Even Cisco offers a dedicated blade that does packet capture, which is more proof that NetFlow alone is simply not enough to give you the rich data you need for troubleshooting and threat protection.
Packet capture to the rescue
Although there are several scenarios where using NetFlow will come in handy, you simply can't address 100% of your network issues with a flow-based solution. So, if you're going to put a packet-based solution in place for compliance, transaction validation and network and application troubleshooting, why not make it your primary solution for all levels of monitoring and reporting?
Compliance is essential for most, if not all, businesses. We all work under some level of oversight, whether it is corporate-imposed policies or government regulations requiring periodic reporting. Maybe your HR department has policies regarding inappropriate network usage, or you're in the medical field and periodically have to audit network traffic for HIPAA compliance. Packet-based network analysis examines every packet, from the header through the payload, and can archive each packet for post-capture analysis, providing the most granular level of data available for compliance verification.
Packet-based network analysis solutions can also be used to solve specific application issues. Some application issues are so granular that they may not rise to the top of the alerts or alarms that you have configured with your flow-based solution. Or, if you do get an alert, it will indicate that the user experience is poor, but does not provide the detail needed to analyze the issue.
For example, let's say a help-desk worker is experiencing long latencies when trying to access the web-based phone support application. Every time the user inputs a response to a question, it takes 10-15 seconds for the application to respond, and oftentimes the response is simply a return to the input screen for the question that was just answered.
A sophisticated flow-based solution may report the long latencies (and some will not!), but determining the root cause of this issue requires detailed, packet-based analysis. Using packet analysis, the network engineer can quickly isolate the packet traffic for the specific user and the specific application, look for the packets reporting slow server response time, and dig into the payloads to see that the database is reporting contention issues. The network engineer now has all the data needed to first prove that this is not a network problem, and then to help the application engineer figure out exactly what is wrong in the application logic that would cause a contention issue.
In terms of transaction validation, let's say you need to go back in time and determine if a specific transaction transpired between a server and a user. NetFlow technologies cannot determine this, since the specific transaction might be part of an overall flow between this client and server, and the system only has visibility down to the flow, not the particular transaction.
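The help-desk latency case and the transaction-validation case above both come down to the same data-model difference, illustrated here with an added example that is not from the article: a NetFlow-style record collapses a whole client/server connection into packet and byte counts, while per-packet records let you pair each request with its reply, time it, and read the payload. The packet list, addresses and payload strings are constructed sample data.

```python
# Added illustration: what a flow record keeps versus what packet data keeps.
# PACKETS is constructed sample data (one client, one web app server, one TCP
# connection), not a real capture.
from collections import defaultdict

# (time_s, src, sport, dst, dport, proto, bytes, payload_summary)
PACKETS = [
    (0.00, "10.1.1.5", 51000, "10.2.2.10", 443, "tcp", 420, "GET /question?id=7"),
    (0.04, "10.2.2.10", 443, "10.1.1.5", 51000, "tcp", 1200, "200 OK"),
    (5.00, "10.1.1.5", 51000, "10.2.2.10", 443, "tcp", 430, "POST /answer id=7"),
    (17.50, "10.2.2.10", 443, "10.1.1.5", 51000, "tcp", 300, "500 db lock contention"),
    (20.00, "10.1.1.5", 51000, "10.2.2.10", 443, "tcp", 420, "GET /question?id=8"),
    (20.05, "10.2.2.10", 443, "10.1.1.5", 51000, "tcp", 1150, "200 OK"),
]

def flow_records(packets):
    """NetFlow-style aggregation: one record per unidirectional 5-tuple.
    Per-request timing and payload content are collapsed into totals."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "first": None, "last": None})
    for t, src, sport, dst, dport, proto, size, _payload in packets:
        f = flows[(src, sport, dst, dport, proto)]
        f["packets"] += 1
        f["bytes"] += size
        f["first"] = t if f["first"] is None else min(f["first"], t)
        f["last"] = t if f["last"] is None else max(f["last"], t)
    return dict(flows)

def transactions(packets, client, server):
    """Packet-level view: pair each client request with the next server reply
    on the same connection and measure the server's response time."""
    result, pending = [], {}
    for t, src, sport, dst, dport, _proto, _size, payload in packets:
        # Key the connection by (client_port, server_port) regardless of direction.
        conn = (sport, dport) if src == client else (dport, sport)
        if src == client and dst == server:
            pending[conn] = (t, payload)
        elif src == server and dst == client and conn in pending:
            t_req, req = pending.pop(conn)
            result.append({"request": req, "response": payload,
                           "latency_s": round(t - t_req, 2)})
    return result

def slow_transactions(packets, client, server, threshold_s=10.0):
    """The transactions a packet-based tool can single out; a flow record
    for the same connection cannot show which request was slow or why."""
    return [tx for tx in transactions(packets, client, server)
            if tx["latency_s"] >= threshold_s]
```

Run against the sample, the flow view yields two records (one per direction) with no trace of the 12.5-second stall, while the packet view isolates the one slow request and its "db lock contention" reply.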