Showing results for 
Search instead for 
Did you mean: 
Create Post

Advanced Packet Analysis Sensor Deployment Considerations

Level 10

As the excitement builds for NPM 11 release, you should begin to consider the best options for sending data to your Network Packet Analysis Sensor (NPAS).  Highlighted in NPM 11 - Packet Analysis Sensor Deployment Considerations, we briefly discussed how to capture and export data over to the NPAS. Figure 1 shows the network packet analysis sensor installed on a dedicated server with dual NICs.  A primary NIC for management access and a secondary NIC to passively listen for all traffic.  When it comes to data collection, the secondary NIC is capable of accepting:


  • TCP packets from a SPAN(Mirror Port)
  • TCP packets from a network tap
  • TCP packets from Network Packet Broker


Figure 1


Things to consider for deployment options:

  • Where are my critical applications hosted?
  • What are the major aggregation points of my network?
  • What are the line rates at critical capture points?
  • Avoiding packet duplication


Connecting a NPAS directly to TAP and SPAN ports in a network is the simplest way to get data for analysis, but this approach has several pitfalls. The most immediate problem is that there are just not enough TAP and SPAN ports for all of the tools used by the typical IT or engineering team.  Modern network architectures provide multiple paths through the network, which helps increase network availability, but it also puts challenges on complete network visibility.  This redundant network design provides continuous access to data in the event that one or several links should fail.  However, the redundancy also means that data between two devices in the network may not travel in the exact same path through which may be missed if the network packet analysis sensor is not deployed properly.

In addition to determining the best location to place the NPAS, you will need to take measures not to oversubscribe  the output capacity of the mirror port.  In high-traffic situations, you can limit the amount of traffic on the SPAN or mirror port. For example, set an Access Control List (ACL) on the mirror port to forward only traffic from key servers. By leveraging an ACL, you can eliminate unnecessary traffic before it is sent out of the mirror port.  If you use an ACL, verify that all TCP traffic is forwarded to the monitor. Then add other protocols used by the critical applications you want to monitor. Specify the appropriate ports in the port mirroring statement.  You should avoid scenarios where a large capacity switch transmits data from all ports to one mirror port or SPAN.

Aside from your traditional techniques to mitigate the previous risks, the introduction of network packet brokers have made taken this capabilities to whole new level. Gigamon is one of a handful of vendors that offer products that provide enhancements in how data is sent to monitoring tools. Gigamon products  deliver Intelligent Traffic Visibility Networking Solutions to enhance network monitoring of data centers, service providers, and enterprises.  Figure 2 shows two network packet analysis sensors taking feeds directly from the GigaVUE - 420 appliance. 


Some of the feature and benefits include: 

  • Any-to-Any connectivity
  • Aggregate 10G links to 1G tools
  • Intelligently filter via Citrus™ web GUI or CLI
  • Replicate traffic to multiple monitoring tools
  • Solutions for monitoring asynchronously routed traffic



The GigaVUE-420 Traffic Visibility Node supports 10/100/1000 & 10Gig Ethernet. GigaVUE-420 aggregates, filters, and replicates traffic flows across multiple security and monitoring tools. Hardware filters based on any pattern in the 128-byte header may be enabled to eliminate unwanted packets. The GigVUE-420 modular design allows network professionals to deploy the exact number of ports necessary to fit their requirements.


The GigaVUE-420 enables the Traffic Visibility Network to unobtrusively monitor the production network. The GigaVUE-420 provides out-of-band ports for passive monitoring tools. Tools may be added without affecting the network, at any hour without configuration management review. Multiple GigaVUE-420 systems can be stacked to create a 222 port visibility fabric. All ports can be configured as network or tool ports.

So whether you are using legacy techniques for capturing data or have access to more advances NPBs, Solarwinds’ NPAS is a great way to determine whether it is the application or the network.  Now go sniff some packets!!