Blog
The Curious Case of Packet Sniffers
Justin Baker
February 20, 2009
For many network teams, the Packet Sniffer is still the go-to tool for tracking down any and all network-related problems. Network engineers use both commercial and open-source sniffers when they see performance degradations. They take packet dumps from segment to segment, hoping to catch the problem. I kind of think of chasing down a problem with a Packet Sniffer like whack-a-mole. Possibly fun for some people, definitely frustrating as well.
The thing with Packet Sniffer is, they were invented in 1986 (great innovation and very state of the art at the time, then again, so was Crocodile Dundee, Papa Don't Preach and Magnum, P.I. ;) ), and really haven't change much since.
A few major deficiencies of the Packet Sniffer:
1. They are reactive—In the most common scenario, the network team is informed of a performance issue and then tries to track it down by moving the packet sniffer around on the network, taking packet dumps for offline analysis, hoping to catch the right segment. By definition, this reactive process is only effective when there is a reproducible issue, while intermittent issues are almost certain to slip through the cracks.
2. Not enough visibility—Packet sniffers are good at providing detailed data about a single traffic flow; however, they generally can't look across multiple flows and transactions to spot patterns and commonalities. Additionally, visibility provided by packet sniffers often is restricted to the network layer. For complex applications that have interdependent components across the network, application, database, and storage tiers, the packet sniffer can tell you very little about those, thus we see the common picture of IT owning 50+ different tools and trying to piece all of them together when diagnosing a problem.
3. Very difficult to use—A common shortcoming most often associated with packet sniffers is that it is difficult to find the relevant information within a packet dump. Searching for a problem in a large packet dump is like looking for a snowflake in an avalanche. When it is difficult to find the root cause in a 2-MB packet dump, a 48-terabyte dump (the current state of the art as far as packet analyzer technology goes) can be outright daunting. Show me a network engineer that loves to stare at packet dumps, I'll show you a guy that's lying. :)
We actually single out Over-reliance on Packet Sniffers as one of the 7 Deadly Sins of Network Management. To hear more and to find out about the other 6 sins, join our webinar next week!
- Helen