Blog

Key Differences Between Packet Capture, Wire, and Real-Time Stream Analysis

Network administrators rely on network traffic analysis, such as packet capture and real-time stream analysis, to troubleshoot complex issues such as network and application performance degradations, as well as poor end-user experience.

Network flow analysis (e.g. NetFLOW or IPFix) provides quick insights into broad capacity utilization trends to help troubleshoot infrastructure and macro issues, but offers little insight into application sessions and the transactions that support them.

The more difficult that problems are to resolve, the more experts need to ‘consult the wire’.

Packet-level analysis reveals the relationships between the applications, servers, and clients involved, and the network interconnecting them. Analyzing packets can unlock the mystery of elusive, intermittent, and short term performance issues, and provide guidance on how to proceed quickly to problem resolution.

Packet analysis points to the cause of the issue, by passively analyzing the traffic itself

The questions typically raised by network teams are:

  • How fast can we find the root cause?
  • Which identification tools work best?

The answers to those questions usually support one of two approaches: packet capture or real-time stream analysis.

Approach #1 — Packet Capture and Analysis

With packet capture, full packets—including header and payload—are recorded. Specific methods of packet capture include sniffers, analyzers, stream-to-disk systems, and network recorders.

There are four steps to capturing packets for analysis:

  1. Capture packets
  2. Store packets on a disk or other storage device
  3. Extract a trace file (in PCAP format)
  4. Analyze the trace file with a software analyzer

While a number of pure packet capture solutions exist, the most popular tool is probably Wireshark, which is free and open-source. (See how Wireshark users can scale their network troubleshooting capabilities.)

This is a labor-intensive, manual approach, which can result in key clues being overlooked when large samples are being analyzed. With packet capture, you pretty much have to know what to look for, where to look for it, and when to look for it. This can definitely be a challenge when analyzing intermittent performance issues.

Stream-to-Disk Solutions

Stream-to-disk solutions attempt to automate manual packet analysis by managing the capture, storage, and analysis of traffic. This permits historical analysis of traffic from all corners of an enterprise’s infrastructure and the ability to use wire-level analysis for continuous monitoring. The drawback to stream-to-disk solutions is that they require significant investments in storage and processing. They are also complex to deploy, configure, and use, and incur significant query delays to extract insight out of mountains of collected data. Although much more comprehensive than manual techniques, total cost of ownership (TCO) can be prohibitive and is often out of reach for mid-sized organizations.

Figure 1: Stream-to-Disk Packet Analysis

(For some reasons why traditional packet capture might not be the best approach, see “Packet Capture: 6 Reasons for a New Approach”.)

Approach #2 — Real-Time Stream Analysis

Real-time stream analysis (or wire data performance analysis) is the second predominant approach to network traffic analysis. It includes the following steps:

  1. Analyze packets crossing the wire in real time
  2. Store analytics (i.e., key performance indicators (KPIs) and session metadata) extracted from the packets as they arrive
  3. Conduct analytics and reporting based on KPIs and rich transactional records

Figure 2: Real-time stream analysis

Real-time stream analytics approaches offer the combined benefits of lightweight compute and storage requirements, real-time, full-stack insight in seconds, and long historical retention for trending and predictive analytics. This approach essentially automates decode and analysis steps, delivering application, network, transaction, and client visibility from a single tool.

Different Network Strokes for Different Network Folks

Each approach to network traffic analysis has their advantages and their drawbacks. The table below summarizes and compares the attributes of each method.

Packet Capture Stream-to-Disk
Real-Time Stream Analysis
Real-time No Near Real-Time Yes
Storage Low High
Medium
Analysis Timespan MinutesWeeks-Months
Months-Years
Compute efficiency HighLow
High
Analysis ManualAutomated Automated
Network and Application Performance Visibility LimitedPartial* 100%
Application Transaction Visibility NoNo100%
Users Monitored Selected Partial* 100%
Configuration Required Low High Low
Deployment Time Minutes Weeks-Months Minutes

* required manual configuration