Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

When it comes to troubleshooting and threat detection, NetFlow AND packet capture trump all

Jay Botelho, Director of Product Management at WildPackets | Oct. 31, 2013
NetFlow is great for providing application usage information and can fulfill most organizations' needs for understanding application and service activity, but packet capture solves the most granular end-user problems and is essential when it comes to compliance and transactional analysis.

NetFlow is primarily used for overall network monitoring, trending and reporting, giving users a general view of the network, and to some degree, application performance. Since the data comes from existing network equipment, it seems "free" to the user (no appliances required to capture network data), although generation of flow-based data does put a strain on network equipment and can lead to problems when the data are most needed. It is great for solving problems like identifying bandwidth hogs and providing network usage reports to management, and because of its excellent reporting capabilities, net-flow based monitoring has become entrenched in enterprise networking.

When does NetFlow fall short?  Generally in three ways:

* NetFlow, and other flow-based analysis solutions, generate additional network traffic with the volume of traffic proportional to the size of the network segment being monitored. The typical packet size is around 1,500 bytes. These packets come in spurts that can range from tens of kilobytes to tens of megabytes for each reporting interval and each reporting device.

Communication takes place over UDP, so dropped packets can sometimes be a problem on busy network segments, and dropped packets cause holes in your analysis. These additional packet streams can put a strain on your network, especially when your network is most vulnerable, and most in need of high quality statistics. With a packet capture solution, all analysis is done within the packet capture appliance, so no additional demand is placed on the network and the network statistics hold their accuracy because packets aren't lost.

* Flow-based analysis also competes for hardware resources on the router or switch. If your router or switch is heavily used, it will focus first on the prime directive, then network routing, and this can compromise your flow-based reporting. This, of course, creates intermittent inaccuracies in your monitoring and reporting, and you lose essential data when you need it the most, i.e. when your network is experiencing heavy traffic, possibly due to an error.

If you are constantly pushing the limits of your network bandwidth, a flow-based solution generates an additional and unnecessary network load. In this situation, it is best to switch to packet capture, as it is entirely passive while still providing you with details needed to help discover why a problem is occurring on the network.

* Sampling is another important factor to consider with flow-based solutions. The default configuration for NetFlow is to monitor and develop flow records for 100 percent of the packets no sampling. However, it can be configured to "1 out of k" static sampling or the network device can simply switch to sampling mode if the network traffic gets heavy. If sampling is employed, it does not provide the full picture that you need to understand what is happening to your network and how to solve problems.


Previous Page  1  2  3  4  Next Page 

Sign up for CIO Asia eNewsletters.