6 reasons to take a new approach to packet capture
Traditionally network administrators have learnt to use packet analysis for troubleshooting complex problems. Some invested in expensive traffic capture appliance to capture and retain the traffic for later analysis; in case they get reports for a performance degradation, they can extract trace files and load them into a network analyzer (Wireshark or commercial) and look at packets.
The evolution of IT systems is challenging this way of undertaking network diagnostics.
Traffic data analysis will remain a main source of troubleshooting data, but network teams need to take another perspective on it.
What are these trends that make it more complex for network administrators to diagnose performance issues fast enough with stream to disk appliances and network analyzers ?
The 6 reasons traditional packet capture will not work anymore
1- Overall system complexity
- IT systems are getting more and more redundant, there are multiple paths for data streams.
- The number of applications is now in hundreds or thousands.
- The complexity of each application chain is such that defining where to tap traffic is in itself a challenge.
2- Traffic volumes
Volumes are increasing very fast. We used to measure actual usage in hundreds of Mbps. We are now talking about over 10Gbps usage in corporate networks.
When we consider trace files of 100MB to be loaded into a software sniffer, this corresponds to 80ms of a 10Gbps traffic. Can you really make a diagnostic on such a short time extract?
3- History: Throughput and data Retention
Stream to disk appliances work on the basis of storing the production traffic for later analysis. There is a direct relationship between the throughput to be analyzed, the storage available and the retention time of data. As an example, for a 500Mbps average traffic, if you need to keep 7 days of history of that traffic, you will need an appliance with approx. 12TB of storage. Running on a 10Gbps fully loaded link, your history will be no more than 1 hour and a half.
There are several challenges raised by the lack of sufficient time retention:
- Events are not reported in real time and they are often intermittent: if you do not get the chance to look at them during the short retention windows, you cannot diagnose it.
- Drawing conclusions on response times without being in a position to compare to a baseline where the application is running properly does not allow to understand if there is a degradation and where it comes from.
4- "It’s not the network" isn’t enough of an answer anymore
The number of applications which are mission critical for the business has grown in proportion. A performance degradation has business consequences like never before. Having tools which are sufficient to show that the network performance is fine and is not the cause of the degradation is not sufficient anymore.
Only solutions which can help locate the root cause of the degradation end-to-end (wherever it comes from) actually bring enough value now.
5- Change in the data center topology
- Data centers have changed radically with the need for redundancy and resilience: network flows can use different paths to be distributed. Most applications include load balancing and HA mechanism and it is hard to make sure you capture the right traffic without having a very wide (and voluminous) traffic capture.
- New technologies have brought new challenges:
- Virtualizationis now broadly used. It also means that most of the key traffic may not go through any physical cable or switch at any point of time.
- The dynamism (e.g. Motion) and the automation of deployments create any additional challenge for legacy NPM solutions based on capturing traffic on a limited set of physical network segments.
6- Human resource and expertise
IT resources have not grown so that there is not more time and expertise available to look at trace files…
Manual handling of packet data cannot be taken at the scale of new datacenter.
Here is the challenge! What can be the new approach which brings a solution and enables network teams to maintain their ability to troubleshoot and monitor efficiently the performance of applications on their infrastructure?
Take a new approach to network traffic analysis
To make the most of network traffic to troubleshoot performance degradations and monitor end user response times, you need to take a new approach at how you analyse and gather information from your network traffic.
We have summarised our vision of how you can overcome these challenges in a short guide; download it now!