Packet Captures - The ABCs of Network Visibility
2020-05-01 | 5 min read
Enterprises, service providers, and network equipment manufacturers (NEMs) waste valuable time and resources trying to replicate production network traffic conditions for fault analysis or to validate architectures and devices before and during deployment. Packet captures (PCAPs) can be a very useful tool for debugging network problems. This is because they provide detailed information that can be used for all sorts of purposes like troubleshooting, location of packet loss, and deep packet analysis.
What Are Packet Captures?
A packet capture is simply the creation of a copy of a packet as it traverses a certain point in the network. Various devices, including network packet brokers, can make a copy of these packets. The copied packets are then forwarded to specific monitoring tools, like Wireshark, for decoding and analysis of the data.
Typical Use Cases
Here are some specific situations in which packet captures are particularly useful:
- Troubleshooting – PCAPs are often used to see what happened to data packets. For instance, when did the event start and what pre-event information is available. Useful pre-event information includes items like was this an instantaneous event or was there prior degradation/damage to packets before the “event?”
- Application Aware inspection – Data captured can be used by monitoring tools for in-depth analysis. Examples include where the packet came from, where it was sent to, the contents of the payload, etc.
- Location of security threats – IP address information can be analyzed to see where captured malicious traffic came from.
- Location of packet loss – By capturing packets along your network and geolocation of data propagation to see exactly where packets are being dropped or loss on your network.
The following are some things to keep in mind about using PCAPs:
Packet capture details – Capture details of the product are important. For instance, you’ll want to know how big the packet capture window is, buffer size (so that you can capture pre-event information), where the packets will stored, the maximum size of a packet capture, maximum line rate for data captures, the types of trigger fields, etc.
Ease of creating packet captures – Packet captures can be created by different devices. The question is, “How easy is it to create the packet capture?” Also, do you have to install a new tool or can an existing device create the PCAP? For instance, a good network packet broker (NPB) can take a snapshot of the packets traversing through the device. There is no need to install or program other types of equipment.
Ease of packet capture decoding – How do you plan to view the PCAP? For instance, do you want an onboard decoder so that as soon as you capture the packet you can read it, or do you simply want to forward the capture devices to another device for analysis at a later date?
Playback of packet captures – Where do you plan to analyze the data? This can be an important consideration if you want to observe what actually happened in the field by performing a detailed analysis in the lab and stepping through the packet captures. Otherwise, you can simply forward the PCAPs to purpose built devices for monitoring analysis purposes, like troubleshooting.
Application level information – Do you need this type of information in addition to the basic Layer 2 through Layer 4 information? NetFlow metadata includes a wide array of network activities along with application and device behavior seen in production networks. This creates a solution that can improve fault analysis or be used to validate architectures and devices before deployment.
More Information on Packet Captures
More information about Ixia network performance, network security and network visibility solutions and how they can help generate the insight needed for your business is available on the Keysight website.