NetFlow and Packet Capture, Why You Need Both

[Figure: Differences between NetFlow and Packet Capture]

Whenever the issue of network forensic analysis is raised among network engineers, the NetFlow vs. Packet Capture debate is sure to come up as well. As technology grows, networks become exponentially more complex, and the number of applications and end-users that may share a network link at a given time keeps rising. For network engineers or operators in a NOC, this raises the question: “When there is an error or lag on a network, do we use packet capture or NetFlow for our analysis?” It shouldn’t have to be either/or; you need both to get the visibility required to keep the network performing.

Both provide visibility into the ongoing activity in a network, aiding in the improvement of network and application performance and the analysis of network activity. The difference between NetFlow and Packet Capture lies in the level of detail provided and the mode of operation. To gain more clarity, we will discuss the key factors that distinguish them.

Origins and Traditional Purposes

From the onset, SNMP embedded in applications provided network engineers with the information needed for capacity planning and for monitoring devices on a network, but it did not provide deep insight into bandwidth and traffic utilization.

To satisfy this need, various technology companies developed packet capture tools to gain deeper insight into what is happening in the network. That worked well and helped a great deal in troubleshooting general network issues, but over time network structures became more complex and extensive, issues became more complicated, and network security needed more attention than ever before. This led to further upgrades and improvements to sniffing devices and analyzers, but there were still limitations in deployment, reach, and maintenance.

Cisco, on the other hand, developed NetFlow as a protocol for NetFlow-enabled switches and Cisco routers. These devices export information on the IP traffic going to and from them over UDP to NetFlow collectors, which record it in a format that enables further analysis. NetFlow was developed to complement packet capture and to satisfy needs around enterprise-wide visibility, easy assessment, maintenance, and large-scale deployment, and, most importantly, to provide historical data for trend analysis and network performance monitoring.
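To make the export described above concrete, here is an added example (not LiveAction's or Cisco's code) that parses one NetFlow v5 datagram, the UDP payload a router sends to a collector. The field layout follows the published NetFlow v5 header (24 bytes) and record (48 bytes) format; the two-record datagram is constructed inside the file with struct.pack so the parser can be run offline, and the addresses, ports and counters in it are made-up sample values.

```python
"""Parse a NetFlow v5 export datagram (header + fixed-size flow records).

Added example, not part of the original article. The datagram is constructed
below with the same struct layouts, so this file runs offline.
"""
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes, network byte order
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow record
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_v5(datagram: bytes) -> dict:
    """Return header fields and a list of flow records from one v5 datagram.

    A collector must validate the announced record count against the actual
    payload length before unpacking, otherwise a short or corrupt datagram
    raises from struct.unpack_from in the middle of processing.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq,
     engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 datagram (version={version})")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError(f"header announces {count} records but payload is truncated")
    # sampling_interval: top 2 bits are the sampling mode, low 14 bits the 1-in-N value
    sample_mode, sample_n = sampling >> 14, sampling & 0x3FFF
    export_time = unix_secs + unix_nsecs / 1e9  # wall-clock time at export

    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport,
            "proto": PROTO_NAMES.get(proto, str(proto)),
            "packets": pkts, "bytes": octets, "tcp_flags": tcp_flags,
            # first/last are router uptime in ms; anchor them to wall-clock time
            "start": export_time - (sys_uptime - first) / 1000.0,
            "end": export_time - (sys_uptime - last) / 1000.0,
            "in_if": in_if, "out_if": out_if,
        })
    return {"flow_sequence": flow_seq, "engine": (engine_type, engine_id),
            "sampling_mode": sample_mode, "sampling_interval": sample_n,
            "records": records}


def build_sample_datagram() -> bytes:
    """Constructed two-record export standing in for a router (not real traffic)."""
    uptime_ms, now = 90_000, 1_700_000_000
    header = V5_HEADER.pack(5, 2, uptime_ms, now, 0, 1000, 0, 0, 0)

    def rec(src, dst, sport, dport, proto, pkts, octets, first, last, flags):
        return V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst),
                              socket.inet_aton("0.0.0.0"), 1, 2, pkts, octets,
                              first, last, sport, dport, 0, flags, proto, 0,
                              0, 0, 24, 24, 0)

    # a 25-second HTTPS session and a single-packet DNS query
    return (header
            + rec("10.0.0.5", "192.0.2.10", 51234, 443, 6, 120, 98_000, 60_000, 85_000, 0x1B)
            + rec("10.0.0.5", "192.0.2.53", 40000, 53, 17, 1, 78, 70_000, 70_000, 0))


if __name__ == "__main__":
    for r in parse_v5(build_sample_datagram())["records"]:
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} {r["proto"]} '
              f'{r["packets"]} pkts {r["bytes"]} bytes {r["end"] - r["start"]:.1f}s')
```

Each record carries exactly the metadata listed later in this article (addresses, ports, timing, byte and packet counts) and nothing of the payload, which is the trade-off the rest of the article is about.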

Setup And Resource Management

As with any other argument about which technology should be adopted to support an enterprise’s operations, the resources to be expended and the effort involved in setup and maintenance go a long way toward determining which (or, in LiveAction’s case, both) will be chosen. The same applies to the NetFlow vs. Packet Capture debate: which is easier and cheaper to implement?

Depending on the vendor, for most packet capture tools to work efficiently and with ease, the intended network has to be fitted with packet sniffers and agents throughout its extent. Packet sniffers, for instance, tend to take a good chunk of the budget in their setup, and the maintenance costs may accrue to the point of being extravagant over time. And this is besides the costs attached to installing and maintaining packet capture agents for the whole period they are in use.

On the other hand, all the major networking equipment vendors support flow data natively in their core networking devices, including firewalls, switches, and routers. This makes it easy for network engineers to install, deploy, and use Cisco NetFlow, for example. Additionally, NetFlow does not require additional cabling in its setup; the same cannot be said of packet capture tools, which need cables to connect the capture tool to mirror ports.

Breadth vs. Depth

When it comes to the provision of information, packet capture brings it all in. It intercepts and documents all traffic flowing through a network or part of a network. Though it provides an extensive volume of data, packet capture probes are limited to targeted locations, because of the maintenance and cost needed to deploy packet capture on a large scale.

Hence, while packet sniffers and analyzers provide a great deal of information about a network segment, their reach across the network’s entirety is limited, making it almost impossible for an enterprise’s network to be fully analyzed with packet capture. Nevertheless, the network traffic information packet capture provides for target locations is complete and accurate documentation of those locations’ history over a long period. To an extent, that gives it an edge in the NetFlow versus Packet Capture debate.

Rather than a large volume of data on a network’s activity, the data NetFlow provides is more focused. While engineers might have to rummage through the details provided by packet capture to pinpoint the information they need, NetFlow gives a summarized view of network activity by providing metadata, which includes:

  • Sender’s and receiver’s IP addresses
  • Timestamps
  • Communication Ports
  • Communication time length
  • The amount of transferred data

The summary information provided by NetFlow gives a broad view of a network’s entirety and makes it easy for engineers to assess a network quickly.

Probes

This factor makes for an essential point. Simply put, packet capture tools carry out Deep Packet Inspection (DPI) on targeted fields to provide extensive detail on their target, while the probes carried out by NetFlow can be called superficial, as they sample packets to generate data instead of assessing each packet as it travels through the network. Where NetFlow misses a trend, packet capture shines its beam on the dark corner and creates visibility into previously undetected activity.

Playback

Using sophisticated tools like LiveNX and LiveWire, NetOps can do historic playback on NetFlow (and virtually any other flow type) and packet data. For many other NPMD solutions, this is not possible.

Storage Space

Packet capture’s bulky historical data is stored going back as far as several years, making the payload cumbersome and expensive to store and maintain. But LiveWire for LiveNX or LiveCapture for Omnipeek make this a thing of the past.

Get both NetFlow and Packet Capture in One Solution

There is no point getting stressed out over a NetFlow vs. Packet Capture debate when you can do both affordably, enabling your NetOps and IT teams to discover and resolve problems faster than ever before! LiveAction, through LiveNX, has the industry’s first-ever unified network monitoring platform, combining flow, SNMP, and packet data. The platform combines all the benefits of these protocols and goes further to improve on them, offering additional benefits that enable full support on all networks and network devices. With LiveAction, teams can easily go from a global view of the network and drill down to individual packets when necessary to solve problems. This complete visibility is why LiveAction is unmatched in reducing MTTR.

Take a look for yourself at how LiveNX can help you.