Network Forensic Analysis | NETSCOUT

Network Forensic Analysis

Network Forensic Analysis takes traditional protocol analysis to the next level by extending the duration for which the analyzer can capture packets, using the latest capture, storage and analysis technology. A Network Forensic Analyzer, most commonly called a Network Recorder, captures and stores all traffic so that it can be retrieved for analysis later.

Applications

With a network forensic analysis tool, you have the ability to go back in time and review historical network traffic to investigate security attacks and network or application performance issues. Network Forensic Analysis tools are commonly used for:

  • Optimizing network and application performance
  • Data Center Consolidation - capture unexpected traffic patterns and isolate problems caused during deployment of virtualization or consolidation of traffic from other data centers
  • Unified Communication Deployment - evaluate the stability and quality of a deployment during the pilot and the first few weeks of operation, before the contractor warranty ends
  • Service Assurance - guarantee the delivery of mission-critical data through traffic profiling and shorten root cause analysis of intermittent issues
  • Tuning intrusion prevention and detection solutions


Typical Network Forensic Analysis Components




Key Network Forensic Analyzer Considerations

The mission of a network forensic analysis tool is to store and then analyze. The ability of the device to capture, store and retrieve packets is of utmost importance. At the same time, the ability of the tool to identify and examine multi-terabyte volumes of traffic quickly and easily is equally important to ensure fast problem identification and resolution. Many of the network protocol analyzers available today display the packets but do not summarize and analyze the network traffic in a way that reduces the time it takes to resolve the problem. The excessive time spent resolving problems and the corresponding lost productivity can be staggering. It is important to carefully scrutinize the analysis capabilities and specifications before selecting a Network Forensic Analysis tool. The following are some key considerations:
  • Performance: What is the throughput to disk (not to memory) with no packet loss?
  • Visibility: How many links can one recorder connect to, and what kinds of topology can it link to? How much will turning on real-time monitoring or data analysis affect the throughput?
  • Capacity: Is the storage specified as raw storage or as the real data storage available? Is there a way to filter or slice traffic so that only relevant data is stored?
  • Redundancy: Is RAID 5 or RAID 10 used? If not, what happens when a hard disk fails? Will data be lost? How much work does it take to recover the system and/or the data?
  • Ease of use: How difficult is it to analyze the captured network data? Can data collected from different parts of the network be easily aggregated, segmented and analyzed to get to the root cause?
  • Depth of Analysis: How many applications is the tool able to decode and support? What about video and voice analysis? What is the analysis performance of the solution? Is there an easy way to analyze traffic across the network?