Distributed traffic capture optimizes monitoring
By Terence Breslin, Network World, 06/15/2009
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Visibility can be the critical factor in heading off the increasing number of attacks, outages and data breaches in large-scale
distributed networks. But up to now total visibility of Ethernet networks has been infeasible due to the cost of deploying
analytical devices throughout the network. Distributed traffic capture is a new approach to network monitoring that can deliver
complete, selectable and centralized visibility.
At present network traffic is monitored locally, using SPAN ports and/or inline with taps. SPAN ports tend to drop packets
at random when the switch is loaded. What's more, many shops don't have enough available SPAN ports for even minimal monitoring
coverage. Inline network taps are a direct way to capture traffic but they have traditionally lacked the selective aggregation,
filtering capabilities, distributed management features and range of port densities necessary to make them anything more than
a stand-alone solution.
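Because a loaded switch drops SPAN frames silently, a capture taken from a SPAN port can be incomplete without any error being reported. The following added example (not from the article or any vendor) shows one after-the-fact check a monitoring team can run: walk each TCP direction in a capture and look for holes in the sequence-number space, which reveal bytes that were on the wire but never reached the analyzer. The `Pkt` record layout and the sample packets are constructed for illustration; in practice they would come from a pcap decoder.

```python
"""Capture-completeness check: infer segments missing from a SPAN/tap feed.

For each TCP direction, the next expected sequence number is prev.seq + prev.len.
If a later segment's seq jumps past that, the capture has a hole. Segments
below the expected value (retransmissions) are not counted as holes.
Sequence-number wraparound is ignored for brevity.
"""
from collections import namedtuple

# One captured TCP segment in one direction (constructed record layout).
Pkt = namedtuple("Pkt", "ts src dst seq plen")


def find_capture_gaps(packets):
    """Return (flow, expected_seq, seen_seq, missing_bytes) for every hole.

    Packets are assumed to be in capture order; flow = (src, dst), so each
    direction of a connection is tracked separately.
    """
    expected = {}  # flow -> next sequence number we expect to see
    gaps = []
    for p in packets:
        flow = (p.src, p.dst)
        nxt = expected.get(flow)
        if nxt is not None and p.seq > nxt:
            gaps.append((flow, nxt, p.seq, p.seq - nxt))
        if nxt is None or p.seq + p.plen > nxt:
            expected[flow] = p.seq + p.plen
    return gaps


def capture_loss_ratio(packets):
    """Estimate the fraction of payload bytes the capture never saw."""
    seen = sum(p.plen for p in packets)
    missing = sum(g[3] for g in find_capture_gaps(packets))
    return missing / (seen + missing) if seen + missing else 0.0


# Constructed sample: 1000-byte segments; the segment at seq 2000 was dropped
# by the SPAN port, and seq 3000 is later retransmitted (not a hole).
SAMPLE = [
    Pkt(0.000, "10.0.0.5:41000", "10.0.0.9:443", 1000, 1000),
    Pkt(0.001, "10.0.0.5:41000", "10.0.0.9:443", 3000, 1000),  # seq 2000 missing
    Pkt(0.002, "10.0.0.5:41000", "10.0.0.9:443", 4000, 1000),
    Pkt(0.003, "10.0.0.5:41000", "10.0.0.9:443", 3000, 1000),  # retransmission
    Pkt(0.004, "10.0.0.9:443", "10.0.0.5:41000", 500, 200),
    Pkt(0.005, "10.0.0.9:443", "10.0.0.5:41000", 700, 200),
]

if __name__ == "__main__":
    for flow, exp, seen, nbytes in find_capture_gaps(SAMPLE):
        print(f"{flow[0]} -> {flow[1]}: expected seq {exp}, saw {seen}; {nbytes} bytes not captured")
    print(f"estimated capture loss: {capture_loss_ratio(SAMPLE):.1%}")
```

A steady stream of such holes that correlates with switch load, rather than with retransmissions on the wire, is the signature of SPAN oversubscription the article describes.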
With no way to get a centralized view over a LAN down to Layer 2, service-level agreements for real-time applications such
as video and financial trades cannot be assured and enterprises cannot comply with regulations requiring a true and complete
copy of transactions and lawful intercepts. This situation is exacerbated by the need to use existing gigabit monitoring infrastructure
even as 10-gigabit switches continue to be rolled out at the core and access layers.
Much of the focus on network monitoring has been at the application layer. In part this is because monitoring equipment has
become more capable and specialized, able to identify more events and correlate diverse data sets into actionable reports.
But the equipment does not provide visibility into all parts of the network from a central location, leaving segments of the
network unmonitored and the monitoring equipment's capacity either underutilized or oversubscribed.
Distributed traffic capture involves deploying traffic capture devices across the network as a unified system, linking network
infrastructure to the analytical equipment. In this way traffic capture closely meshes with network topology, collecting a
copy of traffic at any point and sending it in real time to centralized monitoring tools.
In large, distributed Ethernet networks, monitoring equipment sits atop an IP infrastructure built for best-effort delivery.
With the rapidly increasing presence of time-sensitive, high-bandwidth traffic running at 10-gigabit over IP, network professionals
have begun to apply traffic engineering principles to network design. One example is the adoption of traffic management protocols
such as MPLS, widely used as the basis for VPNs.
Likewise, engineers are beginning to take a traffic engineering approach to network monitoring: employing distributed traffic
capture as a system matched to the network. The capabilities of the traffic capture devices are determined by the speeds,
nature of traffic and their location in the network's core, distribution, access and/or gateway layers and, if applicable,
related telecom architectures.