
Packet Capture: Getting into the Path of the Packets

Packets don’t lie.

Network engineers have heard that statement for years. For the most part, it is true. When a device is placed properly in the network path, it can keep up with the ingress packet stream, and the protocol under capture is playing by the rules, the collected packet data is the gold standard for network visibility and troubleshooting.

However, we first need to get past that first step – properly placing the capture device along the network path.

If we are not capturing in the right place and in the right way, we can completely miss a network event and lose out on the packet truth that would lead to problem resolution. This is easier said than done in modern networks. Let’s take a quick look at how to get into the path of packets in a switched network.

Getting into the path of packets

Switches can make packet capture difficult. In the old days, we could just walk up to a hub, find an open port, and click capture on the analysis tool. Ethernet hubs gave us direct access to the collision domain. These days, however, switches now isolate these domains to a single interface. Only the device directly attached to the switch will “see” the network traffic for that port. If we plug into an adjacent port on the switch, we will only be able to capture broadcast, multicast, our own unicast, and flooded traffic (packets where the switch does not know the destination port).

There are two common ways that network engineers get around this gap in visibility.

The first is using a SPAN port. This method copies traffic from one or many switch ports over to a port where the capture tool is connected, allowing it access to packets to and from a target device or server. SPAN ports are passive and can be configured without service interruptions, which makes them the ideal choice for engineers who need a quick packet capture in a high availability environment.
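A quick sanity check for the visibility problem described above: a capture taken from an ordinary (non-mirrored, non-tapped) switch port should contain only broadcast, multicast, and unicast addressed to the capture NIC itself, so the presence of unicast between other hosts is the tell-tale that a SPAN session or tap is actually feeding the capture. This is an added example, not code from the original article or from NetAlly; the frames are constructed inline as (source MAC, destination MAC) pairs, and the NIC address is a made-up placeholder.

```python
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
CAPTURE_NIC = "00:11:22:33:44:55"  # placeholder MAC of the analyser's own port


def frame_class(dst_mac: str, capture_mac: str) -> str:
    """Classify a frame by what a plain access port would deliver to the capture NIC."""
    dst = dst_mac.lower()
    if dst == BROADCAST:
        return "broadcast"
    # I/G bit (least significant bit of the first octet) set => group address
    if int(dst.split(":")[0], 16) & 0x01:
        return "multicast"
    if dst == capture_mac.lower():
        return "own-unicast"
    # Unicast between two other hosts: reaches us only via SPAN, tap, or flooding
    return "foreign-unicast"


def assess_capture(frames, capture_mac: str) -> dict:
    """Summarise a capture and judge whether the capture port is in the packet path."""
    counts = Counter(frame_class(dst, capture_mac) for _src, dst in frames)
    total = sum(counts.values())
    if total == 0:
        verdict = "empty"
    elif counts["foreign-unicast"] == 0:
        verdict = "not-in-path"  # looks like an unmirrored switch port
    else:
        verdict = "in-path"      # SPAN, tap, or at least flooded unicast present
    return {"total": total, "counts": dict(counts), "verdict": verdict}


# Constructed sample 1: analyser plugged into a spare switch port, no SPAN configured
UNMIRRORED = [
    ("aa:bb:cc:00:00:01", BROADCAST),            # ARP request from another host
    ("aa:bb:cc:00:00:02", "01:00:5e:00:00:fb"),  # mDNS multicast
    ("aa:bb:cc:00:00:01", CAPTURE_NIC),          # reply addressed to us
]

# Constructed sample 2: same port, but a SPAN session now mirrors a server's traffic
MIRRORED = UNMIRRORED + [
    ("aa:bb:cc:00:00:10", "aa:bb:cc:00:00:20"),  # client -> server
    ("aa:bb:cc:00:00:20", "aa:bb:cc:00:00:10"),  # server -> client
]

if __name__ == "__main__":
    for name, frames in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        print(name, assess_capture(frames, CAPTURE_NIC))
```

Run the same classifier over the MAC pairs of a real capture (the source and destination columns of any packet analyser export) before spending time on deeper analysis: a "not-in-path" verdict means the SPAN or tap is not delivering the traffic you think it is.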

The second way to capture in a switched environment is using a network tap. This is a device that is physically inserted somewhere along the network path – often at key locations such as switch uplinks, before or after firewalls, or in core data center locations. Some capture tools have taps built in and are able to capture traffic inline on the path, for example, the EtherScope™ nXG. It’s more than just a packet capture tool; it is a powerful network discovery tool as well. Through the use of name discovery, SNMP queries, and WiFi analysis, the EtherScope™ nXG is able to collect the names and address information of devices on the network.

To install a tap on a connection, the cabling first must be unplugged and reconnected through the tap, resulting in a momentary service outage on the network path. When taps are built into the network design or installed during a service window, they are the best way to capture, providing the most accurate method for packet access along the network path.

In order to troubleshoot network problems with packet capture, we first need to get into the path of packets. Whether a SPAN or tap is used, NetAlly tools can help in collecting the right packets in the right place at the right time – helping to ensure that the packets don’t lie.

EtherScope nXG captures 100% of network traffic at line-rate, up to 10Gbps