Reimagining Packet Capture in Light of Riverbed’s Opnet Acquisition

November 15, 2012 | By Tyson Supasatit | Add a Comment

ExtraHop recently announced a method of packet capture that enables network and security teams to capture packets of interest with surgical precision. This capability preserves all the benefits of packet capture—namely, an exact record of what caused a performance slowdown or policy breach—without the downsides of traditional methods.

Scroll down to the bottom of this post to watch a video of ExtraHop Senior Systems Engineer Dan Greer demonstrating this capability. 

Fittingly, ExtraHop’s packet capture announcement coincides with Riverbed’s recently announced acquisition of Opnet. Both of these vendors offer traditional packet capture tools. Riverbed’s tool is called Cascade Shark (acquired through the 2010 purchase of CACE Technologies) and Opnet’s tool is called AppTransaction Xpert. These products are technically sound and often justify their expense compared to open-source alternatives, depending on an organization’s requirements.

That said, the difference between ExtraHop’s approach to packet capture and that of Riverbed and Opnet is telling. With the ExtraHop system, you have a more simple method that arguably works better and costs significantly less. With Riverbed and Opnet, you have entrenched vendors selling a highly refined version of decades-old technology. Please allow us to explain.…

“You’ll Have to Pry It from My Cold, Dead Hands”

It’s been 25 years since Van Jacobson wrote tcpdump. Since then, packet capture and analysis has become an essential tool for network and security professionals, enabling them to obtain a definitive record of application and end-user activity. For many network administrators, “You’ll have to pry it from my cold, dead hands” aptly describes the loyalty inspired by packet-capture tools.

When networks carried data at 10Mbps or 100Mbps, packet capture worked great as the captures were not too large. Now, with datacenter networks at 10Gbps speeds, even the most ardent defenders of packet capture must admit that the traditional method of recording, storing, and analyzing terabytes of packet data is slow and inefficient. In a typical troubleshooting scenario, the network team makes an educated guess as to where they think errors are occurring, records traffic from those segments, and then sifts through the data with an analysis tool—a reactive and time-consuming process. And sometimes, these teams need to collect multiple packet captures and then correlate the results. An alternative to piecing together packet captures is to invest in an enterprise-grade packet capture solution that continuously captures and indexes packets. However, continuous packet capture seems like an extravagant and expensive solution for everyday use, especially as today’s 10Gbps network links can fill up to 100TB of storage in a day!

Even when the correct packets are captured, it requires skill and effort to decipher the data—a tedious task for even the most competent network engineer. Searching even a couple gigabytes of packet data for the root cause of a performance issue is analogous to scanning the complete works of Charles Dickens to find a single conversation. Fortunately, there is now a better way to do packet capture.

Reimagining Packet Capture

The new policy-based, precision packet-capture feature in the ExtraHop system eliminates the guesswork, the time-consuming analysis, and the expensive storage requirements associated with conventional packet-capture methods. Here’s how it works:

  1. Continuous analysis. Using a copy of network traffic, the ExtraHop system reassembles millions of application flows in real time.
  2. Automatic triggers. IT teams set policies for anomalous or suspicious events they would like to record using ExtraHop’s Application Inspection Triggers (AI Triggers) technology, such as when a malformed request causes an application error or when a user writes to a sensitive storage partition.
  3. Immediate replay. When a policy-defined event occurs, the ExtraHop system automatically extracts the application flow that caused the event from the packet buffer. IT teams will have the pcap file available immediately for analysis, effectively enabling them to look back in time to see the user or application behavior preceding an event. The ExtraHop system can offer this immediate replay without resorting to continuous packet capture because of its real-time, full-stream reassembly of multiple packets into complete flows.

What IT Operations Teams Really Need

Although other vendors offer triggered packet capture, only the ExtraHop system offers unprecedented intelligence and precision with AI Triggers technology and L2—L7 transaction analysis at wire speed, a sustained 10Gbps. No other performance-monitoring vendor offers a similar framework for real-time analysis.

Here’s the kicker: The granularity of detail available is not the problem plaguing IT Operations teams today. Rather, the problem is that disparate tools do not provide holistic visibility or adapt to dynamically changing IT environments. Read about a recent study by TRAC Research on APM data overload.

data Resources

TRAC Research white papers on APM data usability.

Download the white papers (requires free registration).

 

The ExtraHop system provides a platform for operational intelligence that spans technology silos. With an elegant, non-intrusive deployment, IT organizations gain correlated, real-time visibility for all their applications in production as well as the supporting infrastructure—the underlying network, desktop and application virtualization, load balancers and firewalls, directory services, domain name services, and storage systems. AI Triggers technology adds incredible flexibility to this platform, enabling IT teams to define and implement new metrics within minutes. With the ability to answer questions about what is happening in real time across the entire environment, IT teams can streamline application rollouts, mitigate risk, manage infrastructure changes, and proactively resolve performance problems.

Interested? You can try out the ExtraHop system for free with our Discovery Edition download. This is an easy, no-obligation way to see for yourself how the ExtraHop system can quickly gather meaningful data for agile IT operations. If you are already an ExtraHop customer, contact us to get access to version 3.8 and learn about the benefits of precision packet-capture in your environment.

0

Filed in: ExtraHop Analysis, ExtraHop News, Good Reads, Industry Trends | Tags: , , , , ,

About the Author (Author Profile)

Tyson helps to educate the IT Operations Management community about what is possible with real-time analysis of wire data. Prior to ExtraHop, Tyson worked as a technical marketing writer for Microsoft, Seagate, and the Association of Computing Machinery, where he wrote for and edited the TechNews e-mail newsletter from 2000 to 2005. You can find him on Twitter under @tsupasat.

Leave a Reply

Trackback URL | RSS Feed for This Entry