Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reliable Packet Captures

Published byGwendoline Farmer Modified over 5 years ago

Similar presentations

Presentation on theme: "Reliable Packet Captures"— Presentation transcript:

1 Reliable Packet Captures
Christian Reusch CRnetPACKETS.com

2 Some real world dialogs about network capturing
We want to capture all the data, for our BIG DATA solution! And here is our really innovative solution… But you will miss packets of interest, if you capture with your plan! Missed packets are not important for us! I can see lost frames in the capture, seems that your server has not send the data! Can we trust the capture? Ugh… normally for sure, it is a normal Wireshark trace… I see 20kByte large frames in the trace, please activate Jumbo Frames support on the switches to fix the problem!

3 Hub First modern Ethernet and no COAX anymore Still a shared medium
Means: Every Packet of a Layer2 network can be seen on every Port of the Layer2 network Mostly 10 Mbit/s HDX Some Variants with 100 Mbit/s HDX (1)

4 Switch Switched network
A switch brings „intelligence“ and performance into the network But makes it much harder to capture (1) (1)

5 Switch Monitor Ports (SPAN) Remote SPAN (RSPAN) [VLAN]
Encapsulated Remote SPAN (ERSPAN) [GRE RSPAN] CRC errors will not be detected SPAN Port will only have TX direction, so it can be oversubscribed (1)

6 Switch Other; but no recommended solutions ARP Poisoning
CAM-Table flooding HUB (1) (1)

7 TAP A TAP provides a fully nonreactive Capture Point
Fully passive at 100 Mbit/s on networkside At 1000 Mbit/s needs to be active on networkside Best capture mode for reliable captures is „Break Out“ (2)

8 FiberSplitter Fully passive Cost effective
Same device can be used from 1 to 100 Gbit/s (1) (3) (2)

9 Packet Brocker Managed TAP Can filter traffic Can redirect traffic
Remote admistration But cannot always be used inline (2)

10 Localhost capturing Easy to use
Linux Libpcap (tcpdump) Windows WinPCAP on Windows (needs Install) RAWCAP from NETRESEC no installation needed Nowadays it isn´t anymore usefull, due to Segmentation Offloading (TSO_TRACE)

11 Where: VM Capturing Outside as close as possible to the VM
Internal captures for internal Traffic Do not use GuestOS captures From my point of view it is getting more and more important

12 How: VM capturing Tip for normal vSwitch (by Jasper Bongartz (4))
Using Portgroups to isolate the „Promiscous“ function of the vSwitch Using a dedicated capture VM -> does not affect the services on the other productive VMs Special appliances can be used Endace Riverbed Savvius Wireshark (4)

13 How: VM capturing 2 Other solutions: Virtual Taps
Somekind of ERSPAN Enterprise Plus Licence Mirror Port Direct at the Hypervisor level Usage of different Switches, like a Cisco NEXUS

14 How: Wireshark Capture
Very easy to use Live analysis possible Only reliable up to around Mbit/s Interface should be prepared Trace can easily get lost by accident Timestamping not reliable Only counts if packets get lost while writing to disk Trace example

15 How: Profesional Capture Software
Optimized for: Capturefile Storing and Indexing Data Retention Captures stored mostly in somekind of Database You will normally never loose a capture file by accident Retention can be done by Graphs or Searchmasks Mostly Very Expensive

16 How: Profesional Capture cards
HW Timestamping Breakout Capturing Latency, Microburst Analysis (6) Trace Produce Reliable Capture, as capture errors will be logged at NIC level CRC Errors will be captured External: Profishark Internal: Napatech, Endace

17 Tip: Capturing 10/100 Mbit/s
Using a Hub for 10MBit/s HDX Using a Span Port or a TAP in Aggregation Mode, if the Monitor Port Speed supports 1GBit/s Using Wireshark can be sufficient, but without reliable timestamping Better to use special capture HW

18 Tip: Capturing 1 Gbit/s Using a TAP in Breakout Mode
But a TAP at 1 Gbit/s is not fully passive and not that cheap Better idea using a Fiber Splitter fully passive and cheaper Using special HW capture cards e.g. Profishark Nappatech Endace ...

19 Tip: Capturing 10 Gbit/s and beyond
Native reliable capturing of 10 Gbit/s and more is very expensive >50k € Workaround: Using a Fibersplitter same price as 1 Gbit/s and using Packetbrockers to prefilter the traffic to a 1 Gbit/s breakout monitor link Using special HW capture cards to capture at 1 Gbit/s e.g. Profishark Nappatech Endace ...

20 Tip: Reliable Capturing Remote Solutions
Deploy TAPs or Fibersplitter permanently in the network Connect them to a Packet Broker Connect a Capture device to one port of the Packet Broker Use the Packet Broker to select which traffic you want to capture

21 Capture Strategys Strategies:
“One Try” strategy (BEST, massive HW, special HW -> Consultants, Carrier, Big Problem, Netwok Forensic) “More try” strategy (Network Admin, Not enough equipment)

22 Client-Server

23 Client-Server

24 Client-FW-Server

25 Client-FW-Server

26 Client-WAN-FW-Server

27 Client-WAN-FW-Server

28 Client-WAN-FW-LB-Server

29 Client-WAN-FW-LB-Server

30 Client-FW-WAN-FW-LB-Server

31 Client-FW-WAN-FW-LB-Server

32 Client-FW-WAN-FW-LB-VM(Server-Server)

33 Client-FW-WAN-FW-LB-VM(Server-Server)

34 Takeaway Capture Strategy
One try strategy Every Layer4 device, bottleneck and demarcation point is a useful capturepoint Capture as close as possible to a device but not on it You should use Taps/Fibersplitters and professional capture equipment So you can trust your captures More try strategy You are in a lucky position You can use fast access capture points (local captures) to plan the next steps You can use a divide and conquer strategy 2 parallel capture points are useful

35 Where would you capture if...(5)
User “A” complains that something is not working in application on “s6”

36 Where would you capture if... (5)
All users complain about the performance of an application on server S6?

37 Where would you capture if... (5)
Some users in Paris complain about the performance of the loadbalanced application on server S1, S2, S3, S4?

38 Where would you capture if... (5)
All users in Amsterdam complain about slow performance on every application?

39 Takeaway Tips: How to capture How develop a capture strategy
Problem orientated capturing Questions?

40 References (1) https://wiki.wireshark.org/CaptureSetup/Ethernet
(2) (3) machines/comment-page-2/ (4) (5) Zen and the art of packet Capturing... By Sake Blok: (6) The little thing called MicroBurst:

41 I am happy about FEEDBACK at Sharkfest Europe Guidebook
Thank You! Thank you! I am happy about FEEDBACK at Sharkfest Europe Guidebook

42 About me? Christian Reusch Analyzing Networks since 1999
Web: crnetpackets.com If you like you can send my Traces and I will answer

Download ppt "Reliable Packet Captures"

Similar presentations

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Switching Concepts Introduction to Ethernet/802.3 LANs Introduction.

CCNA3: Switching Basics and Intermediate Routing v3.0 CISCO NETWORKING ACADEMY PROGRAM Switching Concepts Introduction to Ethernet/802.3 LANs Introduction.
SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.

SHARKFEST '08 | Foothill College | March 31 - April 2, 2008 Non-Intrusive Out-of-Band Network Monitoring Utilizing a Data-Access Switch April 1, 2008 Patrick.
Chabot College Chapter 2 Review Questions Semester IIIELEC 99.09 Semester III ELEC 99.09.

Chabot College Chapter 2 Review Questions Semester IIIELEC Semester III ELEC
Top Causes for Poor Application Performance Case Studies Mike Canney.

Top Causes for Poor Application Performance Case Studies Mike Canney.
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 TAP’s Demystified June 16 th 2010 Samuel Battaglia Technical Manager | Network Critical SHARKFEST.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.

1 Version 3 Module 8 Ethernet Switching. 2 Version 3 Ethernet Switching Ethernet is a shared media –One node can transmit data at a time More nodes increases.
1 K. Salah Module 4.0: Network Components Repeater Hub NIC Bridges Switches Routers VLANs.

1 K. Salah Module 4.0: Network Components Repeater Hub NIC Bridges Switches Routers VLANs.
1 CCNA 3 v3.1 Module 5. 2 CCNA 3 Module 5 Switches/LAN Design.

1 CCNA 3 v3.1 Module 5. 2 CCNA 3 Module 5 Switches/LAN Design.
Course 301 – Secured Network Deployment and IPSec VPN

Course 301 – Secured Network Deployment and IPSec VPN
1 K. Salah Module 4.3: Repeaters, Bridges, & Switches Repeater Hub NIC Bridges Switches VLANs GbE.

1 K. Salah Module 4.3: Repeaters, Bridges, & Switches Repeater Hub NIC Bridges Switches VLANs GbE.
Switches in Networking B. Konkoth. Network Traffic  Scalability  Ability to handle growing amount of work  Capability of a system to increase performance.

Switches in Networking B. Konkoth. Network Traffic  Scalability  Ability to handle growing amount of work  Capability of a system to increase performance.
Troubleshooting Software Tools vs. Professional Test Equipment.

Troubleshooting Software Tools vs. Professional Test Equipment.
Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.

Layer 2 Switch  Layer 2 Switching is hardware based.  Uses the host's Media Access Control (MAC) address.  Uses Application Specific Integrated Circuits.
Connecting LANs, Backbone Networks, and Virtual LANs

Connecting LANs, Backbone Networks, and Virtual LANs
Introduction An introduction to the equipment and organization of the Internet Lab.

Introduction An introduction to the equipment and organization of the Internet Lab.
Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.

Introduction to Networking. Key Terms packet  envelope of data sent between computers server  provides services to the network client  requests actions.
Management Information Systems Lection 04 Networks CLARK UNIVERSITY College of Professional and Continuing Education (COPACE)

Management Information Systems Lection 04 Networks CLARK UNIVERSITY College of Professional and Continuing Education (COPACE)
SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces.

SHARKFEST ‘10 | Stanford University | June 14–17, 2010 To the Terabyte and Beyond! Leveraging Pilot and Wireshark to Analyze Truly Massive Packet Traces.
LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.

LECTURE 9 CT1303 LAN. LAN DEVICES Network: Nodes: Service units: PC Interface processing Modules: it doesn’t generate data, but just it process it and.

Similar presentations

Ads by Google