The emergence of LLMs and AI, combined with escalating data transfer rates and the widespread use of cloud and container technologies, has made cyber attacks, ransomware, and cyber espionage everyday threats. These challenges now significantly impact the monitoring and analysis of modern IT infrastructures. These days, 100 Gbps connections are common, with 400 Gbps and 800 Gbps in backbones, and the first glimpses of 1.6 Tbps are already visible.
For most IT professionals, the need to increase visibility and monitor their networks effectively has become a necessity. But the diversity of technologies has not only not changed but has spread further, so the question of how to do this becomes even bigger.
There are three common approaches to collecting and reporting the data that traverses networks. Utilizing flow protocols (like the still used NetFlow, IPFIX, sFlow, or eBPF-based flow monitoring), packet data, and metadata. But which is right for you and the environment you are tasked with troubleshooting and protecting?
This article breaks down the monitoring approaches for each method, discuss their strengths and weaknesses, and offer best practices for when to use them. Let's start with what is often considered to be the golden standard of analysis: packet data.
Packets are the most detailed monitoring method available. In fact, the other two methods mostly use packet data to create the statistics they generate. With packet data, we can measure inter-packet timing and server response time, and, depending on the network configuration, decrypt the flow to examine the application payload.
It's all there in the packets. Every bit, byte, and header value available for a full picture of what really happened when the problem struck. Some problems can only be seen in the raw packet data, which truly allows the full picture to be analyzed. For example, if a problem is due to a low MSS value in a TCP connection, packet data enables the analyst not only to see this issue in the TCP conversation but also to correlate it with the expected ICMP messages from the network.
It is very easy to lose a needle in the haystack of packets. Especially when capturing on high-speed, high-capacity links, packet data can quickly become overwhelming. Consider this: capturing for 5 minutes on a 10 Gbps link at 50% utilization generates almost 200 GB of data.
Modern enterprise networks running at 20-40 Gbps produce 375 GB to 750 GB in the same timeframe, while data centers with 100 Gbps links can reach nearly 1.9 TB in just five minutes of capture. This exponential growth makes long-term packet storage increasingly impractical without intelligent filtering and tiered storage strategies. This makes troubleshooting in the past difficult, since it is hard to store enough data to see beyond the last few hours or days.
Additionally, most network traffic these days is encrypted. While companies used to rely on firewalls and proxies that enabled DPI for their internal traffic, with the ever-increasing adoption of TLS 1.3, these methods are becoming increasingly unavailable and less useful. Therefore, greater focus is needed on the analyst's experience to successfully monitor such networks.
Digging through packets takes skill, experience, and patience. While it is the most detailed method, a balance is needed based on the analysis goals.
Analyzing network traffic doesn't require digging deep into the weeds in every case. Sometimes high-level statistics are enough to help us achieve our goals. It just depends on what we are looking for. NetFlow and its successor, IPFIX, as well as various other flow-based protocols, provide a summary of IP traffic generated by network infrastructure devices, which is then sent to collectors to generate pretty graphs of traffic data.
Flows provide the necessary statistics to detect network intrusions, identify top talkers, and identify the causes of high utilization. To do that, however, we don't need the deep-dive detail of every packet in the flow. Most flow solutions provide the IP addresses, TCP or UDP port numbers, DiffServ values, the time of the flow, the length of the flow, and the amount of data in the flow. Many of these monitoring systems allow analysts to look at flows from days, weeks, and even months in the past.
Since Flow-analysis protocols view a stream of packets in one direction as a single statistic, they do not provide timing details to measure network round-trip time or inter-packet delay. Header details such as TCP flags, window size, and handshake options are not collected, which are critical when troubleshooting complex issues.
Also, they suffer the same limitations as packet analysis tools when analyzing encrypted traffic. Even more so, as they depend on packet details to purposefully generate their logfiles. With the adoption of techniques like IEEE 802.1AE (commonly referred to as MACsec), using such utilities for analysis becomes impossible.
In short, if the goal of monitoring traffic is to watch the network over an extended period for forensics and security, flow-based protocol analysis is the ideal tool, but it requires specific network configurations or demands that certain configurations and tools are not in use on the network.
This method provides a sweet spot between the other two options. Packet data is collected by an analyzer, which sorts, parses, indexes, and even stores it (in some cases). This allows graphs and statistics about network traffic, usage, bandwidth, and even application performance to be generated and stored long-term. It provides packet-level detail for most common troubleshooting exercises, without the complexity of digging through a huge pcapng file.
Statistics such as iRTT, application response, TCP retransmissions, and DNS response codes can be monitored and graphed over time, allowing an analyst to measure them and spot pain points. If, for any reason, more detail is needed than that provided by the metadata, such as traffic decryption, packets can be filtered and exported for a more focused deep dive.
Furthermore, even if the whole picture is no longer available due to encryption layers, because metadata analysis tools see the entire traffic and picture, they can still be used effectively to analyze congestion, overload, traffic bottlenecks, and other performance issues in modern networks. Modern tools also support standalone operations and API access, enabling seamless integration with existing dashboards and monitoring solutions.
The tool requires substantial resources to perform line-rate analytics, which is often very expensive.
Since so much is happening under the hood to turn packets into long-term metadata, the machine crunching them needs serious horsepower. There is also a clear risk of data loss or overprovisioning, especially on high-speed links.
Also, due to the physical limitations of data storage and memory bandwidth, not all future linear rates can be addressed by these tools yet. 100 Gbps seems to be the current maximum at this point.
Profitaps IOTA high-speed packet capture and analysis solution combines the strengths of these three analysis methods into a compact, portable, and cost-effective tool. It can harness the power of packet collection by streaming data to an internal, encrypted drive while simultaneously performing line-rate analytics on ingress data.
Key performance and forensic data can be accessed and analyzed using built-in dashboards. Bandwidth utilization, DNS performance, TCP metrics, Application Latency, User Experience, and much more can be monitored on custom screens that are built with the exact data needed to spotlight problems. This enables IT personnel of all experience levels to both proactively and reactively resolve network issues.
For forensic analysis, traffic can be viewed by conversation flow, GeoIP location, or bandwidth consumption when searching for intrusions or breaches. When troubleshooting slow performance, packet-level statistics, such as network latency, TCP metrics, and server response time, can point to the root cause. If packets become necessary for deeper digging, a filtered, exportable trace file is just a click away.
The IOTA family helps you harness the details of packets, the simplicity of flow-based analysis, and the power of metadata in a single pane of glass.