DPI Training: The What and Why of Packet Analysis

(“In Case You Missed It Monday” is my chance to showcase something that I wrote and published in another venue, but is still relevant. This week’s post originally appeared on OrangeMatter)

If you have been troubleshooting networks for any length of time, it should be obvious that packet inspection is a technique well worth learning. The depth of insight that packet capture tools like Wireshark provide is hard to overstate. It’s also hard to learn how to do. Unless you have a specific use case, or there’s a crisis and your boss is breathing down your neck, figuring out how to effectively and efficiently set up and analyze packet captures is never at the top of anyone’s list.

As soon as you get into your capture tool, the questions begin: How do I select the correct interface? Am I supposed to capture all traffic, or just some? Do I filter by remote device IP, port, or some other element? After you run the capture, you have to analyze the results. It’s easy to get lost in row upon row of raw packet information, never mind knowing which lines will give you a time-to-first-byte calculation, or tell you how long it took a TCP three-way handshake to complete.

As challenging as it is, many people assume it can’t possibly be worth the effort. And that’s a shame, because learning how to perform and analyze packet captures is not just an esoteric skill you can use to score geek cred with your friends. It can be a game-changer in terms of your ability to solve problems and advance your career by being taken seriously by high-level IT professionals.

The single source of truth about your network

Packet inspection puts you in touch with the single source of truth about your network: the packets themselves. Nothing else will tell you what’s ACTUALLY happening on the wire right now because everything else is only seeing individual pieces of the puzzle. Packet capture gives you insight into situations like:

Users can’t connect to a Web-based application, and you’ve checked “everything.” Packet capture will show you that one firewall rule you (and the other three people who double-checked your work) overlooked. Not only does it show you what is wrong, it shows you exactly which device to change.

A vendor insists its software is secure, but you suspect that’s a line of malarkey. Packet capture will show you the communication between clients, servers, and remote data sources to reveal whether the data streams are secure, encrypted, and consistent – or not.

Network admins often hear the complaint, “it’s slow,” but the reason an application is under-performing is a mystery. It could be the server isn’t responding in a timely fashion, or it could be a true network issue. Packet inspection lets you do two things. First, it checks the timing on TCP three-way handshakes. Slow response in this area indicates a network problem. Second, large time-to-first-byte values would prove it’s the application server that’s holding things up.

I have worked with many network admins and engineers who struggle with these problems. To help them, I created the free email course on Deep Packet Inspection for Quality of Experience monitoring. Detailed, daily lessons will explain not only HOW to perform various tasks, but WHY you should. The lessons are self-contained, meaning there are no cliffhangers or please-sign-up-for-our-next-course-to-find-out-more prompts. And delivery to your inbox means you don’t have to remember to go to some website and open a course. Finally, you can work on each lesson at your pace and on your schedule.

Monitoring tools have advanced past ping and simple SNMP and are now able to perform packet inspection. Shouldn’t you?
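The two measurements from the “it’s slow” scenario above, worked through on constructed packet records. This is an added example, not part of the original post; the record layout, the sample values, and the two limits in the diagnose function are assumptions.

```python
# Added example: handshake time vs. time-to-first-byte for one TCP connection.
# Records are (seconds, sender, TCP flags, payload bytes); constructed sample data.
SLOW_SERVER = [
    (0.000, "client", {"SYN"}, 0),
    (0.042, "server", {"SYN", "ACK"}, 0),
    (0.043, "client", {"ACK"}, 0),
    (0.044, "client", {"PSH", "ACK"}, 310),    # request
    (0.086, "server", {"ACK"}, 0),             # bare ACK, carries no data
    (0.912, "server", {"PSH", "ACK"}, 1460),   # first byte of the response
]
SLOW_NETWORK = [
    (0.000, "client", {"SYN"}, 0),
    (1.000, "client", {"SYN"}, 0),             # retransmitted SYN
    (1.480, "server", {"SYN", "ACK"}, 0),
    (1.481, "client", {"ACK"}, 0),
    (1.482, "client", {"PSH", "ACK"}, 310),
    (1.990, "server", {"PSH", "ACK"}, 1460),
]

def handshake_time(packets):
    """Seconds from the first client SYN to the ACK that completes the handshake."""
    syn, synack_seen = None, False
    for ts, sender, flags, _ in packets:
        if sender == "client" and flags == {"SYN"} and syn is None:
            syn = ts                     # first SYN, so retransmissions count as delay
        elif sender == "server" and flags == {"SYN", "ACK"} and syn is not None:
            synack_seen = True
        elif sender == "client" and "ACK" in flags and synack_seen:
            return round(ts - syn, 6)
    return None                          # handshake never completed in this capture

def time_to_first_byte(packets):
    """Seconds from the first client payload to the first server payload."""
    request = None
    for ts, sender, _, size in packets:
        if sender == "client" and size > 0 and request is None:
            request = ts
        elif sender == "server" and size > 0 and request is not None:
            return round(ts - request, 6)   # bare ACKs (size 0) are skipped
    return None                          # no response data seen

def diagnose(packets, handshake_limit=0.2, ttfb_limit=0.5):
    """Limits are illustrative assumptions; tune them to your own baseline."""
    hs, ttfb = handshake_time(packets), time_to_first_byte(packets)
    if hs is None or ttfb is None:
        return "incomplete"
    if hs > handshake_limit:
        return "network"
    return "server" if ttfb > ttfb_limit else "ok"
```

The handshake is checked first because a slow network path also inflates time-to-first-byte, so a large value there only points at the server once the handshake looks healthy.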
