The Evolution of Portable Packet Capture Solutions

by Profitap | Apr 23, 2018 | ProfiShark, Field Service, Network Security, Network Monitoring

The future is here, some say. And we can hardly contradict them if we look at the outstanding IoT technologies developed in the last decade. The 21st-century technological boom has changed our life and the way we communicate with each other.

We can even say we’re witnessing history in the making if, let's say, we look at the MAREA project: an ultra-fast fiber-optic network laid under the sea from America to Spain, boasting speeds of 160 Tbit/s.

Unfortunately, all of these innovations have also opened new and unexplored ways for hackers to infiltrate a network. The latest ransomware and DDoS attacks revealed security vulnerabilities that weren’t there in past years.


To keep up with this ever-changing world, companies have created a handful of monitoring and security tools meant to give you peace of mind. Among them, packet capture solutions are the foundation of a highly secure IT infrastructure.

A network crisis can occur when you least expect it, which is why the world of network monitoring also had to evolve. We can now choose a network analyzer that is quick to deploy, fast at capturing your packets, and powerful enough to handle the crisis, even when you are in the field.

Companies like Profitap created powerful portable TAPs (like the ProfiShark series) that are among the best and fastest tools in field packet capture. These are the perfect devices to help you dive right into your network, parse the traffic and identify the packets that are creating all the trouble.

But how did we get where we are today? How did portable TAPs become powerful enough to take on 100% of traffic, but, at the same time, simple and easy to deploy in the field?

Let’s have a look at how portable network tapping evolved along the way.

Portable Full-Duplex TAPs

At first there were copper and fiber TAPs, which were originally designed for use in a data center environment only. Read more about all these types of network monitoring tools.

Soon enough, manufacturers understood the need for a field tool, so they created a basic version of a full-duplex TAP and sold it as a portable model. However, these were just smaller versions of the rack-mount models and still carried the rack-mount screw holders.

This full-duplex TAP, also known as a Breakout TAP, captured the traffic streams from two network ports and copied them onto two output (monitoring) ports. This is what complicated things in the field: besides the full-duplex TAP itself, you also needed a lunch-box PC with dual network interface cards (NICs). In addition, the PC hosting the monitoring application had to perform interface bonding or link aggregation in order to see the two interfaces as one single stream of traffic.

These TAPs did capture the traffic at full line rate without any packet loss or timing delay. So the performance was there, but it was still difficult for IT engineers to carry this ‘portable’ TAP around in the field, because they still needed the additional hardware.

All in all, the first approach to portable tapping wasn’t really portable: you can’t carry a desktop around to field locations, and your laptop doesn’t have dual NICs either.

Portable Aggregation TAPs

Another way TAP manufacturers tried to address the portability issue was by introducing Aggregator TAPs, also known as Aggregation TAPs. This type of TAP combines the two incoming traffic streams into a single flow of outgoing traffic, so a single monitoring port receives the aggregated traffic of both network ports.

It therefore removed the need for dual NICs in the analysis PC. In fact, it removed the lunch-box PC altogether, making way for your laptop to be connected directly to the TAP. True portability, but without performance.

We all know that network trunks run at Gigabit rate (1 Gbps), at least. That's why, to troubleshoot any of your network trunks, you have to place a TAP with Gigabit network ports. However, when the output (monitoring) port is also a Gigabit port, it is not possible to transport the combined 2 Gbps traffic stream over a 1 Gbps output.

So the traffic capture was inconsistent. As soon as the network interface utilization rose beyond 50% and the buffer filled up, packets started to be dropped. As much as 50% of the total traffic could be lost when both network input ports were carrying traffic at full capacity.

The best way to overcome this bottleneck was to transport the aggregated traffic to a higher-rate output. It would not be feasible for TAP manufacturers to use a 10GE NIC as the output of a portable TAP, and laptops do not have 10GE NICs either, and may not for some time. The whole point was to have portability and performance packed into one small kit.
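To put numbers on the oversubscription described above, here is an added example (not Profitap's code, and not a model of any ProfiShark internals) that simulates an aggregation TAP as a bounded buffer fed by two 1 Gbps ports and drained by a monitoring output. The 1 MB buffer, the 1 ms time slot and the constant per-port utilizations are assumptions made for the illustration; the 5 Gbps output figure is the USB 3.0 rate the article cites.

```python
"""Why an aggregation TAP with a 1 Gbps monitoring port drops packets.

Added illustration, not vendor code.  Time is sliced into 1 ms slots and all
quantities are integer bit counts, so the arithmetic is exact.  The traffic
offered on ports A and B is constructed, not captured.
"""
from dataclasses import dataclass
from typing import Dict, List

LINK_BITS_PER_SLOT = 1_000_000   # a 1 Gbps network port carries 1 Mbit per ms
BUFFER_BITS = 8_000_000          # assumed 1 MB (8 Mbit) buffer inside the TAP


@dataclass
class TapResult:
    offered_bits: int
    delivered_bits: int
    dropped_bits: int
    peak_backlog_bits: int

    @property
    def loss_fraction(self) -> float:
        return self.dropped_bits / self.offered_bits if self.offered_bits else 0.0


def constant_load(utilization_pct: int, slots: int = 1000) -> List[int]:
    """Constructed traffic: one port running at a fixed utilization for `slots` ms."""
    return [LINK_BITS_PER_SLOT * utilization_pct // 100] * slots


def simulate_aggregation_tap(port_a: List[int], port_b: List[int],
                             output_mbps: int,
                             buffer_bits: int = BUFFER_BITS) -> TapResult:
    """Merge two input streams into one monitoring output through a bounded buffer.

    Per slot: bits arriving from A and B are queued while buffer space remains,
    anything beyond that is dropped, then the output drains up to its capacity.
    """
    drain_per_slot = output_mbps * 1000          # Mbps -> bits per millisecond
    backlog = offered = delivered = dropped = peak = 0
    for a, b in zip(port_a, port_b):
        arriving = a + b
        offered += arriving
        accepted = min(arriving, buffer_bits - backlog)   # buffer is finite
        dropped += arriving - accepted                    # overflow is lost
        backlog += accepted
        peak = max(peak, backlog)
        sent = min(backlog, drain_per_slot)               # output line rate
        delivered += sent
        backlog -= sent
    delivered += backlog   # whatever is still queued drains once the load stops
    return TapResult(offered, delivered, dropped, peak)


def compare_outputs(utilization_pct: int) -> Dict[str, TapResult]:
    """Same load on A and B; 1 Gbps NIC output versus a 5 Gbps USB 3.0 link."""
    a, b = constant_load(utilization_pct), constant_load(utilization_pct)
    return {
        "1G monitoring port": simulate_aggregation_tap(a, b, output_mbps=1000),
        "5G USB 3.0 link": simulate_aggregation_tap(a, b, output_mbps=5000),
    }


if __name__ == "__main__":
    for pct in (40, 60, 100):
        for name, r in compare_outputs(pct).items():
            print(f"{pct:3d}% per port, {name:18s}: loss {r.loss_fraction:6.1%}, "
                  f"peak backlog {r.peak_backlog_bits // 8_000} KB")
```

Running it shows the three regimes the text describes: no loss while the combined load stays under the 1 Gbps output (40% per port), a steady-state loss equal to the excess once the buffer has filled (roughly 16% at 60% per port, just under 50% at 100%), and no loss at all when the same 2 Gbps is carried over a 5 Gbps output, since the backlog is cleared every slot.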

 

Advanced Field Packet Capture Tools

 

Then, a few years ago, it finally happened: specially developed portable network TAPs were released. Pocket-sized and power-packed, they could deal with any kind of troubleshooting, ideal for companies looking to ensure their networks are robust, scalable and secure.

These advanced field troubleshooting tools were unique and different from their predecessors due to their ability to be connected and start capturing packets within minutes, without special requirements.

They were also able to capture and transfer packets directly to any host computer’s disk. All packets were captured in real-time with nanosecond time-stamping at the hardware level, on each packet as it enters the TAP. This allowed real-time protocol analysis of captured traffic with nanosecond resolution.


Our best-selling portable network TAP, ProfiShark 1G, was built to do exactly that, without using a Gigabit NIC as monitoring port. Instead, it utilizes the power of USB 3.0, which can transfer data at up to 5 Gbps. It, therefore, easily transports 2 Gbps of aggregated traffic stream (1G each from ports A and B) over a USB 3.0 link.

This means that the buffer memory doesn’t need to drop any packets and does not have to hold packets long enough to affect their timing. It also connects to your laptop’s USB port and is plug-and-play, with no dependency on an external power source.

 

Portable capture devices go even further these days than giving you full access to a network line in a portable package. They can now be used as a long-term capture solution and be accessed remotely. For example, if you combine ProfiShark 1G with a NAS, its long-term capture feature will help you catch intermittent problems in the act.

As you can see, we have come a long way. Advanced portable tapping tools can already be used in many situations and are expected to deliver successful results. They are ideal for assessing temporary, intermittent problems, like unexpected protocol interactions, which traditional monitoring tools are unable to assess.

Portable packet capture devices are very useful against cyber attacks, like phishing or other types of security threats. With the help of these tools, network admins can reconstruct web sessions, e-mails and 'chat line' conversations in chronological order to investigate security incidents and produce an accurate forensic analysis.

Finally, maybe the most exciting fact about portable network tapping is that this is just the beginning, and a whole new world of possibilities in field network monitoring awaits us.

You can read more about the power of a portable network TAP here.

 
