Profitap and NetAlly - troubleshooting packet capture problems

The first step in any successful packet analysis, in terms of troubleshooting at the source, is to capture the right ones - the ones that contain the information you need to solve the problem. From this article, you'll learn how a combination of tools from Profitap and NetAlly makes it easier to access packet data.

In many cases, network problems can be solved with SNMP statistics and active or bandwidth tests. Sometimes, however, the only way to get to the source of the problem is through packet capture. Today it is very important to have the right tools to ensure that all necessary packets are captured. Without this, getting to the source of the problem can be difficult, if not impossible. We suggest combining equipment from two of our vendors, the NetAlly EtherScope™ nXG and the Profitap Booster In-Line, to create a complete packet capture solution.

There are several steps to successfully capturing and analyzing network traffic. In this article, we will examine each of these steps and the role that EtherScope™ nXG and Booster In-Line play.

The first step in successfully capturing packets is to get access to them. We can't just plug into any switch port and expect to capture the packets exchanged between two devices. There are several ways to reach packets along their normal path through the network. Each has its advantages and challenges, and we'll look at three of the most common.

SPAN Ports

This is currently the most popular method of capturing network traffic from devices connected to an Ethernet switch. The switch we want to retrieve data from is configured to copy the ingress and egress traffic of the monitored ports and send it to another port, to which we connect the analyzer.

Pros:
  • There is no need to disconnect the devices.
  • Simple to set up.
  • Low cost; the feature is built into the switch.
  • It can be introduced quickly.
Cons:
  • Aggregates traffic to a single port.
  • Requires switch configuration.
  • Configuration commands on the switch vary between vendors and models.
  • Not all switches have this feature.
  • Does not copy all packets (ignores some types and sizes).
  • Changes the timing of packets (which interferes with latency analysis).

When you are not dealing with a large amount of data, a SPAN port can be a good solution, but on a gigabit connection running in full duplex the combined ingress and egress traffic can exceed the SPAN port's capacity. In that case some packets have to be dropped, which makes the analysis significantly more complicated. In some networks, switch configuration changes are not a problem, but large networks often require change-control processes, which increase the time between error detection and resolution.

Aggregation TAPs

Another way to get at the relevant packets is through aggregation TAPs. This is a device that physically sits in the connection between the monitored device and the rest of the network to collect and aggregate traffic from ingress and egress ports to a single egress port.

Pros:
  • No need to access or configure the switch.
  • The TAP is fault-tolerant; if it loses power, packets continue to be transmitted.
  • It can be placed in the network while the network is being built.
Cons:
  • It is easy to overload the output port.
  • To install such a TAP, you need to disconnect the link.
  • The device must be purchased.

Aggregation TAPs have the advantage of not requiring access to the switch. However, as with SPAN ports, aggregation TAPs can become overloaded, resulting in the loss of some packets. In most cases such a device is a good solution, especially when working with an analyzer that has only one input port.

Computer with 10-gigabit network card

One way to combat aggregation problems is to use a capture device with a network card whose bandwidth exceeds the combined ingress and egress rate of the full-duplex link we are monitoring. Such a device could be, for example, a network card operating at 10G. This allows you to use the full capabilities of the TAP, which sends the aggregated traffic to a port with a higher throughput than the sum of the incoming and outgoing traffic.

The challenge with this solution is finding a computer with a 10-gigabit network card that is also able to capture at the full speed of a 10 Gbps link. In most cases the computer will not be able to capture all the data from the link it is connected to and then store it on disk or in memory. Even when the computer already has a suitable network card, the disk may turn out to be the bottleneck, unable to keep up with writing the data.

NetAlly EtherScope™ nXG and Profitap Booster In-Line

When it comes to a way to capture and save packets losslessly, the combination of NetAlly EtherScope nXG and Profitap Booster In-Line is hard to beat. These two tools allow us to access the network, capture multiple links simultaneously and save packets at full 10Gbps link speed.

The Booster In-Line from Profitap consists of four in-line TAPs, passes PoE through and is immune to power outages. It operates in a "fail open" manner: in the event of a power loss, the device continues to transmit packets between the devices it is connected to. This is extremely important, because if we were to put a standard monitoring device directly into the network, it could become a critical point that would cripple our infrastructure in the event of a failure until repaired.

Traffic from all four TAPs is aggregated and sent to the 1G/10G SFP+ port, which accepts SFP transceivers, both copper and fiber, as well as DAC cables. With the 10G SFP+ port we can transfer all the network traffic from all four TAPs, operating at 100% of their capacity in both directions. Their combined throughput is 8Gbps, which does not exceed the throughput of the output port.

Once we manage to connect the four links and send them to a single 10G interface, we connect it to the EtherScope nXG, which allows us to capture and record traffic at full 10Gbps link speed, without packet loss. It gives us confidence that we have access to all the data we need during analysis.

Capture on both sides of the device

When troubleshooting network problems and looking for bottlenecks in our infrastructure, we sometimes ask ourselves, "How much latency does a particular device cause?" The answer to this question is not always easy when we use a typical analysis solution. However, the situation changes when we use EtherScope nXG and Booster In-Line, because we can connect to the Profitap device from both sides of the device under investigation.

By capturing packets going into and out of a device, then aggregating them and sending them to the EtherScope nXG, we can accurately determine the latency introduced by the device between our two TAPs. Once we have measured the delay, we can determine whether that device is our limiting point.
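One way to turn the two-sided capture into a per-device latency figure, as an added Python example that is not part of the original article or either vendor's software: it assumes the aggregated capture has already been split into the packets seen at each TAP and matches ingress and egress copies on source, destination and IP ID, using the single clock of the analyzer that captured both sides.

```python
from collections import defaultdict

# Constructed sample capture (not real data): (timestamp_us, src_ip, dst_ip, ip_id)
# per packet, already split by TAP. TAP_A is on the ingress side of the device
# under test, TAP_B on its egress side; both share the analyzer's clock.
TAP_A = [
    (1_000_000, "10.0.0.5", "10.0.1.9", 0x1A2B),
    (1_000_100, "10.0.0.5", "10.0.1.9", 0x1A2C),
    (1_000_200, "10.0.0.6", "10.0.1.9", 0x0042),
    (1_000_300, "10.0.0.5", "10.0.1.9", 0x1A2D),
]
TAP_B = [
    (1_000_085, "10.0.0.5", "10.0.1.9", 0x1A2B),  # forwarded 85 us later
    (1_000_190, "10.0.0.5", "10.0.1.9", 0x1A2C),  # forwarded 90 us later
    (1_000_280, "10.0.0.6", "10.0.1.9", 0x0042),  # forwarded 80 us later
    # 0x1A2D never appears on TAP_B: dropped inside the device
]

def match_packets(tap_a, tap_b):
    """Pair each ingress packet with its first later egress copy.
    Key is (src, dst, ip_id); the IP ID is assumed not to repeat within a
    flow during the window. Returns (latencies_us, unmatched_keys)."""
    pending = defaultdict(list)
    for ts, src, dst, ip_id in tap_b:
        pending[(src, dst, ip_id)].append(ts)
    for stamps in pending.values():
        stamps.sort()
    latencies, lost = [], []
    for ts, src, dst, ip_id in sorted(tap_a):
        stamps = pending.get((src, dst, ip_id), [])
        # first egress timestamp not earlier than the ingress timestamp
        idx = next((i for i, t in enumerate(stamps) if t >= ts), None)
        if idx is None:
            lost.append((src, dst, ip_id))   # went in, never came out
        else:
            latencies.append(stamps.pop(idx) - ts)
    return latencies, lost

def summarize(latencies):
    """Min / median / max device latency in microseconds, or None if empty."""
    if not latencies:
        return None
    s = sorted(latencies)
    return {"count": len(s), "min_us": s[0],
            "median_us": s[len(s) // 2], "max_us": s[-1]}

if __name__ == "__main__":
    lat, lost = match_packets(TAP_A, TAP_B)
    print(summarize(lat), "lost:", lost)
```

Packets that enter but never leave show up in the unmatched list, which is the drop evidence a SPAN port with its altered timing would not let you trust.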

More than just capture

The EtherScope nXG is a very powerful device, and packet capture is only a small part of its capabilities. First of all, the EtherScope is a portable network tester that offers functions such as device name discovery on the network, SNMP queries and Wi-Fi analysis. Device name discovery is particularly useful: later, when analyzing stored packets and looking at the IP addresses of devices, we already know which names those addresses belong to.

Remote access and trace recovery

In creating EtherScope nXG and Profitap Booster In-Line, engineers from both companies kept in mind that a network analyst cannot always be on site for every network outage, and solved this problem by allowing the solution to be deployed at a remote location and then operated from a completely different location.

The EtherScope nXG is operated remotely via VNC or web remote control, which gives performance comparable to working on site without having to leave the office. With this option, a network analyst can prepare filters for packet capture or run a capture remotely.

After successfully capturing packets, EtherScope nXG prepares a PCAP file and then sends it to NetAlly's Link-Live Cloud Service where, through a web interface, the file can be retrieved and analyzed from anywhere.

As you can see, effective network traffic capture and analysis requires planning and the right tools. Although there are several ways to get at the packets we are interested in, each of these solutions has its own advantages and disadvantages, and without all the necessary packets, troubleshooting network and application problems may be impossible.

Here we propose a proven combination: a true all-in-one portable network tester, the NetAlly EtherScope nXG, with the Profitap Booster In-Line, which combines four TAPs and aggregates their traffic to a single output port.

Such a solution allows us to:

  • Get at the relevant packets in the network
  • Pass PoE through
  • Aggregate network traffic without overloading the output port
  • Write at 10Gbps
  • Discover device names and addresses on the network
  • Remotely control the device and analyze traffic from anywhere