How do you go about catching the one of the fastest things known to man (light) at a specific point in time with pinpoint accuracy over and over again? With a little patience and your network card, of course! This post is an introduction to the process of capturing network traffic (aka “sniffing” or “tracing”). With most of my blog being dedicated to network performance analysis, a post like this is foundational, and will help you understand the basics moving forward if you are new to “sniffing the wire”.
Networks range in size from small home networks with 1 PC to global corporations with many users and data centers, to the largest network (or collection of networks depending upon your definition) of them all, the Internet. While size, speed, design, and costs may vary, they all use the same signals to communicate. These signals may take the form of electricity (ethernet cables), light (fiber), and radio waves (wireless) across varying mediums. These analog signals are converted into digital form represented by 1’s and 0’s, which in turn are grouped together into series of bits and eventually combined into the data we view on our screens.
Network packets are comprised of these bits. Packets have different sizes and forms; but simply put, packets are much like mail. You write a letter that may vary in form and length depending on the type (data) and then place it in an envelope (frame). This piece of mail (packet) is then placed into your mailbox (network card), hauled away by the mail truck on roads (cables), routed through the post office facilities (routers and switches) and then delivered to its final destination where it is received, opened, and read. Now, imagine you wanted to send a friend a copy of your latest book by mail, but you had to send it page by page in envelopes (packets). Due to technical limitations and design, this is how computers communicate. The data can’t usually come in its entirety in one packet. In fact, sometimes it may take thousands, hundreds of thousands, or even millions! The rate at which this data transfers is in bits per second, or more commonly, megabits (Mbps) or gigabits (Gbps) per second. You could measure by packets per second, but applications, like people, typically don’t care about the number of envelopes but would rather know what’s in the letter and when the next page will arrive.
This is where network performance analysis comes into the picture, and is what can keep me awake at night! When packets go missing or traverse the network slower than they should applications have problems. They may manifest as a choppy phone call, slow download, erratic web page behavior, wireless disconnects, buffering issues, game lag, and more… I find the cause of these problems using the various techniques and tools discussed on this blog. See, all of this technical nonsense does actually mean something to the everyday person! Who doesn’t like crazy fast downloads, HD streaming, high quality video interviews, and uninterrupted game play!? One of the first steps in troubleshooting these problems is capturing the packets to see what is truly happening. They contain the actual data and their timing and size can be measured. It’s like monitoring traffic on a highway. To do this we can use various programs (such as Wireshark) that will watch a network card and capture (technically it copies) the packets. It then displays them on the screen in a way that is more readable to humans. Sometimes, you can even play them back again like a network traffic DVR (someone grab the popcorn!).
NOTE: Much like DMCA for TV and movies you might have on your DVR there are rules and regulations for the data that is captured. As this is also a form of communication there are wiretapping laws to consider as well. You have every right to capture your own network traffic at home, but I advise researching these things further before capturing public traffic or using the tools I mention at work. I do not accept responsibility for any illegal or forbidden acts. This blog is for informational purposes only!
Future posts will explain how to actually capture these packets moving at the speed of light (give or take a lot of bps depending), how to make sense of them, and other ways to measure performance, such as NetFlow.