SNMP as a source of data are very popular way of keeping tabs on what is running on your network. Most of these types of applications can also send alerts when things go down or get too busy. But what if you want to get more information about what is happening on your network?  

In my experience packet or flow capture is the next logical upgrade to SNMP. Packet capture allows you to take a mirror image of network packets as they move through a network. Flow data usually contains a summary of what connections are been setup on a network. Both are really useful technologies for troubleshooting and finding out what is happening on a network. The question is, can you get by with one of these technologies or is there a requirement for both?

Flow data

Most routers and switches which operate at layer 3 of the OSI model will have flow export options. There are many flow standards around and they include NetFlow, sFlow and IPFIX. You just need to install a flow connector which can process whatever flow standard your network equipment uses.  Flow based analysis can be a great way to find out what traffic is traversing across certain parts of your network.

Pros:

  • Easy to setup on devices which operate at layer 3
  • No cabling required
  • No software clients or agents needed on end user systems

Cons:

  • No flow options on some switches
  • Lacks detail when you want to troubleshoot a problem
  • Not ideal for monitoring at the edge of your network where applications piggy back on other protocols

Packet capture

Packet capture involves capturing a mirror image of network packets as they move through a network. Most switches allow for the setup of mirror ports which do not impact network performance. Typically, a deep packet inspection (DPI) application is connected to a mirror port and certain information is extracted from the packets so you can find out what is happening on your network. DPI solutions range from free stuff like Wireshark to commercial applications which take the hard work out of the analysis.

Pros:

  • Better for analysis of application and user behaviour.  Detect bad vs. good use of bandwidth
  • Ideal for monitoring important applications, servers or Internet connections where low level information is critical
  • You get a lot more ‘names’. Application, file, website and host names.
  • No software clients or agents needed on end user systems

Cons:

  • You need to connect cables between mirror ports and your DPI application
  • Need to watch that mirror ports don’t get overloaded on busy networks
  • Free tools may need a high level of technical expertise to interpret the output

So, which technology should you leverage on your network? In some cases the answer is both. Flow analysis can be great if you have a lot of WAN links and need an easy way to get top level visibility without the need for cables. Packet capture will give you a lot more detail at certain points on your network. A combination of both can mean you detect bandwidth hogs easier, as well as reporting on what applications are in use and by whom.

What do you use on your network? Is it possible to get by with one of these technologies? Comments welcome

Computerworld's IT Salary Survey 2017 results
Shop Tech Products at Amazon