Network traffic analysis is actually a set of methods and processes and can include a few different key technologies but I can't imagine wrapping up a "Top 10" list on technologies for network administrators without talking about it. I wish I had a nickel for every time where, as a network engineer, I've had to resort to a protocol analyzer, or "Sniffer" as many folks call them, to solve an issue with the network, an application, or a set of servers. Protocol analyzers have come a long, long way since I first got started in networking. Back then, we all pretty much had special, purpose-built laptops that acted as our analyzers. We'd plug them into one of our LAN hubs and begin to look at the traffic, packet by packet, to try and see what was causing the problem.

Nowadays things are a lot different. First of all, few of us pay for our protocol analyzers. Wireshark has become the industry standard when it comes to capturing and decoding packets and it's free - a great example of an open source community initiative that got it right. Second, we don't install it on a dedicated laptop or system, we just install it on our regular old systems and use it whenver we need it. Most of don't have layer 2 "hubs" nowadays and have replaced them with intelligent, manageagle layer 3 switches so we have to span or mirror the traffic to our port to be able to see it, but once it's there the analysis features built into Wireshark make diagnosing the problems a whole lot simpler.

Another key technology when it comes to analyzing network traffic is NetFlow. The problems with a protocol analyzer are that you need a physical connection to the network and that they are typically only used to capture traffic in real-time during troubleshooting. NetFlow allows you to capture traffic from all over the network at the same time and to collect it for long periods of time. Whereas a protocol analyzer can tell you if an application is using the wrong settings and causing network issues, NetFlow can tell you how much of the traffic on your links is being generate by each IP, each application, protocol distribution, by AS, and more.

There are some great webcasts and whitepapers on the SolarWinds.com website that go over each of these technologies in detail, explain the different types of NetFlow (sFlow, JFlow, IPFix, etc), walk you through how to set them up, how to use a sniffer, and more. Check them out and as always, ping me if I can help...

 

Flame on...
Josh
Follow me on Twitter