August 2009 Archives

Packet analysis, protocol analysis, six of one, half a dozen of another, right? You might think so. Just do a web search on either term and you'll find them used interchangeably by just about everyone out there, including the "experts." But packet analysis is quite different from protocol analysis, and far more complete. Let me explain.


Protocol analysis is a subset of packet analysis. Protocol analyzers interrogate packet headers to first of all determine which protocol is being used for communication, like HTTP (always a well-understood example), and then to ensure that the rules of the protocol are being adhered to. Valuable, and somewhat complicated, analysis for sure, but this is strictly at the communication layer.


But what about when the protocol is absolutely correct, yet users are still raging about poor network performance? That's when we need to get to deeper layers of analysis, or true packet analysis. Packet headers, which contain the information about the protocol, aren't the only sources of information for network analysis. Packet payloads also contain critical information regarding the workings of your network, and when you include payload analysis with protocol analysis you get packet analysis, the complete solution. Packet analyzers can then address more complex network issues, such as whether it is the network or a specific application that is causing a problem.


The answers lie in the packet payloads, and in packet, not just protocol, analysis.

Network forensics is the capture, recording, and analysis of network events. Typically, network forensics tools employ simple and complex filters to mine stored data to reveal anomalies (what caused them and what effect they had on network performance). The common perception is that network forensics is used to discover the source of security attacks. The recent denial-of-service attacks on Twitter are a headline example where network forensics was used to help identify the perpetrator. So while security attacks get the most attention, network forensics can be used for other problem incidents. Beyond problem incidents, network forensics can even be used for things like business analysis. Below are three network forensics use cases, not including security attacks, for consideration.

 

1) Monitoring User Activity  

 

Social networking sites like Facebook and Twitter have been shown to sap productivity in the workplace. As a result, many organizations have user policies that prohibit, or at least curtail, such activities. Recently, the U.S. Marine Corps banned marines from using Twitter for a year, as well as Facebook. Additionally, policies prohibiting non-work related "bandwidth sucking" download activities (music, videos, games, etc.) are common. Lastly, users may not be going through a proxy server, opening up the network to various malware. Network forensics allows all these "rogue" activities to be monitored, revealing details as to who broke policy, what policy infraction was committed, and at what time it occurred.

 

2) Business Transaction Analysis

 

For transactions that take place in clear text, such as SQL, HTTP requests, FTP, or Telnet, network forensics allows the network administrator to create the ultimate audit trail for business transactions: not just server activity, but the business transactions enacted between clients and servers. Additionally, network forensics can serve to troubleshoot the transaction problems that server logs miss.

 

3) Pinpointing the Source of Intermittent Performance Issues

 

On a practical level, here's where network forensics tools really come in handy: capturing and handling intermittent network problems, especially those that occurred hours or days ago. Traditional "reactive" ad hoc troubleshooting can miss patterns that indicate network problems, so network forensics can be used to catch things that were originally missed.
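To make use cases 1 and 2 concrete, here is an added example (not from the original post) of the kind of filter a forensics tool runs over stored connection records: it flags web traffic that bypassed the mandatory proxy, visits to prohibited sites (whether direct or through the proxy), and records clear-text SQL transactions as an audit trail. The record format, the proxy name `proxy.corp.example`, the policy list and the sample records are all constructed for this illustration.

```python
from collections import Counter, namedtuple

# Constructed sample of stored connection records (not real traffic), one per line:
# timestamp  user  src_ip  dst_host  dst_port  first line of the clear-text payload
RECORDS = """\
2009-08-10T09:02:11 alice 10.1.1.12 proxy.corp.example 3128 GET http://intranet.corp.example/ HTTP/1.1
2009-08-10T09:05:40 bob 10.1.1.17 twitter.com 80 GET /home HTTP/1.1
2009-08-10T09:06:02 carol 10.1.1.21 proxy.corp.example 3128 GET http://news.example.org/ HTTP/1.1
2009-08-10T12:30:55 dave 10.1.1.30 203.0.113.9 80 GET /update.exe HTTP/1.1
2009-08-10T13:14:09 bob 10.1.1.17 proxy.corp.example 3128 GET http://www.facebook.com/ HTTP/1.1
2009-08-10T14:00:01 erin 10.1.1.44 db.corp.example 1433 SELECT balance FROM accounts WHERE id = 42
"""

PROXY_HOST = "proxy.corp.example"                 # assumed name of the mandatory web proxy
PROHIBITED = {"twitter.com", "www.facebook.com"}  # assumed site policy list
WEB_PORTS = {80, 8080}                            # direct HTTP that should have gone via proxy
SQL_PORTS = {1433, 3306}                          # clear-text database transactions to audit

# who / what / when, as the post describes the output of user-activity monitoring
Finding = namedtuple("Finding", "when who what detail")

def parse(records):
    """Split each stored record into its fields; the payload may contain spaces."""
    for line in records.splitlines():
        ts, user, src, host, port, payload = line.split(" ", 5)
        yield ts, user, src, host, int(port), payload

def request_host(host, payload):
    """Real destination of a web request: for proxied requests it is inside the URL."""
    if host == PROXY_HOST:
        url = payload.split(" ")[1]   # "GET <url> HTTP/1.1" -> <url>
        return url.split("/")[2]      # "http://<host>/..."  -> <host>
    return host

def audit(records):
    findings = []
    for ts, user, src, host, port, payload in parse(records):
        if port in WEB_PORTS and host != PROXY_HOST:
            findings.append(Finding(ts, user, "bypassed proxy", f"{src} -> {host}:{port} {payload}"))
        if request_host(host, payload) in PROHIBITED:
            findings.append(Finding(ts, user, "prohibited site", request_host(host, payload)))
        if port in SQL_PORTS:
            findings.append(Finding(ts, user, "db transaction", payload))
    return findings

def infractions_by_user(findings):
    """Summary view: how many policy findings each user generated."""
    return Counter(f.who for f in findings)

if __name__ == "__main__":
    for f in audit(RECORDS):
        print(f.when, f.who, f.what, f.detail)
```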

 

As the SANS Institute notes, "Network forensics can reveal who communicated with whom, when, how, and how often. It can uncover the low-level addresses of the systems communicating, which investigators can use to trace an action or conversation back to a physical device. The entire contents of e-mails, IM conversations, Web surfing activities and file transfers can be recovered and reconstructed to reveal the original transaction. More importantly, the protocol data that surrounded each conversation is often extremely valuable...."

 

Network forensics can be a powerful tool to unlock mysteries found within the network. Make sure you have a network forensics tool best suited for your organization's particular needs.

100 gig networks are on the way.  The Department of Energy (DoE) has just awarded $62 million to build one.  

As with any other network, visibility into the network, and the ability to monitor and troubleshoot it, must also be taken into consideration. Even with 1 gig and 10 gig networks, special hardware and software are often needed to capture and analyze all of the traffic. And even that is not sufficient when these networks are fully saturated, or experience large spikes, small packets, and other anomalies.

In some ways, the network monitoring industry is still working to catch up with 10 gig networks, so yes, developing new technologies and tools for 100 gig is going to be expensive and not ready for prime time for a good while. But this forthcoming innovation is good for everybody downstream, as it will push the envelope and drive the next generation of networking tools and corporate revenues.

The types and number of issues surrounding the development and deployment of a 100 gig Ethernet network will depend on how deep into the network the 100 gig needs to go.  Currently, there are a few options for 100 gig core routers, but beyond that available commercial hardware stops at around 10 gigs.   A quick search on network cards greater than 10 gig came up empty.  And even if you found the cards, current twisted pair cable only goes up to 20 gigs.   To go higher than 20 gigs means re-cabling with fiber.

If the 100 gig network is just a big pipe between the major carriers, and everything in between is 1 gig and less, then the scope of the problem is pretty well defined.   The cost then is a matter of rolling out 100 gig fiber if necessary, but maybe not if multiple existing smaller capacity lines can be aggregated.  

If the project is more ambitious, and is attempting to go end to end, then there are a lot of problems and expense right out of the chute. Namely, everything has to be replaced in between the core router and the PCs. Even the network card in the PC has to be upgraded to 100 gig, which has not been invented yet.

Finally, this still leaves the challenge of monitoring a 100 gig network. Currently, there is no single network analyzer that can capture at 100 gigs. One way to achieve this is with a series of load balancing taps that break the traffic down into smaller 10 gig lines, which then feed into separate analyzers working in parallel. Interesting idea, but I don't think anyone has invented it yet.

Perhaps we need some town hall meetings to discuss?