Networks are complex, and always changing. Trying to troubleshoot them – or find the cause of a breach – can be a huge undertaking, but this task can be made much easier if packet data is available. You can learn a tremendous amount from a single data packet. Just from the header you can determine who the sender and receiver are, the general characteristics of the communication – whether TCP (receipt acknowledgement requested), UDP (just make the best effort), or RTP (time-critical, so resending just isn’t practical) – and even a clue about the packet contents based on the port used to send the traffic, such as Secure Shell or Remote Shell (SSH or RSH), HTTP, and thousands of others.
If you’re experiencing problems on your network, having access to packet data for analysis can be far more valuable than any other type of data. With packets, you get a recording of the entire conversation between network nodes and, if necessary, you can look more closely at the packet payloads for possible problems.
A good example is a client talking to a database. If there is a long delay in data coming back to the client, you can investigate the entire conversation to see what’s happening. When control packets are flowing freely between the client and server, like requests and acknowledgements, but data results are slow in coming, it's clear the problem is with the application and not the network, since the network is responding quickly but the server is not. Packet payload data includes the specific requests being made of the database as well as the results returned. By looking at payloads, you may see that instead of data being returned, an error message is being reported, providing clear evidence of the exact fault in the application.
Another common problem might be that a user is having trouble authenticating to a network. Authentication requires that an exchange of packets be completed for the connection to be successful. Since a single missing packet will cause the authentication process to fail, users on wireless networks, where packet loss is more common, are especially susceptible to authentication failures, and the packets will show exactly where the transaction fails.
In fact, packet analysis used in a wireless environment can provide IT teams with practical information about a whole range of network and application parameters, including the network’s overall capabilities, client activity level, device configuration, and general quality of service (QoS) for voice over Wi-Fi (VoFi) and other services.
Last, but certainly not least, IT teams and security analysts can make use of collections of packets, typically packet files in a format called PCAP, to investigate and resolve a host of security issues. If the organization is already getting alerts from an IDS/IPS/SIEM device, then being able to analyze the packets that triggered the alert can reveal exactly what transpired. Unfortunately, a general lack of manpower means that most companies investigate only 5% of their alerts, but having quick access to those packets means a much faster forensics process than relying on fallible log data. Without those packets, you may never know how a culprit entered the network, or the extent of the damage.
The simple fact is that packets don’t lie, so it’s up to IT professionals to become better at asking them the right questions.