Can you capture all the packets on your network?

The simple answer is yes, you can capture all the traffic on your network. I do it all day, every day, with my network monitoring servers. But it is a little more complicated than the short answer.

The first consideration is bandwidth. Let’s assume 200 client computers are attached to 50 servers. The clients are at 100 Mbps and the servers are at 1 Gbps. Quickly doing the math, you can see that the maximum bandwidth is 70 Gbps. Each packet will be mirrored (or copied) to the network monitor port. To avoid missing packets, that port would need a 70 Gbps uplink. Such an uplink exceeds the budgets of SMB IT departments.

The second consideration is storage. Let’s assume that the throughput for client computers is, on average, 5% of the available bandwidth. For servers, we will use 25%. Given 3,600 seconds in an hour, do the math, and you’ll see we need 439.5 GB an hour for clients and 5.5 TB an hour for servers. Call that an even 6 TB an hour, 142 TB a day, 1 PB a week. Such disk storage costs exceed the budgets of SMB IT departments.

Given these numbers, how do I capture the packets that travel across my network? First, I use a 10 Gbps uplink to get the mirrored traffic. There are times when the traffic overwhelms the uplink and packets are lost. Second, I keep only a few hours of packets in storage. I maintain the packet summary (time, source IP and port, destination IP and port, byte count, application details) for a few weeks. The summary is significantly smaller than the actual traffic.
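The bandwidth and storage arithmetic from the two paragraphs above, and the 10 Gbps mirror uplink, as a small capacity model. This is an added example, not code from the original post; the host counts, link speeds and utilisation figures are the post's own assumptions, and it follows the post's unit convention (decimal megabits, then dividing by 1024 for the MB to GB step), which is how the post arrives at 439.5 GB an hour.

```python
"""Capacity model for full-packet capture on a switch mirror (SPAN) port.

Added example reproducing the post's arithmetic: 200 clients at 100 Mbps,
50 servers at 1 Gbps, 5% / 25% average utilisation, 10 Gbps capture uplink.
"""
from dataclasses import dataclass

SECONDS_PER_HOUR = 3600


@dataclass(frozen=True)
class HostClass:
    count: int          # number of hosts in this class
    link_mbps: int      # per-host link speed, megabits per second (decimal)
    utilisation: float  # average fraction of the link actually carrying traffic


# The post's assumptions (constructed from the text, not measured data).
CLIENTS = HostClass(count=200, link_mbps=100, utilisation=0.05)
SERVERS = HostClass(count=50, link_mbps=1000, utilisation=0.25)


def peak_mirror_gbps(*classes: HostClass) -> float:
    """Worst case: every host saturating its link at once. A mirror port
    needs this much uplink to guarantee zero dropped packets."""
    return sum(c.count * c.link_mbps for c in classes) / 1000


def capture_gb_per_hour(c: HostClass) -> float:
    """Average captured bytes per hour for one host class.
    Megabits -> megabytes (/8), seconds -> hour, then MB -> GB by 1024,
    matching the post's 439.5 GB figure for the clients."""
    avg_mbps = c.count * c.link_mbps * c.utilisation
    return (avg_mbps / 8) * SECONDS_PER_HOUR / 1024


def storage_projection(*classes: HostClass, uplink_gbps: float) -> dict:
    """Roll the per-class numbers up into the figures a sizing decision needs."""
    peak = peak_mirror_gbps(*classes)
    gb_hour = sum(capture_gb_per_hour(c) for c in classes)
    return {
        "peak_gbps": peak,
        "uplink_oversubscription": peak / uplink_gbps,  # >1 means drops at peak
        "gb_per_hour": gb_hour,
        "tb_per_day": gb_hour * 24 / 1000,
        "pb_per_week": gb_hour * 24 * 7 / 1_000_000,
    }


if __name__ == "__main__":
    for key, value in storage_projection(CLIENTS, SERVERS, uplink_gbps=10).items():
        print(f"{key:>24}: {value:,.2f}")
```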

The more complex answer is yes and no. You can log all the packets. But even for relatively small networks, the hardware needed to meet the resulting throughput and storage requirements will be cost prohibitive.

In hindsight, maybe switching to NetFlow is not such a bad idea.