Full Packet Capture V Netflow
What should you use? The answer is both have their uses ...
Monitoring using NetFlow (or jFlow, sFlow IPFIX and other flow-based standards) provides a metadata-based view of activity on the network.
Full packet capture, on the other hand, continuously records a complete record of all network activity, including the actual data (packet payload) that is transferred across the network.
Often organizations have seen the two as mutually exclusive – one or the other – but the truth is that combining the two delivers a powerful arsenal for protecting against security threats, investigating alerts and ensuring the performance of networks and the applications that run on them.
As Zero Day attacks, Advanced Persistent Threats, malware and ransomware attacks continue to proliferate, organizations are realizing that investigating threats or performance issues with NetFlow only may not be sufficient to draw definitive conclusions about what’s happened.
In order to definitively understand the impact of a security breach, or a network or application performance problem, NetFlow, while useful, often isn’t sufficient by itself.
Combining NetFlow and recorded Network History gives NetOps and SecOps teams the ability to monitor the network for problems, and the detailed packet information needed to reconstruct precisely what happened.
NetFlow’s strength is that it writes headlines. It gives you a very effective high-level view of what’s happened across your network by providing metadata: timestamps, senders’ / receivers’ IP addresses, the ports they communicated on, the length of the conversation and the amount of data transferred.
Because it is summary information it doesn’t take up a lot of storage space. Which means more historical data can be archived – allowing analysts to go back months or even years back in time. NetFlow can also be generated by a wide variety of network elements, such as switches and routers – which means NetFlow can provide broad visibility across the network.
The downside is that NetFlow doesn’t provide nearly the level of detail that full packet capture data provides. While it is useful in alerting to potential issues, it can’t necessarily tell you exactly what happened, or allow you to rebuild and examine files that have been exfiltrated from the network, for example.
The other issue with NetFlow, is that it was originally designed just to provide trend data for historical changes in network performance and trend analysis. For this purpose, sampled data is sufficient, so many of the devices that generate NetFlow data are configured to sample packets to generate that data, rather than looking at every packet. While many can be reconfigured to generate 1:1 NetFlow records (where every packet is examined), some cannot. Which means they are not reporting on all the activity on the network.
The demand of generating NetFlow on routers and switches can take a significant performance toll. For this reason, they are often configured to generate sampled NetFlow only, in order to reduce load.
Using EndaceProbe Analytics Platforms running the EndaceFlow application, the overhead of NetFlow generation can be shifted to a dedicated appliance, freeing up switches and routers to perform the functions they were designed for.
Full Packet Capture
Recorded Network History, or full packet capture, gives you the full story. Packets let you accurately reconstruct exactly what happened and when it happened so you can uncover the cause of security or performance issues quickly and definitively.
Using Network History you can reconstruct a data exfiltration to see precisely what was taken. Or zoom in to microsecond level to troubleshoot short-lived events that simply don’t show up at NetFlow’s meta level of detail.
While it might not be feasible to store years of full packet capture history, it is certainly feasible to store weeks to months. Particularly if packet data is compressed, and irrelevant data truncated to remove the unwanted packet payload and keep all the header details - as our EndaceProbe™ Analytics Platforms can do.
EndaceVision™ lets you search the Network History on EndaceProbes, isolate traffic of interest for further analysis, and investigate issues right down to packet level.
Playback™ lets you replay the event to your real-time tools for back-in-time investigation and removes the needle-in-a-haystack approach of attempting to assemble and correlate evidence from multiple sources such as log and transaction files and NetFlow data.
How NetFlow and Packet Capture work together
NetFlow enables very efficient on-the-fly monitoring and allows your team to keep up-to-date with network events as they happen. But it is significantly strengthened by access to network packet history. You can quickly drill down to packet level, examine incidents and determine their root cause and severity.
With full, packet-level detail, investigations are both faster and more conclusive. Network and security analysts can keep on top of the mountain of alerts they receive every day, ensuring an unexamined issue doesn’t escalate to become a serious security breach or service outage.
The EndaceFlow Application can be hosted in Application Dock on EndaceProbe Analytics Platforms and can generate unsampled Netflow in v5, v9 and IPFIX formats at speeds up to 30Gbps without impacting on the EndaceProbe’s packet recording performance. With more than 130 exported fields, EndaceFlow provides unmatched full-stream flow visibility over any combination of IPv4 and IPv6-based networks.
Running EndaceFlow on EndaceProbes gives you the best of both worlds, letting you record a complete and accurate packet-level history of what happens on your network, while generating NetFlow data at full line rate to feed your NetFlow-based monitoring tools with accurate, unsampled NetFlow records.
Yes I'd Like a Demo
How about a Demo?
Integrating Network History into your security and performance monitoring tools gives you definitive evidence at your fingertips.
Find out just how fast and accurate your investigations could be.