TAP Into Network Analysis

Too often, solution providers get a frantic call from their customers with problems—sluggish performance, lost packets, misdirected traffic—with no effective troubleshooting mechanisms in place to identify and solve the issues. Nowadays, most networking equipment collects statistics and generates logs. With proper analysis tools, a clear image of the current state of network traffic emerges from the bewildering array of data.

Managing a network means dealing with an extensive to-do list. The list includes securing the network from attacks, preventing data leaks, monitoring for performance as well as assets, recording traffic and ensuring regulatory compliance.

Analyzing the data is not just another chore on the list, because the insights gleaned actually help accomplish the other tasks. Being aware of normal traffic and usage patterns will help identify unusual activity, which may be a precursor to an attack. An application taking up the most bandwidth and resources can be optimized for performance or rescheduled to run when traffic loads are lower. An application that should be running, but isn't, would be identified before a user flags the problem (by then, it's too late).

Understanding how applications vary in traffic usage, such as video vs. data, can help make decisions about network upgrades. For this Solutions that Work, CRN Test Center spoke with Chuck Hagerty, president and CEO of West Chester, Pa.-based DataPlus, on how to implement a network-analysis solution. DataPlus partners with a variety of vendors, including Network Critical.

The conversation centered on using network traffic access points (TAP) and network analyzers. While analyzers, such as sniffers and probes, are the key components of a network analytics solution, it is worthless without proper data collection. This is where the TAP comes in. Before any device can analyze traffic to monitor security, compliance or performance, it has to have access to 100 percent of the traffic data.

Previously, Switched Port for Analysis (SPAN) technology was commonly used to look at network traffic. Hagerty pointed out its limitations. While SPAN ports can copy traffic from any or all data ports to a single unused port for monitoring, it shows only "clean" traffic, he said. SPAN ports drop packets that are corrupt or below the minimum size, so not all the network traffic is passing through. An analyzer looking at the traffic as it comes from the SPAN port doesn't have the complete view of the traffic, and will not know why there are problems. SPAN ports remain popular, however, as it is often a feature on modern switches, such as the ones from Cisco Systems. Some switch families, such as the Cisco 3500 series, don't set a lower priority on SPAN traffic, which can also affect network speeds. Finally, SPAN ports drop the virtual LAN (VLAN) tag information. If the network contains any VLANs, the SPAN port will never notice the issue.

A TAP, on the other hand, is nonintrusive because it doesn't drop any corrupt packets, or lose frames when bandwidth is overloaded. A TAP can see VLAN tag information, so a network with VLANs can be monitored using a TAP.

Customers approach solution providers because they're looking for an unrestricted view into their critical network connections. Solution providers can offer the guarantee that a TAP is showing everything happening on the network, without any modification of filtering. A TAP sits between the router and the LAN link, seeing all the data as it is received and transmitted. TAP vendors include Fluke Networks, Network Critical and NetOptics.

Next: STEP 1 Investigate