The evolution of packet sniffing

The role of a packet sniffer in IT operational support has changed dramatically over the years, from a niche LAN diagnostic tool used only by network experts to a big data analytics platform providing a service to the whole business. Most network engineers are familiar with the use of packet sniffers as diagnostic tools to address specific protocol or application communication issues. The mode of operation was well understood:

1) identify the logical and physical link that carried the troublesome traffic;
2) connect your sniffer to a spare port on a device in the path;
3) 'mirror' the relevant port carrying the real traffic to your sniffer port;
4) start a 'capture' and run it for a useful period of time, anything from 30 seconds to an hour, but almost always limited by the storage space on the sniffer;
5) stop and analyse the capture to (hopefully) identify the cause of the problem.

Over time, additional functionality on the 'sniffer' assisted further in the task: filtering focused on 'relevant' protocols and/or sources and destinations, while protocol decodes and graphical user interfaces assisted with the interpretation of captured data.

Today, thanks to advances in sniffer design and technology, wire data can be used and analysed in very different and more sophisticated ways. Improved processing speeds and the increased availability of low-cost RAM mean that, instead of dumping data out to a storage medium before processing commences, analysis can be done in memory and in near real time. They also mean that the volumes of data that can be processed have increased to keep up with all but the most heavily used links. In the simplest sense, wire data provides raw insight into a network environment, and with deep packet inspection in near real time that insight is not based on synthesised statistical prediction but provides a complete and objective view.

Combined with distributed packet capture architectures, this means that the use of wire data is no longer limited to single-issue, short-window analysis for a support specialist; it is now suited to entire-infrastructure, multi-silo, multi-purpose, always-on data analysis for the business. To put it another way, wire data should now be treated as 'big data' that can be analysed for concrete business insight. Combining wire data with machine and agent data using big data techniques now has the capability to transform business insight into IT infrastructure performance.
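The filter-decode-aggregate pipeline described above, run in memory over frames as they arrive rather than dumped to disk first, as an added Python example that is not code from the original post or from any product it describes; the frames are constructed inline (not captured traffic), and the header layouts are the standard Ethernet II, IPv4 and TCP/UDP ones.

```python
import struct
from collections import defaultdict
from ipaddress import IPv4Address

ETH_IPV4 = 0x0800
PROTO_NAME = {6: "TCP", 17: "UDP"}

def decode_frame(frame):
    """Decode Ethernet II -> IPv4 -> TCP/UDP ports; return a dict, or None if not decodable."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != ETH_IPV4:
        return None
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    l4 = 14 + (ver_ihl & 0x0F) * 4  # IHL is counted in 32-bit words
    if ver_ihl >> 4 != 4 or proto not in PROTO_NAME or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    return {"proto": PROTO_NAME[proto], "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "sport": sport, "dport": dport, "bytes": total_len}

def analyse_stream(frames, proto=None, host=None):
    """Decode each frame as it arrives and keep only per-flow counters, never the frames themselves."""
    flows = defaultdict(lambda: {"frames": 0, "bytes": 0})
    for frame in frames:
        pkt = decode_frame(frame)
        if pkt is None:  # non-IPv4 or unsupported transport: ignore
            continue
        if proto and pkt["proto"] != proto:  # 'relevant protocol' filter
            continue
        if host and host not in (pkt["src"], pkt["dst"]):  # source/destination filter
            continue
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        flows[key]["frames"] += 1
        flows[key]["bytes"] += pkt["bytes"]
    return dict(flows)

def build_frame(proto_num, src, dst, sport, dport, payload_len):
    """Constructed demo frame: Ethernet II + 20-byte IPv4 header + 8-byte transport header stub."""
    total_len = 20 + 8 + payload_len
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto_num, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + struct.pack("!HH", sport, dport) + b"\x00" * (4 + payload_len)

SAMPLE_FRAMES = [  # constructed sample input, not captured traffic
    build_frame(6, "10.0.0.5", "10.0.0.80", 51000, 443, 100),
    build_frame(6, "10.0.0.80", "10.0.0.5", 443, 51000, 1200),
    build_frame(17, "10.0.0.5", "10.0.0.53", 40000, 53, 40),
    b"\x00" * 12 + struct.pack("!H", 0x0806) + b"\x00" * 28,  # ARP frame, skipped by the decoder
]
```

Calling analyse_stream(SAMPLE_FRAMES, proto="TCP") yields two flows keyed by 5-tuple with frame and byte counts; memory use grows with the number of distinct flows, not with the volume of traffic seen.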
