Packet Sniffing Primer: The State of Packet Sniffing in 2018

Introduction

For many years packet sniffers and packet sniffing have occupied a special place in network troubleshooting. If you want to analyze network traffic for signs of performance degradation then packet sniffers are one of the core tools at an administrator’s disposal. Packet sniffing is the process of capturing data that is transferred throughout a network and analyzing it for further insights. The intention is to monitor network performance.

Packet sniffing has been a staple part of monitoring legacy networks but this practice is starting to change dramatically. The growth in enterprise networks has forced administrators to adopt a more strategic approach to packet sniffing. The reason is that the networks are becoming too bloated to be monitored using the same old techniques. By the end of 2018, it is expected that more than 50% of enterprises will be adopting platforms and services driven by cloud services.

The Challenge of Maintaining Visibility in SDN Environments

The growth of cloud services is not the least of the challenges facing packet sniffing either. The growth of Software Defined Networking (SDN) threatens to erode the very visibility that packet sniffing is so dependent on. SDN is a virtualized network through which network traffic is forwarded based on advanced policies. This makes monitoring network traffic more difficult because the routes have changed from the physical to the intangible virtual realm.

The global SDN market was valued at $1.62 billion in 2015 and is anticipated to balloon to $23.95 billion in 2025. The meteoric rise of this market has the potential to sideline packet sniffing in a number of organizations. Most tools simply aren’t ready to monitor virtualized networks on this scale. The adoption of a more targeted approach has become necessary to monitor network traffic in this fast approaching era.

Hybrid Solutions: The Key to Monitoring Modern Networks?

While packet sniffing still has its place now, there is a need to embrace new forms of traffic analysis to reconcile with the incoming age of SDN-driven networks. We’re starting to see this now with the growth of hybrid traffic analysis solutions. One of the most promising traffic monitoring solutions has arisen from the partnership between Arista and Extrahop.

Arista and Extrahop: The ExtraHop-Arista Persistent Monitoring Architecture

Extrahop have recognized that legacy monitoring tools are unprepared for the onset of SDN. The reason is that there is no single point where a legacy monitoring tool can capture all traffic, particularly when virtual provisioning of resources create new blind spots that can’t be monitored.

Arista and ExtraHop have designed their own unique strategy for addressing these challenges. The response of these companies has been to launch a hybrid service called the ExtraHop-Arista Persistent Monitoring Architecture. This architecture combines Arista’s EOS (a network operating system) with the data analytics of the ExtraHop Context and Correlation Engine.

Data ANalyZer (DANZ) offers single-hop packet processing and data capture before passing it to ExtraHop where it is processed up to 40 Gbps. Data is aggregated and timestamped so it can be accessed within an SDN environment. This solution has shown that there are plenty of opportunities for new strategies to work around the complexities of virtualized technologies like SDN.

It is clear that the disruptive effect of these emerging technologies and other forms of virtualization need to be met head-on with new solutions. Enterprises will need to reconsider their approach to packet sniffing if they are to keep up with the next generation of networking. There are many important factors that will influence these new strategies as well.

Here are some of the most important trends that will impact the Packet Sniffing Space:

• Increases in traffic volumes - It is no secret that global traffic is consistently decreasing as personal and business traffic increases consistently. It is anticipated that annual global IP traffic will reach 3.3 ZB (Zettabytes) by 2021. In the confines of corporate networks, this growth in traffic is going to make it increasingly difficult to capture packets due to the magnitude of information available. Administrators are going to need a much more robust approach to filtering than is provided by tools like Wireshark to process all of this information.
• Changes in Data Center Topology - In recent years, data centers have begun to have a much greener focus as solution providers have aimed to move towards sustainability and energy efficiency. The complexity of the paths that packets are traveling through and the growth of load balancing and high availability functions has meant that it is difficult to capture useful packets and examine network performance.
• Encryption - As organizations become more security conscious there has been a growth in encryption. Encryption has stripped away some of the visibility that administrators rely on for maintaining enterprise networks. This is forcing administrators to adapt and decrypt this traffic in order to use it.

Packet Sniffing Under Pressure: Is It Obsolete?

Though these are significant challenges, in the interim period before these changes occur, packet sniffing still has a clearly-defined purpose. The use of packet sniffers is still essential for implementing Quality of Service (QoS) monitoring. Without it, you run the risk not just of missing the signs of poor performance, but also overlooking cyber attacks as well.

Packet sniffing may be ushered into an uncertain period by digital disruption but the traditional packet sniffing model still has a place in most enterprise environments. For now, the best way to navigate this uncertain landscape is to only adopt the best packet sniffers on the market. Using sturdy packet sniffers like Ntop with the ability to use 10 Gbit network traffic recording and to monitor virtual machines. This will help to mitigate some of the challenges raised by the growth in the scale of modern networks.

However, packet sniffing practices are going to have to evolve if this form of monitoring is to have any relevance in the next generation of networking. The work of Arista and Extrahop has shown there is still hope if enterprises can create new strategies to monitor network traffic.

As resolving performance degradation becomes more difficult and less transparent, administrators are going to be forced to resort to cutting-edge tools and techniques just to break through the white noise and see what is going on. In order to transcend the challenges of virtualized infrastructure, administrators are going to become that much more strategic in nature.