Gigabit Ethernet has matured to the point that most users of network monitoring and analysis tools have figured out how to tap it effectively – from span ports to external taps and full duplex packet stream merging. Now we are faced with how to perform full packet analysis of 10 Gigabit Ethernet.
One solution for analyzing extremely high-speed packet flows without capturing and decoding every single packet is packet sampling via NetFlow or sFlow. This gives us a representative picture of applications, users, and flows relative to each other, so we can draw our pie and bandwidth-percentage charts.
The problem is, we don’t have all the data to reconstruct stream data or fully piece together a complete sequence of events when performing forensics analysis. Thus, ideally, we’d really like to capture all packets for as long as possible, perhaps recycling the capture store when it fills (such as a multi-terabyte capture appliance).
Furthermore, the problem is compounded when you consider that one and ten gigabit Ethernet run at full duplex. Thus, we’re really talking 20 gigabits per second here.
There are a number of issues with 10 Gigabit NICs, custom or otherwise, that prevent full line-rate capture for anything but short bursts. Not only that, but even the latest SATA and RAID drive arrays are limited by write speeds (not bus speeds), even with parallel drives. In fact, a recent article in Computer Business Review hints that a certain 10 Gbps packet capture appliance to be announced in the 2nd quarter (which it was) in reality runs closer to 1.5 Gbps, yet the marketing spin reads “sustained 10 Gigabit full-duplex capture”. I guess sustained is left open to interpretation as “take-up”.
So what’s the real solution? First off, it will take next generation 10 Gigabit adapters to get us substantially above 1.5 Gbps. Perhaps by year-end.
Meanwhile, one slick way to handle this problem is via the new Gigamon GigaVUE-MP data-access switch paired up with external NetOptics or Datacom 10 Gig taps. The GigaVUE can take a 10 Gigabit full duplex input and split it to multiple one Gig monitoring ports. Combined with on-board filters for MAC, IP (addresses or subnets), ports, and VLANs, one can logically split applicable traffic to multiple one Gig ports for capture and analysis.
This makes a lot of sense, since 10 Gigabit is currently deployed at the router/switch interconnect level, where a lot of traffic from disparate subnets, VLANs, etc. is aggregated. What better way to pre-filter and separate the traffic back out to multiple ports than to have the hardware do it for you – all at true 10 Gbps line rate?
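As an added illustration (not Gigamon's code or configuration, and not part of the original post), the following Python models that pre-filter/split step; the rule helpers, monitor-port names, and sample packets are constructed assumptions. Each rule matches either endpoint so both directions of a conversation land on the same one Gig port, which is what makes stream reconstruction possible later, and the capacity check flags any monitor port whose share of the aggregate would exceed 1 Gbps.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:  # header fields the switch can filter on, plus wire length in bytes
    vlan: int
    src: str
    dst: str
    sport: int
    dport: int
    length: int

def vlan_rule(vlan, port):
    return (lambda p: p.vlan == vlan, port)

def subnet_rule(cidr, port):
    """Match either endpoint so both directions of a conversation land on one port."""
    net = ipaddress.ip_network(cidr)
    return (lambda p: ipaddress.ip_address(p.src) in net or ipaddress.ip_address(p.dst) in net, port)

def service_rule(l4port, port):
    """Match the service port as source or destination so replies follow requests."""
    return (lambda p: l4port in (p.sport, p.dport), port)

def split(packets, rules):
    """First matching rule wins; packets matching no rule are not forwarded at all."""
    out = {}
    for p in packets:
        port = next((port for match, port in rules if match(p)), "unmatched")
        out.setdefault(port, []).append(p)
    return out

def offered_gbps(packets, window_s):
    return sum(p.length for p in packets) * 8 / window_s / 1e9  # load over the capture window

def oversubscribed(split_result, window_s):
    """Monitor ports whose share of the 10 GbE stream exceeds 1 GbE line rate (1.0 Gbps)."""
    return sorted(port for port, pkts in split_result.items()
                  if port != "unmatched" and offered_gbps(pkts, window_s) > 1.0)

RULES = [vlan_rule(100, "mon1"), subnet_rule("10.2.0.0/16", "mon2"), service_rule(443, "mon3")]
# Constructed sample: three request/reply pairs plus one flow no rule covers.
SAMPLE = [
    Packet(100, "10.1.1.5", "192.0.2.10", 51000, 80, 1500),
    Packet(100, "192.0.2.10", "10.1.1.5", 80, 51000, 60),
    Packet(200, "10.2.0.7", "198.51.100.3", 40000, 443, 1500),
    Packet(200, "198.51.100.3", "10.2.0.7", 443, 40000, 60),
    Packet(300, "172.16.0.9", "203.0.113.8", 33000, 443, 1500),
    Packet(300, "172.16.0.9", "203.0.113.8", 33001, 25, 1500),
]
```

Running `split(SAMPLE, RULES)` shows each request/reply pair staying together on one monitor port and the uncovered SMTP flow falling into "unmatched", i.e. never reaching a capture box at all.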
Interesting tap development dept.: Datacom has introduced the first tap that can filter and aggregate streams, coined SINGLEstream. It currently runs at one Gig, but can 10 Gig be far behind?
Interesting factoid dept: Line rate full duplex 10 Gbps can fill a gigabyte in less than 1/2 second, a terabyte in under 8 minutes.