More and more managers and system admins feel challenged by the mass of information and volume of data that passes through their network each day. Network data visualization access tools help network admins keep a constant eye on what is happening on their network, which gives these tools an important role in any complex IT environment.
Before choosing a network access tool, you should follow these basic rules for Network Data Visualization Access:
1. Any device or network structure that touches a frame has changed the frame — even if nothing more than changing its absolute timing reference to the network.
2. It is essential to keep all changes made by a device linear. If the frame offset was 10 ms, then all frames should have the same offset; if not, the device is interfering with the Real Time Analysis Capability of that access point. SPAN access is a great example of variable offset and of the impossibility of doing authentic time-based analysis from a SPAN port.
3. All access devices can change the frame and its environment, as per Rule #1. However, as long as the company providing the device and the operator both understand this, one can get relevant data and facts from it, provided they stay out of the access device's weak areas.
4. A TAP is the ONLY device that will pass every bit, byte, nibble and octet, including the interframe gap and bad, large, small and other error packets. Even if one uses a higher technology filtering device, I strongly suggest that you stick with using a TAP* as your media access. A standalone TAP, not an integrated one!
*There is significant debate about the viability of passing bad packets for capture and post capture analysis. I feel that just counting the bad packets/types is acceptable for baselining analysis. Bad packet analysis is usually for developers who wish to see if their hardware is problematic, and not for the network engineer. Find out more about network access tools on TAP vs SPAN.
5. Before one deploys an access technology, one should do three things and know a lot more:
- Test more than one device to make sure you are getting what you really need for your tools and that you (and your company) can really use the device and the data it provides.
- Be sure to test the network before and after the access device to compare and get a REAL baseline of the access device's effects on the frames.
- Always purchase one that has growth potential, so that you do not have to purchase all the ports until they are needed.
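Rule 2 and the before/after baseline test can be checked numerically. The following is an added example, not part of the white paper: it matches frames captured before and after an access device and reports whether the timing offset is constant, plus any dropped or reordered frames. The function name, the 0.5 ms tolerance and all sample timestamps are assumptions constructed for illustration.

```python
from statistics import mean

def offset_report(before, after, tolerance_s=0.0005):
    """Compare two captures of the same traffic.

    before/after: lists of (frame_id, timestamp_s) in capture order.
    frame_id is any stable, unique per-frame key (e.g. a hash of the frame bytes).
    tolerance_s is an assumed acceptance threshold, not a value from the article.
    """
    t_after = dict(after)
    matched = [(fid, t_after[fid] - t) for fid, t in before if fid in t_after]
    if not matched:
        raise ValueError("no frames in common between the two captures")
    offsets = [delta for _, delta in matched]
    # Frames seen before the device but never delivered to the monitor side.
    missing = [fid for fid, _ in before if fid not in t_after]
    # Frames present on both sides should keep their relative order.
    common = {fid for fid, _ in matched}
    order_before = [fid for fid, _ in matched]
    order_after = [fid for fid, _ in after if fid in common]
    spread = max(offsets) - min(offsets)
    return {
        "mean_offset_s": mean(offsets),
        "spread_s": spread,                # 0 means a perfectly linear offset
        "linear": spread <= tolerance_s,   # Rule 2: same offset for every frame
        "missing": missing,
        "reordered": order_after != order_before,
    }

# Constructed sample data: five frames, 1 ms apart, seen before the device.
BEFORE = [("f1", 0.000), ("f2", 0.001), ("f3", 0.002), ("f4", 0.003), ("f5", 0.004)]
# Constant 10 ms offset on every frame (the linear behaviour Rule 2 asks for).
CONSTANT = [(fid, t + 0.010) for fid, t in BEFORE]
# Variable offset, one frame out of order, one frame never delivered.
VARIABLE = [("f1", 0.0100), ("f2", 0.0125), ("f4", 0.0140), ("f3", 0.0152)]

if __name__ == "__main__":
    for name, capture in (("constant", CONSTANT), ("variable", VARIABLE)):
        print(name, offset_report(BEFORE, capture))
```
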
As you can see, there are many factors to consider before you choose a device, such as whether it offers a CLI or a real GUI for maximum usability.
Can only one person use the device, or can many? Can there be layers of access, tiered secure access, a syslog of access and issues? Can filters be shared between access levels or not, and how deep are the filters? Can you easily test a filter and get ingress and egress statistics? Can you reuse the packets in deep complex filters, including boolean filtering? Is there higher level filtering capability, or is the filter restricted to a certain number of bytes? And, most important, does the device have Dynamic Filtering?
Also, don’t forget that any access device might be called into question when the captured data is used as evidence in employee misuse cases or in CALEA-type situations.
It’s a lot to consider, and there is even more for you to know and evaluate. The higher the level of technology, the more questions need to be asked and considered to make sure you are getting what you really need for today and tomorrow.
This article is an extract from "The Reality of Meeting Your Data Visualization Demands", a white paper by Tim O'Neill, Chief Contributing Editor for NetworkDataPedia.com and Packet Analysis Hero.