April 08, 2008

Pilot Sneak Preview: A New Direction in Network Analysis?

Build a better analysis front-end and they will come. That’s what CACE Technologies hopes to achieve with its Pilot visualization and reporting tool (expected to be announced on or prior to 4/18). Pilot (named after the fish that "congregate around sharks, rays, and sea turtles, where it eats parasites on and leftovers around the host species" according to Wikipedia) was previewed at the Wireshark developers’ conference last week. I was fortunate enough to get my hands on a beta.

In my opinion, established vendors had nothing to fear from Wireshark. Build a superior expert system, high performance capture and aggregation hardware, easy to use distributed tools and data mining and you have a winner. That is, until now.

CACE is the first commercial vendor to truly embrace Wireshark as a platform while other vendors stood back in fear. Why are they afraid? Why not embrace open source rather than try to hide it, as others have done? An example of this is incorporating so-called third-party decodes from Wireshark’s predecessor, Ethereal.

Pilot is different the moment you fire it up.  Notice in the screen shot below, the modern GUI and the ability to learn several aspects of the product via a series of short videos.  I'd love to see other vendors follow this refreshing approach.

[Screenshot: Pilot overview]

Pilot is more than just a pretty face. It also serves as a data mining tool to cull data from a large number of Wireshark files. In a recent situation, I had an analyzer-less customer deploy a number of Wiresharks at several suspected problem areas in their network for long-term capture to disk. We were then able to go back and manually mine data from several capture points when a particular event occurred and zero in on the problem. With Pilot, we can now bring those long term capture files together to assist in the mining and analysis process.

At the heart of the product is a Google Finance-like chart that slides across statistics collected from one or more packet traces, shown in the screen shot below. The highlighted part is a section I selected by hand to "send to Wireshark" for deep packet inspection. Pilot leaves not only the packet decodes but all packet display functions to Wireshark, a departure from other vendors that merely grabbed the Wireshark decoders. Pilot can also take advantage of WinPcap and AirPcap to grab real-time wired and wireless packet-derived data.

[Screenshot: Pilot graph with a hand-selected section]

There are other goodies in the interface like dragging and dropping a view such as top MAC or IP sources, conversations, bandwidth by bytes or packets, and so on top of your selected file(s) or a section of a graph.  For instance, perhaps you only want the IP Conversations view for the highlighted portion in the bytes per second graph in the above screenshot. Merely drag the view from the selection tree on the left-hand side over the highlighted part in the graph and instantly see the conversations only for that time span. Way cool.

Linux users are out of luck though – this is a Windows only product built using Microsoft Visual Studio tools, as clearly evidenced by the Office 2007 ribbon interface. Frankly, when I first used Office 2007, I didn’t like the new interface as I was used to using previous versions. Once I forced myself to learn it however, I felt that it was superior (who says you can’t teach an old dog new tricks?). As such, I felt right at home with Pilot.

There are a couple of improvements I'd like to see, however. For instance, you can "send" a statistic or part of a graph, such as one or more parts of a histogram (using multi-select) for top talkers (sources) to Wireshark for deep packet inspection. Unfortunately, you only see one-way packet streams from those source addresses. I’d love to see a feature pioneered by WildPackets with its Select Related feature and imitated by others as a "quick filter", to select a choice of source and/or source and peers, so I can follow the flows. Analyzing one-way top talkers at the packet level makes sense for broadcasts, but less so for unicast traffic.
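The data-mining workflow described above (merging long-term capture files, slicing a time span off the bytes-per-second chart, listing the IP conversations for just that span) and the "select related" behaviour this paragraph asks for, as an added Python example that is not Pilot's or CACE's code. It reads plain libpcap files containing Ethernet/IPv4 frames; the two capture files, the addresses and the timestamps are constructed sample data, and the function names are my own.

```python
import socket
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # libpcap magic, microsecond timestamps
ETHERTYPE_IPV4 = 0x0800


def build_pcap(packets):
    """Serialise (ts, src_ip, dst_ip, payload_len) tuples into a little-endian
    libpcap file with Ethernet + IPv4 headers. Constructed sample data only."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, src, dst, plen in packets:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, 6, 0,
                             socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + b"\x00" * plen
        sec, usec = int(ts), int(round((ts - int(ts)) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return [(timestamp, src, dst, frame_len), ...] for the IPv4 frames in a
    libpcap file. Both byte orders of the magic are accepted; frames that are
    not Ethernet/IPv4 (or are truncated) are skipped rather than crashing."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file")
    records, off = [], 24                      # 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl]
        off += incl
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue
        src = socket.inet_ntoa(frame[26:30])   # 14-byte Ethernet + 12 bytes into IPv4
        dst = socket.inet_ntoa(frame[30:34])
        records.append((sec + usec / 1_000_000, src, dst, len(frame)))
    return records


def merge_captures(*files):
    """Bring several long-term capture files together, ordered by time."""
    return sorted((r for f in files for r in parse_pcap(f)), key=lambda r: r[0])


def bytes_per_second(records):
    """The time series behind a bytes-per-second chart: {second: bytes}."""
    series = defaultdict(int)
    for ts, _s, _d, n in records:
        series[int(ts)] += n
    return dict(series)


def select_window(records, t0, t1):
    """The hand-selected span of the chart: records with t0 <= ts < t1."""
    return [r for r in records if t0 <= r[0] < t1]


def conversations(records):
    """IP Conversations view: bytes per unordered address pair."""
    convs = defaultdict(int)
    for _ts, s, d, n in records:
        convs[tuple(sorted((s, d)))] += n
    return dict(convs)


def one_way(records, host):
    """What sending a top-sources bar to the packet view yields: frames *from* host only."""
    return [r for r in records if r[1] == host]


def related(records, host):
    """The 'select related' behaviour: both directions of every flow host takes part in."""
    return [r for r in records if host in (r[1], r[2])]


# Constructed sample: two capture points, each writing its own pcap file.
CAPTURE_A = build_pcap([(1000.0, "10.0.0.1", "10.0.0.2", 500),
                        (1000.5, "10.0.0.2", "10.0.0.1", 100),
                        (1001.2, "10.0.0.1", "10.0.0.3", 1200)])
CAPTURE_B = build_pcap([(1001.7, "10.0.0.3", "10.0.0.1", 60),
                        (1002.1, "10.0.0.4", "10.0.0.2", 300)])

if __name__ == "__main__":
    recs = merge_captures(CAPTURE_A, CAPTURE_B)
    print(bytes_per_second(recs))                          # {1000: 668, 1001: 1328, 1002: 334}
    print(conversations(select_window(recs, 1001, 1002)))  # {('10.0.0.1', '10.0.0.3'): 1328}
    print(len(one_way(recs, "10.0.0.1")), len(related(recs, "10.0.0.1")))  # 2 4
```

The last line is the point of the paragraph: a one-way view of 10.0.0.1 shows two frames, while the related view shows all four, including the replies needed to follow the flow.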

There's more to the product including a number of output options for reporting in a variety of formats from PDF to Excel.  Watch for the announcement and check out a demo.

I was thinking it would be interesting if CACE supported more than just the Wireshark analyzer. Despite claiming to be integrated with Wireshark, it really boils down to passing a portion of one or more trace files as a capture source along with a filter to Wireshark. Why not support the same for other analyzers? On second thought, that could cause some serious heartburn for competing vendors.

With over 300,000 Wireshark downloads per month, users will finally have a real tool to go hand-in-hand to help ease some of their analysis pains. One question that comes to mind is how many users of a free open source tool will be willing to pay real money for Pilot at $1,295 a pop including maintenance (the projected introductory pricing)? Only time will tell.

Meanwhile, by feasting on those morsels surrounding the Wireshark community, Pilot could prove to be an industry disruptor, even more so when the distributed version becomes available.

December 31, 2007

The Year in Review... and Ahead

Among my predictions for 2007 were continued growth in WiFi with 802.11n settling down, accelerated developments in 10 Gigabit due to passing of the 10GBASE-T copper media standard, accelerated data analysis on large volumes of captured traffic, advancements in forensics, and a couple of miscellaneous other things.

Of the above, accelerated data analysis and advancements in forensics fell far short of my expectations.  The only real advancements were in the sheer volume of storage offered by various data mining probes from the likes of Network General/NetScout, Network Instruments, Niksun, Solera, WildPackets, etc.  Besides SANs, these advancements essentially piggybacked the astonishing advancements in 3.5” hard drive technology, namely higher capacity and lower cost, thanks to Perpendicular Magnetic Recording (PMR).  The hardware is down to twenty cents a gigabyte.  Unreal.

Meanwhile, where were advancements in analyzing terabytes of packets? Better search tools?  Faster results?  Smarter expert systems? In the field, I continue to apply my own techniques over a variety of tools to achieve the results I’m looking for.  The vendors have disappointed in this area.  Enough with the whining and on to predictions for 2008.

More Network Analysis Acquisitions.  Fluke started off the year by announcing its acquisition of Crannog.  More recently, analysis vendors like Network Physics and Network General were snapped up for a song.  What will be the first analysis acquisition of 2008?  Possibly privately held performance analysis vendor NetQoS, but not for a song.  The company is showing some nice growth of late and the rumor on the street is that IBM is seriously courting.  Other analysis companies with acquisition potential include Network Instruments, WildPackets, and one or two others.  Stay tuned for an interesting year.

Virtualization Buzz Levels Off.  Datacenter consolidation, growth in blade servers, the green movement, multi-core processors, cheap high density memory and cheap storage added to the virtualization hyperbole in 2007.  Sure it will be hot in 2008, but highly commoditized making it a household word.  I’m not sure what will be hot and new in virtualization in 2008.  Maybe a push to deploy those analysis engines on the virtual machine (to capture packets from the virtual Ethernets).  Minor problem #1: Where to store all that data?  Minor problem #2: How to analyze all that data without impacting the core CPUs already running all those virtual machines?  One solution is for the analysis engine (or stand-alone for that matter) running in the VM and capturing packets off virtual networks to share a high performance back-end data store.  Let’s hope that 2008 will finally bring us some real innovation in high volume data analysis and forensics.

802.11n Soars, Analysis Lags.  No surprises here.  802.11n Draft 2.0 passed early this year, multi-vendor interoperability is real, the WiFi alliance has certified some 200+ Draft 2.0 products, Cisco announces its push into the enterprise, and 300 million WiFi chipsets were shipped in 2007, up 41% from the previous year.  802.11n will also resurrect interest in deploying WiFi in the 5 GHz band where it makes the most sense to not only stay out of the way of legacy 802.11 b/g and general interference, but to also provide more spectrum for non-overlapping dual channel 40 MHz coverage.  New wireless analysis challenges will result, especially in monitoring highly location dependent reception of dual channel MIMO traffic.  Stationary wireless monitoring tools are inadequate (except in niche situations) and 802.11n portable laptop analyzers can easily lose a lock on promiscuous MIMO reception while moving around, unlike their 802.11 a/b/g brethren.

10Gig (and TAPs) Take Off.  I’m cheating a little since at the end of 2006 I already figured 2008 to be the year of 10 Gigabit Ethernet.  So I’m making it official.  Look for this to be the big year as well as unprecedented announcements from TAP vendors in the areas of density, price drops per port, and new products.  Look for TAPs to be smarter too (filtering, buffering, stream aggregation, stream splitting, timestamp generation, etc), to help offload the strain from those aforementioned overloaded terabyte analysis probes that are dropping packets like flies.  Come to think of it, perhaps this is where the next innovation in analysis and forensics will come from - the TAP vendors.

Quality of Experience (QoE) Takes Center Stage.  The buzz surrounding quality of service (QoS) for not only VoIP but data applications as well and how it affects the end user QoE will continue to garner attention in the coming year.  I’m working on an interesting enterprise network analysis process showing how faster infrastructure response times in a series of tasks leads to a faster response from the user in between the tasks. User behavior needs to come into the equation along with how servers react to certain events, something that cannot be easily measured by TCP transactions alone.  Another area to keep a close watch on is how highly tuned converged networks carrying large volumes of VoIP traffic can impact data.  Have we forgotten about our mission critical data applications on the path to VoIP?  There’s so much more to QoE that I can’t possibly see how it will escape attention in 2008.

I wish you all the best in the New Year!

November 08, 2007

A Company is Born: Bitcricket

We interrupt this blog for an important announcement.

I’m proud to announce the birth of Bitcricket, my new company with an aim to make the network analysis experience personal again (with apologies to HP’s “The PC is Personal Again” campaign.)  You, my blog readers, are getting this exclusive before it hits the wire.

To celebrate, Bitcricket is giving away the brand new IP Subnet Calculator for IPv4 and IPv6.  With the Federal IPv6 mandate right around the corner in 2008, what better timing?  You can play with the various IPv6 addressing schemes, beginning with a choice of IPv6 addresses already configured in your workstation (the default for Vista and MacOS X).  Meanwhile, your favorite IPv4 mask, subnet, and CIDR features are there too.  The calculator has been designed to be cross-platform; it runs natively on Windows and MacOS X (both PPC and Intel architectures).

If you’d like, I can come on-site and teach real world protocol and network analysis with the tools you already own.  I am going to assume that you are already familiar with their basic operation via the owner’s manuals or introductory webinars from your vendors.   Likewise, I will gladly work side-by-side with you on troubleshooting and optimizing your most challenging application and/or network performance issues.

Happy troubleshooting!

Thank you and back to our regularly scheduled blog.

November 05, 2007

The Ups and Downs of Network Technology Stocks

I confess that I’m not a serious day trader although I do keep one eye on the market, especially the networking sector.  I’m always curious to see how the more focused companies like a NetScout or Cisco perform vs. umbrella technology companies like an IBM or HP.  So here’s my foolish attempt to write a financial blog. It’s not quite what you’d expect from Motley, but you may find it interesting if you’re not exactly a market guru.

A great way to do a little stock trending analysis is via Google Finance.  Just type in a company name or ticker and a nifty history chart appears. It allows you to slide a window back and forth to select a period of time, move your mouse along the line chart to display the exact date, and see the trade volume bar chart at the bottom.  I think the coolest feature is the attachment of tags along the graph that reference financially related news at those exact dates.  If you’ve never tried it, give it a shot and type in NTCT for NetScout and follow along.  The figure below is the chart as of November 4th.

If you had put $2000 into NetScout back in May, it would be worth about $4000 today.  Not a bad return for less than 6 months time.  Sure beats my bank’s 4.872% (I made that up) CD for the same time period.  Just for fun, let’s follow the chart along with the recent news, as indicated by the letters.

[Chart: NetScout (NTCT) stock history from Google Finance, as of November 4th]

Letter I, May 3 – Revenues are up but net income is below analysts’ estimates by a couple of pennies.  Oh rats, stock tanks shortly thereafter to $7.25.

Letter H, June 25 – The stock is now valued at $8.75 after a slow, upward climb of a buck and a half.  Fifty cents of that increase came the day NetScout announces a “Raised Q1 Guidance.”

Letter G, July 25 – A mere month later a similar Q2 Guidance (that was a rather short quarter, no?) is issued, adding another million to the revenue projection, and the stock knee-jerks to ten bucks before settling down into the low nines for the remainder of the summer.

Letters C-F, September 20 – The Network General acquisition announcement generates some positive interest, kicking the stock up another buck or so.

Since then, it seems we’ve had lots of time to noodle the situation.  The most recent news last week is that the acquisition is officially complete.  My sources tell me that we’ll have to wait for the first round of real integration until April 1st of next year.  Meanwhile, it’s status quo.
A number of people I’ve spoken to thought the deal was a steal for NetScout at only $50m in real money, i.e. cash.  Since then, the stock has see-sawed upward, peaking at nearly $15.50 on Halloween.  Downright scary.

As an exercise to the student, try the same for Cisco and note how you could have doubled your investment albeit over a slightly longer period, one year.  Still beats that CD.

Meanwhile, those that bought NetScout in the weeks prior to the announcement are laughing all the way to the bank.  I wish I was one of them.

October 26, 2007

Network Performance Management – Winners and Losers

Network Physics, a company in which venture capitalists invested some $55m, essentially liquidated this week to OPNET for a bargain-basement $10m.

I have fond memories of Network Physics at Interop, with guys and gals running around in those loud “It’s Not the Network!” t-shirts.  The premise was that their packet-based NetSensory appliance monitors application flows on the network and distinguishes server vs. network delay.  I also worked with one of their brilliant engineers on the Apdex board of directors.

It looks like a loss for Network Physics (certainly the investors) but a win for OPNET. Near as I can tell, OPNET will ditch further development of their own performance management product, ACE Live (announced just last month), and instead go with NetSensory and rename it ACE Live.  Got it?

There are many players in the network performance management space with overlapping areas and niches.  For instance, Coradiant focuses on Web based performance analytics.  NetQoS focuses on Application Performance Management although they are beginning to broaden.  They also have some nice integration with Cisco WAAS (Wide Area Application Services).  Larger umbrella companies like Compuware and Computer Associates also have tools that watch application performance.  Compuware’s ApplicationVantage comes to mind (part of their Application Assurance portfolio) and CA has tools in this area focused on SLAs in the web space.

As with any acquisition, how well will the acquiring technologies integrate into a much larger beast?  Track records have been mixed.  Some 25% of Cisco acquisitions don’t pan out.  Witness Network General’s failed comeback and acquisitions and now it’s NetScout’s problem.

Will larger companies lose their identity in this market, specifically application performance management/end-user satisfaction within the network performance space?   Or will smaller, but significant and fast growing players like NetQoS trump the big guys?
 
Speaking of NetQoS, how did they get so far ahead of Network Physics in the performance appliance biz?  I’d say partly that Network Physics suffered when shifting gears (like changing your college major mid-term) from shaping traffic to measuring the stuff and that NetQoS recognized early on the value of a feature rich (as in superb GUI) browser-based console coupled with a smart appliance, but I digress.

One thing I do know is that all the long and hard work over the years from Peter Sevcik (the NetForecast guy that started Apdex) pushing the importance of measuring the user-experience, is coming front and center.

October 16, 2007

When is a standard not a standard?

As standards become more and more complex, there tend to be numerous options included, which makes one wonder whether or not a standard is really a standard.

Take the controversial IEEE P802.11n/D2.00 Draft for instance, which was recently questioned in an interesting blog at lovemytool.com.  There are tons of options including the number of transmit and receive streams (i.e. MIMO operation), single or dual channel operation, various new data unit types, new ACKs, the list goes on.

Luckily, there are mandatory requirements as well as options. In fact, to obtain Wi-Fi Alliance 802.11n Draft 2.0 Certification, a device must implement a minimum set of mandatory capabilities specified in the IEEE draft.  Specifically, a device must implement 2 spatial streams in transmit mode, 2 spatial streams in receive mode, the A-MPDU and A-MSDU, and block ACK.  This simplifies things in that only a single 20 MHz channel in the 2.4 GHz band is required.   These minimum mandatory requirements roughly double the raw data rate over 802.11g in a single channel.  To gain the full benefit of 802.11n, a device may also implement the optional 40 MHz operational mode (that requires using the 5 GHz band in order to minimize interference with legacy b/g devices) as well as utilize additional spatial streams to boost throughput.

I would venture to say that a goal of the IEEE was to provide a minimal must-do set of requirements to gain at least some benefit over 802.11 b/g.  Beyond the minimal requirements, options allow vendors and customers to boost throughput depending on their environmental and legacy requirements.  This includes co-existence with 2.4 GHz devices as well as optional deployment in the less interference-prone, albeit shorter-range, 5 GHz band.  The Wi-Fi Alliance will test these options as well, ensuring interoperability for vendors that choose to implement them.  In fact, the majority of 2.0-certified devices to date support at least 3 spatial streams.  In rough numbers, this gives us 150 Mbps for single channel operation, 300 Mbps for dual.  I think the dual channel controversy (see 802.11n Going Enterprise?) will be put to rest especially in light of Cisco’s recent 802.11n equipment rollout for dual channel support in the 5 GHz band – the first to be Wi-Fi Alliance certified for that option.

Thank goodness we have organizations like the Wi-Fi Alliance to keep us on the straight and narrow.

September 20, 2007

How potent is NetScout's buyout of Network General?

On the heels of this week's announcement of Cisco buying Cognio, comes the news of NetScout acquiring Network General.  This time the terms were announced - $205 million.  That's $70 million less than when McAfee sold off the "Sniffer Unit" to Silver Lake back in '04 and of course, far less value than when Network General merged with Network Associates in '97.  Is there a trend here?

Tim O'Neil over at LoveMyTool gives us insight on the deal and reminds us that NetScout recently sold $120 million in stock, a sure sign that a deal was cooking.  NetScout's latest quarter came in at around $30 million.

As former CTO over at WildPackets, I kept a close watch on various competitors.  With NetG continuing to recover from the ill-fated NAI merger and subsequent break off as an independent again, two old industry rivals are about to become friends. I think the key to a buyout of this magnitude will be how quickly the two companies can come up with a cohesive, truly integrated product family.

Let's learn not only from the NAI debacle. Hopefully the painful integration issues and lessons learned when Network General bought NetVigil will also be of value.

September 18, 2007

Cisco + Cognio = #122

The big news today in the network analysis industry was Cisco's definitive agreement to buy out Cognio, making it their 122nd acquisition, and the first for Cisco's fiscal 2008.  Cognio went through some $20 million via a few rounds of VC developing their proprietary SAGE chip and software over the years.

2007 was a break-out year, having a mature card/laptop-based RF Spectrum analysis product for the 802.11 2.4 and 5 GHz bands, not to mention four OEMs including Cisco.  According to the press release, Cognio will fold into the Ethernet and Wireless Technology Group, part of the Wireless Networking Business Unit.

Cisco is underscoring the importance of premises wireless lately, with their recent 802.11n announcement and today's statement that "Wireless spectrum is a strategic asset for our customers."  Mark these words:  A strategic asset.

As is typical when buying a private company, terms were not disclosed.  Sources tell me it was a public-for-private stock swap deal with some cash thrown in, namely to buy out employees that are bailing.  Sweet.

RF Spectrum analysis of 802.11 has caught my attention over the past couple of years.  See RF Spectrum Analysis, RF Vision, $25 and Device Decimates Your WiFi.  I have fond memories during my tenure at WildPackets of working with Cognio at their humble Germantown Maryland headquarters, a facility which will be shut down.  Employees staying on will be moving to beautiful rural Richfield Ohio, a village of some 3,500 residents just off Interstate 77 and home to Cisco's wireless group (the Aironet Systems facilities acquired by Cisco back in 1999 for a cool $800 million).

What does all this mean for the three remaining re-branders:  AirMagnet, Fluke Networks, and WildPackets?  For the short term, business as usual.  Longer term, it's hard to say.  Most have developer's agreements in place with Cisco for other projects. What really raised my eyebrows in today's release was the quote from Cisco VP Brett Galloway: "Cisco continues to differentiate our ability to deliver our customers rich and dependable end-user mobility experiences."

The key word is differentiate.  Right now, there is virtually no differentiation between the OEMs, save for a little custom API work by AirMagnet and some minor WildPackets SNMP trap processing.  Thus, how will Cisco pull apart from the crowd?  My guess is that they will pursue the distributed angle as part of their unified wireless strategy.  Look for new stuff in 2008, perhaps as early as Interop.

September 04, 2007

A New Beginning

Yesterday was the first Monday in September, a day set aside since the 1880s as Labor Day. As the unofficial last day of summer before kids go back to school, it’s a day of rest, and a time to reflect. With the recent closing of WildPackets’ Minnesota office, I felt that need to reflect.

WildPackets was formed back in 2000 after AG Group acquired a training company, Optimized Engineering, and my former company, Net3 Group. Net3 Group was the genesis of the wonderful expert system and the incredible peer map (have you tried it lately?) that you see in today’s OmniPeek. They debuted in NetSense--the first post-capture expert system of its kind that analyzed packet captures from some eighteen different protocol analyzers.

Yikes, how many of those eighteen analyzers remain today? Indeed, much has changed in just seven short years. Wireshark has captured (no pun intended) the fundamental packet capture and decode market. The surviving major value-add players are the likes of Fluke Networks, Network General, Network Instruments, Agilent, and of course, WildPackets.  We're down to five from eighteen.  Perhaps throw in AirMagnet or Niksun for six.  However, these and other players seem to focus more on niche markets like wireless security or forensics.  But I digress.

A major milestone for WildPackets after the acquisition was the release of EtherPeek NX and AiroPeek NX, bringing NetSense technology into real-time packet analysis and propelling WildPackets to the next growth level.  I’m really proud of that accomplishment because I was able to conceive, design, and actually write the code.

As I moved from VP to CTO within WildPackets, my role shifted to competitive analysis, speaking, writing, customer facing, tradeshows, on-site training, etc.  In spite of all that, I continued doing what I loved best--driving the expert system in emerging areas of application performance, VoIP, and wireless.

Meanwhile, I’m taking a short leave of absence to reflect, listen, and see what’s out there.  This blog will continue with comments, opinions, and tips pertaining to all things network analysis and troubleshooting – my passion for the past 25 years.

Stay tuned.

May 07, 2007

Network Forensics

Quick, what’s the first word that comes to mind when you hear the word ‘forensics’?  CSI? Despite being an IT guy, I still have morbid thoughts along the lines of a pathologist slicing into a cadaver.  Or collecting stuff that might contain the perps’ DNA at a crime scene (fingerprints are so yesteryear.)

Webster’s defines forensics as “The use of science and technology to investigate and establish facts in criminal or civil courts of law.” 

I think this fits well with corporate needs for network forensics using analysis tools.  Many vendors have tools with catchy taglines on variants of “Retrospective Analysis”, “Business Forensics”, “Turn Back the Clock,” and so on. Unlike real-time, the basic premise behind network forensics is to mine data (usually via packets) and perform post analysis to reconstruct content or gather intelligence as to why certain things happened.  In some ways, forensics is like detailed hindsight.

There are several areas where forensics can be applied.  Samples of some broad categories include:

  • Compliance:  Oops, someone sent out company confidential financial information in an unencrypted email or used IM to gossip about a coworker's medical condition.
  • Troubleshooting: Why did our network melt down this morning?  Why do our CRM users often experience poor performance in the afternoon?
  • Verticals:  Why did the core switch peg during a critical trading hour?  Why are doctors losing wireless connectivity?  Is our converged VoIP operating smoothly?

Returning to the Webster definition, analysis tools can be used to establish facts as to a particular network related event that is disturbing.  By network, I mean the entire infrastructure from fabric to nodes to users – let’s not forget about the human element.

According to searchnetworking.com, Marcus Ranum is credited with saying “Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.”

Thus by virtually all definitions of the term, forensics is traditionally associated with crime solving.  This puts us more in the overall thinking of “when illicit things happened, what happened, and how can it be prevented?” whether from inside or outside sources.  Contrast this to troubleshooting as mentioned above.  Forensics is criminal.  A slow network is not.  Although one could argue that a dead network is criminal!

There’s also a relatively new category of forensics – enterprise forensics that focuses both on user activity and what drives or doesn’t drive the business (analytics + behavior).  Is what we’re seeing on the network consistent with business objectives?  Apdex (a measure of application satisfaction with respect to end-users) is a good measure of this.  Now we’re crossing the boundary over into Application Performance Management (APM) along with user behavior and IT vs. business expectations.

Some companies have in fact attempted, with limited success, to focus on the behavioral aspect of forensics.  According to the book Digital Evidence and Computer Crime, “Behavioral evidence analysis provides a systematized method of synthesizing the specific technical knowledge and general scientific methods to gain a better understanding of criminal behavior and motivation.”

The big question here is whether or not unusual behavior can be predicted in advance based on characteristics of anomalous activity.  So what if Johnny does a 2 gig file transfer on Friday afternoon?  Maybe it’s a routine back-up.  Maybe it’s a one-off OS patch.  Furthermore, who cares if our WAN utilization is 100% during that time, as long as it’s fair access for all and all access for one when no one else is on at the moment?  Naturally, illegal file sharing and such is cause for alarm, but there will always be unpredictable anomalous spikes that don’t fit baselines.

I used to teach in my network analysis and troubleshooting courses that having 100% utilization is not necessarily a bad thing and should not be setting off SNMP traps and alarms all over the place.  Of course, you don’t want one user or application to consume all the bandwidth for extended periods of time.  But brief bursts of 100% can actually be a good thing.  After all, if no application can ever utilize 100% of the pipe, then perhaps we should optimize things.  The key is to get on and off the network as quickly as possible – big pipes (and low end-to-end latency) help to achieve that.  But I digress.
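The distinction drawn in the last two paragraphs, a brief burst to 100% that nobody should page on versus one host hogging a saturated link for an extended period, as an added Python example that is not from the original post or from any vendor's product. The link speed, the hosts and the per-minute byte counts are constructed sample data; the threshold, run length and dominance parameters are assumptions a practitioner would tune against their own baseline.

```python
from collections import defaultdict

LINK_BPS = 10_000_000                         # constructed: a 10 Mbit/s WAN link
INTERVAL_S = 60                               # one utilisation sample per minute
CAPACITY_BYTES = LINK_BPS * INTERVAL_S // 8   # bytes the link can carry per interval


def utilisation(bytes_by_host):
    """Fraction of link capacity used in one interval (1.0 is a full pipe)."""
    return sum(bytes_by_host.values()) / CAPACITY_BYTES


def evaluate(samples, threshold=0.9, sustain=3, dominance=0.8):
    """samples: list of {host: bytes} dicts, one per interval, in time order.

    Returns alerts (start_interval, end_interval, top_host) only for a run of at
    least `sustain` consecutive intervals at or above `threshold` in which a
    single host sent at least `dominance` of the bytes. Shorter bursts, and
    saturation shared fairly among many hosts, produce no alert at all."""
    alerts = []
    run_start = None
    for i, sample in enumerate(samples + [{}]):   # empty sentinel closes any open run
        if utilisation(sample) >= threshold:
            if run_start is None:
                run_start = i
            continue
        if run_start is not None and i - run_start >= sustain:
            totals = defaultdict(int)
            for s in samples[run_start:i]:
                for host, n in s.items():
                    totals[host] += n
            top_host, top_bytes = max(totals.items(), key=lambda kv: kv[1])
            if top_bytes / sum(totals.values()) >= dominance:
                alerts.append((run_start, i - 1, top_host))
        run_start = None
    return alerts


def mk(fracs):
    """Constructed sample helper: per-host fraction of capacity -> bytes."""
    return {h: int(round(f * CAPACITY_BYTES)) for h, f in fracs.items()}


# Constructed ten-minute history: a shared one-minute spike to 100% at minute 2,
# then four minutes at ~95% with 10.0.0.7 sending nearly everything.
SAMPLES = [
    mk({"10.0.0.1": 0.20, "10.0.0.2": 0.10}),
    mk({"10.0.0.1": 0.20, "10.0.0.2": 0.10}),
    mk({"10.0.0.1": 0.50, "10.0.0.2": 0.50}),   # brief 100% burst, fairly shared: fine
    mk({"10.0.0.1": 0.15, "10.0.0.2": 0.05}),
    mk({"10.0.0.1": 0.30, "10.0.0.2": 0.10}),
    mk({"10.0.0.7": 0.90, "10.0.0.1": 0.05}),   # sustained, one host dominates: alert
    mk({"10.0.0.7": 0.90, "10.0.0.1": 0.05}),
    mk({"10.0.0.7": 0.90, "10.0.0.1": 0.05}),
    mk({"10.0.0.7": 0.92, "10.0.0.1": 0.04}),
    mk({"10.0.0.1": 0.20, "10.0.0.2": 0.10}),
]

if __name__ == "__main__":
    print([round(utilisation(s), 2) for s in SAMPLES])
    print(evaluate(SAMPLES))    # [(5, 8, '10.0.0.7')]: minute 2 never alerts
```

Lowering `sustain` to 1 and `dominance` to 0 turns the tool into the naive "trap on 100%" alarm the paragraph argues against; the burst at minute 2 then fires too, which is exactly the noise the two extra conditions remove.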

Forensics tools need to provide the flexibility to blend real-time analysis with forensics and allow you to optimize the tool for your given situation.  Is 100% capture to disk of massive amounts of data important to you?  Where do you need to cover (capture) in your network, what is the nature of the traffic, and what are the capture bandwidth requirements?  How long do you need to keep the data around?  How important are the distributed aspects and how efficient is the data conveyed to centralized consoles or distributed consoles shared by multiple engineers (investigators)?  Do you prefer that the forensics data mining and subsequent analysis be carried on at the remote engines or brought back to the console to analyze locally and/or take off-line?

So slip on a mask and a pair of latex gloves and get to work!