5 Points on your Network where you should be analyzing Network Traffic
Analyzing Network Traffic – Where To Start
If you want to find out what is happening on your network, analyzing network traffic is a great way to start. By capturing traffic from a SPAN port, mirror port or network TAP, you have a non-intrusive way of gaining visibility without the need for software agents or clients.
If you want to move beyond capturing local traffic on a single client with an application like Wireshark, it may not be obvious where to start capturing. In this blog post, I take a look at the most important points on a network which you should focus on. In all cases, you can use a SPAN port, port mirror, TAP or network packet broker (NPB) as the data source for network packets.
1. Network Perimeter \ Internet Gateway
The best starting point for any type of traffic analysis strategy is at the edge of your network. Many bandwidth or security issues can be investigated by implementing network traffic analysis at this point. With a traffic analysis tool, you can spot things like large downloads, streaming, or suspicious inbound or outbound traffic. Make sure you start off by monitoring the internal interfaces of your firewalls; this allows you to track activity back to specific clients or users, because their addresses have not yet been translated by NAT.
This video explains how you can use a SPAN port to monitor internet activity.
2. Network Core
Once you have visibility at the network edge, you should then look at analyzing network traffic at the network core. Most managed switches allow you to take a copy of the traffic going to/from multiple ports and send it to a single port where you can plug in your traffic analysis tool. On certain switches, such as Cisco models, you can monitor entire VLANs so you don't need to worry about selecting specific ports.
The key thing to watch out for when monitoring at the core is that you don't overload the SPAN port. A SPAN session copies both directions of every source port onto the transmit side of a single destination port, so it is easy to exceed that port's line rate. If you max out the capacity, you may need to consider splitting the traffic across two SPAN/mirror ports or upgrading to 10 Gbps ports if you are currently using 1 Gbps ports.
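A quick way to check the point above before committing to a SPAN destination port is to add up the receive and transmit utilization of every source port and compare it with the destination port's line rate. The following script is an added example (not NetFort's code or anything from the original post); the port names and utilization figures are constructed sample values, and the 80% headroom figure is an assumption.

```python
"""Added example, not NetFort's code: estimate whether a SPAN / mirror
destination port will be oversubscribed before you commit to it.

A SPAN session copies both directions (rx and tx) of every source port
onto the transmit side of one destination port, so mirroring a single
busy 1 Gbps link can need close to 2 Gbps of egress. All port names and
utilization figures below are constructed sample values."""
import math
from dataclasses import dataclass


@dataclass
class SourcePort:
    name: str
    rx_mbps: float  # ingress utilization as measured on the switch (Mbps)
    tx_mbps: float  # egress utilization (Mbps)


def span_egress_mbps(sources):
    """Traffic the destination port must transmit: rx + tx of every source."""
    return sum(p.rx_mbps + p.tx_mbps for p in sources)


def span_check(sources, dest_port_mbps, headroom=0.8):
    """Return (required_mbps, fits, ports_needed).

    `fits` is True when the copied traffic stays within `headroom` of the
    destination port's line rate (80% by default, an assumed margin that
    leaves room for bursts); `ports_needed` is how many destination ports
    of that speed you would need to carry the copy without drops."""
    required = span_egress_mbps(sources)
    usable = dest_port_mbps * headroom
    ports_needed = max(1, math.ceil(required / usable))
    return required, required <= usable, ports_needed


def split_sources(sources, ports_needed):
    """Greedy split of source ports across `ports_needed` mirror sessions,
    always placing the next-busiest source on the least-loaded session.
    Returns a list of lists of source port names."""
    sessions = [[] for _ in range(ports_needed)]
    load = [0.0] * ports_needed
    for p in sorted(sources, key=lambda s: s.rx_mbps + s.tx_mbps, reverse=True):
        i = load.index(min(load))
        sessions[i].append(p.name)
        load[i] += p.rx_mbps + p.tx_mbps
    return sessions


# Constructed sample: two core uplinks mirrored first to a 1 Gbps port, then 10 Gbps.
CORE_UPLINKS = [
    SourcePort("Gi1/0/1", rx_mbps=600, tx_mbps=450),
    SourcePort("Gi1/0/2", rx_mbps=300, tx_mbps=250),
]

if __name__ == "__main__":
    for dest in (1000, 10000):
        required, fits, n = span_check(CORE_UPLINKS, dest)
        print(f"dest {dest} Mbps: need {required:.0f} Mbps, fits={fits}, ports={n}")
        if not fits:
            print("  suggested split:", split_sources(CORE_UPLINKS, n))
```

With the sample figures, the two uplinks together generate 1600 Mbps of mirrored traffic, which a 1 Gbps destination port cannot carry; the script suggests splitting the sources across two mirror sessions, or a 10 Gbps destination port absorbs it with room to spare. Feed in the utilization counters from your own switch to get a realistic answer.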
3. DMZ
Once you have visibility inside your network, you should then consider monitoring activity just outside the network's edge. Typically, this area is called the demilitarized zone (DMZ) and may contain web servers and other public-facing resources.
A DMZ is a busy place when it comes to network events. Many devices here have public IP addresses and so will be constantly scanned and probed for vulnerabilities.
4. Remote Networks
If you are analyzing network traffic at your network core, you should be able to see what is happening on WAN links. This is done by applying filters based on the subnets in use at the remote sites. You can read more about this in my recent blog post, which looked at a number of ways of generating reports on WAN bandwidth utilization.
However, you will need to analyze traffic locally at the remote sites if you want to see what is happening within those remote networks, since traffic that stays local to a site never crosses the WAN link. A typical use case for this is identifying the source of a broadcast or unicast storm on the remote network.
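The two situations above call for two different analyses: at the core, filtering flow records by remote-site subnet to report WAN bytes per site; at the remote site itself, counting broadcast frames per source MAC to find who is generating a storm. The script below is an added example (not NetFort's code or part of the original post) that does both on constructed sample data; the site names, subnets, addresses, MAC addresses, byte counts and the storm threshold are all assumptions.

```python
"""Added example, not NetFort's code: analyze flow and frame records
captured at the network core and at a remote site.

Part 1 reports WAN bytes per remote site by matching addresses against
the remote-site subnets (the filter approach described above).
Part 2 finds the source of a broadcast storm from a capture taken at the
remote site itself. All subnets, addresses, MACs and byte counts are
constructed sample values."""
import ipaddress
from collections import defaultdict

# Hypothetical remote-site subnets (RFC 1918 private address space).
REMOTE_SITES = {
    "Dublin": ipaddress.ip_network("10.20.0.0/16"),
    "Cork": ipaddress.ip_network("10.30.0.0/16"),
}

# Constructed flow records seen at the core: (src_ip, dst_ip, bytes)
FLOWS = [
    ("10.20.1.5", "10.1.1.10", 500_000),    # Dublin client -> HQ server
    ("10.1.1.10", "10.20.1.5", 2_000_000),  # HQ server -> Dublin client
    ("10.30.4.2", "10.1.1.20", 750_000),    # Cork -> HQ
    ("10.1.1.30", "10.1.1.40", 9_000_000),  # HQ-local, never crosses the WAN
    ("10.20.9.9", "10.30.1.1", 100_000),    # site-to-site, counted against the source site
]


def site_for(ip):
    """Name of the remote site whose subnet contains `ip`, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in REMOTE_SITES.items():
        if addr in net:
            return name
    return None


def wan_bytes_per_site(flows):
    """Sum the bytes of every flow that touches a remote-site subnet."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        site = site_for(src) or site_for(dst)
        if site is not None:
            totals[site] += nbytes
    return dict(totals)


def utilization_pct(nbytes, seconds, link_mbps):
    """Average link utilization (%) for `nbytes` carried over `seconds`."""
    bits_per_s = nbytes * 8 / seconds
    return round(100 * bits_per_s / (link_mbps * 1_000_000), 2)


BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames captured locally at the Dublin site over a 2 s window:
# (timestamp_s, src_mac, dst_mac)
FRAMES = [
    (0.1, "00:11:22:33:44:aa", BROADCAST),
    (0.3, "00:11:22:33:44:aa", BROADCAST),
    (0.5, "00:11:22:33:44:bb", BROADCAST),
    (0.8, "00:11:22:33:44:aa", BROADCAST),
    (1.0, "00:11:22:33:44:cc", "00:11:22:33:44:dd"),  # ordinary unicast
    (1.2, "00:11:22:33:44:aa", BROADCAST),
    (1.5, "00:11:22:33:44:aa", BROADCAST),
    (1.7, "00:11:22:33:44:bb", BROADCAST),
    (1.9, "00:11:22:33:44:aa", BROADCAST),
]


def broadcast_counts(frames):
    """Number of broadcast frames sent by each source MAC."""
    counts = defaultdict(int)
    for _, src, dst in frames:
        if dst == BROADCAST:
            counts[src] += 1
    return dict(counts)


def storm_sources(frames, window_s, threshold_fps):
    """Source MACs whose broadcast rate over `window_s` exceeds `threshold_fps`.

    Only meaningful for a capture taken on the affected segment: a storm
    confined to the remote LAN is invisible at the core."""
    counts = broadcast_counts(frames)
    return sorted(mac for mac, n in counts.items() if n / window_s > threshold_fps)


if __name__ == "__main__":
    per_site = wan_bytes_per_site(FLOWS)
    for site, nbytes in per_site.items():  # assume a 60 s window on 10 Mbps links
        print(f"{site}: {nbytes} bytes, {utilization_pct(nbytes, 60, 10)}% of link")
    print("broadcast storm sources:", storm_sources(FRAMES, 2.0, 2))
```

The site-to-site flow shows one caveat of subnet filters: a flow between two remote sites matches both, so the code attributes it to the source site only to avoid double counting. The storm detector reports the MAC sending more than two broadcast frames per second, which on the sample data is the single noisy host rather than the one that merely answered a couple of ARP requests.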
5. East West Traffic on Virtual Platforms
If you use virtual environments like VMware, Hyper-V or VirtualBox, you will have virtual networks in place. These networks are built from virtual switches that are mapped to the physical interfaces on the hypervisor. However, network traffic can flow between virtual hosts without ever appearing on the physical network. This has become a common blind spot for many network managers who have virtualized one or more servers.
To gain visibility within a virtual environment, you need to deploy a virtual machine capable of analyzing the network traffic flowing through a virtual switch. The following video explains what needs to be done to implement this on an ESX server.
We have further videos available in the resources section of this website which look at what you need to do on other hypervisors.
NetFort provides network traffic and security monitoring software for virtual and physical networks. NetFort's flagship product, LANGuardian, is unique in the marketplace thanks to its powerful deep-packet inspection technology that can be downloaded and deployed on standard physical or virtual hardware to provide comprehensive visibility in minutes. Organizations worldwide depend on LANGuardian solutions for everything from user activity monitoring to file activity monitoring, web activity monitoring, network security monitoring, bandwidth monitoring, wire data analytics, network forensics and packet capture.
To see LANGuardian in action – try our interactive demo today!