Network analyzers can perform many functions; here are some of the key features you should be familiar with.
1. Network Traffic Analysis Using Packet Captures
A packet capture can log traffic that passes over the network. Having a tool that can capture packets on the network can give you every detail of what’s going across the wire. You can analyze the values of various fields in the packet, analyze its content and more. Not all analyzer programs capture the full packet; depending on your needs, full capture may not be necessary.
I will discuss NetFlow below, but I find packet capturing far superior to NetFlow for network traffic analysis. I find it's more accurate, easier to set up, and allows full packet inspection.
2. Monitoring The Flow of Traffic With NetFlow
NetFlow is a feature that can be enabled on routers and switches to collect IP traffic statistics. NetFlow is not a packet capture; it is basically a flow log. When traffic flows across an interface on a router or switch, the device records metadata about that traffic, which a NetFlow analyzer can then collect. NetFlow works for basic statistics such as source IP, destination IP, protocol and bandwidth.
NetFlow was developed by Cisco; if you want to learn more about this technology, I recommend reading this article: Introduction to Cisco IOS Netflow
3. Detect Application and Protocols in Use
To really know what’s going on in your network you need a tool that can identify applications and protocols in use. HTTP, SMB, RDP, SSL, DNS, SMTP, LDAP are just a few of the protocols that can be detected by a network analyzer.
Here is a screenshot of Netfort detecting applications in use by the user. You can also see how much network traffic each protocol/user has generated.
4. Track Bandwidth Usage to Find Bandwidth Hogs
This is often the main reason to invest in a network analyzer: to find those bandwidth hogs. Most network monitoring programs will show you real-time network usage but provide no details on what or who is consuming the bandwidth. It’s frustrating to see your internet utilization at 99% with no clue what's consuming it all. A network analyzer should help pinpoint those bandwidth hogs. At the very least you should be able to find top bandwidth usage by IP address, user, device, and protocol.
5. Track User Network Activity
You want to integrate Active Directory users with your analyzer tool. This will help in troubleshooting and network forensics. Need to know who is streaming YouTube videos? Need to know who is using an unsecured protocol like telnet? By integrating with Active Directory, you can run those types of reports. Below I did a search for top users who accessed YouTube.
7. Create Custom Reports
Most tools come with pre-built dashboards and reports. That is great, but every network is different and you need the ability to create very customized reports. In medium to large networks, capturing all traffic for analysis can be overwhelming. I like to narrow traffic down at times to a single subnet, protocol, location, user, website, IP address and so on. This really makes troubleshooting easier.
8. Top Talkers (Internal & External)
Being able to quickly spot top talkers on the network is a must-have feature. When bandwidth utilization is high or application performance is slow, this feature comes in very handy. You should be able to track top talkers by application, IP address, website, and host name.
9. Baseline Network Traffic
This can be difficult to do on a busy network, but a good analyzer should make it easier. You can baseline traffic on a single system with Wireshark, but to baseline all traffic you need a tool like Netfort or SolarWinds NTA. Over time you should have an idea of what normal bandwidth is, which applications/protocols are in use, and who the top talkers on your network are.
10. Network Forensics & Security Monitoring
Advanced security threats are difficult to detect. Monitoring and capturing the flow of network traffic is one of the best ways to identify security threats. Common use cases include:
- Identify Ransomware on the network
- Detect insecure protocols such as SMBv1
- Monitor unusual outgoing traffic
- Spot users or devices downloading large volumes of data
- Detect MAC addresses
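As an added example (not from the original article or any product it mentions), here is a small Python flow-log analyzer that applies items 4, 8 and 10 to constructed NetFlow-style records: it ranks top talkers by bytes sent, flags internal hosts using telnet, and lists internal hosts sending unusually large volumes to external addresses. The record layout, the port-to-application mapping and the internal address range 10.0.0.0/8 are assumptions.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (assumed layout, not a real NetFlow export):
# (source IP, destination IP, transport, destination port, bytes sent by source)
FLOWS = [
    ("10.1.1.5", "203.0.113.10", "TCP", 443, 850_000),
    ("10.1.1.5", "203.0.113.10", "TCP", 443, 1_200_000),
    ("10.1.1.7", "10.1.2.20",    "TCP", 445, 40_000),
    ("10.1.1.9", "10.1.2.30",    "TCP", 23, 3_000),
    ("10.1.1.8", "198.51.100.7", "UDP", 53, 500),
    ("10.1.1.7", "198.51.100.9", "TCP", 443, 2_500_000),
]

# Assumption: flow data only carries ports, so application labels are port
# based here, unlike a full packet analyzer that inspects payloads.
PORT_APPS = {80: "HTTP", 443: "SSL", 445: "SMB", 23: "telnet",
             53: "DNS", 25: "SMTP", 389: "LDAP", 3389: "RDP"}
INSECURE_APPS = {"telnet"}
INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed internal address space


def app_name(port):
    return PORT_APPS.get(port, f"port-{port}")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def top_talkers(flows, n=3):
    """Bytes per source IP, largest first (bandwidth hogs / top talkers)."""
    totals = Counter()
    for src, _dst, _proto, _port, nbytes in flows:
        totals[src] += nbytes
    return totals.most_common(n)


def insecure_protocol_sources(flows):
    """Hosts seen using an insecure protocol such as telnet."""
    return sorted({src for src, _d, _p, port, _b in flows
                   if app_name(port) in INSECURE_APPS})


def unusual_outbound(flows, threshold):
    """Internal hosts sending more than threshold bytes to external addresses."""
    totals = defaultdict(int)
    for src, dst, _proto, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return {ip: b for ip, b in totals.items() if b > threshold}
```

The same three functions work unchanged on real exported flows once they are parsed into the tuple layout above.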