Network World recently posted an article on how NetFlow beats packet capture when it comes to network troubleshooting and threat detection. Although the article had many good points, it missed the mark on some important aspects of packet capture.
NetFlow is great for providing application usage information and can fulfill most organizations' needs for understanding application and service activity, but packet capture solves the most granular end-user problems and is essential when it comes to compliance and transactional analysis.
Packet-based analysis provides network engineers with a complete record of network activity, while NetFlow records only a finite, and often limited, set of statistics.
For example, let's say you suspect that inappropriate documents are being emailed out of the building. With a flow-based solution, you can see that the suspect is using email, and with a more sophisticated flow-based system you may even know that attachments are being sent. But the only way to verify the contents of the attachments is to have a recording of packets, both header and payload. Armed with packet-based details, you have the proof needed to confront the suspect.
As Gartner notes, flow analysis should be done 80% of the time and packet capture should be done 20% of the time. But if your enterprise needs both, why pick a product that only incorporates NetFlow? Wouldn't it be better to choose a product that shows summary-level information (like that from flow-based systems) as well as detailed, packet-based analysis that can be used for root-cause network analysis?
The more comprehensive packet-based solution is always a better choice when it comes to network monitoring, analysis and troubleshooting.
When asked about the absence of packet-based analysis in an enterprise network, Jim Frey of Enterprise Management Associates, a leading industry analyst and consulting firm, said, "Teams will be faced with the increasingly likely reality that the data they need to definitively troubleshoot performance problems, particularly the more subtle/complex problems, will be missing, thus causing them to fall short of best practices in supporting those depending on quality IT services."
Before we discuss why a combined solution is better, let's first look at when NetFlow is most appropriate to use and where packet capture comes into play.
When should you implement NetFlow?
NetFlow, and other flow-based technologies like sFlow, JFlow and IPFIX, are simply specifications for collecting certain types of network data for monitoring and reporting. They use the existing infrastructure of network devices to gather this data. Flows, or unidirectional communications between network elements, are the basic data structure of all flow-based systems. Flow records are collected periodically, typically every minute, from supported network devices and are processed and stored by third-party flow collectors.
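To make the difference concrete, the following is an added example, not code from the original article or from any flow collector. It reduces a few constructed packets to unidirectional flow records keyed by 5-tuple, with a one-minute export interval as a simplification, and then shows the payload that only a packet capture retains. The names `build_flow_records` and `captured_payload`, the addresses and the sample traffic are all assumptions made for illustration.

```python
from collections import namedtuple

# Constructed sample traffic (not a real capture). "length" is a nominal on-wire size.
Packet = namedtuple("Packet", "ts src dst sport dport proto length payload")
C2S = ("10.0.0.5", "203.0.113.25", 50412, 25, "tcp")   # client -> mail server
S2C = ("203.0.113.25", "10.0.0.5", 25, 50412, "tcp")   # reverse direction
SAMPLE_PACKETS = [
    Packet(0.00, *C2S, 74, b""),
    Packet(0.05, *S2C, 74, b""),
    Packet(0.10, *C2S, 120, b"MAIL FROM:<user@example.com>\r\n"),
    Packet(0.15, *S2C, 80, b"250 OK\r\n"),
    Packet(0.20, *C2S, 1500, b"Subject: Q3 forecast\r\n(attachment bytes)"),
    Packet(65.0, *C2S, 90, b"QUIT\r\n"),
]

def build_flow_records(packets, export_interval=60.0):
    """Aggregate packets into unidirectional flow records, one per 5-tuple
    per export interval. Only counters and timestamps are kept."""
    active, exported = {}, []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        rec = active.get(key)
        if rec is not None and p.ts - rec["first"] >= export_interval:
            exported.append(active.pop(key))   # interval elapsed: export it
            rec = None
        if rec is None:
            rec = active[key] = {"key": key, "first": p.ts, "last": p.ts,
                                 "packets": 0, "bytes": 0}
        rec["last"] = p.ts
        rec["packets"] += 1
        rec["bytes"] += p.length
    exported.extend(active.values())           # flush records still open
    return exported

def captured_payload(packets, key):
    """What only a packet capture can answer: the bytes sent in one direction."""
    return b"".join(p.payload for p in sorted(packets, key=lambda pkt: pkt.ts)
                    if (p.src, p.dst, p.sport, p.dport, p.proto) == key)

if __name__ == "__main__":
    for rec in build_flow_records(SAMPLE_PACKETS):
        print(rec)
    print(captured_payload(SAMPLE_PACKETS, C2S))
```

The flow records answer who talked to whom, when and how much; the subject line and attachment bytes appear only in the output of `captured_payload`, which requires the stored packets.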